J. Alex Halderman
Professor of Computer Science and Engineering at @UMich. Security and privacy, election security, and Internet freedom. Co-founded @LetsEncrypt.
Jun 23, 2023 5 tweets 2 min read
Finally something that Voatz and serious researchers can agree on!
(This looks to me like a botched website redesign, rather than a hack, but still, lol. If Voatz is careless enough to flip its core talking points, why should anyone trust them with their votes?)
Jun 14, 2023 13 tweets 5 min read
Today, the Federal District Court for the Northern District of Georgia unsealed a 96-page report that I wrote w/ Prof. @_aaspring_ from @AuburnU. It describes serious vulnerabilities we found in Georgia's Dominion ImageCast X ballot marking devices.

storage.courtlistener.com/recap/gov.usco…

I encourage you to read the whole report, and I've also written a blog post that provides important context for understanding the findings and their implications for election security and public policy:
freedom-to-tinker.com/2023/06/14/sec…
Oct 14, 2022 22 tweets 7 min read
1/ Colleagues and I have found a serious privacy flaw that affects Dominion ICP and ICE ballot scanners. We've already informed Dominion, CISA, EAC, and state officials, and we've created a site to help officials and the public understand the issue:

DVSorder.org

2/ We call the flaw DVSorder. It's a privacy vulnerability, so it *cannot* directly modify results or change votes. However, under some circumstances, it could allow members of the public to identify other people's ballots and learn how they voted.
Nov 7, 2020 11 tweets 3 min read
1/ There's been lots of speculation about why Antrim County, MI initially reported incorrect results on Wed. The results have since been corrected, but people are naturally wondering what happened. Here's the likely technical explanation and my assessment.

2/ First, see @MichSOS's new statement about the issue:
michigan.gov/documents/sos/…
It was human error, isn't a sign of anything malicious, and couldn't impact the official results in any way. But what exactly happened?
Jun 8, 2020 23 tweets 6 min read
1/ In a new research paper today, @MSpecter and I perform the first public, independent analysis of the security and privacy risks of Democracy Live's OmniBallot online voting platform.

Full paper:
internetpolicy.mit.edu/omniballot

Advice for voters:
internetpolicy.mit.edu/omniballot-adv…

2/ OmniBallot is a web-based platform that can be used in three ways:
1) Voters can download blank ballots to print, hand mark, and mail in.
2) Voters can mark ballots online and return them by mail, email, or fax.
3) In some states, voters can cast votes entirely online.
Mar 13, 2020 12 tweets 4 min read
1/ Remember Voatz, the “blockchain”-based Internet voting app that doesn’t really use blockchain to send votes? There's an excellent new security analysis by @trailofbits that confirms the issues recently reported by MIT researchers and finds *way* more problems.

2/ Notably, this time @Voatz commissioned the analysis itself, as @rachelegoodman1 and I recently advocated slate.com/technology/202….

It's the first public system-wide security assessment. Election officials should demand this kind of testing before considering such a system.
Feb 13, 2020 11 tweets 12 min read
Today, @mspecter, @jimmykoppel, and @djweitzner released a detailed security analysis of Voatz, a blockchain-based Internet voting app that's used in West Virginia and other states. Their findings are devastating, bit.ly/VoatzPaper. But Voatz has even more problems! 1/

@mspecter @jimmykoppel @djweitzner The paper finds that the Voatz API server, if hacked, can change votes entirely. The authors say the app doesn't actually use a blockchain or an E2E-V protocol to secure app-server vote transmission, but essentially just a regular HTTPS connection to voatzapi.nimsim.com. 2/