A few days ago I gave a lecture about innovation, and one topic that came up was the security of e-voting. It is widely accepted by the security community that e-voting cannot be made secure enough, and yet existing literature on the topic seems to lack high-level discussion on the basis for this assumption.
Following is my opinion on why reliable fully digital e-voting cannot be accomplished given its threat and security models.
This is an atypical management book. Aside from the fact that it is very well written, it is full of insights that you can actually relate to and use. It makes sense, and unlike other management books that "make sense" because they preach obvious trivialities, this one brings up points that are truly insightful.
I have been running a security research group at Sansa Security since 2006, and while I think about it often, I never bothered to publish any post about how to run an effective security research team. So here is a first post on this topic, with the expectation of writing additional installments in the future.
I will address a few random topics that come to my mind at this moment, about staffing, external interaction, being in the know, and logging. Feel free to bring up other topics of interest as comments to this post.
Today it is ten years since the first post on this blog was published. This blog superseded an email bulletin that I maintained for seven years beforehand.
I am not the best blogger ever. I write much less frequently than I planned and wanted. Writing takes time that I do not always have; but more importantly, I try not to write unless I have something unique to say, and by doing this I feel I differentiate this blog from hundreds of others.
TED published an excellent talk: Why Privacy Matters, by Glenn Greenwald.
Seldom do I call an online lecture "a must for all audiences", but the TED lecture by Glenn Greenwald is worth such an endorsement. Glenn Greenwald is one of the key reporters who published material based on the leaks of Edward Snowden. He also wrote a good book about it called "No Place to Hide", a book on which I wrote a review about 6 months ago.
If you know that privacy is important, but cannot explain why people who've done nothing wrong need it, or worse yet, if you really do not see why a surveillance state is bad also for law-abiding citizens, then you must listen to this. It packs hours of social, psychological, and public policy discussions into a few minutes.
As much as there is hype about the Internet of Things (IoT) and protecting it, there is no such thing as "IoT Security" per se. There is just the usual security engineering that is applied to IoT. Security engineering is about determining assets, threats to assets, and cost-effective means of mitigation. There are many models and ways for carrying out such analysis, but for the most part they all boil down to those key elements. Such security analysis applies to networks, it applies to servers, it applies to cars, and it also applies to IoT. That said, security engineering in IoT does pose a few unique challenges, which I would like to discuss now.