Add to the list of incidents when a nuclear attack was almost triggered: > So how did it happen? A computer program that simulated a nuclear attack > by the Soviet Union had been fed through NORAD's network. Terrifyingly, > NORAD and everyone else in the network mistook their own drill program as > a real attack. > http://gizmodo.com/1686123550 The movie *WarGames* is mentioned in the article: art imitating life. To remedy the situation a $16M test facility was built so simulations wouldn't be plugged into the production system.
The Editorial Board, *The New York Times*, 19 Feb 2015 http://www.nytimes.com/2015/02/19/opinion/regulating-the-drone-economy.html Interest in drones has been growing faster than government rules about how they can be used. That's what makes the Obama administration's proposed rules for unmanned aircraft by businesses and federal agencies so important. The measures include many good ideas but do not do enough to protect the privacy of Americans. Drones have played ever more important military roles, particularly in tracking suspected terrorists abroad in places like Pakistan. But these flying robots also have commercial uses, like monitoring energy pipelines, photographing real estate and managing large farms. With few exceptions, however, the Federal Aviation Administration has prohibited the commercial use of drones. On Sunday, the agency proposed allowing commercial use as long as operators pass a written test every two years. The proposal would also restrict when and how the devices can be used. On the same day, President Obama imposed some restrictions on how federal agencies like the F.B.I. and Customs and Border Protection collect information from drones and what they do with it. The F.A.A.'s proposal would require that drone operators always be able to see the aircraft without the aid of binoculars, cameras or other devices. The aircraft can be no heavier than 55 pounds, cannot be flown higher than 500 feet or faster than 100 miles per hour. The devices can be used only during daylight hours and cannot be flown over people not involved in their use. That means a movie director could fly a drone over a film set but not over a pedestrian on the street. Some businesses like Amazon, which says it plans to deliver packages by drones, complain that the rules are too restrictive because operators will have to stay close to their machines. But the rules are a sensible starting point for a new technology. Most drones cannot yet sense and avoid obstacles, making them a hazard to people and property. In recent months, drones, mostly operated by hobbyists, have had near misses with airplanes and one crashed on the South Lawn of the White House. As drone technology advances, officials can change the rules. Regardless of what the final rule says, the F.A.A. could find it difficult to enforce the regulation. It will have to rely on complaints from the public and local law enforcement. Also, the agency, which is in the middle of a major upgrade to the nation's air traffic system to reduce congestion, may not have enough resources to monitor the thousands of drones that could take to the sky once this rule is finalized in the coming months. The agency has about 7,200 employees in its aviation safety division, a number that has not increased much in recent years. Mr. Obama's action on drone use by government agencies is much more problematic. For example, the president's memorandum says the government should not retain personally identifiable information collected by drones for more than 180 days. But agencies can keep the data for longer if it is “determined to be necessary to an authorized mission of the retaining agency''—a standard that grants officials far too much latitude. Moreover, the administration says agencies have to provide only a `general summary' of how they use drones, and only once a year. Law enforcement agencies like the F.B.I. and local police departments are already using drones and manned aircraft for surveillance, often without obtaining warrants, but they have said little publicly about what they are doing with the information collected. The use of drones is likely to grow, and the devices could become as common as utility and delivery trucks. At the dawn of this technology, it's appropriate to set sound safety and privacy rules.
David Kravets, Ars Technica, 17 Feb 2015, via Dave Farber Obama: "Public's going to demand answers, if there's a terrorist attack." http://arstechnica.com/tech-policy/2015/02/obama-hedges-position-on-encryption-its-good-its-bad/ President Barack Obama is making his position on encryption known: he is a supporter and "believer in strong encryption" but also "sympathetic" to law enforcement's needs to prevent terror attacks. "I think the only concern is... our law enforcement is expected to stop every plot. Every attack. Any bomb on a plane. The first time that attack takes place, where it turns out we had a lead and couldn't follow up on it, the public's going to demand answers. This is a public conversation that we should be having," Obama said in a Friday interview with Re/Code. "I lean probably further in the direction of strong encryption than some do inside law enforcement. But I am sympathetic to law enforcement, because I know the kind of pressure they're under to keep us safe. And it's not as black and white as it's sometimes portrayed. Now, in fairness, I think those in favor of air tight encryption also want to be protected from terrorists." Encryption became a hot-button topic in the wake of the summer 2013 leaks by National Security Agency whistleblower Edward Snowden. His documents, including some seemingly showing that Skype has a backdoor, highlighted a broad online global surveillance society and set off a cottage industry of encryption companies. Both the FBI and the Justice Department are demanding that companies—like Apple and Google that are beginning to outfit mobile phone devices with encryption by default—should build backdoors to allow law enforcement access. Without a backdoor, the encryption likely prevents authorities from physically accessing contents directly from the phones' hardware, even with a warrant. The chief executive isn't faulting companies for building encrypted tools. "I think they are properly responding to a market demand." But the president, his second remarks on the topic in a month, said "we can't pretend" that there's not a tradeoff between civil liberties and safety. One of the interesting things about being in this job, is that it does give you a bird's-eye view. You are smack dab in the middle of these tensions that exist. But, there are times where folks who see this through a civil liberties or privacy lens reject that there's any tradeoffs involved. And, in fact, there are. And you've got to own the fact that it may be that we want to value privacy and civil liberties far more than we do the safety issues. But we can't pretend that there are no tradeoffs whatsoever. [...]
In late 2013, an ATM in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment. [...] David E. Sanger and Nicole Perlroth, *The New York Times*, dated 14 Feb 2015 http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html [Up'N AT'M! PGN] [Also noted by Allan Davidson. PGN]
Recent $1 billion international cyber bank robbery could have been prevented with simple security steps, expert http://r20.rs6.net/tn.jsp [No response for me, but browsing on the subject line works fine. PGN] A multinational gang of cyber criminals has stolen up to $1 billion from about 100 international banks over the past two years, according to an announcement earlier this week from the Russian cybersecurity form Kaspersky Lab. Responsibility for the robbery rests with a multinational gang of cybercriminals from Russia, Ukraine and other parts of Europe, as well as from China according to Kaspersky, which worked with INTERPOL, Europol and authorities from different countries to uncover the massive heist. Though the criminals' take may be huge, many banks—along with other organizations—can take basic steps to reduce the risk of theft of money and information, according to Udi Shamir, chief security officer at Sentinel Labs, who recently spoke with Government Security News. Organizations can take steps including educating employees about the dangers of spear phishing emails (which can download malware) to keeping proprietary business systems separate from the Internet..
Joseph Menn (Reuters) 16 Feb 2015 via ACM TechNews, 18 Feb 2015 Kaspersky Lab on Monday said a group it calls the Equation group has developed spyware that can lurk in the firmware of most hard drives currently on the market. Although Kaspersky did not explicitly make the connection, the Equation group is widely believed to be a euphemism for the U.S. National Security Agency (NSA). Kaspersky says developing the spyware, which has been found on hard drives from all of the market's major players, would have required access to the hard drives' source code. Hard drive manufacturers have denied supplying NSA with their source code, but experts say the spy agency has numerous ways of obtaining the source code, including routine government security audits. Kaspersky found personal computers infected with the Equation group's spyware in 30 countries, primarily in Iran, Russia, and Pakistan, but also in Afghanistan, China, Mali, Syria, Yemen, and Algeria. Targets included government and military institutions, telecom firms, banks, energy companies, nuclear researchers, media, and Islamic activists. In addition to the spyware, Kaspersky also described other Equation group programs, including compromising jihadist websites, infected USB drives and CDs, and a self-spreading computer worm dubbed Fanny that was used to deliver the spyware and may have links to the Stuxnet worm used to target Iran's nuclear program several years ago. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d617x2c67cx062018&
Old Gemalto had a factory; E-I-E-I-O; And in this factory they made some chips; E-I-E-I-O; With a wink-wink here, and a nod-nod there; Here a wink, there a nod; ... Collaborators in WWII had their hair cut off (if they were lucky); I'd say that -7.5% qualifies as a haircut. Mark Scott, *The New York Times* 20 Feb 2015 Chip Maker to Investigate Claims of Hacking by NSA and British Spy Agencies, http://www.nytimes.com/2015/02/21/world/europe/chip-maker-to-investigate-claims-of-hacking-by-nsa-and-british-spy-agencies.html LONDON—Gemalto, a French-Dutch digital security company, said on Friday that it was investigating a possible hacking by United States and British intelligence agencies that may have given them access to worldwide mobile phone communications. The investigation follows news reports on Thursday that the National Security Agency in the United States and the Government Communications Headquarters in Britain had hacked Gemalto's networks to steal SIM card encryption codes. The claims—reported on a website called The Intercept -- were based on documents from 2010 provided by Edward J. Snowden, the former N.S.A. contractor. The American and British intelligence agencies are said to have stolen the encryption key codes to so-called smart chips manufactured by Gemalto, which are used in cellphones, passports and bank cards around the world. Gemalto is the world's biggest maker of SIM cards, the small chips in cellphones that hold an individual's personal security and identity information. [...]
Andy Greenberg, *WiReD*, 19 Feb 2015 http://www.wired.com/2015/02/powerspy-phone-tracking/ Smartphone users might balk at letting a random app like Candy Crush or Shazam track their every move via GPS. But researchers have found that Android phones reveal information about your location to every app on your device through a different, unlikely data leak: the phone's power consumption. Researchers at Stanford University and Israel's defense research group Rafael have created a technique they call PowerSpy, which they say can gather information about an Android phone's geolocation merely by tracking its power use over time. That data, unlike GPS or Wi-Fi location tracking, is freely available to any installed app without a requirement to ask the user's permission. That means it could represent a new method of stealthily determining a user's movements with as much as 90 percent accuracy—though for now the method only really works when trying to differentiate between a certain number of pre-measured routes. Spies might trick a surveillance target into downloading a specific app that uses the PowerSpy technique, or less malicious app makers could use its location tracking for advertising purposes, says Yan Michalevsk[y], one of the Stanford researchers. “You could install an application like Angry Birds that communicates over the network but doesn't ask for any location permissions. It gathers information and sends it back to me to track you in real time, to understand what routes you've taken when you drove your car or to know exactly where you are on the route. And it does it all just by reading power consumption.'' PowerSpy takes advantage of the fact that a phone's cellular transmissions use more power to reach a given cell tower the farther it travels from that tower, or when obstacles like buildings or mountains block its signal. That correlation between battery use and variables like environmental conditions and cell tower distance is strong enough that momentary power drains like a phone conversation or the use of another power-hungry app can be filtered out, Michalevsky says. One of the machine-learning tricks the researchers used to detect that `noise' is a focus on longer-term trends in the phone's power use rather than those than last just a few seconds or minutes. “A sufficiently long power measurement (several minutes) enables the learning algorithm to `see' through the noise, We show that measuring the phone's aggregate power consumption over time completely reveals the phone's location and movement.'' Even so, PowerSpy has a major limitation: It requires that the snooper pre-measure how a phone's power use behaves as it travels along defined routes. This means you can't snoop on a place you or a cohort has never been, as you need to have actually walked or driven along the route your subject's phone takes in order to draw any location conclusions. The Stanford and Israeli researchers collected power data from phones as they drove around California's Bay Area and the Israeli city of Haifa. Then they compared their dataset with the power consumption of an LG Nexus 4 handset as it repeatedly traveled through one of those routes, using a different, unknown choice of route with each test. They found that among seven possible routes, they could identify the correct one with 90 percent accuracy. “If you take the same ride a couple of times, you'll see a very clear signal profile and power profile,'' says Michalevsky. We show that those similarities are enough to recognize among several possible routes that you're taking this route or that one, that you drove from Uptown to Downtown, for instance, and not from Uptown to Queens.'' Michalevsky says the group hopes to improve its analysis to apply that same level of accuracy to tracking phones through many more possible paths and with a variety of phones—they already believe that a Nexus 5 would work just as well, for instance. The researchers also are working on detecting more precisely where in a known route a phone is at any given time. Currently the precision of that measurement varies from a few meters to hundreds of meters depending upon how long the phone has been traveling.
FYI—These guys raised $31 million?? Where's the adult supervision at these VC firms? At $75, expect this doll to be one of the most hacked computers of 2015. Hello Barbie: Hang on, this Wi-Fi doll records your child's voice? What could possibly go wrong? 19 Feb 2015 at 07:39, Iain Thomson http://www.theregister.co.uk/2015/02/19/hello_barbie/ Toymaker Mattel has unveiled a high-tech Barbie that will listen to your child, record its words, send them over the Internet for processing, and talk back to your kid. It will email you, as a parent, highlights of your youngster's conversations with the toy. If Samsung's spying smart TVs creeped you out, this doll may be setting off alarm bells too so we drilled into what's going on. The Hello Barbie doll is developed by San Francisco startup ToyTalk, which says it has more than $31m in funding from Greylock Partners, Charles River Ventures, Khosla Ventures, True Ventures and First Round Capital, and others. [...PGN-truncated]
Associated press via the *San Francisco Chronicle* http://www.sfgate.com/business/article/Visa-wants-to-track-your-smartphone-to-combat-6085910.php Visa wants to track its customers' smartphones to know when a credit card is legitimately used in locations away from the holder's home area. Those days of calling your bank to let them know that, yes, you really are in Thailand, and yes, you really did use your credit card to buy $200 in sarongs, may be coming to an end. Visa will introduce a feature this spring that will allow its cardholders to inform their banks where they are automatically, using the location function found in nearly every smartphone. Having your bank and Visa know where you are at all times may sound a little like Big Brother. But privacy experts are applauding the feature, saying that, if used correctly, it could protect cardholders and cut down on credit card fraud. Credit and debit card fraud costs consumers and banks billions of dollars each year, and that figure has been growing as data breaches have become more common. The banking industry had $1.57 billion in debit card fraud in 2013 and $4 billion in credit card fraud in 2012, the latest years for which data are available, according to the Federal Reserve. [... PGN-Truncated]
Ars via NNSquad http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/ "Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said. The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate." They now are (predictably) trying to back out of this, after initially suggesting it was OK because *only* their consumer-oriented systems were affected. Thanks a bunch, guys. [See also a later article by Nicole Perlroth, Spyware in Lenovo PCs Is Placed at Core of System, *The New York Times*, 23 Feb 2015. PGN]
Paul Venezia, InfoWorld, 19 Feb 2015 What was Lenovo thinking? We can only hope the company's disastrous decision to install adware on laptops that includes man-in-the-middle code will inspire the industry to revamp SSL security http://www.infoworld.com/article/2886792/security/lenovo-shows-us-why-we-need-to-reinvent-web-security.html
[Note: This item comes from friend Bob Frankston. DLH] Chris Duckett, ZDNet, 20 Feb 2015 http://www.zdnet.com/article/lenovo-says-superfish-not-a-security-concern-own-advisory-marks-it-highly-severe/ Summary: A Lenovo security advisory details the models of notebooks impacted by the Superfish SSL hijacking, while a company statement says that Superfish is used to 'enhance' users' computing experiences. Sacrificing one of the core pillars of its devices' security chain for ad revenue was all in an effort to allow users to "discover interesting products while shopping", a Lenovo statement said in response to the Superfish furore. Lenovo said that Superfish was shipped on its notebook devices between September and December 2014. In January, as a result of user feedback, the product was disabled by Superfish on its end, and Lenovo stopped preloading the software. "We will not preload this software in the future," the Chinese hardware manufacturer said. The company dismissed security concerns that Superfish was able to hijack SSL/TLS connections via a self-signing root certificate authority that had the same private key on each and every Lenovo device upon which Superfish was installed. "We have thoroughly investigated this technology, and do not find any evidence to substantiate security concerns," Lenovo's statement said. "We know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience, and priorities first." However, a security advisory published by Lenovo rated the incident as highly severe. "Superfish intercept HTTP(S) traffic using a self-signed root certificate. This is stored in the local certificate store and provides a security concern," the advisory said. The advisory also revealed the model numbers for notebooks that suffered from having Superfish preloaded: [...] It took mere hours, once the Superfish flaw was known, for the Superfish private key to be extracted by security expert Robert Graham. "The consequence is that I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a cafe Wi-Fi hotspot," he said. [...]
Simon Phipps, In an exclusive interview, Lenovo's Mark Cohen explains how the Superfish debacle went down, InfoWorld, 20 Feb 2015 http://www.infoworld.com/article/2886959/laptop-computers/are-you-buying-risk-along-with-your-laptop.html
AP/Olympian via NNSquad http://www.theolympian.com/2015/02/21/3588510/superfish-points-fingers-over.html Either way, don't expect a mea culpa. Faced with a withering publicity barrage that could jeopardize any startup's future, Superfish CEO Adi Pinhas blamed another company for the security flaw and complained about what he called "false and misleading statements made by some media commentators and bloggers." Oh give me a break. This isn't rocket science. You screw around with the certs that way, you're committing a Man in the Middle attack. Q.E.D. Period. Full stop.
BBC via NNSquad http://www.bbc.com/news/technology-31523497 "Samsung has acknowledged that some of its smart TV models are uploading their owners' voices to the Internet in an unencrypted form. The apparent oversight makes it easier for hackers to spy on customers' activities." - - - Yeah, now they say they're fixing it. Great job, guys, your check from the Russian Security Service is in the mail.
Taylor Armerding, CSO Online, 17 Feb 2015 Millennials, by some accounts, have plenty of tech savvy but not much when it comes to security. What should your organization do about that? http://www.csoonline.com/article/2884638/security-awareness/millennials-becoming-known-as-generation-leaky.html
Source: http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216 The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives. That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations./ I've had hard disks that simply refused to store the word "oversight", it only worked if I changed that to "trust us". Now I know why.
Guardian via NNSquad "How Google determined our right to be forgotten" http://www.theguardian.com/technology/2015/feb/18/the-right-be-forgotten-google-search - - - Reliably nonsensical tripe from *The Guardian*. I've spent so much time and so many words ripping apart the disastrous concept that is the "Right To Be Forgotten" (RTBF) that I won't bend your ears (or rather, eyes) on it again here, except to note what is likely the most critical element—EU desires to expand their regional bureaucratic censorship nightmare regime from regional versions of Google to google.com globally. And it takes no more than a modicum of intelligence to see the problem with such demands. For if the EU can do this (and keep in mind we're likely on the cusp of vast new demands for Internet censorship from politically pandering European and other leaders promising to control the Net to ostensibly "stop terrorists") -- then what's to stop Putin, or Kim Jong-un, or the leaders who imprison citizens for decades for the "crime" of blasphemy or speaking negatively about their leaders—from making exactly the same kinds of demands for global censorship? There is no "gentle" path in this realm. All routes leading from the EU RTBF lead to kicking free speech off the cliff, to the delight and enrichment of the leaders who view information control as their permanent meal ticket to political control.
[Thanks to D Kross] The new standard http://www.post-gazette.com/news/education/2015/02/17/CMU-Sorry-your-acceptance-letter-was-sent-by-mistake/stories/201502170196
Marc Goodman FUTURE CRIMES: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It Doubleday, 2015, [The pre-pub copy I have seen is pushing 400 pages, plus copious end-notes] I noted in RISKS-28.43 that the forthcoming *Future Crimes* book would be highly relevant to RISKS readers. I've read it more carefully since then, and it is worthy of another mention here. This book is full of valuable anecdotes that illustrate the seriousness and pervasiveness of existing and past computer crimes—which are becoming increasingly more prevalent and more egregious. The book exhibits considerable wisdom and serious understanding of the risks, and I believe has a very realistic view of the future. The pithy final chapter considers The Way Forward and how to cope with the likely future. Also, the appendix has some useful suggestions for coping sensibly with the new reality; this provides a strong case for things *you* can do to protect yourself. From my own point of view, it seems that the book does not sufficiently confront the reality that today every system or network is riddled with security flaws, so that we really need computer and communication infrastructures that are inherently much more trustworthy than exist today. Nevertheless, the book should be very valuable to a wide range of readers—from naive computer users (who are likely to be shocked and surprised) to experienced people who have not yet fully understood the true depth of where we might be heading in the future. It's nicely organized, and makes a very good read. With respect to the *Future Crime* subtitle, `Everything is Connected', I am reminded of Bob Morris's statement for the National Research Council's CTSB on 19 September 1988: “To a first approximation, every computer in the world is connected with every other computer.'' That has become ever truer today; even if the dark net is not searchable, it is still accessible. PGN [Marc Goodman is a global strategist with over two decades of experience in law enforcement, former FBI Futurist-in-Residence, advisor to Interpol and over 70 countries in transnational cyberrisks, founder of the Future Crimes Institute, and Chair for Policy, Law, and Ethics at Silicon Valley's Singularity University.]
I find the statement "this digital snapshot would then be uploaded to the cloud where it could, in theory, live on in perpetuity" somewhat naive. At least he says "in theory", because in practice, there's no such place as "the cloud"—data have to be stored on some physical system eventually. In order to be kept "in perpetuity", someone must keep an eye on it constantly, ensuring that it stays useful across system upgrades, hardware switches, and changes of caretakers. Any break in the chain might cause data to be lost, possibly without anyone noticing until it's too late to save it.
On that topic, this comment in The Register (a UK e-zine) from a user "hplasm" is worth sharing: "A patch that breaks Powerpoint? What's wrong with that?"
In Risks 28.52, Paul Wallich wrote, "For people who are getting Plain Internet Service, regulators have already pretty much put the cable modem/router/access point/whatever on the customer side of the demarc..." My Fairpoint FIOS fiber-optic phone/Internet service also terminates in my garage. (It should be phone/Internet/TV but Cox Cable apparently has better lawyers in New Hampshire). Anyway, at the first power outage I was surprised to find that the rechargeable 7AH gel-cell battery inside the FIOS equipment box powered only the telephone service, not the Internet service. Apparently this is all the law requires so that 911 service will have higher availability. I remedied this by plugging the power cord for the entire FIOS equipment box into a separate UPS that I purchased locally. Now everything including my Internet service (and my VOIP phone lines) stays up during short outages.
In Real Life, one should be able to cope with accidental, as well as malicious, man-in-the-middle attacks. I have a Linux box awaiting a "salvage data and reinstall from OS up" exercise, because some of its system updates were invisibly corrupted in transit by Google's much-ballyhooed Mountain View wifi network, which it turned out could not be counted on to detect and resend corrupted packets—I suspect that the Layer 2 checksums were computed after the corruption was introduced. Rigorous verification of digital signatures should have made it possible to at least detect and contain the damage. David Gillett, CISSP CCNP
In RISKS-28.51, Lauren Weinstein wrote that Jeb Bush published hundreds of thousands of emails sent to him during his time as governor of Florida. Since the copyright of each of these letters belongs to the persons who wrote them, unless he got permission to publish them, he infringed upon their copyright.
Thanks for your thoughtful remarks on "Can Open-Source Voting Tech Fix the U.S. Elections System?". Given the many challenges you listed, I hope that any RISKS reader can conclude that it is truly a quixotic quest to build voting systems where software is 100% trusted to produce correct election results. I think that yous remarks on this model should convince any RISKS reader that it is fundamentally impossible to build a perfectly secure computing system for voting; and also impractical to build a fairly resilient system that can be operated by not-especially-risks-savvy election officials and volunteers. So what so we do instead? Some thoughts here about a *different* model where reasonable methods can be applied to creating a trustworthy election process that includes but does not trust software that counts ballots ... 1. Evidence based elections Open source code is not a solution to for fundamental problems in computing; Reflections on Trusting Trust still rules. Instead, "evidence based elections" is the term of art used by many election officials and election techies. Since both computers and people can't be solely trusted for accurate vote counts, the approach is to derive confidence from a publicly viewable process that trusts neither. First, voters cast paper ballots. (Computers can be involved in creating them.) Second, machines count the paper ballots and record the tallies. (Optical scan, digital image processing software, etc.) Third, election officials select batches of machine-counted ballots, and hand count them to detect any variance between human interpretation and the machine interpretation of the marks on the ballot. Selection of the batches, and the number of ballots involved, should follow statistically significant variance. 2. Smaller scope for software assurance That stated, there is still significant value in software assurance, including publicly visible source code, independent testing, etc. Even though the ballot-counting software is not trusted for correctness, it make sense to invest in software quality. But the *very* important point is that the quality and assurance are *not* in pursuit of highly trustworthy software—but rather software that has reasonable quality for doing its job well, particularly including creating the digital evidence for the "risk limiting audit" process sketched above. That evidence includes both a retained image of each ballot, and a "cast vote record" of interpretation made by software of that image. If the software fails in its duty to create the digital evidence, then the auditing process may be impaired. (Note that the audit process can be done with nothing more than batches and roll-up tallies of each batch, but it is more labor intensive.) If this sounds unfamiliar or improbable to some readers, let me re-assure: election officials across the U.S. are demanding exactly this approach to the next generation of voting systems, and a variety of organizations are listening and stepping up to help: government orgs (NIST, EAC), standards bodies (IEEE, NIST), and educational and research orgs like ours, the OSET Foundation; and technology developers include our TrustTheVote Project 3. Provenance and validation of software One last point is about software provenance: how do we know that a voting machine is running the approved software that it is "supposed to"? Currently, no voting system product that I know of has the ability to do this. One among several reasons that TrustTheVote Project has been doing voting tech development form scratch, is to include a boot time validation capability as a basic part of he design. Such validation is a critical requirement in our system. However, such validation was not a stated requirement back in 2002 when the HAVA mandated a move to electronic voting. Not being required, the vendors then and now very understandably didn't invest engineering effort in providing it. I hope that sounds like a more reasonable path that does not require *all* of the potentially complex mechanisms that your outlined in your RISKS post. John Sebes, OSET Foundation / TrustTheVote Project
This is a nice one: work gives you a laptop with site-licensed copy of Microsoft Windows and AnyConnect setup so that your computer is part of "the site". For, among other things, when Windows wants call home and check it's legit. Then KB 3023607 installs itself and suddenly you are the Dread Software Pirate HAM Who Stole Bill's Basic.
(RISKS-28.51) Statistical analysis of programs considered harmful? Indeed much of the use of "goto" is really as a "break" or similar statement. Perhaps a better question is what is the harm done by simply avoiding the string "goto". Closely related the is effort to eliminate multiple returns in programs. Both dogmatic approaches result in programs that are just as spaghetti code as program rife with goto's. And that's the real issue—how do does one write programs that can be understood and maintained. As Dijkstra noted the goal is to give people reading the static expression of a program better ability to understand the dynamic state. Too bad that simply point got lost in the focus on purity. Perhaps the biggest failing of the paper is in not considering the dynamic state of the practice of programming. In 1968 Goto's only one of the many problematic practices. Patching branch statements at runtime instead of using flag variables was not uncommon. Since then we've learned much more about writing readable code and studying "post Dijkstra" usage begs the question.
Gene Wirchenko remembers when URLs were fairly short. URLs are long now because long URLs with "semantic content" translate to higher rankings in one of Google's ranking algorithms.
Please report problems with the web pages to the maintainer