Deb Shinder's MVP Blog

Department of Home LAN Security

May 2004 - Posts

Securing the Vote

The push has been on in the U.S. since the 2000 elections to replace old paper and punchcard ballots with electronic voting systems, but as the 2004 elections draw closer, serious questions are being raised about the security of the new systems, many of which include no paper trail and no way for voters to verify that their votes were recorded correctly.

It's interesting that, in many cases, it's those who make their livings working with computers who are most worried about the idea of voting by computer. On the other hand, maybe that's not strange at all. We've seen, time after time, just how easily electronic systems of all types can be compromised and how easily things can go wrong and results can be skewed even when there is no intentional breach of security.

http://www.computerworld.com/governmenttopics/government/story/0,10801,92995,00.html

Somebody Missing in the Builders and Titans Report?

Today on CNN.com, I clicked the link to read Time Magazine's “Builders and Titans” report, which purports to be a list of those business people who have created successful businesses and/or championed established ones and have had a significant influence on shaping society.

In going down the list of 20, I saw a number of names that are familiar to those in our field: Michael Dell, Steve Jobs, Carly Fiorina. What I didn't see was any mention of Bill Gates. Oh, well, I guess the World's Largest Software Company doesn't qualify as “successful,” having only made him a multi-billionaire.

Sure, we know how popular it is to hate B.G. and bash Microsoft, but regardless of whether or not you like him and/or the company, how can you deny that it's a successful business or that its software has had a significant influence on society? After all, Time is the magazine that once named Adolf Hitler as Man of the Year. Personal popularity is obviously not (supposed to be) an issue.

Biometrics Conference

Biometric security has been a source of contention on many levels. On the surface, it sounds like the perfect solution to the problem of identity theft. After all, there are a number of physiological traits that are more or less unique to individual human beings. And those prone to forgetting passwords or leaving their smart cards at home aren't apt to leave the house without their fingerprints or forget their retinal patterns.

However (there's always a “however”), nothing is perfect and biometrics is no exception. Privacy advocates object to the somewhat invasive nature of some biometric scanning technology and, even more troubling, some security experts warn that biometric identification is not nearly as fool-proof as it's hyped to be (especially by the makers of biometric security devices).

It has been demonstrated (most popularly by Japanese engineering professor Matsumoto a couple of years ago at the University of Yokohama) that most fingerprint scanners can be fooled by fake fingers made of gelatin. Facial recognition software has a high rate of false negatives and false positives. Iris scanners' results can be skewed by tears or even long eyelashes.

Nonetheless, the push for biometric identification moves forward. In many states in the U.S., fingerprints are required for driver's licensing, and the U.K. is developing new standards for passports and other identification documents that will include biometrics. The question no longer seems to be whether biometrics will be used for confirming our identities, but how biometric technology can be made more accurate.

If you're interested in the field of biometrics and what's being done to perfect this imperfect technology, you might want to attend the Biometric Consortium's September conference in Arlington, VA. It's open to the public, and likely to include some eye-opening information about the future of biometrics. See http://www.biometrics.org/bc2004/index.htm for more info.

802.11i: Its time is coming

It looks as if this summer the IEEE will finally approve the standards for 802.11i. That's the wireless security standard that is based on RSN, which uses AES (the cipher formerly known as Rijndael) and a 128-bit encryption key to provide better security. WPA, another new wireless security standard adopted by the Wi-Fi Alliance, can be implemented by upgrading the client software for many current wireless devices. Deploying RSN is a bit more complicated, since it will require hardware devices with significantly more processing power.

It's been a long time coming, but we look forward to the demise of WEP - with its well-documented security flaws - and new, more secure technologies to replace it. Wireless security has to be a number one priority as wireless networking becomes more and more popular, and thus, securing wireless transmissions becomes more and more of a problem.

Next month, I'll have an article on Windowsecurity.com about 802.11i, how WPA2 and RSN work, and what it all means for existing wi-fi networks.

ALF article

The article on Application Layer Filtering (ALF) that I wrote for Windowsecurity.com has just been reprinted by SecurityProNews over at http://securitypronews.com/2004/0505.html. There is a lot of interest in ALF these days, and no wonder -- the ability to filter at the application layer not only helps prevent attacks that exploit application layer protocols, but is also a key element in filtering for spam at the firewall, which takes some of the load off your mail server or spam filtering server. Of course, you have to be very careful about how you configure content filtering for spam at the firewall, to reduce the possibility of false positives; the most effective spam filtering methods use a multi-layered approach.

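To make the false-positive point concrete, here is an added example (mine, not code from the article or from any firewall product) of what "multi-layered" application-layer content filtering means in practice. It parses two constructed sample messages, shows that a single keyword rule on the Subject header flags a legitimate reply as spam, and then combines several weak signals (subject keywords, shouting, a bare-IP URL, keyword repetition, HTML-only content) into a score with a threshold. The signal weights and the 3.0 threshold are arbitrary assumptions chosen for illustration, not tuned values.

```python
"""Toy application-layer mail filter: one keyword rule versus a
multi-layered score, run over constructed sample messages.
Added illustration; weights and threshold are assumed, not tuned."""
import email
import re
from collections import Counter
from email.message import Message
from typing import Dict, Tuple

# Constructed sample messages (not real mail); .invalid is a reserved TLD.
SAMPLES: Dict[str, str] = {
    "spam": (
        "From: deals@example.invalid\r\n"
        "Subject: FREE!!! Viagra and casino bonus\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>CLICK HERE NOW http://203.0.113.5/win "
        "FREE FREE FREE</body></html>"
    ),
    "ham": (
        "From: alice@example.invalid\r\n"
        "Subject: Re: free seats at the security conference?\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "Hi Bob,\n\nYes, the conference still has free seats on Thursday. "
        "I booked two; see you there.\n\n-- Alice"
    ),
}

SPAM_WORDS = {"free", "viagra", "casino", "winner", "bonus"}
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")  # URL with a bare IP host
SHOUT = re.compile(r"\b[A-Z]{3,}\b")                        # all-caps words
TAG = re.compile(r"<[^>]+>")                                # strip HTML tags
THRESHOLD = 3.0                                             # assumed cut-off


def parse(raw: str) -> Message:
    """Parse an RFC 822 style message string into headers and body."""
    return email.message_from_string(raw)


def text_of(msg: Message) -> Tuple[str, str]:
    """Return (subject, body text with HTML tags removed)."""
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else str(msg.get_payload())
    return subject, TAG.sub(" ", body)


def single_rule(msg: Message) -> bool:
    """Naive filter: any 'free' in the Subject means spam."""
    subject, _ = text_of(msg)
    return "free" in subject.lower()


def layered_score(msg: Message) -> Tuple[float, Dict[str, float]]:
    """Combine several weak signals; no single one decides the verdict."""
    subject, body = text_of(msg)
    layers: Dict[str, float] = {}

    # Layer 1: spam keywords in the Subject, capped so one header cannot dominate.
    hits = sum(1 for w in re.findall(r"[a-z]+", subject.lower()) if w in SPAM_WORDS)
    layers["subject_keywords"] = float(min(hits, 2))

    # Layer 2: shouting (three or more all-caps words in subject plus body).
    layers["shouting"] = 1.0 if len(SHOUT.findall(subject + " " + body)) >= 3 else 0.0

    # Layer 3: link whose host is a bare IP address rather than a name.
    layers["ip_url"] = 1.5 if IP_URL.search(body) else 0.0

    # Layer 4: a spam keyword repeated three or more times in the body.
    counts = Counter(re.findall(r"[a-z]+", body.lower()))
    layers["repetition"] = 1.0 if any(
        c >= 3 and w in SPAM_WORDS for w, c in counts.items()) else 0.0

    # Layer 5: HTML-only body is a mild signal on its own.
    layers["html_only"] = 0.5 if msg.get_content_type() == "text/html" else 0.0

    return sum(layers.values()), layers


def classify(msg: Message) -> str:
    """Verdict from the layered score against the assumed threshold."""
    score, _ = layered_score(msg)
    return "spam" if score >= THRESHOLD else "ham"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        m = parse(raw)
        score, layers = layered_score(m)
        print(f"{name}: single_rule={single_rule(m)} layered={classify(m)} "
              f"score={score} layers={layers}")
```

The legitimate reply scores on exactly one layer (the word "free" in its subject) and stays under the threshold, while the junk message trips every layer. That is the property you want from filtering at the firewall: a mistake in any one rule costs a fraction of a point rather than a lost message.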
Securing Server 2003 Domain Controllers

I have a new article up on the Windowsecurity.com Web site that contains some tips on how to make your Windows Server 2003 domain controllers more secure. As home networks become more and more sophisticated, I run into a lot of people who are “doing Windows domains” at home, often hosting their own Web sites and Exchange servers.

DCs present some special security problems, because they contain information that is not only security sensitive (such as user account passwords) but also critical to the operation of your network. It's important to give special attention to protecting them from intrusion or attack. Luckily, Server 2003 comes out of the box with many built-in security features, expanding on the security initiative that Microsoft began in earnest with Windows 2000.

The article addresses just a few of the important issues related to DC security, starting with (often overlooked) physical security measures. It also details how to move the Active Directory database and how to protect password information with the Syskey utility.

To read the full article, see http://www.windowsecurity.com/articles/Securing_Server_2003_Domain_Controllers.html.

Service Pack 2 Blues

In the April 27 issue of WinXPNews, I wrote a short piece on some of the experiences that our readers have reported with the installation of the technical preview release of Service Pack 2 for Windows XP. As noted in the article, those ranged from “smooth sailing, no problems at all” to complete system crashes with an inability to restart even in Safe Mode. I detailed the problems my husband had with wireless network connectivity after installing SP2. I also emphasized that readers should remember that as with any pre-release version of software, the service pack should only be installed on test machines, and I went on to point out that many readers were delighted with one of the new features, the pop-up blocker added to Internet Explorer.

The article brought a huge number of reader responses, most of them contributing their own “sometimes it's heaven and sometimes it's hell” stories about SP2. What surprised me, though, was that I received several messages accusing me of being part of the Microsoft-bashing media cabal because of the article. Actually, it was a bit of a refreshing change, since I'm more often accused of being a “shill” for MS (presumably because I don't sing the praises of Linux in the -- note this name, now -- WinXPNews).

In truth, I'm neither. I get very tired of the real Microsoft bashing that occurs on some of the IT and computer book mailing lists to which I belong. Some days it seems everywhere I turn, some open source advocate is slamming MSFT for having the audacity to make a profit for their shareholders instead of giving everything away for free (of course, if they did that, those same people would then slam them for “unfairly undercutting the competition” or some such). The constant refrain of “Microsoft products don't work, Microsoft products aren't secure, and Bill Gates is just too damn rich” seems ubiquitous at times. So I suppose I can understand a little oversensitivity.

But really, people -- reporting on some problems that have been encountered with a pre-release piece of software is in no way meant to cast a bad light on the company that made it. The whole point of making betas and release candidates available to the public is to broaden the base of people to discover any problems in the software, so those problems can be fixed in the final release version. It's part of the process of making software better. Microsoft is to be commended for taking this extra step and (contrary to the opinions of those who bash the company for missed release dates) for delaying finalization of their products so as many bugs as possible can be worked out.