Alex Halderman has clarified his earlier remarks about the integrity of the Wisconsin election. In a nutshell: voting machine security sucks; hackers played an unprecedented role in this election; and there are statistical discrepancies between the votes recorded on software-based touchscreen machines and the votes cast on paper ballots counted by optical scanners, so why the hell wouldn't we check into this?
The local government of the District of Columbia has been conducting a pilot project to test an internet-based voting system that would give overseas and military voters a way to download and submit absentee ballots online. Here's a PDF of the system architecture.
The Secure Elections Act is a bipartisan Senate bill with six co-sponsors that reads like a security researcher's wish-list for voting machine reforms. Specifically, it reads like Matt Blaze's wish-list, hewing closely to the excellent recommendations laid out in his testimony to the House of Representatives' Committee on Oversight and Government Reform (Subcommittee on Information Technology and Subcommittee on Intergovernmental Affairs) hearing on cybersecurity, in which he recounted his experiences as a security researcher and as a founder of Defcon's Vote Hacking Village.
An anonymously leaked Top Secret NSA report on Russian state hackers interfering with the US elections has been published by The Intercept, which had the documents independently analyzed by a who's-who of America's leading security experts.
A group of security researchers from academe and industry (including perennial Boing Boing favorite J Alex Halderman) has published an important paper documenting the prevalence and problems of firewalls that intercept and break open secure (HTTPS) web sessions in order to scan their contents for undesirable and malicious content.
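One way a web server can tell that a browser's HTTPS session is being broken open by such a firewall, shown here as an added example that is not code from the original post or from the paper it describes: a genuine browser's TLS ClientHello offers a characteristic cipher-suite list, so a ClientHello that does not match the browser named in the HTTP User-Agent header was built by something else in the path, and that something frequently offers weaker ciphers than the browser itself would. The User-Agent string, the per-browser suite list and the sample ClientHello bytes below are all constructed for illustration; the cipher-suite IDs are real IANA values.

```python
"""Server-side detection of TLS interception from a User-Agent / ClientHello mismatch.

Added example; the browser name, its expected suite list and the sample
handshakes are constructed, the cipher-suite IDs are real IANA values.
"""
import struct

# Real IANA cipher-suite identifiers.
TLS_AES_128_GCM_SHA256 = 0x1301
TLS_AES_256_GCM_SHA384 = 0x1302
TLS_CHACHA20_POLY1305_SHA256 = 0x1303
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003

# Suites no modern browser offers; seeing them means the client is not the browser.
WEAK_SUITES = {TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA,
               TLS_RSA_EXPORT_WITH_RC4_40_MD5}

# Constructed fingerprint: the exact suite order the (hypothetical) browser sends.
# Real deployments measure one of these per browser version.
KNOWN_BROWSER_SUITES = {
    "ExampleBrowser/1.0": (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
                           TLS_CHACHA20_POLY1305_SHA256,
                           TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),
}


def build_client_hello(cipher_suites):
    """Build a minimal TLS ClientHello record (no extensions). Only used here to
    construct sample traffic; a real server reads these bytes off the socket."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random (zeros), empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites   # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                               # one compression method: null
    body += b"\x00\x00"                               # empty extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the list of cipher suites offered in a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip client_version and random
    pos += 1 + body[pos]                              # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]


def classify(user_agent, record):
    """Return (verdict, weak_suites_offered). verdict is 'genuine', 'intercepted'
    (handshake does not match the claimed browser) or 'unknown' (no fingerprint)."""
    offered = parse_client_hello(record)
    weak = sorted(set(offered) & WEAK_SUITES)
    expected = KNOWN_BROWSER_SUITES.get(user_agent)
    if expected is None:
        return "unknown", weak
    return ("genuine" if tuple(offered) == expected else "intercepted"), weak


if __name__ == "__main__":
    ua = "ExampleBrowser/1.0"
    direct = build_client_hello(KNOWN_BROWSER_SUITES[ua])
    # Constructed: what a content-scanning firewall re-opening the session might send
    # to the server while forwarding the browser's User-Agent unchanged.
    via_firewall = build_client_hello((TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                       TLS_RSA_WITH_AES_128_CBC_SHA,
                                       TLS_RSA_WITH_3DES_EDE_CBC_SHA,
                                       TLS_RSA_WITH_RC4_128_SHA))
    print("direct:      ", classify(ua, direct))
    print("via firewall:", classify(ua, via_firewall))
```

The verdict alone is only a heuristic (a browser update changes the fingerprint until the table is refreshed), but the second value is the security point: the firewall's handshake is not merely different, it offers RC4 and 3DES that the browser would never propose, so the "secure" session the user sees is weaker than the one they think they have.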
University of Michigan prof J Alex Halderman (previously) is one of America's top experts on voting machine security (see this, for example), and he's issued a joint statement with voting-rights attorney John Bonifaz to the Clinton campaign, advising them to ask for a recount of the Wisconsin votes.
Researchers from the University of Michigan EE/Computer Science Department (previously) presented their work on hacking traffic signals at this year's Usenix Security Symposium (previously), and guess what? It's shockingly easy to pwn the traffic control system.
Ever since Congress told the nation's voting authorities to get their act together with the 2002 Help America Vote Act, passed in the wake of Bush v Gore, tech companies have been flogging touchscreen voting machines to willing buyers across the country, while a cadre of computer scientists trained in Ed Felten's lab at Princeton have shown again and again and again and again that these machines are absolutely unfit for purpose, trivial to hack, and a danger to the US election system.
Well, obviously, we need to get Congress to start imposing adult supervision on the NSA, but until that happens, there are some relatively simple steps you can take to protect yourself.
There have long been rumors, leaks, and statements about the NSA "breaking" crypto that is widely believed to be unbreakable, and over the years there has been mounting evidence that in many cases they can do just that. Now Alex Halderman and Nadia Heninger, along with a dozen eminent cryptographers, have presented a paper at the ACM Conference on Computer and Communications Security (where it won the best-paper award) that advances a plausible theory as to what's going on.
The Logjam bug allows attackers to break secure connections by tricking the browser and server into communicating using weak crypto. But why do browsers and servers support weak crypto in the first place?
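A scaled-down version of the Logjam downgrade, added here as an example and not taken from the post or from the researchers' code: the client offers only a normal DHE suite, a man-in-the-middle rewrites the offer to an export-grade suite, the server dutifully signs a set of tiny Diffie-Hellman parameters, and because the signature covers the parameters but not the negotiated cipher suite, the client cannot tell the difference unless it checks the group size itself. The suite names, the groups (a 17-bit prime standing in for the real 512-bit export group, a 61-bit one for a normal group), the HMAC standing in for the server's RSA signature and the baby-step/giant-step solver standing in for the paper's number-field-sieve precomputation are all constructed stand-ins; `client_min_bits` models the fix browsers adopted after Logjam, refusing small groups outright.

```python
"""Toy Logjam: downgrade to an export-grade Diffie-Hellman group, then finish the
handshake as the attacker. Constructed stand-ins throughout (see comments)."""
import hashlib
import hmac
import math
import secrets

DHE_STRONG = "DHE_RSA_AES128"   # hypothetical label for a normal DHE suite
DHE_EXPORT = "DHE_RSA_EXPORT"   # hypothetical label for an export-grade DHE suite

# Constructed groups (p, g). Both are far too small for real use; the 17-bit
# prime stands in for the real 512-bit export group, the 61-bit one for a
# normal group the attacker's budget cannot reach.
GROUPS = {
    DHE_STRONG: (2**61 - 1, 3),
    DHE_EXPORT: (65_537, 3),
}

# Stand-in for the server's RSA private key. As in real TLS, the signature on
# ServerKeyExchange binds the nonces and the DH parameters but NOT the
# negotiated cipher suite, which is exactly what Logjam exploits.
_SERVER_KEY = b"constructed server signing key"


def _sign(client_random, server_random, p, g, B):
    msg = b"|".join([client_random, server_random,
                     str(p).encode(), str(g).encode(), str(B).encode()])
    return hmac.new(_SERVER_KEY, msg, hashlib.sha256).digest()


def server_respond(offered_suites, client_random):
    """Pick the first offered suite the server supports; return ServerKeyExchange."""
    for suite in offered_suites:
        if suite in GROUPS:
            p, g = GROUPS[suite]
            b = secrets.randbelow(p - 2) + 1
            B = pow(g, b, p)
            server_random = secrets.token_bytes(32)
            return {"suite": suite, "p": p, "g": g, "B": B, "server_random": server_random,
                    "sig": _sign(client_random, server_random, p, g, B)}
    raise ValueError("no common cipher suite")


def dlog_bsgs(g, h, p, max_steps):
    """Solve g**x == h (mod p) by baby-step giant-step, or return None when
    sqrt(p) exceeds the attacker's step budget."""
    m = math.isqrt(p) + 1
    if m > max_steps:
        return None
    table = {}
    cur = 1
    for j in range(m):              # baby steps: remember g**j
        table.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)            # g**(-m)
    gamma = h
    for i in range(m):              # giant steps: h * g**(-i*m)
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * step % p
    return None


def finished_mac(shared_secret, transcript):
    """Stand-in for the TLS Finished MAC keyed from the shared secret."""
    key = hashlib.sha256(str(shared_secret).encode()).digest()
    return hmac.new(key, transcript, hashlib.sha256).hexdigest()


def run_handshake(mitm, client_min_bits=0, attacker_budget=100_000):
    """One toy handshake. The client offers only the strong suite; with mitm=True
    an attacker rewrites the ClientHello to the export suite and rewrites the
    ServerHello back so the client still sees the suite it asked for.
    client_min_bits is the defence: refuse DH groups below that size."""
    client_random = secrets.token_bytes(32)
    offered = [DHE_EXPORT] if mitm else [DHE_STRONG]
    ske = server_respond(offered, client_random)
    p, g, B = ske["p"], ske["g"], ske["B"]
    result = {"suite_seen": DHE_STRONG if mitm else ske["suite"], "suite_used": ske["suite"],
              "group_bits": p.bit_length(), "client_accepted": False, "attacker_has_secret": False}

    # Client: the signature is genuine, so only an explicit size check catches this.
    expected = _sign(client_random, ske["server_random"], p, g, B)
    if not hmac.compare_digest(ske["sig"], expected) or p.bit_length() < client_min_bits:
        return result
    result["client_accepted"] = True
    a = secrets.randbelow(p - 2) + 1
    A = pow(g, a, p)
    client_secret = pow(B, a, p)
    transcript = client_random + ske["server_random"] + str(A).encode()

    # Attacker: recover the server's exponent from B, derive the same secret,
    # and forge the Finished MAC so neither side notices the altered handshake.
    if mitm:
        b_rec = dlog_bsgs(g, B, p, attacker_budget)
        if b_rec is not None:
            attacker_secret = pow(A, b_rec, p)
            result["attacker_has_secret"] = (
                finished_mac(attacker_secret, transcript) == finished_mac(client_secret, transcript))
    return result


if __name__ == "__main__":
    print("no MITM:                   ", run_handshake(mitm=False))
    print("MITM, lax client:          ", run_handshake(mitm=True))
    print("MITM, client_min_bits=1024:", run_handshake(mitm=True, client_min_bits=1024))
```

Two things carry over to the real attack. First, the attacker must finish the discrete log before the handshake times out, which is why the paper's precomputation against a handful of widely shared 512-bit groups matters: the per-connection work becomes small once the expensive part is done. Second, the only robust client-side defence is the size check, since the signature really is valid; the server-side fix is to stop offering export suites and to use groups of at least 2048 bits (the toy "strong" group here is, of course, itself far below that).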
Remember when the TSA spent $113K on Rapiscan pornoscanners that turned out not to work? Now they're selling them off for $8,000.
Researchers from UC San Diego, the University of Michigan, and Johns Hopkins will present their work on the Rapiscan Secure 1000 at Usenix Security tomorrow; the Secure 1000 isn't used in airports anymore, but it's still in courts, jails, and government security checkpoints (the researchers haven't yet been able to get their hands on the millimeter-wave machines now used at airports).
J. Alex Halderman and his colleagues have unveiled Telex, a "state-level response to state-level censorship." It's a network of censorship-busting major ISPs that provide infrastructure-level, hard-to-detect proxying that allows people in repressive regimes to get access to sites blocked by their national firewalls.
Oldsma sez, "DC election officials put a test version of their voting system up in a mock primary and invited white hat attacks. U. Michigan broke it completely within 36 hours. DC officials reply, in a nutshell, 'Well, that's why we asked people to test it.'"
Hari Prasad is one of the winners of this year's Electronic Frontier Foundation Pioneer Awards; in Prasad's case, the prize was awarded based on his excellent work dissecting the (deeply flawed) electronic voting machines used in India's elections. Prasad was imprisoned by Indian authorities for pointing out the many vulnerabilities he and his colleagues discovered.
Over at the Submitterator, lbigbadbob points us to this video of a Sequoia AVC Edge touch-screen DRE voting machine hacked to, er, play Pac-Man. This was done without breaking any of the tamper-evident seals. Nice work, J. Alex Halderman, University of Michigan, and Ariel J.
J. Alex Halderman writes, "About four months ago, Ed Felten blogged about a research paper in which Hari Prasad, Rop Gonggrijp, and I detailed serious security flaws in India's electronic voting machines. Indian election authorities have repeatedly claimed that the machines are 'tamperproof,' but we demonstrated important vulnerabilities by studying a machine provided by an anonymous source.
E-voting security researcher J Alex Halderman writes,
India, the world's largest democracy, votes entirely on paperless electronic voting machines. There are an incredible 1.4 million machines in use. Authorities claim they are "tamperproof", "infallible", and "perfect," but they've prevented anyone from doing an independent security analysis by denying access on secrecy and intellectual property grounds.
Green Dam, the mandatory censorware that will be installed on all Chinese PCs as of July 1, is remarkably insecure. J Alex Halderman from Freedom to Tinker and his colleagues Scott Wolchok and Randy Yao have released a paper, based on a mere 12 hours of testing, detailing attacks that can be used to "steal private data, send spam, or enlist the computer in a botnet" and "install malicious code during the update process."