Feeling comfy about our prospects in November? Sit down. If you are holding a cup of coffee, put it down. This is going to upset you. Before we start, here are two rules to keep in mind:
Rule #1: The vast majority of attacks originate from within the system.
In other words, you are more likely to get knifed in the back by a friend than attacked by a stranger. That is why date rape is the most common form of rape. That is why most murder victims knew their killer.
Rule #2: "Security through obscurity" does not work in the modern world.
In other words, you will fail if you try to secure a system by "hiding" stuff instead of designing a "lock" to protect stuff. The reason this fails is simple. The strategy keeps everything secret until someone talks or someone stumbles across the information. Then you are screwed -- or dead -- depending on how badly things go.
What's this got to do with you? If you care about winning in Nov. you need to read the rest of this. Follow me for a free ride on a subway. Our destination? Stealing an election....
Yesterday afternoon, a presentation at the Defcon Hacker conference in Las Vegas was cancelled. The presentation would have described:
"several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line.
The MIT students who were scheduled to present were prevented from giving their talk by a hastily issued restraining order:
U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System."
I'm not going to tell you how they managed to do this. The fact there is a restraining order can be taken as evidence they succeeded. The approach being taken by the MBTA is to try and "hide" this information. Unfortunately for them, that is not possible. The material is already available online. I found it and I wasn't even looking for it! That means anyone who is looking for it probably has it. Anyone at the conference definitely has it, because it was included (along with source code) in the CD given to conference attendees.
How serious is this? Well consider this slide from their presentation. It shows certain types of vulnerabilities. As you can see, this system is vulnerable in a variety of ways at a variety of locations. I've modified the slide so it is not useful for determining the types of vulnerabilities. The only important point here is the system is vulnerable to a variety of attacks.
This is not theoretical. The presentation included evidence the students had succeeded in their claims. For example, they showed how they could reprogram the SmartCards to give them unlimited access to the system for free. They also showed they could exploit weaknesses in the system that could effectively open it up to anyone, even if they are completely computer illiterate. Once the gate is open, any fool can stroll right through it. Here's an example demonstrating that is not a metaphorical statement.
That is certainly a disturbing image, but here is the one that should really get your attention. Look at the screen. After reprogramming the card, they were able to fool the system into thinking it had as much money on it as possible. Think about that for a moment. What other system do you know of that uses SmartCards and counts stuff?
This example shows the system thinks they have $653 on their card, when in fact they paid nothing. If someone actually used this card that would be fraud. If enough people used the card, the system would fail due to lack of revenues. That would be bad.
At the end of the day, the subway system tallies up the revenues and usage. In this case, the problem is revenues will not be keeping up with usage and any projections of cost based on usage will be thrown into disarray because the expected revenues won't be there. If you don't fix the problem, the only available solution is to increase costs for the people who are paying to use the system. That covers the costs of the freeloaders at the expense of the honest users. That's why shoplifting and petty theft hurts all of us.
Free subway rides, like free cable, are a problem for the vendor but it rarely gets to the point that it crashes the system. Theft alone is not going to wipe most systems out. At the end of the day, it's just money. If you are bright, you will make more. However, there are systems that use similar technologies to count things that are more valuable than money. I'm talking about votes. People have been sounding this alarm for years. We know it is real. We know the vendors cannot be trusted to adequately protect their systems. The vulnerabilities in these systems are well-known. However, the response of the vendors is exactly the same as the MBTA. They try to achieve security through obscurity, instead of taking the superior method of security by design. Security by design assumes the attacker has access to the system, but lacks the key. That's why you lock your doors. That's why you use alarm systems. It's why people buy dogs. Security by obscurity assumes everyone is an idiot. You can see how well that worked for MBTA.
Behind all of the smoke and mirrors lies the real reason people go for security by obscurity. They are lazy, sloppy, or arrogant. Sometimes it is a combination of all three. We've all heard the stories about guards asleep at their post. It's so common, it's a cliche. But what happens if no one is asleep at their post because no one is at their post in the first place? This is not a rhetorical question. Here is another slide from the presentation. That is a state-of-the-art monitoring center. It is clear that no expense was spared outfitting this booth. They even have Herman Miller Aeron chairs. Those cost about 900 bucks a pop. How did I recognize the Aeron chair in the foreground? Because no one is sitting in it! In fact, no one is manning the station! So all those cameras and software and computers (and chairs) are worthless.
You think they have better monitoring of the election systems? Well, consider this overlooked diary from several months ago:
We have all heard the story that United Technologies has launched a hostile takeover attempt to acquire Diebold. We all know that Diebold is the Big Bad Wolf of electoral shenanigans. We all remember Diebold chief executive Walden O’Dell’s 2004 letter promising to deliver Ohio’s electoral votes to Bush.
But what some of us may have missed is that United Technologies is a client of the highly influential lobbying firm BKSH. Who works for BKSH? Charlie Black. Who is Charlie Black? An aide to John McCain.
Actually, zoltan understated things a bit. Charlie Black doesn't merely work for BKSH. He is the president. We all know he was much more than an aide to McCain. Here's the corker... that was posted in March. Before McCain won the nomination. The potential for cronyism is worse than simple negligence. This is why I think you should be sitting down. Negligence counts on the bad guys being sloppy or stupid. Cronyism means your attackers are inside. Even if that booth was completely manned, it wouldn't help if the people manning it are there to subvert it.
Recently, an extreme example of this came to light when the network administrator for San Francisco's network locked everyone out. The guy effectively held the whole city hostage for several weeks until he relented and gave the Mayor the password. It is still unclear why he did this. In the final analysis, his motives don't matter. As one person covering this noted:
[O]ur IT folks are kind, friendly and smart, the perfect combination. But what if the person who holds the key to all your computer secrets, who can get into any of your digital stuff, isn't so nice? If you work on a computer, you're at someone's mercy. A few dozen movies revolve around evil geniuses taking control of important computer systems, only in Hollywood the good guy/gal usually takes it back in the end.
Unfortunately, life doesn't always imitate art. Sometimes the good guys lose control and the fat lady sings. This is why another diary that got short shrift here really needs to get more visibility. We know people with shady pasts and a history of manipulation are positioning themselves to do what they have done before. We all know Rove, but there is another name you need to know and the media should be asking about: Mike Connell.
Here is one guy who has been present every time at the scene of the crime, whether you are talking about Florida in 2000, or Ohio in 2004, or payoffs from Abramoff. The reason the lawyers are going after this guy is they are hoping he will give them testimony that helps nail Rove. How critical is this guy? According to Brad Friedman at BradBlog:
Karl Rove has threatened a GOP high-tech guru and his wife, if he does not "'take the fall' for election fraud in Ohio," according to a letter sent this morning to Attorney General Michael Mukasey, by Ohio election attorney Cliff Arnebeck.
It is not surprising that Rove would threaten former associates if they ratted him out. What is surprising is how little attention this is getting. It's not as if this story had to be dug up by BradBlog. In fact, in the same e-mail, Arnebeck informs Mukasey:
I have informed court chambers and am in the process of informing the Ohio Attorney General's and US Attorney's offices in Columbus for the purpose, among other things, of seeking protection for Mr. Connell and his family from this reported attempt to intimidate a witness.
Concurrently herewith, I am informing Mr. Conyers and Mr. Kucinich in connection with their Congressional oversight responsibilities related to these matters.
Because of the serious engagement in this matter that began in 2000 of the Ohio Statehouse Press Corps, 60 Minutes, the New York Times, Wall Street Journal, C-Span and Jim VandeHei, and the public's right to know of gross attempts to subvert the rule of law, I am forwarding this information to them, as well.
Cliff Arnebeck, Attorney
Connell's importance came to light because Arnebeck reopened a stalled investigation when new evidence came to light. The investigation started to heat up
following the discovery of new information, including details from a Republican data security expert, leading Arnebeck towards seeking depositions of Rove, Connell, and other GOP operatives believed to have participated in the gaming of election results in 2004.
So there you have it. The architects of this crime are in the hot seat because security by obscurity doesn't work. Even they can't avoid that reality. That is why the guy you have to worry about most is the one supposedly defending the system. That brings us to what you can do. Who is supposedly defending the system now? The congress? The media?
Security by obscurity doesn't work for us, it shouldn't work for them. We need to hold the media accountable. We need to pressure them to cover the stuff they want to bury. We need to expose their deceits at every turn. We need to be vigilant and relentless.
If that sounds like work, it is. And we're the ones to do it. We have to call them, write them, and expose them every time they try to hide the ball. We have to support anyone and everyone who is working to keep this out in front. Hoping someone else will do this is a fool's errand. Counting on someone else to defend our future is as foolish as protecting your stuff by hoping people won't find it. We also have to defend ourselves.
As we get closer to winning, these are the voices that will grow louder and more dissonant. That is why it is important for you to take a hard look around and realize, there is no cavalry coming. We are the ones we have been waiting for. Now finish your coffee and get to work.