Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:00 AM

Electoral Subtext

Whether you're monitoring the voting process or the status of your most valued server, you better have a Plan B

No worries... This isn't another article about voting machines or Internet voting. I have strong feelings about those issues, and since I vote absentee in nearly every election, Internet voting (properly implemented) would cut down on the paperwork and planning that my wife and I do. But as I said, this isn't about either of those topics. This is about the election that was held April 1 here in Cambodia.

Democracy in Cambodia is very young, and like most young democracies with one extremely strong party and a few minor ones, there is always a significant question about fairness. Everybody knows that before the election some votes are purchased, some people are intimidated, and myriad other dirty tricks are perpetrated. But for every election, a big chunk of the expatriate community in Cambodia spends the day going around to polling places, getting hotter, sweatier, and dustier than they otherwise would have, watching the extremely dull process of people standing in lines, voting, and getting their fingers marked with ink.

Like many places, Cambodia has regulations about when and where parties can campaign. For example, no campaigning is allowed starting the day before the election. The nominal reason for this is to give people a chance to think about their vote without disruption for at least 24 hours. This strikes me as a decent idea, and although I've been here long enough to suspect other motives as well, it could even be true.

What does all this have to do with technology? Well, in this last election there was a bit of a controversy surrounding a rule put in place by the National Electoral Commission. They ordered all mobile phone companies in the country to turn off SMS (text messaging) starting the day before the election going until the closing of the last polls. The reason given was that they were hoping to avoid SMS spam campaigns, which have been used in the past.

The problem with this is that it also interfered with the ability of the monitors to report back to their central sites the results from polling places. They were able to use voice to report in, but as we all know there is a reason that the children's game is called "telephone." That of course was compounded by problems of different languages spoken by people on each end of the phone.

Was this some nefarious plot by the ruling party to interfere with the election observers? Probably not. I suspect this was one of those situations where the NEC would have been criticized for either allowing the inevitable SMS spam, or for interfering with observers.

The problem it highlights is not exactly novel, but it is interesting. In a place like this, where you are lucky to have one form of communications technology available, people tend to rely entirely too much on that one form. This is one case where I really think the observers made a common mistake -- no backup plans. The SMS system was innovative, really a good idea.

But not having a plan to fall back on when SMS failed (as it has been known to do even without government interference) was just boneheaded. The reaction of blaming the government and coming up with a political motive is easy to understand, particularly here where stated motives are almost never the only ones. That, however, just makes the backup system more critical.

All too many times we fail to think about what's going to happen when what seems like our only option fails. Graceful degradation of service (in this case it could have amounted to guys on motorcycles carrying notebooks, a radio system, or some other form of wireless communication) is an important characteristic of any critical system, be it an e-commerce site or an election. Yet another example of how increasing reliance on technology has impaired many people's ability to see solutions that in previous decades would have been obvious.

— Nathan Spande has implemented security in medical systems during the dotcom boom and bust, and suffered through federal government security implementations. Special to Dark Reading.


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5....
PUBLISHED: 2020-07-13
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
PUBLISHED: 2020-07-13
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.