Originally published at: https://boingboing.net/2018/11/04/no-password-required-in-ky.html
…
Somewhere a few people are going “why did we even bother with the extensive spear phishing campaign, they just left the front door open and there’s nobody home”.
Well, Kentucky was probably going to go Red anyway; but Wisconsin could do with upping its voter security for sure.
For fuck sake, EVERY state should be voting by mail. It’s secure and supports the best turnout rates. This is such utter stupidity.
Is the BoingBoing title a bit misleading? From BB’s headline “Voting machines in Wisconsin and Kentucky are running FTP. Seriously.” it sounded to me like they were saying that the machines in polling places where people physically vote were connected to the internet with insecure FTP.
Reading the article though, it doesn’t sound like those specific machines are being talked about, just other ones that are also related to voting. Which of course is still scary.
Developer here. The IDE users who I work with habitually use FTP to upload code for testing. Sometimes the FTP connection is tunneled through ssh, though that won’t guarantee that the FTP daemon won’t accept plain connections on port 21. The authority running the systems should know to lock down open ports though, especially ports with known security issues.
It shouldn’t be possible to just scan a voting system for open ports.
I guess it takes more effort to fix an election that depends on postal votes. You’ve got to physically filter out all the “spoiled” votes and then burn them. Electronically, you can just filter and delete. If I was a dodgy politician, I would go for electronic voting; that way, if I got caught, I could blame the Russians.
Is this today’s most ridiculous election fuck up, and any bets on what will be tomorrow’s?
Is FTP the hackers’ edge?
Is that Keanu Reeves?
Is it way past my bedtime?
This is hardly a mistake. If you’re running unsecured FTP on a voting system, then you’re doing it on purpose. The purpose being election fraud.
Republicans will do anything to win. Go vote them out at every level of government (at least make an effort to try)!
Fraudulent Transfer Protocol
Village halls, black boxes, pieces of paper and ridiculously short pencils on bits of string followed by a Dimbleby on the BBC into the small hours - that’s how it should be done.
Unfortunately, while it does sound like the actual press-button-for-candidate machines may not be the ones running FTP, the ones further up the chain are not an improvement: depending on the exact setup, the internet-connected systems are typically the servers that gather results and the ones that send each polling location’s results out.
Hitting those wouldn’t necessarily be as elegant and subtle as doing firmware-level attacks on the individual machines; but would be much more efficient for someone with remote access looking to do some bulk modification.
Since Republicans are the folks making these electronic voting machines, and approving them, and suppressing votes, and running most of the elections themselves, it seems the fastest way to improve the system is for some public-minded hacker to hack every damn election in the country, and have Democrats win them with impossible margins.
That is the only way Republicans are going to give up their system.
From what I understand, in the US, not everyone can afford to get to their nearest polling station on a work day. As a result some folk are pushing for voting day to be made a public holiday. Not like over here in Blighty, where every day is a sun dappled holiday, replete with the thwack of willow on buttocks.
Well that would be a fine idea. Make a day of it like they do in Australia (I think).
Or allow postal voting.
I always hear stories of people queuing for hours to vote in the US which always seems so odd to me, considering it takes me five minutes to go to my local primary school after work and vote in the UK.
Hey, disenfranchising people takes real work!
I’m super lazy and very forgetful; so, despite living about five minutes away from my nearest polling station in the UK, I use a postal vote.
Well that’s just a lie. I don’t care how many “layers” you think you have, an anonymous FTP login breaks right through your “layers”.
We are constantly guarding against foreign and domestic bad actors…
Who decides which actors are “bad” and which are “good”?