Slashdot Mirror

← Back to Stories (view on slashdot.org)

Senators Demand Voting Machine Vendor Explain Why It Dismisses Researchers Prodding Its Devices (bleepingcomputer.com)

Posted by msmash on from the holding-accountable dept.

Four US senators, members of the US Senate Select Committee on Intelligence, sent a letter on Wednesday to Election Systems and Software (ES&S), the largest voting machine vendor in the US, asking for clarifications on why the vendor is trying to discourage independent security reviews of its products. From a report: The four senators who signed the letter are Kamala D. Harris (D-CA), Mark Warner (D-VA), Susan Collins (R-ME), and James Lankford (R-OK). The senators sent the letter to ES&S following the conclusion of the Voting Village at the DEF CON 26 security conference held in Las Vegas at the start of the month, where security researchers found several security vulnerabilities in the company's products. "We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing," the letter reads. "Many of the world's leading electronics and software companies have opened their arms to the research community, maintaining active presences at the largest security research conferences and inviting 'white hat' hackers to probe their products to identify how they can improve product security," the letter continued. At DEF CON, security researchers found vulnerabilities in the voting machines of other vendors. Only ES&S is mentioned in the senators' letter because of the company's dismissive approach to external security research.

7 of 62 comments (clear)

  1. I am an election officer and I am dismissive by davide+marney · · Score: 3, Insightful

    Unless you've spent time running an election, it's hard to appreciate just how distributed the process is. Virginia, where I am an officer, has 2,400+ separate voting precincts.

    None of our voting equipment is networked, not even locally within the precinct. None of the equipment even have the hardware necessary to be networked.

    Nearly 4 million people voted in the last Presidential race. The recount margin is 1%, so the winner and the loser must be within 1% of each other for a recount to be called.

    Thus for a hack to be effective and not be scrutinized by a recount, you'd have to win 1% of 4 million, or 40,000 votes.

    How likely is it that you will be able to hack your way into enough precincts, defeat the chain of custody, get your hands on the machines to do your dirty work -- UNDETECTED -- for EACH and every election (each election has a different ballot, and the order is chosen randomly), and change 40,000 votes? Otherwise, what would be the point of the attack?

    Local elections are secure, disconnected facilities. Anytime I see some hacker "fair" where they've got the covers off and people are probing the equipment, I just laugh. As if. We run a tight ship, and in 238 years of doing this job, we've learned a thing or two about how people try to cheat.

    It's not VOTING you have to worry about, it's REGISTRATION. Registration has many times more attack vectors.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
    1. Re:I am an election officer and I am dismissive by AlanBDee · · Score: 4, Insightful

      If you are truly an election officer then first let me commend you for coming to slashdot and taking the time to share your perspective. May I suggest you spend a little more time reading what many of us here have to say. You may be an expert in the election process but we are experts in hardware and software.

      We are not skeptical of the security of voting machines because we wear tin foil hats; it's because we've seen what can and has happened. You're far too confident that those systems can't be hacked undetected. I suggest you get on youtube and look up videos of people placing skimmers on credit card terminals and explain to me why that can't happen to a voting machine?

    2. Re:I am an election officer and I am dismissive by SlaveToTheGrind · · Score: 1, Insightful

      I think you're overlooking his broader point, which is that the distributed architecture of the system (both machines and people) makes it extremely difficult to even plot a coordinated attack much less carry one out.

      The question therefore isn't so much whether one individual machine can be hacked -- it's how many would have to be hacked to make a material difference in the outcome, and how many layers of human security would have to be defeated over how wide of an area to get physical access to hack them.

      For decades we've faced the same question with non-electronic voting -- bad apples have hacked counters on mechanical voting machines, stuffed ballot boxes, and so on. And that's OP's point: the system has evolved in recognition of the temptation to cheat, and has a ton of checks and balances in place to minimize the fallout.

      I suggest you get on youtube and look up videos of people placing skimmers on credit card terminals and explain to me why that can't happen to a voting machine?

      What in the world would a skimmer on a voting machine skim?

  2. Re: Re:food for thought by phantomfive · · Score: 3, Insightful

    Quote from the first page of your link: ".... states are not required to participate in the program..." In other words, they can be tested, but most states don't.

    --
    "First they came for the slanderers and i said nothing."
  3. Re: Has anyone checked the Money Trail? by jd · · Score: 1, Insightful

    There are tried methods, but few of them true. In paper elections, it was common for officials to discover ballot boxes or misplaced ballot papers after the election. Party workers were also routinely accused of falsely claiming authority to collect absentee ballots and destroying ones for rival parties.

    Voting stations were also suspect, with election officials accused of tampering.

    In other words, an awful lot of institutionalised vote fraud by the parties.

    It got so bad, countries were planning on sending in international election monitors after the 2000 election. America avoided it by refusing them visas.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. Re: Isn't it Ironic? by dryeo · · Score: 3, Insightful

    What about the other piece of electronic voting, namely that the average (and less then average) person can understand the security?
    It's just as important that everyone trusts the voting as it being secure and it's hard to imagine a trustworthy electronic voting machine that most people understand.
    When I vote with paper and pencil and watch the whole procedure, it is very understandable.

    --
    https://en.wikipedia.org/wiki/Inverted_totalitarianism
  5. Re: Isn't it Ironic? by dryeo · · Score: 1, Insightful

    OK, number 3 helps a lot, throw in some random recounts as well as any statutory (eg when things are close) recounts of the physical copy and the fact that I have a hard time with numbers 1&2 would go a long way.

    --
    https://en.wikipedia.org/wiki/Inverted_totalitarianism