The following is being provided as a service. If you wish to
subscribe directly, please do. This reproduction is authorized per
the originator's own statement (see text below).
---- Below is the text of the newsletter in it's entirety ---
CRYPTO-GRAM
July 15, 2006
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@...
http://www.schneier.com
http://www.counterpane.com
A free monthly newsletter providing summaries, analyses, insights,
and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<
http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<
http://www.schneier.com/crypto-gram-0607.html>. These same essays
appear in the "Schneier on Security" blog:
<
http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Economics and Information Security
Crypto-Gram Reprints
Google and Click Fraud
A Minor Security Lesson from Mumbai Terrorist Bombings
News
Getting a Personal Unlock Code for Your O2 Cell Phone
The League of Women Voters Supports Voter-Verifiable Paper
Trails
Brennan Center and Electronic Voting
Comments from Readers
** *** ***** ******* *********** *************
Economics and Information Security
I'm sitting in a conference room at Cambridge University, trying to
simultaneously finish this article for Wired News and pay attention
to
the presenter onstage.
I'm in this awkward situation because 1) this article is due
tomorrow,
and 2) I'm attending the fifth Workshop on the Economics of
Information
Security, or: WEIS -- to my mind, the most interesting computer
security conference of the year.
The idea that economics has anything to do with computer security is
relatively new. Ross Anderson and I seem to have stumbled upon the
idea
independently. He, in his brilliant article from 2001, "Why
Information
Security Is Hard -- An Economic Perspective," and me in various
essays
and presentations from that same period.
WEIS began a year later at the University of California at Berkeley
and
has grown ever since. It's the only workshop where technologists get
together with economists and lawyers and try to understand the
problems
of computer security.
And economics has a lot to teach computer security. We generally
think
of computer security as a problem of technology, but often systems
fail
because of misplaced economic incentives: the people who could
protect
a system are not the ones who suffer the costs of failure.
When you start looking, economic considerations are everywhere in
computer security. Hospitals' medical-records systems provide
comprehensive billing-management features for the administrators who
specify them, but are not so good at protecting patients' privacy.
Automated teller machines suffered from fraud in countries like the
United Kingdom and the Netherlands, where poor regulation left banks
without sufficient incentive to secure their systems, and allowed
them
to pass the cost of fraud along to their customers. And one reason
the
internet is insecure is that liability for attacks is so diffuse.
In all of these examples, the economic considerations of security are
more important than the technical considerations.
More generally, many of the most basic security questions are at
least
as much economic as technical. Do we spend enough on keeping hackers
out of our computer systems? Or do we spend too much? For that
matter,
do we spend appropriate amounts on police and Army services? And are
we
spending our security budgets on the right things? In the shadow of
9/11, questions like these have a heightened importance.
Economics can actually explain many of the puzzling realities of
internet security. Firewalls are common, e-mail encryption is rare:
not
because of the relative effectiveness of the technologies, but
because
of the economic pressures that drive companies to install them.
Corporations rarely publicize information about intrusions; that's
because of economic incentives against doing so. And an insecure
operating system is the international standard, in part, because its
economic effects are largely borne not by the company that builds the
operating system, but by the customers that buy it.
Some of the most controversial cyberpolicy issues also sit squarely
between information security and economics. For example, the issue of
digital rights management: Is copyright law too restrictive -- or not
restrictive enough -- to maximize society's creative output? And if
it
needs to be more restrictive, will DRM technologies benefit the music
industry or the technology vendors? Is Microsoft's Trusted Computing
Initiative a good idea, or just another way for the company to lock
its
customers into Windows, Media Player and Office? Any attempt to
answer
these questions becomes rapidly entangled with both information
security and economic arguments.
WEIS encourages papers on these and other issues in economics and
computer security. We heard papers presented on the economics of
digital forensics of cell phones -- if you have an uncommon phone,
the
police probably don't have the tools to perform forensic analysis --
and the effect of stock spam on stock prices: It actually works in
the
short term. We learned that more-educated wireless network users are
not more likely to secure their access points, and that the best
predictor of wireless security is the default configuration of the
router.
Other researchers presented economic models to explain patch
management, peer-to-peer worms, investment in information security
technologies and opt-in versus opt-out privacy policies. There was a
field study that tried to estimate the cost to the U.S. economy for
information infrastructure failures: less than you might think. And
one
of the most interesting papers looked at economic barriers to
adopting
new security protocols, specifically DNS Security Extensions.
This is all heady stuff. In the early years, there was a bit of a
struggle as the economists and the computer security technologists
tried to learn each others' languages. But now it seems that there's
a
lot more synergy, and more collaborations between the two camps.
I've long said that the fundamental problems in computer security are
no longer about technology; they're about applying technology.
Workshops like WEIS are helping us understand why good security
technologies fail and bad ones succeed, and that kind of insight is
critical if we're going to improve security in the information age.
Links to all the WEIS papers are available here.
http://weis2006.econinfosec.org
Ross Anderson's Why Information Security Is Hard -- An Economic
Perspective":
http://www.cl.cam.ac.uk/ftp/users/rja14/econ.pdf
** *** ***** ******* *********** *************
Crypto-Gram Reprints
Crypto-Gram is currently in its ninth year of publication. Back
issues
cover a variety of security-related topics, and can all be found on
<
http://www.schneier.com/crypto-gram-back.html>. These are a
selection
of articles that appeared in this calendar month in other years.
CardSystems Exposes 40 Million Identities:
http://www.schneier.com/crypto-gram-0507.html#3
Due Process and Security:
http://www.schneier.com/crypto-gram-
0407.html#1
Coca-Cola and the NSA:
http://www.schneier.com/crypto-gram-0407.html#8
How to Fight:
http://www.schneier.com/crypto-gram-0307.html#1
Crying Wolf:
http://www.schneier.com/crypto-gram-0307.html#8
Embedded Control Systems and Security:
http://www.schneier.com/crypto-
gram-0207.html#1
Phone Hacking: The Next Generation:
http://www.schneier.com/crypto-
gram-0107.html#1
Monitoring First:
http://www.schneier.com/crypto-gram-0107.html#5
Full Disclosure and the CIA:
http://www.schneier.com/crypto-gram-
0007.html#1
Security Risks of Unicode:
http://www.schneier.com/crypto-gram-
0007.html#9
The Future of Crypto-Hacking:
http://www.schneier.com/crypto-gram-
9907.html#hacking
Bungled SSL:
http://www.schneier.com/crypto-gram-9907.html#doghouse
Declassifying Skipjack:
http://www.schneier.com/crypto-gram-
9807.html#skip
** *** ***** ******* *********** *************
A Minor Security Lesson from Mumbai Terrorist Bombings
Two quotes. "Authorities had also severely limited the cellular
network for fear it could be used to trigger more attacks."
And: "Some
of the injured were seen frantically dialing their cell phones. The
mobile phone network collapsed adding to the sense of panic."
Cell phones are useful to terrorists, but they're more useful to the
rest of us.
http://www.stuff.co.nz/stuff/0,2106,3729278a12,00.html
Note: The story was changed online, and the second quote was deleted.
** *** ***** ******* *********** *************
Google and Click Fraud
Google's $6B-a-year advertising business is at risk because it can't
be
sure that anyone is looking at its ads. The problem is called click
fraud, and it comes in two basic flavors.
With network click fraud, you host GoogleAds on your own
website. Google pays you every time someone clicks on its ad on your
site. It's fraud if you sit at the computer and repeatedly click on
the ad or -- better yet -- write a computer program that repeatedly
clicks on the ad. That kind of fraud is easy for Google to spot, so
the clever network click fraudsters simulate different IP addresses,
or
install Trojan horses on other people's computers to generate the
fake
clicks.
The other kind of click fraud is competitive. You notice your
business
competitor has bought an ad on Google, paying Google for each
click. So you use the above techniques to repeatedly click on his
ads,
forcing him to spend money -- sometimes a lot of money -- on
nothing. Click Monkeys is a spoof site that offers to commit click
fraud for you.)
Click fraud has become a classic security arms race. Google improves
its fraud detection tools, so the fraudsters get cleverer ... and the
cycle continues. Meanwhile, Google is facing multiple lawsuits from
those who claim the company isn't doing enough. My guess is that
everyone is right: it's in Google's interest both to solve and to
downplay the importance of the problem.
But the overarching problem is both hard to solve and important: how
do
you tell if there's an actual person sitting in front of a computer
screen? How do you tell that the person is paying attention, hasn't
automated his responses, and isn't being assisted by
friends? Authentication systems are big business, whether based on
something you know (passwords), something you have (tokens), or
something you are (biometrics). But none of those systems can secure
you against someone who walks away and lets another person sit down
at
the keyboard, or a computer that's infected with a Trojan.
This problem manifests itself in other areas, as well.
For years, online computer game companies have been battling players
who use computer programs to assist their play: programs that allow
them to shoot perfectly, or see information they normally couldn't
see.
Playing is less fun if everyone else is computer assisted, but unless
there's a cash prize on the line, the stakes are small. Not so with
online poker sites, where computer-assisted players -- or even
computers playing without a real person at all -- have the potential
to
drive all the human players away from the game.
Look around the internet, and you see this problem pop up again and
again. The whole point of captchas is to ensure that it's a real
person visiting a website, not just a bot on a computer. Standard
testing doesn't work online, because the tester can't be sure that
the
test taker doesn't have his book open, or a friend standing over his
shoulder helping him. The solution in both cases is a proctor, of
course, but that's not always practical and obviates the benefits of
internet testing.
This problem has even come up in court cases. In one instance, the
prosecution demonstrated that the defendant's computer committed some
hacking offence, but the defense argued that it wasn't the defendant
who did it -- that someone else was controlling his computer. And in
another case, a defendant charged with a child porn offense argued
that, while it was true illegal material was on his computer, his
computer was in a common room of his house and he hosted a lot of
parties -- and it wasn't him who'd downloaded the porn.
Years ago, talking about security, I complained about the link
between
computer and chair. The easy part is securing digital information:
on
the desktop computer, in transit from computer to computer, or on
massive servers. The hard part is securing information from the
computer to the person. Likewise, authenticating a computer is much
easier than authenticating a person sitting in front of the
computer. And verifying the integrity of data is much easier than
verifying the integrity of the person looking at it -- in both senses
of that word.
And it's a problem that will get worse as computers get better at
imitating people.
Google is testing a new advertising model to deal with click fraud:
cost per action. Advertisers don't pay unless the customer performs
a
certain action: buys a product, fills out a survey, whatever. It's a
hard model to make work -- Google would become more of a partner in
the
final sale instead of an indifferent displayer of advertising -- but
it's the right security response to click fraud: change the rules of
the game so that click fraud doesn't matter.
That's how to solve a security problem.
Lawsuits against Google:
http://www.sfgate.com/cgi-bin/article.cgi?
f=/c/a/2006/03/09/BUGRMHKQTR1.
DTL or
http://tinyurl.com/z6gju
http://www.marketwire.com/mw/release_html_b1?release_id=103417
Spoof site:
http://www.clickmonkeys.com/
Captchas:
http://en.wikipedia.org/wiki/Captchas
Google cost-per-action testing:
http://www.betanews.com/article/Google_Tests_CostPerAction_Ads/1151005
16
9 or
http://tinyurl.com/znvzf
** *** ***** ******* *********** *************
News
Surreal story about a person coming into the U.S. from Iraq who is
held
up at the border because he used to sell copyrighted images on T-
shirts.
http://www.latimes.com/news/opinion/commentary/la-oe-
lemoine13jun13,0,15
07648.story or
http://tinyurl.com/ourlr
Patrick Smith writes the "Ask the Pilot" column for Salon. He's
written two very good posts on airline security, one about how
Israel's
system won't work in the U.S., and the other about profiling:
http://www.salon.com/tech/col/smith/2006/06/09/askthepilot189/
http://www.salon.com/tech/col/smith/2006/06/16/askthepilot190/
There are a variety of encryption technologies that allow you to
analyze data without knowing details of the data. Think of it as
privacy-enhanced data mining.
http://www.wired.com/news/wireservice/0,71184-0.html
"How to build a low-cost, extended-range RFID skimmer" by Ilan
Kirschenbaum and Avishai Wool. To appear in 15th USENIX Security
Symposium, Vancouver, Canada, August 2006.
http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html
Fascinating paper on Xbox security. The conclusion: "The security
system of the Xbox has been a complete failure."
http://www.xbox-
linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Se
curity_System or
http://tinyurl.com/blbke
This sounds like a science fiction premise: unmanned drones that
monitor the population for crimes.
http://www.wired.com/news/wireservice/0,71198-0.html
Random identity generator:
http://dev.allredtech.com/fakename/
I have no idea how good they are.
More information about the Greek wiretapping scandal:
http://www.schneier.com/blog/archives/2006/06/greek_wiretappi_1.html
http://www.schneier.com/blog/archives/2006/07/greek_wiretappi.html
I wrote about it previously:
http://www.schneier.com/blog/archives/2006/02/phone_tapping_i.html
AT&T rewrites its privacy policy:
http://www.sfgate.com/cgi-
bin/article.cgi?file=/chronicle/archive/2006/0
6/21/BUG9VJHB9C1.DTL&type=business or
http://tinyurl.com/on53q
http://ars.userfriendly.org/cartoons/?id=20060625
I've long known about the possible Unix date issue, but this is the
first I've heard of an actual bug due to the Unix time epoch rolling
over in 2038.
http://thedailywtf.com/forums/thread/78254.aspx
MySpace is increasing security.
http://www.cnn.com/2006/TECH/internet/06/20/myspace.safety.ap.ap/index
.h
tml or
http://tinyurl.com/rplw8
Honestly, it all sounds a lot more like cover-your-ass security than
real security: MySpace securing itself from lawsuits. "Safety
experts"
seem to agree that it won't improve security much.
http://www.washingtonpost.com/wp-
dyn/content/article/2006/06/25/AR200606
2500426.html or
http://tinyurl.com/r4vkn
Digital redacting failures are getting so common that they're no
longer
news:
http://www.mercurynews.com/mld/mercurynews/sports/special_packages/dop
in
g_scandal/14882936.htm or
http://tinyurl.com/kbyjm
You'd think a national mint would have better security against
insiders. But no, an employee at the Australian Mint stole $600 a
day
over a ten-month period.
http://www.smh.com.au/news/national/mint-
security-lapse-amazes-judge/200
6/06/21/1150845228544.html or
http://tinyurl.com/hox2e
Interesting research on how to defeat China's national firewall:
http://www.lightbluetouchpaper.org/2006/06/27/ignoring-the-great-
firewal
l-of-china/ or
http://tinyurl.com/zzbt5
Congress learns how little privacy we have:
http://www.washingtonpost.com/wp-
dyn/content/article/2006/06/25/AR200606
2500426.html
Excellent analysis on applying CALEA to VoIP: "Security Implications
of Applying the Communications Assistance to Law Enforcement Act to
Voice over IP," by Steve Bellovin, Matt Blaze, Ernie Brickell, Clint
Brooks, Vint Cerf, Whit Diffie, Susan Landau, Jon Peterson, and John
Treichler. At least read the Executive Summary.
http://www.itaa.org/news/docs/CALEAVOIPreport.pdf
Maybe I shouldn't have said this: "'I have a completely open Wi-Fi
network,' Schneier told ZDNet UK. 'Firstly, I don't care if my
neighbors are using my network. Secondly, I've protected my
computers.
Thirdly, it's polite. When people come over they can use it.'" For
the
record, I have an ultra-secure wireless network that automatically
reports all hacking attempts to unsavory men with bitey dogs.
http://news.com.com/2100-1029_3-6088741.html
More true than funny, unfortunately. A template for news stories on
data gathering:
http://www.concurringopinions.com/archives/2006/06/template_for_ne.htm
l
I can't believe I forgot to blog this great article about the
communications intercept trade show in DC:
http://www.wired.com/news/technology/0,71022-0.html?
tw=wn_story_page_pre
v2 or
http://tinyurl.com/rsebu
Just patented: password-protected bullets:
http://www.newscientisttech.com/article.ns?id=dn9412&feedId=online-
news_
rss20 or
http://tinyurl.com/pyn4s
Does Microsoft have the ability to disable Windows remotely? Maybe.
http://blogs.zdnet.com/Bott/?p=84&tag=nl.e622
Loading ActiveX controls on Vista without administrator privileges.
http://www.schneier.com/blog/archives/2006/07/load_activex_co.html
There's a lot of discussion as to whether this is a good idea or
not. I think ActiveX is a bad idea in the first place.
A song: Facial Recognition Technology Blues
http://www.eddiebandthegspots.com/Facial%20Recognition%20Technology%
20Bl
ues.mp3 or
http://tinyurl.com/hgnbm
This cell phone has a built in Breathalyzer. It alerts you if you're
too drunk to drive, and allows you to configure certain phone numbers
so you can't dial them while drunk. Think ex-lovers, and perhaps
your
boss.
http://abcnews.go.com/Technology/story?id=2125709
Annual Report from the Privacy Commissioner of Canada
http://www.privcom.gc.ca/information/ar/200506/200506_pa_e.asp
This is the 2001-2002 report:
http://www.privcom.gc.ca/information/ar/02_04_10_e.asp
Excellent reading.
In this attack, you can seize control of someone's computer using his
WiFi interface, even if he's not connected to a network. No details
yet; the researchers are presenting their results at BlackHat on
August
2nd.
http://www.infoworld.com/article/06/06/21/79536_HNwifibreach_1.html
No details yet. The researchers are presenting their results at
BlackHat on August 2.
http://www.blackhat.com/html/bh-usa-06/bh-usa-
06-index.html
Here's a new patent issued to the U.S. Navy. It sounds like they've
patented the firewall.
http://appft1.uspto.gov/netacgi/nph-Parser?
Sect1=PTO1&Sect2=HITOFF&d=PG0
1&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%
2220050022023%
22.PGNR.&OS=DN/20050022023&RS=DN/20050022023 or
http://tinyurl.com/khex6
Here's a chronology of data breaches since the ChoicePoint theft in
February 2005. Total identities stolen: 88,794,619. Although,
almost
certainly, many names are on that list multiple times.
http://www.privacyrights.org/ar/ChronDataBreaches.htm
I have already explained why NSA-style wholesale surveillance
data-mining systems are useless for finding terrorists. Here's a
more
formal explanation:
http://www.lewrockwell.com/orig7/rudmin1.html
My essay:
http://www.schneier.com/blog/archives/2006/03/data_mining_for.html
One response to software liability is to deliberately program in such
a
way as to obscure liabilities. This blog entry on "unreliable
programming" is satire, but it's perceptive.
http://pestilenz.org/cgi-
bin/blosxom.cgi/2005/11/11
A news article on the failure of two-factor authentication. Phishers
are converting to man-in-the-middle attacks, which bypass the
security
measures.
http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoo
fs
_2factor_1.html or
http://tinyurl.com/rbmr2
I predicted this last year.
http://www.schneier.com/crypto-gram-
0503.html#2
The New York Times is running a scare story on the linkage between
identity theft and methamphetamine users. Supposedly meth users are
ideally suited to be computer hackers. I don't know if this is true
or
not, but I worry about Congressional intervention if hacking gets
linked to the war on drugs.
http://www.nytimes.com/2006/07/11/us/11meth.html
The Galileo satellite codes have been cracked. Actually, the cracked
codes are from a prototype satellite; the final Galileo codes will be
different.
http://www.newswise.com/articles/view/521790/
Spy gadgets you can buy. What's interesting to me is less what is
available commercially today, and more what we can extrapolate is
available to real spies.
http://darkcreek.com/detective_equipment/notebook.htm
Good article on how complexity greatly limits the effectiveness of
terror investigations. The stories of wasted resources are all from
the
UK, but the morals are universal.
http://www.theregister.com/2006/07/06/90_days_terror_law_analysis/
** *** ***** ******* *********** *************
Getting a Personal Unlock Code for Your O2 Cell Phone
O2 is a UK cell phone network. The company gives you the option of
setting up a PIN on your phone. The idea is that if someone steals
your phone, they can't make calls. If they type the PIN incorrectly
three times, the phone is blocked. To deal with the problems of
phone
owners mistyping their PIN -- or forgetting it -- they can contact O2
and get a Personal Unlock Code (PUK). Presumably, the operator goes
through some authentication steps to ensure that the person calling
is
actually the legitimate owner of the phone.
So far, so good.
But O2 has decided to automate the PUK process. Now anyone on the
Internet can visit an O2 website type in a valid mobile telephone
number, and get a valid PUK to reset the PIN -- without any
authentication whatsoever.
This seems like a bad idea, but after I posted it on my blog a
representative from O2 sent me the following:
"Yes, it does seem there is a security risk by O2 supplying such a
service, but in fact we believe this risk is very small. The risk is
when a customer's phone is lost or stolen. There are two scenarios in
that event:
"Scenario 1 - The phone is powered off. A PIN number would be
required
at next power on. Although the PUK code will indeed allow you to
reset
the PIN, you need to know the telephone number of the SIM in order to
get it – there is no way to determine the telephone number from the
SIM
or handset itself. Should the telephone number be known the risk is
then same as scenario 2.
"Scenario 2 - The phone remains powered on: here, the thief can use
the
phone in any case without having to acquire PUK.
"In both scenarios we have taken the view that the principle security
measure is for the customer to report the loss/theft as quickly as
possible, so that we can remotely disable both the SIM and also the
handset (so that it cannot be used with any other SIM)."
The O2 website:
http://www.o2.co.uk/puk/landing/0,,555,00.html
** *** ***** ******* *********** *************
The League of Women Voters Supports Voter-Verifiable Paper
Trails
For a long time, the League of Women Voters (LWV) had been on the
wrong
side of the electronic voting machine issue. They were in favor of
electronic machines, and didn't see the need for voter-verifiable
paper
trails. (They use to have a horrid and misleading Q&A about the
issue
on their website, but it's gone now. Barbara Simons published a
rebuttal, which includes their original Q&A.)
The politics of the LWV are Byzantine, but basically there are local
leagues under state leagues, which in turn are under the national
(LWVUS) league. There is a national convention once every other
year,
and all sorts of resolutions are passed by the membership. But the
national office can do a lot to undercut the membership and the state
leagues. The politics of voting machines is an example of this.
At the 2004 convention, the LWV membership passed a resolution on
electronic voting called "SARA," which stood for "Secure, Accurate,
Recountable, and Accessible." Those in favor of the resolution
thought
that "recountable" meant auditable, which meant voter-verifiable
paper
trails. But the national LWV office decided to spin SARA to say that
recountable does not imply paper. While they could no longer oppose
paper outright, they refused to say that paper was desirable. For
example, they held Georgia's system up as a model, and Georgia uses
paperless Diebold DRE machines. It makes you wonder if the LWVUS
leadership is in someone's pocket.
So at the 2006 convention, the LWV membership passed *another*
resolution. This one was much more clearly worded: designed to make
it
impossible for the national office to pretend that the LWV was not in
favor of voter-verified paper trails.
Unfortunately, the League of Women Voters has not issued a press
release about this resolution. (There is a press release by
VerifiedVoting.org about it.) I'm sure that the national office
simply
doesn't want to acknowledge the membership's position on the issue,
and
wishes the issue would just go away quietly. It's a pity; the
resolution is a great one and worth publicizing.
Here's the text of the resolution:
"Resolution Related to Program Requiring a Voter-Verifiable Paper
Ballot or Paper Record with Electronic Voting Machines
"Motion to adopt the following resolution related to program
requiring
a voter-verified paper ballot or paper record with electronic voting
systems.
"Whereas: Some LWVs have had difficulty applying the SARA Resolution
(Secure, Accurate, Recountable and Accessible) passed at the last
Convention, and
"Whereas: Paperless electronic voting systems are not inherently
secure, can malfunction, and do not provide a recountable audit trail,
"Therefore be it resolved that:
"The position on the Citizens' Right to Vote be interpreted to affirm
that LWVUS supports only voting systems that are designed so that: 1.
they employ a voter-verifiable paper ballot or other paper record,
said paper being the official record of the voter¹s intent; and 2.
the voter can verify, either by eye or with the aid of suitable
devices for those who have impaired vision, that the paper
ballot/record accurately reflects his or her intent; and
3. such verification takes place while the voter is still in the
process of voting; and
4. the paper ballot/record is used for audits and recounts; and 5.
the vote totals can be verified by an independent hand count of the
paper ballot/record; and
6. routine audits of the paper ballot/record in randomly selected
precincts can be conducted in every election, and the results
published
by the jurisdiction."
By the way, the 2006 LWV membership also voted on a resolution in
favor
of net neutrality (the Connecticut league issued a press release,
because they spearheaded the issue), and one against the death
penalty. The national LWV office hasn't issued a press release about
those two issues, either.
Verified Voting press release:
http://www.verifiedvotingfoundation.org/article.php?id=6363
Net neutrality press release by the Connecticut LWV:
http://www.lwvct.org/issues/action/061506-release-net%20neutrality.htm
Q&A with Barbara Simons' rebuttal:
http://www.schneier.com/lwv-qa.pdf
** *** ***** ******* *********** *************
Brennan Center and Electronic Voting
I have been participating in the Brennan Center's Task Force on
Voting
Security. Earlier this month we released a report on electronic
voting.
From the executive summary:
"In 2005, the Brennan Center convened a Task Force of internationally
renowned government, academic, and private-sector scientists, voting
machine experts and security professionals to conduct the nation's
first systematic analysis of security vulnerabilities in the three
most
commonly purchased electronic voting systems. The Task Force spent
more than a year conducting its analysis and drafting this report.
During this time, the methodology, analysis, and text were
extensively
peer reviewed by the National Institute of Standards and Technology
("NIST")."
And:
"The Task Force examined security threats to the technologies used in
Direct Recording Electronic voting systems ("DREs"), DREs with a
voter
verified auditable paper trail ("DREs w/ VVPT") and Precinct Count
Optical Scan ("PCOS") systems. The analysis assumes that appropriate
physical security and accounting procedures are all in place."
And:
"Three fundamental points emerge from the threat analysis in the
Security Report:
"1. All three voting systems have significant security and
reliability
vulnerabilities, which pose a real danger to the integrity of
national,
state, and local elections.
2. The most troubling vulnerabilities of each system can be
substantially remedied if proper countermeasures are implemented at
the
state and local level.
3. Few jurisdictions have implemented any of the key countermeasures
that could make the least difficult attacks against voting systems
much
more difficult to execute successfully."
And:
"There are a number of steps that jurisdictions can take to address
the
vulnerabilities identified in the Security Report and make their
voting
systems significantly more secure. We recommend adoption of the
following security measures:
"1. Conduct automatic routine audits comparing voter verified paper
records to the electronic record following every election. A voter
verified paper record accompanied by a solid automatic routine audit
of
those records can go a long way toward making the least difficult
attacks much more difficult.
2. Perform "parallel testing" (selection of voting machines at random
and testing them as realistically as possible on Election Day.) For
paperless DREs, in particular, parallel testing will help
jurisdictions
detect software-based attacks, as well as subtle software bugs that
may
not be discovered during inspection and other testing.
3. Ban use of voting machines with wireless components. All three
voting systems are more vulnerable to attack if they have wireless
components.
4. Use a transparent and random selection process for all auditing
procedures. For any auditing to be effective (and to ensure that the
public is confident in such procedures), jurisdictions must develop
and
implement transparent and random selection procedures.
5. Ensure decentralized programming and voting system administration.
Where a single entity, such as a vendor or state or national
consultant, performs key tasks for multiple jurisdictions, attacks
against statewide elections become easier.
6. Institute clear and effective procedures for addressing evidence
of
fraud or error. Both automatic routine audits and parallel testing
are
of questionable security value without effective procedures for
action
where evidence of machine malfunction and/or fraud is discovered.
Detection of fraud without an appropriate response will not prevent
attacks from succeeding."
The report is long, but I think it's worth reading. If you're short
on
time, though, at least read the Executive Summary.
The report has generated some press. Unfortunately, the news
articles
recycle some of the lame points that Diebold continues to make in the
face of this kind of analysis. From The Washington Post article:
"Voting machine vendors have dismissed many of the concerns, saying
they are theoretical and do not reflect the real-life experience of
running elections, such as how machines are kept in a secure
environment.
"'It just isn't the piece of equipment, ' said David Bear, a
spokesman
for Diebold Election Systems, one of the country's largest vendors.
'It's all the elements of an election environment that make for a
secure election.'
"'This report is based on speculation rather than an examination of
the
record. To date, voting systems have not been successfully attacked
in
a live election,' said Bob Cohen, a spokesman for the Election
Technology Council, a voting machine vendors' trade group. 'The
purported vulnerabilities presented in this study, while interesting
in
theory, would be extremely difficult to exploit.'"
I wish The Washington Post found someone to point out that there have
been many, many irregularities with electronic voting machines over
the
years, and the lack of convincing evidence of fraud is exactly the
problem with their no-audit-possible systems. Or that the "it's all
theoretical" argument is the same one that software vendors used to
use
to discredit security vulnerabilities before the full-disclosure
movement forced them to admit that their software had problems.
The report:
http://www.brennancenter.org/presscenter/releases_2006/pressrelease_20
06
_0627.html or
http://tinyurl.com/mwzy8
http://www.brennancenter.org/programs/downloads/Full%20Report.pdf
http://www.brennancenter.org/programs/downloads/Executive%
20Summary.pdf
News articles:
http://today.reuters.com/news/newsArticle.aspx?
type=domesticNews&storyID
=2006-06-27T130232Z_01_N26181575_RTRUKOC_0_US-VOTINGMACHINES.xml or
http://tinyurl.com/kca69
http://business.bostonherald.com/technologyNews/view.bg?
articleid=145981
or
http://tinyurl.com/gdx7l
http://www.usatoday.com/news/washington/2006-06-26-e-voting_x.htm
http://www.washingtonpost.com/wp-
dyn/content/article/2006/06/27/AR200606
2701451_pf.html or
http://tinyurl.com/oudom
** *** ***** ******* *********** *************
Comments from Readers
There are hundreds of comments -- many of them interesting -- on
these
topics on my blog. Search for the story you want to comment on, and
join in.
http://www.schneier.com/blog
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries,
analyses,
insights, and commentaries on security: computer and otherwise. You
can subscribe, unsubscribe, or change your address on the Web at
<
http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.
Comments on CRYPTO-GRAM should be sent to
schneier@.... Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and
clarity.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its
entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See <
http://www.schneier.com>.
Counterpane is the world's leading protector of networked
information -
the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. Counterpane
protects networks for Fortune 1000 companies and governments
world-wide. See <
http://www.counterpane.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Counterpane Internet Security, Inc.
Copyright (c) 2006 by Bruce Schneier.
Having problems with message search?
Fill out this form to ensure your group is one of the first to be migrated to the new message search system.
Offline 
Send Email