Nov 24, 2016

It has its own problems: https://jhalderm.com/pub/papers/ivoting-ccs14.pdf

Jun 14, 2016

Sure, apt is secure. However, I don't think that's what's being discussed. If I remember correctly, the researchers were complaining about how Linux ISOs were downloaded, not packages. (The writer of the rebuttal seems to be confusing these, which is, again, concerning.) To quote their paper:

> Despite procedural safeguards, an attacker who strikes early enough can introduce malicious code into the counting server by using a chain of infections that parallels the configuration process. During pre-election setup, workers use a development machine, which is configured before setup begins, to burn Debian Linux installation ISOs to DVDs. These DVDs are later used to configure all election servers. If the machine used to burn them is compromised—say, by a dishonest insider, an APT-style attack on the development facility, or a supply-chain attack—the attacker can leverage this access to compromise election results.

> We experimented with a form of this attack to successfully change results in our mock election setup. We first created a modified Debian ISO containing vote-stealing malware intended to execute on the counting server. The tainted ISO is repackaged with padding to ensure that it is identical in size to the original. In a real attack, this malicious ISO could be delivered by malware running on the DVD burning computer, by poisoning the mirror it is retrieved from, or by a network-based man-in-the-middle.

> During the setup process, election workers check the SHA-256 hash of the ISO file against the SHA256SUMS file downloaded via anonymous FTP from debian.org. Since regular FTP does not provide cryptographic integrity checking, a network-based man-in-the-middle could substitute a hash that matched the malicious ISO. However, this hash would be publicly visible in videos of the setup process and might later arouse suspicion.

(https://jhalderm.com/pub/papers/ivoting-ccs14.pdf)
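The weakness in the quoted setup step, shown as an added example (not code from the comment or from the paper): when the image and the SHA256SUMS file arrive over the same unauthenticated channel, a size check and a hash check both pass for a substituted image, and only a digest obtained over an authenticated channel catches it. The file name, the byte strings standing in for ISO images, and the idea that the trusted digest comes from a signature-verified SHA256SUMS are assumptions for illustration.

```python
import hashlib
import hmac

def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into a dict."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*").strip()] = parts[0].lower()
    return sums

def check_image(image, name, fetched_sums, trusted_digest, expected_size):
    """Report which checks an image passes.

    fetched_sums   -- SHA256SUMS text as downloaded (unauthenticated over plain FTP)
    trusted_digest -- assumption: a digest obtained over an authenticated channel,
                      e.g. from a SHA256SUMS whose detached signature was verified
    """
    digest = hashlib.sha256(image).hexdigest()
    listed = parse_sha256sums(fetched_sums).get(name, "")
    return {
        "size_matches": len(image) == expected_size,
        "matches_fetched_sums": hmac.compare_digest(digest, listed),
        "matches_trusted_digest": hmac.compare_digest(digest, trusted_digest),
    }

# Constructed sample data: tiny byte strings stand in for the ISO images.
NAME = "debian-installer.iso"  # hypothetical file name
GENUINE = b"genuine installer contents".ljust(64, b"\0")
TAMPERED = b"modified contents".ljust(len(GENUINE), b"\0")  # padded to equal size

def sums_for(image):
    return f"{hashlib.sha256(image).hexdigest()}  {NAME}\n"

TRUSTED = hashlib.sha256(GENUINE).hexdigest()

def scenario_substituted_hash():
    # Both the image and the SHA256SUMS file were replaced in transit.
    return check_image(TAMPERED, NAME, sums_for(TAMPERED), TRUSTED, len(GENUINE))

def scenario_genuine():
    return check_image(GENUINE, NAME, sums_for(GENUINE), TRUSTED, len(GENUINE))

if __name__ == "__main__":
    print(scenario_substituted_hash())
    print(scenario_genuine())
```

In the substituted scenario only `matches_trusted_digest` is false, which is why the hash comparison has to be anchored to something the download channel cannot rewrite.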