July 15, 2024

Unsealing the Halderman report would be Responsible Vulnerability Disclosure

Statement by Computer Security Experts,  May 12, 2023

The report on security flaws in Dominion voting machines, written by Professors J. Alex Halderman and Drew Springall in July 2021 and placed under seal by the Federal District Court for the Northern District of Georgia, should be immediately unsealed by the Court and be made public.  It is widely recognized by computer security experts in both industry and academia that keeping vulnerability details secret, past the time in which a vendor could reasonably have patched them and indeed past the time in which the vendor has patched them, harms the security of users.

Bugs in computer software can be exploitable vulnerabilities, meaning that hackers who know about these bugs can exploit them to take unauthorized actions.  When such bugs persist without being fixed (“patched” in the language of computer security) and without the distribution of software updates incorporating such fixes, then users of such software suffer harms due to the insecure software.  Today, it is uniformly recognized that keeping vulnerabilities secret does not provide security. If someone can discover a vulnerability, others can as well.

In the early decades of computer systems, vendors were very slow to patch systems. To address this problem, a system of responsible disclosure was developed in the late 1990s and early 2000s, and this system is now widely accepted by industry (both the vendors and users of software), government agencies such as CISA, and by security researchers world-wide. 

Upon discovering a security flaw, a security researcher practicing responsible disclosure will notify the maker (either directly or via one of the organizations that exists for this purpose) of all the details needed to understand and reproduce the problem.  The researcher will inform the maker that after a set period (generally around 90 days) all the details will be published.

The purpose of the (delayed) public disclosure is twofold: (1) to incentivize software vendors to fix their bugs and distribute those fixes promptly (or to produce less buggy software in the first place); (2) to inform consumers of software so that they may improve their own security, either by installing such fixes or by discontinuing the use of vulnerable software.

This process–early notification to vendors followed by public disclosure–is the industry norm.  Corporate CSOs (Chief Security Officers) who are consumers of commercial software rely on public notification to secure their own businesses.  Makers of software (at sufficiently high level of professionalism) are well organized enough to act upon vulnerabilities disclosed to them.  Google’s “Project Zero” is a team of security researchers that have released 1791 disclosures after a 90-day delay, and 6 disclosures on which they delayed release for not more than 216 days. An entire industry exists to assist companies in paying cash bounties to independent researchers who responsibly disclose bugs and vulnerabilities.

Before responsible disclosure became the norm, vendors would ignore security flaws; before (delayed) full disclosure of details became the norm, vendors would claim that the flaws were merely “theoretical.”  They would leave their systems vulnerable – sometimes taking years to patch their software, or never patch their software – relying on the ignorance of their customers.

Those who argue that publishing vulnerabilities enables bad people to do bad things, are ignoring the fact that if one person can discover a flaw, so can others. This is why responsible disclosure, including the follow-up of full disclosure, is so widely practiced and accepted in the computer and software industry.  In this particular case, the report in question has been widely distributed with and without authorization. (In addition to the real possibility of independent discovery, it is also the case that dozens of people have read the Halderman report (with authorization): legal teams from the Defendants in this case, legal teams on both sides of the Dominion v. Fox News lawsuit, employees of US CISA and EAC;  and MITRE got it from Dominion without the Court’s authorization.) Bad actors undoubtedly already have access to the report. There is further danger that it could leak to the general public at any time.  A leak close to November 2024 could be used as a political tool to undermine confidence in the election.  

We have not read Professor Halderman’s report, since it is still under seal, but (from all descriptions of it) it is a classic example of a security-vulnerability report that should now be released to the public.  The report has been available to the vendor for over 500 days, so there has been ample time to patch those vulnerabilities that can be patched.  In fact, Dominion claims to have fixed some vulnerabilities apparently related to the Halderman report, in their Democracy Suite 5.17 product, according to their recent filing with the EAC.  

Today, the customers of Dominion’s product—election administrators, public officials, and voters—need full information about its security so they can make their own fully informed judgments about how to run their elections.  Citizens can ask their state election officials to install Dominion’s update rather than leaving it on the shelf.

Since Professor Halderman wrote his report pursuant to the Court’s Protective Order, the decision is not his to make: it is now up to the Court to practice responsible disclosure by unsealing the report.  We urge the Court to do so immediately.

Signed,

Andrew W. Appel,  Eugene Higgins Professor of Computer Science, Princeton University

Bruce Schneier, security technologist and Lecturer at the Harvard Kennedy School

Prateek Mittal, Professor of Electrical and Computer Engineering, Princeton University

David L. Dill,  Donald E. Knuth Professor in the School of Engineering, Emeritus, Stanford University

Vanessa Teague,  CEO, Thinking Cybersecurity Pty. Ltd. and Associate Professor (Adj.),

the Australian National University

David Jefferson, Computer Scientist, Lawrence Livermore National Laboratory (retired)

Poorvi L. Vora,  Professor of Computer Science, The George Washington University 

David Naumann, Professor of Computer Science, Stevens Institute of Technology

Duncan Buell, Chair Emeritus — NCR Chair in Computer Sci. and Engineering, U. South Carolina

David Wagner, Professor of Computer Science, University of California, Berkeley

Ronald L. Rivest,  Institute Professor, Massachusetts Institute of Technology

Patrick McDaniel, Tsun-Ming Shih Professor of Computer Sciences, Univ. of Wisconsin-Madison

Josh Aas, Executive Director, Internet Security Research Group

Douglas W. Jones, Emeritus Associate Professor of Computer Science, University of Iowa

Peter G. Neumann, Chief Scientist, SRI International Computer Science Lab

Affiliations are listed for identification purposes only and do not indicate endorsement by the institutions mentioned therein.

Comments

  1. Drew4Mercer County Sheriff says

    Clearly they can”t unseal this document while they still have people in jail from January 6th. They need to keep pretending that Trump had no reason to suspect any issues and they know the public will take issue with using machines during the upcoming election in November, so they must at least delay it until after that election.

  2. Martin Heidt says

    For the sake of transparency I can not begin to comprehend how any judge viewed that it was in the public’s interest to seal this report and not release it in July 2021 when it was completed. Can anyone explain that to me? All the tumult of the 2020 Election might have been adjudicated if this information had been made available sooner. Perhaps that was the idea in the first place to foot drag and obfuscate the lie, “The most secure election in history.”

    • Pat Langley says

      Halderman has credentials. They did not want any intelligent conversations.

      Money could easily corrupt someone setting up the machines. One person, at the correct level could put in malware.
      There are several software checking procedures that are not carried out here. And he explains how to fix the vulnerabilities.

      Number one, the machines should all be tested and validated months before the election.
      Ballot Configuration files should be completed weeks before the election.
      No last minute changes should be allowed. If a last minute change is made the software installation must be validated. He did reference the Boing 737s. That was due to a last minute, improperly tested change.
      Halderman found a lot of security issues.
      In automotive many years ago they were making us put data security microprocessors in any electronics communicating on the vehicle communication busses. Before that they had found that people were using any module they could find to penetrate the data communications systems. They would be able to do many things , like reprogram modules, if they could communicate with the modules.

  3. Neal McBurnett says

    Thank you for this post. You are quite right. Note that many of the signers have a great deal of experience with elections as well as with security. They have been appointed to national advisory boards like the TGDC, have worked for decades with election officials, and understand the consequences of the advice here.
    This is the time to move forward with responsible disclosure in the election field. The medical device field has learned this lesson recently, and the stakes there are even higher – life and death – in many situations.