Unisyn voting machine manual instructs election officials to use and recycle weak passwords


#1

Originally published at: https://boingboing.net/2018/11/05/elections-assistance-commissio.html


#2

Here is a vendor that doesn’t want to be called up to do password resets on the morning of the election.


#3

That’s why they just put the password on a Post-It note on the back of the machine or under the keyboard.


#4

Worry when the default password is “Trump2020”.


#5

This is excellent advice for a system that needs very little security, such as my home computer, or the very voting machines that guarantee our democracy.


#6

After three years developing commercial web applications it is my view that users should never be given access to or control of passwords. We have better ways to ensure security between client and server, and the user agent can just live in the user’s pocket.


#7

The lowest rock-bottom bidder has to skimp on something. Competence is always easy enough to cut corners on in that regard.


#8

But is just that pocket agent enough? Or are you implying 2FA is more than necessary?


#9

I completely agree. I see no reason anyone involved should need administrator or superuser access to the machine in order to use it in an election. The core system should not be accessible to the end user (the election commission). All that is needed is for it to allow them to load candidate and election specific information which should have nothing to do with the operation of the device. Similarly, tabulation and paper duplication of votes requires no special machine access to perform. It should be a basic user function to produce a tally and paper trail.
This nation needs to move to open source voting machine design and software ASAP.


#10

That’s pretty much a how not to do it guide.

“write it down here…”

The only way to improve on that would be to write the password ON the machine.


#11

And probably no defense against brute-forcing it, or logging the attempts.


#12

The company took care of that for you.

The root password is the company’s name with the same number appended to it.


#13

show me a vendor who doesn’t want to charge a shitload of money for something they can predict almost to the hour when it will happen.


#14

They probably can’t because it’s a flat support contract and there is no pot of money the government guys could pull from to pay for an extra service.


#15

To think, election safety is being safeguarded by the fact that no one ever reads the manual.


#16

Having worked with State and local documentation I have a sneaking suspicion that this is a manual made on the State or local level.


#17

Premeditated evil? Or just really, really, lazy? Either way, we sure are lucky our democracy hasn’t been riding on this kind of crap for years now. Whew!


#18

This topic was automatically closed after 5 days. New replies are no longer allowed.