Speaking at the Infosec Forum

2009-01-20T22:08:00.001-08:00

I'll be speaking at the Northeast Ohio Information Security Forum once again tomorrow night, this will be a condensed version of my talk from the Northeast Ohio Information Security Summit, "Hacking Without Tools: Windows". In this I'll be covering a variety of handy Windows CLI commands which should work on most any modern Windows Installation. As always, you can find the slides here.

Is Your Vote Safe?

2008-04-07T22:03:00.000-07:00

At Notacon this weekend there was among a great lineup of talks, one on our electronic voting machines. They covered the legion of well-known vulnerabilities in one particular vendor's systems which range from what appears to be poor software engineering(something epidemic in the entire software industry really) to the comically weak physical security(all machines share the same master key, which has been successfully duplicated based on photos the vendor published on their own public website!).

The vulnerabilities in these machines have begun to come out with alarming frequency, and while the speakers had an interesting solution(leverage the Trusted Computing Module available on many commodity PCs today), it makes me ask a different question: do we actually need electronic voting machines at all?

The problem these machines were originally meant to solve was inaccurate voting results and disenfranchised voters. I've yet to hear of an example where the introduction of electronic voting machines has improved either in any significant way. In fact, I see many ways in which these electronic systems disenfranchise voters more. Forget all of the potential for one bad guy to influence the election results in these systems(disturbingly easy). Think of the elderly voter who's never used a computer and has absolutely no idea how to use an electronic voting machine. Think of the majority of Americans who are not computer scientists and have no better idea how the voting machines work than they do their own PCs.

Voting does not need to be quick, it needs to be transparent. Pen and paper may not be the most efficient way to vote, and it may take longer to count, but its a system which every single voter can understand. It's also one where its much more difficult to rig an election. With electronic systems it could be a single engineer at the manufacturing facility who decides to leave his own surprise in the system. This is not a far-fetched idea: it's happened before with the gambling industry's electronic poker machines, and that's an industry which is unfortunately much more tightly regulated than our voting systems. With paper votes, one has to bribe a large number of poll workers to successfully rig an election. Certainly not impossible...but a lot more work than gaming an electronic system.

I like shiny new technology as much as the next guy. But complexity is the bane of a secure system. When it comes to my vote, I'd like to be sure that it counts...a system with essentially two simple parts(pen and paper) is far easier to secure and audit than any electronic system on the market today.

blog.chrisclymer.com

Speaking at the Infosec Forum

Is Your Vote Safe?