image title

At risk in hack of Arizona voter database: Trust

ASU expert says hack of AZ voter registration data could erode trust in system
August 29, 2016

ASU cybersecurity expert says hacked database controls who is allowed to vote

Jamie Winterton

Arizona officials confirmed Monday that a voter registration database in the state has suffered a hack, although they believe no personal information has been compromised. Illinois' voter registration database suffered a similar breach.

Jamie Winterton (left), director of Strategic Research Initiatives at Arizona State University's Global Security Initiative, said the biggest risk is to the trust voters place in the electoral system, and whether or not everyone actually registered to vote will be allowed to when they show up to the polls.

Question: What’s the risk of voter registration systems being hacked?

Answer: When we think of “hacked elections,” we usually think of people breaking into electronic voting systems. That is a real concern – and it’s been done before. A team from University of Michigan and Princeton was able to install Pac-Man on voting machines from 2008 without breaking any of the tamper-evident seals – and if you can install Pac-Man, you can easily affect the vote tallying software! But this recent breach is different. It wasn’t on the voting machine software itself, but on the registration databases in Arizona and Illinois. Most of the information in the database is publicly available, so it’s not terribly concerning from an identity-theft perspective. What is worrisome, however, is that the voter database guides who is — and who is not — allowed to vote. With the possibility that Arizona will be a swing state this year, removing even a small percentage of voters from the database could swing the result. 

Q: Could this have an impact on particular voter groups?

A: The database is also how the state communicates with voters. It’s used to send early ballots and tell voters where their polling places are located. What if 10 percent of people in lower socio-economic areas were misled as to their polling location? What if Spanish-language ballots or election materials were not sent? The validity of our electoral system depends on consistent communication. That communication can easily be polluted if the voter database is tampered with. 

Q: What kind of attack was used on the voter registration system? Was it Russia again?

A: It’s not clear how the attackers got into the Arizona system. We know about the attack because the FBI found voter database credentials (like a login and password) on the dark web. The secretary of state’s office took the systems offline for over a week and changed all the credentials. We do know that in Illinois — a voter registration database attack that happened around the same time — the attackers used something called SQL injection. SQL stands for Structured Query Language; it’s how many databases are managed. When you type information into a box on a website — a username and password, for example — that website is probably using SQL to facilitate the conversation between you and the database, to make sure you have an account and the right credentials to access it. During a SQL injection attack, though, a hacker will type code into the box instead of a username, in an attempt to control the database. If the website doesn’t check to make sure that the inputs are valid, the code gets passed through to the database and can do things like dump information or allow modifications of the database. However, it’s also easy to protect against: Creating rules against nonsensical inputs — no one’s name has a "=" in it, for example — goes a long way towards protecting against SQL injection attacks.

Q: What will be the effect of this attack?

A: It’s hard to say what will come of this attack. Hopefully backup versions of the voter registration databases can be compared with the current version, to see where changes might have been made. Hopefully the systems will be patched and tested, and hardened against these kinds of attacks. 

There’s a building problem with trust and election systems, however. The U.S. has a fairly disenchanted electorate as it is. How will they respond to our election systems being violated? Even if the database checks out with a prior version, will people feel that their vote is still meaningful? Or will they feel that the election is rigged and not bother showing up to vote? When the results are in, will voters trust and abide them? Machines can be hacked, but so can people. We need to figure out how to patch them both.

Top photo courtsey Secretlondon, via Wikimedia Commons


image title

ASU experts dispute study that says Lucy fell from tree

August 29, 2016

It's not the conclusion that they object to, but the process used to reach it

Read this as a cautionary tale, and not about the danger of falling out of trees.

A study published Monday in Nature Communications claimed to have discovered that Lucy, the 3.18 million-year-old hominid discovered by paleoanthropologist Donald Johanson in the Ethiopian desert in 1974, died from falling from a tree.

Researchers at the University of Texas X-rayed Lucy’s skeleton on a rare visit outside Ethiopia with a machine designed to scan through materials as solid as rock. They believed they found a broken shoulder. After reviewing clinical literature and talking to about 10 orthopedic specialists, they concluded she fell out of a tree.

The problem is they didn’t rule out other possibilities. One of these is that geology works on anything buried for millions of years, said JohansonJohanson is the Virginia M. Ullman Chair in Human Origins and a professor in the School of Human Evolution and Social Change in the College of Liberal Arts and Sciences., founding director of the Institute for Human Origins at Arizona State University.

“It suggests to me that this was the result of geological forces rather than having fallen out of a tree,” Johanson said. “There’s a lot of pressure on these bones when they’re overladen with heavy rock like sandstone.”

The research tries to show that the 3.5-foot, 65-pound Lucy died from the fall from severe trauma, “what they call a terminal velocity event,” said William KimbelKimbel is the Virginia M. Ullman Professor of Natural History and the Environment in the School of Human Evolution and Social Change in the College of Liberal Arts and Sciences., director of the Institute of Human Origins.

However, it’s common for scientists to find the same type of bone breakage in lots of four-legged animals buried in sediments.

“Much of the breakage, trauma and deterioration shown on the bones is shown on so many — I’d say 80 percent — of the fossils we dig up,” Johanson said. Pigs, rhinos and horses “don’t live in trees; they don’t fall out of trees. They live on the ground.”

“I’m not convinced,” he said of the paper.

ASU paleoanthropologist Donald Johanson with the Lucy skeleton in the field

ASU paleoanthropologist Donald Johanson with the Lucy hominid skeleton bones (also pictured above) in the Ethiopian desert in 1974. Photo courtesy of the Institute of Human Origins

Kimbel, who has worked for decades at similar sites in East Africa, said he has found damage like this in animals ranging from hippos to hares.

“The probability of any of them having fallen out of a tree is precisely nil, of course,” Kimbel said. He was flabbergasted when he saw the news.

“To be honest, I did a double take and my first reaction was incredulity,” he said. “My first reaction was how could they know that? How could they conclude that?”

The University of Texas researchers relied almost exclusively on clinical literature and clinical expertise. The answers they got were entirely predictable, Kimbel said.

“If you ask an orthopedic surgeon to take a look at breaks like this, what other explanation is he going to give you?” Kimbel said. “The problem is the East African Rift Valley is not an emergency room. There are a wide array of forces that can break bones in this way.”

Where the University of Texas researchers fell short was a comprehensive examination of everything that could have happened, the ASU experts said.

“There are two basic issues here: The issue for science is not being able to tell a plausible story, the issue is to put forth a probable explanation for events that happened in the distant past,” Kimbel said. “The article simply does not offer us enough of a competition between all these competing factors. ... They did not put in place enough of the appropriate scientific safeguards to make this more than just a good story.”

Johanson agreed.

“They didn’t explore a lot of avenues,” he said. He hopes for more research in depth into breakage patterns. “I thought it was an interesting story.”

But not a good one, Kimbel said.

“The point of good science is not to tell a good story,” he said.

If Lucy had fallen out of a tree, it wouldn't change what has been learned from her in the past 42 years, Kimbel said.

“I don’t think anyone seriously doubted she could climb a tree — you can and I can," he said. "It doesn’t bear on the issue of whether she was primarily adapted to life on the ground as a two-legged walker. ... I don’t think it would challenge much of what we know about her biology.”

A cast of the Lucy skeleton on the ASU campus

A cast of the Lucy skeleton is on view in the reading room of the Institute of Human Origins office in the Social Sciences Building on the Tempe campus. Photo by Deanna Dent/ASU Now