Voatz, the Massachusetts-based company touting a blockchain-enabled mobile voting app, has been met with public criticism for a lack of transparency, among other things, particularly when it comes to data security. And with the threat of election tampering, the stakes are as high as ever. Voatz has been used in elections in West Virginia; Jackson County, Oregon; Umatilla County, Oregon; municipal elections in Utah County, Utah; as well as in runoff elections and municipal elections in Denver, Colorado.

The public security audit by a reputable third-party firm that experts have been calling for is here at last. In December 2019, Voatz and Tusk Philanthropies, which funded most of Voatz’s mobile voting pilots, engaged security firm Trail of Bits to conduct a comprehensive white box audit. Although Voatz failed to provide a backend to live-test malicious attack vectors, Trail of Bits had access to all of the source code, including the core server, Android client, iOS client and administrator web interface. The audit report is comprehensive, and includes a 122-page security review and a 78-page document on threat-modeling considerations. Here’s a quick rundown of the main parts.

The appeal of blockchain voting is that it’s a decentralized system that doesn’t require voters to trust anybody. But the blockchain Voatz uses doesn’t actually extend to the mobile client. Instead, Voatz has been applying the votes to a Hyperledger Fabric blockchain, which it uses as an audit log — something just as easily done by using a database with an audit log. The code Trail of Bits looked at did not use custom chaincode or smart contracts. In fact, the report reads: “All data validation and business logic are executed off-chain in the Scala codebase of the Voatz Core Server.
Several high-risk findings were the result of data validation issues and confused deputies in the core server that could allow one voter to masquerade as another before even touching the blockchain.”

Because voters do not connect directly to the blockchain themselves, they can’t independently verify that the votes reflect their intent. But anyone with administrative access to Voatz’s back-end servers has the ability to “deanonymize votes, deny votes, alter votes, and invalidate audit trails.”

The report found that the Voatz system doesn’t have any mitigation for deanonymizing voters based on the time their ballot was recorded in the blockchain. Although Voatz’s FAQ claims that “once submitted, all information is anonymized, routed via a ‘mixnet’ and posted to the blockchain,” this was called into question in an MIT report — and now again in this audit. “There does not appear to be, nor is there mention of, a mixnet in the code provided to Trail of Bits,” the audit reads. “The core server has the capability to deanonymize all traffic, including ballots.”

On Feb. 13, MIT researchers published the aforementioned report, “The Ballot Is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections,” to which Voatz responded with a blog post the same day to refute what it called a “flawed report,” leading the MIT researchers to post an FAQ with clarifications. It turns out that Voatz’s refutation was written three days after Trail of Bits confirmed the presence of the described vulnerabilities to MIT, having received an anonymized summary report of the issues from the United States Department of Homeland Security. This suggests that Voatz was aware that the report was accurate before publicly discounting it. The audit also disputes some of Voatz’s objections to the MIT researchers’ reports.
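The timing-based deanonymization risk the audit describes is easy to make concrete. The Python below is an added example, not code from the Voatz system or from the Trail of Bits audit. It simulates, with constructed data, a server receive log (which knows who sent each ballot) and an audit ledger (which records pseudonymous ballot ids with commit timestamps), measures how often ledger entries can be linked back to voters by timestamp alone when ballots are appended as they arrive, and shows how holding ballots until an epoch closes and committing them in shuffled order shrinks that link rate. The epoch length, commit latency and arrival spacing are assumptions, as are all names.

```python
"""Timing-correlation check for a ballot audit log, plus an epoch-batching
mitigation. Added example with constructed data; it models no real system."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Submission:
    voter_id: str       # the receiving server knows who sent the ballot
    t_received: float   # seconds since some origin when it arrived


@dataclass(frozen=True)
class LedgerEntry:
    ballot_id: str      # pseudonymous id written to the audit chain
    t_committed: float  # timestamp of the chain record


def make_submissions(n, seed=1):
    """Constructed arrivals, spaced 5-60 s apart (an assumption)."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for i in range(n):
        t += rng.uniform(5, 60)
        out.append(Submission(f"voter{i:03d}", t))
    return out


def commit_immediately(subs, latency=0.5):
    """Naive design: each ballot is appended as soon as it is validated.
    Returns the ledger and the true ballot->voter mapping used for scoring."""
    entries, truth = [], {}
    for i, s in enumerate(subs):
        bid = f"ballot-{i:04d}"
        entries.append(LedgerEntry(bid, s.t_received + latency))
        truth[bid] = s.voter_id
    return entries, truth


def commit_in_epochs(subs, epoch_len=600.0, seed=7):
    """Mitigation: hold ballots until the epoch closes, then append the whole
    batch in random order, every record stamped with the epoch close time."""
    rng = random.Random(seed)
    buckets = {}
    for i, s in enumerate(subs):
        k = int(s.t_received // epoch_len)
        buckets.setdefault(k, []).append((f"ballot-{i:04d}", s.voter_id))
    entries, truth = [], {}
    for k in sorted(buckets):
        batch = buckets[k][:]
        rng.shuffle(batch)
        for bid, vid in batch:
            entries.append(LedgerEntry(bid, (k + 1) * epoch_len))
            truth[bid] = vid
    return entries, truth


def link_by_time(subs, entries):
    """What someone holding both the receive log and the chain can infer:
    pair each record with the latest submission that arrived before it."""
    guess = {}
    for e in entries:
        cands = [s for s in subs if s.t_received < e.t_committed]
        guess[e.ballot_id] = (max(cands, key=lambda s: s.t_received).voter_id
                              if cands else None)
    return guess


def linkability(subs, entries, truth):
    """Fraction of ledger records correctly tied back to a voter by time."""
    guess = link_by_time(subs, entries)
    correct = sum(1 for bid, vid in truth.items() if guess[bid] == vid)
    return correct / len(truth)


def min_batch_size(subs, epoch_len=600.0):
    """Smallest anonymity set the batching design produces; a batch of one
    gives no cover, so a deployment would need a floor on this value."""
    counts = {}
    for s in subs:
        k = int(s.t_received // epoch_len)
        counts[k] = counts.get(k, 0) + 1
    return min(counts.values())


def compare(n=50):
    """Link rate for immediate commits versus epoch batching."""
    subs = make_submissions(n)
    e1, t1 = commit_immediately(subs)
    e2, t2 = commit_in_epochs(subs)
    return linkability(subs, e1, t1), linkability(subs, e2, t2)


if __name__ == "__main__":
    naive, batched = compare()
    print(f"immediate commit: {naive:.2f} linked; epoch batching: {batched:.2f} linked")
```

With immediate commits every record is linked, because the only ballot that arrived just before each commit is the one it belongs to. With batching, timing alone identifies at most one ballot per epoch, so the rate falls to roughly one over the batch size. Batching closes only the timing channel: the server that receives the ballot still knows who sent it, which is the administrative-access point the audit makes, and that requires the mixnet or equivalent that the auditors could not find in the code.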
Voatz stated that the Android app analyzed was 27 versions old, but Trail of Bits wrote that it “did not identify any security relevant changes in the codebase” since the September 2019 version of the app used by the MIT researchers that would substantively affect their claims. Voatz also took issue with the researchers developing a mock server, calling it a “flawed approach” that “invalidates any claims about their ability to compromise the overall system.” Voatz even wrote that this practice “negates any degree of credibility on behalf of the researchers.” But Trail of Bits claims that “developing a mock server in instances where connecting to a production server might result in legal action is a standard practice in vulnerability research. It is also a standard practice in software testing.” Furthermore, the report points out that the findings focused on the Android client, but did not rely on in-depth knowledge of the Voatz servers. Despite Voatz touting multiple security audits, this is the first time a white box assessment has been conducted, with the core server and backend having be