
American Elections Will Be Hacked - hourislate
https://www.schneier.com/essays/archives/2016/11/american_elections_w.html
======
jedberg
Had a funny conversation on Facebook on Tuesday related to this. It basically
went like this:

"It'll take a while to find out how the election went in California because we
don't use computers"

"You're the biggest state in the country and you don't use freakin
computers?!" <-Texas resident

"You work in IT, you of all people should know why we don't use computers"

~~~
zanny
There are plenty of sound arguments for electronic voting. The perfect system
would be way more trustworthy than backroom hand counting by party insiders
where the only metric to try to avoid corruption is to have two parties
counting at the same time.

Just black box stand alone machines that are networked together with no
outside scrutiny while popping out a magical final number is completely
unreasonable.

~~~
taejo
> The perfect system would be way more trustworthy than backroom hand counting
> by party insiders where the only metric to try to avoid corruption is to
> have two parties counting at the same time.

I studied cryptography, and it's hard for me to imagine a cryptographic proof
I'd trust more than that system; it's almost impossible for me to imagine an
implementation that I'd trust as much.

Most people have never studied cryptography, and will never trust a
cryptographic proof at all.

~~~
jedberg
You don't need crypto. You just need a machine that prints out a human
readable receipt that the voter can see but not alter, which then drops into a
secure holding area on the machine.

At the end of the day, you randomly select say 1% of all the machines and hand
count all the ballots inside, making sure the counts and votes match. If they
do, then you can be reasonably sure it wasn't tampered with, and if they don't
match, then you can hand count all the paper ballots using the old system to
verify the computer.

~~~
specialist
_"You just need a machine that prints out a human readable receipt..."_

Why? Because marking a ballot is the challenge?

How about we simplify ballots?

~~~
jedberg
So that the human who voted can verify it is correct and the person who might
have to hand count it can read it.

------
1stPostLastPost
[https://www.wired.com/wp-content/uploads/2015/08/WINVote-fin...](https://www.wired.com/wp-content/uploads/2015/08/WINVote-final.pdf)

Windows XP Embedded not patched since 2004.

WEP network password 'abcde'

RDP open on voting machine.

User: 'Administrator' password: 'admin'

MS Access database, password 'shoup' (company that made the machine)

The machine I used was a Hart eSlate with Comic Sans fonts, Microsoft clipart
graphics, and exposed ports. What happens when I plug in a rubber ducky that
presses shift 5 times?

If you Google the secretary of state election results sites (where everyone
scrapes the information from), you see html tables straight out of the 90s,
and some of the servers run Windows Server 2003.
[https://www.google.com/search?q=secretary+of+state+election+...](https://www.google.com/search?q=secretary+of+state+election+results&oq=secretary+of+state+election+results&aqs=chrome..69i57.6255j0j7&sourceid=chrome&ie=UTF-8)

Were some hacked? You tell me.

~~~
linkregister
The first link is broken.

~~~
1stPostLastPost
Huh, they took it down recently.

Here's a mirror: [https://www.wired.com/wp-content/uploads/2015/08/WINVote-fin...](https://www.wired.com/wp-content/uploads/2015/08/WINVote-final.pdf)

and another just in case:
[https://www.documentcloud.org/documents/2167420-winvote-fina...](https://www.documentcloud.org/documents/2167420-winvote-final.html)

------
triplesec
And the unacknowledged problem is, we don't really know if it's already
happened.

To quote from the article: 'Electronic voting machines can be hacked, and
those machines that do not include a paper ballot that can verify each voter's
choice can be hacked undetectably. Voting rolls are also vulnerable; they are
all computerized databases whose entries can be deleted or changed.'

It doesn't need visible chaos or detection on voting day.

~~~
paulmd
Also, even the machines that generate paper trails are never actually
recounted unless there's a problem. If you don't test your restore procedure
then the value of a backup is effectively zero.

A lot of the paper trails aren't necessarily even in machine-readable form. We
are drastically unprepared for a large-scale recount (anything more than a
county is going to take weeks+).

Also, the backup is effectively the checksum here too - unless you actually
look for an error, how would you ever know if one occurred? We need x% of
counties to be randomly recounted from the paper trail to validate the
tabulations.
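The sampling audit proposed above (jedberg's random 1% of machines hand-counted, paulmd's x% of counties recounted from the paper trail) is easy to model. The following is an added example, not code from the thread: it hand-counts a random, publicly seeded sample of machines, compares each with its electronic tally, and also computes how likely a given sample size is to land on at least one altered machine. The machines, ballots, candidate names and the single tampered machine `M042` are all constructed.

```python
"""Random-sample audit of electronic tallies against the paper trail.

Added example (not code from the thread). Data below is constructed: each
machine has a stack of paper ballots and an electronic tally; one tally has
five phantom votes injected so the audit has something to find.
"""
import math
import random
from collections import Counter


def hand_count(ballots):
    """Tally a stack of paper ballots; each ballot is just the chosen name."""
    return dict(Counter(ballots))


def normalize(tally):
    """Drop zero entries so {'A': 3, 'B': 0} and {'A': 3} compare equal."""
    return {name: n for name, n in tally.items() if n}


def select_sample(machine_ids, percent, public_seed):
    """Pick ceil(percent%) of the machines, at least one, using a seed that is
    announced publicly (a dice roll, say) so observers can reproduce the draw."""
    ids = sorted(machine_ids)
    n = max(1, -(-len(ids) * percent // 100))   # integer ceiling
    return sorted(random.Random(public_seed).sample(ids, n))


def audit(electronic, paper, percent=1, public_seed="public dice roll"):
    """Hand count the sampled machines and compare with their electronic tally.
    Returns (sampled_ids, mismatches); mismatches maps a machine id to the
    pair (electronic tally, hand count) wherever the two disagree."""
    sampled = select_sample(electronic, percent, public_seed)
    mismatches = {}
    for mid in sampled:
        counted = hand_count(paper[mid])
        if normalize(counted) != normalize(electronic[mid]):
            mismatches[mid] = (electronic[mid], counted)
    return sampled, mismatches


def detection_probability(n_machines, n_tampered, sample_size):
    """Chance a uniform sample (without replacement) of sample_size machines
    contains at least one of the n_tampered altered ones (hypergeometric)."""
    clean_draws = math.comb(n_machines - n_tampered, sample_size)
    return 1 - clean_draws / math.comb(n_machines, sample_size)


def make_constructed_data(n_machines=200, ballots_per_machine=50, seed=7):
    """Constructed dataset with one tampered machine, M042 (five phantom votes
    in the electronic tally that have no paper ballot behind them)."""
    rng = random.Random(seed)
    candidates = ["Kang", "Kodos"]          # constructed names
    paper, electronic = {}, {}
    for i in range(n_machines):
        mid = f"M{i:03d}"
        paper[mid] = [rng.choice(candidates) for _ in range(ballots_per_machine)]
        electronic[mid] = hand_count(paper[mid])
    electronic["M042"]["Kodos"] = electronic["M042"].get("Kodos", 0) + 5
    return electronic, paper


if __name__ == "__main__":
    electronic, paper = make_constructed_data()
    sampled, bad = audit(electronic, paper, percent=1)
    print(f"sampled {len(sampled)} machines, mismatches: {bad}")
    for k in (1, 10, 50):
        print(f"{k:3d} tampered of 200, 1% sample: "
              f"P(detect) = {detection_probability(200, k, 2):.2f}")
```

The `detection_probability` figures are the practical caveat: with 200 machines a 1% sample is two machines, which finds a single altered machine only about 1% of the time. The sample fraction has to be sized against how many machines an attacker would need to alter to change the outcome, not picked as a round number.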

------
youdontknowtho
I did get a very sinking feeling when they scanned my vote and I didn't get a
paper copy.

Lowest bidder development doesn't seem like it should be the way we engineer
everything.

Don't Blame Me, I Voted for Kodos...

~~~
undersuit
The FEC should be in charge of the entire voting process. What is worse: a
custom designed U.S. government voting machine for all federal elections made
by the FEC, or tens of different companies, selling their closed source
machines to state governments for profit.

I see issues in both systems, and in fact I'll take the current set up because
my proposal requires me trusting the government more than I do now.

~~~
jerf
"What is worse: a custom designed U.S. government voting machine for all
federal elections made by the FEC, or tens of different companies, selling
their closed source machines to state governments for profit."

Um, I see what you're getting at, but the government would definitely create a
monoculture and may create a single point of failure. The choice is less
obvious than you may think it is, based on your phrasing.

To which I'd say the solution is less about getting the FEC to do it, and more
about the process. This needs to be an open and very public affair. It doesn't
help us to have the FEC do it if they do it behind closed doors and create a
closed-source computer-based system that requires all voting machines to be
hooked over insecure networks to a central closed-source insecure server or
something.

~~~
undersuit
> It doesn't help us to have the FEC do it if they do it behind closed doors
> and create a closed-source computer-based system that requires all voting
> machines to be hooked over insecure networks to a central closed-source
> insecure server or something.

I did say the FEC isn't a good option now and I didn't really want to
enumerate all my reasons, but you are covering a good number of them.

------
losvedir
It's interesting thinking about the threat models of the way the U.S. is
designed.

For example, when I voted in MA I didn't have to show ID or anything, just
said my name and confirmed my address; I _think_ the idea here is we're
protecting from disenfranchising citizens who don't have IDs?

And there's no _national_ ID because I think the founders didn't want there to
be a single record of all citizens at the federal level? Or was it just a
logistical reason? I know that was part of the reason the SSN system is so
brittle and crappy - there was great pushback against a national database, but
it _still_ ended up as one, kind of, but it's a shitty one because it wasn't
designed for it.

Another example is you don't really have a way to verify your vote was counted
/ tallied. Imagine if when you voted you got a UUID, and all votes were made
public and searchable at the end of the election: UUID, Voting District, Vote.

This system would let everyone verify that their vote was counted and correct,
and statistics could be done per voting district to try to make sure no
_extra_ votes were included. However, it's susceptible to vote-buying, which
is a major part of the current election system's threat model.

But is that really still a concern? I feel like catching and prosecuting vote
buying in my scenario is a lot easier than identifying large-scale vote fraud,
hacking, or errors, in the current scenario. Or maybe there's a solution that
fixes both?

~~~
grzm
There are known methods of vote verification and auditing that prevent the
actual vote from being disclosed, voluntarily or otherwise. See Punchscan or
Scantegrity for examples.

Pretty interesting stuff from a comp sci point of view.

[0]:
[https://en.wikipedia.org/wiki/Punchscan](https://en.wikipedia.org/wiki/Punchscan)

[1]:
[https://en.wikipedia.org/wiki/Scantegrity](https://en.wikipedia.org/wiki/Scantegrity)

~~~
specialist
I addressed this upthread.

[https://news.ycombinator.com/item?id=12927983](https://news.ycombinator.com/item?id=12927983)

~~~
grzm
Thanks. Gives me something to chew on.

------
coldcode
Hacking individual voting machines is possible but not on scale one at a time.
Far more likely is hacking at the place where the votes go later, in the end
they are just a few numbers. As Stalin said, it doesn't matter who votes, it
matters who counts the votes.

~~~
Retric
People are spending tens of dollars per vote in some areas, flipping a few per
machine would easily be worth it. Just the presidential race can spend up to
$40 per vote, add in senators and local officials and votes are worth quite a
bit.

Remember some polling places have 10,000+ votes. If you change 500 votes that's
both hard to detect and frankly likely to tip many local elections. Now,
different people doing this to a few different locations and well it adds up.

~~~
coldcode
However both parties are equally able to do the same thing. So would it make a
material difference?

~~~
Retric
Not all voting systems are easy to compromise or standardized across states.
Simply crashing the machines to create long lines in some areas is enough to
tip a close election.

Sure this might not be a denial of service attack but map long lines with
party preferences and well... [http://www.nbcnewyork.com/news/local/Polling-Problems-New-Yo...](http://www.nbcnewyork.com/news/local/Polling-Problems-New-York-New-Jersey-Connecticut-Vote-Report-Issue-400380091.html)

------
jandrese
I wonder what the odds are that the voting machines are hacked vs. abuse of
absentee ballots? It seems to me that any solution that requires a person to
physically appear at scattered polling places and tamper with hundreds of
machines in a single day is probably not a huge problem.

If you can mass mail fake ballots to the registrar then that could be more of
a problem. I would presume that most absentee ballot systems have some sort of
check that they're not receiving a ballot back from someone who did not
request one, but I also know that this sort of thing could fall through the
cracks if there aren't proper safeguards in place.

~~~
scottcha
At least in Washington there is a 1:1 mapping between your registered address
and the envelope you send your ballot in (I don't believe it's to the ballot
itself but I could be wrong). Once you send in your ballot you can verify on the
county voting site that your ballot has been counted. I'm guessing this is the
main way they check that fraudulent ballots aren't being submitted as you
would then have > 1:1 mapping in many cases.

~~~
jandrese
That makes sense, but has anyone verified that the check is being performed?

~~~
r00fus
And that's the problem with US elections - I would love to see a public
showing (instead of the incessant back and forth) after the election of a good
old review/audit of the election process.

Even if it's only a few who participate/watch, knowing the process is audited
would make me a lot more invested in it.

------
Retric
American Election(s) _Have_ been hacked. This may or may not have changed the
outcomes, but looking at various machines that were used at various times the
odds that nobody hacked any of them, ever, is very low.

------
imgabe
If it's not (and I think it isn't) the code used in the voting machines needs
to be open source and publicly available in a government repo. That would be a
start. There's still the issue of ensuring that that code is the code that is
running on the actual machines, and that the compiler used to compile that
code hasn't been compromised, and that the source for the compiler is
available and on and on....

I'm not a security expert, but what would be a good way to publicly verify all
this?

~~~
dcherman
I'm not a security expert either, but my very first thought was that if we've
successfully maintained a public ledger of financial transactions ( blockchain
via bitcoin ), then that technology seems useful for large scale voting which
is nothing more than another series of transactions.

Maybe someone more educated about blockchain could illustrate some of the
pros/cons about using it in this manner?

~~~
eridius
An immediate huge problem is the fact that the blockchain works because the
signer can prove their ability to sign, but voting is supposed to be
anonymous. If every vote was a transaction then every vote would be public
knowledge, but anonymity of voting is one of the cornerstones of our voting
process.

~~~
paulmd
Probably solvable. Here's one solution that would only require registration of
write-ins (which many states already do).

Issue everyone a secret key (the digital equivalent of a ballot). They publish
hash($key, $name). There are only N values for $name so that can be solved in
O(N) time, but without knowledge of $key you couldn't determine whom someone
voted for. For the sake of the user you could even pre-compute the hash values
so it literally becomes "publish this string to vote for X".

You could authenticate the user by having them give their pubkey at their
secretary of state. The pubkey signs the hash like a standard blockchain
transaction.

~~~
Spivak
Here's the problem. Anyone who has $key could determine who they voted for.
Not only would the average person not know how to sufficiently protect this
key but it makes votes trivially verifiable by the voter which is equally as
bad.

~~~
paulmd
Well, I disagree that having keys be trivially verifiable by the voter is a
problem. That's a selling point - you can be sure that your vote wasn't
altered in-transit. In fact that's largely the point of the system.

This is a general problem with absentee/mail voting, though, and it's a strong
argument. If your boss/spouse/etc is being an asshole there's little to stop
them from coercing you to show your paper absentee ballot, marking it in for
you, etc. Yes, it's illegal, but what are you going to do about it after your
at-will employment is terminated without cause next month? In the privacy of a
voting booth, you can vote however you want and nobody will ever know. It's
real easy.

I think you can still keep votes secret if you have in-person voting. Just
have the secret key never leave the polling place, it's equivalent to
collecting the ballot after tabulation (we have paper ballots that are run
through a ScanTron machine, we don't get to keep the ballots). You get a
printout of the hash values you selected (but not the key) and can validate
that the hash exists on the blockchain afterwards (signed by the polling
place's private key), but there's no proof as to what the particular hash
values actually indicated.

Really though you have to trust that people will treat their electronic ballot
with just as much import as their paper ballot. I don't think an electronic
works without some kind of secret key/token.

~~~
eridius
If you haven't seen it, Spivak's other comment explains why you don't want
voters to be able to verify their vote later
([https://news.ycombinator.com/item?id=12923958](https://news.ycombinator.com/item?id=12923958)).

~~~
paulmd
I don't think you actually read my comment. His point is fully responded to.

------
jefurii
We need to have voter registration and vote tally databases that have the
characteristics of Git repositories. Because every piece in a Git repo has a
SHA1 hash, you can verify that each and every piece is what it says it is and
has the correct relationships to each and every other piece. You can verify
that copy A is exactly the same as copy B and has not been tampered with.
All modifications are recorded; you may not know exactly _who_ made each
change (author info can be falsified) but you can at least know exactly what
changes were made.
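The Git-like property described here is a hash chain: each entry's hash covers its record and the hash of the entry before it. The following is an added example, not the commenter's code, that builds such a log for constructed voter-roll records, verifies a copy entry by entry, compares two copies by head hash, and shows the two ways a copy can be altered: an in-place edit, which `verify()` catches, and a rewritten history, which verifies cleanly but no longer matches the head of any independent copy. SHA-1 is used because the comment describes Git; any collision-resistant hash works the same way.

```python
"""Hash-chained, Git-style log for a voter-roll or tally database.

Added example, not the commenter's code. Records, voter ids and clerk names
are constructed. The 'author' field is self-reported, as the comment notes;
the chain proves what changed, not who changed it.
"""
import copy
import hashlib
import json


def entry_hash(parent, record):
    """Content address of one entry: SHA-1 over canonical JSON of the parent
    hash and the record, so any byte of either changes the hash."""
    payload = json.dumps({"parent": parent, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha1(payload.encode()).hexdigest()


class HashChainedLog:
    def __init__(self):
        self.entries = []                 # dicts with keys hash, parent, record

    @property
    def head(self):
        return self.entries[-1]["hash"] if self.entries else None

    def append(self, record):
        parent = self.head
        h = entry_hash(parent, record)
        self.entries.append({"hash": h, "parent": parent, "record": record})
        return h

    def verify(self):
        """Recompute every hash from the first entry; return the index of the
        first entry that does not match, or -1 if the whole chain checks out."""
        parent = None
        for i, e in enumerate(self.entries):
            if e["parent"] != parent or entry_hash(parent, e["record"]) != e["hash"]:
                return i
            parent = e["hash"]
        return -1

    def clone(self):
        """An independent copy, as a second auditor would hold."""
        return copy.deepcopy(self)

    def rewrite(self, index, record):
        """Alter one record and recompute every later hash, as someone who can
        rewrite history would; the chain still verifies but the head changes."""
        self.entries[index]["record"] = record
        parent = self.entries[index]["parent"]
        for e in self.entries[index:]:
            e["parent"] = parent
            e["hash"] = entry_hash(parent, e["record"])
            parent = e["hash"]


def first_divergence(a, b):
    """Index of the first entry whose hash differs between two copies, or -1
    if one copy is a prefix of the other (compare heads for full equality)."""
    for i, (x, y) in enumerate(zip(a.entries, b.entries)):
        if x["hash"] != y["hash"]:
            return i
    return -1


if __name__ == "__main__":
    log = HashChainedLog()
    log.append({"op": "register", "voter": "V001", "author": "clerk-a"})
    log.append({"op": "register", "voter": "V002", "author": "clerk-a"})
    log.append({"op": "remove", "voter": "V001", "author": "clerk-b"})
    edited = log.clone()
    edited.entries[1]["record"]["voter"] = "V999"      # silent in-place edit
    print("in-place edit, first bad entry:", edited.verify())
    rewritten = log.clone()
    rewritten.rewrite(1, {"op": "register", "voter": "V999", "author": "clerk-a"})
    print("rewritten history verifies:", rewritten.verify() == -1,
          "but diverges from the original at:", first_divergence(log, rewritten))
```

The second case is the one to keep in mind: a hash chain held by a single party proves nothing against that party, because they can recompute it. The guarantee comes from independent copies (or a published head hash) that the rewritten history can no longer match, which is exactly why the comparison of copy A with copy B matters.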

------
MichaelBurge
I wouldn't mind seeing electronic machines that print paper ballots. They
could even record the count into a database somewhere for ease of use. And
it's important for the voter to see the paper ballot that gets printed, before
he drops it in.

That way, we can all find out who won in real-time, while the counties recount
the paper ballots by hand over the next week to confirm. When you count the
ballots, record a video and allow independent citizen auditors to view the
video.

------
riprowan
Also note that because American elections tend to hinge on a handful of swing
states (and then, often only on particular counties in those states) you do
_not_ need to commit fraud on a wide scale to commandeer the election. It
should be possible to measurably influence the election by hacking a handful
of influential counties, actually.

------
blizkreeg
Ok, so it's 2016 and I'm not naive in suggesting this but does anybody think
that we should figure out how people can vote from their homes/phones?

DoS attacks are a massive threat to this but wouldn't voting percentages go
way up if we could make this happen?

~~~
joveian
The Oregon/Washington/Colorado vote by mail system is very convenient. We get
paper ballots by mail which can be returned by mail or dropped in official
boxes and the results are scanned. This leaves a paper trail that is possible
to recount if necessary.

Voters in a little over half of US states can vote at home[0], but they need
to explicitly request ballots.

The ability to vote at home does seem to increase voting percentages. It is
hard to compare before/after since all states that have so far switched
entirely to vote by mail had a popular option for a while before, but all
three states seem to do fairly well in national rankings, maybe particularly
so in non-presidential election years. I found a site that collects such data
[1] (relative to voting eligible population not registered voters) and in 2014
Colorado was 4th highest, Oregon #5, and Washington #21. For this election it
looks like Colorado was #6, Oregon #13, and Washington #16. So voting
percentages might not go way up if everyone did this, but seem likely to go up
some at least.

[0]
[https://en.wikipedia.org/wiki/Absentee_ballot#United_States](https://en.wikipedia.org/wiki/Absentee_ballot#United_States)

[1] [http://www.electproject.org/home/voter-turnout/voter-turnout...](http://www.electproject.org/home/voter-turnout/voter-turnout-data)

------
tmcbride23
After the 2000 election the youngest Bush's company created the new voting
systems in Florida and Ohio. Check who sits on Diebold's board.

------
pmoriarty
The possibility of voting fraud will make a blip in the news and then be
forgotten, just as it was in the much more contentious election of Bush v
Gore.

~~~
greeneggs
"Voting fraud"? That wasn't an issue in 2000 (or ever in the US, as far as I
know). There were famously problems with Florida's ballot. I don't know what
Florida did, if anything, but there was federal legislation in 2002. This is
how everyone got the money to buy electronic voting machines.

[https://en.wikipedia.org/wiki/Help_America_Vote_Act](https://en.wikipedia.org/wiki/Help_America_Vote_Act)

~~~
pmoriarty
You are correct. I meant Bush v Kerry, 2004. That's when the whole electronic
voting machine debacle happened.

------
piotrjurkiewicz
> The risks of ineligible people voting, or people voting twice, have been
> repeatedly shown to be virtually nonexistent

How can someone like Bruce Schneier be so ignorant of facts?

