You can easily secure America's e-voting systems tomorrow. Use paper – Bruce Schneier

As it emerges non-internet-connected election systems are actually connected to the internet


Black Hat While various high-tech solutions to secure electronic voting systems are being touted this week to election officials across the United States, according to infosec guru Bruce Schneier there is only one tried-and-tested approach that should be considered: pen and paper.

It's the only way to be sure hackers and spies haven't delved in from across the web to screw with your vote.

“Paper ballots are almost 100 per cent reliable and provide a voter-verifiable paper trail,” he told your humble Reg vulture and other hacks at Black Hat in Las Vegas on Thursday. “This isn’t hard or controversial. We use them all the time in Minnesota, and you make your vote and it’s easily tabulated.”

The integrity of the election process depends on three key areas: the security of the voter databases that list who can vote; the electronic ballot boxes themselves, which Schneier opined were the hardest things to hack successfully; and the computers that tabulate votes and distribute this information.

Election security is a hot topic at the Black Hat and DEF CON hacking conferences this year, and a matter of increasing national concern. Two pieces of legislation, one requiring paper ballots be produced for every vote, and another requiring parties to inform the FBI if foreign governments quietly hit them, passed the US House of Representatives last month.

However, Senate majority leader Mitch McConnell (R-KY) has refused to table the legislation in the upper house, saying the bills were partisan. Entirely coincidentally, it has subsequently come out that "Moscow Mitch" accepted thousands of dollars in lobbying cash from election machine manufacturers.

“The problem with election security is politics,” Schneier said. “We have a party in the US that doesn’t favor voting.”

Warning signs

Schneier's comments came on the same day that investigative reporter Kim Zetter revealed that America's election management systems that are not supposed to be connected to the internet long term were, and still are, in fact connected to the internet.

We're told ten security eggheads found that dozens of back-end election systems manufactured by ES&S had been left facing the internet for ages. The systems are designed to receive preliminary voting tallies from ballot machines after the polls close, remaining online for a very short period, and yet many were still lingering around on the 'net to this day. They do not count up the final results, it must be stressed: those totals are obtained by extracting data from the memory cards in the individual voting machines and processing all that offline.

The idea is that, during election night after the polls close, these back-end internet-connected systems receive initial tallies from e-voting boxes via SFTP behind a Cisco firewall, yet they end up being left online for many months after. If someone were to hack into these back-end computers and tamper with them on a crucial election evening, the preliminary counts arriving from the e-ballot boxes – figures that are quickly handed to the media for live analysis – could be intercepted and altered so that when the official numbers come in from the memory cards, there is enough mistrust among the public that no one believes which result is real.

It is, if you'll forgive us, a bit of a stretch: you'd need to pwn the SFTP server after getting through the filters on the Cisco firewall in order to get anywhere inside. Yet, it would be lovely if officials could get on top of their IT equipment, and take offline systems that are supposed to be offline, as America gears up for the crucial 2020 White House race.
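One way for election IT staff to catch the problem described above, as an added example written here and not code from the report, from the researchers, or from ES&S: it takes an inventory of when each results-reporting system is permitted to be reachable (the window is an assumption) plus external scan observations (constructed sample data), and flags any box still answering outside its election-night window.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ExposureWindow:
    """Period during which an asset is permitted to be reachable from the internet."""
    asset: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Observation:
    """One external scan result: whether TCP `port` answered on `asset` at `seen_at`."""
    asset: str
    seen_at: datetime
    port: int
    is_open: bool


def exposures_outside_window(windows, observations):
    """Return (asset, seen_at, port, overrun) for every open port seen outside the asset's
    permitted window. `overrun` is a timedelta past the window edge, or None when the
    asset has no window at all (i.e. it should never be reachable)."""
    by_asset = {w.asset: w for w in windows}
    findings = []
    for obs in observations:
        if not obs.is_open:
            continue
        w = by_asset.get(obs.asset)
        if w is None:
            findings.append((obs.asset, obs.seen_at, obs.port, None))
        elif obs.seen_at > w.end:
            findings.append((obs.asset, obs.seen_at, obs.port, obs.seen_at - w.end))
        elif obs.seen_at < w.start:
            findings.append((obs.asset, obs.seen_at, obs.port, w.start - obs.seen_at))
    return findings


# Constructed sample (hypothetical host names and dates): the SFTP drop box may be
# online only from poll close until early the next morning.
ELECTION_NIGHT = ExposureWindow("county-ems-01", datetime(2018, 11, 6, 20), datetime(2018, 11, 7, 6))
SCAN_LOG = [
    Observation("county-ems-01", datetime(2018, 11, 6, 22, 15), 22, True),  # expected
    Observation("county-ems-01", datetime(2019, 7, 15, 6), 22, True),       # months later
    Observation("county-ems-01", datetime(2019, 8, 1, 6), 22, False),       # finally offline
    Observation("county-ems-02", datetime(2019, 7, 15, 6), 22, True),       # not in inventory
]


def sample_findings():
    """Run the check over the constructed scan log."""
    return exposures_outside_window([ELECTION_NIGHT], SCAN_LOG)
```

Feeding the function the output of a periodic external port scan of the inventory turns "supposed to be offline" into something that is actually measured.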

The government is here to help

Schneier also spoke of the importance of technically skilled people getting into government, a topic he has raised before.

The technical knowledge of most congresscritters is sadly lacking, Schneier said, and they need good advice. He pointed to a big improvement in the statements issued by Senator Ron Wyden (D-OR) after the ACLU’s Christopher Soghoian joined his team.

Schneier suggested that technologists can do the most good for the country by avoiding running for public office, and instead join regulatory agencies. Legislators may enact major new laws on technology once a decade or so, but federal agencies are much more flexible and can make policy quickly and often.

He was blisteringly scathing about the Active Cyber Defense Bill being considered by Congress. The legislation, introduced by House Representative Tom Graves (R-GA), would legalize “hacking back,” whereby if a company is pwned online, it can legally go after its attacker.

“I’m sure there are some IT managers who would love to break out the attack code but it’s a terrible idea,” he said. “There’s a good reason why we give government a monopoly on violence: vigilante mobs get it wrong.”

He was also dismissive of recent noises from the US and other Five Eyes nations to force technology companies to introduce backdoors into encryption exclusively for law enforcement to use. Such calls have been going on since the 1990s, he pointed out, and so far it had been all talk.

“We’ve seen the Australian law passed, and the UK is moving on it too,” he said. “But in the US we have a very different relationship with government. Americans just don’t trust their governments as much as the UK and Australia.” ®
