Sunday, September 21, 2008

No meaningful audits or recounts in Virginia this year

Readers of this blog know that one of my pet peeves is that Virginia law prohibits meaningful audits or recounts after an election. To be precise, audits are allowed only after the election results have been finalized, and only if the margin of victory is greater than 10% (no, that's not a typo, I mean greater - i.e., when there's no chance that you'll find anything wrong). And recounts are generally restricted to just retallying the printouts from the voting machines (DREs or optical scanners). If a jurisdiction uses DREs, there's nothing else to count so it wouldn't make much difference, but where there are optical scan ballots you'd really want to at least rerun them through the scanner - but even that is prohibited without a judge's order. [I'm slightly simplifying things, but not in a meaningful way.]

Last Thursday WTVR-TV in Richmond (the state capital) ran a two-part series on the upcoming election. My comments were included in part 2 of the series, which can be found here. As someone who explains things frequently using analogies, I was pleased that they included my explanation for why Virginia's "retally the results" isn't a good way to do recounts.

My only disappointment about the series is that Secretary of the Board of Elections Nancy Rodrigues, for whom I have tremendous respect, made the comment that there's no way the machines could be hacked because they have strong chain of custody. She's right that a strong chain of custody is important, but it's not enough - in particular for the WinVote machines used widely in the state which have wireless networks. I wish the reporters had more technical background to challenge her on that point...

Friday, September 19, 2008

Me and my buddy Sarah

As has been widely reported, Gov Sarah Palin's Yahoo! email accounts were "hacked", and some of her email has been published on the web. There are a number of interesting aspects to this:

1. Much of the coverage has focused on Yahoo! accounts as being "insecure", with the implication that the State of Alaska accounts are "secure". While there's possibly a difference in how the email is stored (i.e., on state computers - although with outsourcing that's not necessarily the case), I strongly suspect that Yahoo!'s systems are more secure - they have the staff and motivation to ensure that there are no security vulnerabilities in their system. While the State of Alaska might benefit from the obscurity of their mail servers, it's unlikely that they have the level of expertise to protect their systems as well as Yahoo!

2. There's the question of propriety of Gov Palin using a Yahoo! account for state business. Doesn't look appropriate to me, but that's just an opinion.

3. Is it legal for Gov Palin to use Yahoo! for official state business? I don't know Alaska law (and I'm not a lawyer anyway), but it's an interesting question - it's really the same issue as President Bush has faced with use by his staff of RNC accounts rather than official accounts, thus allowing potentially millions of emails to be lost (which were by law public records).

4. Finally, my sister points out that the method purportedly used by the "hackers" (and I put that in quotes because it doesn't feel like my definition of hacking) to get control of Gov Palin's account was to ask for a password reset, and then guess the answers using well-known information. As I noted in my previous posting on this blog, many of the so-called secret questions used for security purposes by financial institutions really aren't very secret - so Gov Palin may well have fallen victim to exactly the problem I wrote about! (As I wrote this it occurred to me that one of the questions I was asked for financial verification is who holds my mortgage - a fact which is a public record in most places.)

Lessons learned? If you're a prominent person, whether elected official or not, use your official work email for official communications. Whether it's convenient or not, the embarrassment of getting caught on a non-official email address isn't worth it.

Friday, September 12, 2008

Credit bureaus, credit reports

I recently had two occasions to do credit-related activities.

In the first, a company had a (fairly) legitimate reason to run a credit check. After collecting name, address, SSN, driver's license, etc., they ran a credit check, and then wanted to "verify" that I am the person all those things belong to. A noble goal - but one done poorly. The "verification" (which must be in quotes, as you'll see) consisted of asking three questions:

(1) Which of the following companies holds your mortgage? The person then named four companies, three of which I had never heard of (and may not even exist), and the fourth is one of the larger mortgage companies. If I weren't me, I could have reasonably guessed the large one - it would probably be accurate for 99% of people.

(2) Which of the following companies holds your primary credit card? Again, four banks were named, three of which I had never heard of and probably don't exist, and the fourth is one of the largest issuers (think Amex, Chase, Citi, Capital One, etc - they issue so many more cards than everyone else that it's clearly a very likely choice). Again, someone who knew nothing about me could guess accurately with at least 99% probability.

(3) Your previous address was 123 Main St, in which city? This time four cities were named, one of which is a neighboring town to where I live now, and the other three I've not heard of. This one would be a bit harder to guess without some data, but anyone who has a copy of my credit report would know the answer.

So my conclusion is that, just like TSA and airport security, these new security "safeguards" are security theatre, and don't actually improve security at all.

The day after the above transaction, I got a letter from a bank I do business with saying that my personally identifiable information had been stolen, etc. - I've received quite a few of these before, as have most middle-class Americans. (One of the advantages, I suspect, of being poor is that you have less financial data and in fewer places, so you're less likely to have it stolen!) As is the norm, they offered me two years of free credit monitoring, which of course is just a Band-Aid.

So I accepted the credit service anyway, and ran a credit report on myself. It was moderately accurate (no accounts I didn't know about, which is good). But the amount of missing and inaccurate data is amazing - two of the three credit bureaus list my current employer as a company I left more than 15 years ago. So if one of those clever "validation" questions I discussed above had been to verify my current employer, I would have failed the test, since they had the wrong answer!

The good news from all this is that credit bureaus and the companies who use their data are starting to realize that using an SSN as both an identifier and an authenticator doesn't work, and they need to do more to verify identity. The bad news is that they totally misunderstand how to do it correctly, so they've just added an illusion of security which may have many false positives (i.e., indications of fraud that don't exist) due to the inaccuracy of their data.
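To put rough numbers on both failure modes of the three-question quiz described above, here is an added example (not part of the original post) that scores such a quiz for impostor pass rate and for rejection of the real account holder. The 0.99 guess rates are the post's own estimates; the 25% rate for the city question, the 90% record accuracy and all function names are assumptions made for illustration.

```python
from math import log2

# Constructed priors: how plausible each of the four offered options looks to
# an outsider. 0.99 is the post's own estimate; the rest are assumptions.
QUIZ = {
    "mortgage holder":     [0.99, 0.004, 0.003, 0.003],
    "primary card issuer": [0.99, 0.004, 0.003, 0.003],
    "previous city":       [0.25, 0.25, 0.25, 0.25],  # outsider has no clue
}

def best_guess(priors):
    """Chance of answering one question by picking the likeliest option."""
    return max(priors) / sum(priors)

def pass_probability(per_question, required):
    """P(at least `required` correct) for independent questions."""
    dist = [1.0]  # dist[k] = probability of exactly k correct so far
    for p in per_question:
        nxt = [0.0] * (len(dist) + 1)
        for k, mass in enumerate(dist):
            nxt[k] += mass * (1 - p)
            nxt[k + 1] += mass * p
        dist = nxt
    return sum(dist[required:])

def evaluate(quiz, required, record_accuracy):
    """Score a quiz: guessing entropy, false accepts, false rejects."""
    attacker = [best_guess(p) for p in quiz.values()]
    # The real person answers truthfully but only "passes" a question when
    # the bureau's record for it is right (record_accuracy is hypothetical).
    owner = [record_accuracy] * len(quiz)
    return {
        "bits": sum(-log2(p) for p in attacker),
        "false_accept": pass_probability(attacker, required),
        "false_reject": 1 - pass_probability(owner, required),
    }

if __name__ == "__main__":
    for required in (3, 2):
        r = evaluate(QUIZ, required, record_accuracy=0.9)
        print(f"need {required}/3: {r['bits']:.2f} bits, "
              f"impostor passes {r['false_accept']:.1%}, "
              f"real owner rejected {r['false_reject']:.1%}")
```

Under these assumptions the whole quiz is worth about two bits of guessing difficulty, and relaxing the pass mark to cut false rejections lets nearly every impostor through.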

Wednesday, September 03, 2008

And now for something completely different

I usually write about security related topics, but not today! I had my 15 nanoseconds of fame on PBS's Nightly Business Report. My neighbor is a friend of one of their reporters, and when I mentioned the hassles I'm having with my home equity line of credit (HELOC), the reporter interviewed me and put the story on the air today.

There's nothing unique about my story, but it was still cool to be on PBS! It'll be interesting to see if Homecomings suddenly gets more interested in resolving my issue.