Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/16/2007
06:00 AM
50%
50%

Electoral Subtext

Whether you're monitoring the voting process or the status of your most valued server, you better have a Plan B

No worries... This isn't another article about voting machines or Internet voting. I have strong feelings about those issues, and since I vote absentee in nearly every election, Internet voting (properly implemented) would cut down on the paperwork and planning that my wife and I do. But as I said, this isn't about either of those topics. This is about the election that was held April 1 here in Cambodia.

Democracy in Cambodia is very young, and like most young democracies with one extremely strong party and a few minor ones, there is always a significant question about fairness. Everybody knows that before the election some votes are purchased, some people are intimidated, and myriad other dirty tricks are perpetrated. But for every election, a big chunk of the expatriate community in Cambodia spends the day going around to polling places, getting hotter, sweatier, and dustier than they otherwise would have, watching the extremely dull process of people standing in lines, voting, and getting their fingers marked with ink.

Like many places, Cambodia has regulations about when and where parties can campaign. For example, no campaigning is allowed starting the day before the election. The nominal reason for this is to give people a chance to think about their vote without disruption for at least 24 hours. This strikes me as a decent idea, and although I've been here long enough to suspect other motives as well, it could even be true.

What does all this have to do with technology? Well, in this last election there was a bit of a controversy surrounding a rule put in place by the National Electoral Commission. They ordered all mobile phone companies in the country to turn off SMS (text messaging) starting the day before the election going until the closing of the last polls. The reason given was that they were hoping to avoid SMS spam campaigns, which have been used in the past.

The problem with this is that it also interfered with the ability of the monitors to report back to their central sites the results from polling places. They were able to use voice to report in, but as we all know there is a reason that the children's game is called "telephone." That of course was compounded by problems of different languages spoken by people on each end of the phone.

Was this some nefarious plot by the ruling party to interfere with the election observers? Probably not. I suspect this was one of those situations where the NEC would have been criticized for either allowing the inevitable SMS spam, or for interfering with observers.

The problem it highlights is not exactly novel, but it is interesting. In a place like this, where you are lucky to have one form of communications technology available, people tend to rely entirely too much on that one form. This is one case where I really think the observers made a common mistake -- no backup plans. The SMS system was innovative, really a good idea.

But not having a plan to fall back on when SMS failed (as it has been known to do even without government interference) was just boneheaded. The reaction of blaming the government and coming up with a political motive is easy to understand, particularly here where stated motives are almost never the only ones. That, however, just makes the backup system more critical.

All too many times we fail to think about what's going to happen when what seems like our only option fails. Graceful degradation of service (in this case it could have amounted to guys on motorcycles carrying notebooks, a radio system, or some other form of wireless communication) is an important characteristic of any critical system, be it an e-commerce site or an election. Yet another example of how increasing reliance on technology has impaired many people's ability to see solutions that in previous decades would have been obvious.

— Nathan Spande has implemented security in medical systems during the dotcom boom and bust, and suffered through federal government security implementations. Special to Dark Reading.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.