4/16/2007
06:00 AM

Electoral Subtext

Whether you're monitoring the voting process or the status of your most valued server, you better have a Plan B

No worries... This isn't another article about voting machines or Internet voting. I have strong feelings about those issues, and since I vote absentee in nearly every election, Internet voting (properly implemented) would cut down on the paperwork and planning that my wife and I do. But as I said, this isn't about either of those topics. This is about the election that was held April 1 here in Cambodia.

Democracy in Cambodia is very young, and like most young democracies with one extremely strong party and a few minor ones, there is always a significant question about fairness. Everybody knows that before the election some votes are purchased, some people are intimidated, and myriad other dirty tricks are perpetrated. But for every election, a big chunk of the expatriate community in Cambodia spends the day going around to polling places, getting hotter, sweatier, and dustier than they otherwise would have, watching the extremely dull process of people standing in lines, voting, and getting their fingers marked with ink.

Like many places, Cambodia has regulations about when and where parties can campaign. For example, no campaigning is allowed starting the day before the election. The nominal reason for this is to give people a chance to think about their vote without disruption for at least 24 hours. This strikes me as a decent idea, and although I've been here long enough to suspect other motives as well, it could even be true.

What does all this have to do with technology? Well, in this last election there was a bit of a controversy surrounding a rule put in place by the National Electoral Commission. The commission ordered all mobile phone companies in the country to turn off SMS (text messaging) from the day before the election until the last polls closed. The reason given was that they were hoping to avoid SMS spam campaigns, which have been used in the past.

The problem with this is that it also interfered with the monitors' ability to report results from polling places back to their central sites. They were able to use voice to report in, but as we all know there is a reason that the children's game is called "telephone." That of course was compounded by the different languages spoken by the people on each end of the phone.

Was this some nefarious plot by the ruling party to interfere with the election observers? Probably not. I suspect this was one of those situations where the NEC would have been criticized for either allowing the inevitable SMS spam, or for interfering with observers.

The problem it highlights is not exactly novel, but it is interesting. In a place like this, where you are lucky to have one form of communications technology available, people tend to rely entirely too much on that one form. This is one case where I really think the observers made a common mistake -- no backup plans. The SMS system was innovative, really a good idea.

But not having a plan to fall back on when SMS failed (as it has been known to do even without government interference) was just boneheaded. The reaction of blaming the government and coming up with a political motive is easy to understand, particularly here where stated motives are almost never the only ones. That, however, just makes the backup system more critical.

All too many times we fail to think about what's going to happen when what seems like our only option fails. Graceful degradation of service (in this case it could have amounted to guys on motorcycles carrying notebooks, a radio system, or some other form of wireless communication) is an important characteristic of any critical system, be it an e-commerce site or an election. Yet another example of how increasing reliance on technology has impaired many people's ability to see solutions that in previous decades would have been obvious.

— Nathan Spande has implemented security in medical systems during the dotcom boom and bust, and suffered through federal government security implementations. Special to Dark Reading.

 
