Behind the scenes at my local board of elections

If you have concerns about whether our elections will be free and fair, I suggest you take some time and visit your local elections board and see for yourself how they operate and ask your questions and air your concerns. That is what I did, and I will tell you about my field trip in a moment. I came away thinking the folks that staff this office are the kind of public servants that demand our respect for doing a very difficult job, and doing it with humor, grace, and a sense of professionalism that usually doesn’t get recognized. Instead, these folks are vilified and targeted by conspiracies that have no place in our society.

First, some background. I wrote in August 2020 about the various election security technologies that were being planned for the 2020 election here, followed up with another blog in December 2020 reporting that those elections were carried out successfully and accurately, and wrote another blog last August about further insights on election security gleaned from the Black Hat trade show.

A few weeks ago, I was attending a local infosec conference in town and got to hear Eric Fey, who is one of the directors of the St. Louis County election board. He spoke about ways they are securing the upcoming election. The county is the largest by population in the state, home to close to a million people.

He offered to give anyone at the conference a tour of his offices to see firsthand how they work and what they do to run a safe, secure and accurate election.

So naturally I took him up on it, and we spent an hour walking around the office and answering my numerous questions. Now he is a very busy man, especially this time of year, but I was impressed that a) he made good on his offer, and b) was so generous with his time with just an interested citizen who didn’t even live in his jurisdiction. (I live in nearby St. Louis City, which has its own government and elections board.)

There are about fifty people in the elections board offices, split evenly between Democrats and Republicans. Wait, what? You must declare your affiliation? Yes. That is the way the Missouri elections boards are run. Not every county is big enough to have an elections board: some of the smaller counties have a single county clerk running things. And Fey is the Democratic director. He introduced me to his Republican counterpart.

Part of the “fairness” aspect of our elections is that both parties must collaborate on how they are run, how the votes are tabulated, and how ballots are processed, all within the various and ever-changing election laws of each state. We went into the tabulation room, which wasn’t being used. There were about a dozen computers that would be fired up a few days before the election, when the staff are allowed to start tabulating the absentee and mail ballots. They run special software from Hart InterCivic, one of the election providers that the state has approved, and they are never connected to the internet. Okay, but what about the results? Fey says, “We use brand new USBs for a single transaction. We generate a report from the tabulation software and then load that report on the USB. That USB is then taken to an internet connected computer and the results are uploaded. That particular USB is then never used again in the tabulation room.”

Speaking of which, when the room is filled with workers, the door is secured by two digital locks that must be opened in coordination. Think of how nuclear missile silos are manned: in this case, as you can see in the above photo, a Democrat must enter their passcode on one lock and a Republican must enter a different passcode on the other.

The Hart PCs have a hardware MFA key and are also password protected, with separate passwords for the two parties. What happens when they need new software? The county must drive the machines, in one of its own vehicles and with both parties present at all times, to Hart’s Austin offices, where they are updated. This establishes a chain of custody and ensures the machines aren’t tampered with along the way.
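
Here is an added example, not the county board’s own software, of the controls the last three paragraphs describe: two-party approval before anything leaves the tabulation room (the two-lock rule), a USB serial that may be used for exactly one transfer, and a SHA-256 digest of the results report that the internet-connected machine recomputes before publishing. The class and function names and the sample report are assumptions for illustration.

```python
"""Added example, not the St. Louis County board's own software: a small model of
the one-transaction USB hand-off from an air-gapped tabulation machine."""
import hashlib
import hmac


class MediaReuseError(Exception):
    """Raised when a USB serial that already carried a report is presented again."""


class SingleUseMediaRegistry:
    """Every USB serial that has ever left the tabulation room, so each is used once."""

    def __init__(self):
        self._used = set()

    def claim(self, serial):
        if serial in self._used:
            raise MediaReuseError(f"media {serial} has already been used for a transfer")
        self._used.add(serial)


def export_report(report, serial, registry, approvals):
    """Tabulation side: both parties must approve (the two-lock rule) and the stick
    must be fresh. Returns the manifest that accompanies the report."""
    if not (approvals.get("D") and approvals.get("R")):
        raise PermissionError("export requires approval from both a D and an R")
    registry.claim(serial)
    return {
        "sha256": hashlib.sha256(report).hexdigest(),
        "length": len(report),
        "media_serial": serial,
    }


def verify_import(report, manifest):
    """Internet-connected side: recompute the digest and compare it in constant
    time. False means the report was corrupted or altered in transit."""
    if len(report) != manifest["length"]:
        return False
    digest = hashlib.sha256(report).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])


if __name__ == "__main__":
    registry = SingleUseMediaRegistry()
    # Constructed sample report, not real results.
    results = b"precinct,candidate_a,candidate_b\n001,412,388\n002,301,299\n"
    manifest = export_report(results, "USB-2024-0001", registry, {"D": True, "R": True})
    print(verify_import(results, manifest))                                # True
    print(verify_import(results.replace(b"412", b"421"), manifest))        # False
```

One caveat a practitioner would add: a manifest carried on the same stick as the report detects corruption, not a deliberate edit by someone who handles the stick. To catch that, the digest has to travel by a separate path, for instance printed in the tabulation room and read back by both parties at the upload machine.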

The elections board office is attached to a huge warehouse filled to the brim: the voting machines that will be deployed to each polling place, of course; the tablets used by poll workers (as shown here) to scan voters’ IDs (typically driver’s licenses) and identify which ballot they need; loads of paper, since the board is required to keep the last election’s ballots stored there; and commercial batteries and spare parts for all the hardware, because on election day staff travel around to keep everything up and running. Ballots are printed on demand, which eliminated a lot of the human error of the past, when voters sometimes got the wrong ballot. Why batteries? In case of a power failure at the polling place. Don’t laugh – it has happened.

Getting the right combination of polling places is more art than science, because the county has limited control over private buildings. One Y decided they didn’t want to be a polling place this year, and Fey’s staff found a nearby elementary school. Public buildings can’t decline their selection.

One thing Fey mentioned that I hadn’t thought about is how complex our ballots typically are. We vote for dozens of down-ballot races, propositions, and the like. In many countries, voters are just picking one or two candidates. We have a lot of democracy to deal with, and we shouldn’t take it for granted.

So how about ensuring that everyone who votes is legally entitled to vote? They have this covered, but basically it boils down to checking a new registration against a series of federal and other databases that indicate whether someone is a citizen, whether they live where they say they live, whether they are a felon, and whether they are deceased. These various checks convinced me that there aren’t groups of people who are trying to cast illegal votes, or bad actors who are harvesting dead voters. Fey and I spent some time going through potential edge cases and I was impressed that he has this covered. After all, he has been doing this for years and knows stuff. There have been instances where green card holders registered by mistake (they are allowed to vote in some Maryland and California local elections, but not here in Missouri) and then called the elections board to remove themselves from the voting rolls. They realize that a false registration can get them imprisoned or deported, so the stakes are high.

Let’s talk for a minute about accuracy. How are the votes tabulated? There are several ways. In Missouri, everyone votes using paper ballots. Processing them isn’t typically a problem, because as I said they are freshly printed at the polling place and then immediately scanned in. This is how the county can report its results within an hour of the polls closing. The ballots are collected and bagged, along with a cell phone to track their location, and then a pair of drivers (one D, one R) head back to the office. Fey said there was one case where a car was in an accident, and the central war room that was tracking them called them before they had a chance to dial 911. They take their chain of custody seriously on election night.

If you opt for mail-in ballots, though, the ballot quality becomes an issue. Out of the hundreds of thousands of ballots the county office received in 2020, about four thousand or so looked like someone tried to light them on fire. Each of these crispy ballots had to be copied on to new paper forms so they could be scanned. Why so many? Well, it wasn’t some bizarre protest — it turns out that many folks were microwaving their ballots, because of Covid and sanitation worries. It was just another day of challenges for the elections board, but they took it in stride.

The paper ballots are then put through a series of audits. First, the actual number of ballots is counted by machine to make sure the totals match up. They had one ballot that was marked with two votes, one crossed out. So the team located the ballot, saw that the voter had changed their mind, and corrected their totals. That is the level of detail that the elections board brings to the final count. They also pick random groups of ballots to ensure that the votes match what was recorded.

As you can see, they do their job, and I think they do it very well. If you are thinking about your own field trip, ballotpedia.org is a great resource if you want more details about how your state runs its elections, where and how to vote, and contacts at your local election agency.

CSOonline: Top IDS/IPS tools

An intrusion detection or prevention system can mean the difference between a safe network and a nasty breach. We’ve rounded up some of the best and most popular IDS/IPS products on the market.

Detecting and preventing network intrusions used to be the bread and butter of IT security. But over the past few years, analysts and defenders have seen a slow but steady transition away from standalone products: they have become one component of a broader spectrum of network defensive tools, such as security information and event management (SIEM) systems, security orchestration, automation and response (SOAR) platforms, and endpoint and network detection and response (EDR/NDR) systems.

For CSO, I examined the top six commercial tools and four open source ones, explained the different approaches and form factors used, and compared how intrusion prevention fits into the overall security marketplace.

A new way to create podcasts using AI

I have been creating podcasts on and off — mostly off — since 2007, when Paul Gillin and I came up with the idea to talk to each other about war stories from the tech PR world. (You can listen to the very first pod here.) That series would eventually evolve into several different pods that Paul and I would do over the years, with the most recent episode here. In between these shows, I would freelance pods to various clients and publications such as eWeek and various IDG ones.

I tell you this because today, in the span of a few minutes, I managed to create some very credible podcasts out of what had previously been just my written content, using a new Google tool, notebooklm.google.com. You upload your documents (PDFs or text files) and it converts them into a two-host conversation that draws on some of the material and uses AI to bring in other information. The two “hosts” sound great: one a male voice and the other a female voice. Call them Dick and Jane. The AI adds in almost the right amount of temporizing, with “ums” and “likes” and back-and-forth byplay. You can download the audio files here and hear it for yourself:

  • I wrote a handbook for CSOonline recently about AI security posture management. Here is the pod:
  • I also wrote an article for Internet Protocol Journal about the history of the Interop Shownet. Here is that pod:

I did almost no additional work to create these pods, other than searching my own hard drive for something I had written. Both samples are about ten minutes long. And while I wrote every word of both articles, the pods use examples that I never wrote (which were actually quite good) and bring in other information. Using ML routines to keep things conversational works reasonably well, and you almost believe that Dick and Jane are two live humans talking about something they “just read.” I could do with a few fewer inserted “likes,” which seem to be the basic conversational building block of a certain generation. One thing Google hasn’t coded into its system is having the two hosts talk over each other, which I find annoying on other pods with multiple human hosts.

Google’s tool is still very much in the experimental stage, but it is free to try out. In addition to creating podcasts, you can also query the content you upload just like any AI system, and it will also provide a summary and FAQs and other supporting things around your content. I would suggest that you don’t upload any private content however.

What does this mean for podcasters? Well, uh, things are going to get very interesting. While the Dick and Jane voices aren’t yet configurable, they are pleasant to listen to and seem 85% human. It also portends that my podcast business is probably dead in the water, not that I ever relied on it to produce any significant revenue. Given that I don’t cultivate any political outrage, or any outrage (other than from non-working tech or over-promised products), there was zero chance that my podcasting career would ever take off.

If you do produce some pods that you would like me to listen and compare to the original source materials, do drop a note in the comments.

Ways to harden your VPN

Susan Bradley writes today in CSOonline about ways to improve your password hygiene, especially if you are using a VPN to connect to your corporate network. I am horrified to report that I am guilty of doing Bad Things according to Bradley, and what is worse, that I should know better. Let’s review her suggestions:

First, one of the common attacks takes advantage of password fatigue: an attacker takes a password of yours that has been published on the dark web and tries it, and simple variations of it, against your other accounts. She writes: “Too many people merely add a letter to a password rather than choosing a better passphrase.” That hand going up in the front of the room is my own. There is no excuse for it: I have a password manager that can make my passwords as complex as need be, yet sometimes I just add a character in the middle of my previous password. Far better to use multi-factor authentication, she says. I would agree with her, but many of my hundreds of logins don’t support MFA. That is another travesty, to be sure. But color me lazy.
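
The “just add a letter” habit is easy to catch mechanically at password-change time, when the old and new values are both available in plaintext. Here is an added example (not from Bradley’s article) that lowercases both, undoes a few common character substitutions, and then rejects the new password if it contains the old one or sits within a couple of edits of it. The function names, the substitution table and the thresholds are assumptions for illustration.

```python
"""Added example, not from Bradley's article: reject a new password that is a
trivial edit of the previous one. Thresholds are assumptions for illustration."""

# Common substitutions attackers try first; both passwords are normalised with it.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def normalise(pw):
    """Lowercase and undo leetspeak so 'P@ssw0rd' compares like 'password'."""
    return pw.lower().translate(LEET)


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(new_pw, old_pw, max_edits=2):
    """True if the new password is the old one with up to max_edits characters
    changed, added or removed, or contains the old one verbatim."""
    n, o = normalise(new_pw), normalise(old_pw)
    if not o:
        return False
    if o in n:
        return True
    return edit_distance(n, o) <= max_edits


def check_new_password(new_pw, old_pw, min_len=14):
    """Return the list of policy problems; an empty list means the change is acceptable."""
    problems = []
    if len(new_pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_trivial_variant(new_pw, old_pw):
        problems.append("trivial variant of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    print(check_new_password("Summer2024!", "Summer2023"))
    print(check_new_password("correct horse battery staple", "Summer2023"))
```

This check only works where the previous password is presented in plaintext alongside the new one, such as a change-password form; it cannot be run retroactively against stored hashes, which is one reason a breached-password lookup and MFA still matter.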

Another no-no is relying on “impossible travel” checks to defend your login: a login happens in one place, and shortly afterward the same credentials are used halfway across the planet, so the second attempt is blocked. VPN services check for this using location tracking. Wait, I thought this was good practice? Not any more: Bradley says geolocation blocking offers a false sense of security and we shouldn’t rely on it. Attackers have figured out ways around the blocks or how to obscure their locations.
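
To make concrete what an impossible-travel check actually computes, here is an added example (not from Bradley’s article) that runs it over a few constructed login records of the form “UTC timestamp, user, latitude, longitude”. It measures the great-circle distance between a user’s consecutive logins and flags any pair that would have required travelling faster than a set speed. The record format, the 1,000 km/h threshold and the 50 km noise floor are assumptions for illustration.

```python
"""Added example, not from Bradley's article: impossible-travel detection over
constructed login records. Thresholds and record format are assumptions."""
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # faster than any airline seat between two logins
MIN_DISTANCE_KM = 50.0       # ignore small jumps caused by IP-geolocation noise

# Constructed sample log: alice appears in St. Louis, then Berlin 90 minutes
# later; bob drives from St. Louis to Chicago over about six hours.
SAMPLE_LOG = [
    "2024-09-20T08:00:00+00:00 alice 38.63 -90.20",
    "2024-09-20T08:05:00+00:00 bob 38.63 -90.20",
    "2024-09-20T09:30:00+00:00 alice 52.52 13.40",
    "2024-09-20T14:00:00+00:00 bob 41.88 -87.63",
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_record(line):
    """'timestamp user lat lon' -> (datetime, user, lat, lon)."""
    ts, user, lat, lon = line.split()
    return datetime.fromisoformat(ts), user, float(lat), float(lon)


def impossible_travel(lines, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per login that would have required travelling faster
    than max_kmh since the same user's previous login."""
    records = sorted((parse_record(line) for line in lines), key=lambda r: r[0])
    last = {}
    alerts = []
    for ts, user, lat, lon in records:
        if user in last:
            pts, plat, plon = last[user]
            km = haversine_km(plat, plon, lat, lon)
            hours = (ts - pts).total_seconds() / 3600.0
            # hours <= 0 covers two logins with the same timestamp from far apart.
            if km >= min_km and (hours <= 0 or km / hours > max_kmh):
                alerts.append({
                    "user": user,
                    "km": round(km),
                    "hours": round(hours, 2),
                    "kmh": None if hours <= 0 else round(km / hours),
                })
        last[user] = (ts, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOG):
        print(alert)
```

Run as written it flags only alice. The limitation Bradley points to is in the input, not the arithmetic: the coordinates come from IP geolocation, and a VPN exit node, a mobile carrier gateway or a cloud relay puts a legitimate user anywhere, so the result is best used as a signal to trigger a step-up MFA prompt rather than as a block on its own.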

Finally, she offers this wisdom: “It doesn’t hurt to reevaluate your current VPN platforms and consider alternatives such as managed-cloud VPN solutions, bearing in mind that MFA should be mandatory on all accounts.”

Bradley also runs AskWoody, another excellent resource.

Book review: Mapping St. Louis

Andrew Hahn’s delightful compendium of 40 rare maps of the St. Louis area is informative and an amazing record of the growth — and decline — of the region. He has put together maps from 1767 to the present, including some “fantasy maps” of how contemporary geographers envision the future infrastructure of the city. The maps show how the city developed around the confluence of the Missouri and Mississippi Rivers, and how events such as the Cyclone of 1896 and the fire of 1846 damaged various neighborhoods.

There are many different styles of maps featured, including maps for exploration and navigation, pocket and atlas maps, development and planning maps and pictorial maps.

Two places in the history of the city are chronicled with maps:

There are maps which show the massive population movements of the city — reaching a peak population of some 850,000 in 1950, only to decline to about 280,000 residents today.

Hahn is a seventh-generation St. Louis native, and since 2003 he has been director of the Campbell House Museum, an 1851 townhouse in downtown St. Louis.

Portable air pumps for bike and car: a work in progress

As an avid cyclist, I have collected a variety of tools to keep my tires inflated, both on the road and at home. These include:

  • A floor pump that has a pressure gauge and fits both Presta and Schrader valve types. We have both here in my family. This is used most frequently, because high-pressure tires tend to lose air over time.
  • A portable pump that has a Presta connection that I carry with me when I am riding. This is useful if I get a flat and have to inflate a new tire just enough to fit it on my rims.
  • A collection of CO2 high-pressure cartridges that can inflate my Presta tires up to full pressure. These are good for a single blast of air.

My social feeds have been filled with various ads for portable electric air pumps. In the distant past, these things were portable in the same sense that the first portable computers were: they were bulky and you wouldn’t want to carry them very far. But the latest generation of pumps weigh about a pound and could easily be carried with you on a ride, or fit in your car’s glove compartment. They range in price from $40 to $120, are mostly made in China, and resemble an old-style walkie-talkie in dimensions. I bought one of the cheaper ones on Amazon.

The features that I wanted included:

  • Rechargeable battery via USB. The battery should last through a few inflations of your car tires, because you are pushing a lot more air. The unit that I got needed infrequent recharging. The pump’s screen should give you a rough idea of how much charge is available. Having a USB cable also makes recharging from your car simple, if you have the right cables.
  • A long enough hose that fits between the tire and the pump, so you can maneuver the pump around the target tire more easily.
  • Fits both kinds of tires. The way my pump does this is with a small and eminently losable adapter that screws on to the Schrader valve if you want to inflate a Presta tire. This adapter is very hard to fit on the valve stem, and gets tight enough to ensure you aren’t deflating your tire before you even start the inflation process. It took me a few tries to figure out the process of attaching and detaching the pump from both bike and car, and it would be easier if the vendor supplied two separate hoses rather than the add-on adapter, but I didn’t find a unit that came that way.
  • Easy operation and usable screen. My pump shows the existing pressure when attached, and you can set it to stop automatically at a given pressure for both bike and car scenarios. That is helpful, especially for bike tires that can be easily overinflated. It also shows battery status too.

One question was whether the new electric unit could replace both my hand pump and CO2 cartridges on my rides. Even the smaller units still weigh more than the combination, but it is possible, although you probably have to carry it on your person or in a big enough bag on your bike. (My hand pump has a bracket that fits on my bike’s frame.) However, this means using the new pump twice when fixing a flat during a ride: once to get some air in the tire before you put it on the rim, then re-attaching it for the full inflation. It would be nice if the new pump could snap on and off the valve like my other pumps, but I didn’t see any units that offered that kind of mechanism.

I am not recommending my specific pump, and am calling the whole genre a work in progress. Some of them get very hot as their tiny pump motors work overtime to push the air through, especially for car tires. Some weigh a lot more making them difficult to carry in the back pockets of your jersey. The attach/detach process can be tricky: one time I unscrewed my valve stem completely when trying to remove the short air hose. And there doesn’t seem to be any relationship between price, quality, and user satisfaction from what I could tell.

On cargo cranes and undersea cables

What do cargo cranes, drones and undersea cables have in common? This isn’t a trick question. All three have significant intersections with Chinese businesses, and all three could be considered critical infrastructure elements, which has got our Congress worried. And while normally I wouldn’t highlight the fear mongering (we have enough of that, especially lately), this seems to merit some attention.

A joint Congressional report was released this week which focuses on Shanghai Zhenhua Heavy Industries, a Chinese company that accounts for roughly 80% of the ship-to-shore port cranes operating in the US and 70% of the port cranes worldwide. These are the huge structures that move cargo on and off container ships. What has Congress worried is that the cranes are fitted with cellular modems which may have remote-access software installed. Much of the control equipment used by these cranes is subcontracted to industrial suppliers such as ABB and Siemens, but their gear is shipped to Shanghai and installed by the Chinese before the crane is sent to its destination port. The investigation found that these companies allow their gear to sit in China for long periods outside of their operational control. As you might have guessed, there are no US-based crane manufacturers.

The report also notes that more than a dozen software vulnerabilities from SZHI have been reported to American but not Chinese security regulators, and says this could be a potential national cybersecurity issue.

Let’s move on to drones. The U.S. House of Representatives voted on Monday to bar new drones from Chinese drone manufacturer DJI from operating in the United States, one of a series of measures aimed at China that lawmakers are considering this week. The bill, which still needs to be approved by the Senate before it could become law, would prohibit the company’s products from operating on U.S. communications infrastructure. It would not prevent existing DJI drones from operating in the United States. DJI has 80% of the US drone market and 54% of the global drone market. Again, one motivation for this proposed ban is the potential for data collection from their operation. Another is the recent fear about TikTok data ownership.

Finally, Tom’s Hardware reports that the US and EU are working on a draft statement about undersea communications cable ownership. The proposed language would intentionally exclude Chinese ownership and ask member countries to only consider “trusted suppliers from allied countries,” and require cable operators to have supply chain and data security measures in place, along with more transparent ownership documentation. The lofty proposed language doesn’t specify any enforcement mechanisms, however. The cable market is not yet dominated by any Chinese supplier and is quite competitive. The major US supplier is SubCom.  You might have guessed that here the US dominates in terms of cable ownership, with Google, Amazon, Microsoft and Facebook/Meta owning or leasing at least half of all undersea bandwidth. I am not sure whether FAANG or China would be more of an issue to our regulators.

It is hard to sort out the technology issues from the political ones, something we have seen with the various TikTok screeds. It is clear that figuring out what is happening, understanding the extent of Chinese market control, and determining whether insidious remote-control software is actually present or could be present is a difficult lift.

CSOonline: AI-SPM buyer’s guide

Widespread adoption of generative AI across businesses has increased the need for safeguards, including AI security software. It is a tall order because AI’s reach into an organization’s infrastructure and data is enormous, meaning a broad spectrum of protective measures is required. This is one of the reasons why attackers are drawn to abusing AI.

I examined nine vendors’ tools that handle AI security posture management (AI-SPM). This is an emerging field and unfortunately that means most products are nowhere near as comprehensive or as integrated as they could be. You can read my buyer’s guide in CSOonline here. For your reference, here is a collection of AI-SPM screenshots.

Book review: Casket Case by Lauren Evans

Normally, I try to write reviews without any spoilers, but the main spoiler has already been revealed in the blurb about this very inventive and realistic novel about a very modern relationship. She has inherited her family business, and falls in love with a handsome gentleman. What saves this from being another romance is that the business is a casket showroom, and he is actually a representative of Death. His job is to visit someone who is about to die and comfort them in their final moments. It is an interesting conceit, and his business doesn’t get revealed to her until halfway through the novel, at which point their love affair has fully blossomed. The book nicely deals with mutual trust, sharing one’s feelings, and one’s place in the family in a way that is fresh and interesting. This novel could border on the trite or the macabre, but doesn’t. And the topic of death for me personally is a tough one, having lost my adult son a few years ago to cancer. But Evans treats the topic with a great deal of sensitivity and verve, and I won’t give away the ending, but this is a book that is interesting, well-written and well worth your time. Highly recommended.

Direct admissions: a new way to get into college

For the past couple of years, high school seniors have been part of an interesting experiment called direct admissions. Basically, there are systems that allow them to get conditional pre-acceptance offers, without having to fill out much of an application in advance, or even think about where they want to attend. What makes these offers interesting is that they arrive unsolicited. There are a few caveats, but hundreds of students are now attending college using this method.

Back in the pre-historic era when I was a high school senior, when I had to walk uphill both ways to school, we had to fill out applications by hand. There was no CommonApp, a system by which a thousand or so colleges agree to basically open source the application process. They are one of the entities involved in direct admissions; I’ll get to them in a moment. Each place had its own essay to write. You also had to take standardized tests from places like the College Board, the dreaded SAT or ACT. And then there were the application fees.

Direct admissions puts all that aside. You have to have good grades, of course, or good enough grades for the particular school that you want to attend. But that’s about it. No more stuffing silly clubs to pad your pre-college resume. No more parental nagging about whether you have written word one on your essays.

Not every college is on board, yet. But it clearly is the coming wave. As costs to attend college continue to rise, the onerous application process has to be simplified. One private venture is leading the charge called Niche. Their website has a portal for students to enter the direct admissions world and while there is some information to fill out, it doesn’t seem all that difficult.

There are several states that have signed up to include every graduating high school senior in the program. They notify all seniors in the fall where they have been accepted, based on their GPAs. Minnesota, for example, has 55 two- and four-year colleges — both private and public — in the program. Students then have to complete an application to the school of their choice. Missouri has several schools that take direct admissions, including probably one of the best engineering schools in the state.

CommonApp began testing direct admissions in 2021, and now has more than 70 participating schools. Niche began its program in 2022 and now has its own group of 100 or so schools. (Forbes has more details here.) The two have somewhat different qualification criteria. With CommonApp, students must live in lower-income households to get application fees waived, be the first in their family to attend college, and can only apply to in-state colleges. Niche doesn’t have any income or geographic threshold.

As the NY Times wrote earlier this year, colleges want more students and need more applicants to maintain their student population. Idaho, which is one of the states with a program, found that student enrollment increased by several percentage points in the first year.

Now, you might guess that the top tier Ivies aren’t on board with direct admissions: they get plenty of attention from the best students. But for many other schools, this could be a way to attract students that may have never considered or even heard of the school. And who doesn’t like getting a “you may already have been admitted” notice? It could be a big ego and motivational boost for some seniors.

If you have a kid that has used direct admissions, please post your experiences, I would be interested to hear from you.