Five years ago, Vladimir Putin publicly fumed that the US was interfering with internal Russian politics. He felt that the US emboldened local protestors by claiming that the 2012 Russian elections (which he won with more than a 46 point margin) were rigged. It's been said he's seeking payback by discrediting American elections. Not necessarily to help one candidate over another (Putin has said "We don't back anyone – it's not our business"), but to throw the legitimacy of US elections into doubt the same way he believes the US delegitimatized his landslide victory of 2012.
We've been told that hacking the vote would be difficult due to the wide variety of locally implemented voting systems. But that doesn't necessarily apply to state-level voter registration databases. Introducing minor amounts of errors, even just 1% of the total records could cause chaos on election day. If 1 in every 100 voters is turned away from the polls, that would have enormous repercussions on the election, far greater than the hanging chads had in Florida. There have already been reports of the exfiltration of registration data in two states and attacks on registration systems in another 20 states.
Now a white hat hacker has demonstrated just how easy it is to modify registration data in Indiana using only publicly available data.
Related Stories
A press release, dated 11 May, posted to the White House Web site (archived copy) announces (all links and party affiliations were added by the submitter):
[...] the issuance of an executive order forming the bipartisan Presidential Commission on Election Integrity. The President also named [Republican] Vice President Mike Pence as Chairman and Kansas Secretary of State [Republican] Kris Kobach as Vice-Chair of the Commission.
Five additional members were named to the bipartisan commission today:
Connie Lawson [Republican], Secretary of State of Indiana
Bill Gardner [Democratic], Secretary of State of New Hampshire
Matthew Dunlap [Democratic], Secretary of State of Maine
Ken Blackwell [Republican], Former Secretary of State of Ohio
Christy McCormick, Commissioner, Election Assistance Commission
[...]
The Commission on Election Integrity will study vulnerabilities in voting systems used for federal elections that could lead to improper voter registrations, improper voting, fraudulent voter registrations, and fraudulent voting. The Commission will also study concerns about voter suppression, as well as other voting irregularities. The Commission will utilize all available data, including state and federal databases.
Secretary Kobach, Vice-Chair of the Commission added: "As the chief election officer of a state, ensuring the integrity of elections is my number one responsibility. The work of this commission will assist all state elections officials in the country in understanding, and addressing, the problem of voter fraud."
Additional Commission members will be named at a later time. It is expected the Commission will spend the next year completing its work and issue a report in 2018.
(Score: 2) by Snotnose on Saturday October 15 2016, @02:19AM
When 10% of your registered voters were dead before election day, some bells should have been ringing somewhere.
When the dust settled America realized it was saved by a porn star.
(Score: 1) by gmrath on Saturday October 15 2016, @05:57PM
Yes. 10% of DEMOCRATIC registered voters were dead before election day and voted anyway. Move along, nothing to see here. Business as usual. Say NO to voter ID!
(Score: 4, Insightful) by Runaway1956 on Saturday October 15 2016, @02:20AM
"difficult due to the wide variety of locally implemented voting systems"
So the states are relying on security through obscurity. The same thing for which *nix has been mocked through the years. With the major differences being, the owners aren't obscure even from the outset. And, these datasets can be considered as "high value" as opposed to some nerd running a strangely configured Linux.
I short, they are assuring us that because their community organizers don't know how to hack the systems, they feel safe.
(Score: 0) by Anonymous Coward on Saturday October 15 2016, @03:13AM
> The same thing for which *nix has been mocked through the years.
lolwut?
Your persecution complex is showing again.
BTW, it isn't security through obscurity in this case either. Its security through level of effort, which is the cornerstone of all security. In this case, the effort necessary to individually analyse and then hack thousands of voting systems rather than script-kiddee it with one automated tool that directed by a single master cracker.
(Score: 2) by Runaway1956 on Saturday October 15 2016, @05:21AM
Lolwut right back at you. Security through effort? The only "effort" put into this security "scheme" is, competing interests from various vendors. One vendor sold one solution to this customer, another vendor sold a competing scheme to another, etc ad nauseum. Somewhat like Linux, there are a number of different "flavors" of electronic voting schemes in use. And, exactly like Linux, no individual can know for sure (until he starts hacking/cracking the system) which security measures have been implemented. This is "security through obscurity". My (or your) first approach to any given system is completely blind. You have to start really simple, and find out whether the system responds to common inquiries (ping?) before you can begin to decide on any approach that might get you into the system.
Effort? Really? Somewhat like banks and government agencies, they rely more on the law punishing anyone getting into the system, than they rely on preventing unauthorized entry. Log everything, then go after the dumb chump who was exploring. Except - since we aren't even logging the votes in many instances, I wonder if there are logs of attempted access. Probably not. The mysterious "they" want to log our telephone calls, but see no need to log votes, or unauthorized access to voting machines.
Whatever point you're trying to make here, that don't don't hunt. You might as well leave it lying under the porch.
(Score: 0) by Anonymous Coward on Saturday October 15 2016, @12:40PM
> Security through effort? The only "effort" put into this security "scheme" is, competing interests from various vendors.
I see you have no actual experience with security. All security is about raising the level of effort for the attacker. There is no such thing as perfect security, there is only cost to compromise versus value of a successful compromise. Figuring out how to compromise a thousand different systems is literally 1000x more expensive than figuring out how to compromise a single system. You've been around long enough you must have heard the arguments about exploits of a microsoft monoculture.
(Score: 0) by Anonymous Coward on Saturday October 15 2016, @05:06PM
> Trump says mean things sometimes. Clinton means things all the time.
FTFY
(Score: 2, Insightful) by Anonymous Coward on Saturday October 15 2016, @02:48AM
For me any hacking the Russians might do doesn't matter. From the various polls that are run during the years leading up to the election to the selective media coverage, I know the system is screwed and unfair. The only reason I will vote this year is to bump up the third party percentage.
Or I might go the George Carlin route so I can bitch and moan and blame the Trump and Clinton supporters for whatever shit they put us into.
(Score: 3, Interesting) by Gaaark on Saturday October 15 2016, @03:11AM
and are the Russians the 'scape goat'?
Hillary and the CIA bring up "it's the Russians". Maybe it's the Hillary, but blame it on Trump and his Ruskie ties, yep!
Maybe it's Hillary AND Donald.
Or just the CIA?
Or some fat guy on a couch.
It used to be the Chinese... or North Koreans. Now that Putin is doing bad, it's the Russians..... and they wonder why we don't believe ANYTHING the U.S. government says.
The American government (and it's secret government) just. need. to. die.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: -1, Troll) by Anonymous Coward on Saturday October 15 2016, @03:13AM
I'd like some FUD with my MUD, then I can just be a BUD with some SUDS.
(Score: -1, Troll) by Anonymous Coward on Saturday October 15 2016, @03:56AM
You appear to be having an epistemological crisis.
Too much Trumping has convinced you that all statements are equally valid.
The end result of that logic is that all decisions will be made based on the feels, which in most humans, usually devolves into tribalism. And ironically, that appears to be your primary criticism of the FBI's analysis.
(Score: 3, Interesting) by butthurt on Saturday October 15 2016, @03:19AM
In this year's primary election in California there were 1,173,943 provisional ballots, according to Greg Palast. A provisional ballot, if I'm not mistaken, is offered when someone goes to the polling place but there's some irregularity with the person's registration. The state's population is roughly 30 million, and not all vote; hence there were irregularities with well over 1% of the votes.
http://www.gregpalast.com/bernie-won-california-official-un-count/ [gregpalast.com]
Someone made a video about possible improprieties in that election.
https://web.archive.org/web/20160704135940/http://www.nakedcapitalism.com/2016/07/uncounted-the-true-story-of-the-california-primary.html [archive.org]
In Ohio's general election in 2004, 5,625,613 votes were cast altogether. [wikipedia.org] According to Palast, over 200,000 provisional ballots were never counted in that election. That would be 3.6% or more of the total votes.
https://www.washingtonpost.com/news/post-politics/wp/2016/06/22/californias-lengthy-vote-count-stokes-theories-that-sanders-actually-won-the-primary/ [washingtonpost.com]
The Chicago Tribune story says
The FBI has detected a variety of "scanning activities" that are early indications of hacking, Comey told the House Judiciary Committee this week.
As I wrote the first time that story was posted here, every Web site receives attempts at intrusion; they are automated.
(Score: 1, Interesting) by Anonymous Coward on Saturday October 15 2016, @04:13AM
> hence there were irregularities with well over 1% of the vote
"irregularities" sure sounds ominous.
But it turns out not really. [latimes.com] If you aren't registered as a democrat you get a provisional ballot which only lets you vote for the presidential candidate and none of the down-party races. Bernie brought in a ton of people who were not previously registered, so they got provisional ballots. Not quite so irregular after all.
> As I wrote the first time that story was posted here, every Web site receives attempts at intrusion; they are automated.
On what evidence do you base your claim that Comey is only talking about background level scans?
(Score: 3, Interesting) by butthurt on Saturday October 15 2016, @05:06AM
"irregularities" sure sounds ominous.
Provisional ballots are supposed to be given out when someone comes to vote but the people at the polling place can't confirm the person's eligibility to vote.
But it turns out not really. If you aren't registered as a democrat you get a provisional ballot which only lets you vote for the presidential candidate and none of the down-party races. Bernie brought in a ton of people who were not previously registered, so they got provisional ballots. Not quite so irregular after all.
No, you're confusing a cross-over ballot with a provisional ballot. From the story you linked:
Independent voters, known in California as having “no party preference,” were allowed to vote in the Democratic primary between Hillary Clinton and Vermont Sen. Bernie Sanders. But they were banned from voting in the Republican presidential primary.
The Democratic Party required unaffiliated voters to use a special “crossover” ballot so they couldn’t vote for the party’s governing committee — but voters had to proactively ask elections officials for the special ballot.
In other words, the voters who received the "no party preference" ballot rather than the cross-over ballot were not allowed to vote for the Democratic Party's presidential candidates.
It's claimed that, in that election, voters who had registered were not listed on the voting rolls; that is an irregularity, hence they were given provisional ballots.
It's also claimed that, in that election, voters who came to their polling places were told that they had already voted by mail, when (according to those voters) they had not.
Here's a direct link to the video:
https://www.youtube.com/watch?v=D5ugmNoanx8 [youtube.com]
On what evidence do you base your claim that Comey is only talking about background level scans?
Eh, I should have corrected myself. "They are usually automated" is the meaning I meant to convey. I could find evidence for that, but would you bother to read it? Anyway, my opinion is that the great majority of intrusion attempts are automated, hence the reasonable initial assumption to make on seeing such attempts is that they were automated. If there are indications that the assumption is wrong, then abandon it. I'm suggesting that the FBI may be incompetent at identifying a targetted attack, and I'm applying Hanlon's razor.
In the stories I've read there's no indication that the attacks were directed specifically at government-run sites, rather than at a variety of sites. I'm not asserting that these were general attacks on every site; rather I'm saying that they could be. Have you any knowledge that they specifically targetted election-related sites?
(Score: 0) by Anonymous Coward on Saturday October 15 2016, @12:36PM
> I'm suggesting that the FBI may be incompetent at identifying a targeted attack, and I'm applying Hanlon's razor.
In that case, why only 20? Since essentially all sites are subjected to a background level of scanning then why would the FBI say only 20 sites were affected?
(Score: 2) by butthurt on Saturday October 15 2016, @04:35PM
In that case, why only 20? Since essentially all sites are subjected to a background level of scanning then why would the FBI say only 20 sites were affected?
The body of the article uses the words "more than 20 states." I seem to recall from reading another report about that story that not all the states have Web sites containing the rolls of voters, and that of those that do, not all are working with the FBI.
I think I found the ABC News article [go.com] and it says
Hackers working on behalf of the Russian government are suspected in the onslaught against more than 20 state election systems, according to sources with knowledge of the matter.
If I may be somewhat inconsistent by assuming competence on the part of the Russian government: if they attempted such attacks, I should think they'd know how to disguise the Russian backing (origin?) of the attacks. I should also think that they'd want to disguise that. I think that they want to be perceived as a democratic government; interfering with elections in other countries doesn't fit with the image they want to put forth.
If they wanted the voter registration lists, those are available by request (for a fee) although at least one state asks that the information not be sent outside the U.S.A.
A database with information on all American voters [...] might go for about $270,000, according to one marketing firm consulted by researcher Chris Vickery.
[...]
On December 20, [2015] researcher Chris Vickery contacted DataBreaches.net to say he had found a database with 191,337,174 million Americans’ voter information exposed due to a misconfiguration of the database.
--https://web.archive.org/web/20151228191313/http://www.databreaches.net/191-million-voters-personal-info-exposed-by-misconfigured-database/ [archive.org]
(Score: 0) by Anonymous Coward on Saturday October 15 2016, @05:28PM
You've turned hanlon's razor into just another rationale for conspiracy theory.
Exceptions for what confirms your biases, strick adherence for anything that contradicts them.
Congrats!
(Score: 2) by butthurt on Sunday October 16 2016, @01:11AM
I acknowledged that I was being inconsistent. I do tend to think that the Russian government is more competent than the FBI in this area. And again, I'm not asserting that the Russian government is not behind these attacks. I'm just saying that isn't necessarily what's happened.
Conspiracies do exist, of course. However, I'm not the one positing a conspiracy theory here. It's the FBI who are doing so. What's the evidence that the Russian government is attacking? Oh, it's secret, so you'll forgive me for remaining unconvinced.
(Score: 2) by butthurt on Monday October 17 2016, @02:10PM
> [...] not all [states\ are working with the FBI.
From a story dated 21 September:
Less than 20 percent of states have asked the Homeland Security Department for help assessing the security of machines at the polls and for scans of online voter registration databases ahead of the presidential election, a DHS official says.
[...]
As of Wednesday, "we have received requests and are currently working with nine states on scans and assessment services," DHS spokesman Scott McConnell told Nextgov.
[...]
The on-site risk and vulnerability assessments can take up to three weeks, Johnson said.
-- http://www.nextgov.com/cybersecurity/2016/09/9-states-accept-dhss-election-security-support/131741/ [nextgov.com]
(Score: 2) by butthurt on Monday October 17 2016, @02:16PM
A story from 20 September says:
The DHS official — speaking on background because of the subject’s sensitive nature — explained that hackers of all stripes are constantly testing the digital defenses of every state’s public-facing election systems. But in 20-plus states, the agency determined that these intrusion attempts have become what DHS calls “probing of concern.”
-- http://www.politico.com/story/2016/09/states-major-election-hacking-228978 [politico.com]
That would seem to be at odds with the statement about the nine states.