August 2007

The vote tallies on Public Law 110-55, subject of some consternation around here, are up on WashingtonWatch.com, in case you want to see how your representatives represent you.

A great insight from Avi Rubin, who attributes it to California Secretary of State Debra Bowen:

The current certification process may have been appropriate when a 900 lb lever voting machine was deployed. The machine could be tested every which way, and if it met the criteria, it could be certified because it was not likely to change. But software is different. The software lifecycle is dynamic. As an example, look at the way Apple distributes releases of the iPhone software. The first release was 1.0.0. Two minor version numbers. When the first serious flaw was discovered, they issued a patch and called it version 1.0.1. Apple knew that there would be many minor and some major releases because that is the nature of software. It’s how the entire software industry operates.

So, you cannot certify an electronic voting machine the way you certify a lever machine. Once the voting machine goes through a lengthy and expensive certification process, any change to the software requires that it be certified all over again. What if a vulnerability is discovered a week before an election? What about a month before the election, or a week after it passes certification? Now the point is that we absolutely expect that vulnerabilities will be discovered all the time. That would be the case even if the vendors had a clue about security. Microsoft, which arguably has some of the best security specialists, processes and development techniques, issues security patches all the time.

Software is designed to be upgraded, and patch management systems are the norm. A certification system that requires freezing a version in stone is doomed to failure because of the inherent nature of software. Since we cannot change the nature of software, the certification process for voting machines needs to be radically revamped. The dependence on software needs to be eliminated.

USA Today reports that most are unaware of the dangers facing them at public Wi-Fi hotspots, which brought to mind an interesting question about municipal Wi-Fi. What incentive is there for municipalities to provide encryption and other security technologies?

The article mentions that AT&T and T-Mobile are the largest providers of free Wi-Fi hookups in the country and although the Wi-Fi itself is unsecured, both companies encourage the use of freely provided encryption software. The incentives for both companies seem fairly obvious. If people are going to be Wi-Fi users they need to feel safe and encryption technology is a way to do this. Customers stay safe and continue to use the service, making AT&T, T-Mobile and other providers money.

Do municipal setups have the same incentives? Depending on the financial structure of such a system I can see how there would be little incentive to provide security software or other safeguards to users. Yet these Muni-Fi services would still distort the market, making it less likely for companies–that might be affected by privacy concerns–to invest in those areas.

Question: Does Muni-Fi pose a risk to security because of the lack of incentives to push security solutions and its edging out private competitors who have that motivation?

Times Unselect

August 7, 2007

The New York Post is reporting that the New York Times is going to ditch its paywall, making all of its new content freely available to the world. The rumor comes a week after rumors that Rupert Murdoch is considering doing the same with the Journal.

It’ll be interesting to see how long Salon and The Economist can soldier along with a paywall/daypass model. They’re both excellent publications, yet I hardly ever visit them because the blogs I read hardly ever link to them. My sense is that they’d be significantly more prominent if they had gone free a few years ago.

Hat tip: Yglesias, who concludes that the Internet will “make being an important opinion writer less financially lucrative, relative to other professions, than it once was.”

The video game industry’s string of unbroken First Amendment court victories continued this week with a win in the case of Video Software Dealers Association v. Schwarzenegger. [Decision here.] In this case, the VSDA and the Entertainment Software Association brought a suit seeking a permanent injunction against a California law passed in October 2005 (A.B.1179), which would have blocked the sale of violent video games to those under 18. Offending retailers could have been fined for failure to comply with the law.

The court’s decision overturning the law was written by Judge Ronald Whyte and it echoed what every previous decision on this front has held, namely:

Continue reading →

Julian on the FISA Fiasco

August 7, 2007

Over at Reason Julian chastises the Democrats for their spinelessness in passing the FISA “modernization” this weekend:

The hasty passage of the massive USA PATRIOT Act, a scant 45 days after [the 9/11] attacks, was ill-considered but understandable. Six years later, however, the administration has grown comfortable with the prerogatives panic affords. And, perversely, it has learned that it can continue to wield those prerogatives even under a Democratic majority, provided it insists on regarding Congress always and only as a last resort.

Consider the provenance of this “emergency” legislation. President Bush first authorized the National Security Agency to carry out a range of surveillance activities without court order, the full scope of which is still unknown, but which at the least included monitoring communications between persons in the United States and targets abroad. (Wholly international communications had always been exempt from the privacy restrictions imposed by U.S. law.) When this was revealed by The New York Times late in 2005, the administration insisted that national security required that intelligence agents be allowed to bypass even the super-secret—and highly compliant—FISA courts. Then, following the 2006 midterm elections, which gave Democrats a congressional majority, the Department of Justice abruptly announced that it had found a way to work within FISA after all. Finally, according to The LA Times, a spring ruling by a FISA court judge found that even this restricted version of the six-year-old program ran afoul of the law.

Suddenly it became urgent that Congress “modernize” what was invariably described as “the 1978 FISA statute,” conjuring images of forlorn agents in white polyester leisure suits vainly hunting for al-Qaeda terrorists hidden under Pet Rocks. Yet FISA had already been updated dozens of times since its initial passage, including six major amendments since the September 11 attacks, giving the administration myriad opportunities to request all the “modernization” it required, subject to thorough public debate. But even this manufactured urgency, it seems, was not enough. On the eve of the legislature’s August recess, House Democrats had worked out a compromise bill with Director of National Intelligence Michael McConnell, which preserved a modicum of judicial oversight over the expanded surveillance powers it granted. But the White House pronounced this unsatisfactory, threatening a veto and demanding still broader powers. If Democrats did not yield completely before Congress adjourned, Bush said, they would “put our national security at risk.”

More where that came from. I’ve also got a summary of the bill over at Ars.

Do you mean to tell me that muni wi-fi networks will actually cost money? I’m shocked, shocked, I tell you. Where’s the free lunch we were promised?!

[see San Jose Mercury News story below]
______________________

Municipal WiFi: A not-so-free lunch
by Sarah Jane Tribble
Mercury News
08/06/2007

It’s been more than a year since Silicon Valley’s Joint Venture Wireless Project first announced plans to build a regional wireless network, giving millions of local residents free access to the Internet. But that network won’t be so free after all, and the area’s millions of local residents may not really use it.

While initially the project was lauded as a way to give the masses affordable Internet, key organizers have gently shifted the focus of the network from serving residents, for free, to giving businesses and city governments wireless access, for a price. …

But the increasing focus on dollars and cents reflects a trend nationwide: As cities strive to provide wireless Internet service, they’re realizing it can’t truly be free.

[Read the rest here.]

Humor for the Day

August 6, 2007

Slashdot reports on a new flashlight that makes subjects puke when you point it at them.

A Slashdot commenter says:

Just browse a few pages on myspace…you’ll get a similar nauseating effect.

Via TechDirt, Wired reports that SoundExchange, the cartel for the major labels collective licensing authority for digital music, has been lobbying for Congress to make terrestrial broadcasters pay royalties for playing music on the air. That despite the fact that radio stations have been legally entitled to play music without royalties (to the band—I believe they have to pay statutory royalties to the songwriter), and despite the fact that the labels beg and plead with radio stations to play their songs more.

Cato chairman Bill Niskanen wouldn’t be surprised.

The spying bill passed by Congress this weekend says that:

With respect to an authorization of an acquisition under section 105B, the Director of National Intelligence and Attorney General may direct a person to immediately provide the Government with all information, facilities, and assistance necessary to accomplish the acquisition in such a manner as will protect the secrecy of the acquisition and produce a minimum of interference with the services that such person is providing to the target.

105B requires only that “reasonable procedures [be] in place for determining that the acquisition of foreign intelligence information under this section concerns persons reasonably believed to be located outside the United States.” Court oversight is limited to verifying, after the fact, that these “procedures” are in fact “reasonable.” Notice that it’s easy to imagine that some domestic-to-domestic calls or emails could “concern” a person located outside of the United States.

We’re inching ever closer to giving the executive branch the power to issue Writs of Assistance.