Author: Danielle Citron


A Not So Pretty Picture

ZDNet reports that over 1,000 Facebook users adopted a Photo of the Day application featuring National Geographic images that also embedded malicious code, creating a botnet of users that launched distributed denial of service attacks. The good news is that information security researchers orchestrated the “Facebot” in order to expose this security flaw. The bad news is that given the flaws in social network platforms, real attacks could be worse. (Here is the research paper that the group produced, which is entitled “Antisocial Networks: Turning a Social Network into a Botnet”). Although Facebook has fixed the vulnerability identified by the researchers, concerns remain about the security risks of third-party applications on social networking sites. The serious downside of a pretty picture, to be sure.


The Right to Have Our Votes Count

In early August, Ohio Secretary of State Jennifer Brunner sued Premier Election Solutions (formerly Diebold), alleging that Premier’s e-voting machines lost hundreds of votes cast in Ohio’s primary election. At first, Premier blamed the machines’ malfunction on conflicts caused by antivirus software from McAfee Inc. Now, Premier has accepted responsibility for the problem. In a letter to Secretary Brunner, Premier’s President admitted that logic errors in the machines’ source code caused the machines to lose the votes.

This is a major problem not just for Ohio but for all of the states using Premier’s e-voting machines in November. (Premier is one of the four top vendors of electronic voting machines used by states across the country). Premier has released a product advisory notice, telling users of its e-voting machines running the troubled software how to avoid lost votes. To fix the problem, poll workers have to check the vote-counting servers to see if all memory cards are shown as uploaded. Although the company has submitted “fixed” software for federal certification, the new and improved version will not be certified before the November election.

This November, votes cast on Premier’s machines will be counted accurately only if poll workers execute the fix correctly. This seems like a dangerous gamble as poll workers likely do not have technical backgrounds. So the puzzling question remains–why is it so hard to ensure that e-voting machines count our votes accurately? Something is clearly amiss with the testing authorities working in connection with the Election Assistance Commission–they failed to identify the logic error. Yet a variety of agencies, such as the NSA and FAA, oversee mission-critical systems that do not fail (at least not often). For instance, airplanes employ software and planes do not fall out of the sky. Perhaps, as Bruce Schneier suggests, voting machines need to undergo the same assurance practices as airplanes do in order to ensure that our votes are counted accurately.


E-Voting in California

Last summer, California’s Secretary of State Debra Bowen investigated the state’s electronic voting machines after allegations that they lost, added, or flipped votes. Teams of computer scientists found that the state’s e-voting systems had major security holes in their design and were vulnerable to attacks. California has now replaced its e-voting machines with the optical scan machines that it used for mail-in voting, only leaving one e-voting machine per precinct to accommodate voters with certain disabilities. Secretary Bowen recently explained to Government Technology that the decision to get rid of the machines came down to the concern that the state had no way to ensure that insiders, such as vendors and election officials, had not tampered with the machines’ software to alter the results. This concern is certainly justified. Party officials often control the administration of elections, and partisanship has long been a driving force in election officials’ dirty tricks. (Roy Saltman details these abuses in his comprehensive book on the history of voting machines). Because e-voting machines are black boxes whose actual operation cannot be checked, fraud perpetrated by vendors and election officials would be hidden from view.

Although it seems a colossal waste of the $450 million California counties spent on e-voting hardware and software, democracy will be better served so long as the optical scan machines provide a more accurate and secure solution. Bowen recently urged Los Angeles to adopt open source e-voting. This is a step in the right direction. Open source code voting machines would be more transparent, accurate, secure, and accountable. They also might be cheaper. Last month’s LinuxWorld conference hosted a mock election of open source code voting machines. At a price of $400, the voting machine is a tenth of the cost of proprietary machines because it is simply designed and based on free software. Open Voting Consortium hopes to announce the adoption of its open-source e-voting system by at least one large county in California soon and would like to provide their services to the rest of the state by 2012.


The GPS Device: Law Enforcement’s Dirty Little Secret?

This Sunday, the New York Times reported on a recent trend–prosecutors’ growing use of a defendant’s Global Positioning System device (e.g., in a cell phone or car) to prove the defendant’s location. For instance, prosecutors in suburban Chicago used data from a defendant’s GPS device in his car to place the defendant at the scene of a murder. To be sure, tracking a person’s location is commonplace in criminal investigations. But my colleague Renée Hutchins (who is quoted in the NY Times article) cautions that law enforcement should be allowed to acquire GPS data only by getting a warrant. In her recent UCLA Law Review article entitled Tied Up in Knotts? GPS Technology and the Fourth Amendment, Hutchins develops that argument.



Reputation Under Fire

As Dan Solove brought alive in his superb book The Future of Reputation, online reputations are fragile and can easily be destroyed by determined individuals. Steve Rattner, a Managing Director at DLJ Merchant Banking, recently learned that lesson the hard way. The New York Times reports that in 2003, Mr. Rattner had an affair with a married woman in London. Even though the affair and the woman’s marriage ended years ago, the woman’s ex-husband began a campaign to destroy Mr. Rattner’s reputation over the summer. On half a dozen websites, the ex-husband accused Mr. Rattner of using his firm’s money to pay for prostitutes and trying to “steal” the man’s wife with exotic trips and expensive gifts. He included these accusations in emails to Mr. Rattner’s colleagues, clients, and reporters. When asked why he waited five years to respond to the long-ended affair, the ex-husband explained that he needed to get his life “together” in order to address his wife’s betrayal. Although Mr. Rattner admits the affair, he says that the ex-husband’s claims are “either untrue or gross exaggerations.” According to Mr. Rattner, the online accusations have spread like a virus, and he has since resigned from his job.

The Rattner incident demonstrates that online accusations are difficult to contain and even more difficult to counteract. Although it is certainly possible that Mr. Rattner’s work troubles had more to do with the beleaguered market than the online accusations, his situation demonstrates the broader problem that misinformation considerably affects our thinking, no matter how much we protest its influence. We also often forget the collateral damage that can accompany online attacks. Another Wall Street financier has the same name as Steven Rattner–he reports fielding panicked calls from friends and investors who learned of the story. That Steven Rattner, too, had to spend time rehabilitating his online reputation. As in Shusaku Endo’s terrific novel Scandal, having a doppelgänger is not always easy.


The Clear and Present Danger of Cyber Warfare

Malicious hacking and denial of service attacks are potent weapons of twenty-first century warfare. Recently, Russian and Georgian hackers attacked vital websites in each other’s countries as troops fought on the ground. They shut down government portals. Hackers defaced government websites (e.g., routing visitors to the Georgian President’s website to a site that portrayed him as a modern-day Hitler). Although cyber attackers have not yet significantly disrupted or destroyed government systems in the United States, they have stolen sensitive information about weapon systems from the U.S. government and its defense contractors. Cyber attackers invaded the State Department’s highly sensitive Bureau of Intelligence and Research, posing a risk to CIA operatives in embassies around the world. Online espionage is a serious problem—attacks on military networks were up 55% last year. U.S. officials reportedly believe the attacks come from the Chinese government.

The United States seems to appreciate the dangers of cyber warfare. According to Business Week, the U.S. is engaged in a classified operation to detect, track, and disarm intrusions on the government’s most critical networks. President Bush signed an order known as the Cyber Initiative to overhaul the government’s cyber defenses at a cost in the tens of billions. However, in testimony before the Senate Armed Services Committee, National Intelligence Director McConnell asserted that the “federal government is not well protected.” He warned that attackers can enter information systems and destroy data and systems related to the “money supply, electric-power distribution, and transportation sequencing.”

Despite attention to the matter in the U.S., the better part of the world does not take cyber warfare seriously, leaving their networks increasingly vulnerable to attack. This is not unusual—few appreciated the importance and potency of propaganda campaigns at the beginning of World War II until the power of such propaganda became readily apparent and deeply rooted. Broad attention should be paid to cyber attacks. Online sabotage compounds the dangers inherent in national conflicts. Nations may be unable to decelerate tensions through online communications. Cyber attacks convey inaccurate information that can inflame public opinion, limiting leaders’ political room to defuse tensions. The dangers of cyber warfare thus should not be underestimated.


With thanks

I am so grateful for the opportunity to join the CoOp chorus for September. I have long learned from the discussions here and hope to continue in that tradition. I will be posting about a variety of issues, including e-voting, automated systems, information privacy, cyberbullying, and e-Rulemaking. And with that, I am off to write my first post!