Author Archives: John S. Quarterman

ATMs and Voting Machines, or, Waiting for Perfection

This is true, but misses the point:
If ordinary bank ATMs can be made secure and reliable, why can’t electronic voting machines? It’s a simple enough question, but, sadly, the answer isn’t so simple. Secure voting is a much more complex technical problem than electronic banking, not least because a democratic election’s dual requirements for ballot secrecy and transparent auditability are often in tension with one another in the computerized environment. Making ATMs robust and resistant to thieves is easy by comparison.

ATMs can fail, too: It isn’t just voting machines. Matt Blaze, Exhaustive Search, 23 May 2008

Yes, and Lyndon Johnson stole a Senate race by ballot box stuffing back in the days of all-paper ballots.

But that doesn’t change the simple fact that it’s far easier to fiddle results with paperless electronic machines than it was with paper ballots. Or that an ATM failure tends to be very localized and limited, while voting machines can be hacked in bulk. Or that the results of a failed election can be an unnecessary war, more than 4,000 U.S. dead, a million others dead, quadrupled gas prices, $40+ trillion in debt, peak oil without deployment of solar and wind, environmental crisis near or beyond tipping point, and need I go on? At what level of demonstrated risk does it become obvious that waiting for perfect voting machines isn’t the right answer?

Fortunately, some states have gotten the point already.

-jsq

Logging to Fund Firefighting?

Got too many wildfires and need somebody to pay?
The forest service’s reasoning is simple: sell trees to loggers, use the money to clear areas of potential fire fuel. What the loggers cut can be potential fuel. With one sale, a fire hazard can be removed and the agency paid so it can remove more fuel.

US judges order stop to California logging projects, McClatchy newspapers, guardian.co.uk, Thursday May 15 2008

The federal Ninth District Court didn’t think that was so clever, or at least not so legal, and also not the only way:
Two for one always has an attractive ring. But are there no alternative ways of getting money to do the clearing that is imperative? Obviously, there may be. First of all, there is the USFS’s own budget. Does that budget contain any funds that could be devoted to fuel removal? Is every one of its activities so necessary and so tightly allocated that no money could be shifted? We do not know the answer because this alternative has not been explored.

Suppose that the USFS and its parent, the Department of Agriculture, cannot spare a dime. What then? Appropriate appropriations come from Congress. The work of fire prevention is work of the first importance. If the USFS does not have enough, why should not Congress be asked to give it more? Surely the avoidance of catastrophic fire in the national forests must rate a high priority among the needs of the nation.

No. 07-16892 D.C. No. CV-05-00205-MCE, United States Court of Appeals for the Ninth Circuit, 14 May 2008

Coming soon: eating seed corn to prevent hunger, credit card debt to get rich, and other clever risk management strategies.

-jsq

Loopholes Closed by FTC in CAN-SPAM Act Rules

The U.S. FTC has updated its regulations regarding the CAN-SPAM Act (PDF) to require:
(1) an e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page to opt out of receiving future e-mail from a sender;

(2) the definition of “sender” was modified to make it easier to determine which of multiple parties advertising in a single e-mail message is responsible for complying with the Act’s opt-out requirements;

(3) a “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement that a commercial e-mail display a “valid physical postal address”; and

(4) a definition of the term “person” was added to clarify that CAN-SPAM’s obligations are not limited to natural persons.

FTC Approves New Rule Provision Under The CAN-SPAM Act, Press Release, FTC, May 12, 2008

These changes appear to tighten up what is required of marketers; they have to say who they are and they can’t weasel out by claiming a corporation is not a person.

However, it’s not clear to me why it’s opt-out that’s required; why not opt-in? I never trust a spammer to process an opt-out; I assume they’re just collecting more addresses. Plus the spammer still has ten days to process opt-out requests.

-jsq

Band Uses CCTV to make Music Video

This is clever:

Unable to afford a proper camera crew and equipment, The Get Out Clause, an unsigned band from the city, decided to make use of the cameras seen all over British streets.

With an estimated 13 million CCTV cameras in Britain, suitable locations were not hard to come by.

They set up their equipment, drum kit and all, in eighty locations around Manchester – including on a bus – and proceeded to play to the cameras.

The Get Out Clause, Manchester stars of CCTV. By Tom Chivers, Telegraph.co.uk, Last Updated: 6:54PM BST 08/05/2008

Then they requested copies of the coverage from the various companies and law enforcement organizations owning the cameras through the British Data Protection Act, and got enough to use. They even managed closeups.

So maybe there is a use for CCTV, even though it’s failed at crime prevention. It’s a huge arts subsidy program!

-jsq

NSL: Internet Archive Exposes Lack of Security in National Security Letters

The Internet Archive has for a decade been a cornerstone of the Internet, and the FBI was foolish to try to break it:
The FBI has withdrawn an illegal National Security Letter seeking information from an online library and has lifted a gag order that until Wednesday prevented any discussion of the information request.

Lawyers from the American Civil Liberties Union and Electronic Frontier Foundation helped the Internet Archive push back against what they say was an overly broad and unlawful request for information on one of its users. The FBI issued its National Security Letter in November, but ACLU, EFF and Archive officials were precluded from discussing it with anyone because of a gag order they say was unconstitutional.

After nearly five months of haggling, the FBI eventually withdrew its NSL, which requested personal information about at least one user of the Internet Archive. Founded in 1996, the archive is recognized as a library by the state of California, and its collections include billions of Web records, documents, music and movies.

Watchdogs prompt FBI to withdraw ‘unconstitutional’ National Security Letter, Nick Juliano, therawstory, Published: Wednesday May 7, 2008

The article goes on to say that the FBI has issued 200,000 National Security Letters, that almost none of those NSLs have been challenged, yet every single time someone has challenged an NSL in court, the FBI has withdrawn it.

How do these NSLs represent “Security”?

In any case, National Security Letters were authorized by the mis-named Patriot Act. Brewster Kahle has shown us how a real patriot acts:

CCTV Security Fad Fails

London probably has more security cameras per square inch than any other city, and:
The billions of pounds spent covering Britain with CCTV cameras has been an “utter fiasco” and failed to slash crime, Scotland Yard’s surveillance chief has said.

Detective Chief Inspector Mick Neville said a Metropolitan Police pilot project found just three per cent of street robberies in London were solved using CCTV images.

He claimed the vast swathes of money spent on cameras had been wasted because criminals don’t fear the cameras.

Billions spent on CCTV have failed to cut crime and led to an ‘utter fiasco’, says Scotland Yard surveillance chief, Just 3% of street robberies in London solved, By DANIEL BATES, Daily Mail, Last updated at 13:48pm on 6th May 2008

Needless to say, there are numerous efforts planned to make the cameras pay anyway.

The basic problem is:

But Mr Neville also castigated the police and claimed officers can’t be bothered to seek out CCTV images because it’s “hard work”.

CCTV is not the only security fad that hasn’t panned out:

For every 800 DNA samples being added by the police – including those taken from innocent people – only one crime is being solved.

We’ll see if either of these white elephant programs gets terminated. I’m not holding my breath.

-jsq

Paypal Says Old IE is Like Car Without Seat Belt: EV SSL blocking

The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered “unsafe” for financial transactions.

“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,” said PayPal Chief Information Security Officer Michael Barrett.

Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of “unsafe browsers,” but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates.

PayPal Plans to Ban Unsafe Browsers, By Ryan Naraine, EWeek.com, 2008-04-17

Now on the one hand, I think EV SSL is color-coded checklist security candy:

Tokyo in May: CeCOS II

26-27 May 2008 in Tokyo:
The second annual Counter-eCrime Operations Summit (CeCOS II) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year’s meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.

Counter-eCrime Operations Summit II, APWG Japan, 2008

The Anti-Phishing Working Group continues to expand via national associates, and to put on good workshops.

-jsq

Class Action Coming for Identity Theft?

It wouldn’t be a moment too soon:
I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn’t happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft.

Signs of Liability: ‘Zero Day Threat’ blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008

The book review iang quotes gets it about online crime not being amateur anymore: it’s organized. And it gets it about perhaps a more important point: