election security – Techdirt

The Case Against Reality Winner Was A Travesty

from the now-with-even-more-proof dept

Ever since Reality Winner was arrested, we’ve written about the ridiculousness of her case. It was yet another in a long line of cases using the Espionage Act to go after whistleblowers who aren’t spies, but are actively trying to do the right thing — and, as per the Espionage Act — not even allowed to give the context to the court. And, as we noted, the information that Winner “leaked” and for which she was sentenced to five years in prison, was publicly revealed by other government agencies anyway, which seems to completely erase any claim that the leaking of the documents caused some sort of harm to national security.

This week, 60 Minutes conducted an interview with Reality Winner and it’s worth reading (or watching). A key part is that Winner’s whistleblowing actually helped to better secure the 2018 election, providing useful information to protect against hackers:

But what prosecutors called grave damage was a bombshell of truth to the Federal Election Assistance Commission, which helps secure the vote. In hours, the commission issued an alert on the “NSA document leak.” It spelled out the top secret email addresses “utilized by the attackers.” And urged officials to “check email logs.” Blindsided by Winner’s revelation, the commission called for “full disclosure of election security intelligence.” Two former officials told us, Reality Winner helped secure the 2018 midterm election.

That sure sounds like fundamental whistleblowing, and not “espionage.” But, under the Espionage Act, Winner was not allowed to discuss any of that.

The piece also details her motivations, which were basically to make sure people knew that the president was (1) lying about election hacks, and (2) as noted above, to make sure the people who needed to actually protect our elections were aware of vulnerabilities:

President Trump: If you don’t catch a hacker, okay, in the act, it’s very hard to say who did the hacking.

The president was raising doubt that Russia attacked the 2016 election. His interview with John Dickerson was typical of the time.

President Trump: I’ll go along with Russia, could have been China, could’ve been a lot of different groups.

But it was Russia and the NSA knew it. Reality Winner had seen proof in a top secret report on an in-house newsfeed.

Reality Winner: I just kept thinking, “My God, somebody needs to step forward and put this right. Somebody.”

The secret report said, in 2016, the Russian military “executed cyber espionage” against “122… local government organizations” “targeting officials involved in the management of voter registration systems.” It was top secret, in part, because it revealed what the U.S. knew about Russian tactics. Winner told us she was exposing a White House cover up. She printed the report, dropped it in this mailbox, addressed anonymously to an online news source that specialized in government wrongdoing. The NSA report was published a month later.

The piece also highlights the unfair treatment Winner got as compared to things that seem a hell of a lot more serious (and much, much closer to actual espionage):

In 2008, Gregg Bergersen, a Pentagon employee, was convicted of selling secrets to the Chinese. He was seen in FBI surveillance getting his pocket stuffed with cash. His sentence was six months shorter than Reality Winner’s. In 2012, former Army general and CIA Director David Petraeus gave notebooks of top secret information to an author who was his mistress. He was charged with misdemeanor mishandling of classified information and never spent a minute in jail.

The Espionage Act itself is a travesty and needs to be repealed. The entire setup of the law is such that it is not that useful in actual espionage cases, but has become a powerful tool for the government to go after whistleblowers.

Filed Under: election security, espionage act, leaking, reality winner, whistleblowing

Arizona County's Voting Machines Rendered Unusable By OAN-Financed Vote Auditors

from the nice-work,-cyber-idiots dept

The libs have been owned. They’ve been owned so thoroughly that Maricopa County, Arizona is going to need to buy millions of dollars of new electronic voting machines.

Arizona Secretary of State Katie Hobbs sent a letter Thursday to Maricopa County officials to let them know that the fake “audit” of the 2020 election probably ruined hundreds of voting machines the county sent for “testing” under a subpoena from the state Senate. Since there’s no knowing whether Cyber Ninjas, the QAnon enthusiasts running the audit, had messed up the machines, they can’t safely be used again in future elections.

Once the machines were no longer under Maricopa County’s control, Hobbs explained, the “chain of custody” was broken, leaving her with “grave concerns regarding the security and integrity of these machines,” she wrote.

Before we get into the more expensive implications of this, let’s backtrack a little to see how this came to be.

For months leading up to the 2020 presidential election, President Donald Trump and his enablers claimed the upcoming election would be fraudulent. Suspecting he was on his way out, Trump ramped up his baseless claims that everything from voting machines to mail-in votes couldn’t be trusted.

Once he had lost, the claims went into overdrive. The election had been “stolen.” Hundreds of true believers stormed the Capitol on January 6, 2021 with the intent of preventing the election from being certified as a win for Joe Biden.

The claims of fraud continued. Nobody could prove any fraudulent activity had occurred but Trump and his acolytes continued to insist Trump had been illegally removed from power. This group of idiots included several Congressional reps and Senators. It also included everyone from a pillow salesman to a cybersecurity “expert” who claimed his inability to properly compose a tweet was evidence of malicious hacking.

Welcome to Maricopa County, where every day is another scene cut from “Veep” because it was considered too improbable. State senate Republicans hired the ridiculous-sounding “Cyber Ninjas” to perform “America’s Audit” (called this despite the fact it’s confined to a single county in a single state) — a recount of every vote in the county.

Since then, it’s been fiascoes piled on debacles piled on a foundation of conspiracy theories. It started with auditors working with blue pens that could be used to change ballots. Auditors are only supposed to use red pens, which can’t be read by auditing equipment and voting machines.

That’s the most sane part of this. The CEO of the Cyber Ninjas has tweeted out stuff about “stopping the steal.” The audit is partially financed by One America News Network, one of several entities sued for defamation by Dominion Voting Systems. At one point, auditors were using UV lights and 5k cameras to search for traces of bamboo, following up on the absurd claim that a box of filled ballots had been shipped in from China. How this was supposed to prove a link between ballots and China is best left to the brain geniuses at Cyber Ninja, who probably assume nothing is above slanty-eyed furriners and their desire to elect Sleepy Joe.

Even the Republican-dominated Maricopa County Board of Supervisors found the whole thing appalling. Its scathing letter to state Senate leadership pointed out the auditors’ inexperience and apparent inability to count and said the whole thing was nothing more than the state Senate placing election integrity in the hands of “grifters and con artists.”

This brings us back to the latest insanity. The voting machines were turned over to the Cyber Ninjas, who then acted as though chain-of-custody isn’t that big of a deal. Since they followed none of the steps needed to ensure the machines remained intact and secure, the county has no choice but to decertify them once the Ninjas are done entertaining their “stolen election” fantasies. This isn’t just the Secretary of State saying this. This is also the DHS’s election security experts.

[DHS officials] unanimously advised that once election officials lose custody and control over voting systems and components, those devices should not be reused in future elections. Rather, decommissioning and replacing those devices is the safest option as no methods exist to adequately ensure those machines are safe to use in future elections.

As many as 358 machines may be affected by the actions of cybersecurity “experts” who have no previous experience with either election security or conducting a vote audit. The total cost for replacement could be more than $6 million.

The only upshot is that local residents won’t be paying for these. Thanks to the agreement reached with the so-called auditors, Maricopa County isn’t responsible for costs like these. No, it will be the entire state paying for the clusterfuck that is “America’s Audit.” The state is on the hook. And with lawsuits already flying, taxpayers will be out even more money no matter what the outcome of this litigation is. And it all could have been prevented by either 1) hiring competent people to conduct the audit or 2) Senate Republicans not indulging the worst members and supporters of their party.

Filed Under: arizona, audit, chain of custody, cybersecurity, election security, elections, maricopa county, recount, voting machines
Companies: cyber ninjas

Utter Insanity: Trump Lawyer Suggests Former Trump Cybersecurity Official Should Be 'Taken Out And Shot' For Saying The Election Was Secure

from the what-is-wrong-with-these-people? dept

Every day that I think I can’t be shocked and horrified by anything being done in the name of politics today, I end up being more shocked and more horrified. The latest is that one of the President’s campaign lawyers, Joe diGenova, who has been involved in a wide range of politically motivated conspiracy theory mongering, went on the Howie Carr show to say that fired CISA director Chris Krebs should be “taken out and shot.”

There’s a lot to unpack here. First off, we wrote about Krebs being fired by Trump for daring to contradict the narrative that the election was rigged. Krebs is one of a very few Trump appointees who was widely respected across the political spectrum. In his years running the newly created Cybersecurity and Infrastructure Security Agency (CISA), he’d been praised by many for the job he had done in actually dealing with cybersecurity threats, and coordinating information sharing about such threats to the private sector.

But him telling the truth and debunking the politically motivated nonsense the President and his dwindling team of supporters are trying to spew, apparently means that Krebs has been cast out as the enemy. Making matters worse (for Trump and his supporters) was that on Sunday, 60 Minutes had Krebs on, in which he made a very credible case that the President was just making shit up in claiming that there was interference or malfeasance in the election. In fact, in that interview, Krebs highlighted the death threats that are being made against election officials, rightly calling it “a travesty” that public servants are put through this nonsense.

And it’s, in my view, a travesty what’s happening right now with all these death threats to election officials, to secretaries of state. I want everybody to look at Secretary Boockvar in Pennsylvania, Secretary Benson in Michigan, Secretary Cegavske in Nevada, Secretary Hobbs in Arizona. All strong women that are standing up, that are under attack from all sides, and they’re defending democracy. They’re doin’ their jobs. Look at– look at Secretary Raffensperger in Georgia, lifelong Republican. He put country before party in his holding a free and fair election in that state. There are some real heroes out there. There are some real patriots.

And now Krebs is facing the same nonsense.

Howie Carr, the host of the show is a long time, Boston-based, Trump-supporting talk show host and columnist. He had diGenova on his show, which was simulcast to Newsmax (one of the two Trump-loving TV networks trying to take over the insane conspiracy theory pushing crown from Fox News) and allowed diGenova to say that Krebs should be killed. Carr doesn’t appear to have the video of it up on his own YouTube channel yet, but MediaMatters has the clip that you can see for yourself.

diGenova: This was not a coincidence. This was all planned. And anybody who thinks the election went well, like that idiot Krebs who used to be the head of cybersecurity for DHS.

Carr: Oh yeah, the guy who was on 60 Minutes last night.

diGenova: That guy… that guy is a class A moron. He should be drawn and quartered. Taken out at dawn and shot.

Carr then chuckles for a bit before changing the subject.

Let’s be totally clear: this is offensive and dangerous. It would be offensive and dangerous coming from anyone, but the fact that it’s coming from a lawyer currently representing the President of the United States is completely and utterly terrifying. No, it almost certainly doesn’t reach the “true threats” test of the Supreme Court to be speech not protected by the 1st Amendment, but that doesn’t mean it’s not wildly inappropriate and dangerous.

I understand that Trump’s circle of grifters and hangers-on will not let truth, accuracy, or common decency stand in the way of spreading their cult of bullshit, lies, FUD, and nonsense, but the rest of the country ought to speak up and make it clear that this is totally unacceptable. And that includes Republicans in Congress who have continued to try to look the other way or pretend that what Trump and his band of legal misfits are doing is totally normal and acceptable. It is not.

Filed Under: chris krebs, election security, elections, howie carr, joe digenova, rhetoric

Trump Fires US Cybersecurity Director Chris Krebs After Krebs Debunks Trump's Claims Of Election Systems Fraud

from the mad-king-tantrum dept

As we noted last week, it was widely expected that sooner or later Donald Trump would turn his post-election temper tantrum towards Chris Krebs, the widely respected director of the Cybersecurity and Infrastructure Security Agency (CISA). Krebs had been standing firm in reporting that there was no evidence to support the widespread conspiracy theories about hacked voting machines. CISA had been proactively debunking these claims.

On Tuesday morning, Krebs tweeted about how election security experts all agreed that there was no evidence of manipulated elections — directly contradicting the ongoing unsubstantiated claims of the President and his enablers:

ICYMI: On allegations that election systems were manipulated, 59 election security experts all agree, "in every case of which we are aware, these claims either have been unsubstantiated or are technically incoherent." #Protect2020 https://t.co/Oj6NciYruD

— Chris Krebs #Protect2020 (@CISAKrebs) November 17, 2020

In response, a few hours later, Trump tweeted that Krebs was fired:

If you can’t read that, it’s the President saying:

The recent statement by Chris Krebs on the security of the 2020 Election was highly inaccurate, in that there were massive improprieties and fraud – including dead people voting, Poll Watchers not allowed into polling locations, “glitches” in the voting machines which changed… votes from Trump to Biden, late voting, and many more. Therefore, effective immediately, Chris Krebs has been terminated as Director of the Cybersecurity and Infrastructure Security Agency.

There is no evidence that any of that actually happened. None. Zero. Zilch. Every single one of those stories has been debunked (and most of them have literally nothing to do with Krebs’ job). The only thing truthful in those tweets is that Trump was firing Krebs. This is a disgusting abuse of power, supporting completely bullshit conspiracy theory nonsense, in order to remove a public servant who actually did his job well in protecting against such election manipulation.

Moments later, on his personal Twitter account, Krebs tweeted with class:

This is the kind of grace and class that Trump and his enablers will never understand.

As professor Steve Vladeck notes, “we’re worse off as a country” because of “this temper tantrum” by the President.

Filed Under: chris krebs, cisa, dhs, donald trump, election security, fired, temper tantrum

House Passes Election Security Bill That Finally Adds Security Researchers To The Mix

from the still-have-to-suffer-through-this-year's-insecure-election-though dept

Everyone agrees elections should be secure. But hardly anyone in the federal government is doing anything useful about it. The shift to electronic voting has succumbed to regulatory capture which isn’t doing anything to ensure the best and most secure products are being deployed. On top of that, it’s become a partisan issue at times, resulting in legislators scoring political points rather than making voting and voters more secure.

There may be some good news on the way, although it’s unlikely to result in a more secure election in 2020. As Maggie Miller reports for The Hill, political differences have been stowed away for the moment to push an election security bill forward.

The House on Wednesday unanimously passed bipartisan legislation intended to boost research into the security of election infrastructure.

The Election Technology Research Act would establish and fund a Center of Excellence in Election Systems at the National Institute of Standards and Technology (NIST) to test the security and accessibility of voting equipment, along with authorizing NIST and the National Science Foundation to carry out research on further securing voting technology.

The bill [PDF] made its debut last year, but hasn’t gone anywhere since February 2020. Now, with an election right around the corner, the bill is finally moving again. This is still pretty last minute, though. The Senate still has to deliver its own version. And it appears to be in no hurry to do that. Earlier this year, the Senate majority blocked three election security bills, adding them to the pile of legislation Senate Majority Leader Mitch McConnell doesn’t care for.

Even with bipartisan support, one ranking House member thinks the bill just creates more problems.

Rep. Rodney Davis (R-Ill.), the ranking member of the House Administration Committee, expressed reservations about the legislation on the House floor Wednesday, saying that his panel had not held a markup or hearing on the bill and noting concerns about the legislation potentially undermining work by the Election Assistance Commission.

This may be a legitimate concern, but it could just be political posturing. Recent history shows the head of the EAC did more to undermine the EAC’s work than any outside election security efforts.

Brian Newby, the executive director of the Election Assistance Commission, has blocked important work on election security, micromanaged employees’ interactions with partners outside the agency and routinely ignored staff questions, according to former election officials, former federal employees and others who regularly work with the agency.

Newby failed to secure the EAC votes needed to serve another term. He exited the EAC last September, leaving behind a legacy of not giving a damn about election security.

The Election Assistance Commission has ceded its leadership role in providing security training, state and local officials say, forcing them to rely on the help of the U.S. Department of Homeland Security, which lacks the same level of experience in the issues confronting the country’s voting systems.

[…]

The election officials assert that the EAC’s executive director, Brian Newby, has blocked the travel of key staffers at the EAC who specialize in cybersecurity, preventing them from attending what training sessions have taken place.

Given this, it’s hard to imagine legislation that ropes in the NIST and NSF causing more problems for election security than the Election Assistance Commission has created itself.

Even if this bill lands on the President’s desk in time for this year’s election, it won’t make this one any more secure. The changes won’t be implemented immediately and a report on current security measures and processes won’t be provided to Congress for another 18 months. But it should make things better going forward, even if it will be off to a slow start. It finally adds actual researchers to the mix, which should hopefully keep this from becoming a political football every 2-4 years.

Filed Under: congress, election infrastructure, election security, election threat research act, elections, security research

Don't Panic, But Do Reflect: Lessons From The Iowa Democrat Debacle

from the don't-throw-in-the-towel dept

As I write this post, party officials in Iowa are still trying to figure out the results of last night’s Democratic Caucus, while pundits and political opponents have wasted no time in tearing into the Democratic Party, technology, and the very idea of democracy itself. Although there is plenty of reason for criticism, much of what there has been has been overwrought. Professor Ed Felten’s twitter thread here provides plenty of useful perspective on this:

Some perspective on the Iowa vote tabulation app: This is far from the worst that could have happened. Results will be tabulated correctly, if a bit more slowly than news junkies preferred. The key to securing elections is resilience. 1/6

— Ed Felten (@EdFelten) February 4, 2020

Nevertheless, there are many lessons to draw from last night’s Iowa caucus mess, but first and foremost is this one: don’t panic.

The biggest reason not to panic is that only the technology supporting the tabulation of the results broke. Whereas the systems for recording the results appear to be working just fine: there was paper, instruments for marking the paper, and (eventually) a way to transmit the recorded results to a place where they could all be added together. Sure, it will take a bit longer to add up all the results for the night, but that’s ok. Because there’s a paper trail we can still know what they are.

That said, there are still some cautionary lessons we as Americans can learn from the experience, not just for primaries and caucuses but for every election for every office, no matter how partisan, run in America.

First, of all the things elections need to be optimized for, speed is not one of them. And should not be one of them. The most important thing elections need is accuracy. While, sure, it would certainly be nice to have accurate results also quickly (and perhaps caucus officials thought the perceived convenience of the app would help towards that end), adding to the list of things it might be nice for election results to be tends to take away from what election results MUST be. And it is not worth the compromise. Which we can understand if we take a moment to think about the consequences if something does go wrong, as something almost always will. The reality is that if election results are delayed, we can still cope. As it is, in general elections results are often not certified until weeks or even months later. There is rarely a legitimate governance need requiring us to know electoral outcomes within hours of polls closing. We can wait a while, and it would probably behoove us to all expect to wait a while, because it’s our hunger for instant gratification that is creating pressure to rely on tabulation systems that are not optimized for what we can’t live without: accurate results we can all believe in. Ultimately nothing else matters, and we should be dubious about any voting solution that offers to deliver anything other than that.

Next is a lesson that applies to more than just elections, which is that just adding tech does not magically make everything better. Often, and as this situation illustrates, it can instead make things worse. Which is not to say that there is no room for technological innovation at all. The world would not be a better place if it were artificially locked into a 20th, or even 19th, century technological environment. Certainly there is a role for technology to play, and for technology innovation. However, not all new technology is necessarily an improvement over what came before. Sometimes what we already had was perfectly fine, or at least good enough for what we needed. And even if a new innovation might someday be better, it won’t necessarily be right away. In the case of the Iowa caucus, it appears they replaced the traditional tried-and-true telephonic support for reporting results with a brand new cell phone driven app, and it is not apparent why. True, sometimes older systems can have their own quirks and imperfections and things we might want to be better, and it’s not a bad thing to want to improve them. But where systems have at least been proven and reliable, any innovation needs to at least be able to deliver that same degree of trustworthiness before it can be considered a replacement, much less an improvement. No technology is magic; no innovation will suddenly solve all of our problems. Even the technology that is now regarded as proven and reliable was once new and untested itself. It takes a lot of time and a lot of work to get a technology to a point where we can depend on it for our most important functions, like elections. Expecting any new technology to immediately be able to be an adequate substitute for what came before, let alone an improvement, is therefore a mistake.

Next, paper matters. Again, the most important thing we need any electoral system to deliver is accuracy. Having a paper record helps deliver it. First, it affords redundancy. Even if our digital systems were perfect and bug-free, it would still be a good idea to have a back-up analog record. But especially while our digital technology is still evolving so rapidly and is still so decidedly NOT bug-free, it is critical to have a way to validate the results it gives us. Even when we think technology is working properly we still need to be able to audit it to make sure it is, and paper lets us do that. And then in those instances, like this one, when the technology has come up short, as it is still very much prone to do, paper means that we can still get what we need: accurate results of how people voted.

There is also one more critical lesson for now, and it’s one mentioned above: something will always go wrong, and so, by anticipating that something will go wrong, we can make it ok when it does. The more complex the system, the more likely something will go wrong. But on the other hand, a system complex enough to have problems is also complex enough to contain solutions.

Elections are complex systems, so there are plenty of opportunities for hiccups. Which is not to say that we want hiccups; naturally we should try to minimize them. The issue though is that no matter how much you try to eliminate them, hiccups will still happen, so what we need to do is be ready. And that means at least two things: one, that we design our systems to have the resiliency needed to overcome those hiccups. For instance, in the case of Iowa, the results could not be transmitted to a central accounting system via the app, and that was a problem. But because there was a paper record they will be able to overcome the problem.

And it means something else, which goes back to the first point made in this post: don’t panic. Don’t rush to throw away faith in our electoral systems when things go wrong, because it is almost a near certainty that something will go wrong. But just because something has gone wrong does not mean it’s the end of the world. Yet if, instead of allowing our systems to self-correct, we instead jump immediately to panic, we create a new problem. The reason we need accurate election results is because we need to be able to believe in them. It won’t matter how accurate they are though if we simply refuse to.

When things go wrong, as they are wont to, we need to take a deep breath and give them a chance to right themselves, which is what will happen in Iowa since they have paper records. Furthermore, as the saying goes, never attribute to malfeasance what can be more readily explained by incompetence. What happened in Iowa was the result of a poor deployment of a technological solution. It was not a conspiracy. It was not the Russians. It was plain old human error to have so heavily depended on this untested mobile app system. And the good news is that we can deal with these sorts of bad decisions. Sure, there are plenty of things we can and should do to minimize these sorts of problems and improve our electoral systems, like better fund and train local election authorities, end reliance on unproven new technologies for supporting elections, ensure we always have paper records, reinforce the franchise, and so on. But there’s no point in attacking our own democracy with distrust. Especially when it is so likely to be misplaced.

Filed Under: apps, caucuses, data, election security, elections, iowa, voting, voting security

FBI Tells The Governor Of Florida About Election Hacking, But Says He Can't Tell Anyone Else

from the I-guess-democracy-thrives-in-silence dept

I thought this was America, but whatever. Secrecy in all things government, despite the (often misheld) presumption that our public servants will be open and honest about issues that affect us.

It’s no secret voting systems and databases are not secure. These are problems that date back 15 years, but have shown little improvement since. Election interference is just another tool in the nation-state hacking kit, and the US is far from immune from these attacks.

Federal agencies investigating election interference are at least speaking to officials in states affected by these efforts. But those officials are apparently not allowed to pass on this information to those affected the most: voters.

Gov. Ron DeSantis met with the FBI and the U.S. Department of Homeland Security last Friday to discuss the revelation in Robert Mueller’s report that “at least one” Florida county had its election information accessed by Russian hackers in 2016.

DeSantis told reporters Tuesday that he had been briefed on that breach — which he said actually happened in two counties in Florida — but that he couldn’t share which counties had been the target.

“I’m not allowed to name the counties. I signed a (non)disclosure agreement,” DeSantis said, emphasizing that he “would be willing to name it” but “they asked me to sign it so I’m going to respect their wishes.”

The FBI does love its non-disclosure agreements and gag orders. It uses these to keep service providers from talking about demands for user data and law enforcement agencies from talking about surveillance tech. It seems state officials shouldn’t have to sacrifice the public’s right to know for their right to know. This isn’t normal, and even Governor DeSantis seemed to recognize that.

DeSantis’ comments came during a surreal Capitol news conference during which he wouldn’t elaborate on the highly unusual situation of the federal government asking a governor to sign a nondisclosure agreement, especially in a case involving that governor’s own state.

DeSantis didn’t say much, thanks to this apparently voluntary gag order. He did say what was accessed was likely voter databases rather than vote tallying equipment. He also said the attack resulted from successful spearphishing targeting one of the vendors used by the unnamed Florida counties. The FBI sort of backed this up in a statement, saying none of the detected activity “impacted vote counts or disrupted electoral processes.”

Still, none of this makes it clear whether or not the counties themselves have been informed of the breach. Or the vendor. Or the voters in the county. The federal government says don’t talk about what you’ve learned, and the residents of the state are at the mercy of the man who thought the flow of information should stop with him.

But it’s not just Governor DeSantis and his willingness to sign an NDA. It’s the fact that the DHS and FBI demanded one be signed in the first place. This isn’t how a democracy should be run. If there are threats to election security, everyone needs to know, not just a few officials at the top of the food chain.

Filed Under: dhs, doj, election hacking, election interference, election security, elections, fbi, florida, hackers, nda, ron desantis, secrecy, transparency

Voting Device Manufacturer Encourages Users To Use (And Re-Use) Easily-Guessed Passwords

from the thanks-for-the-tips,-sparky dept

As Election Day 2K18 rolls on, the good news continues to roll in, he said in his most Professor Farnsworth voice. It’s never good news, not if we’re talking voting machine security. Kim Zetter, writing for Motherboard, has obtained a manual for devices made by Unisyn Voting Solutions, which provides horrendous security advice for users of its products.

There are federal guidelines for voting systems. The Election Assistance Commission (EAC) makes the following recommendations for passwords:

[E]lection officials are encouraged to change passwords after every election. Passwords should also have the following characteristics: they should be at least six characters, preferably eight, and include at least one uppercase letter, a lowercase letter, at least one number and a symbol. It also says, though, that passwords should be easy to remember so that employees won’t need to write them down, “yet sufficiently vague that they cannot be easily guessed.”

Unisyn has apparently decided minimal security efforts are badly in need of disruption. To begin with, the device manual suggests users should simply use variations of the default password the devices ship with. That password is the company’s name with a “1” appended to the end of it. This easily-guessed admin password should then be immediately replaced with… an easily-guessed password.

Once logged into the system the credentials needed to access the tabulation monitor or the system for creating reports of ballots and vote tallies are different. The username is again a simple word to log in. The password is the same word with “1” appended to it. Users are told that to change the password when prompted, they should simply change the number sequentially to 2, 3, 4, etc.

The Unisyn manual takes the EAC guidelines and throws them out. It then makes a minimal nod towards compliance before throwing everything out a second time. Remember the part about not writing down passwords? The sort of thing no one should do because it defeats the purpose of password security? Here’s Unisyn’s scorching hot take on EAC compliance:

“You will be periodically asked to change your password per EAC regulations,” [the manual] notes. But instead of providing customers with sound instructions for changing passwords—such as creating completely new passwords and not re-using them—the manual instructs them to simply alternate between a system administrator and a root password each time they are prompted to change the password. Space is provided below this instruction for election workers to write down which password they are using at any given time.

If there’s good news, it’s that these machines aren’t in use everywhere. Just 3,500+ jurisdictions in ten states. They’re also fairly insulated from online attacks, since they’re not supposed to be connected to the internet. This means attackers will most likely need physical access to the devices. Good thing these only get touched by non-election personnel every couple of years or so!
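To make the gap between the EAC guidance and the Unisyn manual concrete, here is an added Python checker. It is not code from Motherboard, Unisyn or the EAC; it applies the character-class rules quoted above and then runs the two checks the manual skips: is the password just the vendor default with a counter stuck on the end, and does the "new" password at rotation time actually differ from the old ones. The base word "unisyn", its casing, the symbol set, the counter range and the sample passwords are constructed assumptions.

```python
import re
import string

# Thresholds from the EAC guidance quoted on the page: at least six
# characters, preferably eight, with upper, lower, digit and symbol.
MIN_LEN = 6
PREFERRED_LEN = 8


def meets_eac_complexity(pw: str) -> bool:
    """Character-class check only: the part of the guidance a vendor manual can
    satisfy while still handing out a guessable password."""
    return (len(pw) >= MIN_LEN
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def default_variant_guesses(base: str, max_counter: int = 20):
    """Guess list an attacker who has read the manual would try first: the base
    word in a few capitalisations, a small counter appended, with or without a
    trailing symbol. Symbol set and counter range are assumptions."""
    forms = sorted({base.lower(), base.capitalize(), base.upper()})
    for form in forms:
        for n in range(max_counter + 1):
            for suffix in ("", "!", "#", "@"):
                yield f"{form}{n}{suffix}"


def derived_from_default(pw: str, base: str) -> bool:
    """True if pw is just the base word plus an optional counter and symbol."""
    pattern = r"^" + re.escape(base) + r"\d{0,3}[^\w\s]?$"
    return re.match(pattern, pw, re.IGNORECASE) is not None


def _stem(pw: str) -> str:
    """Strip trailing digits/symbols so Unisyn1!, Unisyn2 and unisyn3# collapse."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def acceptable_rotation(new_pw: str, history: list) -> bool:
    """Reject exact reuse (alternating between two passwords, as the manual
    suggests) and counter-only changes; both defeat periodic rotation."""
    if new_pw in history:
        return False
    return all(_stem(new_pw) != _stem(old) for old in history)


def assess(pw: str, base: str, history=()) -> dict:
    """Run every check and report where the password falls in the guess list."""
    guesses = list(default_variant_guesses(base))
    position = guesses.index(pw) + 1 if pw in guesses else None
    return {
        "complex_enough": meets_eac_complexity(pw),
        "preferred_length": len(pw) >= PREFERRED_LEN,
        "derived_from_default": derived_from_default(pw, base),
        "guessed_after": position,          # None means not in the default-variant list
        "rotation_ok": acceptable_rotation(pw, list(history)),
    }


if __name__ == "__main__":
    # Constructed sample inputs; "unisyn" stands in for the company-name
    # default described on the page (its exact casing is not given there).
    for candidate in ("unisyn1", "Unisyn1!", "Unisyn2!", "Tally-Room-Mild-Pen4"):
        print(candidate, assess(candidate, "unisyn", history=["Unisyn1!"]))
```

The point the run makes: "Unisyn1!" passes every character-class rule in the guidance and is still recovered inside the first hundred guesses of a list anyone with the manual could write, while "Unisyn2!" is rejected at rotation time because only the counter changed. A rotation policy that checks history and stems, not just complexity, is what the manual should have described.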

Filed Under: election security, passwords, voting, voting machines
Companies: unisyn voting solutions

Election Security Has Become A Partisan Issue As Senate Votes Down Funding

from the bad-ideas dept

It shouldn’t matter which party you belong to (or if you belong to no party at all): fixing our totally broken election security should be a priority. This is a topic we’ve written about on Techdirt for nearly 20 years. The broken system of electronic voting has always been a security disaster, and now with more direct attempts to influence elections happening, it should be even more of a priority. And yet, following the lead in the House, this week the Senate voted down an amendment from Senator Patrick Leahy providing more funding for election security.

The vote was almost exactly along partisan lines, with only one crossover (Senator Bob Corker was the only Republican who voted for the amendment). While there were some arguments made against the bill, they don’t make much sense:

Sen. Blunt said that states are responsible for running their elections, not the federal government, and that providing more funds would give the impression of federal overreach. Sen. Lankford said on the floor Wednesday, referencing the omnibus funds, “the $380 million amount is what was needed for the moment,” and indicated he didn’t want to fund states beyond that right now.

There can be reasonable questions in how this money is being spent, and what’s being done to actually secure elections, but the fact that this seems to be becoming a partisan issue should worry us all. And, I know some of you will be tempted to do this, but claiming that Republicans are against this because insecure technology helps them get elected is not a serious response. That’s not only cynical, but almost certainly incorrect.

However, at a time when Congress (including many of the Senators who voted against this) have been grandstanding about tech companies being used to influence elections, the fact that they would then not really care that much about our woefully undersecured voting infrastructure just seems ridiculous. For years, we’ve argued that when tech policy issues get partisan, they get stupid, and it would be a real shame for election security, of all topics, to become stupidly partisan.

Filed Under: election security, funding, partisanship, patrick leahy, senate

Georgia Governor Vetoes Terrible Cybersecurity Law That Would Have Criminalized Security Research

from the buried-swiftly-with-all-the-credit-it-deserved dept

Georgia legislators chose to deal with blowback from some election security gaffes (and the mysterious wiping of servers containing evidence sought in a lawsuit) by introducing a godawful “cybersecurity” bill that would have criminalized security research. The bill passed by the state Senate criminalized password sharing and “unauthorized” access, even if there was no malicious intent.

This legislation ran into opposition from everyone but its crafters.

With EFF’s support, Electronic Frontiers Georgia, a member of the Electronic Frontier Alliance, mobilized at every stage of the legislative process. They met with members of the state senate and house, “worked the rope” (a term for waiting outside the legislative chambers for lawmakers to emerge), held up literal “red cards” during hearings, and hosted a live stream panel. Nearly 200 Georgia residents emailed the governor demanding a veto, while 55 computer professionals from around the country submitted a joint letter of opposition. Professors organized at Georgia Tech to call upon the governor to veto the bill.

The mobilization worked. Governor Nathan Deal has vetoed the attempt to make security research illegal. His statement on the veto indicates Deal still feels some sort of law is needed to handle malicious hacking, but this badly-written bill isn’t it.

Under the proposed legislation, it would be a crime to intentionally access a computer or computer network with knowledge that such access is without authority. However, certain components of the legislation have led to concerns regarding national security implications and other potential ramifications. Consequently, while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so.

After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cyber security legislation.

Any discussion at all would be nice. Voter security can’t be fixed by placing security researchers and password sharers at risk of being fined or jailed. Nothing about this bill would have made anything in Georgia more secure. But it would have resulted in the exodus of security talent — the last thing the state needs if it wishes to become the “leader in cyber technology” its governor believes it can be.

Filed Under: cfaa, cybersecurity, election security, georgia, nathan deal, security research, veto