FutureCampaigns

Saturday, July 21, 2007

E-Mail Security Flap in Nevada Governor's Office

This is classic... According to Declan McCullagh of the Politech mailing list & CNET News, someone in the Nevada governor's office (I'll only assume accidentally) posted the passwords to the Governor's official email list and Outlook account on the gubernatorial web site, via an MS Word document that instructed aides on how to send out weekly email updates.

The current Governor, Jim Gibbons, a Republican, must not have much in terms of tech-savvy staff since (this is my favorite part) the password on the account was 'kennyc', the name of the former Republican governor, Kenny C. Guinn. (Note: the old password was weak, let alone the fact that it's how old?)

The full story details the instructional document and a few additional related facts. As Declan notes, it's possible that there's a firewall or some sort of security above and beyond the password "protection" in their system, so had someone attempted to use that password from the outside to hack in, it may not have worked... we can only assume they've changed it by now having heard about this post. Still, this is one of the most embarrassing political computer security stories I've ever heard.

Originally posted at sairy.com, the personal blog of FutureCampaigns founder, Sarah Granger.


Sunday, June 10, 2007

BigFix Presidential Campaign Winning Online

According to an article in the San Francisco Chronicle, BigFix, an Emeryville-based IT Security & Compliance Provider, is running a faux viral presidential campaign online to gain traffic and interest in the site. It's working... their pretend candidate, Ray Hopewood, is on Flickr, MySpace, and everywhere in-between. Check out his web site. It's pretty good.


Tuesday, November 14, 2006

A Preview of New Congress's Tech Policy Agenda

Here is what Cameron Wilson, the USACM Public Policy Director says about what the new Democratic-led Congress will be doing with respect to technology policy. He focuses on six big areas that have been in focus by recent administrations: innovation, offshoring, privacy, copyright, e-voting, and Internet regulation.

Here's what's not on that list. First, biometrics and national IDs. Even with conservatives in the minority, this probably won't go away. It's scary because those things don't actually give us greater security although we might think they will. But my guess is this will continue to be something that's discussed in the name of security. As to Homeland security, I think Democrats will step it up a notch as they're able. (I think a Democratic president or Giuliani or McCain would also do this after '08 though.) I also think that the Dems will put a stop to all of this wiretapping and over-the-top surveillance that's borderline unconstitutional.

As to the six main categories, I can only hope the VVPAT bill goes national so we can make sure that when (not if) e-voting machines fail we have some way of verifying the votes cast. In the globalization arena, yes - we must deal with these visa issues. All of the talk about immigration problems is always about illegals but what about the workers who are skilled who come to this country to take jobs and then can't get them because of visa problems on our end? That's just silly. And yes, education's a factor here - we need to be training more skilled tech workers here, but that's another issue. As to IP, I can only hope the DMCA is reduced to rubble but that may be a pipe dream since so many in Hollywood are tied to the Democratic party.


Friday, November 3, 2006

No More Rocking The Vote, Just FIX It!

Gene Spafford, computer security expert and co-chair of the U.S. Association for Computing Machinery Public Policy Committee, forwarded this article to USACM members (of which I'm one). It pinpoints a company, FixAVote.com, that supposedly offers "election outcome solutions". If you look closely at the site, it is really tough to tell if it's serious or a joke. Take a look - you'll see what I mean.

Avi Rubin and Ed Felten, two other USACM members known for their research on the security of electronic voting machines (see my post, Fixing E-Voting, from a few weeks ago) were interviewed for the Computer World article. Zogby recapped TechDirt's post on the site as well. For those knowledgeable about the issue and the security behind it, it was fairly clear it was a hoax, but it was done so deadpan that a little doubt was left.

Bruce Schneier, another computer security (crypto, for those of you who don't know) expert, confirmed on his site a few days ago that it is a hoax, but everyone I've seen writing about it agrees that it was very well done. It's one of those sites with boring corporate model photo clips (people just a little bit too beautiful, so that tipped me off that the site wasn't for real) and generic consultantspeak that makes you really confused about what they can actually do for you, but the best part is where they name the specific electronic voting machine makers, like Diebold, who they supposedly work with. Great joke.


Sunday, October 1, 2006

Fixing E-Voting

Thursday, two esteemed colleagues from the USACM Public Policy Committee, Barbara Simons and Ed Felten, two experts on computers and voting machines, testified in a Congressional hearing on electronic voting. More specifically, they stressed that we need a voter verifiable paper audit trail (VVPAT) or a voter verified paper ballot (VVPB) for these machines. This isn't anything new; unfortunately, it just takes this long for Congress to start listening to this type of concern when it's already been a serious problem for a few years.

Two weeks ago, Dr. Felten and his staff at Princeton released a report based on a study they conducted on the Diebold AccuVote-TS, a Direct Recording Electronic (DRE) device, that proved that this particular machine could be hacked in under a minute with "little if any risk of detection."

So yes, when the Diebold people (a company run by active, known Republicans) told Bush they would "deliver Ohio", they could have meant they would make sure he won there. Felten noted that "injecting a virus into a single computerized voting machine can affect an entire election." In other words, the people who were out there on the fringe saying Bush stole two elections could be right. (I'm not saying they are; I'm only saying it's now been scientifically and technically proven that it was a possibility.)

Here's a simple scenario on how it would work (so easy a dog could be trained to do it):

1) E-Voting machine is delivered to polling place and/or poll worker the week of the election.
2) Machines are initially tested to make sure they work. Someone is given one physical key. Then they leave.
3) Any time over the next few days, that person or another person (most likely a poll worker - they are unsupervised but would have easiest access) with the same key (there are only a few versions for over ten thousand machines, like hotel minibars) comes in and unlocks the back of one machine.
4) That person inserts a memory card and the card automatically uploads a virus. The person (or dog) then removes the card, locks the machine and leaves. Boom - done. Election won. The whole process takes under one minute.
5) The machine is given its pre-election test the day before or day of the election with no detection of the virus.
6) As the votes are processed, the virus changes them.
7) The virus then deletes itself in order to remove the evidence that it was there. The program is simple enough to write that even I could do it (and that's saying something).

So in order to prevent this sort of thing from happening (again?), here is what needs to be done in order to create machines and processes that are truly secure and can provide a system that we can be reasonably sure produces accurate results:

- Collaboration of technical and election communities
- Increased use of independent technical security experts
- Further research to improve the voting systems
- More accessibility to companies designing these products
- More secure physical and crypto keys
- More robust hardware and software design
- Rigorous testing by third party experts
- Removed/reduced and/or encrypted access for random memory cards
- Stricter certification process
- Deployed with safeguards against failure
- Heightened security training and processes for poll workers
- Routine random manual audits
- Policies and procedures that guarantee the integrity of the paper and the quality of the printers used for printed paper trails
- Mandatory manual recounts
- Increased accountability

This may still seem like a complex problem and it is, but the best way to circumvent continued issues is with a verifiable paper trail, regardless of the system used. That's all we can hope for with one month until election day.
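As an added illustration of the "routine random manual audits" item above (example code written for this page, not taken from the original post or any real election system): a randomly chosen sample of machines has its paper records hand-counted and compared with the electronic totals. Machine IDs, candidate names, counts and function names are all constructed for the example.

```python
import random
from collections import Counter

# Constructed sample data: machine IDs, candidates and counts are made up.
# ELECTRONIC holds each machine's reported totals, PAPER the voter-verified
# paper records retained from the same machine.
ELECTRONIC = {
    "M01": {"A": 120, "B": 95},
    "M02": {"A": 88, "B": 101},
    "M03": {"A": 140, "B": 60},
    "M04": {"A": 75, "B": 77},
}
PAPER = {
    "M01": ["A"] * 120 + ["B"] * 95,
    "M02": ["A"] * 88 + ["B"] * 101,
    # Same number of ballots as reported (200), different split: a check on
    # ballot totals alone would pass, a hand count per candidate does not.
    "M03": ["A"] * 110 + ["B"] * 90,
    "M04": ["A"] * 75 + ["B"] * 77,
}

def select_machines(machine_ids, sample_size, seed):
    """Choose machines to audit from a seed fixed only after totals are reported."""
    ids = sorted(machine_ids)
    rng = random.Random(seed)
    return sorted(rng.sample(ids, min(sample_size, len(ids))))

def audit_machine(machine_id, electronic, paper):
    """Return {candidate: reported - hand_count} for every mismatch."""
    if machine_id not in paper:
        return {"paper_trail": "missing"}  # no paper records is itself a finding
    hand = Counter(paper[machine_id])
    reported = electronic[machine_id]
    return {c: reported.get(c, 0) - hand.get(c, 0)
            for c in sorted(set(hand) | set(reported))
            if reported.get(c, 0) != hand.get(c, 0)}

def run_audit(electronic, paper, sample_size, seed):
    """Audit a random sample and return only the machines with discrepancies."""
    findings = {}
    for machine_id in select_machines(electronic, sample_size, seed):
        diffs = audit_machine(machine_id, electronic, paper)
        if diffs:
            findings[machine_id] = diffs
    return findings

if __name__ == "__main__":
    print(run_audit(ELECTRONIC, PAPER, sample_size=2, seed=12345))
    print(run_audit(ELECTRONIC, PAPER, sample_size=4, seed=12345))
```

A sample of two machines can miss the altered one, which is why the sample size and a publicly generated seed matter as much as the comparison itself.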

See also: RFK Jr's article in Rolling Stone.
