Notices by Matt Blaze (mattblaze@federate.social), page 2

Thanks to the tariff craziness, they expedited a repair for a camera I had to send overseas so they could ship it back before new duties were to take effect. Expected to take 4-6 weeks, actually took 4 days.

It's especially notable that none of these "smoking guns" were raised by the Harris campaign or any other candidate to contest the election results before they were certified. Mostly because they don't actually show evidence of fraud.

Elections are decided by the votes reflected on the ballots that were cast, not by how well those votes conform to polling or prior elections.

I'm currently being swarmed on Bluesky by a posse that's mad at me for failing to acknowledge that the 2024 election was clearly stolen. I honestly have no idea if this is a bot army or real people. It's a very attractive explanation for the outcome of an election that disappointed you, so it's very easy to peddle stuff like this.

There's an elaborate, but mostly meaningless "analysis" floating around that purports to "prove" that the 2024 election was stolen. It consists of stats and graphs of supposedly "anomalous" voting patters in a handful of cherry-picked counties.

The graphs are very pretty, but they just aren't evidence of fraud. They're very similar to the supposed "proof" that the 2020 election was stolen.

"Proof" that reenforces what you want to believe has to be approached with extreme caution.

Election security is back in the news, and it's easy to be taken in by confident but specious claims of "hacked elections". There *are* technical vulnerabilities in US election infrastructure, but fortunately so far there's no they've been exploited to alter an election outcome. I know that's frustrating, but it's the reality we live in.

Want to learn more? Read on.

- My top suggestion: Become an election day poll worker! It's an important service and you'll learn a ton!

- This National Academies report is the best overall summary of of election security which I'm aware, and despite being published in 2018 is still current: https://nap.nationalacademies.org/catalog/25120/securing-the-vote-protecting-american-democracy

- Here's a paper outlining the technical issues and solutions: https://georgetownlawtechreview.org/wp-content/uploads/2020/07/4.2-p505-522-Blaze.pdf

- I gave a talk at Columbia last year on the state of election security: https://www.cs.columbia.edu/distinguished-lectures/2024-Fall/Matt_Blaze.mp4

Unfortunately, I have to say this again:

US election infrastructure isn't perfect and there's still work to do to make it more secure. But there is simply no credible evidence that the 2020 election outcome was altered through technical attacks, despite exhaustive scrutiny.

Shortly after the 2020 election, when these discredited claims were first raised, 58 of my colleagues and I issued this statement:

https://www.mattblaze.org/papers/election2020.pdf .

Nothing we've learned since then alters my assessment.

@sophieschmieg exactly. The great thing about Signal is you can bootstrap with another user quickly and easily and without having to trust much about the infrastructure. And that makes it highly useful for lots of things. But totally the opposite of what you need to enforce a well defined centralized hierarchy.

I should also note that when I say the cryptography in Signal is “probably fine; a practical attack would be a big surprise”, that’s about the best we can say about almost all cryptography used in the real world. No strong (not dependent on unproven assumptions) security proofs for much of anything you’d actually want to use.

I'm not dunking on Signal here (though there *are* some features and usability quirks I dislike). It's probably the best designed and implemented secure messaging platform *for general use* that we've got. I use and rely on Signal quite a bit myself.

But it's simply not designed for, or suitable for, classified national security communications.

For the record:

- The *cryptography* in Signal is probably fine; a practical attack would be a big surprise.

- Signal lacks specific features required for classified systems, such as security labels, certified identities, revocation, etc.

- Signal runs on uncontrolled, insecure platforms connected to the Internet, rendering it unsuitable for classified even if it had the above features.

- Adding classified features to Signal would make it unusable for most purposes for which it's intended.

If you were wondering how my day is going, I'm still being yelled at by Signal groupies who are mad at me for saying the app lacks special features for protecting classified information.

Thanks to everyone taking the time to explain trust management and communications security to me today. I’ll get it eventually.

@heidilifeldman There doesn't seem to be any reasoning in this decision that wouldn't apply to the rest of the deportees removed without any due process, too, other than that in this case the government admits it made an error (which doesn't seem especially relevant).

@kims *I'm* fine, of course. But this is so awful to watch, helplessly.

The one consolation is that my university seems to genuinely have these students' backs.

“Last month I was just worried about my classes. Now I’m worried that I’ll simply disappear.”

- From email from a talented student whose visa was just summarily cancelled because she’s from the wrong country.

God damn this.

The worst part for me is that I have no words to help or even offer meaningful comfort. I can't imagine how stressful this is, for so many.

Lighthouse, 2014.

All the pixels, none of the stairs to climb, at https://www.flickr.com/photos/mattblaze/15393439037

#photography

For those who don't follow legislative minutiae, there was a hearing on Salt Typhoon (and, inevitably, Signal) yesterday in House Government Reform.

My testimony focused on how Salt Typhoon was enabled by telecom wiretap mandates dating back to the Communications Assistance for Law Enforcement Act of 1994.

Video of the hearing and written testimony are online here: https://oversight.house.gov/hearing/salt-typhoon-securing-americas-telecommunications-from-state-sponsored-cyber-attacks/

Tech/Policy nerds: I'll be testifying tomorrow morning in House Government Oversight on "Salt Typhoon: Securing Americas Telecommunications From State-Sponsored Cyber Attacks", at 10AM in HVC-210. Hearing will be webcast.

Hearing website (which doesn't yet include all the witnesses or written testimony) is here: https://oversight.house.gov/hearing/salt-typhoon-securing-americas-telecommunications-from-state-sponsored-cyber-attacks/

I promise to be briefer in my remarks than Cory Booker.