Bruce Schneier is the Bill Nye of computer security. He has made a career of both as a cryptographer and as someone who can make computer security issues accessible. I've been reading his works for over twenty years. I fought to have has first book Applied Cryptography used as a text when I was in my third year in college. In his field, he is an absolute heavyweight. He is also a noted civil libertarian on privacy issues and a board member of the Electronic Frontier Foundation, which for the unfamiliar, is the ACLU of the internet.
I'm not a person who is given to the worship of heroes. Schneier is not my hero but I have looked up to him for decades and his recent editorial in the Washington Post leaves me gravely disappointed in him. I am not disappointed because he pushed bad technology on the public that would leave them vulnerable, as the government has been documented to do, but because he failed to note the human factors in play surrounding what he advocated and how following his advice.
Schneier normally writes for the Guardian, so why his editorial appeared unsolicited in the intelligence community controlled and Democratic party compromised Washington Post is a clear signal that he is saying things that are in line with what the current Presidential Administration and the would be incoming administration want said to the public. Giving credence to the “Russians hacked Clinton” story in the absence of any real evidence, he noted the vulnerability of American Election Systems to cyber attack. It is unlikely we will ever have conclusive proof the Russians are involved in any hack of the DNC, as cyber attacks made from America on America are often routed through Eastern Europe.
To Schneier's credit, he has been saying that these systems are vulnerable for years. I have been saying this for four years as well. My friend and colleague at the Columbus Free Press, Bob Fitrakis, has been reporting on it since the obviously stolen 2004 election. Schneier failed to note, or his editors removed, three key facts from his discourse that would have radically changed the nature of the public alarm it was designed to sound.
Those facts are as follows. Election fraud has happened already in this election season, and it was done by the Clinton Campaign to Sanders. These systems are plagued with the kinds of known and documented vulnerabilities that would produce exactly the fraudulent results we have seen so far. Finally and most importantly, Election Fraud, like all other kinds of cyber attacks, are both easier to achieve and more commonly launched by insiders.
In multiple instances, election results in the current primary cycle have been at odds with the initial exit polls. Exit polls, despite pseudo-academic push back, are very accurate. In 16 states, Clinton's vote totals were greater than the exit polls than the exit poll's margin of error, which is 3%. The exit polls were “adjusted” to match the “correct” voting results after reporting. In short, the press lied about the vote totals. When confronted for access to the raw data, the refused and were sued. A potential critical witness, Seth Rich, was murdered as the suit was being finalized.
The vulnerabilities of voting machines are immediately obvious to the critical eye. Basically, they are crippled cash registers. They have a network, daily auditing and accounting, and a touch screen. Wendy's, for example, tracks the consumption of it's various burger products accurately for both marketing and loss prevention purposes. Their cash registers, unlike voting machines, require a manager's intervention to even change an order.
A cash register, unlike a voting machine, prints a receipt. That receipt, if it were a ballot, could be verified and then placed by the voter in a box. This does not happen. Thus a cheeseburger has more accountibility both at the point of sale and in the back office than a vote. A cheeseburger costs $1. A cash register costs around $600. A presidential campaign spends at least $5 per candidate per potential voter. A voting machine costs $1500.
Newer electronic election equipment includes electronic pollbooks. These are all virtually the same as they are all Andriod tablets running Andriod kit-kat and the same software made by Scytl. Other “manufacturers” still use Scytl's software of some adaptation thereof. These systems are vulnerable to a known attack called Heartbleed. That method of attack famously cost Target $50 million. These machines were designed with the same vulnerability AFTER the Heartbleed attack was known. There is no excuse in the information security profession for such an “oversight”.
Executing this attack would not require the resources of a Russian Intelligence Service. It could be executed for under $100,000 per State. Successfully executing this attack on election day would allow the kind of widespread voter suppression that is the subject of lawsuits and potential lawsuits against the Clinton Campaign and the DNC in California, New York and Rhode Island.
Bruce Schneier's last human factors error is the worst. He calls for an immediate revamping of all equipment and penetration testing with Tiger Teams. This seems like a good idea, and is the industry standard for military systems and critical infrastructure. However, we are less than 100 days from a general election and multiple scientific studies, such as the EVEREST study run in Ohio in 2007 have already conclusively proven that every single machine in the country is garbage and should be thrown out. The work he is calling for has been done at the government's behest by PhD level scientists from major universities in both California and Ohio.
Duplicating these tests will not produce secure machines in 100 days. It will only allow hundreds of additional security professional to bypass all security on voting equipment all over the country. This will allow any single one of them unfettered access to the machines thus increasing the number of people that could launch an attack while simultaneously decreasing both the difficulty of such an attack and the resources required to make the attack.
Bruce Schneier's history, connections and writings leave me assured that he does not want to live in a place where elections are rigged nor does he want to enable the rigging of elections. His error looking at a social problem from a purely mathematical standpoint. He has default trusted people to act with integrity as he would. His other error is failing to ask why the mainstream is suddenly paying attention to his writing on a topic after years of studied ignorance.
Prior to the DNC hacks, the mainstream media could care less about election technology despite over a decade's worth of absolute mathematical proof that it is complete and utter garbage. We are in a new world, and the journalist, the scientist and the journalist-scientist like Schneier need to be careful when and ask who is funding this study and why? Who wants this editorial read and why?