Vice Publishes Bullshit Nonsense Article Blaming DEFCON Voting Village For 'Stop The Steal' Idiots

from the this-is-bad-reporting dept

Vice News has some really great reporters on tech issues who work for its Motherboard publication. For reasons that don't make sense, last week they had some other reporter write an absolutely ridiculously bad story trying to argue that the "stop the steal" idiots were helped along by the amazingly important work done by folks in the famed "Voting Village" at the DEFCON conference. The full article is long and bad and has the ridiculous and misleading title: How an "Ethical" Hacker Convention Is Fueling Trump's Big Lie. But the very premise of this story is not just wrong, but dangerously stupid. It's shameful that anyone at Vice thought this was an appropriate story to publish.

The facts are this: there have been quite reasonable concerns about the security and technology in certain electronic voting machines going back decades. In fact, Techdirt covered tons of these stories, which were often about problems with the security in early machines, the lack of paper trails for the votes, and (perhaps most importantly) the unwillingness of the voting machine companies to work transparently with actual security researchers who could help harden those machines. Voting Village was set up in DEFCON as a response to that, in which these ethical hackers would get their hands on voting machines, seek out the vulnerabilities in order to help harden the security and improve these machines. It's how cybersecurity has always worked.

And while it is true that some of the Stop the Steal grifters have tried to take some of the headlines or presentations from DEFCON and pretend that they prove that the 2020 election was hacked or broken or whatnot, that's got nothing to do with Voting Village "helping" them. If it weren't for Voting Village, those same grifters would have found other reports and other news stories to misinterpret and to make their unsubstantiated claims.

The simple fact is that just because security researchers have concerns about some voting machines, and have worked to highlight where security vulnerabilities might be, that does not mean that an election is easily hacked, or that any election was actually hacked. That's the kind of thing that the "stop the steal" grifters have never been able to show and all of the evidence to date has failed to substantiate.

Paragraphs like this are utter nonsense:

And then there is DEFCON. The experts here agree that there was no evidence of widespread voter fraud in the 2020 election, and many have worked hard to debunk those conspiracy theories. But with its sensationalist rhetoric, flashy theatrics, unstructured hacking, and lack of context about how elections operate, DEFCON also emphasizes the vulnerabilities that are possible, even when they’re not necessarily probable. As a result, the event serves as easy fodder for dis- and malinformation, showing how even well-intentioned experts are being used to prop up the Big Lie.

Yeah, it emphasizes vulnerabilities are possible because of course they're possible. That's just being factual and accurate. And, on top of that, the way to minimize those vulnerabilities and to better protect elections is to allow security researchers to find those vulnerabilities, report them, and seek better ways of protecting voting. And that's exactly what Voting Village does. Arguing that they should somehow be blamed because idiots are misrepresenting their work, as if the work was the problem is so disingenuous to be effectively disinformation.

Or as security researchers Rob Graham rightly notes:

As he notes later in the thread, "pretty much all government transparency information is at some point misrepresented by conspiracy theorists" but that's no excuse to say we should have less transparency.

Others, like Kim Zetter -- one of the best cybersecurity reporters ever -- point out that the reporter's main sources for the article appear to be people close to voting tech companies and election officials, which are the two groups of people who are most frequently embarrassed by the security research that comes out of Voting Village. In other words, this was a hit piece, put in place by folks who have long wanted to destroy Voting Village. In fact, Zetter highlights that one of the main sources quoted in the article has complained about Voting Village for years, which seems like extremely relevant context that was left out of the article.

Others noted that many of the actual experts in this space -- names which have been mentioned on Techdirt frequently, like Alex Halderman and Matt Blaze -- are not quoted in the article at all. The author claimed that while he spoke to many such experts he didn't have room to include their quotes. Maggie MacAlpine, a Voting Village organizer notes that neither she nor any of her colleagues were quoted, and the article is full of "unattributed, and factually incorrect statements."

Matt Blaze -- again, one of the foremost experts on election security issues -- summed up the nonsense premise of the article perfectly:

He later notes three important facts about the complicated world of computer security:

• There's been great progress securing US election infrastructure.
• There are still serious vulnerabilities and much work is left to be done.
• Yet there's no evidence technical attacks have altered election outcomes.

And the only reason the first bullet point is as true as it is, is because of the work of the security researchers like those who populate Voting Village every year at DEFCON. The only reason more work is progressing on the second point is because of the same thing. And articles like this one in Vice make that much, much more difficult.

Do better, Vice.

Filed Under: defcon, electronic voting, security research, voting, voting village
Companies: vice

Voting Machine Vendors, Election Officials Continue To Look Ridiculous, As Kids Hack Voting Machines In Minutes

from the voting-village-strikes-again dept

Last year at Defcon, the Voting Machine Hacking Village showed just how bad the security was on electronic voting machines. This is not a surprise, of course. It's a topic we've covered on Techdirt going back almost 20 years. But what's still most incredible is how much the voting machine manufacturers and election officials continue to resist the efforts of security experts to explain all of this. Even earlier this year, there were reports about the insane lengths that voting machine vendors were going to to try to stop Defcon from obtaining their machines:

Village co-organizer Harri Hursti told attendees at the Shmoocon hacking conference this month they were having a hard time preparing for this year's show, in part because voting machine manufacturers sent threatening letters to eBay resellers. The intimidating missives told auctioneers that selling the machines is illegal -- which is false.

Meanwhile, election officials have been whining about the whole thing, and telling people not to pay any attention to all of this:

Election officials from the National Association of Secretaries of State (NASS) bristled at the demonstrations, saying they didn't reflect what could actually happen on Election Day. So did voting machine vendors, which argued it would be difficult for adversaries to gain the level of access necessary to tamper with equipment.

Leading voting machine Vendor, ES&S put out a completely bullshit letter to its customers basically saying "don't pay any attention to Defcon." That letter was expertly debunked and mocked by reporter Kim Zetter:

Also, memo to ES&S: when hackers are trying to help you improve the security of your shitty machines, whining that they're "breaking licensing agreements" is not a good look. But, it's the hill ES&S has ridiculously decided to die on:

In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal.

And, of course, all this hand-waving failed to stop the inevitable. The news is full of stories, often revolving around the hook that an 11-year-old hacked into and changed votes on a replica Florida state website:

The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

Lots of other hackers were successful as well:

After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations.

And while the Secretaries of State continue to insist that this is not a real world replica, Defcon folks disagree:

Nico Sell, the co-founder of the the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, said an 11-year-old girl also managed to make changes to the same Florida replica website in about 15 minutes, tripling the number of votes found there.

Sell said more than 30 children hacked a variety of other similar state replica websites in under a half hour.

“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday. “These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.”

The really incredible part of this, of course, is that election officials and voting machine vendors don't embrace Defcon's vote hacking village. That would open up important lines of communication, rather than all this sniping. Indeed, Defcon folks made the effort only to be mostly ignored:

“The Voting Village conducted an outreach effort that was more extensive than any other organization. The Village mailed invitations to almost 7,000 election officials, made over 3,500 live calls, and sent two emails to nearly every single election official in the country, inviting them to participate at DEFCON and the Voting Village.”

While it appears that a few election officials came (including some from Illinois, Colorado and Ohio), many others did not, preferring to just complain about the demonstration. The end result, of course, is that they look silly and petty -- and unconcerned with the terrible security associated with their machines.

Filed Under: defcon, e-voting, hacking, voting, voting integrity
Companies: es&s

Guy Who Accidentally Stopped WannaCry Ransomware Detained After Defcon

from the and-thank-you-for-your-service dept

Update: He's been indicted for his alleged role in creating a different malware, Kronos. More below.

As you may recall, earlier this year, when the WannaCry ransomware was spreading like wildfire, it was accidentally stopped by a security researcher in the UK who was (mostly) known only by the pseudonym MalwareTech. He wrote about the whole experience after having tweeted about it earlier. Basically he spotted the domain that WannaCry was pinging and saw that it wasn't registered -- so he registered it, if just to track the spread of the malware. But, that process actually stopped WannaCry from spreading due to the way the ransomware was designed. The story of someone accidentally stopping a massive malware breakout was a good one and it was widely covered by the press. MalwareTech got lots of good press out of it... and as a thank you, at least one UK publication doxxed him and revealed his name, his age, some of his social media photos and even what he liked to eat. That wasn't very nice. Still, now it's known that Marcus Hutchens is MalwareTech, and people should be thanking him.

Anyway, like many security folks and hackers, MalwareTech made his way to Defcon and Black Hat this year... and got his second big "thank you." According to Motherboard, US authorities have detained him in an undisclosed location.

At the time of writing it is not clear what charges, if any, Hutchins may face. According to the now public indictment, Hutchins is accused of developing the Kronos malware that was a trojan that targeted banks. There's a second defendant, whose name and information is redacted (suggesting he hasn't been arrested just yet...) who then went out and appears to have promoted Kronos and tried to sell it.

So the specific charge includes:

MARCUS HUTCHINS, aka "Malwaretech" knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce.

In violation of Title 18, United States Code, Sections 2512(1)(c)(i), and 2.

There's also a conspiracy charge tying all of this together. As always, an indictment is just one side of the story, and at least from what's in there, the evidence isn't that strong (there may be a lot more evidence to come). There appears to be a lot more evidence against the other, unnamed, defendant who tried to sell Kronos. The only thing they say about Hutchins, really, is that he wrote it, and then the indictment tries to make it a conspiracy, claiming he conspired with the other defendant who tried to sell Kronos.

Needless to say this will be an interesting case to pay attention to.

On a separate note, in what hopefully is just a coincidence, the Bitcoin addresses that were connected to WannaCry (where they asked victims to send Bitcoins to decrypt their computers) were drained of all their money this morning...

Filed Under: defcon, detained, fbi, malwaretech, marcus hutchens, wannacry

Dutch Journalist In Legal Trouble For Showing How New Transit Card Is Easy To Defraud

from the imprison-the-messenger dept

Three years ago, the Boston Subway system (MBTA) got plenty of attention for getting a judge to block some MIT students from presenting a paper at DEFCON that showed how the MBTA's magnetic strip cards were vulnerable to hacking. Of course, all that really did was provide that much more attention for the weaknesses in the MBTA system. It seems we may be in for a repeat performance, of sorts, of this kind of "blame the messenger" approach from a public transporation group -- and this time it's by the very journalist who stepped in and did a presentation to replace the MIT kids who could not.... DEFCON regular, Dutch journalist Brenno de Winter won't be attending DEFCON this year because the Dutch transporation companies are taking legal action against him for daring to do his job as a reporter and highlight security problems with the Dutch transit system's "OV transit chip card." De Winter, quite reasonably, points out that both European and Dutch courts have supported journalists for reporting on security weaknesses -- and yet he still faces a legal fight that could net him six years in prison. Even worse, it appears that even the threat of such things now has de Winter self-censoring:

"They are effectively banning me from doing my job because if I write about this card, I have to think about the consequences," said 39-year-old de Winter, of Ede, The Netherlands. "I'm writing a book and I have to leave whole chapters out."

This is no way at all to thank someone who finds a flaw for you to fix, but the Dutch transportation conglomerate appears hellbent on making life difficult for those who point out technical problems, rather than just fixing the problems.

Filed Under: brenno de winter, defcon, free speech, netherlands, reporting, security

MBTA Will Work With MIT Students, Rather Than Suing Them, To Improve Security

from the a-good-move,-a-little-late dept

You may recall, back in August, that the Massachusetts Bay Transportation Authority convinced a judge to ban the Defcon presentation by three MIT students, showing how weak the security was on the Boston transit system, and how easy it was to get past it. Of course, in trying to ban the talk, the MBTA only succeeded in getting a lot more attention for its own security vulnerabilities -- and, in the end, the judge lifted the gag order anyway, allowing the students to present their research.

The good news is that the MBTA has now dropped the lawsuit and done what it should have done in the first place: agreed to work with the students to come up with ways to improve security. It's good that they eventually came to this conclusion -- though still mind-boggling that they went down the legal route first.

Filed Under: bans, defcon, mit, obscurity, security, subway
Companies: mbta

Boston Subway System Stops Defcon Talk; But Paints Security Target On Its Back

from the yeah,-that'll-work dept

You would think after years and years of it backfiring every time some scared organization tries to shut down a talk concerning their security vulnerabilities, that people wouldn't even bother any more. But never underestimate the short-sightedness of some execs. The Massachusetts Bay Transportation Authority uses a magnetic strip card system to access the subway system in Boston. That system is not particularly secure, and some enterprising MIT students planned to demonstrate just how weak the security was on the system this weekend at the Defcon conference... until the MBTA convinced a judge to ban the presentation and demand that all copies of the presentation not be released -- which is problematic since all attendees at the conference already obtained CDs with a copy of the presentation. Also, somewhat ironically, a copy of the presentation was entered in as evidence in the case, and that copy is now publicly available as part of the court records system. Oops.

Of course, even if the court had actually been able to stop the distribution of the presentation, it's silly to think that this would have stopped the dissemination of the methods for hacking the system. The truth is that the MBTA's system uses woefully weak security, and rather than doing anything to strengthen it, it has to threaten some bright MIT students and get a court order to pretend the such security vulnerabilities don't exist. And, of course, in doing this, all the MBTA has really done is painted a huge target on its back. Perhaps it should have just focused on making its system a bit more secure instead.

Filed Under: bans, defcon, mit, obscurity, security, subway
Companies: mbta