It was inevitable that my brain would start spinning its wheels over the political and legislative landscape this week. It is Halloween, after all. And nothing gets my brain spinning quite like that cocktail of politics, legislative drama and the boogeyman.
Warnings that the boogeyman is out and about are evident in the press releases I'm getting about spammers engaging in "political hacktivism" by sending out e-mails to people in Maryland warning that their right to vote will be nullified if their homes have been foreclosed upon.
Then there are the reports in Florida that e-mail warnings are circulating that your driver's license and Social Security information will need to match up with federal records in order to be able to vote.
And, of course, there are warnings that the upcoming election will be hijacked by hackers tampering with electronic voting machines in such battleground states as Ohio and Florida. So now we have red hat hackers and blue hat hackers to go with the white hats, black hats and grey hats. And nothing will send a child screaming from their bedroom at night like the pairing of the words "Florida" and "election."
Finally, there's the outcry from Massachusetts business leaders over a new identity theft law that's scheduled to take effect Jan 1, 2009.
According to this article, Bay State business leaders are seeing the boogeyman in the law, known in legislative language as 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth.
They complain that the cost of compliance is too high and too disruptive for businesses and the state should fall in line with federal rules. The law's advocates say the regulations allow the state to catch up with other states and give consumers the protection they deserve.
My thoughts on these issues:
I found one voice of sanity on this issue in Sam Masiello, VP of information security at MX Logic, who wrote in a blog posting that this line of spamming is too off the wall to be believed.
"I am certainly no political guru, but the thing that interests me the most about this is what is intended to be gained by spammers by employing this tactic?" he asks. "These e-mails have been sent out en masse and have not been targeted towards a particular party affiliation. So, it isn't like they are going out and trying to specifically keep Democrats or Republicans from voting in an attempt to steer the vote towards one candidate or the other. Either way, in this financially motivated underground economy, it isn't clear to me what a spammer would have to gain by spreading these types of messages. There is no proof at this time that these e-mails are in any way associated with either the Obama or McCain campaigns."
But I look at this the same way I look at all technology. I assume there are security holes whether they have been researched and reported or not. But I'm not about to shy away from the technology, either. In the long run I think e-voting machines are a good thing because they cut down on the amount of paper used and are a quicker, more efficient way to tally votes. [That's probably going to get me in trouble with those who say there should be a paper trail on these machines. There should in the short term, but I think a better way will emerge eventually.]
There's no doubt some machines will be tampered with, and I applaud the researchers who try to stay on top of this. But vote counts have been tampered with since the nation was founded. It's always going to be a problem, and while e-voting machines open the door for new methods of voter fraud, the overall threat hasn't changed much. I think most of these machines will do their thing without incident.
He may be right. But then I've also heard the business outcry at the enactment of every security/privacy regulation that's come along before this one. Take your pick: HIPAA, SOX, GLB, and industry standards like PCI DSS.
Eventually, most businesses adjust, become compliant and more secure in the process. And as long as companies are honest with regulators and auditors about where they are having difficulty, they won't be thrown to the wolves.
This Halloween, be aware of the threats around you and take the right precautions. But for goodness' sake, don't hide under the bed.
About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to bbrenner@cxo.com.