document [
https://www.documentcloud.org/documents/25260169-mod-bp-22-071-232_5622_1-4], as of December 2022 law enforcement in the country could rent spyware for €150 a day, regardless of which vendor they used, and without the large acquisition costs which would normally be prohibitive.

As a result, thousands of spyware operations have been carried out by Italian
authorities in recent years, according to a report [
https://irpimedia.irpi.eu/en-italian-spyware-on-the-international-market/] from Riccardo Coluccini, a respected Italian journalist who specializes in covering spyware and hacking.
Italian spyware is cheaper and easier to use, which makes it more widely
used. And Italian companies have been in this market for a long time.
** *** ***** ******* *********** *************
** STEVE BELLOVIN’S RETIREMENT TALK ------------------------------------------------------------
[2024.11.20] [
https://www.schneier.com/blog/archives/2024/11/steve-bellovins-retirement-talk.html]
Steve Bellovin is retiring. Here’s [
https://www.cs.columbia.edu/~smb/blog/2024-05/2024-05-09.html] his
retirement talk, reflecting on his career and what the cybersecurity field needs next.
** *** ***** ******* *********** *************
** SECRET SERVICE TRACKING PEOPLE’S LOCATIONS WITHOUT WARRANT ------------------------------------------------------------
[2024.11.21] [
https://www.schneier.com/blog/archives/2024/11/secret-service-tracking-peoples-locations-without-warrant.html]
This feels important [
https://www.404media.co/email/f459caa7-1a58-4f31-a9ba-3cb53a5046a4/]:
The Secret Service has used a technology called Locate X which uses
location data harvested from ordinary apps installed on phones. Because
users agreed to an opaque terms of service page, the Secret Service
believes it doesn’t need a warrant.
** *** ***** ******* *********** *************
** THE SCALE OF GEOBLOCKING BY NATION ------------------------------------------------------------
[2024.11.22] [
https://www.schneier.com/blog/archives/2024/11/the-scale-of-geoblocking-by-nation.html]
Interesting analysis [
https://www.lawfaremedia.org/article/how-geoblocking-limits-digital-access-in-sanctioned-states]:
We introduce and explore a little-known threat to digital equality and
freedom -- websites geoblocking users in response to political risks from sanctions. U.S. policy prioritizes internet freedom and access to
information in repressive regimes. Clarifying distinctions between free and paid websites, allowing trunk cables to repressive states, enforcing transparency in geoblocking, and removing ambiguity about sanctions
compliance are concrete steps the U.S. can take to ensure it does not
undermine its own aims.
The paper: “Digital Discrimination of Users in Sanctioned States: The Case
of the Cuba Embargo [
https://www.usenix.org/conference/usenixsecurity24/presentation/ablove]”:
Abstract: We present one of the first in-depth and systematic end-user
centered investigations into the effects of sanctions on geoblocking, specifically in the case of Cuba. We conduct network measurements on the
Tranco Top 10K domains and complement our findings with a small-scale user study with a questionnaire. We identify 546 domains subject to geoblocking across all layers of the network stack, ranging from DNS failures to
HTTP(S) response pages with a variety of status codes. Through this work,
we discover a lack of user-facing transparency; we find 88% of geoblocked domains do not serve informative notice of why they are blocked. Further,
we highlight a lack of measurement-level transparency, even among HTTP(S) blockpage responses. Notably, we identify 32 instances of blockpage
responses served with 200 OK status codes, despite not returning the
requested content. Finally, we note the inefficacy of current improvement strategies and make recommendations to both service providers and
policymakers to reduce Internet fragmentation.
** *** ***** ******* *********** *************
** SECURITY ANALYSIS OF THE MERGE VOTING PROTOCOL ------------------------------------------------------------
[2024.11.25] [
https://www.schneier.com/blog/archives/2024/11/security-analysis-of-the-merge-voting-protocol.html]
Interesting analysis: An Internet Voting System Fatally Flawed in Creative
New Ways [
https://arxiv.org/pdf/2411.11796].
Abstract: The recently published “MERGE” protocol is designed to be used
in the prototype CAC-vote system. The voting kiosk and protocol transmit
votes over the internet and then transmit voter-verifiable paper ballots through the mail. In the MERGE protocol, the votes transmitted over the internet are used to tabulate the results and determine the winners, but
audits and recounts use the paper ballots that arrive in time. The
enunciated motivation for the protocol is to allow (electronic) votes from overseas military voters to be included in preliminary results before a
(paper) ballot is received from the voter. MERGE contains interesting ideas that are not inherently unsound; but to make the system trustworthy -- to
apply the MERGE protocol -- would require major changes to the laws,
practices, and technical and logistical abilities of U.S. election jurisdictions. The gap between theory and practice is large and
unbridgeable for the foreseeable future. Promoters of this research project
at DARPA, the agency that sponsored the research, should acknowledge that
MERGE is internet voting (election results rely on votes transmitted over
the internet except in the event of a full hand count) and refrain from claiming that it could be a component of trustworthy elections without
sweeping changes to election law and election administration throughout the U.S.
** *** ***** ******* *********** *************
** WHAT GRAYKEY CAN AND CAN’T UNLOCK ------------------------------------------------------------
---
* Origin: High Portable Tosser at my node (21:1/229.1)