Wednesday, October 31, 2007

Yet another bit of TSA stupidity

Every red-blooded American, and especially those with a security bent, has pointed out that the Transportation Security Administration practices what can politely be called “security theatre”. So it was no surprise that I got this message from a friend (edited for clarity):

We bought some very dangerous water globes while on vacation in California, small water globes all in quart ziplock bags. We had purchased similar sized water globes in Disneyworld in Florida without incident. The TSA screeners inform us that they are "too large" and that we have to discard them or put them in checked luggage, now we've already checked everything but my backpack. My daughter doesn't want to part with the water globes either. I ask for a supervisor, 5 min later the screener comes back and said his supervisor said "I am right" meanwhile another screener comes over and says "they're OK". I added that I took similar globes thru Orlando. His answer "this ain't Orlando we do stuff different here". These dangerous items were all of 5" long and contained less liquid than a 3oz bottle of liquid. So I leave 2 kids past security, and go back to the check-in counter, wrap the heck out of the snowglobes, put them in my backpack and check it. Then go back thru security, JUST in time to make the plane. Meanwhile, they missed 2 of the 4 snowglobes that were in my daughter's carry on.

So what can we learn from this?

(1) There’s no uniformity of TSA rules. Heck, we knew that - before Richard Reid, the rules on taking off your shoes differed from airport to airport and day to day for no apparent reason.

(2) The screeners can’t find stuff more often than not. Hey, I rarely bother taking my toiletries out of my carry-on, and 9 times out of 10 they sail right through. Recent studies by DHS itself have shown huge percentages of false negatives (i.e., missing things in baggage they're supposed to find).

(3) Even if they find something, they can’t distinguish 3 ounces of liquid - it’s entirely subjective.

TSA - wasting your tax dollars in new and innovative ways every day.

Monday, October 29, 2007

Plagiarism and technology

The following is something I wrote for RISKS forum that I thought others might be interested in. A recent discussion on the USACM (Public Policy Committee of the Association for Computing Machinery) mailing list triggered these thoughts.

It's obvious that the availability of so much information online makes plagiarism easier - it's impossible for a reader to know everything that could have been used without permission or attribution. On the flip side, things like Google make it easier to find suspected instances - as an example, when I'm reviewing an article for a journal or conference, I frequently put phrases into Google that I suspect are stolen, and have on numerous instances found that they were in fact taken verbatim without attribution. [Hint to the plagiarist: if you're going to use someone else's words without attribution, make sure they fit with your writing style. This is particularly notable when choosing text written by someone with a different native language than your own - if your native language is English and you copy something written by a native Chinese speaker, it will be fairly obvious; the converse is also obviously true.]

For high school and college students, technology like TurnItIn is one way of finding plagiarism without teachers having to do extensive searching. Although I haven't personally seen the output, my understanding is that the student submits text which is automatically analyzed, and potential instances of plagiarism are noted in a message to the teacher. (If someone could provide a better explanation, I'd certainly appreciate it! I noticed that TurnItIn now puts emphasis on improving students' writing style, perhaps as a way to give students a feeling that they're getting something out of the deal.)

There are several problems with products of this sort:

(1) False positives. When my daughter was in high school, she noted several times that TurnItIn considered her a plagiarist because it was unable to distinguish between properly quoted/referenced text, and unauthorized copying. Teachers who simply look at the overall "score" without reading the individual comments will tend to penalize those students who do the best job of citing background work! (I'm reasonably sure that TurnItIn is sufficiently cautious as not to deny that there are false positives, and to strongly encourage teachers and students to examine the results rather than simply believing them verbatim.)

(2) Copyright infringement. TurnItIn keeps copies of student papers in their database, for matching against future papers. This seems reasonable at first blush - after all, selling term papers is an old tradition, dating back well before the Web (although today's students may not believe that)! However, by keeping submissions for matching, TurnItIn may be violating copyright, as a recent lawsuit claims (see "McLean Students Sue Anti-Cheating Service", Washington Post, March 29 2007). Additionally, students have effectively no option to refuse adding their papers to the database, and are not compensated for their submissions.

So to bring this to RISKS, the issue is that we have competing risks: the risk of plagiarism being combated by TurnItIn and similar products vs. the risk of unfair accusations of plagiarism and copyright infringement - all of which is enabled by technology.

Wednesday, October 24, 2007

Plumbing leaks and voting machines

I spent yesterday in Frankfort Kentucky testifying at the Legislature's Interim Task Force on Elections, Constitutional Amendments & Intergovernmental Affairs on voting machine certification procedures and the resulting security of the voting machines. My role was as technical advisor to the Kentucky Attorney General.

Much of the discussion centered on whether the Kentucky certification process (which I've previously written about) should be an "examination" (the term used in the Kentucky statute) or "testing" as the Secretary of State characterized my proposed improvements to the process. (Technically, the word "testing" is an inaccurate description, as I suggested both testing and analysis, but that's not really critical.)

My contention is that the Kentucky certification process is a superficial review, and not even an examination. The word "examination" isn't particularly precise, and after the hearing was over it occurred to me that when I see the doctor for a physical "examination", I expect him/her to do more than just glance over me - I expect him/her to ask about known problems, take vital signs, some basic lab work, a physical exam, etc., and to interpret the results to determine if additional testing is necessary. True, I don't expect a full body CAT scan to search for hidden problems, but even a basic exam is more than just asking the patient "any problems". So what currently happens in Kentucky isn't an examination, by my definition of the word.

I tend to explain things by analogy, and so am always interested when someone comes up with a new analogy I can use. So I was particularly pleased by the comment from Representative Kathy Stein, who noted that she built two houses in the past few years, both of which (naturally) had plumbing inspections ("examinations") as part of the construction process, resulting in certificates from the inspectors. In each case, after she moved in, the plumbing developed leaks due to insufficiently glued plumbing joints (i.e., inadequate testing). As she pointed out, at that point it doesn't matter whether the goal was examination or testing - the important point is to fix the leak.

So too it is with voting machines - while we can debate whether more testing or analysis should be done before approval, the important thing is that the problems get fixed promptly, before the drips of water cause the floorboard underneath to rot and fail.

The good news is that the co-chair of the committee, Representative Darryl Owens, asked the Attorney General and Secretary of State to work with his committee on proposing legislation that will strengthen the certification process, as well as address other issues in voting systems used in the Commonwealth.

Friday, October 19, 2007

And now for something completely different

My friend Conor Cahill wrote on his blog the other day about fighting with Sears to get his washing machine repaired, and the difficulties in getting adequate service. Then I came home and read a Washington Post story about Mona "The Hammer" Shaw, who decided to get the attention of Comcast for their lousy customer service (including not showing up when promised, showing up without necessary parts, etc). After her first visit (when she was left waiting for two hours to talk to a supervisor, and then told he had gone home for the day), she decided to get even. Her solution was to return to the Comcast office with a hammer, which she used to smash the keyboard, monitor, and telephone of the customer service rep.

As the Washington Post says, "Being a responsible newspaper, we must note that this is a misdemeanor, a crime, a completely inappropriate way of handling a business dispute." As a responsible blogger, I'd say the same thing. Right, uh-huh. Can I hire her to help with my customer service problems? Sears would be a good place to start, then maybe my health insurance company which routinely misprocesses claims.

Ms Shaw was sentenced to "a $345 fine in restitution and a year-long restraining order barring her from the Comcast office". Where can I contribute to paying her fine? If every American who felt the way Ms Shaw does about lousy customer service contributed a penny, we'd have that $345 paid in a moment!

Monday, October 15, 2007

Swiss armored cars and voting

Gene Spafford has been widely quoted as saying "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench."

It seems that someone in Switzerland isn't satisfied with an armored car, and is now using an infantry division to deliver the votes from the voting machines to a central voting registry (see, for example, coverage in Computerworld and Network World).

There are three problems with what they've done:
(1) It's solving the wrong problem.
(2) It's solving the wrong problem.
(3) It's solving the wrong problem.

The first problem it's not solving is that the end-of-day vote tallies don't actually need to be protected from prying eyes - they're public information. So while they need to be digitally signed to prevent tampering, quantum cryptography isn't needed.
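
As an added illustration of the point above (not part of the original post): a tally can be published in the clear and still be tamper-evident. The sketch below uses a Lamport one-time signature built only from SHA-256 as a stand-in for whatever signature scheme a real system would use; the precinct name and vote counts are constructed.

```python
import hashlib
import json
import secrets

DIGEST_BITS = 256


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canonical(tally: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(tally, sort_keys=True, separators=(",", ":")).encode()


def keygen():
    # Private key: 256 pairs of random secrets. Public key: their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32))
          for _ in range(DIGEST_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _bits(message: bytes):
    digest = int.from_bytes(_h(message), "big")
    return [(digest >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def sign(sk, tally: dict):
    # Reveal one secret per digest bit. A Lamport key may sign ONE message only;
    # signing a second message with the same key leaks enough to forge.
    return [sk[i][bit] for i, bit in enumerate(_bits(canonical(tally)))]


def verify(pk, tally: dict, signature) -> bool:
    # Anyone holding the public key can check the tally; nothing is encrypted.
    if len(signature) != DIGEST_BITS:
        return False
    bits = _bits(canonical(tally))
    return all(_h(signature[i]) == pk[i][bit] for i, bit in enumerate(bits))


def demo():
    sk, pk = keygen()
    # Constructed sample tally, readable by anyone.
    tally = {"precinct": "EXAMPLE-001", "candidate_a": 412, "candidate_b": 397}
    sig = sign(sk, tally)
    tampered = dict(tally, candidate_b=497)  # one digit changed in transit
    return verify(pk, tally, sig), verify(pk, tampered, sig)


if __name__ == "__main__":
    print(demo())
```
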

The second problem it's not solving is that existing cryptography (whether for protecting the data from prying eyes - confidentiality - or protecting against tampering - integrity) is more than adequate for voting data. As a friend of mine says, raising the tall pickets on a security fence doesn't make the fence stronger; the attacker goes over the lower pickets or goes around the end of the fence.

The third problem it's not solving is that the weak point in modern voting systems isn't cryptography - it's bugs, whether accidental or intentional. A system that uses cryptography such as is being used in Switzerland can be attacked just as easily as one without cryptography. And in fact, there are advantages to the attacker - as there's no way to eavesdrop on the quantum cryptography, it's impossible to build systems that detect and stop attacks.

A great publicity stunt for the fans of quantum cryptography. As David Wagner from UC Berkeley says, quantum cryptography is “a way to hoodwink companies with too much money into paying $50k or $100k for a box that doesn't solve a problem they don't have.”

Saturday, October 13, 2007

How old are election poll workers?

I spent a pleasant day with my son on Friday at Illinois Institute of Technology, where I gave a guest lecture on electronic voting. One of the questions I always ask students is about whether poll workers would be able to notice someone trying to manipulate voting machines - as physical security of most of the machines is critical to the overall system security.

Poll workers are extremely dedicated individuals, frequently working 16 hours on election day for $100 - less than minimum wage. They do it out of dedication to our democracy, and I admire them. As my friend Ivy Main noted in a recent editorial in the Fairfax Times, the average age of a poll worker in the United States is 72, according to the US Election Assistance Commission.

In my talk at IIT, I asked the students how old the average poll worker is in their home precinct. One of the students responded "35 to 40" and another said "50", both of which shocked me. As I pointed out to the students, for every 40 year old, there must be a 100 year old out there, to keep the average at 70. [Of course, a dozen or so 75 year olds would also be enough to offset a 40 year old.]

Regardless of how many younger poll workers it takes, one of the issues is that older poll workers are on average less technically savvy than younger ones, and certainly less technically savvy than someone who intends to use technology to attack the voting system.

I'm hoping to do my part - while I'm still above the 35-40 that the student mentioned, I can help reduce the average, and expect to start in the spring. And I hope I'm still energetic enough at 72 to work as hard as the average poll worker!

What's dangerous on an airplane?

TSA regularly changes the rules on what you're allowed to bring on planes. Like many, I find the rules bizarre and generally a waste of everyone's time.

On a recent trip to Chicago with my family, we realized after we arrived that we had several liquids/gels in our carry-on bags that weren't in the "one quart clear resealable bags" that are the pride and joy of airport screeners everywhere. But we didn't get stopped about them. So much for the scanning process.

More interestingly, the woman sitting behind me was carrying on a sports trophy - it was quite attractive, made of cast bronze. I'd guess it was 18 inches tall, and from the way she was holding it, probably weighed about 10 pounds. Lots of sharp edges all over that would make it a good weapon. You surely wouldn't be allowed to carry on a knife or scissors with an 18 inch blade.

As has been routinely pointed out, now that cockpit doors are armored, the danger from knives and scissors has been dramatically reduced, so the bronze figure was surely no danger. But we're still limited to 3 inch blades on scissors.

Maybe someday TSA will think about their regulations from a consumer perspective, instead of their current knee-jerk reactions to threats, which ignore the big picture. But I'm not holding my breath.

Wednesday, October 10, 2007

A different aspect of election security

An interesting new report was released yesterday on a different aspect of elections security. Unlike the area I’ve been working in (security of the voting systems), this report focuses on what an attacker could do to influence voters prior to their going to the polls, including creating web sites with confusingly similar names to the official site, sending messages that appear to come from the legitimate candidate site (but don’t), creating fake (but realistic-looking) sites to collect donations, etc.

Nothing really new in the report, but it points out how reliant we’ve become on the Internet as a source of information about elections.

Perhaps the most important thing to me is the implications of such a report to Internet voting. Yes, that’s a topic that just won’t go away. Would voters click on a link that says “click here to vote for Jane Doe”? If they do, are they actually voting for Jane Doe or her competitor? And there’s obviously motivation, although hopefully not by legitimate candidates, to create malware (keystroke loggers, or even software that modifies your traffic) to cause unsuspecting voters to cast votes in ways they don’t intend.

Worth a read.

Is "Man of the Year" farfetched?

I recently got an email from my sister about the movie "Man of the Year" with Robin Williams. She asked whether the attack described in the movie could really happen. The premise of the movie is that a voting machine company throws the election through deliberate manipulation of the voting results. The details are incredibly unrealistic to anyone who understands technology (hint: programs aren't written based on the number of double letters in a name), but it all hinges on the notion that there's a single nation-wide provider of electronic voting machines that are controlled from a single site.

In some countries that's not entirely farfetched - for example, The Netherlands until very recently was using a single model of machines nationwide, and I think they had a central data gathering site. But in the US, an attack of this sort would be much more complicated. First of all, each of the 50 states (and other entities such as the District of Columbia and territories) has its own procurement, and they don't buy equipment from the same vendors. Second, in many states, each locality (county and/or city) does its own programming of the voting machines and tallies the results itself. So there is no central control point.

Or could there be? Some anti-DRE activists have been explicit that their goal is to put the DRE vendors out of business - most notably Diebold (now known as Premier Election Systems), but also Hart Intercivic, Sequoia, Election Systems and Software, Advanced Voting Solutions, and others. What would happen if they are (mostly) successful? We might well end up with a single vendor of all voting systems, and then the obvious optimization is to have central operation of elections. This would save money and increase professionalism. But it could also open the door to exactly the type of problem discussed in the movie.

I don't think it's likely, but in the back of my mind I worry about pushing too hard to fix the problems, lest we make it impossible for anyone to meet our needs and drive the vendors out of business.

The moral of the story: be careful of what you wish for - you may get it. And in this case, what you get may be the movie plot coming true.

Tuesday, October 09, 2007

To every feature there is a counter-feature

GM announced today that they're adding a new feature to OnStar, which will allow an operator to remotely disable a stolen car. Sounds reasonable - they say it will gradually slow it down, to prevent high speed police chases. See coverage on CNN Money, ABC News, and many others.

How long will it take before some less than ethical person hacks into the OnStar system and starts remotely disabling cars? There's already something of a motivation, in that OnStar can unlock the car doors remotely, which would be useful to thieves.

One of the more benign things that could be done with this type of attack is a denial of service. Say an attacker disables all OnStar equipped cars on a major highway at rush hour. That would create quite a mess, even if there are no accidents. If it happened repeatedly, it could have quite an impact on the economy.

And since there's been talk recently of Chinese (and other) foreign governments attacking the US infrastructure, here's a new way they could do it - it's probably minimally defended, and the legal and international relations aspects are a lot less serious than, say, cyberattacking a power plant.

Thanks GM - appreciate your increasing the opportunities for hackers!

Thursday, October 04, 2007

Everything but real security

I recently visited a government building where they had me remove my change, keys, belt, cell phone, and watch, and then walk through a metal detector. So far, so good. But they didn't have an X-Ray machine, so they just let me carry my backpack around the outside of the detector.

My backpack measures 15" wide x 9" deep x 18" tall, and is crammed with all the usual stuff a geek carries - laptop, MP3 player, GPS, various power adapters & chargers, etc. No one looked inside, or even asked me what I was carrying.

So what value was added by the X-Ray machine? Feel good security!

Wednesday, October 03, 2007

Kentucky Attorney General releases expert report

I spent some time over the past few weeks looking at Kentucky's certification process for electronic voting systems as a consultant to the Kentucky Attorney General. (In Kentucky, as in most states, there's a multi-tiered approval process before a voting system can be used - first it has to get Federal approval, then the state approves it, then individual jurisdictions, such as counties, actually purchase the equipment.)

The Attorney General put out a press release and my report yesterday. I'm very pleased that the AG adopted many of my recommendations in his press release and letter to the Secretary of State.

Now comes the hard work - turning the recommendations into action!

Is jam a liquid?

I spent August in Europe, mostly on vacation in Ireland, where (among other things) I bought a jar of grapefruit marmalade at a farmers market. I wish I could tell you how good it is - but I can't.

After vacation in Ireland, I headed to Germany and then Bulgaria on business. As I was clearing security in Frankfurt, Germany, I learned that they consider jam to be a liquid (or perhaps a gel), and impounded it. I didn't bother to argue - that's a pointless exercise, since they have no motivation to act rationally in Germany any more than in the US.

Wikipedia defines a liquid as "a fluid that can freely form a distinct surface at the boundaries of its bulk material", which doesn't seem to include jam. The US TSA (which obviously has limited influence over German security) talks about the 3 ounce rules, but never defines (at least that I can find) what a liquid or gel is.

So next time, I guess I'll have to check my baggage - at least until they prohibit jam in checked baggage.