Monday, January 31, 2005

More on explaining the exit polls

A thoughtful post in Left2Right discusses the polling company's analysis of what went wrong in the November 2004 election exit polls, and finds it wanting, based on further analysis of the analysis.

"In the 1970’s and 80’s I worked on election nights for a major network as part of a team of statisticians making “calls” in statewide races (President, Senator, and Governor). Eventually, the team was disbanded because exit polls were so accurate that our expertise was no longer needed."

"But in the past election, the exit polls differed from the recorded vote by an unprecedented amount. Nationwide, exit polls predicted that Kerry had won by 3%, but the final tally showed Bush ahead by 2.5%. Errors in some key states were even larger. As a statistician, I have been concerned that the errors were unexplained..."

"Let me be very clear. I do not assert there was extensive fraud. I would prefer not to think that, and I had hoped the E/M report would reveal a systematic flaw in their methods that accounted for the errors. But it hasn't, and the issue is still open. The E/M report does not account for the biases in a manner that would support explanation (2). The exit polls may well have been flawed, but we have yet to see a plausible account of how or why."

"The data released thus far beg for a more thorough analysis. E/M have not released precinct-level data, which would be necessary to determine whether voting technology is a factor. I hope that they will do so soon. I also hope that the news media report this story so that the public can be widely informed about it. I recognize that if significant problems with the reported vote are found, Republicans will feel that the effort was somehow directed against them. But honest voting is a value that should be supported equally by both Left and Right. We cite discrepancies between exit polls and votes in elections in other countries as evidence of problems. Especially when we have been called to spread liberty and democracy throughout the world, it behooves us to make our own democracy as open and honest as we can."



Sunday, January 30, 2005

Government computer blunders are common and expensive

SecurityFocus has an AP story on government computing projects gone awry.

"The FBI's failure to roll out an expanded computer system that would help agents investigate criminals and terrorists is the latest in a series of costly technology blunders by government over more than a decade. Experts blame poor planning, rapid industry advances and the massive scope of some complex projects whose price tags can run into billions of dollars at U.S. agencies with tens of thousands of employees."

" 'There are very few success stories,' said Paul Brubaker, former deputy chief information officer at the Pentagon. 'Failures are very common, and they've been common for a long time.' "



Friday, January 28, 2005

EFF on "recounting" electronic ballots

A post on EFF's Deep Links discusses the problem with "recounting" DRE ballots.

"Now that the dust has settled on the majority of the close elections nationwide, we can see more clearly than ever the most disturbing problem caused by using paperless touchscreen voting machines: the recounts were, to put it bluntly, a charade."

"The goal of a recount is to ensure that the voters' intentions were properly recorded and the right person won. That's why we pull out the punch cards and review them for hanging chads, or check optically scanned ballots for stray marks.
But nothing remotely that sensible occured in Washington State, Ohio, or anywhere else that voters used paperless touchscreen machines. Instead, we saw what could accurately be described as a 'reprint.'"

"Unfortunately, there remain a number of states and counties that cannot see the writing on the wall. After all, pressing a button to reprint a 'recount' would seem to be the clean and easy solution; if the numbers never change, voting officials can simply claim that the first count was correct and call it a day."

"What we didn't anticipate was that some e-voting vendors would make it 'easier' by removing the ability to do an accurate recount -- the design equivalent of a CEO making an audit 'easier' by eliminating the accounting department."



Wednesday, January 26, 2005

US to tighten nuclear cyber security (voluntarily)

A post in The Register discusses a Draft Regulatory Guide for operators of nuclear reactors by the US Nuclear Regulatory Commission. Excerpts from their discussion:

Federal regulators are proposing to add computer security standards to their criteria for installing new computerized safety systems in nuclear power plants. The US Nuclear Regulatory Commission (NRC) quietly launched a public comment period late last month on a proposed 15-page update to its regulatory guide "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants." The current version, written in 1996, is three pages long and makes no mention of security.

The replacement would expand existing safety and reliability requirements for digital safety system, and infuse security requirements into every stage of a system's lifecycle, from drawing board to retirement.

No successful targeted attacks against plants have been publicly reported, but in 2001 the Slammer worm penetrated a private computer network at Ohio's idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours. The worm entered the plant network through an interconnected contractor's network, bypassing Davis-Besse's firewall. The NRC draft advises against such interconnections. It also advises plant operators to consider the effect of each new system on the plant's cyber security, and to develop response plans to deal with computer incidents. Vendors are told how to reduce the risk of saboteurs planting backdoors and logic bombs in safety system software during the development phase.

But for all its breadth, adherence to the new guidelines would be strictly voluntary for operators of the 103 nuclear reactors already running in the US - a detail that irks some security experts... "It's kind of sad," [Chris Wysopal] says. "I see that people have all these great notions of how we can build software and systems more securely, but it's always voluntary."

Excerpts from the report itself:

Regulatory guides are not substitutes for regulations, and compliance with regulatory guides is not required.

With respect to software diversity, experience indicates that independence of failure modes may not be achieved in cases where multiple versions of software are developed from the same software requirements.

Computer-based systems must be secure from electronic vulnerabilities, as well as from physical vulnerabilities, which have been well addressed.

The lifecycle phase-specific security requirements should be commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, or destruction of the digital safety systems.

Remote access to the safety system software functions or data from outside the technical environment of the plant ... that involves a potential security threat to safety functions should not be implemented.
[This suggests that putting the SCADA system on the Internet is a bad idea, but doesn't actually condemn it.]

The security requirements are part of the overall system requirements.

The developer should delineate its security policies to ensure the developed products (hardware and software) do not contain undocumented code (e.g., back door coding), malicious code (e.g., intrusions, viruses, worms, Trojan horses, or bomb codes), and other unwanted and undocumented functions or applications.
[No guidance on how this is actually to be done.]

The user should develop an incident response and recovery plan for responding to digital system security incidents (e.g., intrusions, viruses, worms, Torjan horses, or bomb codes). The plan should be developed to address various loss scenarios and undesirable operations of plant digital systems, including possible interruptions in service due to the loss of system resources, data, facility, staff, and/or infrastructure. The plan should define contingencies for ensuring minimal disruption to critical services in these instances.

The user should perform periodic computer system security self-assessments and audits.

No backfitting is intended or approved in connection with the issuance of this guide... The use of this revision by the licensees of currently operating nuclear power plants is entirely voluntary.

Labels: ,


Tuesday, January 25, 2005

Newt Gingrich on investing in research

Noted in a Computing Research Policy Blog post.

"The research budget of the United States should be considered part of the national security budget. Investing in science (including math and science education) is the most important strategic investment we make in continued American leadership economically and militarily. Investing in science has also been the most consistent, powerful, single mechanism for extending life and for improving the quality of life. When developing the federal budget, the investment in science should be considered immediately after operational military requirements and before any of the traditional domestic spending programs."

"Congress should consider establishing a separate budget line item for federal research and protecting it from encroachment by all the interest groups who want immediate gratification for their projects. Special interests can find funding for highways, subsidies to farmers, and public housing. For a variety of reasons scientists and those who believe in science have a harder time making a 'pork barrel' or special interest appeal for more money."

Labels: ,


Monday, January 24, 2005

Phishing against banks hits all time high

A report by summarizes the latest report by the Anti-Phishing Working Group.

"Phishing against banks hits all time high, Anti-Phishing Working Group warns of 'relentless increase.'"

"Phishing attacks targeting financial services firms reached an all-time high in December, the Anti-Phishing Working Group (APWG) has revealed. According to APWG's monitoring some 85 per cent of all reported phishing incidents during the month targeted the financial sector, representing an increase of around 10 per cent on previous levels."

Labels: ,


Global warming approaching critical point

A CNN report summarizes a new task force report by the Institute for Public Policy Research.

"Global warming is approaching the critical point of no return, after which widespread drought, crop failure and rising sea-levels would be irreversible, an international climate change task force warned Monday."

"The report, 'Meeting the Climate Challenge,' called on the G-8 leading industrial nations to cut carbon emissions, double their research spending on green technology and work with India and China to build on the Kyoto Protocol."

"'An ecological time-bomb is ticking away,' said Stephen Byers, who co-chaired the task force with U.S. Republican Senator Olympia Snowe, and is a close confidant of British Prime Minister Tony Blair. 'World leaders need to recognize that climate change is the single most important long term issue that the planet faces.'"

Labels: ,


Friday, January 21, 2005

Defense Tech: Lock the back door, too

A Defense Tech article, JAMES FALLOWS AND THE JEWEL THIEF, argues that the government is making terrible trade-offs in investing in homeland security.

"In Confessions of a Master Jewel Thief, diamond-nabber Bill Mason notes notes a strange security trend: people will spend big bucks to have a whole host ultra-sophisticated locks on their front doors -- but they'll put something flimsy on the back door, or leave the windows unlocked altogether."

"That's what came to mind as I read James Fallows' homeland defense story in the current Atlantic Monthly. The Transportation Security Administration is spending $4 billion -- 80 percent of its budget -- on airport screening. Making sure grandma takes off her Mary Janes before she gets on the plane. That leaves, Fallows notes, 'well under $1 billion for everything except airlines: roads, bridges, subways, tunnels, railroads, ports, and other facilities through which most of the nation's people and commerce move.'"

"Kinda reminds you of Mason's back door, hunh? Except the analogy doesn't quite hold together. It'd probably be more accurate to say that, while the Bush administration is making sure America's front door is tripled-locked, it has left the jewel box out on the front lawn."



Monday, January 17, 2005 - The Revolt of the Corporate Consumer

A (subscription-only) report in the Wall Street Journal,The Revolt of the Corporate Consumer claims that customers are gaining the whip hand.

"The power has shifted. For more than two decades, software vendors have been in control, selling tech-hungry companies a steady stream of new products and services largely on the vendors' terms. No longer. In the four years since the collapse in corporate technology spending, the tables gradually have turned -- to the point that now, it's the buyers who are clearly calling the shots. They are wrangling for better prices, demanding software that's more reliable and secure, and resisting software companies' push for constant -- and expensive -- upgrades."

"All this represents a seismic shift in power to tech buyers from sellers. Limited tech budgets have given chief information officers more negotiating clout with vendors, who know that many buyers already feel burned by disappointments with previous purchases. Meanwhile, open-source and subscription Web-based software services have emerged as more-serious competitors to the established software giants, putting downward pressure on prices. Combined, these trends mean that customers are demanding -- and getting -- more and better software for their money."

"'They're economic tectonic plates and they're moving,' Mitchell Kertzman, a venture capitalist with Hummer Winblad Venture Partners in San Francisco, says of the forces propelling the customer revolt. The power shift is permanent, he adds. 'There isn't any way to go back.'"

"For software companies finally being forced to improve security, simplify maintenance, reduce costs and deliver measurable business results, Mr. Kertzman says, the shift 'will be really punishing.' But customers are already reaping rewards."

The following is a box accompanying the article:


According to tech-industry experts, software buyers want suppliers to:

* Deliver software that meets the standards of other commercial products, namely that it work out of the box

* Be accountable for agreed-upon service levels develop and maintain secure products and services that place minimal burden on users

* Responsibly alert users when new vulnerabilities are detected

* Integrate security throughout the design, manufacture and upgrade cycles

* Ensure compliance with security requirements before release

* Develop more secure and less costly patch-management processes

* Test common software configurations for security vulnerabilities and bugs

* Provide innovations more specific to their business



Scientific Research Targeted in New Budget?

A post in the Computing Research Policy Blog, President Will Target "Scientific Research" in New Budget, Wash Times Says, suggests bad news ahead for basic research.

"Facing heat on the right for excessive spending, President Bush has apparently indicated he will provide a 'very tough' spending blueprint to Congress for FY 2006. In a commentary posted today, the Washington Times quotes members of the Administration saying the President will exert 'very, very strong discipline' on next year's spending.
'That discipline will be there big time,' [White House Chief of Staff Andrew] Card told business leaders.'"

"The Times is pretty specific in predicting the cuts:
Among the budget-cutting targets: the bloated Agriculture Department, corporate welfare, scientific research, housing, state and local giveaway grants, and other low-priority and no-priority programs that will be slashed or eliminated altogether."

"This is very disturbing news, not just because of the cuts it portends, but because the attitude on display in the article is a far cry from the very supportive language we've seen this Administration use in reference to the National Science Foundation and the rest of the federal basic research effort."



Covert Ops in Iran

A post by Jeffrey Lewis in Hersh Article on Covert Ops in Iran is a thoughtful analysis of the New Yorker article THE COMING WARS, by Seymour M. Hersh.

"Hersh obviously thinks such a strike would be foolish, but he repeats a myth that is at least partially responsible for the ardor of proponents of a strike against Iranian facilities:
'In 1981, the Israeli Air Force destroyed Iraq’s Osirak reactor, setting its nuclear program back several years.' ..."

"The scientists were also unanimous in dating Saddam's pre-Gulf War effort to acquire a nuclear weapon through a clandestine uranium enrichment program to the days immediately following the Israeli attack. The effect of the attack was probably to transform a virtual bomb program into a very real one that may or may not have succeeded without the intervention of the Operation Desert Storm."

"If Tehran is pursuing a virtual bomb, as I and others have suggested, then the military option will likely collapse diplomatic efforts, further radicalize the Iranian regime, and guarantee a crash program for the bomb."

"Come to think of it, that does kind of sound like something Rumsfeld would do."



Thursday, January 13, 2005

A Programmer's Story

The Per Brinch Hansen Archive now contains an online edition of Per's memoirs, A Programmer's Story, which I found to be quite interesting. Per was heavily involved in much of the early work on systematizing operating systems and concurrent programming.

"This autobiography is the story of Brinch Hansen's professional life and his personal impressions of the birth of modern programming. He traces his school years, engineering studies, and the beginning of his career in Denmark. And he recounts his exciting and frustrating years as a researcher at Carnegie-Mellon, Caltech, USC, University of Copenhagen, and Syracuse University."

"He tells his story in nontechnical detail with candid anecdotes about computer pioneers he has known, such as Peter Naur, Jorn Jensen, Edsger Dijkstra, Niklaus Wirth, Tony Hoare, Ole-Johan Dahl, Alan Perlis, Nico Habermann, Jim Horning, Don Knuth, Charles Simonyi, Butler Lampson, Bill Wulf, Gordon Bell, Carver Mead, Ivan Sutherland, Seymour Ginsburg, Harlan Mills, Geoffrey Fox, Chuck Seitz, David May, Dennis Ritchie, and others."



PITAC Approves Cyber Security Report Calling For Significant Increases in Basic Cyber R&D

Post in the Computing Research Policy Blog

"The President's Information Technology Advisory Committee (PITAC) achieved consensus yesterday on the final draft of its report on the status of the federal cyber security R&D effort, finding that support for civilian-oriented, fundamental cyber security research is seriously inadequate, the pool of researchers is insufficient, and that coordination between funding agencies is lacking."

"Judging by yesterday's presentation (delivered by Tom Leighton, the Chair of PITAC's Subcommittee on Cyber Security), the report will lay out in stark terms the magnitude of the threat posed by vulnerabilities in the information infrastructure. It will also spell out in some detail the difficulties faced by researchers, especially in academic institutions, in finding federal support for the fundamental cyber security research that will address the vulnerabilities long-term. The report will note problems in all three agencies one would expect to be funding critical long-term cyber security R&D: NSF, DARPA and the Department of Homeland Security."

"As a quick fix, the committee will recommend an immediate $90 million infusion of funding into NSF's cyber security research efforts to alleviate some of these funding pressures, while leaving the door open to future funding increases should the situation warrant it."

"Rather than summarize Leighton's whole presentation, I'll just link to the slides."

Labels: , , ,


New FBI Software May Be Unusable

A Los Angeles Times article reports yet another high-profile example of troubled software development.

"A new FBI computer program designed to help agents share information to ward off terrorist attacks may have to be scrapped, the agency has concluded, forcing a further delay in a four-year, half-billion-dollar overhaul of its antiquated computer system. The bureau is so convinced that the software, known as Virtual Case File, will not work as planned that it has taken steps to begin soliciting proposals from outside contractors for new software, officials said."

"The overhaul of the decrepit computer system was identified as a priority both by the independent commission that investigated the Sept. 11 attacks and by members of Congress, who found that the FBI's old system prevented agents from sharing information that could have headed off the attacks."

"The bureau recently commissioned a series of independent studies to determine whether any part of the Virtual Case File software could be salvaged. Any decision to proceed with new software would add tens of millions of dollars to the development costs and render worthless much of a current $170-million contract."

"That the software may have outlived its usefulness even before it has been fully implemented did not surprise some computer experts. An outside computer analyst who has studied the FBI's technology efforts said the agency's problem is that its officials thought they could get it right the first time. 'That never happens with anybody,' he said."



South Carolina: Weaknesses in Electronic Voting

A column in The State by Duncan Buell rebuts an upbeat report.

"Marci Andino, executive director of the S.C. Election Commission, reported glowingly on the new electronic voting machines after the November election. This rebuttal is to alert South Carolina voters: Most computer professionals probably would disagree with Ms. Andino's optimism. The most serious problems in the machines would be exactly those that the commission would not be capable of detecting."

"Ms. Andino asserts that not a single vote has been lost because of an equipment malfunction either on Nov. 2 or in previous elections. This statement is indefensible. None of us, not even Ms. Andino, knows what the actual votes have been. In the absence of knowing the truth, malfunctions that are undetected pose serious problems. Further threats include attacks against the integrity of the voting process that are made possible by the inherent complexities of computer security."

"As a professional computer scientist with more than 25 years' experience, I believe the security of the ES&S machines is extremely suspect and consider their use in South Carolina inadvisable. I do not believe voters in South Carolina should feel comfortable about their votes being recorded properly. I myself would not trust my vote to these machines, since they contain fundamental software and system flaws."

"Further, the machines are part of a more complicated system, and the system, not just the machines, is suspect. Maintaining complete system security is difficult, and preventing exploits against inherent security flaws requires high standards that derive from significant expertise. That expertise seems neither readily available to nor used by the Election Commission."



Ohio pulls plug on electronic voting

An article in the Cleveland Plain Dealer reports:

"The battle is over and electronic voting machines, at least in Ohio, are dead. After years of wrangling and protests, Secretary of State Ken Blackwell announced Wednesday that he will limit Ohio's uncompleted voting-machine conversion to a single device: the precinct-count optical-scan machine. The decision effectively sidelines the embattled touch-screen voting machines that protesters portrayed as razor-toothed, vote-eating monsters prone to hacking. An Ohio security review completed in December 2003 uncovered dozens of security risks in the machines, many of which companies were working to fix."

"The exception is that one electronic machine per voting location is required for the disabled."



Wednesday, January 12, 2005

General: "Glitch" caused missile defense test failure

A report implies that the ballistic missile defense system builders have a high embarassment threshold. Systems that have to work the first time they're used must not have "glitches."

"In the December 15 test, a target missile, a simulated ICBM with a mock warhead was launched without problem from Kodiak, Alaska. But the interceptor that was to fly into the target's path in outer space, destroying it by direct impact, did not launch from its pad at the Ronald Reagan Test Site at Kwajalein Atoll in the central Pacific Ocean."

"Offering the first public explanation of what went wrong, Obering said the blame lay with an automated pre-launch check of the communications flow between the interceptor and the main flight control computer. Detecting too many missed messages, the system shut down automatically, as designed. In response, the Pentagon will increase the pre-launch tolerance for missed messages. Obering said the tolerance level was set too low; increasing it will not risk a flight guidance failure, he said."

"'We kind of did this to ourselves,' Obering said, by setting the tolerance level so low. 'This has been nothing more than a minor glitch,' he added. 'Statistically, it's a very rare occurrence and most likely would not happen again.'"

"He disputed the assertion by some outside observers that the failure was a significant setback for a program that has been decades in development at the cost of tens of billions of dollars. 'We're disappointed in the fact that we did not get this (test) off, but we were certainly not embarrassed and we're certainly not disheartened in any way, shape or form,' Obering said. 'We are working through what we consider to be the fine-tuning of this system.'"

See also my previous post on this topic.



Another Computer Security Official Quits

A Washington Post article by Brian Krebs and Jonathan Krim discusses continuing churn in the government's response to cybersecurity risks.

"The Homeland Security Department official in charge of protecting the nation's physical and computer infrastructure is stepping down at the end of the month in the latest in a string of departures at the department's struggling cyber-security division. The announcement by Robert P. Liscouski, the department's assistant secretary for infrastructure protection, comes as technology executives and experts increasingly say that the Bush administration is giving short shrift to computer security."

"Attacks continue to proliferate and have become more sophisticated, whether they be viruses and phony solicitations aimed at home computer users or assaults on the networks of companies and other organizations."

"Also leaving the department this month is Lawrence C. Hale, the cyber-security division's deputy director."

"In July, the Homeland Security Department's inspector general found that the division's efforts suffered from a lack of coordination, poor communication and a failure to set priorities. The division 'must address these issues to reduce the risk that the critical infrastructure may fail due to cyber attacks,' the report said. 'The resulting widespread disruption of essential services after a cyber attack could delay the notification of emergency services, damage our economy and put public safety at risk.'"

Labels: , ,


Tuesday, January 11, 2005

Hackers Tune In to Windows Media Player

An article by Ryan Naraine in eWeek discusses a new ploy.

"Hackers are using the newest DRM technology in Microsoft's Windows Media Player to install spyware, adware, dialers and computer viruses on unsuspecting PC users."

"According to Panda Software, both Trojans take advantage of the new Windows anti-piracy technology to trick users into downloading spyware and adware applications. 'When a user tries to play a protected Windows media file, this technology demands a valid license. If the license is not stored on the computer, the application will look for it on the Internet, so that the user can acquire it directly or buy it,' Panda Software explained."

"An unsuspecting user attempting to download the DRM (digital rights management) license will instead be redirected to a Web site that loads a large quantity of adware, spyware, modem dialers and other viruses, the company said in an advisory."

Labels: ,


Roll Call Op-Ed: Crisis of Trust Over Voting Difficulties Must Be Addressed

Op-Ed from Roll Call, by Richard L. Hasen

"There is a partisan and racial dimension to the issue. John Harwood reports that 'just one-third of African-Americans call the vote "accurate and fair," while 91 percent of Republicans do.'"

"It is hardly surprising that the winners have more faith in the process than the losers. But just before the election, a Rasmussen Reports poll showed 59 percent of American voters believing there was 'a lot' or 'some' fraud in American elections."

"It should go without saying that free and fair elections are essential to a well-functioning democracy and that an eroding public faith in the electoral process is worrisome. Had the margin in Ohio been 100,000 votes closer and the outcome determined by a set of provisional ballots to be judged and counted post-election by partisan election officials, we would have seen crowds in the street as we saw in the Ukraine."

"Part of the solution to the fraud-and-legitimacy problem is additional resources to minimize election administration incompetence. But the more fundamental question is that of trust."

"In many parts of the United States, the chief elections officer of the state is a secretary of state who runs in a partisan election and is involved in partisan activities. This is intolerable. How can Democratic voters in Ohio trust Kenneth Blackwell, the Ohio secretary of state, who co-chaired the Ohio campaign to re-elect President Bush? How can Republican voters in California trust Kevin Shelley, California's secretary of state, who is accused of taking federal money earmarked for voter education to promote Democratic causes?"

It bears repeating: Voter-verifiable audit trails seem to be an essential component in a system voters will trust.

Labels: ,


McAfee Research sold to Sparta, Inc.

In a press release today, McAfee, Inc. announced a definitive agreement to transfer the assets, people, and contracts of McAfee Research to Sparta, Inc., which issued its own press release.

The group is transfering intact, so there should be little short-term impact on lab members, such as me. (I am slated to become Chief Scientist of the Information Systems Security Operation within the National Security Systems Sector.Org Chart) We expect to continue doing contract research, mostly for our existing government customers. My new office location will probably be somewhere nearby in Silicon Valley.

I believe that in the medium term this is a win for all parties:
    McAfee never managed to gain strategic advantage from having a research lab. It's announced target for all lines of business is a 25% operating margin; there is no (legal) way to earn this doing government contracting.

    Sparta is an employee-owned company whose primary business is government contracting; they have done very well in that business. Not being publicly traded, they are able to take a somewhat longer-term view than is currently permitted by Wall Street.

    McAfee Research will bring a complementary set of skills, contracts, and relationships to Sparta in an area where they intend to grow their business: computer and network security.
Stay tuned.



Just when you thought it was safe to drink the water

A report discusses security lapses.

"Water utilities have installed computer-based remote controls 'with little attention paid to security,' leaving valves, pumps and chemical mixers for water supplies vulnerable to cyber-attack, according to an Environmental Protection Agency report."

"In a report Monday, the EPA's inspector general cited costs, lack of ability to check employees' backgrounds and poor communication between technical engineers and management for the shortcomings."

The 57-page report is available online: EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known Supervisory Control and Data Acquisition (SCADA) Vulnerabilities.



Monday, January 10, 2005

Net experts believe a widespread attack on the Web is likely

A new report on a Pew Internet and American Life Project survey indicates a consensus that worse is to come.

"The Internet will fall victim to a `devastating attack' sometime in the next decade, and governments will use networked devices to increase their surveillance of individuals.
That sobering outlook came from a large panel of experts asked to peer into the future of the Internet."

"The nearly 1,300 Internet pioneers, academics and business leaders concluded that the Web will bring profound changes to the news business, education, families and creativity."

Labels: , ,


Friday, January 07, 2005

Bloopers bedevil Gates at CES (video)

Between the Lines |

"You got to watch this. Murphy's Law strikes more than once for Microsoft Chairman Bill Gates at the 2005 Consumer Electronics Show in Las Vegas. A brief video shows Conan O'Brien easing the tension with his classic humor as Gates encountered problems with his remote control while demoing the Windows Media Center."



Risks of lenient parsing

Wednesday I had a frustrating experience trying to help track down a problem in a post to a blog I subscribe to. It ended happily enough when we were able to locate a syntax error in the HTML of the post, but not before we had explored several blind alleys.

Before discussing the implications, I will first present some (lightly edited) excerpts from our correspondence, to set the stage.


Me: R&D Funding post. A link near the end seems to be broken.

Peter: I'm looking at the post and trying to find the broken link without success. They all seem to be working for me. Maybe you caught it as I was rebuilding the page? If not, can you give me more context for the link?

Me: It's the link associated with the text "de-emphasizing long-term, fundamental research", and it still takes me to "", which still yields a "HTTP 404 - File not found" message.

Peter: Hmmm. I'm at a loss. I've had a few people on varied platforms test it without problem. Could it be that you're looking at a cached version?
The link that shows in my browser (and my test subjects) is:
A mystery....

Me: I can follow the link in your email just fine, but not from the post.
Must be a poisoned cache (perhaps caught while you were rebuilding). CTRL-F5 is SUPPOSED to force a refresh, but I've had trouble with this on our corporate network before. I'll try it from home and see if I get the same results.

Me: It's even more weird than I thought, and not simple cache poisoning.
I did a View Source on the page, while it was exhibiting the problem. In the resulting HTML, the link is exactly what you say it is. However, when I mouse over the link, I still get what I told you.
To investigate further, I saved the HTML to my local disk and repeated the experiment. Same results, except that now it looks for and fails to find a local file ("increasing" in the same directory as the main page). I cleared the browser cache and refreshed. Same results. Out of superstition, I quoted the URL in the link. Same result.
This is truly bizarre, and, as nearly as I can tell, affects only this one link.

Me: Just looked at a larger fragment of the HTML, and the problem is obvious (note the "href=increasing"). Is this corrupted relative to what you have published?

As others have <a href=> noted</a>, the bulk of that 44% increase has gone to the Defense Department, which is <a href=increasing it's support for more short-term, development-oriented research and <a href=> de-emphasizing long-term, fundamental research</a>. <a href=>Here's more</a> on CRA's concerns about DOD research. </p>

Peter: Aha. You've found the problem!
I had intended to add a link to that "increasing it's support for more short-term, development-oriented research" phrase but changed my mind. Unfortunately, as you discovered, I left a fragment of the "<a href=" tag in the text. Apparently Safari and the browsers my "testers" used didn't stumble on the fragment -- they just ignored everything between the tag fragment and the correctly formatted "<a href>" tag that starts with "de-emphasizing." But that must not be the case with all browsers.
I didn't catch it looking at the rendered HTML because the sentence still made sense without the "increasing it's support..." phrase.
Anyway, seems to work now with the tag fragment deleted. Does it work for you?


So what is the lesson in this? There was clearly a syntax error, so what we got is what we deserved, right? I think not.

Given the frequency of errors in HTML, it would be unreasonable for renderers to refuse to display pages with errors. (I only with great difficulty found the HTML bug in the first version of this post.) However, we stumbled around blindly because none of the browsers we were using gave any hint that there was a syntax error on the page. Each just silently "corrected" the error. Unfortunately, but predictably, they didn't all "correct" it in the same way, meaning that Peter and his testers were getting one result, and I was getting another.

I contend that all of the browsers were wrong not to indicate clearly the existence of a syntax error. A friendly browser would even have made some attempt to indicate the approximate location on the page of the error.

Although it was published more than thirty years ago, I think my advice on "What the Compiler Should Tell the User" (in Compiler Construction, an Advanced Course, F. L. Bauer and J. Eickel (eds.), Springer-Verlag, pp. 525–548, 1974) is still pertinent to those who build compilers and other formal language interpreters. Those who do not study the past are very likely not to learn its lessons, and therefore to repeat old mistakes.

Labels: ,


Wednesday, January 05, 2005

Preserving Democracy: What Went Wrong in Ohio

A report by House Judiciary Committee Democratic Staff raises serious charges that suggest that the problems were more widespread than many have thought. Of course, since the Democratic party is out of power in the House, Senate, and White House, no one expects this report to have any impact on the past election. However, there is at least a slight chance that it will be considered in organizing future elections.

"We have found numerous, serious election irregularities in the Ohio presidential election, which resulted in a significant disenfranchisement of voters. Cumulatively, these irregularities, which affected hundreds of thousand of votes and voters in Ohio, raise grave doubts regarding whether it can be said the Ohio electors selected on December 13, 2004, were chosen in a manner that conforms to Ohio law, let alone federal requirements and constitutional standards."

"This report, therefore, makes three recommendations:
(1) consistent with the requirements of the United States Constitution concerning the counting of electoral votes by Congress and Federal law implementing these requirements, there are ample grounds for challenging the electors from the State of Ohio;
(2) Congress should engage in further hearings into the widespread irregularities reported in Ohio; we believe the problems are serious enough to warrant the appointment of a joint select Committee of the House and Senate to investigate and report back to the Members; and
(3) Congress needs to enact election reform to restore our people’s trust in our democracy. These changes should include putting in place more specific federal protections for federal elections, particularly in the areas of audit capability for electronic voting machines and casting and counting of provisional ballots, as well as other needed changes to federal and state election laws.

"With regards to our factual finding, in brief, we find that there were massive and unprecedented voter irregularities and anomalies in Ohio. In many cases these irregularities were caused by intentional misconduct and illegal behavior, much of it involving Secretary of State J. Kenneth Blackwell, the co-chair of the Bush-Cheney campaign in Ohio."

This calls to mind the infamous promise by the president of Diebold to help Ohio deliver its electoral votes to the President in November.

Labels: , ,


Pentagon: Current Needs Outweigh Advances in Technology

A Washington Post article describes leaked information about the emerging defense budget. It doesn't make it clear whether the cuts are primarily in procurements, or also include research and advanced development. Pessimist that I am, I suspect the latter.

"Rising war costs and a stubborn budget deficit have forced the Pentagon to propose billions of dollars in cuts to advanced weapons systems, as the military refocuses spending from its vision of a transformed fighting force to the more down-to-earth needs of its ground troops."

"An internal defense budget document for fiscal 2006 shows a vivid shift of emphasis from procuring the weapons of the future to fighting the wars of the present, numerous defense analysts said yesterday. The Air Force and the Navy--once favored by Defense Secretary Donald H. Rumsfeld--would have to sacrifice some of their high-tech weapons development for the humble needs of the Army, such as tank treads and armor."

"Now, Adams said, Rumsfeld will no longer be able to 'have his budgetary cake and eat it, too.'"



Saturday, January 01, 2005

A Bibliography on Computing Technology Policy

This bibliography was compiled by Bob Ellis. It "covers the popular press and computing magazines, but not research or scholarly publications. The ACM Digital Library is the best source for the latter."

"Why provide this bibliography when a more complete and less idiosyncratic search could be done with a search engine such as Google? Using this bibliography has several advantages: categorization into a taxonomy that groups like articles together, a chronological presentation and a selective number of hits. Entries in this bibliography could then be used to generate a more complete search with a search engine."