Slashdot Mirror


Senators Demand Voting Machine Vendor Explain Why It Dismisses Researchers Prodding Its Devices (bleepingcomputer.com)

Four US senators, members of the US Senate Select Committee on Intelligence, sent a letter on Wednesday to Election Systems and Software (ES&S), the largest voting machine vendor in the US, asking for clarifications on why the vendor is trying to discourage independent security reviews of its products. From a report: The four senators who signed the letter are Kamala D. Harris (D-CA), Mark Warner (D-VA), Susan Collins (R-ME), and James Lankford (R-OK). The senators sent the letter to ES&S following the conclusion of the Voting Village at the DEF CON 26 security conference held in Las Vegas at the start of the month, where security researchers found several security vulnerabilities in the company's products. "We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing," the letter reads. "Many of the world's leading electronics and software companies have opened their arms to the research community, maintaining active presences at the largest security research conferences and inviting 'white hat' hackers to probe their products to identify how they can improve product security," the letter continued. At DEF CON, security researchers found vulnerabilities in the voting machines of other vendors. Only ES&S is mentioned in the senators' letter because of the company's dismissive approach to external security research.


  1. food for thought by Orrin+Bloquy · · Score: 5, Interesting

    Fruit machines in casinos have to be state certified as honest with their code vetted regularly. Voting machines are largely unregulated.

    --
    "Made up/misattributed quote that makes me look smart. I am on /. and I must look smart."
    1. Re:food for thought by Noodles · · Score: 2

      What are you basing this statement on? The same testing authorities that certify gambling machines also certify voting machines.

    2. Re: Re:food for thought by Okian+Warrior · · Score: 1

      What are you basing this statement on? The same testing authorities that certify gambling machines also certify voting machines.

      And what are you basing *that* statement on?

    3. Re:food for thought by PopeRatzo · · Score: 2, Funny

      What are you basing this statement on? The same testing authorities that certify gambling machines also certify voting machines.

      And they're both equally fair.

      --
      You are welcome on my lawn.
    4. Re:food for thought by Anonymous Coward · · Score: 1

      And even that's pointless (i.e., certification).

      Slot machines in casinos have cameras on them, security personnel, and the ability to see if the machine is 'paying out' too much. Why? They know what the odds SHOULD be, therefore, know if the machine is "off".

      Contrast that with voting, which even the best pollsters, and political scientists are often wrong about. There's no camera above you watching you vote, and no security guard hovering over you as you do so either.

      My point in all of this? NO computer is secure. None. Nada. No software, either. Anyone on /. can see the litany of vulnerabilities that exist, and anyone on /. can see how these clearly exist for years, DECADES sometimes prior to being discovered/made public. Pre-0day is what the NSA, and what foreign governments spend countless cash focusing on.

      There is NO way, EVER one can make a voting machine secure or make hardware secure. Every piece of software in use is riddled with bugs, every piece of hardware, everywhere, right now.

      You know what's safe? Paper. Manual counts. Systems of counting that have worked for democracies for centuries.

      THERE IS NO NEED FOR VOTING MACHINES!

      It is *not* worth the risk, and it certainly isn't worth the cost.

    5. Re: Re:food for thought by phantomfive · · Score: 3, Insightful

      Quote from the first page of your link: ".... states are not required to participate in the program..." In other words, they can be tested, but most states don't.

      --
      "First they came for the slanderers and i said nothing."
    6. Re: Re:food for thought by AutodidactLabrat · · Score: 1

      Republican't quotemine fail!!

    7. Re: Re:food for thought by phantomfive · · Score: 1

      The summary I gave is completely accurate. The quoted part strips off the spin.

      --
      "First they came for the slanderers and i said nothing."
    8. Re:food for thought by tlhIngan · · Score: 1

      What are you basing this statement on? The same testing authorities that certify gambling machines also certify voting machines.

      And they're both equally fair.

      Actually, payout rates are heavily regulated. The loosest machines actually are gambling machines. The tightest machines generally are arcade machines.

      Arcade machines? Yes, those "claw" machines, or "key master" machines or other machines "of skill" actually are gaming machines with payout rates. They will never let you win a prize if they aren't ready to pay out. Typically the operator sets the payout rate to be around 25-33% or so (i.e., the machine will take in 3-4x the cost of the product).

      Claw machines do it by lowering the "claw" power - the claw will not grasp as hard so if you do "get lucky" the item will simply slip from the fingers. Keymaster type games will "lag" the control a bit (notably the up/down control) to intentionally skip over the winning count (the machine knows exactly how high the grabber is and it knows to simply run the motor a bit longer so you're always going to be "just a bit high" if it's not ready to pay out). The other machines of skill again will simply do something - the "pile" style machine (the one with the LED back that you have to create a tower) again skips over the winning position by reacting a bit slow so even if you time it perfectly you will always miss.

      They're really games of skill, only once the payout rate has been met.

    9. Re: Re:food for thought by AutodidactLabrat · · Score: 1

      Like I said, quotemine fail, ignoring the fact in favor of YOUR claim that facts are spin

    10. Re: Re:food for thought by phantomfive · · Score: 1

      And you only speak in vague generalities. Either learn to speak concretely, figure out how to support your ideas, or be gone back to the pool of ignorance you came from. Making a good argument is something you can do.

      --
      "First they came for the slanderers and i said nothing."
    11. Re: Re:food for thought by AutodidactLabrat · · Score: 1

      Your "Strip the spin" proves you failed to address the issue.
      Quotemine fail

  2. Isn't it Ironic? by DatbeDank · · Score: 4, Interesting

    How back in the early 2000s here on Slashdot we all were complaining how these electronic voting machines were the work of the devil in how easy they were to hack?

    Fast forward to 2018, they're now viewed as Russian hacking devices.

    Seems like we're on a collision course to return to the old style paper ballots.

    Shame no one listens to us. It seems most tech crises would be avoided! Thankfully we get to bill $300/hr when Mr. Executive's screw up comes to roost!

    1. Re: Isn't it Ironic? by dryeo · · Score: 3, Insightful

      What about the other piece of electronic voting, namely that the average (and less than average) person can understand the security?
      It's just as important that everyone trusts the voting as it being secure and it's hard to imagine a trustworthy electronic voting machine that most people understand.
      When I vote with paper and pencil and watch the whole procedure, it is very understandable.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    2. Re: Isn't it Ironic? by dryeo · · Score: 1, Insightful

      OK, number 3 helps a lot, throw in some random recounts as well as any statutory (eg when things are close) recounts of the physical copy and the fact that I have a hard time with numbers 1&2 would go a long way.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
  3. Has anyone checked the Money Trail? by Rick+Schumann · · Score: 1

    Perhaps they don't care because they're being paid not to care?
    I think perhaps these companies need to be thoroughly investigated. In the meantime DUMP THEM and go back to tried-and-true methods.

    1. Re: Has anyone checked the Money Trail? by jd · · Score: 1, Insightful

      There are tried methods, but few of them true. In paper elections, it was common for officials to discover ballot boxes or misplaced ballot papers after the election. Party workers were also routinely accused of falsely claiming authority to collect absentee ballots and destroying ones for rival parties.

      Voting stations were also suspect, with election officials accused of tampering.

      In other words, an awful lot of institutionalised vote fraud by the parties.

      It got so bad, countries were planning on sending in international election monitors after the 2000 election. America avoided it by refusing them visas.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. I am an election officer and I am dismissive by davide+marney · · Score: 3, Insightful

    Unless you've spent time running an election, it's hard to appreciate just how distributed the process is. Virginia, where I am an officer, has 2,400+ separate voting precincts.

    None of our voting equipment is networked, not even locally within the precinct. None of the equipment even has the hardware necessary to be networked.

    Nearly 4 million people voted in the last Presidential race. The recount margin is 1%, so the winner and the loser must be within 1% of each other for a recount to be called.

    Thus for a hack to be effective and not be scrutinized by a recount, you'd have to win 1% of 4 million, or 40,000 votes.

    How likely is it that you will be able to hack your way into enough precincts, defeat the chain of custody, get your hands on the machines to do your dirty work -- UNDETECTED -- for EACH and every election (each election has a different ballot, and the order is chosen randomly), and change 40,000 votes? Otherwise, what would be the point of the attack?

    Local elections are secure, disconnected facilities. Anytime I see some hacker "fair" where they've got the covers off and people are probing the equipment, I just laugh. As if. We run a tight ship, and in 238 years of doing this job, we've learned a thing or two about how people try to cheat.

    It's not VOTING you have to worry about, it's REGISTRATION. Registration has many times more attack vectors.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
    1. Re:I am an election officer and I am dismissive by AlanBDee · · Score: 4, Insightful

      If you are truly an election officer then first let me commend you for coming to slashdot and taking the time to share your perspective. May I suggest you spend a little more time reading what many of us here have to say. You may be an expert in the election process but we are experts in hardware and software.

      We are not skeptical of the security of voting machines because we wear tin foil hats; it's because we've seen what can and has happened. You're far too confident that those systems can't be hacked undetected. I suggest you get on youtube and look up videos of people placing skimmers on credit card terminals and explain to me why that can't happen to a voting machine?

    2. Re:I am an election officer and I am dismissive by bussdriver · · Score: 2

      Means nothing. This is like a security guard at the bank saying they run a tight ship and will never be robbed. Then that whole bank bailout mess happens... or the bank gets caught laundering or they are caught doing fake loans and false fees etc...

      Just because you're looking in 1 place for 1 kind of threat doesn't mean that is all there is or that it is safe. An organized attack would be a different game... and do you watch... can you verify the machines were completely untouched since last use? Who does IT on them?

      What about totals at the county? I know my county had a ton of issues until I raised them - we had paper but the totals at the county were running on a personal office laptop with insecure internet access and without recounts nobody would notice. It's the 2nd biggest county so there were enough to flip every state race within 8 points. Some old FTP server sent it out to TV but hack that and you'd be into the crap Access DB powering the thing... running on Windoze 98 too. Fixed now; but that is the kind of stuff that went on with a secure PAPER optical scan system.

    3. Re:I am an election officer and I am dismissive by phantomfive · · Score: 1

      Do you have paper records in your machines to verify the votes?

      --
      "First they came for the slanderers and i said nothing."
    4. Re:I am an election officer and I am dismissive by SlaveToTheGrind · · Score: 1, Insightful

      I think you're overlooking his broader point, which is that the distributed architecture of the system (both machines and people) makes it extremely difficult to even plot a coordinated attack much less carry one out.

      The question therefore isn't so much whether one individual machine can be hacked -- it's how many would have to be hacked to make a material difference in the outcome, and how many layers of human security would have to be defeated over how wide of an area to get physical access to hack them.

      For decades we've faced the same question with non-electronic voting -- bad apples have hacked counters on mechanical voting machines, stuffed ballot boxes, and so on. And that's OP's point: the system has evolved in recognition of the temptation to cheat, and has a ton of checks and balances in place to minimize the fallout.

      I suggest you get on youtube and look up videos of people placing skimmers on credit card terminals and explain to me why that can't happen to a voting machine?

      What in the world would a skimmer on a voting machine skim?

    5. Re:I am an election officer and I am dismissive by Anonymous Coward · · Score: 1

      Neither of you are thinking critically. If they know how to corrupt one or a series of vendors, doing so IS TRIVIAL for a funded conspiracy to pull off locally. They don't need to win "all votes"; a 1%-5% boost is HUGE. Think harder.

    6. Re: I am an election officer and I am dismissive by jd · · Score: 2

      Unnetworked is part of the problem. It means voting machines tally and store, the source of most of the defects.

      Second, that's not a high number. Machines that tally just store a number. It's long past the point where ID is checked. All you need is to preload 40,000 votes in a test (corrupt official) - and that has happened in the past - or you have ten people load in 4,000 votes at the time in precincts with low turnout, OR you hack the election database where the tallies are stored.

      Any of those will work and you know they will because you will have been instructed on this.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    7. Re:I am an election officer and I am dismissive by Anonymous Coward · · Score: 2, Interesting

      Why wait for the day of the vote when the machines are distributed everywhere? Why not do it two weeks prior when they are in some warehouse, or from a USB key when somebody plugs in to update, diagnostic or whatever?
      It happened to the Iranians with their uranium centrifuges, it could happen to the Ohioans with their machines...

    8. Re:I am an election officer and I am dismissive by Rob+Y. · · Score: 1

      I think the tinfoil hat version of election tampering centers on the part that is centralized. At some point all those distributed components of the voting system log on electronically to a central system to tabulate the statewide vote. And the real life event that convinced at least some that hacking this central tabulation was Karl Rove's on-air meltdown in 2008 over Ohio calling the state for Obama. It sure looked like he 'knew' that that was not supposed to happen, and to the conspiracy minded, that sure looked like he thought the fix was in somewhere along the chain of custody. Who knows? But to assume that the distributed nature of the system renders it invulnerable is a bit naive...

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    9. Re:I am an election officer and I am dismissive by SlaveToTheGrind · · Score: 1

      At some point all those distributed components of the voting system log on electronically to a central system to tabulate the statewide vote.

      Really? Where are you getting your information? How do you know the precincts don't, for example, report by telephone? And regardless of how the data is aggregated, today you and I can drill down and see the vote tallies on a precinct-by-precinct basis. Do you really think the precincts themselves aren't watching those numbers like hawks against the ones they reported?

      And the real life event that convinced at least some that hacking this central tabulation was Karl Rove's on-air meltdown in 2008 over Ohio calling the state for Obama. It sure looked like he 'knew' that that was not supposed to happen, and to the conspiracy minded, that sure looked like he thought the fix was in somewhere along the chain of custody.

      So the evidence for hacking is that hacking didn't happen but somebody acted in a way people say we should interpret as him thinking that hacking was going to happen? Oh dear. I suppose these people also want us to believe that the hacking that he supposedly was so confident was going to happen but didn't somehow mysteriously failed without anyone outside the conspiracy detecting it?

      But to assume that the distributed nature of the system renders it invulnerable is a bit naive...

      Nothing in life is invulnerable, but the distributed nature of the system, along with the multiple layers of checks and balances, dramatically reduces the odds of broad-scale issues.

      I'd suggest the real naivety lies with those sitting around blindly conjecturing about how electronic voting machines could be used to swing elections without factoring in or caring to understand the safeguards in the broader system in which the EVMs operate.

    10. Re:I am an election officer and I am dismissive by Rob+Y. · · Score: 1

      I said it was a tinfoil hat conspiracy, didn't I?

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
  5. Re:I just wrote them... by arth1 · · Score: 3, Informative

    "We hold ourselves to a higher standard, knowing that our products and services help maintain democracy in the jurisdictions we service."

    Yeah, right. This is Diebold of former infamy, first changing their name to Premier Election Solutions, and then again merging with Election Systems & Software (ESS).
    Same shit, different wrapper. Why would any state give them a third chance after the first screw-ups? The canapés must be very tall and the drinks very big.

  6. Why do you even need to use a machine anyways? by mark-t · · Score: 2

    There's a limited number of people that are going to be at any single voting station, so manual counts of paper ballots wouldn't take that long, happening in parallel all over the country. The ballots can even be kept for a little while, in case recounts are necessary.

  7. The Dems keep winning popular votes by rsilvergun · · Score: 1

    and losing elections. It's one thing when that happens with the presidency. Our electoral college was designed to do exactly that. But they've lost the House two or three times now but won more votes. I want to see stuff like this because if nothing else I want to see an end to our sham Democracy. Maybe if enough people recognize there's a problem we'll start seeing changes.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  8. Well Senator by nehumanuscrede · · Score: 1

    I would be happy to answer that right after you explain why you and your colleagues have been ignoring everyone and their fucking brother telling you your electronic voting machines are susceptible to manipulation for the past GD decade or more.

    NOW it's a big deal? :facepalm: