Sometimes, Bugs are Inevitable

Good point:

“Hacking an election is hard, not because of technology — that’s surprisingly easy — but it’s hard to know what’s going to be effective,” said [Bruce] Schneier. “If you look at the last few elections, 2000 was decided in Florida, 2004 in Ohio, the most recent election in a couple counties in Michigan and Pennsylvania, so deciding exactly where to hack is really hard to know.”

But the system’s decentralization is also a vulnerability. There is no strong central government oversight of the election process or the acquisition of voting hardware or software. Likewise, voter registration, maintenance of voter rolls, and vote counting lack any effective national oversight. There is no single authority with the responsibility for safeguarding elections.

You run into this all the time when designing systems. One or more of the requirements are a dilemma, pitting one need against another. Ease-of-use vs. security, authentication vs. anonymity, you know the type. Fixing a bug related to that requirement may cause three more to pop up, and that may not be your fault. The US election system is tough to hack, because it’s a patchwork of incompatible systems; but it’s also easy to hack, because some patches are less secure than others and the borders between patches lack a clear, consistent interface. Solving this sort of problem usually means trashing the system and starting from scratch, with a long, extensive consultation session.

Oh yeah, and an NSA report provides evidence that Russia hacked some distance into US voting systems. The Intercept also outed their source: the reporters somehow forgot that all colour printers output a unique steganographic tracking code while printing. That doesn’t speak highly of them; the practice is decades old, and they should have known this, as the Intercept was founded on sharing sensitive documents.

[HJH 2017-06-19: A minor update here.]

The Most Hacked President

The current US President is a beginner’s class in hacking. Let’s rewind back to the end of January.

Lost amid the swirling insanity of the Trump administration’s first week are the reports of the President’s continued insistence on using his Android phone (a Galaxy S3 or perhaps S4). This is, to put it bluntly, asking for a disaster. President Trump’s continued use of a dangerously insecure, out-of-date Android device should cause real panic. And in a normal White House, it would.

A Galaxy S3 does not meet the security requirements of the average teenager, let alone the purported leader of the free world. The best available Android OS on this phone (4.4) is woefully out-of-date and unsupported. The S4, running 5.0.1, is only marginally better. Without exaggerating, hacking a Galaxy S3 or S4 is the type of project I would assign as homework for my advanced undergraduate classes.

I know, that one’s a bit old, but it nicely bookends more recent reporting.

We also visited two of President Donald Trump’s other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Va. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.

The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.

“Those networks all have to be crawling with foreign intruders, not just [Gizmodo and] ProPublica,” said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.

Worried that your Pringles can will rat you out? Not to worry, planting a pineapple is easy-peasy.

At the White House, visitors must undergo a rigorous background screening before they’re let in the door. Agents scan every visitor’s full name, birth date, Social Security number, city of residence and country of birth.

But at Mar-a-Lago, gaining entry doesn’t require that degree of disclosure. Guests entering the club go through multiple security checkpoints staffed by the Secret Service looking for weapons or other immediate threats. But there’s only one requirement to produce a photo ID, and the club itself does not ask guests to provide their names or other information when they enter through the main wrought-iron gated door.

The club also serves as a venue for ticketed public events. Hosts for the slate of political and charity dinners booked at the president’s part-time home from now to the end of the club’s season in May told POLITICO the only request for information about attendees has come from the club itself. And all they’re asked to provide is a name, not additional information that can be used for Secret Service background checks in the event the president is in residence.

I’m a bit shocked no-one has tried blackmailing Trump yet. Maybe there are too many people jockeying for that honor? The WiFi networks probably look like a Spy vs. Spy comic by now.