
SoylentNews is people

posted by mrpg on Wednesday July 18 2018, @12:31PM
from the idiocracy++ dept.

Submitted via IRC for Sulla

The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them.

In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software ... to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them.

The statement contradicts what the company told me and fact checkers for a story I wrote for the[sic] New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. "None of the employees, ... including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software," the spokesperson said.

[...] Election-management systems are not the voting terminals that voters use to cast their ballots, but are just as critical: they sit in county election offices and contain software that in some counties is used to program all the voting machines used in the county; the systems also tabulate final results aggregated from voting machines.

Software like pcAnywhere is used by system administrators to access and control systems from a remote location to conduct maintenance or upgrade or alter software. But election-management systems and voting machines are supposed to be air-gapped for security reasons—that is, disconnected from the internet and from any other systems that are connected to the internet. ES&S customers who had pcAnywhere installed also had modems on their election-management systems so ES&S technicians could dial into the systems and use the software to troubleshoot, thereby creating a potential port of entry for hackers as well.

[...] In 2006, the same period when ES&S says it was still installing pcAnywhere on election systems, hackers stole the source code for the pcAnywhere software, though the public didn’t learn of this until years later in 2012 when a hacker posted some of the source code online, forcing Symantec, the distributor of pcAnywhere, to admit that it had been stolen years earlier. Source code is invaluable to hackers because it allows them to examine the code to find security flaws they can exploit. When Symantec admitted to the theft in 2012, it took the unprecedented step of warning users to disable or uninstall the software until it could make sure that any security flaws in the software had been patched.

Around this same time, security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password. And other researchers with the security firm Rapid7 scanned the internet for any computers that were online and had pcAnywhere installed on them and found nearly 150,000 were configured in a way that would allow direct access to them.

Source: Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

[20180718_130441 UTC; Updated to add: description of election management systems, stolen source code, and report of a critical vulnerability.]


  • (Score: 2) by Runaway1956 on Wednesday July 18 2018, @03:01PM (4 children)

    by Runaway1956 (2926) Subscriber Badge on Wednesday July 18 2018, @03:01PM (#708797) Journal

    Would it be essential that malicious software is installed DURING the election? Give me, or any other evil sumbitch, some time to think about that. The election is six months away, but I have access to the networked machines NOW!! All I need is the right time bomb . . .

  • (Score: 0) by Anonymous Coward on Wednesday July 18 2018, @06:26PM (3 children)

    by Anonymous Coward on Wednesday July 18 2018, @06:26PM (#708923)

    These machines have a CF card that stores per-machine data and probably has a detailed log of user activity. We election staff have an IR dongle that we sign onto the machines with when we bring a voter to a (random) machine. I guess it can store timestamps during the day, but it is not in the machine while the voter is voting. At end of day, each machine uploads its count to the dongle, and the last machine will print out the aggregate count on paper. At our desk, we keep a manual list of how many people we have sent to the machines, along with a record of who all came to vote.
    A paper copy is displayed at the polling place for public inspection; the dongles go to a regional center where they are compiled into the generally released results. The CF cards are stored separately and are probably only accessed in case of a complaint about the machines' operation.
    Most election staff have been there for years, and we know our community. Additionally, at important elections we have party monitors inspect our records and poll voters. If anything is out of the ordinary or doesn't match counts, that raises flags. Electronic voting isn't great, but the insinuation that Russia had its fingers on the screens during the election, without any human noticing, is just not rational, and is pure politicking to discredit President Trump.

    • (Score: 4, Insightful) by HiThere on Wednesday July 18 2018, @06:31PM

      by HiThere (866) Subscriber Badge on Wednesday July 18 2018, @06:31PM (#708926) Journal

      And nobody has ever heard of any malware that tampers with the logs.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 2, Interesting) by Anonymous Coward on Wednesday July 18 2018, @08:24PM

      by Anonymous Coward on Wednesday July 18 2018, @08:24PM (#708975)

      Sounds like you really don't understand hacking and your main defense is "we do exit polls and compare to the actual vote tallies". If the machines are hacked then the CF cards are vulnerable and you can't trust any of the data on it or the machines. How many 3rd party votes got switched to a D or R candidate, how many D votes were switched to a relatively close 3rd party option? How many R votes were switched from relatively close 3rd party to Trump?

      This has been an ongoing worry for over a decade now and isn't some new thing with Trump. However, Trump lost the popular vote and won a key swing state by a razor thin margin so along with the accusations of tampering and collusion it seems more and more likely. Bury your head in the sand if you'd like, but don't expect anyone else to share your naive worldview when the evidence of rampant corruption and dirty dealing in US politics is so staggering.

      Thanks for your work in trying to ensure fair elections, but many people no longer trust the system especially with the voting machines that have been repeatedly demonstrated to be insecure.

    • (Score: 2) by ElizabethGreene on Thursday July 19 2018, @12:48AM

      by ElizabethGreene (6748) Subscriber Badge on Thursday July 19 2018, @12:48AM (#709110) Journal

      The e-ballots that will be loaded onto the individual machines are created from the controller. The risk is that when the controller distributes the e-ballots to the machines (via cartridge or compact flash card), it will contain malware that permits an attacker to predetermine election results.

      This is not a hypothetical risk. It has been demonstrated for at least one type of e-voting machine.

      I'll go ahead and attach my own [citation needed] to that. I know I've seen it demonstrated to a set of county election officials, but I can't find the specific disclosure ATM.