
Risks Digest 34.36

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sun Jul 21 18:53:04 2024

From: RISKS List Owner <risko@csl.sri.com>
Date: Sun, 21 Jul 2024 15:52:44 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Sunday 21 Jul 2024  Volume 34 : Issue 36

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.36>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Amid madness, way backlogged.]
CrowdStrike IT outage affected 8.5 million Windows
 (BBC via Matthew Kruk)
A CrowdStrike update crashed the world's computers.
 What comes next? (WiReD)
The MTA's Old Computer Technology Kept Going During
 Today's MS-related Outrage (Curbed via Henry Baker)
Cyber Criminals Seek to Exploit Crowdstrike Outage
 (Gabe Goldberg)
Re: Crowdstrike (Cliff Kilby)
Boeing and Failures (BBC via Jim Geissman)
U.S. Gender Care Is Ignoring Science (Pamela Paul)
AT&T says hacker stole call records of ‘nearly all’ wireless customers
 (WashPost)
Data breach exposes millions of mSpy spyware customers (TechCrunch)
Rite Aid says June data breach impacts 2.2 million people (Victor Miller)
What comes around: SSH CVE-2024-6387 (Qualys via Cliff Kilby)
Exim attachment flaw CVE-2024-39929 (Censys)
New Intel CPU Vulnerability 'Indirector' Exposes Sensitive Data
 (geoff goodfellow)
German Navy still uses 8-inch floppy disks, working on
 emulating a replacement (ArsTechnica)
Zombie browser says "what"? (Betanews)
You're holding your phone wrong? (WashPost)
In Ukraine War, A.I. Begins Ushering In an Age of
 Killer Robots (The New York Times)
Perfect Apple Supply Chain Bug -- Millions of Apps at Risk of
 CocoaPods RCE (Security Boulevard)
When AI tells you to verify (Lauren Weinstein)
In GA the Biggest Election Breach in History Has Gone Uninvestigated
 (Notus via Susan Greenhalgh)
OpenAI illegally barred staff from airing safety risks,
 whistleblowers say (WashPost)
Drone photographer pleads guilty to Espionage Act charges
 (The Verge)
Re: Voting in Switzerland (Rebecca Mercuri, Bertrand Meyer)
Re: Russian Disinformation (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

From: Matthew Kruk <mkrukg@gmail.com>
Date: Sat, 20 Jul 2024 13:34:52 -0600
Subject: CrowdStrike IT outage affected 8.5 million Windows
 devices, Microsoft says (BBC)

https://www.bbc.com/news/articles/cpe3zgznwjno

Microsoft says it estimates that 8.5m computers around the world were
disabled by the global IT outage.

It's the first time that a number has been put on the incident, which is
still causing problems around the world.

The glitch came from a cybersecurity company called CrowdStrike which sent
out a corrupted software update to its huge number of customers.

  [Almost all major airline computer systems were affected: Bruce Crumley,
  Inc.  19 Jul 2024
  https://www.inc.com/bruce-crumley/airlines-bear-brunt-of-global-crowdstre.html
  -- although JetBlue evidently had zero problems because it does *not use*
  the MS/Crowdstrike connection.  I had two flights to get home, and
  everything seemed to be running ahead of schedule!  PGN]

------------------------------

Date: Fri, 19 Jul 2024 19:12:50 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: A CrowdStrike update crashed the world's computers.
 What comes next? (WiReD)

Airports, banks, TV stations, health care organizations, hotels, and
countless other businesses are still reeling from widespread IT outages,
leaving flights grounded and causing untold disruption. The cause? A
software update from cybersecurity firm CrowdStrike that crashed Windows
machines across the globe.

Only a handful of times in history has a single piece of code managed to
instantly wreck computer systems worldwide. This time, the ongoing digital
catastrophe appears to have been triggered not by malicious code released by
hackers but by the software designed to stop them.

Here’s how it happened, how it’s impacting the world, and where we go from
here.

https://link.wired.com/view/5be9ddd83f92a40469eae33cliaml.2ptl/8d27d912

------------------------------

Date: Sat, 20 Jul 2024 00:35:34 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: The MTA's Old Computer Technology Kept Going During
 Today's MS-related Outrage (Curbed)

  FYI -- *diversity* in computer systems can provide more resilience...
  Putting all your eggs in one basket risks putting egg all over your face!

https://www.curbed.com/article/mta-tech-outage-countdown-clocks-oldest-kept-going.html

The MTA's Old Computer Technology Kept Going During Today's Outage
Nolan Hicks, a longtime New York City politics and transit reporter

* On the website formerly known as Twitter, users (okay, me) jokingly
posted, "MTA this AM: Can't crash computers you don't have!" along with a
picture of the Battlestar Galactica, the interplanetary aircraft carrier
that survived a rebellion led by sentient robots because it was the one
vessel that, lacking a computer network, couldn't be
hacked.

* Housing-policy expert Alex Armlovich joked that "the MTA's deeply
fragmented IT systems are so mutually incompatible that at least only half
the system crashes at one time."

  [DIVERSITY is ironic here: This reminds me of Microsoft's response to the
  Internet Worm in 1988: ``Our software was completely unaffected.''  Of
  course that was true, because the Worm targeted only Unix systems.
  Remarkable hyperbole.  Hyperbolloxed?  PGN]

    [It seems more like DieVarsity, because scuttlebutt suggests that a
    single unintentional button push caused the entire fiasco.  There should
    have at least been some sort of advisory warning such as "Do you really
    want to let the wild rumpus roar worldwide?"  PGN]

------------------------------

Date: Fri, 19 Jul 2024 17:38:38 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Cyber Criminals Seek to Exploit CrowdStrike Outage

Organizations, including government and Public Safety agencies, are
reporting blue screen of death on systems with a CrowdStrike Update deployed
last night. If you have CrowdStrike deployed in your environment, we suggest
following the guidance provided by CrowdStrike:
https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/

The VFC has received information that cybercriminals are exploiting this
event and posing as Crowdstrike support. Exercise caution and only speak
with legitimate Crowdstrike support personnel. The following are known,
fraudulent pop up support partners claiming to be CrowdStrike support:

https://fusion.vsp.virginia.gov/vfcshield/all-sector-specific-bulletin-update-cyber-criminals-seek-to-exploit-crowdstrike-outage/

------------------------------

Date: Fri, 19 Jul 2024 11:03:23 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Re: CrowdStrike

I've used and rather like Crowdstrike. I specifically like that it has an
auto-update policy available.
https://medium.com/mii-cybersec/crowdstrike-falcon-series-deployment-to-maximum-protection-5ba791d33270
Any org I've worked with or any product I've worked with has to have the
option for N-1 deployment, or I've had to create one.  Version N goes on a
few QA machines, and one or two employee machines (IT testers). N-1 goes on
everything else.  If there is an issue with N, we get a heads up. If there's
a vulnerability with N-1, we'd have the option to bypass auto update using
normal patching process.

https://techcrunch.com/2024/07/19/banks-airlines-brokerage-houses-report-widespread-outages-across-the-globe/

If this outage was caused by a sensor update, I have questions about why
anyone would be running software that hasn't had some local testing first.
Just because there is an update, your environment is most likely unique,
with machines running between OS and App patch levels. Are these companies
also pulling in upstream patches without any testing?
https://www.theregister.com/2024/07/18/security_review_failure/
Oh. Oh dear.

Have fun with that.

APPENDED:

It seems that the defect was in a content update, not a sensor update.
There's no N rule for content deployment with CrowdStrike running auto
updates:

  a defect found in a single content update of its software on Microsoft
  Windows operating systems, according to a post on X from CEO George Kurtz.

My apologies for the miscommunication.

------------------------------

Date: Thu, 18 Jul 2024 11:25:59 -0700
From: "Jim Geissman" <jgeissman@socal.rr.com>
Subject: Boeing and Failures

https://www.bbc.com/future/article/20240718-how-ordinary-failure-could-have-a-seismic-effect-on-an-industrial-giant

How ordinary failure could have a seismic effect on an industrial giant

By John Downer, Associate Professor in Science and Technology Studies at
the University of Bristol, and the author of "Rational Accidents."
<https://mitpress.mit.edu/9780262546997/rational-accidents/> A shorter
version of this story was previously published on MIT Press Reader.

------------------------------

Date: Sun, 14 Jul 2024 7:28:35 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: U.S. Gender Care Is Ignoring Science (Pamela Paul)

Pamela Paul, *The New York Times*, Sunday Opinion, 14 Jul 2024

Imagine a comprehensive review of research on a treatment for
children found ``remarkably weak evidence'' that it was effective.
Now imagine the medical establishment shrugged off the conclusions
and continued providing the same and life-altering treatment to its
young patients.

This is where we are with gender medicine in the United States.

... But there is no basis to rush putting kids on an irreversible path of
medicalization.  With children's health and well-being at stake, effective
evidence-based and compassionate health care must be accepted.  It's one
thing to pursue a medical path not knowing whether it's effective; it's quite
another to persist on that path with no solid evidence to support it.

------------------------------

Date: Fri, 12 Jul 2024 15:58:55 -0400
From: Monty Solomon <monty@roscom.com>
Subject: AT&T says hacker stole call records of ‘nearly all’ wireless
 customers (WashPost)

The information could provide a roadmap for criminals who could impersonate
a friend or relative to trick a victim, experts warned.
https://www.washingtonpost.com/business/2024/07/12/att-wireless-hacker-data-breach/

Hackers stole almost everyone’s AT&T phone records. What should you do?
Hackers stole phone records from almost all AT&T wireless customers. What
should you do if that includes you?

https://www.washingtonpost.com/technology/2024/07/12/att-data-breach-hack-calls-texts-what-do/

  [Victor Miller spotted: AT&T says criminals stole phone records of 'nearly
  all' customers in new data breach | TechCrunch
  https://techcrunch.com/2024/07/12/att-phone-records-stolen-data-breach/
  PGN]

------------------------------

Date: Sat, 13 Jul 2024 09:17:51 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Data breach exposes millions of mSpy spyware customers (TechCrunch)

A huge batch of mSpy customer service emails dating back to 2014 were stolen
in a May data breach.

https://techcrunch.com/2024/07/11/mspy-spyware-millions-customers-data-breach/

------------------------------

Date: Tue, 16 Jul 2024 16:06:55 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Rite Aid says June data breach impacts 2.2 million people

These are getting to be so common it's hardly worth reporting. :-(

https://www.bleepingcomputer.com/news/security/rite-aid-says-june-data-breach-impacts-22-million-people/

------------------------------

Date: Mon, 1 Jul 2024 15:26:31 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: What comes around: SSH CVE-2024-6387 (Qualys)

https://www.qualys.com/regresshion-cve-2024-6387/

As mentioned in the source, this is actually the reemergence of an older,
previously resolved unauthenticated RCE, CVE-2006-5051.

Versions released for a period of about 4 years are affected.  If you can't
patch, mitigation outlined sets LoginGraceTime to 0 in the config file.
This may lead to denial of service conditions and patching is strongly
advised.

https://www.computing.co.uk/news/4329906/critical-vulnerability-openssh-uncovered-affects-linux-systems

------------------------------

Date: Fri, 12 Jul 2024 09:11:23 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Exim attachment flaw CVE-2024-39929 (Censys)

https://censys.com/cve-2024-39929/

Due to a bug in header processing, Exim may ignore attachment rules
preventing executable or other attachment extension blocks.
Patch available in RC, but has not made GA yet. User education would be the
only realistic mitigation for orgs running Exim until 4.98 goes GA.

  [NOTE: As of 4 Jun 2024, there were 240,830 CVEs in the MITRE repository.
  That is really scary, as the number just keeps growing.  The previous
  occasion on which I recorded the comparable number was 121,241 CVEs on 20
  August 2019, so the number of CVEs has essentially doubled in less than
  five years.  To me that is a very scary factoid.  PGN]

------------------------------

Date: Thu, 4 Jul 2024 07:22:29 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: New Intel CPU Vulnerability 'Indirector' Exposes Sensitive
 Data (The Hacker News)

Modern CPUs from Intel, including Raptor Lake and Alder Lake, have been
found vulnerable to a new side-channel attack that could be exploited to
leak sensitive information from the processors.

The attack, codenamed Indirector by security researchers Luyi Li, Hosein
Yavarzadeh, and Dean Tullsen, leverages shortcomings identified in Indirect
Branch Predictor (IBP) and the Branch Target Buffer (BTB) to bypass
existing defenses and compromise the security of the CPUs.

"The Indirect Branch Predictor (IBP) is a hardware component in modern CPUs
that predicts the target addresses of indirect branches," the researchers
noted <https://indirector.cpusec.org/>.

"Indirect branches are control flow instructions whose target address is
computed at runtime, making them challenging to predict accurately. The IBP
uses a combination of global history and branch address to predict the
target address of indirect branches."

The idea, at its core, is to identify vulnerabilities in IBP to launch
<https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html>
precise Branch Target Injection (BTI) attacks -- aka Spectre v2
(CVE-2017-5715 <https://nvd.nist.gov/vuln/detail/cve-2017-5715>) -- which
target a processor's indirect branch predictor
<https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/retpoline-branch-target-injection-mitigation.html>
to result in unauthorized disclosure of information to an attacker with
local user access via a side-channel.

This is accomplished by means of a custom tool called iBranch Locator that's
used to locate any indirect branch, followed by carrying out precision
targeted IBP and BTB injections to perform speculative execution.

Yavarzadeh, one of the lead authors of the paper, told The Hacker News that
"while Pathfinder
<https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html>
targeted the Conditional Branch Predictor, which predicts whether a branch
will be taken or not, this research attacks target predictors," adding
"Indirector attacks are much more severe in terms of their potential
scenarios."

Indirector reverse engineers IBP and BTB, Yavarzadeh said, which are
responsible for predicting the target addresses of branch instructions in
modern CPUs, with an aim to create extremely high-resolution branch target
injection attacks that can hijack the control flow of a victim program,
causing it to jump to arbitrary locations and leak secrets.

Intel, which was made aware of the findings in February 2024, has since
informed other affected hardware/software vendors about the issue. [...]

https://thehackernews.com/2024/07/new-intel-cpu-vulnerability-indirector.html

------------------------------

Date: Fri, 12 Jul 2024 16:04:53 -0400
From: Monty Solomon <monty@roscom.com>
Subject: German Navy still uses 8-inch floppy disks, working on
 emulating a replacement (ArsTechnica)

https://arstechnica.com/gadgets/2024/07/german-navy-still-uses-8-inch-floppy-disks-working-on-emulating-a-replacement/

REMINDER: San Francisco’s Train System Still Uses Floppy Disks --
 (RISKS-34.19)

------------------------------

Date: Sun, 14 Jul 2024 10:04:05 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Zombie browser says "what"? (Betanews)

Microsoft quit providing user access to Internet Explorer but the OS still
has it.

https://betanews.com/2024/07/10/resurrecting-internet-explorer-the-nasty-threat-impacting-potentially-millions-of-windows-10-and-11-users/

There are things you can do to prevent this.

Disable mhtml protocol
https://learn.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-037

MSHTA isn't IE. It's IE with no sandbox and OS level WSH/JScript access.
It's probably the most dangerous path to IE available on Windows. You can
prevent auto launch though.

Replace the mshta handler with something safer, like notepad. Or, cut its
network access using firewall rules.  An example of this (and a bunch of
other hardening rules) is available from
https://github.com/atlantsecurity/windows-hardening-scripts

I have personally had good luck with the Atlant scripts, but I would be
remiss if I didn't include: Do not run files if you do not know what they
are doing. Some of the hardening steps listed will disable insecure
features of Windows that are still in common use in large orgs. Manually
editing the registry can brick your box.
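
As an added example (not from the post above and not from the Atlant scripts), here is the firewall-rule approach in PowerShell: it prints the current .hta handler for review and adds outbound block rules for both copies of mshta.exe. The rule names and the htafile registry path are assumptions of this example; it needs an elevated prompt.

```powershell
# Added example: block outbound network access for mshta.exe, as suggested
# in the post above, and show the current .hta file handler so it can be
# reviewed before replacing it. Requires elevated PowerShell on Windows 10/11.
# Rule names and the registry path below are assumptions of this example.

$mshtaPaths = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\SysWOW64\mshta.exe"
)

# 1. Show what currently opens .hta files (read-only). htafile is the ProgID
#    Windows registers for HTML Applications; review before changing it.
$handlerKey = 'HKLM:\SOFTWARE\Classes\htafile\shell\open\command'
if (Test-Path $handlerKey) {
    $handler = (Get-ItemProperty -Path $handlerKey).'(default)'
    Write-Host "Current .hta handler: $handler"
}

# 2. Create one outbound block rule per mshta.exe binary, skipping rules
#    that already exist so the script can be re-run safely.
foreach ($path in $mshtaPaths) {
    if (-not (Test-Path $path)) { continue }   # 32-bit copy may be absent
    $dir  = Split-Path (Split-Path $path) -Leaf   # System32 or SysWOW64
    $name = "Block outbound mshta.exe ($dir)"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $name"
        continue
    }
    New-NetFirewallRule -DisplayName $name `
        -Direction Outbound -Program $path -Action Block `
        -Profile Any -Enabled True | Out-Null
    Write-Host "Created: $name -> $path"
}

# 3. Verify: list the rules and the program each one is bound to.
Get-NetFirewallRule -DisplayName 'Block outbound mshta.exe*' |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        '{0,-40} {1,-6} {2}' -f $_.DisplayName, $_.Action, $prog
    }
```

Blocking outbound traffic does not stop mshta.exe from running a local script; it only removes its download path, so pair it with the handler replacement the post describes.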

------------------------------

Date: Fri, 12 Jul 2024 23:44:11 -0400
From: Monty Solomon <monty@roscom.com>
Subject: You're holding your phone wrong? (WashPost)

Since you're unlikely to use your smartphone less, try these adjustments to
minimize hand and eye issues.

https://www.washingtonpost.com/technology/2024/07/11/holding-smartphone-wrong/

------------------------------

Date: Wed, 3 Jul 2024 14:24:14 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: In Ukraine War, A.I. Begins Ushering In an Age of
 Killer Robots (The New York Times)

In a field on the outskirts of Kyiv, the founders of Vyriy, a Ukrainian
drone company, were recently at work on a weapon of the future.

To demonstrate it, Oleksii Babenko, 25, Vyriy’s chief executive, hopped on
his motorcycle and rode down a dirt path. Behind him, a drone followed, as a
colleague tracked the movements from a briefcase-size computer.

Until recently, a human would have piloted the quadcopter. No longer.
Instead, after the drone locked onto its target — Mr. Babenko — it flew
itself, guided by software that used the machine’s camera to track him.

The motorcycle’s growling engine was no match for the silent drone as it
stalked Mr. Babenko. “Push, push more. Pedal to the metal, man,” his
colleagues called out over a walkie-talkie as the drone swooped toward
him. “You’re screwed, screwed!”

If the drone had been armed with explosives, and if his colleagues hadn’t
disengaged the autonomous tracking, Mr. Babenko would have been a goner.

https://www.nytimes.com/2024/07/02/technology/ukraine-war-ai-weapons.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

------------------------------

Date: Sun, 7 Jul 2024 18:54:32 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Perfect Apple Supply Chain Bug -- Millions of Apps at Risk of
 CocoaPods RCE (Security Boulevard)

10-year-old vulnerabilities in widely used dev tool include a CVSS 10.0
remote code execution bug.

CocoaPods, a dependency manager used by millions of Apple iOS and macOS
apps, suffered secret critical flaws since 2014. If they’d been exploited by
hackers, the consequences could have been disastrous.

And maybe they were exploited. In today's SB Blogwatch, it's hard to be
sure.  [...]

Is the lesson that you should audit your dependencies? No way, thinks Martin
Blank:

How do you reasonably do that? … The dependency stacks are so tall these
days that trying to audit the dozen libraries you call on (for a small
project) means auditing the dozens they rely on—and the hundreds that layer
relies on. If you have a project with thousands of dependencies, it becomes
impossible to vet them all, and it is impossible to recreate the
functionality in anything resembling an economically viable fashion without
a high risk of introducing your own vulnerabilities.

https://securityboulevard.com/2024/07/cocoapods-apple-vulns-richixbw/

------------------------------

Date: Fri, 5 Jul 2024 16:51:05 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: When AI tells you to verify

If an AI system's disclaimers tell you to verify through other sources
whether or not the AI system is giving you accurate answers to your
questions, then that AI system is, in essence, worthless as a
question-answering tool. -L

------------------------------

Date: Thu, 18 Jul 2024 12:55:14 -0400
From: Susan Greenhalgh <segreenhalgh@gmail.com>
Subject: In GA the Biggest Election Breach in History Has Gone
 Uninvestigated (Notus)

Here is an excellent summary of the failure to investigate the insider
voting system breaches in Georgia by Trump campaign operatives in 2021.
This breach was coordinated with and/or connected to other state breaches,
spanning state lines yet there is still no evidence of any federal
investigation.

In Georgia, the Biggest Election Breach in History Has Gone Uninvestigated
In 2020, a group of technicians accessed government election servers and
voting machines. The small town where it happened is still asking for
answers.

Jose Pagliery <https://www.notus.org/jose-pagliery>
July 18, 2024 05:30 AM | Updated: July 18, 2024 05:29 AM

------------------------------

Date: Sun, 14 Jul 2024 09:45:08 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: OpenAI illegally barred staff from airing safety risks,
 whistleblowers say (WashPost)

OpenAI whistleblowers have filed a complaint with the Securities and
Exchange Commission alleging the artificial intelligence company illegally
prohibited its employees from warning
<https://www.washingtonpost.com/technology/2024/06/04/openai-employees-ai-whistleblowers/>
regulators about the grave risks its technology may pose to humanity,
calling for an investigation.

The whistleblowers said OpenAI issued its employees overly restrictive
employment, severance and nondisclosure agreements that could have led to
penalties against workers who raised concerns about OpenAI to federal
regulators, according to a seven-page letter
<https://www.washingtonpost.com/documents/83df0e55-546c-498a-9efc-06fac591904e.pdf>
sent to the SEC commissioner earlier this month that referred to the formal
complaint. The letter was obtained exclusively by The Washington Post.

OpenAI made staff sign employee agreements that required them to waive
their federal rights to whistleblower compensation, the letter said. These
agreements also required OpenAI staff to get prior consent from the company
if they wished to disclose information to federal authorities. OpenAI did
not create exemptions in its employee nondisparagement clauses for
disclosing securities violations to the SEC.

These overly broad agreements violated long-standing federal laws and
regulations meant to protect whistleblowers who wish to reveal damning
information about their company anonymously and without fear of
retaliation, the letter said. [...]

https://www.msn.com/en-us/news/other/ar-BB1pVgU8

------------------------------

Date: Fri, 12 Jul 2024 16:14:09 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Drone photographer pleads guilty to Espionage Act charges
 (The Verge)

https://www.theverge.com/2024/7/12/24197356/chinese-national-graduate-student-espionage-act-drone-navy-shipyard-plea-guilty

------------------------------

Date: Sat, 13 Jul 2024 23:42:15 +0200
From: Bertrand Meyer <Bertrand.Meyer@inf.ethz.ch>
Subject: Re: Electronic voting (RISKS-34.35)

The previous post was evidently mistitled by PGN.

It should have been something like

  Electronic voting from Switzerland to another country

------------------------------

Date: Sun, 14 Jul 2024 14:12:13 -0400
From: Rebecca Mercuri <notable@mindspring.com>
Subject: Re: Voting in Switzerland

The assessments of electronic voting risks by the many authors in Peter
Neumann's newsletters are far from the "doomsday assessments" that you have
characterized as such. I encourage you to break the hypnotic spell that you
seem to have fallen into with respect to your recent experience with
electronic voting in the French legislative election, and consider the
questions below.

Why do you believe that the crypto certificate accurately recorded your vote
selections? Why do you believe that the tally of the votes that were cast
electronically by each of the voters is a correct summation?  Why do you
think that the crypto certificate assures correctness of the vote totals?
Why do you feel that having 44% of the voters lulled into using this system
is, in any way, a testimonial "to the broad success of the scheme"?

Indeed, a scheme is all that it is -- it is not a proof. Crypto voting is a
charade that requires voters to have blind faith in the correctness and
non-corruptibility of mathematical formulae and software that they have not
personally seen nor do they understand. What is the crypto certificate other
than just a string of symbols? Only if each voter is able to validate for
themself that their individual ballot has been recorded correctly, AND only
if there is a TRANSPARENT way by which all voters can be assured THAT THEIR
BALLOT CHOICES ARE CORRECTLY AGGREGATED INTO THE VOTE TOTALS can the
election results be trusted.

Unfortunately, for such transparency to occur with cryptographic voting,
there is a price -- everyone must be willing to cast their ballot PUBLICLY,
so that they cannot later claim that the totals generated by the
calculations are incorrect. If you'd like to give up privacy, then crypto
voting is fine. But since there are a great number of reasons why citizens
want to cast private ballots, public ballot casting is not an appropriate
method for government elections. As it turns out, the assurance of the
correctness of vote totals (from encrypted or non-encrypted ballots) is an
NP-Complete problem that takes longer to complete than the time needed to
certify the election tallies (i.e. the time when the vote totals need to be
announced). So the PROVABILITY of correctness of vote totals from non-public
casting of encrypted ballots in large elections is infeasible.

You should be asking these questions: 1) Is speed an appropriate trade-off
for transparent assurance of correctness of ballot contents and vote
tallies? 2) Could votes be erroneously encrypted in such a way that the
election results can be shifted? 3) Do you actually understand all of the
maths pertaining to how the crypto voting method works? 4) Do you trust the
government (or those they paid to create the voting system) to have properly
implemented this scheme? 5) Do you believe that this is a transparent and
independently auditable voting method?

------------------------------

Date: Mon, 15 Jul 2024 10:47:49 +0200
From: Bertrand Meyer <Bertrand.Meyer@inf.ethz.ch>
Subject: Re: Voting in Switzerland

I almost stopped at "hypnotic spell" as I think there are enough places for
gratuitous name-calling but RISKS is not one of them. All the more that, for
my part, I have followed some of Dr. Mercuri's pioneering work and respect
the major contributions it has made to our understanding of the field.

To answer Dr. Mercuri's questions: "1) Is speed an appropriate trade-off for
transparent assurance of correctness of ballot contents and vote tallies?" I
do not see any tradeoff here as there is no evidence that correctness is
being sacrificed. Facts please. 2) "Could votes be erroneously encrypted in
such way that the election results can be shifted?" I assume they
could. Also, when I order a box of paper clips on Amazon, my credentials
could be given to the Sicilian Mafia.  3) "Do you actually understand all of
the maths pertaining to how the crypto voting method works?" No. I also do
not understand much about fluid mechanics and combustion engineering, but I
travel on planes and drive cars.

On the side, when someone makes a comment about a field that I *do*
understand in depth, I refrain from using "do you understand the math?"
(meaning: I do and you don't) as my killer argument to prove them
wrong. (What about, instead, perhaps, explaining?)

Beyond arguments of sheer expert authority, the last two questions are the
most important. "4) Do you trust the government (or those they paid to
create the voting system) to have properly implemented this scheme?". Yes,
absolutely. France is a democracy with lots of checks and balances and
counter-powers. The press is very nasty with the government and prompt to
catch any appearance of wrongdoing. In practice, many in the academic
community (the kind of people who do "understand the math") are viscerally
opposed to the government. In social and psychological terms, a conspiracy
to skew the results algorithmically, one way or the other, is
unfathomable. And finally: "5) Do you believe that this is a transparent and
independently auditable voting method?" Of course I do, otherwise I would
not be voting electronically. My understanding is that the scheme (the
appropriate word, in its technical sense) was devised with advice from
people at INRIA, which is one of the best computer science research centers
in the world, with internationally respected cryptographers. For some of
their candid analysis see
https://www.inria.fr/fr/vote-electronique-securite-numerique-confidentialite.
It's as open and honest as you would expect from a scientific
organization. INRIA was also involved in the app that steered France through
Covid, and (whether or not we liked the idea) worked like a charm, with a
particular attention to preserving users' privacy. Let me actually turn
Dr. Mercuri's do-you-know questions back: do you know of any computer
scientist who is an expert in the field, has studied the French setup, and
uncovered actual risks?

We are not talking about a crazy out-of-the-blue experiment. People have
been discussing electronic voting, its risks and how to present them for a
quarter century now, and we have the benefit of analyses by such experts as
Dr. Mercuri, who have considerably advanced our understanding of the field.

Now is not the time, with the current political mess in France, for anyone
on this side of the pond to start lecturing the other. But it is important
to note that unlike in the US -- where every election triggers numerous
stories of alleged fraud, and endless recounts -- vote counting in France is
not a controversial topic. (Well, outside of Corsica.) The process is manual
and trusted. Although I cannot find it in the archive I sent a post to RISKS
some 24 years ago, at the time of the Gore-Bush Florida debacle, about
assisting a vote counting effort in Paris (any registered voter can
participate), all in a jovial atmosphere even between representatives of
rival parties. Everyone can check what is going on and the result is
incontrovertible. No doubt it helps that elections there are usually about
choosing *one* person, proposal or group, as opposed to the multiple
decisions required of US voters. But still there is a general feeling of
trust -- particularly remarkable between people who are by nature
adversaries.

My recent post was not proselytizing, it was just an experience report. Can
electronic voting be trusted? I believe this question should be evaluated
against the alternatives. Is examining hundreds of the now famous Floridian
"hanging chads" better? Is handing over the decision to the Supreme Court
(made, as the joke of the time went, of people appointed by a president and
now tasked with appointing his son) better? Is the persistent belief of tens
of millions of US voters that the 2020 elections were "rigged" better? Is
the $787 million to be paid by Fox News to Dominion (for fueling that
belief) better? I don't think so.

One alternative, when it is possible, may make e-voting unnecessary:
required in-person voting with paper ballots. But often the actually
available alternatives are dubious. After all, a Dominion Systems voting
machine *is* electronic voting, subject (for conspiracy theorists) to all
the corresponding distortions, but without the openness and public scrutiny
of the French scheme. Mail-in voting is widespread in the US and although it
has been shown -- in lawsuits -- to be quite safe, it is not hard to come up
with theoretical risks. The French mechanism for expat-voting was devised
for a good reason: many of the affected voters live far away from any
potential voting place; imagine you are a doctor in a small town in the
developing world.  In some countries, it is actually illegal to organize a
voting event for an election in another country. No solution is perfect, but
e-voting seems to be an excellent solution for such cases.

Whether its application should be broadened is up for discussion, but as
good scientists and technologists we should evaluate the pros and cons of
every option calmly and objectively. I could elaborate but, sorry, I need to
get back to my hypnosis session.

------------------------------

Date: Fri, 12 Jul 2024 10:19:36 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Re: Russian Disinformation (RISKS-34.35)

Re: Canada warns of AI-driven Russian 'bot farm' spreading disinformation
 online (CBC)

There is an extensive article in The NYTimes, originally online
three days prior, and in the print edition yesterday:

  U.S. and Allies take aim at Russian Disinformation
  Steven Lee Myers and Julian E. Barnes
  *The New York Times* National print edition, 11 Jul 2024

  A campaign designed to stoke internal political divisions

  Spreading dubious content has become easier with AI.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.36
************************
