Slashdot Mirror

← Back to Stories (view on slashdot.org)

Senators Demand Voting Machine Vendor Explain Why It Dismisses Researchers Prodding Its Devices (bleepingcomputer.com)

Posted by msmash on from the holding-accountable dept.

Four US senators, members of the US Senate Select Committee on Intelligence, sent a letter on Wednesday to Election Systems and Software (ES&S), the largest voting machine vendor in the US, asking for clarifications on why the vendor is trying to discourage independent security reviews of its products. From a report: The four senators who signed the letter are Kamala D. Harris (D-CA), Mark Warner (D-VA), Susan Collins (R-ME), and James Lankford (R-OK). The senators sent the letter to ES&S following the conclusion of the Voting Village at the DEF CON 26 security conference held in Las Vegas at the start of the month, where security researchers found several security vulnerabilities in the company's products. "We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing," the letter reads. "Many of the world's leading electronics and software companies have opened their arms to the research community, maintaining active presences at the largest security research conferences and inviting 'white hat' hackers to probe their products to identify how they can improve product security," the letter continued. At DEF CON, security researchers found vulnerabilities in the voting machines of other vendors. Only ES&S is mentioned in the senators' letter because of the company's dismissive approach to external security research.

13 of 62 comments (clear)

  1. food for thought by Orrin+Bloquy · · Score: 5, Interesting

    Fruit machines in casinos have to be state certified as honest with their code vetted regularly. Voting machines are largely unregulated.

    --
    "Made up/misattributed quote that makes me look smart. I am on /. and I must look smart."
    1. Re:food for thought by Noodles · · Score: 2

      What are you basing this statement on? The same testing authorities that certify gambling machines also certify voting machines.

    2. Re:food for thought by PopeRatzo · · Score: 2, Funny

      What are you basing this statement on? The same testing authorities that certify gambling machines also certify voting machines.

      And they're both equally fair.

      --
      You are welcome on my lawn.
    3. Re: Re:food for thought by phantomfive · · Score: 3, Insightful

      Quote from the first page of your link: ".... states are not required to participate in the program..." In other words, they can be tested, but most states don't.

      --
      "First they came for the slanderers and i said nothing."
  2. Isn't it Ironic? by DatbeDank · · Score: 4, Interesting

    How back in the early 2000s here on Slashdot we all were complaining how these electronic voting machines were the work of the devil in how easy they were to hack?

    Fast forward to 2018, they're now viewed as Russian hacking devices.

    Seems like we're on a collision course to return to the old style paper ballots.

    Shame no one listens to us. It seems most tech crises would be avoided! Thankfully we get to bill $300/hr when Mr. Executive's screw up comes to roost!

    1. Re: Isn't it Ironic? by dryeo · · Score: 3, Insightful

      What about the other piece of electronic voting, namely that the average (and less then average) person can understand the security?
      It's just as important that everyone trusts the voting as it being secure and it's hard to imagine a trustworthy electronic voting machine that most people understand.
      When I vote with paper and pencil and watch the whole procedure, it is very understandable.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
  3. I am an election officer and I am dismissive by davide+marney · · Score: 3, Insightful

    Unless you've spent time running an election, it's hard to appreciate just how distributed the process is. Virginia, where I am an officer, has 2,400+ separate voting precincts.

    None of our voting equipment is networked, not even locally within the precinct. None of the equipment even have the hardware necessary to be networked.

    Nearly 4 million people voted in the last Presidential race. The recount margin is 1%, so the winner and the loser must be within 1% of each other for a recount to be called.

    Thus for a hack to be effective and not be scrutinized by a recount, you'd have to win 1% of 4 million, or 40,000 votes.

    How likely is it that you will be able to hack your way into enough precincts, defeat the chain of custody, get your hands on the machines to do your dirty work -- UNDETECTED -- for EACH and every election (each election has a different ballot, and the order is chosen randomly), and change 40,000 votes? Otherwise, what would be the point of the attack?

    Local elections are secure, disconnected facilities. Anytime I see some hacker "fair" where they've got the covers off and people are probing the equipment, I just laugh. As if. We run a tight ship, and in 238 years of doing this job, we've learned a thing or two about how people try to cheat.

    It's not VOTING you have to worry about, it's REGISTRATION. Registration has many times more attack vectors.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
    1. Re:I am an election officer and I am dismissive by AlanBDee · · Score: 4, Insightful

      If you are truly an election officer then first let me commend you for coming to slashdot and taking the time to share your perspective. May I suggest you spend a little more time reading what many of us here have to say. You may be an expert in the election process but we are experts in hardware and software.

      We are not skeptical of the security of voting machines because we wear tin foil hats; it's because we've seen what can and has happened. You're far too confident that those systems can't be hacked undetected. I suggest you get on youtube and look up videos of people placing skimmers on credit card terminals and explain to me why that can't happen to a voting machine?

    2. Re:I am an election officer and I am dismissive by bussdriver · · Score: 2

      Means nothing. This is like a security guard at the bank saying they run a tight ship and will never be robbed. Then that whole bank bailout mess happens... or the bank gets caught laundering or they are caught doing fake loans and false fees etc...

      Just because your looking in 1 place for 1 kind of threat doesn't mean that is all there is or that it is safe. An organized attack would be a different game... and do you watch... can you verify the machines were completely untouched since last use? Who does IT on them?

      What about totals at the county? I know my county had a ton of issues until I raised them - we had paper but the totals at the county were running on a personal office laptop with insecure internet access and without recounts nobody would notice. It's the 2nd biggest county so there were enough to flip every state race within 8 points. Some old FTP server sent it out to TV but hack that and you'd be into the crap Access DB powering the thing... running on Windoze 98 too. Fixed now; but that is the kind of stuff that went on with a secure PAPER optical scan system.

      --
      Democracy Now! - uncensored, anti-establishment news
    3. Re: I am an election officer and I am dismissive by jd · · Score: 2

      Unnetworked is part of the problem. It means voting machines tally and store, the source of most of the defects.

      Second, that's not a high number. Machines that tally just store a number. It's long past the point where ID is checked. All you need is to preload 40,000 votes in a test (corrupt official) - and that has happened in the past - or you have ten people load in 4,000 votes at the time in precincts with low turnout, OR you hack the election database where the tallies are stored.

      Any of those will work and you know they will because you will have been instructed on this.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    4. Re:I am an election officer and I am dismissive by Anonymous Coward · · Score: 2, Interesting

      Why wait the day of the vote when the machines are distributed everywhere? Why not do it two weeks prior when they are in some warehouse, or from an usb key when somebody plugs in to update, diagnostic or whatever?
      It happened to the Iranians with their uranium centrifuges, it could happen to the Ohioans with their machines...

  4. Re:I just wrote them... by arth1 · · Score: 3, Informative

    "We hold ourselves to a higher standard, knowing that our products and services help maintain democracy in the jurisdictions we service."

    Yeah, right. This is Diebold of former infamy, first changing their name to Premier Election Solutions, and then again merging with Election Systems & Software (ESS).
    Same shit, different wrapper. Why would any state give them a third chance after the first screw-ups? The canapés must be very tall and the drinks very big.

  5. Why do you even need to use a machine anyways? by mark-t · · Score: 2

    There's a limited number of people that are going to be at any single voting station, so manual counts of paper ballots wouldn't take that long, happening in parallel all over the country. The ballots can even be kept for a little while, in case recounts are necessary.

    --
    File under 'M' for 'Manic ranting'