Defcon vote-hacking village shows that "secure" voting machines can be broken in minutes

Originally published at: http://boingboing.net/2017/07/30/voter-hacking-village.html

…

This is so silly. We have real anti-democratic manipulations of the vote going on, stuff that’s swinging millions of votes right out there in the open, and you’re fantasizing about this small-scale, totally impossible to pull-off in an actual election stuff cause tech I guess.

Also…

surplus voting machines (purchased in secondary markets like Ebay)

…these were mostly old decertified machines. Decertified because they were found to be insecure years ago, and taken out of use because of it.

Fricking slashdot :

7 years ago:

11 years ago:

12 years ago:

15 years ago:

Unless it’s done by the people operating the machines. Without secure audit trails, we’re only whistling in the dark, hoping that it’s honest.

He’s talking about the overall decentralized nature of our elections. The same factors that largely make individual fraudulent voting a non-factor have an effect here. For “the people operating the machines” to swing national scale elections this way. Especially since hacking these machines typically involves physical on site access to the machines. Would involve thousands of individual election board workers. Immediately before or during an election. Logistically that’s pretty hard to organize in the first place. And conspiracies with thousands of participants are typically pretty difficult to keep quiet.

However in many cases these security researchers are outlining ways in which these voting machines, or at least certain models could be compromised en masse by much smaller groups of people without direct access well before an election. Sometimes even at the factory. Where the thousands physically interacting with the machines are unknowing participants. And in smaller, non-national elections it can absolutely be a factor with just one person manipulating a handful of voting machines.

That’s a different risk. And one enabled rather than prevented by our decentralized election model.

So its definitely something we should be concerned about and deal with. But @GideonTJones has a pretty good point. In that its not nearly as pressing as the very real, very broad, and actually happening right now manipulation of of elections and suppression of the vote. You’ll notice the GOP isn’t hacking voting machines. Just changing the laws to prevent people from voting or prevent their vote from having an effect. And where the Russians got up to hacking a whole shit ton of stuff, including state voter rolls and boards of elections. They don’t appear to have bothered with voting machines.

You don’t need to fuck with people’s votes if its simpler, more deniable, and more effective to keep them from voting in the first place. Or fool them into voting a particular way.

“It’s really just a matter of plugging your USB drive in for five seconds and the thing’s completely compromised at that point,”

Thanks for that horrifying moment.

I’m afraid that is an assertion that cannot be proven or disproven at this time, but I won’t take that as a given for the sake of argument.

Um it can pretty easily be disproven or proven. All you have to do is check.

And in all these ongoing, continual investigations. Those politically motivated and otherwise. Into voter fraud. And the current rather large and prominent one into Russian manipulation. Repeated and ongoing journalistic deep looks into voter irregularities, and into these machines themselves. Not once has there been an indication that this sort of voter machine hacking is or has taken place. Nor has a plausible accusation even been made.

These warnings and this coverage are entirely about the possibility that it could happen. And research into how it might work and how to prevent it.

By the same note I won’t take it as given for the sake of argument that most leading world politicians aren’t secretly lizard people.

it’s your assertion, I don’t have to do any such thing.

No weak mechanical locks here:

The only truly secure computer is one not plugged in, encased in cement, and dumped into the bottom of the deepest part of the ocean.

First its not my job to google things for you.

Second you misunderstand. “The GOP isn’t hacking voting machines” is not an unfalsifiable statement. It can be looked into and either proven or disproven. All it takes is some one doing so. Like in all those ongoing and regular checks into our elections. The 7 year long investigation G-Dubs did into voter fraud. The continual investigative journalism into the vulnerabilities of voting machines, and voter irregularities over the past few national elections. The ongoing congressional and federal investigations into Russian election meddling and possible effects on the outcome. The public hearings into concerns about security of voting machines. And the ongoing, academically published research into the same subject. As well as research about election dynamics, and real world effects of these machines.

I am not aware of any serious accusation of a real world attempt to swing an election by compromising these machines in the US. On the part of the GOP or otherwise. That has come out of any of that.

So not only is it something that we could rather easily find out about if we suspected it was going on. Its something we have very little reason to suspect is going on.

Why try to bring about an outcome in a way that is riskier, less efficient, and illegal. When you’ve spend the last decade or more changing the legal frame work to bring about that outcome anyway? And been lauded for it by your electoral base.

Once in the past 40 years did they look at the voter logs - that effort was not finished before the lawsuit stopped it.

The investigations you are talking about are trying to prove illegals voted.

And one would think if they had come across anything suspicious. Or the newspapers looking into things other than in person voter fraud, or the security researchers publishing research papers specifically looking for funny business with regards to voting machines and hacking. Or any of the other vectors on the subject had turned up anything suspicious we would have heard about it. And that those people who are doing the important work of warning us about the risks might be pointing at plausible examples of those risks having come to fruition.

Like I said there’s very little indication that anything like that has happened or had an effect on the outcome of any major US election. Doesn’t mean its not a risk. Doesn’t mean action shouldn’t be taken to prevent it.

But it does mean that its somewhat less pressing than the voter suppression and manipulation of our elections that we know full well is actively happening. Right now and by whom. And where we know there is an actual significant effect on election outcomes.

Voting machine security is less of a pressing issue in its own right. Then it is one of many smaller issues contributing to our desperate need for electoral reform and reassertion of voting rights. There are much more major and immediate contributors to the problem. Like gerrymandering and new voter suppression laws.

You have no evidence to back this up. It is untrue. Statistically the votes in Wisconsin and Michigan were close enough that small scale hacking would have thrown the race. It doesn’t take large scale hacking to swing a national election due to our wonderful electoral college system. Trump won by like less than 30,000 votes in total (if you just count counties that flipped).

This was lawsuited dead - you are correct that it doesn’t mean it happened - but we DO NOT CHECK. What needs to happen is that we have a random pull of a % of voting machines nationwide that receive an automatic audit every election.

Something randomly pulled and done - that doesn’t depend on lawsuits from political parties to start and stop - that is protected by law from suits to stop.

Awesome source there:

That particular claim wasn’t particularly solid. IIRC even at the time other scientists, statisticians and security researchers weren’t buying it. The “persuasive evidence” involved was essentially a little number crunching that said Clinton had received fewer votes than she should have. There didn’t seem to be any actual look at the machines, claim to have, actual security research or anything more than that backing it.

We’ve got very good demographic analysis explaining how those areas “flipped”. Depressed turn out among key DNC demographics combined with actual real live humans who actually voted for Obama then voted for Trump. We’ve been hearing about that last group rather incessantly.

Along with the fact that the claimed disparity completely disappeared if you properly controlled for demographics.

So yeah not exactly a plausible claim that it did happen. As opposed to a messy warning that it might have.

If there was any play there one would think the voting reform activists and security researchers involved would still be pointing to it. As it is I haven’t seen anything on the subject that doesn’t just repeat the original reporting.

Sure. But not neccisarily because OMG VOTING MACHINES ARE BEING HACKED ALL OVER. But because they might. Its a real, legitimate risk. And there are a number of other troubling things in our elections that such a practice would minimize, uncover, or prevent.

But obsessing over what MIGHT be skewing our elections. If you squint real hard and believe. Or even as something that might actually happen in the future. Seems pretty odd to me when we know for a fact. 100%. See it happen. Know it happens. And know how it happens. And that again 100% it is happening and having a real confirmable and measurable effect RIGHT NOW. That actual American citizens are being denied their right to vote. That there is a concerted effort by a particular political party to deny them their right to vote. And deny the right to vote to even more Americans. Along with a long standing, clear, real and quite successful program to restructure our electoral systems to dilute the vote of those who they can’t find a way to bar from the polls.

One is immediate and pressing. T’other is part of a large group of things that are disturbing about our elections but probably can’t be fixed unless the first thing gets sufficiently pushed back on.

ETA: Think of it this way. Its quite important to fix this issue with voting machines. But if we did that today. None of those people who have been bared from the polls would get their vote back. It would not be any easier to register to vote or get to the polls. Your congressional district would still be just as Gerrymandered. The GOP would still gain elected offices disproportionate to their share of the vote. We would still sit in a system where it is possible for a presidential candidate to win the popular vote by a healthy margin and yet not win that election on a technicality.

Our elections are pretty fucked right now. But the source of the problem is not voting machines. Its in all that stuff that wont have changed if we secure the voting machines entirely. Or even if we eradicated all digital voting machines from the face of the earth. And most of those issues vastly predate their adoption.

I would classify myself as conservative on many elements, but progressive on social issues. I wish the republican party was one I could have anything to do with as aren’t they supposed to be conservatives? As is I see them as the party that champions xenophobia and ultra nationalist bigotry with corruption similar to but distinct from the democrat party’s corruption.

Mostly I wish the republicans were competent to govern so that the democrats would be forced to also improve and become fit to govern. As is they are both five year olds squabbling over who gets to be in charge while the house burns down around them. Then they will argue over who lit the match.

like health care. i view that as something we should be conservative on. As in ‘as few middle men a possible, have an exact cost of care established so that can be factored into the national budget so as little money is spent on end care while providing reasonable service.’ Because to put blunt ‘a healthy population that gets regular checkups and preventive care is a PRODUCTIVE one that is not so stressed they do not participate in anything other than the treadmill of paying off debts.’

Likewise a well educated population means a more productive population. These may seem like ‘liberal’ views, but I view it as conservative investments in societal good so that that society itself can tackle issues that are outside of government scope such as research, space, and commerce and government itself veering away from feeling like it needs to concern with how society views itself. It just needs to make sure the infrastructure society is built upon functions.

Have you seen the news? Aside from the horseshit politically motivated looks at voter fraud from the GOP which have been pretty continual since the 00’s we’ve got a rather big series of investigation into electoral manipulation by a foreign power going on right now. At least one of which in the early offings assured people the Russians didn’t hack voting machines. These subjects are rather continually being investigated by the press. And the researchers and activists that are the subject of the article we’re commenting on right now are in the business of investigating this very subject.

The claim that made people want to look at the machines in the first place is spurious. Clinton did not receive 7% fewer votes (or whatever the number was) in districts using the machines in question. Clinton received 7% fewer votes in districts with certain demographics, consistent with demographic breakdowns across the whole state. Enough of those districts used the machines to make it look like something if you did your math improperly.

Wasn’t for me, certainly on the front page. But its weird that you went with a right wing aligned conspiracy mongering blog, that was attacking your own claim. Rather than the original source article it linked through to. Or any of the other more reliable mainstream sources also on the front page. And it wasn’t reporting a fact it was reporting a claim by a group of people. One that has not been confirmed, and seems to have been rather easily refuted.

If you are pissed that our elections might be undermined by future hacking of voting machines. Or if you suspect it may have already happened. Then you should be flaming pissed about the existing undermining of our democratic elections. Often done in more nefarious and entirely legal fashion. A skewed, undemocratic election with secure voting machines is still a skewed, undemocratic election.

I went with the first link I found - more effort that you’ve put into anything other than attacking my facts. Yes, facts. Please re-read what I wrote, here I’ll restate it (word for word) :

What I stated was a fact. The statement stands on its own without links. The link is to real life evidence that small scale hacking may have occurred.

The math might not have checked out - I’m not a statistician, but 3 of them agreed it needed to be checked out - you know how you check it out? By actually checking it out. That didn’t happen due to lawsuits.

Unless you are a statistician you are choosing to believe one expert over another. There is a real world way we can actually validate these things, you argued they are being done - I am saying no they aren’t and when they are asked for - people shut them down, oddly enough using the very same argument you are making.

Repeat - unless you are a statistician and did the math yourself - you are just picking one expert over another.

I work with computers all day and every day. They are wonderful machines. Our accounting department would be 10x as large without them. Oddly we spend a great deal of money to audit ourselves every few years and a greater deal of money to audit the auditors every so often as well. I think that without audits any system that is easy to manipulate will be manipulated.

Going with all the other experts Silver was hardly the only person to point out their error. Nate Cohn from the NY Times made the same point iirc. As did many security researchers, science bloggers, and political analysts. A point that wasn’t nearly as well reported as the initial shock headline or Jill Arron’s use of it to demand recounts.

It is being manipulated. Theres just no real indication that it’s currently being done via hacking voting machines.

I’ve repeatedly said that those risks are real and have to be dealt with. I’m just in agreement with some one else up thread that the entirely legal, more persistent manipulattion that we already know as in 100% is going on is a far bigger issue.

The GOP does not need to break the law carrying out a complex, unreliable and potentially easily discoverable plot to rig a single election. Because they have carried out a decades long process of changing the laws to give themselves an unfair advantage in every election.

What you’re worried about is already happening. It just isn’t as simple, direct, or play as much to your interests as “hacked voting machines”. The fact that our elections are skewed and easy to manipulate is the bigger issue than any one way in which that might happen.

More over if we secure those voting machines (which we should) it won’t change the fact that our elections are skewed and easily manipulated. Or the ways in which they have become so.