Voting Machine Manual Instructed Election Officials To Use Weak Passwords

An anonymous reader quotes a report from Motherboard: An election security expert who has done risk-assessments in several states since 2016 recently found a reference manual that appears to have been created by one voting machine vendor for county election officials and that lists critical usernames and passwords for the vendor's tabulation system. The passwords, including a system administrator and root password, are trivial and easy to crack, including one composed from the vendor's name. And although the document indicates that customers will be prompted periodically by the system to change the passwords, the document instructs customers to re-use passwords in some cases -- alternating between two of them -- and in other cases to simply change a number appended to the end of some passwords to change them.

The vendor, California-based Unisyn Voting Solutions, makes an optical-scan system called OpenElect Voting System for use in both precincts and central election offices. The passwords in the manual appear to be for the Open Elect Central Suite, the backend election-management system used to create election definition files for each voting machine before every election -- the files that tell the machine how to apportion votes based on the marks voters make on a ballot. The suite also tabulates votes collected from all of a county's Unisyn optical scan systems. The credentials listed in the manual include usernames and passwords for the initial log-in to the system as well as credentials to log into the client software used to tabulate and store official election results.

Re:Unity?

[LynnwoodRooster]

Paper ballot, voter ID, absentee ballots need to be applied for each election. No need for anything else.

Re:Unity?

In Russia they use paper ballots, and the number of people through the door is about 1/3rd of the total claimed vote count.

When a candidate wins that Putin doesn't like, he cancels the election due to ballot stuffing (because they didn't stuff enough ballots in to rig the vote, they have to cancel it due to their own ballot stuffing!).

You also need the structures in place to verify the count, verify the votes correspond to the people who voted and so on.

Once you decide to put party before country, and manage to seize power over the judicial processes that control the election you are lost.

You end up with elections run by the people who are running for election (Kemp in Georgia), decided by partisan judges (like Kavanaugh), with news outlets telling lies they know are lies. (Fox News).

Re:California Republicans

You probably wouldn't last 20 seconds in front of Robert Mueller without blurting out some retarded falsehood and getting insta-carted off to Federal prison, just like Trump is about to...

With Trump there are two possibilities.

1. He knows 100% what he is saying. He is on top of things but chooses to lie about everything, even when it makes no sense to do so.

2. He is mentally unfit for the position he is in, but not stupid. He is a very accomplished con man and is going with his gut and his wits to find the levers necessary to move the electorate, mo matter the cost, particularly with respect to keeping the senate, which are really the only ones who could really stop him.

Notice that (1) doesn't make sense. His own actions sometimes don't make sense from this viewpoint, and his own lawyers have said, you can't testify. You will be convicted of perjury. I think it is really 2. We have someone in office who thinks the ends justify the means, if the result is Trump wins, and really only has two skills. 1. He is an accomplished con man. 2. He never gives up. Have you noticed that several times lately his only defence is, "It worked," as if that is all he needs? That is his ends justify the means stuff.

Failure is not an option

[jd]

Few obvious questions.

First, with aren't they using smart cards with passwords on the keys?

Second, why did the software permit weak choices? Manual be damned.

Third, why are infosec officers not replacing those pages in the manual, training users in proper procedures, rejecting the products at user acceptance or running tools for weak password detection?

This is a failure of the entire procurement procedure, start to finish.

how hard is it?

[pereric]

Should not be too hard making a good voting system?

Sweden (and many Europeans do it like this): Every citizen get sent a physical voting card to their home address (including information on where and how to vote). No need for registration, just being a citizen (national elections) or at least legal resident (local elections). Election places are all over towns, usually in schools of libraries. They are staffed by volunteer respected citizen.

On election day, you go to the election place, take some ballots and envelope, and put one ballot in one envelope per election. Then you show your card at the front desk (always staffed by several volunteers), and get ticket off in the electoral roll. If you have lost your card, you can use some ID. The envelopes are put in sealed boxes (one per election) under your supervision. (Oh, you can also hand in you vote in advance, at advance election places anywhere in the country (and at consulates). They will be sent to your election place, and used if you haven't voted physically)

The boxes are kept under supervision, and when election closes, counting starts. Everyone is welcome supervising the opening of boxes and envelopes, as well as the counting. Results are usually presented the same evening. The ballots are then handed in and re-counted once at a central location for each county just to be sure.

The system is easy to audit, and hard to cheat - especially on a systematic nation-wide level (which is much easier if there is a electronic system to attack)

Re:Unity?

[Kiuas]

Or are you opposed to proving identity when voting, like most of the rest of the world requires?

Greetings from the rest of the world. Here in Finland we do in fact have to provide ID upon voting, and we do not have to to register to vote because your ID is checked against a list of eligible voters upon arrival to the voting site. However, social services also funds the cost of the ID for those who cannot afford it (which is why essentially everyone in Finland has an ID). This being the case, the ID requirement does not prevent anyone from voting regardless of income status. This point is often conveniently left out in the american discussions over voter IDs when the 'pretty much everyone else does it' -argument is presented because from what I've seen so far, voter ID proposals in the States don't have provisions for providing an ID for people who can't pay for it, and that's the crux of the problem.

Voting is such a fundamental right that it should never be gated behind a financial barrier of any kind, wouldn't you agree?