• secproto@pawb.social · 5 upvotes, 4 downvotes · 2 years ago

    I’m not particularly well versed enough to comment on that specific election.

    I was speaking to voting machines in general. For reference, I work in I.T. and hold a current A+ and Security+ certification (https://www.comptia.org/). I don’t intend to show proof as I wish to remain anonymous.

    From what I have been able to gather, these voting machines have severe security deficiencies. I’m more versed on older models from around 2006-ish. However these voting machines were taken to Defcon (a large cyber security convention), and what I was hearing about them was not particularly great (https://www.cnet.com/news/privacy/defcon-hackers-find-its-very-easy-to-break-voting-machines/). Hoping one of these years, I’ll be able to attend.

    To speak about the older models, they lacked many anti-tamper protections. There was one well known exploit where you could set the votes for a candidate negative before elections began. I.e., candidate A starts with -3 votes, you vote for candidate A, they now have -2 votes. I believe I’ve heard of a candidate getting negative votes in the wild, however take that with a grain of salt because I’m going off memory and I was struggling to pull up any sources.

    These voting machines also did not use any cryptographic methods to protect the vote count such as encryption or hashing (https://en.wikipedia.org/wiki/Hash_function). That means on the system that would count up all the votes between districts, it was possible to change the vote counts in a fraction of a second using a tool like this (https://shop.hak5.org/products/usb-rubber-ducky) because the votes were stored in a plain text .csv file. Note that tools like the rubber ducky were not publicly available when these models were first put into use, but were known to be used by organizations such as the NSA and Russia. See (https://www.youtube.com/watch?v=e_f9p-_JWZw) for a walkthrough on how a tool like this could have been used.

    Additionally, the closed source nature limits the public’s ability to scrutinize these systems. Originally it took a hacker breaking into an insecure FTP server that had accidentally been exposed to the public internet to discover the source code and the lack of security protections involved. I also believe that many of the security verification processes that were supposed to be run on these systems were often skipped to cut down on costs. However I’m recalling from memory and the source is likely so buried, it would take me a week of studying to find.

    In summary, our current voting system is poorly maintained and it would be easy for a state actor like Russia to fiddle with votes. Because of this, I take the results of any election with a grain of salt. I hope one day that our government would focus more on securing our elections than spying on our citizens.
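
The post above says the tallies sat in a plain text .csv with no hashing or encryption, and that a tampered count could only be caught if someone saw it happen or the result was physically impossible (negative votes). The following is an added example, not code from the post or from any voting-machine vendor, showing what the missing integrity layer looks like on the counting side: the tally file is bound to a per-machine key with HMAC-SHA256 before it leaves the machine, the aggregator refuses any file whose tag no longer matches, and a plausibility check independently rejects negative counts and precinct totals that exceed the number of ballots poll workers collected. The CSV rows, ballot counts and `MACHINE_KEY` are constructed for the example; a real deployment would hold the key in hardware and most likely use per-machine asymmetric signatures rather than a shared HMAC key.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample tally as it might sit on a central counting system
# (not taken from any real machine). Columns: precinct, candidate, votes.
SAMPLE_TALLY = """precinct,candidate,votes
P-01,Candidate A,120
P-01,Candidate B,95
P-02,Candidate A,88
P-02,Candidate B,101
"""

# Ballots physically collected per precinct, as recorded by poll workers
# (constructed values for the example).
BALLOTS_COLLECTED = {"P-01": 215, "P-02": 190}

# Hypothetical per-machine key. A real deployment would provision this in
# hardware, never hard-code it.
MACHINE_KEY = b"example-key-not-for-production"


def canonical_bytes(csv_text: str) -> bytes:
    """Normalise the CSV so cosmetic differences (CRLF vs LF) do not change
    the tag, while any change to a value does."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue().encode("utf-8")


def sign_tally(csv_text: str, key: bytes) -> str:
    """Return an HMAC-SHA256 tag binding the tally to the machine key."""
    return hmac.new(key, canonical_bytes(csv_text), hashlib.sha256).hexdigest()


def verify_tally(csv_text: str, tag: str, key: bytes) -> bool:
    """Constant-time check that the tally is unchanged since it was signed."""
    return hmac.compare_digest(sign_tally(csv_text, key), tag)


def sanity_check(csv_text: str, ballots_collected: dict) -> list:
    """Flag physically impossible tallies: negative counts, or more votes in
    a precinct than ballots were collected there. Runs regardless of the
    tag, so it still catches a tamperer who also holds the key."""
    problems = []
    per_precinct = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        votes = int(row["votes"])
        if votes < 0:
            problems.append(f"{row['precinct']}: negative count for {row['candidate']}")
        per_precinct[row["precinct"]] = per_precinct.get(row["precinct"], 0) + votes
    for precinct, total in per_precinct.items():
        collected = ballots_collected.get(precinct)
        if collected is None:
            problems.append(f"{precinct}: no ballot count on record")
        elif total > collected:
            problems.append(f"{precinct}: {total} votes but only {collected} ballots collected")
    return problems


if __name__ == "__main__":
    tag = sign_tally(SAMPLE_TALLY, MACHINE_KEY)
    print("original verifies:", verify_tally(SAMPLE_TALLY, tag, MACHINE_KEY))
    print("original sanity problems:", sanity_check(SAMPLE_TALLY, BALLOTS_COLLECTED))

    # Simulate the edit the post describes: one value rewritten in the file.
    altered = SAMPLE_TALLY.replace("P-01,Candidate A,120", "P-01,Candidate A,-3")
    print("altered verifies:", verify_tally(altered, tag, MACHINE_KEY))
    print("altered sanity problems:", sanity_check(altered, BALLOTS_COLLECTED))
```

The two checks are deliberately independent: the tag catches any byte-level edit to the file, and the plausibility check catches the "-3 votes" and "more votes than ballots" cases even when the tag is missing or the signing key itself was compromised.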

      • secproto@pawb.social · 2 upvotes · 2 years ago

        Just finished watching it. That video is spot on (and the information is a little more current).

    • skulkingaround@sh.itjust.works · 1 upvote · edited · 2 years ago

      While you are correct that the cybersec practices on voting machines are embarrassingly bad, we don’t actually rely on them for the integrity of our elections in most districts. They are a convenience more than anything else, and at the first sign of any possible tampering, we can audit against paper ballots that get printed off the voting machines (which if you start altering those, it only takes one person to notice something’s off and the jig is up).

      Even with their shit security, an attack would be exceedingly difficult to pull off. The machines are airgapped and audited, so you need physical access without supervision which by itself is a tall order. Then, consider that you will need to compromise dozens of machines at minimum to swing even the lowest turnout national election for the most obscure position. Finding enough people willing to risk a federal pound-me-in-the-ass prison felony charge that are smart enough to do the job and not get caught is going to be a challenge too, because if one person gets caught, then once again, the jig is up.

      What is far more realistically dangerous is convincing people that the election was compromised when it wasn’t. This gets you way more bang for your buck because it’s so much easier to do, and is the primary reason I think that nobody really bothers trying to compromise the voting machines.
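
The comment above leans on auditing the machine record against the paper ballots, where a single noticed discrepancy is enough to escalate. As an added example, not code from the commenter or from any election office, the block below models that check: a seeded random sample of paper ballots is compared to the machine's cast vote record, any mismatch escalates to a full hand count, and the hand count decides whether the paper overturns the machine's winner. The 100 ballots, the 49/51 split and the 11 flipped records are constructed to show the case the thread argues about, where the machine reports the wrong winner while the paper still holds the true one.

```python
import random
from collections import Counter

# Constructed example data, not from any real election: 100 paper ballots,
# 49 marked for A and 51 for B, so B actually wins by 2 ballots.
PAPER = {f"B{i:03d}": ("A" if i < 49 else "B") for i in range(100)}

# The machine's cast vote record (CVR). In the honest case it matches the
# paper exactly.
HONEST_CVR = dict(PAPER)

# Simulated tampering of the kind the thread discusses: the machine record
# flips 11 ballots from B to A, so it reports A 60, B 40 while the paper
# still says B won. The paper is untouched, which is what the audit relies on.
FLIPPED_IDS = {f"B{i:03d}" for i in range(49, 60)}
TAMPERED_CVR = {bid: ("A" if bid in FLIPPED_IDS else c) for bid, c in PAPER.items()}


def totals(records):
    """Vote count per candidate from either a CVR or the paper ballots."""
    return Counter(records.values())


def sample_ballots(ballot_ids, size, seed):
    """Uniform random sample of ballot ids. The seed is published so
    observers can reproduce which ballots were pulled."""
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(ballot_ids), size))


def compare_sample(cvr, paper, sample_ids):
    """Return (id, machine_choice, paper_choice) for every sampled ballot on
    which the machine record disagrees with the paper."""
    return [(bid, cvr[bid], paper[bid]) for bid in sample_ids if cvr[bid] != paper[bid]]


def audit(cvr, paper, sample_size, seed=2024):
    """Sample paper ballots, compare them to the machine record, and decide
    whether to escalate. Any discrepancy escalates to a full hand count,
    matching the comment's point that one noticed alteration is enough."""
    sample = sample_ballots(paper.keys(), sample_size, seed)
    discrepancies = compare_sample(cvr, paper, sample)
    return {
        "sampled": len(sample),
        "discrepancies": discrepancies,
        "escalate_to_hand_count": bool(discrepancies),
    }


def hand_count_overturns(cvr, paper):
    """Full hand count: does the paper winner differ from the machine winner?"""
    machine_winner = totals(cvr).most_common(1)[0][0]
    paper_winner = totals(paper).most_common(1)[0][0]
    return machine_winner != paper_winner


if __name__ == "__main__":
    print("machine reports:", dict(totals(TAMPERED_CVR)))
    result = audit(TAMPERED_CVR, PAPER, sample_size=20)
    print("sampled", result["sampled"], "discrepancies", result["discrepancies"])
    if result["escalate_to_hand_count"]:
        print("paper overturns machine result:", hand_count_overturns(TAMPERED_CVR, PAPER))
```

The sample size here is fixed for illustration; real risk-limiting audits derive it from the reported margin, and a 20-ballot sample can miss 11 flipped records out of 100, which is exactly why a close race needs a larger sample or a full hand count.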

      • secproto@pawb.social · 1 upvote · 2 years ago

        “While you are correct that the cybersec practices on voting machines are embarrassingly bad, we don’t actually rely on them for the integrity of our elections in most districts.”

        They are the primary method of verifying an election. If they are tampered with and nobody calls for a recount, then an election was tampered with because these systems did not have the necessary protections to prevent such an event.

        “They are a convenience more than anything else, and at the first sign of any possible tampering, we can audit against paper ballots that get printed off the voting machines (which if you start altering those, it only takes one person to notice somethings off and the jig is up)”

        Some voting machines do not have paper ballots, where some districts allow you to go paperless depending on preference. Additionally, would someone be able to notice if I used a rubber ducky to fiddle with votes while people were not looking and it was set to match the number of ballots collected? Because voting is supposed to be an anonymous matter, the only two ways would be if someone saw something (which may or may not happen), or the vote machine counts a physically impossible result (i.e., someone got a negative number of votes)…

        “Even with their shit security, an attack would be exceedingly difficult to pull off. The machines are airgapped and audited, so you need physical access without supervision which by itself is a tall order.”

        Not outside the scope of nation state actors (https://en.wikipedia.org/wiki/Stuxnet). Air gapping is normally considered safe for most use cases, however we have seen multiple attacks that have been able to breach air gaps and air gaps should not be considered perfect. Air gaps work best when parts are not often interchanged and all staff are unlikely to be of concern. However, air-gapped networks are still vulnerable to social engineering (oftentimes less so, just due to their nature) and you need to be able to fully trust the staff not to compromise your air gap. Add on the fact that these systems are managed by volunteers who may not be as knowledgeable on the threats that exist out there and many of whom may be compromised, and I don’t believe air gapping to be sufficient for these machines. Additionally, audits are performed privately and cannot be scrutinized by the public. Even the biggest corporations such as Microsoft and Apple hold public bug bounties to protect their systems. It is also apparent that the audits are not sufficient enough, as any reasonable auditor would not have allowed machines with such glaring flaws to be used in public elections.

        “Then, consider that you will need to compromise dozens of machines at minimum to swing even the lowest turnout national election for the most obscure position.”

        These vulnerabilities affect the central counting system; there is a single computer in charge of summing up the votes from a whole state. A breach of one of these systems would likely give an attacker full control of a state’s votes.

        “Finding enough people willing to risk a federal pound-me-in-the-ass prison felony charge that are smart enough to do the job and not get caught is going to be a challenge too, because if one person gets caught, then once again, the jig is up.”

        Not particularly; using a rubber ducky is not a high skill attack, it is a topic that is taught to many beginner hackers and requires a little bit of scripting knowledge. Please watch https://www.youtube.com/watch?v=e_f9p-_JWZw&pp=ygUZaG93IHRvIHVzZSBhIHJ1YmJlciBkdWNreQ%3D%3D for a basic tutorial on how to use such a tool. We have also found people who were willing to risk it all just to make a little bit of cash, who had much stronger security clearance. People who would sell services to other nation states.

        “What is far more realistically dangerous is convincing people that the election was compromised when it wasn’t.”

        Lies are always dangerous, however it is apparent that most politicians should stop complaining about rigged elections and spend more time improving our voting systems. We should have transparency, so I can verify the security of MY VOTES. I should not trust my vote to a handful of corporations that cut corners and do not take the necessary precautions to protect American votes.

        “This gets you way more bang for your buck because it’s so much easier to do, and is the primary reason I think that nobody really bothers trying to compromise the voting machines.”

        There are almost always claims that an election was rigged. Most of the time, courts are very reluctant to overturn the votes of a particular state. Whereas I can change the votes of a state by either a supply chain attack (slightly more difficult), planting malware onto the device while I’m voting (easier but less effective), or by trying to attack the central computer that summarizes the votes for a given state (easy and extremely effective). These are only the methods that we as civilians have access to; imagine what a state actor like Russia could have up their sleeve.

        Note that some of your comments I feel are better answered with this video: https://m.youtube.com/watch?v=svEuG_ekNT0 It was shared to me by someone else in the comments and it contains more up to date information than what I was initially informed on.

        • skulkingaround@sh.itjust.works · 1 upvote · edited · 2 years ago

          The main point I’m trying to make is that compromising voting machines is not the hard part of rigging an election. It would require a conspiracy so complicated, that I’m not convinced there’s any group on earth that could successfully pull it off. Set aside cybersec arguments for a moment:

          1. Let’s assume the worst case for security, that there is one machine per state that you can easily compromise to alter election results. This alone is doing a lot of lifting for this example.

          2. Now, you have to cross your fingers and hope that the election is close enough that you can fudge the overall result without raising suspicion.

          3. Prior to the election, you have to plan which states to compromise, and what districts you will target for altering votes. You can only really do this in swing states and swing districts. It is usually not clear until very close to the election which places will be optimal.

          4. Because you are at the mercy of RNGesus as for where you can compromise, you have to compromise a lot of extra states ahead of time to eliminate the risk that you didn’t get enough swingable ones to pull off your plan. This increases head count and creates more liability.

          5. If you swing any given district too far, you can raise suspicion and trigger a recount. If one district raises the alarm, the rest will follow. If you only compromised central machines and not the voting machines and ballots themselves, you fail.

          6. If you can’t find enough districts to subtly alter, you fail.

          7. Let’s assume you prepared for point 4 and compromised voting machines themselves. This requires massively more people involved, and if only one person gets caught, you fail.

          8. To extend 6, every person involved in your conspiracy is a liability. A single double agent gets in your ranks? Fail. Somebody flakes? Fail. Somebody grows a conscience or gets busted and rats you out? Fail.

          While yes, theoretically you could overcome all those obstacles, you’d have to get miraculously lucky and you’d need to not get busted for quite a long time after the election. Why even bother when you can just pay a few bucks to the right people and get news channels to convince the voters to put your guy in charge without committing any voter fraud at all?

          Now all that said, I absolutely support improved election security. If nothing else, it will make it much harder to spread FUD about election integrity.

          • secproto@pawb.social · 1 upvote · edited · 2 years ago

            Guaranteeing that a certain candidate wins is a very difficult job, I recognize that. However, promoting a specific candidate to have increased chances may be a worthwhile endeavour for certain actors. Additionally, this thought process has one major flaw. This line of thought focuses primarily on only one way that these voting machines could get breached and does not follow any major security model used by the industry. This does not follow the principles of defense in depth (https://csrc.nist.gov/glossary/term/defense_in_depth), nor does it use other industry standards like the assumption of breach (basically act as if a hacker has already broken in, and you need to weed them out while still keeping other hackers out. See https://www.linkedin.com/pulse/assumption-breach-theory-steve-king.).

            What we have been describing is what is called a threat vector (one method of hacking someone). Specifically we are talking about breaching the central computers using a rubber ducky. There are a million and one other threat vectors out there. What if a supply chain attack is used to poison the machines at the factory?

            We have seen this occur in the wild, just look at the SolarWinds attack carried out by Russia (https://www.cisecurity.org/solarwinds). tl;dr: Russia implanted malware on software that was used by government I.T. personnel, giving them access to a large number of government networks. The extent of this breach was not made fully public but it can be assumed that Russia was able to break into sensitive parts of our military and intelligence agencies.

            What if Russian state actors breached the cards that transport votes? What if a staff member at these voting companies had a political bias and modified a large number of machines? What if I wanted to win a regional election (such as voting for mayor or school board) and breached one or two voting machines? What if an attacker made USB transmittable malware (such as what was seen in the Stuxnet cyber attacks carried out against Iran’s nuclear program) that would carry a payload back to the central voting system? What if there is another attack vector we haven’t thought of? Do these computers stay up to date, as to make it more difficult for hackers to deploy that USB malware as described earlier or other software exploits that are known? Do they take measures to ensure that people who have temporary access (such as a voter or poll worker) to these systems are unable to access the admin interfaces of voting machines? Do these voting machines have auto lock out if a built in IPS (Intrusion Protection System) detects that someone may be trying to tamper with votes?

            The basic rule of cyber security is this: you can’t know everything. It’s the reason Microsoft keeps pushing out those silly little updates, it’s because they made a mistake that would allow hackers to gain access to any Windows system in the world and they’re trying to patch their mistake before any hacker can figure it out and use it to hack you. There is always a setting that someone mis-configured. There is always the poll worker who may be less attentive. It is information security 101 to use multiple layers of security (such that if a hacker breaks through one layer, they have to break through a second or third layer of protection).

            Regardless; if this doesn’t convince you, then we’ll probably have to agree to disagree on the likelihood of a cyber attack. I think what we can agree on is that these systems need to have better security measures in place. Because the lack of many basic security measures (encryption, hashing, regular updating, security monitoring, security awareness training, etc.) is unacceptable, and they should at least be able to keep up with the security measures used in the modern cell phone market. I shouldn’t have to take a mega corporation’s word that they have secured my vote. I should be able to audit the code myself (if it seems crazy, look at Linux and how capable Linux has been security wise despite having open source code). Security by obscurity is not a valid security model.