Today, the NYT covered research by @mspecter, @jimmykoppel, and @djweitzner into the security of Voatz, a mobile app that's been used for online voting in US elections:

nytimes.com/2020/02/13/us/…

This found serious issues, but they're just some of the many problems with @Voatz. 1/
The researchers here reported these issues to @CISAgov, rather than @Voatz directly, out of concern for potential retaliation.

Their fear is well justified. In October, Voatz reported a student at U of Michigan to authorities for analyzing their app: 2/

magazine.cointelegraph.com/2020/02/07/saf…
@CISAgov @Voatz And in response to the researchers' work today, rather than acknowledging any of the issues in the paper, @Voatz accuses them of acting in bad faith, with the goal of sowing discord in elections:

blog.voatz.com/?p=1209
@CISAgov @Voatz To appear transparent, @Voatz makes a big deal about having a public bug bounty.

But the bounty doesn't allow the public to examine their backend, or the live production app. This dramatically limits public review of Voatz' infrastructure.

4/
Worse, at the time @Voatz reported the U of M student, the scope was ambiguous and easily could have led a casual reader to believe the production app was in scope.

But instead of extending any benefit of the doubt, Voatz reported the student and changed their scope text: 5/
@Voatz This is the total opposite of how anyone involved in elections should deal with researchers.

Even given a scope, people will still accidentally tread outside the lines. Election officials and voting companies need to work collaboratively with researchers to be successful. 6/
Recently, @CISAgov posted a draft directive that would require that federal agencies receive reports of vulns in their live systems from the general public:

cyber.dhs.gov/bod/20-01/

It's a genuinely great directive, and accurately captures modern norms in vuln disclosure. 7/
One of the key sentences in @CISAgov's guidance is that federal agencies should be "more concerned with receiving and fixing vulnerabilities than in enforcing strict compliance with the letter of the policy."

This is right, and what we should be bringing to election systems. 8/
But this is clearly not @Voatz' perspective.

Given how they handled the U of M student, how they responded to the MIT research today, their discomfort with basic transparency, and their reliance on security-through-obscurity -- Voatz should not be trusted to run US elections.
The researchers behind yesterday's disclosure of security issues with @Voatz published a solid FAQ today on their work and why they reported it the way they did:

internetpolicy.mit.edu/faq-on-the-sec…
In the meantime, @Voatz posted a transcript of a press call in which they claim that a ballot privacy flaw isn't important because it's not realistic for anyone to intercept internet traffic to the US from overseas.

Just to be clear: that is super wrong.

blog.voatz.com/?p=1243
CNN covered yesterday's security research on @Voatz, and Voatz' (generally misleading) statements since.

I'm also quoted, noting that Voatz' public bounty doesn't allow the public to research their back-end server the way Voatz claims:

cnn.com/2020/02/14/pol…
I also emphasized to CNN that vuln disclosure by the public has overall gotten better: @Voatz's reaction is more unusual today.

"Security through obscurity" can be tempting, but real security means not being afraid to let the public verify your work.

cnn.com/2020/02/14/pol…

"The tension between Voatz and independent security experts is not surprising, Mill said. But he added that the trend in the industry in recent years has tended toward greater disclosure and openness, not less -- making Voatz's reaction to the report stand out. It also highlights a common misperception that greater secrecy leads to stronger security, he said."
In a reversal, citing cybersecurity concerns, West Virginia will not use Voatz for its primary election after all.

They'll use Democracy Live instead, where ballots can be marked on- or offline, then printed and mailed:

nbcnews.com/news/amp/ncna1…
This is a clear win for West Virginia voters and for the security community, whose trust Voatz very deservedly lost.

In the piece, West Virginia's elections general counsel indicates they'll be looking to the security community later this year to judge how far Voatz has come:
It could be quite tough for @Voatz to regain that trust.

Two weeks ago, Voatz responded to valid security issues by inaccurately dismissing their impact, and publicly accusing the researchers of wanting to deliberately disrupt elections.

blog.voatz.com/?p=1209
This week, @Voatz updated their vulnerability disclosure policy.

But instead of offering an olive branch, they hand-wave at being "critical infrastructure" to falsely imply they have no discretion in reporting researchers who examine their live systems:

hackerone.com/voatz/policy_v…
Given how @Voatz is responding to all this, I'd say they have a long, long way to go to rebuild trust with the security community.

In the meantime, if you find a bug in Voatz' systems, I encourage you to report it right to CISA, since reporting it to Voatz directly is unsafe.
And today, @Voatz no longer has a public bug bounty on HackerOne: hackerone.com/voatz

There's no public indication of why, but it's good that it's closed. Given how Voatz treated security researchers, H1 was hosting a space that was unsafe for the public to engage with.