
SoylentNews is people

posted by martyb on Thursday April 16 2015, @04:22PM
from the Bzzzt!-Bzzzt! dept.

The Virginia election commission, which is responsible for certifying whether machines are fit to be used in elections, has decertified the Advanced Voting Solutions WINVote, and for many very good reasons. Among the many security flaws in this product are:

  • Weak administrator passwords such as "admin" or "abcde"
  • Use of an embedded version of Windows XP which hasn't been updated since 2004
  • Use of WEP for Wi-Fi encryption
  • An absence of any firewall

Worse still, this machine has been used in actual elections and its lack of any logging or record-keeping means that we'll never know if its weaknesses were used to manipulate the outcome of an election. As a proof of concept, security researchers successfully demonstrated accessing the machine and manipulating the recorded vote counts.

 
  • (Score: 5, Interesting) by Mr Big in the Pants on Thursday April 16 2015, @07:41PM

    by Mr Big in the Pants (4956) on Thursday April 16 2015, @07:41PM (#171704)

    To be quite frank it would appear that this machine was willfully insecure.

    I mean it has so many easily available back doors it is like....ok not going to go there.

    I mean does anyone actually believe that such a machine was created that way by accident?

    No logs or records!? WinXP!?

    Seriously?

    So in other words, not shocking at all since it was made at the behest of obviously corrupt officials.

  • (Score: 3, Interesting) by Hairyfeet on Thursday April 16 2015, @10:41PM

    by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Thursday April 16 2015, @10:41PM (#171765) Journal

    I believe the saying is "Never ascribe to malice that which is adequately explained by incompetence." Patches cost money, updating your embedded OS costs money, and as long as you can get away with doing neither you increase your profits. Hell, we have seen the same thing in pretty much every use of an embedded OS. How many times have we seen big name routers get pwned because they were using some ancient Linux kernel or Busybox tools that had been exploited years ago?

    The moral of the story is if a company can get away with doing as little as possible? They will as it increases profits.

    --
    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
    • (Score: 2) by Mr Big in the Pants on Thursday April 16 2015, @11:17PM

      by Mr Big in the Pants (4956) on Thursday April 16 2015, @11:17PM (#171775)

      That is a rule of thumb not a fundamental law of the universe...

    • (Score: 3, Funny) by stormwyrm on Friday April 17 2015, @04:37AM

      by stormwyrm (717) on Friday April 17 2015, @04:37AM (#171881) Journal

      No, the saying that is most apropos to this situation is: "Any sufficiently advanced incompetence is indistinguishable from malice."

      --
      Numquam ponenda est pluralitas sine necessitate.