ELECTION SECURITY GETS THE DOCUMENTARY TREATMENT— HBO on March 26 debuts an election security documentary, “KIll Chain: The Cyber War on America’s Elections,” from the same team behind the 2006 Emmy-nominated doc “Hacking Democracy.” It revisits some of the previous film’s characters, namely the protagonist Harri Hursti, the Finnish election security expert who co-founded the DEF CON Voting Village.
For readers of this space, many of the lessons and events of “Kill Chain” will be familiar, if no less alarming: the VR Systems hack, the myth that voting machines aren’t connected to the internet, the Senate’s inability to enact election security legislation. But the storytelling is still engaging: Hursti is a more compelling figure than your MC host knew; for example, getting local press for his computer skills at age 13 and helping the Finnish government on a mysterious project he wouldn’t discuss.
Some were less familiar, and in places, the documentary appears to provide previously unrevealed information. In an interview, an Indian hacker going by CyberZeist talks about breaking into an Alaskan website where he could have changed the vote (but didn’t because he was afraid of being caught). He contends he could have made millions selling the backdoor to Russians wanting to get into the system to alter the numbers. “There was no containment, in effect,” Hursti says, reviewing state documents asserting the contrary. Hursti deems CyberZeist as credible.
In another instance, experts looked at voting machines at a polling place during Georgia’s last gubernatorial election, where six of seven machines went heavily Democratic for the whole ticket and one swung the opposite toward the GOP. University of California Berkeley statisticians Philip Stark and Kellie Ottoboni concluded there was less than a one in a million chance of that happening.
The documentary covers almost all the bases, with appearances from lawmakers to election experts: Sens. Mark Warner (D-Va.), James Lankford (R-Okla.), Amy Klobuchar (D-Minn.) and Ron Wyden (D-Ore.); DEF CON founder Jeff Moss; University of Michigan computer science professor J. Alex Halderman; and Hursti’s fellow Voting Village co-founder Jake Braun. The major election security vendors declined interviews, although their promotional videos make entertaining cameos — of note though, is how those vendors have moved closer to the positions of the other interviewees in favor of outside testing in the past year or so. The final verdict: It’s a should-watch for election security enthusiasts because it’s a good flick, and a must-watch for the average voter who isn’t caught up.
MORE NOTES FOR VOATZ, WHICH STILL GLOATS — Another audit of mobile voting app Voatz has found serious security flaws in the app and platform, confirming an MIT report that Voatz harshly criticized and revealing even more alarming vulnerabilities. The new research conducted by the security firm Trail of Bits found 79 issues, including nearly 50 technical flaws and 31 problems with Voatz’s threat model. The flaws included hardcoded AES encryption keys, a reliance on unvalidated data and a lack of proper configuration management. Other high-severity issues are summarized as “a voter can unregister another voter’s device” and “Amazon admin password is hardcoded in source file.”
“The quantity of findings discovered during this assessment, the complexity of the system, and the lack of access to both a running test environment as well as certain codebases leads us to believe that other vulnerabilities are latent,” Trail of Bits said in its blog post. After the researchers presented their findings to Voatz, the company fully fixed eight issues and partially fixed six others but left 34 unaddressed. Trail of Bits said it was “clear that the Voatz codebase is the product of years of fast-paced development.”
Cybersecurity experts pounced on the new findings, saying they illustrated why secretive electronic voting companies could not be trusted. One researcher said Voatz lied to him about its use of hardcoded encryption keys when he first reported the issue through the company’s bug-bounty program. Voatz’s CEO downplayed the vulnerabilities, calling them merely theoretical and extremely unlikely to be exploited.
Voatz said the new report was “the first of many to come in the next several months.” It also said it was working with CISA and that “one of the leading federal testing labs in the nation” was reviewing its code. A Voatz spokesperson denied to MC that the company lied to the researcher about its encryption keys but did not say why the public should trust it more than independent experts.
https://www.politico.com/newsletters/morning-cybersecurity/2020/03/16/an-early-look-at-hbos-election-security-documentary-786109