Sunday, November 26, 2006

Security Absurdity - Feedback

Thanks to Gene Spafford for a pointer to a post by Noam Eppel responding to the responses to his earlier post: Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security.

There's too much in these posts for me to reasonably summarize (beyond the subtitle), other than to say that he provides a ton of evidence that the security sky really is falling, and that it is up to security professionals to lead the rescue (if there is to be a rescue).
If one is going to write an article claiming a "total failure" of information security, one should expect some strong feedback. I was not sure what to expect - total disregard, complete agreement, outrage, or indifference. Thankfully, the majority of responses have been very positive. Whether or not you believe there has been a "total failure", there seems to be almost unanimous agreement that things are pretty bad out there, and the security community faces some significant challenges. It has been six months since my article was posted and sadly the security situation is only getting worse. The Cyberworld has progressed merely from the Wild West to the 1920s mob-controlled urban centers. Shortly after my Security Absurdity article was posted online, we witnessed a remarkable series of events when cybercriminals forced Blue Security, an innovative anti-spam security company, out of business. This incident demonstrated quite dramatically that cybercriminals are indeed currently winning the battle.
[Other Sources]

Labels: , , , ,


Tuesday, November 21, 2006

Chaordic Leadership

I just encountered this term in one of Joe McCarthy's Gumption blog posts. According to Smart Leadership's article, " 'Chaordic' is a combination of two words: chaos and order. Hock coined the term to describe any organization, system or business that is 'self-organizing, self-governing, adaptive, nonlinear, and complex, and which harmoniously combines the characteristics of both chaos and order.' "

What I realized reading the Gumption post is that it is probably the best written description I have seen of the leadership style of Robert W. (Bob) Taylor (of NASA, ARPA, Xerox PARC, and DEC/SRC)--the best research manager I have been close to.

I won't repeat the blog post here, and I've just ordered the books that it's based on. I'll just say that I watched closely for nearly 20 years at PARC and DEC/SRC, and it really works. Bob got the best out of a fantastically talented bunch of computer researchers, and the computer industry (indeed, the country) is much the richer for it.

Labels: ,


Tuesday, November 14, 2006

A seductively bad idea

Wired News has an article by Keith Axline on proponents of voting by Internet. He is careful to mention the known drawbacks, and to quote the most prominent opponents. However, this is one of those quasi-balanced "he said, she said" presentations that makes no attempt to distinguish well-grounded claims from wishful thinking.

If you are willing to evaluate the arguments yourself, but have somehow not previously been exposed to this issue, you may find this article to be a useful survey.
In the wake of yet another election marred by technical glitches, critics of electronic voting machines are repeating their call to restore old-fashioned paper to the increasingly computerized election process.

But a smaller, quieter group is convinced the real solution lies in the other direction. Now is the time, they say, to make elections completely electronic, and allow voters to cast their ballots from home, over the internet...

If it seems insane to put democracy's most crucial function on wires shared by viruses and spam, consider that it's already happening...

... Internet voting is considered heresy in security circles, where the concept has been repeatedly and violently pilloried since at least 2000. If American voters are not ready to trust Diebold, are they ready to vote for president using their Windows machines? ...

Skeptics dismiss claims of past online voting successes, saying the elections officials evaluating those elections aren't qualified to pronounce them a security success. They point to four major breakdowns in any internet voting scheme that they claim are intractable:
  • General purpose PCs are inherently insecure and vulnerable to viruses and other attacks that could compromise votes without detection.
  • Denial of service attacks could disenfranchise voters.
  • Database hacks could change vote tallies.
  • Putting voting into the home would destroy poll-booth privacy, exposing voters to intimidation and bribery.
"The folks who decide to use (these systems) don't understand the technology," said David Wagner, an associate professor in the Computer Science Division at the University of California at Berkeley who specializes in computer security. "They don't know how to distinguish between good marketing and good technology." ...

Despite early setbacks, the idea isn't going away easily and it promises to grow in power as more countries give it a try as a way out of the failures of the current systems...

The main chokepoint for secure internet voting is the vulnerability of the home PC. The scientists interviewed for this article agreed that a closed set-top box would address many of their concerns, though not all of them.

Pushing hard-coded voting appliances into American homes wouldn't be easy, but the functionality could be built into other devices, with tight controls over what software can run on the box, and how the code is audited and authenticated. Consider the brainpower that went into making HDTV video resistant to high-quality copying. Apply that, under strict government regulations, to making secure home voting hardware, and voting machinery could be embedded in your television, Tivo or cable box in time for the 2010 midterms...
Anyone who seriously believes that HDTV isn't going to be hacked might find this almost plausible.

Labels: , ,


Wednesday, November 08, 2006

Virtual Recount

It apears that control of the United States Senate is going to come down to a recount in Virginia. However, as Avi Rubin points out in his blog, it is simply not possible to conduct a true recount in Virginia:

Virginia uses a plethora of different voting technologies. Just about every major vendor is represented. Most of votes in that state were cast on paperless DREs. There are no ballots to recount. A meaningful recount in Virginia is not possible.

The DRE vendors like to pretend that they can perform recounts. They take the vote totals on the machines and print corresponding ballots, and then count them by hand. Let me give an analogy to demonstrate how silly that is. It would be comical if vendors weren't actually doing it and convincing people that they were performing a recount.

Imagine if you had a word document on your computer, and the document stated some fact. You were not sure if the fact was true. So, to verify the fact, you print the word document, and then you read it out loud and say, "Ah, if that's what it says, then it must be true because I'm looking at a printout." What the vendors are doing is printing out the questionable results and then counting them. Of course they are going to match what was on the machine, but they do not provide an independent count. The so-called recounts of DREs are really just print and count, not RE-count. It is a waste of time...

It is unbelievable that the control of the US senate is coming down to a close race that cannot be recounted, and for which there are no physical ballots. The vendors may come out with their "emperor's clothes" recounts, but the public should understand that these are not really recounts, they are just print and count.

[Other Sources]

Labels: ,


Monday, November 06, 2006

What Diebold kept SAIC from telling us

There is now a copy of the unredacted version of SAIC's report to Maryland on Diebold voting machines available on The Brad Blog. It runs over 200 pages. When Diebold was through redacting it, the report released to the public was only 38 pages.

Apparently, neither the full Maryland State Board of Elections, nor even the Governor himself, was ever allowed to see the full report. So much for transparency in elections.

Labels: , ,


Thursday, November 02, 2006

Diebold leaving the election business?

A Fortune/CNN article by Barney Gimbel collects lots of tidbits about Diebold's blunders in the election business, then ends with an interesting observation:
As for Diebold, [CEO and President Thomas] Swidarski is questioning whether the election business "fits into our product portfolio." He says he'll make a decision within the next three months. But it says something that Swidarski recently ordered the name "Diebold" removed from the front of the voting equipment. Why? A spokesman would only say, "It was a strategic decision on the part of the corporation."
[Other Sources]



Department of Homeland Insecurity?

Interesting story by Kevin Poulsen in Wired about the deliberate decision by the DHS's Bureau of Customs and Border Protection not to protect the critical US-VISIT computers against the Zotob worm.
A Morocco-born computer virus that crashed the Department of Homeland Security's US-VISIT border screening system last year first passed though the backbone network of the Immigrations and Customs Enforcement bureau, according to newly released documents on the incident.

The documents were released by court order, following a yearlong battle by Wired News to obtain the pages under the Freedom of Information Act. They provide the first official acknowledgement that DHS erred by deliberately leaving more than 1,300 sensitive US-VISIT workstations vulnerable to attack, even as it mounted an all-out effort to patch routine desktop computers against the virulent Zotob worm.

US-VISIT is a hodgepodge of older databases maintained by various government agencies, tied to a national network of workstations with biometric readers installed at airports and other U.S. points of entry. The $400 million program was launched in January 2004 in an effort to secure the border from terrorists by thoroughly screening visiting foreign nationals against scores of government watch lists...

By that time, Zotob was already flooding DHS compartments like water filling a sinking battleship. Four CBP Border Patrol stations in Texas were "experiencing issues related to this worm," reads one report. More ominously, the virus had made itself at home on the network of an interconnected DHS agency -- the Immigrations and Customs Enforcement bureau, or ICE. The ICE network serves as the hub for traffic between the US-VISIT workstations and sensitive law enforcement and intelligence databases, and US-VISIT visibly slowed as traffic slogged over ICE's compromised backbone...

At international airports in Los Angeles, San Francisco, Miami and elsewhere, long lines formed while CBP screeners processed foreign visitors by hand, or in some cases used backup computers...

While DHS and its agencies are taciturn about discussing security issues, they couldn't hide the travelers stranded on the wrong side of Customs at airports across the country. The day after the infection, DHS publicly acknowledged a worm was responsible. But by December, a different story emerged; a department spokesman speaking to CNET claimed there was no evidence that a virus caused the August incident. Instead, the problem was merely one of the routine "computer glitches" one expects in any complex system, he said...

After we sued, CBP released three internal documents, totaling five pages, and a copy of Microsoft's security bulletin on the plug-and-play vulnerability. Though heavily redacted, the documents were enough to establish that Zotob had infiltrated US-VISIT after CBP made the strategic decision to leave the workstations unpatched. Virtually every other detail was blacked out. In the ensuing court proceedings, CBP claimed the redactions were necessary to protect the security of its computers, and acknowledged it had an additional 12 documents, totaling hundreds of pages, which it withheld entirely on the same grounds.

Labels: ,