ABQORDIA - Thoughts on security and society

The WinVote video

2009-07-22T09:50:00.003-04:00

Just after the November 2008 election, a video appeared on YouTube showing someone playing with an AVS WinVote DRE voting machine in my home county (Fairfax Virginia), and showing that under certain circumstances it records incorrect votes, and even flips selected candidates.

I was recently asked for comments on the video, so I thought I'd post them here too.

My reaction (aside from the amateur filmmaking) is that while it tooka bunch of fiddling before the machine failed, the fact that the failures occurred show that under some circumstances the WinVote will fail to get the voter's intent - i.e., there's unquestionably one or more bugs in the software that can trigger under certain circumstances and cause incorrect candidate selection. The question is whether it would also fail under normal circumstances - once you've established that the bug occurs in an unrealistic situation, one has to ask can it also occur in a realistic situation. Given the minimal level of testing done in the Federal and state certification processes, it would be highly unlikely to be detected as part of certification. I don't know whether Fairfax County's testing is thorough enough that it might have been found there.

The more interesting question is whether a voter (other than the one who made this video) ever encountered this problem by accident, and believing it to be their mistake never reported it (or reported it to a pollworker, who never reported it to the Fairfax County office). [Or perhaps it got reported in another state that used the WinVote, but the word never got to the Fairfax County Board of Elections.

And the other interesting question is whether this bug, when triggered, causes incorrect recording of the candidate choices.... if the voter doesn't notice that it switched candidates on them, does the vote recorded in memory reflect what is being shown on the screen or what the voter had actually selected before the flip? The answer isn't obvious...

Cloud Computing - all that's old is new again

2009-06-19T13:22:00.003-04:00

Cloud computing is the buzzword du jour. What amazes me most is how little people realize that it's nothing new.

From about 1978 until ultimate cancellation in 1986, AT&T ran a project called "Net 1000" (codename: ACS or Advanced Computing System). This was the first product AT&T released as part of the deregulatory process.

Managing projects in telecommunication services by Mostafa Hashem Sherif describes Net 1000 as follows: "The service consisted in providing customers with the capacity to develop, install, and manage applications software to run on AT&T's owned processors. The architecture was based on having a large number (100-200) of dispersed data centers (caled "service points"). These were interconnected using an X.25 packet switched network from the regulated part of AT&T. Initially, data centers were built in New York, Chicago, Los Angeles, Greensboro, Salt Lake City, Camden, Kansas City, and San Antonio [...] A Network Operations Center was constructed in Somerset, NJ. [...] The idea of Net 1000 was for users to pay for what they use. They wer charged for network terminations (ports), disk storage, transmission bandwidth, connection time, and communications process." (Page 79)

Sherif continues on page 81 that problems with the business included "the absence of application software and overlook[ing] the time needed to develop, test, and deploy software applications, particularly in a new operating environment."

Later on, AT&T changed the direction for Net 1000, and it ceased to be an application hosting infrastructure. But that's another story.

AT&T lost more than $1B on Net 1000. Yes, that's billion.

Certainly there are significant differences between cloud computing and Net 1000 - AT&T was trying to sell both the network communications and the applications platform, while cloud vendors are using the existing network infrastructure. And of course computer equipment is much cheaper - at the time I worked on Net 1000, the VAX 11/780 computers used as the application hosting platforms cost about $200,000 each, and operated at a speed comparable to about 1 MHz (vs. 2+GHz for a typical laptop today). Databases are a lot more mature too - the Net 1000 product was built on a DBMS called "Seed", which I think was written in FORTRAN, with a COBOL layer built on top of that. (We looked at a startup called Oracle but their products weren't mature enough to use for a nationwide offering!)

I'm not predicting that cloud computing will go the way of Net 1000. Just saying that all that's old is new again.

Election Day 2009 - report from the trenches

2009-06-10T14:57:00.002-04:00

What, it’s election day again? Yes, Virginia, there is an election this year (state and most local candidates are elected in odd numbered years). Today was the Democratic primary– it’s an open primary to select Governor and Lieutenant Governor candidates, and in some places to select candidates for the House of Delegates. (The Republicans picked their candidates at a convention last month – in Virginia, it’s up to the parties whether to select candidates by convention or primary. The third statewide office, Attorney General, only had one candidate on the Democratic side so it wasn’t on the ballot.)

My precinct in Fairfax County has 1975 registered voters (small for this county), of whom 146 showed up over the 13 hours the polls were open, and 6 others voted absentee. We had four pollworkers – a chief and three assistants (including me). We were using two AVS WinVote DREs, neither of which had an apparent problems (after the special election a few months ago with strange results, I checked the zero and end of day tapes carefully). I found the election interesting because it was so slow that I had a chance to observe all of the weird things that happen in nearly any election, but in a general election we’re too busy to notice.

1. One of the three candidates for Lieutenant Governor had withdrawn before the election, but after the ballots were approved. We had signs everywhere telling voters that, but he still got four votes in our precinct.

2. Several voters didn’t know it was only a Democratic primary, and wanted to vote for Republican candidates. I presume they undervoted.

3. One voter left without pressing the final “Vote” button. Local rules say that the vote is voided rather than cast.

4. Several voters seemed surprised that there were just two races on the ballot (as noted above, some areas also had a third race for Delegate).

5. One voter who didn’t have a driver’s license or similar ID tried to use a Visa card with a photo. Luckily, Virginia allows an affidavit as an alternative to an ID, so we didn’t have to decide whether a credit card is a valid ID.

6. One voter was listed as a permanent overseas voter who gets an absentee ballot automatically, so she had to vote a provisional ballot until the county can verify that she hadn’t already voted absentee.

7. One voter needed to vote curbside; the DRE was very easy to handle for that use. However, the rules in Virginia are such that I could carry it to the car by myself (without a second pollworker coming along), so I could have (theoretically) cast extra votes without anyone noticing – except that the count would have mismatched. We discovered when it was time to close the polls and fill out the final reports that we forgot to note the protective counter when the machine was carried out to the curb and back again – most likely because none of the pollworkers had ever done curbside voting before.

8. One voter said he had registered to vote in his high school in the past few weeks (which was probably after the deadline). I wanted to allow him to cast a provisional ballot (if for no other reason than to give him the feeling that his vote might be counted), but the chief for the precinct called the county which said they didn’t have him listed, so she sent him away.

9. One voter had trouble getting the touchscreen to respond to him. The problem seemed to be that he was balling up his fist and pushing the screen with his thumb, which probably caused his other fingers to touch the screen at the same time.

10. No one asked about the paper optical scan ballots we used in the fall general election, nor did anyone express concern about the reliability/accuracy of the DREs (other than my wife). Just a statement of facts, ma’am!

All in all, a thoroughly ordinary election, but one that reinforced the range of “unusual” activities.

Metric to English measurements - no more precision

2009-06-07T21:44:00.003-04:00

Here's an excerpt from a CNN report about the airplane crash: "The part of the ocean where the debris and bodies have been found ranges between 19,685 and 26,247 feet (6,000 and 8,000 meters) deep. The search area covers 77,220 square miles (200,000 square km), an area nearly as big as the country of Romania."

Converting 6000 meters to feet doesn't change from 1 to 5 digits of precision, and similarly for the other numbers.

This happens in all sorts of reporting. Why isn't it taught as part of Journalism 101?

A little knowledge is a dangerous thing

2009-05-14T15:50:00.003-04:00

Last week the Washington Post reported that a web site belonging to the Virginia Department of Health Professions was broken into, and that millions of records regarding use of controlled drugs had been at least potentially accessed by an attacker. The attacker claims to have encrypted the records with a key only s/he knows, and will not release the key without being paid a ransom.

Clearly this was a bad thing.

But here's where we get into "a little knowledge". The Washington Post reports that "Del. Joe May, an electrical engineer by profession and the House's resident expert on technology issues, wanted to know what security measures the hacker had to overcome to access the records." So far, so good. They then quote May as saying "It doesn't sound like the proper firewalls, the proper backing up, the proper security measures were in place, ... and the question is why didn't we go ahead and have VITA do it."

Unfortunately, the problem almost certainly wasn't an issue of firewalls or similar security measures - it's much more subtle than that, probably an application security flaw.

I served with Del May on a state commission on electronic voting issues some years ago, and learned that he's got a great understanding of the big picture, but doesn't understand the details. As an example, he insisted that it was impossible for someone to break into a voting machine because there's no source code that's publicly available. I'm sure that will come as a great surprise to the black hats who routinely reverse engineer products to find vulnerabilities and develop attacks, to the white hats at companies like Symantec and McAfee who reverse engineer the attacks to come up with protections, and the hundreds of millions of users who have to install patches to protect against the vulnerabilities that, in Del May's mind, cannot exist.

It's great that the legislature has technical members - this is very much in keeping with Thomas Jefferson's view of a citizen legislature. However, those members need to be aware enough of their breadth of knowledge to understand when it's time to call an expert. You don't ask an oncologist for an expert opinion on brain surgery, or vice versa. Del. May and the legislature need to ask for help when they need it.

Ironically, the article concludes "Paquette [the state technology director] said DHP had one of the most secure systems in state government, and that firewall systems and backups were operational at the time of the attack". If this is one of the "most secure" systems, I'd hate to see the others....

Too much information (for too little value)

2009-05-14T15:39:00.002-04:00

I rarely go to the movies - I usually just wait until whatever I want to see comes out on DVD. But recently I wanted to see the This American Life live simulcast. When I bought my tickets, I was disappointed that I had to register in order to make the purchase - and very surprised that a required field in the registration is a birthdate.

I can see where if I were under 18 they might want a birthdate to verify what types of movies I'm allowed to see (although it should really control admission, not ticket purchase). But for those of us over 18, it's only useful for marketing purposes - and it's an unnecessary piece of personal information for them to have. Just another bit of data to put identities at risk...

The privacy policy says "Through customer surveys, subscriptions, and newsletter registration, our site may request users to give us contact, demographic and/or financial information (such as
their name, locale, gender, age, income level and email address). The demographic information is used, among other things, to enhance user experience so we can be more content specific." I guess they consider the birthdate to be demographic, although IMHO if that were the case they could do just fine with the year alone.

I've filed a complaint with their customer service department. Not surprisingly, I haven't heard back. I may file a complaint with their privacy person next.

How to guarantee bad passwords (part 2)

2009-05-07T13:45:00.002-04:00

As I described in a recent post, overly complex password rules lead to hard-to-remember passwords that get written down. Well, I tried not to write it down, and promptly forgot it. So I called the helpful help desk person, who reset it for me to a random value, and had me reset the password. Other than the cost to the organization of having to have a person involved in password resets, so far so good.

But then the kicker: your new password can't have any two character sequence the same as any of your previous 9 passwords. Makes sense to some extent - you shouldn't be able to switch from "myDOGspot!!" to "myDOGspot??". However, it means that in order to do this check, they're almost certainly not storing one-way hashes of the passwords (as good security engineers do), but rather the original passwords. The help desk person assured me that the passwords are encrypted, so there's nothing to worry about. So even if someone breaks into their site, all they'd get is the encrypted passwords.... Of course, if someone figures out how to get in below the level of encryption, then game over.

Moral of the story: "improving" security by strong passwords can backfire in many ways, by causing users to write them down, having servers that store the original passwords, etc.

Disaster recovery

2009-05-01T11:20:00.002-04:00

Bruce Perens has an excellent analysis of the recent California bay area telecom outage, which showed the level of interdependency among systems. Anyone who thinks cloud computing is a panacea, especially for government services (some of which are needed in emergencies) needs to understand the implications of this outage, and what attackers may have learned from it.

Well worth reading.

How to guarantee bad passwords

2009-04-30T14:11:00.003-04:00

Getting users to choose good passwords and not write them down is always a challenge. It's a tradeoff - if you make the requirements too loose, then an attacker can guess the password. Make it too complex, and users have to write them down. The rules should be proportional to the sensitivity of the data that's accessible - read-only access to a newspaper shouldn't require as strong a password as financial or health information.

In the "too loose" category, the extreme case I've run into was a web site used for storing personnel information - which should have had relatively strong requirements - that required a two character password. No quality restrictions, no frequency of changes, nothing. Bad choice.

Today, I ran into the other end of the spectrum. A site that requires passwords that:
* have a minimum length of 9 characters
* must contain two upper and two lower case characters
* must contain two digits and two special characters
* must be different from the last 9 passwords you've used
* must not contain a single quote

But the kicker: passwords may not contain any word of two letters or more. That's apparently determined (as best as I can tell through trial and error) by comparing every substring to a dictionary. So a password like 97to$%ABC isn't acceptable, because "to" is a word. And 3-5zq?jbeLN isn't valid either, because "be" is a word. Presumably a1b2c3d4e5** would be a valid password, though. (I didn't try that one.)

Oh, and the password expires every 60 days, so just about when you've come up with something that matches their criteria, it's time to change again.

Now granted this site has some sensitive information, but wouldn't it make more sense to use certificate-based authentication, which is far harder to attack in a brute force manner than passwords? (Assuming, that is, that you're not using certificates with MD5 signatures.)

I'd bet that 90% of their users have the passwords written down.

Social Security card requirements

2009-04-30T12:07:00.001-04:00

To get paid by an employer in the US, the employee and employer are required to fill out an I-9, which requires that the employee provide various forms of ID. In addition, employers are generally required to use the eVerify system to do an online employee check – that the Social Security Number provided actually belongs to the employee.

This is about an employer who decided to go beyond the law, and is not only violating the law but also causing themselves extra work.

I work roughly one day a year for Fairfax County (Virginia) as a pollworker, for which I’m paid $100. I obviously don’t do it for the money. Even though I presented a passport as proof of citizenship (a requirement for being a pollworker, and legally adequate for the I-9), this year they decided to demand that pollworkers also provide a copy of Social Security Cards – even though for many of us, they’re clearly labeled “not valid for identification”. I refused to provide mine – it’s not a legal requirement, but rather their policy. And I said if they didn’t want to pay me, they don’t have to. [Incidentally, no employer has ever asked me to provide a Social Security card – of course I have to provide the SSN, but that’s a different requirement.]

Last week, I got a call from the county’s payroll department. It seems that eVerify kicked me out as a mismatch – my Social Security record includes my middle name, and I used my middle initial on the pollworker form, or vice versa. So they’re spending an hour of someone’s time (not to mention annoying me) to validate my SSN, so they can determine whether I have a legal right to work – even though they’ve already determined that, by virtue of my passport.

I suggested that if the verification doesn’t match, they don’t have to pay me. But Virginia law requires them to pay pollworkers. Further, the law gives only a few reasons for refusing to allow someone to be a pollworker, and refusal to provide a Social Security card isn’t one of them (about the only reasons for refusing someone are if they’re not a citizen of the US, not a resident of Virginia, or a convicted felon).

The county employee also said that “only” ½ of 1% of people failed e-Verify. Given that being a pollworker is a job that (almost?) no one does for the money, one would expect that every single verification failure is an error – unlike in other jobs where there’s a certain fraction of illegal workers. So in a “real world” environment – say a grocery store, where the motivation for fake credentials is much higher – the rate of mismatches is probably ten times higher.

My conclusion: eVerify is a huge waste of money and will have a negative impact in the long run, because the ratio of false positives (people who are incorrectly tagged as being unauthorized to work) is so high it will cause organizations to become complacent and ignore the TRUE positives.
Postscript: After writing this blog entry but before posting it, I met some people from the Social Security Administration who confirmed my understanding that there’s no legal requirement for presenting a Social Security card as a condition to work.

Election corruption in Kentucky

2009-03-23T09:48:00.002-04:00

There's been a number of reports of election corruption in Kentucky. The indictment is long, but it describes how local officials in Clay County Kentucky used a number of schemes, including paying voters for their votes and tricking voters into walking away from electronic voting machines (DREs) before their vote had been cast. Matt Blaze has a very nice writeup on what the indictment really means.

The critical things that have been missed by some of the hysterical discussions (e.g., Brad Friedman) are that:

Much of the corruption could have happened regardless of the technology in use. Vote buying far predates DREs.
Auditing wouldn't really help - there were no software attacks, and about the only thing that could have helped is if a pattern were noticed in the audit logs (i.e., perhaps a higher-than-expected percentage of voters appeared to go back from the summary screen and change their votes, in the case where the election officials were telling voters to walk away too soon).
Paper ballots wouldn't help - the same types of vote buying and stealing can happen with paper ballots. When I was a pollworker in November 2008, many voters handed me their optical scan ballots and walked away (I stopped them) instead of verifying that their ballot was read into the scanner. If I wanted, I could have replaced their ballots with ballots I marked, in just the same way as the Kentucky officials changed voters votes.

The real message to be reinforced from this indictment is that election officials, like any other community, has some bad actors. Honest elections require an element of trust in the voting officials; this case proves that the trust isn't always deserved. This shouldn't be surprising, as every organization, including places like the CIA and FBI, have had their share of corrupt insiders.

Fairfax County elections in the news again

2009-03-11T22:02:00.002-04:00

While the rest of the country (except Minnesota) is taking a break from elections, it's still election time here in Virginia. Tuesday was a special election to fill a vacancy in the Fairfax County Board of Supervisors (roughly the equivalent of a city council). The vacancy was caused when the former member was elected chair of the Board of Supervisors (roughly the mayor) in a special election in February. That vacancy was caused when the former chair was elected to Congress in November. A domino election, one might say.

But even simple elections aren't simple. Last night, things were unclear, as reported in The Washington Post. Today, I spent the day in the canvass, and things became a lot clearer.

In this election, there were 25 precincts, and 2 voting machines per precinct. All machines in question were made by Advanced Voting Solution (AVS), and are Windows-based touchscreens called WinVote. (AVS is out of business, as I've noted here before, and although another company is supposedly maintaining the machines, there's not much recourse for failure.) Unlike some other recent Fairfax County elections, there were no optical scans, except for absentee ballots.

In one of the precincts, there were two anomalous results:

First, on one of the two machines in this particular precinct, the zero tape showed the "public counter" having zero votes (which is as it should be), and then showed three votes for Mr. Cook, two for Mr. Moon, one for Mr. Campbell, and one write-in. That's the pattern Fairfax County uses for L&A testing. But how was it possible to reset the public counter after L&A testing without also resetting the vote totals?

Second, at the end of the day, the two machines synchronize via Wi-Fi (the same technology we use at home and in hotels), and then the master machine prints its own vote totals and the
combined vote totals. It showed a total of 359 votes cast (which would be about right for one machine in this low turnout election), of which 377 were for Mr. Cook, 328 for Mr. Moon, 15 for Mr. Campbell, and 3 write-ins, for a total of 723 votes. Yes, you read that right - 359 votes, but 723 recorded. And there were only 707 voters in the precinct, so it's not like it did the totals for the races but not the overall total. So clearly the per-candidate totals are wrong, and they don't add up to the total number of votes.

The "solution" was to bring up both machines in the precinct (one at a time), have them print their totals, then have them print the "ballot images" (which I put in quotes because they're the software representation of the ballot images), and add those up by hand. When they did that, the number of votes on the two machines combined equaled the number of voters who checked in at the polls, and for each machine the number of voters equaled the sum of the number of votes for the candidates. All of which makes perfect sense... except that it doesn't explain in any way the discrepancies.

Finally, one other piece of data: Virginia law says that in a case of machine malfunction, the board of elections is required to follow the instructions in the manual provided by the vendor. I got a chance to see the manual - it's totally silent on what to do. This had the Dem lawyer quite unhappy, since it meant that they're ignoring the law.

Shortly after the canvass completed, the Democrat conceded. He was 90 votes behind out of about 12,000 cast. Given Virginia's extremely restrictive recount law, I think that was the right decision - but it leaves unresolved what went wrong with the voting machines.

My one hope is that once again both parties will see the dangers of DREs - it was really a coin toss which side would win in such a close race without anything meaningful to look at.

Micro-economics - is the economy really that bad?

2009-03-08T20:36:00.002-04:00

I read the newspapers like everyone else, but here's a micro-indicator I just received: "The cookie depots are facing unprecedented demand. Depot transactions are up 27% and the size of each transaction is much larger than last year. We have increased our deliveries to depots this year by 104% yet still stock levels are extremely low in all depots. Cookies are being rushed to us from the bakery as we speak since we have cleaned out, once again, the local supply."

Or in non-Girl Scout speak: cookie sales in the Washington DC area are up sharply. Is that because people are giving up luxuries and buying cookies? Is the DC area relatively unscathed? Or is the economy just not as bad as the media is reporting?

Hiding from Google

2009-02-19T11:52:00.002-05:00

I recently started working on a project that has a * in the middle of its name - think of GM's On*Star as an example. Google (and other search engines I tried, including Microsoft Live, Yahoo!, and Lycos) all treat the * as a wildcard, and don't allow wildcard escaping.

Now On*Star isn't hard to find with Google, because the words "on" and "star" rarely appear together except in this context. But if you take two other words that frequently occur together, put a * between them, and then try to find references to that unique term, you won't get very far. For example, stimulus*package would not be a good name, nor would high*tech.

It's not clear to me whether the people who started this project knew that their project name would make it effectively impossible to find the project and either did that intentionally or didn't care, or whether it's a happenstance that is now a problem. But in any case, it's a way to hide in plain sight - any websites they have can be indexed by robots, but won't be found by searchers.

When is a safety deposit box not a safety deposit box?

2009-01-25T20:01:00.002-05:00

For 25 years or so I've had a safety deposit box (SDB), where I keep valuables like birth certificates, savings bonds, passports, stock certificates, etc. It's in a bank about 5 miles from where I live, and I'd like it to be at a more convenient location. It's also at a bank where I no longer have any other business, and I think one of these days they may decide they don't want my safety deposit box business, since they have a limited number of boxes and would like to offer them to other customers.

So my current bank (PNC) just opened a branch that's reasonably convenient, and has "Express Storage Boxes" (XSB), which are similar to but not the same as a safety deposit box:

XSBs are inside the bank, but not in a vault with a big door & lock (which is also presumably fire proof).
XSBs can be accessed without talking to a bank staffer any time the bank is open.
XSBs don't require a signature card to access.
The customer has both keys to the XSB, and there's no "bank key" required for access.

So an XSB seems like a fairly poor cousin to a safety box. But as a security specialist, I think about risk management.

What are the threats that a safety deposit box is supposed to protect against, and how well does it actually protect against them?

Fire - an XSB is protected by the standard fire protection system in the bank, while a SDB is inside a (somewhat) more fireproof vault. Or at least I assume the vault is more fireproof - it's hard to tell by simply walking in, and asking too many questions might not be a good thing. Banks don't believe in security by openness!
Flood - probably no difference here.
Theft - divide this into "bank hours" and "after hours". During bank hours, the requirement for matching signatures provides some (minimal) measure of protection for a SDB, as does the requirement for a bank key. However, the bank key is frequently just kept in an unlocked desk drawer right outside the safe, so it's probably not providing much protection. After hours, the vault (presumably) provides some extra measure of protection for the SDB, although the bank itself presumably has cameras, alarms, etc. which would protect the XSB. Both have the same level of protection against insider (bank employee) theft, since they both require the customer's key to open the box, unless the lock is drilled out which would be pretty obvious.

It isn't obvious to me whether a real safety deposit box is worth the additional aggravation, but it just seems wrong to put my stuff in a box in the bank that anyone could walk over and touch. Is the big vault door just feel-good security, or is it truly offering an extra measure of security, given the cameras and sensors that protect the whole of the bank?

Of course there's the issue for both XSB and SDB if the lock gets drilled out, but I'll put that risk aside for another day...

2004 & 2008 - Four Years and A Million Miles

2009-01-22T09:09:00.002-05:00

Tuesday I joined 1.8 million of my closest friends for the celebration of President Obama's inauguration. (As Rachel Maddow says, it just feels good to say it.) It was the nation's biggest party - 50% larger than the previous record, Lyndon Johnson's 1965 inauguration, according to the Washington Post.

But more than the number of people is the feeling. In 2004, I went to the inauguration war with my (then) 18 year old daughter to protest against the war in Iraq. With heavily armed police and military on every corner, it felt like we an occupied country under an oppressors thumb. (Some might argue that in fact we were.) The police and military were tense and it showed.

By contrast, this week's inauguration was a love-in - a very cold one, but an amazing feeling of optimism for the future. There were far more police and military than there had been four years ago, but we all felt that they were there to protect us - and they seemed relaxed and happy to see the crowds. Yes, it was cold and noisy and very very very crowded -but there's no way to avoid the infectious feel of celebration.

My daughter, now 22, her partner, and I arrived just before noon, so we were a mile from the Capitol, almost at the Lincoln Memorial. Anyone who watched the inauguration on TV had a better view than we did - we watched on the Jumbotrons set up along the National Mall. Was it worth going? Absolutely! Feeling the excitement, and knowing that 50 years from now we'll look back and know that we were there when America turned the corner - priceless!

(My son and his friends, by contrast, arrived at the Mall at 4am - something they would never do for a class! - and were as close to the front as people without tickets could get. They could see the stage, but not the individual people.)

And now the work begins. We'll all find things that we disagree with President Obama as he pushes through his agenda. But a new day has started, and I feel more optimistic than I have in a long time.

A good idea, badly done

2009-01-10T15:33:00.002-05:00

According to a Computerworld article, "Starting Jan. 1, Visa Inc. is requiring all new fuel-dispensing machines being installed at gas stations around the U.S. to support the Triple Data Encryption Standard, a mandate that is designed to make it harder for identity thieves to steal debit card data from gas pumps by shielding the personal identification numbers (PIN) of customers."

While using strong encryption (such as 3DES) is a good idea, it's too bad that's the focus - breaking the encryption is not a very effective way to steal credit card numbers. Far easier is one of a hundred other methods - breaking into the server where the credit card numbers are stored, installing a "skimmer" to read the credit card at the gas pump, hacking the software, etc.

Seems to me that Visa needs a better risk assessment methodology...

Getting a proper recount in Virginia's 5th CD

2008-12-02T07:14:00.002-05:00

As I wrote almost a month ago, Virginia's 5th Congressional District is still up in the air. The official results show incumbent Virgil Goode behind challenger Tom Periollo by about 800 votes out of about 300,000 cast.

But as I noted in that earlier posting, Virginia recount laws are very restrictive. Let's be precise:

If you've got a DRE, you look at the total tapes printed on election day. If they're illegible, you reprint them.
If you've got optical scan, you reprogram and retest the scanner to only count the one race in question, and rerun the ballots. If the scanner kicks out a ballot, you can examine it by hand.
If you've got traditional hand-counted paper ballots (not optical scan), you recount those.

Note that optical scan ballots aren't examined by hand, unlike in other places. The good news is that you don't have the mess currently going on in Minnesota trying to figure out what the voter was trying to do with some strange markings. The bad news is that if the machine isn't interpreting the voter's markings correctly, it's illegal to actually look at the ballot.

The good news is that this problem, which has been of great concern to those of us in the verifiable voting community for years, is now getting some press attention. The WashPost ran a story mentioning the recount, and published a letter to the editor (from me) on the topic. Today, the Roanoke Times published an editorial calling for a reform of Virginia's archaic recount laws.

So maybe there's hope to get some progress on fixing the recount problems this year.

In Virginia, the issues of election integrity have been truly bipartisan, because both sides have seen what happens when you can't do a recount: the 2005 Attorney General race (Republican candidate won by <0.02%), 2006 Senate race (Democratic candidate won by <0.4%), and now this race.

Old and new in central Ohio

2008-11-10T11:20:00.003-05:00

I spent most of this weekend in central Ohio, visiting my daughter. We spent Saturday roaming the roads of Amish country, a bit northeast of Columbus and southwest of Cleveland. Two items struck my fancy.

In Wooster, home of the College of Wooster, we had a nice breakfast and visited Freedlander's Department Store, which is going out of business. Freedlander's is the story of the growth of America's heartland. The store, which until now is the largest independently owned downtown department store in America, was opened in 1884 by a Polish Jewish immigrant who got his start peddling goods from farm to farm before opening his store in the thriving town of Wooster. The store grew over the next 75 years and generations of the founding family, slowly taking over neighboring buildings until it covered most of a downtown block, four stories high. In the 1970s things started declining, and today all that's left is a small fraction of what was there a few decades ago - probably largely done in by suburban stores like WalMart and cars which made it easier to travel to bigger cities & stores. A nice history of the store can be found here.

The lesson is that we should never assume things will be the same 20 years from now as they are today. The technology industry survives because it constantly reinvents itself, although some companies who have thrived have lost sight of the continuing changes. Wang Labs comes to mind - when I graduated from college in 1980 they were one of the highest of the high fliers, and were in the process of building a huge new campus. Now, almost no one has even heard of them.

The second item was also something of a recognition of continuing change, and how people learn to adapt. As is well known, Amish people eschew use of electricity and other modern conveniences. However, after teenagers finish 8th grade (the end of their formal education), both boys and girls are permitted to work in the "English" (secular) world. So I was amused when visiting a cheese store to see the girls, dressed in their traditional Amish clothing, chatting on the phone with their friends, and expertly running cash registers. The cashier I spoke to said she didn't get tired of cheese (which was rather overwhelming in the store), but rather the sheer number of people she had to deal with every day - quite a contrast to her serene farm life. The most amusing example I saw of this old-new contrast was at a flea market, where a young woman (again wearing traditional clothing) was intently staring at a computer screen used to set up a laser engraving machine!

I wonder how they feel about the contrast between old and new?

Verifiable Voting legislative priorities for 2009

2008-11-09T16:16:00.004-05:00

Now that the election is over, it's time for the Verifiable Voting Coalition of Virginia (VVCVa) to set our legislative options for 2009. Please post your thoughts as responses to this blog posting!

Below is a preliminary list of items that may be on the agenda:

Non-partisan redistricting (guaranteed to be a good fight again this year)
Explicitly permit independents to be poll workers
No-excuse in person absentee voting (we keep trying) - maybe we should point out how many people voted absentee and how it contributed to a generally smooth election day
Explicit instructions on breakdowns - when emergency paper ballots are required
SBE authority to tell jurisdictions the minimum number of ballots they are required to have on hand.
SBE to gain authority to tell jurisdictions the minimum number of poll workers they need - but that is both a funding and an ability to find workers issue, so much harder to make a rule.
Improve the machine to voter ratio.

We're also hopeful that given the very close race in the Virginia 5th Congressional District (undecided at this writing), we'll see interest in fixing Virginia's audit and recount laws, which are among the most restrictive in the nation.

If there are specific issues that you would like to work on, also please let us know that. We always welcome help as we develop legislation and lobby legislators. We request your feedback before Friday Nov. 14 to be added in time to our coalition' discussion.

Thanks for all your work this year to write your legislators about your concerns.

An interesting undecided race - Virginia's 5th Congressional

2008-11-06T20:17:00.002-05:00

No, there's no massive undervotes or hanging chads or anything like that, but Virginia's 5th Congressional District, home to Charlottesville and the University of Virginia, is a cliffhanger: the Democratic challenger was ahead this morning by 31 votes out of 300,000 over the Republican incumbent - as of this writing the margin is about 600 votes. (Most recent info here .)

There's a couple of interesting things here:

(1) Problems with vote total uploads. The coverage (see below) indicates that there were problems uploading the unofficial results into VERIS, Virginia's statewide system for voter registration and election results. (This is the same system that appears to have been the cause of the long lines in Chesapeake.) The coverage indicates that right around midnight there was some sort of glitch and vote totals were scrambled and/or lost. As the reports are short on technical details, I'm not sure what really happened.

(2) The race is close enough that there's a good chance one of the candidates will ask for a recount (recounts aren't automatic in Virginia, but allowed when the margin is less than 0.5%). But Virginia law, as readers of this blog may remember, is extremely restrictive. For DREs, you look at the totals from the machines and re-add those. If the tape is illegible, you print a new one. For optical scan, you test the machine (the tests being undefined - it was the best I could do when we were amending the law) and then run the ballots through again and use the results from the total tape. Only with a judge's order can you manually inspect the ballots - but judges have refused since the law doesn't tell them when to allow inspection.

Not clear at this point what's going to happen next - will the purported loser challenge things?

Local coverage:

http://www.thenewsrecord.com/2008webfiles/20081106election.htm
http://www.wdbj7.com/Global/story.asp?S=9297265&nav=menu368_11_10_22
http://www.inrich.com/cva/ric/news.apx.-content-articles-RTD-2008-11-05-0282.html
http://www.wset.com/news/stories/1108/567630.html
http://www.roanoke.com/politics/wb/183217
http://www.wset.com/news/stories/1108/567480.html

My first day as a pollworker

2008-11-05T20:15:00.003-05:00

Like many Americans, I had a long day yesterday - I'm a pollworker in Fairfax County Virginia. I started my day at 415am (haven't gotten up that early in a while!) so I could be at my polling place by 500am to start setting up. (I'm jealous of Avi Rubin whose polling place didn't open until 700am, so he got to sleep later!) By the time I arrived, there were already 10 people in line - even though polls didn't open until 600am.

Virginia is a hodge-podge when it comes to voting equipment. Each city or county (they're different in Virginia) can choose their equipment from a list approved by the state - and they make many different choices. Fairfax County uses a hybrid system: Diebold optical scanners and AVS WinVote touchscreen DREs. The WinVote machines have been used for the past few years and voters are familiar with them; the optical scan is new this year thanks to a bill I helped write and pass a couple years ago.

Once we got the machines set up, the doors opened right on time. I heard (but didn't see) that by the time polls opened, the line went out the door of the school where our polling place was held, and down the street a couple hundred feet. What I know is that the line was non-stop from 600am until about 830am - after which we never had more than a handful of people in line for the rest of the day.

When voters came in, they went to one of two desks (A-L and M-Z) by last name (yes, some voters asked if it was by first or last name). This turned out to be our bottleneck - thanks to the optical scan machine and the privacy booths described below, we could have completely eliminated lines if we had been able to divide our pollbook into three or four groups, but Virginia law doesn't allow us to do that. Given what I've read in other places, I think I'm happy we didn't have electronic pollbooks.

In our training, the county election officials had told us we were to give voters the optical scan ballot in a folder with instructions on how to fill it out. If the voter explicitly asked for a DRE, we were to allow them to choose that, but we were not to offer that choice. Some of the pollworkers in my precinct, including the chief, seemed to disagree with that guidance and either suggested the DRE, or asked voters their preference. (Later on in the day the deputy chief noticed this aberration from the policy, and instructed everyone what to do. I heard from friends working in other polling places that they similarly had problems with giving instructions.)

Most voters were fine with the optical scan, and a few expressed a strong preference for it. Some expressed a strong preference for the DREs - mostly older voters, to my surprise. Why is that? Is it familiarity from the past few elections?

One of the frustrating parts about this "choice" was that we weren't allowed to tell voters why they should choose one or the other - we couldn't say "the DREs are inaccurate and unauditable" or "it saves money" anything like that. (In fact, during the training, the instructors didn't even know why the change was being made, other than the law told them to.) One of the great things about optical scan is that when the line gets long, you get more pens - unlike DREs, where when the line gets long, you're out of luck. But I couldn't say that either.

Back to the story, we had seven "privacy booths" (basically stand-up cardboard boxes where you can mark your ballot) and three "privacy desktops" (cardboard boxes that sit on a table) for use by voters while coloring their optical scan ovals. During the morning rush, and several other times during the day, we had all 10 of them in use, and sometimes the three DREs were in use also. To do that with all DREs would have taken at least a dozen, at a cost of $3000 each (vs. $5000 for a single optical scanner). So I figure we saved the taxpayers at least $30,000 in my precinct alone (that's before counting the cost of the optical scan ballots, but those are relatively cheap).

Virginia law says you can have no more than 750 registered voters per DRE (if you're using DREs). My precinct, which has just under 2000 registered voters, could therefore have had as few as three DREs, if we weren't using optical scan. If we had three DREs, instead of 10 cardboard boxes plus three DREs, the lines would have been hours long, and might well have lasted all day - the line which started at 600am might well have had voters waiting six hours or more.

By about 1100am, over 50% of registered voters had cast their ballots (including absentees). That meant the remaining 8 hours were slow - there just weren't that many voters left. There was no last minute rush with people running in to cast their ballot just before the doors closed at 700pm - in fact, our last voter came in about 5 minutes before closing. When we closed the polls, just over 80% of registered voters had cast ballots - consistent with the rest of the county.

Then came the long process of closing out the machines, packing everything up, accounting for every piece of paper, reconciling totals, etc. (There was one mistake which initially caused us to think we had one more votes than voters - until we discovered by careful review that in the pollbooks, someone had marked two different people as the 59th voter of the day. Mystery solved.) We didn’t finish until 930pm. Then I went home and watched election results.

For working from 500am to 930pm, I earned $100. (Plus I had to take training, which is unpaid.) Definitely not a way to get rich.

Some lessons learned and other notes:

When I went to pollworker training, I had to present an ID. But when I showed up to work as a pollworker, no one asked to see my ID. This is similar to the TSA "identity triangle" problem - the TSA matches your ID against your boarding pass, and the airline makes sure you have a valid boarding pass, but no one checks that the two are the same, which allows for subverting the system. If someone knew that I was a pollworker in my precinct, they could show up at 500am and claim to be me - and get access to things like the key that authorizes casting multiple votes on a machine. Of course, if the real person showed up, that would make things sticky - but in the meantime, it highlights a low-risk vulnerability in the system.

The most novel way to cast a ballot incorrectly was a voter who after marking his ballot, slipped it in between the base and side of the cardboard privacy booth (so it fell to the floor underneath the box). Luckily, I realized this as he started to walk out the door without scanning his ballot (I was standing at the scanner at that point helping voters), so I retrieved his ballot and got it scanned in.

At the close of the night, I noticed that the presidential breakdown was roughly 55%/45% for Obama on the optical scan machine vs. 50%/50% on the DRE. Friends in other precincts noticed similar discrepancies. Why is that? Are people who like DREs more likely to vote Republican? I don't think it's just coincidence, given the wide difference and the consistency across precincts.

Localities in Virginia that use DREs only learned the hard way that the lines just get too long, since you can't just go out and buy more when lots of voters show up. Perhaps instead of arguing against DREs on the basis of security or reliability, we should argue on the basis of line length - that's something everyone can understand!

And finally: several voters came up to me and other pollworkers during the day and thanked us for being there. While it didn't make me any less tired, it sure was nice to feel appreciated!

Push or pull for prescription security?

2008-11-03T06:56:00.001-05:00

I recently had a reason to fill two prescriptions on the same day, one at a local pharmacy and the other through a mail-order pharmacy. In both cases, the same doctor was writing the prescriptions.

First, I tried calling the doctor to get copies of the prescriptions to bring to the store and mail off. No luck - he doesn't do that any more. (Maybe if I had an office visit he would, I don't know.) Instead, it's all done electronically - but the two were handled differently by the pharmacies.

For the mail-order pharmacy, I had to call them, give them the name and phone number of my doctor (which they looked up in some sort of registry), the names of the prescriptions, and my insurance and credit card number to pay. They then called the doctor, who approved the prescriptions by phone. For the local prescription, I called the doctor's office, gave them the phone number of the pharmacy which they called and ordered the prescription, which I then picked up and paid for.

So I wondered, is one of these more secure and/or private? I don't think there's a privacy difference - in both cases, my doctor (obviously) knows what prescriptions I'm taking, and so does the pharmacy. In the mail order case, presuming that they really checked the doctor's information I gave them against some sort of authorized prescribers list, then a patient can't get prescriptions without approval (unless I subvert the doctor's telephone system and redirect the approval calls). And in the local pharmacy case, while I could cause the doctor's office to call a fake pharmacy (since I provide them with the phone number), that would have no real value to me.

The most likely problem is if I could convince the mail order pharmacy that the doctor's phone number had changed, and their records were out of date, then I might be able to get prescriptions that aren't authorized. Presumably they have processes in place to prevent those types of attacks - and those processes are hopefully stronger for controlled drugs (e.g., narcotics) than for ordinary medications (e.g., antibiotics).

As a security engineer, I can't help but think about the security aspects of almost anything I see...

A real-life Zelig

2008-10-29T10:12:00.002-04:00

Zelig is a Woody Allen film about Leonard Zelig, a "human chameleon" who shows up (thanks to very clever editing) in all sorts of historical places. There are echoes of the idea in Forrest Gump (better known for the line "life is a box of chocolates").

Robert Furman, age 93, died last week. He was a real-life Zelig - as a young man, he supervised building the Pentagon, helped bring scientists to Los Alamos, tracked German scientists like Werner Heisenberg across Europe during and after World War II, and worked with baseball player turned spy Moe Berg. When the war was over, he didn't speak of his involvement but instead returned to a quiet life, eventually becoming a builder of shopping malls.

An obituary well worth reading. And a man I wish I had known.

[For a fascinating biography of Moe Berg, read "The Catcher Was a Spy: The Mysterious Life of Moe Berg." It mentions many of the same incidents listed in the obituary, with more details, although it disputes the claim in the obit that Berg spoke seven languages.]

Proud papa

2008-10-10T09:07:00.002-04:00

I usually write about technology topics. But today, I have to shep naches: my son Daniel spent the summer on a research program at the Weizmann Institute in Rehovot Israel, and yesterday an article about his summer experience appeared in the local newspaper. Makes a father proud!

Official pollworker training

2008-10-10T07:34:00.002-04:00

Like many technical professionals involved in the voting world, I've decided to become a pollworker. I almost wrote "volunteer", but it is paid in Virginia - $100 for a 16 hour day (and no pay for training)! I live in Fairfax County, which is the most populous in Virginia, and so probably a "best case" in terms of organization and technology.

Last night I went to pollworker training. There are four "levels" of pollworkers in Virginia - the pages, the ordinary grunts, the assistant chief, and the chief. The pages are high school students who get credit for helping (all schools in Fairfax County on election day); they can do limited tasks. The ordinary grunts, like me, can do most of the jobs that don’t require exception processing (such as dealing with machine failures, or provisional ballots). The assistant chief and chief seem to be generally interchangeable, and have the responsibility for oversight of the whole thing (setup, opening, voting, and closing), and handling all of the exceptions that occur. [Assistant chiefs are paid $150 and chiefs are paid $200/day - showing that these are very dedicated individuals.]

I was quite impressed by several things at training:

The folks doing the training are well organized. Last night was their 25th training session this year; they're planning on about 60 in all.
All pollworkers are required to go through training this year, even if they've worked before, due to the change in equipment (described more below). Having said that, about half the people in the room last night were first-time workers like me.
The average age of the pollworkers was well below the widely-reported national median of 74. In fact, I'd guess it was two decades younger than that. There were a few people in their 30s; most looked to be in their 40s or 50s. That seems to be a good sign.
The county is providing 104% ballots - that is, 104% of the number of eligible voters. That should (hopefully!) ensure that we don't run out of ballots, even accounting for spoiled ballots.
If a voter spoils more than about 3 ballots, they are encouraged to switch to the DRE. That makes sense, as they're having trouble following the instructions.

Presidential elections in Virginia tend to have short ballots, since we elect state and local officials in odd-numbered years. So the ballot in Fairfax will have only four items: president/VP, US Senate, US House, and one bond issue. That's good, as the expectation is for very heavy turnout.

For the past 5 years, Fairfax has been a DRE-only county, except for absentee voters. This year, we're going to a hybrid voting system this year - Premier AccuVote-OS optical scan and AVS WinVote DREs. Voters are being encouraged to use the optical scan (we're to offer an optical scan ballot, and a voter has to explicitly request to use the DREs). Precincts in Fairfax vary greatly in size from about 500 voters to over 5000. Depending on the number of voters, there will be 1-3 AccuVote readers and 3-7 DREs, plus 3-15 "privacy booths" (cardboard box dividers) for use in marking the optical scan ballots, and 10 plain old clipboards for people who don't want to wait for a booth.

The training mentioned several times that turnout is expected to be very heavy all day long, and pollworkers should vote early at one of the central locations in the county (the polls are already open) or by absentee. I hope they're right - I get very frustrated by low turnouts, especially at important elections like this one.

There are only three critiques I have of the way the election is being run in Fairfax County.

The AccuVote readers are being set up to reject overvotes (selecting more candidates for a race than are allowed), although the voter can, with assistance from the chief, override that and cast a ballot anyway. However, they're not set up to even give a warning if someone undervotes - for example, forgetting to vote for Senate. Voters shouldn't have to vote for all races, but they should get a warning if the machine doesn't detect a vote. This isn't a fault of the machines; it's how they've been set up.
There's no minimum number of votes to be cast on DREs (the trainer thought I meant maximum and I had to explain why a minimum was also a concern). As I expect most people will select the optical scan, there's a risk that if there are only one or two votes cast per DRE, the end-of-day totals will reveal those voters choices. My preference would be to use the first DRE for the first five (or so) votes, then switch to the second, then to the third, etc., until all machines have at least five votes - and after that it doesn't matter which ones get used. [The pollworkers should have the discretion to note that there's almost no one voting on the DREs, and not to even use more than one or two if the load demands it.]
There was no training on inspecting or watching for physical security issues. Perhaps this is part of the chief/assistant chief training, but I expected to hear something about watching out for evidence of tampering with seals before, during, and after the election.

The county election officials seem to have come to the conclusion that at least one part of our arguments against DREs was right: they scale better. Even if they don't agree on the reliability & security issues, they now understand that more voters means more pencils, instead of more $5000 machines!

Virginia still has some serious election problems, including possibly the worst audit law in the country (it's generally speaking illegal to look at the paper ballots, except after all the election results have been certified, and then only if there's a margin of victory more than 10%), and a recount law that's almost as bad, but at least having the optical scan ballots is making it possible to do the audits and recounts if we can change the law in the future.

I'm looking forward to election day - sorry I won't be able to keep up on the minute-by-minute developments since I'll be working at the polls, but excited to be part of the process!

Watch for my post-election-day report on how things go...

DC Council releases their findings

2008-10-08T15:52:00.002-04:00

As I wrote about yesterday, the DC Council is looking into what went wrong in the primary election last month. Today, the results of their investigation were released; the report can be found here. If I worked for the vendor, Sequoia Voting Solutions, I'd be unhappy - the council accepted the recommendations of the experts (including me), and generally rejected Sequoia's excuses.

The report concludes with three main recommendations.

1. The District should set up an independent voting-technology experts to perform a forensic study of what went wrong.

2. The Board of Elections should improve its procedures to do a better job detecting problems like those in the preliminary results, and address them before releasing the results.

3. The Board of Elections should set up effective post-election audits. (Kudos to Larry Norden from NYU for his excellent information in this area).

4. The Board of Elections should provide better training to pollworkers. Pollworker training is critical everywhere, and its importance is usually underestimated.

5. The Board of Elections should set up procedures to ensure a rapid but accurate release of preliminary results.

6. The Board of Elections should have policies in place for public communication in case something goes wrong.

I'm pleased with the results of the DC Council investigation. Now comes the hard work - putting these recommendations into practice!

The DC voting mess continues

2008-10-07T11:39:00.004-04:00

Way back before the financial market collapsed (say, last month), the District of Columbia held a primary election. For reasons still unexplained, there were some very strange preliminary results - huge numbers of overvotes in one part of the city. The vendor, Sequoia Election Systems, has alternately blamed the problem on static electricity, errors by the Board of Elections, and reporting the results too quickly - but at all times have denied that it was due to a problem in their hardware or software. The DC Council established an ad hoc committee to examine what happened and try to get to the bottom of the issue.

There's been lots of coverage of the problem in The Washington Post: here (Sep 11), here (Sep 12), here (Sep 12 again), here (Sep 22), here (Sep 25), here (Sep 26), here (Sep 30), here (Oct 2 editorial), and here (Oct 4).

The last of the above articles is coverage of a public hearing held by the special committee, where they heard from interested citizens, the vendor, and several voting system experts. I was honored to be one of the experts invited to testify, and my testimony can be found about 54 minutes into the video.

I made four basic points:

1. We shouldn’t blindly take the vendor’s word for what happened, because the vendor's explanations don't make sense. Sequoia hasn't been able to reproduce the problems that correspond to any of their explanations, be they static electricity or mistakes by the election officials.

2. We shouldn’t blindly take the vendor’s word for what happened – the explanations may be wrong. We’ve seen at least one case where a vendor example where a vendor’s initial claims were proven wrong. After the spring 2008 primary in Ohio, the vendor, Premier Election Systems, blamed election officials for incorrect results, where one precinct’s votes were lost. Later, the vendor changed their explanation, and blamed the anti-virus vendor for the error. Eventually, the vendor admitted that it was a bug in their software. Right now Sequoia is saying it’s not a software error – but that might change as the DC Council and Sequoia learn more.

3. We shouldn’t blindly take the vendor’s word for what happened – prior studies have indicated that the problem seen in DC was a possible problem. In particular, the California Top To Bottom Review, sponsored by the California Secretary of State, noted that Sequoia software “seems not to check whether vote counts stored on Memory Packs received from the MPR are consistent with the number of voters, so an erroneous Memory Pack will corrupt the final tally instead of being detected”. The California report then goes on to note that the Sequoia software does not perform any sanity checks to ensure that each Memory Pack only contains data from a single precinct – so a corrupted Memory Pack that is somehow corrupted can not only affect that precinct, but can cause the erroneous results to propagate into other precincts.

4. We shouldn’t blindly take the vendor’s word for what happened – we’ve seen similar failures before with Sequoia voting systems. In Alameda County California, the February 2008 primary election had a very similar failure, where a corrupted memory card registered an absurd number of votes in one precinct, and reprocessing the memory card caused it to give correct results.

I then recommended that the Council obtain an independent expert forensic study to figure out what went wrong, along the lines of the investigations of the 2006 Florida CD-13 election or the 2008 New Jersey primary.

I don't know what's going to happen next, but I hope the Council moves forward quickly, so there can be some preliminary answers before the election next month!

No meaningful audits or recounts in Virginia this year

2008-09-21T19:39:00.003-04:00

Readers of this blog know that one of my pet peeves is that Virginia law prohibits meaningful audits or recounts after an election. To be precise, audits are allowed only after the election results have been finalized, and only if the margin of victory is greater than 10% (no, that's not a typo, I mean greater - i.e., when there's no chance that you'll find anything wrong). And recounts are generally restricted to just retallying the printouts from the voting machines (DREs or optical scanners). If a jurisdiction uses DREs, there's nothing else to count so it wouldn't make much difference, but where there are optical scan ballots you'd really want to at least rerun them through the scanner - but even that is prohibited without a judge's order. [I'm slightly simplifying things, but not in a meaningful way.]

Last Thursday WTVR-TV in Richmond (the state capital) ran a two-part series on the upcoming election. My comments were included in part 2 of the series, which can be found here. As someone who explains things frequently using analogies, I was pleased that they included my explanation for why Virginia's "retally the results" isn't a good way to do recounts.

My only disappointment about the series is that Secretary of the Board of Elections Nancy Rodrigues, for whom I have tremendous respect, made the comment that there's no way the machines could be hacked because they have strong chain of custody. She's right that a strong chain of custody is important, but it's not enough - in particular for the WinVote machines used widely in the state which have wireless networks. I wish the reporters had more technical background to challenge her on that point...

Me and my buddy Sarah

2008-09-19T11:11:00.002-04:00

As has been widely reported, Gov Sarah Palin's Yahoo! email accounts were "hacked", and some of her email has been published on the web. There's a number of interesting aspects to this:

1. Much of the coverage has focused on Yahoo! accounts as being "insecure", with the implication that the State of Alaska accounts are "secure". While there's possibly a difference in how the email is stored (i.e., on state computers - although with outsourcing that's not necessarily the case), I strongly suspect that Yahoo!'s systems are more secure - they have the staff and motivation to ensure that there are no security vulnerabilities in their system. While the State of Alaska might benefit from the obscurity of their mail servers, it's unlikely that they have the level of expertise to protect their systems as well as Yahoo!

2. There's the question of propriety of Gov Palin using a Yahoo! account for state business. Doesn't look appropriate to me, but that's just an opinion.

3. Is it legal for Gov Palin to use Yahoo! for official state business? I don't know Alaska law (and I'm not a lawyer anyway), but it's an interesting question - it's really the same issue as President Bush has faced with use by his staff of RNC accounts rather than official whitehouse.gov accounts, thus allowing potentially millions of emails to be lost (which were by law public records).

4. Finally, my sister points out that the method purportedly used by the "hackers" (and I put that in quotes because it doesn't feel like my definition of hacking) to get control of Gov Palin's account was to ask for a password reset, and then guess the answers using well-known information. As I noted in my previous posting on this blog, many of the so-called secret questions used for security purposes by financial institutions really aren't very secret - so Gov Palin may well have fallen victim to exactly the problem I wrote about! (As I wrote this it occurred to me that one of the questions I was asked for financial verification is who holds my mortgage - a fact which is a public record in most places.)

Lessons learned? If you're a prominent person, whether elected official or not, use your official work email for official communications. Whether it's convenient or not, the embaressment of getting caught on a non-official email address isn't worth it.

Credit bureaus, credit reports

2008-09-12T10:14:00.003-04:00

I recently had two occasions to do credit-related activities.

In the first, a company had a (fairly) legitimate reason to run a credit check. After collecting name, address, SSN, driver's license, etc., they ran a credit check, and then wanted to "verify" that I am who all those things belong to. A noble goal - but one done poorly. The "verification" (which must be in quotes, as you'll see) consisted of asking three questions:

(1) Which of the following companies holds your mortgage? The person then named four companies, three of which I had never heard of (and may not even exist), and the fourth is one of the larger mortgage companies. If I weren't me, I could have reasonably guessed the large one - it would probably be accurate for 99% of people.

(2) Which of the following companies holds your primary credit card? Again, four banks were named, three of which I had never heard of and probably don't exist, and the fourth is one of the largest issuers (think Amex, Chase, Citi, Capital One, etc - they issue so many more cards than everyone else that it's clearly a very likely choice). Again, someone who knew nothing about me could guess accurately with at least 99% probability.

(3) Your previous address was 123 Main St, in which city? This time four cities were named, one of which is a neighboring town to where I live now, and the other three I've not heard of. This one would be a bit harder to guess without some data, but anyone who has a copy of my credit report would know the answer.

So my conclusion is that, just like TSA and airport security, these new security "safeguards" are security theatre, and don't actually improve security at all.

The day after the above transaction, I got a letter from a bank I do business with saying that my personally identifiable information had been stolen, etc. - I've received quite a few of these before, as have most middle-class Americans. (One of the advantages, I suspect, of being poor is that you have less financial data and in fewer places, so you're less likely to have it stolen!) As is the norm, they offered me two years of free credit monitoring, which of course is just a Band-Aid.

So I accepted the credit service anyway, and ran a credit report on myself. It was moderately accurate (no accounts I didn't know about, which is good). But the amount of missing and inaccurate data is amazing - two of the three credit bureaus list my current employer as a company I left more than 15 years ago. So if one of those clever "validation" questions I discussed above had been to verify my current employer, I would have failed the test, since they had the wrong answer!

The good news from all this is that credit bureaus and the companies who use their data are starting to realize that using an SSN as both an identifer and an authenticator doesn't work, and they need to do more to verify identity. That bad news is that they totally misunderstand how to do it correctly, so they've just added an illusion of security which may have many false positives (i.e., indications of fraud that don't exist) due to the inaccuracy of their data.

And now for something completely different

2008-09-03T18:46:00.003-04:00

I usually write about security related topics, but not today! I had my 15 nanoseconds of fame on PBS's Nightly Business Report. My neighbor is a friend of one of their reporters, and when I mentioned the hassles I'm having with my home equity line of credit (HELOC), the reporter interviewed me and put the story on the air today.

There's nothing unique about my story, but it was still cool to be on PBS! It'll be interesting to see if Homecomings suddenly gets more interested in resolving my issue.

Cheat a cash register, cheat a voting machine?

2008-08-30T16:32:00.002-04:00

The New York Times reports on "zapper" technology which allows business owners to change the records in the cash register to reduce the taxes they owe. This is the modern equivalent of not closing the cash drawer between transactions, and then taking the cash out at the end of the day to cheat the tax man (woman?).

No great surprise there - when you make the incentive big enough, people will find a way to work around the system. And when it's really big, systems will be developed - as the article describes, businesses can buy the software, and don't have to do the dirty work themselves.

David Jefferson wrote in a private email (quoted with permission), if you read this article [and] substitute the word "DRE" for "cash register" and "votes" instead of "money"for what is stolen you will have nearly perfect explanation of the danger of malicious code injection in voting systems, complete with falsification of the audit trail to fool the auditors. If it can happen in cash registers, it can happen in DREs.

I believe there are certification requirements for cash registers, and I'd guess that they're stricter than those for voting machines. [I make that guess not because I think cash registers have strong certification, but because I know that voting system certifications are extremely weak.]

When I talk to elected office holders and election officials, they sometimes doubt the technical ability to modify the software to change votes - this is absolute non-theoretical proof that it can be done in an embedded system where tampering has a real-world impact.

Signed code isn't always enough

2008-08-22T15:05:00.003-04:00

Computer security specialists frequently point to digitally signing software as a way to prevent an attacker from replacing software with a malicious version. (Of course, the signatures themselves are of no value unless they're checked - with a chain of custody starting as far back as you can, which is what some of the Microsoft Trusted Computing stuff is about.) The lack of digital signatures on software in voting machines is frequently (and accurately) listed as one piece of evidence that the voting systems are insecure.

But more importantly, the signature is only of value if the bad guy can't create their own signature that looks valid. And it appears possible that something like that may have happened with Red Hat Fedora. Red Hat announced that "some Fedora servers were illegally accessed...
One of the compromised Fedora servers was a system used for signing Fedora packages. ... we have high confidence that the intruder was not able to capture the passphrase used to secure
the Fedora package signing key."

They then go on to note that they're replacing the signing key out of an abundance of caution, and everyone will have to update their systems to understand the new key. But it's very hard to know for sure whether the signing key was used during the compromise period - bad guys are very good at covering their tracks.

The bottom line is that code signing just shifts the weak spot for attackers - instead of just trying to change the code on the server before it gets downloaded, they focus on accessing the signing key. And the real safeguard isn't the length of the signing key (which is presumably long enough to prevent brute-force attacks), but rather the quality of the passphrase used to unlock the signing key, the set of people (or systems) that have the signing key, and the safeguards around changing the key.

We should keep doing code signing, but as with all security measures, recognize that it's a defensive measure, not a panacea.

When is speeding better than voting?

2008-08-18T12:32:00.003-04:00

I couldn't resist - the Washington Post reports that an older couple was cited for doing 100 mph on their street - which is highly improbable given how winding the street is and the type of car they drive (a Toyota Echo, which has a 0-60 rating measured in hours). Clearly the ticket shouldn't have been issued - the Post writes that "The speed camera system is designed to catch its own mistakes. When a glitch occurs, the device warns the reviewers by citing a weird speed to get their attention, such as 0 mph or 100 mph. The Brennan's speed should have been the tip-off to toss the ticket, but it got through the review."

All's well that ends well. So what does this have to do with voting? Well, all-electronic voting machines don't have anything to detect glitches, as we've regularly seen. And unlike someone driving 100 on a winding neighborhood street, which can clearly be ruled out, it's pretty much impossible for a paperless voting system to detect an "unexpected" result and throw it out.

Additionally, the cameras (I believe) rapidly snap a couple of pictures. So by examining the pictures and their timestamps, it should be possible to come up with a more reasonable speed. Having the camera digitally sign the images together with a trustworthy timestamp would be even better.

All of which makes me wonder - I'm guessing these cameras are networked into a central site, probably connected via the Internet. How resilient are the cameras from hacking (i.e., from someone breaking in and modifying or erasing images, or inserting images)? The cameras seem more likely to be unprotected than the servers where the images are uploaded for processing. They're probably not the most important systems out there on the Internet (assuming they are, in fact, connected that way), but they're an attractive target to someone who doesn't want a speeding ticket....

When is swimming better than voting?

2008-08-16T18:57:00.002-04:00

Simple - when there's a close race, Olympic swimming has an audit trail, in the form of videos that back up the sensors used to detect the winner of a race. As Michael Phelps learned, one onehundredth of a second is close enough.

By contrast, in a few months a large fraction of Americans will vote on systems that get less testing than the Olympic timing system, and have no independent way of judging the winner.

Nationwide biometric databases - a good idea? Not!

2008-08-08T11:10:00.004-04:00

Haaretz (arguably Israel's most influential newspaper) argues in an editorial that the Interior Ministry's proposal for a nationwide biometric database is a good idea. Aspects of the argument remind me of Scott McNeally's famous quote "You have no privacy. Get over it".

But perhaps the scariest part of the Interior Ministry's proposal (and the Haaretz editorial) is a seeming complete ignorance of some of the other downsides of such a database. For example:

What happens if someone steals your biometric data from the database, and is able to use a "replay" attack to make it appear that you're the one being authenticated?
What happens if someone replaces the biometric information of a bad guy in the database with an innocent victim? The bad guy will then go free ("it couldn't be him, since the biometrics don't match"), and the victim will have a hard time being vindicated ("the crime scene fingerprints match his fingerprints in the database, so he must be the murderer").
What happens when someone uses some of the published techniques to pick up latent fingerprints and play them back? (I remember an example of this by researchers in Japan a few years ago.)

The editorial claims that the database will be secure and "will be accessible only by judicial order." But that's also true of many databases, and it just doesn't work - see, for example, the many recent cases of hospital workers in Los Angeles reading medical records of celebrities, or IRS employees accessing celebrity tax records....

Absurd patents

2008-08-06T10:48:00.002-04:00

This patent was described in a Slate article. Has to be read to be believed. (Note that the patent was eventually canceled - but the fact that it was granted boggles the mind. Was the patent examiner trying to meet some sort of quota?)

The Google privacy dossier

2008-08-05T14:26:00.002-04:00

Computerworld reports that the National Legal and Policy Center (NLPC) has turned the tables on Google Inc. by using the company's controversial Street View technology along with Google Earth to compile and make public a detailed dossier on a "top Google executive."

You can find the dossier here. To (somewhat) protect the privacy of said Google executive, the dossier "blacks out" key parts of its findings, such as the detailed driving instructions from the executive's house to the Google office. However, NLPC did it wrong (or maybe right?) by just pasting black boxes across the more sensitive data. What they probably didn't realize is that Acrobat doesn't really eliminate the stuff under the black box, so you can just cut & paste the data into another application, and recover the "hidden" data.

As an example, here's the directions from page 6 of the report, after uncovering the hidden text:

1) Head NE on Waverley Oaks to Waverley St. (305 feet)
2) Turn right at Waverley St. (0.2 mi)
3) Turn left at Oregon Expressway (go 1.2 mi)
4) Merge onto US101 via ramp to San Jose (go 2.5 mi)
5) Take the Rengstorff Ave. exit (go 499 feet)
6) Keep right at the fork, merge onto Amphitheatre Parkway (go 0.7 mi)
7) Arrive at 1600 Amphitheatre Parkway
Distance 4.8 miles, about 11 minutes

You can do the same thing with almost all of the hidden text in the document.

This "feature" of Acrobat is nothing new - because it gets misunderstood on a regular basis, Adobe has some nice features and a good blog entry describing the issues. And this is nothing unique to Acrobat - the US National Security Agency has published a nice document on how to do redaction correctly for Microsoft Word.

The moral of the story: if you're trying to protect data, make sure you know what's there before you publish it online!

Putting the brakes on software rollout

2008-07-15T11:45:00.002-04:00

The New York Times reports that the latest hitch in getting the 787 "Dreamliner" out the door is validation of the software that runs the brakes. The general manager for the 787 program is quoted as saying ”It’s not that the brakes don’t work, it’s the traceability of the software,” and notes that the subcontractor had to "go back and rewrite certain parts of the brake control software to verify it for the certification process".

This is a good thing for two reasons:

(1) They're really paying attention to the software in the verification process, and not just rubber stamping it. That's something that the safety community has always done much more effectively than the security community.

(2) Because this is showing up in the popular press, perhaps we'll get people to ask "if they go to that much trouble for brake systems, why don't they go to that much trouble for voting systems". We know that if any modern voting system underwent the level of scrutiny as the 787 brakes, we'd have much more trustworthy elections.

The greatest public speaker in decades?

2008-07-10T20:36:00.002-04:00

I went this afternoon to hear Barack Obama speak at Robinson Secondary School in Fairfax, just a few miles from home. My motivation was two-fold: I'm a supporter (and have spent some weekend time knocking on doors for him), and his reputation as a great speaker. When I was a kid, my mother took my younger brother to see Robert F. Kennedy speak at a campaign rally, and I've regretted that I never saw him (or JFK or MLK - probably the two greatest speakers of the second half of the twentieth century).

It was exciting to be there - newspaper reports say there were 2800 people there (including a few McCain supporters chanting outside). There's certainly a lot of enthusiasm you can't ignore.

Perhaps it was the town hall format - Obama spoke for about 20 minutes, and then answered audience questions for another hour, but he didn't seem to be at his best. There was a certain rhythm to his answers - each one started in a halting way to answer the question, and then he suddenly seemed to remember his talking points, and went into a canned speech, and wound up the answer with a big applause line.

I'm glad I went, but disappointed that I wasn't wowed by his speaking. I'm no less committed to him - I agree with him on nearly everything. Just disappointed that I didn't hear a once-in-a-lifetime speech.

Two questions he was asked (out of roughly a dozen) that I found particularly interesting: one about his commitment to science (he promised to double science research funding and bring commitment to science back to the White House - both of which would be a good start given the impact on science during the Bush administration), and he defended his vote for the get-out-of-jail-free card for the telecom companies on the grounds that he believes that monitoring is important and the Inspector General report required by the law will tell us about Bush's violations of FISA. I'm thrilled about the science part, and disappointed about the domestic surveillance bill. But I guess that one of two is better than none.

Maybe not surprising, given the locale (Fairfax County is one of the most educated and wealthiest places in the country) - but the fact that two of the questions focused on science & technology questions is interesting.

I hope that twenty years from now I'll think back on this afternoon, and remember that I saw America's first African-American president. And with luck, the president who brings science back into the White House.

How many laptops are lost - lies, damn lies, and statistics

2008-07-09T16:07:00.002-04:00

A Ponemon Institute survey (sponsored by Dell) says that about 12,000 laptops are lost at US airports every week. But when Computerworld magazine called some of the airports cited in the study, the numbers they gave differed dramatically from the study reports. For example, in Miami Ponemon said 1000 laptops/week while TSA said that there were 68 stolen and 480 turned in - for all of 2007. At Washington National airport (*) Ponemon claims 450/week, but TSA says 276 laptops were turned in for the whole year.

So what's the truth here? Is TSA underestimating, or is Ponemon exaggerating for effect? As usual, the truth is probably somewhere in between. But if I had to make a bet, I'd guess it's a lot closer to the TSA's numbers than Ponemon's.

Let's try some round numbers. Miami airport had 33 million passengers in 2007. (I don't know if that includes people changing planes, and whether that includes both departures and arrivals.) But let's assume that's only departing passengers, which comes out to about 650,000/week. Let's assume that half of the lost laptops are at security checkpoints, since that's the place where things tend to get misplaced the most. So let's take half of Ponemon's numbers, or 500/week. In very round numbers, that means 1 out of 1000 passengers loses their laptop going through security. So if you're flying on a 747 (which seats about 400 people), the odds are roughly 50% that someone on that flight lost their laptop on the way to the plane.

I find that hard to believe - you'd think that if it happened that frequently, there would be paniced people running around airports on a regular basis looking for their laptops... and we'd all hear horror stories from our friends and relatives.

This is all back of the envelope calculation, so even if I'm off on some of these numbers, it's not going to change the overall answer.

Back of the envelope calculation is a useful technique to sniff out the unlikely in statistics. I'm surprised that Ponemon didn't ask "do these numbers really seem likely".

(*) Out-of-towners call it "Reagan", but to locals, it's always National.

Free & open source security testing tools

2008-07-03T11:34:00.002-04:00

HP recently released its free Scrawlr tool, a dumbed-down version of the former SPI Dynamics tools that can find some forms of SQL injection. Google released the source code for their RatProxy tool that can "pick up cross-site scripting flaws and incomplete cross-site defence mechanisms, as well as potential data leak sources and risky code that retrieves data from outside domains".

Making tools freely available is a Good Thing(TM). But the real question is - will they get used by companies and individuals to find vulnerabilities in their sites, and even more critically, will they fix the problems identified? Like almost any security tool, Scrawlr and RatProxy are dual-use technologies - they can be used by defenders to find problems (and verify that the fixes work), but they can also be used by adversaries to figure out the most promising avenues for attack.

No one should rely on these tools as the sole measure of a web site's security, but they're ignored at your own peril.

Put another way: any web site owner who has dynamic content and is NOT using these free tools (or something better) AND fixing the problems they identify is taking a big risk - if you don't use them yourself, the bad guys will!

New attacks, and taking risk measurement personally

2008-07-02T12:59:00.002-04:00

Today, a terrorist used a bulldozer as an attack weapon, running over several cars in Jerusalem, and killing at least three people and wounding many others. It's a novel attack method - the Israeli police and army have gotten quite good at stopping car bombs by preventing them from getting into Israel, but this is a weapon that's already present (and the terrorist was an authorized user of the vehicle, although obviously not for that purpose).

While not taking away from the tragedy of the people killed, or the crime by the terrorists (including their sponsors who are perversely cheering these murders), it's important as security engineers that we're always aware of attacks that don't follow our "script". That's as true for real-world ("kinetic") attacks as for cyber attacks.

More to the point, this attack made me think about risk. My son is in Israel, and his plans are to go to Jerusalem tomorrow - probably even going past the very place where the attack occurred. Should I let him? What are the risks of another terrorist attack? How do those risks compare with the risks that would ordinarily be present in a city - the risk of getting hit by a car while crossing the street? Ultimately, I decided that the risk of another terrorist attack is fairly small in comparison with other risks.

(Incidentally, there's very little non-terrorist violent crime in Israel, so I don't worry about him getting mugged walking around the streets even at night - something I might be more cautious of in an American city.)

Like all parents, I worry when my kids are out driving late at night (even though I don't believe they drink, there's always other drivers to worry about, as well as the fact that they're not very experienced drivers), when they travel, etc. My older daughter is spending the summer in Pittsburgh - and like any big city, there's some amount of street crime there. How much should I try to protect her? (Both my son and older daughter are old enough that I have no legal control, just a parent's moral influence.) Figuring out which risks to allow them to take and which to prohibit is one of the hardest things about being the parent of young adults.

How much is an Easter Egg worth?

2008-06-24T17:12:00.002-04:00

The New York Times is reporting on the results of a class action lawsuit against Take Two Interactive over a hidden sex scene in Grand Theft Auto: San Andreas. The issue is that the lawyers fees are about $1.3 million, vs. about $30,000 paid to the alleged plaintiffs (because only a tiny fraction of a percent of buyers were upset enough about the hidden scene, which can only be accessed using third party software, to participate in the settlement).

Easter Eggs in software have a long history. Based on my experience with commercial software in several companies, I'd guess that a large fraction of commercial products have easter eggs. Unless software vendors do a thorough scrub (which is pretty rare), it's a given that something put in by a developer will make it into the product, unless it causes some QA failure.

So given the settlement cost, how much would it be worthwhile for vendors to invest in ensuring that there are no obscene Easter Eggs in their software? Unless it's game software, where looking for hidden features is a well-established practice, it's probably not worth anywhere close to a million dollars. That's unfortunate, since looking for Easter Eggs might well help find security flaws, which are a bigger real threat.

Maybe we should encourage Congress to impose huge fines for software that contains Easter Eggs - and use that leverage to improve the security of our products?

A wake-up call to banks on application security

2008-06-23T13:09:00.004-04:00

The Office of the Comptroller of the Currency is part of the US Treasury Department, and is one of the regulatory bodies for US national banks. So when they speak, banks listen (to paraphrase an old E.F. Hutton advertisement).

In early May, the OCC released guidance to banks that they have to pay attention to application security. Kudos to C. Warren Axelrod who blogged about it last week.

Here's a few quotes from the OCC letter, which is addressed to "Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers, Department and Division Heads, and All Examining Personnel":

Banks that purchase applications typically rely upon the vendors to provide secure applications. However, bank management remains responsible for ensuring that the application meets the bank’s security requirements at acquisition and thereafter. As needed for purchased software, banks should expand their vendor management program to include application security considerations in their request for information (RFI) or request for proposal (RFP) process. An attestation from the vendor that their software development process follows secure development practices and is periodically tested may suffice for some applications. For applications that present higher risks, banks may require vendor evidence of adherence to sound processes and validation through third-party testing and/or audits. All applications purchased should be supported by appropriate vulnerability identification and remediation processes, including appropriate vendor support. Additionally, banks should ensure that their ongoing testing process (e.g., penetration, vulnerability assessment) includes purchased and contracted applications.

Among the questions they recommend asking for in an RFI/RFP:

What are the vendor’s risk-based processes for development and validation of the application security before, during, and after it is purchased?

What are the vendor’s notification processes whenever security vulnerabilities are identified by the vendor, reported by customers, or others?

Will the vendor provide timely mitigation or remediation solutions to identified security vulnerabilities?
Does the vendor have an industry-recognized third party who conducts application vulnerability assessments on the application (including security)? If so, obtain the third party’s name and determine how often the assessment is conducted, and:

The date of the last time an application vulnerability assessment was conducted for the application;
Whether the vendor is willing to share the results before the bank selects it as the chosen vendor;
Whether the application has any known open vulnerabilities (including security) at the time of responding to the RFI/RFP. If so, is the vendor willing to share the nature of those vulnerabilities with the bank before selection of the product; and
Whether the vendor is willing to share its secure coding processes and practices with the bank before execution of a contract.

If the vendor does not have a third party who conducts application vulnerability assessments (including security), can the vendor describe their internal methodology?
Is the vendor willing to conduct, or contract for, an assessment to provide assurance to the bank regarding the security of the application?

Where appropriate, the bank should include in the contract language about the need for current and ongoing application vulnerability assessments (including security) and who will conduct the assessments. Depending on the risk profile of the application, bank management may request the full vulnerability assessment report or a summary.

Their recommendations include "incorporating appropriate attack models [which they define as being equivalent to a threat model] in risk assessments" and using "Static, dynamic, and functional evaluations, depending on the type and criticality of the application. Automated evaluations using commercial or freeware tools, as well as manual interaction to supplement application tools. Authenticated and non-authenticated user scenarios. Comprehensive testing in a simulated production environment including appropriate operating systems and associated databases. The weakest link in several connected components may expose the entire system to compromise." They also recommend looking at open source applications from a security perspective.

Now if banks really do what the OCC is recommending, this may be a truly meaningful kick-in-the-pants to everyone to start paying attention to application security. I never thought I'd say it, but hooray for government bureaucracies!

[Edited 02 Jul to correct the link to the OCC page, which had moved.]

A new favorite quote

2008-06-20T18:04:00.003-04:00

I don't often quote evangelical ministers (at least not positively), but I ran across this today: "Tony Campolo [a progressive Evangelical] once said that mixing politics and religion is like mixing horse manure and ice cream. You don’t hurt the manure, but the ice cream gets pretty messed up. No matter how much ice cream you toss into the mixture, the manure wins." [There are a number of slight variations I found on this quote, but everyone seems to attribute it to Tony Campolo.]

Its one of those great quotes that can be modified in so many ways - in fact, substituting almost any word in place of "religion" works quite well. "Mixing politics and economics", "mixing politics and science", etc.

How did Citbank lose customers' money?

2008-06-19T15:16:00.002-04:00

Wired is reporting that "a computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors".

But the explanation of how they did it is a bit confusing - did someone steal PINs by hacking into a server, as is suggested by the article? It's possible, but my guess (backed up by someone I spoke to who knows a lot more about this subject than I do) is that someone actually installed software on the server that approves the transactions. If you do that, you don't need to know anybody's PIN - if you can create duplicate cards, you can get the system to allow withdrawals. Of course, you wouldn't want the approval to automatically say "yes" to any withdrawal, because then it would be too obvious, and the "free money" machines would be reported by customers and stopped before long. A clever attacker would insert code that would be highly unlikely to trigger by accident, but easy to trigger on purpose. For example, a PIN that matches the current month and day, or a PIN that matches some function of the account number - either would be incredibly unlikely to be triggered except by someone who knew the approval hack was present. Once the code is inserted into the approval system, the attacker can make unlimited withdrawals from an account, regardless of the account balance.

Regardless of the mechanism, the attack demonstrates that banks can't simply pass the buck (so to speak) to their customers for protecting PINs - it's up to the banks themselves to monitor their servers, and ensure that they're hardened.

Can TSA employees spot irony?

2008-06-06T12:48:00.003-04:00

As I went through "security" at Dulles yesterday, I noticed a book sitting on top of the X-ray machine. George Orwell's 1984, to be precise. I wanted to take a picture, or to ask the TSA folks about it, but was late for my flight and didn't feel like missing it by being branded a terrorist.

Was it put there by a TSA employee? If so, did they recognize the irony?

The Societe Generale report

2008-05-30T10:19:00.003-04:00

Societe Generale (and their auditing partner PricewaterhouseCoopers) has announced the results of their investigation into how Jerome Kerviel managed to lose US$7B. Conveniently, their release came out at the same time as my article about security lessons learned appeared in IEEE Security and Privacy.

Dark Reading has a good summary of the Societe Generale report. It's nice to know that my article (which I wasn't paid for) comes to largely the same conclusions as PWC, which probably got paid US$1M or so. Of course, any competent security specialist could have figured out most of the probable causes - the only thing that I didn't know is how many of them were the actual causes, and for that the PWC report is worth reading.

How long between switching jobs?

2008-05-02T13:57:00.002-04:00

When I graduated college, I went to work for Bell Labs. Three years later I quit - and my father-in-law was aghast that I'd leave a job with a major corporation. In his generation, you worked for one company your whole career. I've now been in the workforce 25+ years, and worked for eight companies, including 8+ years with my current employer. The early years, where I switched every 2-3 years, were a mixed blessing - gave me a view of different organizations and helped increase my salary, but I think I made a mistake in not looking for jobs inside the organization before looking outside.

Anyway, I was amused by this requirement in a VP sales job posting sent to me recently: "Job tenure of not more than 3 jobs within the last 5 years proving you have staying power. " Wow. By that standard, I could have worked for nearly 20 companies so far! (Yes, I know that longevity for sales people is different from technical people, but calling that "staying power" was amusing.)

On the Internet, no one knows you're a (dyslexic dead) dog

2008-04-30T11:24:00.005-04:00

The expression "on the Internet, no one knows you're a dog" has become a cliche. But now, we see that in reality, on the Internet, no one knows you're a dyslexic dead dog!

What do I mean by that?

There have been a number of messages floating around about the death of a hacker known as rgod. But someone who claims to be rgod says "Thank you for your kind words. I am pleased to inform you that I am not dead. I have been the subject of a horrendous and difficult joke. Some hackers unknown to me have compromised my web server and email accounts making it impossible for me to access my site. They are falsely stating that I have died. Please ignore this statement until my services can be fixed."

So how do you prove, as someone who's known by a pseudonym, that you're not dead?

[Added 30Apr08: It appears that in fact rgod may be dead, but it's hard to tell for sure. One Bugtraq posting noted "But, if isnt dead, why he use a computer based translator to translate, from english, something that he can write in correct italian ? I'm italian and i garantee that is not italian", to which another responded "Yes, someone else told me already in private that the 'I'm not dead site' was a hoax. I did not know rgod and I don't know if he's dead or not - I just wanted bugtraq to know, that there's something else going on here - without taking sides. The decision which website to trust (or, more generally, (how) to trust online information at all) is left to the bugtraq readers." [emphasis added]. I won't continue to update this posting, as I think the current uncertainty adequately summarizes the problem!]

Nabatean security

2008-04-15T14:52:00.002-04:00

Raise your hand if you know who the Nabateans were. OK, now that we've established that, the Nabateans were an ancient people who lived in much of what's now Jordan, Israel, and Saudi Arabia. (I'm no expert, but the article on Wikipedia seems pretty good.)

So what do the Nabateans have to do with security? Separation of duties, security by obscurity, and perimeter security. Let me explain. I spent last week in Israel, mostly visiting family, but also doing some sightseeing. And like any security engineer with a "security mindset", I thought about security as I saw some of the ancient sites.

As I learned in my visit to Avdat, there was an ancient route for transporting spices and perfumes from what is now Yemen to Greece. The perfume makers kept their technology a secret, but needed to get the product to market. The Nabateans knew how to cross the desert safely, which the perfume makers didn't know. But they didn't know how to safely cross the Mediterranean, which the Greeks knew. So each group had their role, with strongly enforced separation of duties. (Nabateans would be killed for drinking alcohol, which I presume was a method of ensuring that they didn't spill the beans.)

So how did the Nabateans cross the desert safely? First, they established cisterns to hold the water, since oases aren't entirely reliable. They camouflaged them, so they wouldn't be found by other desert wanderers. Second, they marked their route using a series of large stones, but again they were set up in such a way that they could only be followed by one who knew the secret to interpretation. In other words, security by obscurity.

And perimeter security? The Nabateans got fabulously wealthy through the perfume and spice trade, and eventually built the city of Petra (in modern Jordan). Petra is several respects. The "buildings" weren't actually buildings, but rather elaborate caves carved into the rock walls. But for purposes of this discussion, the important thing is that Petra is in a very narrow valley with high walls - the only way to attack the city was by coming in at one narrow entrance to the valley, which could be defended relatively easily - a simple perimeter defense, just as a firewall is (incorrectly) believed to provide that feature today.

[For those considering visiting Avdat and/or Petra, I highly recommend doing it in the spring or fall - the summertime is far too hot to make these comfortable vacation destinations!]

Are data breach laws good policy?

2008-03-27T13:26:00.003-04:00

This week Indiana passed a new data breach and notification law, which closes some loopholes in the previous law. Generally speaking, I think that's a good thing.

But what worries me about the Indiana law, as I read it (and IANAL), is that if I you, gentle reader, happen to live in Indiana and post your private information such as your name and social security number as a comment to my blog, then I could be in violation of the breach law - even though I never asked you to post it. (Or depending on how a court interprets the terms of the agreement between the individual and Blogger, it might be Blogger that would be in violation.) Simply the presence of personal information, even if it was never requested by the owner of a site, can put that site at risk.

This could obviously impact places like LinkedIn or VisualCV, where people routinely post some types of information that might be considered private (employment and education history), as well as the more obvious sites like MySpace and Facebook. If a user of LinkedIn decides to aid their job search by posting their SSN and driver's license number (two of the protected types of personal information), and then someone else copies the data from that site, is LinkedIn at risk? Even though their terms of service don't explicitly say "don't post personal data, stupid", most people would understand that - and it would be hard to say such disclosure would be a "breach" since LinkedIn pages are public, but would it come under the law? (LinkedIn's user agreement says you may not "post content in fields that aren’t intended for that content. Example: Putting an address in a name or title field" - but would putting your SSN be a violation of those terms?)

It's an interpretation that wouldn't make a lot of common sense, but some lawyers specialize in lawsuits against deep-pocketed targets like LinkedIn.

So to me, the problem with the law is that the site holding the data doesn't even need to ask for the data in order for it to be at risk of violating the law.

Brookings seminar on "Voting Technology: The Not-So-Simple Act of Casting a Ballot"

2008-03-21T15:06:00.005-04:00

A couple of weeks ago, there was a lot of publicity around the new book "Voting Technology: The Not-So-Simple Act of Casting a Ballot" by Paul Herrnson et al (Brookings Institution Press). Much of the publicity was focused on the critiques in the book of the need for computer security, including the authors claims that the needs for security are much less important than the need for usability.

This morning, Brookings hosted a panel with four of the six authors of the book. I won't try to summarize their book, other than to say that it's well worth reading about their usability results, some of which are quite surprising. There are serious scientific problems with their work even as far as it goes, but that doesn't take away from the fact that this is one of the first studies with field trials of voting systems. One of the major limitations of their results is that in considering usability, they entirely ignored usability by disabled voters. I had hoped that they would address some in their field trials some of the issues that Noel Runyan's team identified in the California Top to Bottom Review Accessibility Study. However, as Paul Herrnson told me, their funding was less than requested, and this is one of the areas they cut, to the great dismay of Jim Dickson, a leading advocate for blind voters.

The biggest issues I have with this report are as follows:

(1) It states categorically that no elections have been corrupted due to intentional security breaches (i.e., no hacking), so therefore security isn't an issue. While I certainly don't know of any examples of successful security attacks on real elections, there are many cases where there have been accidental problems that have caused incorrect election results. The ironic thing is, of course, that we only know of the ones that did NOT take place on paperless DREs, since if there's no paper, there's nothing meaningful to recount. Although we can't prove incorrect election results on the DREs, I'd bet money that we've had them from accidental errors, if not intentional ones.

Besides, if anyone has successfully caused incorrect election results, one would hardly expect them to brag about it - just as old fashioned ballot box stuffing and switching was well known, but not advertised.

(2) Their primary focus is on whether voters get the votes selected correctly. This is important, but it misses the even more important factor of whether votes are recorded correctly. If the voting system (whether it's a computer, paper, punchcard, or something else) doesn't accurately record what the voter selected, it doesn't matter whether the voter was able to figure out how to use the system.

(3) Their secondary focus is on whether voters feel comfortable with the voting system, and are confident that it worked correctly. As was pointed out by Roy Saltman (author of "The History and Politics of Voting Technology: In Quest of Integrity and Public Confidence", an excellent book on voting systems), while it's important that the voter feel confident, it's less critical than whether the auditors can actually verify the results. He noted that we need to have systems that can be verified, even if that makes it slightly more difficult for voters to vote.

Incidentally, Roy told me his book will be available in paperback this summer for about half the price of the hardback, and Amazon is taking orders.

Norman Ornstein asked which of the technologies they investigated offer meaningful opportunities for recounts, especially given that "optical scan is what people perceive as the right answer". The authors didn’t answer directly, but noted that the real problem is which is the ballot of record in systems where there is more than one form (such as DREs with VVPAT). Herrnson strongly prefers that the electronic ballot fill that role - which of course defeats the purpose of having paper, and guarantees that we'll have more elections where we'll never know who was the real preference of the voters.

Among their recommendations which I agree with are the need for "pre-testing" of ballots to make sure they're not confusing to voters (ala the infamous Florida "butterfly ballot" of 2000 or the Florida 13th Congressional District election of 2006). While this won't help with security issues, it will address many of the problems that plague elections today. I also agree with them that there should be parallel testing, although there's no indication that they understand the limitations of that technology.

After the seminar, I suggested to Herrnson that asking voters about their comfort with the voting systems is like asking patients which of two medical procedures to diagnose a problem is better - trained experts (i.e., doctors) can be expected to answer that question, but the patient can only comment on the patient experience not the test accuracy. I suggested that offering as a choice an invasive procedure vs. a Star Trek-like "magic scanner", most patients would select the scanner as both more accurate and more desirable. He disagreed, saying that most patients would conclude that the invasive procedure is more accurate - if it's uncomfortable, it must be better. He might be right on that one...

Also after the seminar, when I asked Herrnson about his critiques in the press of security, he complained that it was taken out of context - he said he spoke to journalists for as much as an hour, and the part they chose to publicize was the security critique, which he claimed was hardly the focus of his work. I can appreciate that - anyone who talks to the press knows they'll take the "juicy" parts. But at the same time, I think it's unwise for a group of political scientists to be passing judgment on whether computer security is a real problem or not. As with the doctors above, let's leave that to the subject matter experts - the computer scientists.

I had at least a hundred more questions I wanted to ask, but given the constraints of the seminar that wasn't possible. Brookings videotaped the presentation; hopefully viewers will be able to judge for themselves the limits of this study.

[Updated 21 Mar to correct a number of typos and add a link to the video archive.]

How did those classified emails get out?

2008-03-04T16:18:00.003-05:00

The Register is reporting that the owner of mildenhall.com, a site for the town of Mildenhall England, has been getting thousands of emails intended for people at Mildenhall Air Force Base, including many that are classified and include sensitive information such as the path of Air Force One.

What I can't figure out is how the emails got there. The US military runs several separate networks - NIPRnet for unclassified stuff, SIPRNet for Secret, and then various other networks that are more highly classified. If the information is classified (and from the descriptions, it probably should be), it should have been on SIPRNet. There are "guards" (automated or semi-automated transfer devices that do content-based filtering) that allow limited flow of information between network classifications.

So one of a few things happened:

The information wasn't classified, but probably should have been. Unlikely, given that the current administration is much more likely to over than under classify information.
The information was classified, but for some reason was on the NIPRNet, instead of SIPRNet (or higher). Maybe someone felt they absolutely had to get the information to Mildenhall AFB, and couldn't wait for the normal channels, so they took a shortcut.
The guards weren't in place.
The messages are bypassing the guards.
The automated part of the guards that are supposed to be filtering the data aren't working correctly, approving release of information that shouldn't be released.
The "semi" part of the semi-automated guards made bad decisions (i.e., the person reviewing the data for release approved things that shouldn't have been). Given the tens of thousands of messages involved, this seems unlikely.

Without knowing what actually happened (and I doubt we ever will - the Department of Defense is nothing if not tight-lipped), it's impossible to come up with lessons learned. But clearly something went quite wrong. And whether it was a personnel security failure or a computer system failure, it shouldn't take years to accomplish.

And it's worth pointing out that the problem isn't actually solved! All that happened is that the owner of mildenhall.com gave up on his site - the messages are still flowing across the Internet unencrypted, and to whomever the new owner of mildenhall.com is. The suggestions from the Department of Defense that mildenhall.com block messages coming from DoD sites is ridiculous - they shouldn't be sending out the classified information in the first place!

Management understanding staff concerns

2008-02-28T12:26:00.002-05:00

Joel Spolsky, a childhood friend of mine, writes a rather well read blog. ("Well read" in the same way that, say Bill Gates is moderately well off.) He's recently started a column in Inc magazine; his March column of how executive management can become detached from their staff reminded me of one of the best managers I've ever encountered.

Like Joel in his Army days, I was working on grueling project (although no live fire ammunition!) at a site in Florida, preparing to give a major demo to a government customer. Everyone had been working around the clock for weeks, and was tired. One of the VPs showed up one day, for what we expected would be a "pep talk" similar to the general's talk in Joel's story. But it was the opposite - she didn't ask what she could do to help technically, because that wasn't her skill. Instead, she went out to get food for everyone and offered to do laundry (which no one accepted, of course).

I've wondered since then whether such an approach would have worked with a male VP, but regardless of that, it struck me that she understood the role of management is to enable the workers to get their job done effectively and efficiently. The president of Ford or AT&T doesn't do anything that serves the customers, but the people on the manufacturing line or sales floor do. So the best thing the president can do is bring lunch to the person who's sweating to make that deadline.

I've tried to incorporate that lesson into my management philosophy, sometimes succesefully. My goal as a manager is to do whatever is needed to make my team successful - whether that's bringing them lunch, getting the equipment they need, or running interference with whatever part of the organization is in their way. These are the things that all managers do to some extent - but I try to remember that they're the main reason for my being there.

Teaching users to be phishing victims

2008-02-26T11:37:00.002-05:00

I received the following (genuine) message from PNC Bank today (somewhat edited for length):

At the end of the PNC Save and Win Sweepstakes, [...]

If you don't have a PNC Statement Savings Account, open one today online, or by visiting any PNC branch or by calling 1-800-762-5684.
OPEN ONLINE -- https://www.pnc.com/webapp/unsec/Blank.do?siteArea=/PNC/Home/Personal/Savings/Savings%2bOffers/saveandwin&WT.mc_id=SAVWIN08_Email_0001
LOCATE BRANCH -- https://www.pnc.com/MapQuest/mqlocator/MapQuestSearchInit
[...]
LEARN MORE -- https://www.pnc.com/webapp/unsec/Blank.do?siteArea=/PNC/Home/Personal/Savings/Savings%2bOffers/saveandwin&WT.mc_id=SAVWIN08_Email_0001

[...] Emails from PNC are intended to inform you of our offers, promotions and updates. PNC will never ask you for confidential account information to be sent by unsecured email or provide a link in an email to a sign on page that requires you to enter personal information. If you need to communicate sensitive customer information to PNC, you should go to pnc.com, sign on to Online Banking, and communicate with us via the secured messaging center.
[...]
This email message may contain an advertisement or solicitation. If you no longer wish to receive such messages from PNC, click below to Unsubscribe.
https://pnc.p.delivery.net/m/u/pnc/uni/p.asp

Review the PNC Bank Web Privacy Policy by clicking the link below.
http://www.pnc.com/webapp/unsec/Solutions.do?siteArea=/PNC/Privacy+Policy

NO PART OF THIS PUBLICATION MAY BE REPRINTED WITHOUT WRITTEN PERMISSION.

The text in red is an attempt to combat phishing a bit, but generally this is a terrible idea. Other than spelling errors, it has all of the usual characteristics of a phishing attack.

As for their "no part of this publication" notice, tough luck, PNC - don't send phishing messages!

Pew report on the status of paper in voting systems

2008-02-22T15:28:00.003-05:00

Interesting new report titled "Back to Paper: A Case Study" was released by Pew ElectionLine.org on the history and current state of paper ballots for elections, focusing on Florida, California, Ohio, and Colorado. It's reasonably well balanced, although there are definitely things I disagree with.

One of the really awful things about the report, though, is this horrendous picture found on page 17. I'm no User Interface specialist, but a map with three shades of blue (and relatively similar shades at that) seems more designed to confuse than enlighten.

The people be damned

2008-02-15T17:01:00.002-05:00

I spent this morning at the meeting of the Virginia House Subcommittee on Privileges and Elections, mainly to urge passage of several bills I've been working on this year (SB 35 which makes recounts slightly meaningful, SB 292 which in its watered-down state allows some pilot audit programs, and SB 536 which strengthens the requirements for voting machine certification).

But the most contentious bill was SB 38, which calls for creating a bi-partisan commission to do the redistricting after the 2010 elections. The room was packed, with people standing in the hall outside, despite the fact that the meeting started at 7am and was not well publicized. I was encouraged by the vocal support of many different groups who frequently differ, including the League of Women Voters, AARP, Virginia 21, the Libertarian Party, the Richmond Chamber of Commerce, and the Virginia Redistricting Coalition (a non-partisan group of political and business leaders). As has been pointed out, virtually all Virginia political leaders of both the Democratic and Republican parties from the past 20 years have come out in favor of this bill, including Governor Kaine and former governors Mark Warner, Allen, Wilder, and Baliles; US Senators Allen, John Warner, and Webb; and many others. In fact, there was only one person in the room who had anything negative to say about the bill: Delegate Chris Jones.

Unfortunately, Delegate Jones is the only one whose vote actually counted, and the bill was killed on a party line vote, without going to the floor of the house.

Washington Post coverage doesn't begin to capture the frustration in the room and in the halls afterwards.

Delegate Jones should be ashamed of himself for disgracing the people of Virginia.

Really bad error message

2008-02-13T15:03:00.004-05:00

Security people sometimes wonder why users have such a hard time using their systems securely. This summary from an installation of a Nortel VPN product typifies for me the problem - what is a non-crypto expert supposed to do with this information???

United really doesn't want to hear from you

2008-02-05T07:40:00.000-05:00

Not related to security or voting, but a rant about poor customer service today.

Yesterday, United Airlines announced a change to their baggage check policy - for mere mortals, it will now cost $25 to check more than one bag. Now I don't do that very often - and it's their right to make changes - but it's a bad policy anyway. It'll just encourage people to carry on even more and larger suitcases and try to stuff them into the too-small overhead bins.

So I decided to give United my opinion. Went to their customer service page, and clicked on "Submit a Question". It says " ERROR: Could not create process" which seems appropriate - United is unable to create any sort of process that involves listening to customers or thinking through the results of decisions.

I guess when my kids go back and forth to college (which frequently involves multiple suitcases), they'll cross United off their lists.

Al Qaeda encryption

2008-01-24T11:20:00.000-05:00

There's been a fair amount of coverage that some Florida-based web sites are offering "new and improved" encryption technology for use by Al Qaeda. According to a Computerworld article, MEMRI (a generally reputable organization) is reporting the availability of "Mujahideen Secrets 2". MEMRI says that the first version of the tool provides users with "the five best encryption algorithms, and with symmetrical encryption keys (256 bit), asymmetrical encryption keys (2048 bit) and data compression [tools]."

So far, that's quite believable.

The problem is the quote in the Computerworld article from Paul Henry of Secure Computing Corp, who says that the new version "likely uses at least 1024-bit encryption, whereas the first version of Mujahideen Secrets used 256-bit AES encryption". I'm going to guess that Al Quaeda has sufficient technical expertise to know that if they're using 256 bit AES encryption, the encryption algorithm isn't the weakest link - it's going to be the key selection and distribution, correct implementation of the algorithms, security of the web sites where their information is stored, etc. I have no idea whether Al Qaeda doesn't understand encryption, or Mr. Henry doesn't understand it, or whether Computerworld misquoted him. But in any case, it's one of those examples of where more is not necessarily better.

The Washington Post article has the good sense to report on the release of the software without speculating on what's "new and improved".

Good bills, bad bills on voting in Virginia

2008-01-16T17:03:00.001-05:00

This year's legislative session has some good bills and bad bills. A quick overview for those who are interested...

SB 292 provides for random audits of optical scan voting results, and additional random selection (and hand counting if needed) for recounts. This is a critical change in Virginia, where current law precludes looking at paper ballots in case of recounts, and has no audits. It's not a perfect bill (the science of how to audit efficiently and to an extent that gives additional accuracy is still being refined), but it's a big step along the way of knowing who really won and lost elections. This is particularly important in Virginia, where we've had several close elections over the past few years.

SB 536 makes several small but important changes in how voting equipment is approved in Virginia. It gives the State Board of Elections the power to examine other state results in deciding what equipment should be certified, and allows the SBE to decertify equipment based on results from other states. This is important to take advantage of the studies done by California, Florida, Ohio, and other states. It also instructs the SBE to bring in experts in security and handicapped accessibility as part of the certification process.

The above bills are the primary focus for the Verifiable Voting Coalition of Virginia (VVCVa) this year. Unfortunately, we'll also be fighting off some bad bills, most notably HB 638, which rolls back the clock on the DRE purchase ban. Last year, VVVCVa worked with a bi-partisan coalition to pass a bill that prohibited wasting money by buying more DREs (paperless electronic voting systems). Considering that the move nationwide is away from DREs and towards optical scan machines, and that Federal legislation is pushing things the same way, a ban on more purchases is good financial sense. Why throw more money at equipment that we know doesn't work, and is going to be banned anyway? Just doesn't make sense.

There's also a whole series of bills (HB 467, HB 685, HB 801, HB 1476, and SB 52, which are nearly identical to each other) that in one way or another roll back the ban on wireless usage on election day, which was passed last year. While I still think that wireless usage is unnecessarily risky, many Virginia jurisdictions are suffering from the decision to use Advanced Voting Solutions for their voting systems. AVS assured the legislators last year that their voting machines could turn the wireless off before the polls opened, and then turn it back on in time to synchronize the machines as the end of the day (thus avoiding poll workers manually totaling all of the machines in a precinct when they're tired after a 16 hour day). Unfortunately, AVS's claims were false - this can't be done. AVS is in weaker financial shape than its better-known competitors like ES&S, Sequoia, and Diebold/Premier, and it doesn't have the money or the resources to fix this problem and get it certified. (Well, based on what's happening in Pennsylvania and with the EAC, they can't seem to get anything certified.)

To make a long story short, it looks like the prohibition on wireless is going to be rolled back for the pragmatic reason that the machines are too hard to use without wireless. From a security perspective, this is a bad decision, but it's probably inevitable. The key now is to ensure that no future voting systems have that same problem - and that the legislation truly allows what is needed and no more. I'll be working with a number of legislators to ensure that the legislation really says what it needs to!

So once again, an exciting legislative year in Virginia for electronic voting. If you're reading this and you live in Virginia, please contact your Delegate and Senator and ask them to support SB292 and SB536, and to oppose HB638.

[Updated Jan 17: Added links to the bills rolling back the wireless ban.]

RealID will cause riots

2008-01-12T18:17:00.000-05:00

You've undoubtedly heard that DHS finally published the requirements for RealID, pushing off the deadline for implementation. That's good and bad news.

It's good news because some of the truly ridiculous requirements have been relaxed, and the deadline for implementation has been pushed back. There's the expected criticisms of the plan, which I applaud. Real ID is a truly bad idea.

But it's bad news, because it's going to delay the inevitable riots. I spent three hours this morning at the Virginia DMV waiting (ultimately unsuccessfully) with my nephew while he tried to get a driver's license. We arrived at 830am; his paperwork was entered into the computer at 930am; and at 1115am he was still over an hour away from getting a road test (at which point we had to leave due to another commitment - which means we have to start all over another day).

What does that have to do with Real ID? As horrible as the lines are - and think how much productivity is being wasted by the hundreds of people waiting in line - can you imagine what it's going to be like when Real ID becomes required? Instead of most people being able to renew their licenses online or by mail, now everyone is going to have to sit and wait for hours to have their papers checked. Even increasing the workload of DMV by 10% would have a catastrophic effect, just like adding 10% more traffic to an overcrowded highway brings things to a complete halt.

So I'll make a prediction: the first time a senator or representative (or their spouse) or a Fortune 500 CEO (or their spouse) has to sit for three or four hours to wait for a bureaucrat to review their papers, we're suddenly going to have Real Interest in repealing Real ID. And if there's a backdoor "express" approval for the high and mighty, we'll have riots.

Photo IDs and voting

2008-01-08T13:46:00.000-05:00

There's been much said about the Supreme Court challenge this week (Indiana Democratic Party v. Indiana Secretary of State and Crawford v. Marion County Election Board) to Indiana's Voter ID law which requires voters to provide a photo ID (see here for a good discussion of the problems with the Indiana law).

There are two parts to this issue: whether fraud occurs by individuals casting multiple votes, and whether the requirement for photo ID is burdensome.

For the former, see the Washington Post OpEd which notes "Indiana has conceded that there have been no cases in state history of voter impersonation that an ID law would have prevented".

For the latter, these discussions talk about young, minority, and elderly voters, all of whom are less likely than others to have a government issued photo ID. I'd like to offer a case in point: my mother. My mother hasn't missed an election in about 60 years. But due to a glitch, her non-driver's license (i.e., government issued photo ID) expired several years ago. Due to the Patriot Act, the only way to get a new one is to go to Department of Motor Vehicles office, which she physically can't do. So she has no valid photo ID (her passport has also expired).

Her situation is not atypical. I mention it only because I think to many proponents of Voter ID, people without an ID don't really exist. But they do - even in middle class suburban neighborhoods.

2008-01-06T14:34:00.000-05:00

There are many excellent blog posts on today's New York Times magazine article by Clive Thompson on voting machines. Steve Bellovin has some great comments, as does Dan Wallach. I particularly agree with Steve's comments that "the biggest problem with e-voting machines is ordinary buggy code". Or said another way, "never attribute to malice that which is adequately explained by stupidity" (which Wikiquote attributes to Robert Hanlon, as Hanlon's Razor).

One thing the article briefly mentions is how poor the state certification process is. Mr. Thompson writes "The vast majority of states “certify” their machines as roadworthy. But since testing is extremely expensive, many states, particularly smaller ones, simply accept whatever passes through a federal lab." As I've discussed elsewhere in this blog, I had the opportunity to observe Kentucky's certification process, which is certainly consistent with this description.

Mr. Thompson then goes on to write "And while it’s true that state and local elections officials can generally keep a copy of the source code, critics say they rarely employ computer programmers sophisticated enough to understand it." This isn't entirely true - while there are some cases where the software is available to state and local officials, in many cases (in my experience), no one even asked for it, so it's not available. Of course the second part of Mr. Thompson's comments are absolutely true - very few states or localities would know what to do with the source code. (For the record - I don't think that's a bad thing. You don't need a brain surgeon on staff in every neighborhood clinic, and you don't need an expert in source code analysis in every state Board of Elections. This is an area where hired experts are better than trying to retain people on staff.)

I'd give Mr. Thompson and the New York Times a grade of A-. As all the blogs have described, he did a great job covering a complex subject, and made only a few oversights.

[Updated 07 Jan to correct the author of the Freedom To Tinker blog entry. (Thanks Dan!) As to whether it was Hanlon or Napoleon or someone else who first said "never attribute to malice ...", I'm going to stick with Wikiquotes, since there seems to be a lot of disagreement.]

Intelligent Software Design

2008-01-04T12:31:00.001-05:00

Software is incredibly complex. To the average person, it's incomprehensibly complex - so complex, that it couldn't be created by mere humans.

So my initial conclusion is that software must have been created by a greater power. But teaching creationism is prohibited in schools, as it's non-scientific. As mentioned in the latest National Academy of Sciences study, "Intelligent design holds that the universe's order and complexity are so great that evolution cannot explain it". What better explanation could there be for today's software, especially the madness that is Windows?

Intelligent Design: The only rational explanation for software.

In Memoriam: Jim Anderson, computer security pioneer

2008-01-03T13:28:00.001-05:00

Many of us learned over the past few days that Jim ("J.P.") Anderson, one of the pioneers of computer security, passed away on November 17 2007. A tribute by Gene Spafford (Spaf) sums up a few of his many accomplishments.

It's in keeping with Jim's personality that even his closest friends only learned of his passing six weeks later (and others who were not his close friends, like me, a bit after that). Jim was an intensely private and self-effacing man. Several times my friend Dan Thomsen tried to convince Jim to write a paper about the impact of the seminal "Anderson Report" as one of the "classic papers" for ACSAC; Jim wouldn't hear of it.

Another time, Robin Roberts, a long-time friend of Jim's, organized a dinner in Jim's honor. When he found out he was the guest of honor, he refused to attend. The dinner went on without him, and several people shared memories of working with Jim.

Although I only knew him slightly, my personal experiences with Jim were similar to those described in Spaf's tribute. I recall a call out of the blue from a government agency inviting me to come in and talk about some research work I had done and how it could apply to their needs. I couldn't figure out how they had found me and why they considered my work so important until I showed up at the meeting. Jim was there - he head read or heard of my work, and saw the relevance to his client's needs. So he played the consummate matchmaker. The fact that my work built on Jim's foundation was obvious, but Jim's role was as a mentor to a (relatively) young researcher.

The computer security field has lost another one of its great innovators, and America has lost a selfless gentleman who worked behind the scenes to ensure that our government had the best advice available.

Maybe all we need for Internet voting is more certificates?

2008-01-03T12:28:00.000-05:00

I had lunch yesterday with a co-worker who previously worked at VeriSign. We were discussing Internet voting, and she asked "wouldn't using certificates just solve the problem?" I explained why the problem with Internet voting isn't really about protecting the network communications, but rather issues of anonymity, vulnerability of the central servers, etc. Certificates are a hammer useful for one type of nail (where you need encryption or signatures), but are useless against the more significant types of nails in voting systems: accidental or deliberate flaws in software, errors in ballot setups, insider or outsider attacks, etc.

But afterwards it made me think: how many voters out there have been drinking the Kool-Aid that if it's got a little lock in the corner of the browser window, then it must be secure? Maybe that should be the new marketing spin for the voting system vendors - display a padlock, and everyone will believe it's true!

As the issue of Internet voting keeps coming back year after year, we should expect more questions of this sort from well-meaning voters who don't understand the full spectrum of security issues.

How effective are directed attacks?

2008-01-02T18:12:00.000-05:00

I've read a lot of discussions about how there are regular attacks by various foreign governments, most typically attributed to the Chinese or North Koreans. At the ACSAC conference last month, Ron Ritchey from Booz Allen gave a fascinating talk about how they tracked down a series of targeted intrusions into major US defense contractors. I'm pretty surprised how much detail he was willing/able to give, especially since this was an unclassified setting. I'm even more surprised that he was able to share his slides, which are well worth reading.

Is this paranoia, or are these attacks for real?

My Year in Cities

2008-01-02T15:33:00.000-05:00

My friend Gunnar Petersen posted his list of cities visited in 2007. Seems like fun - mine is much longer this year than most, largely due to college visits with my son. The rules on this "contest" are somewhat vague - I included only places at least 100 miles from home, and didn't include towns/cities in close proximity. On the other hand, I did include places where I made a real visit, even if I didn't stay there overnight.

Bangalore, India
Belfast, Northern Ireland
Blacksburg, VA
Boston, MA
Charlottesville, VA *
Chennai, India
Chicago, IL *
Cork, Ireland
Darmstadt, Germany *
Dingle, Ireland
Dublin, Ireland
Frankfort, Kentucky *
Frankfurt, Germany *
Kildare, Ireland
Kilkenny, Ireland
Los Angeles, CA
Rochester, NY
Miami, FL
Oberlin, OH
Pittsburgh, PA *
Richmond, VA
San Francisco, CA
Sofia, Bulgaria
Worcester, MA

* means more than one trip

Happy New Year, everyone!

New Years Resolution: No More Research in New Clothes for a Naked Emperor

2007-12-26T13:08:00.000-05:00

This is the time of year when everyone makes new year’s resolutions. I’m proposing one for program chairs for security conferences: it’s time to “just say no” to yet another paper on how to control damage from buffer overflows and format string attacks. I’ve been attending security conferences for about 20 years, and for at least 10 of those there have been numerous papers about how buffer overflows and format string attacks happen, and how to stop them.

As examples, I offer the following from the recent ACSAC conference:

If you look at any recent security research conference (such as USENIX Security), you’ll similarly find papers on the subject.

We know how to solve problems like this - strongly typed languages like Java and C# are nearly completely effective at preventing these types of attacks. So why are we continuing to invest our scarce research funding in problems like this?

Could you imagine a medical conference where 10% of the presentations were on ways to prevent smokers from getting lung cancer? I’m sure there’s research in figuring out why non-smokers get lung cancer (as well as treatment for the cancers of both smokers and non-smokers), but let’s put our research where it can do some good!

So as my small step, my pledge for 2008 is to reject any papers submitted to me (as a paper reviewer for conferences and magazines) that could be solved by simply using a type-safe language.

A non-recount in Virginia

2007-12-20T15:50:00.000-05:00

A month ago I wrote about the very close race between Ken Cuccinelli and Janet Oleszek for the 37th Virginia Senate seat. Today, the Washington Post reports that Oleszek conceded after a recount. The recount widened Cuccinelli's lead from 92 to 101 voes out of about 37,000 cast.

What's truly sad is that the Post article didn't discuss the fact that real recounts are impossible in Virginia. The Verifiable Voting Coalition of Virginia is working with legislators to update state law to allow true recounts (as well as random audits at every election), so that when the last of the DREs are gone, today's sham recounts will be just a bad memory.

Phishing - or not?

2007-12-18T14:58:00.000-05:00

Like most people, I get a TON of spam and phishing messages. So I almost deleted this one without reading it - and then realized it's legitimate. This is a horrible example of a company training its customers to be susceptible to phishing attacks, as well as viruses, etc.

For your protection, the content of this message has been sent securely by Aetna using encryption technology. For more information about Aetna's use of encryption please visit this website http://www.aetna.com/aboutaetna/safeguard_data.htm.

Steps to open your secure message:
1. Please double click on the attachment labeled securedoc.html to begin the process of decrypting your message.
2. When you open the attachment you will see Aetna's secure envelope. This envelope contains your encrypted message. There are two ways of opening the envelope.

Preferred method:

By clicking the "open" button you will be offered the opportunity to download a small application (applet) that will enable you to open the message directly on your computer (c: drive). By choosing this option and selecting "always" any future messages that you receive from Aetna will be opened on your computer without further installation. This method may take a few extra minutes initially (depending on your machine and the speed of your connection to the internet), but overall will result in faster / more efficient message retrieval.

Alternate method:

If you cannot, or choose not to download the application click on the link labeled "here". This option will allow you to open the secure email without having to download anything to your computer, but may result in slower retrieval of your secure message.

Saving your message:
The securedoc.html that you clicked to begin the process actually retrieves a key from Aetna which is used to open (or decrypt) your message. The key will expire in 90 days. If you would like to save your message for later review, you should save a copy of the unencrypted message.
How you save email will vary depending on your email service. If you are unsure, please use the help function of your email service and look for topics like: saving, saving messages, storing messages.

If you experience any problems, please contact 1-800-237-7476, option 4 (Secure Email) during normal business hours; 8AM to 6PM E.S.T.

More details of Aetna's "secure" email system can be found here.

BTW, the reason they contacted me is I complained their customer web site doesn't work well with Firefox.

Aetna, you should be ashamed of yourself!

P.S. In case all that isn't enough, the "secure" email system doesn't actually encrypt the message - it just obfuscates it. I tried taking the HTML file and copying it to another system, and it opened and displayed the message immediately.

False positives on automated responses

2007-12-05T13:52:00.000-05:00

My previous post was about false positives by police, so it seems appropriate to talk about false positives in another context.

I was looking for a branch of Suntrust Bank (one of the major banks in the area where I live), and discovered that most of their site only works with Internet Explorer (not uncommon, but still frustrating). So I wrote a comment to their "contact us" site, saying that I was unhappy that it wouldn't work with Firefox, especially since Firefox is more secure than IE.

I'm guessing (hoping?!?!) that it's an automated system that provided this response:

Thank you for contacting SunTrust in regards to security of the web site.

We at SunTrust understand your concerns regarding the security of our services, and we appreciate the opportunity to address them.

SunTrust has taken strong measures to ensure that your information remains confidential. The first step is the use of a secure browser. Certain browsers and certain computers have the ability to communicate securely by scrambling the information as it passes across the Internet. The method of communication is called SSL, or Secure Socket Layer. We require the use of a secure browser before a connection can be made to SunTrust's online services. After you reach us using a secure browser, we take measures to make sure your information is kept secure and confidential.

Your information passes through a firewall, which is a device specifically designed to keep out unauthorized users. The information is also scrambled again to ensure that only authorized SunTrust representatives can read it. For security purposes, SunTrust requires you to enter two sets of numbers to gain access to our Online Services, a Customer Identification Number and a password. Your password should only be known by you.

Finally, communication with our representatives regarding your accounts may occur only after your identity has been thoroughly verified.

Wow, I feel better now.

"See something say something" false positives

2007-12-01T20:29:00.000-05:00

There are numerous programs for ordinary citizens to report suspicious sightings. Bruce Schneier (among many others) wrote about the problems in these sorts of programs, and how they're prone to get lots of false positives.

Here's one to add to the list: Orthodox (and some non-Orthodox) Jewish men (and a few women) wear Tefillin as part of daily morning prayers every day except Saturday. They are somewhat odd-looking to anyone who hasn't encountered them before. Seems that passengers on a commuter train in suburban Chicago didn't know what they were. They summoned the conductor, who asked the man what he was doing. He replied "I'm praying" and didn't want to be interrupted further. So the conductor stopped the train at the next station and called the police (who, for the record, were brighter than the conductor, and did not arrest the man - contrary to some reports). Apparently one of the concerns was that the straps of the tefillin were "wires" (which is amusing, considering that they are always made of leather).

The issue isn't whether the practice is strange - many religious rituals are strange to those not familiar with them - but whether the paranoia about terrorism has gotten so out of hand that people are unable to distinguish an unusual behavior from a threatening one. But that's really not really a question - it's more a sad reflection on our times.

An insider SCADA attack

2007-11-30T13:20:00.000-05:00

For all the talk of attacks on SCADA systems (for those not in-the-know, those are systems used to control things like power plants and water pipelines), there have been few publicly acknowledged actual attacks. Probably the most famous was in Australia last year where an attack on the systems controlling a water treatment plant caused raw sewage to be dumped onto the beach.

There was also an article and video recently talking about how one could use an attack on a SCADA system to blow up a generator. Not clear to me whether that was just theatre, but in any case it wasn't an actual attack.

But this is an interesting case - an employee of a California water authority attacked the system and diverted water. It's interesting not because of the level of damage or the ease of causing damage, but because it was an insider attack. Lots of systems, including control systems and voting systems assume that the insiders are trustworthy, and only worry about outsider attacks. Just as I wrote about insiders and voting when viewed through the lens of the Washington DC real estate scandal, perhaps we need to reconsider insider SCADA attacks, which were previously ignored.

Hats off to TSA

2007-11-26T08:25:00.000-05:00

I rarely (OK, never) have anything good to say about TSA. But today I'm turning over a new leaf.

I returned last night from spending the Thanksgiving weekend in Los Angeles. I flew west (Dulles to Los Angeles on Tuesday night) and east on Sunday morning. (My daughter also flew Cleveland to Los Angeles on Wednesday night and back on Sunday morning.) TSA had ample staffing, with short lines at security checkpoints.

Lest it sound like I've been totally won over, I'll point out that they still failed to notice liquids and gels in my hand-carried baggage. The whole thing is still a charade - but one they managed to do more efficiently than I would have dreamed.

Voting systems and real estate fraud

2007-11-23T13:17:00.000-05:00

The vast majority of election officials are honest, hardworking, underpaid public servants whose goal is to ensure that every eligible voter has the opportunity to vote, and that vote is counted accurately. So too, the vast majority of people who work in tax collection authorities are honest, hardworking public servants who want to ensure that everyone pays their fair share, according to the laws.

Over the past few weeks, a scandal has rocked Washington DC city government. It seems that a group of at least a dozen officials in the real estate tax office put through false paperwork to generate real estate tax refunds to non-existent companies, and stole at least $30M in taxpayer funds over a period of years.

When thinking of voting systems, one of the primary safeguards is multiple control - even if there is one corrupt official trying to sway (or steal) elections, their attempt will be unmasked by others. That's supposed to happen in tax systems too - but evidently it didn't.

The primary criteria used in the widely acclaimed Brennan Center report was the number of people who had to be involved to pull off a fraudulent election. Many of the attacks were infeasible because the numbers were too high. But perhaps in light of the DC tax scandal, we need to reconsider how big a conspiracy can go undetected within a government organization.

Many of the election officials I've talked to say that many types of attacks, such as replacing software with malicious software, or changing ballot layouts, just can't happen because trusted people do the work. Is that really good enough to trust our democracy?

How close is close enough?

2007-11-16T17:39:00.001-05:00

Last week's elections left (at least) two very close elections in Virginia, based on the unofficial counts. In Spotsylvania County, the Clerk of the Court race, the two leading contenders are separated by 63 votes, with 7,420 (38.46%) for Christy Jett vs. 7,357 (38.13%) for Paul Metzger out of a total of 19,295 votes cast. (Full details here.) In Fairfax County, out of 37,185 votes cast for the 37th State Senate seat, Ken Cuccinelli has 18,602 votes (50.02%) for a lead of 92 votes over Janet Oleszek (18,510 votes or 49.77%). (Full details here; Oleszek has announced she's seeking a recount.

What does this mean? Both Spotsylvania and Fairfax counties use paperless Direct Recording Electronic (DRE) voting systems, meaning that the only record of the votes is what's in memory cards on the voting machines. As has been amply demonstrated, there's lots of ways that these can be wrong, whether by accident or malicious intent.

Perhaps more critically, Virginia law is very clear on what can and can't be done in case of a recount. Section 24.2-802(D)(2) says "For direct recording electronic machines (DREs), the recount officials shall open the envelopes with the printouts and read the results from the printouts. If the printout is not clear, or on the request of the court, the recount officials shall rerun the printout from the machine or examine the counters as appropriate. [...] There shall be only one redetermination of the vote in each precinct." Section (H) notes "The recount proceeding shall be final and not subject to appeal."

Virginia is no stranger to close elections. In 2005, the Attorney General's race was decided by less than 0.02% (that's two hundredths of a percent, not two precent), and in 2006 the Senate race was decided by less than 0.4%.

Thus, there are no meaningful recounts possible in Virginia. All you can do is total up the tapes from the individual machines - but you can't go looking to see if there's an error in the software or the ballot programming. I'd love to have the opportunity to convince a judge that the law violates the constitutional right to have your vote counted, but I doubt I'll have that chance.

For those of us who believe the voting requires paper trails, our best allies are those who lose elections, regardless of their party. Those who win are much less likely to want to risk opening their election results to inspection.

Thanksgiving travel streamlined - not!

2007-11-16T16:41:00.000-05:00

I'm as pleased as anyone to hear that President Bush cares about my Thanksgiving travel headaches. It's wonderful that there will be extra space for flights in the sky, and extra airline staff in the airports to help out.

Now is someone going to make sure the TSA doesn't screw it all up? In my experience, the bottlenecks are frequently TSA incompetence and understaffing, not any of the other problems. If I can't get through security, it doesn't matter whether my flight is on time or not.

Keep your fingers crossed for me - I'm California-bound!

Judging the risk

2007-11-11T19:27:00.000-05:00

I spent the weekend visiting my daughter at Oberlin College - like all parents, I'm tremendously proud of my children, and find I enjoy spending time with her more than ever.

My return trip was a bit more exciting than usual. After takeoff, the landing gear wouldn't retract, and then the smoke detector in the bathroom went off. The flight attendant commented that the smoke detector had done that on the same plane two days ago, and they replaced parts to try to fix the problem, obviously unsuccessfully. The net result was an emergency landing back at Cleveland, chased down the runway by fire trucks and ambulances. (No one was hurt, and there was no emergency evacuation.)

Several people were unwilling to get back on the plane (which turned out not to matter, since they canceled the flight and rebooked everyone). But it made me wonder - is getting on a plane that's just had an emergency (but a normal landing) safer or riskier than getting on a randomly selected airplane? On the one hand, we know that in this case they had tried and failed to fix the problem several days earlier, which would tend to indicate that it's riskier. [Of course, the problem might be that it's not a failing smoke detector, but something really wrong.] The landing gear issue is different - they hadn't seen that problem before. On the other hand, that particular plane is probably being checked over more carefully than usual by both mechanics and pilots, which would tend to make it less risky.

I've read several articles and books on misperception of risk, but in a simple case like this I don't know how to answer the question. Are people being superstitious in avoiding a flight on a plane that they know had a problem, and instead selecting a plane about which they have no historical information?

Unrelated to the risk item, but while I'm writing, here's my obligatory swipe at TSA: as I went through security, I deliberately did not remove my plastic bag of toiletries from my suitcase, and it went right through without complaints. But the pilot just in front of me had his baggage sent through the scanner twice. As numerous people have pointed out, an insider attack (i.e., a pilot who wants to destroy his own plane in flight) can't be stopped, so there's no point checking their baggage for explosives they placed aboard. I asked him about his feelings on the value of TSA - he didn't want to directly criticize them, but said "I do what I'm told".

Strange failure modes for voter sign-in

2007-11-07T07:34:00.001-05:00

I spend a lot of time thinking about (and whining about) problems in electronic voting systems. But yesterday's Montgomery County (Maryland) election had a new twist to failures, not in the electronic voting system but in the system used by voters to check in at the polls. According to the Washington Post, "The state's list inadvertently marked as absentee the names of voters with a home address that begins with the number five. Election judges kept track of those who showed up to vote today in handwritten lists. And to ensure that voters only cast one ballot, election officials said they planned to compare the list to the names of those who actually cast absentee ballots."

This sounds like a movie-plot failure - it mishandles voters whose address begins with the number five?!?!?! It's hard for me to imagine what accidental software bug would cause that flaw!

Yet another bit of TSA stupidity

2007-10-31T21:51:00.000-04:00

Every red-blooded American, and especially those with a security bent, has pointed out that the Transportation Security Administration practices what can politely be called “security theatre”. So it was no surprise that I got this message from a friend (edited for clarity):

We bought some very dangerous water globes while on vacation in California, small water globes all in quart ziplock bags. We had purchased similar sized water globes in Disneyworld in Florida without incident. The TSA screeners inform us that they are "too large" and that we have to discard them or put them in checked luggage, now we've already checked everything but my backpack. My daughter doesn't want to part with the water globes either. I ask for a supervisor, 5 min later the screener comes back and said his supervisor said "I am right" meanwhile another screener comes over and says "they're OK". I added that I took similar globes thru Orlando. His answer "this ain't Orlando we do stuff different here". These dangerous items were all of 5" long and contained less liquid then a 3oz bottle of liquid. So I leave 2 kids past security, and go back to the check-in counter, wrap the heck out of the snowglobes, put them in my backpack and check it. Then go back thru security, JUST in time to make the plane. Meanwhile, they missed 2 of the 4 snowglobes that were in my daughter's carry on.

So what can we learn from this?

(1) There’s no uniformity of TSA rules. Heck, we knew that - before Richard Reid, the rules on taking off your shoes differed from airport to airport and day to day for no apparent reason.

(2) The screeners can’t find stuff more often than not. Hey, I rarely bother taking my toiletries out of my carry-on, and 9 times out of 10 they sail right through. Recent studies by DHS itself have shown huge percentages of false negatives (i.e., missing things in baggage they're supposed to find).

(3) Even if they find something, they can’t distinguish 3 ounces of liquid - it’s entirely subjective.

TSA - wasting your tax dollars in new and innovative ways every day.

Plagiarism and technology

2007-10-29T12:26:00.001-04:00

The following is something I wrote for RISKS forum that I thought others might be interested in. A recent discussion on the USACM (Public Policy Committee of the Association for Computing Machinery) mailing list triggered these thoughts.

It's obvious that the availability of so much information online makes plagiarism easier - it's impossible for a reader to know everything that could have been used without permission or attribution. On the flip side, things like Google make it easier to find suspected instances - as an example, when I'm reviewing an article for a journal or conference, I frequently put phrases in to Google that I suspect are stolen, and have on numerous instances found that they were in fact taken verbatim without attribution. [Hint to the plagiarist: if you're going to use someone else's words without attribution, make sure they fit with your writing style. This is particularly notable when choosing text written by someone with a different native language than your own - if your native language is English and you copy something written by a native Chinese speaker, it will be fairly obvious; the converse is also obviously true.]

For high school and college students, technology like TurnItIn is one way of finding plagiarism without teachers having to do extensive searching. Although I haven't personally seen the output, my understanding is that the student submits text which is automatically analyzed, and potential instances of plagiarism are noted in a message to the teacher. (If someone could provide a better explanation, I'd certainly appreciate it! I noticed that TurnItIn now put emphasis on improving students' writing style, perhaps as a way to give students a feeling that they're getting something out of the deal.)

There are several problems with products of this sort:

(1) False positives. When my daughter was in high school, she noted several times that TurnItIn considered her a plagiarist because it was unable to distinguish between properly quoted/referenced text, and unauthorized copying. Teachers who simply look at the overall "score" without reading the individual comments will tend to penalize those students who do the best job of citing background work! (I'm reasonably sure that TurnItIn is sufficiently cautious as not to deny that there are false positives, and to strongly encourage teachers and students to examine the results rather than simply believing them verbatim.)

(2) Copyright infringement. TurnItIn keeps copies of student papers in their database, for matching against future papers. This seems reasonable at first blush - after all, selling term papers is an old tradition, dating back well before the Web (although today's students may not believe that)! However, by keeping submissions for matching, TurnItIn may be violating copyright, as a recent lawsuit claims (see "McLean Students Sue Anti-Cheating Service", Washington Post, March 29 2007). Additionally, students have effectively no option to refuse adding their papers to the database, and are not compensated for their submissions.

So to bring this to RISKS, the issue is that we have competing risks: the risk of plagiarism being combated by TurnItIn and similar products vs. the risk of unfair accusations of plagiarism and copyright infringement - all of which is enabled by technology.

Plumbing leaks and voting machines

2007-10-24T10:24:00.000-04:00

I spent yesterday in Frankfort Kentucky testifying at the Legislature's Interim Task Force on Elections, Constitutional Amendments & Intergovernmental Affairs on voting machine certification procedures and the resulting security of the voting machines. My role was as technical advisor to the Kentucky Attorney General.

Much of the discussion centered on whether the Kentucky certification process (which I've previously written about) should be an "examination" (the term used in the Kentucky statute) or "testing" as the Secretary of State characterized my proposed improvements to the process. (Technically, the word "testing" is an inaccurate description, as I suggested both testing and analysis, but that's not really critical.)

My contention is that the Kentucky certification process is a superficial review, and not even an examination. The word "examination" isn't particularly precise, and after the hearing was over it occurred to me that when I see the doctor for an physical "examination", I expect him/her to do more than just glance over me - I expect him/her to ask about known problems, take vital signs, some basic lab work, a physical exam, etc., and to interpret the results to determine if additional testing is necessary. True, I don't expect a full body CAT scan to search for hidden problems, but even a basic exam is more than just asking the patient "any problems". So what currently happens in Kentucky isn't an examination, by my definition of the word.

I tend to explain things by analogy, and so am always interested when someone comes up with a new analogy I can use. So I was particularly pleased by the comment from Representative Kathy Stein, who noted that she built two houses in the past few years, both of which (naturally) had plumbing inspections ("examinations") as part of the construction process, resulting in certificates from the inspectors. In each case, after she moved in, the plumbing developed leaks due to insufficiently glued plumbing joints (i.e., inadequate testing). As she pointed out, at that point it doesn't matter whether the goal was examination or testing - the important point is to fix the leak.

So too it is with voting machines - while we can debate whether more testing or analysis should be done before approval, the important thing is that the problems get fixed promptly, before the drips of water cause the floorboard underneath to rot and fail.

The good news is that the co-chair of the committee, Representative Darryl Owens asked the Attorney General and Secretary of State to work with his committee on proposing legislation that will strengthen the certification process, as well as address other issues in voting systems used in the Commonwealth.

And now for something completely different

2007-10-19T09:59:00.001-04:00

My friend Conor Cahill wrote on his blog the other day about fighting with Sears to get his washing machine repaired, and the difficulties in getting adequate service. Then I came home and read a Washington Post story about Mona "The Hammer" Shaw, who decided to get the attention of Comcast for their lousy customer service (including not showing up when promised, showing up without necessary parts, etc). After here first visit (when she was left waiting for two hours to talk to a supervisor, and then told he had gone home for the day), she decided to get even. Her solution was to return to the Comcast office with a hammer, which she used to smash the keyboard, monitor, and telephone of the customer service rep.

As the Washington Post says, "Being a responsible newspaper, we must note that this is a misdemeanor, a crime, a completely inappropriate way of handling a business dispute." As a responsible blogger, I'd say the same thing. Right, uh-huh. Can I hire her to help with my customer service problems? Sears would be a good place to start, then maybe my health insurance company which routinely misprocesses claims.

Ms Shaw was sentenced to "a $345 fine in restitution and a year-long restraining order barring her from the Comcast office". Where can I contribute to paying her fine? If every American who felt the way Ms Shaw does about lousy customer service contributed a penny, we'd have that $345 paid in a moment!

Swiss armored cars and voting

2007-10-15T21:48:00.000-04:00

Gene Spafford has been widely quoted as saying "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench."

It seems that someone in Switzerland isn't satisfied with an armored car, and is now using an infantry division to deliver the votes from the voting machines to a central voting registry (see, for example, coverage in Computerworld and Network World).

There are three problems with what they've done:
(1) It's solving the wrong problem.
(2) It's solving the wrong problem.
(3) It's solving the wrong problem.

The first problem it's not solving are that the end-of-day vote tallies don't actually need to be protected from prying eyes - they're public information. So while they need to be digitally signed to prevent tampering, quantum cryptography isn't needed.

The second problem it's not solving is that existing cryptography (whether for protecting the data from prying eyes - confidentiality - or protecting against tampering - integrity) is more than adequate for voting data. As a friend of mine says, raising the tall pickets on a security fence doesn't make the fence stronger; the attacker goes over the lower pickets or goes around the end of the fence.

The third problem it's not solving is that the weak point in modern voting systems isn't cryptography - it's bugs, whether accidental or intentional. A system that uses cryptography such as is being used in Switzerland can be attacked just as easily as one without cryptography. And in fact, there are advantages to the attacker - as there's no way to eavesdrop on the quantum cryptography, it's impossible to build systems that detect and stop attacks.

A great publicity stunt for the fans of quantum cryptography. As David Wagner from UC Berkeley says, quantum cryptography is “a way to hoodwink companies with too much money into paying $50k or $100k for a box that doesn't solve a problem they don't have.”

How old are election poll workers?

2007-10-13T16:32:00.000-04:00

I spent a pleasant day with my son on Friday at Illinois Institute of Technology, where I gave a guest lecture on electronic voting. One of the questions I always ask students is about whether poll workers would be able to notice someone trying to manipulate voting machines - as physical security of most of the machines is critical to the overall system security.

Poll workers are extremely dedicated individuals, frequently working 16 hours on election day for $100 - less than minimum wage. They do it out of dedication to our democracy, and I admire them. As my friend Ivy Main noted in a recent editorial in the Fairfax Times, the average age of a poll worker in the United States is 72, according the to US Election Assistance Commission.

In my talk at IIT, I asked the students how old the average poll worker is in their home precinct. One of the students responded "35 to 40" and another said "50", both of which shocked me. As I pointed out to the students, for every 40 year old, there must be a 100 year old out there, to keep the average at 70. [Of course, a dozen or so 75 year olds would also be enough to offset a 40 year old.]

Regardless of how many younger poll workers it takes, one of the issues, is that older poll workers are on average less technically savvy than younger ones, and certainly less technically savvy than someone who intends to use technology to attack the voting system.

I'm hoping to do my part - while I'm still above the 35-40 that the student mentioned, I can help reduce the average, and expect to starting in the spring. And I hope I'm still energetic enough at 72 to work as hard as the average poll worker!

What's dangerous on an airplane?

2007-10-13T16:25:00.000-04:00

TSA regularly changes the rules on what you're allowed to bring on planes. Like many, I find the rules bizarre and generally a waste of everyone's time.

On a recent trip to Chicago with my family, we realized after we arrived that we had several liquids/gels in our carry-on bags that weren't in the "one quart clear resealable bags" that are the pride and joy of airport screeners everywhere. But we didn't get stopped about them. So much for the scanning process.

More interestingly, the woman sitting behind me was carrying on a sports trophy - it was quite attractive, made of cast bronze. I'd guess it was 18 inches tall, and from the way she was holding it, probably weighed about 10 pounds. Lots of sharp edges all over that would make it a good weapon. You surely wouldn't be allowed to carry on a knife or scissors with an 18 inch blade.

As has been routinely pointed out, now that cockpit doors are armored, the danger from knives and scissors has been dramatically reduced, so the bronze figure was surely no danger. But we're still limited to 3 inch blades on scissors.

Maybe someday TSA will think about their regulations from a consumer perspective, instead of their current knee-jerk reactions to threats, which ignore the big picture. But I'm not holding my breath.

A different aspect of election security

2007-10-10T13:36:00.000-04:00

An interesting new report was released yesterday on a different aspect of elections security. Unlike the area I’ve been working (security of the voting systems), this report focuses on what an attacker could do to influence voters prior to their going to the polls, including creating web sites with confusingly similar names to the official site, sending messages that appear to come from the legitimate candidate site (but don’t), creating fake (but realistic-looking) sites to collect donations, etc.

Nothing really new in the report, but points out how reliant we’ve become on the Internet as a source of information about elections.

Perhaps the most important thing to me is the implications of such a report to Internet voting. Yes, that’s a topic that just won’t go away. Would voters click on a link that says “click here to vote for Jane Doe”? If they do, are they actually voting for Jane Doe or her competitor? And there’s obviously motivation, although hopefully not by legitimate candidates, to create malware (keystroke loggers, or even software that modifies your traffic) to cause unsuspecting voters to cast votes in ways they don’t intend.

Worth a read.

Is "Man of the Year" farfetched?

2007-10-10T09:26:00.001-04:00

I recently got an email from my sister about the movie "Man of the Year" with Robin Williams. She asked whether the attack described in the movie could really happen. The premise of the movie is that a voting machine company throws the election through deliberate manipulation of the voting results. The details are incredibly unrealistic to anyone who understands technology (hint: programs aren't written based on the number of double letters in a name), but it all hinges on the notion that there's a single nation-wide provider of electronic voting machines that are controlled from a single site.

In some countries that's not entirely farfetched - for example, The Netherlands until very recently was using a single model of machines nationwide, and I think they had a central data gathering site. But in the US, an attack of this sort would be much more complicated. First of all, each of the 50 states (and other entities such as the District of Columbia and territories) have their own procurement, and don't buy equipment from the same vendors. Second, in many states, each locality (county and/or city) does their own programming of the voting machines and tallies the results themselves. So there is no central control point.

Or could there be? Some anti-DRE activists have been explicit that their goal is to put the DRE vendors out of business - most notably Diebold (now known as Premier Election Systems), but also Hart Intercivic, Sequoia, Election Sytems and Software, Advanced Voting Solutions, and others. What would happen if they are (mostly) successful? We might well end up with a single vendor of all voting systems, and then the obvious optimization is to have central operation of elections. This would save money and increase professionalism. But it could also open the door to exactly the type of problem discussed in the movie.

I don't think it's likely, but in the back of my mind I worry about pushing too hard to fix the problems, lest we make it impossible for anyone to meet our needs and drive the vendors out of business.

The moral of the story: be careful of what you wish for - you may get it. And in this case, what you get may be the movie plot coming true.

To every feature there is a counter-feature

2007-10-09T15:34:00.000-04:00

GM announced today that they're adding a new feature to OnStar, which will allow an operator to remotely disable a stolen car. Sounds reasonable - they say it will gradually slow it down, to prevent high speed police chases. See coverage on CNN Money, ABC News, and many others.

How long will it take before some less than ethical person hacks into the OnStar system and starts remotely disabling cars? There's already something of a motivation, in that OnStar can unlock the car doors remotely, which would be useful to thieves.

One of the more benign things that could be done with this type of attack is a denial of service. Say an attacker disables all OnStar equipped cars on a major highway at rush hour. That would create quite a mess, even if there are no accidents. If it happened repeatedly, could have quite an impact on the economy.

And since there's been talk recently of Chinese (and other) foreign governments attacking the US infrastructure, here's a new way they could do it - it's probably minimally defended, and the legal and internal relations aspects are a lot less serious than, say, cyberattacking a power plant.

Thanks GM - appreciate your increasing the opportunities for hackers!

Everything but real security

2007-10-04T12:17:00.000-04:00

I recently visited a government building where they had me remove my change, keys, belt, cell phone, and watch, and then walk through a metal detector. So far, so good. But they didn't have an X-Ray machine, so they just let me carry my backpack around the outside of the detector.

My backpack measures 15" wide x 9" deep x 18" tall, and is crammed with all the usual stuff a geek carries - laptop, MP3 player, GPS, various power adapters & chargers, etc. No one looked inside, or even asked me what I was carrying.

So what value was added by the X-Ray machine? Feel good security!

Kentucky Attorney General releases expert report

2007-10-03T10:17:00.000-04:00

I spent some time over the past few weeks looking at Kentucky's certification process for electronic voting systems as a consultant to the Kentucky Attorney General. (In Kentucky, as in most states, there's a multi-tiered approval process before a voting system can be used - first it has to get Federal approval, then the state approves it, then individual jurisdictions, such as counties, actually purchase the equipment.)

The Attorney General put out a press release and my report yesterday. I'm very pleased that the AG adopted many of my recommendations in his press release and letter to the Secretary of State.

Now comes the hard work - turning the recommendations into action!

Is jam a liquid?

2007-10-03T10:09:00.000-04:00

I spent August in Europe, mostly on vacation in Ireland, where (among other things) I bought a jar of grapefruit marmalade at a farmers market. I wish I could tell you how good it is - but I can't.

After vacation in Ireland, I headed to Germany and then Bulgaria on business. As I was clearing security in Frankfurt Germany, I learned that they consider jam to be a liquid (or perhaps a gel), and impounded it. I didn't bother to argue - that's a pointless exercise, since they have no motivation to act rationally in the Germany any more than in the US.

Wikipedia defines a liquid as "a fluid that can freely form a distinct surface at the boundaries of its bulk material, which doesn't seem to include jam". The US TSA (which obviously has limited influence over German security) talks about the 3 ounce rules, but never defines (at least that I can find) what a liquid or gel is.

So next time, I guess I'll have to check my baggage - at least until they prohibit jam in checked baggage.

So what about WabiSabiLabi?

2007-07-16T11:40:00.001-04:00

I've been meaning to use this blog on a regular basis, but never seem to get around to it. So instead of waiting for the new year and a New Year's resolution, I'm resolving to do it today.

WabiSabiLabi has been getting a huge amount of press, including mainstream press like Forbes and The Washington Post.

Most of the coverage has been pretty negative, about how this may encourage black hats to find problems and sell them to the bad guys (where the definition of "bad guys" is dependent on where you stand, but frequently includes foreign governments). I think these criticisms are all valid, but there's also one positive aspect: they make ROI (Return on Investment) real.

For many years, security people have had a hard time justifying why anyone should spend money on security. It's the "fear" and "insurance" arguments - "if you don't invest in security now, your site might get hacked". But we've never been able to justify how much to spend - it's never possible to solve all the problems, but how much is enough? What WabiSabiLabi offers is a free market in figuring out how much is enough.

If I'm a software vendor, and a vulnerability in my product shows up in WabiSabiLabi, I have a few choices:

Buy it myself (and presumably fix it for my customers)
Wait for someone else to buy it, and hope they don't use it to attack my customers
Hope no one buys it

If the result is the first, I know how much I have to spend to keep the vulnerability out of a competitor's hands. If it's the second, I know how much a vulnerability in my product is worth to a bad guy (or a competitor), and that gives an indication of how much I might want to invest to prevent it from happening again. If it's the third, I know that no one is willing to pay enough to satisfy the bug finder, so perhaps addition security spending isn't needed.

Obviously, one data point isn't enough to come to any conclusions, but if they get substantially more than the four bugs currently up for sale, we might be able to draw some conclusions about the dollar (or euro or ...) value of security.

How much is enough crypto?

2005-12-07T13:53:00.000-05:00

Twice in the past two weeks I've had requests for too much crypto from very large companies. What's "too much"? In one case, the customer complained that my product wouldn't support RSA keys larger than 4096 bits (in particular, they wanted 6144 bit keys). In the other, the customer is demanding 256 bit symmetric keys for SSL (i.e., AES). This is too much because the strength of the crypto (at 4096 bit RSA keys and 128 bit RC4/3DES) is almost certainly greater than the software that's using the crypto. That is, an attacker will find and exploit a vulnerability in the non-crypto software long before they'll be able to crack the crypto.

We need to better educate the non-experts that when it comes to crypto, more is not the same as better.

What both cases have in common is that the customers aren't asking for these to satisfy their own requirements, but rather because they want to exchange business information with other companies that demand the extra-strong crypto. In some cases, businesses pushing other businesses can be a good thing - if Amazon refused to do business with anyone who didn't train their programmers in the OWASP Top 10 (for example), it would quickly improve the security of many web sites. But in this case, it's inflicting pain on the businesses, and the software vendors who supply them, for no particularly good reason.

There's also a lesson learned for those who would like to see regulation or legislation for improved security - be careful of what you wish for! I wouldn't want to see silly rules getting encoded, especially to the detriment of meaningful methods of improving security.

Why ABQORDIA?

2005-11-07T15:55:00.000-05:00

Well, why not? A few years ago, when we were designing our house, I looked at a lot of custom houses. Some had clever signs - "Trail's End" or whatever to welcome visitors. And I thought it was a neat idea to name your house, but I wanted something that related to me, and also had a technology sound to it. So in the shower one morning, the name "abqordia" came to me.

My wife thought it sounded to weird to put a sign out front that said ABQORDIA, so I started looking for other ways to use the name. The SSID on my home wireless network is ABQORDIA. So when I decided to start a blog, ABQORDIA seemed like the right choice.

The ABQ (as very frequent travellers will know) is the airport code for Albuquerque NM, where I spent most of my growing-up years. (Although I've now lived in Virginia for far more years than in Albuquerque.) The ORD (as many American travellers will know) is the airport code for Chicago O'Hare, where my wife grew up. For you trivia buffs, the ORD is for Orchard Field in Skokie, where the original airport was located. It's now the Old Orchard mall.

And the "IA"? No, nothing to do with Iowa. Just something to give it a high tech sound.

Say it out loud - ab-cord-e-ah! Makes you want to invest in the company, huh?

ABQORDIA - Thoughts on security and society

The WinVote video

Cloud Computing - all that's old is new again

Election Day 2009 - report from the trenches

Metric to English measurements - no more precision

A little knowledge is a dangerous thing

Too much information (for too little value)

How to guarantee bad passwords (part 2)

Disaster recovery

How to guarantee bad passwords

Social Security card requirements

Election corruption in Kentucky

Fairfax County elections in the news again

Micro-economics - is the economy really *that* bad?

Hiding from Google

When is a safety deposit box not a safety deposit box?

2004 & 2008 - Four Years and A Million Miles

A good idea, badly done

Getting a proper recount in Virginia's 5th CD

Old and new in central Ohio

Verifiable Voting legislative priorities for 2009

An interesting undecided race - Virginia's 5th Congressional

My first day as a pollworker

Push or pull for prescription security?

A real-life Zelig

Proud papa

Official pollworker training

DC Council releases their findings

The DC voting mess continues

No meaningful audits or recounts in Virginia this year

Me and my buddy Sarah

Credit bureaus, credit reports

And now for something completely different

Cheat a cash register, cheat a voting machine?

Signed code isn't always enough

When is speeding better than voting?

When is swimming better than voting?

Nationwide biometric databases - a good idea? Not!

Absurd patents

The Google privacy dossier

Putting the brakes on software rollout

The greatest public speaker in decades?

How many laptops are lost - lies, damn lies, and statistics

Free & open source security testing tools

New attacks, and taking risk measurement personally

How much is an Easter Egg worth?

A wake-up call to banks on application security

A new favorite quote

How did Citbank lose customers' money?

Can TSA employees spot irony?

The Societe Generale report

How long between switching jobs?

On the Internet, no one knows you're a (dyslexic dead) dog

Nabatean security

Are data breach laws good policy?

Brookings seminar on "Voting Technology: The Not-So-Simple Act of Casting a Ballot"

How did those classified emails get out?

Management understanding staff concerns

Teaching users to be phishing victims

Pew report on the status of paper in voting systems

The people be damned

Really bad error message

United really doesn't want to hear from you

Al Qaeda encryption

Good bills, bad bills on voting in Virginia

RealID will cause riots

Photo IDs and voting

Intelligent Software Design

In Memoriam: Jim Anderson, computer security pioneer

Maybe all we need for Internet voting is more certificates?

How effective are directed attacks?

My Year in Cities

New Years Resolution: No More Research in New Clothes for a Naked Emperor

A non-recount in Virginia

Phishing - or not?

False positives on automated responses

"See something say something" false positives

An insider SCADA attack

Hats off to TSA

Voting systems and real estate fraud

Micro-economics - is the economy really that bad?