Reliability of pricey new voting machines questioned

By FRANK BAJAK
February 23, 2020

Nearly 1 in 5 U.S. voters will cast ballots this year on devices that look and feel like the discredited paperless voting machines they once used, yet leave a paper record of the vote. But computer security experts are warning that these so-called ballot-marking devices still pose too much of a risk.

Ballot-marking machines were initially developed not as primary vote-casting tools but as “accessible” alternatives for the disabled. They print out paper records that are scanned by optical readers that tabulate the vote.

They cost at least twice as much as hand-marked paper ballots, which computer scientists prefer because paper can’t be hacked. That’s an important consideration as U.S. intelligence officials warn that malicious meddling in this year’s presidential contest could be worse than in 2016.

The machines have been vigorously promoted by the trio of privately held voting equipment vendors that control 88 percent of the U.S. market and are nearly unregulated at the federal level. They are expected to be used by some 40 million eligible voters more than in the 2018 midterm elections.

Book Review: An electronic Pearl Harbor is closer than you think

“Sandworm,” Doubleday, by Andy Greenberg

The Obama administration did not issue a single public rebuke after hackers knocked sections of Ukraine’s power grid offline on frigid December nights in 2015 and 2016. The unprecedented cyberattacks on civilian populations presaged the most devastating malware attack to date _ the June 2017 onslaught of NotPetya, which also targeted Ukraine but went further. Hobbled, too, were international business partners including Danish shipping multinational Maersk and pharmaceutical giant Merck. Damage was in the billions. In the U.S., hospital surgeries were impacted.

In “Sandworm,” Andy Greenberg sets out to track down the hackers behind those attacks, and his page-turning narrative sounds the alarm: We have failed to adequately confront a looming, existential threat. Our largely unquestioning dependence on digital technologies compounds the threat of a digital doomsday. The more reliant we become, the greater the potential peril. Power generation, health care and other vital services are at risk. Foreign agents have penetrated vital U.S. infrastructure, though the U.S. could also threaten global stability if its cyber-capabilities are carelessly loosed.

The 316-page real-life thriller takes the reader to the front lines of global cyberconflict, where U.S., Ukrainian and other computer security researchers painstakingly work to solve the authorship riddle. It concludes that the culprits _ initially dubbed ‘Sandworm’ by researcher John Hultquist after his team finds a reference to the Frank Herbert novel “Dune” in their code _ are the same state-backed hackers who wreaked havoc on the 2016 U.S. presidential elections, stealing and exposing Democratic National Committee emails and breaking into voter registration databases in at least two states.

The military-backed Kremlin cyber-agents, it turns out, were also behind hacking of global anti-doping agencies and the U.S. power grid _ and knocked 2018 Winter Olympics networks offline during opening ceremonies.

When he gets technical _ no way around it, really _ Greenberg, a senior writer at ‘Wired,’ keeps the geek jargon to a minimum. His previous book, “This Machine Kills Secrets,” explores how digital tech and the global Internet _ where we are all publishers _ have transformed whistleblowing and leaking, keying off the WikiLeaks saga.

In “Sandworm,” Greenberg exposes the still uncharted world of global cyber-competition _ a perilous new front in warfighting that lacks norms and rules of engagement where human casualties seem inevitable. He describes, for one, how a nation’s own espionage tools can be dangerously turned against it and its allies, how programs written by U.S. National Security Agency uber-hackers to break into computers running on Microsoft operating systems wound up being exploited by Russian military hackers. Were they pilfered? Or leaked? That remains unclear.

“Sandworm” ranks with the multiple books by James Bamford and with Clifford Stoll’s 1989 “The Cuckoo’s Egg” as essential reading for grasping digital technology’s role in the evolution of global conflict. It takes us well past the intrigue of cyber-espionage to contemplate _ now that the Trump administration has endorsed the use of offensive cyber operations _ how a global digital arms race might spiral out of control.

“Permanent Record” By Edward Snowden

Headline: Snowden memoir: The spy who came out and told
(On AP: Abridged version)

By FRANK BAJAK
Oct. 28, 2019

Edward Snowden is mostly self-invented, the fruit of his own ingenuity. He’s a community college dropout, but he’s no layabout. If hacking, purely defined, consists in devising the simplest, most elegant way of getting what you want then Snowden has always excelled at it, beginning when he set back every clock in the house at age 6 in order to stay up late.

The memoir “Permanent Record” from this computer whiz who exposed secret U.S. government mass domestic surveillance six years ago is already a headline. The government has sued to try to deny Snowden royalties for not allowing it pre-publication review. But I didn’t find any secrets he hasn’t already revealed.

A former CIA and National Security Agency systems engineer, Snowden is now a committed digital privacy activist with 4 million Twitter followers, charged with Espionage Act violations for which he says his conscience offered no other option. Civil disobedience is a long, proud tradition with practitioners including the republic’s founders, Snowden reminds, and the book does at times read like a manifesto.

If anyone grew up on the internet, it was Ed, who was intoxicated with its seemingly limitless potential for good. Snowden waxes poetic on the magic of the two-modem handshake when going online meant tying up the family phone line, which he did incessantly.

Before innocence was lost, the internet represented America’s true values to Snowden. Dorkishly, he read the U.S. Constitution cover to cover when it was offered free at work. Patriotism was ingrained in his upbringing. His parents quietly exercised it when clocking in daily at work. Dad was a Coast Guard techie. Mom held various government jobs.

The North Carolina-born Snowden hacked his way through adolescence in the shadow of Fort Meade, Maryland, the NSA’s home. His scheme for skating through high school with minimum effort _ calculating what it took to get passing grades and doing no more _ worked until Honest Ed explained it to a teacher.

Coming-of-age memoirs like Snowden’s typically recount personal journeys of moral and psychological discovery. That is the book’s strength. Others, most notably journalist Glenn Greenwald and filmmaker Laura Poitras, have already better chronicled the white-knuckled drama of how the most famous whistleblower since Daniel Ellsberg persuaded them to meet him in Hong Kong in 2013 so he could lift the lid on the NSA’s mass surveillance of U.S. citizens _ the 21st century’s biggest scoop.

What Snowden does well, aided by novelist Joshua Cohen, his ghostwriter, is define the promise and dangers of digital technology and the wacky alchemy that grants system architects and administrators like him extraordinary power over people’s lives. His clearcut explanations of complicated yet vital phenomena like the TOR privacy browser and encryption are especially instructive.

Looking back, Snowden most regrets his atavistic reaction to 9/11, how the 18-year-old Ed became “a willing vehicle of vengeance.” He enlists in the Army, hoping to join the Special Forces _ only to break his leg in basic training. He’d been at Fort Meade the day of the attacks, coding for an employer who lived on the base, and joined the vehicular exodus as thousands fled the NSA’s gleaming black towers.

Engrossing is Snowden’s description of how he used his programming skills to create a repository of classified in-house jots on the NSA’s global snooping _ and built a backup system for agency data he called EPICSHELTER. Reading through the repository _ and through his research during a short stint as a briefer on Asian cyberthreats _ Snowden begins to understand just how badly the government was stomping on its citizens’ civil liberties. The “bulk collection” program was called STELLARWIND.

Snowden became sullen. “I felt more adult than ever, but also cursed with the knowledge that all of us had been reduced to something like children, who’d been forced to live the rest of their lives under omniscient parental supervision. I felt like a fraud.”

The rest is history: Snowden’s aborted flight from Hong Kong to Ecuador, stymied when the U.S. canceled his passport, stranding him in Moscow, where he lives in forced exile with longtime girlfriend, now wife, Lindsay Mills. If that relationship was ever tested Snowden is not saying. He turns the book over to Mills for a late chapter taken from her diaries when he disappears without a trace _ then shows up on everyone’s TV screen _ and the FBI is on her like flypaper. By then, the narrative has gone thin.

Snowden says he came to realize, in 2011 as he was deciding to blow the whistle on the NSA, that it wasn’t just the government that was endangering our liberty by amassing and categorizing our data. Back in the U.S. from Japan, he meets his first Internet-equipped ‘smart fridge.’ He is aghast.

Here he was, getting all exercised about U.S. government snooping while surveillance capitalists similarly spied on acquiescent consumers, rendering them a product that “corporations sold to other corporations, data brokers and advertisers.” Worse, people were being persuaded to surrender control of their data to corporations for storage “in the cloud.”

Snowden, at age 28, had soured on his beloved internet. “The Internet that had raised me was disappearing. And with it, so was my youth. The very act of going online, which had once seemed like a marvelous adventure, now seemed like a fraught ordeal.”

“Every transaction was a potential danger.”

Two years later, he’d share his discoveries with the rest of us.

‘Erratic’ online handle apt for Capital One hack suspect

August 1, 2019

By GENE JOHNSON and FRANK BAJAK

SEATTLE (AP) — The 33-year-old former Amazon software engineer accused of hacking Capital One made little attempt to hide her attack. In fact, she effectively publicized it.

It’s one of many riddles swirling around Paige Thompson, who goes by the online handle “erratic.” Well-known in Seattle’s hacker community, Thompson has lived a life of tumult, with frequent job changes, reported estrangement from family and self-described emotional problems and drug use.

FBI agents arrested Thompson Monday for allegedly obtaining personal information from more than 100 million Capital One credit applications, including roughly 140,000 Social Security numbers and 80,000 bank account numbers. There is no evidence the data was sold or distributed to others.

Thompson, in federal custody pending an Aug. 15 detention hearing, wasn’t reachable. Her public defender, Mohammad Hamoudi, did not return an emailed request for comment.

But her online behavior suggested that she may have been preparing to get caught. More than six weeks before her Monday arrest, Thompson had discussed the Capital One hack online with friends in chats and in a group she created on the Slack messaging service.

Those chats and the recollections of others offer a sketch of someone talented and troubled, grappling with what friends and her own posts indicate was an especially bumpy crossroads in her life.

Friends and associates described Thompson as a skilled programmer and software architect whose career and behavior — oversharing in chat groups, frequent profanity, expressions of gender-identity distress and emotional ups and downs — mirror her online handle.

Whistleblower vindicated in Cisco cybersecurity case

August 1, 2019

By FRANK BAJAK

BOSTON (AP) — A computer security expert who has won a trailblazing payout in a whistleblower lawsuit over critical security flaws he found in October 2008 in Cisco Systems Inc. video surveillance software thought his discovery would be a career-boosting milestone.

James Glenn imagined at the time that Cisco would credit him on its website. The software was, after all, used at major U.S. international airports and multiple federal agencies with sensitive missions.

“I mean, this was a pretty decent accomplishment,” Glenn said Thursday in a phone interview.

Instead, he was fired by the Cisco reseller in Denmark that employed him, which cited cost-cutting needs. And Cisco kept the flaws in its Video Surveillance Manager system quiet for five years.

Only Wednesday, when an $8.6 million settlement was announced and the lawsuit he filed in 2011 under the federal False Claims Act unsealed, was Glenn’s ordeal revealed — along with the potential peril posed by Cisco’s long silence.

Activists worry about potential abuse of face scans for ICE

July 9, 2019

By FRANK BAJAK

BOSTON (AP) — Civil rights activists complained Monday of the potential for widespread abuse following confirmation that at least three states have scanned millions of driver’s license photos on behalf of Immigration and Customs Enforcement without the drivers’ knowledge or consent.

Public records obtained by the Georgetown Law Center on Privacy and Technology provided the first proof that ICE had sought such scans, which were conducted in Utah, Vermont and Washington.

All three states — which offer driving privileges to immigrants who are in the U.S. illegally — agreed to the ICE requests, according to documents shared with The Associated Press on Monday and first reported by The Washington Post.

“States asked undocumented people to come out of the shadows to get licenses. Then ICE turns around and uses that to find them,” Alvaro Bedoya, the center’s director, said Monday.

ICE spokesman Matthew Bourke did not directly address written questions, including whether the agency used the scans to arrest or deport anyone.

Data scientist drops Facebook defamation suit

July 2, 2019

By FRANK BAJAK

Aleksandr Kogan, the data scientist at the center of Facebook’s Cambridge Analytica privacy scandal, said he is dropping a defamation lawsuit against the social network rather than engage in an expensive, drawn-out legal battle.

Kogan, 33, sued the social giant in March, claiming it scapegoated him to deflect attention from its own misdeeds, thwarting his academic career in the process. The suit sought unspecified monetary damages and a retraction and correction of what Kogan said were “false and defamatory statements.”

“We thought there was a one percent chance they would do the right thing,” Kogan told The Associated Press. Facebook is “brilliant and ruthless,” he added. “And if you get in their way they will destroy you.”

A Facebook spokesperson said the company had “no comment to share concerning this development.”

The former Cambridge University psychology professor created an online personality test app in 2014 that vacuumed up the personal data of as many as 87 million Facebook users. The vast majority of those were unwitting online friends of the roughly 200,000 people Kogan says were paid about $4 to participate in his “ThisIsYourDigital Life” quiz.

Server image mystery in Georgia election security case

July 3, 2019

By FRANK BAJAK

The case of whether hackers may have tampered with elections in Georgia has taken another strange turn.

Nearly two years ago, state lawyers in a closely watched election integrity lawsuit told the judge they intended to subpoena the FBI for the forensic image, or digital snapshot, the agency made of a crucial server before state election officials quietly wiped it clean. Election watchdogs want to examine the data to see if there might have been tampering, given that the server was left exposed by a gaping security hole for more than half a year.

A new email obtained by The Associated Press says state officials never did issue the subpoena, even though the judge had ordered that evidence be preserved, including from the FBI.

The FBI data is central to activists’ challenge to Georgia’s highly questioned, centrally administered elections system, which lacks an auditable paper trail and was run at the time by Gov. Brian Kemp, then Georgia’s secretary of state.

The plaintiffs contend Kemp’s handling of the wiped server is the most glaring example of mismanagement that could be hiding evidence of vote tampering. They have been fighting for access to the state’s black-box voting systems and to individual voting machines, many of which they say have also been altered in violation of court order.

Marilyn Marks of the Coalition for Good Governance, a plaintiff in the case, said that if the state failed to secure the data from the FBI — despite informing U.S. District Judge Amy Totenberg in October 2017 of its intent to do so with the subpoena — it clearly has something to hide.

WhatsApp flaw let spies take control with calls alone

May 14, 2019

By FRANK BAJAK and RAPHAEL SATTER

Spyware crafted by a sophisticated group of hackers-for-hire took advantage of a flaw in the popular WhatsApp communications program to remotely hijack dozens of phones without any user interaction.

The Financial Times identified the hacking group as Israel’s NSO Group, which has been widely condemned for selling surveillance tools to repressive governments.

WhatsApp all but confirmed the identification, describing hackers as “a private company that has been known to work with governments to deliver spyware.” A spokesman for the Facebook subsidiary later said: “We’re certainly not refuting any of the coverage you’ve seen.”

WhatsApp has released a new version of the app containing a fix.

The spyware did not directly affect the end-to-end encryption that makes WhatsApp chats and calls private. It merely used a bug in the WhatsApp software as an infection vehicle. The malware allows spies to effectively take control of a phone — remotely and surreptitiously controlling its cameras and microphones and vacuuming up personal and location data. Encryption is worthless once a phone’s operating system has been violated.

Hackers are always looking for flaws in apps and operating systems that they can exploit to deliver spyware. State-run intelligence agencies including the U.S. National Security Agency invest tens of millions of dollars on it. Indeed, Google’s ProjectZero bug-hunting team scoured WhatsApp last year looking for vulnerabilities but did not find any. Instead, it was WhatsApp’s security team that found the flaw.

Microsoft offers software tools to secure elections

May 6, 2019

By FRANK BAJAK

Microsoft has announced an ambitious effort to make voting secure, verifiable and subject to reliable audits by registering ballots in encrypted form so they can be accurately and independently tracked long after they are cast.

Two of the three top U.S. elections vendors have expressed interest in potentially incorporating the open-source software into their voting systems.

The software is being developed with Galois, an Oregon-based company separately creating a secure voting system prototype under contract with the Pentagon’s advanced research agency, DARPA. Dubbed “ElectionGuard,” it will be available this summer, Microsoft says, with early prototypes ready to pilot for next year’s U.S. general elections.

CEO Satya Nadella announced the initiative Monday at a developer’s conference in Seattle, saying the software development kit would help “modernize all of the election infrastructure everywhere in the world.”

Three little-known U.S. companies control about 90 percent of the market for election equipment, but have long faced criticism for poor security, antiquated technology and insufficient transparency around their proprietary, black-box voting systems.

Open-source software is inherently more secure because the underlying code is easily scrutinized by outside experts but has been shunned by the dominant vendors whose customers — the nation’s 10,000 election jurisdictions — are mostly strapped for cash.

None offered bids when Travis County, Texas, home to Austin, sought to build a system with the “end-to-end” verification attributes that ElectionGuard promises to deliver.
