The Sorry State of Electronic Voting Machine Security

A lot of people from different backgrounds have expressed concerns about the integrity of electronic voting machines. It turns out that those concerns were entirely valid:

It’s no secret that it’s possible to hack voting systems. But how easy is it, really? Entirely too easy, if you ask researchers at this year’s DefCon. They’ve posted a report detailing how voting machines from numerous vendors held up at the security conference, and… it’s not good. Every device in DefCon’s “Voting Machine Hacking Village” was compromised in some way, whether it was by exploiting network vulnerabilities or simple physical access.

Multiple systems ran on ancient software (the Sequoia AVC Edge uses an operating system from 1989) with few if any checks to make sure they were running legitimate code. Meanwhile, unprotected USB ports and other physical vulnerabilities were a common sight — a conference hacker reckoned that it would take just 15 seconds of hands-on time to wreak havoc with a keyboard and a USB stick. And whether or not researchers had direct access, they didn’t need any familiarity with the voting systems to discover hacks within hours, if not “tens of minutes.”

Just put those voting machines in the cloud! Everything is magically fixed when it’s put in the cloud!

Anonymous ballots are notoriously difficult to secure but it’s obvious that the current crop of electronic voting machines was developed by companies that have no interest whatsoever in even attempting to address that problem. Many of the issues mentioned in the report are what I would call amateur hour mistakes. There is no reason why these machines should have any unprotected ports on them. Moreover, there is no reason why the software running on these machines isn’t up to date. And the machines should certainly be able to verify the code they’re running. If the electronic voting machine developers don’t understand how code signing works, they should contact Apple since the signature of every piece of code that runs on iOS is verified.

And therein lies the insult to injury. The types of security exploits used to compromise the sample voting machines weren’t new or novel. They were exploits that have been known about and addressed for years. A cynical person might believe that the companies making these voting machines are just trying to make a quick buck off of a government contract and not interested in delivering a quality product. A cynical man might even feel the need to point out that this type of behavior is common because the government seldom holds itself or contractors accountable.

The End of Everything Good and Holy

It seems like every generation is destined to disparage the next generation. This is nothing new. Even the elderly Romans complained about how an easy life had made their successors soft. In the most recent entry of the new generation sucking we have an article wondering if smartphones have destroyed a generation:

Around 2012, I noticed abrupt shifts in teen behaviors and emotional states. The gentle slopes of the line graphs became steep mountains and sheer cliffs, and many of the distinctive characteristics of the Millennial generation began to disappear. In all my analyses of generational data—some reaching back to the 1930s—I had never seen anything like it.
The allure of independence, so powerful to previous generations, holds less sway over today’s teens.

[…]

What happened in 2012 to cause such dramatic shifts in behavior? It was after the Great Recession, which officially lasted from 2007 to 2009 and had a starker effect on Millennials trying to find a place in a sputtering economy. But it was exactly the moment when the proportion of Americans who owned a smartphone surpassed 50 percent.

The more I pored over yearly surveys of teen attitudes and behaviors, and the more I talked with young people like Athena, the clearer it became that theirs is a generation shaped by the smartphone and by the concomitant rise of social media. I call them iGen. Born between 1995 and 2012, members of this generation are growing up with smartphones, have an Instagram account before they start high school, and do not remember a time before the internet. The Millennials grew up with the web as well, but it wasn’t ever-present in their lives, at hand at all times, day and night. iGen’s oldest members were early adolescents when the iPhone was introduced, in 2007, and high-school students when the iPad entered the scene, in 2010. A 2017 survey of more than 5,000 American teens found that three out of four owned an iPhone.

Do you know what destroyed a generation? The printing press! When books stopped being written by hand by monks in monasteries, they became cheaper and more readily available. This led to more people reading more frequently, which caused them to pay less attention to their social obligations.

That’s the same argument, except it would have taken place, and probably did, in the 1440s.

Just as every generation is destined to disparage the next generation, every technological advancement that makes its way into the hands of consumers is destined to be accused of destroying the next generation. Television, video games, and computers were all accused of destroying a generation in recent times. The first generations that grew up with those technologies turned out fine just as the new generation will end up turning out fine. Adoption of new technologies is always disruptive to a point but it seems like humanity has a knack for discovering, rather rapidly, the positive and negative aspects and adopting the former while discarding or working around the latter. As today’s teenagers develop they too will discover the positives and negatives of smartphones and adjust themselves accordingly. Then they’ll be at an age where they can disparage their successors and whatever new technology is being adopted by them at the time.

Put It in the Cloud, They Said. It’ll Be Fun, They Said.

Not only do you not own devices that are dependent on online services but those devices are also more vulnerable to unauthorized remote access. If your Internet-connected devices aren’t secure, they can be accessed by unauthorized third parties, which can make for an awkward time when said device is capable of playing audio:

That suave chat is a translation of what webcam owner and shocked F-bomb flinger Rilana Hamer, of the Netherlands, related in a 1 October Facebook post.

Hamer says that a month or two ago, she picked up a Wi-Fi enabled camera to keep an eye on the house. Most particularly, to keep an eye on her puppy, who has a penchant for turning everything upside down. She bought the device at Action—a local discount-chain store that mostly sells low-budget convenience utilities.

Hamer’s experience isn’t unusual. In fact, there’s a website dedicated to providing remote feeds to insecure video cameras. Internet of Things (IoT) manufacturers have a pretty dismal record when it comes to security and few have shown any notable effort to improve that record. While the ramifications of this lack of security awareness aren’t immediately obvious for many IoT devices, they are obvious when it comes to devices that allow unauthorized third-parties to interact with you.

What Happens When You Don’t Own Something

The cloud is good. The cloud is holy. The cloud is our savior. If you listen to the marketing departments of online service providers and Internet of Things manufacturers, you’d be led to believe that the cloud will soon cure cancer. While there can be advantages to moving services online there are also major disadvantages. The biggest disadvantage, in my opinion, is the fact that you don’t own anything that is dependent on an online service. People who bought the Canary security camera are learning this lesson the hard way:

Canary, a connected home security camera company, announced changes to its free service last week that went into effect on Tuesday. Under the new terms, non-paying users will no longer be able to freely access night mode on their cameras nor will they be able to record video for later viewing. Night mode is a feature that lets you set a schedule for your Canary camera to monitor your home while you sleep without sending notifications.

On top of that, all the videos the company previously recorded for free will be converted into 10-second clips called “video previews.” Essentially, important features are being taken away from users unless they’re willing to pay $9.99 a month.

People will likely blame this on greed but the real culprit is the lack of ownership. The Canary camera isn’t free but paying money to acquire one doesn’t mean you’re paying money to own it. In reality, you’re paying money for the privilege of paying a monthly fee to tie a camera to an online service. The terms of accessing that online service can change on a whim and, in this case, the change left people who decided not to pay the $9.99 per month fee with a paperweight that used to be a security camera (albeit a limited one).

The Internet of Things means never owning the devices you pay money for and if you don’t own it, you don’t control it.

NIST Publishes New Password Best Practices

g’70A32KsZQ8H2n0JkJ__rfy[JsFzJ(wN(y1,F’Ou1kH(TQcSyNYs”3CSXYPbXQm

That looks like a secure password, right? It is. However, there’s no way I could possibly type that in accurately or remember it. Passwords that cannot be typed or remembered aren’t a big deal for online services if you use a password manager. They are a big deal for passwords you have to type in, like the one to log into your computer. Unfortunately, conventional password wisdom has it that users should be required to have complex passwords instead of memorable passwords. The National Institute of Standards and Technology (NIST) recently published changes to its password best practices. Its changes reflect conventional wisdom when it comes to password security:

Among other things, they make three important suggestions when it comes to passwords:

  1. Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don’t help that much. It’s better to allow people to use pass phrases.
  2. Stop it with password expiration. That was an old idea for an old way we used computers. Today, don’t make people change their passwords unless there’s indication of compromise.
  3. Let people use password managers. This is how we deal with all the passwords we need.

The good news here isn’t so much that NIST published these recommendations but that system administrators are willing to follow NIST’s guidelines. None of the changes published by NIST are new; these practices have been advocated by security professionals for some time now. Unfortunately, many, if not most, system administrators have kept the old guidelines in place, which has led to users having to come up with passwords that are complex enough to satisfy password policy requirements but simple enough to remember for the several months that the password is valid. Hopefully NIST publishing these changes will convince those administrators of the errors of their ways.
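An added example (not from NIST or the quoted article) contrasting a composition-rule policy with a length-and-blocklist policy in the spirit of the three suggestions above. The 8-character minimum and the blocklist check come from NIST SP 800-63B rather than the summary quoted here; the sample passwords, the blocklist and the 90-day window are constructed for illustration.

```python
from datetime import date

# Constructed sample blocklist; a real verifier would load a large list of
# commonly used and previously breached passwords.
BLOCKLIST = {"password", "p@ssw0rd1", "qwerty123", "letmein"}
MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen passwords

# Constructed sample passwords.
SAMPLES = ["P@ssw0rd1", "correct horse battery staple", "Tr0ub4dor&3"]


def legacy_accepts(password: str) -> bool:
    """Composition rule: 8+ chars with upper, lower, digit and symbol."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def length_blocklist_accepts(password: str) -> bool:
    """No composition rules: any characters (spaces included) and long
    pass phrases or password-manager output are fine, as long as the
    password is long enough and not a known-common one."""
    return len(password) >= MIN_LENGTH and password.lower() not in BLOCKLIST


def must_change(last_changed, today, compromise_indicated, max_age_days=None):
    """Legacy policies pass max_age_days (e.g. 90); the revised policy leaves
    it as None so only an indication of compromise forces a change."""
    if compromise_indicated:
        return True
    if max_age_days is None:
        return False
    return (today - last_changed).days > max_age_days


def compare(passwords):
    """Map each password to (legacy verdict, length+blocklist verdict)."""
    return {pw: (legacy_accepts(pw), length_blocklist_accepts(pw))
            for pw in passwords}


if __name__ == "__main__":
    for pw, (old, new) in compare(SAMPLES).items():
        print(f"{pw!r:32} legacy={old!s:5} length+blocklist={new}")
    print(must_change(date(2017, 1, 1), date(2017, 6, 1), False, 90))
    print(must_change(date(2017, 1, 1), date(2017, 6, 1), False))
```

The composition rule accepts a blocklisted password that merely ticks every character class and rejects a long pass phrase, while the length-and-blocklist check does the opposite.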

Defense Distributed Enters the Handgun Market

Defense Distributed, Cody Wilson’s enterprise that proves the fallacy of gun control, released the Ghost Gunner, a computer numerically controlled (CNC) machine that specializes in milling AR-15 lower receivers, to the chagrin of gun control advocates. The Ghost Gunner made it simple for individuals with relatively little skill to manufacture an AR-15 lower receiver, the part of the gun that is serialized and therefore regulated. Now Defense Distributed has entered the handgun market:

Today, that scope widens: Wilson and Defense Distributed are now in the handgun business, too.

Defense Distributed will offer two of the most common handgun “80 percent” receivers—for Glocks and single-stack M1911s—for interested customers to complete using the Ghost Gunner. “What we’ve done for ARs we’re going to do for handguns now,” Wilson tells Ars. Defense Distributed’s store now carries new fixtures, frames, and tooling to create these two handguns, in addition to its previously offered AR-15 lower receivers and jig sets.

Building a firearm isn’t rocket science. Anybody with basic machining knowledge and competency in firearm design can do it. This fact has always made gun control a pipe dream. But as technology improves so does the ease of manufacturing. CNC machines reduced the machining knowledge necessary to manufacture a great many goods, which made controlling those goods even less feasible.

I’m sure gun control advocates will demand that the Ghost Gunner be prohibited but it’s nothing more than a specialized CNC machine and there is no way gun control advocates are going to get CNC machines banned. Likewise, CNC machines will continue to drop in price and increase in capabilities. In a few years it will be easy to pick up a general CNC machine that is as affordable as the Ghost Gunner and even more capable.

Gun control is effectively dead. Technology killed it just as it ultimately kills all restrictions.

Assume All Source Code is Open Source

Let’s pretend that you’re a fool and believe that security through obscurity works. Because of your foolish belief you sought closed source security software. Since potential adversaries can’t see the source code, they can’t find vulnerabilities in it to attack you with, right? Not so much. Just because software is closed source doesn’t mean nobody is allowed to see the source code. HP recently granted Russia permission to review the source code of one of its security software packages:

Last year, Hewlett Packard Enterprise (HPE) allowed a Russian defense agency to analyze the source code of a cybersecurity software used by the Pentagon, Reuters reports. The software, a product called ArcSight, is an important piece of cyber defense for the Army, Air Force and Navy and works by alerting users to suspicious activity — such as a high number of failed login attempts — that might be a sign of an ongoing cyber attack. The review of the software was done by a company called Echelon for Russia’s Federal Service for Technical and Export Control as HPE was seeking to sell the software in the country. While such reviews are common for outside companies looking to market these types of products in Russia, this one could have helped Russian officials find weaknesses in the software that could aid in attacks on US military cyber networks.

I don’t subscribe to the belief that open source software is inherently more secure (however, I do believe open source software offers several advantages over closed source software that are unrelated to security). I think the numerous critical vulnerabilities discovered in OpenSSL put that belief to bed. However, I also don’t believe that closed source software is inherently more secure. Just because a developer doesn’t share its source code with everybody doesn’t mean it doesn’t share its source code with third parties. In the case of HP, one of the third parties granted access to its source code was an adversary of one of its customers.

If you’re purchasing software from a third party, you have no control over who it shares its source code with. So if you believe in security through obscurity, closed source software won’t offer you any advantage, perceived or otherwise.

You Have Access to the Collective Knowledge of Humanity, Use It

If I had a dollar for every time somebody gave incorrect firearm legal advice, I’d be sitting on a mega yacht in the middle of the Atlantic Ocean drinking scotch that is older than I am.

People who have no knowledge about something talking about it authoritatively isn’t a new phenomenon, nor is it restricted solely to gun laws. However, it was far more excusable in the past because the people who did it didn’t have access to the collective knowledge of humanity at their fingertips. If you’re posting something to Facebook then you’re using the Internet. Since you’re using the Internet, you can quickly look things up. For example, if I search for “machine gun law” in Google, the very first link that appears is the Wikipedia article on the National Firearms Act. A brief reading of that article will debunk the claim that anybody can easily buy a machine gun, which is a claim that I’ve seen posted a lot since the attack in Las Vegas.

There is no excuse to not perform at least a basic amount of due diligence in this day and age. If you can post to Facebook, you can perform a search on Google to verify whether or not the claim you’re about to make is true or at least plausible. “But Chris,” I can hear somebody say, “why would I suspect that the thing I believe is false and needs to be verified?” Simple, if you didn’t come by that belief by doing your own search, you should suspect it of being false.

There’s already enough bad information being circulated. Rise above the masses, use your access to the collective knowledge of humanity and verify claims before you post them.

If You Had a Yahoo Account in 2013, It Was Compromised

Yahoo suffered one hell of a database breach in 2013. However, it was only recently that the scale of the breach has become known. As it turns out, every account that existed during the time of the breach was compromised:

Yahoo said a major security breach in 2013 compromised all three billion accounts the company maintained, a three-fold increase over the estimate it disclosed previously.

The revelation, contained in an updated page about the 2013 hack, is the result of new information and the forensic analysis of an unnamed security consultant. Previously, Yahoo officials said about one billion accounts were compromised. With Yahoo maintaining roughly three billion accounts at the time, the 2013 hack would be among the biggest ever reported.

“We recently obtained additional information and, after analyzing it with the assistance of outside forensic experts, we have identified additional user accounts that were affected,” Yahoo officials wrote in the update. “Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected.”

This should have been everybody’s assumption from the beginning. If an unauthorized individual had access to 1 billion accounts, it’s safe to say they had access to every account.

Rejoice for Mozilla is Trying Again

Some time ago I switched from Firefox to Chrome. While I far prefer Firefox in many regards, its performance had become so bad that I couldn’t realistically use the browser anymore (the entire browser would grind to a halt if, for example, I had Amazon open in a tab). At the time it seemed like Mozilla’s only mission was to copy as much of Chrome’s user interface as possible but not bother with the important parts that make Chrome desirable.

It seems like the people at Mozilla finally realized that their strategy wasn’t a winning one because they finally put Mozilla Quantum in beta. I’m happy to say that the beta version of Firefox is fast. Damned fast. While the shift to multiprocess in the current release of Firefox did help with performance, the changes made in Quantum have significantly boosted performance. On top of that, Mozilla has finally enabled U2F in Firefox’s nightly builds, which means we should see U2F support in the near future.

I’m glad to see that Mozilla is back in the game. While Chrome is a very good browser, I want to keep my Google footprint as small as possible because I don’t like its business model of surveilling users. I also don’t want to see a return to the dark days where one browser, at the time Internet Explorer, held an almost unshakeable monopoly.