Category: Security

Security is immunity from the will of others.

On electronic voting

There is some controversy in The Netherlands right now about electronic voting. A group has gotten hold of a voting machine, discovered that the physical and software security therein is very weak, and otherwise established the possibility that determined individuals could significantly impact election results through electronic tinkering.

The advantages of electronic voting are fairly numerous. Firstly, it could be made to happen more quickly. This may advantage the media more than anyone else, but it may as well be listed. Secondly, electronic devices could be made easier to use for people with physical disabilities and the like. Another advantage the system should have is increasing standardization between voting districts. Skullduggery involving dated or problematic machines in districts likely to vote in a certain way has been noted in a number of recent elections. Also, having an electronic record in addition to a paper one could allow for cross-verification in disputed districts. In cases where the results very starkly do not match, it should be possible to repeat the vote, with greater scrutiny.

The answer to the whole issue is exceptionally simple:

  1. You are presented with a screen where you select from among clearly labeled candidates, with an option to write in a name if that is part of your electoral system.
  2. The vote is then registered electronically, by whatever means, and a piece of paper is printed with the person’s choice of candidate, ideally in large bold letters.
  3. For an election involving multiple choices, each is likewise spelled out clearly. For instance, “I vote NO on Proposition X (flags for orphans).”
  4. The voter then checks the slip to make sure it is correct, before dropping it in a ballot box.
  5. These are treated in the standard fashion: locked, tracked, and observed before counting.
  6. The votes are tallied electronically, with a decent proportion (say, 20%) automatically verified by hand.
  7. If there is any serious discrepancy between the paper and electronic votes, all the paper ballots should be counted. Likewise, if there is a court ordered recount on the basis of other allegations of electoral irregularity.

Electronic systems have vulnerabilities including hacked polling stations; transmission interception and modification; as well as server side attacks where the data is being amalgamated. Paper systems have vulnerabilities relating to physical tampering. Maintaining both systems, as independently as possible, helps to mitigate the risks of each separately and improve the credibility of the process. It is like having both your bank and your credit card company keep separate records of your transactions. If they do not match, you have a good leg to stand on when alleging some kind of wrongdoing.

This system could use relatively simple electronic machines, and may therefore actually cost less in the long run than all paper balloting. Critically, it would maintain an unambiguous paper trail for the verification of people’s voting intentions. Companies that deny the importance of such a trail are either not thinking seriously about the integrity of the voting process or have self interested reasons for holding such a position.

[Update: 14 October 2006] The Economist has a leader on electronic voting machines and the US midterm elections. They assert, in part:

The solutions are not hard to find: a wholesale switch to paper ballots and optical scanners; more training for election officials; and open access to machine software. But it is too late for any of that this time—and that is a scandal.

Quite right.

Truth and American politics: approaching the mid-terms

Written by Tariq Ramadan, a fellow at St. Antony’s, this statement about his lengthy troubles with trying to get a US visa is well worth reading. In part, he says:

I fear that the United States has grown fearful of ideas. I have learned firsthand that the Bush administration reacts to its critics not by engaging them, but by stigmatizing and excluding them. Will foreign scholars be permitted to enter the United States only if they promise to mute their criticisms of U.S. policy? It saddens me to think of the effect this will have on the free exchange of ideas, on political debate within America, and on our ability to bridge differences across cultures.

This hits straight at what I see as the biggest foreign policy problem in the United States. It is not the holding of convictions; nor is it the willingness to act upon them. It is willful ignorance and self-delusion applied to information that contradicts the existing stance of the administration. While this trend extends into domestic politics, the most stark examples exist in the area of foreign affairs.

It is fair enough to argue that, at the time of the invasion of Iraq, Saddam Hussein was widely considered a threat. This is a judgement that was not confined to the British and American intelligence services. The British and American administrations could say: “We may have been wrong, but we were honest in our beliefs.” To say, instead, that they have been right all along, or deny making claims that have been undeniably recorded makes you them either insane or cynically disinterested in the truth. The indictment here is not based on the truth or falsehood of the original claims, but on the unwillingness of a group of people to revise their positions, or even admit fault, when facts have proved them wrong.

When an intelligence report confirmed the absence of WMD at the same time as the administration was claiming that the report said the opposite, Jon Stewart cleverly remarked:

The official CIA report, the Duelfer Report, has come out. The one that they’ve been working on for the past two years that will be the definitive answer on the weapons of mass destruction programs in Iraq, and it turns out, uh, not so much. Apparently, there were no weapons of mass destruction in Iraq, and their capabilities had been degraded, and they pretty much stopped trying anything in ’98. Both the President and the Vice President have come out today in response to the findings and said that they clearly justify the invasion of Iraq. So, uh, some people look at a glass and see it as half full, and other people look at a glass and say that it’s a dragon.

A notorious example of the trend of denying past statements is Donald Rumsfeld on WMD: “We know where they are. They’re in the area around Tikrit and Baghdad and east, west, south and north somewhat.” on ABC’s This Week With George Stephanopoulos, 30 March 2003. When challenged, Rumsfeld has repeatedly denied having ever claimed certainty about the existence of Iraqi WMD. Dick Cheney has likewise lied about previous statements (example) in which he claimed that such weapons certainly existed. Numerous other examples are obvious: the administration has misjudged the seriousness of the Iraqi insurgency, entirely miscategorized the relationship between the former Iraqi leadership and Al Qaeda, and continually misrepresented the human rights records of friendly but abusive regimes, including Saudi Arabia and Pakistan.

While politics has never been a discipline where practitioners adhere closely to the truth (look at Taylor Owen’s article in this month’s Walrus about the scale of US bombing in Cambodia during the Johnson administration), there are times when the disjoint between official statements and observable reality becomes so broad as to indict all of those who cling to the former. The fact that the run-up to the mid-term elections is being dominated by a scandal that, while disturbing, is quite peripheral to the governmental record of the dominant party demonstrates how narrow and polarized political debate has become.

Let us hope that, whatever the results are, the November 7 midterm elections will lead to a more candid discussion of the most pressing issues regarding America’s place and actions in the world.

Basic problems with biometric security

You have to wonder whether anything other than having watched too many James Bond films feeds the idea that biometrics are a good means of achieving security. Nowadays, Canadians are not allowed to smile when they are having their passport photos taken, in hopes that computers will be able to read the images more easily. Of course, any computer matching system foiled by something as simple as smiling is not exactly likely to be useful for much.

Identification v. authentication

Biometrics can be used in two very distinct ways: as a means of authentication, and as a means of identification. Using a biometric (say, a fingerprint) to authenticate is akin to using a password in combination with a username. The first tells the system who you claim to be, the second attempts to verify that using something you have (like a keycard), something you know (like a password), or something you are (like a fingerprint scan). Using a biometric for identification attempts to determine who you are, within a database of possibilities, using biometric information.

Using a fingerprint scan for identification is much more problematic than using it for authentication. This is a bit like telling people to enter a password and, if it matches any password in the system, allow them into that person’s account. It isn’t quite that bad, because fingerprints are more unique and secure than passwords, but the problem remains that as the size of the database increases, the probability of false matching increases.

For another example, imagine you are trying to identify the victim of a car wreck using dental records. If person X is the registered owner and hasn’t been heard from since the crash, we can use dental records to authenticate that a badly damaged body almost certainly belongs to person X. This is like using biometrics for authentication. Likewise, if we know the driver could be one of three people, we can ascertain with a high degree of certainty which it is, by comparing dental x-rays from the body with records for the three possible matches. The trouble arises when we have no idea who person X is, so we try running the x-rays against the whole collection that we have. Not only is this likely to be resource intensive, it is likely to generate lots of mistakes, for reasons I will detail shortly.

The big database problem in security settings

The problem of a big matching database is especially relevant when you are considering the implementation of wholesale surveillance. Ethical issues aside, imagine a database of the faces of thousands of known terrorists. You could then scan the face of everyone coming into an airport or other public place against that set. Both false positive and false negative matches are potentially problematic. With a false negative, a terrorist in the database could walk through undetected. For any scanning system, some probability (which statisticians call Beta, or the Type II Error Rate) attaches to that outcome. Conversely, there is the possibility of identifying someone not on the list as being one of the listed terrorists: a false positive. The probability of this is Alpha (Type I Error Rate), and it is in setting that threshold that the relative danger of false positives and negatives is established.

A further danger is somewhat akin to ‘mission creep’ – the logic that, since we are already here, we may as well do X in addition to Y, where X is our original purpose. This is a very frequent security issue. For example, think of driver’s licenses. Originally, they were meant to certify to a police officer that someone driving a car is licensed to do so. Some types of people would try to attack that system and make fake credentials. But once having a driver’s license lets you get credit cards, rent expensive equipment, secure other government documents, and the like, a system that existed for one purpose is vulnerable to attacks from people trying to do all sorts of other things. When that broadening of purpose is not anticipated, a serious danger exists that the security applied to the originally task will prove inadequate.

A similar problem exists with potential terrorist matching databases. Once we have a system for finding terrorists, why not throw in the faces of teenage runaways, escaped convicts, people with outstanding warrants, etc, etc? Again, putting ethical issues aside, think about the effect of enlarging the match database on the possibility of false positive results. Now, if we can count on security personnel to behave sensibly when such a result occurs, there may not be too much to worry about. Numerous cases of arbitrary detention, and even the use of lethal force, demonstrate that this is a serious issue indeed.

The problem of rare properties

In closing, I want to address a fallacy that relates to this issue. When applying an imperfect test to a rare case, you are almost always more likely to get a false positive than a legitimate result. It seems counterintuitive, but it makes perfect sense. Consider this example:

I have developed a test for a hypothetical rare disease. Let’s call it Panicky Student Syndrome (PSS). In the whole population of students, one in a million is afflicted. My test has an accuracy of 99.99%. More specifically, the probability that a student has PSS is 99.99%, given that they have tested positive. That means that if the test is administered to a random collection of students, there is a one in 10,000 chance that a particular student will test positive, but will not have PSS. Remember that the odds of actually having PSS are only one in a million. There will be 100 false positives for every real one – a situation that will arise in any circumstance where the probability of the person having that trait (whether having a rare disease or being a terrorist) is low.

Given that the reliability of even very expensive biometrics is far below that of my hypothetical PSS test, the ration of false positives to real ones is likely to be even worse. This is something to consider when governments start coming after fingerprints, iris scans, and the like in the name of increased security.

PS. Those amazed by Bond’s ability to circumvent high-tech seeming security systems using gadgets of his own should watch this MythBusters clip, in which an expensive biometric lock is opened using a licked black and white photocopy of the correct fingerprint.

PPS. I did my first Wikipedia edit today, removing someone’s childish announcement from the bottom of the biometrics entry.

[Update: 3 October 2006] For a more mathematical examination of the disease testing example, using Bayes’ Theorem, look here.

The Economist on climate change

Catching up on the reading that accumulated in my absence, I have just gone through the Survey on Climate Change in the September 9-15 issue of The Economist. Their basic argument is that the possibility of catastrophic harm is sufficient to justify the costs of stabilizing the level of carbon in the atmosphere around 550 parts per million, compared with 280 ppm before the industrial revolution, 380 ppm now, and an estimated 800 ppm by 2100 is current policy goes unchanged. The most plausible dangers identified are disastrous shifts in ocean currents, dramatically cooling Europe, and the prospect of rising sea levels. Even modest amounts of the second could do enormous harm both in the coastal cities of the developed world and the lowlands of places like Bangladesh. Other problems include the possibility of an increase in the frequency and severity of extreme weather events, and large scale species migration or extinction.

Canada is singled out several times as unlikely to meet its Kyoto targets. We are committed to reduce emissions to 6% below 1990 levels by 2012, but seem likely to be 23% above. The survey quotes Environment Minister Rona Ambrose as saying: “it is impossible, impossible for Canada to reach its Kyoto targets.” The Economist had not previously been a supporter of Kyoto, though they surely support countries living up to commitments they have made. With this survey, the magazine seems to have changed tack from general opposition to the Kyoto Protocol to recognition that it may be a valid stepping stone towards a better organized and more all-encompassing climate change policy.

At the very least, the editorial change of heart signals strongly that climate change is no longer an issue whose reality is disputed, not suited to serious consideration by scientists, policy-makers, and the media. With my thesis in mind, it is largely the first group that I paid most attention to while reading this. At several points, the article asserts that it is at the 550ppm level that scientists in aggregate start to become seriously concerned about adverse and irreversible problems associated with climate change. That said, the survey also highlights a number of scientific disagreements and failed predictions. The interplay between science and politics is basically portrayed as a simple relationship between two internally complex dialogs. That is a model I certainly mean to unpack further in my thesis work.

As I didn’t actually manage to go see An Inconvenient Truth at the Phoenix yesterday, I am making another foray tonight for the 7:00pm show.

Republican torture ‘compromise’

Despite the thin rhetoric to the contrary, it is clear that the current American administration tolerates and abets torture, indefinite detention without charge, and other basic violations of human rights. This is an astonishing error on their part. It contradicts international law, including laws that have helped to protect Americans captured by foreign regimes. It significantly diminishes whatever claim to moral superiority the United States can use to help guide regimes entirely dismissive of human rights on to a more acceptable path. Finally, it neglects the very ideals about the respect for the human person that form the basis for the American constitution and the general American consensus on the nature of political ethics.

We can only hope that a saner administration will follow in the wake of this myopic crew.

The mainstream media is reporting on this here, here, here, here, here, and in many other places.

Clever way to protect cameras on planes

Blatantly stolen from Bruce Schneier’s blog (he stole it from Matt Brandon’s blog), this idea seems really clever. If you are travelling in the States with expensive camera gear, put a starter pistol in the locked box in which the camera equipment is to be transported, then register it as a weapon.

The airline safety people will then treat the luggage as though it contains a dangerous weapon, and you can be more certain they will not lose or blatantly mistreat it. A very neat way to make security procedures work for you. Of course, you can be quite sure they will x-ray it, so this doesn’t help with the problem of transporting film on ever-more-jittery airlines.

Early morning politics

United we stand?

Now, I could – and probably should – write about my enjoyable hike up Dam Mountain with my father today. Likewise, the subject of this early morning post should be the fine dinner at Palki on Lonsdale with my mother, father, and brother Sasha. Failing that, I should certainly write about exploring English Bay with Nick, Neal, and Lauren, then getting a jumbo poutine with extra war sauce at Fritz, just off Granville. But people are quite rightly sick of me just narrating life, so I will present a bit of a puzzle instead.

The image above was taken of the back of a utility truck of the kind used by many of the Vancouver schoolboards, at Georgia and Granville at about 2:00am. A fairly odd looking character in a jacket was using various tools on the newspaper vending boxes at that intersection: unloading newer looking units for selling The Vancouver Sun and The Province – local newspapers with content of varying quality.

§

The real questions are, who attached the original sticker, who blacked out one flag with spray paint, and why. Presumably, it previously showed an American flag that has been blacked out subsequently due to the widespread hostility in much of the world that has developed towards the United States, particularly since the invasion of Iraq in 2003.

I don’t really know how I feel about this display, but I took a photo for much the same reasons I often photograph graffiti: any expression of a genuine sentiment is at least worthy of cursory examination, and frequently worthy of deep thought. Right now, I am far too exhausted to think it through.

Flight safety

Emerson driving the boat

Those who were amused by Tyler’s discussion of airline safety in the excellent film Fight Club may enjoy a leader article (what the Brits call an editorial) from this week’s Economist. It purports to be an accurate version of the spiel you get every time you board an aircraft. It confirms what I have already heard, read, and believed and I am pretty sure they did their homework. It is also fairly funny:

Your life-jacket can be found under your seat, but please do not remove it now. In fact, do not bother to look for it at all. In the event of a landing on water, an unprecedented miracle will have occurred, because in the history of aviation the number of wide-bodied aircraft that have made successful landings on water is zero. This aircraft is equipped with inflatable slides that detach to form life rafts, not that it makes any difference. Please remove high-heeled shoes before using the slides. We might as well add that space helmets and anti-gravity belts should also be removed, since even to mention the use of the slides as rafts is to enter the realm of science fiction.

Please switch off all mobile phones, since they can interfere with the aircraft’s navigation systems. At least, that’s what you’ve always been told. The real reason to switch them off is because they interfere with mobile networks on the ground, but somehow that doesn’t sound quite so good.

The bit about water landings is, of course, especially dire. Just think about what would happen when a huge jetliner landed on water. It would either stall before hitting the water and fall more or less straight downward, or plow at a rate above stall speed forward into the water, in which those huge jet engines would rapidly cause the plane to slow. Passengers would be thrown forward with enormous violence. Far better to have seats facing backwards like in military transport planes, but who wants to pay $1000 for a ticket and then be reminded that you may end your flight as part of a mile-long trail or debris or cloud of polluted seawater?

All that said, flying is still definitely the safest way to travel long distances, and considerably less risky than failing to exercise and maintain a healthy diet, in terms of the risk of getting killed.

PS. Please note that these pictures have nothing to do with the posts in which they are embedded. They are just nice portraits from CF2 that I wanted to include in the blog. The very best photos will appear on Photo.net once I get my lovely Mac back.

Building utopias or avoiding disasters

Neal Lantela in a lifejacket

In the car, on the way back from Tristan’s cabin, a discussion arose about the problem of racism. As usual, I rapidly found myself unable to comprehend the terminology of philosophical devotees. I have never seen abstract theorizing as a particularly good way of effecting positive change in the world, or even identifying means by which to do so. Regardless, an interesting possibility arose from the conversation. At first, consideration was being given – by some – to mechanisms through which revolution could be used to generate a kind of ideal society. Personally, I found many of the characteristics of the postulated society despicable, but that is less interesting than the very phenomenon of trying to create utopias through the application of human reasoning and abilities. This is a vice to which those farthest from the political mainstream have always been particularly vulnerable: hoping to roll over the whole elephant of society so that their ideas end up on top.

From what I know of history and political philosophy, those who try to built utopias always fail: either for themselves or for those who are meant to live in their perfect society. Perhaps the big lesson of history is that people should focus on avoiding disaster, rather than perfecting the styles of interaction between people. Of course, that leaves the issue of deciding what constitutes a disaster. Was the internment of Japanese Canadians during the Second World War a moral disaster? What about the execution of an innocent person? What about the supposed decline of traditional family values?

The answer, perhaps, is a kind of pragmatic reverse utilitarianism which seeks to reduce violence in society to the minimum possible level, in lieu of trying to maximize utility. Utility or happiness is, after all, a fairly woolly concept and one open to flying accusations that there are ‘higher’ or ‘lower’ forms of happiness for reasons founded in morals or aesthetics. Violence, by comparison, is pretty clear cut. No doubt the idea is rife with problems – both logical and pragmatic – but it is something that seems worthy of consideration.

PS. Please note that these pictures have nothing to do with the posts in which they are embedded. They are just nice portraits from CF2 that I wanted to include in the blog. The very best photos will appear on Photo.net once I get my lovely Mac back.

Dangerous Afghan skies

I was talking with Edwina today about the possibility that the British Hawker-Siddeley Nimrod MR2 reconnaissance aircraft that crashed in Afghanistan recently was shot down by a FIM-92 Stinger missile, as Taliban representatives claimed. Fourteen British airmen were killed in the crash: the largest single day loss of British military personnel since the Falklands War. Given the ongoing presence of the Canadian Forces in Afghanistan and the famous provision of about 500 of these surface-to-air missiles to the Mujaheddin by the CIA during the Soviet invasion of Afghanistan, it is a question with contemporary relevance for Canadians.

Under construction since 1981 by the Raytheon Corporation (which also makes the washers and dryers used in residences at the University of British Columbia), the Stinger missile has a range of about 4800 metres and a maximum altitude of about 3800 – well below the cruising altitude of commercial aircraft. The Stinger seeks targets using an infrared homing system and is propelled using a two-stage chemical rocket. The homing system is thus vulnerable to flares used as decoy heat signatures, as well as to the reduction of an aircraft’s thermal profile through mechanisms like the internally mounted turbofan engines on vehicles like the B-2 Spirit Bomber, not that the Canadian Forces will or should get any of those.

Most of the reporting on the crash says that it was the result of a technical fault. This is the position that has been taken officially by NATO and the RAF, while the Taliban has claimed that it shot the plane down. There were Taliban fighters in the area, as evidenced by the rapidity with which the British Special Air Service (SAS) commandos were dispatched to destroy any secret electronic equipment that survived the malfunction and subsequent crash. Of course, it would be especially embarrassing to have a £100 million plane shot down and fourteen British soldiers killed by a $26,000 missile that was given to your enemies by the country with whom the Blair government is so loyally and controversially allied. As with the earlier discussion on conspiracy theories, we are left with little means for analyzing the official reports aside from our own intuition about which sources are trustworthy and which explanations are credible.

Whether the crash was an accident (as seems most plausible) or the result of enemy action, the dangers of continued military operations in Afghanistan are demonstrated. Even with complete air superiority, powerful allies, and all the other advantages of being in a superpower coalition, Canadian, British, and American soldiers will continue to die in Afghanistan until such a time as we decide to leave that country to the government and warlords who effectively control it today.