


by Senior Editor

FUD Watch | The Boogeyman in the E-Voting Machine

Oct 29, 2008 | 5 mins
Compliance, Data and Information Security, Identity Management Solutions

There's no mix quite like Halloween, politics and government. It's a cocktail that can be heavy on the fear-mongering. Here are some examples.

It was inevitable that my brain would start spinning its wheels over the political and legislative landscape this week. It is Halloween, after all. And nothing gets my brain spinning quite like that cocktail of politics, legislative drama and the boogeyman.

Warnings that the boogeyman is out and about are evident in the press releases I’m getting about spammers engaging in “political hacktivism” by sending out e-mails to people in Maryland warning that their right to vote will be nullified if their homes have been foreclosed upon.

Then there are the reports in Florida that e-mail warnings are circulating that your driver’s license and Social Security information will need to match up with federal records in order to be able to vote.

And, of course, there are warnings that the upcoming election will be hijacked by hackers tampering with electronic voting machines in such battleground states as Ohio and Florida. So now we have red hat hackers and blue hat hackers to go with the white hats, black hats and grey hats. And nothing will send a child screaming from their bedroom at night like the pairing of the words “Florida” and “election.”

Finally, there’s the outcry from Massachusetts business leaders over a new identity theft law that’s scheduled to take effect Jan 1, 2009.

According to this article, Bay State business leaders are seeing the boogeyman in the law, known in legislative language as 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth.

They complain that the cost of compliance is too high and too disruptive for businesses and the state should fall in line with federal rules. The law’s advocates say the regulations allow the state to catch up with other states and give consumers the protection they deserve.

My thoughts on these issues:

  • Political hacking: This one is absolute lunacy to me. For starters, one would hope that the average voter was smart enough to know better than to believe that their vote will be taken away if they failed to pay the mortgage. I mean, c’mon. The bit about driver’s licenses and Social Security cards is a little more believable, but not by much.

    I found one voice of sanity on this issue in Sam Masiello, VP of information security at MX Logic, who wrote in a blog posting that this line of spamming is too off the wall to be believed.

    “I am certainly no political guru, but the thing that interests me the most about this is what is intended to be gained by spammers by employing this tactic?” he asks. “These e-mails have been sent out en masse and have not been targeted towards a particular party affiliation. So, it isn’t like they are going out and trying to specifically keep Democrats or Republicans from voting in an attempt to steer the vote towards one candidate or the other. Either way, in this financially motivated underground economy, it isn’t clear to me what a spammer would have to gain by spreading these types of messages. There is no proof at this time that these e-mails are in any way associated with either the Obama or McCain campaigns.”

  • E-voting security: Much has been made about the security holes in e-voting machines, and there is plenty of merit to the argument. Princeton University and other research organizations I trust have warned that e-voting machines used in New Jersey and elsewhere are unreliable and potentially prone to hacking. To me that’s a no-brainer.

    But I look at this the same way I look at all technology. I assume there are security holes whether they have been researched and reported or not. But I’m not about to shy away from the technology, either. In the long run I think e-voting machines are a good thing because they cut down on the amount of paper used and are a quicker, more efficient way to tally votes. [That’s probably going to get me in trouble with those who say there should be a paper trail on these machines. There should in the short term, but I think a better way will emerge eventually.]

    There’s no doubt some machines will be tampered with, and I applaud the researchers who try to stay on top of this. But vote counts have been tampered with since the nation was founded. It’s always going to be a problem, and while e-voting machines open the door for new methods of voter fraud, the overall threat hasn’t changed much. I think most of these machines will do their thing without incident.

  • Mass ID protection law: I’m actually stunned by how little has been written about this. But I’ve seen enough to know that the business community thinks it goes too far. I had a conversation the other day with a colleague who feels the same way. While this looks like the most detailed ID theft law out there, my friend pointed out that it’s going to be near-impossible for businesses to obey.

    He may be right. But then I’ve also heard the business outcry at the enactment of every security/privacy regulation that’s come along before this one. Take your pick: HIPAA, SOX, GLB, and industry standards like PCI DSS.

    Eventually, most businesses adjust, become compliant and more secure in the process. And as long as companies are honest with regulators and auditors about where they are having difficulty, they won’t be thrown to the wolves.

    This Halloween, be aware of the threats around you and take the right precautions. But for goodness sake, don’t hide under the bed.

    About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry’s most egregious FUD, send an e-mail to