The 5 Nov 2002 article "Electronic elections: What about security?" (www.cnn.com/2002/TECH/ptech/11/05/touch.screen/index.html) on CNN.com by Jeordan Legon contains a number of factual errors and misrepresentations. To CNN's credit, they did attempt to contact me for an interview on 11/4 for that article, but their tight deadline should be no excuse for not getting the facts straight. The article states: "the voting software and hardware has to pass strict security standards imposed by the Federal Election Commission and the National Association of State Election Directors." This is untrue. ALL voting systems newly deployed for the 2002 election were inspected to the OBSOLETE 1990 FEC recommendations. Even these were only adopted by 2/3 of of the States. The 2002 standards must be adopted prior to use and it is unclear when (or in some States if) this will happen. Mark Beckstrand, a Sequoia Voting Systems VP, was quoted in the CNN article as saying: "Show me somebody who has gotten into our software. We haven't lost or misplaced or ever been accused of not having 100 percent accuracy." Well, first of all, experts, such as myself, are prevented from looking at Sequoia's equipment because it is sold under restrictive trade-secret agreements making it a felony if a purchaser (such as a County Board of Elections) provides it for internal inspection, except under court order. For a court case in Palm Beach County, we have tried for months to obtain a Sequoia machine (for which we have numerous affidavits from voters indicating problems) in order to perform an internal inspection, and have even offered to purchase a machine from the County outright, but so far have been barred from doing so. It makes it really hard to show if their product has been tampered with, if it's a felony to inspect it. In addition to our case in Boca Raton, where there was an 8% "undervote" (votes missing compared with number of voters who signed in at the election), there are other instances of problems involving Sequoia equipment. Susan Bernicker videotaped numerous Sequoia machines used in a Louisiana election that showed different names on the confirmation screen than the candidate buttons that were pressed. Over in New Jersey in 2000, a brand new Sequoia machine turned up zeros for some candidates in a local election. Elsewhere in Palm Beach Co. in March 2002, Sequoia systems registered a 3% undervote in an election where only 2 candidates were running in only 1 race. It was conjectured (by Election Supervisor Theresa LePore) that people came to the polls and deliberately did not vote for one of the candidates, but this seems rather unlikely. Sequoia seems to have a short memory when it comes to court cases and missing votes. There might be a good reason for this. According to the San Francisco Business Times (11/19/2001), their Southern Regional Sales Manager, Phil Foster, was indicted in Louisiana for "conspiracy to commit money laundering and malfeasance" involving kickbacks to Jerry Fowler, the Louisiana state commissioner of elections, now serving a prison term for his involvement in a decade-long kickback scheme with Sequoia. Foster sold machines in Lousiana and Florida, and testified as a technical expert against Bernicker in her Baton Rouge case. I hope CNN can be encouraged to run a correction or follow-up on their article. The public needs to know the rest of this story.
In yesterday's voting, there were numerous irregularities, as usual -- although perhaps fewer visible ones than had been anticipated. * Palm Beach and Broward in FL had reports of voters touching the screen for McBride and having the vote showing up for Bush. The vendors and voting officials claim that that error was quickly "fixed". Remember that "fix" has two meanings. For example, check out the Matt Drudge report at http://www.drudgereport.com/ http://www.drudgereport.com/vote1.htm * In Broward County, a programming error left out 34,000 votes, because the combination of early votes exceeded a preprogrammed maximum. Also, 70,000 absentee and Spanish-language ballots were missing from the reported turnout, although they were included in the vote totals. These were later corrected. * In Houston, where the all-electronic voting machines have rotary dials instead of touch-screens, voters in five precincts had their attempts to vote a straight party ticket rejected. (It happens to have been the Democratic ticket that was not accepted.) * In Georgia, newly using touch-screens, some voters reported their votes being recorded for other candidates. * In Pulaski County, Arkansas, half of the voters had not been assigned precincts after redistricting and were denied being able to vote despite having legitimate registration cards. * San Francisco failed to deliver enough ballots to several precincts, where voting continued until midnight. * In Nebraska, Charlie Matulka (a long-shot Democratic candidate) reports having been given a paper ballot already premarked for his Republican opponent. * In South Carolina, there were some reports of long waits in line. Elsewhere, people turned away from the polls in various places even with valid identification. Also, reports of lever machines dropping votes. NOTE: Andrew Klossner sent in a correction on Andrew Morton's item in RISKS-22.35 on absentee voting in Oregon: the ballot he gets is just an unlabeled punch-card in which he has to punch out the chad for the desired holes. (Same for me in Santa Clara County, California. PGN) The general consensus among election officials and voters seems to be that the all-electronic machines are a great improvement, relatively easy to use, and inherently able to prevent overvotes. The general consensus among knowledgeable computer security experts seems to be that almost all of the existing all-electronic systems could relatively easily be rigged by internal fraud in the software and external manipulation of the local polling-place configurations and could also be subject to undetected internal errors, because of an almost complete absence of meaningful audit trails and independent verification of the consistency of votes tabulated with votes cast. Just because an all-electronic machine looks like it might be working, how do you *KNOW* it is doing the right thing? From a RISKS perspective, a perceived potential lack of integrity is a serious obstacle to democracy.
According to the *Wall Street Journal*, 6 Nov 2002, the world's dominant operator of national and state lotteries has warned of a possible compromise of its system for patching scratch-ticket winners. The company referred to an "operational and technical issue" in which the bar code used on the ticket had been cracked. The article quotes an unnamed source who claims someone had "decoded the algorithm" for the bar codes. Setting aside the RISK of whichever algorithm they chose, and not knowing whether this was an inside job, it's interesting to contemplate what other technology based industries have become so thoroughly centralized that one crack can cause a worldwide mess like this. http://online.wsj.com/article/0,,SB1036548523995761668,00.html?mod=3Dhome_whats_news_us http://online.wsj.com/article/0,,SB1036548523995761668,00.html ?mod=3Dhome_whats_news_us Conrad Heiney <firstname.lastname@example.org> http://fringehead.org
According to http://money.cnn.com/2002/11/06/technology/gtech/index.htm, GTech (the largest lottery operator) has determined that the scratch-off lottery tickets can be determined before doing the scratch-off operation. "A corrupt ticket salesperson that knew the codes theoretically could pick out the winners on a sheet of tickets and cash them, selling only the losers to the general public." Sounds like the serial/code number isn't being encrypted or otherwise protected before being printed...
http://www.sptimes.com/2002/10/30/TampaBay/Patient_dies_in_robot.shtml In an surgical operation to remove a cancerous kidney at St. Joseph's Hospital in St Petersburg, a three-armed da Vinci robot (made by Intuitive Surgical Inc.) was being controlled by an experienced doctor from a 3-dimensional computer screen, 10 feet away. The robot technology for cutting blood vessels is supposed to decrease bleeding, pain, and recovery time. Unfortunately, the patient's aorta and another blood vessel were cut, and this went unnoticed for an hour and one-half. Two days later, the patient died of complications. The developer found no mechanical problems, and absolved the robot, which had been used successfully in 10 similar operations. [Source: Patient dies in robot-aided surgery; Such robots are considered a major surgical breakthrough, but something went wrong, Graham Brink, *St. Petersburg Times*, 30 Oct 2002; PGN-ed] [Classical case. The vendor absolves the technology, implicating the doctor. Others blame the robot. What about the doctor-machine interface? PGN]
The NTSB (U.S. National Transportation Safety Board) has released its report on the pipeline accident at Bellingham, Washington, in June 1999. Three people were killed when a 16-inch pipeline ruptured and released about 237,000 gallons of gasoline, which then ignited. One link in the chain of events leading to this accident was the pipeline company's SCADA (supervisory control and data acquisition) system. Just before the rupture, there was a pressure surge in the pipeline. This was a common occurrence, unrelated to the SCADA. But through rotten luck the surge hit right in the middle of an extreme slowdown in the SCADA computer. Since the SCADA controlled the pumps and valves along the pipeline, the control room operator was unable to relieve the pressure. Had the computer responded promptly to his commands, pressure probably would have remained within the pipeline's burst strength. A pair of DEC VAX computers (one active, one standby) ran the SCADA software. Investigators attempted to duplicate the system slowdown but were not successful. Nor were any flaws uncovered in the hardware or software. However, there were flaws in the company's computer procedures. 1. All computer operators used the same login. The account had system administrator privileges, including unlimited authority to hog resources. 2. Modifications to the SCADA historical database were performed on the same computer that was in control of the pipeline. Just before the SCADA became unresponsive, the system administrator had added some database records. That probably triggered the SCADA lockup, concludes the NTSB report. 3. Although the system administrator monitored error logs to check the progress of his database work, and began to see errors 18 minutes before the rupture, he did not warn the pipeline control room or his supervisor. Instead, he left the computer room for about 15 minutes. 4. Anyone with an account could log in to the SCADA through a dialup connection. However, the fact that the system troubles began shortly after the database modification, and stopped when the new records were deleted, suggested that an intruder was not to blame. In the wake of the accident, the pipeline company rectified these problems. Executive summary and complete accident report are on line: http://www.ntsb.gov/publictn/2002/PAR0202.htm
This morning (local time), the web browser Opera is serving Australians with banner ads intended for Austria. The relatively small difference in syllables has been the cause of much misdirected physical mail over the years (puzzling to the Austrians who spell their country completely differently). Now the small difference between .au and .at seems to be causing the same problems in the cyberworld.
Along the lines of the FBI-bugs-libraries reference in RISKS 22:35 http://catless.ncl.ac.uk/Risks/22.35.html#subj3 there is also this article about cooperation between ISPs and the prying eyes of government on e-mail. http://www.thenation.com/docprint.mhtml?i=20021111&s=mejia20021030 Looks like Orwell should have called his book "2004".
Yale computer scientist David Gelernter is glad that the Microsoft trial is behind us, because "operating systems are lapsing into senile irrelevance," and we need to move on to the future. And what will the future be all about? "Every piece of digital information you own or share will appear (in the near future) in one universal structure" — one to which you'll have access from any Net-connected computer anywhere. "I have time for only one screen in my life," says Gelernter. "That screen had better give me access to everything, everywhere." The universal structure, dubbed Scopeware, will be a narrative, 3D stream of electronic documents flowing through time. "The future (where you store your calendar, reminders, plans) flows into the present (where you keep material you're working on right now) and on into the past (where every e-mail message and draft, digital photo, application, virtual Rolodex card, video and audio clip and Web bookmark is stored, in addition to all those calendar notes and reminders that used to be part of the future and have since flowed into the past to be archived forever)." [*The New York Times*, 7 Nov 2002; NewsScan Daily, 7 November 2002] http://partners.nytimes.com/2002/11/07/technology/circuits/07soft.html
PGN, The RISK here is that of assuming 'British' spelling exists — it is the Oxford ENGLISH Dictionary for spelling and the Queen's ENGLISH for pronunciation. <GRIN> Simply put, Britain comprises the 'home countries' of England, Northern Ireland, Scotland and Wales. There are other island territories immediately offshore that are part of Britain (eg. the Scilly Isles) and others that are part of the United Kingdom but not of Britain (e.g., the Channel Islands). [LATER CORRECTION: Northern Ireland is NOT a part of Great Britain, but is a part of The United Kingdom of Great Britain and Northern Ireland, as of 1927. Thanks to John Carlyle-Clarke for this fact! PGN] There is no 'British' language per se — the (recent — i.e., immediately pre-AD) native majority tongues of Great Britain were basically Celtic, French and Latin (by today's definitions) — English arose as a combination of these and other, imported, languages. Today, basically, the native Welsh language is Celtic, the native Scots language is Celtic, the native Irish language is Celtic, and the native English language is English — except for Cornwall (a county) where their native language is Celtic. The individual country variation of the Celtic language is frequently spoken in Wales and in the Highlands of Scotland (and in Cornwall). I was raised in Jersey (the Channel Island, not the State). This is part of the United Kingdom, but not the European Union (confusing isn't it?) where I grew up speaking 'Jersey patois' (a form of Norman French) and English. So. 'English spelling' - yes, 'British spelling' - no. With "tongue" slightly in cheek, Michael (Streaky) Bacon
The next proposal deadline for NSF's continuing Trusted Computing program is Wednesday, December 4, 2002. Links to the program announcement, as well as a summary description and list of the initial awards under NSF's Trusted Computing program can be found on NSF's web. NSF has changed its Web infrastructure recently, so the direct URL for the Trusted Computing Program is a bit lengthy: http://www.cise.nsf.gov/div/ccr/fndg/display.cfm?pgm_pims_id=5158&pgm_supp_id=10091&loc=ccr&pub_id=5370 http://www.cise.nsf.gov/div/ccr/fndg/display.cfm ?pgm_pims_id=5158&pgm_supp_id=10091&loc=ccr&pub_id=5370 [split] Alternatively you can visit: www.cise.nsf.gov and then select "funding opportunities" and then select "trusted computing". If you are in a position to conduct research in this area, I encourage you to consider submitting a proposal this year. NSF focuses on funding research at universities and not-for-profit organizations. I also hope you will consider helping me staff the review panels for the proposals that are submitted. My warm thanks to all who proposed and who participated in the review process this past year. Carl Landwehr, Director, Trusted Computing Program email@example.com National Science Foundation 1-703-292-8936
BKTCIEPB.RVW 20020823 "The Total CISSP Exam Prep Book", Thomas R. Peltier/Patrick D. Howard, 2002, 0-8493-1350-3, U$59.95 %A Thomas R. Peltier %A Patrick D. Howard %C 920 Mercer Street, Windsor, ON N9A 7C2 %D 2002 %G 0-8493-1350-3 %I Auerbach Publications %O U$59.95 800-950-1216 firstname.lastname@example.org email@example.com %P 287 p. %T "The Total CISSP Exam Prep Book: Practice Questions, Answers, and Test Taking Tips and Techniques" Both the preface and the back cover copy stress the assertion that "until now, [CISSP (Certified Information Systems Security Professional) candidates] were not afforded the luxury of studying a single, easy-to-use manual." Despite the reservations that I may have about the quality of their works, this statement must surely be a shock to Shon Harris (cf. BKCISPA1.RVW), Mandy Andress (cf. BKCISPEC.RVW), S. Rao Vallabhaneni (cf. BKCISPET.RVW), and Ronald Krutz and Russell Vines (cf. BKCISPPG.RVW) and Carl Endorf (wait for it). (Well, I suppose that, technically, Vallabhaneni's is *two* books ...) It would be difficult to say that you could use this volume for study, either. It doesn't actually have any tutorial material, other than some advice on how to write the exam. Some of the tips are outdated, and most of the rest of the content is rather generic, such as the suggestion to eat a hearty breakfast before you go. (I'd suggest that you go easy on the recommendation to drink lots of coffee before you head off: some of the proctors can be pretty sticky about letting you go to the washroom.) What it does have is ten chapters (one for each of the CBK [Common Body of Knowledge] domains) of twenty five "exam" questions each. That's twenty five questions for physical security (the smallest domain) and twenty five questions for telecommunications (the largest). The questions in the chapters have explanations of which answers are right and which are wrong. Then there is a sample "exam," and then the same exam with the answers. Sample exams are highly sought after: it makes sense to know the type and style of questions that you may encounter on the exam. There is only one problem: (ISC)^2 doesn't hand out sample exams. In fact, they guard the exam questions rather closely. The sample exams at cccure.org are a staple in CISSP study groups, and there is a commercial outfit that will sell you a set that they have made up. Essentially, of course, this is what Peltier et al. have done. So, the question is, how close are the sample questions in this book to the real thing. The answer, unfortunately, is not very. Different people worked on the questions for different chapters, so the level of success varies. (Security management has possibilities, telecommunications is rather ghastly.) Ultimately, though, these questions are not representative of what you will find on an actual CISSP exam. Those familiar with Bloom's Taxonomy of questions will know that you progress from simple questions of fact through synthesis of multiple facts through analysis based on synthesis to a level of judgment or critical thinking. Most of the questions a candidate will encounter on the CISSP exam are at the analytical or critical levels. Too many of the questions found in most sample exams are at the simple factual level. The questions in this current work do move beyond the simplistic, but they tend to turn on specific wording in some very weak references, rather than the principles and concepts encountered in the CISSP exam itself. (Appendix A is a bibliography used in the creation of the questions, and it is a decidedly poor one.) Some questions and answers are flatly wrong (planting malicious software is definitely *not* a passive attack). Others may have some point to their creation but get confused. One question states that a certain answer is not correct because the technology is not an encryption algorithm, but the "correct" answer isn't an algorithm either. This book may give you a very rough idea of the types of questions you may encounter, and the range of topics you may need to know. If you rely on it to prepare you for the exam, however, you may be in for a rude shock. copyright Robert M. Slade, CISSP, 2002 BKTCIEPB.RVW 20020823 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKISPTGE.RVW 20020823 "Information Security", Donald L. Pipkin, 2000, 0-13-017323-1, U$39.99/C$60.00 %A Donald L. Pipkin %C One Lake St., Upper Saddle River, NJ 07458 %D 2000 %G 0-13-017323-1 %I Prentice Hall %O U$39.99/C$60.00 +1-201-236-7139 fax: +1-201-236-7131 %P 364 p. %T "Information Security: Protecting the Global Enterprise" It takes quite a while to figure out what Pipkin is trying to do in this book. Ultimately, there is coverage of some of the important basic concepts involved in information security. However, the text as a whole is both confused and confusing. The prologue tells us that business is changing and chaotic, and that information is of prime importance. The introduction takes a quick run through a few of the basic security concepts, with an emphasis on business continuity planning. Phase one of the book is entitled "Inspection," but the prologue lists some items of concern in risk analysis. Chapter one, called "Resource Inventory," is concerned with data classification. It touches on, but does not really discuss, the orthogonal nature of classification schemes when confidentiality, availability, and integrity must be considered. The material is sparse, and, while there are some indications of forward references to later chapters, those chapters do not get down to practical details either. Chapters two to six begin to examine the concepts of threats (concentrating, very poorly, on malicious software), loss analysis (many examples, little of substance), vulnerabilities, safeguards, and assessment. Phase two, on protection, seems to be trying to expand chapter five, but really just repeats prior material. Concepts touched on include access, identification, authentication, authorization, and accountability. Mixed in are the not-quite-related topics of availability, accuracy, confidentiality, and administration. Phase three looks at intrusion detection, with chapters on intrusion types, methods, process, and detection methods. It isn't very useful. Phase four reviews incident response, but rather vaguely. Phase five concerns the post-mortem reflection. The chapter on documentation has some useful material on the contents of after-action reports, but the rest of the content is unfocused and generic. It is not quite true to say that the book is unstructured: it has a structure, but either does not follow it, or does not usefully employ it. Those without a security background will find it hard to build a useful or working framework from the material in this book. Those with such a background will eventually find that the parts of the book do fit neatly, if not logically, into the common framework. However, those with such a background will have no need for this work. copyright Robert M. Slade, 2002 BKISPTGE.RVW 20020823 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer