May 1, 2011

California Revokes Four Voting Machine Certifications

Following last week's report by University of California, Davis engineers on the integrity -- or lack thereof -- of electronic voting machines used in statewide elections, the California Secretary of State late last week revoked the approval of systems from Diebold, Hart InterCivic, Sequoia, and Election Systems and Software, Inc. Manufacturers now each have 30 days to come up with a plan for how they intend to harden their systems' internal configuration security, and 45 days for a network security hardening plan, before their systems can be submitted for re-approval for use in next February's presidential primary.

Among the findings Sec. of State Debra Bowen cited in her proclamations this morning was this: "The Diebold Red Team members [from UC Davis], with access only to the Windows operating system on the Diebold GEMS election management server supplied to Diebold and without requiring access to Diebold source code, were able to access the Diebold voting system server software and to corrupt the election management system database, which could result in manipulated voter totals or the inability to read election results, rendering an election impossible to complete electronically."

Officially disapproved and uncertified for use in next year's primaries were the Diebold/AccuVote TS system to which Sec. Bowen referred above, plus the Hart InterCivic system 6.2.1 (the manufacturer voluntarily withdrew version 6.1) and a Sequoia WinEDS system that Bowen mentioned was found to contain "a shell-like scripting language in the firmware of the Edge direct recording electronic voting machine that could be coerced into performing malicious actions, in apparent violation of 2002 Voting System Standards that prohibit 'self-modifying, dynamically loaded or interpreted code.'" One of its shell commands easily reset the machine's protective vote counter.

Bowen revoked the certification for the ES&S InkaVote Plus system after its manufacturer complied with requests to participate in the testing program only five days prior to the release of test results during last week's public hearing. ES&S won't get a chance to resubmit.

Responding to this morning's decision, Diebold Election Systems (DESI) President Dave Byrd took issue with the way the testing was conducted. "Secretary Bowen's top-to-bottom review was designed to ignore security procedures and protocols that are used during every election," Byrd said. "Her team of hackers was given unfettered access to the equipment, the source code, and all other information on security features provided by DESI to the Secretary of State's office. And she refused to include in the review the current version of DESI's touch screen software with enhanced security features."

Byrd's characterization of UC Davis' researchers lends credence to the argument that manufacturers didn't feel obliged to cooperate with the research effort, on the basis that manufacturers would not be obliged or expected to cooperate with real malicious users to the same extent. However, California's refusal to test the latest version of Diebold's software has to do with the fact that the state has not yet certified that version, and chose to test only machines already certified.

Sequoia Voting Systems issued a similar statement: "The California Top-to-Bottom Review was not a security risk evaluation but an unrealistic worst case scenario evaluation limited to malicious tests, studies and analysis performed in a laboratory environment by computer security experts with unfettered access to the voting machines and software over several weeks. This is not a real-world scenario and does not reflect the diligence, hard work and dedication to the stewardship of our nation's democracy that Sequoia's customers - and election officials everywhere - carry out every day in their very important jobs of conducting elections in California and throughout the United States."

Last week, in an attempt to pre-empt possible criticism, UC Davis principal investigator Matt Bishop defended the methodology used by his and one other "Red Team." "The threats were taken to be both insiders (those with complete knowledge of the system and various degrees of access to the system) and outsiders (those with limited access to the systems)," Bishop wrote.

"As a result, all information available to the Secretary of State was made available to the testers. The testers were told to assume that the environments in which the systems were used would vary, and that the testers could do whatever they thought necessary to test the machines. The testers therefore assumed the attackers would include anyone coming in contact with the voting systems at some point in the process - voters, poll workers, election officials, vendor employees, and others with varying degrees of access."

Bishop added that his teams chose not to presume that hackers on the outside wouldn't know or be able to ascertain everything they could about the technology they were working to compromise. This way, he said, the teams could concentrate on the integrity of the technology rather than the mindsets of hackers or the efficacy of manufacturers' policies.

But criticism of the Red Teams' methods has not been restricted to outside of state government. In a statement prior to last week's public hearing, the president of the California Association of Clerks and Election Officials, Steve Weir, expressed his regret that researchers didn't appear to be conducting searches for malicious code that may have already found its way inside voting machines.

"I am sorry to say that I find the approach of the so-called Top-to-Bottom Review to be more to do with headlines than with definitive science or the pursuit of legitimate public policy," Weir wrote. "We have been told that no malicious code was found during the source code examination. Unfortunately, while this issue is a matter of public debate nationwide, no such comprehensive review was even attempted. If true, this is a tragic missed opportunity and a public policy blunder."

Despite that pronouncement, Sec. Bowen's proclamations state, "The expert reviewers reported that all of the voting systems studied contain serious design flaws that have led directly to specific vulnerabilities, which attackers could exploit to affect election outcomes."

April 30, 2011

Could the economic stimulus plan delay patent reform?

After warning as late as yesterday afternoon about the possible disruptive side effects that Congress' economic stimulus program might have on future legislation, a powerful trade organization is suddenly applauding its passage today.

Last night, the US Senate passed the Economic Stimulus Package of 2008, after a few moments of heated debate over cloture (the rules of debate) that threatened to kill the bill, and that even led cable news to report at one point the bill was already dead. Among its provisions is one measure that extends the cap on business deductions on assets from $150,000 to $250,000.

It was that provision that prompted the Computing Technology Industry Association this morning to applaud the bill's passage, with its group director for public policy, Roger Cochetti, saying the raising of the cap will "incentivize the purchase of IT."

"This will create powerful cascading benefits," Cochetti wrote. "Small-to-large businesses will more rapidly bring new IT online, boosting competitiveness; laborers will have newer IT tools with which to be more productive; and average Americans will be more likely to purchase IT, decreasing the digital divide."

In an IDG News Service report yesterday, a CompTIA spokesman sounded an alarm, saying that the bill's passage could have a detrimental effect on other IT-related legislation Congress is considering down the road, including the critically important patent reform bill, which was drafted last April.

But this morning -- now that the stimulus bill is passed -- that same spokesman, Mike Wendy, told BetaNews he and his group are somewhat pleased that it went through, saying that the cap extension has been a measure the group has been prompting Congress to consider ever since President Bush took office, when Mr. Bush first mentioned the idea in his State of the Union Address following his inauguration.

"We've been pushing Section 179 small business provisions, pushing exemptions up, for seven years," Wendy told us. "We wish they'd make those deductions permanent."

His organization did achieve some success in that regard twice before, said Wendy, most recently in 2003. This year's stimulus package should give a boost to exemptions for at least one year.

A full one third of those business exemptions will be tech-oriented, CompTIA believes. If those exemptions were written into law permanently, Wendy argued, businesses would be able to amortize their assets over 18-month periods, thus aligning their deduction cycles with the real life cycles of their technology assets, rather than doling out deductions over three or four years for assets they no longer use. "We've been trying to make depreciation even faster," he said.

Businesses are asking, Wendy passed on, "Can't we expense this stuff? Isn't that the reality? But the IRS says, we still have to pay for these tools three years after they're useful."

But the fact that CompTIA won a small victory yesterday could be a problem in itself, Wendy warned.

"Look, we wanted this to go through, to benefit the IT industry," Wendy told us. "But Congress has other stuff that's still on the platter," he said, renewing his warning that Congress could conclude it's done its part for IT, thus "popping the bubble," as Wendy put it, for this year.

"Congress might say, 'We helped you out, we know... But we're so busy.'"

The big problem now lies with coordinating with Senate Majority Leader Harry Reid (D - Nevada), who is responsible for scheduling debate there. There are a huge number of items still on the docket for consideration, Wendy noted. Patent reform is one of them; the overflow in demand for H-1B visas, a holdover problem from last April, is another. Tax credits for research and development efforts are a third.

Sen. Reid promised CompTIA that these issues would be addressed, said Wendy, and when last they talked, the date was mid-March. But with economic stimulus having been passed in early February, the group's concern is that Reid may think the IT industry's chip has already been cashed in.

"The Senate is the upper body. It has a different pace [than the House]," remarked CompTIA's Wendy. "Sen. Reid cannot put [patent reform] on the schedule until he knows that there's consensus." So it's his group's job, therefore, to make the case that the IT industry has reached consensus.

Then there's the difficult little matter about the Bush Administration expressing disagreement with certain aspects of patent reform, especially its proposed limitations on the amounts of judgment awards.

One more prominent senator added his voice to the din of applause for the stimulus package's passage: Sen. John McCain (R - Ariz.), now widely considered to be the front runner for the Republican presidential nomination. In a statement issued this morning, Sen. McCain wrote, "America has the second highest corporate tax rate in the world. Cutting corporate taxes will spur economic growth immediately and over the long run. We need to allow first year expensing of technology and equipment investment for businesses, which would further simplify our code and provide incentives for capital expenditure."

CompTIA's Wendy was happy to align himself with everything... in the second part of McCain's paragraph. The first part, he said, he'll leave to others to debate. Right now, there are too many issues on the table to tackle something so big, so soon, as the overall corporate tax rate.

"Congress wasn't made to move quickly," remarked Wendy. "It wasn't made to pass bills. There are so many checks and balances."

April 29, 2011

Hotmail fail: Microsoft lays an egg in the cloud

Microsoft lost all email for 17,000 Hotmail customers, then botched the response. Is this a harbinger of Office 365 hassles?

Even a simple "We don't know what's going on, but here are the symptoms and we're working on it" pinned to the top of the Hotmail forum would've been a breath of fresh air.

Instead, on Jan. 3, Microsoft posted an official terse explanation: "We have identified the source of the issue and have restored email access to those who were affected."

It's now six days since the initial problem surfaced and we still don't have any definitive word from Microsoft about what happened. In fact, we're still getting conflicting stories. At 4:55 p.m. on Jan. 5, the tech support staff posted this response to a series of inquiries about still-missing messages:

I'd like you to know that we are actively working on resolving this issue since it's already under investigation. We will post back as soon as we have the latest news on what caused this issue. Thank you for your understanding.

For heaven's sake. Microsoft's engineering team has been working on the problem for almost a week, and that's the only explanation they can give us? Three days ago, we were told that "we have identified the source of the issue," and now the support team's telling us, "we are actively working on resolving this issue"?

Granted, on the Hotmail scale, 17,000 inboxes doesn't amount to a hill of beans. But Microsoft's ongoing fumbles in identifying and analyzing the problem; its trouble restoring user data; its muddled explanations of what happened and how the problems were resolved; and repeated communication gaffes with its customers certainly have me worried. How about you?