Saturday, August 30, 2008

Rent "Hacking Democracy", the 2006 HBO documentary 

It's a good introduction for a non-specialist. It leaves some things out, and I spotted one really minor error, but it's worth your time.


Friday, August 29, 2008

If you have nothing to hide, you have nothing to fear? 

A three-year-old in Dorset, England, is having trouble sleeping at night. She's afraid there's a man outside watching her.

There's a reason. Government employees were following her family to and from school for three weeks, making records such as "female and three children enter target vehicle and drive off" and "curtains open and all lights on in premises".

But, we are told, we have to trade some privacy for security. Let's take a look at the public safety implications, and see if they justify following kids to school and scaring a three-year-old.

The surveillance was to assess whether the family really lived in the coverage area of the school they applied to. (They did, by the way).

The Poole borough spying case.

Ask tough questions if your government tells you they need to invade your privacy in the name of security.


"[T]he case could be treated as terrorism" 

Gary McKinnon admits that he went into US government computers without permission.

He was sitting at home in his bathrobe looking around for evidence that the US government had secret alien technology taken from UFOs.

He got into many machines, working alone and without being particularly sophisticated. If you're a US taxpayer, take that as a sign that the computers you're paying for are being badly administered. If a computer is important enough to prosecute someone over, it's important enough to protect well enough that a random eccentric can't get in.

BBC profile of Gary McKinnon
The authorities have warned that without his co-operation and a guilty plea the case could be treated as terrorism and he could face a long jail sentence. "


How are voting machines tested? 

I've written before about the limitations on the "certification" of voting machines.

There's been more talk about it recently. Wired magazine's criticism of voting machine testing notes that problems go years without being fixed, and that the testing consists of going down a checklist that often has nothing to do with reliability or security. Worse, the software running in your election may be different from the software that got certified. University of Iowa computer science professor Douglas Jones proposes testing procedures for voting machines including election-day tests aimed at catching malicious software that gives the right answers until it sees it's in a real election.

Nobody in those discussions mentions a key point. If you could make software reliable by testing it, we'd see a lot fewer bugs in our daily live. Security is even harder to test for than reliability. A program can run just fine and be insecure.

The way to get secure software is to start at the design stage and build it from the ground up to resist or detect attack. For example, the software that adds up the vote totals from the precincts shouldn't allow the machine operator to change the totals without even creating a record of the change. One widely used design did allow that.

The next step in improving software security is to let qualified people, lots of them, look for hidden flaws. That includes cryptographers, but also the kinds of sideways-thinking people who like solving puzzles and doing things that are supposed to be impossible.


Security can backfire 

TSA inspector damages multiple aircraft.

Mechanics caught the problem in time. The part damaged was important enough that flights had to be delayed while it was fixed.

One aviation industry newsletter had a truly sulfurous comment.


Privacy and "I've got nothing to hide" 

Earlier this month, the news came out that Best Western exposed the records of 8 million customers.

The information that got out included credit card numbers, which are of obvious interest to criminals, and maybe worse, information about future bookings. That's right, it's possible that crooks now know when people are going to be out of town and where they live.

Privacy contributes to safety and the rule of law.


Voting machines! Again! 

Premier Election Solutions (formerly Diebold) machines in Ohio fail to count votes. As far as anyone knows it's just a normal bug.

Premier Election Solutions started off by blaming the problem on a conflict with anti-virus software. I was trying to find a way to explain why that sounds wrong to a security person, but someone beat me to it. My favorite nerdy cartoon about antivirus on voting machines.

It's a bad sign when a system has a bug that mission-critical that didn't get caught in testing. Ohio's Secretary of State is suing.


Sorry you haven't heard from me in a while 

I fell way behind on the sources I normally follow to bring you news and commentary. I'll try to do better.


This page is powered by Blogger. Isn't yours?