
Utah voting system fending off 1B hacking attempts per day - ChuckMcM
https://utahpolicy.com/index.php/features/today-at-utah-policy/17116-utah-is-fending-off-one-billion-hacking-attempts-per-day
======
Blackstone4
What are they including in the metrics?

Are they including SSH port scanning and attempts on port 22?

~~~
civility
My guess is they're including requests for /

A billion "hacks" per day seems a bit far-fetched. At that point, it's either
a visible act of war (if external to the US) or the FBI would be much more
involved (if internal). Both of those would be much larger news.

~~~
orbitingpluto
Wouldn't it be a good estimator to include ANY connections coming from outside
of Utah?

I hope that whoever is attempting to hack the Utah voting system has no
nefarious purpose greater than changing "Mitt" to "Mittens."

~~~
eslaught
It would be like calling every individual connection made during a DDOS event
an "attack". No, it's one attack. The number of connections merely indicates
the size of the attack, and in this case possibly less because if it's
implementing a brute force search over passwords, it could be very, very
inefficient.

In other words, it's marketing language designed to scare people who have no
understanding of computer security.

------
propman
Paper ballots, no machines and especially no machines connected to the
internet...if we were able to get that crazy bug into Iranian nuclear reactors
without direct transfer from Internet, then you can bet North Korea, Russia,
Israel, and China will pour billions to do the same thing.

Voting ID cards too, though I admit I don’t know enough about that. Even if it
costs billions to get it done, confidence in fair and free elections is the
cornerstone of our democracy.

~~~
jadedhacker
The first is a good idea, but the second is not. Voter ID cards are
historically used to make it harder to vote and thus compromise elections. In
person fraud is very uncommon, and it would be very difficult for a foreign
government to pull off a large scale interference without being detected.

After all, we struggle to get people to show up to vote once already! The idea
of mass ballot fraud seems difficult to countenance without literally paying
masses of people to vote (which I believe is extremely illegal).

EDIT:
[https://www.law.cornell.edu/uscode/text/18/597](https://www.law.cornell.edu/uscode/text/18/597)

EDIT 2: If you want to see real foreign interference, check out that time that
Bill Clinton publicly aided the election of Boris Yeltsin.

[https://www.nytimes.com/1996/02/23/world/russia-and-imf-agree-on-a-loan-for-10.2-billion.html](https://www.nytimes.com/1996/02/23/world/russia-and-imf-agree-on-a-loan-for-10.2-billion.html)

~~~
mikejholly
Voting requires ID in almost every other western democracy, including Canada.
The rest of the world sees it as very reasonable to identify yourself at a
polling station. It's odd that this is so contentious in the US.

[https://en.wikipedia.org/wiki/Voter_ID_laws](https://en.wikipedia.org/wiki/Voter_ID_laws)

~~~
rectang
IDs are not issued automatically in the US; they take money and effort to
acquire. Therefore as implemented in the US, voter IDs are a poll tax.

Unsurprisingly, this makes voter ID a political issue: those who benefit from
poll taxes support them, and those whose voters are suppressed by poll taxes
oppose them.

~~~
squirrelicus
I think it would be reasonable to create a national ID card system and fund it
through taxes. It could replace driver licenses and social security cards. I
do not know why it would be unreasonable to require such a card for voting. It
could also serve as a PKI system with the govt acting as a CA (i.e. manage
issuance and revocation). There are non zero benefits. And this doesn't have
to operate like a poll tax. I don't understand why this isn't already a thing.
Seems obvious.

~~~
kodablah
> I don't understand why this isn't already a thing. Seems obvious.

Because people don't want yet another mandatory way to be tracked by the
government. It is especially opposed by those here illegally, their
supporters, and others historically disenfranchised by more and more
centralized requirements. Not everyone has driver's licenses or ssn cards.
There are non-zero problems so what should be obvious is why some oppose even
if you don't.

~~~
ric2b
> Because people don't want yet another mandatory way to be tracked by the
> government.

I constantly hear that (the majority of) people don't care about NSA spying,
Facebook and Google spying, ad tracking, etc, etc, etc.

But somehow when it comes to being issued a number and a piece of plastic it
would never work because people would oppose it based on privacy? I find that
very hard to believe.

------
jlmorton
If there is no online voting, why is the system even connected to the
Internet? What exactly are the attacks against? The voter registration site?
The election results site?

~~~
bschilke
From what I understand the greatest vulnerability is modification of voter
registration data. If you show up to vote and they don't have you in that
district's voter rolls because your address was changed to another state, your
vote has just been taken away.

~~~
jlmorton
If this is the case, it begs the question why voter registration data is
directly connected to the Internet. Yes, we want to allow online registrations
and modifications, but surely we could have a batch process to make changes to
the canonical source, with a signed log of changes.

~~~
hrktb
Could you clarify how you would see these batch data transferred outside of the
internet?

We are speaking of dispatching that data to every single voting station, set
in schools, small town offices, etc. Most "secure" solutions (private lines,
central update and physical dispatch of the machines days before the
elections, etc) seem difficult and/or crazy costly to me.

------
foota
Translation: 1 billion Brute Force ssh attempts rejected

~~~
086421357909764
So much this, yes I'm sure people were attempting to scan it up but I
guarantee you could show the same for almost every network out there. I
understand the fear mongering to a degree but it's projecting things in the
wrong place and it's almost like crying wolf.

------
xeeeeeeeeeeenu
What does "hacking attempt" even mean? I smell FUD.

~~~
User23
Sadly I smell FUD virtually every time a security engineer opens his mouth.
Yes there are some great ones, but I’ve never worked with one directly.

Part of my skepticism is rooted in the prevalent ignorance of basic computing
theory. If you can’t define the operational semantics of a system then you
can’t rigorously convince yourself or anyone else that it is “secure.”

~~~
throwawayjava
_> If you can’t define the operational semantics of a system then you can’t
rigorously convince yourself or anyone else that it is “secure.”_

Well. This means no one can provide any security guarantee for any remotely
realistic system because no modern stack has a completely
understood & formalized operational semantics. But I definitely know that some
systems are much more secure than others! So this seems like a situation where
perfect is very much the enemy of "1000x better than it could've been".

Furthermore, formalization is "above and beyond" best practice, so you're
unlikely to be accused of negligence if you do "better than best practice but
still not formalized".

Finally, the original claim is not true. There are many systems with
non-operational semantics that are useful for proving security properties. And
sometimes no semantics is needed at all for large swaths of the system.
Sandboxing is an excellent example of the latter. For some very reasonable
attacker models, you need an operational semantics for the sandbox but don't
need an operational semantics for whatever's running inside the sandbox in
order to provide fairly strong security guarantees.

~~~
User23
There are realistic systems that are operationally secure by the given
standard. Nuclear launch systems are the obvious example.

“Best practice” is a euphemism for whatever it is the majority does. Nobody
ever got fired for buying IBM. That’s not even reasoning.

Finally, your paragraph about sandboxing is ill considered, but not that
wrong. First all programs have operational semantics, the only question is how
well understood they are. Second sandboxing is a constraint that is easily
formally expressed by way of the logical consequence. I’m surprised you’re
taking issue with that since you give a great example thereof.

~~~
throwawayjava
_> There are realistic systems that are operationally secure by the given
standard. Nuclear launch systems are the obvious example._

AFAIK there aren't really any examples of production systems that have
meaningful, formally verified security properties without gaping holes.

Do you have a good paper about the full stack formalization/verification of a
nuclear launch system?

 _> “Best practice” is a euphemism for whatever it is the majority does.
Nobody ever got fired for buying IBM. That’s not even reasoning._

1\. Companies are sometimes sued, _successfully_, for _not_ following "best
practices". And on technical merits. Ex, Toyota lawsuits.

2\. It most definitely is reasoning! Here's the cartoon derivation: "If I buy
IBM I do not get fired. Therefore, I will buy IBM". This is reasoning about
the social system, not the technical system. But then, security is both a
technical problem and a social problem. $Billions on formal verification can't
stop the simplest of phishing attacks.

 _> First all programs have operational semantics, the only question is how
well understood they are._

Well... I guess technically. But that's not typically what people mean when
they say something "has a(n operational) semantics".

Typically when people say "X has an operational semantics" they mean "someone
has actually tex'd/coq'd/pencil'd the transition rules and maybe proved things
about them".

Example: If I implement a programming language without doing any theory and
you ask if I have an operational semantics, the only non-confusing answer is
"no" or perhaps "the semantics is defined by the implementation of the
compiler", which is just a tongue-in-cheek way of saying "no". This doesn't
mean that no operational semantics _exists_, it just means I haven't written
it down in the form of transition rules or a coq file or whatever.

If I give my language a denotational semantics and you ask if I have an
operational semantics, I'll say "no". But again, that doesn't mean that the
operational semantics don't exist. It just means I haven't written them down
and proven a correspondence.

 _> I’m surprised you’re taking issue with that since you give a great example
thereof._

I think you missed the fundamental moral of the sandboxing example: perfect is
the enemy of good enough.

Sandboxes allow for security guarantees _without_ formalizing every aspect of
the system. In fact, I conjecture that these sorts of "don't try to formalize
everything" approaches toward formal security guarantees are really the only
ones that scale.

If you try to formalize everything, you'll drown. If you strategically concede
defeat and admit that some parts of the system aren't possible to formalize,
you can get a lot of strong guarantees. As long as the concessions are
strategic. Ex, sandboxing whenever the permissions interface is simple but the
implementation is complex and the failure modes permit sandboxing.

Or, to put that observation in a pithy phrase: "perfect is the enemy of good
enough."

~~~
User23
> Do you have a good paper about the full stack formalization/verification of
> a nuclear launch system?

Bwahahaha you're funny.

> If you try to formalize everything, you'll drown. If you strategically
> concede defeat and admit that some parts of the system aren't possible to
> formalize, you can get a lot of strong guarantees.

You're contradicting yourself again. There's a reason why weakness is a
strength in formalisms.

~~~
throwawayjava
_> Bwahahaha you're funny._

No, I'm curious and would use that citation! Even just a paper saying "this
has been done" without any details? I have a hard time believing this has been
done, and people are allowed to talk about it on online forums, but there
isn't a _single_ citation even acknowledging its existence.

 _> You're contradicting yourself again. There's a reason why weakness is a
strength in formalisms._

I'm not sure what this means, but it sounds a lot like what I've been saying
all along?

------
erentz
That number is insanely high. Are they talking about all voting machines being
connected to the internet? Or is it some back office set of systems?

For the life of me I don’t know why voting machines and voting systems need to
be connected to the internet. It’s just a flat out unnecessary risk.

That’s not to say that they shouldn’t be built so secure you could connect
them to the internet. But nothing is perfect and unnecessary risks should be
avoided with such an important system.

Which is probably why we should be using paper ballots and scanners with
results called in from the regional counting centers. And manual count
available then as much as needed or desired post election night for
verification. This rush to electronic voting boggles my mind.

------
cmurf
I encourage all citizens who typically do not vote, to vote your conscience,
and then lie. Already no one expects you to vote anyway, so just lie per their
expectations and say you didn't vote. That way you don't have to justify or
argue your choice any differently than you have in the past.

Yes it's a bit chicken s* but so f'n what? You don't actually owe anyone an
explanation anyway, but you're entitled to vote. So just get on with it, and
lie. Everyone is lying about something or other anyway and this kind of lie is
pretty benign. And it's in the public good that you vote even if you don't
like arguing about why you voted the way you did.

------
tedunangst
11500 per second.

~~~
TomK32
modems are getting faster and faster...

------
perlgeek
If this were true, and the error rate in defending was only 0.00001%, it would
still be hacked several times a day.

What's the lowest error rate you have ever seen in a practical security
product?

~~~
amelius
But what if all the hacking attempts are coming from basically the same
software, trying the same thing over and over again?

------
masonic
Why is their _voting_ system (as opposed to voter registration) even publicly
accessible outside of election cycles?

------
ddingus
Vote by mail works, is efficient and easy.

Autoregister on State ID or Drivers License.

Online party management.

Signature validation, collected at registration.

Voters can mail it, use a drop, or vote in person at an elections office.

My favorite is voting parties. Everyone brings ballots, talk about the options,
vote, eat, smoke, drink, done.

------
krrrh
How can the cost of securing these systems be less than the cost of using a
fully paper system?

~~~
fooker
You can use the same argument for banks.

~~~
greglindahl
The number of transactions in voting and at banks are pretty wildly different.

~~~
fooker
It doesn't have to be. If online voting ever becomes widespread, there is a
reasonable chance there will be more votes and referendums.

~~~
pessimizer
There would be an absurd cognitive overhead for people to have to study and
prepare an opinion for as many votes as they have financial transactions.
Every other productive activity in the US would grind to a halt.

~~~
fooker
Why would polls like:

Do you want a bridge built here? Yes, No, Don't Care.

be a cognitive overhead?

~~~
danso
The California voting guide for June 2018 is 96 pages long:

[http://voterguide.sos.ca.gov/pdf/complete-vig.pdf](http://voterguide.sos.ca.gov/pdf/complete-vig.pdf)

The info associated with each ballot measure is considerably more extensive
than you seem to realize.

~~~
fooker
That's because there are so few votes. Imagine having one single exam at the
end of 4 years of education.

~~~
danso
No, this is the 2018 guide for the primary election. That is less than 2 years
after the 2016 general presidential election. In 4 more months, there will be
another 2018 guide for the general election. That means there will be 6
elections in 4 years, not counting any special elections:

[http://vigarchive.sos.ca.gov/](http://vigarchive.sos.ca.gov/)

You don't even know how many votes we have even though they are so purportedly
few. Imagine what little the average voter knows.

------
pietroglyph
Is there any reason for a voting system to ever be connected to the internet?
(I assume this system is, because I can't think of any other attack vectors
that enable the reported volume of "hacking attempts".)

------
zemnmez
to put this in perspective, this is one-quarter of Google's _global_ search
traffic, in hack attempts. 'hack attempts' are always bullshit but this is
especially impressive

~~~
not_kurt_godel
Google isn't going to count port scanning and other such malicious activity in
their global search traffic metrics. It's very possible that such traffic is
more prevalent than legitimate search traffic by orders of magnitude. I have
personally operationally managed sites which are only very moderately high
profile and yet still receive a constant stream of malicious requests from
foreign IPs pretty much 24/7 even with aggressive, proactive & reactive
firewalling in place. The costs to execute such tasks are negligible for a
nation-state. To be honest I'd be more inclined to believe the numbers are
real and that you're posting this comment as an agent of a belligerent
nation-state trying to spread misinformation than the other way around (though
I sincerely do hope you are posting in good faith and are just naive).

------
tlrobinson
"1B hacking attempts" is, of course, incredibly vague. It could be 100
sophisticated groups using their 1B 0-days, or one dude running a script on
repeat.

------
ilovetux
I don't get it. If these systems are not air-gapped then that is gross
negligence.

There is absolutely no reason that these systems are exposed to the internet.

------
g0dg0d
Why would a voting system even need to be online?

~~~
azernik
Depends what you mean by "voting system". Individual voting machines rarely
are - they're usually air-gapped, read the ballot from a physical memory card
transported by sneakernet from administrative offices, and write vote totals
back to those cards for sneakernet transmission to same offices.

However, those central locations use a lot of internet-connected machines,
mostly to communicate their numbers to outside systems. The computers that
program the ballot descriptions pre-election (a vector for attacking voting
machines) are also usually internet-connected - they're plain old desktop
workstations of some elections official.

Air-gapping _those_ systems is probably doable, at a minor loss of
convenience, but there _is_ a reason they're internet-connected.

~~~
_bxg1
Geez, just like... Give the voting software its own isolated network, and for
external reporting force somebody to dump the results to a flash drive before
uploading them to the web. I'm not even a security expert, but maybe I could
get a job as one working for the US government.

------
chiefalchemist
Frankly, 18 feels low. I would expect the number to be 10x or even 100x that.

~~~
woogley
1B (one billion), not 18

~~~
chiefalchemist
OH. Oops. Where are my reading glasses :)

------
ChuckMcM
It is an interesting data point, and it makes me wonder if we can use this as
a side channel attack to figure out who the hackers "like" and who they "don't
like" running for office. Might give us more insight into the hacker's goals.

------
_bxg1
...how are these systems not airgapped?

~~~
prolikewh0a
So the status quo can stay in power.

------
drfuchs
Title should say “fending off”.

~~~
dang
Fixed now.

------
king_nothing
If they have such hacking attempts, console access should be gated by a
jumpbox that SSH/ipsec secured by SPA portknocking. For external services,
have transparent proxies with deep SPI/IPS and IP acls out in front.

~~~
danielhlockard
Port knocking is security by obscurity. How about a VPN like a real company.

~~~
azinman2
Google famously ditched VPNs because you can’t trust the inside networks
either.

[https://www.blog.google/products/google-cloud/how-use-beyondcorp-ditch-your-vpn-improve-security-and-go-cloud/amp/](https://www.blog.google/products/google-cloud/how-use-beyondcorp-ditch-your-vpn-improve-security-and-go-cloud/amp/)

~~~
gray_-_wolf
Sure but it still adds another layer.

