Hacking the Vote?

First, welcome to my new blog!

I am excited to have recently joined Mozilla’s Application Security Engineering team, and especially excited to be able to do security work I can actually talk about. At the moment, that means working my way through code-reviewing a bunch of WordPress plugins that Mozilla would like to use, some of which have their own plugins, and thinking about ways Mozilla can enlist community involvement in security, as it successfully has with Firefox and other products.

Once I get through reviewing 50,000 or so lines of PHP code, I’m looking forward to sharing the efficient, repeatable general PHP and WordPress plugin-specific security code review processes and tools for static and dynamic analysis I came up with to actually get it done.

If you’re wondering if there’s any connection between that and my putting this blog on the free wordpress.com host, no, there’s not. I have no idea as to how they secure it, or if it is, and haven’t tested my own blog here, because it’s not running on my computer, and I don’t have their permission, so that wouldn’t be right.

With that out of the way, I’m going to just jump right into my first post, a link to an article at MIT Technology Review about the mechanics of voting fraud.

MIT Technology Review asks, How Long Before Hackers Steal Votes?

That, indirectly, is the question asked and answered in a just-released judge’s summary (pdf) of testimony from a trial conducted in 2008-2009 in which the state of New Jersey was sued for insufficiently guaranteeing the physical security of its electronic voting machines.

Experts called during the trial asserted that the state’s existing security methods, consisting primarily of tape that should reveal evidence of tampering if key parts of a voting machine are removed or opened, were insufficient. So New Jersey expanded the number of physical seals on its machines from three to six. Subsequently, the same experts testified that these measures were essentially useless in the absence of training for election workers in the proper use of these seals, and that the seals interfered with legitimate maintenance of the machines.

In other words: New Jersey’s electronic voting machines, which are emblematic of machines across the U.S., remain vulnerable to attack by hackers who could inject software or hardware to skew vote counts.


I saw this guy, Datagram, give what I thought was one of the most original talks at Blackhat 2011 – a talk about “tamper-evident” seals, and how many can actually be tampered with, without easy detection.

Youtube has him giving the same talk a few days later, at Defcon: