
Voatz: a tale of a terrible, horrible, no-good, very bad idea

Let’s get the fish in the barrel out of the way. Voatz are a tech startup whose bright idea was to disrupt democracy by having people vote on their phone, and store the votes on, you guessed it, a blockchain. Does this sound like a bad idea? Welp.

It turned out that they seemed awfully casual about basic principles of software security, such as not hard-coding your AWS credentials. It turned out that their blockchain was an eight-node Hyperledger install, i.e. one phenomenologically not especially distinguishable from databases secured by passwords. They have been widely and justly chastised for these things. But they aren’t what’s important.

To their credit, their system is opt-in, and apparently generates real-time voter-verified paper ballots, the single most important thing about any voting system. But still. We need to step back and ask a question here: why are we trying to vote via an app and collate election results on any kind of centralized system at all? We don’t want to make voting more efficient. Efficiency is not the problem we are trying to solve with elections. The inefficiency of paper ballots and their handling and collation and tabulation is a feature, not a bug.

Just ask everyone at Def Con’s Vote Hacking Village, whose successes have been rampant this weekend, in the midst of the enmity of the National Association of Secretaries of State:

Voatz were approaching the wrong problem in the wrong way from the start. Even if your blockchain repository is verifiably write-once, which it isn’t, it only records the data sent to it via your app and servers. Voting cannot rely on apps and servers, no matter how allegedly secure they are claimed to be. It’s nice that you generate paper ballots for a post-election audit, but since we should not and cannot ever trust voting servers and software, and therefore will need to do a post-election paper ballot count every time — how about we skip the man-in-the-middle, and all of your software, and go straight to that part?

The other point is brought to us by XKCD, who responded to Voatz with this:

which in turn brought this response from Facebook’s (soon-to-be-former) CISO Alex Stamos:

which in turn brought this response from CFI and engineer Rob Russell, which a lot of the finest engineers I know have been sharing across social media:

There are valid points on all sides here. Stamos is right that most spheres, e.g. aviation, don’t have to deal with the constant threat of intelligent adversaries attacking the system in the same way that software does (although, as the events at SeaTac yesterday show us, they are by no means devoid of such threats).

But Russell brings up the very valid point that because software people are so fixated on adversaries, on hackers and not being hacked, their definition of “security” is often restricted to breaches and exploits and vulnerabilities, rather than systemic flaws, or sloppy development techniques, which hurt users’ security even if no external hacker is involved. In fairness, over the last few years the infosec community has been good at broadening its definition of “secure” beyond “external hacker resistant” … but it seems pretty apparent that much, much more work is needed.



from TechCrunch https://ift.tt/2vzjFxm
