A cautionary tale about elections security

If you believe the 2020 elections experienced massive fraud, or that electronic voting machines were running some software from space, then please skip this post. If you believe otherwise, then I would urge you to read my thoughts.

I was party to a massive elections fraud back in the 1970s, when I lived and worked for the city of Albany NY. Albany at the time (and still today!) was under the grip of a powerful Democratic machine, and as a city employee I was told as election day approached that I will vote, and that I will vote the Democratic party line. If I didn’t show up, or if I strayed into supporting GOP candidates, I would lose my job. Whether or not everyone’s votes were being monitored, I wasn’t going to risk it, especially as this was my first job out of college. I can’t prove anything, and my recollection might be fuzzy, but there was no denying that the city spent decades in the iron grip of this political machine.

I am telling you this because I have spent a lot of time researching voting fraud over the past several years, and can tell you that our elections have come a long way since my Albany days. I based this on first-hand knowledge, having spoken to IT managers at state offices, election researchers, and others who are in the know. Let me first present a few links for you to establish some bona fides.

First up is Alex Halderman’s analysis of the 2020 voting irregularities in Antrim County, Mich. This was the scene of numerous recounts — five of them — and the source of a lot of conspiracy theories. If you read Alex’s paper, you will see that many of these theories were easily explained by more obvious error sources, namely humans. I have met Alex in person and interviewed him on this topic and he is a very sharp guy.  His paper concludes: there is “strong empirical evidence that there are no significant errors in Antrim’s final presidential results, including due to any scanning mishap.”

Copies of the voting machine software eventually found their way to Mike Lindell and his bogus “CyberSecurity Summit” that he held in South Dakota in the summer of 2021. One of the attendees at that conference was a long-time colleague Bill Alderson. He was interested in getting the promised reward of $5M to prove voting irregularities. You can watch Bill’s interview with local TV news where he unequivocally states that the data claimed by Lindell was a nothing burger (he had more colorful language when I spoke to him this week). In other words, there was no fraud, no evidence, nada. Bill never got a dime for his troubles, BTW.

There was several other county voting offices who were invaded by so-called security analysts looking for fraud. But they ended up doing their own fraud — and are now being charged for this by various legal efforts. These folks obtained copies of similar machine software and vote tally data cards. One of these locales was Coffee County, Geo. The AP ran this story about what happened last September and there was plenty of video footage, along with the data cards shown in the photo below that were given to these analysts. (Here is an excellent analysis from Lawfare too.)

As the 2020  election was happening, I was part of the CISA press group who was on the phone interviewing various officials on November 3rd. Granted, CISA had their own horn to toot, but from the evidence that I saw, the election happened without any major troubles. Yes, Chris Krebs lost his job shortly thereafter, which should tell you something about his integrity.

One lie that I hear often is the manipulation of mail-in ballots was done in a such way to swing the vote totals. Here is another data point: Colorado has been running universal mail-in ballots (meaning every registered voter gets one by mail, whether they want to use it or not is up to them). For years they have running fair and accurate elections. Neither major party had a problem with that, until the more recent elections. Here is a link to their info page, just to give you an idea of what they do. (Many states have had pre-Covid universal mail-in operations, BTW.)

Now, I warned you  — here comes the hard part for me to write about. We are approaching a very dangerous time in our country. There are many people who believe this massive voting fraud happened, despite various genuine IT consultants’ evidence to the contrary. I am not here to try to convince them of the error of their ways.

But let’s talk about something that I find even more distressing. Please check out this recent Politico post on what happened last week at the Vegas BlackHat conference. To provide some context, each year this hacking event features various “villages” where a bunch of attendees come to try to break stuff, in this particular case voting machines. (I wrote about the 2020 election village DEFCON event for Avast here.) Given the state of our society right now, this year they put on some extra physical security for the event. And if you believe Politico’s reporting is accurate, it is very chilling to see.

By now many of us have heard about how elections officials have been threatened both at home and at their offices. According to a March 2022 study from NYU’s Brennan Center for Justice, one in six election workers have experienced threats because of their job, and 77% said those threats had increased in recent years. Many have quit the field entirely.

That is bad enough, but now these threats have blossomed beyond the folks running the elections to include digital security researchers that are looking into election and voting-related matters. And I am thinking about my early Albany experience. Yes, we have issues with vote counting and certainly there is plenty of mistakes made over the years. But to annoy and threaten the people who in many cases volunteer their time and do their civic duty and claim they have evil intent, just because the election didn’t go your way is a horse of a different color.

Where do we go from here? I don’t know. But thanks for reading this far.

The trouble with Bob, a typical small businessman with tech issues

Small businesses have so much trouble with their IT support, especially if they are really small, have been around for a long time, and have owners that have just enough knowledge to know that they can do better. This was brought home to me with a nearly hour-long call with a friend of mine whom I will call Bob. Bob has four full time staff and several part timers, and has been in business for decades. We go back to the 1990s and have remained in touch, and he has called me for help on numerous times over the years.

I don’t mind being his IT support guru, and hey, I get to write this column as a result to share his pain with you. Let’s dive in.

Bob has several problems that he revealed by peeling layer by layer during our conversation. First was an aging Mac, and by aging I mean of late 2015 vintage. It is too old to run the current MacOS, a situation that I am all too painfully aware of myself. More on that in a moment. Then he needs a new printer. And what about his website? That has been down for some time, thanks to a variety of things.

And for DNS nameservers he is still using a friend from the dawn of the internet who has his own business to run — and the friend sometimes forgets that Bob’s email depends on him when he upgrades his servers, which will happen from time to time over many years. Bob is fearful about making any changes without understanding what he is doing. Oh, and by the by, his emails are getting blocked because he hasn’t set up DMARC/SPF et al. properly. And by properly, I mean he hasn’t set any of this up at all. And could his issues be due to a bad DNS entry somewhere? Perhaps.

Bob is typical of many small business people. They aren’t computer experts, even though Bob certainly knows his way around the tools mentioned above. But Bob has several things working against him:

  1. As he reminded me, I once told him his problem is that he takes really good care of his gear, but then hoards it way beyond the sell-by date. I am alot like him in that regard: last year I bought a Mac Studio that replaced a ten-year old Mac Mini. But the longer out you go with your gear, the harder it is to replace it. It took me months agonizing about this decision, so long that I missed several product review opportunities because I couldn’t run modern applications. Bob just wants to get his work done, he isn’t using anything special. Just old.
  2. He likes the all-in-one iMacs. I don’t: if you have to upgrade, you have to toss the whole unit out. Much better to have a separate monitor, and to have a system that you can add parts to it as needed. He does max out on memory when he buys his gear, which is a good strategy. But that 2015 vintage is time for the donation bin.
  3. He has multiple suppliers for his online presence. Having one ISP as his registrar, another one for his email, another for his website, and probably a few others for bits and bobs isn’t a good situation. I have two major ISPs: one for my registrar (GoDaddy) and Pair.com for my content (email lists, website). Make that three ISPs: I also use Google Workspace for my regular email functions. See how hard it is to keep track? As for Bob, his friend from the dawn of the ‘net is now ghosting him, and he doesn’t know what to do.
  4. He set a lot of this up years ago, back when things were simpler. That means his security exposure is a lot greater. Take the DMARC/SPF issue. It took me about six months and lots of help (in my case from Valimail) to get this working properly. Bob is frozen in indecision about how to even start on this particular project.
  5. He likes to have vendors that he can call up on the phone and talk him through things. I do too — that got me into trouble when my ISP died from Covid. He was a one-man operation, but once he was gone there wasn’t anything there. The trick is finding a company that prides themselves on good phone support. I am happy to report that Pair does a terrific job in this regard.

Bob will eventually figure this stuff out, get the right gear, and bring his operation at least into the 2020s. But all of this takes time away from doing productive work that generates income for his business. And that is the rub that many smaller businesses have to deal with: they aren’t IT specialists, and they don’t want to be. I don’t have that excuse: I have to play an IT guy on TV, or at least on the internet, every day.

SiliconANGLE: Google’s Web Environment Integrity project raises a lot of concerns

Earlier last month, four engineers from Google LLC posted a new open-source project on GitHub and called it “Web Environment Integrity.” The WEI project ignited all sorts of criticism about privacy implications and concerns that Google wasn’t specifically addressing its real purpose.

Remember the problems with web cookies? WEI takes this to a new level. I tell you why in my latest piece here:

 

SiliconANGLE: That Chinese attack on Microsoft’s Azure cloud? It’s worse than it first looked

The revelations last week that Chinese hackers had breached a number of U.S. government email accounts indicate the problem is a lot worse than was initially thought, according to new research today by Wiz Inc. Indeed, this hack could turn out to be as damaging and as far-reaching as the SolarWinds supply chain compromises of last year.

In my post for SiliconANGLE, I summarize what Wiz learned about the attack, what you have to do to scan and fix any potential problems, and why people who choose “login with Microsoft” are playing with fire.

A new foe of card skimmer crooks: Target Corp.

The war on credit card skimmers continues, this time from an unexpected source: Target Corp. Yes, the retailer. Cyber criminals attach skimmers to the outside of ATMs, gas pumps and other credit/debit card readers. When you insert your card into the machine, these skimmers capture your account number and PIN, which will be used later to clean out your account.

Brian Krebs has written about card skimmers for years, and I quoted him in this piece that I referenced when I last wrote about the topic in 2015.  Last year, he documented some of the ultra-thin skimmers that ATM vendors found inside their machines. It is pretty amazing how the crooks continue to innovate in smaller and smaller devices to steal our data.

Skimming is sadly on the rise: 161,000 cards were stolen annually, up more than four times the rate from 2021. Now they have a new nemesis — Target Corp. They recently blogged about their approach, which uses a piece of plastic called EasySweep to ferret out the skimmers. There isn’t any electronics on this card — it is just thick enough to see if something else is already inserted in the slot, and is sheer genius. Their cybersecurity group took the rather unusual step of 3-D printing the plastic that measures the thickness of the card reading slot. Target staffers can quickly swipe the thing in each of their 20 or so terminals in a typical store in a few minutes. And it is simple: if the card fits, the reader is clean. If it jams, it could indicate the presence of a skimmer. Each store now checks their readers daily. They have sent 60,000 of the cards to their stores, and they offer the design to other retailers free of charge.

Granted, the war on skimmers is a cat and mouse game: originally, many IT folks thought they could find them by scanning for unknown Bluetooth devices, because many of them sent out their collected data via that frequency. Then the crooks developed skimmers that had to be removed and the data downloaded. While there is a limit to how thin they can be made, so far the EasySweep cards are still a valid testing tool.

Still, consumers should be on the lookout, as the cops say. Check your machine for obvious signs of tampering, such as a loose part or something odd either with the card slot or the keyboard (which might have an overlay to capture your keystrokes). If you are at a bank of machines, compare the one you intend to use with its neighbor to see if there are any physical differences. And cover your hand as you enter your PIN number. If you can, use an embedded EMV chip card, which are harder to skim. And also consider more advanced cards, such as from Apple/Goldman Sachs, that can create virtual CVV numbers on the fly to make it more difficult to skim.

SiliconANGLE: The WeChat app is anything but private

What if we had an app on our phones that combined the functions of Facebook Messenger, Venmo payments, MyPatientChart health records and WhatsApp for making voice calls, and also allowed us to download all sorts of mobile apps and games like Apple Inc.’s App Store?

Furthermore, what if such an app had absolutely no privacy controls, so the federal government could monitor, censor and track users, conversations and all activities?

Well, such an app exists. It’s called WeChat and it has 1.2 billion monthly active users. But it is a threat to our privacy, and I explain why in this post for SiliconANGLE.

 

Solving the last mile of package delivery

You no doubt have had a package stolen from your front porch or know someone who has experienced this. And thanks to Covid, we are all using delivery services more often, which just increases the market size for porch pirates, as they are called.

The pirates are getting some pushback thanks to tech. First came the video-streaming door cameras (like Ring, now part of Amazon) that could capture them and report them to authorities. That made a small dent in their operations. But a better solution is happening in Singapore.

If you live there, for the last several years you can have your packages delivered to one of now 1,000 public lockers that are all over the island. If you have ever used the lockers that Amazon has at Whole Foods or one of its other storefronts, you get the idea. It is a wall of lockers of various sizes with a computer controlling access. Once you authenticate yourself, a door opens and the package is revealed. The lockers are built and operated by Pick Network and are called the Locker Alliance Network (which sounds vaguely Terminator-ish but let’s move on). You choose the locker installation nearest to your home or office or wherever you happen to be, and the delivery company will get the package there. On the company’s website, you can locate the nearest locker and you can see by the map how dense they are spread around the country.

To give you some sense of scale, Singapore is a very densely settled area about half the size of Rhode Island but with five times its population. I spoke at a conference there back in 1998, and was amazed at its diversity of languages and culture: fortunately for me, almost everyone these days is educated in English. It is very modern and apart from the signs in Chinese characters, you could have been in any major downtown city. Back then their freeways had one of the first open road toll collectors (meaning no booths that were designed for variable congestion pricing and no slowing down), something that took a while to show up elsewhere in the world.

It isn’t completely one humongous city like Hong Kong, but the density it does have makes something like the locker network functional. Pick claims lockers are within walking distance for most people. You can also drop off packages at the lockers, again like what we can do at Whole Foods.

Having a “last mile” solution is significant in that it has other benefits: there are fewer delivery vans tying up the roads, and less carbon consumption too. BTW, don’t you hate that term? How else should we refer to the contact with customers — maybe “first mile!” You get my point. And it is an open network, meaning (unlike Amazon), any delivery company can integrate with their own systems.

According to this article in the local newspaper, usage was initially slow but seems to have caught on, at least given by the increasing size of the locker network. It helps that Pick is federally funded. The delivery companies saw major increases in their own productivity, the story reported, although not clear how this was calculated.

In the meantime, watch out for those porch pirates on your own deliveries.

How to be more curious

I am by nature a curious person. I spend a lot of time trying to answer questions, which is why I love my job and what has contributed to my success as a tech journalist. One term that was popular was “life-long learner” (as I wrote about this term in relation to my non-retirement strategy back in 2021) but I think curiosity is a better description. I noticed that many analysts looking at our AI-enabled future have called attention to this skill as something we will need to cultivate and develop. So in this post, I want to examine what it will take to train folks to become more curious.

Before you do any formal training, it helps to understand what type of learner that you are. We all learn in different ways: some of us have to go through the actual experience — these people respond better to tactile situations. Others learn better through more visual or auditory cues and need materials specializing in these methods.

How do you figure this out? One way is to take this short online quiz to find out which style you are. Once armed with this data, you should focus your attention on situations that offer those types of materials so you can learn things your way and retain it better. For example, if you are an auditory learner, you may wish to listen to recorded lectures or presentations. This is a boon for online webinars, where you can stop, rewind, and replay the key portions. In some cases, you might want to take notes, or recite what was just said to fix the concepts in your mind.

If you are more of a visual learner, then by all means be sure that you look carefully at the study materials. Use charts, maps, movies, notes and flashcards. Practice visualizing or picturing words/concepts in your mind. Finally, if you are a tactile learner, think about ways that you can involve more of your senses besides just watching a particular lecture. Make study sheets and refer to them often.

But knowing how you learn is just one part of your journey. Next comes having the right motivations. I have been lucky to be a self-starter and get myself motivated, whether that involves writing one of these essays or tackling a more in-depth project. Sometimes, just seeking knowledge isn’t enough. If you’re not that motivated to learn, find someone who’s also interested in becoming more curious. That link will take you to other suggestions on how to become more curious. Here is another resource, posted on the site Natural Training, which describes the ten most common habits of curious people. Things like listening without judging, willing to be wrong, and staying in the moment are all important skills to acquire.

I was thinking about this when I read something that Naomi Wu, a Chinese maker, said recently about how the education of Asian students has to change. “The key skill- prompting, asking questions. Is something our kids are generally not taught and are often quite poor at. I’d even say it’s discouraged. The ability to ask good questions becomes incredibly important with AI.” I saw this first-hand when I gave lectures in Singapore and Japan years ago: I had to seed the audience with someone who was willing to ask the first question to break the ice.

ChatGPT For DummiesLongtime freelancing colleague Pam Baker’s forthcoming book on ChatGPT, has more tips on how to become an expert at using these tools. She told me, “Many worry that ChatGPT will erode the critical thinking skills of users. But that’s not likely because the most successful users will employ advanced critical thinking skills in forming prompts. The key is not in what you say to the machine, but in how you say it.” She tells me she is also putting together classes on LinkedIn Learning on the topic too.

I was thinking how fortunate I have been in my job as a freelance journalist. I have been able to to call up all sorts of people and ask them questions about their lives and jobs, as I wrote about ten years ago when I described two of my sources in this blog post on how to question everything. The two people had an insatiable curiosity for the unknown, to be constantly learning something new, and figuring out how the world works. While that extreme case of hyper-curiosity might not be your cup of tea, it might make you more motivated to become more curious about something.

Facing tough choices on TikTok

Last week Shou Chew, the CEO of the American TikTok, was called on the US House hearing room carpet. Combining the current anti-China paranoia with social media crimes against teenagers was a potent political mix that brought a tremendous amount of bipartisan angst. The five hour hearing was attended by seemingly the entire House membership, and for me it was noteworthy in that almost none of the members were folks that I have ever heard of, but all managed to ask unanswerable questions that they demanded simple yes or no answers so they could save time for their own take.

The best commentary was Jimmy Kimmel who simulated what the app does on his show (shown here at right). More insights from Casey Newton here.

Also last week, Utah became the first state to place legal restrictions on social media usage by children (<18).  This law goes into effect in a year; we’ll see how they will enforce it, which will be difficult. TikTok seems to be included in its framework, although Google might not be (there is an exemption for online emails, so Gmail might not apply but YouTube might be covered).

The hearing wasn’t a total time waster. In addition to getting acquainted with our Congress (a couple of whom actually have had tech jobs, interestingly), it also brought to the public’s attention a few reports that I will highlight here. But what I saw was that America will probably join others in some form of ban, whether it be just for the government employees (as the US has done, as have the UK and France did last week) or something that is contemplated by other bills that are making their way through Congress.

Second best commentary was by security maven Bruce Schneier, who wrote last month  “There’s no doubt that TikTok and ByteDance, the company that owns it, are shady. If we want to address the real problem, we need to enact serious privacy laws, not security theater, to stop our data from being collected, analyzed, and sold—by anyone.” He explored on the blog various kinds of bans, all of which would be ineffective or place Chinese-style restrictions across our internet. That message was lost on Congress, sadly. The UK ban is ineffective if you use your own Wifi or data provider, for example.

Who is Shou Zi Chew, TikTok's chief executive? | The EconomistThe relationship between TikTok and its parent company was explored in detail in this report done for the Australian Senate and released earlier this month. This was cited several times by various Congress members. The research found that ByteDance should be considered as a hybrid state/private entity, collaborating closely with the government on its operations. Chew made an effort to show TikTok’s independence from its parent and the Chinese Communist Party (CCP), an effort that fell on deaf ears and “didn’t pass the smell test” as one member said. The report looked closely at two days’ worth of content last November and compared the depictions of the CCP across TikTok when compared with what was posted on Twitter, Instagram and YouTube. While the researchers couldn’t assess the cause, they did find both Twitter and TikTok had more pro-CCP content than YouTube or Instagram.

Another issue is how TikTok tracks users across the internet. Consumer Reports did a report last fall that found hundreds of organizations sharing data with TikTok using tracking pixels and other canvas fingerprinting techniques. Before you sound any alarms, these are common for Facebook, Google, and numerous commercial websites, and TikTok’s tracking efforts are a small fraction of what these other companies do. Still Chew’s answers were less than satisfying in this area.

Much was made about the differences between the TikTok app we use in the USA versus the ByteDance app called Douyin that is only available in China. The excellent Citizen Lab issued a report last year that examined what data leaks from both apps. Not surprisingly, the Chinese app had more potential security and privacy issues, although the researchers said neither app had any noticeable malware characteristics.

So let’s answer some questions.

Is the TikTok app spying on its users? Not according to Citizen Lab and other security analysts. Could it become weaponized? Sure. But so could any other phone app.

What else should the government ban on its own phones? Well, if you are going to ban TikTok, how about deleting dozens of other apps that collect private data too? That is what France just did, or is trying to do. Good luck with that.

Will selling the company accomplish anything? Not really, other than improved optics. Look no further than Facebook to show misuse of data by a wholly-owned American company. Ownership doesn’t mean total control.

What about the Oracle Cloud migration? TikTok is making a big effort towards migrating its servers to the Oracle Cloud, and promises to keep all US data on these servers eventually. That clearly comes under the heading of “security theater,” since these servers can still transmit anything back to their Chinese parent company. Chew made a big deal about the Oracle project, but what he neglected to say is that any third-party code audit would be nearly impossible, since the servers started out in a pristine “bare metal” state and TikTok could put anything on them. I am not sure what is accomplished here other than having better app latency for US users. Again, a lot of effort to improve optics, but not much else.

How to know when you are ready to expand your career

“There may be nothing I’ve seen wreck the careers of high-performing, hardworking people more commonly than stepping into a manager role the person isn’t ready for,” tweeted Kieran Snyder earlier this month. The CEO of linguistic analysis firm Textio then follows up this with some very cogent remarks about knowing when to take that leap into management that really resonated with me.

This is because I faced a similar circumstance in my own career back in 1990, when I took the job to run Network Computing, a brand new computer publication. I have often mentioned that decision as a pivot point in my professional life in these essays, At that time, I was managing a group of about a dozen editors for PC Week — and this would be a big promotion to running an entire publication, hiring its entire staff, and learning how to get the magazine from words to a coherent whole. It shaped the rest of my career, to be sure.

I also addressed this topic a couple of years ago in this post about whether super coders should take the next step into management. It is worth reviewing that piece and listening to a discussion with Jaya Baloo and Troy Hunt on the subject.

Snyder lays out four important questions you need to ask yourself whether or not you are ready:

  1. Can you communicate complex expectations clearly? And behind this question is also holding people accountable — and avoiding eventual disappointments — for these expectations too. Even when you know this, it is still hard to achieve. “This is an issue I have faced, and often management fails to set clear expectations,” said Alan Elmont, who has been a recruiter and staffing professional for decades. “This has been particularly an issue with small companies or mid-sized companies that are growing too quickly.”
  2. Can you engage and mange conflicts well? Being fair in these fights is more important that being well-liked.
  3. Where do you fit in the scale between being a hero and being predictable? “Managers mostly do hero work to compensate when their team isn’t delivering,” she says. That could be caused by a variety of failures, such as unclear feedback or expectations or poor solutions delivery — or a combination.
  4. Finally, do you have the right combination of technical skills and a solid functional foundation to properly lead your team? That is a tough one to dispassionately assess, either by yourself or with your prospective hiring manager.

Now let me take another moment from my career when I got a job to run another publication. It was a major failure, and because I couldn’t do any of the first three things that Snyder mentioned above. I barely lasted a year there before being fired. I should have spent more time understanding the lay of the landscape and the management style of my eventual boss. Now, this happened years after my Network Computing anecdote, so you would think being older and more experienced I would have spotted the danger signs. But no, I was too caught up in the thrill of being chased for a new job. Live and learn.

While on the topic of career development, I had an opportunity to talk to a group of mid-career folks who are considering jobs in cybersecurity this week. You can see my slides below, and some of the issues that we discussed.