
11-year-old boy hacks into replica U.S. vote site in minutes - everdev
https://reuters.com/article/idUSKBN1KZ0O2
======
joshstrange
Posted yesterday
[https://news.ycombinator.com/item?id=17748947](https://news.ycombinator.com/item?id=17748947)

Yes it's a different source but same click-bait story.

Also:

[https://news.ycombinator.com/item?id=17744937](https://news.ycombinator.com/item?id=17744937)

[https://news.ycombinator.com/item?id=17757977](https://news.ycombinator.com/item?id=17757977)

[https://news.ycombinator.com/item?id=17752559](https://news.ycombinator.com/item?id=17752559)

[https://news.ycombinator.com/item?id=17756468](https://news.ycombinator.com/item?id=17756468)

------
FactolSarin
It says these are "copies" of the website. Were these full-stack copies,
supplied with help from the states? I can't seem to find this information
anywhere.

In another article I read about this, I saw it downplayed as "well, these are
just the vote tallies on the website, the real totals weren't affected," but I
think that underestimates the fact that the distinction will be lost on most,
and it'll undermine trust in the system if on election night the website says
one thing while election officials say "ignore that, we got hacked."

------
sparkling
> A screenshot posted on the account showed he had managed to change the name
> of the winning candidate on the replica Florida website to his own and gave
> himself billions of votes.

So he opened the DOM Inspector in Chrome?

~~~
laken
This article isn't very descriptive, but it was actually done via SQL
injection. DEFCON gave the children a SQL injection course, then had them find
vulnerabilities.

Another one, that at least quotes the DEFCON tweet:
[http://www.orlandosentinel.com/opinion/audience/roger-simmon...](http://www.orlandosentinel.com/opinion/audience/roger-simmons/os-ae-florida-elections-hacker-20180814-story.html)

~~~
sparkling
Thanks for clarification. In that case: good job kid!

------
athenot
> “It would be extremely difficult to replicate these systems since many
> states utilize unique networks and custom-built databases with new and
> updated security protocols,” the [National Association of Secretaries of
> State] said.

This sounds so similar to what an Equifax exec would be saying after a breach,
it's not even funny.

(Background: "unique network" and "custom-built databases" don't have anything
to do with security, it's just obscurity with no way to check for integrity
nor audit for tampering.)

------
Qwertie
This article is really poor quality and gives no useful information at all.
What even is a replica of the vote system? By the sounds of the article they
could have just used inspect element and substituted words on the page.

> “It would be extremely difficult to replicate these systems since many states
> utilize unique networks and custom-built databases with new and updated
> security protocols,”

More meaningless words. "Unique networks and custom-built databases" makes it
sound even less secure, but I agree with how it would be pretty much impossible
to create a replica unless it's all open source.

------
sp332
While there's probably some cool stuff from the voting village, this doesn't
seem like the most critical result. Hacking a website could cause confusion
but isn't going to change the outcome of an election like tampering with
voting machines or the computers that do the tallying.

Here's a hack I'd like to hear more about:
[https://mobile.twitter.com/mattblaze/status/1028358365993259...](https://mobile.twitter.com/mattblaze/status/1028358365993259009)

------
Rotdhizon
No mention of how he did it. Is the kid some child genius, was the security
nonexistent, did he memorize a dozen lines of SQL, was the access control so
broken that he clicked his way into this position?

Also, why are they having kids try to hack a voting site? Granted it's
probably a very cheap mockup, but this doesn't seem like the area for kids to
be playing in.

~~~
athenot
Why would reverse-engineering not be "the area for kids to be playing in"?
That's a great way to learn. And doing it on a real-world system is even
better than some mockup.

As for the intent of the conference, it appears it's to shed light on how
poorly designed these voting machines are. They are mostly "happy path
programming" and previous attempts at clarifying the edge cases &
vulnerabilities have been met with hand-waving and dismissal from both the
vendor and the officials who purchase them.

