Author: Jeremy Epstein

  • Report on the NSF "Secure and Trustworthy Cyberspace" PI meeting

    The National Science Foundation (NSF) Secure and Trustworthy Cyberspace (SaTC) Principal Investigator Meeting (whew!) took place Nov. 27-29, 2012, at the Gaylord Hotel just outside Washington, DC.  The SaTC program is NSF’s flagship for cybersecurity research, although it certainly isn’t the only NSF funding in this area.  The purpose of this blog posting is to…

  • What happens when responsible disclosure fails?

    The topic of how to handle security vulnerabilities has been discussed for years. Wikipedia defines responsible disclosure as: Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before…

  • Voting technology issues in Virginia on election day

    I spent Election Day in one of the command centers for the 866-OUR-VOTE hotline. The command center was accepting calls from New Jersey, Maryland, DC, and Virginia, but 95% of the technology issues were from Virginia. I was the designated “technology guy”, so pretty much everything that came through that center came to me. This…

  • Joisy on my mind

    Like everyone interested in the mechanics of elections, I’ve been fascinated by the New Jersey efforts to allow voters to request and submit ballots via email. In this posting, I’d like to address four brief points that I don’t think have received much attention – the first two policy, and the last two technical. First,…

  • Grading the absentee-in-person experience in Virginia

    [Each year, I write a “my day as a pollworker” report. This year, I’m not a pollworker, or election officer in Virginia parlance, for a variety of reasons, so I decided to write about my voting experience.] I just got back from “in-person absentee voting”. This is similar to but not the same as early…

  • Going to the doctor and worrying about cybersecurity

For most people, going to the doctor means thinking about co-pays and when they’ll feel better. For me though, it means thinking about those plus the cybersecurity of the computer systems being used by the medical professionals. I’ve spent more time than usual visiting doctors recently. I broke my hand – sure I’ll tell…

  • DHS OIG study of scanners silent on computer threats

The U.S. Department of Homeland Security Office of Inspector General (DHS OIG) released its report on the safety of airport backscatter machines on February 29. The report has received criticism from ProPublica among others for what it says as well as what it doesn’t, mostly focusing on issues of incremental risk to the traveling public, the…

  • Who won the Iowa primary – and does it matter from a technical perspective?

    As Americans know, the 2012 presidential season began “officially” with the Iowa caucuses on January 3. I say “officially”, because caucuses are a strange beast that are a creation of political parties, and not government. Regardless, the Republican results were interesting – out of about 125,000 votes cast, Mitt Romney led by eight votes over…

  • A review of the FVAP UOCAVA workshop

The US Federal Voting Assistance Program (FVAP) is the Department of Defense agency charged with assisting military and overseas voters with all aspects of voting, including registering to vote, obtaining ballots, and returning ballots. FVAP’s interpretation of Federal law (*) says that they must perform a demonstration of electronic return of marked ballots by overseas…

  • Yet again, why banking online .NE. voting online

One of the most common questions I get is “if I can bank online, why can’t I vote online”. A recently released (but undated) document “Supplement to Authentication in an Internet Banking Environment” from the Federal Financial Institutions Examination Council addresses some of the risks of online banking. Krebs on Security has a nice writeup…

  • Don't love the cyber bomb, but don't ignore it either

Cybersecurity is overblown – or not. A recent report by Jerry Brito and Tate Watkins of George Mason University titled “Loving The Cyber Bomb? The Dangers Of Threat Inflation In Cybersecurity Policy” has gotten a bit of press. This is an important topic worthy of debate, but I believe their conclusions are incorrect. In this…

  • Oak Ridge, spear phishing, and i-voting

Oak Ridge National Labs (one of the US national energy labs, along with Sandia, Livermore, Los Alamos, etc.) had a bunch of people fall for a spear phishing attack (see articles in Computerworld and many other descriptions). For those not familiar with the term, spear phishing is sending targeted emails at specific recipients, designed to…