Perils of New Technology
Thursday, March 6th, 2008
Michael Nygard provides an unexpected reason why you should probably avoid buying the latest and greatest technology: Steve Jobs made me miss my flight.
Article from The Register. I thought of making a list of all the basic security practices being violated here, but I gave up. It just boggles the mind.
California is one of the few jurisdictions that is belatedly starting to do the right thing with electronic voting machines: subject them to rigorous testing by qualified computer security experts. Ars Technica describes the latest results here: California’s testing cracks ES&S evoting system wide open.
The bottom line seems to be that all of the electronic voting machines currently in use can easily be subverted using simple techniques available to any teenage hacker.
Most of the attention so far has focused on touch-screen voting machines, but the popular optical-scan ballot systems are also made by the same companies and have many of the same security flaws. The advantage of the optical-scan systems is that you have the paper ballots and can use them for a manual recount which should reveal any fraud. The fraud can still go undetected if you don’t suspect it and don’t order a recount.
Update to previous post: Starting with Vista Service Pack 1 (available in early 2008) Microsoft will no longer disable your computer if “Windows Genuine Advantage” decides that your copy of Vista isn’t genuine.
Instead it will bombard you with messages telling you what a wicked pirate you are and urging you to pay up at once. No doubt this will still continue to catch a lot of innocent people, but at least they won’t be locked out of their computers.
via Ars Technica.
The continuing horror story of electronic voting machines reaches a new level of tragic absurdity: Ohio e-voting review makes a mockery of “recounts”.
This illustrates the real reason why we have had so many problems. Computer security is hard, and too many election officials are simply not capable of grasping the issues involved in conducting a fair and trustworthy election when computers are used.
The latest flap about “net neutrality” started with a test by the Associated Press which found evidence that Comcast is slowing BitTorrent traffic over its network.
If this were really a story about “net neutrality” the report would say that Comcast is identifying BitTorrent packets and transmitting them with lower priority so that they arrive more slowly. But what they actually found is much more disturbing. Comcast appears to be generating forged TCP Reset packets that claim to come from the sender and the receiver, tricking each side into dropping the connection.
LWN.net has a good summary of the latest developments in the voting machine scandal.
This has been a bad few weeks to be a voting machine vendor. Three separate governments, California, Florida and the UK looked at the devices and have come to remarkably similar conclusions. The machines they looked at are poorly designed, poorly implemented and subject to a wide variety of security threats. None of the studies mentioned it, but it is likely that the machines looked great.
in particular…
The teams were able to defeat the physical security of the voting machines, modify or overwrite the software in the machines as well as subvert the tabulation machines in order to provide incorrect vote counts. All of this just by having access to the machines themselves; the same access that election officials, poll workers and, to a lesser extent, voters, have.
Several days later, the source code teams’ reports were released and, at that point, were almost anti-climactic. Unsurprisingly, they found numerous, hideous source code flaws in all three systems. Buffer overflows, hard coded passwords (‘diebold’ being a particularly difficult one to guess), misuse of encryption, integer overflows (wrapping vote counts to negative or zero perhaps); the list goes on and on. It is as if the voting machine vendors are completely unaware of the last twenty (or thirty or forty) years of software security flaws.
Alex Eckelberry of Sunbelt Software discusses the SPY-ACT, a bill before Congress whose purpose seems to be to legalize the Sony Rootkit and any other spyware that vendors choose to foist on us: Unintended consequences
He also gives a fairly authoritative rundown on the current state of spyware and makes a good argument that there is no need for Congress to pass any legislation on the subject. (Which is good because we obviously can’t trust them not to make the problem worse.)
The Washington Post’s Rob Pegoraro describes a direct encounter with Vista’s DRM: Vista’s “Reduced Functionality”
The bottom line seems to be that Woody Leonhard is right (previous posts):
Woody Leonhard continues to examine the implications of Microsoft’s product activation scheme from Vista and Office 2007.
If your product key is stolen, part 2 – Office Watch
The obligation falls on you to prove to Microsoft that you bought legally. That can be difficult because Microsoft has already decided that your product key has been used illegally by a number of people and it has no means of knowing whether anyone was a legitimate user of that product key, and it has no clear path for customers to prove otherwise. Microsoft’s recommendations about documentation would not really help.
Since the product key isn’t linked to you by name there is no way for you to prove that you are the legitimate owner of that product key.
…
What if Microsoft disables your copy of Vista or Office 2007? You’ve tried to explain to Microsoft that you were the original purchaser but they won’t believe you. How can you appeal? You can’t. There’s no appeal process.
Microsoft’s decision is final; you’re a software thief, then you’ve lost that software license. You’re expected to buy another copy of the software (and hope the same thing doesn’t happen again).