Crime on Paper

"Crime on-line", that's the cover age title of the ACM Queue (Vol 4, #9) that arrived in my mailbox last week.

There's crime there all right, but it's on paper, specifically in the articles relating to on-line crime and e-voting.

Not that there isn't something good in the issue: Kode Vicious is fully up to his usual standard with bits like this, from a comment on the interaction between two teams: one developing an application in C and one working with Java to develop a manager for that application:

The Java team members were all into abstraction. Their APIs were beautiful creations of sugar and syntax that scintillated in the sunshine, moving everyone to gaze in wonder. The problem was that they didn't understand the underlying code they were interacting with, other than to know what the data types and structure layouts were. They did not have a deep appreciation of what their management application (so called) was supposed to manage. They made grand assumptions, often wrong, and when their code ran it was slow, buggy, and crashed a lot.

Hey, I know those guys - but I don't know how to write like that, and wish I did.

On the other hand, half of the title justification comes from an interview between Doug Jones (of Diebold discovery fame) and Peter Neumann, about e-voting. Like most of the contents of this issue, this story is filled with erudite self illumination and makes perfect sense if read on its own - but suffers from two problems. First, all of these stories take the PC as defining computing - set that assumption aside and basically nothing in any of the logical structures in these stories survives.

More importantly, however, all of these stories seem to be informed by the elitist political assumption that the problem would just go away if only some beneficient higher power would enforce the rules on others.

Both Jones and Neumann, for example, silently assume that an e-voting machine has to be a fully programmable, stand-alone, unit - and see the problem largely as one of developing processes in which such a thing's faultless operation could be proven to the uneducated or uninformed.

Sample:

Finally, of course, no highly technical measure is going to be entirely convincing to a naive observer. We therefore need to emphasise understandable measures. In the area of cryptography, for example, the work being done by people like David Chaum to develop cryptographic election protocols that can be explained to those of us without Ph'ds is promising, but it seems to me that they have a long way to go. I see no way of reducing software correctness proofs for paperless voting machines to a form that voters should trust.

What's worst about this - and I don't mean the political agenda and the "let somebody else do it" worldview that goes with it - is that it's obvious from what Jones says elsewhere that he's ready to acknowledge the PC assumption as the primary source of the problems he's worried about, leaving me feeling that he's too politically invested to let himself recognise the obvious.

Want to make e-voting work? simple: fix registration and get rid of the programmable voting machines -because you can't audit a programmable, stand alone, voting machine without taking away voting secrecy.

And then there's the two articles on cyber-crime: one calling it an epidemic by "Team CYMRU" and one a discussion by Eric Allman (the sendmail guy) on e-mail authentication. Both articles are all about closing barn doors: classical examples of the "I'm exempt" thinking that leads to blaming the victims and the imposition of more, and more intrusive, legal controls on the people who aren't doing anything illegal or shady -even though no sane person doubts that these measures will cripple legitimate access to the barn without significantly affecting the bad guys.

Two samples:

Team CYMRU

While governments and law enforcement lament this [that cybercrime statutes .. in many countries .. do not exist, are incomplete, or are poorly written] stark realization, underground internet criminals are exceptionally insightful, they can perpetrate their activities with virtually no threat of legal retribution...

One of the notable outcomes from some cases, though, is the unprecedented demonstration of how multiple international law enforcement agencies can work together... in far too many instances, political or cultural impediments preclude that level of cooperation and interaction... Breaking down those barriers and achieving some equivalence or consistence in statutory restriction are essential to waging a comprehensive campaign against cybercrime worldwide.

Allman:

Email has had a fundamental flaw from the beginning: a lack of authentication ... this situation is increasingly untenable, which is resulting in calls for authentication technology.

Want to fix SPAM, phishing, and the related high profile issues? Simple: don't create another UN secratariat; just recognise that the internet is a set of commercial connections between local networks, and ensure that any message placed on that interconnection can be traced directly to whoever paid to put it there - then penalise that person or organization for doing so if the message carries spam or some form of attack code. How? ensure that the first device to process a message headed onto the internet writes the account information into an accessible, but not forge-able, header - and have clients which get inappropriate messages automatically bounce multiples of them back to the account holder.

But the piece de resistance, the article that more than any other demonstrates the intellectual bankruptcy and weak kneed self flagellation this issue indulges in, is a piece by Daniel Geer (of X-Windows and Usenix fame) defending the proposition that threats to personal freedoms will force Americans to choose between general purpose computing and what he calls "the surveillance world."

On its own, it's a thoughtful, literate, even intelligent, discussion of the issues that arise at the nexus between the commercial necessity of selling software upgrades, the ever evolving nature of cyber crime and hacking, and the opportunities created as information about people becomes both more valuable and more available.

Unfortunately, it's as much a victim of parochialism, silent assumptioneering, and political correctness as the other keynote articles in this issue: in this world the PC completely defines computing, the evil of surveillance is defined by the tools of surveillance -you get the feeling an editor somewhere cut out the anti-Bush rant- and there is no world outside the United States.

Sample:

Preemption requires intelligence, intelligence requires surveillance, and surveillance requires mechanisms for doing so that do not depend on the volition or sentience of those under surveillance. The public is demanding protection that it feels unable to accomplish itself.

Someone should tell him first that guns don't use people to kill people; secondly, that nobody in the U.S. voted for 9/11 but it happened anyway; and thirdly that the network, not the PC, now defines computing. Take away his assumptions to the contrary, and the basis for his whole argument starts to resemble that for Nortel's $1,200+ share price in 2000 - it's now $24, and, oh yeah, that's why this issue just barely misses winning the idiot's triple crown for self-contradiction: there's no article hyping Google as the new Microsoft.