Thursday, January 24, 2008

Al Qaeda encryption

There's been a fair amount of coverage that some Florida-based web sites are offering "new and improved" encryption technology for use by Al Qaeda. According to a Computerworld article, MEMRI (a generally reputable organization) is reporting the availability of "Mujahideen Secrets 2". MEMRI says that the first version of the tool provides users with "the five best encryption algorithms, and with symmetrical encryption keys (256 bit), asymmetrical encryption keys (2048 bit) and data compression [tools]."

So far, that's quite believable.

The problem is the quote in the Computerworld article from Paul Henry of Secure Computing Corp, who says that the new version "likely uses at least 1024-bit encryption, whereas the first version of Mujahideen Secrets used 256-bit AES encryption". That comparison is apples to oranges: 256 bits is a symmetric (AES) key length and 1024 bits is an asymmetric (RSA-style) key length, and 256-bit AES is by any reasonable estimate far stronger than 1024-bit RSA, so "at least 1024-bit" is not an upgrade over AES-256. (MEMRI's description of the first version already credits it with 2048-bit asymmetric keys alongside the 256-bit symmetric ones.) I'm going to guess that Al Qaeda has sufficient technical expertise to know that if they're using 256-bit AES encryption, the encryption algorithm isn't the weakest link - it's going to be the key selection and distribution, correct implementation of the algorithms, security of the web sites where their information is stored, etc. I have no idea whether Al Qaeda doesn't understand encryption, or Mr. Henry doesn't understand it, or whether Computerworld misquoted him. But in any case, it's one of those examples of where more is not necessarily better.
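The weakest-link point above, as an added example that is not from the original post and not code from any of the software it mentions: a 256-bit key derived from a 4-digit PIN falls to an offline brute-force search in well under a second, because the key length is irrelevant when the secret that produces the key has only about 13 bits of entropy. The PBKDF2 iteration count, salt, PIN and known-plaintext header are all constructed for the demonstration; HMAC-SHA256 stands in for the keyed primitive an attacker tests guesses against (an AES ciphertext of a known file header would serve the same purpose).

```python
import hashlib
import hmac
import math
from typing import Optional

# Constructed parameters for the demonstration (not taken from any real product).
# A real deployment would use a large iteration count; it is kept low here only
# so that the exhaustive search below finishes in a fraction of a second.
PBKDF2_ITERATIONS = 100
KEY_LEN = 32  # 32 bytes = 256 bits, the same size as an AES-256 key
SALT = b"constructed-salt-0001"  # assumed to be stored beside the ciphertext


def derive_key(secret: str, salt: bytes = SALT) -> bytes:
    """Stretch a user-chosen secret into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def authenticate(key: bytes, message: bytes) -> bytes:
    """Keyed primitive the attacker can check guesses against.

    HMAC-SHA256 over a known message stands in for any verifiable use of the
    key, such as the ciphertext of a fixed, predictable file header."""
    return hmac.new(key, message, "sha256").digest()


def effective_key_bits(secret_space: int) -> float:
    """Entropy actually protecting the data: log2 of the number of secrets the
    user could have chosen, regardless of the nominal 256-bit key size."""
    return math.log2(secret_space)


def recover_pin(message: bytes, observed_tag: bytes, digits: int = 4) -> Optional[str]:
    """Offline brute force: derive the key for every possible PIN and check
    whether it reproduces the tag (or ciphertext) the attacker captured."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        guess = authenticate(derive_key(candidate), message)
        if hmac.compare_digest(guess, observed_tag):
            return candidate
    return None


def demo() -> dict:
    """User side: a 4-digit PIN becomes a 256-bit key. Attacker side: recover it."""
    message = b"constructed known-plaintext header"  # e.g. a fixed file header
    user_pin = "4217"                                 # constructed for the demo
    key = derive_key(user_pin)
    captured_tag = authenticate(key, message)          # what the attacker sees
    return {
        "key_bits": KEY_LEN * 8,                                     # 256
        "effective_bits": effective_key_bits(10 ** len(user_pin)),   # about 13.3
        "recovered_pin": recover_pin(message, captured_tag),         # "4217"
    }


if __name__ == "__main__":
    print(demo())
```

The same search against a key drawn from a 256-bit random source would have to cover 2^256 candidates instead of 10^4; the algorithm and key length are identical in both cases, which is exactly why the headline key size says nothing about how the keys were chosen, stored or shared.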

The Washington Post article has the good sense to report on the release of the software without speculating on what's "new and improved".

Wednesday, January 16, 2008

Good bills, bad bills on voting in Virginia

This year's legislative session has some good bills and bad bills. A quick overview for those who are interested...

SB 292 provides for random audits of optical scan voting results, and additional random selection (and hand counting if needed) for recounts. This is a critical change in Virginia, where current law precludes looking at paper ballots in case of recounts, and has no audits. It's not a perfect bill (the science of how to audit efficiently and to an extent that gives additional accuracy is still being refined), but it's a big step along the way of knowing who really won and lost elections. This is particularly important in Virginia, where we've had several close elections over the past few years.

SB 536 makes several small but important changes in how voting equipment is approved in Virginia. It gives the State Board of Elections the power to examine other state results in deciding what equipment should be certified, and allows the SBE to decertify equipment based on results from other states. This is important to take advantage of the studies done by California, Florida, Ohio, and other states. It also instructs the SBE to bring in experts in security and handicapped accessibility as part of the certification process.

The above bills are the primary focus for the Verifiable Voting Coalition of Virginia (VVCVa) this year. Unfortunately, we'll also be fighting off some bad bills, most notably HB 638, which rolls back the clock on the DRE purchase ban. Last year, VVCVa worked with a bi-partisan coalition to pass a bill that prohibited wasting money by buying more DREs (paperless electronic voting systems). Considering that the move nationwide is away from DREs and towards optical scan machines, and that Federal legislation is pushing things the same way, a ban on more purchases is good financial sense. Why throw more money at equipment that we know doesn't work, and is going to be banned anyway? It just doesn't make sense.

There's also a whole series of bills (HB 467, HB 685, HB 801, HB 1476, and SB 52, which are nearly identical to each other) that in one way or another roll back the ban on wireless usage on election day, which was passed last year. While I still think that wireless usage is unnecessarily risky, many Virginia jurisdictions are suffering from the decision to use Advanced Voting Solutions for their voting systems. AVS assured the legislators last year that their voting machines could turn the wireless off before the polls opened, and then turn it back on in time to synchronize the machines at the end of the day (thus avoiding poll workers manually totaling all of the machines in a precinct when they're tired after a 16 hour day). Unfortunately, AVS's claims were false - this can't be done. AVS is in weaker financial shape than its better-known competitors like ES&S, Sequoia, and Diebold/Premier, and it doesn't have the money or the resources to fix this problem and get it certified. (Well, based on what's happening in Pennsylvania and with the EAC, they can't seem to get anything certified.)

To make a long story short, it looks like the prohibition on wireless is going to be rolled back for the pragmatic reason that the machines are too hard to use without wireless. From a security perspective, this is a bad decision, but it's probably inevitable. The key now is to ensure that no future voting systems have that same problem - and that the legislation truly allows what is needed and no more. I'll be working with a number of legislators to ensure that the legislation really says what it needs to!

So once again, an exciting legislative year in Virginia for electronic voting. If you're reading this and you live in Virginia, please contact your Delegate and Senator and ask them to support SB292 and SB536, and to oppose HB638.

[Updated Jan 17: Added links to the bills rolling back the wireless ban.]

Saturday, January 12, 2008

RealID will cause riots

You've undoubtedly heard that DHS finally published the requirements for RealID, pushing off the deadline for implementation. That's good and bad news.

It's good news because some of the truly ridiculous requirements have been relaxed, and the deadline for implementation has been pushed back. There's the expected criticisms of the plan, which I applaud. Real ID is a truly bad idea.

But it's bad news, because it's going to delay the inevitable riots. I spent three hours this morning at the Virginia DMV waiting (ultimately unsuccessfully) with my nephew while he tried to get a driver's license. We arrived at 8:30am; his paperwork was entered into the computer at 9:30am; and at 11:15am he was still over an hour away from getting a road test (at which point we had to leave due to another commitment - which means we have to start all over another day).

What does that have to do with Real ID? As horrible as the lines are - and think how much productivity is being wasted by the hundreds of people waiting in line - can you imagine what it's going to be like when Real ID becomes required? Instead of most people being able to renew their licenses online or by mail, now everyone is going to have to sit and wait for hours to have their papers checked. Even increasing the workload of DMV by 10% would have a catastrophic effect, just like adding 10% more traffic to an overcrowded highway brings things to a complete halt.

So I'll make a prediction: the first time a senator or representative (or their spouse) or a Fortune 500 CEO (or their spouse) has to sit for three or four hours to wait for a bureaucrat to review their papers, we're suddenly going to have Real Interest in repealing Real ID. And if there's a backdoor "express" approval for the high and mighty, we'll have riots.

Tuesday, January 08, 2008

Photo IDs and voting

There's been much said about the Supreme Court challenge this week (Indiana Democratic Party v. Indiana Secretary of State and Crawford v. Marion County Election Board) to Indiana's Voter ID law which requires voters to provide a photo ID (see here for a good discussion of the problems with the Indiana law).

There are two parts to this issue: whether fraud occurs by individuals casting multiple votes, and whether the requirement for photo ID is burdensome.

For the former, see the Washington Post OpEd which notes "Indiana has conceded that there have been no cases in state history of voter impersonation that an ID law would have prevented".

For the latter, these discussions talk about young, minority, and elderly voters, all of whom are less likely than others to have a government issued photo ID. I'd like to offer a case in point: my mother. My mother hasn't missed an election in about 60 years. But due to a glitch, her non-driver's license (i.e., government issued photo ID) expired several years ago. Due to the Patriot Act, the only way to get a new one is to go to Department of Motor Vehicles office, which she physically can't do. So she has no valid photo ID (her passport has also expired).

Her situation is not atypical. I mention it only because I think to many proponents of Voter ID, people without an ID don't really exist. But they do - even in middle class suburban neighborhoods.

Sunday, January 06, 2008

There are many excellent blog posts on today's New York Times magazine article by Clive Thompson on voting machines. Steve Bellovin has some great comments, as does Dan Wallach. I particularly agree with Steve's comments that "the biggest problem with e-voting machines is ordinary buggy code". Or said another way, "never attribute to malice that which is adequately explained by stupidity" (which Wikiquote attributes to Robert Hanlon, as Hanlon's Razor).

One thing the article briefly mentions is how poor the state certification process is. Mr. Thompson writes "The vast majority of states “certify” their machines as roadworthy. But since testing is extremely expensive, many states, particularly smaller ones, simply accept whatever passes through a federal lab." As I've discussed elsewhere in this blog, I had the opportunity to observe Kentucky's certification process, which is certainly consistent with this description.

Mr. Thompson then goes on to write "And while it’s true that state and local elections officials can generally keep a copy of the source code, critics say they rarely employ computer programmers sophisticated enough to understand it." This isn't entirely true - while there are some cases where the software is available to state and local officials, in many cases (in my experience), no one even asked for it, so it's not available. Of course the second part of Mr. Thompson's comments are absolutely true - very few states or localities would know what to do with the source code. (For the record - I don't think that's a bad thing. You don't need a brain surgeon on staff in every neighborhood clinic, and you don't need an expert in source code analysis in every state Board of Elections. This is an area where hired experts are better than trying to retain people on staff.)

I'd give Mr. Thompson and the New York Times a grade of A-. As all the blogs have described, he did a great job covering a complex subject, and made only a few oversights.

[Updated 07 Jan to correct the author of the Freedom To Tinker blog entry. (Thanks Dan!) As to whether it was Hanlon or Napoleon or someone else who first said "never attribute to malice ...", I'm going to stick with Wikiquotes, since there seems to be a lot of disagreement.]

Friday, January 04, 2008

Intelligent Software Design

Software is incredibly complex. To the average person, it's incomprehensibly complex - so complex, that it couldn't be created by mere humans.

So my initial conclusion is that software must have been created by a greater power. But teaching creationism is prohibited in schools, as it's non-scientific. As mentioned in the latest National Academy of Sciences study, "Intelligent design holds that the universe's order and complexity are so great that evolution cannot explain it". What better explanation could there be for today's software, especially the madness that is Windows?

Intelligent Design: The only rational explanation for software.

Thursday, January 03, 2008

In Memoriam: Jim Anderson, computer security pioneer

Many of us learned over the past few days that Jim ("J.P.") Anderson, one of the pioneers of computer security, passed away on November 17, 2007. A tribute by Gene Spafford (Spaf) sums up a few of his many accomplishments.

It's in keeping with Jim's personality that even his closest friends only learned of his passing six weeks later (and others who were not his close friends, like me, a bit after that). Jim was an intensely private and self-effacing man. Several times my friend Dan Thomsen tried to convince Jim to write a paper about the impact of the seminal "Anderson Report" as one of the "classic papers" for ACSAC; Jim wouldn't hear of it.

Another time, Robin Roberts, a long-time friend of Jim's, organized a dinner in Jim's honor. When he found out he was the guest of honor, he refused to attend. The dinner went on without him, and several people shared memories of working with Jim.

Although I only knew him slightly, my personal experiences with Jim were similar to those described in Spaf's tribute. I recall a call out of the blue from a government agency inviting me to come in and talk about some research work I had done and how it could apply to their needs. I couldn't figure out how they had found me and why they considered my work so important until I showed up at the meeting. Jim was there - he had read or heard of my work, and saw the relevance to his client's needs. So he played the consummate matchmaker. The fact that my work built on Jim's foundation was obvious, but Jim's role was as a mentor to a (relatively) young researcher.

The computer security field has lost another one of its great innovators, and America has lost a selfless gentleman who worked behind the scenes to ensure that our government had the best advice available.

Maybe all we need for Internet voting is more certificates?

I had lunch yesterday with a co-worker who previously worked at VeriSign. We were discussing Internet voting, and she asked "wouldn't using certificates just solve the problem?" I explained why the problem with Internet voting isn't really about protecting the network communications, but rather issues of anonymity, vulnerability of the central servers, etc. Certificates are a hammer useful for one type of nail (where you need encryption or signatures), but are useless against the more significant types of nails in voting systems: accidental or deliberate flaws in software, errors in ballot setups, insider or outsider attacks, etc.

But afterwards it made me think: how many voters out there have been drinking the Kool-Aid that if it's got a little lock in the corner of the browser window, then it must be secure? Maybe that should be the new marketing spin for the voting system vendors - display a padlock, and everyone will believe it's true!

As the issue of Internet voting keeps coming back year after year, we should expect more questions of this sort from well-meaning voters who don't understand the full spectrum of security issues.

Wednesday, January 02, 2008

How effective are directed attacks?

I've read a lot of discussions about how there are regular attacks by various foreign governments, most typically attributed to the Chinese or North Koreans. At the ACSAC conference last month, Ron Ritchey from Booz Allen gave a fascinating talk about how they tracked down a series of targeted intrusions into major US defense contractors. I'm pretty surprised how much detail he was willing/able to give, especially since this was an unclassified setting. I'm even more surprised that he was able to share his slides, which are well worth reading.

Is this paranoia, or are these attacks for real?

My Year in Cities

My friend Gunnar Petersen posted his list of cities visited in 2007. Seems like fun - mine is much longer this year than most, largely due to college visits with my son. The rules on this "contest" are somewhat vague - I included only places at least 100 miles from home, and didn't include towns/cities in close proximity. On the other hand, I did include places where I made a real visit, even if I didn't stay there overnight.

Bangalore, India
Belfast, Northern Ireland
Blacksburg, VA
Boston, MA
Charlottesville, VA *
Chennai, India
Chicago, IL *
Cork, Ireland
Darmstadt, Germany *
Dingle, Ireland
Dublin, Ireland
Frankfort, Kentucky *
Frankfurt, Germany *
Kildare, Ireland
Kilkenny, Ireland
Los Angeles, CA
Miami, FL
Oberlin, OH
Pittsburgh, PA *
Richmond, VA
Rochester, NY
San Francisco, CA
Sofia, Bulgaria
Worcester, MA

* means more than one trip

Happy New Year, everyone!