Senators Demand Voting Machine Vendor Explain Why It Dismisses Researchers Prodding Its Devices

Four US senators, members of the US Senate Select Committee on Intelligence, sent a letter on Wednesday to Election Systems and Software (ES&S), the largest voting machine vendor in the US, asking for clarifications on why the vendor is trying to discourage independent security reviews of its products. From a report: The four senators who signed the letter are Kamala D. Harris (D-CA), Mark Warner (D-VA), Susan Collins (R-ME), and James Lankford (R-OK). The senators sent the letter to ES&S following the conclusion of the Voting Village at the DEF CON 26 security conference held in Las Vegas at the start of the month, where security researchers found several security vulnerabilities in the company's products. "We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing," the letter reads. "Many of the world's leading electronics and software companies have opened their arms to the research community, maintaining active presences at the largest security research conferences and inviting 'white hat' hackers to probe their products to identify how they can improve product security," the letter continued. At DEF CON, security researchers found vulnerabilities in the voting machines of other vendors. Only ES&S is mentioned in the senators' letter because of the company's dismissive approach to external security research.

food for thought

[Orrin+Bloquy]

Fruit machines in casinos have to be state certified as honest with their code vetted regularly. Voting machines are largely unregulated.

Re: Re:food for thought

[phantomfive]

Quote from the first page of your link: ".... states are not required to participate in the program..." In other words, they can be tested, but most states don't.

Isn't it Ironic?

[DatbeDank]

How back in the early 2000s here on Slashdot we all were complaining how these electronic voting machines were the work of the devil in how easy they were to hack?

Fast forward to 2018, they're now viewed as Russian hacking devices.

Seems like we're on a collision course to return to the old style paper ballots.

Shame no one listens to us. It seems most tech crises would be avoided! Thankfully we get to bill $300/hr when Mr. Executive's screw up comes to roost!

Re: Isn't it Ironic?

[dryeo]

What about the other piece of electronic voting, namely that the average (and less then average) person can understand the security?
It's just as important that everyone trusts the voting as it being secure and it's hard to imagine a trustworthy electronic voting machine that most people understand.
When I vote with paper and pencil and watch the whole procedure, it is very understandable.

I am an election officer and I am dismissive

[davide+marney]

Unless you've spent time running an election, it's hard to appreciate just how distributed the process is. Virginia, where I am an officer, has 2,400+ separate voting precincts.

None of our voting equipment is networked, not even locally within the precinct. None of the equipment even have the hardware necessary to be networked.

Nearly 4 million people voted in the last Presidential race. The recount margin is 1%, so the winner and the loser must be within 1% of each other for a recount to be called.

Thus for a hack to be effective and not be scrutinized by a recount, you'd have to win 1% of 4 million, or 40,000 votes.

How likely is it that you will be able to hack your way into enough precincts, defeat the chain of custody, get your hands on the machines to do your dirty work -- UNDETECTED -- for EACH and every election (each election has a different ballot, and the order is chosen randomly), and change 40,000 votes? Otherwise, what would be the point of the attack?

Local elections are secure, disconnected facilities. Anytime I see some hacker "fair" where they've got the covers off and people are probing the equipment, I just laugh. As if. We run a tight ship, and in 238 years of doing this job, we've learned a thing or two about how people try to cheat.

It's not VOTING you have to worry about, it's REGISTRATION. Registration has many times more attack vectors.

Re:I am an election officer and I am dismissive

[AlanBDee]

If you are truly an election officer then first let me commend you for coming to slashdot and taking the time to share your perspective. May I suggest you spend a little more time reading what many of us here have to say. You may be an expert in the election process but we are experts in hardware and software.

We are not skeptical of the security of voting machines because we wear tin foil hats; it's because we've seen what can and has happened. You're far too confident that those systems can't be hacked undetected. I suggest you get on youtube and look up videos of people placing skimmers on credit card terminals and explain to me why that can't happen to a voting machine?

Re:I just wrote them...

[arth1]

"We hold ourselves to a higher standard, knowing that our products and services help maintain democracy in the jurisdictions we service."

Yeah, right. This is Diebold of former infamy, first changing their name to Premier Election Solutions, and then again merging with Election Systems & Software (ESS).
Same shit, different wrapper. Why would any state give them a third chance after the first screw-ups? The canapés must be very tall and the drinks very big.