Domain: computerworld.com
Stories and comments across the archive that link to computerworld.com.
Stories · 2,621
-
Vista Not Playing Nice With FPS Games
PetManimal writes "Computerworld is reporting that gamers who have installed Vista are reporting problems with first-person shooter titles such as CounterStrike, Half-Life 2, Doom 3, and F.E.A.R. (Users have compiled lists of games with Vista issues.) The complaints, which have turned up on gamers' forums, cite crashes and low frame rates. Not surprisingly, the problems relate to graphics hardware and software: 'Experts blame still-flaky software drivers, Vista's complexity, and a dearth of new video cards optimized for Vista's new rendering technology, DirectX 10. That's despite promises from Microsoft that Vista is backwards-compatible with XP's graphic engine, DirectX 9, and that it will support existing games. Meanwhile, games written to take advantage of DirectX 10 have been slow to emerge. And one Nvidia executive predicts that gamers may not routinely see games optimized for DirectX 10 until mid-2008.'" -
Spotlight Improvements In Leopard
Mac OS X 10.5 Leopard is set to feature several new enhancements to Spotlight, Apple's desktop search, and ComputerWorld outlines them. The improvements include searching across multiple networked Macs, parental search snooping, server Spotlight indexing, boolean search, better application launching (sorely needed), and quick-look previews. -
Cisco to Open Source CTA
VE3OGG writes "Cisco, the networking Goliath, has decided to release the source code of its NAC (network admission control) client, Cisco Trust Agent (CTA) to the open source community within 'a few months.' This comes hot on the heels of Cisco announcing its plans to redevelop a new breed of network security infrastructure. 'CTA will be something that's open source. That's just logically where it should end up,' Gleichauf told InfoWorld. 'We don't want to be in the CTA business, so we're going to just open it up.'" -
Windows Expert Jumps Ship
An anonymous reader writes to let us know that Scott Finnie, Computerworld's Windows expert, has given the final verdict to Windows after 3 months of using a Mac. And the verdict is: "Sayonara." Finnie is known to readers here for his many reviews of Vista as it progressed to release. Quoting: "If you give the Mac three months, as I did, you won't go back either. The hardest part is paying for it — everything after that gets easier and easier. Perhaps fittingly, it took me the full three-month trial period to pay off my expensive MacBook Pro. But the darn thing is worth every penny." -
Open XML Translator for Microsoft Word Available
narramissic writes "The first phase of a Microsoft-funded project to create software that can convert Microsoft Word documents between Open XML and Open Document Format (ODF) has been completed. As a result, the Open XML Translator is now available for download in version 1.0 from SourceForge.net. A ComputerWorld article details the history of the project, discussing the work of companies like CleverAge and AztecSoft, as well as community efforts to bring this project to realization." -
Vista Indicates A Shift in Microsoft's Priorities
jcatcw writes "After hundreds of hours of testing Vista, Scot Finnie is supremely tired of it. And of Microsoft. Although 80% of the changes in Windows Vista are positive, there is nothing about Vista that is truly innovative or compelling; there's no transformational, gotta-have-it feature in Vista. But the real problem isn't with Vista. It's with Microsoft itself. His opinion is that Microsoft has stopped focusing on end users. They 'now seemingly make many decisions based on these two things: 1. Avoiding negative publicity (especially about security and software quality) 2. Making sure the largest enterprise customers are happy.'" -
"Free Wi-Fi" Scam In the Wild
DeadlyBattleRobot writes in with a story from Computerworld about a rather simple scam that has been observed in the wild in several US airports. Bad guys set up a computer-to-computer (ad hoc) network and name it "Free Wi-Fi." You join it and, if you have file sharing enabled, your computer becomes a zombie. The perp has set up Internet sharing so you actually get the connectivity you expected, and you are none the wiser. Of course no one reading this would fall for such an elementary con. The article gives detailed instructions on how to make sure your computer doesn't connect automatically to any offered network, and how to tell if an access point is really an ad hoc network (it's harder on Vista). -
Why Don't More CIOs Become CEO?
jcatcw writes "Thornton May is mystified by the very small number of Fortune 500 companies that are led by former CIOs. 'Knowing what we know about CIOs — that is, that most are smart, hardworking, supremely aware of how the business works and increasingly savvy regarding the workings of external customers' minds — the failure of more CIOs to become CEO has to be one of the biggest mysteries of our age.'" -
A Peek Inside DARPA's Current Projects
dthomas731 writes to tell us that Computerworld has a brief article on some of DARPA's current projects. From the article: "Later in the program, Holland says, PAL will be able to 'automatically watch a conversation between two people and, using natural-language processing, figure out what are the tasks they agreed upon.' At that point, perhaps DARPA's PAL could be renamed HAL, for Hearing Assistant That Learns. The original HAL, in the film 2001: A Space Odyssey, tells the astronauts how it knows they're plotting to disconnect it: 'Dave, although you took thorough precautions in the pod against my hearing you, I could see your lips move.'" -
Microsoft Launches Comical Effort to Fight Piracy
theodp writes "A week before the release of Vista, Microsoft is expanding its fight against software piracy with a new educational effort that includes comics. Making its U.S. debut Monday, the Genuine Fact Files campaign aims to make Microsoft's message more accessible to a broader audience. BTW, Vista's Software Protection Platform (SPP) can put unvalidated copies of the software into a reduced-functionality mode. From the article: 'Microsoft plans to draw attention to it through banner ads on its Web sites and promotional material that it will hand out through partners. By using comics, the company aims to make the message more accessible to a broader audience. They are black and white, in a style similar to newspaper comics.'" -
Why the iPhone Keynote Was A Mistake
jcatcw writes "Mike Elgan at Computerworld lists six reasons why it was a mistake to make the iPhone keynote at Macworld. He argues that extremely high expectations can only lead to disappointment for consumers and investors. The focus on the phone during the keynote also took away from the Apple TV announcement, put iPod sales at risk, gave competitors a head start, and (perhaps worst of all) ruined the company's talks with Cisco over the iPhone name. From the article: 'The iPhone, despite its many media-oriented virtues and its sweet design, will do far less than most existing smart phones. The problem Apple now faces because of Jobs' premature detail-oriented announcement is that of dashed expectations. When customers expect more and don't get it, they become dissatisfied.'" -
Investigating Online Office Suites
jcatcw writes "Computerworld reviewed four online office suites — Ajax13, Google Docs & Spreadsheets, ThinkFree Online and Zoho Office Suite. None has all the applications and features of Microsoft Office, but if you're looking for the core office applications in an access-anywhere format, at least two were surprisingly sophisticated. The article weighs the ability to save files to a centralized server quite heavily in its ranking. The winner is ThinkFree Office because it provides the most sophisticated features and has the best Microsoft Office compatibility. Zoho's suite is the second choice." -
Printers Vulnerable To Security Threats
jcatcw writes "Networked printers are more vulnerable to attack than many organizations realize. Symantec has logged vulnerabilities in five brands of network printers. Printers outside firewalls, for ease of remote printing, may also be open to easy remote code execution. They can be possible launching pads for attacks on the rest of the network. Disabling services that aren't needed and keeping up with patches are first steps to securing them." From the article: "Security experts say that printers are loaded with more complex applications than ever, running every vulnerable service imaginable, with little or no risk management or oversight.... [N]etworked printers need to be treated like servers or workstations for security purposes — not like dumb peripherals." -
Slashback: Net Neutrality, Bugged Coins, and Pawns
Slashback tonight brings some clarifications and updates to previous Slashdot stories, including: anti-Net-neutrality article modified; no bugged Canadian coins; a tech program for women in Silicon Valley; Pirate Bay and Sealand; and Microsoft evangelist apologizes for "pawns" comment. Read on for details.
Network neutrality. MobyDisk writes, "Network Performance Daily retracted last week's interview with Professor Christopher Yoo from Vanderbilt University Law School on his opposition to net-neutrality policies. The new article is a clearer, more subdued interview. The editor, Brian Boyko, says he never received Mr. Yoo's corrections to the article before press time. From the apology: 'The article had done him a disservice and we resolved to repair any inaccuracy or anything that would be unfair to his words or image.'"
Bugged Canadian coins. Lars T. writes in a journal article, "A recent Slashdot story asked: Bugged Canadian Coins?. Now The Globe and Mail has an update on the story — or rather the non-story. '[A] U.S. agency that investigated the complaint found no evidence of any secret transmitters, or of any other tampering. It's not clear why this information failed to find its way into the released U.S. Defense Security Service report.' So you can all pack in your tin-foil hats — at least that's what they want you to believe."
Engineering gender gap. Ellen Spertus writes, "Regarding the recent article The Hidden Engineering Gender Gap: Mills College has a post-baccalaureate program in computer science, which was recently written up in the San Francisco Bay Guardian. The program is co-ed, although the majority of students are female. Graduates of the program have successfully gone on to CS PhD programs and industry jobs."
Pirate Bay and Sealand. Kawahee writes, "Coming off previous coverage here of The Pirate Bay's intentions to purchase Sealand after it was put up for sale, The Pirate Bay has revealed on its website www.buysealand.com that it has entered into negotiations with Sealand. From the post: 'The Government of Sealand has initiated negotiation. Tomorrow, the ACFI and Government of Sealand will sit down in the SMTP chambers of the Internets to discuss the future of the micronation. We welcome the request and hopefully we can settle on a price. But knowing how hard non-kopimistic people can be to negotiate with, we will go with Plan B if they're not willing to meet our demands, press officer of ACFI says.' BuySealand.com is also now sporting a donation meter, and as of the 15th of January it stood at USD $13,714."
MS evangelist apologizes for "pawns" comment. gogat0rs writes "Former Microsoft Tech Evangelist James Plamondon, who made headlines this week when a 1996 speech he gave became public during a Microsoft antitrust trial in Iowa, has apologized to the Microsoft developer community for using a metaphor that described key industry influencers and developers as 'pawns.' Plamondon wrote that calling developers pawns was both offensive and inaccurate. He goes on to say, 'It mischaracterizes the mutually supportive relationship that must exist between a platform vendor and its platform's early adopters, such as that which Microsoft and independent software developers created in the 1990s. I regret having used the "pawns" metaphor; I apologize for any misplaced ill will it may have caused towards Microsoft; and I won't use it in [the] future.' Since the apology was issued, the full text of the Plamondon speech has been released as a public document on a Comes v. Microsoft website, along with 80 other exhibits."
-
Developers As Pawns and One-Night Stands
jcatcw writes "At the Comes vs. Microsoft antitrust case, last Friday's testimony included evidence that James Plamondon, a Microsoft technical evangelist, in a 1996 speech referred to independent software developers as 'pawns' and compared wooing them to trying to win over a one-night stand. Last week's proceedings also included testimony by Ronald Alepin, a former CTO at Fujitsu Software Corp. and currently an adviser to the law firm Morrison Foerster LLP. He said that Lotus 1-2-3 was killed, in part, by Microsoft encouraging Lotus's programmers to use the Windows API even though Microsoft's own developers found it too complicated to use." The plaintiffs have created a site that includes transcripts of testimony presented in the case. -
Technology Vs. E.coli Outbreaks
jcatcw writes "The Centers for Disease Control and Prevention (CDC) found the patterns of illness in both of the recent E. coli outbreaks — packaged spinach and Taco Bell — using PulseNet, which uses a customized version of BioNumerics to conduct comparisons and analysis of samples in a SQL Server database. PulseNet holds the DNA fingerprints provided by pulsed field gel electrophoresis (PFGE). It operates at a national level and can link small, localized cases in a nationwide pattern. 'We can now see the connections you would not have seen before, which has revolutionized the world of food safety,' according to John Besser, clinical laboratory manager at the Minnesota Department of Health and a member of the Association of Public Health Laboratories." -
Copyright Holders Sign China Piracy Agreement
eldavojohn writes "On Friday, a whole bunch of associations signed an agreement with China to combat internet piracy. From the article, 'China's National Copyright Administration said the country would investigate and punish those suspected of online intellectual property abuses by the movie association as well as other groups such as the Association of American Publishers.' From another article, I found that not only was it the MPA but also the Business Software Alliance (BSA), Association of American Publishers (AAP) and The Publishers Association (TPA) of the U.K." -
100 Million Victims of Data Theft
jcatcw writes "With the latest significant data breach — theft of a Boeing laptop with unencrypted personal information on 382,000 employees — the Privacy Rights Clearinghouse estimates that the total number of data breach victims has passed 100 million since they started tracking in February 2005. The director, Beth Givens, admits 'the number 100 million is largely a fictional number,' but it surely errs on the low side. Since California is still the only state with disclosure laws, incidents are difficult to analyze fully. However, Congress this week passed a bill requiring that the Department of Veterans Affairs report breaches." -
15 Things Apple Should Change in Mac OS X
richi writes "Two of Computerworld's top operating systems editors, a Mac expert and a Windows expert, compare notes on what Apple should reconsider as it develops Mac OS X 10.5 Leopard. Mac OS X 10.4, or Tiger, is (in their opinion) a noticeably better operating system than XP or Vista. But it is not perfect. OS X has its own quirks and flaws, and they set out to nail down some of the 'proud nails' for the next release." From the article: "7. Inconsistent User Interface. Open iTunes, Safari and Mail. All three of these programs are Apple's own, and they're among the ones most likely to be used by Mac OS X users. So why do all three of them look different? Safari, like several other Apple-made apps such as the Finder and Address Book, uses a brushed-metal look. iTunes sports a flat gun-metal gray scheme and flat non-shiny scroll bars. Mail is somewhere in between: no brushed metal, lots of gun-metal gray, and the traditional shiny blue scroll bars. Apple is supposed to be the king of good UI, and in many areas, it is. But three widely used apps from the same company with a different look? Sometimes consistency isn't the hobgoblin of little minds." -
How Microsoft Fights Off 100,000 Attacks A Month
El Lobo writes to mention a ComputerWorld article about Microsoft's battles with the Hackers of the world. The software giant fights off more than 100,000 attacks every month, protecting their data-heavy internal network from the paws of your average script kiddie. The article discusses Microsoft's 'defense in depth' strategy, and discusses just some of the layers in that barrier. From the article: "The first layer of protection for the Microsoft VPN is two-factor authentication. After an infamous incident in the fall of 2000, Microsoft installed a certificate-based Public Key Infrastructure and rolled out smart cards to all employees and contractors with remote access to the network and individuals with elevated access accounts such as domain administrators. Two-factor authentication requires that you have something physical, in this case the smart card, and also know something, in this case a password." -
Microsoft's Lobbying In Massachusetts
Andy Updegrove writes "Carol Sliwa at ComputerWorld has posted two excellent stories just now on ODF in Massachusetts, based on over 300 emails secured under the Massachusetts Public Records Law (the local analogue of the Federal Freedom of Information Act). The longer and more intriguing article focuses on Microsoft's lobbying efforts in Massachusetts, and confirms, as I reported last week, that Microsoft lobbyist Brian Burke was spearheading an effort to bring pressure on the state's Information Technology Division (ITD) by promoting an amendment that would have taken away much of the ITD's power to make technology policy. The article goes on to describe the back-channel negotiations between State CIO Louis Gutierrez and Microsoft's Alan Yates, and the way that Microsoft played the lobbying card throughout those discussions in an effort to protect its wildly profitable Office software franchise against potential erosion by competing products that support ODF." Andy has a blog entry on the lobbying effort. -
Novell CEO Gives Behind the Scenes Account of Microsoft Deal
raffe writes "Here is a Q&A with Ron Hovsepian CEO of Novell. He describes 'a love-hate thing' between the two companies." From the article: "This past May, I picked up the phone and called Kevin Turner, the COO at Microsoft. I knew Kevin when he was the CIO at Wal-Mart. I said, "Kevin, I'd like to have a conversation about what the customer needs. If you could put back on your old hat as a customer, if I came in and started talking to you about virtualization on Linux, and this Microsoft guy showed up and started talking to you about virtualization on Windows, what would you say to us?"" -
Oracle Has More Flaws Than SQL Server
jcatcw writes, "Next Generation Security Software Ltd. of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59. The products compared were Oracle 8, 9, and 10g; SQL Server 7, 2000 and 2005. From the article: '[The head of the survey said,] "The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved."' Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration — including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'" -
Can a Manager Be a Techie and Survive?
theodp writes "Some say that good managers should not be technical at all. Over at Computerworld, 'C.J. Kelly' takes a contrarian position, arguing that managers should keep their hands on the technology. The ability to tell the difference between fiction and reality, says Kelly, is priceless." From the article: "If you don't know the difference between fiction and reality, you've got a problem. By being technically informed while managing people and projects, no one can blow smoke up my skirt. I can tell the difference between a lame excuse for a delay and a legitimate reason why something can't be done." Where do you fall on this issue? Is it nice to be able to flim-flam the boss once in a while? Or is the valuable input of a boss with a technical background worth the occasional all-nighter? -
Microsoft Taking Heat For Patent Stance
Yesterday Novell released a statement disavowing Steve Ballmer's claim that Linux infringes Microsoft's IP. Linux-watch.com reports that Microsoft quickly responded with a statement of its own that softened, but did not entirely back away from, Ballmer's claim (but the article offers no link to such a statement). xtaski writes, "Everyone took notice when Ballmer spewed forth FUD about Microsoft and Linux IP. Now CIOs are asking just what did Ballmer think he was doing? They are not fooled — but rather, a little angry. ComputerWorld covers the news including one CIO who says 'There were some applications I had been thinking about moving to a Microsoft platform, but this has now totally alienated me from Microsoft.'" And an anonymous reader points us to the statement by the Open Invention Network — whose investors include IBM, Novell, Sony, Red Hat, Philips and NEC — on the Microsoft-Novell agreement. From the statement: "OIN continues to support the Linux community's ability to collaborate and innovate. Through the accumulation of patents that may be used to shield the Linux environment, including users of Linux software, OIN has obviated the need for offers of protection from others." -
Hugh Thompson Answers Voting Machine Security Questions
You posted your questions for Herbert H. Thompson, PhD, on November 3rd and 4th. He decided to wait to answer until after the election in case there was a flagrant voting machine problem he could include in his answers -- and there has been at least one, but it is probably not a "security" problem per se, and is a long way from being resolved in any case. So here we go. Good food for thought here.
1) paper trail?
by ummit
This is a really basic question and it seems I should know an answer, but it never seems to be discussed: Why are the electronic voting machine companies generally so dead-set against emitting verifiable and auditable paper records? It can't just be cost, because they could and would just pass that on to their customers.
Hugh: In some states the debate has already been settled in that there is legislation in place requiring a voter-verified paper trail. Verifiedvoting.org has a good tracker of this here.
There are a few points often cited by groups resistant to a voter-verified paper trail. A first argument is that printers can fail. In touch-screen (Direct Record Electronic, or DRE) machines, printers are often the only components with moving parts (although some systems do have hard drives), which increases the risk of mechanical failure. Printers also bring issues like running out of paper, jams, misprints, etc. Another reason (cited less frequently) is the cost of paper/printing, but as you pointed out, this is a cost that can be passed on to counties.
Some election officials have also made the argument that they've already bought machines that don't have a paper trail and retrofitting existing machines would be costly and painful. I've also heard the argument that having a paper receipt doesn't matter because in most cases they won't be referenced.
I don't think that the sum of these arguments against a paper trail comes anywhere near countering the necessity of having some sort of redundant recording mechanism. A critical system should always fail over securely, and a voter-verified paper trail, if implemented properly, can meet that need for DRE machines.
2) Re:paper trail?
by Thansal
Sort of a follow up, how do the states/districts decide what machine to go with? Is it a standard "go with the lowest bidder", is this why we see such shoddy machines going into action? Do the decision making organizations tend to have specific features they look for? Anything else you would like to share about the decision making processes that you have seen?
Hugh: There are a couple of key things to keep in mind. First, there are only a few main machine suppliers. Second, the Help America Vote Act (see http://www.fec.gov/hava/law_ext.txt) provided a ton of money to invest in electronic voting machines within a short (debatably unrealistic) timeframe. Given these two factors, the sales that I've seen have boiled down to readily visible machine elements like purchase price, how many other places have used the machines successfully, deployment cost, maintainability, ongoing service/maintenance cost, personal relationships, etc.
Generally, buyers of this technology aren't factoring in security: the machines pass certification lab tests but the testing doesn't cover security well (or at all). The National Institute of Standards (NIST) is working on certification procedures to address this very problem and the hope is that security will factor prominently into buying decisions made in the future. Hopefully existing machines will be retrofitted to meet those new standards too.
3) Largest Inherent Flaw?
by eldavojohn
In your opinion, what is the largest inherent flaw within electronic voting systems today? Diebold's been in the news for having many potential problems ranging from securing the physical hardware to the ability to hack the software or firmware. I'm sure you're quite prepared to pose a case against implementations but can you think of a more intuitive scheme (encryption, network layout, verification scheme) to protect against "hacking our democracy?"
Hugh: The biggest problem with e-voting isn't technical; it's procedural. Ignoring the perennial social voting issues (voter suppression, dead people voting, etc.) there's no real guidance given to elections administrators on how to safely and effectively use electronic voting equipment. If one has no idea what a memory card is, why would you bother trying to secure it?
One glaring example of bad procedure is 'sleepovers', a practice where voting machines are sent home with poll workers before an election to make the process of transporting them to polling places on election day easier (see http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002204 for some info on this). If one were dealing with a box to hold ballots, 'sleepovers' wouldn't be a problem because the morning of the election a group of poll workers could inspect the box and verify that it was empty (including the old false bottom trick; see 'Stuffer's ballot box' at http://americanhistory.si.edu/vote/paperballots.html). If election officials knew the risks of tampering with some of these electronic voting machines (just search Slashdot for 'e-voting' for examples) then a voting machine sleepover suddenly seems like a pretty bad idea.
Right now we're at a point where election supervisors and poll workers are given a technology that they don't understand with little or no guidance on how to use that technology safely and securely. That's a recipe for serious risk, for voting or anything else.
4) Here is my question...
by Noryungi
Let's assume for a moment the 2006 US House/Senate election goes this way: Republicans keep control of both through a series of smallish victories, Democrats gain a few seats, and the results are explained away in the mainstream media as "fluke results", "margin of error", etc...
How do you prove that foul play (hacking) has been involved?
Do you even have a plan in place to check the results?
Please note that this is a very serious question. There was a saying, a few years back, that said a novice hacker is someone known in a small circle, a confirmed hacker is someone who is known all over the Internet, and a great hacker is someone who is totally invisible.
What if the election was subtly hacked, in a way that left lingering doubts (51%-vs-48% kind of results and all that), but no solid proof?
Hugh: First, it's important to define e-voting security as a technology issue and not a partisan politics issue; what we've seen so far has been bad software and bad procedures to administer that software. Given the types of vulnerabilities that have been found, proving (and sometimes even detecting) foul play can be very difficult if the malicious person is skilled and the effect is minor (meaning a small percentage of the actual votes cast). For the types of vulnerabilities uncovered in some of the touch screens, optical scan readers, and backend tabulation systems, exploits can be written for some of them that are 'self-erasing.' This means that the last executed bits of code can change things so that it looks like the original, which could make slight tampering difficult to detect or prove in purely electronic systems. I think this argument speaks to the need for a voter-verified paper receipt so that there will be at least a good answer to the recount question.
5) OSS?
by Xzzy
Does the HBO show spend any time discussing the three "sides" to the debate? E-Voting, open sourced e-voting software, and paper voting? The last Slashdot article on this topic, when Diebold's complaint was announced, spent some time on this. The worry being, the debate is nothing more than "e-voting good" or "e-voting bad", ignoring the possibility that "open source e-voting" might be a viable middle ground.
How do you think open source could fit into this issue? Or should it?
Hugh: When it comes to voting, I'm not sure if it's a matter of open vs. closed source but instead a matter of standards and inspection by people who understand security. I'd be a fan of any solution, open or closed source, that allows trusted, knowledgeable, and independent software and hardware security practitioners the ability to inspect the systems and the code that runs them.
For example, I believe that there should be some sort of standards organization that is chartered with inspecting the system AND has proven security expertise to act as a representative of the people. For airplanes we put faith in FAA and airline carrier safety and security inspections. This kind of process has worked pretty well for a long time for machines that we place our trust in like airplanes, elevators, etc. but we're still a long way away from it in voting unfortunately. If the voting systems were open source, this may come automatically as a function of the 'citizen inspector' and might get us to where things should be faster but I think it's still possible in a closed-source environment.
6) Pen-and-paper voting
by NetDanzr
What, exactly, is the argument against pen-and-paper voting? It seems to me that everybody wants to migrate to voting machines - electronic or mechanical - but so far nobody has explained to me what's wrong with good old-fashioned "put an X next to your candidate's name" voting.
Hugh: There are some pretty interesting (and legitimate) drivers behind e-voting and I'll go through the biggest.
The first is a push for disabled voters to be able to cast their ballot using the same mechanism as able-bodied voters in a non-assisted way. Many states have mandated that machines must be able to service blind and illiterate voters and section 301 of the Help America Vote Act (HAVA) requires that such facilities at least be available (see HAVA section 301 from http://www.fec.gov/hava/law_ext.txt). Most touch screen machines do this through audio output to a headphone jack.
Another driver is the desire to capture voter intent unambiguously. Every year thousands of votes aren't counted because there's some ambiguity in how the voter intended to vote. In pen and paper voting, someone can put Xs (or shaded-in ovals) next to two candidate names instead of one or make a stray mark on a paper ballot which may lead to some late night debates involving lawyers and magnifying glasses. One of the hopes for e-voting was to drastically reduce voter intent ambiguity by guaranteeing that someone couldn't vote for multiple candidates in the same race simultaneously.
Efficiency (theoretically) has been another driver, more so in counting than in the actual voting process itself.
The sum of these present a good case to at least rethink pen-and-paper as the answer but, as with any new system, care has to be taken that the solution fixes more problems than it creates.
7) Why is it so hard?
by gorbachev
As a software engineer I'm constantly amazed at how incompetent Diebold and other companies making e-voting applications appear to be. This stuff is not rocket science at all, but fairly uncomplicated, basic software engineering.
Why do you think it's so hard for Diebold and other companies to come up with solutions that work well? Is it a stubborn unwillingness to listen and learn from critics, sheer incompetence, or something else?
Hugh: We've certainly seen some pretty glaring security problems in voting machines that span touch screens, tabulators, and optical scan devices. We've really seen problems across vendors too. The biggest problem I think is that there's no real economic driver to make the systems more secure. The people that buy voting machines typically haven't discriminated based on the security quality of the machines because they have no visibility into it. It's like buying a car without something like Consumer Reports crash test ratings. Unless someone actually starts looking at machine security and comparing it then we're left to making buying decisions based on qualities we can see like purchase price, market share, and whatever unsubstantiated thing the vendor wants to tell us about features and quality. Even given some of the vulnerabilities that have been found, and supposedly fixed, we're still no better off. If you determine that company X has vulnerability Y in one of their voting systems who's to say if the competition's voting system is any better or worse? We are at the point now where we know the systems that have been looked at are sub-par with respect to security and hopefully that's enough to spur consumers (counties that buy the machines) to start asking some tough questions to vendors about security and get us to a place where they can factor security quality into their buying decisions.
8) On Open vs. Closed Networks
by the-banker
It has always seemed to me that the real Achilles heel of e-voting is the networked approach that most vendors have taken. With a networked approach, fraud can be perpetrated on a mass scale if entry is gained at one weakness.
As a former election judge, I have enough experience to know that rigging a paper election is a daunting, nearly impossible task, as there are literally thousands of ballot boxes that would have to be compromised for any sort of advantage (on a state or national scale).
Are these concerns balanced (or even discussed) when officials are purchasing equipment? Do local Board of Elections have not only the expertise, but the concern to ask the right questions? And how do BoE directors react when they hear about your concerns and research?
Hugh: I agree that networking machines together is a serious risk certainly from a scale-of-attack perspective and unfortunately some counties continue to modem in results from polling places using procedures that are insecure.
I think the bigger issue is visibility and awareness; election officials just aren't given procedural guidance on how to administer the systems securely. The result is risk and I think many of these risks aren't weighed with the proper magnitude by election officials because it's unfamiliar territory. I think that most Board of Elections officials are good people who want to do the right thing but just don't know what questions to ask vendors about security and don't know how to interpret their answers. This isn't just a problem in voting, it's a problem with software security in general and I think it's important that if you're investing heavily in a software-based solution that you ask hard questions about security. I think a good starter set of questions to throw at software vendors (voting or otherwise) is:
- What process improvements have you made as a result of vulnerabilities reported in your software?
- What is your patch release (or update) strategy?
- Have you had an external (and reputable) security auditing or penetration testing firm evaluate your system? Can we see a summary of their report?
- Can we have our own security auditing firm evaluate your system?
- Do you have a dedicated team to assess and respond to security vulnerability reports in your products?
- What is your vulnerability response process?
- What training do your development and testing groups receive on security?
- What percentage of your test team is focused on security?
- What are the terms and period of your security support agreement?
- Do you offer security training, documentation or guidance to people that will be operating your system?
9) The greatest threat to e-voting?
by sharkb8
Do you think the greatest threat of an e-voting system being hijacked is during the voting itself, with one or more people influencing things at the polling place, during the processing, with untrained, nonaccountable poll workers and supervisors, or do you think a greater threat would be someone maliciously attacking an electronic vote counting repository/database?
Hugh: In terms of attack, the greatest risk is still probably a people risk; and that has existed for a long time. The concern with e-voting is that some of the vulnerabilities found make it so that the number of folks that would have to be involved to tamper with results is fewer than before and that their efforts may scale. From that perspective I think there's risk at each stage of the process from how voter registration databases are stored and secured, to how they are cast on election day, to when they get aggregated at the central tabulator. The 'riskiest' piece of the process actually varies from state to state and county to county based on the procedures they have around security. In some places the biggest threat may exist in registration databases that are stored on unprotected servers. In other counties risk may come from poll workers that election officials know very little about who are allowed to take voting machines home the night before elections to make the setup process easier the next day. In others, the biggest risk might lay in the central tabulator which is housed in an unlocked room, where many people enter and exit throughout the day.
Many of these risks could be reduced by poll worker training and procedural change on how machines are operated and secured.
10) Is the Harm Really that Great?
by logicnazi
I am saddened and dismayed by the poor engineering and ignorance of basic security practices that our electronic voting machines show. However, is this really something we should panic about or even the biggest problem in our election system?
All voting systems are vulnerable to fraud. What makes these electronic systems different is that one or a very small number of individuals can engineer a fraud. However, their ability to execute a fraud is limited by the media polls (we will suspect something if the results are inexplicably different than polled) and knowledge of precinct history. Thus the danger from individuals changing the vote seems to really be that they will shift a close race (say 10% apart) one way or another.
However, this sort of shifting close races doesn't greatly degrade the structural force of voting. All candidates will still try to enact policies to garner support whether they need 50% of the votes or only 45%. Much of voting is random, affected by things like personal charisma rather than policy questions so clearly the system doesn't work because we always have the person who 50% want but rather it works because of the structural pressure not to stray too far from what the people want. Or to put it in political science terms, what does all the work is the tendency of all candidates to shift to the middle so in the long run who actually wins each race isn't so important.
But now comparing the potential for electronic vote fraud to things like machine politics (with conventional ballot stuffing), safe districts, voter disenfranchisement efforts, felon lists etc.. etc.. it doesn't seem like it is such a big deal. Making sure the polling places in the inner city don't have enough machines has a much bigger structural effect, by making sure one group's votes don't count at all, than just giving one candidate a random 10% of the vote. Creating a safe district removes virtually all of the structural pressure of voters on government and it seems far more effective and less dangerous to accidentally strike the wrong people from the rolls or put too few voting machines in some precincts.
In short are we letting our concern over the technology of voting blind us to the bigger issues? Shouldn't we be paying more attention to who gets to vote, how districts are drawn and other conventional aspects of voting than to the potential for individuals to electronically cheat?
Hugh: I think that the flaws we've seen with electronic voting are only a piece of the problem and that the largest issues we have in voting are people ones. The technical flaws, though, may amplify some of the classic people threats. As you pointed out, some of the vulnerabilities may allow a malicious person's actions to scale or may mean that a smaller number of people can have a bigger influence. Even just within the space of e-voting security I'd argue that many of the risks that come from machine vulnerabilities can be greatly reduced if we had some sound broad procedures/education around using and administering the machines securely.
The voting process has always posed some significant challenges. E-voting security is a small piece of the larger problem. It is a piece that we know we can do something about, though, by establishing some basic security assessment standards for the machines themselves and some procedural and education standards for those that administer elections. The biggest sin would be that e-voting vulnerabilities merit a prominent place on the laundry list of voting problems in years to come. I think we're at a point where some simple things can be done to move it off that list and I hope that some of the standards efforts that have begun now in earnest get rolled out so attention can be focused on other ongoing voting challenges.
-
Healthcare Giant Faces IT Nightmare
Joan writes "Kaiser Permanente, the largest HMO in the U.S., has spent about $4 billion on an unreliable electronic medical record system that is impacting patient care, according to a 722-page internal report revealed by Computerworld. The CIO resigned after the news came out, and CEO George Halvorson is telling the media that the goal is an alarmingly low 99.5% uptime and that all the problems are really just power outages. Yesterday, Slashdot covered a story about the possibility that the NHS in the UK could now claim the 'biggest IT disaster' prize, but Americans, fear not: so far, the Brits are running a much more efficient failure at $24,000 per physician per year, while America's KP is spending $76,920 per physician, per year on its failing project." -
Are New DRM Technologies Setting Vista Up For Failure?
PetManimal writes "Computerworld has picked apart the way Vista handles DRM in terms of hardware and software restrictions. Trusted Platform Module, Output Protection Management, Protected Video Path and various Windows Media software components are designed to 'protect' copyrighted content against security breaches and unauthorized use. The article notes that many of the DRM technologies were forced upon Vista by the entertainment industry, but that may not garner Microsoft or Hollywood any sympathy with consumers: 'Matt Rosoff, lead analyst at research firm Directions On Microsoft, asserts that this process does not bode well for new content formats such as Blu-ray and HD-DVD, neither of which are likely to survive their association with DRM technology. "I could not be more skeptical about the viability of the DRM included with Vista, from either a technical or a business standpoint," Rosoff stated. "It's so consumer-unfriendly that I think it's bound to fail — and when it fails, it will sink whatever new formats content owners are trying to impose."'" -
Unplugging Your Backups
Lucas123 writes "Computerworld has an article about how consumers, home offices and company branch offices can use microwave, free space optics, WiMax, and a new Wireless USB protocol to backup and access data over short and long distances. The story says that wireless USB can be used to transmit data from one to 10 feet from a PC or laptop at up to 480Mbps, while microwave and WiMax can be used to transmit data securely over miles. Steinbach Credit Union Inc., in Canada, has been using microwave and an IP network for years to backup data to a disaster recovery site 32 miles away, the story states." -
An Open Letter To Diebold
jcatcw writes "Computerworld's Rob Mitchell tells Diebold President and CEO Thomas Swidarski how to regain Diebold's reputation instead of throwing in the e-voting towel. He recommends full disclosure of all existing problems, a process for disclosure of future problems, hiring of some real professionals as CTO and as an advisory group, and public testing. 'Surely if Diebold can make a secure ATM there is no reason why it cannot make secure and reliable e-voting apparatus in which the public has confidence.'" -
E-voting State By State
jcatcw writes "One-third of Americans will use voting machines next week that have never before served in a general election. Computerworld.com provides an overview of e-voting in each of the 50 states and the District of Columbia — equipment, systems for voter registration, polling, significant legal challenges to the systems, previous media coverage, links to government watchdog sites, the vendors, technologies and laws that are important to the issue, and a review of 'Hacking Democracy.'" -
Bug Pushes Vista Out to November 8th
IntelliAdmin writes "Microsoft originally targeted October 25th for Vista's release to manufacturing, but a last-minute bug that 'took most of the Vista team by surprise' has caused an unexpected delay, said Ethan Allen, a quality assurance lead at a Seattle high-tech company that tests its products for Vista. Allen said the Vista team discovered the bug, which 'would totally crash the system, requiring a complete reinstall'. Vista now has a new RTM date of November 8th." A reader wrote in to point out this story originated with Paul Thurrott. -
Sys-Admins Reading the Bosses Mail?
PetManimal writes "Computerworld has an article about IT staff who have access to corner-office email. Systems administrators, database administrators, storage administrators and higher level IT super users are the types who may access sensitive executive information; one source quoted in the article says that in a company with 1,500 employees, there might typically be five to 10 administrators who have this access. As for how many abuse these privileges, it's hard to tell, but rogue admins out for workplace revenge or personal gain can wreak havoc: '... Experts agree that the severity of these occurrences generally makes them more harmful than external attacks. One of the biggest obstacles to eliminating unauthorized access is determining how many people have it. Access lists are particularly difficult to formulate in both mature companies, where the number and power of administrators have expanded over periods of years, and small companies, where rapid growth leads to undocumented tangles of administrators who are able to maintain their access because nobody has time to assess their status.'" -
Same Old, Same Old at HP?
theodp writes "Computerworld Editor-in-Chief Don Tennant expresses astonishment at HP's cluelessness in the wake of its boardroom leak investigation fiasco, noting that HP CEO Mark Hurd's choice for a new Chief Ethics Officer was Hurd's go-to guy at NCR when the boss wanted internal leaks investigated." From the article: "It seems incomprehensible that no one at HP could foresee that appointing a former Hurd colleague to the ethics oversight position might be perceived as a shameless attempt by Hurd to keep from being further sullied by the scandal. But there's another dimension to all this that's even more baffling. Nearly two weeks before HP announced Hoak's appointment, BusinessWeek ran a story that recounted how Hurd had to deal with a number of internal investigations at NCR, including probes of leaks of sensitive information on Yahoo message boards." -
Feds Start Small on Smart IDs
jcatcw writes "Some government employees will be getting smart ID cards beginning this week. The unfunded mandate to have all employees and contractors use Personal Identity Verification (PIV) cards is part of Homeland Security Presidential Directive 12. The U.S. General Services Administration is providing enrollment centers that can verify the identities of employees, fingerprint and photograph the workers, and issue PIV cards to them. The deadline for getting cards to all employees and contractors is the end of September 2008." -
What's Different About Vista's GUI?
jcatcw writes "Paul McFedries, author of Windows Vista Unveiled, thinks that an operating system should be thought of as more than just its user interface, but then again that interface should work well for the user. He thinks the Vista interface rates 'pretty darned good.' The Windows Presentation Foundation (WPF) results in positive changes for both developers and users. Developers can do 2-D, 3-D, animation, imaging, video, audio, special effects and text rendering using a single API. The use of vector graphics and offloading work to the GPU result in better animations, improved scaling, transparency, and smooth motion." -
Microsoft's Guidelines for Customer Privacy
jcatcw writes "Microsoft has released its 'Privacy Guidelines for Developing Software Products and Services.' According to Peter Cullen, chief privacy strategist, Microsoft has learned about protecting user's data from such endeavors as Hailstorm and WGA. 'Certainly that and other things have contributed to us thinking deeply with how we provide security and privacy, as well as respect and control with how their information is used,' he said. 'We think others should join in this discussion.'" -
Vista RC2: More Refined, But Still Not Perfect
jcatcw writes, "Scot Finnie continues his love — hate relationship with Windows Vista. He installed the latest beta, RC2, on three machines. First problem: drivers — too many of them that should be available just aren't. User Access Control remains annoying and Vista's Software Protection Platform puts antipiracy above user security. Software compatibility is still in need even at this late date. However, previous problems with the Media Center were absent." And turnitover writes to point us to PC Mag's RC2 review. Their bottom line is that they expect an RC2+ or even an RC3 before it goes final. Here is PC Mag's slide show.
Update: 10/09 19:33 GMT by kd : michigano writes: "This late in the game and Microsoft has pulled firewire support from their OS! No one knows if it's permanent." -