US Voting Machines Cracked In 90 Minutes At DEFCON

An anonymous reader quotes The Hill: Hackers at at a competition in Las Vegas were able to successfully breach the software of U.S. voting machines in just 90 minutes on Friday, illuminating glaring security deficiencies in America's election infrastructure. Tech minds at the annual "DEF CON" in Las Vegas were given physical voting machines and remote access, with the instructions of gaining access to the software. According to a Register report, within minutes, hackers exposed glaring physical and software vulnerabilities across multiple U.S. voting machine companies' products. Some devices were found to have physical ports that could be used to attach devices containing malicious software. Others had insecure Wi-Fi connections, or were running outdated software with security vulnerabilities like Windows XP.
Though some of the machines were out of date, they were all from "major U.S. voting machine companies" like Diebold Nixorf, Sequoia Voting Systems, and WinVote -- and were purchased on eBay or at government auctions. One of the machines apparently still had voter registration data stored in plain text in an SQLite database from a 2008 election, according to event's official Twitter feed.

By Saturday night they were tweeting video of a WinVote machine playing Rick Astley's "Never Gonna Give You Up."

Not being used any more

[FrankHaynes]

In Virginia these machines have been decertified. I imagine other states have acted as well.

Re:Not being used any more

[fustakrakich]

Problem is that they replaced them with other machines instead of pen and paper.

Re:Not being used any more

Actually, during the brief recount effort in Michigan before it was shut down, roughly 60% of the ballot boxes opened did not contain the number of ballots they were supposed to. Some were off by pretty significant percentages; I know that one box that according to the ledger should have contained over 350 votes actually contained less than 50. We didn't get even close to opening all of them.

It may not have been a "hack", but SOMETHING definitely happened....

Re:Not being used any more

[dbIII]

Maybe, but it's kind of a big deal if they have ever been used live in an election and are found to be this substandard. It's worth looking at the process involved to purchase the things in the first place to see if there were any shortcuts or criminal activity (eg. kickbacks) in the process to avoid the same mistake happening again.
Also a lot of smug bastards like me get to say "I told you so". Diebold especially were up to a few things that looked very suspicious, including having a convicted fraudster in charge of the project.

Re:Not being used any more

[MillionthMonkey]

The agency that's supposed to be in charge of securing voting machines is the Election Assistance Commission, which operates on a $10 million annual budget. A House committee voted along party lines for HR 634, the Election Assistance Commission Termination Act, which will completely shut it down by 2018.

The argument is that "this is a matter best left to the states". According to Rep. Tom Graves from Georgia, "People supporting the EAC are quite frankly proponents for a greater federal role in our elections. States themselves, they're responsible for all the elections. We do not have a federally run election system." Rep. Gregg Harper from Mississippi argued the program has "outlived its usefulness", and that closing it down would save money and cut down the size and scope of government, saying "It is time for the EAC to be officially ended. We don't need fluff".

Ah, NOW I understand.

[buss_error]

By Saturday night they were tweeting video of a WinVote machine playing Rick Astley's "Never Gonna Give You Up."

So, you're saying America got Rick Rolled on November 8th, 2016.

Explains a lot.

Sometimes an old system is best

[elrous0]

Physical ballots are still the best way to do it. The added confidence and security is WELL worth it.

Oregon Vote By Mail - Hands Down The Best System

[StevenMaurer]

Voters receive their paper ballots about a month in advance. They can either fill it out and put it in the mail, or wait until the last minute and drop it off at any library or county clerk's office (think traffic court). All ballots must be in an envelope signed by the voter or it doesn't count. The county registrar has people trained to check signatures as they come in. If there is a mismatch, they contact the voter when there is time (sometimes older people, or those who have health issues, have shakier handwriting), and the voter can come down to straighten it out.

The ballots are then put in bins, which are then tabulated (for cost efficiency) by high speed vote counting machines on election night. The machines are certified, tested with special ballot runs to make sure they're working correctly, and are not hooked up to the internet. And to the best of my understanding, don't even have any external interfaces.

The paper ballots are never thrown away, in case there is a challenge. If the vote is very close, a recount is done automatically by hand. If not, the losing side can pay to have the recount done. All these processes are open to the public and are typically overseen by everyone from the most kook teabagger to the greenest of pretending-not-to-be-communist green.

About eight years ago, on a special election night in Tillamook, there was a terrible winter storm. The main highway was quite literally flooded by 5 feet of water. Despite this, there was an over 80% turnout. Everyone had mailed in their ballots long before.

Democrats love the system. Rural Republicans especially love the system. It's secure. Almost impossible to pull dirty tricks with. Basically impossible to hack. And best of all - cheap. Seriously. Because it reuses the US post system and libraries, there is no need to organize election stations, monitors, volunteers, reserve space for people to vote. It's nearly half the cost of all other systems.

Same pattern everywhere

[Archtech]

The root problem with voting systems is that, fundamentally, they can only be as reliable as the people who operate them. If those people really honestly want to conduct fair, unbiased, honest elections then, on the whole, that is what will ensue. There may be glitches and little pockets of unfairness, but if the people who vote AND the people who run the system all want an honest result, they will get one.

The trouble arises when a critical fraction of those involved in running an election do not want an honest outcome. Frankly, there are so many ways of cheating that it would be tedious to list them. Just imagine what a highly-trained, experienced security specialist would make of any democratic voting system. They are so full of holes that there are more holes than solid material.

Sure, voting machines can be hacked. But if you run a system without any machine more complicated than a pencil, there are still ample opportunities for massive cheating. Anyone familiar with the history of elections could write down dozens of examples. As one of the most often-quoted remarks on the subject tells us, it's not who votes that counts - it's who counts the votes. (And who look after the actual ballots in the long watches of the night, and who has control of the totals once they have been written down).

The situation is just the same as with the US Constitution. Admirable in principle, well-intentioned, and carefully designed to preserve freedoms. But... no piece of paper, in and of itself, can stop people doing bad things. That's obvious. So the missing piece of the puzzle must be that the people who rule choose to act in accordance with the piece of paper. For years now, they haven't.

In a country where the Supreme Court can solemnly declare that bribery is free speech, and that corporations are people, no statement or declaration of principle is safe. Powerful people can simply "interpret" it to mean something entirely different.