2020/03/12

COVID-19: Evaluating School Closures

I'm getting increasingly concerned that many Santa Clara County public schools are continuing normal operations when -- based on available evidence -- they should be suspending in-person classes.

The communication from my local school districts, MVWSD and MVLA, is roughly the same:
In the event of potential school closure: The Public Health Department currently is not recommending closing schools. If a staff member or student in a specific school is confirmed to have COVID-19, the Public Health Department will consider, based on the specific facts and circumstances of that case, whether closure of that school is warranted.
The problem with this:

  • We already know there is community transmission in the local area;
  • Patients presenting symptoms of COVID-19 are unable to get tested without meeting additional criteria (known contacts, foreign travel, etc.);
  • Therefore, absence of people "confirmed to have COVID-19" isn't evidence of much of anything, and not something to base critical safety decisions on. 
I've checked with a local ER physician who, as of Monday night, had 2 patients presenting symptoms, but who could not get the patients tested and did not know when they would be tested.   That's consistent with local and national reporting on the availability of testing, which is still very limited.  There's simply a capacity issue -- we cannot test everyone physicians want to screen, yet.

Also, the school sizes greatly exceed the (new) 250 person cap on large gatherings from Governor Newsom's latest orders.  While those orders explicitly carve out schools to be treated differently from other large gatherings -- I'm having a pretty hard time seeing how we can say that, say, a conference of 300 people should be cancelled, but a school of over 2,000 kids should remain open, based purely on public health criteria.

So, the official guidelines for shutting down public schools seem to still be catching up to the facts on the ground.  We have 48 confirmed cases in Santa Clara County, many in the local area, so clearly there is community transmission happening here.  We do not have the ability to screen people to see if we should trigger the current shutdown criteria.  So, I'm calling to ignore those criteria based on that evidence and to suspend in-person classes in the local schools with community transmission in the area.

Other local educational organizations appear to agree with this.  Local colleges and universities have suspended in-person classes. At least one local private high school has announced suspension of in-person classes until Mar 10. I do not believe any of these are based on the Health Department guidelines or specific cases -- they're evaluating the overall situation and risk.

I'd love to be wrong, but for today & tomorrow, out of an abundance of caution, I'm keeping my kids home from school.

(There's also a petition going around to suspend classes at MVHS: https://www.change.org/p/mvla-school-district-halt-in-person-classes-at-mvhs.)

Update: The reasoning provided by the Santa Clara County Health Department in a Nextdoor post is:

The reason we are not recommending school closures at this time is because children have not been shown to be a high-risk group for serious illness from this virus. Some children have underlying health conditions, such as weakened immune systems, that put them at higher risk. Caregivers of children with underlying health conditions should consult with healthcare providers about whether their children should stay home from school.
Many students also rely on schools and staff for basic needs, including regular meals, health care, and child care. If schools shut down, vulnerable families are at a higher risk of being negatively impacted. 
Another factor to consider is that closing schools may unintentionally impact our health care community and our collective response to COVID-19. There may be parents of students who are working as health care providers or in the health field on the front lines of the COVID-19 response. If schools close, parents may not be able to work and provide support to those who need it.

I agree the children without underlying health conditions aren't at high risk; that's not my major concern here -- it's amplifying the community transmission of the virus in a major way by failing to shut down our biggest group event, public schools.  The concerns about vulnerable families being at risk due to lack of meals, health care, and child care are definitely valid issues, but ones the school needs to have made contingency plans for weeks back.  We do not need to continue in-person classes to maintain those services.

Update: After I wrote the above, I checked the Mercury News and saw this op-ed from a team of doctors.  It reaches the conclusion that school closures are inevitable and suggests some good options for mitigating the impact: https://www.mercurynews.com/2020/03/12/opinion-doctors-call-for-school-closures-done-right/

Update 5pm 3/12: The elementary school district just sent this out:

* In the event of potential school closure, our Food and Nutrition Services Department will utilize the district's food truck to serve meals to children under the age of 18 near Castro Elementary/Gabriela Mistral Elementary campus, as part of the Seamless Summer program
* We are in the process of creating grade-level packets with student work for use through spring break. The District will provide information to families on how they can access packets beginning Wednesday, March 18. These packets are designed to reinforce concepts already taught. Additionally, parents and students can log onto Clever.com for online learning resources like i-Ready, Khan Academy, Zearn, etc. This is not a replacement for classroom instruction.
Absences: The Santa Clara County Office of Education and County of Santa Clara Department of Health continue the guidance that students who are well continue to attend school. We understand that families can still make a choice to keep their children at home during this time, and we want to honor that choice. For the next few weeks, we will not be taking any truancy action or dis-enrolling students accruing unexcused absences. 
The decision-making process for potential school closure is that we continue to assess the situation on an almost-daily basis with the County of Santa Clara Department of Health and Santa Clara County Office of Education. The possibility of school closure is more imminent as districts and organizations around the area close in an attempt to curtail the potential spread of the virus. It is wise that families now prepare plans for child care. We will continue to update you and will provide any details as soon as we have them. 

Links:
https://www.fast.ai/2020/03/09/coronavirus/
https://www.wired.com/story/singapore-was-ready-for-covid-19-other-countries-take-note/

2020/01/24

Things People Have Been Impeached For In the Past

Just a few things to bear in mind when considering what counts as "high crimes and misdemeanors".  Read this list, and, however vague you might think the boundary to be, consider just how far beyond the following lines the President's alleged conduct has brought us:
  1. Acting "contrary to the duty of his trust and station as a Senator of the United States" [Blount, 1797]
  2. Acting as a judge "in a state of total intoxication, produced by the free and intemperate use of intoxicating liquors" [Pickering, 1804]
  3. On numerous occasions, "with a loud voice, certain intemperate, inflammatory, and scandalous harangues, and did therein utter loud threats and bitter menaces ... against Congress [and] the laws of the United States duly enacted thereby, amid the cries, jeers and laughter of the multitudes then assembled and within hearing" [Johnson, 1868]
  4. Because his "personal habits unfitted him for the judicial office . . . and that his sobriety would be the exception and not the rule." [Delahay, 1873]
  5. "[B]ringing the Judiciary into disrepute" [Archbald, 1913, Article XIII, convicted and removed]
[Photo of Archbald, captioned: "I can't believe I was removed for 'bringing the Judiciary into disrepute' but y'all are gonna keep Trump."]
If "[B]ringing the Judiciary into disrepute" is a lower bound for impeachment & removal, we passed that lower bound several miles ago.  And all of this is precedent over 100 years old, so it should be no surprise to Donald John Trump.

References:

https://www.senate.gov/artandhistory/history/common/expulsion_cases/Blount_expulsion.htm
https://networks.h-net.org/node/950/reviews/1062/rotter-melton-first-impeachment-constitutions-framers-and-case-senator
https://constitutionallawreporter.com/2017/04/04/john-pickering-federal-judge-impeachment/
https://history.house.gov/Exhibitions-and-Publications/Johnson-Impeachment/Building-the-Case-for-Impeachment/
https://en.wikipedia.org/wiki/Mark_W._Delahay
https://en.wikipedia.org/wiki/Robert_Wodrow_Archbald


2020/01/21

Why VSAP 2.0 Should Not Be Certified

Text of my letter to the California Secretary of State office with public commentary on the proposed certification of the LA County VSAP 2.0 system's universal-use Ballot Marking Devices.


Dear Secretary of State Padilla,

I write to provide my comments on the VSAP 2.0 evaluation and certification process for LA County.  I have reviewed the written reports and corresponded with Dean Logan, RR/CC for LA County, to try to resolve open questions about the system and the process.  I have several open questions remaining, but with the deadline upon us I will give the feedback I can with the information I have. If I have interpreted anything incorrectly, please let me know, and please understand that I have done everything I can with the time allowed to gather information and form opinions.

Background

I am a software engineer (B.S. Computer Science, M.S., Computer and Information Sciences).  I have worked as a software engineer in the industry for 30 years. I have ordinary skill in the art with various standards and technologies for data storage, distributed computing, and security for online and offline systems.  I am not a security specialist but have worked extensively with such specialists in building large scale consumer systems. I have also worked as an election clerk in Santa Clara County and am familiar with the processes and systems used in that county.

General

I have been happy to hear that LA County has been working to create a system that is fully owned by the public, not by a vendor. The flexibility and potential ability to re-use this system in other counties is very promising. At the same time, I have concerns about this system that I ask to be considered both in certifying it for 2020 and going forward in LA County and elsewhere.  They primarily involve the security of ballot marking devices and how those impact the assurances of Risk Limiting Audits (RLAs).

Universal Ballot Marking Devices Are an Unnecessary Security Risk

For security reasons, and because it is not a necessary requirement for the improvements incorporated in VSAP 2.0, I strongly object to the requirement for universal use of ballot marking devices (BMDs) for in-person voting.  I am basing this on the reporting that “Starting with the presidential primary, every in-person L.A. voter must use a ballot marking device.”  While voters still have the option of hand marked paper ballots for mail-in ballots, this is not available to in-person voters.  The only option for voters wishing to opt for a hand marked paper ballot is to request a pre-printed ballot by Feb 25:

"Pre-printed ballots will not be available at vote centers," Logan said, adding that voters who want to use pen and paper should request a mail-in ballot by Feb. 25. 

Mr. Logan claims that denying hand marked paper ballot options to in-person voters is because having that option “creates a separate but equal type of scenario.”  He provides no evidence or argument to support that claim.  In addition, the fact that California does allow hand-marked paper ballots for voters who request them before Feb 25 undermines this argument -- if this were truly a “separate but equal” issue, why is it a non-issue for vote by mail voters?

On the other hand, there are strong security arguments for allowing voters to hand mark paper ballots.  Specifically, hand marked ballots are not vulnerable to an entire class of electronic attacks against ballot marking devices (a class to which the VSAP 2.0 BMD clearly belongs). We have recent experimental evidence that voters do not effectively verify BMD printed ballots without very specific training and real time prompts in the polling place -- none of which is in place for the March 2020 elections.

In addition, the VSAP 2.0 system may potentially be vulnerable to a variant of the attack Andrew Appel termed “permission to cheat”, because it includes a print head in the paper scanning path for ballots, potentially allowing marks to be added to ballots even if the voter visually verified them first.  (This was not evaluated by the security report below).

Allowing voters to use hand marked paper ballots, in conjunction with Risk Limiting Audits, mitigates this entire class of attacks and is a recommended practice among a large group of security experts.  Matthew Blaze, testifying before the House Administration Committee earlier this month, made this point clearly:

BMD-based voting systems are controversial, since, by virtue of their design, the correctness of their behavior cannot be effectively audited except by individual voters carefully verifying their machine-printed ballots before they are cast. A maliciously compromised BMD could subtly mismark candidate selections on ballots in a way that might not be noticed by most voters and that could undetectably change election outcomes. Furthermore, if BMDs fail or must be rebooted at a polling place, there may be no alternative method for voters to create marked ballots, making BMDs a potential bottleneck or single point of failure on election day.

As a relatively new technology, BMD-based systems have not yet been widely examined by independent researchers and have been largely absent from practical election security research studies. However, even with relatively little scrutiny, exploitable weaknesses and usability flaws have been found in these systems. This underscores the need for more comprehensive studies and for caution before these systems are purchased by local jurisdictions or widely deployed.

[Emphasis added.  Testimony by Matt Blaze before the House Administration Committee on Jan 9 2020, p 9; available at https://docs.house.gov/meetings/HA/HA00/20200109/110346/HHRG-116-HA00-Wstate-BlazeM-20200109-U1.pdf.]  This advice is in line with most other recommendations from security experts and takes into account the best practices of the field.

LA County, disregarding this advice, proposes to widely deploy VSAP 2.0 and to force all in-person voters to use the system.  It should not do this.

Specific Issues with the Certification Process

The Security Report Has Unresolved Findings

The “Security and Telecommunications Testing of the LA County VSAP 2.0 Voting System” (“Security report”) dated Dec 24, 2019 includes several detailed findings.  I will reproduce some of the key findings of concern here, as they are not reproduced fully in the Staff Report and recommendations.

The easily defeated locks and seals on all of the VSAP devices resulted in the system not conforming to CVSS 2.1.1.a, which provides that all systems shall “Provide security access controls that limit or detect access to critical system components to guard against loss of system integrity, availability, confidentiality, and accountability.” It also degrades the ability of the system to meet CVSS 7.3.a. which states, “Any unauthorized physical access shall leave physical evidence that an unauthorized event has taken place.”  [Security report, page 17].

Compounding the above, “Booting from a USB drive was not disabled on any of the systems. As such, gaining physical access to the machines allowed access to both the operating and application files for VBL, Tally and FormatOS.” In addition, “The cryptographic key material used to protect the integrity of elections was not encrypted. All cryptographic keys present were accessible in plaintext.” and “This allowed secrets used to ensure election integrity to be recovered with only physical access to the system’s storage device.” [Security report, page 18].

Mitigating this somewhat: “This attack could be conducted by an elections official insider or a vendor insider. A voter would not have sufficient access to the system to successfully complete the prerequisite defeat of physical security without leaving evidence of the attack.”  Even granting this (which is difficult to evaluate), it does indicate that the system is not secure against insider attacks without additional precautions.

The finding “High Dependency on Root Access” is also concerning:  “Root access is required for many regular operations in the VSAP system. These include, but are not limited to, updating cryptographic keys used to protect and verify the integrity of elections and voting information and performing regular system maintenance, including regular system shutdown and startup. This situation invariably leads to poor control of access to the root password which enables subsequent unauthorized access.” [Security report, page 20.]  This does not conform with CVSS 2.1.4.f and 7.2.1.b.

The Source Code Review Report Supports The Security Findings

The VSAP Source Code Review Report is relevant here as well, stating on page 91: “The system is airgapped—that is, not connected to the internet or connected to any other system that is connected to the internet. Air gap systems include  Ballot Marking Device Manager (BMG) Ballot Marking Device (BMD) VSAP Ballot Layout (VBL) Tally … Note: Unused hardware ports (i.e. USB ports) are protected by port locks and/or tamper evident seals with signaling residue to reveal modification and/or removal. The serialized tamper evident seals are manually logged with an operator signature, seal number, location, date and time. This is to prevent removal of authorized connections when the port is in use and to prevent the insertion of unauthorized connections when the port is not in use. This prevents any infected USB flash drive from crossing any air gap.”  However, per the Security report, this does not defend against an insider attack given the seals can be bypassed without detection with an insider’s access.

The Smartmatic response to the concerns involving an infected USB flash drive was (page 91): “A malicious trusted insider would likely attempt other avenues by which to subvert the voting system… At this late time in the Certification campaign, we do not see the ability to remediate the listed software vulnerabilities assuming any could be exploited and would serve as a valuable target.”

On page 93, highly sensitive key material is left open to all users of the operating system: “The CA certificate and key are stored in tmp and set to 777 file permissions. …”  The response indicates that this data is not necessary to the operation of the system and should have been removed as part of installation: “The documentation will be updated to instruct the installer user to delete all data from temp once the install is finished.”  This does not inspire confidence.
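The finding above (a CA key left in a temp directory with mode 777) is the kind of thing an installer acceptance check should catch before a system is handed over. The following audit script is an added example, not VSAP code or anything from the reports: it walks a directory tree, identifies PEM private keys and certificates by their headers, and flags any that are group/world readable or writable or that live under a temp directory. The directory layout and key files it builds are constructed for the demonstration.

```python
"""Audit a directory tree for exposed key material (added example, not VSAP code)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# PEM headers that mark private key material; certificates are tracked
# separately so the report can tell the two apart.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)
CERT_MARKER = b"-----BEGIN CERTIFICATE-----"

# Directories that are never an acceptable home for key material.
DEFAULT_TEMP_DIRS: Tuple[str, ...] = ("/tmp", "/var/tmp", "/dev/shm")

# Any of these bits set means someone other than the owner can read/write.
WORLD_READ = stat.S_IRGRP | stat.S_IROTH
WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def classify(path: Path) -> Optional[str]:
    """Return 'private_key', 'certificate', or None for any other file."""
    try:
        head = path.read_bytes()[:4096]
    except OSError:
        return None
    if any(m in head for m in PRIVATE_KEY_MARKERS):
        return "private_key"
    if CERT_MARKER in head:
        return "certificate"
    return None


def audit_tree(root: str, temp_dirs: Tuple[str, ...] = DEFAULT_TEMP_DIRS) -> List[Dict]:
    """Walk `root`; report key material with weak permissions or in a temp dir.

    Each finding carries the path, kind, octal mode and the reasons it was
    flagged.  A private key readable by group/other is the case the report
    excerpt describes (plaintext key, mode 777, stored in tmp).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            kind = classify(p)
            if kind is None:
                continue
            mode = p.stat().st_mode
            reasons = []
            if kind == "private_key" and mode & WORLD_READ:
                reasons.append("private key readable by group/other")
            if mode & WORLD_WRITE:
                reasons.append("writable by group/other (integrity risk)")
            if any(str(p).startswith(t.rstrip("/") + "/") for t in temp_dirs):
                reasons.append("key material stored under a temp directory")
            if reasons:
                findings.append({"path": str(p), "kind": kind,
                                 "mode": oct(stat.S_IMODE(mode)), "reasons": reasons})
    return findings


def build_sample_tree() -> str:
    """Constructed sample: CA key and cert at 0777 under a 'tmp' dir, plus a key done right."""
    root = tempfile.mkdtemp()
    bad = Path(root) / "tmp"            # stands in for the system /tmp in this demo
    good = Path(root) / "etc" / "pki"
    bad.mkdir()
    good.mkdir(parents=True)
    (bad / "ca.key").write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n")
    (bad / "ca.crt").write_bytes(b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    (good / "signing.key").write_bytes(b"-----BEGIN EC PRIVATE KEY-----\nconstructed\n-----END EC PRIVATE KEY-----\n")
    (bad / "ca.key").chmod(0o777)
    (bad / "ca.crt").chmod(0o777)
    (good / "signing.key").chmod(0o600)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for finding in audit_tree(sample, temp_dirs=(os.path.join(sample, "tmp"),)):
        print(finding["path"], finding["mode"], "; ".join(finding["reasons"]))
```

Against a real install you would point `audit_tree` at the system root with the default temp-directory list; the sample passes its own `tmp` subdirectory so the demo does not depend on where the OS places temporary files.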

The Usability of the System Is Not Yet Proven

While voters clearly enjoyed using the new system, and it may well be an improvement over the old electronic system, that does not mean it produces the correct results.

The “Usability, Accessibility and Privacy Testing” report may also have detected some reliability problems, though it is difficult to tell given the available data.  On page 7: “Long periods of silence made it seem as if the voting session was over” and on page 25, “Some voters noted that there were some long delays/pauses in the audio in varying parts of the ballot. This was confusing for the voter. and is also not in conformance with section 3.2.8.b, CVSS standards”.  This might indicate a problem that could become worse under load, making the system unusable for some voters and/or confusing for others.

There are other usability problems that are worth calling out because they are key to the claimed superiority of BMDs over hand marked paper ballots:  The system does not warn about overvotes.  

On page 26, there is the following finding re: CVSS 3.2.2.1 (emphasis added):

CVSS 3.2.2.1: Notification of Effect of Over voting - If the voter attempts to select more than the allowable number of choices within a contest on a VEBD or PCOS, the voting system shall notify the voter of the effect of this action before the ballot is cast and counted. 

When a voter attempts to over vote a race the BMD automatically cancels the first choice and accepts the second.

While this is a standard computer list selection UX and might be more familiar than other designs, it is definitely more susceptible to inadvertent touches changing the voter selection by accident than a system which warns and requires confirmation.  Without full usability testing it is impossible to say either way, but this clearly appears to violate CVSS 3.2.2.1.

Similarly, on page 26, we find a technical noncompliance that may lead to real election concerns and lawsuits:

3.2.7.a.: No page scrolling - Voting systems shall not require page scrolling by the voter.

Long candidate lists require the voter to scroll on BMDs

From other reporting it appears that “long” in this context might be “more than 3 candidates” (I am interpreting this finding as equating “scrolling” with the “next” button used to move to the next page of results, where the page size appears to be set to 3 at a time, leading to breaking up even rather small lists of candidates into small sub-sections.)  This also appears to violate CVSS 2.3.3.3.f per the Functional Test Report. Finally, this UI also appears to violate CVSS 3.2.5.e.i “The voting system shall visually present a single contest on a single page or column except where the number of choices in a contest makes it impossible.” 

The Functional Test Report’s Findings Remain Unaddressed

The “Functional Test Report” reflects a large number of findings, some of which are not noted in the staff report.  

On page 12, findings related to CVSS 2.1.1.a, CVSS 2.1.4.f, CVSS 7.2.1.a.i, CVSS 7.2.1.c: “The excessive root access and the ability to boot the system from a USB port give access to the system by unauthorized individuals. Either scenario can result in undetected changes to files and data.”

The Red Team was able to gain access regardless of mitigations:

CVSS 7.5.4.b: “Threat model: failure - Voting systems shall fail open ended vulnerability testing if the manufacturer’s model of the system along with associated use procedures and security controls does not adequately mitigate all significant threats as described in the threat model. The OEVT team may use a threat model that has been amended based on their findings in accordance with 7.5.4.3.c.” 
The testers were able to gain access to the system regardless of mitigations.

The Staff Report Does Not Address the Findings Yet Recommends Adoption of a Non-Compliant System

Finally, the “Staff Report” summarizes the findings and addresses them. However, it fails to address all of the findings.  I will focus only on some that appear to be unaddressed for no apparent reason.

On Page 15, Table 4a, it lists some but not all of the non-conformance findings I detailed above:
The problems with this table are:
  1. There is no information on how updated “processes and procedures” are going to address physical design issues with tamper evident seals.  How?
  2. “The county will apply port protectors” does not appear to be a new mitigation at all, since the ports were theoretically already protected by tamper-evident port blockers per the Source Code Review Report (“Unused hardware ports (i.e. USB ports) are protected by port locks and/or tamper evident seals…”).  Thus, this is non-responsive and the non-conformance is unaddressed.
  3. The finding "Shared/Static Secrets" not conforming w/ CVSS 7.2.4.a is simply ignored.
  4. The finding "High Dependency on Root Access", not conforming w/CVSS 2.1.4.f,  CVSS 7.2.1.b, CVSS 7.2.4.a is also simply ignored.

The section “Accessibility, Usability and Privacy Testing Summary” (page 16) similarly ignores a set of non-conformance issues which appear to remain unaddressed anywhere; in particular, the only non-conformance issue mentioned is the long period of silence (delay in audio output), with no mitigation or plan to address it noted; none of the other non-conformance issues listed earlier are noted or addressed.

Three California Elections Code Requirements Are Not Met by VSAP 2.0

Finally, the Staff Report lists the sections of the Elections Code and claims that VSAP 2.0 meets all of the requirements.  I would take exception to the following:

§19101 (b) (3): The system shall be safe from fraud or manipulation.

The system has unaddressed conformance issues which show it has not yet met this requirement.

§19204.5: The Secretary of State shall not certify or conditionally approve a voting system that cannot facilitate the conduct of a ballot level comparison risk-limiting audit.
§19270 (a): The Secretary of State shall not certify or conditionally approve a direct recording electronic voting system unless the system includes an accessible voter verified paper audit trail.

The system produces ballots that cannot be said to be voter verified and therefore the fundamental requirement for a ballot level comparison risk-limiting audit (per Stark’s definition) cannot yet be met.

Per the above, I do not believe that the Staff Report should be accepted and the system certified for use in elections.  With modification, I believe it can be -- if we accept that it should not be used as a universal forced-BMD solution but as an optional mechanism for casting ballots for voters who prefer to use it.  That mode does not pose nearly as great a danger and mitigates the non conformance with §19101 (b) (3), §19204.5, and §19270 (a) of the Election Code of California.
