Pennsylvania's Voting Machines Are Running Windows XP

Slashdot reader rmurph04 writes: As reported by CBS News, the battleground state of Pennsylvania might as well have a target on its back as Election Day nears, the cybersecurity company Carbon Black warned in a new report released Thursday. Across the state, most Pennsylvania counties use particularly high-risk electronic voting machines that leave behind zero paper trails, which could be useful to audit the integrity of votes cast. In addition, many of these machines -- called "direct-recording electronic" machines -- are running on severely outdated operating systems like Windows XP, which has not been patched by Microsoft since 2014.

According to the survey more than one in five registered U.S. voters may stay home on Election Day because of fears about cybersecurity and vote tampering. Respondents believe a U.S. insider threat poses the most risk (28%), followed by Russian hackers (17%) and then the candidates themselves (15%).

Desktop XP or XP POS

[lister+king+of+smeg]

Are they running the POS or embeded that are still getting updates? Just saying XP isn't exactly helpful.

Re:Desktop XP or XP POS

[0dugo0]

Who cares about the OS, these things could be running UNIX v6. The implementation matters. I'd stick with crayons though.

Re:Desktop XP or XP POS

[BarbaraHudson]

The summary is probably wrong (what else is new). How would they have tested without actually hacking into the machines? This is just one security firm claiming it,, without any proof. Also, Windows XP Standard Embedded is supported until 2019. Nothing to see here except an attention whore making speculations.

Re:Desktop XP or XP POS

You are right, XP is a piece of shit.

Re:Desktop XP or XP POS

[vux984]

To be fair, you don't have to hack a thing to necessarily know its running on XP. Maybe they saw one start up.

But you are right, the summary is probably wrong, and the leap from XP to "seriously outdated systems that haven't been updated since 2014" is sadly more likely to be mouthbreathers just looking up when XP Pro was EOL on google rather than actually finding out when the last time the units were updated.

Re:Desktop XP or XP POS

[thegarbz]

The OS matters because some OSes are more forgiving to poor implementations than others.

Re:Desktop XP or XP POS

[invictusvoyd]

No wonder George Bush won .

Re: Desktop XP or XP POS

[Zak3056]

I do agree with your point about paper trails (they are important, so a physical recount can be performed as both an audit tool and in the event of an issue with the machines), but the rest of your post is uninformative.

1. This is not one election, it's 51 separate elections. The elections determine the members of the electoral college, who actually vote for the president. Strictly speaking, there doesn't have to be an election at all--the states determine how to appoint electors. All of them currently choose to appoint their electors based on the result of a popular election, but they don't have to.

Montana could decide, tomorrow, that their citizens aren't going to vote for president this year, but the legislature will choose Montana's delegation instead.

2. The idea that "votes were sent to the RNC to be counted and the state subtotals were removed" is absolutely nonsensical. You're either woefully misinformed (which would be par for the course in the US these days, as everybody seems to have either failed civics class or never taken it) or are purposefully spreading disinformation. If you have to ask why, see point 1 above.

Re:Desktop XP or XP POS

[605dave]

You joke, but in 2004 I watched a machine in Texas change my vote from Kerry to Bush. I had selected Kerry but when I got to the final page it said Bush. I had to scroll back and change it. Not that it would have mattered in Texas.

Re:Desktop XP or XP POS

[invictusvoyd]

Wow !! I was joking !!.

Re: Desktop XP or XP POS

[BarbaraHudson]

This story has NOTHING to do with audit trails. Why? Because your stupid voting machines were purposefully designed so as to not provide an audit trail. Other countries manage to do paper ballots and have a winner within hours of the polls closing.

Re: Desktop XP or XP POS

[Coren22]

In Maryland, civics is a graduation requirement, my assumption is that that was a nationwide requirement as most education stuff is done federally now.

When I went to school, it was called US Government.

Stay at home, they may try rigging the election

[thegarbz]

What a dumb thought process. Someone may try rig the election so I'm not going to bother going to vote? Who's brain works like this?

Re:Stay at home, they may try rigging the election

What a dumb thought process. ... Who's brain works like this?

The same idiots who gave us a choice between Ms. repulsive and Mr. truly scary.

Re:Stay at home, they may try rigging the election

[overshoot]

Someone may try rig the election so I'm not going to bother going to vote? Who's brain works like this?

Someone who wasn't going to vote anyway, but this makes a better excuse than "Luke Cage is on."

Re:Stay at home, they may try rigging the election

[Hognoxious]

Who's brain works like this?

I have no idea who is brain. Pinky's friend?

Re:Stay at home, they may try rigging the election

What a dumb thought process. ... Who's brain works like this?

The same idiots who gave us a choice between Ms. repulsive and Mr. truly scary.

What's "truly scary" about Trump? The press will do it's job if Trump wins, and keep him honest.

Crooked Liar Hillary! is the truly scary one - the press has already completely abdicated it's role in keeping Crooked Liar HIllary! honest.

The press is so fawning over Crooked Liar Hillary! that she's allowed to get away with lying over and over again about commiting multiple felonies with her mishandling of classified data that "never existed" on a personal server that also "never existed".

"They weren't marked classified!" is an ACCEPTABLE EXCUSE for someone claiming to be qualified to be President?

The press has let Crooked Liar Hillary! get away with claiming "I'M TOO STUPID AND/OR INMCOMPETENT TO RECOGNIZE CLASSIFIED DATA, AND YOU'RE SEXIST!" as her excuse.

And that's just ONE thing Crooked Liar Hillary! has been DOCUMENTED to have PROVABLY LIED about.

Crooked Liar Hiilary! was NOT named after Sir Edmund Hilary - she was born six years before he climbed Everest.

Crooked Liar Hillary! was NOT shot at in Bosnia.

Crooked Liar Hillary! NEVER opposed the Trans Pacific Partnership - as Secretary of State she was one of its biggest boosters

And the press has let Crooked Liar Hillary! get away with all that - confirming that she's de facto above the law.

Please - tell us whats' more dangerous than a thoroughly corrupt, arrogant, sheltered, self-entitled 1%-er who's demonstrably above the law and who's demonstrably at the very least given the appearance of selling access and decisions affecting national interest for personal gain?

Because that's what's TRULY SCARY: Crooked Liar Hillary! selling out actual US national security and its citizens safety for personal gain. AND YOU KNOW SHE'S LIKELY TO DO IT, you just too fucking partisan to care.

Do you really think if Crooked Liar Hillary! had the choice between making $100 million for herself and her cronies, and enacting policies that would save 10,000 lives a year from starvation or death by war in Syria or Libya, Crooked Liar Hillary! would actually turn down the money? Yeah, YOU KNOW SHE'D TAKE THE MONEY AND LET THE PEOPLE DIE.

You fucking know.

But again, you're too fucking partisan to care.

Re:Stay at home, they may try rigging the election

Who's brain works like this?

I have no idea who is brain.

No, the OP seems to be questioning whether the brain of "Who" works like this. Unfortunately, we're no closer to knowing who's Who.

Re:Stay at home, they may try rigging the election

[thegarbz]

Who's brain works like this?

I have no idea who is brain. Pinky's friend?

Whose Pinky?

Re:Stay at home, they may try rigging the election

[hambone142]

Try watching George Carlin's video on why he doesn't vote.

We have no choices. They're both idiots and the American population seems to believe that they can't vote for anyone but a Democrap or a Repugnican.

Re:Stay at home, they may try rigging the election

[rtb61]

Apparently the corporate executive team that asked the questions. Going from link to link, finally to get some of the question, it is pretty clear the correlation between fears the vote will likely be hacked by the current US government and not bothering to vote is purely speculation, not going to vote actually reflects the dissatisfaction with the current election cycle.

It makes much more sense to vote third party than not to vote at all. It will be a very messy four years after the election, whom ever is elected will be subject to endless protests based upon sheer loathing and disgust. When it comes to the mentally disturbed fringes of politics, this could prove quite interesting and is sure to keep the FBI and Secret Service on their toes. When the public face of the elections are so awful, so abusive, so derogatory, then the turmoil, hate and potential for violence in the fringes becomes greatly exaggerated.

This expectation for this election are so low, it is not a matter of whether or no the elections will be, hacked and cheated, it is a matter of whether the Republican hacks or the Democrat hacks will dominate, you could imagine certain machines switching back and forward between the Democrats winning and the Republicans winning. This election has become a standing joke, the biggest loser being main stream media, very few people believe anything coming from US main stream media.

Re:Stay at home, they may try rigging the election

[Bob_Who]

Who's brain works like this?

I have no idea who is brain. Pinky's friend?

My Brain, that's Whose...
Who's me
Horton Hears me.
He never forgets a dinky pinky.

Re:Stay at home, they may try rigging the election

He's on first base

Re:Stay at home, they may try rigging the election

[Coren22]

Perhaps you should point out anything in the rant above that is inaccurate, I am having trouble finding anything there that is actually "ignorant".

Re:Stay at home, they may try rigging the election

[Coren22]

Please, point out what is false about those statements above, provide citations as well, as I can provide citations of each statement the AC made.

Used to suck, but not network connected

[ArtemaOne]

Granted, XP sucked SO bad when it launched. It was nearly unusable for the first year, then it just became tolerable to switch from Windows 2000 with SP1. But why the complaint? These are not network connected, so the concerns of the OS are really pointless. If there's a security threat, like open physical ports, then address those. XP isn't some boogey man. Be specific.

Re:Used to suck, but not network connected

[BarbaraHudson]

The person making the claim can't be specific. Being specific would not only get him exposed to hacking charges, but XP Embedded Standard is supported by Microsoft until 2019. The guy is an attention whore. OMG say it isn't so - an obscure CyberSecurity company trying to get attention and a TV station falling for it?

Re:Used to suck, but not network connected

[ArtemaOne]

XP sucked really badly at launch. Maybe if you went from Windows 98 or ME to XP, it could have seemed like an upgrade. But if you went from Windows 2000, which was probably the most solid operating system they've ever made, it was a huge let down. Tons of capability lost, despite the fact that it was just a transition from NT5 to NT5.1, much like going from Windows 7 Pro to Windows 10 Pro. The move also screwed with the NTFS making reverting back to Windows 2000 next to impossible without a huge pain in the butt of transferring files back and forth.

Re:Used to suck, but not network connected

[ArtemaOne]

To be clear, after SP1 it was a great OS, but the bugs in that first year far exceeded any of their releases since, including Vista and 10.

Re:Used to suck, but not network connected

[ArtemaOne]

Yeah, you just talked around all the points I made. Got it.

Re:XP, or Windows Embedded Standard 2009?

[BarbaraHudson]

Microsoft is supporting it to 2019. People have reported, and Microsoft has confimed ta registry hack that lets regular XP and XP Professional also get support by pretending to be Windows Embedded Stardard 2009.

That's surprising

[overshoot]

I would have figured Win98 or maybe WinME.

Re:That's surprising

[Fire_Wraith]

At least it isn't Win10, so we don't have to worry about them forcing an update on themselves the day before election day, then failing and going into an update loop.

What's the threat model?

[Chelloveck]

Unpatched XP? So what? What's the threat model? Are these things online? I'd be worried about the latest OS running today's patch set online. Are they worried about tampering by election officials? Physical access is access. Again, the latest patches won't help. What threat do they think will be thwarted by current software?

Re:What's the threat model?

[dwywit]

Exactly. Imagine the collective *gasp* if the machines were running Win 10!

Re:What's the threat model?

[jrumney]

Any OS patch made since the candidates were announced should be considered suspect. Voting machines should be offline an not allowed to be patched during the election cycle.

Re:What's the threat model?

[thegarbz]

Physical access is access. Again, the latest patches won't help.

You're ignoring an entire world of security upgrades and patches that have been released to countless OSes over the year to patch security holes that help prevent escalations when you have physical access. Not everything is about being online.

Re:What's the threat model?

[thegarbz]

No we'd be perfectly secure in that case. They would receive an update and reboot on election day, after coming up the touchscreen driver would magically have disappeared and all voting would cease. It's about the best possible outcome.

Re:What's the threat model?

[Bert64]

Voting machines should be simple devices for counting votes, not full blown computers running a general purpose OS. With a bare minimum of functionality there is less attack surface and less need to patch anything.

Re:What's the threat model?

[rubycodez]

all that gets you nothing in an election polling machine. the OS is almost irrelevant for this use case.

Any computer can be compromised with physical access regardless of OS

Re:What's the threat model?

[fgouget]

Unpatched XP? So what? What's the threat model?

Right. Patched or unpatched does not make much difference. The important thing is that they run a full blown OS, specifically Windows XP, which means 45 million lines of proprietary unauditable code (trade secret). And that's not counting all the other software the manufacturer added on top of it to turn it into a voting computer.

So an attacker has a wealth of juicy targets: the display driver, touchscreen controller, hundreds of drivers, etc. Anything he changes will be a straw in the middle of a haystack... even more so if he works for the manufacturer or is part of the team that defines the reference software platform.

Plus none of that matters for the voter: he will never be allowed to run a debugger or hook up a hardware monitor on election day to verify that the voting machine has not been tampered with, and with good reason since that would allow him to tamper with it. So even a knowledgeable voter will never be able to verify that the voting computer used on election day has not been hacked, which is totally unlike the situation for regular paper ballots boxes.

Re:What's the threat model?

[fgouget]

Voting machines should be simple devices for counting votes, not full blown computers running a general purpose OS. With a bare minimum of functionality there is less attack surface and less need to patch anything.

Even the simplest electronic voting machine can cheat and yet even they cannot be audited by voters on election day. So you're telling us that voters should trust the people they are voting out of office to organize fair elections! That's quite insane.

Not a problem

[rsilvergun]

I vote early. If you can't vote early in your state it's because somebody doesn't want you to. Let that thought sink in for a moment.

Re:Not a problem

[thegarbz]

I let it sink in and I don't get your point. You're implying early voting is some arbitrary switch rather than a long complicated and expensive process requiring systems and infrastructure in place to allow it.

Money talks and makes a far more compelling reason than any rigging scenario you could come up with.

Re:Not a problem

[jfdavis668]

The funny thing is that early votes are counted last. Not sure how voting early helps.

Re:Not a problem

[Patent+Lover]

Not everybody can just take time off from work on a Tuesday. Red states have given early voting a hard time. I wonder why.

In every election, a slim plurality decide

[HBI]

Historical turnout data

This "survey" is useless, since the number that normally don't turn out is more than the most hyperbolic security threat number they offer. If they said 50% were going to stay home, then i'd start to take notice.

Sounds like an excuse for laziness.

Why OS?

[ChrisMaple]

Voting machines should be open-source coded in assembly language to run directly on the hardware, and the hardware should be open source - something like a clean-room recreation of a 6502 or Z80. Every gate, every mask, should be verified by hand against the schematics, and every machine code in ROM disassembled by hand and compared against the source listings.

Nothing in the voting mechanisms should be capable of being hidden, nor should it be so complex that one person can't understand and verify the whole thing in a reasonable time, say 1 year.

That means no OS, no proprietary hardware or software, nothing but obvious routines running on "metal".

Re:Why OS?

[sinij]

Voting machines should be open-source coded in assembly language.

You can backdoor hardware just like you can backdoor compiler. Assembly only wins you lack of code readability so it is easier to hide code-based backdoors.

Re:Why OS?

[Bert64]

Assembly is only less readable than higher level source code, in many cases no source code is provided at all which is just as bad if not worse than providing assembly.

Re:Why OS?

[fgouget]

Voting machines should be open-source coded in assembly language to run directly on the hardware, and the hardware should be open source

Open-source software and hardware is useless for voting computers. What matters is allowing voters to verify that the hardware and software used on election day is the one that was audited. But of course nobody in their right mind would allow a random voter to hook up a hardware probe or run his own code(*) on the voting computer on election day!

(*) I hope you were not thinking of letting the (lying?) voting computer audit itself!

US State of Georgia only runs on Windows 2000

[garrett.rhodes]

Georgia, which in 2002 set out to be an early national model for the transition to computerized voting, shows the unintended consequences. It spent $54 million in HAVA funding to buy 20,000 touchscreen voting machines from Diebold, standardizing its technology across the state. Today, the machines are past their expected life span of 10 years. (With no federal funding in sight, Georgia doesn’t expect to be able to replace those machines until 2020.) The vote tabulators are certified to run only on Windows 2000, which Microsoft stopped supporting six years ago. To support the older operating system, the state had to hire a contractor to custom-build 100 servers—which, of course, are more vulnerable to hacking because they can no longer get current security updates.

Re:US State of Georgia only runs on Windows 2000

[Joe_Dragon]

diebold for GOP anyways but there ATM's are updated

Nathan for you

[bangular]

My favorite Nathan for you running joke is Windows 95. "You're still running Windows 95? My parents got rid of their Windows 95 computer because minesweeper stopped working."

They sure don't want me to vote in Texas

[shanen]

It's possible I'll get to vote anyway, but they rejected my ballot application the first time with several BS reasons (selected from a long list on the rejection form). Over the last few elections, it has been getting harder and harder to vote, and this latest voter-ID bogosity makes it much more difficult. And stupid.

The hilarious part is that my vote had already been rendered meaningless by the partisan gerrymandering and double-gerrymandering. My so-called Representative is such a worthless tool that they had to rejigger his district to keep it "safe". They are running out of room in the sacrificial districts where they pack in and waste the Democratic votes. They can't draw the district boundaries house by house! Or can they?

I sure hope it's worse than that from the dictators' perspective. The so-called Republicans (really former Dixiecrats "betrayed" by LBJ) have been driving Texas to the bottom so hard and making the state so cheap that a lot of damn Yankees have moved south. Maybe they are about to flip the state back to the Dems, even though the polls have trouble tracking and accounting for first-time-in-district voters. No evidence, but "some people are saying", as the Donald says.

(Also hurts them that Trump is killing the Hispanic vote. This latest insane TwitterWar is NOT the temperament of a potentially great president. If she would have just given him the damn blowjob as payback for maker her a winner, then none of this would have happened!)

Re:They sure don't want me to vote in Texas

[shanen]

Hate typos. Meant to say "making", not "maker" near the bottom.

Also thinking I should have mentioned that the tool is question is McCaul. He serves on 4 committees, including "Science, Space and Technology" and has frequently proved he knows NOTHING about science. However, the big laugh is the "Ethics" committee, since one of my degrees included philosophy of the Socratic sort. What a SAD joke, though Trump is the biggest joke to day.

Hyperbole and Strawmen....

[Lumpy]

The voting machines are NOT connected to the internet. They are also running EMBEDDED XP not desktop XP. No they can not be infected easily unless someone has physical access... and at that point every OS on the planet is easily cracked wide open if the attacker has their hands on the device.

Re:Hyperbole and Strawmen....

On the contrary, it's super-easy to infect them by infecting the developer machines first, because these guys patch the machines manually and there is no additional safeguard that protects against running untrusted code. For an effective attack you need to have the source code anyway, so you pawn the developer machines first in any case. I guarantee you that this is fairly doable even for private and fairly unorganized attackers.

Optical scan

[trout007]

What's wrong with optical scan? We use it in my country and its great. Just fill in the line. What's nice is you can 50 people in a room filling out the forms and one or two scanning machines that read then in a second and depot the paper in a locked box. Instant check to make sure you votes and o dublicates and easy to rescan later or manually count.

Logic problem

[RightwingNutjob]

Either it's running an old OS and it's vulnerable to unpatched exploits or it's always running the latest and greatest and it's vulnerable to code breaking because of changes to the OS. Can't have latest and greatest AND high reliability.

Say it again

[ThatsNotPudding]

AS INTENDED.

zOMG! Old Is Bad!

[kackle]

"...are running on severely outdated operating systems like Windows XP, ..."

So? News flash: Software doesn't wear out.

These things were designed by ATM makers

The fact that any voting machine leaves no paper record is criminal.

Re:Everything is Connected

[ArtemaOne]

Those are vulnerabilities to read information from them, which does not affect the outcome of an election. Maybe you should realize that before posting.

Let the viruses romp!

[Applehu+Akbar]

Pennsylvania will probably find itself electing Ruth From Card Services, or some guy in India who promises to repair your PC.

The big fail is...

[pentagramrex]

XP embedded doesn't get security updates. Because it is pick-and-mix, windows update doesn't work. Trying to make a Sasser fix was VERY hard work.

Re:Everything is Connected

[ArtemaOne]

Clearly you have no idea what you're talking about. Being able to read data off a closed system that contains public owned information is not a vulnerability. I am very familiar with OPSEC, and there is no data to be read from these machines that would affect anything. What are they going to read, the public owned vote data? They're closed systems, so anything read cannot be used as a vulnerability. Perhaps you should study about INFOSEC.

Hand Counted Paper Ballots are the answer

Don't be fooled with claims of paper backup trails and the like, it is not possible to verify a vote on any electronic black box voting machine.

The only way to verify a vote is using hand counted paper ballots.

prsdntl

old SQL? time for write in candidate drop tables!

[Joe_Dragon]

old SQL? time for write in candidate drop tables!

Re:XP, or Windows Embedded Standard 2009?

[AlphaBro]

Security fixes are great, but the lack of mitigations present in newer versions of Windows make it more vulnerable in comparison.

Why do people watch George Carlin?

[Brannon]

He's not funny, and he's not insightful.

In my experience only truly stupid people find him to be either.

Also, in my experience truly stupid people think that not voting is somehow political action.

Re:Everything is Connected

[ArtemaOne]

There has been no discussion. You simply are repeating a buzzword that doesn't seem to apply to an intrusion with manipulation as the result.

This is Clinton's problem

[tomhath]

Who's brain works like this?

Clinton's big problem is voter indifference. People don't like Trump, but they don't like Clinton enough to vote for her.

Articles like this are intended to nudge tepid Clinton supporters to get out and vote.

Re:This is Clinton's problem

[unixisc]

In PA, where Trump has been talking non stop about the trade deals, there is likely to be a surprise blue collar support for him. The people who don't like him are the politicos anyway

Use state lottery machines ..

[khz6955]

"most Pennsylvania counties use particularly high-risk electronic voting machines that leave behind zero paper trails, which could be useful to audit the integrity of votes cast."

Why not use the same machines as state lotteries. They're reliable and secure and produce a fully audited paper trail.

The question isn't who will hack the election

[CityZen]

It's whose hacks will be the most effective?

And I'm not referring just to people playing with code. The people playing with money have been hacking pretty effectively as well.

Re:Might as well be Windows 95

[Kvasio]

opinion from outside the USA: both options are scary. But while Hilary is likely to "only" make wars in predictable places like Middle East so SE Asia, Trump seems like the guy who would for example make alliance Russia to nuke China, sacrificing Europe for Russian support.

I mean, many past presidents were horrible scum and liars; but DT makes no slightest trace of consistency, he denies obvious facts, invents stats etc.

Re: XP, or Windows Embedded Standard 2009?

[BarbaraHudson]

They're still releasing patches for XP Standard Embedded. You can obtain and apply these patches to ANY XP with a registry hack.