Biggest Voting Machine Maker Admits -- Ooops -- That It Installed Remote Access Software After First Denying It
from the you-guys-are-soooooooo-bad-at-this dept
We've been covering the mess that is electronic voting machines for nearly two decades on Techdirt, and the one thing that still flummoxes me is how are they so bad at this after all these years? And I don't mean "bad at security" -- though, that's part of it -- but I really mean "bad at understanding how insecure their machines really are." For a while everyone focused on Diebold, but Election Systems and Software (ES&S) has long been a bigger player in the space, and had just as many issues. It just got less attention. There was even a brief period of time where ES&S bought what remained of Diebold's flailing e-voting business before having to sell off the assets to deal with an antitrust lawsuit by the DOJ.
What's incredible, though, is that every credible computer security person has said that it is literally impossible to build a secure fully electronic voting system -- and if you must have one at all, it must have a printed paper audit trail and not be accessible from the internet. Now, as Kim Zetter at Motherboard has reported, ES&S -- under questioning from Senator Ron Wyden -- has now admitted that it installed remote access software on its voting machines, something the company had vehemently denied to the same reporter just a few months ago. That was then:
In a statement, ES&S said, ‘‘None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software.’’
This is now:
In a letter sent to Sen. Ron Wyden in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them.
This should be a massive scandal considering the potential impact on our democracy, but considering all the other scandals going on right now with the potential to impact our democracy, expect this one to not get nearly enough attention. Wyden's own comment on this is noteworthy:
Wyden told Motherboard that installing remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner.”
As for the pcAnywhere software ES&S had installed on those voting machines, well...
In 2006, the same period when ES&S says it was still installing pcAnywhere on election systems, hackers stole the source code for the pcAnyhere software, though the public didn’t learn of this until years later in 2012 when a hacker posted some of the source code online, forcing Symantec, the distributor of pcAnywhere, to admit that it had been stolen years earlier. Source code is invaluable to hackers because it allows them to examine the code to find security flaws they can exploit. When Symantec admitted to the theft in 2012, it took the unprecedented step of warning users to disable or uninstall the software until it could make sure that any security flaws in the software had been patched.
Around this same time, security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password.
So... that's disturbing.
Anyway, elections are a very tricky problem to do securely. It is a nearly impossible task. But there are lots of things that you clearly should not do, and for some reason, the e-voting manufacturers seem to want to do all of them, and don't seem particularly apologetic about any of it. And, while in the past the idea of hacking an election may have seemed far fetched and conspiracy-minded, these days... not so much. This is a key issue concerning our democracy, and the most incredible thing is how flippant many people are about all of this. Computer security professor Matt Blaze, who knows more about any of this than anyone reading this points out that "in the more than quarter century I've been doing computer security, I've never encountered a problem space nearly as difficult or complex as civil elections."
And yet, we're letting people who don't understand even the slightest bit of the problems and challenges run the show. What a mess.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: e-voting, electronic voting, pcanywhere, remote access, remote access software, ron wyden, security, voting
Companies: diebold, es&s
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Flagged.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Don't worry, the antivirus software will protect us!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Maybe I am more patient than most, but I am cool with waiting until that Friday to know who will be responsible for funning the country for the next few years. Hell even if it costs a few million extra dollars to pay the volunteers for overtime, its worth it.
Is this perfect? Hell no. It is still vulnerable to volunteers who have agendas* and early scanned results being manipulated. But its far better than the current system.
*I once had an election volunteer who clearly had an issue with a specific demographic voting. I was in college in an area that was a mix of students and residents. This volunteer would clearly single out students for minor issues and put them on provisional ballots. For example, she complained my signature on their dumb electronic pad did not match my ID exactly. I mean it had to match exactly. Every single twirl or slash had to be identical. She made me redo it three times, eventually giving me a provisional ballot. Meanwhile, she barely looked at the ID of the elderly resident who registered after me. So yah no way is a hand count system perfect. But I'd still rather have "Ms I hate Liberals Voting" than Hacker Mc Hacky changing results. At least Ms. I Hate Liberals would face jail time if they found out she lied.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Yes, that still means they're somewhat negligent and irresponsible. It also means though that anyone taken by surprise by this are in for a long bumpy ride in the world of tech.
[ link to this | view in chronology ]
Re:
It is certainly questionable.
[ link to this | view in chronology ]
Re: Re:
Security is hard, which makes the ability to access the system harder should be the norm. Paper ballots might be the way to go, though as pointed out elsewhere they have issues as well, the question is, can a system be established that is good enough.
With an open source hardware/software/firmware/OS project, could we create something that is as good, or better that what we have now? While the experts say no, I am thinking they are responding to existing systems. What if they helped to create a new system (maybe blockchains, also mentioned elsewhere, could help) with many eyes looking at it (also mentioned elsewhere). Perfect security might be a panacea, but what about better security?
[ link to this | view in chronology ]
Re: Re: Re:
If you want security in your operating system there is OpenBSD where:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
They can also be set up so that one terminal presents the ballot, and a separate terminal has to be plugged in to do anything else on the system, and that can be made so that the case has to be opened to do so for extra security.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
'have ever been found' being the key phrase here.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
"In the default install" is the key phrase. Because the default install is quite limited.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
What if the machine had a self-programming FPGA? Some can take advantage of unique manufacturing flaws in hardware, preventing the resultant software from working on another machine.
[ link to this | view in chronology ]
Of course they did
[ link to this | view in chronology ]
Re: Of course they did
The same way everybody else does: lobbying and campaign contributions.
I'm much more inclined to chalk security weaknesses in voting machines up to incompetence than malice -- just like security weaknesses in everything else. If an American company that already has contacts with local politicians wants to influence elections, there are easier, more effective, less risky ways to do it than tampering directly with the voting machines.
That's not a defense, mind. There's no excuse for bad security practices, especially on voting equipment, and just because I don't see any reason to believe the manufacturers themselves are tampering with election data doesn't excuse leaving the door open for someone else to do so.
We need better security audits of our voting machines, and there should be serious financial repercussions for companies that make voting machines with glaring security flaws.
[ link to this | view in chronology ]
So we have a vector for a LOT of meddling.
Can they trace if it's ever been used to tamper with an election?
Can they fix the machines so they're not remotely accessible?
Because if the answer is no this is going to crush confidence further regarding elections in the US.
[ link to this | view in chronology ]
Re: So we have a vector for a LOT of meddling.
Maybe I'm a cynic, but I think it likely that a ridiculously small minority of our countrymen will hear about this, let alone utter a single word to anyone else regarding the matter.
[ link to this | view in chronology ]
Re: Re: So we have a vector for a LOT of meddling.
It seems the general public's list of what is important begins with putting food on the table and having shelter. I guess that is not important.
[ link to this | view in chronology ]
Food and Shelter
That seems to be the first order of business of every dystopian state: Keep the proles busy just sustaining themselves and they'll never have time to look up and see how awful everything is.
Giving the US the benefit of the doubt, I think we attained that by accident, encouraging everyone to be competitive and to offer themselves as an low-cost, high-performance employee, especially once it became an employers' market.
So now everyone is overworked and underpaid and has not even the energy to rear their children, let alone be mindful of civic affairs.
Which is just the way our corrupt aristocracy wants it. Score!
[ link to this | view in chronology ]
Electronic voting machines just don't cut it.
With paper ballots, the amount of votes a particular crook can manage to tamper with is rather limited. With electronic voting machines, not so much.
I know of large industrial projects in a Western country proceeding without valid permissions because there were billions at stake and the people casting the decision were confident that money would find a way to bribe all the necessary neuralgic points.
And it did.
The results of an elections are worth more, and the number of people to bribe quite fewer.
Bribing your way through paper ballots, in return, is much harder. Essentially you have to bribe the majority of voters (which is what campaign promises are all about) and, well, then it's the voters' fault and/or profit and that's what democracy is about: people at least deserve what they are getting then. But it's also a comparatively expensive manner of tilting the tables.
[ link to this | view in chronology ]
The advantage of electronic voting machines...
...is that they count the votes better than humans do.
Unless we count them much the way we did in the 2000 Florida recount in which a small committee examines each ballot and deliberates over whether hanging chads nullify a vote.
The problem is not the electronic voting machine, but the security problems presented by them, and if we solve that we might even be able to enable internet voting.
Open sourcing software would make it difficult to cheat.
In Europe there's been some looks into using blockchain tech to affirm that votes are registered and counted correctly without interference.
[ link to this | view in chronology ]
Re: The advantage of electronic voting machines...
Nonsense. State-level actors have created awfully involved malware that kept hidden for years. Intel has created processor-level malware (with its "Management engine") that is near impossible to disable. The Spectre and Meltdown vulnerabilities are for us to stay.
Open Source cannot help against all that, and additionally it does not help against compile chain bootstrap maladies which don't need to remain in the source code after the malware has been bootstrapped.
A device that cannot be verified and monitored at the time of its operation by nominated non-specialist officials has no place in a crucial point of voting.
[ link to this | view in chronology ]
Re: The advantage of electronic voting machines...
But it's possible to use a machine to count votes without using a machine to cast them.
I'm still inclined to believe that, in most cases, casting a vote with pen and paper is the best option. If a machine is then required to count the votes, use an optical scanning machine.
Of course, that still means the optical scanning machine is a failure point and a security risk.
[ link to this | view in chronology ]
Re: Re: The advantage of electronic voting machines...
[ link to this | view in chronology ]
Re: tl;dr
[ link to this | view in chronology ]
Their software "hoovers up" anything in the documents folder, actively searches for Excel and Word documents, parses them looking for "interesting" words and then sends documents wholesale back to the central server for "processing"
(i.e. information stealing).
Also doesn't help that Norton is the equivalent of locking your door at night then blowing a hole in the wall with a grenade.
Norton will happily run stuff if it even THINKS it came from symantec's website (.exe and .msi files etc) and it's so easy to spoof it's unbelievable anyone would use their software anywhere!
[ link to this | view in chronology ]
NO SYSTEM is perfect..
There are problems with this..IF you can get your hands on the device, and play with it, you can take time to DO ANYTHING..
Part and parcel of the problem is a bunch of companies that Cant program CRAP, and use the Standards and programming CURRENTLY available..
There are ALLOT of tricks and hacks that can be done to make it HARD AS HELL to do anything with the hardware..
you have to get thru the hardware FIRST..
Then the Software has to PROTECT itself.
How in hell cant a Programmer and hardware person design something that is FAIRLY protected from instant ONSITE changes??
Im sorry, but I think a GOOD system could be build, and SHOULD be at least 90% effective.
NOW if you want to compare a paper system that we use MOSTLY, with what can be done to corrupt that system... You would need a small amount of history and understand of HOW the system WORKED in the past.
ANd how many persons in this nation have been disuaded from voting..
[ link to this | view in chronology ]
What's the.....
[ link to this | view in chronology ]
Re: What's the.....
[ link to this | view in chronology ]
Invaluable to the rest of us
Quoth Zetter:
It’s unqualified claims like this that allow voting machine designers to avoid open-sourcing their products. I’d like to think he’s using “hacker” in the old sense of the word, but probably not. Either way, this statement is both too specific and misleading. Source code is also invaluable to those who want to understand/audit this crucial software, and making source code publicly available is, of course, good for security.
The idea that, for the public’s safety, voting source code should only be available to some NDA-bound developer priesthood needs to be killed dead.
[ link to this | view in chronology ]
That runs contrary to Linus' law
Given enough eyeballs, all bugs are shallow
[ link to this | view in chronology ]
Re: Invaluable to the rest of us
[ link to this | view in chronology ]
Re: Re: Invaluable to the rest of us
[ link to this | view in chronology ]
Re: Invaluable to the rest of us
Indeed, what we got here was the worst-case for a security-through-obscurity regime: the source code wasn't publicly available, but it was acquired by a malicious third party. That way, the only people (outside of the developers) who were auditing the source code were malicious actors. If the source code had been released for everybody, then white hats could have searched for vulnerabilities in order to disclose and fix them.
[ link to this | view in chronology ]
Re: Re: Invaluable to the rest of us
If the source code had been released for everybody, then white hats could have searched for vulnerabilities in order to disclose and fix them.
Followed by being sued and/or threatened with lawsuits for their actions, because as any good pointy-haired manager knows those flaws weren't there until the blasted hackers told people about them!
[ link to this | view in chronology ]
Re: Re: Re: Invaluable to the rest of us
[ link to this | view in chronology ]
Posting security findings anonymously
Even the super-temporary fake-email address services?
[ link to this | view in chronology ]
Re: Invaluable to the rest of us
[ link to this | view in chronology ]
To the contrary, let's connect them.
As soon as it is feasible to make voting machines robustly secure without the air gap, let us do so. I think that is ultimately what the future of voting holds.
I get that we're struggling to get there. I get that among the obstacles to a net-secure voting system is lack of concern by those officials who got themselves elected / appointed through outside meddling.
But ultimately, being able to vote while connected is a step towards being able to vote by connecting, which will increase voter turn out.
And yes, some people don't want that. Screw those guys.
[ link to this | view in chronology ]
Re: To the contrary, let's connect them.
I can't see the comment you're responding to, but it looks like you're advocating for online voting?
I don't believe it's ever going to be feasible.
The problem is this:
There needs to be a mechanism whereby (1) I can verify that my vote has been recorded correctly, (2) nobody else can tell how I voted, and (3) I can't vote twice.
I only know one way of doing that: my identity is verified and a record is made that I have voted; my vote is recorded on a piece of paper that does not identify me; I put that piece of paper in a box.
(Technically this doesn't actually satisfy (1), because it still requires trust that the people responsible for counting my votes are honest and competent. But ultimately, that's inherent in any democratic system; if the people responsible for tabulating the votes cannot be trusted, then the whole system is compromised.)
[ link to this | view in chronology ]
Re: Re: To the contrary, let's connect them.
I think it is possible, if not by using hash-codes, digital signing, asymmetric encryption and blockchaining then by using a technology related to them.
Eventually there would be a public blockchain of any given election that anyone could access, and confirm that their own vote is still in there. They should also be able to run the tallying software and get a sum of all the votes for any given election.
Granted it may require that individuals are responsible to keep and back-up their own access keys. If you lose your key, your own data is gone. But this is a degree of password hygiene we've wanted to encourage the public to sustain anyway.
The problem human beings cannot be assured to be honest or competent. We've just long assumed they were because the darkness in which they worked was securely impenetrable.
[ link to this | view in chronology ]
Re: Re: Re: To the contrary, let's connect them.
Well, that and election results are usually within the margin of error of polling data.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
A little mistake
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
That didn't take long, did it?
[ link to this | view in chronology ]
Survivor bias?
For the losers? Rigged election? Well, they would say that wouldn't they?
[ link to this | view in chronology ]