The one thing I've learned in the Network Security Business is----
trumad Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 03:19 PM
Original message
The one thing I've learned in the Network Security Business is----
Edited on Wed Sep-28-11 03:23 PM by trumad
anything---and I mean anything, can eventually be hacked.

Diebold security is easy pickings for serious hackers.

I fully expect a show of force from hacktivists in the upcoming election.

Game on.

On edit: Folks are freaking that the 2012 election will be stolen by the Repubs.

I'm not so sure of that----if I were the Repubs, I'd be just as worried.
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Wed Sep-28-11 03:37 PM
Response to Original message
1. "backbone" level: why aren't firewalls etc. put on the backbones?
Edited on Wed Sep-28-11 03:42 PM by sam11111
Expensive firewalls from MIT and gov agencies could be put there, as only a few wd be needed. Expensive ones would do a much better job than Norton, Trend Micro, etc.

I'm talking ten million dollar firewalls with thirty engineer staffs 24/7.

Do any other nations do anything like that?
trumad Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 03:39 PM
Response to Reply #1
2. That's what makes it so easy...
the lack of protocol is alarming.
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Wed Sep-28-11 03:46 PM
Response to Reply #2
6. trumad....could they be on backbones? any nation doing it? tks nt
Llewlladdwr Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 03:53 PM
Response to Reply #1
9. What do you mean by "the backbones"?
and how would firewalls placed there help?
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Wed Sep-28-11 04:24 PM
Response to Reply #9
15. hi...Bkbns are main pipes of the net.
Much cheaper to put one $10 million ultra security Suite from MIT there,

than put such a S.S. on all of folks' home laptops.

All the viruses that now get thru ur Norton wd be stopped at the bkbne.
Recursion Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 03:54 PM
Response to Reply #1
10. Firewalls don't actually do all that much
The underlying protocol is either secure or not. If I don't trust somebody to secure a server, I don't trust him to secure the firewall in front of it either. (And why is it listening on ports you don't let through the firewall, anyways?)
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Wed Sep-28-11 04:02 PM
Response to Reply #10
12. Entire Security Suite + underlying Protocols on backbone is my meaning
Edited on Wed Sep-28-11 04:10 PM by sam11111
Whatever Norton does on ur laptop, I say

Shd be souped up and located on the few backbones

So the eighty million we small folk spend on Norton

SHOULD be...instead... Twenty million spent..total spent... for three ultra muscular firewalls from MIT
Paid for by backbone administrators or government.
Any nations do that?

Is corporate greed by Norton to blame for today's stupid model?
DisgustipatedinCA Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 05:10 PM
Response to Reply #12
19. the answer to your question is: you can't write proper ACLs for such a firewall
Yes, firewalls can be made that operate at near-wire speed, and it's conceivable that you could put one in-line at the major peering points. But firewalls permit and deny traffic. In order to permit or deny traffic, you have to write rules. In Cisco-ese, these rules are in the form of what's called Access Control Lists. They'll say something like:
Permit the address 216.248.201.1 to get to the address 16.42.189.33 on port 80.
OK, that statement (revised into English for this thread) would permit one machine to attach to one other machine on a certain port (happens to be the www port, in this case, so the destination would be a webserver).

After this statement, everything else is denied. So no other address would be permitted to get to 16.42.189.33 on port 80. You could, of course, permit ALL traffic to get to that address on port 80, which is very likely what would be done on a firewall sitting close to that webserver (as opposed to a "backbone" firewall). In order to maintain an access list like this, you'd need to have the Verizons and AT&Ts of the world revising access lists millions of times per day. Incidentally, we'd be dealing with access lists larger than any ever written. This would also go a long way toward defeating the principle of net neutrality. The carriers are supposed to just open up and let the traffic through. What you're suggesting would give a lot of extra power to the principal ISPs in the US. AT&T, for example, could decide that they don't like an article written about their attempted merger with T-Mobile. Just access list that site, and no one will ever see it.

Anyway, in general terms, you want the firewall as close to the resources being protected as is feasible.
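The permit-then-implicit-deny behaviour DisgustipatedinCA describes, as an added example written for this page (not the poster's code and not any vendor's implementation); it uses the two addresses quoted in the post, constructed sample values otherwise, and goes one step beyond the post by flagging rules that an earlier rule makes unreachable, the kind of defect that creeps into very long lists:

```python
"""Added example for this thread (not the poster's code, not a vendor
implementation): a small model of Cisco-style access-list evaluation with the
implicit deny at the end, plus a shadowed-rule check. The two addresses come
from the post; every other value here is constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR, or "any"
    dst: str               # destination CIDR, or "any"
    dport: Optional[int]   # destination port; None matches any port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def matches(rule: Rule, flow: Flow) -> bool:
    # Layer 3/4 match only: source, destination and destination port.
    return (ipaddress.ip_address(flow.src) in _net(rule.src)
            and ipaddress.ip_address(flow.dst) in _net(rule.dst)
            and (rule.dport is None or rule.dport == flow.dport))

def evaluate(acl: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching rule wins. A flow that matches nothing hits the implicit
    deny the post describes. Returns (action, index of the rule or None)."""
    for i, rule in enumerate(acl):
        if matches(rule, flow):
            return rule.action, i
    return "deny", None

def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every flow they would match; a typical defect in very long lists."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(j)
                break
    return out

# The post's single rule: one client to one web server on port 80.
POST_ACL = [Rule("permit", "216.248.201.1/32", "16.42.189.33/32", 80)]

# The "near the server" variant the post mentions: any client to port 80.
SERVER_ACL = [Rule("permit", "any", "16.42.189.33/32", 80)]

# Constructed ordering mistake: the deny sits behind a broader permit.
BAD_ACL = [Rule("permit", "any", "16.42.189.33/32", 80),
           Rule("deny", "198.51.100.0/24", "16.42.189.33/32", 80)]

if __name__ == "__main__":
    web = Flow("216.248.201.1", "16.42.189.33", 80)
    other = Flow("198.51.100.7", "16.42.189.33", 80)
    print(evaluate(POST_ACL, web))      # ('permit', 0)
    print(evaluate(POST_ACL, other))    # ('deny', None): implicit deny
    print(evaluate(SERVER_ACL, other))  # ('permit', 0)
    print(shadowed_rules(BAD_ACL))      # [1]
```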
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Wed Sep-28-11 05:43 PM
Response to Reply #19
21. So..a Security Suite (firewall was my inept shorthand for S.S.) can't be on Bkbne because it slows traffic?

The long ACL problem is unclear...if I am only positing a watchout list identical to what Norton puts on my laptop in current practice arrangements...

Then the w. list shd be do-able. It wd not be custom to the end user and so need not be unique nor changing oft daily. Just containing the url's of hackers and the codes of malware.

True?

Appreciate your time on this!
Sam

DisgustipatedinCA Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 07:11 PM
Response to Reply #21
29. Sorry...my answer was a little disjointed
I had just been saying that a firewall sitting on the backbone(s) of the Internet would be unwieldy, and would be in constant need of change, and that would be tough to do with something so large and constantly-changing.

As to the wider security suite, if I correctly understand what you're saying, I think it would slow traffic down a great deal. That is, there are definable bad things out there that could be mitigated at centralized points. In a corporate network, the kind of device that does this work is called an Intrusion Prevention System (IPS). IPS systems are sometimes built into firewalls, and sometimes they're standalone devices. These devices have to inspect traffic going through, and they have to do a pretty deep inspection inside of each packet to see what it contains and whether or not something malicious is inside the packet (a packet being a small unit of data sent from one computer to another; this post I'm typing will take a few packets' worth of data to get from my PC to DU's webserver). Inspecting each of these packets takes much more time than the inspection that a standard firewall performs (for those in the industry, I'm referring to Layer 3-4 inspection on a standard FW, vs. L7 for IPS).

The overarching idea behind Internet backbone connections is speed, speed, and more speed. Slowing traffic down is highly undesirable. Some of the WAN switches (the devices that move traffic over the backbone) cost a million plus dollars, and a great deal of that money goes toward making the device as fast as possible, as close to "wire speed" as possible. Doing intrusion prevention at this level would be very costly, but more importantly, I think it would significantly slow traffic in the very place where it needs to be the fastest.

One more footnote: by the same token that one person's terrorist is another person's freedom fighter, not all "malicious" traffic is malicious in all cases. What may be an abnormality on your system, and therefore a possible security threat, might be desirable or even required for my system to run. True, there are some exploits and signatures out there that are all bad all the time, no good use for them. But there are some traffic patterns that look like exploits, or possible exploits, that are actually valid traffic. This is another reason to get as close to the bone as possible, and as specific as possible, when tailoring a security suite, or intrusion prevention, for your particular environment.

For what it's worth, I think your question is a good one, and it's the kind of thinking that can lead carriers to revise their "best practices".

Thanks.
SpiralHawk Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 03:40 PM
Response to Original message
3. Game on indeed
The winner will be the one with the most hacktivists at work...
trumad Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 03:41 PM
Response to Reply #3
4. They're gonna do it just to do it...
It will be more of a game than political.

Tom Hartman cracked me up by wondering if Lady Gaga will win the presidency.
sinkingfeeling Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 03:41 PM
Response to Original message
5. It really might help us get rid of the machines, if we had an all night back and forth switching of
vote totals. People could then actually 'see' that hackers were messing the vote up.
lunatica Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 03:51 PM
Response to Original message
7. All in a day's work for Anonymous
I'm sure they'll think of it if they haven't already.

Upon second thought maybe they can hack the elections so completely that we won't have any other choice but to go back to paper votes.

Hmmmm...
Recursion Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 03:52 PM
Response to Original message
8. The one thing I learned is that if it has an internet connection, users will view porn on it
But, yeah, yours is probably #2.
AndyTiedye Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 04:01 PM
Response to Original message
11. The Repigs Have Much More Direct Access

x 27 = 270 Electoral Votes
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Wed Sep-28-11 04:14 PM
Response to Original message
13. "all hackable"...in theory why nothing hackproof?
Curious that's all. Not being contrary.
jberryhill Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 04:18 PM
Response to Reply #13
14. Because programmable things are programmable

A machine doesn't know what it is supposed to be doing, so it doesn't know if it is being programmed, repaired, or hacked.
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Wed Sep-28-11 04:29 PM
Response to Reply #14
17. "no change allowed" code wd stop reprogramming? nt
saras Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 05:33 PM
Response to Reply #17
20. No, you hack the "no change" code, or the thing that interprets it.
The more complicated the lock, the greater the odds that you can hack the mechanism of the lock itself. You can't always hack it for $26, but if you can afford modern test equipment, you can hack pretty much any electronics, including military chips designed to be hacker-proof, or to self-destruct if hacked.

Xboxes are a hell of a lot more secure than any of these voting machines, and they've been hacked, repeatedly. Piles and piles of security devices and protocols. All hacked.

And that's not even STARTING to use social engineering, the other half of hacking. Why hack a password when someone will tell it to you? Why reverse-engineer a device when you can talk someone out of a manual, or access to the website where the manual is stored?
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Wed Sep-28-11 05:51 PM
Response to Reply #20
22. TKS! The level of abstraction I like was in your first sentence below the title
Can u use that level to answer my "backbone" Q in re #1?

Thank you!
Sam
YvonneCa Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 04:25 PM
Response to Reply #13
16. Maybe they wanted them...
...hackable? ;)
gateley Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 04:59 PM
Response to Original message
18. The Republicans can afford better hackers than we can. Just sayin'. nt
WinkyDink Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 05:58 PM
Response to Original message
23. You'd "be just as worried" that Democrats will steal the 2012 election?????
deaniac21 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Sep-28-11 06:07 PM
Response to Original message
24. Every election in history has been won according to who counts
the vote. Doesn't matter if paper or electronic.
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Wed Sep-28-11 06:24 PM
Response to Reply #24
25. e-votes easier to steal en masse. Counters: "many eyes watching" fixes that problem
Evote stealing also less visible

Checklist: can u memorize it? Test next friday. LoL

paper ballots,
hand counted,
precinct level,
many eyes,
election BOARD (never one sec. of state), and
cash-free-campaigns.

-------------------------

This last point...cfc's: all media are required to give free space to candidates, in proportion to poll strength but with some extra given to small fringe candidates to "level things a bit".

IIRC this was/is done in Holland. Parties not allowed to spend ANY cash on ads. Ends the problem of PAC's and GOP advantage with billionaire cash.

Also; many eyes..I like having not only our people watch the counting but also foreign observers. Would get us some credibility overseas as "responsible adults".

Pls memorize these 6 points
deaniac21 Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Sep-30-11 02:22 PM
Response to Reply #25
31. Any electronic transaction leaves a trail to those who are experts
in operating systems, networking and programming.
crazyjoe Donating Member (921 posts) Send PM | Profile | Ignore Wed Sep-28-11 06:27 PM
Response to Original message
26. how would you know ahead of time what machines you may
need to hack? what states? what counties? You would need access to virtually thousands and thousands of machines? And you would need an accurate running total, wouldn't you?
You can just hack one machine and put 2 million votes on it.
The whole idea is stupid, it would require a gigantic organization of people, with IPs and passwords, and access, and ....etc.
And of course, of all the thousands of people you would need involved all over the country, not one of them would ever talk, and no concrete proof would ever be found.
Like I said, stupid.
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Wed Sep-28-11 06:55 PM
Response to Reply #26
27. not an expert but seem to recall..."votes tallied at regional levels and then wider level etc"
So a secretkeeping group the size of Nixon's "plumbers" might do.

Also....small elections doable even with the hurdles u cited.
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Wed Sep-28-11 07:04 PM
Response to Reply #27
28. GOP guys own the big emachine factories.
Edited on Wed Sep-28-11 07:14 PM by sam11111
They well may put code in the emachines to add 10% to GOP vote totals while subbing that amt from Dems.

OR...OR the diebold makers could remote hack to help GOP. They would know all the IP's.

Emachines an ultra-awful idea. ALL types of vote machines make votetheft easier.

Haven't some Euro nations gone to paper? IIRC Canada and France are paper now. (See my checklist in a reply above, re: #25.)
unc70 Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Sep-30-11 05:27 AM
Response to Original message
30. Not just "eventually" hackable, I now assume already hacked
For most things, "eventually" is measured in years or centuries, but on the internet it might just be a few days or weeks. It is technically impossible to "secure" the internet or any electronic system attached to it. You are only as secure as your least secure, most vulnerable point. Unfortunately, with millions of potential weak points in software, hardware, and people, the web of trust and authentication we all depend on has itself been hacked, no longer trustworthy.

In general, the more secure you think you are, the less secure you really are. There are whole categories of threats most people have never even heard about.

The distinction between clock time and internet time was obvious to most people as soon as the technology became available, but few quite understand that internet time is getting faster and faster, with consequences and changes to our lives coming too rapidly for us to comprehend or to respond. The half lives of any competitive advantages in the marketplace, in security, in product design or features, in productivity, or anything else are becoming shorter and shorter. Competitors must respond quickly to survive, at least by including as the new standard what had been a competitor's advantage. It is a wild ride for everyone and will only get wilder.

For most things, "eventually" is measured in years or centuries, but on the internet it might just be a few days or weeks. We all know that the impossible takes longer, but the inconceivable is what really scares me. To believe something is impossible, even if in error, means that it was thought about, and maybe any consequences were too. We are totally unprepared for the inconceivable.

A series of "inconceivable" security lapses over recent months are very troubling. Hackers gained access to internal networks at RSA and VeriSign, related companies that provide the key technologies for encryption, digital signatures, and authentications. A later hack at DigiNotar resulted in the issuing of fraudulent CAs for microsoft.com, google.com, verisign.com and many others. When combined with DNS cache poisoning to redirect the user to the IP of the imposter site, there are lots of ways to escalate the attacks with little risk of detection.

A growing risk comes from hardware devices and components that are pre-hacked when manufactured, assembled, or shipped. While malware on a digital picture frame might be detected by Norton and such, more sophisticated exploits hidden in disk drive firmware, add-on memory, graphics controllers, or even in a cable plug are very difficult to find. Even harder to detect is a Trojan inserted during the design of a CPU chip that will be used widely, the Trojan remaining dormant unless it is used in the targeted environment or activated some other way.

I posted a lot several years ago about voting machines, opscan, etc. and why they are technically unsound and operationally a nightmare, and neither can ever meet the criteria for security and trustworthiness needed for our elections. Suppose for a moment that by some miracle you have voting machine software that is perfect, flawless implementation, ideal design, bug free, open source, no issues at all. (I did say a miracle.) Even with this miracle, it is not enough.

The issues with ballot design, "programming", validation, testing when dealing with the complexities of special overlay districts (water, schools, municipalities, with multiple combinations all at one polling place), multi-seat contest, straight party with exceptions, instant runoff, initiatives, amendments, ... This requires a significant effort for each election by election officials in every county or district. Testing and validation is a larger effort if done properly. These tasks are roughly the same as those for systems currently in use.

The big problem is ensuring that the machines and all components are secure and remain so. That should begin with chips manufactured in a secure foundry and assembled in secure facilities. For the life of each voting machine, it must be secured and have the equivalent of the chain of custody for evidence. If not, that should be grounds for spoliation of evidence.

The recent Argonne Labs Vulnerability Assessment demonstrates their $10 alien hardware man-in-the-middle hack against Diebold. I think a slightly more complex bit of hardware would make it much easier for people to understand how great the threats really are. Use a cell phone chip for remote control through text messages containing commands like Find text, Replace text, etc. Lets you show people things like changing candidate names while they are "voting", and do it from anywhere.