Archive for the ‘Security’ Category

The Electronic Voting Farce Continues

Wednesday, November 8th, 2006

With the midterm elections in the US in full swing, all eyes (well… some eyes) are once again on the shambles of e-voting as it buckles and crashes - as expected. RTE mentions “problems with electronic voting machines in a number of states, including Ohio, Maryland, New York, Pennsylvania and Florida”. I expect we’ll be hearing more about that, since the recent US elections have been plagued by discrepancies in the e-voting system. Start with Ohio 2004, and work your way back to the Volusia County fiasco in 2000 - the Florida constituency with such strong support for Bush that Al Gore actually ended up with fewer than -16,000 votes. These were the high profile cases, the issues that came to light - but always remember the words of a wise hotel cook from Torquay: “what the eye can’t see, the chef gets away with”.
Update via Slashdot: The candidate who allegedly got 0 votes.

On this side of the Atlantic, we have a different system. The Irish government put €40 million into the Nedap-Powervote, which, as any computing student would have told you, is not secure. This was confirmed in a demonstration (linked to by ICTE last month) by some hackers who reverse-engineered the Dutch electronic voting system, which is almost identical to our own (except ours has a thick layer of dust on top).

As we become accustomed to the security failures and general inconsistencies in the electronic voting systems in other countries, there is a danger that the Irish public will forgive the faults in our own. Consider the informative website that the government has given us to ease our concerns - electronicvoting.ie. It does its best to reassure us ignorant members of the public, urging us to disregard those ridiculous experts and nonsensical independent audits:

The Nedap-Powervote system has already been proven in the Netherlands over the past 15 years and in a number of cities in Germany and France.

I would have worded that slightly differently. Maybe more along the lines of “The Nedap-Powervote system has already been proven to be insecure in the Netherlands”. The fact that they are still using it is completely beside the point - there’s no need for us to turn a blind eye just because our neighbours are.

But we can overlook those minor details such as accuracy, as long as it’s nice from a usability perspective -

It has been adapted, improved, tested and successfully piloted at two polls in Ireland. To date, over 400,000 Irish people have used the system in real polls, and their response has been overwhelmingly positive.

Daniel from Kildare reported that it was overwhelmingly nice to push a button instead of ticking a box. Margaret from Leitrim was also overwhelmed by her button-pushing experience. With results like this, who needs the accuracy? It’s just a shame we spent so much on the Nedap-Powervote - I hear Fisher-Price have a system that lights up.

I actually don’t have a major problem with e-voting, because to be honest I don’t really care who gets elected. However, I don’t like being force-fed blatant lies at the same time. This website is provided by the government and thus should give us a fair and accurate overview of electronic voting, rather than peddling half-truths in a marketing brochure. It should have been taken down the day the Commission on Electronic Voting pointed out that the system is no good and that it would be shelved for another few years. But the government decided to leave the website there, because what’s the harm in a few inconsistencies? It sounds to me like they’re setting a precedent.

Spam Victims

Wednesday, August 16th, 2006

I was examining the junk mails that made it through the spam filter yesterday, wondering about the lengths that spammers have to go to in order to dodge SpamAssassin, and how many people actually respond to advertisements for V!agr$Aa. One of the more common characteristics of spam emails is a variety of colours in the text - a blue header, red sub-heading, green text, etc. I was amazed to learn from a colleague that, statistically, spam emails with multi-coloured text receive a much higher response than plain text. So, many of the internet users who do sign up for Fr€e un1vrs+y d1pl.o/\/\as are lured partially by the colourful text. It made me wonder about the type of people who click on these links. Surely there are no Irish people among them, right?

Phishing is a very different story, and unfortunately there seems to be no shortage of Irish among the victims of the latest Banking 365 scams.

BANK of Ireland issued a warning to its customers yesterday on online fraud as it emerged that seven customers of the bank have now lost a total of €113,000 to an internet swindle.

So who are the suckers who handed over their bank details? According to the Independent they are:

  • A golf professional in North Dublin lost €16,900
  • An environmental consultant in Dublin lost €5,000
  • A small farmer in Galway lost €6,700
  • A receptionist from the capital lost €7,600
  • A midlands-based sales manager who was defrauded of €49,100
  • A Kilkenny businesswoman who lost €12,000
  • A university professor who lost €15,500

I have great sympathy for these people - some of these phishing attacks are very well crafted, and an inexperienced internet user can easily be fooled. But if you’re stupid/ignorant enough to fall for a scam, it is a costly lesson but you can only blame yourself. This group of people are taking on Bank of Ireland, demanding compensation. The receptionist goes so far as to say that it was not her fault that she fell for this extremely common and basic scam:

The Dublin receptionist said yesterday her account had been used to lodge stolen cheques by the fraudsters. They had later withdrawn the money and Bank of Ireland was now insisting that the woman was liable for a deficit of €7,600 in her current account.

“I have no intention of paying one penny. It was not my fault fraudsters used my account to launder money,” she said.

While I hate banks, and 95% of the time I love to see them have to fork out in lawsuits, this time around I have to side with the BoI. The internet can be a dangerous place; I’m sure even the Galway farmer knew that when he got his Eircom 25 dialup account. There is no shortage of warnings, and a responsible internet user will surely take the time to inform himself about the potential dangers of online banking and e-commerce. If anything, the public tends to exaggerate the actual danger on the internet in my experience. I know there have been some horror stories on Bebo and Myspace and ICQ, but if you have a bit of sense and your eyes open then you would have to be extremely unlucky to fall into some internet pothole… it is certainly a lot safer than crossing the road.

To the receptionist from Dublin, let me tell you about a character from Skibbereen called Paddy Banana. I’m not sure how he got his name… I have been told that it was something to do with a banana-eating contest in Schull, but that is not relevant to my story. Paddy Banana was an old man with a shiny bald head and a waddly gait, well known in West Cork and often feared by the tourists because of his tendency to remove his false teeth and chase people down the street, clattering them in his hand. Paddy Banana made a few bob selling used lottery tickets. On a sunny day, he might take a trip to a neighbouring town, or more often than not he would just hang out in Skibb. Covering the date with his thumb, he would sell expired tickets of any description to whomever was willing to part with a few pounds. Occasionally, a self-righteous victim would demand money back, which would usually result in a very short conversation with Paddy’s false teeth. Now, receptionist, do you think that those aggrieved tourists have the right to claim compensation from the National Lottery?

The bank gave you a key. If somebody had broken into your account using brute force or an exploit, then I would be backing you fully. But you handed over your key to a Nigerian in a fake BoI uniform. By all means, press the bank for compensation. Demand that they launch an awareness campaign and increase the security of their online banking. But remember that on the internet there is nobody holding your hand, and there are always scammers ready to lure you away with their shiny multi-coloured text.

Scapy for Windows

Sunday, June 18th, 2006

I spent many hours this week trying to port the python-based network tool Scapy to Windows. After a number of slow downloads, red herrings, and a lot of messing around, I finally had the end in sight. That’s when some guy posted this with everything I needed. Thanks Andrew - nice one, just wish you had posted it three days earlier and I would have been able to watch an extra few World Cup games.

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …

And in case you are wondering, I didn’t get clamped \o/
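
As an added example (not from the original post, and not Scapy’s own code), here is the sort of thing Scapy’s `Ether()/ARP()` and `IP()/ICMP()` layers do for you, written against the Python standard library only so that it runs without Scapy, WinPcap or any of the other downloads mentioned above: forge an ARP who-has frame and an ICMP echo request (including the RFC 1071 one’s-complement checksum), then decode them back. The MAC and IP addresses are made up, and nothing is put on the wire.

```python
"""Hand-built packet forging and decoding with only the standard library.

Added example, not code from the original post or from Scapy itself. It
builds the same bytes that Scapy's Ether()/ARP() and IP()/ICMP() stacking
would produce (compare with Scapy's raw()), so you can see what the layers
hide. Addresses below are made up; nothing is sent.
"""
import socket
import struct


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by IPv4 and ICMP headers.
    Over a header whose checksum field is already filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_arp_request(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Ethernet broadcast + ARP who-has (Scapy: Ether()/ARP(pdst=dst_ip))."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + struct.pack("!H", 0x0806)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, op=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)
    arp += mac_bytes("00:00:00:00:00:00") + socket.inet_aton(dst_ip)
    return eth + arp


def decode_arp(frame: bytes) -> dict:
    """Pull the ARP fields back out of a raw Ethernet frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    return {
        "op": {1: "who-has", 2: "is-at"}.get(op, op),
        "hwsrc": frame[22:28].hex(":"),
        "psrc": socket.inet_ntoa(frame[28:32]),
        "hwdst": frame[32:38].hex(":"),
        "pdst": socket.inet_ntoa(frame[38:42]),
    }


def build_icmp_echo(src_ip: str, dst_ip: str, ident: int = 1, seq: int = 1,
                    payload: bytes = b"scapy") -> bytes:
    """IPv4 + ICMP echo request (Scapy: IP(src=..., dst=...)/ICMP()/payload)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto=ICMP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def decode_ipv4(packet: bytes) -> dict:
    """Parse the IPv4 header, verify its checksum and split off the payload."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    (_ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return {
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": inet_checksum(header) == 0,
        "payload": packet[ihl:total_len],
    }


if __name__ == "__main__":
    print(decode_arp(build_arp_request("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1")))
    print(decode_ipv4(build_icmp_echo("10.0.0.1", "10.0.0.2")))
```

Compare the 42-byte ARP frame with Scapy’s `raw(Ether()/ARP(pdst="192.168.1.1"))` and the checksums with `IP(raw(IP()/ICMP()))`: the bytes should match, which is a cheap sanity check of a freshly ported Scapy before trusting its output on the wire.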

A Warning on Internet Cafes

Tuesday, April 25th, 2006

I just read a good post on IrishEyes about the dangers of banking in Internet Cafes. With the recent influx of immigrants, netcafes are more popular than ever, and are springing up all over the place, largely in Cork. I wouldn’t be surprised to learn that our immigrant community does more of their banking online than in a bank - for example, last month AIB announced that over 1 in 6 online-banking transactions were to banks in Poland. I would expect that a large proportion of these took place in internet cafes. IrishEyes mentions that keystroke-logging software is a big risk in the Irish net cafes now. Despite having seen first-hand some of the dodgy dealings that can go on in an internet cafe - spammers, disgruntled employees with webmail, and kids installing Back Orifice, for example - this comes as a surprise to me.

Lar Veale, in the comments, suggests that there be a code of practice established which cafes must sign up to. This is a very interesting prospect. I know that Nethouse used to (maybe they still do) automatically re-image each PC over the network every morning at 5am or something. Some cafes have very high quality security systems, with each station fully visible to a camera. Some other cafes give no administrative rights to the user, who can use nothing but their web browser and MSN. The unfortunate reality is that there are many internet cafes opened by people who know very little about computers and nothing about security, and they are endangering their customers. I remember one cafe which opened in the greater Cork area that had no antivirus installed, no firewall, never ran Windows Update, and never reimaged their PCs.

With all the publicity that the ATM fraud got a few months ago, it’s about time somebody spoke up about the dangers of internet banking in the net cafes. Educating the masses will only get you so far; there should be a standard introduced, a League of Secure Internet Cafes, with a sticker on the window with a golden lock indicating that they follow the basic security procedures recommended by <insert relevant party here>. It won’t stop Krzysztof from using the Windows 98 PCs down the back of O’Dwyer’s Fishing Tackle & Internet Cafe, but at least it’s a step in the right direction. I know it’s frustrating when you can’t save your Quake config on the computer for future use because it will be wiped out at 5am, or when you can’t use IRC because it’s not in the start menu, but this is a small price to pay for knowing that your passwords probably aren’t getting stolen.

Breezy Critical Security Threat

Monday, March 13th, 2006

With Breezy running on three of my systems here, I was a bit surprised to find this post on the Ubuntu security forum: the password entered during installation (that of the first user, who gets sudo rights, since Ubuntu sets no root password) sits in plain text in a file that is readable by all users, on a standard installation. I am amazed that nobody has spotted this before - surely there has been some paranoid user who searched the filesystem for his password in case he accidentally left it in plaintext somewhere. Now is a good time to update your system, and change your password while you’re at it: the update removes the leak, but anyone who has already read that file still has the old password.
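
That “paranoid user” search is easy to automate. The following is an added example, not code from the original post or from the Ubuntu forum thread: it walks a directory tree, keeps only regular files whose world-read permission bit is set, and reports those containing a given secret. The directory tree in `demo()` is constructed on the fly; the file names imitate an installer log layout but the contents are made up. Run it as an unprivileged user against `/var/log` (or `/`) with your own password.

```python
"""Find world-readable regular files under a directory that contain a secret.

Added example, not from the original post or the Ubuntu forum thread. The
tree built in demo() is constructed here: the file names imitate an installer
log layout, the contents are invented. Permission bits are checked rather than
actual readability, so the result is the same whether run as root or not.
"""
import os
import stat
import tempfile


def world_readable_files_containing(root: str, secret: bytes) -> list:
    """Return sorted paths of regular files under root that are readable by
    'other' (POSIX S_IROTH) and contain secret. Symlinks, sockets and
    owner-only files are skipped: a 0600 file holding your password is
    your own business, a 0644 one is everyone's."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                continue
            try:
                with open(path, "rb") as fh:
                    if secret in fh.read():
                        hits.append(path)
            except OSError:
                continue  # unreadable to us, so not the leak we are hunting
    return sorted(hits)


def demo() -> list:
    """Build a throwaway tree with one leaked copy and one properly protected
    copy of a made-up password, and return the leaks relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        leaked = os.path.join(root, "installer", "cdebconf", "questions.dat")
        private = os.path.join(root, "private", "notes")
        os.makedirs(os.path.dirname(leaked))
        os.makedirs(os.path.dirname(private))
        with open(leaked, "wb") as fh:
            fh.write(b"Name: passwd/user-password\nValue: MyS3cret\n")
        os.chmod(leaked, 0o644)   # world-readable: the bug described above
        with open(private, "wb") as fh:
            fh.write(b"Value: MyS3cret\n")
        os.chmod(private, 0o600)  # owner-only: fine
        hits = world_readable_files_containing(root, b"MyS3cret")
        return [os.path.relpath(p, root) for p in hits]


if __name__ == "__main__":
    print(demo())
```

Reading whole files is fine for `/var/log`-sized trees; for a full filesystem sweep you would add a size cap and skip `/proc` and `/sys`. Whatever the search finds, treat the password as burned and change it, since the file may have been readable for months.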

I am from Cork, Ireland. A fan of the Big Lebowski, Mac OS X, Linux, Cork hurling, Munster rugby, Irish football. Interests include QuakeWorld, Python (lately Django), network security, web applications and technology in general.

Leave a comment if you come across something that interests you. My contact details are here. Alternatively, you can connect on LinkedIn or Twitter.