Voting Machine Vendors, Election Officials Continue To Look Ridiculous, As Kids Hack Voting Machines In Minutes
from the voting-village-strikes-again dept
Last year at Defcon, the Voting Machine Hacking Village showed just how bad the security was on electronic voting machines. This is not a surprise, of course. It's a topic we've covered on Techdirt going back almost 20 years. But what's still most incredible is how much the voting machine manufacturers and election officials continue to resist the efforts of security experts to explain all of this. Even earlier this year, there were reports about the insane lengths that voting machine vendors were going to to try to stop Defcon from obtaining their machines:
Village co-organizer Harri Hursti told attendees at the Shmoocon hacking conference this month they were having a hard time preparing for this year's show, in part because voting machine manufacturers sent threatening letters to eBay resellers. The intimidating missives told auctioneers that selling the machines is illegal -- which is false.
Meanwhile, election officials have been whining about the whole thing, and telling people not to pay any attention to all of this:
Election officials from the National Association of Secretaries of State (NASS) bristled at the demonstrations, saying they didn't reflect what could actually happen on Election Day. So did voting machine vendors, which argued it would be difficult for adversaries to gain the level of access necessary to tamper with equipment.
Leading voting machine vendor ES&S put out a completely bullshit letter to its customers basically saying "don't pay any attention to Defcon." That letter was expertly debunked and mocked by reporter Kim Zetter:
In advance of the @VotingVillageDC tomorrow, ES&S sent a message to customers today with their comments about the hacking village and the security of their machines. I've pasted their memo below, with some annotation from me. pic.twitter.com/6eQUYuuGJA
— Kim Zetter (@KimZetter) August 10, 2018
Also, memo to ES&S: when hackers are trying to help you improve the security of your shitty machines, whining that they're "breaking licensing agreements" is not a good look. But, it's the hill ES&S has ridiculously decided to die on:
In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal.
And, of course, all this hand-waving failed to stop the inevitable. The news is full of stories, often revolving around the hook that an 11-year-old hacked into and changed votes on a replica Florida state website:
The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.
Lots of other hackers were successful as well:
After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations.
And while the Secretaries of State continue to insist that this is not a real world replica, Defcon folks disagree:
Nico Sell, the co-founder of the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, said an 11-year-old girl also managed to make changes to the same Florida replica website in about 15 minutes, tripling the number of votes found there.
Sell said more than 30 children hacked a variety of other similar state replica websites in under a half hour.
“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday. “These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.”
The really incredible part of this, of course, is that election officials and voting machine vendors don't embrace Defcon's vote hacking village. That would open up important lines of communication, rather than all this sniping. Indeed, Defcon folks made the effort only to be mostly ignored:
“The Voting Village conducted an outreach effort that was more extensive than any other organization. The Village mailed invitations to almost 7,000 election officials, made over 3,500 live calls, and sent two emails to nearly every single election official in the country, inviting them to participate at DEFCON and the Voting Village.”
While it appears that a few election officials came (including some from Illinois, Colorado and Ohio), many others did not, preferring to just complain about the demonstration. The end result, of course, is that they look silly and petty -- and unconcerned with the terrible security associated with their machines.
Filed Under: defcon, e-voting, hacking, voting, voting integrity
Companies: es&s
Reader Comments
11-year-old is good, but...
[ link to this | view in chronology ]
Re: 11-year-old is good, but...
[ link to this | view in chronology ]
Re: Re: 11-year-old is good, but...
[ link to this | view in chronology ]
Voting machine company: "This was a useless test of the machine's vulnerabilities. Eleven-year-olds can't vote. So your machines are safe from them getting into and changing any records."
[ link to this | view in chronology ]
That's fair
In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal.
I mean, that's certainly a valid argument, everyone knows that the sort of people who would hack a voting machine would absolutely be the sorts that would stop in a moment the second they realized that doing so would violate the licensing agreement regarding the software.
They're criminals trying to undermine if not shift an election, something with potentially huge repercussions, but that doesn't mean they'd be rude enough to ignore a license, and as such simulated hacking that does so isn't really an accurate scenario, and can be completely dismissed as non-representative of reality.
[ link to this | view in chronology ]
Re: That's fair
- Every useless politician.
[ link to this | view in chronology ]
Re: That's fair
[ link to this | view in chronology ]
Re: Re: That's fair
[ link to this | view in chronology ]
Pointy-haired boss security: 'If I can't see it, it isn't there'
Possible, but in this case I'd go with stupidity/laziness/CYOA rather than malice as the likely culprit. It's much cheaper to pretend that things are nice and secure rather than admit that the very expensive voting systems that have been purchased are so laughably insecure that literal children are able to crack their security.
An admission like that makes the company look all sorts of bad (potentially to the 'bankruptcy' point), the people who purchased voting machines from them all sorts of stupid, and the latter on the hook for scrounging up the funds to replace everything after a potentially lengthy search to find an actually secure system.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
The new machines are unhackable? ... lol, sure they are.
Automatic teller machines have been around for some time and there have been a few stories about how they are susceptible but not to the extent that voting machines are. Shows where the priorities lie.
[ link to this | view in chronology ]
Re: Re: Re:
It's not like someone manipulating the voting machines is 'buying' the election, amiright?
Don't be surprised if local machines use playground bully counting rules, 1 for you, 2 for me, 2 for you, 3 for me, etc... I win again??? imagine my surprise :)
[ link to this | view in chronology ]
Re: Re:
But depending on how outdated the machine is, it is still a gauge on the risks election authorities are willing to take, just by accepting voting machines in the first place.
Pen and paper is work-intensive to defraud and the more you want to fudge the numbers, the harder it is. Voting machines are as easy as the hack and you can change the vote-winner to "Downeaster Alexa" if you want, without much work needed: The damage potential from voting machines is a lot larger than from "pen and paper"-fraud, making the question of security that much more important.
"Security by obscurity" is stupidity. In this case the approach of the voting machine manufacturers is the equivalent of that. Sitting in a corner and screaming "fake news!" at everything is not as good as providing evidence, but it sure is a hell of a lot easier!
[ link to this | view in chronology ]
Mixed Metaphors
[ link to this | view in chronology ]
As if election day is the prime window during which hacking any part of the system is going to occur.
[ link to this | view in chronology ]
DEFCON is a three-ring circus compared to actual security circles.
"Hackers “breach” election equipment during a highly publicized workshop via methods that bear no resemblance to the real world. Workshop sponsors report their success to credulous reporters who print them under inflammatory headlines. And voters are worked into a lather, inspiring larger and larger budgets. Vendors are standing by, ready to capitalize on this cycle of fear and misinformation."
Voting Machines, Fake News, and the Future of Democracy.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Microsoft, Apple, and other major OS makers pay close attention to those events for security vulnerabilities to patch.
If tech companies pay attention to such events to improve their products, and think they reflect the real world enough to pay attention to, why wouldn't voting machines?
[ link to this | view in chronology ]
Re: Re: Re:
My polling place is staffed entirely by volunteers. All of them have access to the machines and could compromise them. Also, with many elections going down to a few thousand votes deciding the winner, only one or two actual precincts need to be compromised to change an election.
Your article was also written a week before the conference. So how can you call the results of this conference bearing no resemblance to the real world?
[ link to this | view in chronology ]
Re:
"“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday."
So you were there? I look forward to your in-depth analysis of the methods they used and how you formed your opinion.
[ link to this | view in chronology ]
Re:
"Actual security circles" ... which I'm certain you are familiar with - lol, not.
Did you know that people actually within said "security circles" attend, present papers and participate in this convention because there are things to learn? Unlike yourself, they do not already know everything.
[ link to this | view in chronology ]
I don't see why the hackers would need to agree to any license agreements when they aren't making any copies of the software. What exactly are they supposed to be getting out of these agreements? You don't need a license to use software. How exactly does the hacker get bound up into a license agreement?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Isn't there even an anti-circumvention exemption for security research?
[ link to this | view in chronology ]
Someone somewhere is benefiting. If it is that easy to hack a voting machine and they are not keeping paper trails, then someone somewhere is taking advantage of that.
That would be a strong incentive not to want change to more secure. At this point one can not help but feel voting is just another fraud these days.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
List of officials they emailed and phoned?
[ link to this | view in chronology ]
Government agencies would promote such events and put up large vuln bounties. Vendors would proudly seek to demonstrate that their offerings are fit-for-purpose.
Instead they lie about it and try to suppress it, or, at best, ignore it. Can you really blame people for assuming the worst?
[ link to this | view in chronology ]
Re:
I am fine with using the machines to speed up counting, but there should always, always, always be a human count for the official records. Have a team of volunteers (must be different from the volunteers who staffed on election day), backed up by an impartial official, count the votes and their number is the actual one used. The digital one is just used for verification. If there is any discrepancy between human and digital greater than 0.5% and the vote total is close enough where the discrepancy would matter, it forces a recount for both systems.
Rinse and repeat until a result is agreed upon.
[ link to this | view in chronology ]
Ok, I want info..
I would LOVE to know.
Because if it takes more than a 486dx100, I think something is REALLY WRONG..
[ link to this | view in chronology ]
Re: Ok, I want info..486
Dell has donated about 20 newer machines that are mounted below the SOS approved tally computers and use their same keyboards & mice.
In 2004, Cisco had donated a 6ft. tall '19-inch rack-mount' that had its own closed room within the 3,500 sq ft room where voter-ink-dotted cards are brought in to be run through the 20 tally stations. Los Angeles County Register Of Voters promised that the Cisco machine would be turned off on the first Tuesday in November, but its closed room is not visible from public observing windows.
When we took the Precinct volunteer class for this last Primary, we were told that LA County was going to 'tablets' in the voter booths soon.
[ link to this | view in chronology ]
A positive note
A marked paper ballot is fed into and stored in a counting machine. At the end a sampling of precincts are re-tallied on a separate machine to verify. All the machines are tested after they are prepared and cannot be opened by individual poll workers. No chads, no missing electrons, very little fuss.
There are times in life where a little inefficiency is a good thing, this is one of them.
[ link to this | view in chronology ]
Wondering When History Would Repeat ...
[ link to this | view in chronology ]