Communications of the ACM, February 2019, Vol. 62 No. 2
By Dror G. Feitelson
Someone did not tighten the lid, and the ants got into the honey again. This can be prevented by placing the honey jar in a saucer of water, but it is a nuisance, occupies more counter space, and one must remember to replenish the water. So we try at least to remember to tighten the lid.
In the context of security, the software industry does not always tighten the lid. In some cases it fails to put the lid on at all, leaving the honey exposed and inviting. Perhaps the most infamous example of recent years is the WINvote voting machine, dubbed the worst voting machine in the U.S. A security analysis by the Virginia Information Technologies Agency in 2015 found, among other issues, the machines used the deprecated WEP encryption protocol, that the WEP password was hardwired to “abcde,” that the underlying Windows XP (which had not been patched since 2004) administrator password was set to “admin” with no interface to replace it, and that the votes database was not secured and could be modified. These machines had been used in real elections for more than 10 years.