Category Archives: Security

Ron Rivest’s proposed Voting System

Ron Rivest, of RSA fame, has published a paper (PDF) describing a new voting system:

Not only can each voter verify that her vote is recorded as she intended, but she gets a “receipt” that she can take home that can be used later to verify that her vote is actually included in the final tally. Her receipt, however, does not allow her to prove to anyone else how she voted.

In brief, the system has the voter create three ballots and then take a copy of one of them home as a receipt. An attacker would not know which ballot was the real one, which preserves privacy, while the voter would hold a copy of the original, which provides verifiability. I haven’t finished reading it yet, but the first question that jumps to mind is what happens if the voter forges or alters their receipt to dispute the recorded votes?
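A small simulation of the three-ballot idea, added here as an illustration and not code from Rivest’s paper or from this post. It assumes the marking rule from his ThreeBallot paper (the chosen candidate is marked on two of the three ballots, every other candidate on one; the tally is total marks minus one per voter); candidate names and ballot IDs are made up. `receipt_is_recorded` is the check a published bulletin board would apply to a receipt, altered or not, and `receipt_patterns` shows why a single kept ballot cannot prove how its owner voted.

```python
import secrets
from collections import Counter
from itertools import combinations, product

# Constructed simulation of Rivest's ThreeBallot scheme. Assumption: the marking
# rule (chosen candidate marked on two of three ballots, every other on one) and
# the tally rule (marks minus one per voter) follow his paper; names/IDs are made up.
CANDIDATES = ("Alice", "Bob")

def make_ballots(choice):
    """Three ballot rows (candidate -> 0/1 mark) that together encode a vote for `choice`."""
    rows = [dict.fromkeys(CANDIDATES, 0) for _ in range(3)]
    for cand in CANDIDATES:
        for idx in secrets.SystemRandom().sample(range(3), 2 if cand == choice else 1):
            rows[idx][cand] = 1   # which rows carry the marks is chosen at random
    return rows

def cast(bulletin, choice):
    """Publish all three ballots under random IDs; the voter keeps a copy of one."""
    ids = []
    for row in make_ballots(choice):
        bid = secrets.token_hex(4)          # constructed ballot ID
        bulletin[bid] = row
        ids.append(bid)
    keep = secrets.choice(ids)
    return keep, dict(bulletin[keep])       # receipt: (ballot ID, copy of its marks)

def tally(bulletin, n_voters):
    """Each voter adds exactly one extra mark for the candidate they chose."""
    marks = Counter()
    for row in bulletin.values():
        marks.update(row)
    return {c: marks[c] - n_voters for c in CANDIDATES}

def receipt_is_recorded(bulletin, receipt):
    """Verifiability: the receipt must match a published ballot exactly."""
    bid, row = receipt
    return bulletin.get(bid) == row

def receipt_patterns(choice):
    """Privacy: every single-row mark pattern a voter choosing `choice` could hold."""
    per_cand = [list(combinations(range(3), 2 if c == choice else 1)) for c in CANDIDATES]
    seen = set()
    for marked in product(*per_cand):       # one way of placing all marks
        for idx in range(3):                # any of the three rows may be the receipt
            seen.add(tuple(int(idx in m) for m in marked))
    return seen
```

Casting three votes into an empty dict and calling `tally(board, 3)` returns the vote counts; `receipt_patterns` yields the same four patterns for either candidate, so a receipt alone reveals nothing.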

WWI poem by Robert Frost revealed

The Associated Press reports that a poem by Robert Frost, about the tragic loss of a friend (poet Edward Thomas) in World War I, has been uncovered by a student reviewing Frost’s papers archived at the University of Virginia.

“War Thoughts at Home” will now be published in the next issue of the Virginia Quarterly Review:

And one says to the rest

We must just watch our chance

And escape one by one

Though the fight is no more done

Than the war is in France.

First-hand source material is the holy grail of the Internet and information security. Citations and quotations (like the one provided above) diminish in quality, meaning and integrity as they become more and more removed from the source; access to the original source material is golden. If primary source material were available, we would have a far richer and more rewarding source to study and learn from. Imagine hanging an exact replica of a famous painting on your wall compared to the ability to print a precise copy of Frost’s handwritten poem.

I will never forget the time I was perusing some original papers in the British Archives and stumbled upon a note from the desk of Winston Churchill. The handwriting was unmistakable. The dark, rich strokes from his fountain pen made me stop and think about the amazing treasure trove of information locked away in the rows and rows of folders that the vast majority of people will never see.

I left the archives that day imagining giant racks of spinning optical media (maybe I liked the idea of a shiny surface) serving primary source material to everyone in the world as they sat leisurely at desks hundreds or thousands of miles away. This was the summer of 1994 and I saw the Internet as a place where the source could finally bubble up. Not editorials, not analysis, not books (although those are also important) but the raw source material. As it turns out, I myself found someone had published a book misquoting original Colonial Office and War Office memos (quite badly, in fact, if I remember correctly).

I also spent an evening in the basement of an old library and found actual leaflets distributed in Ethiopia by RAF planes in the early 1940s. I mentioned the leaflets in passing to another historian and he became excited and insisted I publish them so others could someday enjoy the information I uncovered.

He was right. That library was “renovated” and I fear it may be impossible to find the original leaflets again. Sadly, today you are most likely to find my copy of the leaflet at the end of my master’s thesis hidden away in an obscure folder in an archive or buried in some university library, and Frost’s poem looks like it will be “published” and then filed rather than posted online…

Parents log out of eBay

I cannot resist commenting on this story. It does not surprise me that a three-year-old child was able to use a computer to purchase a real automobile on an auction site. In fact I can just imagine a high-tech company executive telling his/her staff “I want this system to be simple enough for a baby to use!”

Sometimes companies can go overboard thinking that the obstacle to the flow of money is a little bit of authentication, or a simple authorization check. But there needs to be a balance. Making things too easy leads to a higher rate of fraud and frustration among those trying to undo unauthorized or unauthenticated purchases. And so what actually surprised me was the mother’s reaction:

Mrs Neal, of Sleaford, Lincolnshire, said she had left her eBay password in her computer and her son had used the “buy it now” button.

She said: “Jack’s a whizz on the PC and just pressed all the right buttons.

“I was just horrified.

“We now have the parental locks on – and we make sure we sign out of eBay!”

Note that she said rather specifically that she does not sign out of anything else, just eBay. Is that the right lesson? Baby buys car on eBay, mother signs out of eBay. Baby buys new computer on Amazon…

Mine safety workers commit suicide

Sad story about the psychological effects of managing a system that cannot be trusted.

Two miners whose jobs included watching for safety hazards inside the Sago Mine before the deadly explosion last January committed suicide in the past month.

Neither man had been blamed for the disaster that killed 12 of their comrades, and neither one’s family has definitively linked the suicides to the accident. But those who knew the men say there is little doubt the tragedy haunted them.

Tragedy beset by more tragedy. This part of the report was also disturbing:

Boni, who was certified as a fireboss and occasionally conducted pre-shift inspections to ensure the safety of incoming crews, told investigators he had detected low levels of methane in that area five days earlier and reported his findings to a supervisor, who was not alarmed.

As for Chisholm, he told investigators that a carbon monoxide alarm had sounded about 20 minutes before the explosion. Following ICG procedure, he alerted a crew inside the mine and asked it to verify the alarm because the system had a history of malfunctions.

At a hearing in May, ICG executive Sam Kitts said miners are not required to evacuate when there is an alarm; they verify it, then decide how to proceed.

“The dispatcher did what he was supposed to do. He notified a maintenance person who was then able to go up and check the sensor before they would have again advanced onto the section,” Kitts testified.

The men may have blamed themselves, struggled with investigators’ visits, or buckled from public scrutiny, or all three. And yet we see that they were forced to make calls based on a system with “a history of malfunctions”. Does the system manufacturer carry liability as much as the operations management, or even the operators themselves? What was the accepted standard for a functioning mine alarm system? Was it accurate 50 or 90% of the time? I know that an intrusion detection system that gives anything more than 40 or 50% false positives, especially in high traffic areas, is a problem. That number might seem low, but the cost/benefit analysis of getting an intrusion detection system above 90% often reveals better investments in security. Perhaps miners would be better served by new breathing apparatus rather than slightly better alarms.

I also wonder how the cost of a false positive weighed upon the alarm operators (e.g. what was the tone of the workers and managers when a mine was stopped and the workers evacuated — annoying and unnecessary interruptions, lost revenue, better safe than sorry, etc.)?