Archive for October, 2006

Two things really distress me this year about the runup to the general election: first, the degree of dismally gratuitous mudslinging among the candidates, and second, the corporate steamroller toward electronic voting machines lead by Diebold, Inc. They boast that “over 130,000 Diebold electronic voting stations are in use” around the country, and boy, what a distressing thought that is.

But it’s not just Diebold, who after all make excellent ATMs, but Diebold is the leader and they have the most well-oiled sales force and the most flawed machine, so they are going to get the brunt of my criticisms. But don’t miss the larger point: I think electronic voting is a very poor idea that opens us up to the specter of rigged elections and, almost as bad, of a public loss of confidence in the accuracy and impartiality of our election process. We in danger of sacrificing this so that a corporation can sell lots of machines. I personally don’t think this is a good trade. And I say this as a lifelong promoter of new technologies in business: this technology really sucks.

Princeton University’s Computer Science Department has issued an excellent critique of the Diebold AccuVote-TS voting machine. What the report says is that the machine can be readily compromised physically or via its software to promote vote-stealing and denial-of-service attacks. The review team was able to write several kinds of undetectable code that injected itself into the AccuVote’s software that could carry out any kind of vote manipulation scheme you would like. Furthermore, the machine is so physically insecure that its keyed lock was able to be picked reliably in under 10 seconds by team members. Finally, frosting on the cake, the system software is Windows CE, a terrible choice for a “hardened” operating system.

The Princeton report regards the machines and their software so fundamentally flawed as to require a complete redesign of the whole works, hardware and software.

Of course Diebold on their website publishes a heated and self-righteous “refutation” of the Princeton study, saying “the system was old, we don’t do it that way any more, screws were removed to get inside the machine, a virus was introduced into the machine that is never connected to a network, etc.” PS, guys, viruses are not just network-vectored problems! If this is an example of your security knowledge, well, the product shows it. At the end of their press release, they say, in effect, “well, you just need to have proper procedures at the polling places and that’ll make it secure.”

But all that aside, here’s the fundamental problem with the AccuVote: its all proprietary. And if it’s proprietary, it can’t be demonstrated to be secure. There’s no peer review, no best minds seeking to crack it, no rounds of improvement. It’s called “security by obscurity” and it doesn’t work. The pros — the guys at NSA and the big cryptography companies — publish everything they do, code and all, for the best cryptanalysts in the world to chew on, and when they break it, the algorithm gets improved. Over and over, until it can’t be broken. Then, its secure. Diebold, on the other hand, tries to hide it all behind a veil of “proprietary,” and then cries “foul!” when somebody gets their hands on a machine and starts reverse-engineering the code and breaking it. Hey, you’re not supposed to have access to one!

Come on, who do you think you will be be facing when somebody goes to rig a national election, a bunch of old ladies in Blue Earth County?

Maybe they do think think that. And, there’s the heart of the problem!


Read Full Post »

Free Lynndie England

I will start out saying that I can’t believe that our US Congress approved a bill that makes it (retroactively) legal to torture people we decide need torturing, but they did. I can’t believe I fought to preserve the right of these people to do such a thing, everyone who voted for this bill ought to be turned out in the next election based on this action alone.

Well, now that we’ve given the President, Vice-President, and the Secretary of Defense the authority to let loose their goons on our behalf ala the Inquisition, I just have one question: since prisoner maltreatment is now the Law of the Land, will this get-out-of-jail-free card extend to the last batch of our torturers who were convicted of it? Surely so!

Specifically, I would raise the situation of PFC Lynndie England, poster-girl of Abu Ghraib Prison, Miss Prisoner-on-a-leash of 2005. Does she get to go free? If not, why not? I mean, she was a little ahead of the curve on this one, but now that it’s retroactively OK, why is she still in the slammer?

Now you may say that she’s a disgrace to the unform and her actions made our task there ever so much more difficult, and of course you are right. But it’s OK now; why do only the higher-ups get the pass? Have mercy, now; she’s really just a poor dimwitted girl who should never have been let into the Army. Her recruiter must have been desperate beyond words to take her.

Reality is, the whole chain of command starting at the Commander in Chief created the trap that she sprung — sent out inadequately-trained troops with incapable officers who exerted no control over their troops, with vague instructions hoping that people like Lynndie would be tempted to take out their fears and frustrations on the prisoners under their control. And if they did, so much the better; if they got caught (as they were), well, so what? They’re nobodies, sacrifice them, let them rot.

I really do feel sorry for her — I don’t excuse her morally one bit, but now it’s legal to do this stuff, why should she (and a few other equally-guilty peons) be the only ones to suffer? Yes, she’s a disgrace, but now so are we.

Read Full Post »

Once again the Federal government, and once again the Commerce Department, have demonstrated how incapable they are of securing themselves against foreign penetration through Internet connections. In an article today (October 6th), the Washington Post reports:

“The attack targeted the computers of the Bureau of Industry and Security, which is responsible for controlling U.S. exports of commodities, software and technology having both commercial and military uses. The bureau has stepped up its activity in regulating trade with China in recent years as the United States increased its exports of such dual-use items to the growing Chinese market.

“This marked the second time in recent months that U.S. officials confirmed that a major attack traced to China had succeeded in penetrating government computers. “

To cap it off, to show how little the people running our Federal networks understand about computers and cyber attacks, the article contains the following statement:

“Commerce officials have also decided they cannot salvage the workstations that employees had been using and instead will build an entirely new system for the bureau in the coming months with “clean hardware and clean software,” the senior official said. Foulon told employees in late August that they hoped to replace all the bureau’s workstations within three months.”

This is of course ridiculous, the hardware isn’t damaged by rootkits or viruses, but I suppose if you know nothing about it, throwing the stuff out and getting new does make some limited sense. But how long until the new ones are penetrated?

It would be so nice to see someone in the Commerce Department hung out to dry for this, it would be nice to see a Congressional investigation into who is responsible, and it would be nice to have some discussions with the Chinese about this, but given the pace of Federal data losses and network penetrations, Congress would be busy for the next few years doing nothing but hearings on the current backlogs.

This is worse than pathetic.

Read Full Post »