Friday, September 21, 2007

More on eVoting (DRE Machines)

I just finished reading a document written by one Daniel Castro at ITIF (http://www.innovationpolicy.org/), a think-tank. When you hear the phrase "think-tank", two questions should spring to mind before you can trust whatever the organization has put out:
a. Who's behind it?
b. What's their agenda?

In this case, ITIF seems to be very industry-friendly sometimes (http://www.itif.org/index.php?id=76) and somewhat neutral or even unfavorable at other times (http://www.itif.org/index.php?id=56).

Read through the website to get a flavor of what they do and what they're about. It does appear they are non-partisan to some extent, but it's going to be hard to guess without knowing who funds them.

This particular post deals with a 'paper' written by Daniel Castro about the use of paper audits during voting (on DRE machines, or Direct Recording Electronic machines). Curiously, he seems very much against it.

A good section of the document deals with the problems of paper ballots (when he should be discussing problems with paper audits). The document lists a couple of DRE concepts that could be applied for audit purposes, but somehow seems dead set against a paper printout.

One argument is that it'd be less secure. In my opinion, NOT having a receipt would be totally insecure. Would you like to do without your bank statement? Would you like to blindly deposit and spend money not knowing what's going on? I thought so.

Much the same way, a voter MUST know if his vote was recorded (he may not know if it was tallied, but the document has a section that deals with it quite well) and he must be able to store that receipt for reference.

The author also seems against disclosure of source code, arguing (disingenuously) that not only the system's code but also any third-party software code as well as OS code would have to be distributed. I've read many issues relating to Diebold's source code for one of their systems (http://avirubin.com/vote/analysis/index.html) so the author's argument is dangerous in that sense.

Some redeeming features of the article:
a. It does seek some sort of auditing
b. It proposes interesting new concepts to deal with eVoting issues (mainly tallying and verification)
c. It advocates a favorable outlook to companies that disclose their source code

However, the way the paper tackles (condescendingly) those that are FOR a paper audit is childish, amateurish, and completely runs against what the tone of such a paper should be (at least a little scholarly, IMHO).

Overall, I'd simply ignore this document (See this: http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070920005900&newsLang=en) -- especially because of this (extract from the above link):

About the Election Technology Council (www.electiontech.org)
The Election Technology Council (ETC) consists of companies that offer voting system technology hardware products, software and services to support the electoral process. The ETC represents manufacturers of the voting equipment used by over 90% of the population in the United States. These companies have organized as an industry trade association to work together to address common issues facing the industry. Membership in the ETC is open to any company in the election systems marketplace. Current members of the Election Technology Council include Election Systems & Software, Hart InterCivic, Premier Election Solutions and Sequoia Voting Systems.

Also, see my post here:
http://threeheadeddog.blogspot.com/2007/07/review-of-electronic-voting-systems.html

My view is this: People DESERVE to
  • have a record of whom they voted for (verification/validation of vote)
  • know their vote counted (verification/validation of local tally)
  • feel satisfied that the total vote count reflects their decision/will with 100% accuracy (verification/validation of overall tally)

You can ensure the first by giving a paper copy of their vote (it can be, and should be, anonymized: no tracking or identifiable information).

You can ensure the second by having a release of the total count from each machine for each county (along with audit verification by a third party - not the govt, not the officers of the electoral system, not a private company; how about the UN? :-)).

You can ensure the third by repeating the above for the entire system (here the author introduces the usefulness of homomorphic cryptography - a good idea, I think, with the use of, ironically enough, paper).
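To make the three levels of verification concrete, here is an added example (my own illustration, not anything from Castro's paper or from any vendor) of the reconciliation a third-party auditor would run: the hand count of retained paper records against the machine's own tally, each county's machines against the county's published total, and the county totals against the statewide figure. All tallies, machine names and counties below are constructed; note that the statewide figure has been built to agree with the county figures, so a check of the top level alone would pass even though two lower-level discrepancies exist.

```python
"""Three-level tally reconciliation: paper record vs machine, machines vs county,
counties vs statewide total. All data below is constructed for illustration."""
from collections import Counter

# Constructed: per-machine tallies reported by each DRE, grouped by county.
MACHINE_TALLIES = {
    "County A": {
        "A-01": {"Alice": 120, "Bob": 80},
        "A-02": {"Alice": 95, "Bob": 105},
    },
    "County B": {
        "B-01": {"Alice": 200, "Bob": 150},
    },
}

# Constructed: totals each county published.
COUNTY_PUBLISHED = {
    "County A": {"Alice": 215, "Bob": 185},
    "County B": {"Alice": 200, "Bob": 151},  # one vote more than the machine reported
}

# Constructed: statewide total published. It agrees with the county figures,
# so a top-level check alone passes while a lower-level discrepancy exists.
STATE_PUBLISHED = {"Alice": 415, "Bob": 336}

# Constructed: hand count of the retained paper records from one machine.
PAPER_HAND_COUNT = {("County A", "A-02"): {"Alice": 95, "Bob": 104}}


def sum_tallies(tallies):
    """Add up a sequence of {candidate: votes} dicts."""
    total = Counter()
    for t in tallies:
        total.update(t)
    return dict(total)


def diff_tallies(label, expected, reported):
    """Return one finding string per candidate whose counts disagree."""
    findings = []
    for cand in sorted(set(expected) | set(reported)):
        e, r = expected.get(cand, 0), reported.get(cand, 0)
        if e != r:
            findings.append(f"{label}: {cand} expected {e}, reported {r}")
    return findings


def check_paper_records(machine_tallies, paper_counts):
    """Level 1: the hand count of paper records must match the machine's own tally."""
    findings = []
    for (county, machine), paper in paper_counts.items():
        reported = machine_tallies[county][machine]
        findings += diff_tallies(f"paper vs machine {machine}", paper, reported)
    return findings


def check_counties(machine_tallies, county_published):
    """Level 2: machines in a county must sum to the county's published total."""
    findings = []
    for county, machines in machine_tallies.items():
        expected = sum_tallies(machines.values())
        findings += diff_tallies(f"county {county}", expected, county_published[county])
    return findings


def check_state(county_published, state_published):
    """Level 3: county totals must sum to the statewide total."""
    expected = sum_tallies(county_published.values())
    return diff_tallies("statewide", expected, state_published)


def audit(machine_tallies, county_published, state_published, paper_counts):
    """Run all three levels and return every discrepancy found."""
    return (check_paper_records(machine_tallies, paper_counts)
            + check_counties(machine_tallies, county_published)
            + check_state(county_published, state_published))


if __name__ == "__main__":
    for finding in audit(MACHINE_TALLIES, COUNTY_PUBLISHED, STATE_PUBLISHED, PAPER_HAND_COUNT):
        print(finding)
```

On the constructed data the script reports two findings (the paper count for machine A-02 and the County B total) and nothing at the statewide level, which is exactly why the per-machine figures have to be published rather than only the final count.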

In conclusion, I wouldn't listen to any such so-called "think-tanks" or "policy centers" -- especially those that start with "Americans for" or have the words "Institute" or "Center" in them.
I'd listen to the people.

Start by asking sane questions, and you will get surprisingly clear, smart, and highly implementable suggestions.
  • What are you comfortable with using?
  • Do you trust this voting system? What if we can show independent proof of how this works?
  • Do you have any better ideas?
  • How would YOU do it?
  • What problems do you face with DRE machines or mechanical systems?
  • What can we do to make sure we earn your trust in accepting the outcome of an election?
Grassroots organizations can help, too.
  • Initiate focus groups to determine how to make the system simple, easy, and trustworthy
  • Get communities involved (especially in depressed localities) in advocating the need for participation in the effort -- and to enhance turnout for the big event
  • Initiate training and education throughout the nation (will help in removing doubts, suspicions and misconceptions; with the added bonus that you may get some excellent user-centered design ideas)
And a non-partisan election commission should:
  • Make sure all machines pass a complete software (source code) test by a third-party validation agency (staffed by non-partisan scientists and researchers)
  • Perform all manner of intrusion and hacking (physical, electronic, electrical, remote) to gauge the security of the product
  • Assess all existing vulnerabilities and assign strict deadlines to fix the issues, then perform 100% regression testing
  • MAKE ALL RESULTS PUBLIC - the process should be totally transparent and auditable/verifiable by any interested parties

Be safe!

Monday, September 17, 2007

VMWare Security

http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1257101_idx1,00.html

In a pretty detailed article, the author discusses various aspects relating to VMWare security. According to the article it's possible for malware to jump between VM instances and therefore the 'isolation' that's promised between the individual instances may not hold all the time.

Further, it's also possible for malware and other such nasty attack-kits to exist at the actual OS level - below the VM level. In that case the isolation would not matter. With a well-crafted attack it should also be possible for the VM instances to break their boundaries and jump to - and infect - other instances too.

Apart from this, the sheer complexity of the setup makes admins less prone to changing security settings other than what the default configuration looks like. I can't say that's a bad argument - with new technologies it's always going to be difficult to manipulate things until they become more popular - more mainstream. Until such time people are going to be quite uncomfortable changing settings on production (mission-critical) systems.

There's also an interesting discussion on group policies and how they can be rendered ineffective by simply bringing on a new VM on the network - making the group policies (that can make it difficult or impossible to start new VMs or modify existing VMs on a given host OS) quite irrelevant.
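Since host-side policy does nothing about a VM that simply shows up on the wire, the cheap complement is to look for it from the network side. The following is an added example of my own (not code from the article or from VMware): it parses `arp -a`-style output, and flags any address whose OUI belongs to VMware but which is not in the inventory of approved VMs. The ARP lines and the approved-MAC list are constructed; the three OUIs are the ones VMware is known to use for its virtual adapters.

```python
"""Spot VMs that appeared on the network without going through the host-side
policy (constructed example). Parses `arp -a`-style lines and flags MAC addresses
whose OUI belongs to VMware and that are not in the approved VM inventory."""
import re

# Well-known VMware OUIs: 00:50:56 (vCenter/manually assigned), 00:0C:29
# (auto-generated by ESX/Workstation), 00:05:69 (older releases).
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69"}

# Constructed inventory: MACs of the VMs the virtualization team knows about.
APPROVED_VM_MACS = {"00:0c:29:aa:bb:01", "00:50:56:10:20:30"}

# Constructed `arp -a` output (Linux format) from a monitoring host on the segment.
ARP_OUTPUT = """\
? (10.0.1.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
fileserver (10.0.1.20) at 00:0c:29:aa:bb:01 [ether] on eth0
? (10.0.1.77) at 00:0c:29:de:ad:01 [ether] on eth0
build01 (10.0.1.31) at 00:50:56:10:20:30 [ether] on eth0
? (10.0.1.78) at 00:0C:29:DE:AD:02 [ether] on eth0
? (10.0.1.90) at <incomplete> on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp(text):
    """Yield (ip, mac) for every resolved entry; incomplete entries are skipped."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def oui(mac):
    """First three octets of a colon-separated MAC, lower-case."""
    return mac.lower()[:8]


def find_unapproved_vms(arp_text, approved_macs, vmware_ouis=VMWARE_OUIS):
    """Return [(ip, mac)] for VMware-OUI hosts that are absent from the inventory."""
    approved = {m.lower() for m in approved_macs}
    return [(ip, mac) for ip, mac in parse_arp(arp_text)
            if oui(mac) in vmware_ouis and mac not in approved]


if __name__ == "__main__":
    for ip, mac in find_unapproved_vms(ARP_OUTPUT, APPROVED_VM_MACS):
        print(f"unapproved VM candidate: {ip} {mac}")
```

Treat this as an indicator rather than a control: a VM whose adapter was given a non-VMware MAC will not match, so the check tells you about VMs brought up carelessly, which in practice is most of them, and the same inventory comparison can be fed from DHCP lease files or switch CAM tables instead of ARP.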

The article is definitely worth a read.

Be safe!

Monday, September 10, 2007

Further Misadventures in Hacking

It gets curiouser and curiouser: New Zealand is the latest country to report that 'foreign' governments have been trying to hack into/infiltrate/penetrate their intelligence bureau's computers, and succeeded in many instances.
http://www.stuff.co.nz/4197227a10.html

While they do not directly name the country/countries, the suspects look very much like China and/or Russia. China has been accused many times (under veiled references) of the same crime by the US, UK, and Germany. However, none of this really made any headlines here in the US much, sadly.

But one thing that should catch one's eye is a recent report that a couple of hackers (allegedly sponsored by the military) in China have devised devious plans on how to counter US air carriers (sabotage them). One can see why this may be the case: US can only reach China (and vice-versa) using ICBMs, or if they were to go at each other via Taiwan, the hapless little mouse caught in between the subtly warring elephants, via the existing launch sites. Every time one of them makes threatening noises, I'm sure the little mouse makes multiple bathroom trips.

The key to this seems to be diplomacy to some extent, but probably coupled with other tactics such as strong protests, sanctions, trade restrictions, higher import taxes, and restricted protectionism.
One must remember that no country lives in a vacuum (unless you're North Korea, and even then you need to depend on someone - like South Korea), and therefore any strong or semi-strong steps will have at least some repercussions (stronger steps = stronger blowbacks).

China holds a huge amount of our treasury bills; and even a rumored attempt at getting rid of them would decimate the US economy. But that'd also affect China directly where it hurts. Her people would rebel out of hunger and shortages caused by the sanctions and other acts, which is what the Republic wants least. And therefore because these two mistrustful global leaders have decided to bond in this very uncomfortable relationship of business partners, a give-and-take deal MUST exist.

No amount of sabre-rattling is going to resolve this; and no amount of weapons-pointing at each other will make things better (there can't be a war since neither China nor the USA - nor the world - can afford one), but such actions do send a very bad message to people around the globe that want to see stability from the superpower(s) - desperately. Not to mention the impact on the world economy, which is not in the best of shapes.

None of this means that such despicable acts allegedly sponsored by the Chinese govt should be ignored - to the contrary the US govt owes its citizens at least this much: A strong protest to the leaders of China mingled with no-nonsense steps that the US would be forced to undertake if such actions were not stopped immediately - AND PERMANENTLY, unless in a state of war, when no such rules will apply or be followed/obeyed.

With the Olympics coming soon, let's hope China is forced to clean up its act - at least for the time being. Stopping its taxi drivers from spitting on passers-by and passengers is not enough - it should stop its out-of-control military personnel from trying to spit at people across the blue.

Be safe!
Sesh

Thursday, September 6, 2007

The Monster Inside Monster.com

I'm sure many of you are aware by now of the data breach at monster.com, which not only affects monster.com users, but also the subsidiary that serves the military, called Military Advantage. Also affected was usajobs.gov (I think I got that right).

As of yesterday Monster could not figure out the extent of the breach and the depth of the data theft (meaning, what kind of data - how granular). But it does appear that names, email addresses, and other such common information were uploaded to a rogue server, which M.com shut down once they figured out where the siphoned-off info was actually going.
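Siphoning records off to a rogue server is the kind of thing that tends to be visible in outbound proxy or flow logs long before anyone notices the server itself. The following is an added example of mine, not anything from Monster or from the incident reporting: it sums outbound bytes per (source, destination) pair and flags destinations that are not on the known-good list once their volume crosses a threshold. The log lines, host names, threshold and the 203.0.113.x destination are all constructed.

```python
"""Flag outbound transfers to destinations outside the known-good set whose volume
is unusually large. Constructed example of how a data siphon to a rogue server
could surface in proxy or flow logs."""
from collections import defaultdict

# Constructed proxy log lines: timestamp, source host, destination host, bytes out.
PROXY_LOG = """\
2007-08-20T01:10:02 web03 crm.internal.example 1200
2007-08-20T01:10:09 web03 203.0.113.45 5242880
2007-08-20T01:11:15 web03 203.0.113.45 7340032
2007-08-20T01:12:40 db01 backup.internal.example 104857600
2007-08-20T01:13:01 web02 cdn.partner.example 20480
2007-08-20T01:14:22 web03 203.0.113.45 6291456
"""

# Constructed: destinations that are expected to receive bulk data.
KNOWN_DESTINATIONS = {"crm.internal.example", "backup.internal.example", "cdn.partner.example"}

# Constructed threshold: 10 MiB per (source, destination) pair within the log window.
THRESHOLD_BYTES = 10 * 1024 * 1024


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        yield ts, src, dst, int(nbytes)


def outbound_volume(records):
    """Sum bytes per (source, destination) pair."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in records:
        totals[(src, dst)] += nbytes
    return dict(totals)


def suspicious_transfers(text, known, threshold=THRESHOLD_BYTES):
    """Return sorted [(src, dst, bytes)] for unknown destinations at or above the threshold."""
    totals = outbound_volume(parse_log(text))
    return sorted((src, dst, n) for (src, dst), n in totals.items()
                  if dst not in known and n >= threshold)


if __name__ == "__main__":
    for src, dst, n in suspicious_transfers(PROXY_LOG, KNOWN_DESTINATIONS):
        print(f"{src} sent {n} bytes to unlisted destination {dst}")
```

The backup host moves far more data than the flagged one, but to a listed destination, so it stays quiet; the point is that volume alone is noisy, while volume to somewhere nobody has vouched for is worth a phone call.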

They are not able to trace the hackers yet, but I'm sure they're working on it. I'd say they better get the NSA and other such people involved - that's the only way to use the government's brute power to get to the bottom of this mess.

How does this affect most people? One of the main, potentially dangerous, ramifications is that users may be subject to blackmail. Not only that, but knowing most details about a user, including possibly home address, the hackers could initiate the infamous 'Hit Man' scam, where random people got mail that they're on a hit list and if they didn't send a certain amount they'd be killed. Very few people fell for it (from those who actually came forward to report the embarrassing incident) but I'm quite sure a significant majority kept quiet.

So, the same thing could happen here; think about the millions of records that were probably taken, and if you assume that only 1% responded to the blackmail, that's still a very large amount of money for the taking.

Where does the responsibility lie in this case? No question at all -- it's with the CISO if there is one; if not, the COO and CTO.

It's really remarkable that a company such as M.com, which has the trust of millions of job seekers, could not figure out the problem early enough, which would have saved a whole bunch of people a whole bunch of problems.

You also have fake employers posting ads wanting people and then scamming money out of the gullible, or even the street-smart ones. I don't want to sound as if M.com is not a good place to further one's career interests, but I'm still a firm believer in networking - PHYSICAL, human networking.

You know why bin Laden has still not been caught? Lack of humint (human intelligence), that's why. I was reading a very nice article in Newsweek that talked about the hunt for this insanely elusive mass-murderer, and they cited how he uses money as well as punishment (the old carrot-and-stick approach) to get his way and evade the technological might of the most powerful nation in the world.

What does this have to do with data breach? Well, who commits these acts? Not a self-learning, self-aware machine like HAL in 2001: A Space Odyssey (although that's not difficult to do), but HUMANS. It's people like you, like me, like us, who indulge in such nasty acts of damage and destruction.

It's impossible to prevent it (just read about the most current hacking controversy, that China's military is behind the hacking of Pentagon - and UK military's - computers). In this age, data is king; but information is the emperor. Getting random bits and bytes won't accomplish much, but it's the intelligence that puts those bits and bytes together that causes the real damage to the data ecosystem.

Certainly, precautions MUST be taken. All kinds of anti-hacking software should be installed, and users (usually the weakest link) MUST be educated in depth. I've repeatedly stressed the power of education on this blog, but I'm sure nobody at such data-sensitive companies including the government - neither management nor employees - take it seriously. You cannot change such a mindset overnight, but you can certainly take a stab at it.

How?

a. Hire white-hat hackers (especially a Certified Ethical Hacker) so they can form tiger teams to hunt down vulnerabilities (remember Kevin Mitnick?)

b. Perform vulnerability scans as often as possible

c. Keep AV/Anti Spam/Anti Malware etc software updated to the latest version

d. Educate, educate, educate your employees and raise their awareness to the imminent threat that is the WWW

e. Isolate weak machines (those with vulnerabilities) and either fix them or take them down

f. Have an internal email system and an external system, so even if the external one is compromised (which at some point it will be) it won't shut the company communications down. There should be a clear demarcation between the two, and they should NEVER mix

I could go on forever, but I need to stop before this becomes more than a blog and ends up a novella!

Be safe!