Senators Demand Voting Machine Vendor Explain Why It Dismisses Researchers Prodding Its Devices (bleepingcomputer.com) 62
Four US senators, members of the US Senate Select Committee on Intelligence, sent a letter on Wednesday to Election Systems and Software (ES&S), the largest voting machine vendor in the US, asking for clarifications on why the vendor is trying to discourage independent security reviews of its products. From a report: The four senators who signed the letter are Kamala D. Harris (D-CA), Mark Warner (D-VA), Susan Collins (R-ME), and James Lankford (R-OK). The senators sent the letter to ES&S following the conclusion of the Voting Village at the DEF CON 26 security conference held in Las Vegas at the start of the month, where security researchers found several security vulnerabilities in the company's products. "We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing," the letter reads. "Many of the world's leading electronics and software companies have opened their arms to the research community, maintaining active presences at the largest security research conferences and inviting 'white hat' hackers to probe their products to identify how they can improve product security," the letter continued. At DEF CON, security researchers found vulnerabilities in the voting machines of other vendors. Only ES&S is mentioned in the senators' letter because of the company's dismissive approach to external security research.
food for thought (Score:5, Interesting)
Fruit machines in casinos have to be state certified as honest with their code vetted regularly. Voting machines are largely unregulated.
Re: (Score:3)
What are you basing this statement on? The same testing authorities that certify gambling machines also certify voting machines.
Re: Re:food for thought (Score:2)
What are you basing this statement on? The same testing authorities that certify gambling machines also certify voting machines.
And what are you basing *that* statement on?
Re: Re:food for thought (Score:4, Insightful)
Re: (Score:1)
Re: Re:food for thought (Score:2)
Re: (Score:1)
Re: Re:food for thought (Score:2)
Re: (Score:1)
Quotemine fail
Re: (Score:3, Funny)
And they're both equally fair.
Re: (Score:2)
Actually, payout rates are heavily regulated. The loosest machines actually are gambling machines. The tightest machines generally are arcade machines.
Arcade machines? Yes, those "claw" machines, or "key master" machines or other machines "of skill" actually are gaming machines with payout rates. They will never let you win a prize if they aren't ready
Re: (Score:1)
And even that's pointless (ie certification).
Slot machines in casinos have cameras on them, security personelle, and the ability to see if the machine is 'paying out' too much. Why? They know what the odds SHOULD be, therefore, know if the machine is "off".
Contrast that with voting, which even the best pollsters, and political scientists are often wrong about. There's no camera above you watching you vote, and no security guard hovering over you as you do so either.
My point in all of this? NO computer i
Re:I just wrote them... (Score:4, Informative)
"We hold ourselves to a higher standard, knowing that our products and services help maintain democracy in the jurisdictions we service."
Yeah, right. This is Diebold of former infamy, first changing their name to Premier Election Solutions, and then again merging with Election Systems & Software (ESS).
Same shit, different wrapper. Why would any state give them a third chance after the first screw-ups? The canapés must be very tall and the drinks very big.
Isn't it Ironic? (Score:5, Interesting)
How back in the early 2000s here on Slashdot we all were complaining how these electronic voting machines were the work of the devil in how easy they were to hack?
Fast forward to 2018, they're now viewed as Russian hacking devices.
Seems like we're on a collision course to return to the old style paper ballots.
Shame no one listens to us. It seems most tech crises would be avoided! Thankfully we get to bill $300/hr when Mr. Executive's screw up comes to roost!
Re: Isn't it Ironic? (Score:1)
Voting machines can be made to work, but that requires a lot of money, very careful regulation, extremely high (Orange Book A1+ is your starting point) standards, extremely thorough security and sufficient will to live. It also requires you to forget almost everything you think an electronic voting machine would do, AKA everything Diebold said.
No private enterprise will attempt such a thing, the return for them is too low and they don't have the mad skills needed anyway.
Government can't do it, GOTS software
Re: Isn't it Ironic? (Score:4, Insightful)
What about the other piece of electronic voting, namely that the average (and less then average) person can understand the security?
It's just as important that everyone trusts the voting as it being secure and it's hard to imagine a trustworthy electronic voting machine that most people understand.
When I vote with paper and pencil and watch the whole procedure, it is very understandable.
Re: (Score:1)
The design I would prefer would provide that in three layers.
1. There should be a formal set of openly published theorems (similar to those used by SEL4) that show that all the key functions meet a specification a logician could understand. The average MITS won't understand these theorems, but they know other people, people not in the company, can and that those other people include celebrity geniuses like BiaSciLab. People they can trust to bluntly tell them if there's a problem.
2. There should be complete
Re: (Score:2, Insightful)
OK, number 3 helps a lot, throw in some random recounts as well as any statutory (eg when things are close) recounts of the physical copy and the fact that I have a hard time with numbers 1&2 would go a long way.
Has anyone checked the Money Trail? (Score:2)
I think perhaps these companies need to be thoroughly investigated. In the meantime DUMP THEM and go back to tried-and-true methods.
Re: Has anyone checked the Money Trail? (Score:2, Insightful)
There are tried methods, but few of them true. In paper elections, it was common for officials to discover ballot boxes or misplaced ballot papers after the election. Party workers were also routinely accused of falsely claiming authority to collect absentee ballots and destroying ones for rival parties.
Voting stations were also suspect, with election officials accused of tampering.
In other words, an awful lot of institutionalised vote fraud by the parties.
It got so bad, countries were planning on sending i
I am an election officer and I am dismissive (Score:4, Insightful)
Unless you've spent time running an election, it's hard to appreciate just how distributed the process is. Virginia, where I am an officer, has 2,400+ separate voting precincts.
None of our voting equipment is networked, not even locally within the precinct. None of the equipment even have the hardware necessary to be networked.
Nearly 4 million people voted in the last Presidential race. The recount margin is 1%, so the winner and the loser must be within 1% of each other for a recount to be called.
Thus for a hack to be effective and not be scrutinized by a recount, you'd have to win 1% of 4 million, or 40,000 votes.
How likely is it that you will be able to hack your way into enough precincts, defeat the chain of custody, get your hands on the machines to do your dirty work -- UNDETECTED -- for EACH and every election (each election has a different ballot, and the order is chosen randomly), and change 40,000 votes? Otherwise, what would be the point of the attack?
Local elections are secure, disconnected facilities. Anytime I see some hacker "fair" where they've got the covers off and people are probing the equipment, I just laugh. As if. We run a tight ship, and in 238 years of doing this job, we've learned a thing or two about how people try to cheat.
It's not VOTING you have to worry about, it's REGISTRATION. Registration has many times more attack vectors.
Re:I am an election officer and I am dismissive (Score:5, Insightful)
If you are truly an election officer then first let me commend you for coming to slashdot and taking the time to share your perspective. May I suggest you spend a little more time reading what many of us here have to say. You may be an expert in the election process but we are experts in hardware and software.
We are not skeptical of the security of voting machines because we wear tin foil hats; it's because we've seen what can and has happened. You're far too confident that those systems can't be hacked undetected. I suggest you get on youtube and look up videos of people placing skimmers on credit card terminals and explain to me why that can't happen to a voting machine?
Re: (Score:2, Insightful)
I think you're overlooking his broader point, which is that the distributed architecture of the system (both machines and people) makes it extremely difficult to even plot a coordinated attack much less carry one out.
The question therefore isn't so much whether one individual machine can be hacked -- it's how many would have to be hacked to make a material difference in the outcome, and how many layers of human security would have to be defeated over how wide of an area to get physical access to hack them.
F
Re: (Score:1)
Neither of you are thinking critically. If they know how to corrupt one or a series of vendors, doing so IS TRIVIAL for a funded conspiracy to pull off locally. They don't need to win "all votes" 1%-5% boost is HUGE. Think harder.
Re: (Score:2, Interesting)
Why wait the day of the vote when the machines are distributed everywhere? Why not do it two weeks prior when they are in some warehouse, or from an usb key when somebody plugs in to update, diagnostic or whatever?
It happened to the Iranians with their uranium centrifuges, it could happen to the Ohioans with their machines...
Re: (Score:2)
I think the tinfoil hat version of election tampering centers on the part that is centralized. At some point all those distributed components of the voting system log on electronically to a central system to tabulate the statewide vote. And the real life event that convinced at least some that hacking this central tabulation was Karl Rove's on-air meltdown in 2008 over Ohio calling the state for Obama. It sure looked like he 'knew' that that was not supposed to happen, and to the conspiracy minded, that
Re: (Score:2)
At some point all those distributed components of the voting system log on electronically to a central system to tabulate the statewide vote.
Really? Where are you getting your information? How do you know the precincts don't, for example, report by telephone? And regardless of how the data is aggregated, today you and I can drill down and see the vote tallies on a precinct-by-precinct basis. Do do you really think the precincts themselves aren't watching those numbers like hawks against the ones they reported?
And the real life event that convinced at least some that hacking this central tabulation was Karl Rove's on-air meltdown in 2008 over Ohio calling the state for Obama. It sure looked like he 'knew' that that was not supposed to happen, and to the conspiracy minded, that sure looked like he thought the fix was in somewhere along the chain of custody.
So the evidence for hacking is that hacking didn't happen but somebody acted in a way people say we should interpret as him thinking t
Re: (Score:2)
I said it was a tinfoil hat conspiracy, didn't I?
Re: (Score:3)
Means nothing. This is like a security guard at the bank saying they run a tight ship and will never be robbed. Then that whole bank bailout mess happens... or the bank gets caught laundering or they are caught doing fake loans and false fees etc...
Just because your looking in 1 place for 1 kind of threat doesn't mean that is all there is or that it is safe. An organized attack would be a different game... and do you watch... can you verify the machines were completely untouched since last use? Who does
Re: (Score:2)
Re: I am an election officer and I am dismissive (Score:3)
Unnetworked is part of the problem. It means voting machines tally and store, the source of most of the defects.
Second, that's not a high number. Machines that tally just store a number. It's long past the point where ID is checked. All you need is to preload 40,000 votes in a test (corrupt official) - and that has happened in the past - or you have ten people load in 4,000 votes at the time in precincts with low turnout, OR you hack the election database where the tallies are stored.
Any of those will work
Why do you even need to use a machine anyways? (Score:3)
The Dems keep wining popular votes (Score:2)
Well Senator (Score:2)
I would be happy to answer that right after you explain why you and your colleagues have been ignoring everyone and their fucking brother telling you your electronic voting machines are susceptible to manipulation for the past GD decade or more.
NOW it's a big deal ? :facepalm:
Even a broken clock is right every once in a while (Score:1)
Kamala D. Harris is a horrible legislator and I'm embarrassed to have her a senator from California. But, like a broken clock, she is right every once in a while. Unfortunately, the clock is right probably 729 times more per year than her.