Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Government United States Hardware Politics

US Voting Machines Cracked In 90 Minutes At DEFCON (thehill.com) 171

An anonymous reader quotes The Hill: Hackers at at a competition in Las Vegas were able to successfully breach the software of U.S. voting machines in just 90 minutes on Friday, illuminating glaring security deficiencies in America's election infrastructure. Tech minds at the annual "DEF CON" in Las Vegas were given physical voting machines and remote access, with the instructions of gaining access to the software. According to a Register report, within minutes, hackers exposed glaring physical and software vulnerabilities across multiple U.S. voting machine companies' products. Some devices were found to have physical ports that could be used to attach devices containing malicious software. Others had insecure Wi-Fi connections, or were running outdated software with security vulnerabilities like Windows XP.
Though some of the machines were out of date, they were all from "major U.S. voting machine companies" like Diebold Nixorf, Sequoia Voting Systems, and WinVote -- and were purchased on eBay or at government auctions. One of the machines apparently still had voter registration data stored in plain text in an SQLite database from a 2008 election, according to event's official Twitter feed.

By Saturday night they were tweeting video of a WinVote machine playing Rick Astley's "Never Gonna Give You Up."
This discussion has been archived. No new comments can be posted.

US Voting Machines Cracked In 90 Minutes At DEFCON

Comments Filter:
  • by FrankHaynes ( 467244 ) on Saturday July 29, 2017 @08:54PM (#54906705)

    In Virginia these machines have been decertified. I imagine other states have acted as well.

    • by fustakrakich ( 1673220 ) on Saturday July 29, 2017 @09:29PM (#54906815) Journal

      Problem is that they replaced them with other machines instead of pen and paper.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        18 states are 100% paper ballots.

        Hard to hack the results in Michigan when its pen and paper.

        • by Anonymous Coward on Saturday July 29, 2017 @09:56PM (#54906889)

          Actually, during the brief recount effort in Michigan before it was shut down, roughly 60% of the ballot boxes opened did not contain the number of ballots they were supposed to. Some were off by pretty significant percentages; I know that one box that according to the ledger should have contained over 350 votes actually contained less than 50. We didn't get even close to opening all of them.

          It may not have been a "hack", but SOMETHING definitely happened....

          • The thing is you still have a real paper trail.

            I'm fine with MI's machines because you get a quick result but still have the actual vote to recount.

            Personally the state should buy some ultra high speed machines from 2 separate vendors and do an 'official' count at the state level. And run them until the 2 machines from 2 vendors agree.

            Fine any local level machine vendors based on how far they deviate from the state's official count. 1% off? Small fine. 10% off? Huge fine and get a new vendor.

            • by JaredOfEuropa ( 526365 ) on Sunday July 30, 2017 @05:31AM (#54907871) Journal

              still have the actual vote to recount.

              That's ridiculous. You get a quick readout from the machine, hopefully accurate enough to announce a preliminary vote count, but by now it should be abundantly clear that the paper ballots should be considered the actual result. Counting the paper ballots is not a "recount", it is the actual count. The only advantage this type of machine offers is the paper trail, but if you don't use it and do a full recount, then what use is that trail?

          • Actually, during the brief recount effort in Michigan before it was shut down, roughly 60% of the ballot boxes opened did not contain the number of ballots they were supposed to.

            According to someone from Michigan I met, that meant that the ballots in those boxes were, under Michigan law, not allowed to be recounted.

            I don't know if that's true, but I am more and more concerned over just how much of a mess the US election system is.

          • by Anonymous Coward

            Bitch lost the election she rigged.

            because everyone vastly underestimated just how hated that evil murdering bitch is...

          • by msauve ( 701917 )
            AC wrote: " I know that one box that according to the ledger should have contained over 350 votes actually contained less than 50. "

            Then it should be easy for you to provide an authoritative reference for that claim.

            'Cause, The Detroit Free Press [freep.com] didn't report anything like that - rather they reported fairly widespread, but minor discrepancies averaging 2 or 3 per precinct both over and under -

            In 158 precincts, the number of ballots tabulated by the optical-scanning voting machines was inexplicably less

          • It may not have been a "hack", but SOMETHING definitely happened....

            Something happened all right.

            The recount was stopped because it wasn't showing the desired result (cheating on behalf of Trump) but rather the opposite (cheating on behalf of Dems).

        • by DaHat ( 247651 )

          Are you sure they are all pen & paper? I live in a 100% mail in voting state and can tell you there exists a serious vulnerability in it's system which could allow a nefarious person to swing an election from a single PC... in their (or parents) basement.

          I'm thrilled to see the focus on the machines... but there is more to hacking an election than just them.

          • by arth1 ( 260657 )

            I live in a 100% mail in voting state

            I'm surprised that any election system that pretends to be democratic allows this at all. It opens for both vote buying and household abuse.
            A curtained election booth where you leave with a sealed envelope is the standard in most democratic countries for a very good reason. Even for absentee and early voting.

            • It seems to me that voting by mail could be made fairly safe if the voter has an opportunity to cancel their ballot after mailing by choosing to cast a replacement vote in person later (so they could perform the coerced vote, but still fix it later secretly -- the the vote buyer couldn't be sure that wouldn't happen). But I don't think that's currently an option anywhere, because there's no system for efficiently locating and removing the previously-mailed ballots.

              • by arth1 ( 260657 )

                It seems to me that voting by mail could be made fairly safe if the voter has an opportunity to cancel their ballot after mailing by choosing to cast a replacement vote in person later (so they could perform the coerced vote, but still fix it later secretly -- the the vote buyer couldn't be sure that wouldn't happen).

                It still wouldn't work for families where the master of the house decides if and where people can go.

                With mandatory voting booths, the worst such a person can do is prevent someone from voting, which while bad, has less than half the impact of controlling a vote.

                • Out of the 235,248,000 eligible voters in the US, I don't think crazy "master of the house" control freaks would really be able to influence the over-all POTUS election. It would be far more of an issue to somehow match all the vote-by-mail ballots up with the vote-by-person ballots to toss out the vote-by-person ones for people that had already voted by mail.
                  • ..and because the only election we have is for the potus, you make complete sense instead of no sense
            • Well, the sealed ballot from a booth AND having to prove your identity. Here in the US it's supposedly "racist" to ask for for proof of identification and it "targets the poor" to not mail ballots to everyone...
              • by dryeo ( 100693 )

                It really depends on how it's done. Here in Canada, we've required proof of who you are for a long time. Used to get a card in the mail that, together with a bill or such was good enough, there was also the option of swearing an affidavit if you didn't have ID or weren't registered.
                The previous Federal right wing government fucked that up, upping the ID required, stopping Elections Canada from encouraging people to vote, including stopping them from registering people in grocery stores and such and various

                • Down here in the US you can almost always get an official, Government issued ID for free, and there are places all over to do so (post offices, DMVs, etc). But we still don't require ID when it's time to vote. You can walk up, claim you are your neighbor - and vote. Then do it again and again and again, moving from voting location to voting location...
                  • by dryeo ( 100693 )

                    All it takes is some austerity to close most of those DMV's etc, declare the post office to be federal rather then state/provincial and more austerity to make those free ID's cost $75, as happened here.
                    Then make the ID requirements more onerous, eg the last government also upped the ID requirements to have your current address on it. Just like that, all the people without a numbered street address such as most native reservations being disenfranchised as well as all those pesky university students who are c

                    • Sure, you can always THINK of ways to make free ID impossible to get - but right now, it's not. And the claims by those opposed to voter ID (such as used in your own country, all of Europe, Asia, etc) is that requiring ID TODAY is racist and exclusionary. Not what might happen in the future, but today. I personally think it's because many on the left (those who claim there is no voter fraud despite thousands of convictions for just such activities) love to keep getting those 83 fake absentee ballots, and
                    • by dryeo ( 100693 )

                      The Provincial austerity measures I mentioned really happened here in BC (no idea about other Provinces). They happened independently of elections, at that the Provincial elections ID requirements are still quite reasonable and judging by the results of the last Provincial election, the government did the election fairly (ignoring taxpayers money spent on propaganda).
                      Even the Federal Conservatives attempt to disenfranchise the natives backfired, with lots of natives, a group that traditionally doesn't consi

                    • Voter suppression? Really? Gerrymandering is used by both sides to benefit incumbents. The most egregious case are Democrat districts [washingtonpost.com]. But as far as other voter suppression - I keep hearing claims about it, but never any evidence is ever put forward other than generic claims. Certainly nothing like armed men, associated with a militant left-wing group, standing right in front of a polling place [wikipedia.org].
                    • by dryeo ( 100693 )

                      By voter suppression, I mean where the government actively suppresses certain parts of the population from voting, whereas your example is also something that shouldn't be allowed. A few minutes on Google shows lots of evidence of various forms of voter suppression, from not having a reasonable number of polling stations, through last minute voter roll purges targeting certain groups, through fucked up laws removing the right to vote due to such stupid reasons as having a joint in your possession many years

            • Well honestly I'd say between abuses it's probably one of the lower ones. There is already a default abuse in place at most polling places, IE shitty availability of the polling locations, long lines etc...
      • Here in Northern Virginia, it has been pen & paper for a while. Haven't seen a voting machine in years.
    • by dbIII ( 701233 ) on Saturday July 29, 2017 @10:23PM (#54906951)
      Maybe, but it's kind of a big deal if they have ever been used live in an election and are found to be this substandard. It's worth looking at the process involved to purchase the things in the first place to see if there were any shortcuts or criminal activity (eg. kickbacks) in the process to avoid the same mistake happening again.
      Also a lot of smug bastards like me get to say "I told you so". Diebold especially were up to a few things that looked very suspicious, including having a convicted fraudster in charge of the project.
      • by MillionthMonkey ( 240664 ) on Saturday July 29, 2017 @10:45PM (#54907011)
        The agency that's supposed to be in charge of securing voting machines is the Election Assistance Commission, which operates on a $10 million annual budget. A House committee voted along party lines for HR 634, the Election Assistance Commission Termination Act, which will completely shut it down by 2018.

        The argument is that "this is a matter best left to the states". According to Rep. Tom Graves from Georgia, "People supporting the EAC are quite frankly proponents for a greater federal role in our elections. States themselves, they're responsible for all the elections. We do not have a federally run election system." Rep. Gregg Harper from Mississippi argued the program has "outlived its usefulness", and that closing it down would save money and cut down the size and scope of government, saying "It is time for the EAC to be officially ended. We don't need fluff".
        • by dryeo ( 100693 )

          Seems weird that the Federal elections aren't a Federal matter like here in Canada. Understandable by 19th century standards but times have changed.
          Also much simpler voting up here. We have a Federal election where I vote for one representative to Parliament and the Members of Parliament decide on the government (or failing that, we have another election). Likewise for the Provincial election, which happens separately and is run by the Province. Municipal elections are more complex, but also happen on a dif

    • Are the newer machines in Virginia better, or are they just newer crap?

      IF they're from the same vendors, they're just newer crap.
  • after dropped from the delivery truck
  • by buss_error ( 142273 ) on Saturday July 29, 2017 @09:23PM (#54906781) Homepage Journal

    By Saturday night they were tweeting video of a WinVote machine playing Rick Astley's "Never Gonna Give You Up."

    So, you're saying America got Rick Rolled on November 8th, 2016.

    Explains a lot.

  • Some devices were found to have physical ports that could be used to attach devices containing malicious software. Others had insecure Wi-Fi connections, or were running outdated software with security vulnerabilities like Windows XP.

    Does anyone like myself, see this as a reason to support our president?

    Folks, let's join our president's efforts in making "America Great Again!"

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Did you hear of the IT guy (paid millions) just arrested fleeing to Pakistan? Apparently he worked for Debbie Wasserman Schultz, the same DNC bitch that stole election from Bernie.. Why was some random guy making millions? Was he hacking the voter machines?

      DWS even threatened a DC Capitol police chief from investigating that: https://www.youtube.com/watch?v=lAAhMVoeCYg
      How that her henchman is finally arrested, guess who got his case? Assistant attorney that just happens to be DWS's brother! You can't make t

  • by elrous0 ( 869638 ) on Saturday July 29, 2017 @09:34PM (#54906835)

    Physical ballots are still the best way to do it. The added confidence and security is WELL worth it.

    • Electronic machine that prints the ballot out on paper (so you can verify). You deposit the paper into a bin (or the machine does it automatically).

      That way you have the speed and convenience of a machine (no hanging chads), combined with the verifiability of paper.
      • by arth1 ( 260657 )

        Electronic machine that prints the ballot out on paper (so you can verify).

        Bad idea. It opens for voting abuse in that others can demand to see the your vote.

        There's also the real-time problem in that those who run the problem gains a theoretical possibility to see votes as they happen, which not only can thwart anonymity, but can influence election results by focusing external efforts (like busing and harassment) where they'll have the most impact.

        A system where the votes are not counted until the election ends, and are anonymous from the moment cast seems a lot safer. Curtain

        • Bad idea. It opens for voting abuse in that others can demand to see the your vote.

          You don't get to take it out of the voting booth. You are right though, that anything attaching the vote to a person is problematic.

          • by arth1 ( 260657 )

            You don't get to take it out of the voting booth.

            Unless they frisk voters for cameras before entering the voting booth, that's a moot point.

            • That's true of any voting method. No way to prevent that.
              • by arth1 ( 260657 )

                That's true of any voting method. No way to prevent that.

                No, that is not so. The traditional voting booth, stocked with ballots and envelopes prevents that. Any photo taken inside the booth doesn't show what the person really votes. You can fill out multiple ballots in the voting booth, and even seal them in envelopes, but only one envelope is deposited in the monitored urn outside the booth. No one has the foggiest idea what went into the envelope going into the urn except the voter.

                • Once you see the printed out ballot in the electronic system, you can cancel or approve it. You could take a picture of it, then cancel it and re-vote.
                  • by arth1 ( 260657 )

                    Once you see the printed out ballot in the electronic system, you can cancel or approve it. You could take a picture of it, then cancel it and re-vote.

                    Ah. That makes it better. I was under the impression that it was an audit trail, i.e. a receipt of what was cast, and not a potential vote subject to change.

                    But in that case, it's not all that useful either, because you can't really know whether the vote is the same after you hit approve.

                    • Yeah, that's true. It's similar to the problem of false-bottom voting boxes used in history. How was that problem solved and is prevented?
                    • "that it was an audit trail, i.e. a receipt of what was cast" of course, because that actually makes sense. Much of the US voting system is based around the early agrarian system (like why the voting is done when it is) and has little real-world reasoning these days outside of "tradition".
                    • by arth1 ( 260657 )

                      Yeah, that's true. It's similar to the problem of false-bottom voting boxes used in history. How was that problem solved and is prevented?

                      I don't know how it is everywhere, but where I used to live, the voting urns arrived sealed, and the seal inspected by all parties before breaking it and opening the slot, allowing ballot envelopes. After closing, or when full and replaced, a new notarized seal would be placed on the urn, before being transported under observance to the official counting place, where both the seal and the urn itself would be inspected.

                      Unless the ones initially sealing the urn and the counters were colluding, it would pres

                    • Yeah, that's basically how, by having observers from all interested parties making sure no side is doing something illigitimate. Then building the system in a way that if something goes wrong, it will be noticable to one of the observers.
                    • Something like that, yeah
                    • Oh yeah? Who used a false bottom in the last election? (Or even in the last two decades)
      • by msauve ( 701917 )

        Electronic machine that prints the ballot out on paper (so you can verify). You deposit the paper into a bin (or the machine does it automatically). "Be particularly skeptical when presented with evidence confirming what you already believe."

        Your .sig is especially relevant.

    • Well then why don't you have your physical ballot company hire an army of lobbyists and start buying off state politicians, like Diebold et al. did to get them replaced in the first place. No better way to secure your god-given right to profit at the expense of the average person.
      Just ditch that whole 'confidence and security' spiel; nobody cares about that.
    • by aliquis ( 678370 )

      We have physical ballots.

      Physical ballots and information, media and speech controlled by the leaders instead.

      The illusion of a democracy may seem more real then than if you simply lit the ballot box on fire or replace the ballots or whatever... Be smart! Be like Europe!

    • by idji ( 984038 )
      Venezuala has a vote today using machines. Gangs came in and smashed the machines - now people cannot vote..
    • Paper ballots are secure only if you can trust the entire chain of custody of the aforementioned paper ballots, from end-to-end. If someone wants to destroy them, or alter them, or replace them entirely, then they're useless.

      What I want to know is, were the hacks at Defcon done in such a way that they left no traces of having been hacked? If yes then the November election could have been subverted in such a way and we'd never know.
  • by Dutchmaan ( 442553 ) on Saturday July 29, 2017 @09:45PM (#54906871) Homepage
    Where is the Putin/Trump cyber security task force when you need it!?!?!?!
    • I thought they were the ones that hacked the machines so that Trump could become President in the first place. Things were so much easier last millennium when all you had to worry about were some hanging chads in Florida.

    • by Anonymous Coward

      Funny thing is that conservatives have been saying there were issues for years now.. You little douchies didn't start until after Trump was elected. In fact most of you denied voting/voter fraud even happened.

      • You are incorrect sir. Being against black box voting has been a liberal issue for as long as I can remember, something conservatives seem to support if I recall, and there's a difference between voter fraud and election hacking. I would have though someone as enlightened as yourself could have figured that one out.

        Speaking of denying voting/voter fraud ever happened... how do you say that in Russian?

  • by Anonymous Coward

    If you've worked as a programmer, you know this already.
    When someone tells you they want it done by a deadline and they won't hire people who are good at security because they're expensive, instead scowling and saying "you programmers need to make it secure on top of everything else!" what do you think will happen?

  • by StevenMaurer ( 115071 ) on Sunday July 30, 2017 @12:57AM (#54907321) Homepage

    Voters receive their paper ballots about a month in advance. They can either fill it out and put it in the mail, or wait until the last minute and drop it off at any library or county clerk's office (think traffic court). All ballots must be in an envelope signed by the voter or it doesn't count. The county registrar has people trained to check signatures as they come in. If there is a mismatch, they contact the voter when there is time (sometimes older people, or those who have health issues, have shakier handwriting), and the voter can come down to straighten it out.

    The ballots are then put in bins, which are then tabulated (for cost efficiency) by high speed vote counting machines on election night. The machines are certified, tested with special ballot runs to make sure they're working correctly, and are not hooked up to the internet. And to the best of my understanding, don't even have any external interfaces.

    The paper ballots are never thrown away, in case there is a challenge. If the vote is very close, a recount is done automatically by hand. If not, the losing side can pay to have the recount done. All these processes are open to the public and are typically overseen by everyone from the most kook teabagger to the greenest of pretending-not-to-be-communist green.

    About eight years ago, on a special election night in Tillamook, there was a terrible winter storm. The main highway was quite literally flooded by 5 feet of water. Despite this, there was an over 80% turnout. Everyone had mailed in their ballots long before.

    Democrats love the system. Rural Republicans especially love the system. It's secure. Almost impossible to pull dirty tricks with. Basically impossible to hack. And best of all - cheap. Seriously. Because it reuses the US post system and libraries, there is no need to organize election stations, monitors, volunteers, reserve space for people to vote. It's nearly half the cost of all other systems.

    • Problems with this system:
      1) No secret ballot
      2) Signatures are easily faked

      • Not any worse than all the other approaches. Around here they do not even make one sign anything. You go to the polling place, tell them your name and address, they look it up in the list, and if it is on the list you get to vote...and just maybe they cross off the right name. Just be faster to the poll station than the folks across town that you can look up in the phone book.
        • ...Just be faster to the poll station than the folks across town that you can look up in the phone book.

          In small towns the poll worker knows everyone by sight, so that kind of fraud is not possible.

    • LOL, all electronic voting systems have central tabulators which are inherently insecure. There is no way to make electronic voting secure without a blockchain.

      https://www.youtube.com/watch?v=w3_0x6oaDmI

    • It sounds like the best system.... for party operatives to drive around and steal ballots out of selected mailboxes or neighborhoods.

      • My apologies i read your comment more carefully- stealing ballots would require the collusion of the registrar. How honest are these people?
        Considering the Democrats went on a campaign to capture secretary of state seats so they could put their thumb on the scales at that level, a few dirty registrars aren't out of the question.

    • That fine and dandy, but as I just said elsewhere: Unless you can trust the entire chain of custody of the aforementioned paper ballots, from end-to-end, it's useless. If someone wants to destroy, alter, or replace ballots, then it's useless.
    • Re: (Score:3, Insightful)

      Until you get that one house with 83 ballots - all with different names - mailed to it [ktla.com]. Or you get those Democratic elected officials "finding" more votes after the election [wikipedia.org] and you count them anyway, overturning a Gubernatorial election... And of course - no way to prove who actually cast the ballot because there is ZERO identification required (you know, like Canada [elections.ca], Germany, the Netherlands, the UK, and most of the rest of the world requires).
  • That is nobody that followed the developments for the last 10 years or so. Of course, the actual experts have been warning of this far longer, but who in politics listens to mere experts. Pathetic.

  • They were probably not in best shape
  • by Cederic ( 9623 ) on Sunday July 30, 2017 @03:37AM (#54907669) Journal

    Demand that any electronic voting machine survive two days taking votes on something important (e.g. M&Ms vs Skittles) at DefCon before it can be used in an election.

    It's free pen testing, what's not to like?

  • Physical Voting Machines means they had physical access.

    Yeah. Those weird old League of Womens Voters people who volunteer to hang out at the polling places are gonna look at trenchcoat dude and not be suspicious. Right.

  • by Archtech ( 159117 ) on Sunday July 30, 2017 @04:24AM (#54907767)

    The root problem with voting systems is that, fundamentally, they can only be as reliable as the people who operate them. If those people really honestly want to conduct fair, unbiased, honest elections then, on the whole, that is what will ensue. There may be glitches and little pockets of unfairness, but if the people who vote AND the people who run the system all want an honest result, they will get one.

    The trouble arises when a critical fraction of those involved in running an election do not want an honest outcome. Frankly, there are so many ways of cheating that it would be tedious to list them. Just imagine what a highly-trained, experienced security specialist would make of any democratic voting system. They are so full of holes that there are more holes than solid material.

    Sure, voting machines can be hacked. But if you run a system without any machine more complicated than a pencil, there are still ample opportunities for massive cheating. Anyone familiar with the history of elections could write down dozens of examples. As one of the most often-quoted remarks on the subject tells us, it's not who votes that counts - it's who counts the votes. (And who look after the actual ballots in the long watches of the night, and who has control of the totals once they have been written down).

    The situation is just the same as with the US Constitution. Admirable in principle, well-intentioned, and carefully designed to preserve freedoms. But... no piece of paper, in and of itself, can stop people doing bad things. That's obvious. So the missing piece of the puzzle must be that the people who rule choose to act in accordance with the piece of paper. For years now, they haven't.

    In a country where the Supreme Court can solemnly declare that bribery is free speech, and that corporations are people, no statement or declaration of principle is safe. Powerful people can simply "interpret" it to mean something entirely different.

    • Just because paper ballots aren't immune to tampering doesn't mean they're anywhere near as bad as electronic voting machines.

      It is much harder to rig paper ballots *on a massive widespread scale* compared to electronic voting. Period.

      it's not who votes that counts - it's who counts the votes

      Yes, that's the whole point. With paper ballots, the count can physically be observed IN PUBLIC by as many parties as are interested.

      A number of years ago, Germany's highest court found [truth-out.org] that:

      • There is a “constituti
  • Why are voting machine even allowed to be sold on Ebay? Can I buy a used money making machine too?
  • Just think how much money states spent on these machines that were built by companies that are far too close to the Republican party. Send all these electronic machines back to the vendors for a full refund and user paper ballots and a pen. Keep it simple, verifiable, and quite secure. Sure, it will take longer to count the votes, but I rather wait a day and get results anyone can trust than get results in an hour and question for years if they were accurate.
  • But these machines were used prior to the 2016 election, they were bought on eBay. They were used for the previous elections, so...
  • Seriously, why should these voting machines be accessable remotely? Private network, machines talk locally, no WiFi, and all ethernet ports should be locked down. The information can then be uploaded via a manual process, data pull every 30 minutes or something, and then uploaded, again via a closed and secured connection. Local network not being connected to the Internet means any hacking would have to be done locally, local numbers can be verified as well as what was uploaded at each interval. T

No spitting on the Bus! Thank you, The Mgt.

Working...