1/ Saturday 🧵 on real-world security in voting machines.
Should voting machines be allowed to contain wifi hardware, later disabled in software?
At first glance, bad idea. Let's simply ban wifi hardware.
In practice, that would make machines less secure. Allow me to explain.
2/ Security is about threat models and tradeoffs. What this means in practice is more complex than it might seem. It means that "more security" on one specific aspect may lead to less security in the overall system.
3/ The threat model behind "no wifi" is that, with wifi turned on, attackers could remotely connect to the machine and do nefarious things. So what's the difference between software and hardware disabling of the wifi?
4/ If wifi can be enabled in software, then a modification at point of distribution could cause machines to turn on wifi... But wait, now we're assuming an attacker who controls the software distribution. If that attacker exists, we've got bigger problems than wifi!
5/ So maybe the threat is a retail modification of the software, say by a technician accessing a single machine. But if an evil technician has access to the machine long enough to install software, they could also surreptitiously add a USB wifi dongle.
6/ In other words, there's not much daylight between attackers that thwart software vs hardware wifi disable. I'm assuming, relatively safely I think, that when official software is installed, wifi is off and cannot be turned on remotely.
7/ Now, there is always the argument of defense in depth. Extra barriers, extra protection, can be helpful. There would be a modest win here from hardware wifi disabling. Absent any cost, it would be the right recommendation. So let's look at tradeoffs: what would be the cost?
8/ It turns out the cost would be large. To understand this, keep in mind that the voting machine market is pretty small. Maybe 100,000-150,000 machines a year.
That's why there's a movement towards using off-the-shelf hardware to leverage all the wins of large-scale production.
9/ Have you tried buying a computer without wifi recently? It's almost impossible.
So the cost of enforcing "no wifi hardware" would be, without exaggeration, equivalent to banning off-the-shelf hardware.
10/ But wait, we also want trusted boot, encrypted drives, etc. Are we going to build these on custom boards?
If we fail to leverage existing large production processes, we'll have to reinvent the wheel for every major security feature, at tiny scale of voting machine market.
11/ I haven't yet broached the fact that voting machines today are so expensive that counties keep them for 10 or 15 years. Do you know anything that's still secure 15 years later?
We need machines upgraded much more often. Cheaper machines. We can't do it without off-the-shelf.
12/ So we should absolutely require that voting machines disable wifi in a strong manner. Maybe no wifi drivers installed. Maybe a privileged setting that cannot be accessed in normal use.
But if we ban wifi *hardware*, we end up with voting tech more expensive and less secure.
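Added example (not from the thread): a POSIX shell audit that checks a Linux-based machine for the "disabled in software" posture described in 12/: no wifi driver bound to an interface, no wifi stack modules loaded, and modprobe configured to refuse them. It assumes the standard Linux sysfs/procfs/modprobe.d layout; the ROOT argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a Linux-based machine for the
# "wifi disabled in software" posture. Paths follow the Linux sysfs/procfs
# layout; the ROOT argument lets the checks run against a constructed tree.

# Count network interfaces that expose a wireless/ directory, i.e. a wifi
# driver is bound to real hardware. Prints the count on stdout.
count_wireless_ifaces() {
    root="${1:-}"
    n=0
    for iface in "$root"/sys/class/net/*; do
        [ -d "$iface/wireless" ] && n=$((n + 1))
    done
    echo "$n"
}

# Report whether the generic wifi stack (cfg80211/mac80211) is loaded
# according to /proc/modules. Prints 0 if neither is loaded, 1 otherwise.
wifi_modules_loaded() {
    root="${1:-}"
    mods="$root/proc/modules"
    [ -r "$mods" ] || { echo 0; return; }
    if grep -Eq '^(cfg80211|mac80211) ' "$mods"; then echo 1; else echo 0; fi
}

# Report whether modprobe is configured to refuse the wifi stack
# ("install <mod> /bin/false" or /bin/true), so a later privileged
# toggle cannot simply load it. Prints 1 if both modules are pinned.
wifi_modules_blacklisted() {
    root="${1:-}"
    for mod in cfg80211 mac80211; do
        grep -Eqs "^install[[:space:]]+$mod[[:space:]]+/bin/(false|true)" \
            "$root"/etc/modprobe.d/*.conf || { echo 0; return; }
    done
    echo 1
}

# Overall verdict: exit 0 when the posture holds, 1 when something is off.
audit_wifi_posture() {
    root="${1:-}"
    [ "$(count_wireless_ifaces "$root")" -eq 0 ] || return 1
    [ "$(wifi_modules_loaded "$root")" -eq 0 ] || return 1
    [ "$(wifi_modules_blacklisted "$root")" -eq 1 ] || return 1
    return 0
}
```

Run with no argument on a live host (`audit_wifi_posture`), or pass a root directory to audit an offline image mounted elsewhere.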
13/ This issue is being fought right now in the standard-setting process led by @EACgov. I don't agree with all the aspects of the new standard, but on this point EAC got it right: disabling wifi in software is good enough.
14/ Some folks who are arguing for hardware disabling are not doing so in good faith: they want to remove all tech from voting, and this is their poison pill.
Never mind that many millions of voters need accessible voting that should be secured with good tested tech.
15/ Most of the folks arguing for hardware wifi disabling *are* doing so in good faith. I just think they may not be seeing the trade-off. It's not as clear a tradeoff if you're not actually building voting equipment.
16/ Nevertheless, our field of voting tech must mature. Security is about tradeoffs. We must move beyond the too-simple arguments that pile on requirements w/o care for resulting complexity.
1/ Thinking about the impact of the new strain (B117). Read this thread. It is significantly more transmissible than the previous strain, which means the measures we're used to can reduce classic infections, but they're *not yet good enough* in Denmark to stop growth.
2/ Most states have recount procedures that trigger below a certain margin of victory. Sometimes automatic, sometimes it has to be requested by a candidate. In Georgia, the threshold is 0.5% & a recount needs to be requested by a candidate after certification. Wait, what's certification?
3/ Certification is the real result. When TV networks call an election, that carries no legal weight, it's just the media predicting the outcome. They're usually right, with some notable exceptions. Certification is when the state, having triple checked, declares their winner.
1/ The @voting_works team has been working around the clock for the last week to support the State of Georgia in running their first state-wide risk-limiting audit, which turned into a full hand-count.
1/ I spent a bit of time looking at the Canada COVID Alert app this evening. Bottom line: this app is pretty much the model for how to do this kind of tech.
2/ It's super clear about what data it collects and doesn't, and about how it works. This is not easy stuff to convey.
3/ It's such a caring and lovely flow. Here it is letting you know it's about to ask for that single permission it needs – to access the Google/Apple API.
1/ In light of the voting question that will never die -- "if I can do X online, why can't I vote online" -- I'm reminded that most people don't have a good intuition for what makes things secure. So let's explore.
Security online depends predominantly on logging and auditing.
2/ This probably sounds weird and surprising, but hear me out. And there are exceptions that I'll get to. But truly, security depends predominantly on logging and auditing.
3/ Consider the Twitter hack from earlier this week. We found out about it because the attackers tweeted a Bitcoin scam visible to everyone. Twitter is, by definition, a public audit log. Those messages looked odd. We all saw them. That's why we all knew: Twitter was hacked.
1/ A little story. When I was 18yo, summer 1995, I had the immense luck of working as an intern at Hearst Publishing in NYC. I was a rising sophomore, the web was just taking off, and that internship taught me so much; it dramatically kickstarted my career.
2/ The group VP was a guy who dressed like a banker and led the effort to create the first dynamic web site for Hearst. His office was on the 5th floor, topmost floor of the Hearst building at the time, 57th and 8th (there's now a huge tower at that address).
3/ About every other day, he wanted a demo, so he would call me up to his office from the dungeon basement where the small engineering team worked.