Submitted via IRC for AndyTheAbsurd
A cybersecurity exercise highlights both new and unaddressed vulnerabilities riddling US election systems.
A report issued Thursday by some of the country's leading election security experts found that voting machines used in dozens of states remain vulnerable to hacks and manipulations, warning that without continued efforts to increase funding, upgrade technology, and adopt voter-marked paper ballot systems, "we fear that the 2020 presidential elections will realize the worst fears only hinted at during the 2016 elections: insecure, attacked, and ultimately distrusted."
The 47-page report is the product of researchers who organized a shakedown of voting machines at the annual DefCon conference, one of the world's biggest information security gatherings frequented by hackers, government officials, and industry workers. First incorporated into DefCon in 2017 with the aim of improving voting machine security, this year's version of the now-annual "Voting Machine Hacking Village" assembled over 100 machines and let hackers loose to find and exploit their vulnerabilities. While election officials have criticized the effort's utility as a testing ground, deriding it as a "pseudo environment," some have seen value in letting machines' flaws become more known and potentially lead to security improvements.
"Once again, Voting Village participants were able to find new ways, or replicate previously published methods, of compromising every one of the devices in the room," the authors wrote, pointing out that every piece of assembled equipment is certified for use in at least one US jurisdiction. The report's authors, some of whom have been involved with election machine security research going back more than a decade, noted that in most cases the participants tested voting equipment "they had no prior knowledge of or experience" in a "challenging setting" with less time and resources than attackers would be assumed to marshal.
The report urges election officials to use machines relying on voter-marked paper ballots and pair those with "statistically rigorous post-election audits" to verify the outcome of elections reflects the will of voters. The authors also warn that supply chain issues "continue to pose significant security risks," including cases where machines include hardware components of foreign origin, or where election administrators deploy foreign-based software, cloud, or other remote services. The report lands as officials in several states are working to upgrade election equipment, and as lawmakers in Washington, D.C. debate federal election security legislation and funding.
Source: https://www.motherjones.com/politics/2019/09/defcon-2019-hacking-village/
(Score: 4, Funny) by RamiK on Saturday September 28 2019, @02:19PM (4 children)
Switching from paying advertisers to paying black hats for the elections is one step closer to a meritocracy.
compiling...
(Score: 0) by Anonymous Coward on Saturday September 28 2019, @03:03PM (3 children)
"a meritocracy"
There is some merit to that philosophy, but for a society overall it is toxic.
(Score: 2) by Runaway1956 on Saturday September 28 2019, @04:51PM (2 children)
We might argue that society is toxic.
Abortion is the number one killer of children in the United States.
(Score: 1, Informative) by Anonymous Coward on Saturday September 28 2019, @06:03PM (1 child)
You are toxic, and "meritocracy" is just the little brother of eugenics. Like everything it has value in certain places, but also like everything it is not a good generality for humanity.
(Score: 2) by RamiK on Saturday September 28 2019, @07:18PM
Those generalizations entirely depend on the society in question and the circumstances it's in. If, for instance, there's a resource scarcity and no space expansion in sight, some form of birth control and a meritocracy that prevents waste would be a necessary toxin with the alternative being an endless cycle of war.
compiling...
(Score: 3, Insightful) by Gaaark on Saturday September 28 2019, @02:25PM
"Well, duh!"
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 1, Interesting) by Anonymous Coward on Saturday September 28 2019, @02:48PM (1 child)
Glanced through the full report (available at tfl) and learned that there are now things called, "ballot marking devices". Originally designed to help people with impairments to mark their ballot, they are now being incorporated into a machine that also includes the paper ballot scanner.
While the two functions appear to be separate, in fact they discovered that the marking device and scanner are internally connected, "... hacking the BMD enabled altering votes at the scanning stage". Yikes!
What were the designers thinking? Truly evil, or just incompetent??
(Score: 1, Insightful) by Anonymous Coward on Saturday September 28 2019, @04:05PM
We use OMR scanners. You mark your ballot then hand it to the geezer at the scanner. They put it into the scanner where it is read and dropped into the ballot box. With the addition of random recounts of the ballot boxes with an open source scanner that would need to agree with the original count within a certain percentage, it would be fairly secure.
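Added example (not part of the comment above, the article, or the report): the "statistically rigorous post-election audits" the report calls for, and the random recounts suggested in the comment above, can be run as a sequential ballot-polling audit in the style of BRAVO. This goes beyond the comment's "agree within a certain percentage" check; the candidate names, ballot counts and seed are constructed, and a single two-candidate contest is assumed.

```python
import random

def ballot_polling_audit(paper_ballots, winner, loser, reported_share,
                         risk_limit=0.05, max_draws=2000, seed=2019):
    """BRAVO-style sequential audit of one two-candidate contest.

    paper_ballots: hand-read marks from the voter-marked paper (the evidence).
    reported_share: winner's share of winner+loser votes per the tabulator.
    Returns (confirmed, ballots_examined).
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported winner share must be between 0.5 and 1")
    rng = random.Random(seed)      # real audits derive the seed from public dice rolls
    threshold = 1.0 / risk_limit   # stop once the evidence ratio reaches this
    ratio = 1.0
    for examined in range(1, max_draws + 1):
        mark = rng.choice(paper_ballots)          # draw with replacement
        if mark == winner:
            ratio *= reported_share / 0.5
        elif mark == loser:
            ratio *= (1.0 - reported_share) / 0.5
        # blank or other marks leave the ratio unchanged
        if ratio >= threshold:
            return True, examined                 # reported outcome confirmed
    return False, max_draws                       # escalate to a full hand count

def demo():
    # Constructed data: candidates "A" and "B", 10,000 paper ballots per case.
    honest_paper = ["A"] * 6000 + ["B"] * 4000    # tabulator report matches paper
    altered_paper = ["A"] * 4000 + ["B"] * 6000   # tabulator still reports A at 60%
    return {
        "honest": ballot_polling_audit(honest_paper, "A", "B", 0.60),
        "altered": ballot_polling_audit(altered_paper, "A", "B", 0.60),
    }

if __name__ == "__main__":
    for case, (confirmed, examined) in demo().items():
        print(case, "confirmed" if confirmed else "full hand count", examined)
```

The risk limit is the largest chance that a wrong reported outcome gets confirmed; the closer the reported margin, the more paper ballots the audit has to examine before it can stop.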
(Score: 3, Insightful) by Spamalope on Saturday September 28 2019, @05:07PM (2 children)
And this is the 'safe' part.
It's the vote tabulation stage that's best to target to swing votes. Incorporate an alteration designed to look like random noise so that it won't show up with automated audit tools. Nudge all the races with the random noise. Be content with small(ish) alterations so the compromise won't be suspected. In races with at large positions or a third party candidate, move votes from the opponent to other candidates as well. If you do anything that adds more votes, also alter the primary votes in a similar fashion. Go to great lengths to verify dates so the compromise only runs for the actual election and for any recounts. Use a random number seed the first time and store that seed so the alterations are repeatable for recounts. Hide that with stenography somewhere it can be encoded without altering file size like a window theme bitmap within the tabulator's UI. (i.e. everything you can do to make the compromise be invisible and survive code and tabulation audits)
If at all possible compromise the software vendor. Compromise commercial libraries instead of the application source. Heck, be the tabulation software vendor or their subcontractor via winning the gov't bid. Compromise the tool chain and the hardware bios/management engines. Billions of dollars are at stake for a persistent quality compromise so pursue all of the above. As much as possible have these things coded in a way the authors only know it's a compromise but not who or what it's for. And on the go big theme, also compromise pre-election polling so the rigged results are predicted by several polls. Through cutouts be one of them, so if the others are found to be compromised you have your 'uncompromised' system that shows similar results so we can't be sure the folks who compromised altered anything etc etc...
Or put another way, physical vote stealing requires lots of conspirators to manage on a large scale but not much technical skill. A quality electronic voting compromise would be technically challenging but could alter one or more entire states at a time and persist for years. Long enough to gain political control of the vote tabulating agencies so any audits sufficiently detailed can be derailed. (one good enough to uncover this would be very expensive and basically have to be an intel org operation - so expensive and we're not wasting tax payer dollars...)
And no, I don't have faith in electronic voting... I can think of so many ways to attack it in just a few minutes typing this.
But as an example. Look at what Vegas does to prevent compromise of electronic slot machines. (programs in rom, audited source on file, potted circuit boards so alterations are difficult, slow and easier to detect and only possible by a much smaller number of folks)... nothing that can't be in place for voting machines but somehow isn't. Hmm...
(Score: 0) by Anonymous Coward on Saturday September 28 2019, @06:05PM
At this point let us drop the pretense. Voting machines were pushed through to make money for shitty companies and allow easier election fraud. No "suspicious" needed.
(Score: 2) by hendrikboom on Tuesday October 15 2019, @02:55PM
I think you mean steganography.
(Score: 3, Insightful) by Grishnakh on Sunday September 29 2019, @01:25PM
Why should anyone be able to hack into a voting machine at all? How is this possible? The fact that it is seems to indicate that the intention is to network these machines. Why would you do that?
If you use electronic machines that have no network connection, and no ports accessible to voters, then this would not be a problem. I don't see any need for these machines to have a network connection at all, and certainly not to be internet-connected. They can be very useful for tabulating votes, as stand-alone devices, and then the data can be exported to laptops and securely communicated to a central server where the totals are calculated.
Seriously, from a security standpoint, this is very, very simple. The only reason it apparently isn't is because they're trying to do things they don't need to.