Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Wednesday July 18 2018, @12:31PM   Printer-friendly
from the idiocracy++ dept.

Submitted via IRC for Sulla

The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them.

In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software ... to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them.

The statement contradicts what the company told me and fact checkers for a story I wrote for the[sic] New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. "None of the employees, ... including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software," the spokesperson said.

[...] Election-management systems are not the voting terminals that voters use to cast their ballots, but are just as critical: they sit in county election offices and contain software that in some counties is used to program all the voting machines used in the county; the systems also tabulate final results aggregated from voting machines.

Software like pcAnywhere is used by system administrators to access and control systems from a remote location to conduct maintenance or upgrade or alter software. But election-management systems and voting machines are supposed to be air-gapped for security reasons—that is, disconnected from the internet and from any other systems that are connected to the internet. ES&S customers who had pcAnywhere installed also had modems on their election-management systems so ES&S technicians could dial into the systems and use the software to troubleshoot, thereby creating a potential port of entry for hackers as well.

[...] In 2006, the same period when ES&S says it was still installing pcAnywhere on election systems, hackers stole the source code for the pcAnyhere software, though the public didn’t learn of this until years later in 2012 when a hacker posted some of the source code online, forcing Symantec, the distributor of pcAnywhere, to admit that it had been stolen years earlier. Source code is invaluable to hackers because it allows them to examine the code to find security flaws they can exploit. When Symantec admitted to the theft in 2012, it took the unprecedented step of warning users to disable or uninstall the software until it could make sure that any security flaws in the software had been patched.

Around this same time, security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password. And other researchers with the security firm Rapid7 scanned the internet for any computers that were online and had pcAnywhere installed on them and found nearly 150,000 were configured in a way that would allow direct access to them.

Source: Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

[20180718_130441 UTC; Updated to add: description of election management systems, stolen source code, and report of a critical vulnerability.]


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Informative) by ElizabethGreene on Wednesday July 18 2018, @03:12PM (7 children)

    by ElizabethGreene (6748) Subscriber Badge on Wednesday July 18 2018, @03:12PM (#708809) Journal

    They are not networked during an election, but in this instance PcAnywhere was configured for a modem connection and they used the remote access functionality durig the vote tallies in Michigan.

    Note the RA kit is on the controller, not the individual voting machine. It's in the machine you'd need to compromise if you were going to put malware on the cartridge that gets put into every voting machine to set up the vote.

    That's not very clear. I'll try again.

    Election machines are in a disconnected hub and spoke topology. The election is configured per-precinct on the controller (where the RA software is). This programs a card or more often a cartridge that gets put into each voting machine. People vote on the machines and the results are carried back to be loaded into the controller. Then the controller's tallies are spot checked against specific voting machines.

    If you compromise the controller and put malware on the programming cartridge you can own the whole thing.

    That's a problem.

    Starting Score:    1  point
    Moderation   +3  
       Interesting=1, Informative=2, Total=3
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 2) by canopic jug on Wednesday July 18 2018, @03:43PM (6 children)

    by canopic jug (3949) Subscriber Badge on Wednesday July 18 2018, @03:43PM (#708828) Journal

    So in other words the numbers presented in Michigan were fraudulent.

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 0, Redundant) by Sulla on Wednesday July 18 2018, @05:09PM (1 child)

      by Sulla (5173) on Wednesday July 18 2018, @05:09PM (#708882) Journal

      So where the ones in Louisiana showing Bernie losing heavily to Hillary by the electronic voting but beating her in the paper ballots, he should have lost on paper (boomer democrats still lean conservative) vs millennial (left of boomers).

      --
      Ceterum censeo Sinae esse delendam
      • (Score: 0) by Anonymous Coward on Wednesday July 18 2018, @06:33PM

        by Anonymous Coward on Wednesday July 18 2018, @06:33PM (#708930)

        I have no faith the Democrats are really much better than the Republicans and would be unsurprised if they cheated as well. They had to pull some really shady shit to get Bernie ousted in the primaries.

    • (Score: 2) by HiThere on Wednesday July 18 2018, @06:32PM

      by HiThere (866) Subscriber Badge on Wednesday July 18 2018, @06:32PM (#708929) Journal

      You don't know that. The numbers could well have been fraudulent, and that's as far as the evidence so far presented will let you take things.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 2) by ElizabethGreene on Thursday July 19 2018, @12:39AM (1 child)

      by ElizabethGreene (6748) Subscriber Badge on Thursday July 19 2018, @12:39AM (#709105) Journal

      So in other words the numbers presented in Michigan were fraudulent.

      You can't logically say that. That is a positive assessment of facts not in evidence. You can say that a known security vulnerability existed in the election controller machine at the time of the count. You can also say that this attack verctor would have allowed an intelligent attacker to compromise the vote if it existed prior to the individual voting machines being programmed. You can't say if an attacker exploited that vulnerability to tamper with the voting machines without additional evidence.

      You can reasonably assume that additional evidence, positive or negative, is unlikely to still exist.

      If you don't hack the voting machine before the votes are collected then manipulation at the data at the controller will be caught. Each voting location prints off a slip that can be double-checked against the rolls for the precinct. If you want to change the vote you have to do it early enough in the process that the paper printoff matches the precinct results from the controller.

      Full Disclosure: This is my experience with E-voting in Tennessee. It is a mistake for me to speak with authority about Michigan's system, and I should not do that. My apologies.

      • (Score: 2) by canopic jug on Thursday July 19 2018, @08:34AM

        by canopic jug (3949) Subscriber Badge on Thursday July 19 2018, @08:34AM (#709277) Journal

        If you bother to read the preliminary reports from the aborted vote audit in Michigan from the 2016 election, you would not try to say that, even as a Microsoft shill. You guys hold a major part of the responsibility for what happened around the US through your passing off utter garbarge in place of computer technology and worse, pushing said garbage in place of the only secure method available to-date: paper ballots.

        But it doesn't end there. It turns out that Michigan was one of the states that could not even manage their paper ballots in a responsible manner [usatoday.com]. In some precincts, close to a thousand of them just near Detroit, the ballot count mistmatches were quite large.

        tldr; lacking supporting evidence of their validity, the numbers reported in Michigan were fraudulent

        --
        Money is not free speech. Elections should not be auctions.
    • (Score: 0) by Anonymous Coward on Thursday July 19 2018, @01:05PM

      by Anonymous Coward on Thursday July 19 2018, @01:05PM (#709353)

      No kidding. The Detroit Free Press [freep.com] explains how things are supposed to go:

      A paper ballot is given to each voter. Voters feed their completed ballot into an opti-scan machine when they're finished. At the end of the night, workers count the number of ballots handed out during the day and compare that number to the number on the machines. If the numbers don't match, the operation is shut down until the discrepancy is resolved.

      Greg Palast [gregpalast.com] tells how it actually went:

      Susan, a systems analyst who took part in the hand recount initiated by Jill Stein, told me, "I saw a lot of red ink. I saw a lot of checkmarks. We saw a lot of ballots that weren't originally counted, because those don't scan into the machine." [...] An astonishing 87 machines broke down in Detroit, responsible for counting tens of thousands of ballots. Many more were simply faulty and uncalibrated. [...] I met with [a voter] who, on Election Day, joined a crowd waiting over two hours for the busted machine to be fixed. [...] Detroit is bankrupt, so every expenditure must be approved by [state officials... The city clerk said] "No money was appropriated by the state."