Disclose.io, VDP, Hackers, and voting

About 18 months ago, I sat in Capitol Hill with a bunch of other badasses including Eric Mill, Matt Blaze, Kimber Dowsett, Jack Cable, Alexander Romero, Leonard Bailey, and others, and talked to voting machine manufacturers and US states.

We were discussing how they needed to:

  1. Get better at securing their stuff, and

  2. Actively counter the disinformation risk created by the topic of election hacking.

Outside of typical form, instead of talking about vulnerabilities and good-faith hackers, I focussed on (b) by showing the room a receipt of a voting machine I’d bought off eBay earlier that week, and the ease with which I could make it LOOK hacked…

We’re at a point where the average voter is worried about getting “hacked” despite not being quite sure of what it means, and my demonstration was to show that an old machine, some creativity with malware, and some tweeted pictures in the right places could have as much of an impact on voter turnout (and, by extension, the result of an election) than real vulnerabilities. The only antidote to this is a full about-face, the acceptance of human imperfection in creating software and the vulnerabilities this can cause, and the engagement of “neighbourhood watch for the Internet” to create a security control which is not only effective, but could be understood by the average voter.

It got the point across.

Today, the CIO of ES&S – who I met for the first time and sat across from in that meeting, and who manufactures 60% of the voting machines in the USA – announced the first vulnerability disclosure program for a voting machine manufacturer, ending eight or more years of hostility between vendors and good-faith hackers.

They used the disclose.io 2020 US Presidential Election VDP boilerplate, which is maximized for safe-harbor and transparency. Disclose.io is a project myself and Chris Raethke kicked off back in in 2014.

Feels good, man.