Electronic voting box makers want kit stripped from eBay – and out of hackers' hands
Vendor intimidation, default passwords, official state seals for sale. Yes, we're talking about computer-powered election machines. The organizers of last year's DEF CON Voting Village – a corner of the annual infosec conference where peeps easily hacked into electronic ballot boxes – are preparing for a similar penetration- …
COMMENTS
-
Tuesday 23rd January 2018 09:40 GMT Anonymous Coward
Want to make congress act to secure voting machines?
Spread rumors on both political fringes that the 'other guys' have spent millions to recruit top hackers to compromise the machines and cheat in elections and guarantee an everlasting all blue or all red future and let the echo chambers start echoing.
If one thing will motivate congress to act, it is putting the fear of losing into the majority on each side who believe themselves to have invulnerable "safe seats" thanks to gerrymandering or simply being in a very blue or very red state.
-
-
Tuesday 23rd January 2018 10:07 GMT Anonymous Coward
Re: Admin passwords in the user manual
If they have a default Admin password it is probably better to have it in the manual and therefore transparent about it. When there is a default password and it is told to people on a need to know basis then there is an issue as you may not find out until it is too late.
Obviously better not to have a default password all all or at least one that only lasts until you turn the machine on for the first time.
-
Tuesday 23rd January 2018 15:22 GMT Antron Argaiv
Re: Admin passwords in the user manual
In Massachusetts, we use a (machine readable) paper ballot. Mark with ink, then insert into the reader.
Now, the totals could be hacked (or inaccurate for other reasons, including machine failure) but the paper ballot is the legal vote, and they are retained for hand counting if necessary.
Seems like common sense.
-
Tuesday 23rd January 2018 19:00 GMT Anonymous Coward
Re: Admin passwords in the user manual
While I don't think paper ballot into reader systems (which I use here as well) should be replaced until they are EOL, I would like to see touchscreen voting where the touchscreen prints a human readable ballot which the voter inserts into the reader.
That way the voter can verify that his votes are correctly recorded, human recounts can be done, and those recounts will be indisputable because every vote will be clearly marked - no arguing about the voter's intent when one circle is filled in and another has an X through it.
-
Monday 29th January 2018 09:01 GMT MachDiamond
Re: Admin passwords in the user manual
"Now, the totals could be hacked (or inaccurate for other reasons, including machine failure) but the paper ballot is the legal vote, and they are retained for hand counting if necessary."
The paper ballots could also be put through several machines that have gone through different chains of custody to make it much harder to insert a hack. If the totals don't agree to a very high degree of precision (nothing is error proof) across all machines, the count is suspended until all of the machines can be tested.
-
-
-
-
Tuesday 23rd January 2018 09:41 GMT Anonymous Coward
Some things just shouldn't be made electronic/automated etc. Voting is one of them. Our voting method in the UK is understood by anyone - a glance at a piece of paper to see which box has a cross in it. No need for a computing degree to understand what's gone on, possible to recount, far less doubt that the process has been meddled with.
-
Tuesday 23rd January 2018 11:08 GMT DaLo
Ah yes, no voter fraud at all. It is impossible to register your dog to vote or utilise the postal voting system to gather as many votes as you want. It's not like anyone could turn up to vote saying they are someone else.
Luckily no blank voting slips go missing or boxes with completed ballot papers and all the blank postal ballots are delivered safely.
Absolutely agree nothing can beat the good 'ol UK paper voting system for ensuring no fraud takes place.
-
-
Tuesday 23rd January 2018 13:12 GMT Anonymous Coward
Re: @ DaLo
The "least irrelevant place" is by definition the most relevant place. What's the problem? :)
What DaLo is on about is that paper based voting is no more tamper-proof than electronic, thus the OPs point of "some things shouldn't be made electronic" (because paper is implied to be better) isn't true.
I'd have no problem with electronic voting, if the manufacturers did as a poster above mentioned, and donated a machine or two to these conferences for "testing". If they refuse to do that, then I'll assume these are known-to-be-insecure by the manufacturer and not fit for purpose. The more they try to prevent hackers getting hold of these machines, the more I'll believe that.
If one of these manufacturers had a brain, they could use these conferences to improve their product, "hacked at conference", security hardened, "hacked at conference", security hardened, "hacked at conference", security hardened, "survived conference" - holy crap... that company has a voting machine that openly survived an attack by hackers, granted they got their teeth kicked in a few times prior, but they got back up, secured the product and tried and tried again BEFORE claiming it was secure.
If that didn't stand you out above the rest, I'm not sure what would.
-
Tuesday 23rd January 2018 14:09 GMT Stork
Re: @ DaLo
As we all know computers are way more efficient that papers based methods (well, that's what IT lives from, right?).
In practical terms, I am convinced it is much easier to commit significant, undetected (as in result-altering) election fraud with non-paper based voting. That is reason enough for me.
-
-
Tuesday 23rd January 2018 13:17 GMT DaLo
Re: @ DaLo
"Our voting method in the UK is understood by anyone ... far less doubt that the process has been meddled with"
Seemed to suggest that using a paper based system created less doubt that it had been meddled with - meddled I would assume meant a chance of fraud which also meant less chance of fraud than an electronic system.
So I would imagine that a list of areas where the UK voting system can be meddled with in response to a post saying that the UK voting system had far less doubt that it had been meddled with is hardly "the least [ir?]relevant place" to post a reply.
-
-
Tuesday 23rd January 2018 14:37 GMT DaLo
Re: @ DaLo
"He was saying that the paper voting method was less susceptible to fraud. The crap state of voter registration in the UK is a different matter."
I gave 1 example of voter registration fraud and 5 of possible voting method fraud. Postal voting and no-ID voting is rife for abuse in the current system.
-
-
-
-
-
-
Tuesday 23rd January 2018 09:44 GMT AndyS
> "You'd think you could only buy these if you had a government ID and wee in the state of Michigan..."
Exclusively? Or just on occasion? I would certainly qualify if I was in Michigan, and I can categorically say that, when I was in Michigan, I did. But I wouldn't have linked that to any sort of security clearance. I mean, surely even their senators wee elsewhere when they are out of state?
-
Tuesday 23rd January 2018 13:11 GMT Anonymous Coward
Back in the 1990s, I was an election commissioner in South Carolina when the state was looking at electronic voting machines. Discussions with multiple vendors left me uneasy at the quality of their coding and the lack of a printed voting record for verification in the event of a challenge and recount. South Carolina along with most other states purchased the less-than-secure voting machines and operated for 20 years without reports of Russian hacking. One wonders how long it took for the hackers to infiltrate the electronic voting empire before it was finally reported by the media?
-
Tuesday 23rd January 2018 13:16 GMT Jason Bloomberg
Behind every great politician...
Voting isn't about the outcome; it is about perpetuating the system.
Who is running the show at any point in time isn't half as important as the system itself.
As long as people are voting it allows it to be said that the system is perfectly fine. That's why there is often more focus on encouraging people to vote, no matter how much more voter fraud that may produce, than there is in limiting voter fraud.
-
Tuesday 23rd January 2018 14:10 GMT Aodhhan
Ahh yes the old paper voting system.
The argument goes, there's no way you can hack the voting system using this method right and of course you can recount them.
There is absolutely no way to hack the voting system using this 'old fashion' method.
Pfftt... c'mon. A security professional should know better.
The old paper, pen, write in, mark a box, fill in an oval etc. has been hacked for HUNDREDS of years.
Someone grabs/casts more than one ballot. Someone who has access can 'lose, add or change ballots.
With the added number of people involved when it comes to paper ballots, it's open to a lot of fraudulent activities. I.e. the original hacker.
There is good and bad to all methods. Along with strengths, weaknesses, vulnerabilities and risks to ALL methods. This is something all computer security professionals should realize.
So I'm assuming, those who want to damn the use of computerized voting systems are ignorant to
-
Tuesday 23rd January 2018 15:22 GMT Antron Argaiv
Ahh yes the old paper voting system.
Hackable, yes, and has been many times, as you correctly point out.
But it takes effort and is detectable. Ballot slips are stored securely (doesn't mean they can't go missing, bit then, someone wasn't doing their job). Counts can be falsified, marked ballots can be lost. But again, there's a record of how many ballots were cast (and who cast them).
My town has printed voter lists, you have to give your name and address, and they physically cross you off the list. You could pretend to be someone else and vote twice, I guess, but you run the risk of being caught if that person has already voted.
-
Monday 29th January 2018 09:00 GMT MachDiamond
"My town has printed voter lists, you have to give your name and address, and they physically cross you off the list. You could pretend to be someone else and vote twice, I guess, but you run the risk of being caught if that person has already voted."
It's the same where I live. I find that a pretty good check. I also vote early in the day. If a person requests a ballot by mail, they should appear on the list as having been sent a ballot to vote by mail and have to surrender it as a complete package to vote in person. If the package isn't complete or is marked, they must complete the mail ballot and send it in that day.
-
Tuesday 23rd January 2018 22:59 GMT Stork
It takes a lot of effort to change paper results on a scale that matters in the big picture. In the physical World, the larger the fudge the bigger the chance is to be found out. Electronically, change 1 or change a million, (almost) same risk.
FPTP is arguably worse, because you can focus the efforts in the swing districts.
-
-
Tuesday 23rd January 2018 15:42 GMT Anonymous Coward
(I posted the comment re: "far less doubt that the process has been meddled with.")
I appreciate as pointed out, that the paper system isn't perfect. However, many of the issues with it could be tightened up. Bin the postal system, ask for ID when people vote, etc. Of course, nothing is likely to prevent fraud entirely, no-one claimed as such...
What's important though is that even the dimmest of voters can understand how the votes were accumulated and counted. Paper also gives the option of a recount, by entirely separate parties.
Voters shouldn't have to take the word of a Computing graduate that "all is well".
-
Monday 29th January 2018 09:01 GMT MachDiamond
"Bin the postal system, ask for ID when people vote, etc."
What if you know that you will be out of town or the country on voting day? What if you have mobility issues and getting to the polling place is very difficult?
Just today, Washington state stated they will not be requiring that people applying for a driving license or State ID have to give their country of birth. That will make it easier for non-citizens to vote since it is the state that organizes and oversees voting within the state, not the US federal government.
-
-
This post has been deleted by its author
-
Tuesday 23rd January 2018 17:10 GMT JaitcH
Ontario, Canada doesn't have these problems . . .
because voters mark up paper ballots that are then scanned for a vote tally.
The USA, being the self-proclaimed technology 'leader' - paperless voting (in many cases). What could go wrong?
In a word: 'Russia".
In Ontario, and many other jurisdictions, a recount is easy - just rerun the scanning operation.
Watch for the US' next voting revolution!
-
Tuesday 23rd January 2018 19:00 GMT kain preacher
Re: Ontario, Canada doesn't have these problems . . .
It works like that in the sates that have electronic voting . But states like Alabama took things in a weird direction. They only kept the paper ballots. After the election they toss the digital results. IF you were to a de count you can not tell if the paper ballots match the digital count
-
-
Monday 29th January 2018 09:01 GMT MachDiamond
Re: Ontario, Canada doesn't have these problems . . .
"It is my understanding there is a Federal election law that requires election officials to keep a hardcopy of election machine counts for two years."
In the US, the Federal government can't even get the states to do an audit to find out how bad the fraud is in that state. President Trump tried and was given the Bird. I'm guessing that it would be too embarrassing to the states to have to admit that there is any. Quick approximations I did in an area of California that had good census data, voter counts and posted history of voter turn out was very interesting. Not conclusive, but unusual enough to warrant a critical look.
-
-
-
Tuesday 23rd January 2018 19:47 GMT ITS Retired
Re: Ontario, Canada doesn't have these problems . . .
"In Ontario, and many other jurisdictions, a recount is easy - just rerun the scanning operation."
Using different scanners than used the first time!
If there is a discrepancy, first check ballot count against voter count. Then check the accuracy of the original scanners. If election fraud is indicated, then start looking for people to put in prison.
In a few election cycles, honest elections might start happening.
-
-
Monday 29th January 2018 09:01 GMT MachDiamond
Re: Ontario, Canada doesn't have these problems . . .
"So, if the first scan was inaccurate how will a second scan be any better?"
If you are assuming that the physical ballots are ok and it's the counting machines that are wrong, you use machines that have checked with known stack of samples that are indistinguishable from the real ones. The second set of machines should have also gone through a different chain of custody.
-
-
-
Thursday 25th January 2018 12:42 GMT Nimby
a beautiful piece of legislation
Does anyone else see a problem with legislation to require training officials when in the training material election officials are instructed not to change the default password, and if someone had already, to reset passwords to the defaults?
Fortunately it doesn't matter anyway, because especially in the US the system is broken beyond repair, by design. When you have only two choices and they are both bad, no one wins. But it's worse yet when the the ballot system, the "popular vote", can be lost and yet somehow the presidency won. It's especially broken however when a third-party body such as an Electoral College can vote any way that it wants to regardless of the ballot so that even IF everything before it were unfraudulent and clear, the results are not in the voters' hands.
From top to bottom the whole thing is just a bunch of parlor tricks to placate the masses. The only way to "win" this rigged game is to take back your power. "The only winning move is not to play."
-
Thursday 25th January 2018 16:15 GMT TomG
Re: a beautiful piece of legislation
The system, in the US of A is not broken, it works as it was designed to work. BTW, people must realize the President , and by extension, the Vice President are not elected by popular vote. They are elected by the Electoral College. Each state determines how the Electoral College representatives are determined. If you are in favor of the President and VP being elected by popular vote you must realize that Texas, California, Florida and New York voters will ALWAYS determine who is elected to these offices.
-
Monday 29th January 2018 09:04 GMT MachDiamond
Re: a beautiful piece of legislation
"But it's worse yet when the the ballot system, the "popular vote", can be lost and yet somehow the presidency won."
The reasoning for the Electoral college is very similar to why the US has two congressional houses. The House of Representatives gives each state a number of representatives based on population and the Senate allocates only two senators per state and is also give a bit more strength. If you look at the voter choices in the 2016 US Presidential election, it's easy to see that Ms. Clinton's votes were solidly coming from the largest cities and Mr Trump won every place else. Somebody even made a topographical map according to the numbers of votes for each candidate that showed very well that Ms. Clinton's supporters were heavily slanted to the largest cities. She did very poorly in the middle of the US with much lower population density. It is mathematically possible to win the Electoral vote by carrying only 9 states, but the odds are very low against that. Additionally, the states with the highest number of electoral votes are the most liberal. A strong liberal candidate should be able to win both the popular vote and enough electoral votes. The 2016 election demonstrated that when both candidates aren't of very high quality that it can go either way. I'm not elated that Mr Trump won, but I am happy that Hillary lost.
-