
An 11-Year-Old Changed the Results of Florida's Presidential Vote at DEFCON - njlern
https://www.buzzfeednews.com/article/kevincollier/voting-hackers-defcon-failures-manufacturers-ess
======
Twisol
> “If you’re saying ‘even a kid can hack into this,’ you’re not getting the
> full story, which can have the impact of the average voter not
> understanding,” Manfra told BuzzFeed News.

BuzzFeed's headline: "An 11-Year-Old Changed The Results Of Florida's
Presidential Vote At A Hacker Convention."

If all you see is the headline, that's exactly the impression you're going to
get. Lampshading it halfway through the article doesn't counteract that.

~~~
shawn
I typed out a big comment criticizing the fact that the kid was also shown how
to do the exploit, as opposed to figuring it out for himself.

But y'know what? Good for them. That's step one to figuring out their own
exploits. And it makes you think: If even a preteen can pick up the gist of
how to do the exploit, you could imagine paying someone to go around and try
to run it on election day. They don't need to be very smart, just hard up for
cash and willing to take a dumb risk.

~~~
thecolorblue
> ...figuring it out for _herself_.

Fixed that for you.

~~~
shawn
Whoops, thank you!

------
floren
I've noticed now it's become almost accepted knowledge among the general
public that Russia literally hacked election machines and changed votes. Even
this article appears to present that view in the first couple paragraphs
before finally stating otherwise halfway through.

~~~
1023bytes
I really don't understand what the media is trying to accomplish by pushing
this narrative. This fear mongering will create distrust in elections and the
election results, undermining democracy.

~~~
Nerdfest
They quite clearly should be distrusted in the current conditions. Electronic
voting should go. This greatly reduces the attack surface.

------
winstonewert
How seriously can we take an article that refers to Windows 4.1?

(100% against voting machines, but this article doesn't seem to know what it's
talking about.)

~~~
close04
Probably referred to Windows CE 4.1. But not encouraging given that this is
their writer focusing on the _cybers_.

And yes, it's important to be precise when you're reporting on something. It's
the details that make the story. What would have happened if he had said
"Windows 4.0"? Would people think Windows CE 4.0 (supported until 2012) or
Windows NT 4.0 (out of support for well over a decade)?

------
foxes
Awful title.

> In another area of DEFCON, organizers set up a semicircle of computers
> preloaded with copies of secretaries of states’ websites to allow young
> children to try to alter the appearance of a vote result .... Notably, the
> kids were instructed to use a simple database hacking tactic called SQL
> injection .... Within a few minutes, Audrey, 11, had figured it out, and made
> it appear that libertarian candidate Darrell Castle had won Florida’s
> presidential vote in 2016.

The discussion about the vulnerability and the unwillingness of the companies
to secure them was more important.

------
ecommerceguy
Why do we not have a completely open source government owned voting system? It
seems ownership of voting system companies is partisan.

------
amerine
lol, anyone in the trenches of computering thinks electronic voting is
terrible. I don’t even trust electronic vote tabulation.

~~~
em3rgent0rdr
Unless it's done right, in an end-to-end verifiable manner with an auditable
paper trail. [1]

[1] https://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems

------
humantiy
TL;DR from the title. 11-year-old uses SQL injection to change the election
results on a voting machine at DEFCON.

In reading the headline I was expecting they would explain it within the first
few paragraphs but instead buried what the kid did in the last 5 sentences of
the article.

Like most of us, though, it still alarms me that these machines are in use and
have some easily exploitable vulnerabilities, but as mentioned by one of the
vendors in the article, some/most of these exploits require physical access to
the voting machine. Not to take away from the exploits, but it would be pretty
obvious if someone was doing this (plugging a device into the voting machine)
on election day.

~~~
em3rgent0rdr
> "it would be pretty obvious if someone was doing this (plugging a device
> into the voting machine) on election day."

Poll workers (or someone posing as a poll worker) could easily do this and it
wouldn't be noticed as suspicious because poll workers are naturally assumed
to be allowed to interact with the poll machines.

"What are you doing there?"

"Oh, just updating the firmware to protect against a new zero-day threat."

~~~
humantiy
Interact sure, but on election day no way would they be 'updating the
firmware'. From my own personal experience there is always more than one
person watching or hands-on the polling machines. I'm sure some places are
probably more lax than my experience.

There is also variance, depending on where you vote, in what machine they
might have. My location has always been a scantron type and only one device
per voting location. You'd have to know ahead of time what device is used
where and have the correct exploit handy. Still, in my scenario it's going to
be hard to pull off an exploit while people are waiting to enter their ballots
into the machine.

Not saying it couldn't be done but I'd say it is out there for a probable
attack. They do make for good headlines and of course are something no one
wants to see tampered with. I'm glad the ones in my district still have a
paper trail, which has been used in the past to verify votes by hand when the
election was close.

------
jeffreybezos
The headline is a bit sensationalist.

There was a SQL-backed lab setup with loaded results from Secretary of State
websites, for kids to attempt SQL injection attacks.

~~~
burnallofit
Source? I believe you, just would like to see for myself.

------
guessthejuice
Is it me or are we seeing a bit too many BuzzFeed articles here lately?

SQL injections are child's play. Literally. It's last decade's "hack", if we
can call it that. Using parameterized queries ( which you should be doing in
the first place ) or simple defensive measures nullifies sql injection
threats. The headline is clickbait nonsense.

Also it's a shame that defcon has turned into a "disney" event. Who even
attends it anymore other than families and FBI agents and slimy salesmen
peddling their software.
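
The parameterized-query point in the comment above, as an added example that is not part of the thread: a results lookup built by string concatenation next to the same lookup with a bound parameter and an allow-list check. The table, rows and function names are hypothetical and the data is constructed.

```python
import re
import sqlite3


def make_db():
    """In-memory results table filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE results (state TEXT, candidate TEXT, votes INTEGER)")
    db.executemany(
        "INSERT INTO results VALUES (?, ?, ?)",
        [("FL", "Candidate A", 4600), ("FL", "Candidate B", 4500),
         ("GA", "Candidate A", 2100), ("GA", "Candidate B", 2000)],
    )
    return db


def lookup_concat(db, state):
    """Vulnerable form: the request value becomes part of the SQL text."""
    sql = "SELECT candidate, votes FROM results WHERE state = '" + state + "'"
    return sorted(db.execute(sql).fetchall())


def lookup_param(db, state):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT candidate, votes FROM results WHERE state = ?"
    return sorted(db.execute(sql, (state,)).fetchall())


def lookup_validated(db, state):
    """Allow-list check in front of the bound query (defence in depth)."""
    if not re.fullmatch(r"[A-Z]{2}", state):
        raise ValueError("state must be a two-letter code")
    return lookup_param(db, state)


if __name__ == "__main__":
    db = make_db()
    crafted = "FL' OR '1'='1"  # constructed input that rewrites the WHERE clause
    print("concatenated:", lookup_concat(db, crafted))  # every row in the table
    print("parameterized:", lookup_param(db, crafted))  # no state has that name
    try:
        lookup_validated(db, crafted)
    except ValueError as err:
        print("validated:", err)
```

With an ordinary state code both lookups return the same rows; they differ only when the input contains SQL syntax, which is the case the bound parameter closes.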

~~~
bobcat9
Agree that it's a media circus. Most of us attend to catch up with old
friends.

