
'It's easier to hack an election than eBay': confessions of a Belarusian hacker - adamnemecek
https://www.theguardian.com/world/2017/mar/29/hack-election-ebay-confessions-belarusian-hacker
======
PKop
Were voting machines hacked? No.

Was damaging information about a candidate made public? Yes.

Does the substance of that information matter at all, or simply that it was
released?

"Hacked the election" is ridiculous. As if these people[0], or any other
midwest-Obama-voter-turned-Trump voter needed WikiLeaks to tell them they were
unhappy with the way things were going, had economic anxiety, and didn't see
anyone but Trump speaking to their concerns, or simply didn't vote. What
Vladimir Putin or Julian Assange wanted, never factored into their decision.

No evidence that Russia was WikiLeaks' source has ever been presented, has it?
We certainly DID learn from WikiLeaks that the DNC and media "fixed" the
debates to favor Hillary Clinton though[1], but where's the outrage at that?

[0] https://medium.com/@Chris_arnade/trump-politics-and-option-pricing-or-why-trump-voters-are-not-idiots-1e364a4ed940

[1] http://www.nydailynews.com/news/politics/donna-brazile-finally-admits-giving-debate-questions-clinton-article-1.3002221

~~~
Avenger42
> Were voting machines hacked? No.

It's been more than 10 years since researchers showed that voting machines
were _hackable_, and I have yet to see any visible progress down the path of
"make voting machines less hackable / more transparent". All it would honestly
take is a requirement that all voting machines print out a receipt of the
vote. Then you could drop that into a box on your way out, and someone counts
those votes to make sure they line up with what the database says the final
vote was.

~~~
tempay
> All it would honestly take is a requirement that all voting machines print
> out a receipt of the vote.

I'm not sure if this would actually help. What should happen in the event that
somebody claims the printed ticket disagrees with their vote? Especially
considering the vote itself should remain secret in many countries.

~~~
Avenger42
I'm not sure how it works elsewhere (I'm in Texas), but when I voted in
November, they gave me a 4-digit number to enter when I first walked up to the
machine. If I told them "this receipt doesn't match the ballot I cast", I
suppose they could type my 4-digit number into the computer and say "delete
this ballot", feed the receipt into a shredder, and then give me a new 4-digit
number to try again. They wouldn't need to see what my receipt says to do
that.

~~~
smitherfield
But you could very easily forge a receipt to commit fraud,* so there would
have to be some kind of biometric or cryptographic security.

*Possibly in conjunction with targeting precincts that heavily favor one party, or individual voters registered with a specific party.

~~~
mox1
Yes, you probably could. Local person votes twice, 5 people commit fraud type
stuff is incredibly hard to prevent and probably happens every election. As
long as it requires X people to move X votes fraudulently, I would say we are
going to be OK. Can you move a local election in a small town via this method?
Probably, but our election system has defense in depth (recounts, election
judges, polling, everyone-knows-everyone, voting receipts, etc. etc.) so this
isn't exactly easy.

It becomes a problem when 1-10 people can change the outcome of a district+
size voting block. "Hacking a voting machine" falls into this category. If
1-10 people can change a Red state to Blue via any method, that is what we
should be concerned about. Again, defense in depth applies here. They would
have to do many things perfectly AND get lucky for this to even be a
possibility (no recounts, no voting machine inspection, no election judges'
intuition, etc. etc. etc.)

If my crazy uncle wants to vote twice, eh go ahead. It's difficult to do, takes
a medium amount of effort and might work or might not.

------
tuxidomasx
This is only marginally related, but I have a story about how I "hacked" eBay
way back in 200x.

At the time they provided a free VIN report whenever you listed a vehicle for
sale. VIN reports provide details of the history of your car (liens,
accidents, maintenance, title transfers, etc). And the leading VIN services
charge about $10 per report.

I wrote a PHP script that, when given a VIN number, would create a listing on
eBay for a car with that VIN number. The script then kicked off a website
scraper which would monitor the listing page for the VIN report data to be
populated (sometimes took a few seconds). Once the data was captured, the
script would unlist the item (so I wouldn't be stuck selling a car that didn't
exist). Bam! Free VIN reports.

So I took it a step further and registered and designed a website for it. It
looked very semi-professional and web 2.0-ish as I have some decent design
skills. There were sample reports and calls-to-action and everything.

A user would provide a VIN, pay with PayPal checkout, and get the VIN report
emailed to them within minutes. The report was stripped of all data pointing
to the original source, and reformatted & rebranded with my site's name. All
automated of course, since I had already written the scripts to do the heavy
lifting.

I then set up an Adwords campaign, researched price points and settled on
$7.99 per report. My ad campaign used targeted keywords that displayed my ads
whenever people searched for "carfax" and "vin report", with my price
displayed prominently in the ad block. The more money I allotted for ads, the
more money the hack made.

For about 3 weeks I just sat back and watched the money roll in. In the
interest of not drawing too much attention, I would disable the entire site
and ad campaign during the day, only running it at night. I was thinking 'slow
and steady wins the race.' But the whole time I was working on it, I felt a
rush: part paranoia about getting caught, part excitement at crafting such a
sneaky, sophisticated hack with so many moving parts.

In the end, eBay noticed an anomaly in their API usage data caused by me
creating and deleting so many car listings, and sent me a nastygram.

I decided to shut up shop before they realized what I was really up to. Greed
will get you 'got' quicker than not.

In the end, I learned a lot -- it was my first experience working with ad
campaigns, writing parsers/scrapers, and working with eBay's API.

~~~
nickpsecurity
Pretty clever hack/scheme. I'd classify it as a parasitic model. I'm sure
there's tons more of those left including in eBay despite their increased
efforts in stopping malicious posts.

------
janwillemb
The Netherlands returned to voting with paper and pencil since a university
proved that the voting machines could be hacked. It takes a day or two more to
count the votes, but who cares, apart from the media? If a technology creates
more problems than it solves, it should be abandoned.

~~~
chx
This. There's no reason to use voting machines. None. Paper ballots work and
can't be hacked.

~~~
dragonwriter
> There's no reason to use voting machines. None. Paper ballots work and can't
> be hacked.

Many voting machines produce paper ballots, and voting machines may be more
accessible to those with certain disabilities.

I think what you mean is that there is no reason to transmit votes from the
voting machines to tabulators on electronic media rather than paper ballots.

------
rdtsc
> While Pavlovich says he won’t comment directly on the US election hacking
> allegations

Right. Finally the evidence we've been waiting for. Or, ... not.

Are we grabbing at the straws here with the "Russian" narrative? By now I
think we are.

They don't say it but that's why the article was probably written. The more
they write articles like these without clear evidence, the more they discredit
the whole PR story and lessen its value.

------
ITN1nja
It annoys me that the headlines keep claiming the election was hacked. The
election was fine. The DNC was mined and information found was released. This
MAY have been in an effort to sway opinion in an election, which, at best,
would be scatter-shot social engineering. But the election was not hacked. At
least, not that I've seen reports of.

~~~
sharemywin
I think they are using it in the social hacking sense.

Social hacking describes the act of attempting to manipulate outcomes of
social behaviour through orchestrated actions. The general function of social
hacking is to gain access to restricted information or to a physical space
without proper permission.

------
ve55
What's the purpose of this article?

As far as 'hacking', it states that this person has purchased credit card
numbers online and then used them. This can be done by anyone, you only need
to know basic things such as how to use a credit card and where to purchase
the numbers.

Then somehow this is turned into a headline about the US election, when there
is not a single line of actual content pertaining to it. Even if there was, to
go from that to 'the election was hacked'...

You guys are better than this, come on.

------
Drazcmd
This is why we need risk-limiting audits. Check out recent work on end-to-end
cryptographically verifiable voting systems:
https://www.usenix.org/conference/evtwote13/workshop-program/presentation/bell

(On a side note, hand counting the entire thing is infeasible for US elections
due to all the other races/proposals on the ballots).

------
akeck
Let's have a contest where different AIs compete to get the best election
results. Hmmm... that sounds like a plot to a movie.

------
sharemywin
That's because people believe anything they read. If it's on the internet it
must be true.

