December 14, 2017

The Debian OpenSSL Bug: Backdoor or Security Accident?

On Monday, Ed wrote about Software Transparency, the idea that software is more resistant to intentional backdoors (and unintentional security vulnerabilities) if the process used to create it is transparent. Elements of software transparency include the availability of source code and the ability to read or contribute to a project’s issue tracker or internal developer discussion. He mentioned a case that I want to discuss in detail: in 2008, the Debian Project (a popular Linux distribution used for many web servers) announced that the pseudorandom number generator in Debian’s version of OpenSSL was broken and insecure.
[Read more…]

Is the NSA keeping your encrypted traffic forever?

Much has been written recently about the NSA’s program to systematically defeat the encryption methods used on the internet and in other communications technologies – Project Bullrun, in the parlance of our times. We’ve learned that the NSA can read significant quantities of encrypted traffic on the web, from mobile phone networks, and on virtual private networks, which companies use to connect remote employees or offices to their corporate networks over the public Internet. Knowing this leaves me with a question: if the NSA captures and decrypts an enciphered message, how are the spoils to be handled? Does an encrypted e-mail or web session between people within the United States enjoy the same protections as an unencrypted e-mail between the same people?

The surprising answer appears to be that encrypted messages get less protection! [Read more…]

Which States have the Highest Risk of an E-Voting Meltdown?

This post is joint work by Joshua Kroll, Ian Davey, Alex Halderman, and Ed Felten.

Computer scientists, including us, have long been skeptical of electronic voting systems. E-voting systems are computers, with all of the attendant problems. If something goes wrong, can the problem be detected? Can it be fixed? Some e-voting systems are much riskier than others.

As the 2012 Presidential election approaches, we decided to evaluate the risk of a “meltdown scenario” in which problems with electronic voting equipment cause a state to cast the deciding electoral college vote that would flip the election winner from one candidate to the other. We’re interested in the risk of these technological problems, weighted by the relative voting power of each voter. So for example, here in New Jersey we use direct-recording electronic voting machines that have been found by a court to be inadequate, but with Obama polling at +14% it’s not likely that a snafu with these machines could change the entire state’s outcome. But in swing states that poll closer to even, like Virginia (where your voting machines can be modified to play Pac-Man), an electronic voting mix-up could have a much bigger impact. So, which states have the greatest risk of an e-voting meltdown affecting the result of the 2012 Presidential election?

[Read more…]