
DHS, FBI say election systems in all 50 states were targeted in 2016 - howard941
https://arstechnica.com/information-technology/2019/04/dhs-fbi-say-election-systems-in-50-states-were-targeted-in-2016/
======
motohagiography
It's worth the down votes each time I add a comment on this topic, but it
bears repeating that since electronic elections are not verifiable in any
meaningful way, their legitimacy is suspect, and electronic voting actively
creates the conditions for violence in response to contested results.

Everybody knows this now and the effects are so predictable it brings into
question the motives of people who have an interest in both undermining and
discrediting the democratic process by using these machines.

~~~
nathan_long
> since electronic elections are not verifiable in any meaningful way

As I once saw someone point out here, the crucial thing is that they be
verifiable by _the average person_.

Imagine a technically perfect electronic voting system, immune to tampering,
preserving anonymity, etc. It's provably perfect - but only to the handful
people who can understand the proof.

Average people could not have confidence in such a system, so it undermines
democracy. (This may also be a barrier to using vote counting systems better
but more complex than "first past the post" unless they can be explained
clearly.)

"Put your paper ballot in that bin everyone can see and we'll all count them
together at the end of the day" is a process that anyone can see is
legitimate. So that's what we should do.

~~~
AngryData
I think a lot of the verification problems for electronic voting could be
solved by simplification and using old 'outdated' technology. You don't need a
full fledged PC to tally votes, you need the computing power of a 30 year old
calculator that could be built on a 2-foot wide board with large and simple
traces. Something somebody at home with a multi-meter could probe around and
test.

We need the equivalent of a moped to do what we need done, but are being sold
on F1 racecars which end up being built by equivalent of rednecks in a
scrapyard to line the pockets of the scrapyard owners.

~~~
CharlesColeman
> I think a lot of the verification problems for electronic voting could be
> solved by simplification and using old 'outdated' technology. You don't need
> a full fledged PC to tally votes, you need the computing power of a 30 year
> old calculator that could be built on a 2-foot wide board with large and
> simple traces. Something somebody at home with a multi-meter could probe
> around and test.

Even that's too complicated to be trustworthy. That's why I think optical scan
ballots are the way to go: even a totally unskilled, untrained regular person
would feel fairly confident that they could count them.

IMHO, all the technology investment should be put into processing and
validating ballots _after_ they've been filled out. Personally, I like the
idea of a voter being able to feed their optical-scan ballot into a machine at
the voting booth that will let them verify it will be read exactly as they
intend. Then they carry it over to the ballot box to be tallied by a separate
machine there.

~~~
nathan_long
> IMHO, all the technology investment should be put into processing and
> validating ballots after they've been filled out

I think the opposite. When filling a ballot, the voter can use a machine with
a touchscreen. The person with poor sight can use huge fonts, the blind can
use a screen reader, etc. The output from this is a printed paper form, filled
out with perfectly legibility. No hanging chads, ambiguous marks, etc.

At this point, the voter (or an assistant) can verify the form just as if a
human had filled it out for them.

From there, these perfectly-filled forms can be counted the old-fashioned way
with many witnesses.

------
throwaway5752
This is incredible. Rules of engagement are in profound need of overhaul. This
is nothing less than a military attack on the US, via computer. No
sufficiently large nation state is innocent, but targeting voting systems (and
potentially vote totals) should be a glaring red line that has consequences,
taking into account that attribution is falsifiable and hard.

~~~
everdev
How do you feel about any foreign political intervention?

I'd guess that 50+% of 3rd world leaders are supported by some foreign
government financially or militarily which keeps them in power.

But yes, it doesn't feel good when a foreign government tries to pick a winner
in our elections.

~~~
throwaway5752
Correct me if I am wrong, but it sounds like you are asking me if I think
changing voting results is equivalent to attempting to influence voters?

No, I do not think those are remotely equivalent.

~~~
everdev
Sorry, I think the point I was trying to make was that most governments try to
openly influence politics in other countries rather than protecting free
elections.

I totally agree that vote rigging would be particularly egregious. However,
I'm not sure that backing a regime with money / weapons / training, etc. that
then goes ahead and rigs the vote is that much better.

I think it's more like one scenario is stealing money and the other is
investing in a gang that steals money.

I just find it interesting that we openly try to pick political winners and
losers in other countries.

~~~
edmundsauto
Not picking winners is also a decision that impacts other countries. It's like
a default option in a UI -- there are no neutral options.

~~~
everdev
Sure, but I guess by that same logic not rigging a foreign election would
impact a country too.

------
charlesdaniels
One of the faculty at my university has conducted some detailed analysis on
the practice of electronic voting in the US.

I believe this is the most up-to-date publication on the subject:
[https://cse.sc.edu/~buell/Public_Data/2019_VotingMachines.pd...](https://cse.sc.edu/~buell/Public_Data/2019_VotingMachines.pdf)

I would also recommend the documentary "I Voted"
([https://www.imdb.com/title/tt4081950/](https://www.imdb.com/title/tt4081950/)).

These aren't about the 2016 election in particular, but it would seem that
there is strong evidence that the security practices in place by many US
states are inadequate, and there is often no "paper trail" to verify that
results were tallied accurately after the fact if a recount is needed.

Considering the poor security, if the 2016 election was targeted, it is likely
that the attacker(s) succeeded.

------
zaroth
> _Between June and October of 2016, the group associated with the election
> hacking "researched websites and information related to elections in at
> least 39 states and territories, according to newly available FBI
> information," the bulletin states. "The same actors also directly visited
> websites in at least 30 states, mostly election-related government sites at
> both the state and local level—some of which overlap with the 39 researched
> states."_

> _The "actors" performed their research "in alphabetical order by state
> name," the bulletin states, "suggesting that at least the initial research
> was not targeted at specific states." The research focused on Secretary of
> State voter registration and election results sites, but it also drilled
> down on some local election officials' webpages. As they accessed sites,
> actors "regularly attempted to identify and exploit SQL database
> vulnerabilities in webservers and databases."_

Voter registration information is public (although not technically to Russian
citizens!).

Visiting the front end websites of the state election authorities and
attempting SQL injection on the web forms is not what some downthread are
calling a military attack.

However, I think it’s great to be sent such a wake up call in the form of a
“tap on the shoulder” because these systems should be heavily monitored and
better protected.

The true _election systems_ should require feet on the ground to compromise in
any form. And they should not be electronic without a proper auditable paper
record.

------
carrja99
But what will they do about it? Absolutely nothing. Republican politicians
don't care and I honestly don't understand why not. Election security should
be a truly non-partisan issue, yet whenever they talk about election security
it's not this it's about disenfranchising certain voting blocks.

~~~
blackflame7001
Then why are Democrats against showing an ID to prove you are who you say you
are? Why are Democrats OK with allowing ballot harvesting in California when
the election in North Carolina was invalidated for the same reason?

~~~
mikeash
Because there’s no significant amount of fraud occurring that ID requirements
would fix, and ID requirements are often made to unfairly disenfranchise
certain groups.

~~~
daenz
>ID requirements are often made to unfairly disenfranchise certain groups

It's interesting to hear what those "certain groups" think about that:
[https://www.youtube.com/watch?v=odB1wWPqSlE](https://www.youtube.com/watch?v=odB1wWPqSlE)

~~~
mikeash
A video with anecdotes, this is sure to be worth my time!

~~~
daenz
Saying that the thoughts of people affected by policies you claim to support
isn't "worth your time" really undermines the idea that you have their best
interests in mind.

~~~
mikeash
I don’t have the time or resources to interview all 235 million eligible
voters in the US. I’ll have to rely on others to sample them. Any sample comes
with the potential for bias or error so it needs to be done well. I see no
reason to think that this four-minute video, whose description says it has
interviews with people from Harlem, comes even remotely close. Am I wrong?

~~~
daenz
>Am I wrong?

You're conflating a scientific study on who does and does not have a valid ID
with what people think about people assuming they have no ID because of their
skin color. They're orthogonal concepts.

All of the black people interviewed in that video found it ignorant and
offensive that people assume that because they're black, they likely don't
have ID or know how to get ID, and the white liberals had no problem making
broad, negative assumptions about black people, if it supported their
political views. That's the point I'm trying to make.

~~~
mikeash
Were those people a representative sample? What was the sample size?

~~~
blackflame7001
You start off speaking for a group and end saying you’re only speaking for a
percentage of that group. You just totally invalidated the basis of your
argument from earlier

~~~
mikeash
Where was I speaking for a group?

------
everdev
Does anyone know the details of these "election systems"?

> Russian cyber actors in the summer of 2016 conducted online research and
> reconnaissance to identify vulnerable databases, usernames, and passwords in
> webpages of a broader number of state and local websites than previously
> identified

This makes it sound like just election-related state websites.

> a Russian campaign seeking vulnerabilities and access to election
> infrastructure

For me, the term "Election infrastructure" sounds like it would include voting
machines, voter registries, vote counts, etc.

------
zyxzevn
Until now this has all been bullshit accusations. The "false positives" are
very common in these security reports, because they want a warning when there
might be an attack.

They do not list the numerous internal attacks that were reported too. These
actually modified the votes. These votes can only be changed via physical
access. But this is probably not politically interesting, and it involves
corrupt staff members and such.

I have been following a lot of this kind of security news. But let's follow
the money. Homeland security has already prepared a plan to take over the
election system in all states (from before 2016). It seems to me that these
accusations are used to push to take over the voting system.

Such a change would theoretically be good, but who watches the watchers? And
why does DHS not report on the internal problems that actually changed votes?

------
dahfizz
Do we know anything about what these hackers accomplished / what effect they
had on the election?

The idea that our election infrastructure is "targeted" is scary but not very
surprising. Every web server on the internet is "targeted", so why wouldn't
something as valuable as election infrastructure?

~~~
howard941
> Do we know anything about what these hackers accomplished / what effect they
> had on the election?

Reports of attacks that aren't repelled corrodes trust in the integrity of
elections. [http://time.com/5510100/risk-limiting-audit-election-
securit...](http://time.com/5510100/risk-limiting-audit-election-security/)

~~~
dahfizz
>.. attacks that aren't repelled...

I guess this is what I'm asking. Were the attacks repelled, or did the hackers
actually hack/break/change something? What was that thing? I'm genuinely
asking.

------
OneWordSoln
Does anyone know if there is a statistically significant difference between
the electronic and paper machines in the swing states? I seem to remember
hearing that Wisconsin had a very skewed correlation based upon county machine
type, but would love to see the actual breakdown.

------
Top19
Yeah not surprising. Used to work for the Texas Gov Storage IT. Those guys
left the single file server for all of Secretary of State (department that
manages elections) up on the internet for months to make remote access /
working from home possible. SSL certs, keebase backups, it was all there.

Behind a single user/pass form with a 12 char pass. Would be stupid to not
target these states.

This was in September 2018.

~~~
veryworried
Not sure why you posted something so specific and fairly recent, it was easy
to find more data. They could put you in prison for this dox.

------
mrobot
Is there really proof of much of anything in here? Seems like more Russia
hysteria.

Lots of use of the word "probably" and "likely" in this article.

