November 21, 2024

Joisy on my mind

Like everyone interested in the mechanics of elections, I’ve been fascinated by the New Jersey efforts to allow voters to request and submit ballots via email. In this posting, I’d like to address four brief points that I don’t think have received much attention – the first two policy, and the last two technical. First, […]

Grading the absentee-in-person experience in Virginia

[Each year, I write a “my day as a pollworker” report. This year, I’m not a pollworker, or election officer in Virginia parlance, for a variety of reasons, so I decided to write about my voting experience.] I just got back from “in-person absentee voting”. This is similar to but not the same as early […]

Going to the doctor and worrying about cybersecurity

For most people, going to the doctor means thinking about co-pays and when they’ll feel better. For me though, it means thinking about those plus the cyber security of the computer systems being used by the medical professionals. I’ve spent more time than usual visiting doctors recently. I broke my hand – sure I’ll tell […]

DHS OIG study of scanners silent on computer threats

The U.S. Department of Homeland Security Office of Inspector General (DHS OIG) released their report on safety of airport backscatter machines on February 29. The report has received criticism from ProPublica among others for what it says as well as what it doesn’t, mostly focusing on issues of incremental risk to the traveling public, the large number of repair services, and the lack of data analyzing whether the machines serve their claimed purpose. (The report does not address millimeter wave machines, which most scientists believe are safer.)

But what’s surprising in both the report and the critiques about it is that they have only discussed the radiation aspects when used as intended, and not the information systems embedded in the devices, or what happens if the scanners are used in unintended ways, as could happen with a computer system malfunction. Like any modern system, the scanners almost certainly have a plethora of computer systems, controlling the scanning beam, analysis of what the beam finds, etc. It’s pretty likely that there’s Windows and Linux systems embedded in the device, and it’s certain that the different parts of the device are networked together, for example so a technician in a separate room can see the images without seeing the person being scanned (as TSA has done to head off the complaints about invasion of privacy).

The computer systems are the parts that concern me the most. We should be considered about security, safety, and privacy with such complex systems. But the report doesn’t use the word “software” even once, and the word “computer” is used twice in reference to training but not to the devices themselves.

On the safety front, we know that improperly designed software/hardware interaction can lead to serious and even fatal results – Nancy Leveson’s report on the failure of the Therac-25 system should be required reading for anyone considering building a software-controlled radiation management system, or anyone assessing the safety of such a system. We can hope that the hardware design of the scanners is such that even malicious software would be unable to cause the kind of failures that occurred with the Therac-25, but the OIG report gives no indication whether that risk was considered.

On the security and privacy front, we know that the devices have software update capabilities – that became clear when they were “upgraded” to obscure the person’s face as a privacy measure, and future planned upgrades to provide only a body outline showing items of concern, rather than an actual image of the person. So what protections are in place to ensure that insiders or outsiders can’t install “custom” upgrades that leak images, or worse yet change the radiation characteristics of the machines? Consider the recent case of the Air Force drone control facility that was infected by malware, despite being a closed classified network – we should not assume that closed networks will remain closed, especially with the ease of carrying USB devices.

Since we know that the scanners include networks, what measures are in place to protect the networks, and to prevent their being attacked just like the networks used by government and private industry? Yes, it’s possible to build the devices as closed networks protected by encryption – and it’s also possible to accidentally or intentionally subvert those networks by connecting them up using wireless routers.

Yes, I know that the government has extensive processes in place to approve any computer systems, using a process known as Certification and Accreditation. Unfortunately, C&A processes tend to focus too much on the paperwork, and not enough on real-world threat assessments. And perhaps the C&A process used for the scanners really is good enough, but we just don’t know, and the OIG report by neglecting to discus the computer side of the scanners gives no reassurance.

Over the past few years, Stuxnet and research into embedded devices such as those used in cars and medical devices have taught us that embedded systems software can impact the real world in surprising ways. And with software controlled radiation devices potentially causing unseen damage, the risks to the traveling public are too great for the OIG to ignore this critical aspect of the machines.

Who won the Iowa primary – and does it matter from a technical perspective?

As Americans know, the 2012 presidential season began “officially” with the Iowa caucuses on January 3. I say “officially”, because caucuses are a strange beast that are a creation of political parties, and not government.

Regardless, the Republican results were interesting – out of about 125,000 votes cast, Mitt Romney led by eight votes over Rick Santorum, with other contenders far behind. The “official” results released today show Santorum ahead by 34 votes.

However, it’s not so simple as that.

First, there’s the matter of paper ballots. The good news is that Iowa caucuses, unlike primaries and general elections in some states, are recorded on paper. So in a case like this, there’s paper to turn to, unlike all-electronic systems where the results rely on correct software.

Second, there’s the matter of proper chain of custody. In releasing the updated results, it appears that some of the records from the caucuses cannot be located. It doesn’t matter whether the records are paper or electronic – if the chain of custody is weak (or non-existent!), then the results are at best suspect.

Third, and perhaps most importantly, “the early part of the Presidential Primary series is the only case in American politics that I know of where the preliminary election results may be actually more important than the final certified results.” [Thanks to David Jefferson for this observation.] While this is not a technical issue, it points out that our technical solutions for voting systems must recognize the reality that timely accurate results are important – timely results that are wrong aren’t helpful, and slow results that are right will be ignored.

Finally, it’s critical to realize that caucuses, like primaries in some states, are run by the parties, and not by the election professionals. Perhaps if the caucuses were run by the pros, some of these problems might not have happened.