[EL] The $45M Hiest (sic) from NYC ATMs
Joseph Lorenzo Hall
joehall at gmail.com
Wed May 15 11:10:25 PDT 2013
I'm not sure I need to say this but I will: David speaks for an
overwhelming consensus of the technical community with expertise in
voting technology.

best, Joe
On Wed, May 15, 2013 at 1:50 PM, David Jefferson <d_jefferson at yahoo.com> wrote:
> I feel compelled to differ with Mr. Kelleher again, after his latest posting
> on May 14. After this, I plan to drop the subject, since in my experience
> Mr. Kelleher is unpersuadable on the subject of online voting security.
>
> In his last message he begins by protesting that “I did not say, or in any
> way suggest … that ‘some email-related attack may have been the means of
> penetration’ in the heist”. But actually he did suggest it in his first
> message in this thread when he wrote “Did an official in the victim company
> click on a link in a spoofing email …?” and also later when he followed up
> with a major concluding point that “Internet voting servers are not
> connected to email systems”.
>
> Even though he denies suggesting it was an issue, he nonetheless continues
> to argue vociferously that Internet voting systems are “not connected to
> email systems” and uses as a major example “Email activity in the office of
> the WV SOS had no connection with the secure voting website; hence,
> penetration via trick emails was not possible”. I can only say that Mr.
> Kelleher shows a complete lack of understanding of the security issues with
> email. A hacker who wanted to attack an Internet voting system via an email
> spear phishing ploy ("trick email") would not send it to the SoS office, of
> all places. He would target someone who works in the data center where the
> ballots are collected or counted and hope that an enclosed attachment or
> link would be opened from there.
>
> Mr. Kelleher then argues with me about the term “‘Internet voting’, as
> commonly used”, claiming it does not include email voting. However, in
> security discussions the term “Internet voting” means, and has always meant,
> the transmission of voted ballots over the public Internet, regardless of
> the protocol or service used, the type of encryption used (if any), the
> types of computers or devices at either end of the voting transaction, or
> the software they are running. It includes systems in which votes are
> transmitted by web, by email, or by any other combination of standard
> protocols or new ones invented just for voting. “Internet voting” has had
> that meaning since the earliest literature on the subject, dating at least
> back to 1999 before any of the current vendors or systems even existed.
>
> From a security point of view we classify all of today’s forms of Internet
> voting together because they all share a wide range of profound security
> problems for which we have no good solutions available, including (1) remote
> voter authentication weaknesses, (2) susceptibility to client side malware
> attacks, server side penetration attacks, distributed denial of service
> attacks, various other network attacks, and insider attacks by officials or
> by programmers, and (3) the lack of support for any meaningful end-to-end
> auditing of the election. Again, I apologize for this jargon, but all
> security experts who have studied voting agree on these points.
>
> Mr. Kelleher is also wrong about why 30+ states have instituted email
> voting. It is not because of a “nation-wide irrational Moral Panic” and
> “scary stories” around web-based voting. The actual reasons for the
> popularity of email (and fax) voting are more prosaic. In most cases it was
> because legislators and election officials were familiar with email and were
> led (falsely) to believe that email voting would be essentially similar to
> paper mail-in voting, which is already legal. Also, email voting can be
> supported cheaply (but poorly) without much infrastructure, and even without
> any third party vendor, which is why New Jersey hastily attempted to
> institute it (with little preparation or success) in the aftermath of
> Hurricane Sandy.
>
> Finally, Mr. Kelleher attempts to argue that the famous Okaloosa County
> Internet voting experiment was not really “Internet voting”, and thus the
> fact that its servers were in Barcelona does not refute his false claim that
> Internet voting systems “are not connected to far away or foreign servers”.
> His bizarre reason for exclusion is that in that experiment voters cast
> their votes at specially-prepared laptops set up and manned by election
> officials instead of voting from home from their own private PCs. However,
> that important restriction offered an extremely valuable security protection
> because it essentially eliminated one entire category of security threat,
> namely malware on the machines that people actually voted from. By Mr.
> Kelleher’s idiosyncratic definition, only when people are permitted to send
> ballots from their personally-owned, possibly virus- or Trojan-infected
> devices can the system be properly called Internet voting!
>
> David
> David Jefferson
> d_jefferson at yahoo.com
>
> _______________________________________________
> Law-election mailing list
> Law-election at department-lists.uci.edu
> http://department-lists.uci.edu/mailman/listinfo/law-election
--
https://josephhall.org/