Guaranteeing that a certain candidate is a very difficult job, I recognize that. However, promoting a specific candidate to have increased chances may be a worth while en devour for certain actors. Additionally, this thought process has one major flaw. This line of thought only focuses primarily on only one way that these voting machines could get breached and does not follow any major security model used by the industry. This does not follow the principles of defense in depth (https://csrc.nist.gov/glossary/term/defense_in_depth), nor does it use other industry standards like the assumption of breach (basically act as if a hacker has already broken in, and you need to weed them out while still keeping other hackers out. See https://www.linkedin.com/pulse/assumption-breach-theory-steve-king.).

What we have been describing, is what is called a threat vector (one method of hacking someone). Specifically we are talking about breaching the central computers using a rubber ducky. There are a million and one other threat vectors out there. What if a supply chain attack is used to poison the machines at the factory.

We have seen this occur in the wild, just look at the solar winds attack carried out by Russia (https://www.cisecurity.org/solarwinds). tldr; russia implanted malware on software that was used by government I.T. personnel, giving them access to a large number of government networks. The extent of this breach was not made fully public but it can be assumed that Russia was able to break into sensitive parts of our military and intelligence agencies.

What if Russian state actors, breached the cards that transport votes. What if a staff member at these voting companies had a political bias and modified a large number of machines. What if I wanted to win a regional election (such as voting for mayor or school board) and breached one or two voting machines. What if an attacker made USB transmittable malware (such as what was seen in the Stuxnet cyber attacks carried out against Iran’s nuclear program) that would carry a payload back to the central voting system. What if there is another attack vector we haven’t thought of? Do these computers stay up to date, as to make it more difficult for hackers to deploy that USB malware as described earlier or other software exploits that are known? Do they take measures to ensure that people who have temporary access (Such as a voter or poll worker) to these systems, are unable to access the admin interfaces of voting machines? Do these voting machines have auto lock out if a built in IPS (Intrustion Protection System) detects that someone may be trying to tamper with votes?

The basic rule of cyber security is this, you can’t know everything. It the reason Microsoft keeps pushing out those silly little update, it’s because they made a mistake that would allow hackers to gain access to any windows system in the world and their trying to patch their mistake before any hacker can figure it out and use it to hack you. There is always a setting that someone mis-configured. There is always the poll worker who may be less attentive. It is information security 101, to use multiple layers of security (such that if a hacker breaks through one layer, they have to break through a second or third layer of protection).

Regardless; if this doesn’t convince you, than we’ll probably have to agree to disagree on the likely hood of a cyber attack. I think what we can agree on, is that these systems need to have better security measures in place. Because the lack of many basic security measures (encryption, hashing, regular updating, security monitoring, security awareness training, etc) is unacceptable, and they should at least be able to keep up with the security measures used with the modern cell phone market. I shouldn’t have to take a mega corporations word, that they have secured my vote. I should be able to audit the code myself (if it seems crazy, look at linux and how capable linux has been security wise despite having open source code). Security by obscurity is not a valid security model.

Sorry for the late reply. I think most of the confusion comes down to the design of lemmy. Because of the federation aspects that allows content to be easily shared between instances, it seems to me (and seemingly most other people newer to lemmy) that lemmy is designed as a primarry single network of multiple maintainers. which may have separate networks that are de-federeated from the rest (mostly private communities or free speech absolutists instances)

Additionally, lemmy.ml does not explicitly say anywhere on their front page that they are intended as a political instance. Neither does [email protected] make any mention that it is intended for political use. If you want to avoid people complaining about this, than some way to distinguish them is absolutely necessary, as I did not know about [email protected] because everyone on my instance just defaulted to [email protected].

If we want to avoid this, there needs to be a clearer indication that [email protected] is intended for political use and individuals should use [email protected] for non political use.

“While you are correct that the cybersec practices on voting machines are embarrassingly bad, we don’t actually rely on them for the integrity of our elections in most districts.”

They are the primary method of verify an election. If they are tampered with and nobody calls for a recount, than an election was tampered with because these system did not have the necessary protections to prevent such an event.

“They are a convenience more than anything else, and at the first sign of any possible tampering, we can audit against paper ballots that get printed off the voting machines (which if you start altering those, it only takes one person to notice somethings off and the jig is up)”

Some voting machines do not have paper ballots, were some districts allow you to go paperless depending on preference. Additionally, would someone be able to notice? If I used a rubber ducky to fiddle with votes while people were not looking and it was set to match the number of ballot collected. Because voting is supposed to be an anonymous matter, the only two ways would be if someone saw something (which may or may not happen), or the vote machine counts a physically impossible result (ie, someone got a negative number of votes)…

“Even with their shit security, an attack would be exceedingly difficult to pull off. The machines are airgapped and audited, so you need physical access without supervision which by itself is a tall order.”

Not outside the scope of nation state actors, (https://en.wikipedia.org/wiki/Stuxnet). Air gapping is normal considered safe for most use cases, however we have seen multiple attacks that have been able to breach air gaps and air gaps should not be considered perfect. Air gaps work best when parts are not often interchanged and all staff are unlikely to be of concern. However, air gaped networks are still vulnerable to social engineering (often times less so, just due to their nature) and you need to be able to fully trust the staff not to compromise your air gap. Add on the fact that these systems are managed by volunteers who may not be as knowledgeable on the threats that exist out there and may of whom may be compromised, and I don’t believe air gaping to be sufficient for these machines. Additionally, audits are performed privately and cannot be scrutinized by the public. Even the biggest corporations such as Microsoft and apple hold public bug bounties to protect their systems. It is also apparent that the audits are not sufficient enough, as any reasonable auditor would not have allowed machines with such glaring flaws to be used in public elections.

“Then, consider that you will need to compromise dozens of machines at minimum to swing even the lowest turnout national election for the most obscure position.”

these vulnerabilities effect the central counting system, their is a single computer in charge of summing up the votes from a whole state. A breach of one of these systems would likely give an attacker full control of a states votes.

“Finding enough people willing to risk a federal pound-me-in-the-ass prison felony charge that are smart enough to do the job and not get caught is going to be a challenge too, because if one person gets caught, then once again, the jig is up.”

Not particularly, using a rubber ducky is not a high skill attack, it is a topic that is taught to many beginner hackers and requires a little bit of scripting knowledge. Please watch https://www.youtube.com/watch?v=e_f9p-_JWZw&pp=ygUZaG93IHRvIHVzZSBhIHJ1YmJlciBkdWNreQ%3D%3D for a basic tutorial on how to use such a tool. We have also found people who were willing to risk it all just to make a little bit of cash, who had much stronger security clearance. People who would sell services to other nation states.

“What is far more realistically dangerous is convincing people that the election was compromised when it wasn’t.”

Lies are always dangerous, however it is apparent that most politicians should stop complaining about rigged elections and more time improving our voting systems. We should have transparency, so I can verify the security of MY VOTES. I should not trust my vote, to a handful of corporations that cut corners and do not take the necessary precautions to protect American votes.

" This gets you way more bang for your buck because it’s so much easier to do, and is the primary reason I think that nobody really bothers trying to compromise the voting machines."

There are almost always claims that an election was rigged. Most of the time, courts are very reluctant to overturn the votes of a particular state. Were as I can change the votes of a state by either a supply chain attack (slightly more difficult), planting malware onto the device while I’m voting (easier but less effective), or by trying to attack the central computer that summarizes the votes for a given state (easy and extremely effective). These are only the methods that we as civilians have access to, imagine what a state actor like Russia could have up their sleeve.

Note that some of your comments I feel are better answered with this video: https://m.youtube.com/watch?v=svEuG_ekNT0 It was shared to me by someone else in the comments and it contains more up to date information than what I initial was informed on.

just finished watching it. That video is spot on (and the information is a little more current).

fair

What in the SCP is this?

I’m not particularly well versed enough to comment on that specific election.

I was speaking to voting machines in general. For reference, I work in I.T. and hold a current A+ and Security+ certification (https://www.comptia.org/). I don’t intend to show proof as I wish to remain anonymous.

From what I have been able to gather, these voting machines have severe security deficiencies. I’m more versed on older models from around 2006-ish. However these voting machines were taken to Defcon (a large cyber security convention), and what I was hearing about them was not particularly great (https://www.cnet.com/news/privacy/defcon-hackers-find-its-very-easy-to-break-voting-machines/). Hoping one of these years, I’ll be able to attend.

To speak about the older models, they lacked many anti tamper protections. There was one well known exploit were you could set the votes for a candidates negative before elections began. Ie, candidate A start with -3 votes, you vote for candidate A, they now have -2 votes. I believe I’ve heard of a candidate getting negative votes in the wild, however take that with a grain of salt because I’m going off memory and I was struggling to pull up any sources.

These voting machines also did not use any cryptographic methods to protect the vote count such as encryption or hashing (https://en.wikipedia.org/wiki/Hash_function). That means on the system that would count up all the votes between districts, it was possible to change the vote counts in a fraction of second using a tool like this (https://shop.hak5.org/products/usb-rubber-ducky) because the votes were stored in a plain text .csv file. Note that tools like the rubber ducky were not publicly available when these models were first put into use, but were known to be used by organizations such as the NSA and Russia. See (https://www.youtube.com/watch?v=e_f9p-_JWZw) for a walk through on how a tool like this could have been used.

Additionally, the closed source nature limits the publics ability to scrutinize these system. Originally it took a hacker breaking into an insecure ftp server that had accidentally been exposed to the public internet, to discover the source code and the lack of security protections involved. I also believe that many of the security verification process that was supposed to be run on these systems, was often skipped to cut down on costs. However I’m recalling from memory and the source is likely so buried, it would take me a week of studying to find.

In summery, our current voting system is poorly maintained and it would be easy for a state actor like Russia to fiddle with votes. Because of this, I take the results of any election with a grain of salt. I hope one day that our government would focus more on securing our elections, than spying on our citizens.

I assume that it is the same for apple business manager.

Most consumers won’t notice. I have to work with apple school manager for my work and it blocks my browser (https://school.apple.com/unsupported_browser/?reason=Browser Type).

This error goes away as soon as I switch my browser agent to safari or edge.

Yep, this add-on has been my best friend over the years (https://addons.mozilla.org/en-US/firefox/addon/uaswitcher/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search).

I hate that companies have started going against it. I’ve noticed that pierson and apple webpages have started auto blocking you if your user agent says firefox.

I’m on lemmy because closed source solutions such as reddit, microsoft, apple, tesla, etc, have a record of exploiting their consumers.

Apple sells over priced products, designs them to fail, and then claims to protect your data while they secretly steal it (https://www.msn.com/en-us/news/technology/apple-sued-for-collecting-user-data-despite-opt-outs/ar-AA146IUj).

Microsoft lied to consumers about Windows 10 being the last version ever, they do not allow you to opt out of data collection, and they are now forcing edge on the user despite being sued previously for forcing internet explorer on their users.

Closed source solution have a long history of exploiting the consumer. I chose lemmy because I want an open solution that prevents the monopolization users, and has a much better track record for not exploiting their users.

I didn’t come here to listen to political crap. Do I agree with a lot that is said? For the most part, yes. I think a lot of the same minded people are on lemmy for a reason.

However, this does not mean I want to be flooded with politics 24/7. I would like to be able to get away from politics at times.

I have more than a surface level knowledge, I would like to talk about it and grow my knowledge more. NOT ALL THE DAMN TIME.

Please just let me have a break. Not everything has to be about politics. Life is not about politics.

Ultimately with a rigged voting system (Read up on the security practices, and closed source nature of voting machines. Of which some voting machine manufacturers have publicly stated they wanted a certain side to win. This has been a serious concern of mine long before orange man said so, and was a concern during the 2016 elections. https://en.wikipedia.org/wiki/Hacking_Democracy), the sheep like nature of modern voters, and the pleasure addicted modern man. Nothing is likely to get better.

This doesn’t mean you shouldn’t strive for change. This doesn’t mean you should never strive to have a better knowledge of politics and ethics. You just can’t base your life around it.

I want to read memes because I want to enjoy myself. If I wanted your shitty take, I would go to a political sub reddit (I don’t know what we call it on here) and I would debate you there. Please just make funny memes here.

woosh

thank you, I’ll edit my comment.

Important note, this was unrelated to the current stir up. Actually something that is real. Gamers nexus did a video on it.

Figured it out, gamers nexus has two videos on it: https://www.youtube.com/watch?v=FGW3TPytTjc (initial investigation) https://www.youtube.com/watch?v=X3byz3txpso (response to linus forum post)

Makes me sad, man. They were the channel that got me into tech. I learned how to build a PC with their videos. :(

what happened?

I had some thoughts about being vegan. Why does everyone have to be so uptight about it? I’ve had multiple people give me the straw man “it destroyed my health” line. Or people get nervous around the subject. or they think it is their job to educate me?

I get eating meat, used to be the scumbag. I see how there is some complexity to the matter. Like “deer populations can’t get too out of control” is a valid statement. But why does that make me a weirdo or some self righteous POS just because I don’t want my meals to come from animals?

“Above nature”? Jesus, do you honestly think I go home and say to myself “I am above the laws of nature. Screw you God!”? It’s not complicated: I think eating meat is unethical because I am harming another living being.