Don’t be like me. There really are great white sharks lurking offshore.

There are sharks lurking offshore (in Russia, for example) who want to hack your votes. Like me, your elected leaders are quick to shout “No danger!” Help me #protectGAvote

My name is Larry Vaughn. This is my website. You last saw me in 1975 in Amity, New York. I was the town’s mayor when a rogue police chief tried to frighten 4th of July tourists with talk of a great white shark lurking off the shallow waters. Needless to say, I was not pleased with the panic that ensued. “No danger!” I said. “Fun in the water!” Then the shark started gobbling people up. I now regret that I did not do more to protect the people who trusted me, and I want to make sure the same thing does not happen to the voters of Georgia. There are sharks lurking offshore (in Russia, for example) who want to hack your votes. Like me, your elected leaders are quick to shout “No danger!” Help me #protectGAvote

Voter rolls are not a retail commodity.

Beginning with the DNC hack in spring of 2016, it dawned on me (maybe I’m slow to the party, but eventually it clicks) that the retail market in voter registration databases is a bad idea. That’s been highlighted in the last few weeks by Kris Kobach’s ill-fated attempt to federalize voter information in a searchable facility. This was one of the key take-aways from the recent Time article that chillingly describes how access to voter registration can be used to disrupt elections without ever touching one of those insecure DRE voting machines.
I even worked out a threat scenario and circulated it to some friends who agreed (1) it is plausible, and (2) it is not obviously illegal. You can see why if you follow the complicated trail in the Guardian article. Or if you just look at what the people creating the market in your voting data say about it:
Notes for a 2016 Democratic Campaign
Eric Schmidt
April 2014

Key is the development of a single record for a voter that aggregates all that is known about them.  In 2016 smart phones will be used to identify, meet, and update profiles on the voter.  A dynamic volunteer can easily speak with a voter and, with their email or other digital handle, get the voter videos and other answers to areas they care about (“the benefits of ACA to you” etc.)

The point is to be able to create a dashboard, accurate to the individual vote level, that is predictive of future voter behavior. Civis Analytics is one such company:

Civis Analytics, a company founded by the chief analytics officer of Barack Obama’s 2012 re-election campaign, has raised $22 million in Series A funding.



I’m not happy there’s a market in voter data, but I am even less happy that political parties, market analysts, and election owners do not seem to understand the significance of unauthorized access. Unless there is a statute to the contrary, trading in this kind of information is no more serious than buying and selling grocery store loyalty data.

I want the voter data market to be regulated. There is no consensus around this topic, but I am convinced this is a security hole big enough to drive a truck through. I have friends who disagree, saying transparency in voter rolls is important to prevent vote buying/trading, voter intimidation, and other problems. Agreed, but that’s a long way from giving tacit approval to monetizing my contact and other personal information.

[As a side note:  I am baffled that my NRA-supporting friends have not been as up in arms (get it?) about this as they have about federal gun ownership registries.]

Regulation of this market, like many in the information age, will be messy.  Just look at how colleges and universities wrap themselves around the axle to comply with FERPA-mandated protection of student data, for example.  But that does not mean it should not be done.  At the very least, regulation can force information aggregators like the DNC and the RNC to provide safeguards to deter the sort of casual intrusion marking the 2016 election.


When it comes to election hacking, low tech is cheaper and better

Georgia Secretary of State Brian Kemp is often quoted as skeptical about the threat of web-based attacks on the State’s computerized voting systems. The Secretary makes many such pronouncements, but he also professes to know few details of the underlying technologies.  I suspect that Kemp’s knowledge base concerning such matters will disappear completely with the recently announced firing of Merle King and the incident-prone Center for Election Systems at Kennesaw State University. It was King who famously introduced the (incorrect) idea that Georgia’s voting machines were “air-gapped,” a measure that–even if true–would have little impact on the end-to-end security of the elections system.

When it comes to election hacking, low tech is always cheaper and, in most cases, it is much better.

I have already  previewed some of the main vulnerabilities here, here, and here, but will have a lot more to say in the next few days about high-tech vulnerabilities.  I want to use today’s post to point out that no self-respecting spy/hacker would resort to such exotic measures without first trying much less risky (and far less expensive) ways of hacking an election.

The human element is always the first choice in espionage.

Human espionage is an ancient art; in fact, it has even been called the oldest profession. Unfortunately, espionage is still alive and well in today’s post Cold War environment. If anything, it is even more rampant. Events in the news remind us of this, such as the recent arrests of two Lucent Technologies employees, and a catering employee of MasterCard International for the theft of trade secrets. Throughout history and in current times efforts to identify indicators of espionage have been made. Unfortunately these efforts have met with limited success. In every instance of espionage, the person involved had access to information. Understanding this, and the fact we have the ability to control access to computer file systems, is critical to protecting information

I will give just one of many examples that Russian election hackers are certain to know well.  The U.S. government spends hundreds of millions of dollars on encryption technology aimed at thwarting even the most well-funded adversaries. This is one of the oldest ideas in information and communications security.  It dates from the British cracking of German Enigma codes in World War II. The idea behind encryption security is that there should be a concrete price for technology that can be used to crack a code. For the British, that price was the cost of mounting the deciphering unit at Bletchley Park.

For modern hackers, the price tag is the cost of building a deciphering supercomputer. Those costs have soared over the last 25 years. In the 1980s, a $20 million supercomputer would have been sufficient to hack into all but the most highly sophisticated encrypted communications. But it is an arms race, and today only national intelligence services and a few non-state actors are able to invest upwards of $500 million annually to reliably decrypt enemy communications.

One reason for this shift in strategy is that the most damaging breaches in history have been ridiculously easy to mount, and not all that expensive. Six million dollars would have done it. That was the total price tag for turning CIA intelligence officer Aldrich Ames ($2.5M), FBI agent Robert Hanssen ($1.4M), U.S. Navy communications officer John Anthony Walker ($1M), and intelligence analyst Jonathan Pollard (a bargain at $50,000), all of whom became spies for foreign powers. Edward Snowden and Chelsea Manning get thrown in for free.

I mention this point only because, among Logan Lamb’s and Chris Grayson’s discoveries when they stumbled into the unprotected servers at Kennesaw State, were files containing election day passwords. Brian Kemp claims the files were encrypted and password protected. Lamb and Grayson say no, and the directories that I have seen myself back up the Lamb and Grayson accounts.

Either Kemp knows this and is simply lying to the public, or (more likely than not) he is ill-informed about what was going on in the Kennesaw operation.

Either way, why would a Russian attacker go through the trouble of mounting a web-based attack on voting machines when Georgia’s election officials simply handed over the election day keys to voting systems?



Why are Georgia’s election officials lying about the stolen poll books?

It’s not that hard to figure out that someone is lying.  There are the inevitable tells:

In order to convince the accuser, a liar may respond to an allegation with a truthful statement that casts him in a favorable light.


Going into attack mode against the questioner

But usually it’s just too darn hard to keep your stories straight. That’s what trips people up. That’s what’s causing Brian Kemp’s story about stolen poll books to unravel. His office first reported that the poll books were stolen from a Cobb County precinct manager’s car. Not to worry, said Kemp’s office:

the stolen machine, known as an ExpressPoll unit, cannot be used to fraudulently vote in Tuesday’s election but that it does contain a copy of Georgia’s statewide voter file

Not a question that anyone was asking, but ok. It’s not a small point however that it was not a single stolen machine, but five of them.

Oh, and by the way:

the poll book that was stolen did have a flash card with a voter list on it. But, it does require some knowledge or expertise to use machine to retrieve the information.

Wherever would someone get “some knowledge?” It better be hard to do because, like a needle being passed among addicts in some back alley, that flash card is a perfect vehicle for delivering malware to voting machines. And there are now five of them out there.

Kemp was upset that it took a couple days for Cobb County officials to let him know they had screwed up, but then it was all ok because the missing machines had been found in a dumpster.  Until they weren’t: “…safe in a landfill,” was the reassuring message from election officials.

Kemp was so relieved he had a ceremony for the police officers who “recovered the stolen equipment.” Except that they actually did not recover the stolen equipment, which was safe in a landfill.  “Too expensive to dig it up…” they said.

Finally, in an attempt to put the whole thing to bed, Kemp’s Office had to reassure us:

…no voter information had been taken from the stolen voting equipment and the equipment was destroyed before being placed in a landfill.

Now how the heck did they know that?  Police never actually had the machines in their possession, so how did they know they had been destroyed? And how would you know whether voter information had been taken from the machines in any event?

There are those flash cards. Those are not mentioned at all.  Were they in the landfill too?

You see where all this is going, don’t you? Taken together not much about this entire story makes much sense, unless you believe that Kemp and Georgia election officials are just making all this up on the spot.  That’s what eventually trips up a liar.

Let’s call in someone who knows a little about tripping up liars.





Out-dated, insecure election system is damaging Georgia’s brand as a hub for cyber security innovation

A small, local newspaper in an Atlanta suburb beat the Atlanta-Journal and Constitution (AJC) to the real impact that Georgia’s outdated, insecure computerized election system has on the state’s economy.

Over the last 20 years, Atlanta has become an international innovation hub for cyber security. Kleiner-Perkins backed Internet Security Systems was launched by a Georgia Tech freshman and went on to become one of the most important enterprise security firms in the country before it was acquired by IBM. SecureWorks, another Atlanta start up, was acquired by Dell in 2011. Atlanta’s tech scene is relying on a planned $50M cyber security center to cement its brand as the place to be.

That’s why the Newnan, Georgia, Times-Herald article about the effect of national publicity about Georgia’s out-dated insecure election system provokes one of those “Whatever can they be thinking?” moments. The AJC, which you would expect to be a booster, has missed this story completely (In fact, the AJC has been so conspicuously wrong/absent on the Georgia elections story that you have to wonder what the heck is going on in their editorial meetings).

The Times-Herald piece was not original reporting; I can excuse them for concluding that the election systems are safe and unchallenged, but the paper correctly points out that recent national attention can do serious damage to Georgia’s reputation:

…it is an ignominious way for the world to recognize Georgia’s growing role in cybersecurity. Fort Gordon near Augusta is the new home of the U.S. Army’s Cyber Command and a branch facility of the National Security Agency that contracted with the company employing the alleged leaker. 
The state is establishing a cybersecurity research center at Georgia Tech, near the headquarters of some of the private sector’s most successful digital-security firms and the country’s major hub of financial transaction processing. Stories from here like this one are likely to become less infrequent.
The Peach State is at the center of this story because it is now at the center of cybersecurity.

Ironic that the Secretary of State’s Office, which has major responsibility for business development, has contributed to this state of affairs by not moving swiftly and decisively to shore up Georgia’s voting technology. Why would new investment be attracted to a place that apparently cannot manage 1999-era systems?

Even if you think that the fuss over Georgia’s system is much ado about nothing, or is part of a liberal effort to explain away electoral failures, you should be concerned about the impact it might have on this growing piece of the local economy.  It’s a shame, because the entire problem can be fixed tomorrow with relatively little investment.



30 Reasons (Part 3) to believe that Georgia’s computerized voting system may not be as secure as election officials claim

Reasons 1-10 are here, and 11-20 can be found here.

These are reasons 21-30:

  21. Georgia election officials consistently misstate operating characteristics and functionality of the computerized election system. These misstatements are designed to convey an impression that the system has security and recovery features that, in fact, do not exist. For example, in sworn testimony before Fulton County Judge Adams, the Fulton County chief election administrator claimed under cross-examination that Accuvote TS voting machines maintain a voter verified trail because an image of the voter’s ballot is stored in memory. Unsupported claims of isolation, multi-layered protection and proper user authentication abound in statements from election officials.
  22. Election officials raise problems with alternative methods of verifying votes, where none exist. Richard Barron (Fulton County administrator) for example, claimed that paper ballot counts have 5% error rates (and are therefore at least as error-prone as any method of counting votes). There have been scientific studies of this matter. Barron is off by an order of magnitude. Proper hand counting methods have error rates of up to 0.5% and even low-cost methods have error rates of only 2%.
  23. Physical security of devices and chain of custody are important to election security in Georgia, and the use of tamper-proof seals is often cited as an important link in the security chain. Not only are tamper-proof seals of the type used in Georgia readily available online, election workers often break the seals and re-seal devices without prior authorization. That type of breach, for example, might be prompted by a desire to check a machine for damage, as was observed by independent 3rd parties during the June 20 runoff.
  24. According to CES Executive Director Merle King, Georgia’s computerized voting systems use a version of Windows that dates from the early 2000s and is unpatched and unsupported by Microsoft. Unpatched operating systems are vulnerable to malware of all types and significantly increase the likelihood of successful hacks.
  25. There has never been an independent security evaluation of Georgia’s computerized election system.
  26. Georgia’s election officials have never looked to see whether their systems have been hacked. Despite claims to the contrary, no one in CES or the Secretary of State’s Office has actually checked to see whether the election system has been hacked. This includes the immediate aftermath of the CES break-in, during which it would have been appropriate to see whether malware had been introduced or the systems had otherwise been compromised. A representative from the US Department of Homeland Security testified to the Senate Intelligence Committee that DHS has not conducted such an analysis either.
  27. CES Executive Director has stated publicly that CES scrounges for used and reconditioned equipment to replace its aging components. Information about information assurance measures for these devices has not been released. Nor does CES have any idea about whether these parts have ever been connected to the Internet.
  28. Secretary of State Brian Kemp was one of the few secretaries of state objecting to the DHS offer in 2016 to designate election systems as critical national infrastructure, which would have dramatically increased the security-related resources available to the state. In fact, Kemp used the occasion to pick a fight with DHS by accusing the agency of a “massive attack” on Georgia’s systems. That accusation was refuted thoroughly by DHS Inspector General in an open letter.
  29. Secretary of State Brian Kemp issues dismissive statements to the press, but has yet to respond to this letter or this letter about Georgia’s system security posed by a group of distinguished computer scientists. These questions were designed to increase the public confidence in the security of the underlying system.
  30. The premise underlying Georgia’s approach to paperless DRE voting systems was undermined in 2003, shortly after the implementation of HAVA and the chartering of the Election Assistance Commission (EAC), when the National Institute of Standards (NIST) was asked to formulate the alternatives to a voter verified paper trail. NIST in turn chartered the Auditability Working Group to conduct an exhaustive study. The 2011 report of the NIST Working Group rejected the very idea of paperless voting. The report begins with the main conclusion: [Figure: AWG Conclusions] In other words, the paperless system in use in Georgia is, by design, perfectly engineered to incorporate a fatal flaw: there is always the possibility of undetectable errors in the recording of votes. The NIST study means that the high confidence expressed by election officials in the security of Georgia’s computerized voting system has no scientific basis.

30 Reasons (Part 2) to believe that Georgia’s computerized voting system may not be as secure as election officials claim

See Part 1 for Reasons 1-10.  Here are reasons 11-20.

  11. Despite repeated assurances that voting machines are never connected to the Internet, Logan Lamb watches a video on the CES website that instructs poll workers (and demonstrates) how to insert PCMCIA memory cards into Internet connected computers to load them with ballots and other election-related information. Poll workers are instructed to insert those cards into a port on Diebold Accuvote TS voting machines on election day. This establishes a connection between the voting machines and the Internet that would allow their exposure to malware.
  12. Despite assurances that voting machines cannot be tampered with because they are under the secure, continual physical control of election officials at all times, numerous voters observe the following:

    unattended voting machines in hallways of public buildings. The receipt shows that the recipient has not signed for these machines and the machines are accessible to anyone.

  13. Despite repeated assurances that election security is a priority for Georgia elections, an internal Kennesaw State University audit of the Lamb-Grayson breach concludes that there was “poor understanding” of the risk posed by CES.
  14. Missing ballots are nothing new in Georgia elections. Reports surface every election cycle about votes that are cast on computerized voting equipment that are never recorded. These range from anecdotes about touchscreen presses that are reversed by the time the summary screen is presented to the voter to legal challenges mounted by candidates (like this one). Georgia’s Secretary of State makes challenges based on illegal tampering even more complex because he has been on a crusade to reduce the size of voter rolls in the state. Nevertheless, election night analysis continues to show that flipping votes on DRE type voting machines is a real risk. Tally records confirm missing ballots:
  15. It may seem like sour grapes for losing candidates to complain about election night anomalies, but Georgia seems to have more than its fair share of surprises like that. In 2002, for example, Diebold’s voting machines reported the defeat of Democratic senator Max Cleland. Early polls had given the highly popular Cleland a solid lead over his Republican opponent, Saxby Chambliss. Two days before the election, a Zogby poll gave Chambliss a one-point lead among likely voters, while the Atlanta Journal-Constitution reported that Cleland maintained a three-point advantage with the same group. Cleland lost by seven points. In the month leading up to the election, Diebold employees, led by Bob Urosevich, applied a mysterious, uncertified software patch to 5,000 voting machines that Georgia had purchased in May. Popular Governor Roy Barnes lost to Sonny Perdue by somehow blowing an 11 point lead on the eve of the election, and voter turnout anomalies like the one below led many to question the validity of the June 20 election in the 6th District.
  16. Voter rolls have become a favorite target of election hacks, so when it was reported that five electronic poll books were stolen before the April special election, it caught the eye of cyber security professionals already concerned about the integrity of Georgia elections. The theft was not reported until the eve of the Special Election, and the stolen machines were subsequently found in a dumpster. (Note added July 9: Initial press reports were misleading. They were not found in a dumpster. Later reporting said that the police took the word of the alleged thief that he threw them away. Officials did not think it was worth it to try to recover them. Interestingly enough Secretary of State Brian Kemp threw a party for the police who did not recover the missing poll books).
  17. Since there were many opportunities for hackers to modify contact information, it is not surprising that voters were turned away from legitimate polling centers:
  18. Or directed to alternative centers because of an unusually large number of simultaneous renovations to existing centers, thus depressing voter turnout:
  19. Vague descriptions of what exactly constitutes Georgia’s computerized voting system are useful to deflect questions about what components are certified by whom. A citizens’ request that SoS produce active, valid certifications for the entire system was denied.
  20. SoS Brian Kemp in published op-ed pieces is openly dismissive of threats to election systems. In particular, he dismisses the threat of Russian hacking as “fake news,” making it difficult to balance threats, vulnerabilities, and security measures. Kemp often declares Georgia’s systems to be absolutely secure, but that is not a great feat if you do not acknowledge any threats.

#protectGAvote and special thanks to Lady Liberty Votes for visual examples.

30 Reasons to believe that Georgia’s computerized voting system may not be as secure as election officials claim, Part 1

  1. An internal analysis by the vendor says the machines are vulnerable to vote changing.
  2. Data breach in the Secretary of State’s office exposes 6M+ names and personal information of Georgia voters to media outlets and political party offices.
  3. Secretary of State Karen Handel ignores recommendations for beefing up voting system.
  4. The same voting machines used in Georgia are successfully and repeatedly attacked.
  5. In a realistic test, Washington DC voting system is hacked: in 48 hours all of the election results were undetectably changed.
  6. A walkthrough of The Center for Election Systems at Kennesaw State University (which programs, tests, and maintains the State’s 27,000 voting machines) shows shocking lapses of physical security.
  7. Cyber security researcher Logan Lamb stumbles into 15GB of sensitive documents that were externally accessible, already indexed by Google. Files included election day passwords, GEMS databases, training videos, and executable files. CES managers warn Lamb to avoid talking to the media or risk being “crushed by powerful people downtown.”
  8. CES promises to fix the problem, but 6 months later cyber security researcher Chris Grayson finds that the files are still exposed to the Internet.
  9. Despite assurances that CES is not connected to the public Internet, an internal Kennesaw State audit of the Lamb-Grayson breach finds an unlocked data closet at CES with a public access port to the Internet.
  10. Despite assurances that CES is not connected to the public Internet, an internal Kennesaw State audit of the Lamb-Grayson breach finds an unauthorized wireless access point on premises, providing a channel from internal CES systems to the public Internet.


Georgia Sec. of State does not want DHS to designate election systems as critical infrastructure. Here’s why.

Georgia’s election officials were all bent out of shape last fall when the US Department of Homeland Security (DHS) wanted to designate American election infrastructure as critical to national security.  As Sec. of State Brian Kemp explained in his recent USA Today op-ed, it’s really just a matter of state sovereignty.  We don’t want the federal government telling us how to run our elections, is what Kemp is telling Georgians. In fact, he thinks so little of DHS, he wants you to believe the federal government (ours, not Russia’s) is the one hacking Georgia’s election system in a “massive attack,” according to a complaint filed by Kemp’s office last January.

The Inspector General of DHS investigated Kemp’s allegations and found, to the Secretary’s embarrassment, that what he had characterized as a massive attack was actually normal web traffic. Never mind, murmured Kemp.

A more likely explanation for the critical infrastructure freak-out is that the Secretary of State’s office treats the protection of the computerized election system like a high school science fair project, not a precious resource to be protected. Wouldn’t that be embarrassing if the Feds showed up to check on his ability to manage critical infrastructure?

Way back in the early days of electronic voting in Georgia, then SoS Cathy Cox, a Democrat,  set up the Center for Election Systems (CES) at Kennesaw State University to test, program, maintain and provide training for the Diebold-based touchscreen voting machines and associated servers, networks, and software.

CES Director Michael Barnes served as an enthusiastic tour guide to the Atlanta Journal and Constitution, which posted this video on YouTube™

A well-positioned sign announced the state’s central technology organization, helpfully displaying its precise location.  No guards or even a receptionist to check the identities of visitors; no ID badges to distinguish students who were authorized to be there from those who merely wanted to examine the piles of election equipment and computers that had been left unattended in otherwise unsupervised rooms.

You would think that an important system like this would have the eye of top university leadership.  Director Barnes says no. CES is just another department in the school of science.

The most likely explanation for the Secretary’s over-the-top reaction to the suggestion that Georgia’s election system be classified as critical infrastructure is that the state’s election officials do not think it is that important, and they would prefer that not be widely known.




Secretary of State Brian Kemp takes his case public for maintaining Georgia’s reputation for the country’s most insecure voting system.

Georgia Secretary of State Brian Kemp responded this morning to a USA Today editorial that points out an inconvenient fact:

in Georgia, where researchers discovered a gaping hole in election security last fall, it’s unclear what has been done to plug it. Georgia Secretary of State Brian Kemp has argued vehemently against replacing the state’s voting machines, which are susceptible to sabotage because they lack a paper record of votes.

Kemp could have defended himself by behaving like a responsible public servant and: (1) acknowledging the threat, (2) promising to marshal the considerable resources at his disposal to meet the threat, and (3) forming a national strength-in-numbers coalition of election officials to adopt the common-sense reforms that are the consensus recommendation of voting technology experts.  He did not do that.

Instead, Kemp laid out his case for placing his personal political ambitions above his duty to protect Georgia voters:

As reporters chase stories to feed the 24-hour news cycle, they dilute facts and develop false narratives about Russian hacking and potential vulnerabilities in the system. The prevailing plot line is that states like Georgia can’t provide suitable security for elections.

At last month’s Senate Intelligence Committee hearing, national security officials testified that there is no doubt about Russian hacking. Committee members–who have been briefed on the threats and vulnerabilities–showed rare bipartisan agreement. They also said that DHS has not conducted classified briefings for state election officials, so Brian Kemp actually has no way to know whether the “narratives” are false.

This sounds like me.  When I was Mayor of Amity, Chief Brody tried to get me to close the beaches because of a great white shark that was snacking on 4th of July tourists.  I was more concerned about the political implications than protecting people.  I’ve apologized for my irresponsible behavior.  My hope is that Brian Kemp follows suit, but I don’t think that’s very likely.

The next best outcome is for Kemp’s Republican gubernatorial opponent, Lt. Gov. Casey Cagle, to use this shocking editorial to argue that Kemp should never again be allowed to represent the public interest.

In the meantime, Georgians are left to wonder whether the results of recent elections can be trusted.