Monday, October 27, 2003

Analysis of a voting system

I recently wrote, as many did, about the flaws discovered in Diebold's voting system. Researchers of the Johns Hopkins Information Security Institute published a report giving a detailed analysis of what can possibly go wrong in a live election. Later, Diebold responded to the claims made in this report in a rebuttal, to which of course the authors responded again. All in all an interesting story, which is still continuing, as instapundit notices. A lobby group will start a PR campaign to persuade us that these voting machines are the gold standard for voting, as Wired notices. But isn't the problem more that the machines are intrinsically insecure? Why then launch public awareness campaigns instead of fixing the security holes Prof. Rubin found? I think general public opinion shouldn't just be influenced by a media campaign; instead, assurances should be given by *independent* experts on the safety of these machines. Of course I too can only base my opinion on what I read on the web and elsewhere. We, the ordinary people, don't have the means or the possibility to possess the source code or the machines themselves to perform the tests. We need experts to guide us. Though, don't forget to keep our own minds thinking at the same time.

Friday, October 17, 2003

Something to keep you busy for the weekend

Some links at the end of the week to keep you reading, and thinking, hopefully. CYA

http://www.theregister.co.uk/content/4/33397.html
Gates announces Longhorn will be delayed until 2005, 2006…

http://www.sf.indymedia.org/news/2003/10/1653530.php
"ISP Rejects Diebold Copyright Claims Against News Website" This interests me. I read about flaws in Diebold's voting machines some weeks ago (see my blog somewhere). Now, IndyMedia links to sites mentioning leaked Diebold internal memos. Diebold seems successful in its attempts to get rid of all internet pages talking about this subject. But wait… read a book talking about these voting machines … on http://www.talion.com/blackboxvoting.org.htm you can download the complete BlackBox voting book. I found a lot of links to it having disappeared from the internet the last days, so maybe this one will also be offline soon. Let me know then, mail me!!

Sunday, October 12, 2003

The future of the internet

The future of the internet: some say it will end in chaos somewhere in the not so far future. I don't think so. It will be a dwelling place for those capable enough to handle it. When development of viruses and worms like Blaster and SoBig continues, some will be effectively disconnected from the internet as their websites and connection points will be under constant compromise. This seems like an unfair situation of unequal . However, everyone has the right to join the internet. Only thing: in the future this right can only be claimed when you're securing yourself enough. During the MSBlaster worm outbreak, the most informed person at my family's house placed a paper on their PC, announcing to the rest of the house "do not go to the internet: danger of viruses!". I hope they really followed the advice, for at that time they were as vulnerable as a newborn baby. Statistically speaking, their PC would have been infected with, for the sake of the argument, 95% probability within the hour after connecting to the internet. I even think that's too low, given the number of connections to port 135 I received back then (and still: I just received 4 port 135 connections and 7 ICMP pings over just the last 15 minutes according to ZoneAlarm). As these ICMP pings are performed to check on the availability of the victim PC, these add up to 11 hack attempts. Every one of them would have resulted in infection of a vulnerable PC, I guess.
What's your opinion?

The Absolute Minimum Every Software Developer Absolutely, Positively Must Know About Unicode and Character Sets (No Excuses!)

[LINK] The absolute...
Being a *Dutch* software developer, I'm reading this article now. You should too, no excuse.....

By the way, this is the first post which has the possibility to add comments to, thanks to BlogComments

Thursday, October 09, 2003

Remotely editing logfiles

The defence counsel asked Stunt if it was possible to cut some text from one log file and paste it into another log file from a remote computer. Stunt dismissed the idea: "Remotely, the answer would be no. It is impossible, the technology does not exist," he said.

Article: Accused port hacker says log files were 'edited'
Well, cutting and pasting something from your local PC to a remote one is not possible, I guess. But why wouldn't you just download / edit / upload the log? It has the same result and is trivial… it looks like one of:
- the above article is an incomplete representation of the mentioned trial
- the researcher is incapable of doing the research in question
You name it
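The point above is that a log file is just a file: anyone with write access can download it, edit it and upload it again, and nothing in the file itself will show that. An added example (not from the article or the trial, and not the author's code) of one defensive counter-measure: an HMAC hash chain in which every entry's tag covers the log's own identifier, its sequence number, the previous tag and the message, so that a line edited in place, a line deleted, or a line cut from another log and pasted in all break the chain at a detectable position. The log identifiers, messages and key are constructed for the demonstration.

```python
import hashlib
import hmac

GENESIS = "genesis"  # constant previous-tag value for the first entry


def _tag(key: bytes, log_id: str, seq: int, prev: str, msg: str) -> str:
    """HMAC-SHA256 over (log id, sequence number, previous tag, message)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in (log_id, str(seq), prev, msg):
        h.update(part.encode("utf-8"))
        h.update(b"\0")  # separator so fields cannot run into each other
    return h.hexdigest()


def append_entry(key: bytes, log_id: str, entries: list, msg: str) -> list:
    """Append msg to entries as a (seq, msg, tag) triple chained to the previous one."""
    seq = len(entries)
    prev = entries[-1][2] if entries else GENESIS
    entries.append((seq, msg, _tag(key, log_id, seq, prev, msg)))
    return entries


def verify_chain(key: bytes, log_id: str, entries: list):
    """Return the index of the first entry that breaks the chain, or None if intact."""
    prev = GENESIS
    for i, (seq, msg, tag) in enumerate(entries):
        if seq != i or not hmac.compare_digest(tag, _tag(key, log_id, seq, prev, msg)):
            return i
        prev = tag
    return None


def build_log(key: bytes, log_id: str, messages: list) -> list:
    """Helper: build a whole chained log from a list of messages."""
    entries = []
    for m in messages:
        append_entry(key, log_id, entries, m)
    return entries


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; in practice a per-host secret
    log_a = build_log(key, "ftp-server-A", ["user alice logged in", "alice GET report.txt"])
    log_b = build_log(key, "ftp-server-B", ["user bob logged in", "bob GET secrets.txt"])
    # Paste the second line of log B into log A: the tag no longer matches log A's chain.
    pasted = log_a[:1] + [(1, log_b[1][1], log_b[1][2])]
    print("intact:", verify_chain(key, "ftp-server-A", log_a))      # None
    print("pasted line at:", verify_chain(key, "ftp-server-A", pasted))  # 1
```

The chain only proves that the file has not changed since it was written by someone holding the key; protecting the key (or writing the log to a separate host) is what keeps an intruder from simply re-chaining the edited file.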

Monday, October 06, 2003

SQL Server BLOGs

Didn't know that there would be any BLOGs entirely devoted to SQL Server. But there are: SQLTeam, sqljunkies.com and more. Just go to ... http://www.daypop.com, enter "sql server" in the search box and you're on your way to discovering many more blogs, I assure you! Just wanted to let you know, don't know whether you're the database type at all. As for myself, I'm working on databases on a daily basis, both as Sysadmin and DBA. This broad job description is interesting on the one hand, but complicated on the other, as you might understand. You get to learn all kinds of interesting stuff on databases, new technologies and systems, as well as software. However, I feel myself struggling with things every now and then, as deep insight into what I'm doing is lacking sometimes, which is just part of the type of job I have. I wouldn't know what to do without Google for example :) And then again, it's only a part of my job, which is total IT management of my company. It extends to keeping a website on air and supporting users with all kinds of technical problems. Furthermore, even replacing the toner cartridges of the company's printers will be done by me most of the time. Luckily, the last thing is accompanied by more exciting tasks such as installing new servers and things like that.

Well, I'm on the internet several times a day, to keep up with tech sites and some forums, following the security news. And yes, to try to keep up with SQL Server also. I know myself as a curious person on the technical level; I want to know every detail about every technology that can be found (to give an impression, the articles and websites I have followed in the last months are about: Computer Security, Computer Science, Tech news, Software Engineering, Web building (HTML, Active Server Pages, CSS), databases in general, SQL Server more specifically, data enabling websites). I try (tried) to follow a lot of BLOGs also from people working in these areas. But it is just too much: for some time now there has been a baby around in our house, who also claims (read: deserves) a lot of attention. The evenings, after he has fallen asleep and the house turns more quiet, would be a good time to keep up with all this info, but I'm tired then and go to sleep. Also, time goes into volunteering work for our local church. What I need is not to read as much as I can, but to focus on what is best for extending my knowledge, and appreciate the little time available to me. Imagine, right now I'm bashing away on a little notebook in my son's room, where at the start of this post he was crying aloud, and now he's peacefully asleep :) I guess I have about 2 more hours, but in that time I also want to put some plants into the garden at the back of our house.

Friday, October 03, 2003

voting machines

Bruce Schneier's latest CryptoGram had a reference to an interesting article about voting systems. Systems in active use in the US seem to be substantially flawed in a security sense. According to the article it's relatively easy for an attacker to shut down elections early, and even to modify voting results on the machines. Also, configuration settings of the machine might be altered. This way a voter selecting Candidate A can result in the system writing a vote for Candidate B into the vote log (the MS Excel equivalent of reordering Column B with candidate names while not selecting Column A with their IDs). It is *really* worrisome that voting machines like this are actually in real use. I can only think of software controlling some hospital's Intensive Care facilities, or a nuclear plant, as being more essential than a voting machine. And I can assure you the aforementioned software works a lot better. At least it won't be as flawed as the software described in the specific article.
Reading about these machines, I wondered how the systems we have here in the Netherlands work. They're definitely other systems, as they're not working with smart cards in the first place. As a voter you are presented with a big plate of buttons which you'll have to push to make your choice. This is not a real touchscreen, but still your vote must be saved on some persistent memory. However, how the results are sent to the central computer I don't know. Let's hope at least they dial in directly to it, so the data is sent over a private line instead of the internet. Only now I lack the time to do some more Googling into this matter.

Wednesday, October 01, 2003

Security Steve

Well, as I was telling you the other day: I'm siding more and more with MS. But lo and behold… - well, don't say that, the phrase is so popular these days that it becomes just noise in the background - now I just read this article above, where Microsoft's CEO Steve Ballmer compares hackers to skyscraper-destroying terrorists showing absolutely no morals.

"Hackers are criminals," Ballmer says, plain and simple.

and another quote about the ‘criminals’:

"There's no way to look at these people as anything other than what they are: malicious people who are violating the law"

Unfortunately, this leaves no room at all for the interpretation that at least *some* so-called 'criminals' serve the general public by announcing security holes. In the end, making software errors public just forces software manufacturers to address security issues promptly, thereby preventing exploitation in the future. Let's make a comparison: some
In the end this will make software more secure. I can draw no other conclusion than that Mr. Ballmer must be a big fan of the principle of security by obscurity (correct me if I'm wrong). Well, there's an abundance of information about why this is a bad thing. For starters, read what Bruce Schneier has to say about this in his famous Cryptogram newsletter, or in his book Secrets and Lies. It just does not work, and it is a dangerous way to just hide something secret in this digital age (thought added: well, it will not work *in the end*, as there can / will always be someone reading your mind some way, and figuring out your cmd.exe resides in c:\mytools instead of the system dir…). I will not go into it any further, as I'll only do that when I have something new to tell you. Repeating what others have already said is only boring and contributes nothing to the discussion.

But we were talking about Microsoft. When they take the issue of security seriously, that is: are trying their best to make software more secure, they can only be happy with so many people finding security holes in their products. What I don't mean is that you should just write an exploit, release it on some hacker ftp site, and not tell the manufacturer about the issue. A reasonable amount of time should be given to them to fix the hole and subsequently release a patch to the general public.

(whatis: reasonable. I have no distinct opinion about the time that should be given; other people are more capable of deciding this. I guess a complicated problem could need more time to fix than some minor thing. But on the other hand, it shouldn't be *too* long, given that knowledge about the issue will spread on the net, giving others the possibility to make their exploits). I still think the Trustworthy Computing Initiative from Microsoft is a serious one. And maybe it'll really (link??) take a substantial amount of time before improvements will show.

(whatis: general. Patches should always be available to the general public, and not just to the manufacturer's list of clients. Everyone should have the option to download them from somewhere on the web. I know people are using illegal software, but what's the use of excluding them from patches? It will only keep their machines vulnerable to attack, and no one is served by that. The use of illegal software is a bad practice, no doubt about that, but other measures must be taken to handle this)