Mercury News discovers Mythical Man-Month

The San Jose Mercury News has an article blaming Microsoft's schedule slippage on Vista (a.k.a. Longhorn) on a failure to understand Brooks' Law:

Adding manpower to a late software project makes it later.

The Mythical Man-Month is, of course, one of the classic treatises on software engineering. It is frequently cited, but too seldom heeded.

Paper ballots save the day

Techdirt has an item on an election in Keene, NH that required a hand recount because a misprogrammed electronic voting machine improperly discarded ballots. Fortunately, these were not the more widespread kind of direct recording electronic (DRE) voting machines that do not create a paper trail, so the hand recount was possible.

Another F in Computer Security

An article by Brian Krebs in the Washington Post discusses a report by the House Government Reform Committee.

Most federal agencies that play key roles in the war on terror are doing a dismal job of protecting their computers and information networks from hackers and viruses, according to portions of a report to be released by a key congressional oversight committee Thursday.

The Department of Homeland Security, which is charged with setting the government's cyber security agenda, earned a grade of F for the third straight year from the House Government Reform Committee. Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs.

The House Government Reform Committee is expected to award the federal government an overall grade of D-plus for computer security in 2005, a score that remains virtually unchanged from 2004...

The scores are "unacceptably low," committee Chairman Tom Davis (R-Va.) said in a statement. "DHS must have its house in order and should become a security leader among agencies. What's holding them up?" ...

As online attacks against consumers and businesses have skyrocketed, so have assaults against government information systems. Alan Paller, director of research for the SANS Institute, a group in Bethesda, Md., that trains and certifies computer security professionals, said a number of federal computer systems have been badly penetrated by hackers and viruses over the past several years, in part because many agencies do not adequately monitor their systems or apply software security updates in a timely manner.

But Paller argues that the yearly FISMA grades force agencies to apply scarce funding and employee time toward the wrong priorities.

"It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks," Paller said. "Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified" ...

The National Science Foundation and the General Services Administration each saw their scores rise from a C-plus in 2004 to an A last year. The Environmental Protection Agency and the Department of Labor earned A-plus grades in 2005, up from B and B-minus respectively.

[bold face mine]

Your Tax Dollars at Work (somewhere...)

See also "Is the Government Ready for a Digital Pearl Harbor?"

The Electronic Voting Mess Persists

The Washington Spectator has an article by Warren Stewart, "Do You Know How Your Vote Will Be Counted?" that should ring alarm bells among those who thought the electronic voting problem was (about to be) solved.

The troubling truth about voting in America today is that a majority of the electorate casts their ballots on computers that run software that is hidden from public view and lacks any independent means of verification. The process by which our votes are cast and counted is controlled by private corporations to an extent that threatens the foundations of democracy.

Last September, the Government Accountability Office released a report on the security and reliability of electronic voting machines. The report, which detailed the findings of a nine-month study, said that "concerns about electronic voting machines have been realized and have caused problems with recent elections, resulting in the loss and miscount of votes." The GAO reported that it had confirmed instances of "weak security controls, system design flaws, inadequate system version control, inadequate security testing, incorrect system configuration, poor security management, and vague or incomplete voting system standards."

While acknowledging that efforts were under way to improve the situation, the report warned that "these actions are unlikely to have a significant effect in the 2006 federal election cycle." Not exactly reassuring.

And the situation has hardly improved in the months since. In many states, it is still unclear what kind of voting machines will be used in primaries only a few months away. Running elections has always been a daunting and largely unappreciated job performed by state and county officials. But the challenges they face in 2006 are unprecedented, and many have their fingers crossed hoping their experiments with voting technology will work out...

Experience has now demonstrated what the voting industry no doubt knew in 2002: elections using DREs are significantly more expensive—and therefore more lucrative for vendors—than those using paper ballots. And while they're more expensive, they are not necessarily better...

Fundamental to the argument against electronic voting is that there is no opportunity to observe the counting of votes. When using DREs, the recording and counting of votes is performed by software—software that is considered "proprietary" by the voting machine vendors, and that is therefore kept secret even from election officials. Not only is the software secret, but the process by which it is tested and the results of that testing are also secret. The laboratories that test the software and hardware are paid by the vendors, but of course all these financial transactions are—you guessed it—secret.

So perhaps its not surprising that there are hundreds of reported incidences of malfunctioning electronic voting machines in every election cycle—and those are just the errors that have been identified...

To be fair, there are states whose new equipment has been delivered on time to their county clerks, who are busy training and preparing for this year's elections. But most of those states will be employing at least some of their equipment for the first time. Thomas Jefferson said that "eternal vigilance is the price of freedom," and this is certainly a year when vigilance is required. More than ever before, we need to pay attention to how are votes are cast—and counted.

See also my posts Diebold Voting Hack Demonstrated, Electronic Voting Not Yet Secure, and More on explaining the exit polls.

Digital Rights Management Principles

USACM, the United States Public Policy Committee of ACM, has published a high-level "Policy Recommendations on Digital Rights Management" drafted by a subcommittee chaired by Ed Felten, of which I was a member.

The marketplace should determine the success or failure of DRM technologies but, increasingly, content distributors are turning to legislatures or the courts to erect new legal mandates to replace long-standing copyright regimes. DRM systems should be mechanisms for reinforcing existing legal constraints on behavior, not mechanisms for creating new legal constraints. Striking a balance among consumers’ rights, public interest, and protection of valid copyright interests is no simple task for technologists or policymakers.

Principles covering competition, balance of rights, consumer protection, privacy and consent, research and public discourse, and targeted policies are included. The goal was not to address specific policies or legislation, but to provide a reasoned set of principles that could be applied as issues arose. More on this at the USACM Policy Blog.

Spam declining?

An article in Computerworld indicates that spam has shown a decline since mid-2004. This accords with what seems to have been happening in my own inboxes. Perhaps, even with botnets, it has stopped being profitable to tout Vigaria, V*I*A*G*R*A, low, LOW mortgage rates, etc. Here's hoping.

Global rates of spam, viruses and phishing e-mails stagnated in the last month, managed e-mail provider MessageLabs Ltd. has reported.

Month-on-month, levels for all three problems mostly stayed where they had been in the previous month. Spam rates actually decreased slightly from January, falling from 66.6% to 60.6%, while viruses fell from one in 41.7 e-mails to one in 44.1, or 2.3% of traffic. Only phishing saw any increase but this was modest, rising from one in 395 to one in 335.

The company predicts that spam might rise in the short term, although this is after a marked and consistent decline since a peak in July 2004, when the company said 94.5% of its e-mail traffic was made up of spam.