Mobile voting vendor Voatz is trumpeting a test lab's report saying that its service meets the latest federal standards.

Experts say the report is meaningless, since those standards are hopelessly outdated and Voatz helped decide what/how to test.

subscriber.politicopro.com/article/2020/0…
The test lab, Pro V&V, used VVSG 1.1, which @EACgov approved in 2015. Experts call the security reqs in 1.1 laughably anemic. (VVSG 2 is in the works.)

@jhalderm said the report “illustrates why VVSG 1.1 certification is inadequate to establish the security of a voting system.”
.@mspecter, who co-wrote a report exposing serious vulns in Voatz's system, told me that Pro V&V's report "says little-to-nothing."

For one thing, it doesn't even address flaws that MIT & @trailofbits identified in their reports.

internetpolicy.mit.edu/wp-content/upl…
blog.trailofbits.com/2020/03/13/our…
.@nealmcb, who helped draft the security requirements in the pending VVSG 2.0, blasted Pro V&V for mashing up vendor-recommended tests and "selected VVSG requirements" to produce a report that "flies in the face of evidence from just a few months ago."
Specter made another good point: Even a test regimen that uses a modern VVSG with robust security requirements won't identify every problem.

“A system can meet all of the requirements of the VVSG and still be massively insecure.”
Pro V&V is one of only two EAC-accredited voting system test labs.

McBurnett told me that the EAC should “demand retractions from both Pro V&V and Voatz” and change the testing process.

None of the parties here — Voatz, Pro V&V, or the EAC — responded to requests for comment.
A harsh statement here on Pro V&V from the CEO of Trail of Bits, which like MIT produced a report revealing many vulnerabilities in Voatz's system.
Received a reply from Jack Cobb of Pro V&V.

He said his lab performed the test that it was contracted to perform but noted that an internet voting system "does not meet the full requirements called out in the VVSG nor can it."

VVSG 2.0 specifically says IV is out of scope.
"As a test laboratory, we design and execute test[s] and report our findings," Cobb told me. "Our report I feel clearly states the requirements we tested to and our results."
Cobb said that how companies choose to describe his lab's test reports "is out of my control as long as it is factual."

"I usually don’t like when they make implications or stretch the truth," he said, "but it is out of my hands as long as it is accurate."
This is how Voatz's CEO described Pro V&V's report in a statement: "We are pleased with Pro V&V’s conclusions that Voatz operates exactly as it’s designed to operate." blog.voatz.com/?p=1491
New: @EACgov rebukes Voatz for implying that its internet voting system meets the full VVSG requirements.

"[S]ecurity requirements" for internet voting "are not defined in a way that would allow for assurance that these types of systems are safe for use in U.S. elections."
@EACgov Voatz commissioned an audit from one of the two EAC-accredited voting system test labs.

The EAC points out that those labs can conduct whatever tests they want, and the results "should not be viewed as implicit approval" by the EAC that the system is safe or meets all VVSG reqs.
Keep Current with Eric Geller
