
The Security of Our Election Systems - yarapavan
https://www.schneier.com/blog/archives/2016/07/the_security_of_11.html
======
Dowwie
There's a strong moral argument in favor of the DNC leaks: the American people
_ought_ to know that its political process was corrupted by powerful actors
within its own institutions.

Schneier said, "This kind of cyberattack targets the very core of our
democratic process. " In this case, though, the attack targeted actors who
_prevented_ democratic process.

Were we exposed to fictitious narratives intended to advance pro-Russian
agendas? Was truth revealed, without manipulation of content? It seems to be
the latter.

Attacking the polls would be unacceptable and deserve retaliation, but it
hasn't happened yet. Attacking a whistle blower who has helped to reveal a
corrupt political process isn't something I'd agree with. Schneier speculates
that foreign influence will continue into the polls -- I guess we had better
strengthen the election process and ensure transparency, then.

~~~
jonathankoren
The thing is about the leaks, is that there's isn't anything there that anyone
paying attention didn't already know. Of course DWS was putting the thumb on
the scales for Hillary, who schedules something you want people to see on a
Saturday night? [0]

As far as "corrupted" and "preventing" democratic process where's the
evidence? Seriously. What votes were not counted?Where's the voter fraud? I'll
tell you. Nowhere. It didn't happen. As Bernie Sanders's former press
secretary, Symone Sanders, said, "We weren't cheated. We lost."[1]

Look, we know what a stolen election looks like. This ain't it. There's no
reason to be an election truther.

[0] [http://www.uspresidentialelectionnews.com/2016-debate-
schedu...](http://www.uspresidentialelectionnews.com/2016-debate-
schedule/2016-democratic-primary-debate-schedule/) [1]
[http://gawker.com/former-sanders-spokeswoman-we-
lost-1784282...](http://gawker.com/former-sanders-spokeswoman-we-
lost-1784282813)

~~~
wwwdonohue
"Putting the thumb on the scales" is itself a violation of the DNC's own
charter, under which they are obligated to treat every Democratic candidate
for president with impartiality and evenhandedness. There was a massive amount
of coordination with the Hillary campaign, anti-Bernie stories were crafted
and distributed from inside the DNC, and planting audience questions designed
to undermine him was floated as an idea (even if it was never acted upon,
that's an egregious misuse of DNC resources and an egregious breach of the
charter). You don't have to hack a voting machine to "corrupt" the democratic
process, you just have to violate the terms of your own party's charter.

I also wonder why you think the fact that DWS scheduled debates for low-
visibility nights in order to help Hillary is so "obvious". I mean, maybe to
us, but a few months ago bringing that up would get you labeled as a
conspiracy theorist. It probably would even now.

And just one last thing -- on Symone Sanders. What _else_ is she going to say?
That they got cheated? She was the press secretary. If she wants any kind of
future in politics she's going to take a graceful L.

~~~
jonathankoren
I'm not saying that DWS and the rest weren't biased. They were. I'm saying
that it didn't matter, because of both the strengths and weaknesses of
candidates' campaigns, and the fact that biases were pretty minor league.

The reason why I said the Saturday debates were obvious, because they were
reported that way at the time.[0] They were opposite NFL playoff games for
crying out loud.

[0] [https://www.washingtonpost.com/news/the-
fix/wp/2015/12/19/ho...](https://www.washingtonpost.com/news/the-
fix/wp/2015/12/19/how-democrats-saturday-debates-are-very-friendly-to-hillary-
clinton/)

------
eternalban
The OP is a shameful blot on Bruce Schneier's record [imo].

For "evidence" we are directed to The New York Times -- a political
organization. This sort of evidence certainly suffices for the non-technical
set but that HN is accepting this without subjecting the assertion to the
rigor that we apply to topics that are not conflated with emotional and
psychological triggers is disconcerting.

I would like to pose the question here to my fellow geeks: Do you really think
Russians are so incompetent that they would not avail themselves of e.g. Tor
to cover their tracks?

[edit: take courage & answer the question instead of downvoting.]

~~~
chvid
Of course you cover your trails if you do a hack.

As a minimum you get a server to work from (and have your backdoors point back
to) that does not directly link back to you. Typically another hacked machine
- not necessarily hacked by you - you can buy them cheaply on dark net market
places.

DNC has an obvious interest in spinning this and they seem to have done this
very successfully.

What bothers me is that no-one seems to be able to separate politics from
technical assessment. Even people with deep technical insights such as mr.
Schneier.

I think the chance of Trump's presidency scares a lot of people and that scare
clouds judgement.

I don't have any say in the american election but I think that people
overestimate what the presidential post means and underestimate the check-and-
balances of the rest of democratic system (congress, legal system, existing
GOP apparatus, press and so on).

~~~
specialist
_" What bothers me is that no-one seems to be able to separate politics from
technical assessment."_

What bothers _me_ is that anyone thinks their emails are private.

------
brudgers
A political party's computers are not part of the "critical election
infrastructure" unless the party [or parties] has become the state.

Exceptionalism is political crack. States seek to influence elections in other
states. Always have, always will. Having a candidate aligned explicitly
aligned with the interests of a foreign state is quite common in Americas. As
is having a foreign state explicitly align themselves with a candidate.

~~~
rpgmaker
Not to mention that the US has a particularly awful history of subverting
other countries' elections.

------
revelation
I think you would be quite silly to just outright accept intelligence agency
declarations of "it was Russia". As history shows, not only are these people
frequently ignorant to technical realities, but political reasons at every
single layer of these organizations obscure and pervade the truth.

~~~
jonathankoren
Of course it's not just intelligence agencies saying this. There's plenty of
independent investigations [0] and they are pointing the same direction.

There's the metadata on the leaked files indicating that at least the metadata
was modified with a cyrillic computer. There's reports from two separate
security firms implicating the same two Russian based actors. There's the fact
that "Guccifier 2.0" had no online presence until after the the Crowdstrike
report implicating Russian intelligence services. There's the fact that
"Guccifier 2.0" claims to Romanian, but can't type fluent Romanian (I've heard
this independently from a Romanian I know), and drops smilies typical in
Russian forums, but not Romanian.

None of this is fire, but there's plenty of smoke.

[0] [https://www.wired.com/2016/07/heres-know-russia-dnc-
hack/](https://www.wired.com/2016/07/heres-know-russia-dnc-hack/)

~~~
chvid
I think this a good article explaining why there is not enough evidence in the
public linking the DNC hack to Russian secret service:

[https://medium.com/@jeffreycarr/can-facts-slow-the-dnc-
breac...](https://medium.com/@jeffreycarr/can-facts-slow-the-dnc-breach-
runaway-train-lets-try-14040ac68a55#.r5o053fbs)

The IP-address (176.31.112.10) that links the DNC hack to the Bundestag hack
is a machine in France (appearantly) controlled by a Pakistani hosting
company. This article says the machine was closed because of abuse over a year
ago. The material in the DNC hack is just one month old:

[https://netzpolitik.org/2015/digital-attack-on-german-
parlia...](https://netzpolitik.org/2015/digital-attack-on-german-parliament-
investigative-report-on-the-hack-of-the-left-party-infrastructure-in-
bundestag/)

------
cwisecarver
Schneier is weaving two problems into one.

Yes, our election systems could be compromised by foreign (or domestic)
attackers. This is something we should all fight against. I don't think any
voter would agree that our votes shouldn't count. Computer security is hard
and the companies running and making voting machines have time and again been
proven incompetent. We should work to fix that.

The separate issue is that in our two party system it's come out that one
party was proven to have worked to influence an election for one of the
candidates of that party. Sure, Bernie was an outsider. Sure, Hillary was
practically anointed from the start. Sure, it was fairly obvious that the DNC
was favoring HRC and working harder for her than for Sanders. But there's
actual proof now. If it came from a lone-wolf domestic hacker, or from
Snowden, or from Putins own laptop I don't think it matters. It matters that
it happened and the people need to know it did. No media is talking about that
at all. Not even NPR.

I think any organization that's working to get someone elected by the people,
in order to work for the people should want it's emails to be public. Why
wouldn't it want that? Why shouldn't the media have the option to investigate
and shine a bright spotlight on everything regarding our elections? They just
had this opportunity and they're wasting it to instead talk about Russia
influencing our elections. Since we're internally influencing our own
elections maybe we should worry about that first.

------
troiter
What influence? It's called exposing lies and corruption within the DNC. If
anything, I praise Putin for it. Let's not lose perspective of reality
thinking about tech security.

~~~
rpgmaker
There's no reason why you can't do both: worry that another country _could_
influence the electoral process via hacking _and_ see the value in having this
information exposed. The media and the Democrats only want people to focus on
the former.

------
specialist
_" This means voting machines with voter-verified paper audit trails..."_

I've attended "audits" of VVPATs. They merely verify that the printer still
worked as expected. Nothing more.

This turf has been hashed and rehashed. The Election Verification Network
(academics, administrators, activists) have covered this many times. Auditing
electronically mediated elections is impractical and adds little more
certainty in the results.

No, crypto voting doesn't help.

------
youngButEager
This is a WHISTLE BLOWER situation.

First identify who is trying to persecute the whistleblower.

There, you've found the party that has committed untoward acts who is now
trying to SILENCE THE WHISTLEBLOWER/CHANGE THE SUBJECT.

I was a Bernie supporter. A LOT of people were/are. Not at all happy with the
DNC.

Having a whistleblower confirm our idea that the DNC was trying to hurt Bernie
--

\-- now I know how a parent feels when they finally solve the tragedy of a
missing family member.

REALLY CATHARTIC.

And really depressing.

~~~
eternalban
Possibly related [1] Seth Conrad Rich, DNC's Data Director [2]. And the late
Mr. Rich was not Russian.

[1]: [http://www.nbcwashington.com/news/local/Man-Shot-Killed-
in-N...](http://www.nbcwashington.com/news/local/Man-Shot-Killed-in-Northwest-
DC-386316391.html)

[2]:
[https://www.reddit.com/r/The_Donald/comments/4v34fk/this_is_...](https://www.reddit.com/r/The_Donald/comments/4v34fk/this_is_seth_conrad_rich_the_dncs_27_year_old/)

------
chvid
Why is this not flag killed like all the other (politically biased) articles
on the DNC hack?

~~~
jacquesm
Because it is Bruce Schneier who tends to have a technical rather than an
outright political angle.

~~~
chvid
Well - not here.

------
buddapalm
I'm surprised most all comments latch onto the political nature of the DNC
hack vs. the point Bruce is making: the act demonstrates overt attempts of a
foreign government to mess with our election system, and the ___voting portion
of the system ___ is what remains vulnerable despite many years of warnings
from industry experts. We ignore this at our peril.

------
DanielBMarkham
Timely, well-reasoned, and excellent article by Schneier.

But there's a problem.

Elections are managed by state governments by design. This is to prevent
centralized _political corruption_. Having the feds "take the lead" is a
little too nebulous to be practical.

What could be done is a certification system for electronic voting that
requires a paper audit trail and individualized printed receipts for each
voter. (Which would be encrypted to prevent others from determining which
votes were cast)

The big leap is that electronic-only systems are never going to work. For
various reasons, I don't think most folks are ready to go there. _That_ is the
major problem that must be solved. After that's fixed, the other stuff will at
least be easier to address.

~~~
thaumasiotes
> Timely, well-reasoned, and excellent article by Schneier.

I thought it was pretty breathless. He says

>> Retaliation is politically fraught and could have serious consequences, but
_this is an attack against our democracy_. We need to confront Russian
President Vladimir Putin in some way ­ politically, economically or in
cyberspace ­ and make it clear that we will not tolerate this kind of
interference by any government.

(my emphasis)

I don't see that the New York Times, releasing the same information, would
come in for criticism, much less this level of demonizing. If other countries
want to interfere in our elections by giving us accurate information, what's
the problem supposed to be? That's the whole point of _having_ elections.

~~~
DanielBMarkham
To be clear, my complaint was that it skimmed the surface. Your "breathless"
was my "you missed some important parts"

I'm willing to cut him slack for adding his own politics in to the article.
With the election approaching, it's like the Ponn Farr here in the states. If
anything, it was a bit reserved.

His over-arching points are important and need attention. 1) We are basically
in an ongoing cyber-war with other major international powers, and 2) we've
been busy buying electronic voting systems that are terribly insecure.

It's a message that needs to be transmitted, and he's one of the best folks to
transmit it.

I don't think there's any demonizing going on. This is the state of affairs.
We must be aware of it and act accordingly.

~~~
thaumasiotes
> It's a message that needs to be transmitted, and he's one of the best folks
> to transmit it.

> I don't think there's any demonizing going on.

Ok, what is it that we're not supposed to tolerate from Russia? They spied on
our documents and released them for public review. Schneier himself would be
the first to tell you that they're not going to stop spying on us and we
shouldn't expect them to. The phrase "attack against our democracy" can only
refer to making accurate public representations to our electorate. That's not
an attack against democracy.

~~~
jonathankoren
Accurate or not, foreign influence is something to worry about. Let's be
honest here. Governments don't release intelligence on foreign leaders in some
sort of magnanimous and innocent gesture to help inform the foreign populace.
No. They do it for influence. They choose what to release and when.

For the sake of argument, let's say that your had evidence that a major
candidate for office in a strategically important foreign country was engaged
in, or had recently engaged in some tawdry or perhaps illicit affair. What do
you do with it? Realpolitik dictates that all that matters is that if it's
more advantageous for the candidate to lose or not. If you want the candidate
to lose, but he's winning, you release it. If not, you don't. Sure, it's
transparency, but it's outside influence, for your gain, not the foreign
country's.

~~~
thaumasiotes
So what? You appear to be defending the idea I originally mocked, that this is
a good thing when the New York Times does it and a bad thing when Pravda does
it. You won't ever be able to make that argument coherently; _all_ information
releases serve the goals (or are intended to) of the person releasing the
information, and those goals are never your goals. Why are Russia's US federal
policy goals more nefarious than Salt Lake City's US federal policy goals? If
they are, how does it matter?

~~~
jonathankoren
I am defending the idea you mocked.

Why does it matter who's releasing the information? Because they're not us.
It's that simple. It's same reason why you can talk shit about your proverbial
sister, but no one else gets to.

If you don't understand the concepts of national sovereignty and self-
determination, I can't help you.

~~~
thaumasiotes
Your argument here is not compatible with your argument two levels up. You've
retreated from the idea that foreigners talking to us is _bad_ by any metric,
and gone to the more defensible (?) idea that it makes you personally
indignant.

Good luck.

~~~
jonathankoren
If you think ice changed position, you never understood it to begin with.

Thanks for playing!

------
lr
For once in my life, I am glad we have the Electoral College.

------
fncndhdhc
And yet a Democratic Party IT administrator was shot and killed in DC two
weeks ago. The media is trying to attribute it to a mugging, but no items were
found taken off of his body.

[http://www.nbcwashington.com/news/local/Man-Shot-Killed-
in-N...](http://www.nbcwashington.com/news/local/Man-Shot-Killed-in-Northwest-
DC-386316391.html)

~~~
e40
I don't own a tinfoil hat, but... man, that incites all sorts of ideas.

