Voting machine maker claims vote machine hack-fests a 'green light' for foreign hackers

Voting machine maker ES&S says it did not cooperate with the Voting Village at hacking conference DEF CON because it worried the event posed a national security risk. This is according to a letter the biz sent to four US senators in response to inquiries about why the manufacturer was dismissive of the show's village and its …

  1. DJV Silver badge

    Weasels!

    "Voting machine vendor ES&S says it did not cooperate with the Voting Village hacking competition at DEF CON because it worried the event posed a national security risk."

    Bollocks, more like it posed a risk to exposing how lousy ES&S's security really is! Do they build insecure IoT crap as well?

    1. Anonymous Coward

      Oldschool saying comes to mind

      Worried about 'National Security' or 'Natural-Insecurity'

    2. big_D Silver badge

      Re: Weasels!

      Exactly, everybody in the security industry or with any interest in IT security already knew that voting machines are one of the biggest security holes out there - probably only second to PLCs that have been put online with no thought to additional security (i.e. they were designed to be air-gapped, so no security was implemented, now they are online and the only security, the air gap, is gone).

      1. Prst. V.Jeltz Silver badge

        Re: Weasels!

        already knew that voting machines are one of the biggest security holes

        I didn't know that. I had assumed that, unlike IoT producers, it might have at least crossed the minds of the voting machine makers that some security would be needed. I'm not saying they're secure (what is) but surely they tried?

        (despite the fact this idiot ceo refuses to show the results of their efforts)

        1. big_D Silver badge

          Re: Weasels!

          In the past, they (various voting machine manufacturers) have tried several different tactics to stop the devices being tested at all.

          For a start, part of the contract of sale prohibited the owner performing security tests or letting security tests be performed on the machines, they tried to restrict the resale of old machines, so they couldn't be bought by pen-testers and they tried using the DMCA to stop the machines being tested.

          So, yes, they tried a lot of things in relation to security, but more in the direction of burying their heads in the sand and silencing anyone who could tell them they had loused it up.

        2. JohnFen Silver badge

          Re: Weasels!

          "I'm not saying they're secure (what is) but surely they tried?"

          From the day that voting machines were put into use, it was readily apparent that they didn't even try. They put some effort into making them look secure, but little effort into making them actually secure. And, also from day 1, when people pointed out the numerous serious flaws in the machines, their response was not to fix the flaws, but to condemn those who were looking for, and found, them.

          Just as they continue to do today.

    3. Velv Silver badge
      Facepalm

      Re: Weasels!

      clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop

      Yup, that's the sound of the horse already out of the stable, no point finding out how to close and lock the stable door now

      1. Frumious Bandersnatch Silver badge

        Re: Weasels!

        clip clop clip clop ...

        Viz Top Tip:

        Bang two pistachio shells together to recreate the sound of a really small horse on the cheap.

    4. Pen-y-gors Silver badge

      Re: Weasels!

      It could only pose a 'threat to national security' if the voting machines are actually insecure. It's not as if the hackers are creating the security holes.

      So the threat is actually the manufacturer.

    5. Giovani Tapini

      Re: Weasels!

      Why would they fix the issues? The machines are clearly designed to let the Russians dictate the election results. It would not be wise to remove their ability to do so... (depending on whose story you believe)

    6. a_yank_lurker Silver badge

      Re: Weasels!

      Please do not insult weasels, they like to feast on vermin like ES&S.

      Seriously, anything that is linked to the web is vulnerable to attack and needs to be secured. Does not matter what it is, it will be attacked. Some will be harder to get at as they might not be directly accessible, that only makes them somewhat less vulnerable not invulnerable. Anything that is mission critical as a voting machine should be considered should be thoroughly tested by outside experts to find the failures. If they can find them then black-hats can find them also.

    7. Eddy Ito Silver badge

      Re: Weasels!

      Do they build insecure IoT crap as well?

      Are you giving odds? I'd be willing to put a tenner or two on their voting machines being insecure IoT crap for the right moneyline.

  2. ITS Retired

    Electronic voting machines need to be insecure, so that the local precincts can have the correct winner.

    That is the why of no paper trail, internet connectable, common admin passwords among machines, some flavor of Windows, proprietary secret software and firmware and so on.

    These people also make very secure ATM machines, so it is not like they don't know how to do voting machine security right.

  3. Nick Kew Silver badge
  4. DryBones

    Er...

    Perhaps they should try being less rubbish instead. Did they ever think of that? Thought not.

    1. Mark 85 Silver badge

      Re: Er...

      Security by obscurity, surely. So they won't participate in these kinds of things, that's fine. Now for the disclaimer...if they really wanted to ensure security, they would maybe go open source? Or invite selected white hat hacker types to test either on-site or in very secure locations?

      It's not a question of "they're happy to work with outside researchers" but are they actually doing it? This article on the heels of the previous one, smells like a fish that's been left in the sun for a week.

      1. big_D Silver badge

        Re: Er...

        Going Open Source isn't necessarily going to bring any changes to the security of the product. Plus it is probably considered a "trade secret" and can't be open sourced.

        On the other hand, for something as important as a voting machine, the purchasers should be ensuring that what they are buying has been thoroughly, independently tested, before handing over any money.

        1. kain preacher Silver badge

          Re: Er...

          Open source is worthless if you don't let people see the code.

          1. kain preacher Silver badge

            Re: Er...

            To the person that down voted me, you think Open source is good if you can't see the source code that is being run. How do you know what back doors are in it? Open or closed source makes no diff if people can not see what's running under the hood.

            1. JohnFen Silver badge

              Re: Er...

              I didn't down vote you, but I'll take a guess that the person who did was thinking something like "being open source means that people can look at the code". If you can't see the code, then it isn't open source.

            2. strum Silver badge

              Re: Er...

              >you think Open source is good if you can't see the source code that is being run

              You're being downvoted because you seem to be unaware that if the code can't be seen, it ain't open source.

        2. JohnFen Silver badge

          Re: Er...

          "Plus it is probably considered a "trade secret" and can't be open sourced."

          That's another issue. Machines that are intended to tally votes should not be allowed to have any secret code at all. Ideally, it would be available to the public. But, if that's too much for their weak stomachs, then at least it should be available to security researchers.

          Claiming "trade secret" should automatically mean "no sale".

          1. kain preacher Silver badge

            Re: Er...

            "Plus it is probably considered a "trade secret" and can't be open sourced."

            That's exactly what Diebold claimed and then promptly sued the state of New Jersey to stop them from looking.

  5. Allan George Dyer Silver badge

    Most Secure Voting Machine

    The pencil (with appropriate procedures)

    1. onefang Silver badge

      Re: Most Secure Voting Machine

      "The pencil (with appropriate procedures)"

      I still think the pen I bring with me is even more secure.

      1. hughca
        Coat

        Umm...

        "I still think the pen I bring with me is even more secure."

        Only if it's been rigorously pen-tested...

        ...sorry...

        1. Anonymous Coward

          Re: Umm...

          Well it is better than a sword.

          1. onefang Silver badge

            Re: Umm...

            Yeah, a sword is just a bit too unwieldy to use to make your mark on a ballot paper. Though it does leave no doubt about your voting intentions if you use it to make your mark on a politician. Which I think was one of the original design goals for swords.

            1. Velv Silver badge
              Happy

              Re: Umm...

              "it does leave no doubt about your voting intentions"

              There was a case in the UK where instead of an X in the box, the voter had written a bad word against four of the five candidates. While those four candidates sought to have the ballot paper declared excluded, the presiding officer had to agree that the voter had expressed a clear preference for one of the five.

          2. Giovani Tapini

            Re: Umm...

            Swords are large and can leave a mess. Why not just stick to hanging Chad instead

            1. onefang Silver badge

              Re: Umm...

              "Swords are large and can leave a mess. Why not just stick to hanging Chad instead"

              I don't think there are any politicians around here called Chad.

      2. tom dial Silver badge

        Re: Most Secure Voting Machine

        Traditional "counting" methods include both completing ballots when the voter skipped an office or voted for fewer candidates than allowed and (probably much more often) invalidating voters' choices (by marking additional boxes or bubbles) when they made "mistakes."

        It is convenient if everyone is forced to use the same marking instrument (pencils often are preferred because a voter can correct a misplaced mark rather than enduring the fairly significant hassle of having the election judges cancel and issue a replacement ballot). Use of a variant marker will insure, at most, the security of a single ballot; corrupt ballot counters will simply omit it from their correction activities.

        1. Allan George Dyer Silver badge

          Re: Most Secure Voting Machine

          @tom dial - Appropriate counting procedures make such malpractice impractical. My personal experience is with UK county council elections, where I acted as an observer. Each candidate could have observers at the count. Observers had to swear in front of a JP that they would not interfere beforehand. Ballot boxes were opened and ballots counted in view of the observers who could raise queries. Spoiled and questionable ballots were reviewed by the Returning Officer with the candidate's Agents. Ballot counters were mostly (all?) local government employees. Nothing is hidden.

          It's all scalable - if you're a candidate with a chance of winning, you have enough supporters to act as observers; larger constituencies have larger pools of local government employees to act as ballot counters. A corrupt ballot counter is risking their permanent job, and has very little opportunity to act unobserved.

          1. tom dial Silver badge

            Re: Most Secure Voting Machine

            @Allan George Dyer: Appropriate counting procedures make this misbehavior more difficult, but not necessarily impractical. You describe theory and, as far as I know UK practice, quite accurately. I described reasonably well documented US historical practice, where manual counting, when used, customarily is done by teams of election judges representing at least two political parties. As in the UK, the procedure may be witnessed by independent (i. e., non-official) observers. Skewing the count requires no more than the practical skills of a magician, and has not always been free of corruption.

            Voter marked paper ballots clearly are the most transparent and easily understood way to record votes. Vote counting, whether by humans or machines has vulnerabilities. They can be mitigated and rendered less probable, but probably cannot be eliminated entirely and may sometimes affect the outcome of close elections.

            1. strum Silver badge

              Re: Most Secure Voting Machine

              >manual counting, when used, customarily is done by teams of election judges representing at least two political parties. As in the UK, the procedure may be witnessed by independent (i. e., non-official) observers

              That's not how it works in the UK. The counting is done by non-partisan officials. They are supervised by representatives of the parties.

        2. ivan5

          Re: Most Secure Voting Machine

          No matter how good the counting methods are the big question is how do you get round the problem that is best expressed as:

          'Grandma was a loyal Republican until the day she died. Ever since, she's voted Democrat'

          No machine or counting system is going to counter that.

          1. Stork Bronze badge

            Re: Most Secure Voting Machine

            In Denmark (at least) where everybody is registered to a scary degree, that cannot happen. By law you have to register in the municipality where you have your residence, and the electoral roll is simply the subset of residents who are old enough to vote and have suitable nationality. Yes, prisoners can also vote.

            The consequence is that when your status changes to "dead" you are taken off the roll.

            These are the upsides of the pervasive registers.

          2. a_yank_lurker Silver badge

            Re: Most Secure Voting Machine

            @ivan5 - That problem is with the voter rolls and their maintenance plus whatever id is required to prove your identity to vote. A different issue altogether than the security of the actual vote. If the actual vote totals can easily be manipulated without easy detection by the counters then all elections are in question as one does not know what the real votes were. Cleaning up voter rolls is important but not as critical as making sure the votes can not be changed without detection. The 2000 US fiasco in Florida was an example of having the actual ballots for a recount (Bush won them all). Even if there were issues about how to count some ballots ("hanging chads") one had the physical evidence to look at.

    2. Claptrap314 Bronze badge

      Re: Only Secure Voting Machine

      Fixed the title for you.

      I've worked about 30 elections, all in Texas.

  6. Anonymous Coward

    Security

    NO votes!

  7. John Smith 19 Gold badge
    Thumb Up

    "Ignorance of insecurity does not get you security. "

    The most succinct description of why security by obscurity (even with special "National Security" BS sauce) doesn't work.

    Yes I also wonder if they have a division of code monkeys who sling IoT s88t

  8. Potemkine! Silver badge

    Voting machines are nonsense

    Every sane democracy should get rid of it. All these companies should be out of business, they are a threat rather than a solution.

  9. Prst. V.Jeltz Silver badge

    "Why Electronic Voting is a BAD Idea"

    Y'all know Tom Scott, professional YouTube geek?

    https://www.youtube.com/watch?v=w3_0x6oaDmI

  10. Anonymous Coward

    Crudbump has a great song about Christmas.

  11. Prst. V.Jeltz Silver badge

    When J Clarkson and co ask the manufacturers to loan them their latest hatchbacks for a comparison test, they do it - because even if they don't win the comparison test, to refuse to enter shows they have no confidence in their product. .... and the testers would possibly get one elsewhere anyway.

    And to show that lack of confidence when you make VOTING machines??

  12. qwertyuiop

    I can't remember where I read (or heard) this, but it seems entirely appropriate here: "Hackers don't break things, they just prove they were broken in the first place".

    1. Mongrel

      Hackers don't break things

      Not forgetting that these are the good guys, for some slightly fuzzy definitions of good, who are willing to show their work. We generally have no idea how far along the bad guys are in defeating the 'security' on these machines.

  13. This post has been deleted by its author

  14. elvisimprsntr

    Don't some of the voting machine manufacturers also make ATM machines which are vulnerable to remote jackpotting and have one key fits all locks? I would not be surprised if they also manufacture the computer systems in gas pumps. That is all one really needs to know to make an educated guess about security of voting machines.

  15. DropBear Silver badge
    Trollface

    So, um... (you knew this was inevitable, didn't ya) ...voting based on blockchain, anyone?
