
I bought used voting machines on eBay for $100 apiece (2018) - djsumdog
https://www.wired.com/story/i-bought-used-voting-machines-on-ebay/
======
peterkelly
In 2017 someone in Canberra bought a couple of used filing cabinets from a
second hand store for $10 each.

They turned out to contain hundreds of highly classified documents detailing
years of cabinet discussions of successive Australian governments ("cabinet"
here meaning the core group of senior ministers). This probably happened
because the (filing) cabinets were locked and no-one could find the keys, so
someone at parliament house got lazy and didn't dispose of them properly.

The documents were handed over to journalists and the whole saga became known
as "the cabinet files".

https://www.abc.net.au/news/about/backstory/news-coverage/2018-02-03/the-cabinet-files-and-how-they-were-found/9393008

~~~
akimball
And that much to public benefit. Governmental secrecy is the essential
precondition of governmental corruption and criminality.

------
droithomme
It's good that people can get these and reverse engineer them, do a security
audit, and publish the results (which are that they are easily hackable and
insecure).

 _> The fact that voter information is left on devices, unencrypted, that are
then sold on the open market is malpractice_

I disagree with him that what he describes is "voter information".

There's vote information and election information, both of which are already
public information and are not sensitive information at all. The machines do
not have voter information on them nor does he give any evidence of it. What
he describes finding was:

 _> The information I found on the drives including candidates, precincts, and
the number of votes cast on the machine, were not encrypted._

All these things are public information already.

 _> Worse, the “Property Of” government labels were still attached, meaning
someone had sold government property filled with voter information and
location data online, at a low cost, with no consequences. It would be the
equivalent of buying a surplus police car with the logos still on it._

When government agencies auction off surplus cars they seldom repaint them
first. It's common to find them with the logos. Example:

https://www.copcarsonline.com/2018_Dodge_Charger_Largo_FL_35020052.veh

Even comes with the original light bar and the radar!

~~~
noja
> I disagree with him that what he describes is "voter information".

If you combine a voting machine ID from a certain time and place, can you
determine with good certainty the way that a particular person voted?

~~~
bryanrasmussen
If you know exactly what time the person you're targeting went to vote -
maybe.

~~~
michaelt
In the UK, it's not unusual for polling stations to have 'tellers' [1]
outside, asking voters to volunteer their electoral registration numbers
(which can easily be converted into their name). Nothing stops them recording
the time too, and many rural polling stations are small enough that only a
single voter is in there at a time.

Luckily, we don't have electronic voting machines.

[1] https://en.wikipedia.org/wiki/Teller_(elections)

------
rmetzler
Recently @hackerfantastic on Twitter has a few videos of hacked Diebold voting
machines [1,2,3,4] along with a blog post [5] and the git repository [6]. From
this I followed the link to a video on Twitter on how to get admin access on
some voting machines [7].

[1]: https://twitter.com/hackerfantastic/status/1187491177303552002

[2]: https://twitter.com/hackerfantastic/status/1188187378436804610

[3]: https://twitter.com/hackerfantastic/status/1187278289435389952

[4]: https://twitter.com/hackerfantastic/status/1188178825487605760

[5]: https://hacker.house/lab/hacking-elections-diebold-accuvote-tsx-runs-space-invaders/

[6]: https://github.com/hackerhouse-opensource/electionhacking

[7]: https://twitter.com/RachelTobac/status/1028437783050776576

------
lhball
The conclusion that nationwide legislation would fix this is, at best,
wishful thinking.

ATMs are secure because banks would lose money if they weren’t. Not because of
regulation.

Regulation leads to a bare minimum of safety, not a best-in-class security.

One thing banana-republics all have in common is nationalized voting
commissions. Doesn’t turn out as well as the author here suggests.

~~~
Omnitaus
Banking and medical information are kept secure through federal regulations.
Why should we trust the states that have already shown either their inability
or unwillingness to remedy the issue?

~~~
lhball
Experian fiasco (and others that came long before) taught us the shortcomings
of these types of regulations.

Do you really feel like banking and medical records are being kept secure? If
so I envy your confidence.

Compare that to the way our messages are being encrypted these days (iMessage
comes to mind) and I think we’d find the regulation to be lacking.

The incentive provided by regulations (i.e. jail time or fines) doesn’t
compare to incentives derived from competition, or (heaven forbid) profit.

It’s, for better or for worse, human nature.

------
jsjohnst
> The same common-sense regulations don’t exist for election systems. PCI and
> HIPAA are great successes that have gone a long way in protecting personally
> identifiable information and patient health conditions.

One of these is not like the other. ;)

PCI-DSS = Payment Card Industry Data Security Standard. It’s not a regulation
(as in law), it’s a self-imposed industry standard as the name implies.

HIPAA - Health Insurance Portability and Accountability Act, as in an actual
law passed by Congress and signed into law by President Clinton.

While PCI can end up with huge fines and/or inability to process payment
transactions for non-compliance, it’s not a law.

~~~
projektfu
It could be called a regulation, however.

~~~
jsjohnst
True in retrospect, it’s an industry regulation, just not a legal regulation.
Thanks for catching that!

------
cpach
Previous discussion: https://news.ycombinator.com/item?id=18306992

------
qrbLPHiKpiux
With voting, the simplest solution is the best solution: paper and ink. A few
people to tally locally from each opposing party, report the numbers on up.
Unhackable. Verifiable.

~~~
WillPostForFood
At this point, you might be right this is a better solution, but it is
hackable. Add or remove paper ballots, mark existing ballots with your own pen
to change or invalidate it. But at least the physicality of it creates some
limit on the scale of fraud.

~~~
smitop
The recent Canada federal election used paper ballots (all of them have), and
those attacks are mostly preventable. Ballots are counted by two people from
Elections Canada, and all candidates can watch. They match up the number of
ballots with the number of people crossed off on the list of people who were
eligible to vote at that polling station. They also compare it to the number
of ballots at the start of polling and end of polling. If votes were added or
removed, those checks wouldn't work out (and there would probably be a re-vote
for people who voted at that polling station). Adding marks before people vote
wouldn't work since voters would probably notice, and it'd be hard to add
marks between marking the ballot and it being put in the ballot box. Ballots
also need to be signed by the chief returning officer.

------
akimball
Terrible article, perfused with one terrible, fatal misconception: Systems
openness is essential to confidence. Concealing breaches or even
vulnerabilities does orders of magnitude more damage to public confidence than
disclosing them and remediating them. The cover-up mentality is why the
constitutional heroine Reality Winner is imprisoned & gagged.

------
dang
URL changed from https://boingboing.net/2018/10/25/windows-ce-and-usb.html,
which points to this.

------
makomk
Obligatory reminder that, prior to Trump winning, Wired magazine ran a
(popular, widely viral) article claiming that the idea that the vote could be
rigged by hacking voting machines was a nutty conspiracy theory:
https://www.wired.com/2016/10/wireds-totally-legit-guide-rigging-presidential-election/

Like, I'm sure there are some folks whose concern about voting machine hacking
isn't just a partisan tactic - especially on places like HN - but Wired
magazine isn't one of them. Given that the last time this was such a major
mainstream topic was after the 2004 election, well...

~~~
jdsully
Ironically, Trump makes me feel more secure that the elections are not rigged.
Nobody in the GOP, civil service, military, and intelligence communities
wanted him. All were very outspoken against him throughout the primaries and
even into the election.

~~~
moonbug
And the US has no geopolitical adversaries of note.

~~~
1000units
You think they have more influence over the American public than the parties
the parent listed?

~~~
netsharc
Well, apparently through Facebook ads they did...

And apparently you only needed to flip 4000 votes in swing states to secure
the electoral college numbers... 4000 targeted ads on Facebook, how much did
that cost? Cambridge Analytica knows.

~~~
tsimionescu
> Well, apparently through Facebook ads they did...

Where did you get that idea? We know from the Mueller report that they indeed
paid to try to influence the election, but the sums were tiny compared to what
the actual candidates paid. Also, please remember that Cambridge Analytica was
hired by Trump('s people), not the Russians.

