[Politech] Reason magazine cover story has unusual privacy theme
_Reason_ pulls a cryptomesque BigEye op on subscribers:

To: [EMAIL PROTECTED]
X-URL: http://www.mccullagh.org/
Subject: [Politech] Reason magazine cover story has unusual privacy theme [priv]

[Disclaimer: I was involved with the Reason article. --Declan]

http://www.nytimes.com/2004/04/05/business/05reason.html

Putting 40,000 Readers, One by One, on a Cover
DAVID CARR
Published: April 5, 2004

When the 40,000 subscribers to Reason, the monthly libertarian magazine, receive a copy of the June issue, they will see on the cover a satellite photo of a neighborhood - their own neighborhood. And their house will be graphically circled.

On one level, the project, sort of the ultimate in customized publishing, is unsurprising: of course a magazine knows where its subscribers live. But it is still a remarkable demonstration of the growing number of ways databases can be harnessed. Apart from the cover image, several advertisements are customized to reflect the recipient's particulars.

Nick Gillespie, editor in chief of Reason, said the magazine, with an editorial mission of "Free Minds, Free Markets," used the stunt to illustrate the cover article about the power and importance of databases.

"Our story is man bites dog," Mr. Gillespie said. "Everybody, including our magazine, has been harping on the erosion of privacy and the fears of a database nation. It is a totally legit fear. But they make our lives unbelievably easier as well, in terms of commercial transactions, credit, you name it."

Rodger Cosgrove, president of Entremedia, a direct marketing firm and a member of Reason's board, assisted in coming up with a program that allows the subscriber list to be integrated with satellite photographs. He also worked with Xeikon, the manufacturer of the printer that made the endless customization possible.

[...]

- End forwarded message -
___
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
Utah vs. first amendment, global 'net, cookies
(I'm not defending hostile spyware but there are problems with the law..)

http://www.pcworld.com/news/article/0,aid,115527,00.asp

Tom Spring, PC World
Friday, April 02, 2004

Utah has become the first state to make spyware a crime, passing a law that makes it illegal to install such programs on a PC without approval. Starting in early May, violators face a fine of $10,000 per incident, under the new Spyware Control Act.

The Utah law aims to regulate the use of spyware and other advertising software, which is infamous for annoying computer users by tracking and reporting their Web whereabouts and displaying ads.

A software company that wants to load a surveillance program onto a Utah user's PC must make full disclosure, under the law. It must reveal what user behavior its software records, what information goes back to a central server, how often ads will appear, and how the ads look. Vendors must also clearly state the purpose of the downloaded software and any changes it makes to a PC's system.

snip

Opponents say the Spyware Control Act is a legal threat to a technology company's right to innovate. Hackett says the Utah law could be interpreted to ban free ad-sponsored software, and perhaps even threaten common e-mail programs that track when and which messages are delivered.

State Rep. Urquhart says the law will let a Utah firm sue a spyware company that doesn't follow the Spyware Control Act, when its program displays ads on the Web site of a Utah-based business. He also says the act will help protect consumers by forcing spyware companies to be more upfront about their software.
The wrong stuff: what it takes to be a TSA terror suspect
http://www.theregister.co.uk/2004/04/07/aclu-suit/print.html

The Register
Biting the hand that feeds IT

The Register » Internet and Law »
Original URL: http://www.theregister.co.uk/2004/04/07/aclu-suit/

The wrong stuff: what it takes to be a TSA terror suspect
By John Lettice ([EMAIL PROTECTED])
Published Wednesday 7th April 2004 17:47 GMT

The plaintiffs' statements in an American Civil Liberties Union lawsuit against the Department of Homeland Security and the Transport Security Administration provide some useful clues about what it takes to make the grade as a dangerous terror suspect. Career USAF Master Sergeant and mother of three? Retired Presbyterian Minister? ACLU special projects co-ordinator with Pakistani-type name?

Well yes, that last one might not have come entirely as a surprise to you, but the ACLU has chosen its sample plaintiffs well. They are all American citizens who've experienced repeated delays and embarrassments because they are on the shady 'no fly' list distributed to US airlines by the TSA. No reason for their presence on this list is obtainable, and there would appear to be no easy mechanism for getting off it.

According to the statement of Rev John F Shaw (71), when he complained to the TSA's Ombudsman's office a TSA agent explained that the list is computer-generated and linked to another database known as CAPPS. The CAPPS link is a strong signal that the no fly list will in the future be substantially expanded as the TSA expands its use of airline passenger data.

The statements also indicate that the TSA itself has no ready mechanism for getting people off the list. It seems to agree with some of the plaintiffs that they're false positives, but they keep getting the treatment on subsequent flights anyway. Two of the plaintiffs have actually been given letters from the TSA verifying their identity, but one of these still experiences problems. The second, student Alexandra Hay, was given a personal escort through Philadelphia Airport by the TSA along with the letter after the ACLU threatened to sue on her behalf.

Attorney David Nelson meanwhile reports he has been stopped over 40 times, and that other people called David Nelson, including the one who's a sitcom star, have had similar problems.

The ACLU is asking that the court declare that the no-fly list violates passengers' constitutional rights to freedom from unreasonable search and seizure and due process of law under the Fourth and Fifth Amendments. ®

Related link
ACLU launches suit (http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=15430c=272)

--
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
RE: Firm invites experts to punch holes in ballot software
Firm invites experts to punch holes in ballot software

The company's software is designed to let voters verify that their ballots were properly handled. It assigns random identification numbers to ballots and candidates. After people vote, they get a receipt that shows which candidates they chose--listed as numbers, not names. Voters can then use the Internet and their ballot identification number to check that their votes were correctly counted.

This is kind of broken. Allowing the voter to get a receipt which they take away with them for verification may allow the voter to verify that their vote was recorded as cast, but also allows coercion and vote buying.

To their credit, the creators thought of this, and suggest a partial procedural fix in the threat analysis document:

P4. Let voters discard verification receipts in poll site trash can and let any voter take them
    Result: Buyer/coercer can't be sure voter generated verification receipt
P5. Have stacks of random printed codebooks freely available in poll site
    Result: Vote buyer/coercer can't be sure captured codebook was used
P6. Have photos of on-screen codebooks freely available on-line
    Result: Vote buyer/coercer can't be sure captured codebook was used

The first problem, of course, is that a person under threat of coercion will need to present the coercer with a receipt showing exactly the mix of votes the coercer required. This leads to a combinatorial explosion of fake receipts that need to be available. Having only one vote on each receipt might mitigate this, but it still gets really messy.

Second, it's not clear how this protects against the coercer checking the ballot online - will every fake also be recorded in the system, so it passes the online check? Having both real and fake ballots in the verification server makes me very nervous.

It's possible I've missed something - this is based on a quick glance through the online documents, but I don't see any advantage this system has over the much more discussed one where the receipt is printed in a human readable way, shown to the voter, but retained inside the machine as a backup for recounts.

Just my private, personal opinion.

Peter Trei
RE: Firm invites experts to punch holes in ballot software
Peter, what would be wrong with having a machine in the booth that prints any valid receipt BUT is not connected to the voting system. To vote use the red machine; if you're being coerced you can use the blue machine to print as many receipts as intimidators.

A trade off between (mild) user complexity and the desire for receipts (without coercion).

At 10:17 AM 4/7/04 -0400, Trei, Peter wrote:

> This is kind of broken. Allowing the voter to get a receipt which they take away with them for verification may allow the voter to verify that their vote was recorded as cast, but also allows coercion and vote buying.
>
> To their credit, the creators thought of this, and suggest a partial procedural fix in the threat analysis document:
>
> P4. Let voters discard verification receipts in poll site trash can and let any voter take them
>     Result: Buyer/coercer can't be sure voter generated verification receipt
> P5. Have stacks of random printed codebooks freely available in poll site
>     Result: Vote buyer/coercer can't be sure captured codebook was used
> P6. Have photos of on-screen codebooks freely available on-line
>     Result: Vote buyer/coercer can't be sure captured codebook was used
>
> The first problem, of course, is that a person under threat of coercion will need to present the coercer with a receipt showing exactly the mix of votes the coercer required. This leads to a combinatorial explosion of fake receipts that need to be available. Having only one vote on each receipt might mitigate this, but it still gets really messy.
>
> Second, it's not clear how this protects against the coercer checking the ballot online - will every fake also be recorded in the system, so it passes the online check? Having both real and fake ballots in the verification server makes me very nervous.
>
> It's possible I've missed something - this is based on a quick glance through the online documents, but I don't see any advantage this system has over the much more discussed one where the receipt is printed in a human readable way, shown to the voter, but retained inside the machine as a backup for recounts.
>
> Just my private, personal opinion.
>
> Peter Trei
VoteHere Release Audit Trail Code
http://www.internetnews.com/dev-news/print.php/3336851

Internetnews.com

VoteHere Release Audit Trail Code
By Jim Wagner
April 7, 2004

E-voting software developer VoteHere made its audit checking source code available for download Tuesday in a bid to prove its software does what it promises: provide a verifiable audit trail over every citizen's vote.

Much of the debate surrounding the electronic tabulation of votes has centered on the machines' ability (or inability in this case) to record votes and then let voters and election officials verify the correct vote was entered and stored in the central repository.

Jim Adler, VoteHere founder, said the source code makes good on its promise back in August 2003 when the company announced a partnership with e-voting machine manufacturer Sequoia, to release the code for all to see.

"We're a bunch of cryptographers and as students of cryptography, we know there's no real security in obscurity and feel that openness and transparency are an important part of the process, especially with technology that is used to audit an e-voting machine," he told internetnews.com.

To date, attempts by e-voting opponents to get software makers to release their code for public scrutiny have met with failure. The most notable case dealt with manufacturer Diebold Election Systems, which filed cease-and-desist orders against a group of college students who discovered vulnerabilities in its machines and posted their findings on the Internet, as well as anyone who put links to the vulnerabilities on their Web site and their Internet service providers (ISP).

In December 2003, the company withdrew the orders after the college students, through the Electronic Frontier Foundation (EFF) filed suit against them. Eight days later, Diebold and five other manufacturers banded together under the Information Technology Association of America to identify and address security concerns and raise the profile of electronic voting.

VoteHere officials expect the open-sourcing of its audit trail will close the debate on its area of security, at least. Though its software only runs on Sequoia's machines, Adler said the manufacturer makes up 20 to 30 percent of the industry's market share.

The company paid Dr. Robert Baldwin, co-founder of California-based Plus Five Consulting and former technical director of RSA Security, to conduct an independent analysis of its code, who said he was in no way affiliated with VoteHere.

"We actually found fewer types of problems than we normally find when we look at other people's code," he told internetnews.com. "I think they definitely had an eye towards producing higher-quality code because they knew somebody was going to go looking at it."

The software could easily look at 100 million-person audit trail and verify it within an hour.

Individuals who want to review the code can download it here: http://www.votehere.com/downloads.html

--
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Firm invites experts to punch holes in ballot software
Trei, Peter wrote:

> Frankly, the whole online-verification step seems like an unnecessary complication.

It seems to me that the requirement for after-the-vote verification (to prove your vote was counted) clashes rather directly with the requirement to protect voters from coercion (I can't prove I voted in a particular way.) or other incentives-based attacks.

You can have one, or the other, but not both, right?

It would seem that the former must give way to the latter, at least in political voting. I.e., no verification after the vote.

iang
RE: Firm invites experts to punch holes in ballot software
Ian Grigg[SMTP:[EMAIL PROTECTED] wrote:

> Trei, Peter wrote:
>
> > Frankly, the whole online-verification step seems like an unnecessary complication.
>
> It seems to me that the requirement for after-the-vote verification (to prove your vote was counted) clashes rather directly with the requirement to protect voters from coercion (I can't prove I voted in a particular way.) or other incentives-based attacks.
>
> You can have one, or the other, but not both, right?
>
> It would seem that the former must give way to the latter, at least in political voting. I.e., no verification after the vote.
>
> iang

Yes, that seems to be the case. Note that in the current (non computer) systems, we have no way to assure that our votes actually contributed to the total, but the procedural stuff of having mutually hostile observers to the counting process makes deliberate discarding of one side's votes less likely. (Non-deliberate losses - such as the recent failure to record cards marked with the wrong kind of pen - can still happen).

VoteHere, while they seem to be well-meaning, have not solved the problem. Mercuri & Rivest have described how to do it right; we just need someone to build or retrofit the machines appropriately.

Peter Trei
Muslim Rivals Unite In Baghdad Uprising
Bwhhhahahahhahah --ROFL

This thing is getting funnier by the minute.

On Monday, residents of Adhamiya, a largely Sunni section of northern Baghdad, marched with followers of Moqtada Sadr, the militant Shiite cleric whose call for armed resistance was answered by local Sunnis the same afternoon, residents said.

http://www.washingtonpost.com/wp-dyn/articles/A56091-2004Apr6.html

--
Harmon Seaver
CyberShamanix
http://www.cybershamanix.com
Hokay hey!