RISKS Forum mailing list archives

Risks Digest 31.70


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 21 Apr 2020 12:06:55 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 21 April 2020  Volume 31 : Issue 70

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.70>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Zoom's security woes were no secret to its business partners (NYTimes)
New Pressure on Voatz for false claims in Oregon (Politico)
2B phones cannot use Google and Apple contact-tracing tech
  (Ars Technica)
Microsoft says the pandemic argues for a federal privacy law (WashPost)
Computer Fraud and Abuse Act (WashPost)
What do SHARP IoT devices and facial masks produced by its factory have in
  common? (CNET Japan via Chiaki Ishikawa)
Re: Australian Government proposes to distribute Coronavirus App
  (Michael Bacon)
Re: Internet Usage update (Stewart Fist)
Re: The world after coronavirus (3daygoaty)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 21 Apr 2020 10:43:32 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Zoom's security woes were no secret to its business partners
  (NYTimes)

Natasha Singer and Nicole Perlroth, *The New York Times*, front page
of the business section, today, 21 April 2020

Interestingly, Dropbox sponsored a bug bounty program to find bugs in Zoom.

Very informative article.

------------------------------

Date: Tue, 21 Apr 2020 10:44:52 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: New Pressure on Voatz for false claims in Oregon (Politico)

Politico reports:

The controversial mobile voting firm Voatz may have violated Oregon consumer
protection law by making false claims about the security of its Internet
voting app, an activist group said in a letter (attached) to Oregon Attorney
General Ellen Rosenblum. In urging Rosenblum to investigate the company's
behavior, Free Speech For People cited damning audits by researchers at MIT
and Trail of Bits as well as Voatz's "false, misleading or specious"
pushback to those audits as evidence that it violated the Unlawful Trade
Practices Act in Oregon, where two counties have pilot-tested its app. The
letter also cited Voatz's misrepresentation of a still-secret DHS audit and
its refusal to release an audit performed by ShiftState Security. Susan
Greenhalgh, Free Speech for People's senior adviser on election security,
and Ron Fein, its legal director, argued that "Voatz has been making false,
misleading or deceptive claims to promote and sell its product."

Voatz told MC it would "participate in any conversation with the AG's office
to resolve all questions." A spokesperson added, "We're believers that all
technology should be considered, vetted, and tested carefully -- including
ours." If Oregon opens an investigation, it would be merely the latest
headache for the company. Already, the bad publicity from the excoriating
security audits led West Virginia to cancel its partnership with Voatz for
the state's May 12 primary. In 2018, West Virginia became the first state to
let military and overseas voters use Voatz in a live election.

"Voatz has been marketing its product with emphatic claims regarding
security, but those claims don't hold up in the light of the independent
security reviews recently published," Greenhalgh told MC. "It's time to
investigate to determine if those faulty claims could constitute a violation
of law."

------------------------------

Date: Tue, 21 Apr 2020 01:42:36 -0400
From: Monty Solomon <monty () roscom com>
Subject: 2B phones cannot use Google and Apple contact-tracing tech
  (Ars Technica)

System developed by Silicon Valley relies on technology missing from older
handsets.

https://arstechnica.com/tech-policy/2020/04/2-billion-phones-cannot-use-google-and-apple-contract-tracing-tech/

------------------------------

Date: Tue, 21 Apr 2020 9:13:10 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Microsoft says the pandemic argues for a federal privacy law
  (WashPost)

*The Washington Post*, 21 Apr 2020

Microsoft executives say the coronavirus pandemic underscores the need for a federal privacy law.

``In the U.S., the need for this conversation in the midst of a pandemic
underscores the urgency for a strong federal privacy law,'' write Julie
Brill, chief privacy officer, and Peter Lee, corporate vice president for
research and regulation.

``An updated legal framework placing obligations on businesses that collect
and use personal data would help provide the necessary guardrails for
companies to know how to protect and respect personal data as they create
tools and technologies to address urgent societal needs.''

The Washington state tech giant is weighing in on a growing debate between
privacy and public safety as it is providing AI to researchers, developing a
self-checking tool and protecting hospitals from ransomware. The executives
also released privacy principles to which they urge governments to adhere
when using technology in their responses, including:

 * Providing transparency around why data is collected and how it is used
 * Giving people a choice over where their data is stored
 * Limiting data use to public health applications
 * Deleting data once the emergency is over

------------------------------

Date: Tue, 21 Apr 2020 09:34:26 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Computer Fraud and Abuse Act (WashPost)

https://www.washingtonpost.com/politics/courts_law/supreme-court-montana-superfund-epa/2020/04/20/872f22e0-8309-11ea-ae26-989cfce1c7c7_story.html
(see bottom of Courts & Law section in the URL)

"In the case the justices accepted, Van Buren was supposed to run searches
only for official law enforcement reasons. Instead, he was paid by an
individual working as part of a police sting operation to run a license
plate belonging to an exotic dancer whom the man said he was interested in
getting to know better."

When police use a computer for an unofficial purpose, is it legal or not?

------------------------------

Date: Wed, 22 Apr 2020 00:20:54 +0900
From: "ISHIKAWA,chiaki" <ishikawa () yk rim or jp>
Subject: What do SHARP IoT devices and facial masks produced by
 its factory have in common? (CNET Japan)

SHARP, a Japanese electronics company, turned one of its LCD factories into
a facial mask maker earlier this year.  The scarcity of facial masks in the
market prompted the company to produce masks in the clean room of its
former LCD factory.  It began shipping facial masks earlier this month,
initially to medical facilities.

Of course, SHARP produces many other home electronic goods, including air
conditioners, air purifiers, intelligent cooking devices, etc.  Under
SHARP's recent IoT application framework, SHARP's IoT devices, including
the goods mentioned in the previous sentence, can be controlled by a
smartphone app via SHARP's cloud.

The news is that after SHARP's mask sales to the general public started via
its website on 21 Apr, users of SHARP IoT devices began reporting that they
could no longer control them via the smartphone app.  Local control using
the infrared remote controller or physical switches works as usual.

Why?

It turns out that the SHARP IoT control app accesses an authentication
server that happens to run on the SAME SERVER as the web server that
handles the sales of facial masks to the general public.  The server could
not keep up with the surge of workload due to the facial mask sales on
21 Apr.

The app seems to access the authentication server each time a command is
invoked, adding to the workload surge.  (The user enters a userid/password
pair, and it seems the pair is cached locally on the phone, so the user does
not have to retype it.  However, each time a command is sent to a device,
the authentication server seems to be accessed for authentication.  Ouch.)

Careful planning of server peak usage and the migration of server functions
will be in order in the IoT age.  (Not that it was unnecessary before, but
careful server deployment planning is much more in demand now that there
are devices that can be controlled by smartphones via a server, and some
devices have no interactive LCD numeric display or buttons at all, relying
on network-based control via smartphone alone (!).)  Many of these IoT
devices affect our daily living and, in the worst case, even our lives.

BTW, I am dumbfounded by SHARP's response, as follows.  It is as if there
were no users of the smartphone app controlling these devices.  SHARP's PR
department was contacted by the writer of the news article below, and
according to it, SHARP plans to accept orders for facial masks at 10:00 A.M.
each day, when the available amount of daily stock delivered from the
factory is entered, until the stock runs out for the day.  This will be
repeated daily from April 21st to May 10th.  Such is the high demand for
facial masks in Japan.  SHARP says it has no plan to change this practice,
but it would monitor the situation and may modify the sales practice.

I bet irate SHARP users and their blog posts will FORCE SHARP to do
something by the end of this week, given that we have an unusually cold
April this year.  A savvy network company would have switched the web
server front end to a different host in no time and possibly moved the
backend database server to a different host very fast using replication.

https://japan.cnet.com/article/35152681/  (in Japanese)
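Added example, not from the CNET article and not SHARP's code: a small Python
model of the failure mode described above.  It compares an app that re-sends
the userid/password to the authentication server on every command with one
that logs in once, receives a short-lived HMAC-signed token, and lets the
device backend verify that token locally.  When the co-located auth server is
starved by the sales surge, the first design loses almost every command; the
second keeps working for the token's lifetime.  The capacity figures, the
token format, the credential, the TTL and the device command are all
constructed for illustration and are assumptions, not SHARP's design.

```python
"""Model of an IoT control path whose auth server shares a host with a busy web shop.

Added example; all numbers, names and the token format are constructed assumptions.
"""
import base64
import hashlib
import hmac
import json

AUTH_KEY = b"constructed-demo-key"  # assumed shared between auth server and device backend
TOKEN_TTL = 600                     # seconds; assumed token lifetime


class AuthServer:
    """Checks passwords and mints tokens.  `capacity` is how many requests it can serve
    per tick; anything beyond that gets no answer (the 503 an overloaded host returns)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.load = 0
        self.users = {"alice": "correct horse"}  # constructed credential

    def new_tick(self):
        self.load = 0

    def login(self, user, password, now):
        self.load += 1
        if self.load > self.capacity or self.users.get(user) != password:
            return None
        body = json.dumps({"sub": user, "exp": now + TOKEN_TTL}, sort_keys=True).encode()
        sig = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(body).decode() + "."
                + base64.urlsafe_b64encode(sig).decode())


def verify_token(token, now):
    """Device backend validates the token with the shared key alone: no auth-server call.
    Returns the subject on success, None on a malformed, forged or expired token."""
    try:
        b, s = token.split(".")
        body = base64.urlsafe_b64decode(b)
        sig = base64.urlsafe_b64decode(s)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None
    return claims["sub"]


class DeviceBackend:
    """Accepts a command only with a valid token; records who did what."""

    def __init__(self):
        self.commands = []

    def command(self, token, cmd, now):
        user = verify_token(token, now)
        if user is None:
            return False
        self.commands.append((user, cmd))
        return True


def run(reauth_every_command, ticks=10, commands_per_tick=50, surge_from=3,
        capacity_normal=1000, capacity_surge=5):
    """Issue `commands_per_tick` app commands per tick (one tick = one second).
    From tick `surge_from` the mask sale starves the auth server down to
    `capacity_surge` requests per tick.  Returns how many commands succeeded."""
    auth = AuthServer(capacity_normal)
    dev = DeviceBackend()
    token = None
    ok = 0
    for now in range(ticks):
        auth.capacity = capacity_surge if now >= surge_from else capacity_normal
        auth.new_tick()
        for _ in range(commands_per_tick):
            # The per-command design always logs in; the cached design only when
            # it has no token or the token has expired.
            if reauth_every_command or verify_token(token, now) is None:
                token = auth.login("alice", "correct horse", now)
            if token is not None and dev.command(token, "aircon:on", now):
                ok += 1
    return ok


if __name__ == "__main__":
    print("re-auth per command:", run(True), "of", 10 * 50)
    print("cached token:       ", run(False), "of", 10 * 50)
```

With the assumed figures, the per-command design completes 185 of 500 commands
and the cached-token design all 500.  The trade-off a practitioner should keep
in mind: a locally verified token cannot be revoked before its TTL expires
without an extra check, so TTL is a balance between availability during an
auth-server outage and how quickly a stolen phone or changed password takes
effect.  The token also does nothing about the root cause reported above,
which is putting the auth server and the sales front end on the same host.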

------------------------------

Date: Tue, 21 Apr 2020 11:34:13 +0100
From: A Michael W Bacon <amichaelwbacon () gmail com>
Subject: Re: Australian Government proposes to distribute Coronavirus App
  (RISKS-31.69)

Of the proposed app, John Colville said its use was:

to help identify contacts of people who have been identified as having novel Coronavirus (COVID-19)

This contains an error that is being made far too often in reporting on
"contact tracing" apps.

Unless the app is forcibly updated (and then locked) by a clinician, the
user will *not* have been *identified* as being infected.

The apps currently being touted in the Western world rely on the user
updating the app with their diagnosis.  If they desire not to, there is no
compulsion, and if there were, how would it be enforced?  Conversely, if an
uninfected user decides to flag themselves as infected, there is nothing to
stop them; post facto there might be a legal sanction ... but a defence
would undoubtedly be: "I was running a temperature and decided to warn
others."

Consider in this latter instance a pupil who decides to "lockdown" their
school and so marks themself as infected.  Consider too the prankster who
marks the app on a burner phone as 'infected' and ties it to a dog which is
then allowed to run loose, or who hides the phone in a location
visited/passed by many people (say a railway station, or a street in a
business/commercial area - yes, even in these times).  Hundreds to thousands
of 'contacts' could/would be flagged in a short space of time through the
exponential process.

Then, from the app's perspective a 'contact' is not necessarily an
epidemiological contact, there might well be a physical barrier between the
parties.

The effectiveness of such apps in Western society is questionable, and their
use and abuse could cause more problems than the one they're trying to fix.

The proposals have the hallmarks of the classical false syllogism: "We must
do something; this is something; so we must do it."

------------------------------

Date: Tue, 21 Apr 2020 09:44:52 +1000
From: Stewart Fist <stewart_fist () optusnet com au>
Subject: Re: Internet Usage update (RISKS-31.69)

Would the Information Technology Community promote the idea that we should
all pay a low fee for sending each email?

I know every reader of RISKS will initially bristle at the idea.  But, if we
were charged, say, 1 cent per mail sent, then most individuals would pay
only fractions of a dollar a day, and in a competitive world, this would be
set off against annual fees.

However, those scam organisations which exist by flooding the world's
mailboxes with unwanted, illegal and disgusting emails by the millions
would be quickly driven out of business.

The global email and Internet system is never going to reach its potential
until there is an actual money penalty for abusing the technology.

Couldn't such a charge be introduced on a global scale at the borders?

I believe it could.

------------------------------

Date: Tue, 21 Apr 2020 10:53:55 +1000
From: "3daygoaty ." <threedaygoaty () gmail com>
Subject: Re: The world after coronavirus (RISKS-31.69)

The last time I looked, my state government attempted to have us all use a
smart card to carry around and use to access the mass transport system.
This ran years late and cost three times as much as they expected.  I
believe but I can't prove, that at least 10% of users travel for free every
day.

You'd think *security experts* forced to wear the security anklets might
turn their efforts to tricking the anklet (with a Gummy Bear, or something)?
And so if my government forced 10 million bracelets (or apps or such) on us,
how long would it take for someone to break or jam one and publish the
instructions?  A week?

It reminds me of the film Gorky Park where apparently all the phones were
surveilled but this was defeated by turning the rotary dialer and sticking a
pencil in it.  This is what all the characters in the film did when they
needed a private conversation.  The (very large) cost of listening to all
those phones was subverted by a ten cent pencil.

Aren't these technical asymmetries also a risk for Kim Jong Un?

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.70
************************
