Friday, July 28, 2006

Wikipedia, Again

The Onion (America's Finest News Source) has a wonderful article entitled Wikipedia Celebrates 750 Years Of American Independence, which expertly skewers the style, pretensions, and reliability of Wikipedia.

NEW YORK—Wikipedia, the online, reader-edited encyclopedia, honored the 750th anniversary of American independence on July 25 with a special featured section on its main page Tuesday.

"It would have been a major oversight to ignore this portentous anniversary," said Wikipedia founder Jimmy Wales, whose site now boasts over 4,300,000 articles in multiple languages, over one-quarter of which are in English, including 11,000 concerning popular toys of the 1980s alone. "At 750 years, the U.S. is by far the world's oldest surviving democracy, and is certainly deserving of our recognition," Wales said. "According to our database, that's 212 years older than the Eiffel Tower, 347 years older than the earliest-known woolly-mammoth fossil, and a full 493 years older than the microwave oven."
"In fact," added Wales, "at three-quarters of a millennium, the USA has been around almost as long as technology." ...

But wait, there's more!



Thursday, July 27, 2006

November 7, 2006: Ready or Not

The National Academies Press provides free access to a Letter Report on Electronic Voting, by the National Research Council Committee on a Framework For Understanding Electronic Voting. This is an alarming (though not alarmist) assessment of nationwide readiness for the widespread use of electronic voting in the US elections this November. It is well worth reading by anyone concerned with the integrity of American elections.


The committee believes that some jurisdictions--and possibly many--may not be well prepared for the deployment and use of electronic voting equipment and related technology...

Security issues remain prominent in the public debate about voting technologies...

Election officials are increasingly realizing the fundamental contradictions between relying on current procedures and requirements for certifying voting system software, on the one hand, and holding elections on fixed, immovable dates, on the other... In the event that problems are found after certification, election officials must then choose between using certified systems with known problems or using uncertified systems in which those problems may have been fixed...

It is not clear that electronic voting machines can be adequately tested before being deployed...


As the November 2006 elections approach, the committee's first and most urgent recommendation is that election jurisdictions should--indeed must--ensure the availability of backup mechanisms and procedures for use in the event of any failure of e-voting equipment or related technology. This recommendation is based on the fact that any "flash" cutover to new technology (such as we are seeing today with many e-voting systems) almost guarantees surprises and unintended consequences (e.g., system crashes, unacceptably slow performance)... [emphasis in original]

Most organizations have learned the hard way that it is necessary to develop, test, evaluate, and iterate with small-scale prototypes before committing themselves to an organization-wide program of technology upgrade. They have also learned that they should plan on the simultaneous availability of both old and new systems for some period of time, so that failures in the new system do not leave them unable to perform their mission...

To prepare for the possibility of widespread failures (e.g., voting systems made inoperable on a large scale, whether by technology or acts of nature), election officials need to engage in a contingency planning process focused on such a possibility...

The November 2006 elections pose challenges like no other previous one regarding reliability, usability, security, training, education, and testing...

However, these observations are not meant to suggest that there will be widespread failures of electronic voting systems, that election results will be clouded by excessive voter confusion about using new electronic voting systems, or that electronic election fraud will necessarily occur in November. Nevertheless, the circumstances of the November election raise the stakes for conducting elections that are regarded as fair and that can withstand close scrutiny even in the face of unproven technology and new election procedures. The challenges facing election officials and the nation in the upcoming election are formidable indeed, and only time will tell if election officials across the land will be able to succeed in the face of these challenges.



Monday, July 24, 2006

What, me worry?



Thursday, July 20, 2006

Voting machines: What to do?

The USACM blog has a nice post covering the July 19 Congressional hearing on "Voting Machines: Will the New Standards and Guidelines Help Prevent Future Problems?" The answer seems to be: yes, they will help, but not enough, and opinions vary widely on what else must be done. Witness testimony and an archived Webcast are both available on the House website.



Thursday, July 13, 2006

What will be the Katrina of cyberspace?

The Washington Post has an article by Brian Krebs on the Bush Administration's delay in dealing with cybersecurity.

One year after the Department of Homeland Security created a high-level post for coordinating U.S. government efforts to deal with attacks on the nation's critical technological infrastructure, the agency still has not identified a candidate for the job.

On July 13, 2005, as frustration with the Bush administration's cyber security policy grew on Capitol Hill and Congress appeared poised to force its hand, Homeland Security Secretary Michael Chertoff announced the new assistant-secretary job opening.

Critics say the yearlong vacancy is further evidence that the administration is no better prepared for responding to a major cyber attack than it was for dealing with Hurricane Katrina, leaving vulnerable the information systems that support large portions of the national economy, from telecommunications networks to power grids to chemical manufacturing and transportation systems.

"What this tells me is that ... [Chertoff] still hasn't made this a priority ... to push forward and find whoever would be the best fit," said Paul Kurtz, a former cyber security advisor in the early Bush administration...

Rep. Zoe Lofgren (D-Calif.), a co-author of the bill that would have forced the department to create the position last year, did not mince words: "I think DHS is pathetic and incompetent. It's a complete mystery what's happening over there." ...

John McCarthy, director of the critical infrastructure program at the George Mason University School of Law, agreed and related that just a few months after the administration released its cyber plan in 2003, one of his graduate students submitted a dissertation containing detailed maps zeroing in on key points in the Internet infrastructure that -- if targeted by terrorists -- could wreak a cascading series of outages capable of bringing major U.S. industries to a screeching halt.

Government officials suggested that the dissertation be classified [1] ...

But McCarthy said he believes it is a question of when -- not if -- a major portion of the U.S. economy comes under a targeted cyber attack, and that the nation desperately needs the technical and social leadership in place to deal with it when the time comes.

"I believe that as we as a society and economy move towards a greater reliance on these vulnerable communications networks, that those who would wish us harm will find ways to target those infrastructures in ways we haven't thought about yet, and that's going to present a major challenge for whoever is picked for that position."

[1] "Security by obscurity" (relying on an attacker's ignorance of a system's design or of its weak points, rather than on the system's resistance to an attacker who knows them) is a thoroughly discredited approach, uniformly ridiculed by the security community.



Friday, July 07, 2006

This is not a spam blog

Starting yesterday, Blogger (Google) has required me to pass their "Word Verification" (CAPTCHA) for each new post to this blog, since "Blogger's spam-prevention robots have detected that your blog has characteristics of a spam blog." They're not specific about what these characteristics are.

Although their explanation is courteous, they are firm that "Before we can turn off mandatory word verification on your posts we'll need to have a human review your blog and verify that it is not a spam blog." Robots can apparently put a blog on the list, but only a human can remove it.

Just to be clear, I am a real human being. I'm opinionated, and my posts are fallible, but my sole purpose is to share information that I think is interesting, and I hope my readers (bleaders? :-) find it to be so. I am not trying to entice anyone to buy or sell anything, or even to click on any ads. (Maybe that last is why Google thinks I'm aberrant? :-)

Jim Horning


Thursday, July 06, 2006

Spaf on the VA Breach

I have belatedly seen the testimony by Prof. Eugene Spafford to the House Committee on Veterans’ Affairs Hearing on "The Academic and Legal Implications of VA’s Data Loss." As always, Spaf was crisp, insightful, and thought-provoking.

For decades, professionals in the field of information security have been warning about the dangers of weak security, careless handling of data, lax enforcement of policies, and insufficient funding for both law enforcement and research. Our warnings and cautions have largely been dismissed as unfounded or too expensive to address. Unfortunately, we are seeing the results of that lack of attention with incidents such as what happened at the VA. In addition we have seen new levels of sophisticated computer viruses and spyware, increasing cyber activity by organized crime, and significant failures of security across a wide variety of public sector entities and government agencies, including the Department of Defense...

There are many reports describing these threats, including reports from the PITAC, the GAO, the National Academies, the Department of Justice, and many commercial entities. From these reports the following general trends may be derived:
* The number of reported attacks of various kinds is increasing annually;
* Attacks are becoming more sophisticated and more efficient;
* Few perpetrators are ever caught and prosecuted;
* An unknown (but probably large) number of attacks, frauds and violations are not detected with current defenses;
* A large number of detected attacks are not reported to appropriate authorities;
* The problem is international in scope, both in origin of attacks and in location of victims;
* The majority of the attacks are enabled by faulty software, poor configuration, and operator error.

Undoubtedly the magnitude of the problems is greater than has been reported, and more has occurred than has been detected. Regrettably, I believe the situation is going to get worse because the problems have been ignored and neglected for too long to be quickly remedied.



Privacy Policy Recommendations

USACM (the US public policy committee of the ACM) has released a new set of recommendations on privacy.

Current computing technologies enable the collection, exchange, analysis, and use of personal information on a scale unprecedented in the history of civilization. These technologies, which are widely used by many types of organizations, allow for massive storage, aggregation, analysis, and dissemination of data. Advanced capabilities for surveillance and data matching/mining are being applied to everything from product marketing to national security.

Despite the intended benefits of using these technologies, there are also significant concerns about their potential for negative impact on personal privacy. Well-publicized instances of personal data exposures and misuse have demonstrated some of the challenges in the adequate protection of privacy. Personal data – including copies of video, audio, and other surveillance – needs to be collected, stored, and managed appropriately throughout every stage of its use by all involved parties. Protecting privacy, however, requires more than simply ensuring effective information security...

Striking a balance between individual privacy rights and valid government and commercial needs is a complex task for technologists and policy makers, but one of vital importance. For this reason, USACM has developed the following recommendations on this important issue.

USACM does not accept the view that individual privacy must typically be sacrificed to achieve effective implementation of systems, nor do we accept that cost reduction is always a sufficient reason to reduce privacy protections.

I believe that the report is worthwhile reading in full, both by citizens and by policy makers. But I may be biased, since I helped in its drafting.
