Security, authentication, authorization

Alex, I'll take "Things I never thought I would write about" for $500. A network security researcher has successfully hacked a coffee machine and was able to take control of it, make it beep constantly, have it refuse to make coffee, and spill water all over.

Hard to believe this story: a rental car provided by an app-based car sharing service called GIG Car Share stopped working when the car was driven into a rural part of northern California.

More than twenty years ago, as the Internet became more common, some prognosticators began talking about the "smart house," where lots of household devices would be interconnected and make our lives one of ease.

At that time, I wrote a somewhat tongue in cheek article for a professional newsletter about a "smart house" gone wild, somewhat in the fashion of the Hall 9000 problem in the movie 2001: A Space Odyssey.

I had some hope that Microsoft, once Steve Ballmer departed, might become more customer friendly. And in the past couple of years, Microsoft has made steady improvements to products like the Surface tablet/laptop--I see a lot of them in my travels.

Here at the office, we've actually seriously discussed moving away from Apple for office productivity software because Apple, since Tim Scott took over, has apparently just decided quality software is not particularly important.

Vendors who want to roll out home security devices using Apple's HomeKit are complaining. Using the HomeKit API allows customers to control the devices (with many more applications than home security) from their iPhone or iPad.

Apple is requiring a very high level of encryption for HomeKit-enabled devices to prevent hackers from taking over these devices. If the HomeKit-enabled device controls your front door lock or the entire house alarm system, a complex encryption algorithm is a good idea.

The Internet of Things (IoT) continues to roll along merrily, with manufacturers sticking a WiFi chip and a poorly designed single purpose Web server into anything with electricity. That is not so bad. What is bad is the complete and utter disregard for testing for security.

The U.K. MailOnline has an excellent article about privacy concerns swirling around Google's new spectacles with a built in camera and screen. While the ability to get information in real time about where you and what you are doing is interesting and possibly quite useful, the problem many see with Google Glass is the fact that you cannot tell if someone is taking pictures of you and/or recording you on video.

The storm of the century may have blown over by November 6th, but if power is still out in some places in the northeast, I wonder what the Plan B is for voting if all the local governments have are coal-powered (i.e. electric) voting machines? If all the old manual voting machines have been recycled for scrap, how will they handle the power outage? If they still have the old manual voting machines in storage somewhere, do they have a well-designed contingency plan to haul all those machines to each voting precinct and train the poll tenders to set them up and use them on short notice?

The FBI says that you might want to leave your laptop home when traveling overseas. The latest scam is from criminals who set up bogus WiFi networks that look just like the real hotel network. When you fire up your laptop, you get what looks like the real hotel login page, but it is a fake one that immediately loads zombie malware onto your computer. Another trick they use is to have a fake "software update needed" window pop up.

I have waited a bit to write about the hoo-ha surrounding the accusation that Apple and Google were tracking user locations via GPS information stored in iPhones and Android phones. I suspected there was more to the story than was being cited in the news. And I was right. Apple has released a Q&A that explains what is going on, and it is indeed benign. Note that this applies only to Apple--I have not seen a similar statement from Google, although it is likely to appear soon.

Just last night, at the opening of the Broadband Properties conference in Dallas, I had a discussion about cloud computing with a gentleman who assured me in soothing tones that from a security perspective, there was "nothing to worry about" because IT folks would be very careful and make sure cloud-based data was secure from hackers.

The city of Washington, D.C. challenged hackers to try to break into one of their secure Internet-based electronic voting system. It was part of a test for the software before deploying it in the city--letting D.C. voters skip going to the polls and voting online instead. Well, students from the University of Michigan hacked into the system and re-programmed the software to play the Michigan fight song after each vote.

What do the following things have in common?

• Minicomputers
• Relational databases
• Client-server computing
• Object-oriented programming
• Web 2.0

All of the above were the latest and greatest IT buzzphrases that, over the past thirty years, were supposed to solve all the world's IT problems. Cloud computing, which by squinting only slightly, could be replaced with the word "mainframe," is the latest buzzphrase.

Diebold has thrown in the towel on its troubled voting machines business. It has sold the whole division to its competitor, ES&S. Diebold electronic voting machines have been plagued with problems, and the company says it is writing off tens of millions in losses, due primarily to lawsuits from disgruntled local governments who bought the machines only to find out they are a security nightmare.

Verizon gets a pat on the back for cracking down on spam. The company has announced that it will finally close Port 25 on its mail servers. Port 25 allows email be sent without any authentication, making it easy for spammers to use "zombie" PCs infected with spambot software to send spam email.

In the continuing saga of voting machines that simply don't work, here is perhaps the most alarming story to date. In a Washington, D.C. voting precinct during the primaries, a "static discharge" magically created an extra 1,500 votes on the memory cartridge that stores the vote tally. The only slightly good news is that someone did notice that the manual tally of voters at the precinct was only 326, but what if it had not been caught?

Paper ballots will be used to collect votes in many elections this fall. There will be a drop in the use of electronic ballot equipment because of security problems, and more states are using paper ballots that are optically scanned because they are easy to use, ease to scan, and provide an auditable paper trail. The biggest shortcoming of the electronic equipment is the lack of a paper trail that can be used to verify results.

"Whaling" is a new form of phishing attacks. It is called whaling because the spam emails are carefully targeted towards big fish, or whales. Spammers have been sending carefully crafted emails that look like an official U.S. Federal Court sub poena. Clicking on the link embedded in the email secretly installs a keystroke logger on your computer which then sends userids, passwords, and credit card numbers to the spammer.

A study by a watchdog e-voting group in Maryland called SaveOurVotes found that in that state, the switch to electronic voting machines raised the cost of elections by 866%.

But wait, there's more! The counties are still paying off a $67 million dollar loan needed to purchase the machines, even though the machines were found to have serious security flaws and have had to abandoned in favor of the older and more secure optical scanning equipment--which is much less expensive.

This moderately technical article (PDF file) has an extensive discussion of the vulnerabilities of wireless systems, including WiFi, Bluetooth, and WiMax. Communities interested in investing primarily in wireless broadband should read this article first, as the data presented illustrates why most businesses do not regard wireless as a business class service.