The RISKS Digest
Volume 31 Issue 75

Tuesday, 28th April 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

States Expand Internet Voting Experiments Amid Pandemic, Raising Security Fears
Miles Parks via PGN
Attackers exploit 0-day code-execution flaw in the Sophos firewall
Ars Technica
Windows virus files on a Mac lead to weeks of problems
Rex Sanders
After prolonged service outage, Petnet shuts down, citing coronavirus
Ars Technica
Re: Spam filter censoring COVID content
John R. Levine
Re: How NASA does software testing and QA
Martin Ward
Re: Google's auto-complete for speech can cover up glitches in video
Martin Ward
Info on RISKS (comp.risks)

States Expand Internet Voting Experiments Amid Pandemic, Raising Security Fears (Miles Parks)

“Peter G. Neumann” <neumann@csl.sri.com>
Tue, 28 Apr 2020 10:20:31 PDT

[Adapted for readability in RISKS. Interspersed screenshots are omitted. Please see the original URL for the full story online, or listen to the three-minute Morning Edition clip. This topic has long been at the forefront in RISKS. I am grateful to Miles Parks for a superb treatment of the pros and cons. The November election will certainly be a relevant topic here. PGN]

Coronavirus Drives States To Pilot Internet Voting

*Voters with disabilities, as well as those who serve in the military and live overseas could cast ballots via their phone or home computer even as security experts warn the technology can't be trusted.*

https://www.npr.org/2020/04/28/844581667/states-expand-internet-voting-experiments-amid-pandemic-raising-security-fears

Miles Parks, Heard on Morning Edition, NPR, 28 Apr 2020, 5:00 AM ET <https://www.npr.org/programs/morning-edition/2020/04/28/846887293/morning-edition-for-april-28-2020>

Election officials nationwide are preparing for what may be the highest election turnout in modern history in the middle of a pandemic. In response, several states will be turning to a relatively new and untested form of Internet-based voting to aid the voters who may have the most trouble getting to the polls.

In the latest demonstration of the technology, Delaware will allow voters with disabilities to return their ballots electronically in its primary election next month, becoming the second U.S. state to do so. The decision comes despite grave warnings from the cybersecurity community that the technology doesn't offer sufficient safeguards to protect the integrity of an election.

NPR is the first to report the development, which has yet to be announced publicly. Both the state, and the Seattle-based company administering the technology, Democracy Live, confirmed the decision, although they dispute the term “Internet voting” for the cloud-based system.

Earlier this year, West Virginia passed a bill to allow the use of the technology for disabled voters, after becoming the first state to allow overseas and military voters to use an app to vote in the 2018 midterms. Delaware will also allow overseas and military voters to use the technology. <https://www.wvpublic.org/post/bill-allow-electronic-voting-west-virginians-disabilities-passes-legislature#stream/0> <https://www.npr.org/2019/11/07/776403310/in-2020-some-americans-will-vote-on-their-phones-is-that-the-future>

A third state, New Jersey, is considering making the technology available for voters with disabilities and overseas voters, according to an election official with knowledge of the state's plans. A state elections spokesperson did not respond to a request for comment.

The developments are sure to worry election security advocates. Until the pandemic struck, their efforts were focused on cybersecurity following the 2016 election, when Russian operatives successfully hacked election networks in multiple states. Since then, many states have increased their security protocols and generally moved away from all-electronic voting systems back towards paper ballots. <https://www.npr.org/2019/05/16/723996207/possible-more-counties-than-now-known-were-hacked-in-2016-fla-delegation-says>

Those in favor of Democracy Live's system argue that it is a paper-based system, because when a voter elects to electronically submit their ballot, an election official must print it out before it's counted.

But most security experts scoff at that concept because the ballot is transmitted via the Internet before it reaches the stage where it's printed, leaving it potentially vulnerable to cyber-manipulation.

“In the computer security business, we worry about worst-case scenarios, and the downside risk of the Democracy Live model is really bad,” said Doug Jones, a computer science professor, and election security expert at the University of Iowa. “If the voter is marking the ballot using a device, it's an online ballot-marking system, and if the physical ballot is not printed by the voter, it's online voting.”

Still, there are signs that the general public may be becoming more open to the idea. A survey this month by TargetSmart, a data analytics firm that works with Democrats, found that a plurality of voters support Internet voting as a response to the coronavirus crisis. <https://insights.targetsmart.com/covid-19-and-elections-findings-from-a-national-poll-of-american-voters.html>

But advocates of Internet voting technology are clear that they don't see it stopping with relatively small slices of the electorate such as overseas voters and voters with disabilities, or being restricted to times of crisis. They see it as the future of voting.

“You know, eventually we can't hold back the tide. We're going to get there,” said Bryan Finney, the CEO and founder of Democracy Live. “Next generation voters are going to demand next generation voting technologies.”

Who Paper Leaves Behind

The pandemic took hold in the U.S. in the middle of primary season during a presidential election year. Officials around the country are scrambling with how to make sure the democratic process doesn't become a casualty.

Many voters are concerned about the potential health risks of casting ballots in-person. During Wisconsin's recent controversial primary, voters wearing masks stood in long lines to cast ballots, sometimes relying on DIY safety measures crafted by election officials. State health officials say at least 36 voters and poll workers have subsequently tested positive for COVID-19. <https://www.politico.com/news/2020/04/27/wisconsin-tested-positive-coronavirus-election-211495>

In response, many jurisdictions and states are looking for alternatives to in-person voting.

While ballots cast by mail are viewed by many as highly accessible, they leave some people behind, says Eric Bridges, the executive director of the American Council of the Blind.

Bridges authored a letter to congressional leaders earlier this month pushing for online voting, which was signed by more than 70 national, state, and local disability advocacy groups. <https://www.prnewswire.com/news-releases/congress-must-protect-the-voting-rights-of-people-with-disabilities-301039474.html>

“To complete a paper ballot one is required to, at the least, read standard text, physically write and/or fill in the ballot choices, seal and certify the ballot via a signature on the envelope, and mail the ballot back to the appropriate voting official to be counted,” Bridges wrote. “Each of these steps may act as a barrier to voting for voters who are blind and disabled.”

The Democracy Live system that will be used this summer allows voters with disabilities to access and mark their ballots on their own accessible devices, meaning voters can fill them out without help and send them in using whatever technology suits their specific physical needs.

Typically, voters with these sorts of needs have had to travel to a polling place to use an accessible voting machine, but the pandemic may make that difficult this year.

Bridges doesn't think politicians have purposefully or maliciously failed to take the needs of voters with disabilities into consideration by expanding mail-in voting.

“It doesn't make it any less frustrating or angering to be completely honest,” Bridges said. “It's just sort of like we weren't even considered; there wasn't even a debate that took place where we could serve and volley.”

When asked about security concerns with the technology, he said that's not his job, that's the role of security firms and the government.

“We want access,” Bridges said. “It's not really up to the American Council of the Blind to ensure that these systems are secure.”

'Risk appetite'

Returning ballots electronically is still in a pilot phase, with the states taking it one election at a time. But Finney said he expects at least five states to offer his company's ballot return technology to voters with disabilities in November's general election.

It's a major development to expand the use of such systems beyond just military and overseas voters, since many of those voters already vote by what are considered insecure methods like email and fax. Disabled voters in many instances will be choosing to electronically transmit their ballot instead of using a completely paper system. <https://www.ncsl.org/research/elections-and-campaigns/internet-voting.aspx>

The Democracy Live ballot return system stores a voter's ballot and then allows an election official to access and print it.

Finney, however, doesn't prefer the term “online voting.”

“It's a loaded term… Really what this is, is a secure portal. If anything, it's a document storage application,” Finney said. “When people think of online voting, they're thinking it's all being tabulated online.”

But a number of cybersecurity experts disputed that characterization when presented with it by NPR.

“Sorry, but what a load of bull****,” said Joe Kiniry, a principal scientist at Galois, the company contracted by the federal government to develop a secure and open source voting machine. <https://www.vice.com/en_us/article/yw84q7/darpa-is-building-a-dollar10-million-open-source-secure-voting-system>

The phrase online voting encompasses any voting system where “voter choices are transmitted over a wide area network,” Kiniry said, and has nothing to do with how those ballots are counted. “Online voting is not a loaded term. It has a very simple definition that has been widely agreed upon in the research community for about 40 years.”

Cities, counties and states are largely free to use whatever voting technology they want because elections are run at the local level with very limited federal oversight.

In the case of online voting, there's also very little financial risk. Tusk Philanthropies, a nonprofit funded by multimillionaire Bradley Tusk, is funding many of the pilots with an aim at expanding Internet voting and increasing turnout in U.S. elections.

Tusk told NPR earlier this year that he hopes to fund as many as 50 mobile voting pilots in the coming five years.

“Everyone who doesn't want this to happen is never going to say, 'We oppose mobile voting because we don't want higher turnout,'” Tusk said in January. “They're going to say, 'It's not safe.' And if we have proven 30, 40, 50 times over that it is safe, it's a lot harder for those objections and arguments to fly.”

Election security experts say that rigorous independent auditing is needed in order to reassure the public the results are legitimate. That's lacking in the case of Democracy Live, says Sen. Ron Wyden, D-Ore., who has opposed online voting for many years.

Wyden does believe voters with disabilities should have access to software that allows them to mark their own ballot using their own accessible machine, but he thinks those ballots should then be mailed in, not returned electronically.

“It is simply irresponsible to allow online voting, when leading experts have warned specifically that this technology is dangerous and before a system has passed an audit by independent experts,” Wyden said in a statement to NPR. “So far none of these products has passed that test. It is far too risky to gamble the Constitutional rights of voters with disabilities on unproven tech.”

West Virginia dropped its previous online voting vendor after a number of independent investigators cited security issues with its system. <https://www.nbcnews.com/tech/tech-news/west-virginia-backtracks-using-smartphone-voting-app-state-primary-n1145571> <https://blog.trailofbits.com/2020/03/13/our-full-report-on-the-voatz-mobile-voting-platform/> <http://news.mit.edu/2020/voting-voatz-app-hack-issues-0213>

Overall, the amount of voters using some form of Internet ballot return in 2020 is still expected to be minuscule; Finney expects less than 10,000 voters nationwide. And he says he doesn't think the systems should be used more widely until there have been more pilots.

But many election officials say they shouldn't be used at all. One state election director who requested anonymity in order to speak candidly called the technology “the third rail” of voting systems because they ignite such controversy.

Similarly, Washington Secretary of State Kim Wyman gives two reasons for why she has pushed back for 20 years against various efforts to expand Internet voting.

“The Internet is not secure, and we know this more today than I did 20 years ago,” Wyman says.

The second problem has less to do with technology, but is tougher to solve, she says: convincing voters in a close election that the results are legitimate when they don't understand the underlying technology.

Ahead of a highly polarized presidential election, Wyman says it's not the time to introduce new technology.

“We can't put our election at risk to technology we cannot guarantee is secure, and right now, in 2020, we cannot guarantee that any electronic transmission of a ballot is secure,” Wyman said. “While it seems like electronic voting would really solve a lot of problems, it would create far more mistrust than I think we have the risk appetite for.”


Attackers exploit 0-day code-execution flaw in the Sophos firewall (Ars Technica)

Monty Solomon <monty@roscom.com>
Tue, 28 Apr 2020 08:00:08 -0400

Yep, in-the-wild SQL injection exploits in 2020 are still a thing.

https://arstechnica.com/information-technology/2020/04/sophos-firewall-0day-allowing-remote-code-execution-comes-under-attack/


Windows virus files on a Mac lead to weeks of problems

“Rex Sanders” <rex.sanders@usa.net>
Mon, 27 Apr 2020 21:32:14 -0700

At work several years ago, a few email attachments containing very old Windows viruses slipped through our scanners to land on my Mac. Weeks later, enterprise Mac antivirus software reported this "emergency" and within minutes the IT cops confiscated my laptop. Much argument back and forth ensued on how to disinfect this machine. I finally convinced them to remove the offending files and rescan for malware so I could get back to work.

If life were only that simple.

IT support reasonably insisted on scanning my external Apple Time Machine backup drive, too. TM uses file-system links to make one copy of a static file appear in multiple timeline views—"YOU ARE IN A MAZE OF TWISTY LITTLE PASSAGES, ALL ALIKE." The not-Mac-savvy AV software didn't know that, so proceeded to scan every long-lived file many dozens of times, once for each link. The projected completion time was measured in months. We agreed to wipe that disk and rely on less-frequent network backups if needed.

Except the AV software had another bug. Every time that Mac plugged back into the network, the program would report the exact same but now removed virus "infection" again. IT cops return, lather, rinse, repeat. Which triggered another rule—after three tries at disinfection they wipe your machine and restore from backups. In my case this would also restore the virus attachments, which I pointed out repeatedly to no avail. I'm now approaching two weeks without a computer or access to my files.

So I called in some very high-level favors, which triggered a 12-way conference call spanning four time zones. Someone on the call suggested removing and re-installing the AV software on that Mac. Bingo—no more false positive reports. Within 24 hours I got my laptop back, mostly intact.

The risks here are numerous and mostly obvious. Buggy Mac AV software and inflexible IT policies are at the top of my list.


After prolonged service outage, Petnet shuts down, citing coronavirus (Ars Technica)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 28 Apr 2020 11:41:46 -0600

[Follow-up to RISKS-29.65, old item]

Kate Cox, 27 Apr 2020

The COVID-19 crisis may just be the last nail in the coffin for the company.

https://arstechnica.com/information-technology/2020/04/after-prolonged-service-outage-petnet-shuts-down-citing-coronavirus/

Excerpt:

Cloud-connected, "smart" automated pet-feeder system Petnet has had a rough spring. The service not only went offline in February, but all its customer service vanished, too, leaving users in the dark until the company apologized and pushed a patch more than a week later. The service briefly returned for some users but fell off again in March. Now, after weeks of silence, the company is blaming COVID-19 for driving it offline for good—even though its problems started weeks or months before the novel coronavirus became a significant concern.

Several Petnet customers began reaching out to Ars during the second and third weeks of April to report that, once again, not only were their feeders not working, but also they couldn't reach anyone at Petnet about it. Everyone's feeders didn't go offline at the same time but seemed to fail in slow sequence over the period between 26 Mar and 13 Apr.

The company emailed its customers on 26 Mar, blaming the novel coronavirus for outages and delays.

On 14 Apr, Petnet posted another Tweet saying, "We are still experiencing SmartFeeder connection downtime due to an ongoing service disruption that is currently being investigated." As of 27 Apr, that remains the company's last tweet.

[Tweet to eat? Did their service include automated bird-seed feeders? PGN]


Re: Spam filter censoring COVID content (Baker, RISKS-31.74)

“John R. Levine” <johnl@iecc.com>
27 Apr 2020 22:22:38 -0400

> I wasn't kidding when I said censorship is in operation here […]

Oh, please, this is like a time warp from the 1990s. Spam filtering is hard, and these days it's not optional because there's an order of magnitude more spam than real mail and people's mailboxes would be unusable without it. We are not thrilled that filters make mistakes but a single mistake is not a life altering experience.

In your case, you're sending mail from Earthlink, which is not exactly a hotbed of sophisticated Internet users, so I can't blame other mail systems for viewing purported COVID warnings from Earthlink with some scepticism.


Re: How NASA does software testing and QA (Functionize)

Martin Ward <martin@gkc.org.uk>
Tue, 28 Apr 2020 10:05:17 +0100

A couple of quotes from the article that I found depressing:

> Crumbley recommends the CMMI Institute's Capability Maturity Model Integration (CMMI) as a good process model.

CMMI defined five "maturity levels" starting at level 1: "Processes unpredictable, poorly controlled and reactive."

So to say that you use "CMMI" just means you have decided which maturity level your process is currently defined as. You could be level 1 and happy with it!

Crumbley does not say what level NASA's software development department has currently reached, or what level they are aiming at nor what steps they are taking to reach the desired level. Instead he says:

> We use the CMMI model as a tool to see how our software development practices compare with other industries

"Other industries" have woefully inadequate software development practices: as exemplified in every issue of comp.risks! Comparing yourself with them just gives a false sense of security. NASA's software requirements are so much more stringent than the vast majority of other industries: in other industries, if the software more-or-less works, only needs rebooting occasionally and only has a few zero-day exploits per week, then the software is considered to be a success. He does not even mention formal methods.


Re: Google's auto-complete for speech can cover up glitches in video

Martin Ward <martin@gkc.org.uk>
Tue, 28 Apr 2020 12:23:19 +0100

The downside is that instead of asking someone to repeat something because of a dropout, you have to analyse everything and try and guess if they really said it, or it was just the AI guessing: "Did you really suggest injecting disinfectant as a coronavirus treatment, or did the AI make it up?"

The upside is that you can abuse your boss out loud and blame it on the Google bot.
