November 28, 2024

Immunizing the Internet

Can computer crime be beneficial? That’s the question asked by a provocative note, “Immunizing the Internet, or: How I Learned to Stop Worrying and Love the Worm,” by an anonymous author in June’s Harvard Law Review. The note argues that some network attacks, though illegal, can be beneficial in the long run by bringing attention to network vulnerabilities and motivating organizations to address problems.

I don’t buy the note’s argument, but there is a grain of truth behind it. Vendors and independent analysts often disagree about whether a vulnerability is real or could ever be exploited in practice. One thing I’ve learned over the years is that the best (and often the only) way to resolve that debate is to demonstrate an exploit. If you can do something, people will accept that it is possible.

Our recent e-voting study is a good example. Diebold can’t seriously argue that malicious code can’t sway an election, because we have a working demo that we have shown on national TV and in front of Congress.

Even when the vendor is willing to acknowledge reality and work constructively to fix a problem, a working demonstration is useful in helping the vendor cope with the problem – and in helping the good guys within the vendor organization neutralize any internal minority that wants to deny the problem. Showing the vendor a working demo can be the first step in a constructive problem-solving relationship.

(To be clear: You can build a working demo and show it to people without revealing to the public every detail of how to build the exploit. How much information to publish about a demonstration exploit is a separate issue from whether to build it in the first place.)

But some sorts of problems can’t be demonstrated without breaking the law. For example, Diebold apparently claims that there is no way to tamper with the upcoming November election in (say) Maryland. I’m convinced that claim is false, but the most direct, obvious way to prove it false would involve actually tampering with the election, which of course is unthinkable.

The note’s reasoning would imply that the penalty for tampering with the election might be reduced, especially in cases where the tampering is engineered to be obvious and to cause minimal damage, for example if it added 10,000 write-in votes for Homer Simpson to a statewide race where a candidate was running unopposed. Though such an attack would be instructive, it would still be wrong and would deserve serious punishment. If the legal lines are drawn in the right places, and if the punishment otherwise fits the crime, then we shouldn’t let attackers off easy just because their attacks were instructive.

HP Spokesman Says Company Regrets Spying on Him

As most people know by now, Hewlett-Packard was recently caught spying on its directors and employees, and some reporters, using methods that are probably illegal and certainly unethical. Throughout the scandal, we’ve heard a lot from HP spokesman Mike Moeller. This got my attention because Mike was my next-door neighbor in Palo Alto during my sabbatical five years ago. Mike and I spent more than a few evening and weekend hours chatting over the fence.

Now it is reported that one of the targets of HP’s spying was … Mike Moeller. An HP internal email turned over to investigators says, “New monitoring system that captures AOL Instant Messaging is now up and running and deployed on Moeller’s computer”. The company also reportedly had a detective follow Mike at a trade show, and they acquired his private phone records.

I wouldn’t have figured Mike as the type to leak boardroom secrets to the press, and indeed the spies found he had done nothing improper.

What’s interesting is that he is still serving as spokesman for HP. I’m not sure what to make of this. He must have been unhappy about being targeted; who wouldn’t be? But the essence of the spokesman’s job is to stay on message – the company’s message, not your own. Resigning in anger is not the spokesmanlike thing to do, and can’t be a good career move.

Heads have rolled at HP over the spying incident – as they should have – but the investigation is far from over. Executives claim not to have known what was going on, and not to have known it might be illegal, but those claims are hard to believe. Why would the company’s lawyers have allowed this to happen without getting careful legal opinions in advance? The most plausible reason is that they didn’t want to find out whether the spying tactics were legal, just as the executives probably didn’t want to find out how the information they received had been collected.

Obviously HP is not the only organization that did this. The investigators HP hired had plenty of other customers, and they are only part of a larger industry of private spies. Obtaining others’ phone records by identity theft is common enough to have its own euphemism: “pretexting”.

After the fallout at HP, expect more revelations about spying by other organizations. People will be more alert for spying, and they’ll know that revealing it can bring down the mighty. Meanwhile, law enforcement will be prying open the records of the “investigators,” finding more examples of reputable organizations that wanted information but didn’t want to be told where it came from.

Eventually the scandal at HP will blow over, and Mike Moeller’s job will return to normal. But maybe he’ll think twice before sending that next email or instant message to his family.

E-Voting Testimony

Today at 10:00 AM Eastern I’m testifying at a House Administration Committee hearing on e-voting. Here is the written testimony I submitted.

Networking Diebold Voting Machines

Reacting to our report about their AccuVote-TS e-voting product, Diebold spokesmen are claiming that the machines are never networked. For example, Diebold’s official written response to our report says that the AccuVote-TS “is never attached to a network” and again that “These touch screen voting stations are standalone units that are never networked together.” This is false – AccuVote-TS systems are designed to be networked.

The Diebold manual that came with our machine explains how to network AccuVote-TS machines. The manual is called “AccuVote-TS User’s Guide: GEMS Touch Screen Client 4.1”, revision 1.0. In section 8.5, “Transfer Results”, the manual explains,

Results [of elections] are transferred are [sic] by means of a TCP/IP network connection, either directly, by modem or ethernet.

[…]

Representative tests of all results transfer configurations should be performed in the process of election confinguration, including transmissions by direct, modem, or ethernet connection.

Touch the Transfer Results button in order to activate the Transfer Results Window… Enter the network host name in the Host Name field using the [keyboard]. Enter the network user Id in the User Name field and the network password in the Password field.

Other sections of the manual contain similar text describing the transfer of election results over a network.

Appendix E of the manual lists “[s]upplies required and recommended for AccuVote-TS system operation, maintenance and logistical support”. The list includes “network cards” and “ethernet cabling”.

Diebold’s insistence that the voting machines cannot be networked is especially odd given that the conclusions in our report don’t rely in any way on the use of networking – even if Diebold’s no-networking claim were true, it would be irrelevant.

Honest Election Workers

One of Diebold’s responses to our paper and video about their products’ security is that election workers are honest and would never do anything to corrupt an election. Like many of Diebold’s arguments, this one is mostly true but almost entirely irrelevant.

The overwhelming majority of election workers are honest and diligent. They put in a long, hard day and struggle with unfamiliar equipment, receiving little or no pay in return. They’re on duty in the polling place for the best of reasons. Next time you vote, remember to thank them.

But one of the lessons of our study is that even one dishonest election worker can cause big trouble. So the relevant question is not whether the average election worker is honest, but whether a would-be villain can get a job as an election worker.

The answer to that question is almost certainly “yes”. Election workers are in short supply in most places, so any competent adult who volunteers is likely to get the job. And every election worker I’ve talked to has had private access to a voting machine for more than a minute – enough time to inject the kind of vote-stealing software we demonstrated.

As always with computer security, we don’t just worry that things will go wrong on their own. What really vexes us is that our adversary is trying to make things go wrong. If a single election worker can corrupt an election, then the bad guys will become election workers. Without the necessary safeguards, the many honest election workers won’t be able to stop them.