Perimeter

4/16/2007
06:00 AM

Electoral Subtext

Whether you're monitoring the voting process or the status of your most valued server, you had better have a Plan B

No worries... This isn't another article about voting machines or Internet voting. I have strong feelings about those issues, and since I vote absentee in nearly every election, Internet voting (properly implemented) would cut down on the paperwork and planning that my wife and I do. But as I said, this isn't about either of those topics. This is about the election that was held April 1 here in Cambodia.

Democracy in Cambodia is very young, and like most young democracies with one extremely strong party and a few minor ones, there is always a significant question about fairness. Everybody knows that before the election some votes are purchased, some people are intimidated, and myriad other dirty tricks are perpetrated. But for every election, a big chunk of the expatriate community in Cambodia spends the day going around to polling places, getting hotter, sweatier, and dustier than they otherwise would have, watching the extremely dull process of people standing in lines, voting, and getting their fingers marked with ink.

Like many places, Cambodia has regulations about when and where parties can campaign. For example, no campaigning is allowed starting the day before the election. The nominal reason for this is to give people a chance to think about their vote without disruption for at least 24 hours. This strikes me as a decent idea, and although I've been here long enough to suspect other motives as well, it could even be true.

What does all this have to do with technology? Well, in this last election there was a bit of a controversy surrounding a rule put in place by the National Electoral Commission (NEC). It ordered all mobile phone companies in the country to turn off SMS (text messaging) from the day before the election until the last polls closed. The reason given was that the NEC hoped to avoid SMS spam campaigns, which have been used in the past.

The problem with this is that it also cut off the monitors' ability to report results from the polling places back to their central sites. They could still report in by voice, but as we all know there is a reason the children's game is called "telephone." That was compounded, of course, by the different languages spoken at each end of the call.

Was this some nefarious plot by the ruling party to interfere with the election observers? Probably not. I suspect this was one of those situations where the NEC would have been criticized either way: for allowing the inevitable SMS spam, or for interfering with observers.

The problem it highlights is not exactly novel, but it is interesting. In a place like this, where you are lucky to have one form of communications technology available, people tend to rely entirely too much on that one form. This is one case where I really think the observers made a common mistake -- no backup plans. The SMS system was innovative, really a good idea.

But not having a plan to fall back on when SMS failed (as it has been known to do even without government interference) was just boneheaded. The reaction of blaming the government and coming up with a political motive is easy to understand, particularly here where stated motives are almost never the only ones. That, however, just makes the backup system more critical.

All too many times we fail to think about what will happen when what seems like our only option fails. Graceful degradation of service (in this case it could have amounted to guys on motorcycles carrying notebooks, a radio system, or some other form of wireless communication) is an important characteristic of any critical system, be it an e-commerce site or an election. This is yet another example of how increasing reliance on technology has impaired many people's ability to see solutions that in previous decades would have been obvious.
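The two design points the column raises, a fallback when the preferred channel disappears and the error-prone voice relay, are shown together below as an added example. This is not the observers' system and not code from this article; it assumes a hypothetical per-station count report, three hypothetical delivery channels (SMS, radio, motorbike courier), a constructed outage scenario, and a simple two-digit check value of my own (not a standard). A real deployment would persist the outbox to disk and authenticate the reports, which this sketch does not.

```python
"""Channel fallback with a durable outbox and a check-digit message format.

Added example, not the election observers' actual system. Reports, channels
and the outage scenario are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Channel = Tuple[str, Callable[[str], None]]  # (name, send function)


class ChannelDown(Exception):
    """Raised by a send function when its channel is unavailable."""


@dataclass(frozen=True)
class Report:
    station: str            # hypothetical polling station id, e.g. "PS017"
    counts: Dict[str, int]  # candidate/party code -> votes
    seq: int                # per-station sequence number: detects gaps/duplicates


def checksum(payload: str) -> int:
    """Position-weighted sum mod 97: a mis-heard or transposed digit in a
    voice relay changes the value, so the receiver knows to ask again."""
    return sum((i + 1) * ord(c) for i, c in enumerate(payload)) % 97


def encode(r: Report) -> str:
    """Terse fixed format that fits one SMS and can be read out field by
    field: STATION|SEQ|A=n,B=n,...|CK=nn (counts sorted for determinism)."""
    body = ",".join(f"{k}={v}" for k, v in sorted(r.counts.items()))
    payload = f"{r.station}|{r.seq}|{body}"
    return f"{payload}|CK={checksum(payload):02d}"


def decode(msg: str) -> Report:
    """Parse and verify a message; raises ValueError on any corruption."""
    parts = msg.rsplit("|CK=", 1)
    if len(parts) != 2:
        raise ValueError("missing checksum field")
    payload, ck = parts
    if int(ck) != checksum(payload):
        raise ValueError("checksum mismatch: report must be re-read")
    station, seq, body = payload.split("|")
    counts = {}
    for item in body.split(","):
        k, v = item.split("=")
        counts[k] = int(v)
    return Report(station, counts, int(seq))


class Outbox:
    """Durable queue: a report leaves only after some channel accepted it.
    In the field this would be a file on the phone or notebook, not a list."""

    def __init__(self) -> None:
        self.pending: List[Report] = []
        self.delivered: List[Tuple[str, Report]] = []

    def enqueue(self, r: Report) -> None:
        self.pending.append(r)

    def flush(self, channels: List[Channel]) -> Dict[str, int]:
        """Try channels in priority order for each report. Returns per-channel
        delivery counts plus how many reports remain queued for a later retry."""
        stats = {name: 0 for name, _ in channels}
        stats["queued"] = 0
        remaining: List[Report] = []
        for r in self.pending:
            for name, send in channels:
                try:
                    send(encode(r))
                except ChannelDown:
                    continue            # degrade to the next channel
                self.delivered.append((name, r))
                stats[name] += 1
                break
            else:                       # nothing accepted it: keep it, retry later
                remaining.append(r)
                stats["queued"] += 1
        self.pending = remaining
        return stats


def simulate(sms_up: bool, radio_up: bool, courier_up: bool) -> Dict[str, int]:
    """Constructed scenario: three stations report once; channels up or down."""
    def mk(up: bool) -> Callable[[str], None]:
        def send(msg: str) -> None:
            if not up:
                raise ChannelDown
        return send

    channels: List[Channel] = [("sms", mk(sms_up)), ("radio", mk(radio_up)),
                               ("courier", mk(courier_up))]
    box = Outbox()
    for i, station in enumerate(("PS017", "PS018", "PS019"), start=1):
        box.enqueue(Report(station, {"A": 100 + i, "B": 80 - i}, seq=1))
    return box.flush(channels)


if __name__ == "__main__":
    print(simulate(sms_up=False, radio_up=True, courier_up=True))
```

With SMS switched off the reports go out over radio; with every channel down they stay in the outbox rather than being lost, and a transposed digit in a read-back message fails the check rather than being silently tallied. The sequence number is what lets the central site notice a station that went quiet.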

— Nathan Spande has implemented security in medical systems during the dotcom boom and bust, and suffered through federal government security implementations. Special to Dark Reading.
