The US e-Election

As the US prepares to go to the polls to decide what everyone agrees is the most important election since FDR was voted in, lots of key states will be using Diebold voting machines. Everybody I know in the security business thinks this is bad news, but most non-techies probably feel unqualified to express an opinion. If so, they might consider a beautifully clear account by Ed Felten, who knows this stuff backwards. Here’s his analysis of one vulnerability in the system:

“One of the problems in voting system design is making sure that each voter who signs in is allowed to vote only once. In the Diebold AccuVote-TS system, this is done using smartcards. (Smartcards are the size and shape of credit cards, but they have tiny computers inside.) After signing in, a voter would be given a smartcard — the “voter card” — that had been activated by a poll worker. The voter would slide the voter card into a voting machine. The voting machine would let the voter cast one vote, and would then cause the voter card to deactivate itself so that the voter couldn’t vote again. The voter would return the deactivated voter card after leaving the voting booth.

This sounds like a decent plan, but Diebold botched the design of the protocol that the voting terminal used to talk to the voter card. The protocol involved a series of six messages, as follows:

terminal to card: “My password is [8 byte value]”
card to terminal: “Okay”
terminal to card: “Are you a valid card?”
card to terminal: “Yes.”
terminal to card: “Please deactivate yourself.”
card to terminal: “Okay.”

Can you spot the problem here? (Hint: anybody can make their own smartcard that sends whatever messages they like.)

As most of you probably noticed — and Diebold’s engineers apparently did not — the smartcard doesn’t actually do anything surprising in this protocol. Anybody can make a smartcard that sends the three messages “Okay; Yes; Okay” and use it to cast an extra vote. (Do-it-yourself smartcard kits cost less than $50.)

Indeed, anybody can make a smartcard that sends the three-message sequence “Okay; Yes; Okay” over and over, and can thereby vote as many times as desired, at least until a poll worker asks why the voter is spending so long in the booth.

One problem with the Diebold protocol is that rather than asking the card to prove that it is valid, the terminal simply asks the card whether it is valid, and accepts whatever answer the card gives. If a man calls you on the phone and says he is me, you can’t just ask him “Are you really Ed Felten?” and accept the answer at face value. But that’s the equivalent of what Diebold is doing here.

This system was apparently used in a real election in Georgia in 2002. Yikes.”
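To make Felten's point concrete, here is an added toy model of the exchange, written for this page and not taken from his post or from any Diebold code. It puts the quoted six-message protocol (terminal asks "Are you a valid card?", card says "Yes") beside a challenge-response version in which the card has to prove possession of a per-card secret by MACing a fresh terminal nonce, and in which the terminal, not the card, records that the card has been used. The card identifiers, the per-card HMAC-SHA256 keys and the message names are all constructed assumptions; the "home-made card" is just an object that answers Okay/Yes/Okay to whatever it is sent, exactly as the post describes.

```python
"""Added example (not from the quoted post or Diebold): a toy model of the
quoted terminal/card protocol next to a challenge-response version."""
import hmac
import hashlib
import secrets

DOMAIN = b"voter-card-v1:"  # constructed label binding the MAC to this purpose


def _tag(key, card_id, nonce):
    # MAC over card id and the terminal's fresh nonce: proves key possession for this round only
    return hmac.new(key, DOMAIN + card_id + nonce, hashlib.sha256).digest()


class GenuineCard:
    """Card provisioned with a per-card secret shared with the terminals (assumed setup)."""
    def __init__(self, card_id, key):
        self.card_id, self.key, self.active = card_id, key, True

    def handle(self, msg):
        if msg[0] == "password":
            return ("Okay",)
        if msg[0] == "valid?":          # the question the quoted terminal asks
            return ("Yes",)
        if msg[0] == "challenge":       # the question the fixed terminal asks
            if not self.active:
                return ("Error",)
            return ("Response", self.card_id, _tag(self.key, self.card_id, msg[1]))
        if msg[0] == "deactivate":
            self.active = False
            return ("Okay",)
        return ("Error",)


class ForgedCard:
    """Constructed model of the home-made card in the post: says Okay/Yes/Okay to everything."""
    def handle(self, msg):
        return ("Yes",) if msg[0] in ("valid?", "challenge") else ("Okay",)


class ReplayCard:
    """Constructed card that replays one genuine Response captured earlier."""
    def __init__(self, captured):
        self.captured = captured

    def handle(self, msg):
        return self.captured if msg[0] == "challenge" else ("Okay",)


def broken_terminal_accepts(card, password=bytes(8)):
    """Quoted protocol: the terminal asks whether the card is valid and believes the answer."""
    if card.handle(("password", password)) != ("Okay",):
        return False
    if card.handle(("valid?",)) != ("Yes",):
        return False
    card.handle(("deactivate",))   # trusting the card to deactivate itself
    return True


class FixedTerminal:
    """Challenge-response: the card must prove key possession; the terminal keeps the used list."""
    def __init__(self, card_keys):
        self.card_keys = card_keys   # card_id -> key, assumed loaded from the election office
        self.used = set()

    def accepts(self, card):
        nonce = secrets.token_bytes(16)           # fresh per attempt, so captured replies don't replay
        reply = card.handle(("challenge", nonce))
        if len(reply) != 3 or reply[0] != "Response":
            return False
        _, card_id, tag = reply
        key = self.card_keys.get(card_id)
        if key is None:
            return False
        if not hmac.compare_digest(_tag(key, card_id, nonce), tag):
            return False
        if card_id in self.used:                  # one vote per card, enforced terminal-side
            return False
        self.used.add(card_id)
        card.handle(("deactivate",))              # still done, but no longer relied on
        return True


def demo():
    """Run every card against both terminals and report who gets to vote."""
    key = secrets.token_bytes(32)
    terminal = FixedTerminal({b"card-0001": key})
    genuine = GenuineCard(b"card-0001", key)
    captured = genuine.handle(("challenge", secrets.token_bytes(16)))
    return {
        "broken_accepts_forged": broken_terminal_accepts(ForgedCard()),
        "fixed_accepts_forged": terminal.accepts(ForgedCard()),
        "fixed_accepts_replay": terminal.accepts(ReplayCard(captured)),
        "fixed_accepts_genuine_once": terminal.accepts(genuine),
        "fixed_accepts_genuine_twice": terminal.accepts(genuine),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two design changes matter separately. The nonce turns "are you valid?" into "prove it for this attempt", so a card that merely asserts validity, or one that replays a response it saw earlier, fails the MAC check. Keeping the used-card list in the terminal removes the second act of faith in the quoted protocol, the assumption that the card will honour "Please deactivate yourself"; here the deactivate message is still sent, but a second vote on the same card is refused whether or not the card obeys.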

Did Bill Gates sucker Gary Kildall? Or did Kildall just blow it? Version 102a

Wherever techies gather to reminisce, one of the most rehashed myths of the history of the PC industry is whether Microsoft’s MS-DOS was a rip-off of Gary Kildall’s CP/M operating system. The story is told for the first time from Kildall’s perspective in Harry Evans’s coffee-table history book, They Made America — just out from Little, Brown — so stand by for more arguments. In the meantime, Business Week has a really excellent exegesis of the saga.

My own guess is that (a) Kildall blew it, (b) Gates did shaft him and (c) QDOS (the precursor of MS-DOS) did infringe Kildall’s copyright. But, as Business Week shrewdly observes, Kildall would not have been the guy to build an industry. He lacked Gates’s killer instinct.

‘Reconstruction’ in Iraq

Well I never. Here’s an excerpt from the Boston Globe’s report:

“About half of the roughly $5 billion in Iraq reconstruction funds disbursed by the US government in the first half of this year cannot be accounted for, according to an audit commissioned by the United Nations, which could not find records for numerous rebuilding projects and other payments.

One chunk of the money — $1.4 billion — was deposited into a local bank by Kurdish leaders in northern Iraq but could be tracked no further: The auditors reported that they were shown a deposit slip but could find no additional records to explain how the money was used or to prove that it remains in the bank.

Auditors also said they could not track more than $1 billion in funds doled out by US authorities for hundreds of large and small reconstruction projects.

The audit, released yesterday, found serious gaps in how the Development Fund for Iraq — a pool of money drawn from Iraqi oil revenues and international aid, including some from the United States — was handled by American occupation officials responsible for funding reconstruction projects and the operations of Iraqi ministries and provincial governments. The development fund is separate from the $18.4 billion in US reconstruction funds set aside last year to rebuild the country.”

American dreams

Wow! Here’s today’s New York Times on the Great Iraq Liberation Plan:

“Gen. Tommy R. Franks climbed out of a C-130 plane at the Baghdad airport on April 16, 2003, and pumped his fist into the air. American troops had pushed into the capital of liberated Iraq little more than a week before, and it was the war commander’s first visit to the city.

Much of the Sunni Triangle was only sparsely patrolled, and Baghdad was still reeling from a spasm of looting. Apache attack helicopters prowled the skies as General Franks headed to the Abu Ghraib North Palace, a retreat for Saddam Hussein that now served as the military’s headquarters.

Huddling in a drawing room with his top commanders, General Franks told them it was time to make plans to leave. Combat forces should be prepared to start pulling out within 60 days if all went as expected, he said. By September, the more than 140,000 troops in Iraq could be down to little more than a division, about 30,000 troops.

To help bring stability and allow the Americans to exit, President Bush had reviewed a plan the day before seeking four foreign divisions – including Arab and NATO troops – to take on peacekeeping duties.

As the Baghdad meeting drew to a close, the president in a teleconference congratulated the commanders on a job well done. Afterward, they posed for photos and puffed on victory cigars.”

I trust (he said severely) that these were not, er, Cuban cigars.

What’s in a name?

From Saturday’s Guardian: Staff at the south London Horniman museum have discovered that up to a tenth of all emails sent to or from the museum are being hoovered up by spam filters. Visitors trying to access the website, www.horniman.ac.uk, are being blocked or, worse, redirected to more specialist-interest sites. Tut, tut.

Pierre Salinger — as good as his word

Pierre Salinger, JFK’s Francophile Press Secretary (imagine such a thing in Bush’s xenophobic White House) died of heart failure on Saturday at the age of 79. He died in a hospital near his home near Avignon, after recent surgery to fit a pacemaker, his wife, Nicole, said. The couple moved to the Vaucluse to run a B&B when George W. Bush won the 2000 election. “He was very upset because he thought Bush was not fit to be president,” Nicole Salinger told the Associated Press. “He said he would leave if Bush became president, and he did.”

Hmmm… I wonder how many of the folks who are currently threatening to emigrate from the US if Dubya wins will do the same.

Smoke Havanas, go to gaol.

This is what Ben Hammersley says:

“A new US Treasury ruling states that US citizens cannot consume Cuban goods anywhere in the world. Full stop. Travel abroad and smoke them there, and you’ll still go to prison. Voice of America news has the story:

The notice also clarifies that Americans are barred from not only purchasing Cuban goods in foreign countries, but also from consuming them in those countries.

The penalties for violating the prohibitions include maximum criminal fines for individuals of $250,000 and imprisonment for up to 10 years. Corporations can be fined as much as a million dollars.

You can read the official document, only as a PDF here, linked to also from here.”

Well, well, it’s tough being an American. But for Irishmen, well… where did I put those matches?

En passant, isn’t it interesting to note that the place where Americans are allowed to abuse human rights is, er, Cuba. Still, it’s a consolation to know that the guards at Guantanamo are forbidden to smoke Montecristos.