Wednesday, March 19, 2008

"And a function that tracked changes to the machines was purposely turned off." 

Ohio investigates reported voting machine irregularities.

A candidate's name was grayed out on some ballots but not on others. Local authorities had turned off the automatic logging of software changes.

This may turn out to be a legitimate error of some kind, but it's a great illustration of one of the major problems with electronic voting machines. If someone wants to tamper with them, it may not be possible to track that person or even to tell that the tampering happened.

In a discussion about this on the nerd forum Slashdot, a user called TripMasterMonkey pointed out a story about negligent exposure of voter registration records in Pennsylvania. That was the result of an elementary programming error. The important lesson there is that the people running your elections department may not be the experts you would hope for.


Tuesday, March 18, 2008

I'm really starting to like this Rich Mogull guy 

Mac users, I highly recommend this article about OS X 10.5 Leopard security features. It's clear, informed, and does well at the really hard problem of being both accurate and understandable.


And you thought zip files were boring 

.ZIP files are only one of a whole class of files used to compress and package groups of other files. Antivirus programs need to understand how to look inside such things, otherwise viruses could escape detection by hiding inside .ZIP or other files.

So far, so good.

But what if the software that looks inside those files can be crashed by badly or maliciously formed input? Remember that if you can crash a program you're only one step from taking it over. And remember that your antivirus software has lots of privileges on your computer.

Researchers in Finland wrote a program to make random changes to a wide range of packed file formats and tested several products that read the files. Quite a few crashed.

They let the software makers know. A lot of the open source products are already fixed. On the commercial side, F-Secure has already rolled out fixes and Symantec, who makes the Norton products, was already OK.

Details for your technical friends:
Test results for "fuzzing" of archive file formats.
CERT advisory on archive format vulnerabilities
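
The approach described in this post (make random changes to an archive, then see how the reader copes), as an added example that is not the researchers' tool: it mutates a constructed ZIP and tallies how Python's standard `zipfile` parser reacts. The function names, sample archive, seed and trial counts are assumptions for illustration.

```python
import io
import random
import zipfile
from collections import Counter


def build_sample_zip() -> bytes:
    """Constructed sample archive: one stored member, one deflated member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello " * 50, compress_type=zipfile.ZIP_STORED)
        zf.writestr("data.bin", bytes(range(256)) * 4, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def mutate(data: bytes, rng: random.Random, flips: int) -> bytes:
    """Overwrite `flips` randomly chosen bytes with random values."""
    out = bytearray(data)
    for _ in range(flips):
        out[rng.randrange(len(out))] = rng.randrange(256)
    return bytes(out)


def parse_outcome(blob: bytes) -> str:
    """Open the archive and read every member, as a scanner's unpacker would.

    Returns "parsed" or the name of the exception the parser raised.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                zf.read(info)
        return "parsed"
    except Exception as exc:  # a raised exception is a controlled rejection
        return type(exc).__name__


def fuzz(seed_file: bytes, trials: int = 200, flips: int = 4, seed: int = 2008) -> Counter:
    """Mutate the seed file `trials` times and tally how the parser reacted."""
    rng = random.Random(seed)
    return Counter(parse_outcome(mutate(seed_file, rng, flips)) for _ in range(trials))


if __name__ == "__main__":
    for outcome, count in fuzz(build_sample_zip()).most_common():
        print(f"{count:4d}  {outcome}")
```

Every outcome in this tally is either a clean parse or a raised exception, which is the well-behaved case. With an unpacker written in native code, the result to watch for is the process dying instead.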


Good advice for Mac users 

I agree with almost everything in Mac security expert Rich Mogull's article about security precautions for Mac users. I'd add being cautious about downloaded software. Also be careful with Microsoft Office documents: macro viruses will spread just fine between Mac and Windows systems.


Sunday, March 16, 2008

But don't expect too much from a fingerprint-controlled nerdstick 

Some of them will just roll over and give you access if you tickle them with a free tool. Technical details of the vulnerability of fingerprint-based USB drives.


Roundup of secure nerdsticks at Computerworld 

Summary of Computerworld's review of secure flash drives.

In real life, I'd suggest choosing on the basis of ease of use. If it's too hard to use, you won't use it, and then when you lose your tiny little nerdstick you'll lose control of all the data on it.

