2008-01-21

Vishing

Do we really need another fish-related buzzword? I'm beginning to wonder if the security community will ever find another classification of security problems that doesn't involve the act of feeding oneself. I can't decide which is worse, this or spear phishing. I suppose it's the latter, as it's often used incorrectly to describe any targeted email attack - even those not attempting to coax PII out of hapless users. Once we get into crustaceans and invertebrates, I quit.

Ladies and gentlemen, please. "Vishing" is nothing but a slight variation on tactics that have been around for decades: phone phreaking and social engineering. That the FBI named it and is comparing it to phishing, not phreaking, is further cause for irritation. Simply because the vector of exploitation differs from these more classic scams and phreaks is no reason to confuse the public by coming up with yet another meaningless classification. It's almost as if the security and electronic music production industries are in competition.

It's no wonder the public is so confused.

2008-01-06

NY Times article on e-voting

I was pleased to see the Sunday New York Times Magazine have a front-page story (registration required) on the problems with e-Voting. While the article was a great opportunity to get these concerns in front of the American public, I feel its author, Clive Thompson, did not do the issue justice. Apart from glossing over the more serious concerns about the e-Voting machines in favor of detailing the political wrangling that resulted, the author all but undermines these concerns in the first paragraphs of the article with this sentence:

"The earliest critiques of digital voting booths came from the fringe - disgruntled citizens and scared-senseless computer geeks..."

The failure of government and society to listen to the subject matter experts on this topic is the single biggest contributor to the quagmire we're in with digital voting. The longer our political system and fellow citizens regard legitimate science as "tinfoil hat pontificating," the more likely we are to continue to run into these sorts of problems with technology. The computer science and information security communities have been voicing the same concerns about e-voting machines from the very beginning, and now it turns out all of our concerns have been justified. For Mr. Thompson to consider these concerns as the mere rantings of "scared senseless computer geeks" - even in retrospect - completely illegitimates those concerns that he's now reporting on.

Note: I also voiced this concern as a comment on Bruce Schneier's blog. If you don't regularly read it, you should.