Wow, this is a rather… childish response. It doesn't actually rebut the claims being made, they seem to dismiss everything with “so what”, as if they do not actually understand what is wrong. And the rest of the post is just deflection by making ad hominems, or complaining about things that weren't what the researchers said.
For example:
> 1. Debian Linux packages were downloaded from a place that the experts didn’t like.
> So they should’ve been downloaded a distro from a .ru or .su website?
They should have been downloaded over a secure connection and verified. Do you know what a MITM attack is?
> 2. The icon of a poker website could be seen on the desktop (was it actually a poker website or ‘an icon similar to the icon of a poker website’?).
> Of course, having this icon on the desktop of course discredits the user of that computer, their country and the entire European Union.
That they have gambling software, whose legitimacy is uncertain, installed on computers used for preparing servers for elections is concerning. Why introduce another possible threat vector?
> 4. The WiFi password of the local guest network could be seen on the wall.
> Oh dear, because the election servers (with the telephones and computers of all guests) are certainly connected to that WiFi network, their ILO ports greedily open.
No, the election servers aren't connected, but the computers used to prepare data for the election servers are.
> 5. The cameraman who shot the audit filmed an elections observer in such a manner that his password was captured on film.
> We do thank you for this observation – we will improve our cameraman’s training – but this is an error of the supporting process (the audit) and not the main process (the elections).
They should have been downloaded over a secure connection
That's not how apt works. The connection is assumed unreliable, the verification happens after download with the Debian keyring (already installed, and can be independently inspected and verified).
Sure, apt is secure. However, I don't think that's what's being discussed. If I remember correctly, the researchers were complaining about how Linux ISOs were downloaded, not packages. (The writer of the rebuttal seems to be confusing these, which is, again, concerning.) To quote their paper:
> Despite procedural safeguards, an attacker who strikes early enough can introduce malicious code into the counting server by using a chain of infections that parallels the configuration process. During pre-election setup, workers use a development machine, which is configured before setup begins, to burn Debian Linux installation ISOs to DVDs. These DVDs are later used to configure all election servers. If the machine used to burn them is compromised—say, by a dishonest insider, an APT-style attack on the development facility, or a supply-chain attack—the attacker can leverage this access to compromise election results.
> We experimented with a form of this attack to successfully
change results in our mock election setup. We first created
a modified Debian ISO containing vote-stealing malware
intended to execute on the counting server. The tainted
ISO is repackaged with padding to ensure that it is identical in size to the original. In a real attack, this malicious ISO could be delivered by malware running on the DVD burning computer, by poisoning the mirror it is retrieved from, or by a network-based man-in-the-middle.
> During the setup process, election workers check the SHA-256 hash of the ISO file against the SHA256SUMS file downloaded via anonymous FTP from debian.org. Since regular FTP does not provide cryptographic integrity checking, a network-based man-in-the-middle could substitute a hash that matched the malicious ISO. However, this hash would be publicly visible in videos of the setup process and might later arouse suspicion.
For example:
> 1. Debian Linux packages were downloaded from a place that the experts didn’t like.
> So they should’ve been downloaded a distro from a .ru or .su website?
They should have been downloaded over a secure connection and verified. Do you know what a MITM attack is?
> 2. The icon of a poker website could be seen on the desktop (was it actually a poker website or ‘an icon similar to the icon of a poker website’?).
> Of course, having this icon on the desktop of course discredits the user of that computer, their country and the entire European Union.
That they have gambling software, whose legitimacy is uncertain, installed on computers used for preparing servers for elections is concerning. Why introduce another possible threat vector?
> 4. The WiFi password of the local guest network could be seen on the wall.
> Oh dear, because the election servers (with the telephones and computers of all guests) are certainly connected to that WiFi network, their ILO ports greedily open.
No, the election servers aren't connected, but the computers used to prepare data for the election servers are.
> 5. The cameraman who shot the audit filmed an elections observer in such a manner that his password was captured on film.
> We do thank you for this observation – we will improve our cameraman’s training – but this is an error of the supporting process (the audit) and not the main process (the elections).
So? You've still had your password compromised.
I could go on.