In the run-up to the USA's upcoming national election event:
The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks, prompting the bureau to warn election officials across the country to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials.
[...] [three days later] the FBI Cyber Division issued a potentially more disturbing warning, entitled "Targeting Activity Against State Board of Election Systems." The alert, labeled as restricted for "NEED TO KNOW recipients," disclosed that the bureau was investigating cyberintrusions against two state election websites this summer, including one that resulted in the "exfiltration," or theft, of voter registration data. "It was an eye opener," one senior law enforcement official said of the bureau's discovery of the intrusions. "We believe it's kind of serious, and we're investigating."
[...] six states and parts of four others (including large swaths of Pennsylvania, a crucial swing state in this year's race) are more vulnerable because they rely on paperless touchscreen voting, known as DREs or Direct-Recording Electronic voting machines, for which there are no paper ballot backups.
[...] the FBI warning seems likely to ramp up pressure on the Department of Homeland Security to formally designate state election systems as part of the nation's "critical infrastructure" requiring federal protection — a key step, advocates say, in forestalling the possibility of foreign government meddling in the election.
The reason designating election systems "critical infrastructure" requiring federal protection is important is that designation means the Feds devote resources to protecting it and threaten a heightened response to entities messing with "critical infrastructure."
[Continues...]
Related / more info:
- Cyber Storm V: Testing the Nation's Ability to Respond to Significant Cyber Incidents
- White House releases a cyber deterrence policy outlining how the United States will respond to cyber attacks from malicious actors.
- Text of the Cyber Deterrence Policy (PDF)
Have you considered the impact on the US if the election for president is disrupted, with the winner unknown because the results are dependent upon the votes in one or more of the states with electronic-only voting systems? Some people might find it beneficial if the US election is disrupted or contested.
Related Stories
The project Protect Democracy is suing the state of South Carolina because its insecure, unreliable voting systems are effectively denying people the right to vote. The project has filed a 45-page lawsuit pointing out the inherent lack of security and inauditability of these systems and concludes that "by failing to provide S.C. voters with a system that can record their votes reliably," South Carolinians have been deprived of their constitutional right to vote. Late last year, Def Con 25's Voting Village reported on the ongoing, egregious, and fraudulent state of electronic voting in the US, a situation which has been getting steadily worse since at least 2000. The elephant in the room is that these machines are built from the ground up on Microsoft products, which is protected with a cult-like vigor standing in the way of rolling back to the only known secure method, hand counted paper ballots.
Bruce Schneier is an advisor to Protect Democracy
Earlier on SN:
Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States (2018)
Want to Hack a Voting Machine? Hack the Voting Machine Vendor First (2018)
Georgia Election Server Wiped after Lawsuit Filed (2017)
It Took DEF CON Hackers Minutes to Pwn These US Voting Machines (2017)
Russian Hackers [sic] Penetrated US Electoral Systems and Tried to Delete Voter Registration Data (2017)
5 Ways to Improve Voting Security in the U.S. (2016)
FBI Says Foreign Hackers Penetrated State Election Systems (2016)
and so on ...
(Score: 5, Insightful) by Anonymous Coward on Monday August 29 2016, @09:32PM
How about instead of foolishly trying to enhance the security of computer systems that mostly run non-free proprietary user-subjugating software, we switch to a voting method that we know can't be easily rigged on a massive scale: Paper ballots. We should not be using computers for something as important as voting, even if we assume it saves a bit of money.
(Score: 0) by Anonymous Coward on Monday August 29 2016, @10:13PM
The "hanging chad" drama of the 2000 elections caused many counties to switch to electronic voting. However, hanging chads may be the least of two evils. Only a small fraction of cast votes will be subject to chad issues, but cyber-attacks could affect vastly more.
(Score: 5, Interesting) by bob_super on Monday August 29 2016, @10:33PM
If what's being hacked is the voter registration data, the question is not so much the corruption of the votes themselves, as the ability to enact massive vote suppression against the people least equipped to fight to get their name back on the list on time.
Obviously, adding records is also possible, but the logistics of acting on the fake registrations are a lot more cumbersome (and exposed to a leak).
(Score: 3, Funny) by Anonymous Coward on Tuesday August 30 2016, @12:48AM
I hear Bobby Drop Tables is now registered to vote in both states.
(Score: 4, Interesting) by JNCF on Monday August 29 2016, @10:58PM
SoylentNews user devlux [soylentnews.org] has an interesting solution to the problem of electronic voting, here's his Votabit whitepaper. [jumpshare.com] The paper is 21 pages long. Additional discussion of it can be found on the NXT forums [nxtforum.org] (NXT is a Bitcoin alternative), where he uses the same username. Basically, he wants an anonymised record of voting to be stored on a blockchain. He assumes the existance of a centralised organization that verifies eligible voter identities, whether that be a government or NGO. Accepting the centralised organization's identity verification process as valid, anybody can verify how the results turned out by reviewing the public record on the blockchain (and there's no reason you couldn't have multiple organizations verifying identities, though I don't remember if devlux makes that point in the Votabit paper).
While I'm not really interested in the problem of large-scale democracy, I don't think that electronic voting is inherently a horrible idea. A blockchain might be much harder to tamper with than a box of paper ballots.
(Score: 2, Insightful) by Anonymous Coward on Monday August 29 2016, @11:43PM
While there might be some solutions that could help alleviate the issues with electronic voting, I have no confidence that they'd be implemented correctly or that the systems would use 100% free software, which should be a requirement. Paper ballots are brain-dead easy.
(Score: 4, Insightful) by frojack on Tuesday August 30 2016, @12:49AM
I tend to agree, adding additional levels of complexity such that the common citizen in the street can no longer understand how it works is absolutely NOT the answer. Neither is tossing it all in a computer where one well timed power failure wipes out entire elections.
Wrong. Criminally Wrong.
You can always draft people to count ballots if you have ballots. You'd have legions waiting to volunteer just to make sure there was no funny business going on.
Lets see you count that blockchain when the lights go out.
No, you are mistaken. I've always had this sig.
(Score: 4, Interesting) by hemocyanin on Tuesday August 30 2016, @05:44AM
I totally agree with you on paper ballots. The system we use in Washington state is really simple. You get a ballot in the mail printed on heavy cardstock about two weeks before the election. You use a pen to mark your vote (no hanging chads from complicated punch machines) -- the place to mark is right next to the specific candidate or ballot measure (no alignment issues). You mail or drop off the ballot at collection location (in the last election I waited less than 10 seconds in line to drop off my ballot). The ballots are then machine read (obviously a place for shenanigans to occur) but of course, there is a paper trail if those shenanigans do occur.
When we first went to all mail-in ballots, I was against it thinking that if people couldn't be bothered to go to a polling location, they didn't deserve to vote. After using it now for years, I wouldn't trade it back. You can sit there with your ballot and search the obscure candidates/issues on the internet which while it may not always be the most accurate source of info, is still more accurate than taking a flying guess in the voting booth. Plus there's the whole no waiting, no fuss advantage. It's a superior system.
As for some kind of bitcoinish voting rigamarole -- it will just make the system more opaque, it can't beat the paper trail, and like all software systems, it will be vulnerable but possibly more difficult to find leaving the system insecure for longer periods. It feels like the tech overkill you often see non-tech savvy people get hooked on -- as soon as someone puts a microchip in a shaver, I'm sure they'll make tons of money off the same sorts of people who would by paperless voting machines. There are places where technology does not actually make life better, easier, or safer.
(Score: 0) by Anonymous Coward on Tuesday August 30 2016, @05:29PM
So what happens if my boss asks me to bring my heavy cardstock to work so she can make sure I vote for the candidates she wants? Assume that my boss is smart enough to not leave any paper trail so if I report her to the election commission it's her word against mine. How do I not loss my job nor my right to vote for the candidates I want?
(Score: 2) by hemocyanin on Tuesday August 30 2016, @06:22PM
So what if your boss requires you to snap a photo of your finished ballot in the voting booth? We can play that what if game forever, but after seeing long lines of people being disenfranchised of their vote this season, I have a lot respect for WA's system.
(Score: 0) by Anonymous Coward on Tuesday August 30 2016, @09:01PM
I take the picture, then tear it so the scan tron machine will not accept it, get another, fill it in the way I want, and then work with the election commission so they record her asking for the picture and now we have proof she tried to coerce my vote.
(Score: 0) by Anonymous Coward on Tuesday August 30 2016, @10:10PM
So what if your boss requires you to snap a photo of your finished ballot in the voting booth? We can play that what if game forever, but after seeing long lines of people being disenfranchised of their vote this season, I have a lot respect for WA's system.
You tell them it is a crime to take any cameras, cell phones, or other things into the polling place... at least it is in Virginia.
I've not tried mailing voting, but on the outside it seems good. I'm concerned at the idea of things like "abusive spouse forces somebody to vote a certain way," but I'm guessing such a thing is an exceptional case which won't affect an election (any more than "abuse spouse traps somebody indoors on election day").
Still, if there was widespread systemic abuses, how would the system catch and fix it? A quick search online found a pdf saying "remote voting systems such as vote-by-mail are generally regarded as providing inferior protection from coercion, and as such, their use is often discouraged by experts"... which could be incorrect but doesn't exactly inspire me with confidence.
(Score: 2) by hemocyanin on Thursday September 01 2016, @06:21AM
Compared to standing 4-10 hours in the baking sun to find out the machines broke, mail-in is a gazillion times better. Besides, if you want a mail-in ballot in states with polling stations, you just ask for one -- now the annoying system is just as weak as the convenient system.
Honestly, I used to think just like you and other naysayers, but after using the WA mail-in system, I love it. It is just better.
(Score: 4, Insightful) by Arik on Tuesday August 30 2016, @12:49AM
If laughter is the best medicine, who are the best doctors?
(Score: 2) by JNCF on Tuesday August 30 2016, @01:42AM
It's inherently a horrible idea based simply on the inevitability that, just like everything else, the technology will not be designed and perfected by passionate geeks seeking perfection, but by the cheapest excuse for programmers the bosses can find, using unsuitable tools, without any formal 'design' phase at all.
Then put devlux in charge of it! He's passionate enough to write a whitepaper about it.
Oh and there are similar problems with the hardware as well. A system like that can never be secured.
That depends on what you mean by secured.
Are you worried about it recording an incorrect vote? If so, devlux has that figured out already. The individual voter can verify that the vote recorded on the blockchain was the one they intended to cast. Any discrepencies would be immediately apparent to the people who cast the votes, which is not true of paper ballots which can be switched with other ones later; we have more gaurantees with a blockchain-recorded vote, not less (and you could print out an extra paper version if it mattered, it just wouldn't). You have to find an issue with the blockchain or this isn't a concern. If simply having red flags pop up when votes are recorded incorrectly isn't good enough, each voter could be given a dedicated piece of hardware that physically connects to the voting machine and sends a vote in the format proposed in the Votabit whitepaper, already cryptographically signed. The dedicated piece of hardware wouldn't need to accept any data from the machine, only send it. This should cost quite a bit less than $100 per voter, and is only necessary if you aren't satisfied with red flags popping up. This should totally isolate the private keys from the voting machines, which means that the individual TREZOR-knockoffs would need to be tampered with -- and if they were tampered with, that should be apparent and detectable after the fact when the voter walks out of the booth with their TREZOR-knockoff in hand. The failure point is placed back on the centralised organization(s) responsible for identity verification, not the hardware.
If you're talking about surveillance concerns, those should all apply equally to paper ballots.
(Score: 3, Insightful) by Arik on Tuesday August 30 2016, @01:53AM
The people that do have that power in our society have neither the knowledge nor the motivation to make, nay *let* this work the way it should.
They were always going to do exactly what they're doing, doling out projects to the well connected, buying whatever they are told to buy, and sticking their fingers in their ears when informed of problems.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by JNCF on Tuesday August 30 2016, @02:05AM
The people that do have that power in our society have neither the knowledge nor the motivation to make, nay *let* this work the way it should.
As I stated originally, I'm not really interested in the problem of large-scale democracy. I wholeheartedly agree that the system is fucked, but that isn't an argument for the blockchain being a more tamper-prone way to record votes than a box full of paper ballots. If I were trying to argue for reforming this mess, I'd argue that voting should be done on a blockchain. I took your original post to be partly concerned with the difficulties of implementing the system securely, and I don't think those concerns are valid. I agree that the system which currently exists wouldn't put devlux in charge of implementation, but that's a problem of politics not a technical issue.
(Score: 2) by Arik on Tuesday August 30 2016, @03:35AM
The powerful have no particular interest in fair elections and little fear of seeing them rigged, as they'll generally be the ones doing the rigging not the other way around.
Combine that with the general technical incompetence and it's simply impossible, in reality this is exactly what you should expect from it:
http://www.counterpunch.org/2016/05/16/clinton-does-best-where-voting-machines-flunk-hacking-tests-hillary-clinton-vs-bernie-sanders-election-fraud-allegations/
If laughter is the best medicine, who are the best doctors?
(Score: 1, Insightful) by Anonymous Coward on Tuesday August 30 2016, @02:29AM
> Accepting the centralised organization's identity verification process as valid,
And that right there is why devlux is on a fool's errand. Not the part about accepting the validity, but the fact that his entire system relies on identity verification. You can not have both a secret ballot and a provably tamper-proof election. That's practically a fundamental law of information theory if not physics in general.
We get around that in real life by putting lots of friction in the parts of the process most vulnerable to deanonymizing ballots and tampering with votes. Its not perfect, but most of the time its good enough. Going electronic is all about taking the friction out of a system. So without the benefit of friction you are left with a choice - no more secret ballots or a totally hackable voting system.
Pick one.
(Score: 4, Informative) by mhajicek on Tuesday August 30 2016, @02:48AM
You could have a system where each voter gets a receipt with a code, and can verify their vote anonymously. They would only need to identify themselves if they wished to contest how their vote had been counted.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 1, Insightful) by Anonymous Coward on Tuesday August 30 2016, @03:08AM
> You could have a system where each voter gets a receipt with a code, and can verify their vote anonymously
No you could not. If you have a receipt with a code then you can be coerced into giving that receipt with a code to someone else and now your ballot is no longer anonymous.
Seriously this is an immutable law, you can not be simultaneously anonymous and verifiable. Any who thinks otherwise just has not thought it through.
(Score: 1, Funny) by Anonymous Coward on Tuesday August 30 2016, @05:15AM
Since I have to show ID and prove who I am to be able to vote, I don't expect my vote to be anonymous in the first place.
(Score: 2) by Scruffy Beard 2 on Tuesday August 30 2016, @07:12AM
has this law been proven?
I would be interested in reading such a proof.
It is my understanding that it has only been postulated that e-votes can not be both anonymous and verifiable.
(Score: 2) by mhajicek on Tuesday August 30 2016, @12:18PM
Regardless of the voting system you could be coerced into revealing your vote.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 2) by deimtee on Tuesday August 30 2016, @01:51PM
Once you've dropped the filled in ballot paper through the slot, you can say you voted whatever way they want. They can't check, and even if you wanted to, you couldn't prove which way you voted.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 2) by JNCF on Tuesday August 30 2016, @03:22AM
You can not have both a secret ballot and a provably tamper-proof election. That's practically a fundamental law of information theory if not physics in general.
You can have a ballot that is secret unless you possess a given private key. This takes away all concerns about secrecy except for vote selling/coercing, and if you were being coerced into voting a certain way you could just find somebody voting the other way who was willing to let you decieve your aggressor with their private key. I would consider this a relatively minor problem compared to election fraud.
(Score: 1, Interesting) by Anonymous Coward on Tuesday August 30 2016, @04:24AM
> and if you were being coerced into voting a certain way you could just find somebody voting the other way who was willing to let you decieve your aggressor with their private key
Lol. Do you even think before posting?
(a) Not only is that not easy to do, it is illegal. If the solution to the problem is to break the law, then it's not an actual solution.
(b) Coercion isn't just about aggression, its also about bribes.
Designing voting systems is like designing encryption systems - if you aren't an expert then you will fuck it up royally. I've been part of verifiedvoting.org since their start back in 2003. You clearly haven't really given this much thought at all.
(Score: 2) by JNCF on Tuesday August 30 2016, @05:54AM
I'm in agreement that your worries about anonymity are valid in the specific case of targeted coercion, and I think my last post makes that clear. I represented it as a minor issue, not a solved problem. It's not like the current system doesn't allow for make-shift evidence of ballots cast -- ballot selfies aren't even illegal in every state, and they're producable everywhere. You just don't have any gaurantees that the ballot in the selfie is actually counted.
The imperfect solution of supplying a false key is worth bringing up because it makes everything more difficult for the would-be ballot buyer; they can't ever really verify how somebody voted, only that a given key matched a given vote, so they incur more cost per vote actually bought. If they wanted greater assurance they'd need to go through the same hassle as today. The secrecy is more comparable to our current system than it is to voting in a place and time where votes were public knowledge.
(Score: 2) by JNCF on Tuesday August 30 2016, @06:05AM
Here's what I actually overlooked until just now: absentee votes are super easy for a third party to confirm with cooperation from the voter, so targeted coercion is even easier than a selfie in the current system. This negates your whole argument unless you oppose absentee voting.
(Score: 0) by Anonymous Coward on Tuesday August 30 2016, @06:20AM
Yes there are anonymity problems with vote-by-mail and as more and more districts roll that out eventually somebody is going to start exploiting those problems. But at least they still have the friction of physical ballots so scaling the coercion isn't anywhere near as easy as with e-voting. You'd need someone to personally verify the ballot and mail it themselves to assure the coerced vote was actually cast.
Ballot selfies are not a problem because a photograph of a ballot before it is cast is not proof that it was cast.
And what you call a "minor issue" is anything but because, again, scaling. It is no great leap to automate a vote buying scheme where people message their "receipts" and get bitcoin in return. That's 1000x easier than dicking around with ballots in the mail.
And while I haven't mentioned this yet, secure e-voting is impossible too. You can't guarantee that the computer used to cast the vote isn't compromised in such a way that (a) it casts a different vote and (b) intercepts the "receipt" and give you a fake one. For example, everybody who thinks they voted for candidate X but their phone had a virus that voted for Y instead gets the same "receipt" from someone who really did vote for X.
(Score: 2) by JNCF on Tuesday August 30 2016, @06:34AM
The whitepaper is actually an interesting read. We're talking about voting in a booth still.
If you were automatically paying anybody for keys that are tied to a specific vote, you're mostly going to be paying people who were going to vote that way regardless. Very cost prohibitive.
(Score: 2) by JNCF on Tuesday August 30 2016, @06:51AM
I do see your point about taking a ballot selfie and then requesting a new ballot. I was trying to think of a clever way around it, but I haven't yet.
(Score: 2) by JNCF on Tuesday August 30 2016, @06:59AM
Oh, wait, here's the clever solution: video transition from selfie to ballot dropping in hole, obviously. Hurpadurpa.
(Score: 2) by https on Tuesday August 30 2016, @04:20PM
You really, really, really should look at how elections are conducted in nations other than the USA.
I suspect that a major part of the problem is the sheer number of things that must be voted for simultaneously on Election Day - it's unnecessarily complex. You even have a particular day called Election Day. Weirdos.
Offended and laughing about it.
(Score: 2) by CirclesInSand on Tuesday August 30 2016, @02:19PM
There is a much easier and simpler solution. Just publish 2 lists per district.
First list is a list of everyone who voted, not including how they voted.
Second list is each vote that was cast with a serial number assigned to it.
Each voter gets a receipt with a serial number and a record of how they voted.
Anyone can verify that no extra votes were recorded, as the lists must be the same length. Anyone can audit the lists to ensure that only real people voted. Anyone with a receipt knows if their vote was recorded incorrectly. And there is no trusted central government organization.
There is no magic algorithm that can prevent voter fraud, the most you can hope for is that fraud is detectable. There is no magic algorithm that can punish the fraudulent actors, people actually have to be motivated to do that.
(Score: 2) by JNCF on Tuesday August 30 2016, @03:28PM
It seems like basically the same proposal, with a couple of unfortunate differences:
I disagree about this scheme not requiring a trusted central organization. If we need to verify the identity of voters, I can't think of a system that doesn't require trust at some point. I'd like to, but I can't.
(Score: 2) by CirclesInSand on Tuesday August 30 2016, @03:56PM
Exactly how would a "trusted government organization" be able to verify people better than a general audit?
(Score: 2) by JNCF on Tuesday August 30 2016, @04:34PM
Exactly how would a "trusted government organization" be able to verify people better than a general audit?
I don't think I used that terminology. The trusted centralised organization I'm talking about could be an NGO, and there could be multiple independant organizations. You were the one that said "there is no trusted central government organization" in reference to your own proposal, I've been using the term "centralised." I would argue that the general audit is carried out by a (rightly or wrongly) trusted centralised government organization, which is what I meant when I said "I disagree about this scheme not requiring a trusted central organization."
(Score: 2) by CirclesInSand on Tuesday August 30 2016, @05:56PM
I merely thought that "trusted government organization" is such an absurd term that it deserved to be in quotes.
(Score: 0) by Anonymous Coward on Tuesday August 30 2016, @04:50PM
First of all, in a huge election, there will be error.
Second of all, what can legally be done if an error is detected?
Running the election again is not an option. If you can prove an error, all you've done is undermine the legitimacy of the election. You can't change the result. This could tear the country apart.
(Score: 4, Insightful) by JNCF on Tuesday August 30 2016, @05:22PM
Running the election again is not an option.
Why not? Some folks do it. [telegraph.co.uk]
If you can prove an error, all you've done is undermine the legitimacy of the election. You can't change the result.
Would you prefer to let the vote-thief go unnoticed? If you care about democracy, that seems like a horrible precedent.
This could tear the country apart.
That sounds like the best election result in American history.
(Score: 2) by dingus on Tuesday August 30 2016, @02:56AM
Venezuela's system is pretty good: you fill out a paper ballot slip and feed it into the computer, which reports to a central server and also keeps a copy locally. So there are three records of every vote that can be counted seperately.
(Score: 2) by tangomargarine on Tuesday August 30 2016, @02:23PM
What happens if any of the three results don't match?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by dingus on Tuesday August 30 2016, @09:53PM
Presumably they trust the slip.
(Score: 1, Interesting) by Anonymous Coward on Tuesday August 30 2016, @07:02AM
No, the American way would be to outsource the whole thing to India. Hey they're the world's largest democracy.
Seriously though, those fancy computer methods are weak at one of the requirements of election systems - convincing the losers they've lost. Paper ballot systems are better at convincing losers that they have lost fairly enough and not through some fancy computer trickery.
If an election system can't convince enough of the losers that they lost, then that election system is a waste of money or just for show (like those elections that Dictators like to hold where they win 99% of the votes).
You might as well skip the whole thing and go to a dictatorship or a civil war.
(Score: 2) by tangomargarine on Monday August 29 2016, @09:32PM
Sometimes sneakernet is still the best way to transport your data.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 5, Interesting) by jdavidb on Monday August 29 2016, @09:42PM
Have you considered the impact on the US if the election for president is disrupted, with the winner unknown because the results are dependent upon the votes in one or more of the states with electronic-only voting systems? Some people might find it beneficial if the US election is disrupted or contested.
Also, some people might find it beneficial if they can hack the election but have the blame cast on known "foreign hackers." Is it just me, or does this sound like a convenient cover story?
ⓋⒶ☮✝🕊 Secession is the right of all sentient beings
(Score: 1, Insightful) by Anonymous Coward on Monday August 29 2016, @09:50PM
Its just you.
Using your brain that is.
(Score: 3, Insightful) by PartTimeZombie on Monday August 29 2016, @09:52PM
Is it just me, or does this sound like a convenient cover story?
Could be.
Really though, the actual voting is not necessary under the US political system, the people who run the country have already decided who the next president is going to be.
(Score: 3, Insightful) by jcross on Tuesday August 30 2016, @01:06AM
I think there was a story about this just last week: https://soylentnews.org/article.pl?sid=16/08/23/1342224 [soylentnews.org]
(Score: 3, Interesting) by HiThere on Tuesday August 30 2016, @01:55AM
The last time this happened the Supreme Court decided who won, and then sealed the evidence so nobody could check it.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by jdavidb on Tuesday August 30 2016, @05:18AM
ⓋⒶ☮✝🕊 Secession is the right of all sentient beings
(Score: 2) by JNCF on Tuesday August 30 2016, @06:15AM
When that happened, I was a moron who rooted for the guy who ended up winning. Now I'm a moron who's like to think he's slightly smarter: at least smart enough to never make that mistake again.
I know how you feel; I rooted for Obama in '08. *facepalm* I was hoping for change! I think getting fooled by a given candidate once is far more understandable than voting for their reelection, but I also hope that I never find myself supporting any part of that duopoly ever again. How embarassing.
(Score: 2) by jdavidb on Tuesday August 30 2016, @06:27AM
ⓋⒶ☮✝🕊 Secession is the right of all sentient beings
(Score: 1, Informative) by Anonymous Coward on Monday August 29 2016, @09:52PM
Oh my god guys, I am totally surprised and appalled by this news. Who could have ever seen this coming.
(Score: 4, Insightful) by bob_super on Monday August 29 2016, @10:27PM
Indeed. The congresscritters who got sold these shiny electronic voting machines had been assured, on the vendors' honor, that only they had access to the backdoors.
(Score: 2) by Dunbal on Monday August 29 2016, @09:52PM
Getting ready to annul any Trump victory "because Russia".
(Score: 3, Interesting) by EvilSS on Monday August 29 2016, @09:55PM
So yes, this is a great segway to discussing electronic and internet voting, but the actual crime that occurred was the theft of voter registration information, which is, in Illinois where it was stolen, already part of the public record and pretty easy to obtain. It's data like registration info (date, precinct info, etc), contact info (name, dob, address, phone number) and voting history (1/0 for general elections and what party ballot was requested for primaries). This data can be ordered from the state by just about any candidate, political group or org, or individuals willing to affirm they are not going to use it for illegal purposes (for example, you can't use it to sell people stuff). At the county level you can usually get it from the county clerk's website.
(Score: 0) by Anonymous Coward on Tuesday August 30 2016, @12:53AM
So yes, this is a great segway
What does your enthusiasm for Dean Camen's two-wheeled monstrosity have to do with voting?
(Score: 1) by khallow on Tuesday August 30 2016, @02:53AM
What does your enthusiasm for Dean Camen's two-wheeled monstrosity have to do with voting?
It is quite relevant! From this documentary [killsixbilliondemons.com] on the subject:
You will know the rulers of the cosmos by two signs: first, the star in their brow, which is the mark of their lordliness, and shows you that they are my kin. Second, you will see that their Segway wheels are oddly shaped. Their rims are made of rough and heavy iron or steel, not at all like the polished and gilded rims which you see carrying mundane royalty. Do not be deceived by their simplicity. They are built this way for the express purpose of grinding the bones of men into a fine powder.
I don't know about you, but better be enthusiastic!
(Score: 2) by EvilSS on Tuesday August 30 2016, @01:45PM
Well my phone's auto-correct sure seems to be a fan. Subliminal advertising confirmed.
(Score: 2) by frojack on Tuesday August 30 2016, @12:54AM
We presume a crime has occurred. But realistically we don't actually know, because its on a need to know basis.
But that won't stop federal over-reach. This could serve as a new impetus for federalizing the whole process. Pat-downs as you enter the polling place. No-Vote Lists.
What's easier to penetrate? 50 different voter registration systems, or one federal one developed by the same people that brought Obama care on line?
No, you are mistaken. I've always had this sig.
(Score: 2) by jcross on Tuesday August 30 2016, @01:09AM
That hardly eases my mind about it, since anyone concerned only with getting that data likely wouldn't bother breaking in. It just makes me wonder what else they might have been up to...
(Score: 2) by EvilSS on Tuesday August 30 2016, @01:41PM
Well if you want the info in bulk, I can see breaking in since that would be the easiest way to get it for an entire state without having to pay for it. The data would most likely be used for identity theft or phishing attempts. But yea, since the feds are being tight lipped about it who knows. The good news is it would be difficult to manipulate an election from the state elections board. Elections get reported up from the precinct to the county to the state so there is a trail of reports and certifications that bubble up to the state level. All these are publicly reported at each step so it would be hard to rig an election from the top. Voter rolls are also kept at the county level, the copy the state keeps is just for their own reporting (and selling to campaigns who want to buy it for the entire state). So even if they could delete all the records it would cause some havoc but wouldn't cause any issues at the polls.
Now if they could get into the individual county systems....
(Score: 2, Insightful) by Anonymous Coward on Monday August 29 2016, @10:00PM
I've seen some people that are invested in the current voting systems claim that election hacking is not a significant risk because there are so many different and distinct voting systems around the country due to them all being locally administered. That all the heterogeneity makes it too complicated to mount an effective attack.
But that logic does not cut it. You don't have to hack every system. You only have to hack strategic systems - skip all of the states (and counties) that are firmly in the bag for one candidate or another. Just target the places where the race is close. Boost a couple percentages in key districts and you can flip the entire election.
I am seriously worried about the situation and it is far too late to make any significant changes in the system.
(Score: 0) by Anonymous Coward on Monday August 29 2016, @10:47PM
They already pulled this off multiple times. The shitty security? Looks like it was built in by default, specifically to make it easier to rig elections. It is never too late to make changes in the system, but it often comes with a lot of loss.
(Score: 0) by Anonymous Coward on Monday August 29 2016, @11:18PM
> The shitty security? Looks like it was built in by default, specifically to make it easier to rig elections.
No. The shitty security in voting machines was built in by default for exactly the same reason shitty security has been built into everything by default: Ignorance, apathy and profit margins.
(Score: 2, Informative) by Anonymous Coward on Tuesday August 30 2016, @12:11AM
That's not a bad first assumption, but given the reaction to revelations of these security issues, it no longer is the simplest assumption.
(Score: 0) by Anonymous Coward on Tuesday August 30 2016, @02:13AM
> That's not a bad first assumption, but given the reaction to revelations of these security issues, it no longer is the simplest assumption.
Help us out here, could you describe the reaction you are talking about?
Because the reactions I've seen have been entirely consistent with ignorance, apathy and profit margins. And denial. But that's easily explained by short term thinking.
(Score: 2) by JNCF on Tuesday August 30 2016, @05:39PM
Help us out here, could you describe the reaction you are talking about?
Because the reactions I've seen have been entirely consistent with ignorance, apathy and profit margins. And denial. But that's easily explained by short term thinking.
How about that time when Michael Connell [wikipedia.org] was going to testify about election fraud related to the 2004 election, his lawyer requested security on the grounds that they had been informed of threats made by Karl Rove, the security request was denied, and Michael Connell subsequently died in a plane crash before being able to testify? Does that sound like ignorance, or conspiracy?
(Score: 3, Interesting) by Scruffy Beard 2 on Tuesday August 30 2016, @12:17AM
If they machines are not deliberately insecure, then why has the state-of-the-art rgressed, rather than impoved?
Computer Scientists Take Over Electronic Voting Machine with New Programming Technique [ucsd.edu]
In that paper [ucsd.edu] (pdf), they use a novel "return oriented programming" technique to re-program a machine with Read-only Memory for storing the voting software. To do this, they reverse-engineered the machine, and leveraged a stack over-flow in the configuration routine.
This strip [xkcd.com] came out at about the same time.
Machines running anti-viruses experience constant software updates. No way that is secure.
(Score: 3, Informative) by Scruffy Beard 2 on Tuesday August 30 2016, @12:32AM
Tampering with US voting machine as easy as ‘abcde’, says Virginia report [sophos.com]
(Score: 0) by Anonymous Coward on Tuesday August 30 2016, @02:20AM
> If they machines are not deliberately insecure, then why has the state-of-the-art rgressed, rather than impoved?
Lack of anyone in charge giving a shit mean things continue right on down the shitter. New security exploits are developed on a daily basis, but nobody actively working to improve security means stagnation at best. So systems become more and more insecure as time passes.
We regularly hear about newly discovered flaws in general computing systems like iphones and windows that have been around for years, why should voting machines (all of which are built on top of general purpose computers) be any different?
(Score: 1) by Arik on Tuesday August 30 2016, @12:44AM
If laughter is the best medicine, who are the best doctors?
(Score: 2) by tibman on Tuesday August 30 2016, @04:33AM
It's a weak excuse. Nobody will hack it because that would be hard. WTF!
SN won't survive on lurkers alone. Write comments.
(Score: 3, Insightful) by Username on Monday August 29 2016, @11:15PM
From my understanding of electronic votes is that they’re on standalone devices and collected and added to paper votes manually.
If I were to make a voting machine, it would have read only OS, probably dos, hooked up to a unique user input device, a 40" monitor, writes and mirrors to two rom chips located on a single pcb which contains voter id, vote which is the candidates first+last name, machine id, and timestamp all of which is enclosed into a cubicle.
The input device would have a lot of large toaster strudel sized buttons. Each of these buttons will have a candidates first name at the top, last at the bottom and photo of them in the middle. The first row of these buttons would be labeled president to the left and right of the button row and background colored red. Second row for state colored white, third for town colored blue. On screen there will be blank rows colored red, white and blue. Each time you click a button there would be an auditor ding, and reply of the candidates name you selected, probably voiced by john madden, and it would pop up the candidates name in the corresponding row. Once you have selected all three rows, madden will ask you to selected the candidates again to confirm your choice (text popup on screen too). Once you select the same three people again, madden will say you have successfully voted.
Once those pcbs are removed from the machine, both chips are signed in felt pen by two pollsters then are removed and each pollster takes one chip and reads it on another machine which checks voter ids against a voter list that was written/verified onto a rom before the election took place, then all verified votes are tallied and compaired.
(Score: 3, Informative) by Scruffy Beard 2 on Tuesday August 30 2016, @12:43AM
I like your line of thinking, but that is not paranoid enough.
My own comments [soylentnews.org]
(Score: 0) by Anonymous Coward on Tuesday August 30 2016, @01:17AM
Computer prints ballot which has easily readable and OCR-able text. Voter folds that (maybe inserts in envelope), gets out of the closed cabin and puts the paper(s) in the box that is in the table controlled by other people.
Later open the box and count. Use a scanner if you want it fast, for example when voting many issues at the same time. No fucking chads, not fucking pencil marks. Humans and computers must agree about the contents of any randomly selected vote.
Basically what is done in many places, just with the extra of OCR+scan option added.
(Score: 3, Insightful) by bob_super on Tuesday August 30 2016, @01:20AM
That still allows the programmer to change the vote between the screen and the ROM, but only on the first Tuesday of November and when more than N people have voted at a certain pace during the day.
There is nothing safer than a bunch of single-choice papers in an envelope inside a transparent urn, with a crew of people who don't like each other keeping an eye on it and counting together until they agree.
A Spanish guy asked me today why Jury Duty is a mandatory thing, but not Election Day Auditor. It makes so much sense I should claim the idea.
(Score: 4, Interesting) by arslan on Tuesday August 30 2016, @01:47AM
So, how practical is it to build in voter reconciliation into e-voting? On top of whatever mechanism in place, the e-vote is tagged with a one time UUID for the voter to either print out or write-down or take a photo with their mobile, etc.
A large query/read-only online database is then uploaded after tally to show what that UUID have its vote counted against and voters can login and validate it themselves... crowd source reconciliation.
Of course traceability and integrity between that and the actually tallying is very important. The database can also be bulk downloaded by any public or organization to recount themselves if they want or have the resource...
(Score: 2) by dingus on Tuesday August 30 2016, @03:03AM
Notice how the hackers used computers, a known tactic of the GRU, KGB, and the NKVD. Additionally, like a huge assortment of malware, some of it contained cyrillic characters. I think we've just about 10000%$ determined that this hack is Russia trying to make sure that Queen Hillary is unable to claim her rightful throne.