Wednesday, July 27, 2005

Multiple vulnerabilities in Diebold Optical Scan

A post by Bruce O'Dell in Risks Digest summarizes the results of a demonstration of many ways to hack election results in one of the most widely-used optical scan vote counters.
"Exploits available with this design include, but are not limited to:

1) Paper trail falsification - Ability to modify the election results reports so that they do not match the actual vote data

1.1) Production of false optical scan reports to facilitate checks and balances (matching the optical scan report to the central tabulator report), in order to conceal attacks like redistribution of the votes or Trojan horse scripts such as those designed by Dr. Herbert Thompson.

1.2) An ingenious exploit presents itself, for a single memory card to mimic votes from many precincts at once while transmitting votes to the central tabulator. The paper trail falsification methods in this report will hide evidence of out-of-place information from the optical scan report if that attack is used.

2) Removal of information about pre-loaded votes

2.1) Ability to hide pre-loaded votes

2.2) Ability to hide a pre-arranged integer overflow

3) Ability to program conditional behavior based on time/date, number of votes counted, and many other hidden triggers.



Pentagon effort could chill US innovation

A post on the USACM Technology Policy blog points out likely consequences of an effort by the Department of Defense to create new restrictions on foreign researchers’ access to export-controlled technology.
College officials fear that the mandate, if instituted as currently drawn, would drastically curtail academic freedom in laboratories where such studies are performed and in fields of research where large numbers of the graduate students participating in studies are foreigners...

An arguably greater fear is that deemed export control policy will ultimately have a chilling effect on research and development of new technologies in the United States by limiting or encumbering the work of talented individuals and encouraging organizations to move research activities overseas in an effort to remain competitive.



Sunday, July 24, 2005

Schneier: Secure Flight is a disaster

A post in Schneier on Security spells out some of the implications of the Government Accountability Office report on the Transportation Security Agency's testing of Secure Flight.
Secure Flight is a disaster in every way. The TSA has been operating with complete disregard for the law or Congress. It has lied to pretty much everyone. And it is turning Secure Flight from a simple program to match airline passengers against terrorist watch lists into a complex program that compiles dossiers on passengers in order to give them some kind of score indicating the likelihood that they are a terrorist...

One, assuming that we need to implement a program of matching airline passengers with names on terrorism watch lists, Secure Flight is a major improvement -- in almost every way -- over what is currently in place. (And by this I mean the matching program, not any potential uses of commercial or other third-party data.)

Two, the security system surrounding Secure Flight is riddled with security holes. There are security problems with false IDs, ID verification, the ability to fly on someone else's ticket, airline procedures, etc.

Three, the urge to use this system for other things will be irresistible. It's just too easy to say: "As long as you've got this system that watches out for terrorists, how about also looking for this list of drug dealers...and by the way, we've got the Super Bowl to worry about too." Once Secure Flight gets built, all it'll take is a new law and we'll have a nationwide security checkpoint system.

And four, a program of matching airline passengers with names on terrorism watch lists is not making us appreciably safer, and is a lousy way to spend our security dollars...

My fear is that TSA has already decided that they’re going to use commercial data, regardless of any test results. And once you have commercial data, why not build a dossier on every passenger and give them a risk score? So we're back to CAPPS-II, the very system Congress killed last summer. Actually, we're very close to TIA (Total/Terrorism Information Awareness), that vast spy-on-everyone data-mining program that Congress killed in 2003 because it was just too invasive.

Secure Flight is a mess in lots of other ways, too. A March GAO report said that Secure Flight had not met nine out of the ten conditions mandated by Congress before TSA could spend money on implementing the program. (If you haven't read this report, it's pretty scathing.) The redress problem -- helping people who cannot fly because they share a name with a terrorist -- is not getting any better. And Secure Flight is behind schedule and over budget.

It's also a rogue program that is operating in flagrant disregard for the law. It can’t be killed completely; the Intelligence Reform and Terrorism Prevention Act of 2004 mandates that TSA implement a program of passenger prescreening. And until we have Secure Flight, airlines will still be matching passenger names with terrorist watch lists under the CAPPS-I program. But it needs some serious public scrutiny.



Tony Hoare elected Fellow of the Royal Academy of Engineering

Another well-deserved honor.


Tuesday, July 19, 2005

An interesting conversation between Bill Gates and Maria Klawe

Bill Gates is, of course, the Chairman and Chief Software Architect of Microsoft Corporation. Maria Klawe is Dean of Engineering and Applied Science at Princeton University.

Microsoft has posted a transcript of their public conversation at the Microsoft Research Faculty Summit 2005, including important insights on the decline in support of fundamental computer science research and the decline of the number of women in computing. It's a bit long, but worth reading for several nuggets. I will quote just a few excerpts here.
MARIA KLAWE: So this morning, Bill, I'd like to start off with a really important question: How many of the Harry Potter books have you read so far? (Laughter.) ... We all know that the magic in the future comes out of computer technology, and especially computer software...

MARIA KLAWE: So why do you think the government should be spending money on computer science research in tough economic times? What does the public get out of federal funding for research?
BILL GATES: Well, I think the payoff, if there's any place you can say there's been a dramatic payoff, it's in computer science. The United States in the 1980s was viewed as falling behind, Japan had a better industrial model, the U.S. just was going to lose industry after industry; and yet what really happened in the 1990s was that our economy created more jobs, new companies, lots of amazing leadership things happened. And I think you can really point to the DOD and NSF money that went into computer science work as being one of the key elements that allowed us to turn what was a period where people thought we were falling behind into preparation for one of the greatest success periods the country has ever had.
The amount of money we're talking about here is not gigantic, I mean, compared to, say, the government budget as a whole or the defense budget or even research as a whole, the portion that computer science really should get is not that gigantic, but to have a decline is really bad... And it's kind of a crime that at the time when computer science is about to solve the most interesting problems, and when computer science is not only an interesting field of its own with some exciting problems, but it's also becoming the toolkit for all the sciences where biologists are turning to us and saying, OK, how do you find the pattern in this information or astronomers or physicists or basically all the sciences are becoming very data driven, you'd think, wow, there would be a shift of NIH money into computer science techniques and standards and things like that. That's also not happening to any significant degree...
So we're saying to companies, hey, you ought to invest more in R&D, this is defining the future of the company, it is our competitive edge that we're out there on the frontiers, and we're always surprised, at least in our field, our competitors, if you put aside IBM that's kind of a special case, the amount invested in research is very small. I'd like to see that change, I think it's a huge mistake on their part...
So we'll certainly be as strong an advocate as we can be that the government is making a mistake here, and throughout the world I think governments should fund computer science research. I think in terms of creating great jobs, great companies in their area, what other area would people be funding. This is the change agent of the time, this is the thing that will drive forward. Even just say you're only going to do it just for education to build the tools for the future of education, you'd want to fund it just for that one little piece alone, not to mention --
MARIA KLAWE: Healthcare.
BILL GATES: -- yeah, e-government --
MARIA KLAWE: Environment, energy.
BILL GATES: Yeah, modeling the world, it's about time we understood things like the CO2 cycle and stuff like that, and definitely computer science will be at the heart of that.
So it is an incredible paradox, and you need examples of cases where it made a big difference, and certainly our company wouldn't exist without that funding that took place on those basic advances...

MARIA KLAWE: So let me go to the other half of the crisis in computer science. I mean, I think at least within the U.S., but I believe it's also true in other areas of the world, not only are we seeing a decline in research funding, but perhaps even more worrisome we're seeing a huge decline in interest in studying computer science.
So just give some data, the popularity in the U.S. of computer science as a major for incoming college students has plummeted. It's fallen more than 60 percent between 2000 and 2004, according to the Higher Education Research Institute at UCLA.
On the other hand, according to the U.S. Labor Department, the fastest growing jobs throughout 2012 include data communication analysts, health information technicians and computer software engineers.
The most recent numbers for U.S. employment in IT are the highest ever, up more than 5 percent since the peak of the bubble in 2000. In addition, salaries in the IT area have continued to grow by a compound growth rate of 4 percent.
So it seems that there's a huge mismatch between the demand for graduates with these skills and what we're willing to pay graduates with these skills and the interest among our youth.
Do you have -- I mean, do you have a sense of what's going on here and should we be really worried about this?
BILL GATES: Well, I'm certainly very worried about it. Microsoft is trying to hire every great college graduate who has basic computer science skills and we think is highly talented. When I sit down and review projects here inside the company, the topic that always comes up is how is the hiring going, we've got open headcount, these are super well-paying jobs, you can get your own office...
And I say to myself, what are these other fields doing, I mean, what's going on? Apparently the fastest growing major is physical education.
MARIA KLAWE: No! (Laughter.)
BILL GATES: And so I think wow --
MARIA KLAWE: I thought it was economics.
BILL GATES: You know, what is going on in that field? I mean, are they making breakthroughs like speech recognition or artificial intelligence? I'm dying to see these new games they're inventing, new rules. And I think, you know, the poor Chinese, they don't realize this is the coming field, and 10 years from now they're going to wake up and say, oh no, physical education, we completely missed that activity. (Laughter.) ...

MARIA KLAWE: So let me ask you, when Microsoft -- I mean, are you finding enough people to hire in the U.S.?
BILL GATES: No, absolutely the answer is no. We have this interesting paradox where in China and India we can get lots of engineers but getting people who have sort of what we call program management type skills or general management type skills, it's very hard to find enough of those, whereas here in the United States we do pretty well at getting people with those skill sets, but then it's just the engineering we're very short of what we'd like to get. And so the competition for somebody who's got the right background is just phenomenal...

MARIA KLAWE: Well, do you have any thoughts about what are more effective ways to get more women into computing careers? I mean, one of the things that's really depressing from my perspective is that computer science is the only field in science and engineering where participation of women has gone down over the last 25 years. So, for instance, if you look at mathematics, when I got my PhD in mathematics in 1977, I think it was about 11 percent of the PhDs went to women, and now it's over 30 percent. If you look at undergraduate degrees in mathematics, it's about 45 percent, and it was down around 10, 15 percent.
So in computer science, our figures are now about 15 percent of the PhDs go to women, about 15 percent of the bachelor degree recipients in research universities are women. I mean, it's just unbelievable how bad it is. We're down there, we're below physics in some cases.
So what could we do to bring more -- what would be effective in getting more women into these fields?
BILL GATES: Well, I don't know the magic answer. I think everybody who thinks about the problem says you've got to get the women who are in the field to be more visible and get them --
MARIA KLAWE: No, no, no, no, that can't be the answer. OK, raise your hand if you're a female here. All right. Are we being visible? Are we serving on every committee, going to all the schools?
BILL GATES: Well, it's good, you should keep doing that.
MARIA KLAWE: Yeah, we are going to keep doing it, but I hate to say it --
BILL GATES: I applaud that.
MARIA KLAWE: -- we're not getting anywhere with it. The numbers --
BILL GATES: I think if you weren't doing that, we'd be even worse off, to be frank.
MARIA KLAWE: Yes, I think that's absolutely true...

Saturday, July 09, 2005

Data Theft: How to Fix the Mess

A piece by Joseph Nocera in the New York Times lays it on the line.
Here's what Mr. Proxmire did. First, in 1970, he drafted a bill that banned the practice of "dropping" credit cards on people without their consent. Four years later, he pushed through a bill that limited consumer liability to $50 if a credit card was used fraudulently.

The banking industry was apoplectic as these bills became the law of the land, especially the $50 limit. Why, bank lobbyists complained, should the institutions have to take the hit if a customer was so careless as to have his wallet stolen or credit card snitched? Shouldn't people be responsible for their own actions?

But in time, the banks came to see that they owed Senator Proxmire a debt of gratitude. He hadn't hurt the credit card industry. He had saved it...

Which is why I wish William Proxmire were still on the case. What we need right now is someone in power who can put the burden for this problem right where it belongs: on the financial and other institutions who collect this data. Let's face it: by the time even the most vigilant consumer discovers his information has been used fraudulently, it's already too late. "When people ask me what can the average person do to stop identity theft, I say, 'nothing,' " said Bruce Schneier, the chief technology officer of Counterpane Internet Security. "This data is held by third parties and they have no impetus to fix it."

Mr. Schneier, though, has a solution that is positively Proxmirian in its elegance and simplicity. Most of the bills that have been filed in Congress to deal with identity fraud are filled with specific requirements for banks and other institutions: encrypt this; safeguard that; strengthen this firewall.

Mr. Schneier says forget about all that. Instead, do what Congress did in the 1970's - just put the burden on the financial industry. "If we're ever going to manage the risks and effects of electronic impersonation," he wrote recently on CNET (and also in his blog), "we must concentrate on preventing and detecting fraudulent transactions." And the only way to do that, he added, is by making the financial institutions liable for fraudulent transactions.

"I think business ingenuity is top notch," Mr. Schneier said in an interview. "And I think if you make it their problem, they will solve it."

Yes, he acknowledged, letting consumers off the hook might cause them to be less vigilant. But that is exactly what Senator Proxmire did and to great effect. Forcing the financial institutions to bear the entire burden will cause them to tighten up their procedures until the fraud is under control. Maybe they will invest in complex software. But maybe they'll take simpler measures as well, like making it a little less easy than it is today to obtain a credit card. Best of all, once people see these measures take effect - and realize that someone else is responsible for fixing the problems - their fear will abate.

As Senator Proxmire understood a long time ago, fear is the great enemy of commerce. Maybe this time, the banks will finally understand that as well.



Saturday, July 02, 2005

Congress moved Wednesday...

A post by John Paczkowski on Good Morning Silicon Valley:
Congress moved Wednesday to protect the personal information of the few thousand remaining Americans not yet affected by data theft, introducing a bill aimed at stopping security breaches that have put millions of Americans' personal data on the black market... Dubbed The Personal Data Privacy and Security Act, the legislation would more closely regulate data brokers, enact stiffer penalties for database intrusions and mandate a "comprehensive personal data privacy and security program" for most businesses...
