Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Comments · 1,941
-
Single Sign On
Ideally, you have a centralized authentication system like Kerberos, and one password is good for all the network services you need. Also, password storage utilities like Bruce Schneier's Password Safe or Apple's Keychain help a lot, since you can use a single master password to store (in encrypted form) all those other passwords you don't want to remember.
-
Re:Obviously...
starm: "I just don't understand you Americans. ... If this was happening in my country I would be sending letters to my government ..."
Strictly speaking, the United States of America doesn't run elections: fifty states run elections. And really, in many states, it's the counties that run elections. Many non-Americans don't realize just how decentralized the US is.
Now, a move to federal election standards is probably a fine idea, and in fact has been in the works for a couple years (e.g., the Help America Vote Act of 2002), but (a) IIRC it's unfunded and (b) implementing new standards across thousands of counties will take time.
Experts who have weighed in on the subject include Bruce Schneier.
-
Bruce Schneier
.. has been saying this for ages while talking about Identification and Security, "All the 9/11 terrorists had photo IDs. Some of the IDs were real. Some were fake. Some were real IDs in fake names, bought from a crooked DMV employee in Virginia for $1,000 each. Fake driver's licenses for all fifty states, good enough to fool anyone who isn't paying close attention, are available on the Internet." So I don't think the new anticipated cards will eliminate the threat. I'm just more concerned about the ways it will be abused!
-
Read Between the Lines
he is just a guy with an opinion, just like us
Just like us except he has intimate knowledge of the most highly secret intelligence reports of the US.
Read between the lines here, folks.
Gedankenexperiment - what would do more economic damage - a couple of planes crash into a skyscraper or 40% of the nation's economic data being erased?
We all know how well small and medium businesses backup and archive their data. And what OS most of them use. And how secure that OS is. And how isolated from the Internet those machines are.
What's harder - launching a massive worm attack on the US Windows Business Infrastructure or sneaking in the country and hijacking a bunch of airplanes? Which is being defended against? Do the Attack Tree Analysis.
al-Qaeda was going for shock and awe and got massive economic destruction by accident - UBL was reportedly very pleased by this side-effect. -
Schneier's opinion
Bruce Schneier:
Computerized systems with these characteristics won't be perfect -- no piece of software is -- but they'll be much better than what we have now. We need to start treating voting software like we treat any other high-reliability system. The auditing that is conducted on slot machine software in the U.S. is significantly more meticulous than what is done to voting software. The development process for mission-critical airplane software makes voting software look like a slapdash affair. If we care about the integrity of our elections, this has to change.
http://www.schneier.com/blog/ -
Re:It's scarey they think that is a solution
Actually, I think the issue really isn't about officials being able to read the RFID, but rogue scanners (identity thieves, terrorists, whatever) grabbing information from individuals in a crowd that do not realize that their passports are being scanned. Check out Bruce Schneier's blog entry http://www.schneier.com/blog/archives/2004/10/rfid_passports.html -
Re:Bzzt. American over here!
Is the US the only country using them?
No. The EU is also discussing this, and most likely, other countries are as well.
I don't like the idea of walking around with a US Passport emitting signals to advertise my nationality.
This is also the reason why Bruce Schneier thinks terrorists will love this technology: if they want to specifically target a certain nationality (e.g. US), they can easily find people of this nationality in a crowd.
-
Re:what exactly is the problem witb ID cards?
As far as I'm concerned, it's not a privacy issue unless they fuck it up. They can already track you by SSN, state ID, or whatever. It would only really be a privacy issue if they put RFID stuff in your card, and this enabled unintended people to scan the thing and get useful information. That would open the system up to abuse by criminals and stores alike.
But the real problem with national ID cards is that they have negative security value. They will be trusted more than ID cards and social security numbers, and they will be only one piece of information to forge or steal. The government databases connected with the ID cards will be vulnerable and unreliable, and more so than the SSN databases because of their size (i.e., more chances to create a privacy problem by fucking it up). They'll be a bigger pain in the neck for people who lose them, and the risks of identity theft will be monstrous.
It would be very difficult to get something on this scale right, and it would be worse than the current system of state IDs, kludgy as that is. On top of that, the project would be horrendously expensive.
There would also certainly be ways for an insider to ruin someone's life, even more than there are today, by fiddling with these databases.
If there were national ID cards from the beginning, the system might be better than what we see today (I personally think it would be simpler but probably more vulnerable to abuse). But I think that instituting them now would be a mistake.
Schneier has a good essay on this here. -
Biometrics are not sufficient by themselves
Biometric fingerprint readers have been hacked by copying a fingerprint impression from a plastic-like mold and even by just lifting the fingerprint off of a glass and manipulating that image into a physical mold.
Something you have, something you know.
'Something you are' is just another form of 'something you have'. The limitation of biometrics is that 'something you are' cannot easily be decommissioned and reissued if it has been compromised.
The key to good security is to have the strength and number of controls increase as the value of the protected contents increases. A password alone may be perfectly appropriate to protect low value content.
-
A fun intro to encryption?
Forget the article, try some fiction!
An oldtime Slashdot favourite: Cryptonomicon, Neal Stephenson.
Includes a supplemental algorithm called Solitaire, developed by crypto-researcher Bruce Schneier.
-
Re:Handbook
Also, he knows his stuff; he submitted one of the AES candidates, Blowfish.
I guess you meant to say twofish. </nitpicking
-
Re:SETI noise
This scheme is more commonly known as a one-time pad. Basically, you need to generate a set of random data that can be combined with your plain-text. A common implementation used to be pads of onion-skin paper with blocks of random letters on them. Onion-skin was used since it was possible to generate pairs of pads using carbons and also because the paper was easy to destroy. The pads usually had something like the date the pad was to be used on them.
Often these systems were broken because the pads were misused: the same pad used multiple times, or the same pad used with some variation.
IIRC, the scheme you are proposing is similar to the way that the red telephone communication between the Soviet Union and the US, as well as embassy communications, was secured. In that case, special vinyl records were distributed that had to be started at the same point. The length of the record determined how long you can talk.
This essay on Bruce Schneier's site highlights one of the chief weaknesses of the one-time pad: the key distribution problem. You have to figure out how to get your friend's CD to him without being intercepted. You also have to be sure that the computer that generated the CD's wasn't compromised; someone spying on your machine could just log what audio file you used, copy it, and generate their own key CD.
Considering that a CD can only hold around 700MB (for a standard audio CD), I would say the key space is small enough that even if an attacker doesn't know your position choosing scheme (your description of the system states that the position is part of the message, so I'm being generous here), it should be possible to brute force the message if he somehow gets access to the key.
Another problem is: you may suspect that you are being watched or the system is compromised, but your buddy may not. How do you communicate that information to your friend, especially if you aren't supposed to be in contact with them in the first place?
If the attacker has your key CD, he could send an encrypted message stating that you (the legitimate user) are the attacker? Then who would your buddy believe?
The benefit of public-key cryptography is that it limits the amount of data that needs to be shared in order to communicate. The keys used for encryption never leave the possession of the person doing the encryption. It is also relatively simple to generate new keys.
Of course, man-in-the-middle attacks can still happen. But if you can establish the first public keys that you and your friend will use in a secure manner (e.g. face-to-face meeting), subsequent public keys can be encrypted using the last trusted key, or by using other key sharing schemes. -
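As an added illustration of the pad-reuse failure the comment above describes (example code written for this page, not from the thread or from schneier.com): a one-time pad in Python, the two-time-pad leak that appears when the same pad is used twice, and a crib-drag that recovers part of one message from the other without ever touching the pad. The two messages, the crib and the pad are constructed for the demonstration.

```python
import os
from typing import List, Tuple

# Constructed sample traffic for the demonstration; not real messages.
P1 = b"MEET ME AT THE USUAL PLACE AT NOON"
P2 = b"THE PACKAGE IS IN LOCKER NUMBER 42"
CRIB = b"USUAL PLACE"  # fragment the attacker guesses appears somewhere in P1
ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(n_bytes: int) -> bytes:
    # The pad must come from a real CSPRNG; a key derived from an audio file
    # that an attacker can identify and copy is not a pad at all.
    return os.urandom(n_bytes)


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    # Each pad byte may be used exactly once; refuse to stretch a short pad.
    if len(pad) < len(plaintext):
        raise ValueError("pad exhausted: never reuse or stretch a pad")
    return xor_bytes(pad[:len(plaintext)], plaintext)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    # If both ciphertexts used the same pad, XORing them cancels the pad:
    # (P1 ^ K) ^ (P2 ^ K) == P1 ^ P2. No key material is needed for this.
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def looks_like_message(fragment: bytes) -> bool:
    return all(ch in ALPHABET for ch in fragment)


def crib_drag(p1_xor_p2: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    # Slide a guessed fragment of one message along P1 ^ P2; wherever the
    # guess is right, the XOR exposes the corresponding slice of the other.
    hits = []
    for offset in range(len(p1_xor_p2) - len(crib) + 1):
        window = p1_xor_p2[offset:offset + len(crib)]
        candidate = xor_bytes(window, crib)
        if looks_like_message(candidate):
            hits.append((offset, candidate))
    return hits


def demo() -> List[Tuple[int, bytes]]:
    pad = new_pad(len(P1))
    c1 = otp_encrypt(pad, P1)
    c2 = otp_encrypt(pad, P2)  # the mistake: the same pad used twice
    return crib_drag(two_time_pad_leak(c1, c2), CRIB)


if __name__ == "__main__":
    for offset, fragment in demo():
        print(offset, fragment.decode())
```

Running it lists every offset at which the crib yields a plausible fragment; at offset 15 the guess is correct and the XOR exposes "IN LOCKER N" from the second message, with the attacker never having seen the pad. Other offsets may produce chance hits, which is why crib dragging is iterated with longer guesses. With a fresh pad per message the XOR of the two ciphertexts is just random bytes and the attack has nothing to work with.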
Re:Handbook
I'd recommend Applied Cryptography by Bruce Schneier instead.
Not only does it cover the same ground, it also goes into detail a bit more about real tricky business; protocols (where most mistakes are made these days, since nearly everybody uses off-the-shelf algorithms like AES, DSA, RSA and ElGamal). This guy knows how to write, and succeeds in warning you of potential pitfalls in a humorous manner. Also, he knows his stuff; he submitted one of the AES candidates, Blowfish.
Bruce also publishes the most excellent Crypto-Gram newsletter.
Beware of not heeding Bruce's stern words of warning. You may end up in the doghouse! The humiliation! The shame upon your house! -
Applied Cryptography
Bruce Schneier's Applied Cryptography is another excellent resource for all you crypto-geeks out there. It goes from the basics (including the substitution cipher presented in the article) through basic crypto (ENIGMA, DES) all the way up through state-of-the-art (don't think AES was in my 1st ed., but I believe it's in there now). He talks about everything from the theoretical to the practical, hash collisions to rubber-hose cryptography.
It comes with source too! You know you love source.... -
Re:I agree with you
Electronic voting could make voting easier, but it is a good idea to have a voter-verifiable audit trail. As of now, not all electronic voting machines have such audit trails.
We trust computers with just about everything under the sun: our power, our health, our lives, our money
Security expert Bruce Schneier has talked about secure voting versus secure financial transactions. E-voting has the difficulty of secret ballots, which is not an issue for even the largest financial transactions. In addition, a single vote is associated with many others. Imagine redoing an election. It is much easier to figure out what happened if something goes wrong with a financial transaction. Though there are mission-critical systems, their design is different from normal systems, not to mention much more expensive. Electronic voting machines are not designed like this. In addition, voting machines have to be secure against deliberate tampering (possibly from the inside), as well as accidental failure.
-
Strapping on tinfoil beanie now...
Not to sound like too much of a conspiracy freak, but I have to say that some of the numbers sound kinda flaky -- e.g. there was supposedly no change in turnout of young voters, but the news was *full* of anecdotal evidence of massive youth voter turnout... Also, the numbers from Florida just look a little... weird.
It's very, very good that these guys are doing this -- it's just too easy to imagine "election hacking" scenarios.
FYR: Some very good analysis of the problem, with resources, from Bruce Schneier: http://www.schneier.com/crypto-gram-0312.html#9
-
Re:They do?
Not that he was going to secretly have a 13,000-employee company rig a presidential election.
Still, it is a scary thought...
It always makes me think about this article:
http://www.schneier.com/crypto-gram-0404.html#4
Disclaimer: I am Canadian. I don't care about American politics as long as WE don't get screw... -
Re:No they won't work
so what are they "tracking you" with?!?! The TV that sits in your house 24/7 and emits so much RF that it can attract air search+rescue?
- Your Driver's License - http://www.wired.com/news/privacy/0,1848,65243,00.html?tw=wn_story_top5
- Your Passport License - http://www.schneier.com/blog/archives/2004/10/rfid_passports.html
- You - http://www.rfidnews.org/weblog/2004/10/14/verichip-approved-by-fda/
Just who is uninformed here? The data on these tags is not encrypted and would contain your name, address, DOB, driver's license number, SS number, and medical history. Talk about an identity thief's paradise.
-
Bruce Schneier on RFID Passports
Since the terrorist attacks of 2001, the Bush administration--specifically, the Department of Homeland Security--has wanted the world to agree on a standard for machine-readable passports. Countries whose citizens currently do not have visa requirements to enter the United States will have to issue passports that conform to the standard or risk losing their nonvisa status.
These future passports, currently being tested, will include an embedded computer chip. This chip will allow the passport to contain much more information than a simple machine-readable character font, and will allow passport officials to quickly and easily read that information. That is a reasonable requirement and a good idea for bringing passport technology into the 21st century.
But the Bush administration is advocating radio frequency identification (RFID) chips for both U.S. and foreign passports, and that's a very bad thing.
These chips are like smart cards, but they can be read from a distance. A receiving device can "talk" to the chip remotely, without any need for physical contact, and get whatever information is on it. Passport officials envision being able to download the information on the chip simply by bringing it within a few centimeters of an electronic reader.
Unfortunately, RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that travelers carrying around RFID passports are broadcasting their identity.
Think about what that means for a minute. It means that passport holders are continuously broadcasting their name, nationality, age, address and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder's knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily--and surreptitiously--pick Americans or nationals of other participating countries out of a crowd.
It is a clear threat to both privacy and personal safety, and quite simply, that is why it is bad idea. Proponents of the system claim that the chips can be read only from within a distance of a few centimeters, so there is no potential for abuse. This is a spectacularly naïve claim. All wireless protocols can work at much longer ranges than specified. In tests, RFID chips have been read by receivers 20 meters away. Improvements in technology are inevitable.
Security is always a trade-off. If the benefits of RFID outweighed the risks, then maybe it would be worth it. Certainly, there isn't a significant benefit when people present their passport to a customs official. If that customs official is going to take the passport and bring it near a reader, why can't he go those extra few centimeters that a contact chip--one the reader must actually touch--would require?
The Bush administration is deliberately choosing a less secure technology without justification. If there were a good offsetting reason to choose that technology over a contact chip, then the choice might make sense.
Unfortunately, there is only one possible reason: The administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can't be done.
Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it.
This article originally appeared in the 4 October 2004 edition of the International Herald Tribune
-
Department of big brother
Schneier wrote:
The administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners.
Annoying. -
Re:Law Enforcement
The problem is that the range is entirely dependent on the receiving equipment. These are only intended to be read from a few inches/cm away. But the way that RFID works leaves gaping holes for exploitation and abuse.
Basically, an RFID "chip" is a passive, unpowered radio transceiver. When it receives a radio transmission of a certain power level and frequency, the antenna resonates, inducing a current within the circuitry. This current is passed through filters - AND/OR/XOR/NOT gates or what not, I'm not 100% sure - which are unique to the data contained on the chip. By this process, the output power levels and frequency can be modified in accordance with what information the implementers want to be transmitted back. (This is nearly identical technology to the proximity cards and readers many of us have used at work, parking garages, dormitories, etc.)
The problem is, the chip will respond to any proper wavelength and dB, so there is no practical way (not yet anyway, though the technology is being developed for crypto-enabled RFID) to control to whom the chip will respond. This means that anybody can request the data contained on the chip (or perhaps more importantly, whether or not a chip is present!).
What's more, the chip simply outputs a certain radio frequency which any radio receiver in the propagation sphere can receive. It's been demonstrated that a properly tuned and sensitive receiver can read the resulting broadcast from an RFID chip from several, if not tens, of meters away.
There's a rather good article on the subject of RFID passports at Bruce Schneier's blog. -
Re:Bring It On.
Sounds like you're just a consumer anyway.
If you're not making any difference in the world, positive or negative, do try to shut up.
It's people like you that let shit like this slide through.
It's not about having something to hide. It's a stupid idea.
Read this article. -
Schneier's Take
Bruce Schneier's latest CryptoGram newsletter has an intelligent take on the idiocy of this idea.
RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that anyone carrying around an RFID passport is broadcasting his identity.
(Personally, I find the garish clothes, arrogant demeanour and lack of any interest in speaking local languages enables us to do this pretty easily anyway).
Think about what that means for a minute. It means that a passport holder is continuously broadcasting his name, nationality, age, address, and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder's knowledge or consent. It means that pickpockets, kidnappers, and terrorists can easily -- and surreptitiously -- pick Americans out of a crowd. -
Bruce Schneier
Bruce Schneier has made some interesting observations on the RFID passport plans. Somehow, I do not see how this could possibly make us "safer".
-
PostX is Phish-friendly?
I very recently complained to Schwab IT about their online statement delivery. It comes in an email, contains an html doc that contains a java app that directly asks for my account and password info. I wrote them a letter saying how bad an idea that was, and that it encourages less sophisticated users to trust the sender too much.
I don't think you'll have any luck, given that PostX is funded by Schwab. I see that they admit to having a security model based on secure content in an insecure envelope, one "feature" of which is particularly frightening:One-Click Secure Access - A PostX secure document can include a link back to secure website pages. Because PostX already authenticates the user, there is no need for additional logins, combining security and convenience within the user experience.
Soliciting opinions from people like Schneier and other security people attacking this PostX concept (narrowly via e-mail, if not broadly elsehow) as fundamentally flawed (obviously by creating an imitation of it that sends the info elsewhere but is otherwise virtually indistinguishable) would be best. -
Re:First post?
There is no correlation between security and liberty
Blatantly untrue. Bruce Schneier talks about it constantly.
"The proper question to ask is whether the trade-off is worth it. Is the level of security gained worth the costs, whether in money, in liberties, in privacy or in convenience?"
from his site
Also check out this article, all about the costs of security, liberties being one of them.
I also recommend subscribing to his Crypto-Gram newsletter. -
Re:First post?
In order to increase your security, you will be giving up some of your freedoms.
This is patently false. There is no correlation between security and liberty. I suggest you check out Bruce Schneier's book Beyond Fear for a start on re-educating yourself on this issue. You've fallen for the propaganda.
Besides, those that are taking the freedoms don't really care that much about security. Just look at airport security. It's all show and no substance. There are methods for airport security that work (those used by Israel for example), but they decided not to go with those. Instead they decided to expand government and harass its citizens in a nice dog and pony show that will do nothing to stop another 9/11 type incident.
-
Re:Oh great...
Schneier has a thing about RFID passports (same sort of thing) in his blog, his arguments might clarify the situation. www.schneier.com/blog/
-
You might want to check that again
You might want to check some of those well known "facts" before they make you seem like a runner up for the tinfoil hat of the year award. No matter what you feel about Microsoft, if the NSA is going to have MS and other US corporations add backdoors to their code, are they really going to be dumb enough to leave it named NSAKEY in plain sight in the registry? Incidentally, how many of those who believe this 'theory' also install the SELinux additions to make their Linux more secure? You might want to go ahead and check who puts that together.
-
Bruce Schneier
Bruce Schneier should have this job. As a matter of fact he should be Secretary of Homeland Security.
-
Re:Some math on an access point. vs. PC firewall
IPSEC is secure? See this.
-
Re:What I don't understand is why...
As a subscriber to Crypto-Gram I remember Bruce Schneier mentioning that a paper trail would indeed be a good idea. Not perfect, but better than electronic only.
-
Easy ways around this
Well in the article Cringely talks about USB devices having write protection (unless enabled via M$ new licensing). I have a big issue with that. What about printers!! Surely these are writable devices, or are they expecting everybody to buy a new USB printer? Oh, but they could limit writing to just printers, you say; well then my USB key will pretend to be a printer and I will print all my company's secret docs to it. This whole idea is M$ FUD; for a good analysis regarding locking USB key fobs etc. refer to Crypto-Gram, July 15th (Bruce Schneier). A way will always be found to overcome such limitations by the would-be data thief.
-
Bruce Schneier disagrees
From Bruce Schneier's Crypto-gram: "MagiQ Technologies is now selling an actual product that uses single photons to exchange keys over fiber optic lines.
..
I don't have any hope for this sort of product. I don't have any hope for the commercialization of quantum cryptography in general; I don't believe it solves any security problem that needs solving. I don't believe that it's worth paying for, and I can't imagine anyone but a few technophiles buying and deploying it." -
In related news...
all my passwords are on a yellow POST-IT(tm) which I crumple up and put in my pocket, just like Bruce http://www.schneier.com/crypto-gram.html.
-
A Discourse on Computerized and Electronic Voting
For many years now Bruce Schneier has been writing on this topic extensively and since I share his views I decided to put together the most relevant excerpts from his excellent Crypto-Gram newsletter and let them speak for themselves. If you really want to get up to speed on this topic, this is what you've been looking for.
Crypto-Gram: September 15, 2003 :: News:
Interesting report on the security of Diebold's voting machines. Scary stuff, especially if you consider that these are already being purchased for use in U.S. elections.
http://avirubin.com/vote.pdf
Crypto-Gram: October 15, 2003 :: News:
Despite admitting that Diebold voting machines have a high risk of compromise, the state of Maryland is going to buy them:
http://www.wired.com/news/business/0,1367,60583,00.html
Crypto-Gram: December 15, 2003 :: Computerized and Electronic Voting:
There are dozens of stories about computerized voting machines producing erroneous results. Votes mysteriously appear or disappear. Votes cast for one person are credited to another. Here are two from the most recent election: One candidate in Virginia found that the computerized election machines failed to register votes for her, and in fact subtracted a vote for her, in about "one out of a hundred tries." And in Indiana, 5,352 voters in a district of 19,000 managed to cast 144,000 ballots on a computerized machine.
These problems were only caught because their effects were obvious--and obviously wrong. Subtle problems remain undetected, and for every problem we catch--even though their effects often can't be undone--there are probably dozens that escape our notice.
Computers are fallible and software is unreliable; election machines are no different than your home computer.
Even more frightening than software mistakes is the potential for fraud. The companies producing voting machine software use poor computer-security practices. They leave sensitive code unprotected on networks. They install patches and updates without proper security auditing. And they use the law to prohibit public scrutiny of their practices. When damning memos from Diebold became public, the company sued to suppress them. Given these shoddy security practices, what confidence do we have that someone didn't break into the company's network and modify the voting software?
And because elections happen all at once, there would be no means of recovery. Imagine if, in the next presidential election, someone hacked the vote in New York. Would we let New York vote again in a week? Would we redo the entire national election? Would we tell New York that their votes didn't count?
Any discussion of computerized voting necessarily leads to Internet voting. Why not just do away with voting machines entirely, and let everyone vote remotely?
Online voting schemes have even more potential for failure and abuse. Internet systems are extremely difficult to secure, as evidenced by the never-ending stream of computer vulnerabilities and the widespread effect of Internet worms and viruses. It might be convenient to vote from your home computer, but it would also open new opportunities for people to play Hack the Vote.
And any remote voting scheme has its own problems. The voting booth provides security against coercion. I may be bribed or threatened to vote a certain way, but when I enter the privacy of the voting booth I can vote the way I want. Remote voting, whether by
-
A Discourse on Computerized and Electronic Voting
For many years now Bruce Schneier has been writing on this topic extensively and since I share his views I decided to put together the most relevant excerpts from his excellent Crypto-Gram newsletter and let them speak for themselves. If you really want to get up to speed on this topic, this is what you've been looking for.
Crypto-Gram: September 15, 2003
:: News:Interesting report on the security of Diebold's voting machines. Scary stuff, especially if you consider that these are already being purchased for use in U.S. elections.
http://avirubin.com/vote.pdfCrypto-Gram: October 15, 2003
:: News:Despite admitting that Diebold voting machines have a high risk of compromise, the state of Maryland is going to buy them:
http://www.wired.com/news/business/0,1367,60583,00.html
Crypto-Gram: December 15, 2003
:: Computerized and Electronic Voting: There are dozens of stories about computerized voting machines producing erroneous results. Votes mysteriously appear or disappear. Votes cast for one person are credited to another. Here are two from the most recent election: One candidate in Virginia found that the computerized election machines failed to register votes for her, and in fact subtracted a vote for her, in about "one out of a hundred tries." And in Indiana, 5,352 voters in a district of 19,000 managed to cast 144,000 ballots on a computerized machine.
These problems were only caught because their effects were obvious--and obviously wrong. Subtle problems remain undetected, and for every problem we catch--even though their effects often can't be undone--there are probably dozens that escape our notice.
Computers are fallible and software is unreliable; election machines are no different than your home computer.
Even more frightening than software mistakes is the potential for fraud. The companies producing voting machine software use poor computer-security practices. They leave sensitive code unprotected on networks. They install patches and updates without proper security auditing. And they use the law to prohibit public scrutiny of their practices. When damning memos from Diebold became public, the company sued to suppress them. Given these shoddy security practices, what confidence do we have that someone didn't break into the company's network and modify the voting software?
And because elections happen all at once, there would be no means of recovery. Imagine if, in the next presidential election, someone hacked the vote in New York. Would we let New York vote again in a week? Would we redo the entire national election? Would we tell New York that their votes didn't count?
Any discussion of computerized voting necessarily leads to Internet voting. Why not just do away with voting machines entirely, and let everyone vote remotely?
Online voting schemes have even more potential for failure and abuse. Internet systems are extremely difficult to secure, as evidenced by the never-ending stream of computer vulnerabilities and the widespread effect of Internet worms and viruses. It might be convenient to vote from your home computer, but it would also open new opportunities for people to play Hack the Vote.
And any remote voting scheme has its own problems. The voting booth provides security against coercion. I may be bribed or threatened to vote a certain way, but when I enter the privacy of the voting booth I can vote the way I want. Remote voting, whether by
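The two incidents quoted above (Indiana and Virginia) make a useful contrast, so here is an added example, not code from Schneier or from the poster, of the kind of arithmetic plausibility check a county could run over reported tallies without trusting the machine or its software. The precinct names and all the numbers are constructed for illustration. It flags the gross cases (more ballots than registered voters, more candidate votes than ballots, negative totals) and, just as the post warns, passes a machine that silently drops about one percent of one candidate's votes, because every invariant still holds.

```python
from dataclasses import dataclass


@dataclass
class PrecinctTally:
    precinct: str
    registered_voters: int
    ballots_cast: int
    votes: dict[str, int]  # candidate -> total reported by the machine


def check_tally(t: PrecinctTally) -> list[str]:
    """Return the plausibility violations for one precinct (empty list = passes).

    These are pure arithmetic invariants on the published numbers; they need
    no access to the voting machine, its source code or its vendor.
    """
    problems = []
    if t.ballots_cast > t.registered_voters:
        problems.append(
            f"{t.precinct}: {t.ballots_cast} ballots cast by "
            f"{t.registered_voters} registered voters"
        )
    for candidate, n in t.votes.items():
        if n < 0:
            problems.append(f"{t.precinct}: negative total {n} for {candidate}")
    counted = sum(t.votes.values())
    if counted > t.ballots_cast:
        problems.append(
            f"{t.precinct}: {counted} candidate votes exceed {t.ballots_cast} ballots"
        )
    return problems


def audit(tallies: list[PrecinctTally]) -> dict[str, list[str]]:
    """Map precinct name -> violations, for every precinct failing at least one check."""
    flagged = {}
    for t in tallies:
        problems = check_tally(t)
        if problems:
            flagged[t.precinct] = problems
    return flagged


# Constructed sample data: hypothetical precincts, invented numbers.
SAMPLE_TALLIES = [
    # Modelled on the Indiana case in the post: far more ballots than voters.
    PrecinctTally("P-01", registered_voters=19_000, ballots_cast=144_000,
                  votes={"Smith": 80_000, "Jones": 64_000}),
    # A machine reporting more candidate votes than ballots were cast.
    PrecinctTally("P-02", registered_voters=2_500, ballots_cast=1_800,
                  votes={"Smith": 1_000, "Jones": 900}),
    # An ordinary precinct: undervotes are normal, so fewer votes than ballots is fine.
    PrecinctTally("P-03", registered_voters=2_000, ballots_cast=1_200,
                  votes={"Smith": 700, "Jones": 488}),
    # Modelled on the Virginia case: the machine silently drops about 1% of
    # Smith's votes (500 cast, 495 reported). Every invariant holds, so
    # nothing is flagged; only a hand count of paper records would catch it.
    PrecinctTally("P-04", registered_voters=2_000, ballots_cast=1_000,
                  votes={"Smith": 495, "Jones": 500}),
]


if __name__ == "__main__":
    for precinct, problems in audit(SAMPLE_TALLIES).items():
        for line in problems:
            print(line)
```

Running it reports P-01 and P-02 only. The check is a floor, not a guarantee: it catches what is "obviously wrong", and the one percent undercount in P-04 is exactly the subtle error the post says escapes notice.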
-
Re:Free World
What would happen if other things in the world were free? What if budding designers and contractors demonstrated their skills by building free public buildings?
Free as in beer would be kinda strange and other posters have addressed that weirdness. Free as in speech is commonplace in construction. You have to apply for planning permission which requires submitting the plans to local government. Anyone can request a plan at a small fee. I don't know about you but I think that's quite a free system!
Artists could behave more freely by releasing their work under a GNU style license. That's great but how do they get remunerated for their efforts you ask? Rather than releasing an album you simply release many singles. The artist might sell their single directly from their website at a dollar. Now once you buy that song you can distribute that freely and do all of the other things you can do in a GNU style license however the artist will not release the next single until they feel they've been adequately compensated for their efforts.
If they're crap they disappear pretty quickly. If they have a good fan base they make quite a bit of cash. Stephen King (search for his name in the document) did this successfully with an e-book he wrote. It does work!
Simon.
-
This may decrease security...
But, with all of the terrorist threats lately, bringing passport documents into the digital world is sure to increase security.
Why should that increase security? Perhaps there will be even more opportunities for forgeries. From Bruce Schneier's Crypto-Gram
There's one other problem with identity documents: the ease of getting legitimate documents in fraudulent names. Several of the 9/11 terrorists obtained fraudulent IDs from the Virginia Department of Motor Vehicles by paying a corrupt employee $1000 each. These weren't fake IDs. These were real IDs in fake names, with all the holograms and micro printing and whatever else the driver's licenses have to make them hard to forge.
-
Re:Should We Fear?
DES was never broken; its keyspace was just too small. It's not that hard to make an encryption algorithm more secure.
Oh my. If you truly believe that, I suggest you read some of Bruce Schneier's writings. This is a good start.
-
Re:Sort of understandable
It's called the illusion of security - insert Ben Franklin quote here.
Bruce Schneier calls this "Security Theatre".
-
Re:Don't the laws of computing make it...
Well, I like this quote, (I don't remember it from my reading of Applied Cryptography, guess I'll have to re-read the book more carefully) but it assumes something which is impossible, that is, perfect algorithms. A more interesting quote for this particular news post would be any of the many from Schneier's book Secrets and Lies. The whole point of the book, as explained in the Preface, was that Schneier assumed when he wrote Applied Cryptography that it would help people develop secure applications, however what ended up happening was people peppered cryptography into their software assuming doing only that would make their software secure. The reality is, in most software, the cryptography is not properly implemented and therefore not secure.
Secrets and Lies discusses security not cryptography and does an excellent job at it. Although I had the vague concept that no security system is really secure before I read the book, I came away from my reading thanking Schneier for drilling the idea into my head so that I would not be naive. It is the best book on security I have read and I recommend it to anyone interested in this fascinating field.
-
Re:Other useful info at cert.org
Point your tech support callers to these free docs - or others...
I frequently pass along Schneier's 3-year-old Safe Personal Computing essay from Crypto-Gram as a good initial set of steps to take coupled with good long-term recommendations (don't use MSIE, don't use Windows).
-
Security Theatre
Check out this Bruce Schneier interview from Newsweek where he talks about real security vs security theatre. He basically says that surveillance, ID cards etc just provide an illusion of security (especially when limited to only a few sites: secure the Olympic stadium and they'll bomb the subway, or the CBD, or the stock exchange etc). Real security in the context of terrorism comes from better intelligence gathering and better spooks.
-
Re:Stop playing solitaire on my dialysis machine
In the case of mission-critical or life-critical equipment, there are several things that should be done regarding the control software. For one thing, simplifying the software would be very useful and could reduce the number of possibilities where something could go wrong. Visual attractiveness should not necessarily be one of the highest priorities like it often is with regular software. Another thing would be to emphasize making the software secure to begin with to reduce problems and faults later on. Of course, this might mean that the release of the software might be delayed, but unexpected delays later on would be reduced. It is possible that open-source or free (free as in freedom) software might not be a bad idea. What would be important would be to review it for security issues and to obtain information about the changes and contributions in the past, to avoid a situation where proprietary copyrighted code was accidentally or deliberately introduced. It should not be necessary for the software to be secret in order for it to be secure (no "security through obscurity".) Another important aspect of open source or free software is the position of not being tied to a specific vendor who might change their practices in the future. If the equipment manufacturer can adjust the software to their precise circumstances, that is important.
There is a cancer clinic that uses free software, including the GNU software utilities and the Linux® OS kernel. Though it is not clear that the free software runs actual equipment, it is mentioned to show that free software has been used in serious circumstances.
With regard to security patches, security expert Bruce Schneier recommends monitoring something such as a network as an alternative to relying on security patches. Of course, there might be the issue of how to respond if something suspicious happens. Combined with measures such as simplifying the software, this might be better than repeatedly getting into difficulty over whether to apply a security patch.