Happy Halloween

[Before] [After]

As the election day looms closer, the political ads have become more hateful and more fear mongering. In the security community, this is called "FUD" -- Fear, Uncertainty, Doubt. FUD is a powerful driving factor for swaying uninformed opinions. Right now, an onslaught of anti-Obama attack ads are spewing false and misleading information.

Guilt by Association

Much of the misinformation from the Republican party is due to "guilt by association". Imagine this scenario:

You regularly attended your local PTA meeting. One of the members of the PTA was known to have been arrested for selling crack years earlier. Years later, you run for a public office. Your opponent accuses you of selling drugs or being friends with drug dealers. Supporters of the opposition claim that you tried to hide the association because you were not up-front about it.

How would you handle this kind of attack? Would you deny the association, ignore the attack, or feebly explain the inaccuracy?

Frankly, if you know more than 100 people then you probably have associated with someone who has an undesirable background -- whether or not you knew about it. Drug habits, alcohol abuse, domestic violence, protesters, felony arrests... If you search Google images for "Neal Krawetz" then you will see lots of pictures of Osama Bin Laden (I gave a presentation on image analysis and used him as an example -- it was picked up by the mass media). Does this mean that I support terrorism? No. But it could be used in a guilt-by-association attack.

This is one of the main types of attack being used by McCain against Obama right now. It is hard to defend against and the misinformation spreads rapidly. McCain has accused Obama of being a gang member (remember the fist bump?), terrorist, socialist, and anti-Israel. All of which are false attacks based on guilt-by-association.

Imagine the controversy that would arise if an Obama supporter launched a similar attack against McCain (he's an easier target than Obama -- because of the number of half-truths available):

John McCain. Patriot? Or greedy traitor. Although taken as a prisoner of war in 1967, he chose to stay with his captor rather than return to his home country. His captor, North Korea, is the same country that continues to threaten the United States with nuclear war, oppress personal privacy, and restrict economic development. Years later, McCain was involved in one of the largest government banking scandals. Even after the Keating Five, McCain still chose to associate with people guilty of fraud, drug abuse, financial deception, shoplifting, domestic violence, embezzlement, and felony charges of making false statements under oath. In an echo of North Korea, McCain voted against American privacy. He then raced back to Washington DC to support a $700 billion dollar spending spree and a socialist agenda. John McCain: It's all about the money.

Each of the above statements are misleading, but based on fact. However, the spin makes them appear negative and harder to defend against.

(And don't get me started on the hypocritical Glass-Houses attacks, where McCain accuses Obama of things that he also did. For example, McCain accuses Obama and "Liberals" of bloating the billion dollar bailout with millions of dollars in earmark spending. Yet, McCain voted for it. McCain also has closer ties to ACORN and Professor Rashid Khalidi than Obama, yet accuses Obama of associating with voter fraud and being anti-Israel.)

FUD and Hate and Lies

The hated based on FUD is only growing. There was actually assassination plot against Obama that was foiled. Granted, these two idiots were not even smart enough to get beyond planning, the fact is: the Republic party is strongly attracting FUD elements in society. Palin rallys have repeated reports of racial attacks and slurs. Palin, herself, is even reported as telling a black cameraman to "sit down, boy". At best, this comment shows an insensitivity that should not be found in a Vice President. At worst, it is racism. As one Anchorage minister is quoted as saying, "It's really been like you're going to a Ku Klux Klan rally." No wonder two skinheads wanted to kill Obama.

Not to be outdone, the Republican party claimed a racial attack by a black man against a white, female, Republican campaign worker. But it was later proven false. The story of her being attacked and mugged was fabricated. When TV station KDKA initially reported the story, they cited inflamatory remarks from a Republican campaign manager. However, when the manager backed down from his report, KDKA updated their story to bury the unvalidated claims.

In fact, the number of false statements in Republican campaign ads is increasing. PolitiFact is currently showing a 10:2 ratio of false statements: Obama and his party makes two false statements for every ten false statements from McCain, Palin, and the Republican party. Moreover, five of the latest 10 false statements from the Republicans have PolitiFact's harshest rating: "Pants on Fire" (Liar! Liar!).

Election Fraud

Complaints about election fraud are certain to increase this year. It started with false accusations about Obama: that he is Muslim (false -- not that there is anything wrong with being Muslim, but Obama isn't one), that he was not born in Hawaii or is not a US Citizen (both false), and that he has close ties with a domestic terrorist (false).

However, the fraud is now taking a more direct approach:

• Fake fliers in Viriginia are telling Republicans to vote on the 4th, and Democrats to vote on the 5th. (False: everyone votes on the same day.)
  
  
• Electronic voting machines in West Virginia are automatically switching votes -- from Democrat to Republican. According to Snopes, this is true and is happening for people who use the "straight ticket" option while voting Democrat. If this were an isolated incident in West Virginia, then it could be called an error. However, there are reports of the same problem coming from machines in Texas, Tennessee, and North Carolina. There is a claim that the problem is due to a simple miscalibration. However, all of the reported errors are in the Republican's favor and there are not complaints from tons of people who all use the same machine. This stinks of the same touch-screen voter fraud that was reported in 2004.
  
  
• [Added 2008-10-31] Voters in Florida are receiving bogus calls claiming that they can vote by phone. It seems that some people will do anything to keep voters away from the polls.

There is a famous quote about elections (falsely attributed to Joseph Stalin): "It's not the people who vote that count. It's the people who count the votes."

Bringing it Home

My home town of Fort Collins, Colorado had a visit from Obama last weekend. The line was over two and a half miles long, and estimates put the number of people between 50,000 and 100,000. The population of Fort Collins is approximately 120,000 and the majority of people in the line were from Fort Collins. Of course, I had to make the joke, "I should have gone to see Palin when she was in Loveland last week -- the line was shorter."

Loveland, Colorado is about a five minute drive from Fort Collins (people drove longer to get to CSU to hear Obama), so the distance is not a deterrent. Palin attracted a crowd of 6600 people. In contrast, news reports state that Obama attracted 45,000 to 50,000 people. (A good mile of the line never got close enough to hear him.) Just looking at these numbers, Obama should expect around 85% of the votes in Larimer county. This is significant since 92% of registered voters (95% of registered Democrats) in our county voted in the 2004 election. This was the highest turnout in the nation. Current county estimates say this year's voter turnout could be as high as 98%. Colorado is called a swing state, and Larimer county is large enough to push the entire state. If Fort Collins is strongly Democrat, then the state will go Democrat. (In 2004, the city was split -- nobody liked either candidate, but we all voted -- so the state was split.)

Another good metric for determining political viewpoint is to look at lawn signs. Fort Collins has plenty of yards with political signs. Here, strongly Republican homes have lots of signs for Republicans running for various offices, but few for McCain/Palin. In contrast, there are plenty of Obama signs. (The local news has no reports of Republican sign-theft in Fort Collins, but there are reports of Obama sign thefts.) Based on neighborhood signage, I expect the non-Presidential offices to be very close races, but the Presidential race seems obvious.

Fort Collins actually has similar signage to what I saw while driving across Wyoming and Montana. Although there were McCain signs, there were far more Obama signs.

These metrics can be used to detect voter fraud. If Larimer county and Fort Collins reports an 80/20 split (80% Democrat) in the Presidential race, then the observed metrics will match the tally. However, if the vote is close (51/49) or even favors Republicans, then it is clear evidence of voter fraud. (Remember: nearly everyone in Larimer county votes and the county had a huge turnout in support of the Democratic presidential candidate.)

Political Terrorism

Fear is a very powerful, primal force. Terrorists use a combination of fear and manipulative actions to direct agendas. The use of false statements, misleading statements, racial attacks, and voter fraud is nothing more than political terrorism.

With the election less than a week away, most people already know how they are going to vote. Unfortunately, there will be many more attack ads in order to sway people who are not fully committed to their decision.

Terrorism is defeated through knowledge. Ignore the attack ads and focus on the real information:

• Who is doing the attack? Why are they not using those same funds to build up their favorite candidate rather than bring down their opponent?
  
  
• What is the candidate's track record? Both Obama and McCain have terrible voting records, both missing more than 45% of the votes. If you missed 45% of the exams in school, you would fail the course.
  
  
• How consistent is the candidate? Obama calls himself the "candidate for change" because he differs from the current administration's views. Yet, Obama has maintained a mostly consistent message over the campaign. In contrast, McCain didn't call himself a "candidate for change" until mid-way through the campaign. And McCain is showing change; he seems to change his stance on critical issues every week: NASA, banking regulation, affirmative action, tax cuts, stem-cell research, Iran, and even his view on the Bush administration. (Even if you disagree with Obama's policies, you cannot be sure that McCain won't change his stance again and again. Which is better: the devil you know, or the devil you don't know.)
  
  
• Where does the candidate stand on the issues that matter to you? I'm big on electronic privacy. In February, Obama voted for privacy. McCain voted against it. However, in June Obama supported the "Protect America Act" (warrentless wiretaps), while McCain simply didn't show up to vote.

This year, don't vote for the candidate that you dislike the least. Instead, try to vote for the candidate that you like the most. Watch out for biased opinions, false or misleading information, and voter fraud. And when you see something questionable, question it.

The Department of Defense's Cyber Crime Center's (DC3) 3rd Annual Forensic Challenge is winding up! Solutions are due at the end of the week (Nov. 1st)!

The first year they held it, there were 140 teams, but only 21 teams turned in solutions. The challenges were a combination of physical and software forensics. The second year there were 126 teams, and only 11 turned in solutions! The challenges were mostly physical media, and many were very difficult.

You don't need to solve every problem in order to play, and the DC3 gives partial credit for incomplete answers. (I'm told that last year one team only wrote their name on a piece of paper -- and they came in 11th, beating out 115 other teams!)

This year, at least 190 teams are playing. There are no physical media problems; all challenges are software. According to the game status page, only one team has already turned in their solutions -- but I suspect that the DC3 is just slow at updating the page.

If you're playing the DC3 Forensic Challenge, be sure to turn in whatever you have! Even if you haven't solved any of the problems, you might just get 2nd place bragging rights for writing your name!

When the contest ends, I'll post updates about the winning teams, hardest problems (in my opinion), and any creative answers. If you're playing the game and have turned in your solutions, feel free to contribute your thoughts (but please wait until the game ends first! Remember: you don't want to give hints to other teams before the challenge completes.)

And if you're thinking about playing next year, I highly recommend it. You don't realize what you know (or don't know) until you are tested.

Update 2008-10-29: The DC3 just sent a reminder to all teams. Since the deadline (Nov 1st) falls on a Saturday, they are extending the deadline until Monday (Nov 3) at midnight. They wrote, "We have received two submitted solutions to date." Thus, just writing your name on a piece of paper could get you third place!

The exhaustion has finally ebbed. This week, I (and T.) drove to Helena, Montana for the Cyber Information Security Conference (CISCON). The drive from Fort Collins, Colorado takes over 10 hours (more like 13 hours with rest stops and food).

Half the Battle

Just the trip was exhausting. We drove instead of flew. As it turns out, driving takes 10 hours, and flying takes 8 hours (2 hours to the airport, 2 hours at the airport, 3 hour flight, 1 hour to the hotel). And unlike airplanes, there is no strip search needed to get into my car. There is also the cost: round-trip air costs nearly $500 per person, but round-trip gas cost under $150 total.

When I first planned this trip, gas prices were at an all-time high. Fortunately, prices began to drop right before we left. Get this: I paid $2.49 per gallon in Casper, Wyoming. I can't remember the last time I paid $2.49 for gas!

And speaking of Wyoming, what a boring land! Colorado is colorful. Montana is scenic. Wyoming is... depressing. No wonder Wyoming has the highest suicide rate of any state. (Yes, suicide in Wyoming is the second leading cause of death among residents between the ages of 15 to 44.)

Montana, on the other hand, is really only missing good cell phone coverage. (That "Can you hear me now?" guy has never been to Big Sky Country.) The first day, we didn't know how to spend the morning. We started out looking for an omen, some kind of entertainment. And then we saw a sign. It said, "Cruse Helena Neill". Ignoring the spelling, we drove around! (For folks not from Helena, these are street signs from one of the more complex intersections.)

CISCON

CISCON is the brainchild of my friend Brad Smith. He, along with Mandy (the real boss) and Nina, run an awesome security conference.

There are basically three sizes of conferences, and each has a different personality. The big conferences, like Black Hat and Defcon, cover lots of topics and have huge crowds. In these conferences, attendees generally listen. Even with break-out Q/A sessions, there is very little personal interaction between the speaker and the audience.

Medium conferences, like Lockdown, cover fewer topics, but the audience has a better chance of getting a little more personal-time with the speakers. However, even with a few hundred attendees, don't expect to monopolize the speaker's time or bond with very many other attendees.

Small conferences give that personal experience. CISCON had around 100 attendees total. Every person who wanted to chat with a speaker had the opportunity. As a speaker, I used this time to learn more about the issues that are on the audience's mind.

CISCON is unlike other security conferences. Rather than being hard-core security people and programmers, the conference was about a third medical personnel, a third from accounting and legal, and the rest from a smattering of fields where security is a concern. Maybe a dozen people held some kind of security certification, but most did not. And I was one of only a half-dozen hackers at the conference. This was a different and very interesting experience.

CISCON Talks

Brad started this conference by saying "no PowerPoint and no bullets". Fortunately, he gave me special permission to use both. I gave my talk on Image Analysis and Photo Forensics. I think it went over pretty well.

One of the talks that I attended did something that a medium or large conference could never do: every attendee introduced himself to the room. The discussion on Electronic Discovery and Personally Identifiable Information was directed by the room's needs. This made the topic very interesting... There was a hacker (excluding myself), an experienced technical expert witness (myself), an attorney, a medical administrator, and a handful of people from different fields. We all had different opinions about the importance around PI and ED. The differences were fascinating.

The surprise talk was a fill-in by Brad Smith. (Brad advertises himself as the only CISSP who is also a registered nurse.) I met Brad years ago at Black Hat, and I've always found discussions with him to be fascinating. However, I had never actually heard him give a presentation. Wow. Holy Cow. If you ever have the chance to hear him speak, make every effort to get there. Brad wasn't even scheduled to speak, but the scheduled speaker was late. Brad's topic: Neuro-Linguistic Programming (NLP). It is behavioral science -- tuning vocabulary and cadence and habitual ticks into social engineering and a provable approach toward lie-detection. I learned more in that one hour than in the entire last month.

The end of the conference had two events that I really enjoyed. The first was the "Rump Session". Basically, everyone had up to three minutes to rant about any security topic of their choice. It was very entertaining.

The conference closed with an open question: what topics they would like to see next year? The list was impressive. Many requests were for introductory security topics that would seem too beginner for Defcon or Black Hat. Topics like "physical security" (locks and basic protection measures) and encryption/steganography were both mentioned. A few advanced topics were also brought up: forensics, defense, and wireless security.

Overall, this was a very enjoyable conference. If you have the opportunity to attend CISCON next year, I highly recommend it. But beware: they want to keep the conference small, so register early if you want to get in. And if anyone wants to cut their teeth as a speaker, this is a good, friendly conference.

One of the biggest problems in information warfare comes from not knowing the source of an attack. If there is misinformation, then who provided it and for what purpose? For example, were the false pictures of an Iranian missile launch actually created by the Iranian government, or by some rogue video editor, or planted by a hostile nation with the intent of making Iran look bad, or...

Unless someone confesses (and the confession is truthful), you never really know who is really controlling things from behind a curtain of anonymity.

Vote Early, Vote Often

As we get closer to the election, the amount of information warfare is increasing. McCain is now reportedly using close to 100% attack ads to spread misinformation. So as not to show a political bias: not all of Obama's claims have been truthful either. The ratio is currently about 10-to-3 -- ten false statements by McCain for every three false statement by Obama. But unlike Obama, McCain's team continues to repeat false information even after it is proved inaccurate.

TV commercials are required to include disclaimers saying who's opinion is being expressed. "I'm John McCain and I approve this message" or "I'm Barack Obama and I approved this message." Sometimes these ads are sponsored by opinionated third parties: "This messages is paid for by Mothers against Plumber's Butt."


Unfortunately, in the last few weeks leading up to the elections, the ads have taken a turn toward high-tech. I have received spam for Obama and phone calls for John McCain.

Hello. Hello again...

Everyday my phone rings with automated systems that try to tell me how to vote. Usually they are for or against Congresswoman Marilyn Musgrave. (For those who don't know, Musgrave is repeatedly called one of the most corrupt members of Congress.) However, a recent phone call (mp3) really surprised me:

Hello. I'm calling for John McCain and the RNC because you need to know that Barack Obama has worked closely with domestic terrorist Bill Ayers, whose organization bombed the U.S. Capitol, the Pentagon, a judge's home and killed Americans. And Democrats will enact an extreme leftist agenda if they take control of Washington. Barack Obama and his Democratic allies lack the judgment to lead our country. This call was paid for by McCain-Palin 2008 and the Republican National Committee at 202-863-8500.

Of course, my first reaction was obvious: Calling for John McCain? He doesn't live here. But I can understand the confusion considering that he doesn't know how many homes he owns.

The phone message repeats false information that has been promoted by McCain for weeks. It has been repeatedly proven false that Obama has anything more than a passing "met him briefly a few times" type relationship with Ayers. Also, Ayers was investigated for domestic bombings, but the charges were dropped. More importantly, the bombings happened when Obama was 8 years old and had no relationship with Ayer's "Weather Underground" organization. This McCain-promoted association "with a terrorist" seems nothing more than an outrageous, desperate attempt to sway public opinion.

The mass media recently began reporting about this negative ad phone call. Although the call says it is paid for by the RNC, that does not necessarily mean that they had direct control over the ad campaign. For example, if Hertz hires OJ Simpson to be a spokesman, the company is not responsible for any illegal actions OJ does. This could just be a case of a last minute "get any ad out there" and McCain losing control of his campaign. Remember: this phone call never has McCain saying "I approve this message."

Uh, but his campaign did approve. In yet another sign of incompetence, the McCain campaign is cited as saying that the calls are warranted. Keep in mind, this same telemarketing firm was hired in 2000 to run a smear campaign against McCain! Yes: the same dirty tactics by the same company used by Bush against McCain are now being used by McCain against Obama. As McCain said in 2000:

''I'm telling you, they're shooting at me from everywhere,'' Mr. McCain said. ''Everybody's against me."

Even fellow Republicans are criticizing this latest attack method. As Senate Majority Leader Harry Reid said: these are scummy tactics. Reid is quoted as saying, "I can't believe that (McCain) knows that they're doing this." A campaign that is out of control? Who is pulling the strings? More importantly: if McCain cannot control his presidential campaign, how can we expect him to run a country? These large-scale campaigns are multifaceted and complex, but nowhere near as complicated as running the most powerful nation in the world. And McCain's team is already out of control.

Spam Spam Spam

While we all hate telemarketers and automated telephone political ads, we also hate spam. Sadly, someone is sending out "pro-Obama" spam on behalf of Barack Obama.

Date: Sat, 18 Oct 2008 05:07:25 UT
To: [redacted]
From: "Barack Obama"
Reply-To: Barack_Obama@bronzemail-usa.com
Subject: Join our campaign

To no longer receive emails from us, please go to
http://ct.bronzemail-usa.com/rd/cts?d=[redacted]
This is no ordinary time, and this is no ordinary election.

After eight years of failed policies that have devastated America's economy, it's never been more important to bring change to this country.

That's why I'm running for president. But I can't do it alone.

Sign up today to join our campaign for change:

http://ct.bronzemail-usa.com/rd/cts?d=[redacted]

You'll receive campaign news, invitations to events in your area, opportunities to get involved, and information about how to register and where to vote.

If you'd like to update your email address or other contact information, please click here:

http://ct.bronzemail-usa.com/rd/cts?d=[redacted]

If you wish to stop receiving emails from the Democratic National Committee, you can unsubscribe at any time by clicking the link at the bottom of the messages you receive.

Millions of Americans, in all 50 states, agree that Washington hasn't been working for our families, and that it's time to put an end to the insider politics that have favored lobbyists, special interests, and giant corporations.

You can join them, and help to bring the change we need. With less than a month until Election Day, time is running out to make a difference.

If you agree that America can't afford another four years of more of the same, join our campaign today:
http://ct.bronzemail-usa.com/rd/cts?d=[redacted]

Thanks,

Barack
---
Paid for by the Democratic National Committee. Approved by Obama for America.
430 S Capitol St SE
Washington, DC 20003

According to the email header, this email really did come from "bronzemail-usa.com". The sender matches the SPF record, and the DKIM is valid. Bronzemail-usa is a mass-mailing company. And the email itself is CAN-SPAM compliant: no forged headers, content is not obviously deceitful, an opt-out method is provided, and what appears to be a valid address is provided. (Yes: CAN-SPAM permits opt-out emailing. Blame the CAN-SPAM architects for permitting anything more than opt-in mailings.) As an aside: the fact that "Barack_Obama@bronzemail-usa.com" is not his email address at "Obama for America" does not imply deception. The address domain matches the service provider, and the account name matches the content. If you follow the hyperlinks, then you get redirected to "www.democrats.org" for joining the campaign.

Now keep in mind: this undesirable email ad does not attack McCain and does not say that it is actually from the Barack Obama. The ad only says that it is paid for by the DNC and approved by "Obama for America", which is Obama's campaign group. This could be 'yet another' case of a campaign beginning to get out of control as they send unsolicited political email to random email addresses that may not even represent voters. However, this is unlikely a scam since the hyperlinks redirect back to the Democratic party's web site.

According to reports, Bronzemail-USA is not the only mass mailing provider sending these emails. Other people have seen the message coming from less desirable companies. For example, the email from "BarackObama@ehb128.com" came from WSN LLC -- a company better known as "eHardBodies" (guess what "ehb" stands for). Obama is now associated with "Sexy, Anonymous and uncut personals!" (Ironic that the address is on "Church" street.) Then again, I have not seen the header for this email, so I cannot verify that it is as legitimate as the one I received.

The bigger issue with spam-based political ads is that everyone gets hit with them. The offensive McCain phone ad isn't going to call people in the UK or China. However, spam will. Moreover, my email address that received this spam is strictly a spam honeypot. The address has never signed up for anything, is not linked to any political organization, and cannot even be identified as a US citizen. Nothing even says that this is an adult's account -- they could be spamming a non-voting, foreign child.

Over the years, this particular honeypot email address has been repeatedly stolen by spammers who managed to get every email address at the ISP. (Yes: Comcast's address list is p0wned by spammers.) So how did it get signed up with "bronzemail-usa.com"? Most likely, they purchased the list -- either from Comcast or from spammers. In either case, this does not give me a warm fuzzy feeling.

The Right Choice?

Sadly, the only Presidential hopeful who has not offended me so far is Paris Hilton. Too bad she isn't running for real -- she actually knows how to control her campaigns.