Friday, June 13, 2008

Security Hole Left Critical Infrastructure Vulnerable for Months

THIS is the kind of thing that keeps me awake at night...

That, and of course the general ineptitude of our government in terms of adequately dealing with the environmental crisis. Sigh.


Friday, May 23, 2008

The Internet is Helping Us in Natural Disasters, But Not Enough

I just published a new post on the Silicon Valley Moms Blog about what's now being called the "Summit Fire" in the Santa Cruz Mountains near Watsonville. As a kid who grew up in tornado country, I was completely clueless about wildfires until yesterday. Now I've been studying everything available online to track the blaze because it's just a few miles from my sister's dream home, her animals, and one of the most beautiful pieces of property I've ever seen in my life. I don't know if I'm at liberty to describe it, but even if I did, still, it's one of those places where you have to see it to believe it.

In any case, what I learned over the past 24 hours is that although we have 2700 firefighters on the scene to battle these fires, we only get semi-accurate updates about once a day about where the fires really are. People are in their homes waiting for calls or knocks on the door to evacuate. The neighbors who may or may not have phones or power communicate to the best of their ability, but they're still not certain how far away it is. They see the smoke or possibly the flames, but it's difficult to discern the distance. I found one live blog site where there was some minimal conversation via locals about what was going on to help sift through the mystery, but that was it.

So what I want to know is where do we go from here? What is the future of emergency response online? It has to be better than a few news sites and links. I'm not saying what we have now isn't good. I'm happy we have the resources we do. But I know from my technology background that we can do better. We've put together phenomenal outreach programs and online activism to raise money and repair devastated areas. Why not create a place where communities can create ad-hoc emergency response sites as they arise? It's possible something like this already exists, but not enough of us know about it.

What I found was one site for firefighters that said how to listen on short range scanners, some articles on the local newspaper site, a few maps that are only updated daily, the state fire site with data updated periodically (like every day or half a day), one satellite image of the fire, brief TV and radio coverage, a state road closures page, one live blog on the local news station web site where people exchanged notes, and a totally overloaded fire detection map at noaa.gov that nobody can use because everybody's trying to get to it. And when watching the news and hearing from locals, it seems that the firefighters and police are keeping things barricaded for safety and not allowing any information transferral during the process.

Fires are dangerous, but if people can use personal weather stations and webcams like linked on the Weather Underground, why not have a system that applies locals as information centers online and includes what's coming across the waves from emergency support services? Anyone out there have an idea of how to do this?


Thursday, May 08, 2008

Internet Archive Wins Settlement with FBI

From the Chronicle, the Internet Archive recently won a settlement with the FBI about a "national security letter" i.e. government request for private information that was sent to them demanding they turn over data that they probably don't even have. The Archive, legally considered an online library, for those who don't know, was founded by Brewster Kahle who is also on the Board of the EFF. They keep books online as well as web sites, and they run the Wayback machine, a great tool for finding older versions of sites online. (Want to restore from an older backup of your site that's gone? Try the Wayback machine.) Anyway, Brewster's a good guy who just wants to share information with people, so it looks like after 4 months and $10,000 in donated legal services, the FBI got off his back. It's a good article. I haven't spoken with my EFF buddies about this particular case, but I'm guessing they're happy a precedent's been set to show others that the Patriot Act induced loophole can be fought.


Friday, February 01, 2008

Then What Exactly Does the Pentagon Do?

Here's a scary article - supposedly according to a retired Major General, the Pentagon's disaster planning "couldn't move a Girl Scout unit". Well, in their defense, a bunch of girls is hard to herd, but this is really sad considering the billions we spend in tax dollars that ends up flowing through the Pentagon. So they send us to wars that blow things up, shuffle regimes around, kill people, make terrorism easier to hide and raise the price of gasoline and they push paper around under the auspices of "defense" and "disaster planning" is just a word. That's fine. Anyone else ready to move to Antigua?

I've never worked in the Pentagon and I'm sure if I did, I'd have a different perspective, but I have worked in government and in security and I know that it's a big bumbling bureaucracy. I also know that when things are urgent and important, it is possible to make progress. So here's a note to them: things are urgent and important - there are still terrorists out there and there are other pseudo-natural (i.e. global warming-enhanced) disasters also waiting to occur.

This is a problem that's much bigger than the Pentagon; it's a problem that oozes through layers of government regarding who does what and when. News to lawmakers and government agencies: we the people don't care who does it. We just want it done so we can have a safe, solid, secure, sensible country again.

As much as I can't wait until we have a new president in office, I still acknowledge this problem is much bigger than one leader alone can solve. It takes a village and another village and another... 'nuff said, end rant.


Friday, November 16, 2007

Fly, Be Free for the Holidays... Or Not

For those traveling over the holidays, check out this amusing comic at The Moderate Voice from The Hartford Courant. I still don't understand why we had to pour out one ounce of water from my daughter's sippy cup the last time we were going through a security line. (Of course the time before that, they let us through with a lot more... so random.)


Sunday, September 30, 2007

Connecting With Elizabeth Edwards

The Silicon Valley Moms Blog and sister sites (via conference call) Chicago Moms Blog and DC Metro Moms Blog had a unique opportunity to meet with Elizabeth Edwards in San Jose yesterday. As I've been contributing to the blog now for over a year, this was my second chance to meet with this remarkable woman, with whom many of us feel a connection. Except this time was different - she's no longer on a book tour; she's the wife of a presidential candidate. And while the discussion shifted to more specific policy issues than personal, it was still intimate and inviting.

As you can see from my liveblogging, we covered topics from tax brackets to math education to healthcare translators. And Elizabeth Edwards still loves us. (After one of my fellow contributors challenged her parenting choices a few weeks ago, there was some heated exchange that got picked up by "Good Morning America" and taught our blogger and many others a lesson in taking care of what they post. Eventually Elizabeth and Rebecca made up, but it was an interesting few days for the blog.) And we still love her. Even if some of us won't be voting for her husband.

In my case, as much as I really like Elizabeth and John Edwards, Hillary Clinton's experience and her deep grasp of the issues is holding me strongly in her support. When it comes to national security, our place in the world, healthcare and the economy, I believe Hillary Clinton is our best choice. I like John Edwards' proposals and I especially like the fact he's willing to talk about the environment and poverty more than most of the other candidates, but at the end of the day, with terrorists striking, hurricanes flooding and children dying all over the world, I'll sleep better at night knowing Hillary and Bill Clinton are in the White House than John and Elizabeth Edwards. That said, I would still sleep very well knowing John and Elizabeth Edwards were in the White House, and if John Edwards wins the nomination, I will work extremely hard to make sure he wins the election next November.

So what is it about Elizabeth Edwards that makes us all like her so much? As we noticed when we met with her last year during her book tour, she has this down-to-earth quality that shows both her intelligence and her kindness, without any superficial attitude or put-on interest. She genuinely likes to meet new people, she has a wonderfully light way about her, and she sat down with us like we were all old friends. She's also a little bit of a geek, hanging out on the blogs late at night in hotel rooms while traversing the campaign trail, which I find endearing. And she has dealt with major life challenges with the death of her son and her breast cancer, both of which have only added more depth to her persona and more commitment to the causes meaningful to her. I find her both incredibly inspiring and acutely insightful.

Where do we go now? Well, she's promised to meet with the DC Metro Moms Blog and the Chicago Moms Blog as well, so hopefully that will transpire. The SVMoms still seek to meet with other candidates and their spouses, regardless of party, and I hope to help facilitate that. Although I realize it is a long shot because Elizabeth Edwards is unique in her connection to mommybloggers, I think the other candidates could benefit greatly from the discussion with the women in our network - all of whom are highly educated, qualified people in their own right, not just moms, and all of whom represent a key group of women voters.

Some of us from the SVMoms Blog spoke today with various members of the press about our meeting, and one of the points brought up was that this event really has no precedent. The reporter in one case couldn't recall another time where a group of bloggers was given such intimate access to a candidate or candidate's wife. I think this holds great promise for blogs to provide another vehicle for kitchen table and New Hampshire-style living room meet-and-greet democracy. If we can take these small conversations taking place in person and somehow transmit that feeling through the web, we might all feel a little closer to the national political process after all. Thank you Elizabeth.

...
Also posted here on the BlogHer site.


Monday, September 24, 2007

Wiretapping Insecurity - New Law's Loopholes

I don't understand it - one would really like to think our lawmakers would have security in mind, on all levels and from all angles, when devising new policies about security. One would (ok at least I would) especially like to think that recommendations for policies provided by the NSA would be even more concerned with all levels of security. Well, it looks like that's not necessarily the case. See Susan Landau's Washington Post article about our new wiretapping law for the story. Is the NSA the new CIA?


Friday, September 14, 2007

Water Tables, Wasps, Web & Warfare

I can't keep track of everything going on, but amidst trying to order a water play table for my daughter, keep wasps (actually yellow jackets, I guess) away from her swingset, and follow news about how the Chinese are planning to attack us online (wtf?) along with all of the SVMoms' political activity after a week in the North Woods, I'm feeling a bit overwhelmed.

It's all thrilling, but I get off the plane going through email on my iPhone just trying to keep up on the most urgent. Honestly I feel like I'm in the middle of a Presidential campaign again. (Yeah, I know we are, but I'm not working 100 hours a week just on that this time around... at least not right now.)

Watching how the campaigns are doing, it's all good - Hillary is rocking in the print magazines, Edwards' online campaign is on fire, Barack is getting the newspapers going, and I'm hearing more about Thompson and Giuliani every day (although I might add that the Elle magazine article I read on the plane about Rudy's ways with women wasn't all that positive.) Keep up with the tech news about the campaigns at TechPresident or Politics Online. And in terms of national security, Gary Hart has launched a new organization - the American Security Project. I'm very excited about this. I'll blog more about it soon.

Back in the parenting world, plastics are everywhere and although the sky isn't falling, the oceans may be. My dad gave me this frightening chapter from Alan Weisman's book to read while I was in Minnesota. Our oceans are literally drowning in these toxic plastics everybody's ranting about being dangerous to children and fertility, affecting our planetary water table.


Saturday, July 21, 2007

E-Mail Security Flap in Nevada Governor's Office

This is classic... according to Declan McCullagh of the Politech mailing list & CNET News, someone in the Nevada governor's office (I'll only assume accidentally) posted the password to the official Governor's email list and the Outlook account password on the gubernatorial web site via an MS Word document that instructed aides on how to send out weekly email updates.

The current Governor, Jim Gibbons, a Republican, must not have much in terms of tech-savvy staff since (this is my favorite part) the password on the account was 'kennyc', the name of the former Republican governor, Kenny C. Guinn. (Note: the old password was weak, let alone the fact that it's how old?)

The full story details the instructional document and a few additional related facts. As Declan notes, it's possible that there's a firewall or some sort of security above and beyond the password "protection" in their system, so had someone attempted to use that password from the outside to hack in, it may not have worked... we can only assume they've changed it by now having heard about this post. Still, this is one of the most embarrassing political computer security stories I've ever heard.


Sunday, July 08, 2007

Not Quite Robin Hood - ID Theft Scams and Nonprofits

According to this Slashdot post (via Symantec), a new identity theft tactic is to test out stolen credit card numbers on nonprofit web sites to determine whether accounts are valid before going on to use the cards elsewhere. Although it might sound like a Robin Hood scheme at first - giving money to charity - it's just another scam.


Sunday, June 10, 2007

BigFix Presidential Campaign Winning Online

According to an article in the San Francisco Chronicle, BigFix, an Emeryville-based IT Security & Compliance Provider, is running a faux viral presidential campaign online to gain traffic and interest in the site. It's working... their pretend candidate, Ray Hopewood, is on Flickr, MySpace, and everywhere in-between. Check out his web site. It's pretty good.


Sunday, March 11, 2007

Hillary Clinton's Promise

I saw Hillary Clinton speak a couple of weeks ago in San Francisco. She packed a ballroom at the Sheraton Palace Hotel full of people for lunch. Most in the audience were women who heard about the event through word of mouth and women's political organizations in the area, since the event was organized by Susie Tompkins Buell and Emily's List. I don't know how much money the event raised but it must've been in the hundreds of thousands of dollars.

I've blogged before about how wonderful it is that a woman is finally a viable candidate both with respect to qualifications and fund raising, but I had no particular knowledge of Hillary Rodham Clinton's skills as an orator or policy maker beyond what I've read in the news before the SF event. What surprised me that afternoon as I sat eating sushi shoulder-to-shoulder with some of the Bay Area's most powerful women, was not what I expected. In fact, I tried very hard to go into the event with no expectations at all, but with an open mind to consider this person as a candidate in her own right - not as the wife of Bill Clinton, but as someone with deep policy experience, a Senator, lawyer, wife, mother, and someone who spent 8 years working closely with the President in the White House. I knew she was savvy politically and I knew she has gained a reputation for working across the aisle in Congress. What I didn't know was how impressed I would be.

First of all, I've seen a lot of candidates speak. She has skills that match the best of them. But more importantly, she did a few things to surprise me. A) She listened to her audience, without just talking about her agenda. She spoke about issues that concerned us. B) She responded to questions with detailed answers, not just canned sound bites. She talked for at least ten minutes about how to improve education and gave actual examples and thought-out policy changes. I've never seen a politician give such detail before. She spoke a lot about how important pre-school is, for example. It really made me think more about that issue than I ever had before. C) She admitted her mistakes - particularly regarding her attempts to work on universal healthcare in the past.

As someone who has worked for the government in security, I'm always concerned about any details that relate to security detail and the other thing that interested me about this event was the level of Secret Service attachment Senator Clinton has. I assumed there would be some, but as a Senator, presidential candidate and former first lady, she has a serious security staff and motorcade. This got me thinking about another issue that I don't think most people have considered with respect to her run: she's a huge target. So many people dislike her for a variety of reasons, so she needs that security. And on top of that, she's taking a major additional risk becoming a presidential candidate. People can say what they want about her political agenda and formulating a path to run for president for years, but it takes a lot of courage to put up with the kind of criticism and risk.

The question on everybody's minds, of course, is: Can she WIN? This is an incredibly unique case, so my answer still is that I don't know. Of course Bill Clinton and political pundits with experience say she can, but they have to say that. Hillary herself says: "we won't know until we try." (She was referring to getting a woman elected in general, but since she's the only woman with a chance right now, she's our sample.) I just don't know. It's a numbers game and she has to convince enough moderate and liberal voters to vote for her. Most conservatives detest her and will never consider voting for her and will fight tooth and nail to defeat her. But it is theoretically possible that if she swung enough moderates who see her work across the aisle that she could do it. And if she could capture the majority of the women's vote (which I think she can), that will be huge. That's assuming she can win the Democratic nomination, which I believe she can. I don't know if she will, of course, but she's definitely a strong enough candidate that she's viable in that area - unlike Joe Biden, for example, who just doesn't have a chance at this point. We'll have to see how the debates play out with Barack Obama, the youthful favorite, and Chris Dodd, who I believe is a dark horse.

The bottom line is that Hillary Clinton is worth considering. Take a look at her site. Don't count her out. Read about her policy plans. Go see her speak next time she's in town. The one thing that I took from the event was that day 1 in the White House, she will hit the ground running and make major policy changes to improve the environment, education, health care, and foreign policy. Whether she can lead as well as she can collaborate remains to be seen, but she definitely has promise.


Thursday, March 08, 2007

Treading Carefully Online & "Good Morning America"/ABC News How-Tos

Internet defamation is hardly new, but the way it can happen to younger people in situations where they are hurt before even entering the workplace is a serious issue. "Good Morning America" put up a segment on this today and I was shown as an Internet privacy expert.

The ABC News video lasts 5 minutes and 22 seconds, of which I'm on for about 6 seconds (1:38-1:44). What's interesting is actually the advice delivered by Tory Johnson slightly later in the segment, also repeated in an article on the ABC News site. The article is entitled "How to Avoid Cyberspace" but that's not really a practical or realistic piece of advice in itself - I'm not sure why they called it that. She's not advocating avoiding the Internet and we all realize that's impossible. She does provide some good tips on fighting and preventing defamatory remarks.

Also, as noted by Kurt Opsahl in yesterday's Washington Post piece, you can sue and you can fight the negative information by posting positive information. I would add to that it's almost easier to post it in other locations on the web rather than getting into direct confrontations on the site in question. The Internet, unlike tabloids, is a 2-way street so you can control the information out there about you to some extent.

Other things I explained to the interviewer:
1) I advise my clients - even those who are not political - to think of themselves as candidates when they go online and only put up limited information about themselves that shows them in the most positive light.
2) Treat the people who are causing the trouble like hackers or school bullies - you can't completely avoid them, but you can ignore them - what they really crave is attention.
3) Remember that this type of damage fades over time and whatever's most popular and current out there on the web is going to be what comes up first in search engines.
4) Don't attack the search companies like Google and don't blame the Internet - they are merely vehicles for information and do not have any malicious intent.
5) You can make a difference with what companies do when they are pre-screening potential employees by contacting them and asking them to avoid certain sites.
6) The market drives this activity to a certain extent - if sites get a bad reputation for hosting misinformation, they will lose traffic and other sites will take over the dominant spot in the social networking sphere.
7) Utilize anonymity if necessary, but sparingly - it can still sometimes be traced.


Monday, February 19, 2007

Online Account Nonsense

About once a week, I find myself creating a handful of new accounts for various sites that I may or may not ever use again. And then there are the couple that expired or were purged that I have to renew. Of course also we can't forget the passwords that need to be changed - which I'll admit even as a security professional, I'm not as on top of as I should be.

Today, I decided to count all of the accounts I have for sites that I have to date. Not including client accounts or ISP/telephony - just things like containerstore.com and blogger.com - I have over 225. As someone who learned about e-commerce before it existed, I'm still mind-boggled by this. Who can keep track of these things in a secure, organized fashion without being overwhelmed?

Options?
a) Use a site that aggregates passwords that better be damn secure if you have any kind of financial or personal data in it
b) Save passwords in an insecure but easily accessible location
c) Use the same password for multiple accounts
d) Create fake email accounts that are really anonymous or have pseudonyms to use for as many as possible

These still each have their own problems. But what's the alternative? Don't read news online, don't conduct business transactions online, don't use your own identification for your searching? It's tiresome...


Friday, February 02, 2007

Dolphins Stadium Site Wide Open For Hackers

I don't want to say I'm glad that something Superbowl related got hacked, but here's the thing: when major web sites like Dolphins Stadium get hit with known attacks for Windows security holes, it raises awareness. And frankly, this is such small potatoes in the scheme of things - it wasn't our water system hacked or our electrical infrastructure or something controlling train lines that could kill people. Sure, it's inconvenient for the people running the site and for the fans who visit the site, but they should have updated their web servers months ago in preparation for this event. If it teaches them a lesson and gets others in corporations and government better educated about security, then something good will come out of this. Thinking about the big picture and preventing real terrorist threats is much more important. Here's the story from ZDNet.


Sunday, December 03, 2006

TSA Has A Long Way To Go

I would like to believe that all of the tax dollars going toward the Transportation Security Administration are making a difference in our national security, but they just can't seem to do anything right.

Recently, I traveled and pre-travel, I brought up their site on my Mac to learn more about this whole 3oz. liquid thing and the site crashed Safari, didn't work in Mozilla or Mac IE. So I basically got nowhere. I was able to read one file that was somewhat pertinent about what's allowed and what's not. Meat cleavers are not. This doesn't really affect me, but it got me to chuckle.

Next step was to pack for the trip. I had to put everything in the wrong bag in order to fit the stupid ziplock with all of the liquids into one of my carry-ons. (Yes, I had multiple. I have an infant - it's nearly impossible to travel without multiple carry-ons with an infant in tow.) Anyway, I dealt with that and made it to the gate.

Best news of the day - TSA let us fast track through security with first class since we had a kid in a stroller. Then we got stuck behind some stuck-up goth-laden rockers carrying Louis Vuitton bags and had to wait seemingly forever. Anyway after they were moving on, the TSA people actually asked me to take off my cardigan sweater to make sure there was nothing underneath - while I was carrying my baby. Like these other people with their black jackets wouldn't be hiding something more serious than my limp little cardigan? We looked at the TSA staff like they were nuts so they let us through. We bought water in the terminal before boarding the plane so we would have enough for the 3 of us, formula, and other needs while in flight.

On the flight back, we were leaving Kansas City which doesn't have shops inside security so we couldn't buy water. I brought a few extra bottles anyway to see what they would let us have. The guy explained that the more liquid formula you bring, the less water you're allowed to take, but he allowed me to bring one bottle of water because I had a few dry packets and only one can of the liquid. Come on... and to top it off, he gave me this look like "here, you can get away with more water if you bring more packets!" Like he was doing me some favor? If this is really a security risk, why would he be telling me this? Please.

I'm not afraid of flying, airplanes, or terrorists. Maybe I should be, but I'm not. What I am afraid of is stupidity, disorganization, loopholes, wasting time and money, and above all, poor management when it comes to security. I've been through a real clearance process that was much more rigorous, I'm willing to bet, than most of the TSA employees at airports have. Security should be serious. You don't bend the rules when it comes to true security. Ever. You don't keep changing them either. And you don't waste anybody's time. You look out for what's a realistic threat and you keep your eye on the ball. (And it wouldn't hurt to have a web site that didn't crash browsers either.)


Tuesday, November 14, 2006

A Preview of New Congress's Tech Policy Agenda

Here is what Cameron Wilson, the USACM Public Policy Director says about what the new Democratic-led Congress will be doing with respect to technology policy. He focuses on six big areas that have been in focus by recent administrations: innovation, offshoring, privacy, copyright, e-voting, and Internet regulation.

Here's what's not on that list. First, biometrics and national IDs. Even with conservatives in the minority, this probably won't go away. It's scary because those things don't actually give us greater security although we might think they will. But my guess is this will continue to be something that's discussed in the name of security. As to Homeland security, I think Democrats will step it up a notch as they're able. (I think a Democratic president or Giuliani or McCain would also do this after '08 though.) I also think that the Dems will put a stop to all of this wiretapping and over-the-top surveillance that's borderline unconstitutional.

As to the six main categories, I can only hope the VVPAT bill goes national so we can make sure that when (not if) e-voting machines fail we have some way of verifying the votes cast. In the globalization arena, yes - we must deal with these visa issues. All of the talk about immigration problems is always about illegals but what about the workers who are skilled who come to this country to take jobs and then can't get them because of visa problems on our end? That's just silly. And yes, education's a factor here - we need to be training more skilled tech workers here, but that's another issue. As to IP, I can only hope the DMCA is reduced to rubble but that may be a pipe dream since so many in Hollywood are tied to the Democratic party.


Thursday, November 09, 2006

Voting Angst in Allentown

Some guy in Allentown, PA went ballistic and started smashing an electronic voting machine Tuesday... here's my take on it:


Voting Angst
(to the tune of "Allentown", by Billy Joel)

Well we're voting here in Allentown
And we had to take a crazy man down
Cause he came up to a new machine,
Went kind of nuts, bashed in the screen.

Guess the man was really ready to snap,
Thought the voting booth was booby-trapped,
Took a paperweight and rammed it in,
Broke the machine. Forgot his PIN.

(Chorus)
(But the craziness is going round...)
(And it's getting very weird today...)
(But we're voting here in Allentown.)

We're just voting here in Allentown
For the Pennsylvania governor's crown,
For the promise of some better days
If we work hard, if we behave.

Every voter had a pretty good shot
But this one machine just wasn't so hot
When the man wigged out and broke the piece,
Poll workers freaked, called the police.
We were voting here in Allentown.

(Chorus)

Now we're waiting here in Allentown
And they're closing all the voting booths down.
Out in Washington they're doing fine,
Filling out forms, standing in line.

Well our poll workers are really fried,
Spent their day crossing off voters who'd died,
But something happened on the way there that day
To the man who held the paperweight.

(Chorus)

...see article, "Balloting Breakdown: Pa. voter attacks machine"


Tuesday, November 07, 2006

Paper Ballot Majority

When we arrived at our polling place today in Atherton, after worrying about these handheld e-voting machines the county has, we were surprised to discover there was only one per city. The default was to hand out paper ballots. Of course the paper ballots are counted by an electronic machine, but that's another issue. Anyway, voting went smoothly here as far as I can tell so far.


Angelides Site Gone - Error Messages Look Fishy

Hmm. Go to angelides.com. See what you find.

As I type this, it's not there. (Although it may be back up again by the time most people read this post.) Went bye-bye at least 2 hours ago when I checked it last.

Three reasons it could go poof:
1) They ran out of money and the ISP pulled the plug (doubtful)
2) They got hacked (possible)
3) The site crashed because of more traffic than expected (most likely)

What's really strange is that the page gives an error with a misspelling, so it's an error that was individually crafted for use on the site, not a generic server error. It says: "Sorry, the requested page was not found. Please try again. Original URI: /" It's not written like a typical error message and they misspelled URL. I don't get it.

I'm not an expert in web programming, but I have to say it looks like from the HTML that this page was deliberately put there and I have to say based on that, I'm leaning toward thinking it was hacked (DOS - Denial Of Service - attack). It just doesn't feel to me like an authentic error page unless someone in the campaign mocked it up on a different machine when the site crashed as a temporary measure.

A few months back, the same thing happened to Lieberman's site and I didn't witness it, but I know he threatened legal action thinking it was a hacker although I assumed at the time it was more likely the server couldn't handle the load. (I also didn't see the site during the outage). In this case, I'm not so sure.


Sunday, November 05, 2006

Errors Reported in E-Voting Machines Across the Country

It's started. The reports are coming in - errors in many kinds of electronic voting machines around the country are occurring and they're major. VotersUnite.org has a great Election Problem Log page where they report any problem noted in the media.

Florida, Kentucky, Ohio, Texas, California, Indiana, Kansas, New Mexico, South Carolina, Tennessee, Colorado, Illinois, Pennsylvania, Arkansas, Washington, Michigan, Maryland, Virginia and Nevada have all reported errors so far.

Do what you can - request a paper ballot.

And check out HBO's documentary, "Hacking Democracy" airing Tuesday.


Friday, November 03, 2006

No More Rocking The Vote, Just FIX It!

Gene Spafford, computer security expert and co-chair of the U.S. Association for Computing Machinery Public Policy Committee forwarded this article to USACM members (of which I'm one). It pinpoints a company, FixAVote.com, that supposedly offers "election outcome solutions". If you look closely at the site, it is really tough to tell if it's serious or a joke. Take a look - you'll see what I mean.

Avi Rubin and Ed Felten, two other USACM members known for their research on the security of electronic voting machines (see my post, Fixing E-Voting, from a few weeks ago) were interviewed for the Computer World article. Zogby recapped TechDirt's post on the site as well. For those knowledgeable about the issue and the security behind it, it was fairly clear it was a hoax, but it was done so deadpan that a little doubt was left.

Bruce Schneier, another computer security (crypto, for those of you who don't know) expert, a few days ago, confirmed on his site that it is a hoax but everyone I've seen writing about it agrees that it was very well done. It's one of those sites with boring corporate model photo clips (people just a little bit too beautiful, so that tipped me off that the site wasn't for real) and generic consultantspeak that makes you really confused about what they can actually do for you, but the best part is where they name the specific electronic voting machine makers, like Diebold, who they supposedly work with. Great joke.


Saturday, October 28, 2006

It's Never Too Late To Hate Microsoft

Is it just me or has anyone else noticed that the Microsoft Office "updates" now take up more space than an entire hard drive did 15 years ago, and their product really hasn't improved?

I know this isn't new or news but I was installing the 57.3 MB update today that ostensibly repairs security holes and patches the kludgy mess of software that they've paid thousands of people to develop over the past several years and that they now charge upwards of $400 for (I got it free) and I recalled that my first hard drive was actually 40MB that I got in 1990. At the time, I was using a great word processor on the Amiga that had nearly all of the features that MSWord has now, and it took up slightly over 1MB of space.

I never understood how Microsoft turned all of their products into such beasts, I never understood their protection of the code or their lack of attention to security, and I still don't understand it. But I had let myself start to try and believe the company wasn't so evil because I have a good friend who works there (I've heard employees are treated well) and because of the Bill & Melinda Gates Foundation's work around the world.

Then I heard a story the other night from a woman who knew Bill Gates and it made my stomach turn. So here I am again, with very little that's positive to say about Microsoft. Why do I use their software, you might ask? Just because it's the standard. And I suppose I'm somewhat masochistic. Or possibly because everybody needs something to complain about that's really not so important in the scheme of things and kludgy word processors fit that category.


Sunday, October 01, 2006

Fixing E-Voting

Thursday, two esteemed colleagues from the USACM Public Policy Committee, Barbara Simons and Ed Felten, two experts on computers and voting machines, testified in a Congressional hearing on electronic voting. More specifically, they stressed that we need a voter verifiable paper audit trail (VVPAT) or a voter verified paper ballot (VVPB) for these machines. This isn't anything new; unfortunately, it just takes this long for Congress to start listening to this type of concern when it's already been a serious problem for a few years.

Two weeks ago, Dr. Felten and his staff at Princeton released a report based on a study they conducted on the Diebold AccuVote-TS, a Direct Recording Electronic (DRE) device, that proved that this particular machine could be hacked in under a minute with "little if any risk of detection."

So yes, when the Diebold people (a company run by active, known Republicans) told Bush they would "deliver Ohio", they could have meant they would make sure he won there. Felten noted that "injecting a virus into a single computerized voting machine can affect an entire election." In other words, the people who were out there on the fringe saying Bush stole two elections could be right. (I'm not saying they are; I'm only saying it's now been scientifically and technically proven that it was a possibility.)

Here's a simple scenario on how it would work (so easy a dog could be trained to do it):

1) E-Voting machine is delivered to polling place and/or poll worker the week of the election.
2) Machines are initially tested to make sure they work. Someone is given one physical key. Then they leave.
3) Any time over the next few days, that person or another person (most likely a poll worker - they are unsupervised but would have easiest access) with the same key (there are only a few versions for over ten thousand machines, like hotel minibars) comes in and unlocks the back of one machine.
4) That person inserts a memory card and the card automatically uploads a virus. The person (or dog) then removes the card, locks the machine and leaves. Boom - done. Election won. The whole process takes under one minute.
5) The machine is given its pre-election test the day before or day of the election with no detection of the virus.
6) As the votes are processed, the virus changes them.
7) The virus then deletes itself in order to remove the evidence that it was there. The program is simple enough to write that even I could do it (and that's saying something).

So in order to prevent this sort of thing from happening (again?), here is what needs to be done in order to create machines and processes that are truly secure and can provide a system that we can be reasonably sure produces accurate results:

- Collaboration of technical and election communities
- Increased use of independent technical security experts
- Further research to improve the voting systems
- More accessibility to companies designing these products
- More secure physical and crypto keys
- More robust hardware and software design
- Rigorous testing by third party experts
- Removed/reduced and/or encrypted access for random memory cards
- Stricter certification process
- Deployed with safeguards against failure
- Heightened security training and processes for poll workers
- Routine random manual audits
- Policies and procedures that guarantee the integrity of the paper and the quality of the printers used for printed paper trails
- Mandatory manual recounts
- Increased accountability

This may still seem like a complex problem and it is, but the best way to circumvent continued issues is with a verifiable paper trail, regardless of the system used. That's all we can hope for with one month until election day.
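An added example (not from the original post or the Princeton report) of the "routine random manual audits" item above: it hand-counts the paper trail for a reproducibly chosen sample of machines and compares it with the electronic totals, and it shows the chance that a small sample misses the one altered machine. Machine IDs, tallies, the seed, and the SHA-256 ranking used for selection are all constructed assumptions.

```python
import hashlib
from collections import Counter
from math import comb


def build_sample():
    """Constructed data: 10 machines, each with a hand-countable paper trail
    and the totals its software reports. M07 reports 5 votes moved A -> B."""
    machines = {}
    for i in range(1, 11):
        paper = ["A"] * (40 + i) + ["B"] * (35 + i)
        machines[f"M{i:02d}"] = {"paper": paper, "electronic": Counter(paper)}
    machines["M07"]["electronic"] = Counter({"A": 42, "B": 47})  # paper says 47 / 42
    return machines


def ballot_counts_match(machine):
    """Weak check: number of ballots only. Vote shifting passes this."""
    return sum(machine["electronic"].values()) == len(machine["paper"])


def select_machines(machine_ids, sample_size, seed):
    """Reproducible selection: rank IDs by SHA-256(seed:id), take the lowest.
    Assumption: the seed is produced in public after polls close."""
    def rank(mid):
        return hashlib.sha256(f"{seed}:{mid}".encode()).hexdigest()
    return sorted(machine_ids, key=rank)[:sample_size]


def discrepancies(machine):
    """Electronic total minus hand count, per candidate, where they differ."""
    hand = Counter(machine["paper"])
    elec = machine["electronic"]
    return {c: elec[c] - hand[c]
            for c in sorted(set(hand) | set(elec)) if elec[c] != hand[c]}


def run_audit(machines, sample_size, seed):
    """Hand-count the selected machines; return (chosen IDs, findings)."""
    chosen = select_machines(list(machines), sample_size, seed)
    findings = {}
    for mid in chosen:
        diff = discrepancies(machines[mid])
        if diff:
            findings[mid] = diff
    return chosen, findings


def detection_probability(total, tampered, sampled):
    """Chance a uniform sample of `sampled` machines includes >= 1 tampered one."""
    return 1 - comb(total - tampered, sampled) / comb(total, sampled)


if __name__ == "__main__":
    machines = build_sample()
    print("ballot-count check passes everywhere:",
          all(ballot_counts_match(m) for m in machines.values()))
    chosen, findings = run_audit(machines, 3, seed="constructed-public-seed")
    print("audited:", chosen, "findings:", findings)
    print("P(detect) auditing 3 of 10:", round(detection_probability(10, 1, 3), 2))
    print("full recount:", run_audit(machines, 10, seed="constructed-public-seed")[1])
```

Without the paper records there is nothing independent to compare the electronic totals against, so the audit only works on machines that produce a voter-verified paper trail.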

See also: RFK Jr's article in Rolling Stone.


Saturday, September 23, 2006

Listen to Ed Felten Re: Voting Technology

Ed Felten, Princeton Professor of Computer Science and Public Affairs, also known for Felten v. RIAA and Freedom-To-Tinker, spoke with Scott Simon on NPR about a voter verifiable paper trail for electronic voting systems today.

A lot is happening right now with respect to e-voting with recent and upcoming elections, particularly with recent problems in Maryland. Check out the recording. He also spoke on "Science Friday" on voting technology yesterday.

Aside: I just found out that Ed Felten and Barbara Simons have both been invited to testify at a Congressional hearing on voting technology Thursday at 10am (in room 1310 LHOB if you are in DC), which will be webcast. See also: USACM weblog.


Monday, September 11, 2006

Security Analysis Post 9/11

I have written a lot about security over the past several years. I don't call myself a security expert because I know a lot of real security experts, but having worked in the field a long time, I am quite knowledgeable on the subject so I thought I should weigh in on how we're doing since 9/11/2001.

National Security - Better & Worse
It's better because we now have funds being directed towards infrastructure costs that were needed such as securing water treatment facilities and mail protection. Unfortunately, there are also places that are inherently weak and must remain so in order to be productive. Can you imagine searching every truck that went over the Bay Bridge to make sure it did not contain explosives? Traffic would be impossible.

National Security is worse because most of our military is elsewhere. If we were attacked at home again, depending on how we were attacked, we would not necessarily be able to respond rapidly. Also the Department of Homeland Security has become a major bureaucracy without much real accountability and that accounts for some of the lack of speed.

Air Travel Security - Better
TSA (Transportation Security Administration) has become another huge entity. The government has poured tons of money into it, but in the end, it's still a guessing game as to what tactics the terrorists will try to use next and whether it will even involve transportation at all. Rules keep changing to meet with current estimates of threats, including banning liquids. However, there are always holes in that system. For example, powdered infant formula is still allowed from what I've read. It is possible to make bombs out of infant formula, for example.

Air travel security is better because people are paying more attention to what's at stake, TSA employees generally do a good job (although they tend to relax when the terror alert is low, which isn't necessarily the right thing to do) and they tend to pay more attention to social engineering. A few basic changes that were made soon after 9/11 like locking the cockpit made planes much more secure. There are still issues with securing the airports themselves. Unfortunately, requiring biometric identification for passports isn't necessarily the right direction either due to inherent flaws in most of the biometric systems.

Computer Security - The Same
With computer and network security, the problem is decentralized. And it rests on the shoulders of every company and server administrator to keep the Internet secure. A nasty virus could be released from anywhere to cripple systems across the globe. But computer security always gets put on the back burner when money is tight because it doesn't directly make companies money (although it does save them money usually in the long run).

The Cybersecurity arm of the Department of Homeland Security still needs to gain its footing. It has changed leadership numerous times since its inception and the only places I've heard of that really sound like the government is taking any action are in securing government labs more tightly and creating an FBI hacker army of sorts - a computer crime squad. The NSA (National Security Agency) was doing wiretaps on international calls for a while but now that has been determined to be unconstitutional. I wouldn't really call that security anyway - it was more of an investigatory method.

Local Response - Better
I think this area improved more from the failures in New Orleans than due to 9/11. Much was promised for local response, but again it's an issue of money. Security and training is expensive, so with a tough economy, local responders are the last rung on the ladder to get paid. But since we had another (natural this time) disaster, it brought attention to the weaknesses in this process. The City of Menlo Park and San Mateo County have both sent out mailers on Emergency Preparedness and I have noticed more information sessions available to residents over the past few years.

Overall - Better
It would be sad to think that all of the money, time and effort going into security was not yielding some results after five years. I think overall, security is better (but don't let that fool you - there's still a lot that needs to be done and I still think the administration has been weak in this area). Awareness has increased and that is the first and most vital step in improving security. Unfortunately, we need occasional reminders that there are still terrorists out there waiting to strike and that not every nation is friendly to us in order to stay on alert. It's a delicate balance that must be struck between security and productivity, but that is the challenge we continue to face today.


Friday, August 18, 2006

Spying on Citizens Ruled Unconstitutional - No, Really?

This week's ACLU win over the NSA should not be a shock except that it is - a welcome one. U.S. District Court Judge Anna Diggs Taylor has my vote as the first person to slap down the Bush administration's NSA program. What I don't get is how it takes so long to say "no no, that's bad" to programs like this and how they get away with doing these things in the first place.

Here are the meaty quotes from the ruling -- "The irreparable injury necessary to warrant injunctive relief is clear, as the First and Fourth Amendment rights of Plaintiffs are violated..." And [the program is] "... in contravention of the Foreign Intelligence Surveillance Act [FISA] and Title III ...[and]... violates the separation of powers doctrine, the Administrative Procedures Act, the First and Fourth amendments to the United States Constitution, the FISA and Title III."

Read my comment on BlogHer about the ruling. Also see the judge's opinion.

"Hit the road, Jack, and don't ya come back no more, no more, no more, no more..." - Ray Charles


Saturday, August 12, 2006

Infant Formula Bombs

With the new security rules, nearly every liquid is banned. Moms and dads will be happy to know this does not include liquid infant formula as long as a baby is in tow. However, powder infant formula is allowed, which is a bit risky.

Powdered infant formula contains crystallized components that can be faked, meaning someone could carry bomb-making agents that look similar. These powders also often contain high concentrations of metals that make it difficult to detect real formula from fake formula - including with the X-ray machines used in airports. It would be necessary, however, for this material to be mixed with another bomb-making agent in order for it to be detonated.

Theft of formulas and black market formula creation and sales is on the rise. Resulting from the high price in infant formulas, some fringe groups are actually profiting from these black market sales - potentially even terrorist groups. And in 1994, a bomb was hidden inside a can of infant formula that exploded in a church in Baghdad.

It is inconvenient to not be able to carry formula or electronics and to have our children scanned, but these are legitimate threats. Not only could a detonator be devised to look like a cell phone, but it could be hidden inside a working phone as well. And terrorists won't always keep these items on their own person - they could sneak them into our carry-on bags in a tight security line. Be careful.


Thursday, August 10, 2006

Antidisestablishmentarianism

I recall hearing at some point that it's the longest word in the dictionary, but I can't confirm that. All I can say is it fits Joe Lieberman's actions this week.

A lot of woo-hooing is going on about Lamont beating Lieberman in Connecticut - Lieberman lost with 48% of the vote. What I don't get is how he got that many votes in the first place. There's all this controversy over Dems backing Lamont now. Like they're supposed to bail on the guy who legitimately won their primary? I'm sure Joe Lieberman is a good guy and all, but if he really thinks he can run as an Independent and win, he's been smoking some pretty strong stuff.

Meanwhile, what's up with that whole bit about the Lamont campaign hacking into Lieberman's site? It's certainly possible, but nobody would condone that sort of thing. And from what I know of campaign databases, most of the information that might be useful to an opposing team would not be located on the campaign web site's server anyway. As far as a DOS (Denial-of-Service) attack goes, he has no proof - why is the first assumption to think that if his site's down, it's because of a hacker? These campaigns are always so cheap, it's more likely the server just couldn't handle the election day load.


Friday, August 04, 2006

Recent Writing

For a writer, there's nothing like that first time you see your own byline. I've had that opportunity online and in print magazines, but I had yet to see it in a book until recently. One of my articles, "Social Engineering Fundamentals," has attracted a lot of attention over the past few years and an editor in India asked to publish it in a new book - Ethical Hacking - An Introduction. Mine is the third article, part one of the series - "Hacker Tactics." Here's one place you can buy it - Bagchee.com. It doesn't affect my pocketbook, but it's a good compilation. Mostly, it's a great motivator to get me back to work on my book proposal. ;)

A few months ago, while still in the postpartum haze, I wrote a followup piece for Security Focus - "Social Engineering Reloaded" - to continue where I left off in the original series. It was fun revisiting the topic, particularly in light of how much has changed during that time.

As of yesterday, I'm now blogging for the Silicon Valley Moms Blog. My first post, Apple's Next Generation Challenge, looks at why Apple Computer doesn't have an educational discount for kids before college. The SV Moms Blog is a really interesting collection of women and I'm proud to be associated with them.

I've updated dotblog with Julia's URL and a photo so people at the March of Dimes' ShareYourStory.org, who were following the latter days of my pregnancy can see how well she is doing. I may begin using that blog again as a place to vent my frustrations about recovering, rather than posting that here. For anyone facing preterm labor and preemie problems, ShareYourStory.org is a comforting community.


Tuesday, August 01, 2006

Bienvenue

Welcome to segmented. Since blogs typically include segments of news, ideas, thoughts and information, that's where I came up with the name. It also happens that s-e-g are my initials.

This isn't my first time blogging, but it's the first weblog I've created on my own, so it is an experiment of sorts. I was knee deep in the blogosphere when the hype began but didn't see the pull to start my own at the time - I knew the time commitment involved and wanted to wait for the right moment.

As to the content, I outlined this blog to focus on technology, politics, culture and arts but I will most certainly cover other topics. I designed my own degree program entitled "Technology & Society" where I studied technology policy, politics, economics and culture. My career, including BBS development, network consulting, computer security, web startups, Internet campaigns and online activism, has been centered around that. However, I wear many other hats - writer, parent, volunteer, world traveler, philanthropist, activist, musician, figure skater - but I prefer not to be defined by any particular role. These are all a part of who I am.

I may be able to hack a kernel, sing an aria and land an axel, but I can't make this blog successful without fresh ideas and participation from others. So I welcome your thoughts and comments as I embark on this new venture. Appreciez!
