Daily Archives: 8/4/2007

Matt Blaze: California voting systems code review now released

Keeping with the entire “hacker” theme, I read today on Bruce Schneier’s blog that code reviews of three voting machines that are proposed for use in California elections have been released. I found that (not surprisingly) someone that I knew had worked on one of them, and now that the report is published, he is free to talk (and blog) about it.

Matt Blaze: California voting systems code review now released

The problems we found in the code were far more pervasive, and much more easily exploitable, than I had ever imagined they would be.

I haven’t read the final reviews, but right now, security for voting machines seems to be a serious problem.

Matt exemplifies the best of the kind of hacker that I mentioned in my previous post, and here he is participating in a project of monumental importance. At stake is literally the trust of the American people in the integrity of their democracy. It would be easy to put this control into the hands of a few companies who make millions of dollars selling voting machines, but as the reports that are coming out of this review indicate, they simply have not done a reasonable job of protecting the integrity of our democratic process, despite their assurances that exploits of such systems are impossible.

I’ll probably have some downtime next week, and will try to read more of the reports.


Defcon 15: Undercover reporter flees

I proudly accept the label of “hacker”. That word gets tossed around a lot, and means different things to different people, but I mean it mostly in the sense that author Steven Levy might have approved of. (I think it is a tremendous shortcoming that Levy’s fine book Hackers is only mentioned in passing on the above Wiki page.) To me, a hacker is a person who is fascinated (even obsessed) by the inner workings of complex systems and mechanisms, and by the prospects of manipulating them to produce desired and unexpected effects.

When the media normally mentions hackers, it is in the context of computer crime: individuals who exploit vulnerabilities for either financial gain or simple vandalism. There is, of course, some overlap between these two camps, but I don’t identify myself with criminals of any sort, even those who nominally commit their acts to call attention to software vulnerabilities. After all, if someone kicks in the door of your house to demonstrate how easily a criminal might do it, I don’t think they deserve any special thanks.

But short of committing crimes, I think there is a valid purpose in exercising the skills that such criminals would employ. Someone doesn’t need to kick in my door, but someone can set up a door, and then show how easily such a door can be kicked in. This kind of information advises the public on the risk of using weak doors, and the publicity means that door manufacturers are likely to do a better job.

Well, all that is background. This is just a way of saying: I think it would likely be pretty cool to attend DefCon. I’ve read about their goings-on for years, and think it would be a fun way to spend three days, immersed in a world that I’ve mostly seen from the edges. I’ve attended other smaller get-togethers of similar nature, but the sheer size and scope of DefCon is somewhat appealing.

Here’s the thing about such conferences though: the people involved are in general pretty cautious about talking about what they do. Much of what they do is circumvent security and copy protection mechanisms, and the legal climate here in the U.S. makes that a fairly risky thing to admit to. In particular, it’s a bad thing to admit to in front of the general press. The press covers events like this with remarkably little subtlety, usually using interviews merely to confirm the preconceptions that they and the public already have about the hacking community. Such characterizations aren’t helpful, or even truthful.

The net result of this is that press are either denied access to such conferences (such as ones that I have attended) or are required to wear a press badge so that attendees know when they are talking to the press. The press is further required to obtain permission to film any individual in private conference areas, or to film conference sessions. Usually, general sweeps of cameras over the audience are not permitted. Those are the rules.

That’s the background.

It appears that there was a bit of a kerfuffle (is that a word?) this year as NBC Dateline producer Michelle Madigan showed up at DefCon. She apparently registered as an ordinary attendee, had repeatedly rejected the idea of using a press pass, and was reportedly secretly filming the goings-on using a hidden camera. In the opening session, it was announced that there was a press person posing as an ordinary attendee, and that she should be found and escorted from the premises. She was told that she would be welcome to return if she used the appropriate press pass.

Link to Hack-a-Day coverage, and YouTube video of the results:

Defcon 15: Undercover reporter flees – Hack a Day

She obviously is a bit concerned about being photographed and followed as she is leaving. I must admit that I feel a bit of sympathy towards her, which is (upon reflection, and somewhat surprisingly to me) likely due to the fact that she is a woman, placed in a position which might (somewhat reasonably) be considered threatening. Still, I can’t help but think of the irony of this situation: she was photographing people secretly, and, let’s face it, quite likely to publish a report which portrayed the individuals filmed in a less than exemplary light. These people had told her (through the policies of the conference) that if they were to be photographed at the conference, she had to obtain their permission first.

She chose not to obey the rules. When you break the rules and get caught, it leads to some uncomfortable moments.

Frankly, I think that they could have done this better and more politely. They could have simply refused to grant her a pass, and announced that fact in the opening session. The drama of creating a potential mob scene in the opening session, and the risk that it could escalate, was simply too great to justify any of the delicious irony of outing her live. Regardless of the intentions of the organizers, it could have rapidly gotten out of hand, and that would have sucked. Let’s face it, if one person is crying that you be tarred and feathered, that’s probably not a big deal, but if a conference room full of hundreds of people are all chanting it, you might have some legitimate reason to be fearful for your personal safety, and nobody should feel that their personal safety is in jeopardy in such a situation.

Be polite, people.
