Category Archives: Security

Hummingbird

by William Talcott (1936 – 2006)

When they’re hard
up for sugar they’ll steal bugs
the spiders wrapped in their webs.

The bones of the arm are so reduced
the wing’s a feathered hand.

The poet has one in the peach
branches of his poem
on top of news from the gulf
and scattered references to machismo.
I arrive in time to add an Aztec note.

I’ve seen the tongue
insinuate its way to the sweet
center of a rose.
I’ve heard the tick tick in fuchsias
like little bombs.

They say the consecration of its temple
required the blood of ten thousand hearts.

And here is an article in CNet about Talcott’s lost passwords, as mentioned by Bruce.

Are they the tongue of the hummingbird? Could his passwords be hidden in his poetry?

Nine Million Bicycles

I was listening to a song called Nine Million Bicycles by Katie Melua and wondering why it reminded me so much of riding in dusty old buses in the country…and then I suddenly realized the melody was a near exact match of the ballads I used to hear when travelling around Asia many years ago.

The bridge of the tune, rather ironically, doesn’t fit, and I am skeptical every time I hear her beckoning me to cross it with her. Warm by the fire? Just believe everything that she says? She offers hope in her words, yet her soothing voice is a haunting reminder of the loneliness that can often take a seat right next to you on a late night journey down empty roads. Have you ever leaned your head against a cold rattling window, unable to point the way home, and pulled your jacket tighter to try and shut out a chill?

And while I find myself wondering about the trust implied in her lyrics, perhaps in a similar way that Ulysses lashed himself to his mast near the Island of Sirens, others have apparently taken up a more literal issue with the lyrics of the song:

I suspect that Katie took some poetic licence in order to make her lyrics scan. She replaced the bisyllabic number “14” with the nearest monosyllabic number, namely “12”. This alteration is just about acceptable, but the next line in the song is unforgivable. To say that the age of the universe is “a guess” is an insult to a century of astronomical progress. The age of the universe is not just “a guess”, but rather it is a carefully measured number that is now known to a high degree of accuracy.

While Simon Singh is technically correct, I feel he is missing the point of her expressing a “fact” in the face of the number of bicycles in Beijing and age of the universe. Although we may feel small, and we may feel lost and insignificant, she tells us not to worry because there are boundaries in time and a real significance to our relationships. Perhaps the fire she sings of is something I was wishing for on all those long nights. A sad yet joyful ballad, about trust, love and…leaps of faith.

Now if I could just stop playing the song over and over again.

Election Official Accountability in Los Angeles

Some scary comments from a Los Angeles City Beat interview with the infamous McCormack:

On credentials:

CityBeat: How do you respond to the charge by Kim Alexander of the California Voter Foundation that you put 40,000 votes at risk by asking Diebold to alter the software on the eve of the recall election?

Conny McCormack: That woman has absolutely no credentials in elections. It’s almost laughable. She says I put 40,000 votes at risk. I would never do that. I wouldn’t have a job if I did that.

That is a rather immature logical fallacy. She is attacking the other person’s character rather than answering the argument presented to her. And who in their right mind would use “I have not been fired, therefore I must be qualified…” as a defense? That’s a high-stakes politicized strategy, since she implies that her opinion on any subject will always be “correct” until she gets fired. She has been wrong before and yet still has a job, so she may be wrong again and still keep her job. See Donald Rumsfeld for another example of this dilemma.

But, since McCormack brought it up, it turns out Kim Alexander is a seasoned researcher who has focused on voter privacy and computerized voting systems. She was even recognized by the EFF for her efforts. According to her bio:

In 2004 she received the Electronic Frontier Foundation’s Pioneer Award, along with computer science professors David Dill and Avi Rubin, for their pioneering work spearheading and nurturing the popular movement for integrity and transparency in modern elections.

And according to the EFF:

In 1999 she served on California’s Internet Voting Task Force, which in 2000 issued the first comprehensive study of Internet voting security and concluded that the Internet was not yet a safe place for securely transacting ballots. In 2003, she served on the California Secretary of State’s Ad Hoc Touch Screen Voting Task Force. The task force report included a minority opinion of which Alexander was a co-author. The California Secretary of State adopted the opinion, and as a result, California is the first state in the nation to require that electronic voting machines provide a voter-verified paper trail.

[…]

Prior Pioneer Award recipients include Tim Berners-Lee, Linus Torvalds, and Vinton Cerf, among many others.

Impressive credentials indeed! McCormack is clearly not only mistaken about Kim Alexander, but it looks like McCormack may have an axe to grind with her — aside from political battles over state regulations and favored vendors, there may be a pride issue related to Alexander’s recognition for leadership and influence.

Back to the interview…here is McCormack on Diebold:

You are friends with Deborah Seiler, Diebold’s chief sales representative in California, and L.A. County is now buying equipment from Diebold. Is the friendship appropriate?

I’ve had a long-term friendship with her. There’s nothing wrong with a friendship. Has it influenced my judgment? Of course not. In terms of the Diebold contract for L.A. County, I was not on the evaluation committee. I removed myself from that. But Diebold was the only vendor that met all the requirements for L.A. County. Sequoia wrote a letter saying it could not meet the requirements.

Perhaps because the requirements could not be met securely? People say she is a shill of Diebold and, well, the facts do point in that direction. Why anyone in her position would flaunt friendship with a company like Diebold as “nothing wrong” is downright baffling. “I understand people’s concern” would sound more reasoned and mature, but the absolutism in her position betrays a defiance of the facts and a lack of propriety. Remember how Randy “Duke” Cunningham insisted he did “nothing wrong” until he entered his plea?

McCormack on certifying software:

Isn’t proper certification of election software an issue?

We have been using and patching software in L.A. County for over 30 years. Whenever changes are made, an incredible amount of testing is done — literally thousands of checks. Now, there have been infractions by all vendors, including in L.A. County. We have not been dotting every “i” and crossing every “t” to certify all the software. But it would be the biggest irony, to me, to have someone say that because we hadn’t done it by such-and-such a date we couldn’t do it.

Wha? Huh? Whoa Bessie! Release known flawed elections software because it is capable of being fixed in the future? She really takes the concept of risk management to new lows. The threat (T) is high, the value of the assets (A) is high, and yet she wants to ignore the vulnerabilities (V)? If you accept the formula “Risk = T*A*V” then I find it impossible to tell anyone the risk is low when the vulnerabilities are not dealt with appropriately. My comments on this topic ended up on Bruce’s blog.

And finally, McCormack on proprietary software:

Isn’t there a problem with the software being proprietary, making it almost impossible for the Secretary of State’s office to examine it?

They have the authority to examine it, or they can go to court and ask a judge if they can examine it. Proprietary software has always been used in elections in this country. That doesn’t mean it is evil, or that there is anything wrong with it. It is just a way of preventing competitors from coming in and stealing it.

She’s deferring the question to later, perhaps with full intent to block any attempts to expose proprietary software. Who would be able to convince a judge to let the public take a look at the source code and under what terms? What would such a challenge look like?

In other words, she is apparently more concerned with the likelihood/ability of someone challenging the software’s security than with someone breaching its security. And so I support Bruce Schneier’s criticism that this election official has foolishly and apparently carelessly confused secrecy with security.

Another expert counter-point is provided in Ed Felten’s recent testimony (PDF) on Electronic Voting Machines to the US Congress:

Intuitions developed with older technologies can mislead when applied to computerized systems.

[…]

Getting the details of voting right is difficult, especially in today’s high-tech polling place. But failure is not an option. The stakes are too high, and the risk of malfunction or fraud too great, to make our current course tenable in the long run. We need to work harder and smarter, exploiting the knowledge of both election experts and technical experts.

Very eloquently stated.

US airline data mandate struck down in EU

The BBC reports that airlines flying to the US are now caught in a tricky situation. They could be fined by the EU for sharing passenger data. Yet they could also be fined or blocked from landing by the US for not sharing passenger data. This is due to a failure to rewrite a passenger data sharing agreement that was ruled illegal by the EU four months ago:

A European Commission spokesman said that a legal black hole could be created by the lack of agreement.

“There is no agreement. There is a legal vacuum as of midnight tonight,” EU Transport Commission spokesman Jonathan Todd said on Saturday.

The US, naturally, casually dismissed any negative language regarding their failure to reach a new agreement:

US Homeland Security Secretary Michael Chertoff told Reuters news agency that there was “absolutely no basis” to say that discussions had broken down.

However, he was not quoted with regard to how the system will work now that it has been strictly forbidden by the EU courts. No alternatives have been found in the past four months, but the system was in place for years before the court struck it down:

Since 2003, US authorities have requested that airlines provide passengers’ personal data to American security officials, including credit card information and telephone numbers.

A total of 34 pieces of data must be transferred to authorities within 15 minutes of a flight’s departure for the US.