
U.S. Election Agency Breached by Hackers After November Vote - bootload
http://www.reuters.com/article/us-election-hack-commission-idUSKBN1442VC
======
valgaze
To calm things down a bit keep in mind the target was a backwater agency
called the "Election Assistance Commission" which is not exactly the hive-
center of democracy:

"The security firm, Recorded Future, was monitoring underground electronic
markets where hackers buy and sell wares and discovered someone offering log-
on credentials for access to computers at the U.S. Election Assistance
Commission, company executives said.

Posing as a potential buyer, the researchers engaged in a conversation with
the hacker..."

Sounds like somebody found a vuln in probably a creaky lowest-bid government
contractor website and wanted to monetize.

I've never heard of this "Election Assistance Commission" agency before but it
sounds like they exist to help US states implement a law from 2002 called the
Help America Vote Act (HAVA.)

I'm not at all comfortable with all these infiltrations, but this "American
Election Commission" has done a pretty awful job, hacked or not.

The fact that voter fraud/suppression shenanigans exist or that there's any
ambiguity about how votes get counted indicates to me they're assisting a
pretty screwball election system.

~~~
arghnoname
I know someone who used to work there. They don't do much. One of their
initial responsibilities was ensuring that funds for HAVA (Help America Vote
Act) were dispensed and electronic voting machines were certified following
the hanging chad adventure.

As we all know, electronic voting machines aren't so hot and in my personal
opinion, the EAC hasn't done much very effectively and has been under fairly
regular attack in congress and under (maybe toothless) threat of being shut
down.

I don't think they have any actual power over much of anything in elections
because that power is distributed to the state-level secretaries of state,
so their role is more advisory at best and also is disjoint from the more
powerful FEC.

~~~
ethbro
The amount of power they have isn't as important as the amount of network
access they have.

Have there been any steps towards coming up with a formal graph of privileged
network links between government organizations? If A works with B & C, then if
A is penetrated then B & C should be formally notified and audited as well.

------
shakna
Bobby Droptables!

How are SQL vulnerabilities like this still happening to systems that _need_ to
be secure?

~~~
Animats
PHP. It's just too easy to do it wrong in PHP.

~~~
MiddleEndian
It's been a while since I used PHP but even if you're not using a framework I'm
pretty sure you can just wrap your strings with mysql_escape_string or some
similarly named function.

~~~
stormbrew
It has also been a long time since I've used php, but when I did there were a
few problems here.

One is that mysql (as opposed to oracle or pgsql) is kind of unusual in allowing
quotes indiscriminately for all column types, so in order to do this right you
have to only do it for string type columns and prevent injection on different
types some other way.

Another is that most of the APIs around the more sprintf-style quoting (eg:
`query("SELECT * FROM table WHERE x = %", someStr);`) are tied into prepared
statements, which carry their own problems that also differ per engine.

It's actually not as simple as you might think. On top of that, php used to
have the whole automatic quoting thing that just made a hash out of things.
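
Added example, not part of the thread: the string-versus-numeric quoting problem described above, shown with Python's built-in `sqlite3` as a stand-in for PHP/MySQL. The `reports` table, the `escape_string` helper and the sample inputs are constructed for illustration.

```python
import sqlite3

def escape_string(value: str) -> str:
    """Hypothetical stand-in for a string-escaping helper: doubles single quotes."""
    return value.replace("'", "''")

def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reports (id INTEGER, title TEXT)")
    db.executemany("INSERT INTO reports VALUES (?, ?)",
                   [(1, "public"), (2, "internal"), (3, "draft")])
    return db

def lookup_title_escaped(db, user_input: str) -> list:
    # String context: the escaped value stays inside the quoted literal.
    sql = ("SELECT title FROM reports WHERE title = '"
           + escape_string(user_input) + "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def lookup_id_escaped(db, user_input: str) -> list:
    # Numeric context: there are no quotes to break out of, so escaping
    # quotes changes nothing and the input is parsed as SQL.
    sql = ("SELECT title FROM reports WHERE id = "
           + escape_string(user_input) + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def lookup_id_bound(db, user_input: str) -> list:
    # Bound parameter: the value is passed as data, never parsed as SQL.
    sql = "SELECT title FROM reports WHERE id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (user_input,))]

if __name__ == "__main__":
    db = make_db()
    print(lookup_title_escaped(db, "x' OR '1'='1"))  # escaping holds for strings
    print(lookup_id_escaped(db, "0 OR 1=1"))         # every row comes back
    print(lookup_id_bound(db, "0 OR 1=1"))           # no row matches
    print(lookup_id_bound(db, "2"))                  # normal lookup still works
```

For numeric columns the alternatives to binding are a strict type check (for example `int(user_input)`) before the value reaches the query.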

------
Fej
Obligatory Tom Scott/Computerphile video on why electronic voting machines are
awful.

[https://youtu.be/w3_0x6oaDmI](https://youtu.be/w3_0x6oaDmI)

------
danielvf
"Though much of the commission’s work is public, the hacker gained access to
non-public reports on flaws in voting machines."

~~~
sandworm101
And how accurate was that data? I'd assume that the commission only has what
has been provided to it by others. Someone really wanting to exploit a machine
should probably start elsewhere. The Russians would do better by just buying
some machines and testing them themselves under the guise of 'evaluation'.
Russia does have elections and therefore a reason to acquire and test such
machines.

~~~
sixothree
That is certainly reassuring in this case. But this is a reminder that either
our voting system is secure from tampering or we are pretending that our
elections are honest and that the people in office are who we voted for.

I think most people here would have a difficult time saying our voting system
is secure from tampering.

------
cryptarch
I like this! Hopefully it sends some kind of signal and reduces the chance of
electronic voting being implemented where I live.

~~~
KirinDave
This isn't what you want.

Because even if there are hand counted votes, if humans use computers to
tally, communicate, or check the vote then that will certainly be open to
vectors of attack that use personal credentials (the easiest to lose).

There is no escape from a desperate need for competent electronic voting and
comprehensive government security in every department.

------
ChrisNorstrom
I'm confused, is this clickbait? Because just this past Friday, December 16,
2016 during President Obama's speech he mentioned there is no evidence that
the election itself was hacked. The DNC (Democratic National Committee,
Hillary Clinton's party) was hacked and had emails stolen, the election
(voting machines etc...) was not.

[https://www.youtube.com/watch?v=LBvK-Rb681I](https://www.youtube.com/watch?v=LBvK-Rb681I)
at 48:30 President Obama
says "I can assure the public that there was not the kind of tampering with
the voting process that was a concern. The votes that were cast were counted
and they were counted appropriately, we have not seen evidence of machines
being tampered with. That assurance I can provide."

A lot of news outlets from ABC to BBC news show "Russians hack election" in
their article's titles to get more clicks, then further down into their
articles state the DNC was hacked. "DNC emails stolen" does NOT equal "USA
presidential election hacked". Revealing damaging information on a candidate
is interfering with an election but not "hacking the election", which makes it
sound like the Russians cast fraudulent votes using hacked machines. Plus the
recount in Detroit revealed this:
[http://www.detroitnews.com/story/news/politics/2016/12/05/re...](http://www.detroitnews.com/story/news/politics/2016/12/05/recount-unrecountable/95007392/)

Plus, didn't Democratic candidate Hillary Clinton win the popular vote anyway?

~~~
angry-hacker
There has never been shown any evidence about the state of Russia being involved in
these hacks. Diplomats would choose their words wisely but media writes
whatever their readers want. It's fake news to one side, and truth serum to
another. Repeat other way around...

~~~
kurthr
You may not like or accept the evidence, but there has been plenty over the
last 6 months. If you demand more, then you will likely never get it from a
spearphishing email dump so asking for it is pointless.

[https://www.crowdstrike.com/blog/bears-midst-intrusion-democ...](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)

[http://arstechnica.com/security/2016/12/the-public-evidence-...](http://arstechnica.com/security/2016/12/the-public-evidence-behind-claims-russia-hacked-for-trump/)

Do you demand the same level of proof that the emails are genuine?

~~~
3131s
Most all of the DNC / Podesta emails are DKIM verified. That is a level of
proof far beyond the word of a single security company with close ties to the
FBI and the US government. I scanned through those two links you posted and
I've read other interviews with Alperovitch, and I still have not seen proof
that Russia was involved. Appeal to authority is not proof. With a password
like "p@ssw0rd" it's not hard to imagine that many, many state-level actors
and others had access to those emails.

------
noahlt
This is dated Dec 15—I'm surprised that I haven't heard of this before today.

~~~
anigbrowl
I posted it the day of and it sank like a stone, perhaps people were sick of
politics and the mention of the election turned them off.

------
solarengineer
Given how much the US messes about with itself and the rest of the world when
the Government is supposed to have been elected fairly, I shudder when I think
of the impact on the world when the elections have been unfair and rigged.

I am appalled at how candidates from the same party - e.g. Hillary and
Sanders, Hillary and Obama, Trump and who-ever - first criticise each other a
lot, raking muck, raising FUD, casting aspersions, indulge in a lot of rabble-
rousing - just to win some popularity contest. If the candidates stoop so low
for their own party, then how much lower they must stoop to "defeat" the
candidates of the opposing parties.

The world has been seeing regular evidence of how easy it is to tamper with
the voting machines, with the votes, and what-not. Does this call for a
special situation where the elections are held again but with such concerns
addressed?

Otherwise, this farce of elections would simply continue, and the world would
continue to be in a worse situation.

~~~
mzw_mzw
Before you panic (well, before you continue panicking) you should probably
read the article. There is nothing in there that even remotely suggests
anything untoward happened in this past election.

> Does this call for a special situation where the elections are held again
> but with such concerns addressed?

No.

------
whyenot
I am so frustrated with how muted the current administration's response has
been to the recent hacks. This is an attack on the most fundamental part of US
democracy. It should be considered an act of war. Not only should that shape
the US response to whoever is responsible, but also the amount of resources it
devotes to defending against attacks like this.

Obama telling Putin to "cut it out" isn't enough. No matter what is happening
behind the scenes. Our next president might not even go that far.

~~~
PKop
The "hacks" (so far all we know is Podesta clicked on a phishing email and
gave away his password) revealed shady behavior on the part of:

1. The DNC coordinating with the Clinton campaign to ensure victory over
Bernie in the primary.

2. Collusion between the media and the Clinton campaign (giving questions
ahead of debates) to favor Clinton over Bernie

3. Signs of pay for play or general corruption of the Clinton foundation
through foreign government donations.

To the hackers, I say: Thank you very much! Thank you for releasing
information on the Democratic party that we would never have been told
otherwise (certainly not by the mainstream media).

And you want to fight a nuclear war over this? Ridiculous. Utterly ridiculous.

~~~
andreyf
I'll give you (1), but that's on the DNC, not the Clinton campaign. (2) and
(3) seems pretty tough unlikely to be substantiated by the evidence I've seen.
Hackers released dirt on only one side -- a clear attempt to influence the
election, not expose corruption overall.

~~~
PKop
2 for sure happened:
[https://www.washingtonpost.com/news/the-fix/wp/2016/11/07/do...](https://www.washingtonpost.com/news/the-fix/wp/2016/11/07/donna-brazile-is-totally-not-sorry-for-leaking-cnn-debate-questions-to-hillary-clinton/)

You can view it as not that big of a deal, or unavoidable by the nature of
employing biased pundits at a news organization that carries out the debates.
Whatever. But it happened.

My larger view is that none of these things were overall that significant of
factors to a huge portion of the electorate.

More significant were the economic uncertainties of midwest states who viewed
Trump's ideas as appealing... while the Democratic candidate failed to
campaign in many of these states (Minnesota (she barely won it), Michigan,
Wisconsin, Pennsylvania). Hillary Clinton was a terrible candidate. She almost
won, and should have. But I don't think she can blame Russia for her failures.

~~~
andreyf
That sounds like (1), not (2). The DNC head leaked a single question to one of
the candidates, and it never even did Hillary any good. It's not just not-a-
big-deal, it's literally an issue of zero importance that had zero impact on
Hillary beating Bernie.

Not blaming Russia for Hillary's failures, of course, just pointing out that
even intelligent people are super confused by the disinformation that happened
this year.

~~~
PKop
If you're talking about Donna Brazile, she was not the head of the DNC at the
time she was giving the Clinton campaign debate questions.

She was employed at CNN. If she acted alone, then maybe you can argue it
wasn't "the media" but one person. But how was she able to view the questions
ahead of time? She was a known Clinton supporter, no?

[https://www.washingtonpost.com/lifestyle/style/cnn-drops-don...](https://www.washingtonpost.com/lifestyle/style/cnn-drops-donna-brazile-as-pundit-over-wikileaks-revelations/2016/10/31/2f1c6abc-9f92-11e6-8d63-3e0a660f1f04_story.html?tid=a_inl)

"From time to time, I get the questions in advance."

"I'll send a few more."

- Donna Brazile to John Podesta

Wikileaks references:

[https://wikileaks.org/podesta-emails/emailid/38478](https://wikileaks.org/podesta-emails/emailid/38478)

[https://wikileaks.org/podesta-emails/emailid/39807](https://wikileaks.org/podesta-emails/emailid/39807)

~~~
tanderson92
> She was a known Clinton supporter, no?

No, that's part of the problem. She was a mover and shaker behind the scenes
but had not formally and publicly declared an allegiance (of course, it was
obvious from the way she talked on CNN). She was an ostensibly unaffiliated
commentator who had a secret allegiance.

It's an excellent case study of why news agencies and networks should not have
paid political operators (hacks) on their payroll and the fact that it went
wrong is entirely predictable.

------
whybroke
The logical extension of your statement means the Russians should be invited
to hack the DNC or any enemies of Trump forever because in your opinion leaks
about debate questions and Pizzerias are so very, very critical to democracy.
Perhaps denying the hacks every time they happen because, after all, they
serve such a 'noble' purpose.

And I imagine I am not remotely the first one to realize this.

(Edit) My goodness but this is earning a lot of down votes. How very odd.

~~~
PKop
I just think it's very childlike and immature to blame others for your own
mistakes.

The Democrats were unhappy embarrassing information they hid from voters was
leaked to voters. They have no one to blame but themselves. If they didn't do
the things talked about in the emails, there would be nothing to leak. How
many people even viewed the emails, anyways?

I think both: [0] the info in the emails was bad and [1] not that many people
knew about it, or needed the Wikileaks info to not want to vote for Hillary
Clinton.

I think she just lost.

~~~
whybroke
And I think a hostile nation affecting one's internal politics is an act of
war, successful or not.

This didn't just damage Hillary, although the media you so deprecate made it
into just that. The hack also serves to de-legitimatize Trump. It is also
causing Trump to fight with and denounce all the intelligence agencies
critical to US functioning. Besides refusing their intelligence, the
demoralization effect alone is huge (who will risk their life for a president
who calls them a liar?). It has also thrown the whole electoral process into
doubt. etc.

And they hacked the RNC too. You can bet that will be used to maximum
damage at some point.

It is no doubt the most damaging and successful attack on the US in decades.

But even more shocking is that it is condoned because it furthers certain
parties' political ends. What happens if both political parties start using
acts by hostile nations to help them win elections?

------
sqldba
I don't believe it. I feel the public service is just continuing its attack
against a Trump presidency by reinforcing mini narratives that he shouldn't be
in power vs Hillary.

Yes the article doesn't say this (of course the hacker is Russian, which isn't
out of the ordinary). But your average person won't read that far or even past
the headline and when it gets republished those parts will disappear.

That's my read.

~~~
peterwwillis
You shouldn't trust anything you read without multiple independent sources to
verify it. But that's what credible news organizations (usually) do. And
government organizations don't (usually) lie just to provide a fuzzy narrative
of doubt over something which literally no longer matters. That's my read.

------
petre
Now Obama can claim election fraud and point a finger at Russia. Which he has
been doing anyway since they lost the election.

------
vfulco
How come we know so much about the "stolen" US elections through hacking but
very little about HRC's unsecure private server which was likely hacked due to
her wanton irresponsibility and likely treasonous actions?

