Efforts to move medical records out of their antiquated paper files and into sleek new computer systems have gained great momentum in recent months. The Obama administration has pledged $17.2 billion in economic stimulus funds toward this goal. Supporters have hailed the benefits of speedier access to critical medical data and easier transfer of medical histories when a patient sees a new physician.
But amid this rush toward new technology, some doctors and several organizations such as Patient Privacy Rights have raised a yellow flag of caution. In this age of Internet hackers and lost laptops, just how secure, they ask, will these computerized medical records be? After all, it’s a lot easier for someone to waltz out of a hospital with a USB stick in their pocket containing 5,000 patient records, than with many boxes containing the equivalent paper records. Moving electronic records online can make them particularly vulnerable.
To some extent, these fears are justified. I have been studying the security of electronic medical files for about a year now, and it’s not the first time I’ve confronted the pros and cons of paper versus electronic records. Since 2003, my primary research has focused on the security of electronic voting systems. As a result of that work, I have concluded that the best way to ensure proper elections is to move from electronic to paper ballots.
Yet what is true for voting systems is not necessarily true for electronic medical records. The adversarial model in these two applications is completely different. In a voting system, all parties should be viewed as adversarial. Everyone has a stake in the outcome, and there is no reason to believe every software developer, election official, poll worker or voter will refrain from tampering with the process. That doesn’t mean these people are malicious. It just means that we need voting systems that can be trusted, even when the people associated with the process are corrupt.
Contrast that with the medical records scenario. Computerized system designers and builders have every reason to want their technology to be secure, and little or no incentive to undercut this. Vendors will sell more systems if their technology is highly secure. Hospital administrators will seek the safest systems to protect patient privacy and keep their institutions off the front pages and out of the courtroom. For patients, the benefits are obvious.
Protecting identifiable electronic medical records is easier than protecting anonymous votes in an election. And it is a manageable problem. That’s not to say that there will never be incidents where medical records are compromised. But with good design, proper care, appropriate procedures and of course sufficient funding, electronic medical records can be protected as well or even better than the paper versions.
Still, we need to be careful. There are many wrong ways to make this transition. If history is any indicator, unless a concerted effort is made to require proper protection, the new medical systems will be no better than the insecure voting machines that many states have purchased. When money flows from Washington, vendors tend to spring up out of nowhere. The ones who gain traction are the ones with the best sales teams, the glossiest brochures and the best connections, but not necessarily the most secure systems. This has happened over and over again in every industry.
We need to make sure that security standards, including evaluation and testing procedures, are established before the billions are spent. Computer security experts in academia, government and industry should all be engaged to establish criteria and evaluation methodologies. We need support from all of the relevant stakeholders, including privacy advocates, the medical establishment, vendors and the technical security community.
We are facing a golden opportunity to improve the lives of millions of Americans by providing computerized storage and access for medical records. We can reduce or eliminate redundancy, waste, unnecessary exams and procedures, and medical errors. And, we can do it without inordinate risks to individual privacy. Nevertheless, while electronic records appear to be our destiny, the privacy of those records will only be preserved if we are careful and do this right. There will be no second chances.
Tuesday, May 12, 2009
Tuesday, March 31, 2009
ISE press release: New CEO hired April 1
FOR IMMEDIATE RELEASE
Date: April 1, 2009
Independent Security Evaluators Hires CEO
Independent Security Evaluators LLC (“ISE”), a Baltimore-based computer security consulting firm, has hired Richard “Rick” Wagoner as the Chief Executive Officer. Dr. Avi Rubin, president and founding partner of ISE, stated that the company’s rapid growth led to the need to bring in a CEO. “We have been very fortunate to have experienced significant growth since we started ISE four and a half years ago,” said Dr. Rubin. “Our client base and reputation continue to grow, and in order to continue delivering the highest level of technical consulting expertise, we felt it was time to recruit a business leader with a proven track record to manage operations and provide strategic direction for ISE. We are grateful to President Barack Obama for making Mr. Wagoner available for this job.”
Dr. Rubin and the partners of ISE believe Mr. Wagoner has the right skill set and experience to move ISE forward. “Rick offers the unique blend of drive and creativity, combined with executive management experience that we are confident will take ISE to the next level,” said Dr. Rubin.
Mr. Wagoner has held high level corporate management positions. Most recently, Mr. Wagoner was chairman and chief executive of General Motors Corporation. Although GM experienced a loss of $80 billion under his watch, Mr. Wagoner is confident that things will be better at ISE. “The tremendous loss of market share that we experienced at General Motors in the last eight years is simply not possible at ISE. This makes my new challenge all the more exciting,” said Wagoner. He received a bachelor’s degree in economics from Duke University in 1975 and a master’s in business administration from Harvard University in 1977.
“I am thrilled to be working with such a talented group of people in the expanding field of information security,” said Mr. Wagoner. “Avi and the partners have created a very solid base from which to grow the business. I am excited to work for a company that is not unionized and to escape the cold winters of Michigan. Being in Baltimore has other advantages. If we need to go to Washington for a bailout, it’s only an hour’s drive away – no need for a corporate jet.” ISE plans to invest the savings from not needing a corporate jet back into the local community.
---
About ISE: ISE was founded by Dr. Rubin, a computer science professor and the Technical Director of the Information Security Institute at the Johns Hopkins University. A custom technology consulting group, ISE was established to address the need for increased information security at every level of an organization. ISE leverages academic theory and real world experience to design and build new, innovative solutions and to evaluate existing security infrastructure. In the near future, ISE expects to produce energy efficient, low cost, and highly secure automobiles.
Tuesday, March 17, 2009
Trusting Bruce Schneier is risky business - just ask Jack Bauer
In last night's episode of Fox's thriller show, 24, there is a reference to the Blowfish algorithm which was designed by Bruce Schneier. On the show, an email message that contains the expected location of Jack Bauer is encrypted using Blowfish. The FBI intercepts the message and must decrypt it if they are to find him. I was curious to see what the 24 writers had up their sleeve. The answer: the designer of Blowfish put in a back door which was known to a former CTU operative. The FBI had leverage over the former CTU man because his wife was being held and faced at least 15 years in prison. The cipher was broken in seconds. Thanks a lot, Bruce! Thanks to your back door, Bauer is now being chased as a wanted man ... at least until next week.
Monday, March 09, 2009
Facebook privacy settings - nice, but I wish they actually worked
I resisted joining facebook as long as I could, but I finally succumbed to peer pressure and joined. Like most people, I have a love-hate relationship with the site. It has been great for catching up with old friends, keeping up with what people are doing, and making announcements to large groups of friends. But facebook has also posed dilemmas at times. What do I do when someone I barely know tries to friend me? How about someone I don't know? What about someone from high school whose name sounds very familiar, but I can't for the life of me recall if we were friends or if perhaps I hated that person?
Like most people, I set a personal threshold above which I accept the invitation. At the risk of offending people, I typically err on the side of accepting requests. So, I've now got over 200 facebook friends, many of whom I barely know. As such, facebook is a lot less useful. The main reason is that I have disjoint circles of friends who I know for different reasons, and with whom I have different kinds of interactions. First there's family. I like to share pictures and videos of my kids with my relatives. But, I don't necessarily want everyone to see them. I have my soccer buddies. I play in two different leagues on Sunday mornings and Thursday nights. I sometimes use my status to poke fun at something that happened in a game, or to brag about a big win. Most of my friends don't really care about that. I have my poker buddies, my geek computer science friends, my high school pals, college roommates, sailing mates, tennis partners, and other circles of friends, none of whom know each other. I've been friended by current and former students, researchers in my field at other universities, past colleagues in industry, and friends of my family since childhood. Of course, I've done a lot of the friend requesting myself. The point is that it's a diverse set of people, and that I interact with them very differently. Some of my poker buddies have tattoos and take cigarette breaks during games, while many colleagues in my field have never had a friend with fancy body markings and wouldn't be caught dead in a casino. Some of my computer science colleagues have won international awards for highly technical discoveries, while some of my soccer teammates didn't go to college.
As far as I can tell, facebook does not recognize that people live in many different communities. I'd like the ability to post one status message to all my relatives and a different one to all my technical colleagues. I'd like to post pictures of my kids that only our group of friends that I will refer to as "parents of our kids' friends in school" can see. I tried to figure out a way to do this, and discovered a feature on facebook that allows you to make lists of friends. Then, supposedly, you can control the access to your facebook information based on these lists.
Either I do not understand how these features work, or more likely, they do not actually work correctly. (If the former is true, then facebook has designed privacy features that a computer scientist specializing in computer security and privacy cannot understand, and so they better get to work on their interface.) In the privacy setting screen, under Settings->Privacy->Profile, you can set who can see various information, such as profile, status, wall postings, videos that you are tagged in, and others. If you select "Custom", you can specify a friend list. There is also a nifty feature that lets you see your page as any of your friends who you select would see it. So, for example, I can specify Ann Rubin and see what my facebook pages look like when Ann Rubin accesses them, based on my privacy settings. I played around with this for a while. I set a friends list that consists of personal friends who I tend to socialize with. Selecting the names was an interesting exercise. The threshold I set was whether I had gotten together with this person in a purely social setting in the last two years. I set it so that only people on this list could view my status updates and my wall postings. I then set my status and posted some things to my wall.
Next, I viewed my facebook home page as one of my friends who was not on the social list. The status was not visible, but the wall posting was. I've since experimented quite a bit with the privacy settings using friend lists, and I've found that some of the features simply don't work. It is possible that I'm not doing it right. It wouldn't be the first time. But I consider myself an expert in this sort of thing, and if I can't get it right, I don't think there's much hope for the broader facebook user population. I wonder to what extent facebook has tested their custom settings options in their privacy settings. The only thing worse than not providing privacy features is providing privacy features that do not actually give the claimed privacy. Think of how much trouble you could get in. I might have posted pictures of myself sailing on a day that I was supposed to be at work, believing that my JHU colleagues, my department chair, or most seriously my students couldn't access my wall. It's a good thing that I tested the features before feeling comfortable using them.
The bottom line is that there really is no privacy for information that you volunteer onto facebook. If something would embarrass you, or would be inappropriate for certain friends, you shouldn't post it thinking that only the other friends will see it. In theory, facebook is an excellent way to keep up with people and to notify people of your activities in a twitter-like fashion. But, when it comes to privacy, facebook still has a lot of work to do.
Thursday, March 05, 2009
I'll update my software when I'm good and ready - thank you
Not since I got my first iPhone (after waiting in line for a few hours) have I been as excited to get a new gadget as I was last week when my new Amazon Kindle 2 arrived. It did not disappoint. The screen resolution, using the new e-ink technology, is absolutely stunning. You have to see it to believe it. I immediately purchased the book that I've been reading in hard cover, Ken Follett's World Without End, and I put the heavy volume on the bookshelf for good. I also downloaded samples of Barack Obama's book about his father and of course, of my book Brave New Ballot, so I could show it to people. The books download in under a minute. I read in the instructions that the battery lasts much longer when the wireless modem is off, so once I downloaded my books, I turned off the modem.
Yesterday, Amazon released the Kindle for iPhone app - another exciting development. I installed the app, and the iPhone automatically downloaded the books that I had purchased on my Kindle. I checked out World Without End, and the book opened to the spot that I was reading on the Kindle a couple of days ago when I turned off the wireless modem. Very nice! Amazon's Whispersync technology kept the iPhone version and the Kindle version at the same spot. Unfortunately, this meant that I had to keep the Kindle modem on if I wanted the iPhone to know where I was. That was okay. I could either remember to turn on the modem for a short while when I finished reading on the Kindle, or just keep it on and remember to charge it.
I wanted my iPhone to know where I was in the book, so I turned on the Kindle modem. That's when I discovered a "feature" in the Kindle that I did not like. The Kindle suddenly went blank and a progress bar came on, along with the words "Software is updating" or something like that. I don't remember the exact words. The Kindle had a software upgrade, and without any prompting, it performed the update. Presumably, this was the update that disabled text to speech on some of the books (see this article).
Now, I am a gadget freak. I am an early adopter of almost every cool new gadget that comes out. I can barely count the number of items in my house that update their own software. My Blu-Ray DVD player, my DVR, my Apple TV, my computers, my iPhone, my digital camera, and even my refrigerator (just kidding) - they all get software updates all the time. But first, they ASK ME. It is only civilized. Amazon has decided that it is not a user's choice whether or not to update the Kindle software. This is downright rude.
When I first studied the idea of software updates on common devices, back when I worked at AT&T Labs, and we were designing security protocols for cable modems, I was very concerned. But, proper use of digital signatures and public key cryptography can greatly reduce the security risks. However, software updates are disruptive. They can break things, and they might come at a very inconvenient time. The user owns his devices, and it should be his choice whether or not to update the software. I do not like the auto software update on the Kindle one bit. I hope that the next software update that happens to me while I'm in the middle of reading will change the software update process so that the user can decide whether or not to update.
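What a signature-checked update with a consent gate looks like in practice, as an added example that is not Amazon's code and not part of the original post. The update layout (version number, image, signature over version and image hash), the Device type and the check order are assumptions made for illustration. The device verifies the vendor's Ed25519 signature first, refuses anything older than what is installed, and then still does nothing until the user has said yes to this particular update.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is one software update as the device receives it. This layout is a
// hypothetical one chosen for the example, not any vendor's real format.
type Update struct {
	Version   uint32 // must increase monotonically; blocks rollback to an older build
	Payload   []byte // the image itself
	Signature []byte // Ed25519 signature over Version || SHA-256(Payload)
}

// Device holds the state needed to decide whether an update may be applied.
type Device struct {
	VendorKey        ed25519.PublicKey // public key baked into the device at manufacture
	InstalledVersion uint32
	UserApproved     bool // set only by an explicit user action, cleared after each update
}

var (
	ErrBadSignature = errors.New("update: signature does not verify")
	ErrRollback     = errors.New("update: version is not newer than installed")
	ErrNotApproved  = errors.New("update: user has not approved this update")
)

// signedMessage is the exact byte string the vendor signs: the version number
// followed by a hash of the payload. Binding the version into the signed data
// means an attacker cannot pair an old signed image with a new version number.
func signedMessage(version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(msg[:4], version)
	copy(msg[4:], digest[:])
	return msg
}

// SignUpdate is the vendor side; it runs wherever the private key is kept.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// Verify is the device side. Checks run in order: authenticity and integrity
// (signature), anti-rollback (version), and finally the user's consent.
func (d *Device) Verify(u Update) error {
	if !ed25519.Verify(d.VendorKey, signedMessage(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if !d.UserApproved {
		return ErrNotApproved
	}
	return nil
}

// Apply installs the update only when Verify accepts it, and consumes the
// consent so that approval is per update rather than a standing grant.
func (d *Device) Apply(u Update) error {
	if err := d.Verify(u); err != nil {
		return err
	}
	d.InstalledVersion = u.Version
	d.UserApproved = false
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorKey: pub, InstalledVersion: 1}
	img := []byte("constructed sample image bytes") // constructed for the example

	good := SignUpdate(priv, 2, img)
	fmt.Println("without consent:", dev.Apply(good))
	dev.UserApproved = true
	fmt.Println("with consent:   ", dev.Apply(good), "installed =", dev.InstalledVersion)

	tampered := good
	tampered.Payload = append([]byte{}, img...)
	tampered.Payload[0] ^= 1 // one flipped bit in the image
	dev.UserApproved = true
	fmt.Println("tampered image: ", dev.Apply(tampered))
}
```

The order matters: the signature is checked before anything else so that an unauthenticated update never influences state, and the consent flag is checked last and reset after use so that a single "yes" cannot be replayed against a later, different update.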
Other than that, I love my Kindle. I read a lot, and now the experience is that much better. Now, I wait for Kindle 3. What will it have? Color? Touchscreen? Virtual Display in my contact lenses? It will be exciting, and hopefully, it will let me control software updates.
Tuesday, February 03, 2009
Family Resemblance
Yesterday, I installed the new version of iLife '09 on my computer. This is Apple's photo management and editing software for the Mac, and the new version includes a truly incredible feature based on face recognition technology. You can select pictures from your photo library and tag faces in the pictures. The software then searches your library and finds other pictures that it selects as candidate matches for the tagged faces. There is an interface for viewing all of the candidate pictures, confirming correct matches, and correcting pictures that have been mis-tagged.
I am an amateur photographer with a photo library of over 30,000 pictures, going back to the advent of digital cameras. I have a studio in my basement where I take portrait shots, and I'm often lugging around my camera bag with all my lenses - especially to the kids' events at school. Finding particular pictures has been very hard, but Apple has made it easier with the last few upgrades to iPhoto, including categorizing pictures into Events, keyword searches, and smart libraries. This face recognition technology takes organizing photos to a new level.
One of the most interesting and entertaining properties that I've discovered in iPhoto '09 comes from pictures that are tagged incorrectly by the software. The most common mistake is tagging someone as his/her sibling. There must be something in the face recognition algorithm that picks up on family resemblances that are not perceived by humans. For example, as luck would have it, my brother and I look nothing alike. (In this case it is his good fortune.) We've been told that our entire lives. But, in several instances the software confused our faces. Similarly, my father and his brothers were mis-tagged as each other. In fact, the two people that the software seems the most confused about are my older daughter and my son. I found this a bit surprising because my son has a twin sister, and I have not seen an instance yet where one of the twins was tagged as the other. However, my older daughter and my son seem to provide the biggest challenge to the tagging feature.
I've noticed two factors that contribute to the accuracy of the face recognition - the number of pictures I have of someone, and the number of times I manually tag them. So, it's not surprising that the most collisions occur between relatives. Still, I observed few instances of two people being tagged as each other where there was no blood relation. Siblings on the other hand seem to throw iPhoto face recognition for a loop.
What was surprising to me was that I was not tagged as either of my parents by the software, despite the fact that people tell me I look like my mother. In fact, I saw very few instances of parents tagged as their children or vice versa. I'm very curious about the face recognition algorithm and about the family resemblance properties that iPhoto '09 exposes as a side effect.
Apple has taken what I believe to be a revolutionary step in photo organization, and for once, the bugs, or more accurately, the deficiencies in the software, namely mistakes in the tagging algorithm, actually provide the most fun.
I am an amateur photographer with a photo library of over 30,000 pictures, going back to the advent of digital cameras. I have a studio in my basement where I take portrait shots, and I'm often lugging around my camera bag with all my lenses - especially to the kids' events at school. Finding particular pictures has been very hard, but Apple has made it easier with the last few upgrades to iPhoto, including categorizing pictures into Events, keyword searches, and smart libraries. This face recognition technology takes organizing photos to a new level.
One of the most interesting and entertaining properties that I've discovered in iPhoto '09 comes from pictures that are tagged incorrectly by the software. The most common mistake is tagging someone as his/her sibling. There must be something in the face recognition algorithm that picks up on family resemblances that are not perceived by humans. For example, as luck would have it, my brother and I look nothing alike. (In this case it is his good fortune.) We've been told that our entire lives. But, in several instances the software confused our faces. Similarly, my father and his brothers were mis-tagged as each other. In fact, the two people that the software seems the most confused about are my older daughter and my son. I found this a bit surprising because my son has a twin sister, and I have not seen an instance yet where one of the twins was tagged as the other. However, my older daughter and my son seem to provide the biggest challenge to the tagging feature.
I've noticed two factors that contribute to the accuracy of the face recognition - the number of pictures I have of someone, and the number of times I manually tag them. So, it's not surprising that the most collisions occur between relatives. Still, I observed few instances of two people being tagged as each other where there was no blood relation. Siblings, on the other hand, seem to throw iPhoto face recognition for a loop.
What was surprising to me was that I was not tagged as either of my parents by the software, despite the fact that people tell me I look like my mother. In fact, I saw very few instances of parents tagged as their children or vice versa. I'm very curious about the face recognition algorithm and about the family resemblance properties that iPhoto '09 exposes as a side effect.
Apple has taken what I believe to be a revolutionary step in photo organization, and for once, the bugs, or more accurately, the deficiencies in the software, namely mistakes in the tagging algorithm, actually provide the most fun.
Tuesday, January 13, 2009
Jack Bauer and the security of our critical infrastructure
Last year, I became addicted to the Fox TV show "24". I downloaded all of the old episodes to my iPhone (and later my Apple TV) and I watched them while working out. Watching the high-intensity, high-action 24 adds to the adrenaline rush I get while riding my exercise bike or running on my treadmill. The first two seasons were amazing. Jack Bauer saved the world from nuclear war and from a deadly virus. Over the next 4 seasons, the show continued to play on these themes, but it became somewhat predictable. There are only so many ways bad guys can destroy the world. Several months ago, I finally caught up; I had seen all of the old episodes. And last year, there was no 24 due to the writers' strike in Hollywood.
It appears that the writers had some time to come up with some new and creative material during the year-long layoff. This year's season, which premiered last month and then again this past weekend (the show managed to have 3 premieres for a total of 6 hours) is based on a premise that I know all too well. In fact, it is very interesting to me that the writers' brainstorming of what could be the worst threat to the US besides a nuclear or viral attack is the same as what I have been worried about for some time now. The basic idea is that the bad guys have kidnapped a security expert who was the chief designer for a super firewall that controls access to all of the critical infrastructure in the country. This scientist is forced to create a device that allows the bad guys to take over air traffic control, the water treatment centers, the power grid, etc. (Never mind that he is able to accomplish this in a matter of minutes.)
While the show is not very accurate technologically, and the specific scenario of this season's 24 is far from realistic, the actual threat is very real. Much of our critical infrastructure is controlled by computers. Real-time control systems are increasingly dependent on software, software that inherently contains bugs and is increasingly complex. The same targets that are depicted in over-dramatized fashion on 24 are becoming increasingly vulnerable to real-world criminals. Now, President-elect Obama is talking about digitizing health records and about upgrading our technological infrastructure. I'm all for that. But, security needs to be a top priority. We cannot let what happened with voting systems - where the technology was developed before security was considered - happen in our healthcare system.
Part of the reason why I have been enjoying watching 24 is that I get a good laugh at some of the ridiculous depictions of technology and, in particular, security. However, the vulnerability of our critical infrastructure to cyber attack is no laughing matter.
Tuesday, December 16, 2008
The Great Debate
I participated in the Great Latke-Hamantash debate at Johns Hopkins this year. If you are not familiar with this serious, intellectual event, you can read about it here. I took the side of the Latke, of course, as it is the superior snack. Here is a video clip showing my opening statements in the debate. Unfortunately, we lost. (There is a rumor that the Hamantash paid off the moderator, but I can't prove it.)
Tuesday, November 04, 2008
My day at the polls
This morning, I woke up at 4:08 a.m., and I could not fall back asleep. I was charged with adrenalin. It was Election Day again. And what an election; without a doubt the most hyped-up, super-charged election in my entire life. I stayed in bed until about 4:45 and got ready to head out for a long, long day at the polls. I left the house at 5:40 a.m. and arrived at my precinct a few minutes later. About half of the election judges were already there, and I got busy helping to set up our precinct so that we could open on time at 7:00.
In Maryland, we use paperless Diebold DRE voting machines. These are the same ones that we analyzed in our report in 2003 and that were analyzed in several follow-up reports, all of which found serious security problems. The machines are set up in a daisy-chain fashion, where one of them is plugged into the wall, and then each one plugs into the one next to it. I noticed that the judges had set up 9 of our 16 machines in a line, such that voters would have to walk all the way around to get to the middle ones. So, I broke them up into a group of 4 and a group of 5, with a passage in between them. This provided much better access for voters. I had plenty of discretion in setting up our precinct, as one of the chief judges was the same as in the last election, and she told me to make any decisions I wanted and to do whatever I thought was best. We worked very well together last time, and she and the other judges deferred to me whenever there was an issue - and there were several. I made several changes to the way our precinct was set up. Numerous times, I was called away by the person who was provided by the county as the technical person to help. It didn't take long before everybody, including the two chief judges, called me away from whatever I was doing, whenever we had a real problem.
I wondered what happened in other precincts that did not have someone who was very experienced with the machines and as a poll worker. This was my sixth election working as a judge with these voting machines. I attended half a dozen training sessions, and my research team wrote a paper about the machines. Some of the problems I had to deal with related to human factors, and others were purely technical. Let me summarize some of the problems we had in my precinct today.
One of our voting machines was dead. The first thing I noticed was that it didn't boot correctly. It said "No Election Loaded" or something like that. This did not seem good. I noticed that the battery was at 0%, and I realized that this machine was probably shipped to us with an empty battery, so whatever information was loaded onto it about our election had been erased. We called the board of elections, and they sent a technician out, but he was unable to do anything about it. However, we had 16 machines, and in the previous election we had only had 12 and we had managed. I was a bit concerned because the turnout was expected to be much higher. The thought crossed my mind about what would have happened if all the machines had arrived in that condition. We had 125 provisional ballots, no emergency backup ballots, 3,091 registered voters, and 2,080 voters showed up. It would have been a total disaster.
We had several other glitches with the machines, which I consider to be minor. Some of the machines have housings that are starting to wear. On one of them the screen had broken off the rest of the machine and was barely hanging together by some wires. On another one of the machines there was a gap next to the section where the smartcard is supposed to be inserted, and a couple of voters inserted their cards into the gap. The final one got it stuck so badly that we were unable to remove it and we had to issue him a different card. My overall impression is that these machines are showing the wear and tear of several election cycles, and that they will require some pretty serious maintenance and upkeep if they are to be used again. Thankfully, Maryland plans to switch to optically scanned paper ballots in 2010. (However, at the moment, there is a possibility that Maryland will not be able to fund this change, and that it will fall through. I believe it would be more expensive to fix up the current systems and to maintain them than what it would cost to switch to op scan.)
We were also missing a cable needed to hook up one of the electronic poll books. The e-poll books are used to check voters in. They contain a copy of the voter registration database. We were able to hook up the other three e-poll books, and they worked fine. However, about an hour and a half into the election, we realized that the Ethernet hub that was connecting the e-poll books to each other was not working, and we found that it had become unplugged. This means that for some non-trivial amount of time, our e-poll books were not synchronized, meaning that people could have theoretically signed in and voted several times. During that busy time, there is no way we would have noticed that. Once we realized this and fixed the problem, the e-poll books synchronized. I felt pretty stupid because I should have noticed that the e-poll books were not synchronizing, but there was a lot going on, and I overlooked that. We had an incredible turnout between 7 a.m. and 12:30 p.m., and besides working at the e-poll books, I was getting called away by the chief judges every time there was a problem, or when a voter was having trouble. It was hectic, and I was not able to pay attention to all the details as much as I would have liked. We eventually got the cable and hooked up the fourth e-poll book. At that point, we were able to check in voters faster than they could vote, and as a result, we ended up with longer lines by the machines, and so we throttled down our check-in until we found a state of equilibrium inside. During that time, the lines outside were pretty long, but I think even at the worst, the most anybody waited today at our precinct was an hour and a half.
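The unsynchronized e-poll book problem above is easy to model, and the model also shows what a post-election reconciliation of the check-in logs can still catch. The following is an added example with constructed data; it is not the e-poll book software used in Maryland nor any of its real logs. It assumes each book keeps a local set of checked-in voters plus an append-only log, that synchronization replicates every book's set to the others, and that voter IDs like V1001 and book names like book-1 are placeholders.

```python
"""
Electronic poll book check-in with and without synchronization.

Added example with constructed data (not the real e-poll book software
or its logs). While the books share their check-ins, a second check-in
by the same voter is refused at the counter; with the link down, each
book only knows its own check-ins, so a duplicate can be accepted.
Merging the logs afterwards recovers the duplicates that slipped through.
"""
from collections import defaultdict
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M"


class PollBook:
    """One e-poll book: the voters it believes are checked in, plus its own log."""

    def __init__(self, book_id):
        self.book_id = book_id
        self.seen = set()   # voter IDs this book knows have checked in anywhere
        self.log = []       # (timestamp, voter_id) check-ins accepted at this book

    def check_in(self, timestamp, voter_id):
        """Accept a voter unless this book already knows they have checked in."""
        if voter_id in self.seen:
            return False
        self.seen.add(voter_id)
        self.log.append((timestamp, voter_id))
        return True


def synchronize(books):
    """Replicate every book's check-ins to every other book (what the hub enabled)."""
    union = set().union(*(b.seen for b in books))
    for b in books:
        b.seen |= union


def find_duplicate_checkins(books):
    """Merge all logs; return {voter_id: [(time, book_id), ...]} for voters seen twice or more."""
    by_voter = defaultdict(list)
    for b in books:
        for ts, voter in b.log:
            by_voter[voter].append((datetime.strptime(ts, TIME_FMT), b.book_id))
    return {v: sorted(hits) for v, hits in by_voter.items() if len(hits) > 1}


def run_constructed_day():
    """Replay a constructed morning: hub up, hub unplugged, hub restored."""
    books = [PollBook("book-1"), PollBook("book-2"), PollBook("book-3")]
    b1, b2, b3 = books

    # 07:00-08:30, hub connected: every check-in is replicated right away
    b1.check_in("2008-11-04 07:02", "V1001")
    synchronize(books)
    b2.check_in("2008-11-04 07:03", "V1004")
    synchronize(books)
    refused_while_synced = b3.check_in("2008-11-04 07:10", "V1001")   # already known: False

    # 08:30-10:00, hub unplugged: no synchronize() between check-ins
    b1.check_in("2008-11-04 08:40", "V1003")
    accepted_during_outage = b2.check_in("2008-11-04 08:41", "V1003")  # slips through: True
    b2.check_in("2008-11-04 08:50", "V1005")
    b3.check_in("2008-11-04 08:55", "V1001")   # still refused: known before the outage
    b3.check_in("2008-11-04 09:10", "V1005")   # second duplicate slips through

    # 10:00, hub restored: the books converge, but accepted duplicates are already logged
    synchronize(books)
    return refused_while_synced, accepted_during_outage, find_duplicate_checkins(books)


if __name__ == "__main__":
    refused, accepted, dups = run_constructed_day()
    print("refused while synced:", refused, "| accepted during outage:", accepted)
    for voter, hits in dups.items():
        print(voter, [(t.strftime("%H:%M"), book) for t, book in hits])
```

Note which voters are exposed: only someone whose first check-in happened after the hub went down can be accepted a second time, because earlier check-ins had already been replicated to every book. Restoring the link makes the books agree again but does not undo the duplicates, which is why the merged-log check belongs in the close-of-polls procedure rather than being left to whoever notices the hub light.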
I think that the worst part of our election had to do with the voter registration database. We had numerous people who came in but were not listed as registered. One man I remember said he had voted forever in this precinct and had even voted in the primary. He was there with his wife who was in the system and who was able to vote. But, his name was simply not there. We looked in the statewide database and even in a paper printout we had of the registered voters, and he did not exist. We gave him a provisional ballot, but I don't have confidence that it will ever be counted. Numerous people were listed as not registered in our precinct despite having voted there before. This was also the hardest part for us as judges because we were on the front lines with these justifiably irritated voters. I didn't want to defend our system, but I didn't want to denigrate it either. Most people understood that we were volunteers who were working very hard to try to make the election work, but some of the ones with registration problems only saw us as part of the problem that was causing them to miss out on the ability to vote. I dreaded those moments when I realized that the voter in front of me was going to have a problem and I had to be the one to tell them.
At one point, the chief judge called me over because a voter had a serious problem. The voter was convinced that the machine was not working correctly. She showed me the problem. There was a race for judge that allowed the voter to pick up to two choices for judges. She had picked one but wanted to leave the other one blank. When she got to the summary screen, the race was colored in pink (to represent an undervote), and it had the name of the judge, and under it were the words "Not Selected". She told me that she had wanted to select the judge, but that her choice was not selected. It took me a few times going back and forth to the summary screen to figure out what was going on. Since she voted for one and not both candidates, the race was flagged as an undervote. Her two choices were shown as "the one she chose" and the other as "Not Selected", rather than saying that the one she chose was not selected. Once I explained this to her, she was satisfied. There were about 5 or 6 times that I had to help voters because they misunderstood the machines.
At the end of the day, we shut down the machines and tallied the votes. Then, we transmitted the final tallies to the board of elections using the modem provided with the machines. Interestingly, in my precinct, registered Democrats outnumber registered Republicans by a 4-1 ratio, but Obama won over McCain by 20%. Surprisingly, on one of the machines, McCain actually beat Obama by 2 votes. Several of the other judges had some interesting theories about why the results diverged from the expected values, but nobody suggested that the machines had gotten it wrong somehow. Despite all kinds of glitches and mishaps throughout the day, people just believe the results that come out of the computer, and I think this is a natural human tendency.
Do I think that the machines were hacked or that some bug caused us to get the wrong results? I can't say that I do. However, what would have happened if McCain had won by a 2-1 ratio? Would we have come up with all kinds of interesting theories? Or, would someone have questioned the machines? What happens if a candidate in one of the local races that was close wants to challenge the result? The answer is - nothing. There is no way to recount the election. We have the totals that the machines produce, and that's it. No insight into how those numbers were achieved and no way to recreate them. The election cannot be audited. This is a terrible way to run elections, and I sincerely hope that when I work the 2010 election, it is with paper ballots and rigorous audit procedures.
So, now I'm home after another exhausting day. I'd like to propose that election judges work 8-hour days instead of 16-hour days. The current system is so physically exhausting that the judges, many of them elderly, are more concerned with getting out of there and going home than with taking the time to follow all of the procedures to the letter. And, the procedures are critical. I believe you could more than double the participation of poll workers if it weren't such a grinding, unforgiving day. I don't know how I manage to get these blog entries written, and I'm not sure this is a tradition I can continue because after getting up before 5 a.m. and working all day in one room, writing all of this before I go to bed is getting harder and harder. But, now is when it's all fresh on my mind, and I was afraid I would forget some of it; I had to get this out tonight.
So, now I'm going to watch election returns for a while with Ann, have a glass of wine, and then go to bed. Good night!
Tuesday, October 21, 2008
Another problem with DREs
DREs really worry me because of security concerns and the fact that they cannot be properly audited. However, there is another problem with DREs, which, this year, I think is going to be very serious.
News reports today are highlighting long lines at the polls for early voting. This is not unexpected, as the turnout for this election is bound to be tremendous. I'm very concerned about the impact a high turnout will have on an already stressed voting system. In Maryland, for example, we use touchscreen DRE machines. Precincts only have a handful of these machines, and they create a tight bottleneck in the voting process. As a poll worker, I've seen people take 30-45 minutes to vote. I've also seen it done in 5 minutes. The average, by my observation, is around 8 or 9 minutes. With an increased turnout, the expected growth in the lines is exponential. That is because the throughput of the election machinery does not change, so additional people will be added to the line much faster than the system's ability to absorb them, and the lines will be long - very long.
When Maryland switches to paper ballots with optical scanners in 2010, this problem will go away. The reason is that the time-critical resource will be the scanner, and people can scan their ballots in seconds. The process of filling out the paper ballots can be massively parallelized. We could have 40 or 50 people filling out ballots at the same time, and even with only a couple of scanners, we can move people through the voting process much faster. Using touchscreen DREs, the time-critical resource is the voting machine and voters spend on the order of 8 or 9 minutes, and sometimes much longer to vote. Paper ballots with op scan counting will eliminate long lines at the polls. And, I am worried that long lines are going to be a serious, serious problem in the election, which is two weeks from today. However bad it might be in early voting right now, and indications are that it's bad, I fear that on November 4, the problems will be worse.
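The throughput argument in the two paragraphs above can be made concrete with a small queueing simulation. What follows is an added example with constructed numbers, not a model from the post or from any election authority. It assumes a 13-hour election day, a constructed morning-heavy arrival profile of 1,100 voters, the post's 8-9 minute ballot time (8.5 minutes, applied to both a DRE and a paper booth), 12 DRE machines for the touchscreen precinct, and for the paper precinct 40 marking booths feeding 2 scanners at an assumed 15 seconds per ballot.

```python
"""
Precinct throughput model: touchscreen DREs versus paper ballots with
optical scanners. Added example with constructed numbers; not a model
from the post or from any election authority.

Assumed: a 13-hour day, 8.5 minutes to mark a ballot on either device,
12 DREs, and for the paper precinct 40 booths feeding 2 scanners that
each take 15 seconds per ballot.
"""
import heapq

VOTE_MINUTES = 8.5     # time to fill out the ballot (the post's 8-9 minute average)
SCAN_MINUTES = 0.25    # assumed time to feed one paper ballot into a scanner
# Constructed hourly arrivals, 7 a.m. to 8 p.m., heavy in the morning (1,100 voters).
ARRIVALS_PER_HOUR = [150, 150, 120, 100, 60, 40, 40, 40, 40, 60, 80, 100, 120]


def arrival_times(per_hour=ARRIVALS_PER_HOUR):
    """Spread each hour's voters evenly across that hour; minutes after opening."""
    times = []
    for hour, count in enumerate(per_hour):
        for i in range(count):
            times.append(hour * 60 + i * (60.0 / count))
    return times


def serve(arrivals, n_servers, service_minutes):
    """FIFO line in front of a pool of identical servers (machines, booths or scanners).

    Each voter takes the first server to become free. Returns (wait, finish)
    per voter, in arrival order.
    """
    free_at = [0.0] * n_servers          # min-heap: when each server is next free
    heapq.heapify(free_at)
    result = []
    for t in arrivals:
        start = max(t, heapq.heappop(free_at))
        finish = start + service_minutes
        heapq.heappush(free_at, finish)
        result.append((start - t, finish))
    return result


def summarize(waits, finishes):
    return {
        "max_wait_min": max(waits),
        "mean_wait_min": sum(waits) / len(waits),
        "last_voter_done_min": max(finishes),
    }


def dre_precinct(n_machines=12, arrivals=None):
    """A DRE is held for the whole VOTE_MINUTES: one bottleneck stage."""
    arrivals = arrival_times() if arrivals is None else arrivals
    served = serve(arrivals, n_machines, VOTE_MINUTES)
    return summarize([w for w, _ in served], [f for _, f in served])


def opscan_precinct(n_booths=40, n_scanners=2, arrivals=None):
    """Two stages: mark the ballot in a booth (highly parallel), then seconds at a scanner."""
    arrivals = arrival_times() if arrivals is None else arrivals
    marking = serve(arrivals, n_booths, VOTE_MINUTES)
    # With a constant marking time and FIFO booths, booth finish order equals
    # arrival order, so the two per-voter lists line up element by element.
    scanning = serve([f for _, f in marking], n_scanners, SCAN_MINUTES)
    waits = [bw + sw for (bw, _), (sw, _) in zip(marking, scanning)]
    return summarize(waits, [f for _, f in scanning])


if __name__ == "__main__":
    for name, stats in (("12 DREs", dre_precinct()), ("40 booths + 2 scanners", opscan_precinct())):
        print(f"{name}: max wait {stats['max_wait_min']:.0f} min, "
              f"mean wait {stats['mean_wait_min']:.1f} min, "
              f"last voter done {stats['last_voter_done_min'] - 780:.0f} min after close")
```

With these inputs the 12 DREs can start only about 85 voters an hour, so every morning hour that brings more than that adds to the line, and the worst-placed voter waits on the order of two hours; the paper precinct never forms a line at all, because 40 booths absorb the peak and the scanners are busy for only a quarter of a minute per ballot. Changing `ARRIVALS_PER_HOUR` or the machine counts shows how sensitive the DRE precinct is to the number of working machines, which is the point of the post: the machine, not the scanner, is the resource that cannot be parallelized cheaply.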