Cyber Saturday—Denver Votes on Blockchain, Facebook Password Snafu, 'LockerGoga' Ransomware

Denver and West Virginia Deserve Praise for Voting on Blockchain

As the world waits to learn what is contained within the Mueller report, the culmination of Justice Department special counsel Robert Mueller’s investigation into Russian interference in the 2016 U.S. presidential election, it seems appropriate to expand on last week’s column about the security of electronic voting systems.

I recently spoke to Nimit Sawhney, CEO and cofounder of Voatz, the blockchain-based, mobile voting software provider, whose technology West Virginia piloted during last year’s general midterm election. Sawhney came up with the idea for the project with his brother when the two competed in—and won—a hackathon at Austin’s SXSW festival in 2014. Since then, Sawhney has formally established a company, based in Boston, to develop the product.

Voatz’s technology is making inroads. Sawhney’s 14-person team recently won over Denver, Colo., as the second testing ground for its voting system. The city is trialling the app in its May 7th municipal election, early voting for which starts today.

I asked Sawhney why he decided to incorporate a blockchain into his system. He says it’s so that IT administrators within and outside his company can’t manipulate or delete records at will. Voatz uses so-called permissioned ledgers, meaning only authorized parties can operate them. In this case, the voting database is distributed across 32 computing nodes running the Linux Foundation’s Hyperledger Fabric and Hyperledger Sawtooth software on machines hosted by Amazon Web Services and Microsoft Azure. Voatz stewards the nodes alongside select nonprofits that act as independent monitors, a small cadre Voatz hopes to expand to include other major stakeholders—political parties, media entities, and others—over time.

While Sawhney says he’s excited about the potential of public blockchains, like Ethereum, to become part of the infrastructure of elections, his prospective customers are more wary. “Early feedback we received from election officials was that they were very uncomfortable with nodes running in potentially unfriendly part of world,” Sawhney tells me.

Sawhney believes blockchains can imbue the electoral process with greater transparency. The technology “gives citizens the ability to audit an election,” he says, noting that ballots submitted through Voatz return digital receipts that allow voters to verify their intentions. “You have a sense of trust that is backed by irrefutable mathematics rather than somebody telling you, These are the results and you must believe them,” Sawhney says.
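To make the "citizens can audit" and "admins can't alter records" claims concrete, here is an added illustration that is not Voatz's code (the page does not describe Voatz's ledger format or receipt scheme, so the record layout, the receipt being the entry hash, and the three-node monitor set are assumptions): a hash-chained, append-only ledger replicated to independent nodes. An insider can rewrite their own copy so it still self-verifies, but the voter's receipt stops matching there and the independent monitors' heads no longer agree.

```python
import hashlib
import json
GENESIS = "0" * 64

def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

class Ledger:
    """Append-only log; each entry commits to the hash of the previous entry."""
    def __init__(self):
        self.entries = []
    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, record: dict) -> str:
        prev = self.head()
        body = json.dumps(record, sort_keys=True)
        entry_hash = _sha256(prev + body)
        self.entries.append({"prev": prev, "body": body, "hash": entry_hash})
        return entry_hash  # handed back to the voter as a receipt

    def verify_chain(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _sha256(prev + e["body"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def verify_receipt(self, receipt: str, record: dict) -> bool:
        # Voter checks the ballot they cast is present under their receipt.
        body = json.dumps(record, sort_keys=True)
        return any(e["hash"] == receipt and e["body"] == body for e in self.entries)

def build_ledger(records: list) -> Ledger:
    # Constructed stand-in for an independently hosted copy fed the same ballots.
    ledger = Ledger()
    for r in records:
        ledger.append(r)
    return ledger

def rewrite_history(ledger: Ledger, index: int, record: dict) -> None:
    # Model an insider who edits one record on their own node and recomputes later hashes.
    records = [json.loads(e["body"]) for e in ledger.entries]
    records[index] = record
    ledger.entries = build_ledger(records).entries

def nodes_agree(nodes: list) -> bool:
    # Independent monitors compare heads; one rewritten copy breaks agreement.
    return len({n.head() for n in nodes}) == 1
```

A receipt that lets anyone confirm a specific choice also creates the coercion risk the column raises below; real designs must let a voter confirm inclusion without being able to prove how they voted.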

Electronic voting systems are not bulletproof, however. Threats resulting from vulnerabilities, hackers, and physical coercion raise grave security concerns. Yet, conversely, these systems bear obvious benefits. They’re much more accessible than paper-based ballots, at least to smartphone owners. And they hold promise for enfranchising citizens who are disabled, traveling abroad, or serving in the military.

Despite the advantages, many security professionals find it impossible to overlook the risks. Sawhney understands critics’ objections. “No system is 100% safe,” he concedes. But, to this, he adds an addendum: “That’s true of paper-based systems as well.”

“We realize there are lots of opposing forces—people who hate and disapprove of what we’re doing,” Sawhney says. But, he continues, “we feel this is really important and needs to be done for progress to happen.”

All technologies are double-edged swords. The trick lies in blunting the blade when one falls into the hands of adversaries.

Besides, if Estonia can do it, maybe the U.S. can too.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Leek soup. Facebook accidentally stored hundreds of millions of people’s passwords in plaintext. Elsevier, the scientific journal publisher, accidentally exposed subscribers’ email addresses and passwords. Motherboard says it has been trying to alert an unnamed consumer spyware company that it has leaked 20 gigabytes of users’ audio and video files, but the company has not replied after the reporters’ weeks of attempts to get in touch. By the way, if you’re wondering what the owner of a company feels like after accidentally leaking millions of people’s personal information, Wired has you covered.

Out of control. Facebook, YouTube, and other tech concerns utterly failed to keep copies of the Christchurch massacre from proliferating on their sites, a failing that speaks to the magnitude of the content moderation problem they face. The New York Times’ editorial board is calling on these companies to limit their “own usability and reach” in the interest of public safety. Meanwhile, the creator of 8chan, a den of Nazi-inspired hatred where the shooter allegedly posted a comment before committing his heinous acts, told the Wall Street Journal he has misgivings about how the site has devolved into a cesspit of hatred. If society is going to address the rampant spread of toxic speech online, then the internet needs “to be totally redesigned and re-engineered with more censorship in mind,” he said.

Norwegian wouldn’t. Norway’s Norsk Hydro, one of the world’s biggest aluminum companies, succumbed to a crippling ransomware attack that affected global plant operations on Tuesday. Recorded Future, a threat intelligence firm, published some insights about the type of malware, called LockerGoga, while Kevin Beaumont, an information security expert, explained how the attack likely went down. With help from Microsoft, Norsk has begun restoring its systems from backups. Relatedly, two other businesses, Hexion and Momentive, both American chemical companies, were hit by similar attacks, reports Motherboard.

News you can use. Google released a couple of tools to curb the spread of misinformation online. The first helps news organizations tag “debunking” stories to give them a search engine boost, while the second offers a database of these fact-checking stories which journalists can draw from in their reporting. Facebook’s WhatsApp is also testing a fake news-fighting tool that reveals the original source of media shared and forwarded within the app.


ACCESS GRANTED

Private eyes. World governments are increasingly buying spyware, intelligence, and disinformation services from a crop of shady private firms, many based in the Middle East. The New York Times delved into this bustling, mercenary market in an investigation this week. Political regimes are using tools created by companies such as NSO Group and DarkMatter for all sorts of purposes, ranging from hacking drug cartels and terrorist groups to spying on journalists and political dissidents.

Today even the smallest countries can buy digital espionage services, enabling them to conduct sophisticated operations like electronic eavesdropping or influence campaigns that were once the preserve of major powers like the United States and Russia. Corporations that want to scrutinize competitors’ secrets, or a wealthy individual with a beef against a rival, can also command intelligence operations for a price, akin to purchasing off-the-shelf elements of the National Security Agency or the Mossad.

NSO and a competitor, the Emirati firm DarkMatter, exemplify the proliferation of privatized spying. A monthslong examination by The New York Times, based on interviews with current and former hackers for governments and private companies and others as well as a review of documents, uncovered secret skirmishes in this burgeoning world of digital combat.

FORTUNE RECON

Facebook Left Hundreds of Millions of Passwords Unencrypted. Here’s How to Change Yours Right Now by Alyssa Newcomb

House Oversight Committee Investigating Jared Kushner’s Use of WhatsApp for Foreign Communications by Renae Reints

Tesla Accuses Former Employees and Start-Up Zoox of Stealing Trade Secrets In Lawsuit by Erin Corbett

Most Companies Aren’t Ready for California’s Tough New Privacy Law by Danielle Abril

Jeff Bezos Texts May Have Been Leaked to the National Enquirer by Girlfriend’s Brother by Don Reisinger

New Zealand Criticizes Facebook’s Handling of Mosque Attack Footage by Grace Dobush

ONE MORE THING

FUDdruckers. The cybersecurity market is so overcrowded that vendors are resorting to intensely aggressive scare tactics to grab the attention of corporate security executives: lies, blackmail, and other unsavory ploys, reports CNBC. One common method is to frame minor issues as emergencies, and then to pivot into sales pitches. The overload of misdirection may be damaging the security postures of big businesses: “as one executive said, ‘I distrust most of them [vendors], so it’s possible I miss the people who may be trying to raise actual issues.’”