network security


Through a short but unexpected chain of relationships I was asked yesterday to appear this morning in a brief interview on Scott Fitzgerald’s show on WPTF 680 AM. To be honest, whether or not to say yes was something of a quandary. On the one hand, I couldn’t turn up anything specifically negative about the host and the chain of relationships involves a much-loved former boss; on the other, this is a right-wing AM talk radio station that plays Sean Hannity, for gods’ sakes.

After some thought and a discussion with The Boyf I decided that, given that the topic itself - securing credit card data and protecting personal information - is fairly apolitical and the tone of the thing seemed to be educational rather than advocating a particular point of view, well, what the hell, right? I did a little reading up on the big TJX breach, as that was apparently going to be the topic that morning, and wrote down a few thoughts in case my brain was fuzzy at 7:10am.

The experience itself was nice enough. The host was polite, the interview was brief, I didn’t say ‘um’ every other word and I got to say the thing that made me ultimately decide to do this: that there is no such thing as “security.” As I said to the host (after trying it out a couple of times on KJ, bascha and The Boyf last night), our society has become convinced that “security” is some attainable state of the absence of risk but in truth “security” is the ongoing process of trying to find a balance between risk and convenience.

It’s childish and silly of me but I really relished saying that to an audience of security-obsessed wingnuts.

The only thing I don’t understand is why the host asked me how 9/11 had changed network security. It hasn’t. I didn’t get a chance to bring this up but the truth is that 9/11 didn’t change a damned thing about network security - at least not in the markets where I’ve worked - because 9/11 was a physical attack, not an electronic one. The big engines of change have been government regulation, the very market interventions that free market righty types find so abhorrent. I’ve seen more clients make positive changes to their networks and their policies as a result of SarbOx, HIPAA and the FFIEC than anything else.

The host asked how a person can protect their credit card data and I said, in all honesty, that we can’t. The truth is that once your financial data is in a store’s hands it is out of yours. Period. If that data is compromised then they have to notify you but they don’t have to tell you how or by whom or anything else. In fact, there is a disincentive to inform. TJX’s (eventual) openness about how the theft was done led to lawsuit upon lawsuit. During the time span that the big, multi-store heist in question was being executed my bank sent me three (3) new copies of my credit card and I’ve never known exactly why. Was my information in that data? Probably so; I’ve shopped at Barnes & Noble plenty of times.

The example I gave them was that if one wants to make sure one’s credit or debit card data is never stolen from, say, the grocery store, then one had better always pay in cash. It’s not that simple, though. Paying in cash means remembering to go to the cash machine and knowing exactly how much one will spend at the store. That also requires protecting one’s PIN from prying eyes at the ATM, keeping one’s wallet from ever getting stolen and then, even then, if one’s data is stolen directly from the bank, well… so much for all that effort.

The payment card industry has a set of protocols it requires called the PCI DSS (Payment Card Industry Data Security Standard). It’s a good start but it is only that: a start. It covers some basic common sense benchmarks but these are as basic as making sure default passwords aren’t left on vendor-provided cash registers and other equipment. It’s bare-bones at best. The truth is that payment data theft is a problem for which the market is not ever going to correct. The use of cards is way too profitable for everyone involved. Stores, the banks that issue the cards, the payment card providers themselves, payment processors, everyone involved makes way too much money off cards to ever give them up or to make them too inconvenient to use. No store is going to react warmly to someone walking in off the street and asking how that store protects credit card data. No store ever advertises that customer data is more secure with them than with their competitors.

So what do we do? There isn’t much we can do without accepting a high level of inconvenience. Sure, there are options - get prepaid cards to use for online shopping, but read up on the fraud protection for those cards first just in case it’s not as good as your normal credit card. Get a secured credit card. Get a credit card with your picture on it. Keep tabs on your account activity online - weekly, not monthly. Request a copy of your credit report once per year if not once per quarter. Write a check instead of using the card; check data can also be stolen but it’s harder to get at one’s cash with check data. Better yet, use cash. There are ways in which the TJX heist was very clever - they combined elements of physical theft (geographical proximity and physical access to the store) with an electronic intrusion (computer security is often contemplated only as a means of preventing distant attacks) - but ultimately war-driving and cracking WEP aren’t exactly innovations and the theft overall follows the same pattern used in all such cases: the thieves cast the widest possible net and took the easiest pickings. The only thing to do is to make one’s self a less attractive target surrounded by lower-hanging fruit.

None of these make the stores protect our data any better, though, and nothing ever will. Most of these ideas are only useful to protect against identity theft which could be much more easily and thoroughly protected by a couple of basic regulatory changes - require photos be included in credit reports and require automated notification if one’s credit report is accessed for any reason, two things that would cost the credit bureaus some money and save everyone else a lot of headache. Even regulation will at best discourage such carelessness in the retail sector. Ultimately the only option we have is to stare into the abyss and decide for ourselves how much we want that TV or that t-shirt.

So what do I do?

I use my card all the time. I hardly ever have more than a couple of dollars on me in cash. It’s just too convenient. I make up for it by monitoring my account and my credit record and trusting that I’ll be able to get refunds for any fraudulent activity. So far, so good. That’s “security” for me: the amount of risk I’m willing to tolerate balanced against the convenience I desire. Anyone who tells you “security” is anything else believes they can make a buck off it if they tell you enough times.

So, I’m the on-call this week. I hate being the on-call. I hate everyone who calls and I hate everyone at the helpdesk who forwards those calls to me. If I could kill with my mind, my every on-call would have a body count. I would be the greatest murderer of all time. Jim Jones would look like a Care Bear next to me.

At any rate, I have two stories to tell:

First: Friday I’m talking to a client about some work he wants to do on Saturday. We’re trying to schedule a time. I grit my teeth and tell him that whenever is good for him is good for me. He picks a time that means it will be impossible for me to go to brunch and finally meet a friend’s girlfriend - whom I failed to meet last time she was in town because I was on-call. Then he says, and I quote, “Well, really, just as long as we can be done early in the afternoon, any time works. I’ve got plans to get shit-faced at 3, so we have to be done by then.”

Ah, yes, I told him. In that case, we needed to do it around 1 because I had brunch plans. Fair’s fair.

That day, once we were on the call, things went well and truly south. I was trying to figure out why The Thing We Were Doing wasn’t working when it occurred to me that The Thing We Were Doing didn’t make much sense in the first place. I very casually asked him why we were doing this and he said, “Because my boss is a fucking manager and doesn’t know what the fuck he’s doing, that’s why.”

My response was the only word I could produce in that moment: “…Okay!”

Second story: we have a ticketing system that is based largely around email. When a ticket gets created, it automatically emails a copy of itself to the client involved. They can reply to that email and update the ticket themselves if need be. When we update the ticket it emails a new copy of the ticket log to the client. So on and so forth. It’s quite the clever little ticketing system in that it will spot quoted text from itself in a reply email and excise that so that a ticket log remains a fairly continuous conversation without a lot of quoted text from earlier entries.

Today a client emails us an error message they had received about an email they had sent that had been tagged as disallowed by the standards of their firewall. They sent the email with the following text at the top:

Do not sand me any email

So, a ticket gets cut. What does it do? Send that very email right back to the client. So they reply:

Do not sand me any email

…which causes them to get an email copy of the ticket log. Again. Several rotations of this later we get one last email response from them:

DO NOT SAND ME ANY EMAIL I AM NOT INTRSTED

I laughed until I cried. I could just picture them sitting there sending us an email and immediately getting a reply back that simply quoted what they’d just sent and them, in turn, picturing us sitting there with an evil gleam in our collective eye and shooting them a response as quickly as possible, rubbing our hands together at the thought of their annoyance.

What was the very next ticket in the queue? That same client had tried to send their email again, gotten the rejection message again and forwarded it to us - generating another ticket and another automated response right back to them. This time their plea for silence read:

do not sand me any email do not

I laughed so hard I had to go outside. I still don’t know what we did with those tickets. I don’t care. Whatever it was, if we didn’t print and frame them to go on a wall then what we did was wrong.

In case you’ve ever wondered, yes, you can install Checkpoint NG R55 for RHEL 3.0 on CentOS 3.9. Christ alive, it’s a good day.

I almost never discuss my work on this site for any number of reasons. However, this tidbit is too strange not to pass on and will, I hope, fail utterly to identify anyone involved.

One of the services my employers offer is URL filtering. Clients can be set up so that they can’t view websites that fall into certain pre-defined categories (adult, guns, politics, whatever) but there is also an overriding “allow” list and “deny” list, free-form lists where we can add a given URL to grant or block access to a given site regardless of whether or how it’s classified in the third-party database of URLs we use for category filters. This is all pretty standard, yes, I’m just trying to explain it for people who may not be familiar with the “Net Nanny” approach to web monitoring.

Most clients add big, obvious sites to their universal “deny” lists: myspace, Ebay, that kind of thing. Occasionally I get one that makes me die a little on the inside, like the time I was interrupted from reading the World of Warcraft user forums in order to block said forums for a client, a moment of terrible irony and a faint aftertaste of guilt. In one very amusing instance, I got a request around 3pm on a Friday afternoon from a client who wanted to unblock the Adult, Alcohol and Firearms categories and then have them re-enabled at the end of the day. Someone was, I could only conclude, getting ready for one heck of a weekend.

On even more rare occasions, however, we get a real glimpse into the inner workings of our clients’ offices and the personal obsessions that plague them. One had a string of radio station websites they wanted blocked; they had a colleague who was an incorrigible user of streaming broadcasts, the devil’s own bandwidth vacuum. Once we had a client who had to block, individually, a specific list of professional sports teams’ and, the next day, a collection of specific sports gambling sites. One had a pretty seriously MMO-addicted user and we had to block the forums.example.com domain for about half a dozen massively multiplayer games. Very rarely, a client will actually explain the situation to us, conversationally sharing private personnel matters in a way that makes us deeply uncomfortable; more often, we are left to invent our own explanatory scenarios.

Today, though? Today takes the cake. I just got asked by a client to block a specific list - half a dozen or more entries in length - of websites devoted to the personal and professional lives of the Olsen twins.

Some people don’t just need a hobby, they need a different hobby.

Ever wanted a thorough but largely non-technical discussion of the risks and problems inherent to electronic voting machines?  Read this article from Ars Technica.  He makes some fantastic points.  I will quote only one sentence from it, because that one sentence is, itself, a beautifully brief and very thoughtful point:

Bits and bytes are made to be manipulated; by turning votes into bits and bytes, we’ve made them orders of magnitude easier to manipulate during and after an election.

Monday afternoon I changed my password for the first time in ten years.

That’s a terrible thing to admit, especially given that I’ve made my career in network security, but it’s true. Ten years ago I set my password on the server where I still send and receive what I think of as my “real” email, and I hadn’t changed it since. It was many characters long, a sensible mix of letters and symbols and numbers. In all those ten years, my account was never cracked, my password never guessed, my login never abused.

Then I logged in on Monday afternoon, and I saw an email from Ebay telling me I’d successfully created a listing for 1,000 gold from World of Warcraft. Only, I hadn’t. I figured it was phishing spam, but it mentioned my specific Ebay login. So, I checked my account on Ebay, rarely used, and saw that, whoops, there were over 1,500 fake listings for WoW gold in my name. They were identical, and each listing page included Paypal buttons for the ordering of gold and leveling in WoW - it didn’t matter that they listed them using my account, because the goods weren’t actually bought at auction. It was just a convenient way for them to advertise their product and offer a direct-purchase Paypal link so many times that they could flood the listings one would get were they to search Ebay for World of Warcraft gold.

Long story short, the Ebay rep who talked to me (they call you after initially working with you online, which really sealed the deal for me in terms of coming away viewing it as a positive customer service experience - that, and it took them all of fifteen minutes to have the situation entirely fixed) told me two things: that it was the most fake listings he had ever seen, so many it crashed his administrative interface to the site when he tried to cancel them en masse, and that I should change the password on my email account.

Now, realize that the account in question is an old account. I’ve had it for over a decade. It’s an actual shell account on an actual server where I use Pine to read my email. It is not some Hotmail junk. I remember when I worked there, there was a terminal set up in one corner and whenever someone mistyped a password for an account on our system, an alert would pop up on that monitor.

But I work in network security, and I couldn’t very well just cross my fingers and hope for the best, could I? I’d already cancelled my Paypal account entirely in a fit of paranoid track-covering. I was already in slash-and-burn mode regarding anything related to my Ebay account. It occurred to me that if they had logged in as me then they knew my street address, they knew my email address, they knew my phone number, everything. Even if they couldn’t do much with my street address, it still drove me bat-shit just knowing they knew that. Anything I could do to improve the chances of not having my life dug further into, well, it had to be a pretty good idea, right? And so I sucked it up and typed something I hadn’t in a very long time:

passwd

Now I have to remember a new one. The old one is so programmed into my fingers that I still type it every time I log in. I felt oddly invaded, oddly stripped bare by the experience, but nothing about it is as bad, frankly, as my annoyance at having to remember a new password.

If I could wrap my hands around the necks of those bastards, that’s the last thing they’d hear as the light dimmed: You made me remember a new password, you fuckers.

What’s funniest to me is that I change all my other passwords all the time. Ebay password? Totally changed. I don’t buy or sell on Ebay that often, but I log in fairly frequently just to glance around. I change that password a lot. I just didn’t get lucky on this one.

It’s just that one password, on my “real” email, that I’d let stay the same. Eventually it was like a quiet point of shameful pride, like a monk with a prodigious collection of skin mags. But now even I, perverse as I am, will change it often as well. Just one more thing to go in the calendar appointments, one more account to remind myself to change every so often.

I would wring those bastards’ necks in two seconds, given half a chance.

In 2000, as I was standing in line to vote, a woman in front of me addressed those of us standing around her with this: “Why can’t I just do this online?” I should have kept my mouth shut, but I didn’t. “Because,” I said, “It would be too easy to hack.” After finding out I worked in network security, she went on to decide that it was somehow my fault that this hadn’t been figured out yet. While I certainly didn’t have the answer, I shared her frustration. A part of me relishes the civic camaraderie of standing in line to vote - how else would I have met that lady in ‘04 who told me her kids played soccer with the Bush twins in Texas years ago, and said “Laura is the biggest bitch you’ll ever meet,” without that experience? Still, online voting would make some things much easier.

And so, with that in mind, pretend for a moment that you and I are sitting in a bar. There is a large plate of cheese fries between us, with ample supplies of both ranch and honey mustard dressings. I have a Diet Coke (it counteracts the cheese fries, right?) and you have the beverage of your choice. You have just pulled out a pen and one of the bar napkins and said, “So how could it work and be safe?”

This is not a circumstance in which we are going to solve the problem from start to finish, but I do have a few ideas. I don’t know how feasible they are. I don’t even know if they’re truly secure, because encryption and authentication are not my specialties. I do network perimeters, though, so I do touch on authentication and encryption. I am not, however, a genius. I am a guy who is good enough at his job to keep doing it. Keep this in mind. I say this in part to excuse any gaffes and in part to make clear that criticism or other suggestions will not offend me. I am aware of my limitations! Anything we can come up with to improve on the following scenario is a good thing. I do not believe that in a day or a month or a decade the whole world will look back on this post as The Answer That Worked, but neither have I found much of anywhere that this is being discussed in a serious but casual and open way. So, we begin here, and see what happens.

The biggest issue with online voting is, how do we know your vote was cast by you? Online voting would, if dissected into an order of operations, look a great deal like voting in person, in part because that’s already the model that works, and in part because this can be translated into a friendly, tech-free presentation to the user that will make them comfortable with a new process by making it feel like the old process wherever possible. That means the first thing we have to do is check in at the front desk. So, we need to authenticate you. However, managing a national database of logins and passwords is impossible and, just as importantly, neither would it be anonymous. Confidential is not the same as anonymous (let’s hear it from the HIV-testing activists from ten years ago, people), and what we’re gearing for is authenticated anonymity. (I don’t even know if that’s a real term, but we’re too busy eating cheese fries to care. This is all just kicking the ball around.) You want to check in at the front desk but, after that, you do NOT want your vote in any way tied to your name. Remember, you don’t sign your ballot before you stick it in the box.

The second big question is going to be ensuring that your vote is not tampered with. In real life we do this by being alone in the voting booth and then putting the ballot in the box ourselves. Polling place workers do not take the ballots from our hands after they’re filled out. Instead, they are tucked away in the big, brown boxes for security’s sake. After that, we have to trust that the authorities are honest with their counting, but hey, we already do that. So far, so good. How to duplicate this online is going to be to use extra-strength encryption. I am not talking about 128-bit encryption you use to check your bank balance. Yes, that’s great, and the kid down the street sniffing your wireless link is not going to be able to crack that in a hurry, but we know someone can: the government. Rumor has had it for years that 128-bit is the industry standard because the average cracker can’t break it but the NSA can and in real time. Perhaps it is true that Uncle Frank is simply not going to care about that, but the geeks sure as heck will. If we’re going to sell online voting to anyone, we have to win over the geeks first. Then they can sell their Uncle Frank on it on their own time. Thus, I’m going to go out there and suggest 1024-bit encryption. It’s overkill, yes, but it is very, very safe, and all the nerds out there with GnuPG are going to like seeing that big number.

The third question is, how do we deliver it? The bottom line is that, like any question of voting equipment and processes, it’s going to be decided at the state and local-elections-board levels. Your town or county or city or whatever is going to have to keep a server where the votes are tallied. This is not hard, because the process of tallying votes is now largely computerized anyway. Butterfly ballots excluded, do you really think that here, in NC, when we complete the little arrow to the candidate’s name that someone is going through and checking those by hand? Those things are scanned and the results stored on a computer. We will store our results on the same computer. Voila.

“That’s a lot of nice talking,” you say to me around a mouthful of Beverage(tm), “But we already know all that.”

Too true! Here’s the tech part of it, and it’s very simple: one-time crypto keys.

Let’s say we have our system in place. I want to vote online because I am lazy and I could be sitting at home stuffing myself with my own plate of cheese fries rather than out standing in line. Thus, I appear at my local polling place and skip the line and go straight to the front table that’s next to the other front table. There is no line. I tell them who I am, and they check me off in the big book because I’m now saying that I have voted and I am not going to vote in person. The other front table checks me off, too. The nice people behind the table hand me a CD with the voting client software on it (a cosmetically modified VPN client that is light and simple and will uninstall the day after the election and a link to the page where I will vote, using a private IP address for which I’ll only have a route after the VPN client has bound to my network interface). Then, they reach into a big box next to them and pull out an envelope. It looks like a paystub - perforated edges on each end - and they open it. They toss the carbon-copy sheet in the middle, hand me one of the two pieces of paper inside, and take the other piece and stick it into a ballot box.

I have now, for the purpose of validating that as many votes were cast as voters showed up to vote, voted.

I go home. I start warming up the cheese fries.

While that’s happening, I pop the CD in and install the VPN client. It is quick and painless, and requires minimal user interaction. When it launches, I am asked for one thing: the string of letters and numbers printed on the otherwise blank sheet of paper I was handed at the polling place. That string is my key. I should note here that I don’t mean the actual encryption key, I mean something like a pre-shared secret - it’s not 1024 bits of characters, it’s just a random jumble of characters (let’s say 8 to 12 characters in length) that can be compared on the far side of my connection to verify that this is legit. Once I put that in, my browser launches and I am taken to a page that has the appropriate offices and candidates for my precinct/district/etc. I vote by clicking a few radio buttons. I click submit, which takes me to a listing of the votes I just cast. I am asked to review these votes and confirm them. Because this is just a simple page, my enhanced accessibility software for any disabilities I might have has no problem handling it - the page is read out loud, the text is enlarged, whatever. I click that I have verified this information, and tah-dah, I have voted.

The server on the far side marks my key as having been used. It can never be used again, not even next election.
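The one-time key check described above, as an added example that is not part of the original post. The class and method names, the key alphabet and the choice to store keyed hashes are assumptions for illustration; it also shows the ballot being stored with no link back to the key.

```python
import hashlib
import hmac
import secrets
import threading
from collections import Counter

# Characters that are hard to misread on a printed slip (no 0/O, 1/I/L).
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
KEY_LENGTH = 10  # the post suggests 8 to 12 characters


class BallotKeyRegistry:
    """Hypothetical server-side store for one-time voting keys."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._issued = set()  # digests of unused keys for the current election
        self._spent = set()   # digests of every key ever used; never cleared
        self._ballots = []    # ballots only: no key, no digest, no voter name
        self._lock = threading.Lock()

    def _digest(self, key: str) -> bytes:
        # Store a keyed hash, so a copy of the key table does not reveal
        # usable keys. Normalise what the voter typed from the paper slip.
        typed = key.strip().upper().replace("-", "").replace(" ", "")
        return hmac.new(self._secret, typed.encode("utf-8"), hashlib.sha256).digest()

    def issue_keys(self, count: int) -> list:
        """Generate keys to print and seal in envelopes before election day."""
        keys = []
        with self._lock:
            while len(keys) < count:
                key = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))
                digest = self._digest(key)
                if digest in self._issued or digest in self._spent:
                    continue  # never hand out a duplicate or a previously used key
                self._issued.add(digest)
                keys.append(key)
        return keys

    def cast(self, key: str, ballot: dict) -> str:
        """Redeem a key exactly once and record the ballot without it."""
        digest = self._digest(key)
        with self._lock:  # check and mark in one step so two requests cannot both win
            if digest in self._spent:
                return "rejected: key already used"
            if digest not in self._issued:
                return "rejected: unknown key"
            self._issued.discard(digest)
            self._spent.add(digest)
            # Insert at a random position so storage order does not mirror
            # the order in which keys were redeemed.
            position = secrets.randbelow(len(self._ballots) + 1)
            self._ballots.insert(position, dict(ballot))
        return "accepted"

    def close_election(self) -> int:
        """Discard unused keys (the leftover envelopes); spent keys stay spent."""
        with self._lock:
            unused = len(self._issued)
            self._issued.clear()
        return unused

    def tally(self, office: str) -> dict:
        with self._lock:
            return dict(Counter(b[office] for b in self._ballots if office in b))

    def ballots_cast(self) -> int:
        with self._lock:
            return len(self._ballots)


if __name__ == "__main__":
    registry = BallotKeyRegistry(secrets.token_bytes(32))
    slips = registry.issue_keys(3)  # constructed sample keys
    print(registry.cast(slips[0], {"mayor": "Candidate A"}))
    print(registry.cast(slips[0], {"mayor": "Candidate B"}))  # replay
    print(registry.cast("0000000000", {"mayor": "Candidate B"}))  # never issued
    print(registry.close_election(), "unused keys discarded")
    print(registry.tally("mayor"))
```

Ten characters from this 31-character alphabet give roughly 49 bits, so the server would also need to limit guessing attempts per connection.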

I eat my cheese-fries.

That night, one candidate in a race asks for a recount. The number of votes cast is compared to the number of voters having shown up to vote, voted early or listed as voting online. The tallies are run again. There is no problem with online votes because they are, ultimately, every bit as secure as the output of a touch-screen machine that has no paper trail. So, OK, there are potential problems of the tallies having been tampered with, but these problems exist already in our system, so they are separate questions entirely.

Now, of course, there are problems with this. What about all those unused keys sitting in that box? They are thrown away. But what if someone decides to start opening them and checking off random no-shows in the voter roll and just voting for them? Well, that could already happen with blank paper ballots at any polling station. If we distrust the people running our elections, that is a separate question entirely and not of import to the technical matter of allowing secure, online voting.

But what, then, of Uncle Frank? He’s so bad with computers he tried to install iTunes and wiped his hard drive! He didn’t even know what iTunes was!

That, my friend, is Uncle Frank’s problem. Perhaps his geek niece will help him. Perhaps his geek niece will be so civically minded that she sets up a local volunteer tech-support line for her precinct to help folks who aren’t sure what to do - staffed by both Democrats and Republicans, and endorsed by the local elections board after receiving election-staffing training. Perhaps she is supported entirely by one party or the other, like the many other programs the parties run on election day to assist voters by giving them rides to the polls, ringing doorbells to remind them it’s election day, all sorts of things.

But they could trick them into voting the wrong way! Yes, and so can phone-jamming schemes in New Hampshire prevent them from getting to the polls in the first place; the thing is, if it’s found out, it can be punished just as surely as any other form of election fraud.

Fine, Mr. Smarty Pants, what about spyware? Hackers? Key-stroke loggers? What about a virus that changes the local host file on Uncle Frank’s computer so that he gets redirected to a false website and his vote is stolen and he gives away his key to someone else to use? That? That I’m not so sure about. That’s partly a function of making sure your computer is safe in the first place and partly a function of threatening such voter fraud with the same punishments as any other form of voter fraud. It is, ultimately, a matter of law enforcement. I’m here to answer the technical matter of making the online voting happen as securely as possible, though, so I simply don’t have the technical answers other than to say that we all risk this every time we check our online banking or pay a bill. As such, Uncle Frank (or his geek niece) are going to have to take the same precautions they take every day, cross their fingers and hope for the best just like the rest of us.

So who’s going to pay for this? We are. We’re the taxpayers. The same budgets that pay for touch-screen voting machines will pay for the VPN equipment, and connections, and the perimeter security around the machines that handle tallying and the VPN concentrator itself, and on and on and on. Will it be expensive? Oh, you bet it will. It’ll be worth it, though, and heck, what we’re spending now on touch-screen devices is already pretty outrageous.

And yet, there are other problems, and other questions, and probably a whole slew of technical issues and hitches and hiccups that I just haven’t thought of. So what are they? It’s time to get cracking on this issue, because it’s going to happen one day, sooner or later, safe or not. We might as well start kicking around the best-case scenarios - not the worst-case, but the best-case - so that we can push for them early.

Now please, stop bogarting the honey mustard.

A movie destined to make me slightly embarrassed to tell people what I do for a living: FIREWALL.

C’mon, Harrison, suck it up and make Indiana Jones 4 or something so we can love you again, OK?

Fresh from MSNBC.com:

RALEIGH, N.C. - One of the nation’s leading suppliers of electronic voting machines may decide against selling new equipment in North Carolina after a judge declined Monday to protect it from criminal prosecution should it fail to disclose software code as required by state law.

Diebold Inc., which makes automated teller machines and security and voting equipment, is worried it could be charged with a felony if officials determine the company failed to make all of its code — some of which is owned by third-party software firms, including Microsoft Corp. — available for examination by election officials in case of a voting mishap.

The requirement is part of the minimum voting equipment standards approved by state lawmakers earlier this year following the loss of more than 4,400 electronic ballots in Carteret County during the November 2004 election. The lost votes threw at least one close statewide race into uncertainty for more than two months.

Diebold can bitch and moan all they want, but this is a good thing. Black-box voting machines do not do democracy any favors. The rules surrounding voting machines should be very simple:

  • The code must be available for inspection by the state.
  • The box must provide an easily readable receipt for voters to verify.
  • The votes counted should be the verified receipts, not mysterious entries in a local file on the voting machine itself.

Sounds to me like, by my own personal test of what makes a "good" voting machine, Diebold fails before they get past the first hurdle. Claiming that they can’t be held responsible because the boxes use other companies’ code that they can’t reveal simply should not hold water - and didn’t, thankfully, when it went to a court of law. If they want to sell a product, they should be willing to stand behind their product. If they can’t speak for third parties but they do want to sell a product that enables (or disables) something as important as voting, if they really want to be serious about being in that business at all, they should be willing to build the boxes from the ground up so that they can continue to stand behind their product.

Is there anything about that a company could seriously find unfair?  Hell, North Carolina’s law is considerably more generous to the sellers than I would be -  after all, they’re just requiring that the code be held in escrow for examination after any questions are raised.  Me, I’d want the code in my hands and positive assessments from as many impartial experts as I could round up before one of these was ever unveiled in a polling place.

Ah, but we all remember that Diebold is headed by a Republican fundraiser who, last year, swore he was "committed to delivering Ohio’s electoral votes to President Bush."  Now, that’s the sort of statement any enthusiastic volunteer or donor would say.  The problem is, it was said by a guy who makes fucking voting machines.  It’s a relatively young conspiracy theory, but it’s one with some meat on its bones:  the head of Diebold, Wally O’Dell, was on the list of "Pioneers & Rangers," ruggedly doughy white guys who promised to raise $100,000 or more for Bush’s reelection campaign last year.  So when Diebold balks that they can’t comply if they have to open their code to inspection in the case of "irregularities," then frankly I think our state benefits from having lost a vendor whose commitment to transparency and vote security is at best questionable and who is, in my not-at-all-humble opinion, irrationally fidgety around questions of accountability both political and technical.

The state has plenty of other choices.  Diebold makes it sound like we won’t have any voting machines at all if we ask them to accept responsibility for the ones they provide us - even after a Diebold machine’s malfunction was what threw the Secretary of Agriculture race into the courts last year - but that’s simply false.  What we won’t have is any of their machines screwing up a race with no way to determine whether elections using them were actually fair.  If you ask me, that’s not a loss, it’s a gain.

So, a dude in Florida has been charged with a felony for using someone else’s wireless network:

Police say Benjamin Smith III, 41, used his Acer brand laptop to hack into [emphasis mine - RMcMP] Dinon’s wireless Internet network. The April 20 arrest is
considered the first of its kind in Tampa Bay and among only a few so
far nationwide.

Don’t you just love that “hack into” up there?  Lordy.  Sensationalize much?

Now, lest you take me wrong, by no means am I endorsing driving around
suburban neighborhoods and making use of the Wi-Fi of a stranger. 
(What a great title for a trashy techno-romance:  The Wi-Fi of a Stranger.  Must remember it for the Plot Dare forum on NaNo this year.)  I decline to endorse it not because it’s some great evil, however.  Rather, I think it’s just kind of tacky.
It’s like letting your dog drop a huge steamer in your neighbor’s lawn
and failing to clean it up because it’s more convenient than walking
the dog your damn self. 

See, here’s the thing:  the concept of “stealing” Wi-Fi is not
unlike the concept of “stealing” air.  Am I stealing something
when I stand in my yard and breathe oxygen that might otherwise have
meandered across the invisible line that marks the border of my
neighbor’s property?  If I stand too close to that invisible line
and breathe for all I’m worth, am I taking something from them? 
The wireless signal that extends beyond those golden, holy boxes with
labels like Linksys and D-Link is effectively unlimited.  Yes,
there are constraints - LAN speeds and the bandwidth available via a
given means of accessing the interwebulons beyond that - but c’mon, who
is ever, and I mean ever, pushing 100 Mb/s across their
wireless LAN?  Seriously.  Get real,
people.  I don’t care how many substitute electronic cocks
someone’s got strapped to his geek belt and how many TiVos are on the
network and how many computers they have in the basement, the bottom
line is that it takes a whole lot of users before one more
makes the difference.  So get real with the metaphors and the
similes and the whatevers.  It is not theft, because it is
impossible to steal that of which there is an effectively infinite
supply.

This tweaks me so bad, first of all, because the “real” threat - and
it’s not much of one, frankly - is not the theft of a signal but its
pollution.  Second, it gives me an opportunity to point out
needless corporate greed draped in the cloak of self-righteous
indignation.

So, what’s the real threat?  The article (and the “victim”) get it
quite right:  that someone could use your network for activities
you don’t want carried out on your network:

The technology has made life easier for high-tech criminals because
it provides near anonymity. Each online connection generates an
Internet Protocol Address, a unique set of numbers that can be traced
back to a house or business.

That’s still the case with Wi-Fi but if a criminal taps into a
network, his actions would lead to the owner of that network. By the
time authorities show up to investigate, the hacker would be gone.

“Anything they do traces back to your house and chances are we’re going to knock on your door,” [Special Agent Bob] Breeden [head of the Florida Department of Law Enforcement's computer crime division] said.

That’s true.  If you have an unsecured wireless network, anybody
can use it to do anything they can do with any network, including
whatever bad things you can imagine.  The interwebs are a dark and
dangerous alley, kids, and every bum has a knife up his sleeve, etc.,
etc.  I mean, yes, the risk is there - if I were a child
pornographer, I could think of few safer(-ish) ways to get a fix than
by driving around the corner and sitting outside the home of the nice
old lady with the wireless network her granddaughter set up for her
last Christmas.  So yeah, that danger is there, I guess, but I’m
pretty sure it ranks right up there with being hit twice by lightning
while under a rain of frogs.

But you know what?  Were I a child pornographer I could also
simply sneak into your house and plant porno tapes in it.  I could
tuck them away at the backs of long-forgotten closets and you’d never
be the wiser.  If only there were a way to keep strangers from
entering your home.  Something - maybe something built into the
door - that could be used to make sure (within a reasonable margin of
failure) that only those who should have access to your home actually
enter it.  Something simple, preferably…. Gosh, I’m just not
sure I can think of anything.

Oh yeah, they’re called LOCKS and KEYS.  Even this article points that out:

For as worrisome as it seems, wireless mooching is easily preventable
by turning on encryption or requiring passwords. The problem, security
experts say, is many people do not take the time or are unsure how to
secure their wireless access from intruders. Dinon knew what to do.
“But I never did it because my neighbors are older.”

And whose fault is that, again?

What really bothers me about this whole thing, though, is the attitude
presented by at least one source for the article:  that even if
you do it with their permission you’ve still committed a crime:

“It’s no different if I went out and bought a Microsoft program and
started sharing it with everyone in my apartment. It’s theft,” said
Kena Lewis, spokeswoman for Bright House Networks in Orlando. “Just
because a crime may be undetectable doesn’t make it right.”

Um, actually, no it is not theft to borrow a neighbor’s network with permission.  That’s kind of what permission is.  The article is a bit murky as to whether they’ve asked her whether it’s wrong to use a neighbor’s connection without permission or whether it’s wrong to use a neighbor’s connection with permission, but it certainly seems, from context, that the situation she’s discussing is one of sharing a wireless connection with permission. 
No, sorry, survey says: XXX.  If I let my neighbor borrow my
wireless signal, it’s no different than letting him borrow the lawn mower.  If her point is that I paid for the right to use the cable modem and no one else
can do so, then I guess I’d better stop letting Bascha and Katastrophes
fire up their machines when they’re DM’ing over here for a night of
D&D, right?  I guess they’re not allowed to borrow my computer
to check their email, either.  And what are they doing in my chairs?  Did I get permission from my Chair Service Provider to let them sit their asses down?

Sorry, Ms. Lewis, but you don’t get to put me in a panic over the scary, scary war-drivers and tell
me what to do with my network in my own home.  Just fuck right
off.  It’s absurd to think that they can tell us what to do with
our own networks, but there you go.  They’re pissed at the idea
the neighbors might skip getting a cable modem altogether if they know
that whenever their grandkids are over to visit they can borrow my
signal, or that I might tell Mr. Saturday he should feel free to stop
by with a laptop whenever he’s out looking at houses in my
neighborhood.  That’s just plain fucked up.

Ultimately, that’s really what gets my goat.  This jackass who
thought it would be smart to set up shop in front of someone else’s
house and use his wireless signal is just that:  a jackass. 
That’s tacky.  That’s just so lame.  This is 2005, buddy, get
a coffeeshop.  I mean, puh-leze.  But to arrest him on felony
charges is equally absurd, and to turn it into an opportunity for some
mouthpiece for an ISP to claim that borrowing a neighbor’s network with
their permission is outright theft borders on the insane.

OK, I’m done now.  It just really put a burr under my saddle.

So, last night I’m driving home from the awesome Tarot class I’m in, and I’m listening to Future Tense
on NPR.  One of their segments is an interview with Kevin Mitnick
- you know, the guy who ended up in prison after a dick-waving
incident.  Not cool, despite his Mumia-like status by the time it
was all over. 

Anyway, Mitnick is being interviewed about his own computer getting jacked recently.  Apparently aerosmith.com
- yes, that Aerosmith, the band - had been compromised, and Mitnick
went there while it was compromised in order to check their concert
schedule.  A few minutes later his computer starts “acting funny,”
and he realizes an executable has been dropped onto his machine and he
has been, as the kids like to call it, pwned.  Then he remembers,
oh yes, he turned off his firewall while doing some testing on his home
network, and he forgot to turn it back on before getting back
online.  And now he’s hosed.  Whoops.  So he has to
reinstall his OS and all its patches.

Turns out the OS is Windows.  Turns out the browser he was using,
with a known vulnerability - how his machine was jacked by
aerosmith.com in the first place - was Internet Explorer.

The Boyf was
behind me on the drive home, listening to the same show.  We get
back to our abode and he says, “Were you listening to NPR?”  I say
that yes, I was, and he says, “Oh, so that was you I could hear laughing all the way home.”

Hee!

And in other geek news, UC-San Diego is going to run a study/experiment in which they attempt to track the spread of computer virii
using the same methods used to track the spread of human
epidemics.  Their stated goal is to develop a model for a
self-defending network that fights off attacks in the same way as the
human body.

I’m going to go out on a limb here and say, Duh.  We haven’t been calling them virii for years for no reason.

Snarkiness aside, very cool.  I won’t bore you with my opinions on
the technical side of things, but suffice to say, I think the day will
come when we have to have automated defenses - more automated than we
currently have, anyway - because human defenders already fail to notice
almost everything that happens.  Computer security is not a field
in which intrusions and attacks are prevented or eradicated, it’s an
industry in which, at best, risk is managed and responses are made more efficient, not obsolete.

The subject says it all.  Recent logs indicate I’ve got someone
reading from Portland (hello to you) and someone in or around Chicago
(hello to you), someone in Philadelphia (hello to you) and someone in
Taiwan (what the fuck?, unless it’s Casey, in which case I’m waving to you
right now, as I type this, because I’m that talented).

The most interesting new visitor I’ve noted, though, is someone or something at Cyveillance,
an “Online Risk Monitoring & Management Service.”  I haven’t
been able to suss out exactly what it is they do, other than apparently
provide a very comprehensive, very private search engine that covers
more than just websites, and provide information to their clients
regarding a broad swath of potential risks inherent to the
Internet.  I’m quite accustomed to seeing search engines plow
through on occasion, but given I’ve had more than one visit from a
Cyveillance IP address, and given at least one visit from a client
coming through on what I imagine may be an anonymizer/proxy, I’m
intrigued.  Given that they’re also located in Arlington, VA, I
figure it’s probably best to go ahead and nod.  I’ll not be so
gauche as to ask if you’re hiring remote employees, and I’ll not be so
freakishly paranoid as to also file this post under “conspiracy
theories,” though that category is right there, looking at me, arms
crossed over its chest and its eyebrows raised a little as if to say,
“Oh?  You aren’t?”

At any rate, welcome to all.  As always, I am reachable from the
mailto: link constituted by my name at the bottom of every post. 
If you’ve got any, you know, questions for me, email away.

Securityfocus.com is running another top-notch story - this one about the CEO of a web-based satellite TV equipment retailer
hiring out the buddy who ran his webhosting to launch distributed
denial-of-service attacks against the competition.  What I find
funniest about the whole deal is how quickly corporate it became, as
the CEO first hired one gun to take care of it, who then hired other
guns, one of whom in turn further sub-sub-contracted out the work to
another guy entirely.  Eventually, the CEO bought the webhosting
company outright so that everyone allegedly worked for him on paper as
well as in spirit - and there you have it, corporate culture overtakes
an electronic crime and the whole thing falls apart.  Imagine Lumbergh from “Office Space” asking for a report on that DDoS attack, and you’ve got exactly what the atmosphere must have been like.

From the CEO’s “welcome message” page linked above, I take the following true - almost visionary - statement:

Technology is changing rapidly. Even as you read this message, breakthroughs are being
made every day that will make life easier for us all.

Securityfocus.com has a great column
up by a security consultant and former Air Force officer discussing the
ease with which one’s personal data gets released into commercial fora,
and the exploited but largely unknown value of personal data, both to
businesses and governments.  His analysis is of a pretty everyday
example:  a Virginian renting a car from Hertz and using an AmEx
card to do it.  We’re all pretty savvy folks, but I for one had no
idea how valuable personal data could be, in a very tangible way, to
someone like, say, the DMV.  It’s a good illustration of how
little we really know about how much others know about us.

He very importantly makes clear that it’s not about conspiracies to
manipulate us by our information - it’s about who’s going to get rich
(or merely fair compensation) off that information: the people who buy
& sell the information, or the subjects of that information.

I think I’m most intrigued by his comparison of the transition to the
Information Age with the transitions to the Agrarian or Industrial
ages:  things change, new things become valuable, and someone is going to make a truckload of money in the process - probably running over several other someones in the process.
