1/ Saturday 🧵 on real-world security in voting machines.

Should voting machines be allowed to contain wifi hardware, later disabled in software?

At first glance, bad idea. Let's simply ban wifi hardware.

In practice, that would make machines less secure. Allow me to explain.
2/ Security is about threat models and tradeoffs. What this means in practice is more complex than it might seem. It means that "more security" on one specific aspect may lead to less security in the overall system.
3/ the threat model behind "no wifi" is that, with wifi turned on, attackers could remotely connect to the machine and do nefarious things. So what's the difference between software and hardware disabling of the wifi?
4/ if wifi can be enabled in software, then a modification at point of distribution could cause machines to turn on wifi... But wait, now we're assuming an attacker who controls the software distribution. If that attacker exists, we've got bigger problems than wifi!
5/ so maybe the threat is a retail modification of the software, say by a technician accessing a single machine. But if an evil technician has access to a machine long enough to install software, they could also surreptitiously add a USB wifi dongle.
6/ in other words, there's not much daylight between attackers that thwart software vs hardware wifi disable. I'm assuming, relatively safely I think, that when official software is installed, wifi is off and cannot be turned on remotely.
7/ now, there is always the argument of defense in depth. Extra barriers, extra protection, can be helpful. There would be a modest win here from hardware wifi disabling. Absent any cost, it would be the right recommendation. So let's look at tradeoffs: what would be the cost?
8/ it turns out, cost would be large. To understand this, keep in mind that the voting machine market is pretty small. Maybe 100,000-150,000 machines a year.

That's why there's a movement towards using off-the-shelf hardware to leverage all the wins of large-scale production.
9/ Have you tried buying a computer without wifi recently? It's almost impossible.

So the cost of enforcing "no wifi hardware" would be, without exaggeration, equivalent to banning off-the-shelf hardware.
10/ but wait, we also want trusted boot, encrypted drives, etc. Are we going to build these on custom boards?

If we fail to leverage existing large production processes, we'll have to reinvent the wheel for every major security feature, at the tiny scale of the voting machine market.
11/ I haven't yet broached the fact that voting machines today are so expensive that counties keep them for 10 or 15 years. Do you know anything that's still secure 15 years later?

We need machines upgraded much more often. Cheaper machines. We can't do it without off-the-shelf.
12/ so we should absolutely require that voting machines disable wifi in a strong manner. Maybe no wifi drivers installed. Maybe a privileged setting that cannot be accessed in normal use.

But if we ban wifi *hardware*, we end up with voting tech more expensive and less secure.
13/ this issue is being fought right now in the standard-setting process led by @EACgov. I don't agree with all the aspects of the new standard, but on this point EAC got it right: disabling wifi in software is good enough.
14/ some folks who are arguing for hardware disabling are not doing so in good faith: they want to remove all tech from voting, and this is their poison pill.

Never mind that many millions of voters need accessible voting that should be secured with good tested tech.
15/ most of the folks arguing for hardware wifi disabling *are* doing so in good faith. I just think they may not be seeing the trade-off. It's not as clear a tradeoff if you're not actually building voting equipment.
16/ nevertheless our field of voting tech must mature. Security is about tradeoffs. We must move beyond the too-simple arguments that pile on requirements w/o care for resulting complexity.

@EACgov is doing the right thing here.
You can follow @benadida.