No, a Teen Did Not Hack a State Election (propublica.org)
Headlines from Def Con, a hacking conference held this month in Las Vegas, might have left some thinking that infiltrating state election websites and affecting the 2018 midterm results would be child's play. Articles reported that teenage hackers at the event were able to "crash the upcoming midterm elections" and that it had taken "an 11-year-old hacker just 10 minutes to change election results." A first-person account by a 17-year-old in Politico Magazine described how he shut down a website that would tally votes in November, "bringing the election to a screeching halt." But now, elections experts are raising concerns that misunderstandings about the event -- many of them stoked by its organizers -- have left people with a distorted sense of its implications. From a report: In a website published before r00tz Asylum, the youth section of Def Con, organizers indicated that students would attempt to hack exact duplicates of state election websites, referring to them as "replicas" or "exact clones." (The language was scaled back after the conference to simply say "clones.") Instead, students were working with look-alikes created for the event that had vulnerabilities they were coached to find. Organizers provided them with cheat sheets, and adults walked the students through the challenges they would encounter. Josh Franklin, an elections expert formerly at the National Institute of Standards and Technology and a speaker at Def Con, called the websites "fake." "When I learned that they were not using exact copies and pains hadn't been taken to more properly replicate the underlying infrastructure, I was definitely saddened," Franklin said. Franklin and David Becker, the executive director of the Center for Election Innovation & Research, also pointed out that while state election websites report voting results, they do not actually tabulate votes. This information is kept separately and would not be affected if hackers got into sites that display vote totals.
Linux geeks and programmers on Slashdot, we know damn well they hacked the website, not the voting machine, and we also know damn well that any voting machine without a paper audit trail reports whatever votes the Russian hacker says it should report.
Stop the PR effort against auditability, and help get the last of the states still using non-auditable voting machines to get their shit together.
There should *not* be a single voting machine now that cannot be audited, yet Florida and Pennsylvania, both swing states, are both running large numbers of DRE machines without paper audit trails. How the f**k is that even legal? They could never comply with a recount, because they could only recount what the voting machine says it recorded as the vote, not the actual voter's vote.
It's not a good thing, to pretend there is no problem here and sweep it under the rug, block the use of the paperless voting machines and use the emergency paper voting backup. Because the vote is worth far more than the Grocery you bought at Walmart and received a *paper* receipt for.
Sometimes people feel so strongly about a cause, for example the dangers of electronic voting, that they think it's ok to distort information or even outright lie for that cause. It's becoming very common - and I think it's always wrong.
While the organizers of the event themselves stoked the misunderstanding, everything about it smelled like a kids' hacking competition with an election theme rather than a real thing. Even if you assumed that the headliner child was some sort of once-in-a-lifetime super genius, it certainly wouldn't have been the case for the majority of the participants to succeed, which did occur.
If the real thing were so trivial that an 11-year-old could casually do it, then one of the *huge* number of veteran security researchers would have found those problems for real in the real sites.
XML is like violence. If it doesn't solve the problem, use more.
You mean an 11-year-old boy and 11-year-old girl didn't just hack all-der-voting-machines with their mad-crazy l33t hacking skills alone?!?
You lied to me AGAIN, media! DAMN YOUR HOUSE OF LIES!
SJW: Someone who has run out of real oppression, and has to fake it.
Yeh sure, the election wasn't hacked, those hacked emails were all nothingburgers and Slashdot wasn't deluged with a bunch of "Texas Housewives" suddenly concerned about "Benghazi".
Also computers never get hacked, even modern ones, Windows XP used in these old voting machines without paper trails has stood the test of time. No need to add any kind of paper trail, or test their security, since mother time has tested it for you!
Also Russian asbestos is totally tasty and edible and should be used as a filler in nothingburgers!
As I commented in another thread on election security, unless you have run an actual election, you probably don't appreciate the sheer scale of what's involved in securing an election. I am an election officer in Virginia. Let me shed some light on the subject.
An election is a massively live event involving hundreds of millions of individuals spread out over 7 time zones (don't forget Guam) and an entire continent-sized geographic area.
51 independent elections are held, each with their own rules of procedure, equipment, and personnel, with the exception of some common rules for federal elections.
Within these 51 elections there are thousands of individual voting precincts where the actual votes are counted. Each one of those 51 x 000s precincts is under the complete supervision and control of volunteers. No politician or government worker ever administers the casting of a vote. This is done by your neighbors, a veritable small army of people.
A voter can only vote in the same physical place where they are a resident. You cannot vote remotely.
Before you can cast your vote, in most states you must prove your identity and residency. In all states, this process is entirely disconnected from the actual casting of a ballot.
Except in two states that allow mail-in voting (shame on them), your vote is completely private. No one can force you to vote against your conscience. No one can force you to prove how you voted.
The threat surface of such an undertaking is massive. There is the possibility of fraud in registering voters. There is possible fraud in selecting and configuring equipment. There is possible fraud in authentication. There is possible fraud in training (or lack thereof). There is possible fraud in counting. There is possible fraud in administration and reporting. And on and on.
There is no "this one thing" that can defeat an election. To successfully throw an election is a non-trivial task of monumental proportions. Of course that doesn't stop people from trying.
The gold standard preventative tools we use to secure a vote are:
- Contemporaneous, independent protocols recording the votes, such as scanned paper ballots, hourly running call logs of the number of voters voting, and duplicate end-of-day reports placed under court custody
- 100% Chain-of-custody controls of equipment
- Black-box testing
- Training, training, training
- Aggressive de-duplication and data cleansing.
Anyone who tells you that some 11-year-old can "throw" an election with a hack on some copy of a reporting web site is just trying to sell you something or gain some internet fame.
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
Only exist in film.
Avantgarde Hebrew science fiction
...Headlines from Def Con, a hacking conference held this month in Las Vegas, might have left some thinking ...
... but all the articles I read on the topic left me with the impression that it was a duplicate copy of the election system, not the real, live election system itself.
I don't think you quite grasp the degree to which how many Americans have literally no voice in things.
Gerrymandering only impacts House elections and state assembly and other local elections, gerrymandering has no impact on Senate or Presidential races, where state electoral votes are assigned based on the state-wide totals each candidate receives.
Your willingness to declare your vote meaningless in all elections is interesting, I suspect it is you that doesn't quite grasp how the election process works.
Ken
I knew as soon as I heard the story that it was 100% pure, uncut bullshit. That much was obvious. I figured the "exact copy" of the website was the HTML code your computer downloads when visiting the site, and that THAT's what he allegedly changed, which is a bit like claiming someone can hack your car and open the doors because he can open the doors on HIS car, which happens to be the same kind as your car, and oh, we forgot to mention the doors were already unlocked... or something like that. In any case, even if for not precisely the right reasons, I was right about the fact that the story was total bullshit.
HOWEVER... I can't help but wonder if this is going to turn into a zombie-lie, you know, a fake, bullshit story that people go on citing over and over again either in stupid, pointless verbal arguments or in substantive, meaningful, important debates on matters of policy, and that the dolts who are convinced that an 11-year-old hacked into the voting system of a US state... will keep spouting this debunked claim over and over again. I'm sure in some circles, it will. Anything, for some people, that serves the point of their argument, they'll insist is "valid" even when it plainly ISN'T.
Our reign has gone on long enough. Indeed. Summon the meteors.