Monday, June 27, 2011

5-4 bad decision against Arizona Clean Elections law

The decision in Arizona Free Enterprise Club's Freedom Club PAC v. Bennett came out today (PDF), a 5-4 decision ruling Arizona's Clean Election laws unconstitutional.  The dissent, it seems to me, has a much better case than the majority:
the program does not discriminate against any candidate or point of view, and it does not restrict any person's ability to speak.  In fact, by providing resources to many candidates, the program creates more speech and thereby broadens public debate. ...
At every turn, the majority tries to convey the impression that Arizona's matching fund statute is of a piece with laws prohibiting electoral speech. The majority invokes the language of "limits," "bar[s]," and "restraints." ... It equates the law to a "restrictio[n] on the amount of money a person or group can spend on political communication during a campaign." ...

There is just one problem. Arizona's matching funds provision does not restrict, but instead subsidizes, speech. The law "impose[s] no ceiling on [speech] and do[es] not prevent anyone from speaking." ... The statute does not tell candidates or their supporters how much money they can spend to convey their message, when they can spend it, or what they can spend it on. ...

In the usual First Amendment subsidy case, a person complains that the government declined to finance his speech, while financing someone else's; we must then decide whether the government differentiated between these speakers on a prohibited basis--because it preferred one speaker's ideas to another's. ... But the speakers bringing this case do not make that claim--because they were never denied a subsidy. ... Petitioners have refused that assistance. So they are making a novel argument: that Arizona violated their First Amendment rights by disbursing funds to other speakers even though they could have received (but chose to spurn) the same financial assistance. Some people might call that chutzpah.

Indeed, what petitioners demand is essentially a right to quash others' speech through the prohibition of a (universally available) subsidy program. Petitioners are able to convey their ideas without public financing--and they would prefer the field to themselves, so that they can speak free from response. To attain that goal, they ask this court to prevent Arizona from funding electoral speech--even though that assistance is offered to every state candidate, on the same (entirely unobjectionable) basis. And this court gladly obliges.
(See my previous argument against the Institute for Justice's position on this, with some subsequent clarifications on other aspects of the law.)

The majority position on this issue is that the unconstitutionality arises from the way that the subsidy to clean elections candidates is tied to campaign spending by the non-clean-elections candidates; I take it that had the subsidy been a fixed amount the argument would not have worked at all.

There's a good overview of the issues at the SCOTUS blog.

Saturday, June 25, 2011

Arizona Department of Public Service's security breach

LulzSec breached the security of the Arizona Department of Public Service (DPS) at some point in the past, and on June 23 around 4 p.m. Arizona time, posted some or all of what they had acquired.  This included the names, email addresses, and passwords of several DPS officers as well as a number of internal documents which appeared to have been obtained from email attachments or perhaps from the compromise of end user systems.  The documents included a PowerPoint presentation on gang tattoos that purported to be a way of identifying Islamic radicals, which was reminiscent of similar ludicrous law enforcement presentations from the 1980s about identifying Satanic cult members by their black clothing and occult symbols. (Some police departments still promote such nonsense, citing exposed fraud "Lauren Stratford" as a source).  The documents also included a bulletin which expresses concern about the "Cop Recorder" iPhone application.

On June 24, DPS posted a press release responding to the attacks, accusing LulzSec of being a "cyber terrorist group"--a term better reserved for criminally disruptive activities intended to cause physical harm or the disruption of critical infrastructure, not for embarrassing organizations that haven't properly secured themselves.  In the press release, DPS enumerates the steps they've taken to secure themselves and the safeguards they've put in place. It's an embarrassing list which suggests they've had poor information security and continue to have poor information security.

First, their press release has a paragraph suggesting that the damage is limited, before they've probably had time to really determine that's the case.  They write:

There is no evidence the attack has breached the servers or computer systems of DPS, nor the larger state network. Likewise, there is no evidence that DPS records related to ongoing investigations or other sensitive matters have been compromised.

Just because they have "no evidence" of something doesn't mean it didn't happen--what records did they review to make this determination?  Were they doing appropriate logging?  Have logs been preserved, or were they deleted in the breach?  Do they have centralized logging that is still secure?  When did the compromise take place, and when did DPS detect it?  The appearance is that they didn't detect the breach until it was exposed by the perpetrators.  What was the nature of the vulnerability exploited, and why wasn't it detected by DPS in a penetration test or vulnerability assessment?  LulzSec has complained about the number of SQL injection vulnerabilities they've found--was there one in DPS's web mail application?
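The SQL injection question above is worth making concrete, since it's the kind of flaw that puts an entire credential table into an attacker's hands.  The example below is added here and is not code from this post, from DPS, or from LulzSec; the in-memory user table and the "webmail" login functions are assumptions constructed for illustration.  It puts a login query built by string concatenation next to the same query written with bound parameters, and shows that a classic tautology in the password field satisfies the first and is rejected by the second.

```python
import sqlite3

# Constructed in-memory "webmail" user table. The schema and rows are
# assumptions for this example, not anything taken from DPS systems.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('officer1', 'hash-of-correct-pw')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password_hash):
    # The query is assembled by string formatting, so anything the client
    # sends becomes SQL syntax rather than data.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password_hash):
    # Bound parameters keep the input as a literal value; the database never
    # parses it as part of the statement, so the tautology simply fails to match.
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None

def demo():
    """Run both login paths against correct, wrong and tautology inputs.

    Returns a dict of results so the comparison can be inspected or asserted on."""
    conn = build_db()
    good = ("officer1", "hash-of-correct-pw")
    wrong = ("officer1", "hash-of-wrong-pw")
    # Constructed probe: a quote that closes the literal, then a clause that is
    # always true. A web application firewall or input validation in front of
    # the app should flag this; parameterization makes it harmless regardless.
    tautology = ("officer1", "' OR '1'='1")
    return {
        "vulnerable": {
            "good": login_vulnerable(conn, *good),
            "wrong": login_vulnerable(conn, *wrong),
            "tautology": login_vulnerable(conn, *tautology),
        },
        "parameterized": {
            "good": login_parameterized(conn, *good),
            "wrong": login_parameterized(conn, *wrong),
            "tautology": login_parameterized(conn, *tautology),
        },
    }

if __name__ == "__main__":
    for path, results in demo().items():
        print(path, results)
```

The point for an organization like DPS is that the fix is not exotic: every query that touches user input should use the driver's placeholders, and a code review or automated scan looking for string-built SQL would have found the pattern before a penetration tester (or an attacker) did.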

Next, they report what they've done in response, and again make statements about how "limited" the breach was:

Upon learning that a limited number of agency e-mails had been disclosed, DPS took action. In addition to contacting other law enforcement agencies, the Arizona Counter Terrorism Information Center (ACTIC) has been activated. Remote e-mail access for DPS employees remains frozen for the time-being. The security of the seven DPS officers in question remains the agency's top priority and, since a limited amount of personal information was publicly disclosed as part of this breach, steps are being taken to ensure the officers' safety and that of their families.

They've disabled the e-mail access that they believe was used in the breach--that's good.  Presumably the exposed officer passwords were discovered to be from this system.  Perhaps they will not re-enable the system until they have a more secure mechanism that requires VPN access and two-factor authentication--or at least intrusion prevention, a web application firewall, and effective security monitoring.  They've notified ACTIC--presumably in part because of their overblown claim that this breach constitutes "terrorism" and in part because there are some ACTIC personnel who have good knowledge of information security.  And they're doing something to protect the safety of officers whose personal information (including some home addresses) was exposed.

In the final paragraph of the press release, they list some of the safeguards they have in place:

- 24/7 monitoring of the state’s Internet gateway.
- Industry-standard firewalls, anti-virus software and other capabilities.
- IT security staff employed at each major state agency.
- Close coordination between the State of Arizona and state, federal and private-sector authorities regarding cyber-security issues.

This sounds like a less-than-minimal set of security controls.  Is that 24/7 monitoring just network monitoring for availability, or does it include security monitoring?  Do they have intrusion detection and prevention systems in place?  Do they have web application firewalls in front of web servers?  Do they have centralized logging and are those logs being monitored?  Are they doing event correlation?  How many full-time information security staff are there at DPS?  Are there any security incident response staff? Is there a CISO, and if so, why isn't that person being heard from?  Does DPS have an incident response plan?  Are they reviewing policy, process, and control gaps as part of their investigation of this incident?  Have they had any third-party assessments of their information security?  Have any past assessments, internal or external, recommended improvements that were not made?
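To show what "centralized logging" and "event correlation" actually buy you over a firewall and anti-virus, here is a small correlation routine.  It is added here and is not code from this post or from DPS; the log lines are constructed samples in a syslog-like layout that is an assumption for the example, since the real DPS gateway and webmail log formats are not public.  It joins events from two sources (the Internet gateway's HTTP log and the webmail authentication log) on source IP, flags a burst of failed logins inside a time window, flags a successful login that follows such a burst, and flags a request whose URI decodes to a SQL-injection-shaped string.  A source that only looks at one log at a time sees none of the combined picture.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample events. The layout (ISO timestamp, source host,
# subsystem, key=value fields) is an assumption for this example.
SAMPLE_LOGS = """\
2011-06-20T02:14:01 webmail auth: result=FAILED user=officer1 src=203.0.113.7
2011-06-20T02:14:03 webmail auth: result=FAILED user=officer2 src=203.0.113.7
2011-06-20T02:14:05 webmail auth: result=FAILED user=officer3 src=203.0.113.7
2011-06-20T02:14:09 webmail auth: result=OK user=officer3 src=203.0.113.7
2011-06-20T02:15:10 gateway http: uri=/mail/search?q=%27%20OR%20%271%27%3D%271 src=203.0.113.7
2011-06-20T09:00:00 webmail auth: result=OK user=officer1 src=198.51.100.4
2011-06-20T09:05:00 gateway http: uri=/mail/inbox src=198.51.100.4
2011-06-20T11:00:00 webmail auth: result=FAILED user=officer4 src=192.0.2.9
2011-06-20T11:30:00 webmail auth: result=FAILED user=officer4 src=192.0.2.9
2011-06-20T12:00:00 webmail auth: result=FAILED user=officer4 src=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<subsystem>\w+): (?P<fields>.*)$")
# A quote followed by OR/AND/comment marker: a crude SQL-injection signature,
# enough to show the idea; a real WAF or IDS rule set is far broader.
SQLI_RE = re.compile(r"'\s*(or|and|--|;)", re.IGNORECASE)

def parse(lines):
    """Turn raw lines into event dicts; lines that do not fit the layout are dropped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev.update(kv.split("=", 1) for kv in ev.pop("fields").split())
        events.append(ev)
    return events

def correlate(lines, max_failures=3, window=timedelta(minutes=5)):
    """Correlate gateway and webmail events keyed on source IP.

    Returns a sorted list of (src, alert_name) tuples, one per distinct finding."""
    alerts = set()
    failures = defaultdict(list)  # src -> timestamps of failed logins in the window
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        src = ev.get("src")
        if ev["subsystem"] == "auth":
            # Keep only failures still inside the sliding window.
            recent = [t for t in failures[src] if ev["ts"] - t <= window]
            if ev.get("result") == "FAILED":
                recent.append(ev["ts"])
                failures[src] = recent
                if len(recent) >= max_failures:
                    alerts.add((src, "login-failure-burst"))
            elif ev.get("result") == "OK" and len(recent) >= max_failures:
                # A success right after a burst of failures is the event worth
                # paging someone for: it looks like a guessed or sprayed password.
                alerts.add((src, "success-after-failure-burst"))
        elif ev["subsystem"] == "http":
            if SQLI_RE.search(unquote(ev.get("uri", ""))):
                alerts.add((src, "sqli-pattern-in-uri"))
    return sorted(alerts)

if __name__ == "__main__":
    for src, alert in correlate(SAMPLE_LOGS):
        print(src, alert)
```

In the constructed data, 203.0.113.7 trips all three rules while 192.0.2.9's three failures, spread over two hours, trip none, which is the sliding window doing its job.  Note that the correlation only works if both logs are still intact and in one place; that is exactly why the questions about log preservation and centralization above matter, since an intruder with access to a host can simply delete the local copy.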

These are questions journalists should be asking, which DPS should certainly be asking itself internally, and which organizations that haven't had a publicized breach yet should be asking themselves.  Breaches are becoming inevitable (a recent Ponemon Institute survey says 90% of surveyed businesses have had a security breach in the last 12 months; CNet charts the recent major publicly known breaches), so having in place the capacities to respond and recover quickly is key.

Here's how NOT to prepare:
Depth Security, "How to Get Properly Owned"

Here's how NOT to respond to a breach or vulnerability disclosure:
SANS ISC, "How Not to Respond to a Security Incident"

How to publicly disclose a breach:
Technologizer, "How to Tell Me You Let Somebody Steal My Personal Information"

Friday, June 24, 2011

Help Talk Origins bid for "Expelled"?

The assets of Premise Media, including rights to "Expelled," are going up for auction.  The Talk Origins Foundation plans to bid for the film, which includes production materials.  Their stated plan seems to be just to determine what interesting information might be in the production materials or raw footage and make that known, not, as I've suggested, make an "MST3K"-style version, or a version that points out and corrects the errors.

UPDATE (June 28, 2011): The winning bid for "Expelled" was $201,000.  My guess is that the film would only be worth that much to somebody who plans to promote it as-is without any significant re-editing, and thinks they can extract at least that much value out of it--perhaps via charitable deduction by giving it to a creationist organization.  There was a bidding war at the end between two bidders that drove the price up this morning from $43,000 (last night's high bid) to $201,000, which caused the bid to be extended 10 minutes beyond its scheduled end time in one- or two-minute extension increments.  It was at $122,000 at the original auction end time, so that last $79,000 increase occurred in the last 10 minutes.

Monday, June 06, 2011

Expelled up for auction

Premise Media Holdings LP is in bankruptcy, and its assets are going up for auction online between June 23 and 28.  Those assets include the film "Expelled."  Perhaps a few of us should get together and buy it, and reissue it in a "Mystery Science Theatre 3000" format?

UPDATE:  As Damian Howard and Bob Vogel pointed out on Facebook, this adds financial bankruptcy to the moral and intellectual bankruptcy of the film.