Wednesday, January 24, 2007

Congress Lights Fire Under Vote Systems Agency

Internetnews.com's article, "Congress Lights Fire Under Vote Systems Agency," discusses background the NIST's certification of two companies that test electronic voting computers. The article also discusses possible efforts in the Senate and Congress to hold hearings on the electronic voting issues, including a possible subpoena of the source code used in the Florida election.

The Chronicle of Higher Education's article, "Georgia's Unusual 'Electoral College'," (subscription required, ACM TechNews Summary) describes efforts in Georgia by an electronic voting center at Kennesaw State University. TechNews says, "It is the center's perception that the election process' workings should not be disclosed, while many computer and political scientists argue that a transparent election process will help ensure reliability."

Thursday, January 18, 2007

Voting Computer News from Maryland and the Netherlands

The Washington Post article, "Officials Warm To Paper Trail To Verify Votes In Maryland," discusses a Maryland bill that would require paper records for voting computers. Maryland's voting computers are older, so retrofitting might not be possible.

The Dutch voting computer controversy continues. SDU, the manufacturer of the Dutch voting computers, submitted 5 different machines for testing and four of them had RF radiation leaks that made it possible to detect how the votes were cast. See the Slashdot article for links to the original source material.

"The Surprising Security Threat: Your Printers"

Computerworld's article, "The Surprising Security Threat: Your Printers" discusses in a general way how printers can be used as platforms for attacks by "password-catching, password-snarfing (changing passwords), hijacking functions, grabbing print jobs and playing with a billing program."

Wednesday, January 17, 2007

"How Legal Codes Can Hinder Hacker Cases"

The Wall Street Journal (Cassell Byran-Low, p. A8) runs an article today about some of the difficulties in trying people accused of computer crimes, and sentencing them once they're convicted. The article points out that the evidence of a crime, such as the release of a worm or operation of a botnet, can be difficult to collect and that the crimes themselves are difficult to explain in court. In addition, the article notes that damages are difficult to measure:
Some prosecutors say the problem in general isn't so much that available penalties aren't sufficient. "The bigger challenge in the penalty sense is making sure that we can actually quantify the harm that is caused" to persuade a judge to issue a punishment that fits the crime, says Christopher Painter, deputy chief of the U.S. Justice Department's Computer Crime Section. Damages can play a key part in sentencing, but collecting comprehensive data is practically impossible as a virus can affect millions of machines, which often are scattered across many countries.
For example, one provision of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030(a)(4), sets a threshold of $5000 in damages in a one-year period to define a crime. In addition, the U.S. Sentencing Guidelines take the amount of damage into account when recommending a sentences for people convicted under the CFAA. For a criticism of how these damages have been calculated in practice, see this paper by Jennifer Granick.

Friday, January 12, 2007

"Wake Up Your Computer"

The New York Times follows its Jan. 7 news story about botnets (see here) with an editorial that urges users to take steps to secure their computers:
Users need to update their computers regularly, bite the bullet and upgrade when out-of-date software is no longer supported by its maker, use the firewalls that come with their computers, and install antivirus programs. Most states require car owners to buy liability insurance. Asking users to make a minimal effort to keep their computers from damaging others is not beyond the pale.
And the editorial concludes:
Every user has a personal responsibility for our collective security, no matter how much of a hassle updates, firewalls and security patches may be.

Thursday, January 11, 2007

"CMU professor investigates vote"

The Pittsburgh Tribune-Review article, "CMU professor investigates vote," discusses the work of a research panel on the Florida undervote problem. The article quotes Florida Department of State spokesman Sterling Ivey as saying:

"From the evidence we've seen, it appears (the undervote is) a combination of ballot design and voter intent," Ivey said. "I'm not sure that 18,000 people made a conscious decision not to vote in the race, but you'll never know how many of the 18,000 consciously did.

"The key question for the computer scientists is: Is there a problem with the touch screens themselves?"

Tuesday, January 09, 2007

"For Windows Vista Security, Microsoft Called in Pros"

The Washington Post article, "For Windows Vista Security, Microsoft Called in Pros," says that the NSA assisted with the security of Vista. The article says,

The NSA also declined to be specific but said it used two groups -- a "red team" and a "blue team" -- to test Vista's security. The red team, for instance, posed as "the determined, technically competent adversary" to disrupt, corrupt or steal information. "They pretend to be bad guys," Sager [NSA's chief of vulnerability analysis and operations group] said, The blue team helped Defense Department system administrators with Vista's configuration.

Sunday, January 07, 2007

"Attack of the Zombie Computers Is Growing Threat"

John Markoff reports in today's New York Times about the increasing scale of botnet-based operations to send spam and gather and use individuals' financial information. The article quotes David Farber:
“It represents a threat but it’s one that is hard to explain,” said David J. Farber, a Carnegie Mellon computer scientist who was an Internet pioneer. “It’s an insidious threat, and what worries me is that the scope of the problem is still not clear to most people.”

Thursday, January 04, 2007

U.S. Bars Lab From Testing Electronic Voting

The N.Y. Times article, "U.S. Bars Lab From Testing Electronic Voting," covers the decertification of the Ciber corporation from testing electronic voting machines. Avi Ruben is quoted as saying “What’s scary is that we’ve been using systems in elections that Ciber had certified, and this calls into question those systems that they tested."

Tuesday, January 02, 2007

Two Possible Security Programming Tools: Diehard and Airbag

University of Massachusetts research have developed Diehard, which helps with memory management issues.

Google has developed Air Bag, which helps with crash reporting.