Voatz-watch: Mobile voting in West Virginia

Jragon · August 9, 2018, 2:22am

For the midterm elections, West Virginia is testing out a new mobile voting platform called Voatz. This is unwise, especially amidst serious concerns, founded or not, about voting integrity and hacking among the US populace (Russian interference etc). To anybody who works even tangentially with software development or cybersecurity it already was a bad idea, but an EU cybersecurity specialist looked into it and it’s even more of a trainwreck than expected.

Twitter thread:
https://twitter.com/GossiTheDog/status/1026603800365330432

Of specific note, while in a lot of cases slightly outdated security technology is not always a big deal, voting software is going to be necessarily subjected to more scrutiny. By his poking around for maybe a day, he found numerous out of date technologies and certificates. As well as numerous rookie security mistakes (default database admin usernames on standard ports, things like that).

They also hired a Russian national a while back who worked on the project, though they claim he’s not with them anymore and didn’t touch the voting aspect. Still, in the political climate it’s not a good look, even if he’s a good person, and voting confidence is as important as actual security. Even a perfectly secure system can cause problems if there’s sufficient doubt and uncertainty about its security.

They also appear to have lied or misrepresented their security audits, and of note haven’t done any actual penetration testing (hiring external testers to break into your system). https://twitter.com/GossiTheDog/status/1027080513922760704

I’ve also heard tell that this platform has been tested in the PA primaries at some point, and they had to stop using it in the middle of the primary and switch to paper ballots because it didn’t work under load, and primaries are much less demanding than real elections. I don’t have a cite for that one though, just scuttlebutt.

Finally, it uses some dodgy blockchain buzzword stuff that isn’t adequately tested or trusted enough to really be deployed in an election setting.

XKCD is on point with this one: xkcd: Voting Software

My point here isn’t that mobile voting should never be a thing, but that especially with so much tension around our electoral stability and the general importance of this midterm, this is not the time to be deploying untested technologies, especially not one with so many red flags. There are a lot of security experts working on academic papers on related topics, but it’s not in a state where we should be testing this. There are plenty of ways to ensure minorities and others get to vote such as pure vote-by-mail, auto-registration on receiving a state ID, and voting day paid holidays that we have no reason to be turning to something so untrusted and untested.

This thread is mainly for watching how this develops over the next months, unless there turns out to be significant disagreement about Voatz being good, because I’m somewhat curious.

blindboyard · August 9, 2018, 8:09am

Jragon:

Of specific note, while in a lot of cases slightly outdated security technology is not always a big deal, voting software is going to be necessarily subjected to more scrutiny. By his poking around for maybe a day, he found numerous out of date technologies and certificates. As well as numerous rookie security mistakes (default database admin usernames on standard ports, things like that).

They also hired a Russian national a while back who worked on the project, though they claim he’s not with them anymore and didn’t touch the voting aspect. Still, in the political climate it’s not a good look, even if he’s a good person, and voting confidence is as important as actual security. Even a perfectly secure system can cause problems if there’s sufficient doubt and uncertainty about its security.

Voting software is not, in fact, subjected to more scrutiny. Quite the opposite. The people behind it aren’t big tech companies or anything, and all of their technology is proprietary. They do get hacked on a regular basis, because of their poor security practices, but that gets a few headlines then gets forgotten. Default passwords, frequently simples ones like 12345, and normally hardcoded so they can’t be changed, are standard in the industry.

Hiring a Russian national isn’t a big deal. Crowdstrike, the firm that investigated the DNC hack on behalf of the Democratic party, is owned and run by a Russian national. Plenty of Russian nationals are against Putin, and plenty of the others aren’t secretly working for the KGB.

America’s biggest voting machine company is Dominion Voting Systems. They are run out of a small office in Toronto’s Chinatown. They are privately owned, by someone we in the public can’t identify. They took over such earlier voting companies as Premier Voting Solutions, formerly Diebold Election Systems, and Sequioa Voting Systems, formerly Shouptronic, Automatic Voting Machines, and so on. Both companies have long histories of scandals. Diebold being suspected of manipulating results in Ohio in 2004 after promising to deliver the state for Bush. Sequoia, back in the days when it was Automatic Voting Machines, had their CEO sent to prison for bribing election officials. Then there next owner went to prison for bribing a supreme court judge. As recently as the year 2000 they were being convicted of paying ten million in bribe money to election officials. So Voatz isn’t really a change, it’s just moving organised vote crime into the smartphone era.

Jragon · August 9, 2018, 9:48am

Perhaps I should have said “the standards are going to be set higher than normal among those who are knowledgeable and care about computer security and the electoral process.”