Slashdot Mirror
US Voting Machines Cracked In 90 Minutes At DEFCON (thehill.com)
An anonymous reader quotes The Hill:
Hackers at at a competition in Las Vegas were able to successfully breach the software of U.S. voting machines in just 90 minutes on Friday, illuminating glaring security deficiencies in America's election infrastructure. Tech minds at the annual "DEF CON" in Las Vegas were given physical voting machines and remote access, with the instructions of gaining access to the software. According to a Register report, within minutes, hackers exposed glaring physical and software vulnerabilities across multiple U.S. voting machine companies' products. Some devices were found to have physical ports that could be used to attach devices containing malicious software. Others had insecure Wi-Fi connections, or were running outdated software with security vulnerabilities like Windows XP.
Though some of the machines were out of date, they were all from "major U.S. voting machine companies" like Diebold Nixorf, Sequoia Voting Systems, and WinVote -- and were purchased on eBay or at government auctions. One of the machines apparently still had voter registration data stored in plain text in an SQLite database from a 2008 election, according to event's official Twitter feed.
By Saturday night they were tweeting video of a WinVote machine playing Rick Astley's "Never Gonna Give You Up."
Though some of the machines were out of date, they were all from "major U.S. voting machine companies" like Diebold Nixorf, Sequoia Voting Systems, and WinVote -- and were purchased on eBay or at government auctions. One of the machines apparently still had voter registration data stored in plain text in an SQLite database from a 2008 election, according to event's official Twitter feed.
By Saturday night they were tweeting video of a WinVote machine playing Rick Astley's "Never Gonna Give You Up."
In Virginia these machines have been decertified. I imagine other states have acted as well.
slashdot: A failed experiment.
after dropped from the delivery truck
By Saturday night they were tweeting video of a WinVote machine playing Rick Astley's "Never Gonna Give You Up."
So, you're saying America got Rick Rolled on November 8th, 2016.
Explains a lot.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
You're the voter fraud.
Some devices were found to have physical ports that could be used to attach devices containing malicious software. Others had insecure Wi-Fi connections, or were running outdated software with security vulnerabilities like Windows XP.
Does anyone like myself, see this as a reason to support our president?
Folks, let's join our president's efforts in making "America Great Again!"
"Stop whining."
-President Barack Obama, on concerns about election hacking, October 2016
Physical ballots are still the best way to do it. The added confidence and security is WELL worth it.
SJW: Someone who has run out of real oppression, and has to fake it.
Where is the Putin/Trump cyber security task force when you need it!?!?!?!
Isn't it obvious by now that that's the way they want it?
Anything to shine the spotlight away from your corrupt guy, right, comrade?
"Nothing to see here folks, move along, voting is secure, buffet's in the next room" haha
DNC goose is cooked. Here is the DNC special prosecutor appointment request from Congress. Check out the last page for signatures.
If people were allowed to vote via public key, they could vote online, over the Internet, and could even verify that their vote had been accepted.
It's not difficult to solve this problem - the difficulty lies in dealing with those who don't want the problem solved.
If you've worked as a programmer, you know this already.
When someone tells you they want it done by a deadline and they won't hire people who are good at security because they're expensive, instead scowling and saying "you programmers need to make it secure on top of everything else!" what do you think will happen?
Why is this even news?
Republicans will need things like this since they can not win the popular vote.
Voters receive their paper ballots about a month in advance. They can either fill it out and put it in the mail, or wait until the last minute and drop it off at any library or county clerk's office (think traffic court). All ballots must be in an envelope signed by the voter or it doesn't count. The county registrar has people trained to check signatures as they come in. If there is a mismatch, they contact the voter when there is time (sometimes older people, or those who have health issues, have shakier handwriting), and the voter can come down to straighten it out.
The ballots are then put in bins, which are then tabulated (for cost efficiency) by high speed vote counting machines on election night. The machines are certified, tested with special ballot runs to make sure they're working correctly, and are not hooked up to the internet. And to the best of my understanding, don't even have any external interfaces.
The paper ballots are never thrown away, in case there is a challenge. If the vote is very close, a recount is done automatically by hand. If not, the losing side can pay to have the recount done. All these processes are open to the public and are typically overseen by everyone from the most kook teabagger to the greenest of pretending-not-to-be-communist green.
About eight years ago, on a special election night in Tillamook, there was a terrible winter storm. The main highway was quite literally flooded by 5 feet of water. Despite this, there was an over 80% turnout. Everyone had mailed in their ballots long before.
Democrats love the system. Rural Republicans especially love the system. It's secure. Almost impossible to pull dirty tricks with. Basically impossible to hack. And best of all - cheap. Seriously. Because it reuses the US post system and libraries, there is no need to organize election stations, monitors, volunteers, reserve space for people to vote. It's nearly half the cost of all other systems.
That is nobody that followed the developments for the last 10 years or so. Of course, the actual experts have been warning of this far longer, but who in politics listens to mere experts. Pathetic.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Four obvious ways to hack. Thinking of several more subtle methods now. Let's see, now who would be the ones doing the hacking? Of course...
https://twitter.com/randygdub/status/787747220267278336
They were probably not in best shape
Slashdot, fix the reply notifications... You won't get away with it...
So someone lied and tweeted that they opened mail and ripped up votes, and then the post office confirmed that the person has never worked there.
Not really the best counter argument - though obviously there needs to be a lot of monitoring at each stage of handling the vote, just like there has to be that during more traditional voting.
It's turtles all the way down.
It is possible to assess and address corruption and fraud across multiple different communities and individuals at the same time.
I suspect the FBI is large enough to manage two concurrent investigations.
Demand that any electronic voting machine survive two days taking votes on something important (e.g. M&Ms vs Skittles) at DefCon before it can be used in an election.
It's free pen testing, what's not to like?
In the UK electoral fraud is rare, but when it does occur it is almost always related to postal voting.
LOL. They check the signature? "It's a perfect match! One might even say it's a carbon copy!... No voter fraud here!"
Seriously though, my hands don't work well anymore, so I can't form the letters to spell my name correctly unless I've practiced for about 5 minutes. Would I be disqualified if they compared my "on the spot" signature with my "official" signature?
Physical Voting Machines means they had physical access.
Yeah. Those weird old League of Womens Voters people who volunteer to hang out at the polling places are gonna look at trenchcoat dude and not be suspicious. Right.
Problems with this system:
1) No secret ballot
2) Signatures are easily faked
The root problem with voting systems is that, fundamentally, they can only be as reliable as the people who operate them. If those people really honestly want to conduct fair, unbiased, honest elections then, on the whole, that is what will ensue. There may be glitches and little pockets of unfairness, but if the people who vote AND the people who run the system all want an honest result, they will get one.
The trouble arises when a critical fraction of those involved in running an election do not want an honest outcome. Frankly, there are so many ways of cheating that it would be tedious to list them. Just imagine what a highly-trained, experienced security specialist would make of any democratic voting system. They are so full of holes that there are more holes than solid material.
Sure, voting machines can be hacked. But if you run a system without any machine more complicated than a pencil, there are still ample opportunities for massive cheating. Anyone familiar with the history of elections could write down dozens of examples. As one of the most often-quoted remarks on the subject tells us, it's not who votes that counts - it's who counts the votes. (And who look after the actual ballots in the long watches of the night, and who has control of the totals once they have been written down).
The situation is just the same as with the US Constitution. Admirable in principle, well-intentioned, and carefully designed to preserve freedoms. But... no piece of paper, in and of itself, can stop people doing bad things. That's obvious. So the missing piece of the puzzle must be that the people who rule choose to act in accordance with the piece of paper. For years now, they haven't.
In a country where the Supreme Court can solemnly declare that bribery is free speech, and that corporations are people, no statement or declaration of principle is safe. Powerful people can simply "interpret" it to mean something entirely different.
I am sure that there are many other solipsists out there.
How else could your self-elected, self-appointed incumbent officials secretly benefit from skewed election results? No paper trails, no log trails, all in the name of "protecting YOUR privacy*."
(* applicable only when electorate's personal benefits are at stake, otherwise privacy concerns are promptly shunned and swiftly bypassed)
LOL, all electronic voting systems have central tabulators which are inherently insecure. There is no way to make electronic voting secure without a blockchain.
https://www.youtube.com/watch?v=w3_0x6oaDmI
>80 column hard wrapped e-mail is not a sign of intelligent
>life
Why are voting machine even allowed to be sold on Ebay? Can I buy a used money making machine too?
^^^^^
Still butthurt lmao
he should just make what the other side do, get republican dead voters and illegals to vote for him
thats way better in the eyes of the media
It sounds like the best system.... for party operatives to drive around and steal ballots out of selected mailboxes or neighborhoods.
Alcohol, Tobacco and Firearms should be the name of a store, not a government agency.
My apologies i read your comment more carefully- stealing ballots would require the collusion of the registrar. How honest are these people?
Considering the Democrats went on a campaign to capture secretary of state seats so they could put their thumb on the scales at that level, a few dirty registrars aren't out of the question.
Alcohol, Tobacco and Firearms should be the name of a store, not a government agency.
Just think how much money states spent on these machines that were built by companies that are far too close to the Republican party. Send all these electronic machines back to the vendors for a full refund and user paper ballots and a pen. Keep it simple, verifiable, and quite secure. Sure, it will take longer to count the votes, but I rather wait a day and get results anyone can trust than get results in an hour and question for years if they were accurate.
Not any worse than all the other approaches. Around here they do not even make one sign anything. You go to the polling place, tell them your name and address, they look it up in the list, and if it is on the list you get to vote...and just maybe they cross off the right name. Just be faster to the poll station than the folks across town that you can look up in the phone book.
Seems like he's more like actually retarded.
I'd trust electronic voting machines a lot more if they were made by the companies who do slot machines for Vegas.
That fine and dandy, but as I just said elsewhere: Unless you can trust the entire chain of custody of the aforementioned paper ballots, from end-to-end, it's useless. If someone wants to destroy, alter, or replace ballots, then it's useless.
Until you get that one house with 83 ballots - all with different names - mailed to it. Or you get those Democratic elected officials "finding" more votes after the election and you count them anyway, overturning a Gubernatorial election... And of course - no way to prove who actually cast the ballot because there is ZERO identification required (you know, like Canada , Germany, the Netherlands, the UK, and most of the rest of the world requires).
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
But these machines were used prior to the 2016 election, they were bought on eBay. They were used for the previous elections, so...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
This result proves Trump won the popular vote by a record margin and that the numbers they list for clinton were false and hyped by the main stream media.
When I show up with ID and my name is already crossed off on the ballot, I can challenge it and make an accusation of fraud.
When I mail in my vote, I can sell it, or be coerced into "selling" it, and send it in with someone looking over my shoulder to make sure I "fill it in right".
These are not nearly the same failure mechanism.
The former only succeeds if a small fraction of people bother to vote (which is another reason to give people shit for not voting), and requires a large number of people to engage in the fraud.
The latter succeeds if the criminal is sufficiently criminal, and it requires a large number of people to root it out.
Mail-in ballots should be declared, at a federal level, compromised, and considered invalid in any federal election. (And, as TFA shows, the same for all-electronic voting machines. If a vote comes from a voting machine, deem it invalid, throw it out, and move on.)
Weak.
If we were to follow the spirit of the Constitution to a T, there wouldn't be any geese left.
Just because paper ballots aren't immune to tampering doesn't mean they're anywhere near as bad as electronic voting machines.
It is much harder to rig paper ballots *on a massive widespread scale* compared to electronic voting. Period.
Yes, that's the whole point. With paper ballots, the count can physically be observed IN PUBLIC by as many parties as are interested.
A number of years ago, Germany's highest court found that:
Smart people.
"Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
Best practices: optical scan ballots, with the readers on an air-gapped network: in other words, networked to each other, but no WiFi, and no connection even to the local jurisdiction's network. All results get hand-carried to the officials who run the elections. There are still vulnerabilities this way, but they are the unavoidable human kind as opposed to the technological variety. Wide-spread compromise of elections becomes much harder this way, as many officials have to get bribed to affect the outcomes.
While it may be possible to create a robust electronic voting environment, there doesn't seem to be anyone with any awareness of risk (or readers of comp.risks) working on it.
Problems with this system:
1) No secret ballot
Sorry. But it is secret. The signature is on the outside of the envelope. The ballot is inside a security sleeve inside the envelope. Once the signature is verified, the envelope and the ballot part ways. No one gets to see to see them both together. No one ever knows how you voted.
...Just be faster to the poll station than the folks across town that you can look up in the phone book.
In small towns the poll worker knows everyone by sight, so that kind of fraud is not possible.
Neither the people, nor the voting machines, are going to vote for the man I would endorse for or appoint to the office of "Representative", should the state ever decide that it wants to recognize representatives which are actually going to represent the people...
And, for the most part, those who obtain the office by popular vote (whether their voters are genuine or not) seem far more concerned about promoting their own agendas, party agendas, and financier & kingmaker agendas than about determining what the political agenda of their constituents generally is and promoting that as best they can.
Seriously, why should these voting machines be accessable remotely? Private network, machines talk locally, no WiFi, and all ethernet ports should be locked down. The information can then be uploaded via a manual process, data pull every 30 minutes or something, and then uploaded, again via a closed and secured connection. Local network not being connected to the Internet means any hacking would have to be done locally, local numbers can be verified as well as what was uploaded at each interval. The only thing to be concerned with then, is if individual voting machines are properly counting votes(a printout and display of what a voter voted for SHOULD be shown, just saying, "We have your vote" gives reason to doubt if a vote was properly counted...for all people know, you vote one way, and votes are randomly given to other people if an electronic system does not display who it thinks you have voted for.
We should go back to paper as well.
The votes can be altered by any election official. Some voting machines even had an adjust votes.
Paper ballots are even worse UNLESS they are properly scrutineered. In the US, they are counted in secret rooms and nobody is allowed in. And there are strict laws to prevent any recounts or external scrutiny.
Republicans seem to be better at hacking elections than Democrats.
In civilized countries, like Australia, the votes are counted in front of scrutineers appointed by the candidates. All done in a couple of hours on election night. Very efficient, cheaper than voting machines, and impossible to hack.
What we really should be aiming for is doing away with the election and traditional politicians with it.
Direct Democracy though, where everyone votes on everything, is not practical though as it essentially gives everyone a second job. But there are ways a hybrid system could possibly work thanks to the internet. We would still elect people for either the senate or house, as well as the presidency, but 1/2 of the legislative branch would be direct democracy in the form of:
- have every person have a vote on every piece of legislation/amendment/etc.
- With this vote, it'd be possible to use it directly or to delegate it to a representative of your choice revocable at will. This way it'd be easy to choose people you want representing your interests (be they whoever - from any political party representative, to the commentator of your choice, to any activist group)
The internet makes it possible to do better than electing dictators who are accountable to the people they serve only once every 2/4/6 years. We can and should do better.