
DEF CON report on vulnerabilities in US election infrastructure [pdf] - andrewla
https://defcon.org/images/defcon-26/DEF%20CON%2026%20voting%20village%20report.pdf
======
texuf
The conclusion:

Over the last 26 years, DEF CON, and for the last two years, the Voting
Village, have operated under two core principles:

1\. It is important to derive facts through reason and inquiry rather than
blind faith.

2\. When we discover new facts, it’s important we share this information with
the general public so individuals can decide how best to use the information.

We did not make these principles up ourselves. Rather, these principles are
the foundation of the Enlightenment, which has guided modern science to
achieve the medical, engineering, and IT advances, among others, that underpin
the modern world. Since these principles have largely guided the human race
toward progress for the last 500 years, we plan to continue to follow them.

These principles matter most when we put them into practice. Therefore, it is
relevant to ask what new facts all the poking and inquiring into our voting
systems has identified since the Voting Village was established. Among the
dozens of vulnerabilities identified in the last two years, four key DEF CON
Voting Village findings are grave and undeniable:

1\. Supply Chain Insecurity: The voting machine parts supply chain is global
and has essentially no security procedures to determine whether the machine
parts are trustworthy or pre-hacked before the machine is assembled. Thus if
an adversary compromised chips through the supply chain, they could hack whole
classes of machines across the U.S., remotely, all at once.

2\. Remote Attacks Proven: Despite insistence the fact that machines are “air
gapped” from the Internet protects against all remote attacks, both DEF CON 25
and 26 found exploits to hack machines remotely, requiring physical access to
the machine.

3\. Hacking Faster Than Voting: This year DEF CON also demonstrated that
while, on average, it takes about six minutes to vote, machines in at least 15
states can be hacked with a pen in two minutes. It is thus possible for
someone to hack a machine while voting in a polling place on Election Day.

4\. Hacks Don’t Get Fixed: Finally, we discovered that even when vendors are
told about serious flaws in machines by their customers, those flaws go
unfixed.

~~~
ragebol
> it takes about six minutes to vote

Why does voting take 6 minutes? I think I used a voting machine maybe once in
my life (in the Netherlands and apparently young enough to not have used those
more often). Casting a vote on paper is usually checking a box with a red
pencil, takes maybe a minute of dealing with the huge sheet of paper with all
the candidates.

Just curious.

~~~
flatline
When you are voting for a dozen candidates and a dozen ballot measures, it
takes time to read through all of them and make sure you are marking the
correct boxes, even when you know how you will vote in advance.

~~~
blacksmith_tb
This is another reason (along with preventing remote hacks etc.) that vote-by-
mail[1] is much more reasonable. It provides you with as much time as you need
to look up candidates and issues.

1: [https://en.wikipedia.org/wiki/Vote-by-mail_in_Oregon](https://en.wikipedia.org/wiki/Vote-by-mail_in_Oregon)

~~~
hackandtrip
Sure, but you lose vote secrecy.

~~~
ddingus
First, the vote is double enveloped, should you choose to do that. Not
everyone does.

It gets validated, then passed along for counting.

Second, if you want, you may drop your ballot into any drop box, or hand
deliver it to elections, who will validate it and put it into the counting
queue.

------
w8rbt
Virginia went back to paper ballots and optical ballot scanning several years
ago. I think the only drawback to this approach is storing the ballots for X
years after an election (takes up space). But, it's far more secure and easy
for everyone to do. Just like taking a high school test... pencil in the
circle.

[https://en.wikipedia.org/wiki/Optical_scan_voting_system](https://en.wikipedia.org/wiki/Optical_scan_voting_system)

~~~
Klathmon
And IMO they should do away with "optical ballot scanning", and should move to
regular humans counting them with their own eyes.

An electronic scanning system could easily be vulnerable to many of the same
issues that are presented here.

Instead, have everyone mark their ballots like normal, then get a bunch of
people in a room who all don't trust one another and have them count/tally
votes together. Just about everyone that can vote can help count (unlike with
electronic counting machines where only a very competent engineer could even
begin to audit a machine like that, assuming that they were allowed to even do
so), and in places that run elections like this, there is almost never a
shortage of people willing to assist counting votes, especially when the
election is particularly controversial ("I'm not going to let that [side a]
person from screwing over us on [side b]! Let's go get 20 of us there watching
to make sure nothing bad is happening!")

Voting should be hard, voting should be expensive (for the country, not for
individual people). Why "optimize" the one thing that secures our country with
alternatives that are less secure, have more points of failure, and are
overall less understood both by the voters and by the people using the
machines to tally votes?

~~~
JumpCrisscross
> _An electronic scanning system could easily be vulnerable to many of the
> same issues that are presented here_

In New York City, optical scanners are used. As a check, random precincts’
ballots are manually tallied. This is a good compromise between cost and
security.

(There are additional checks, like a public and private count and vote
aggregates being publicly posted at every precinct at the end of the night.
Observers can also audit the public and private count of any machine at any
time of the day, and they do.)

~~~
Klathmon
But what is the motivation for the optical scanners? Why do away with a system
that has proven to work and has known, mitigatable (is that a word?) downsides
with one that is consistently found to have dangerous gaps in security and
time and time again found extremely vulnerable?

Do they significantly improve accuracy? Do they save a significant amount of
money? Do they increase the speed that things are tallied, and does that make
a significant difference or improvement anywhere (because unless i'm missing
something, getting results a few hours earlier is not a good reason to lessen
the security of an election)?

I genuinely don't know, and I'd love to see more information if anyone has it
on this.

Because to me, without knowing all of the details, it reads like "we trade
some security to save costs by just not tallying some precincts at random".

If it's saving a significant amount of money, to the point where the state is
much better off because of it, or if the usage of them somehow increases
turnout by decreasing the time it takes to count votes, then I would agree
with you. But without evidence like that, I'm sitting here wondering why these
machines keep getting used.

Often times things that seem like they shouldn't be secure often are, and I'd
love to be wrong about this one.

~~~
andrewla
I don't have any specific data here, just a gut feel.

> Do they improve accuracy?

I think they pretty clearly would increase accuracy, modulo any potential
tampering. Some of this is structural -- each ballot has multiple elections,
some in which the same candidate can be featured multiple times under
different party affiliations. Tallying this by hand seems intrinsically error-
prone. It's arguable that simplifying the ballot could help both tallying and
voting, but given the current design optical scanning seems like a huge
increase in accuracy.

> do they save a significant amount of money?

Once again, I suspect yes -- tallying the votes by hand takes a lot of time
and a lot of people. Poll workers aren't well-compensated by any means, but
there's still a cost.

> Do they increase the speed that things are tallied, and does that make a
> significant difference or improvement anywhere (because unless i'm missing
> something, getting results a few hours earlier is not a good reason to
> lessen the security of an election)?

I think yes to the first and a matter of opinion on the second. I'm with you
that speed of results is either a non-goal or an anti-goal -- states that
release precinct-level results when voting is still open elsewhere in the
country are implicitly engaging in electioneering in my mind, and should be
explicitly forbidden from doing so.

An automated system combined with random manual tallies seems pretty good to
me from a security standpoint. As an aside, in addition to the random tallies
I believe there is a process where any party can request a certain number of
explicit audits if they feel that the results seem questionable from a given
precinct, and an additional layer of election supervisors who can make a non-
partisan request if there are inconsistencies from previous election cycles)
seems like

In New York I would prefer that the focus be on distributing voter information
earlier and more widely would be a much better use of time than further
changing the actual voting. When I lived in Washington state, you got a voter
information guide with all the candidates and ballot measures, statements for
and against, and an explicit statement as to what is being voted on, well in
advance of the election. In New York, half the time I have to really dig to
even find out what is going to be on my ballot, and finding the full text of
ballot measures is an exercise in futility as you try to navigate through the
NY Department of State to try to find the information. Third-party sources
like local newspapers actually do a significantly better job than the state
does here.

~~~
Klathmon
I'm not sure I agree that they increase accuracy to the point that it would be
worth the downsides. A room full of people who all don't trust one another I
feel can do a fairly good job of reducing the errors down to a minimum. Again,
I could be wrong, and I'd love to see a study or some research in this area
that proves me wrong! (after all, history shows us that a crowd of like-minded
people are capable of some very shitty things without some kind of checks and
balances)

And while I'm sure they save some money, is it worth it? I'd like to get an
idea of the scale involved. Because saving a few hundred thousand dollars a
year for a state would make it absolutely not worth it in my opinion, but a
few hundred million might be.

And finding exact numbers is extremely hard (at least for me), combined with
the fact that these companies basically never release that kind of
information, and I know it's not the best idea to read into these things, but
I can't help but think that they would release these numbers if they were
significant and showed the company saving tons of money for the state.

But i completely agree that there are much better things we can do to improve
voting overall (personally my vote is for changing to a "ranked voting"
system), but these machines still feel like a giant red flag to me. There's
not a lot that can be done to swing an election by just a few people, but put
some kind of electronic or computerized system in the mix, and now there's one
dock worker that has access to a large number of the machines as they get
shipped, and now you have a single point of failure.

------
kadendogthing
From the "Next Steps" section in the report:

>Congress Must Fund Election Security: National defense is not the role of
state and local government. Further, no state or local government will ever be
able to raise enough capital to defend itself from a determined nation state.
Thus, having codified the basic security standards developed by local election
officials above, Congress must finance the implementation of these security
standards.

Well. We tried: [https://www.pbs.org/newshour/politics/republicans-block-bid-...](https://www.pbs.org/newshour/politics/republicans-block-bid-to-extend-election-security-grants)

~~~
explainplease
Elections are not national defense.

State and local governments have been handling their own elections since
before the country was founded. This is a _good thing_ , because it keeps
elections close to the people, accountable to the people.

The last thing we need is nationalized elections. That would make _all_ of our
elections vulnerable together. And that includes federal funding for state and
local elections, because federal funding always comes with extensive rules and
regulations, which would effectively put elections under federal control.

We need to move more government and accountability _closer_ to the people, not
to Washington, D.C.

~~~
jorblumesea
All it means is a foreign entity like Russia just attacks each state
differently. It won't stop them. Clearly, we are doing literally what you're
saying, and it hasn't worked.

Elections, in the 21st century, should fall within the range of national
defense. Power grids and other types of infrastructure are, why not the
democratic infrastructure like elections and voting?

> The last thing we need is nationalized elections. That would make all of our
> elections vulnerable together.

Or you know, the ability for elections to actually be fixed in a systemic
fashion. It's really the only way.

I really don't understand this attitude. To take an example from the software
industry, would you rather have your users on one OS, for you to secure, or
20+ different ones, where you need to plug holes independently?

Fix one issue with a voting machine, fix them all, as opposed to just fixing
Florida's specific homegrown crap.

~~~
explainplease
> All it means is a foreign entity like Russia just attacks each state
> differently. It won't stop them. Clearly, we are doing literally what you're
> saying, and it hasn't worked.

This country has been around for over 200 years. Our elections have worked
well, or else we wouldn't be having this conversation.

> Elections, in the 21st century, should fall within the range of national
> defense. Power grids and other types of infrastructure are, why not the
> democratic infrastructure like elections and voting?

No, they shouldn't. I want my city, county, and state elections run by my
city, county, and state, so that when something goes wrong, I can go to the
city, county, or state to see about making it right, and even run for office
locally to fix it myself, or go to the state capital at worst--not have to go
to _Washington, D.C._ and complain to some bureaucrat that hasn't even heard
of my city and couldn't care less about my state.

> Or you know, the ability for elections to actually be fixed in a systemic
> fashion. It's really the only way.

Bald assertion.

> I really don't understand this attitude. To take an example from the
> software industry, would you rather have your users on one OS, for you to
> secure, or 20+ different ones, where you need to plug holes independently?

You're looking at it the wrong way. What is easier to attack: a homogeneous
network in which every machine has the same, known vulnerabilities, or a
heterogeneous network in which only subsets of machines have certain
vulnerabilities? What is easier to destroy: a forest comprised of a single
species with the same vulnerabilities to certain pathogens, or a forest with a
variety of species?

Recent history shows the inherent risk of homogeneous networks, e.g. the
NotPetya worm that took down global IT infrastructure for the biggest
companies in the world in a matter of seconds:
[https://www.wired.com/story/notpetya-cyberattack-ukraine-rus...](https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/)

This country was designed around compartmentalization. If one state enacts bad
policies, has corrupt government, etc, it doesn't necessarily affect every
other state. But when the federal government makes bad decisions and becomes
corrupt, it _does_ affect _every_ state.

You want our elections to be more easily compromised, more easily controlled
by third parties? Nationalize them. Use the same systems and rules and
policies everywhere. Make every election, everywhere, have the same, known
flaws and vulnerabilities. Make every election, everywhere, reliant on the
slow-moving federal government to fix problems that states and localities
could fix independently and quickly.

> Fix one issue with a voting machine, fix them all, as opposed to just fixing
> Florida's specific homegrown crap.

How about letting Florida worry about fixing Florida's elections, and you fix
yours. I don't think you'd like Florida telling you how to run your elections,
but that's exactly what you propose in reverse. It's antithetical to liberty.

~~~
dragonwriter
> This country has been around for over 200 years. Our elections have worked
> well, or else we wouldn't be having this conversation.

Doesn't follow; countries can exist for a long time without elections at all,
and, a fortiori, without elections that “work well”. Our existence and ability
to debate the topic doesn't prove our elections worked well on average over
history, or that they've been working well in their most recent form. Or much
of anything else.

~~~
explainplease
The point I'm making is that our elections have worked well, because they're
still going on, and our nation still has its original form of government. If
we ceased to have elections, as you hypothesize, it would no longer be the
same nation, because it would have abandoned its form of government. So the
fact that we're having this conversation, talking about elections that have
been going on for over 200 years, indicates that, yes, they're actually
working pretty well.

When we eventually stop having them, then we can revisit this conversation and
long for the good old days. Meet you back here in...a few centuries?

------
rotten
There are a lot of words in this document. What we need is some infographics
that boil it down into something people without the time to read and parse all
of those findings can understand easily. A map showing vulnerable states, some
pictures showing how easy it is to circumvent a particular system. Something
that shows what percentage of machines are vulnerable and an easy way to know
if the machines in my district are susceptible without having to wade through
pages and pages of text.

~~~
rapind
You should bring this to the attention of USAFacts. Even if you're not a
Ballmer fan, they do have the necessary resources for this sort of work and it
seems like it would align with their mission.

[https://usafacts.org/](https://usafacts.org/)

Maybe we could start tweeting them?
[https://twitter.com/usafacts/](https://twitter.com/usafacts/)

~~~
rotten
Good idea. I tweeted at them.

------
JdeBP
Some of the vulnerabilities are, appallingly, mundane multi-user operating
system misconfigurations that have been known about since the 1960s and 1970s.
The one where simply connecting a serial terminal yields a root login session
with no password is particularly egregious.

------
outworlder
> A second critical vulnerability in the same machine was disclosed to the
> vendor a decade ago, yet that machine, which was used into 2016, still
> contains the flaw.

Sometimes I wonder how some people manage to keep their jobs, and how
companies manage to keep their contracts. This is gross negligence.

------
Klover
I was surprised to read that this remote vulnerability is possible in 23
states. I thought that the United States prides itself on its democracy? How
come voting machines are possible in a democracy?

~~~
hvdhh7
This isn't a remote vulnerability, btw. The attack involves picking the lock
and inserting a device to a parallel port.

~~~
ganoushoreilly
The surprising part of most of these vulnerabilities is they are hardware
attacks. I had a talk with someone the other day that said she heard people
were hacking votes from iPhones. The oversimplification of the topic is doing
just as much harm as good.

I don't know any security professional that would tell you physical access
isn't equal to the ability to hack a device.

The reality is subversion of people managing processes is of a higher
probability than attacks of the machines themselves. It's also not unique to
electronic voting, people are always the weak link in security and will always
be the weak link.

~~~
hvdhh7
The first new attack described in last year's report was that you could DoS a
machine by removing its CPU.

Which, sure, is something to think about. But it's not what I think people are
imagining when you say "voting machine hacking."

~~~
ganoushoreilly
Right!! It's like saying you could DoS a car by removing its spark plugs.

------
ergothus
With partisanship rising to bitter, angry levels in the US while trust in just
about every social group on the decline outside of the record defenders, my
nightmare scenario has been a contested election result. Having no way to
establish to friend, neutral third parties if there was/was not fraud means we
can only rely on people's trust in each other to find a reasonable solution.
That seems unlikely to end well right now, so all I can hope for is that we
don't have such results.

------
dirtylowprofile
During the last 2016 automated elections here in the Philippines, the company
responsible for it was Smartmatic and just found out their source code was
licensed by Dominion.

Now finding out that Dominion's equipment mentioned here is a little bit
worrying. There was also an incident during our elections hours before a
voting machine was accessed just because they have to change a single letter.
It is still disturbing to this day.

------
noetic_techy
I remember when people were laughed at, thought of as kooks and quacks if they
claimed voting machines were easily hackable.

------
538Hack
Combine modern polling data/models with these exploits and the hackers would
only have to target a dozen counties *(?) to change the outcome of the
presidential election because of how the Electoral College works.

(* This is a guess. Trump won in 2016 by 107k votes across 3 states - inside
those states how many counties were actually "swingy"?
[https://www.washingtonpost.com/graphics/politics/2016-electi...](https://www.washingtonpost.com/graphics/politics/2016-election/swing-state-margins/))

------
andrewla
Here's a quick summary of the machines that they have reported vulnerabilities
in. I've used [ed] to mark where I'm adding relevant content not present in
the report.

In my non-professional opinion, none of these vulnerabilities seem earth-
shattering, although the potential lack of paper trails makes some of the
touch-screen systems very dicey. Both of the touch-screen systems have the
option of a voter-verified paper trail, but it's not clear how widely those
options are deployed.

Diebold ExpressPoll-5000

\- Use: Used to check in voters at the polling station.

\- Vulnerabilities: No voting-specific vulnerabilities were found; generally
an insecure WinCE machine. Physical access would be needed to compromise.

\- Impact: Could change voter polls to selectively exclude individuals,
forcing them to use provisional ballots. Could add voters to polls
potentially, but not clear [ed] if this would pass a cross-reference with
upstream voter registry.

Dominion AVC Edge

\- Use: Touch-screen voting machine. Records votes electronically and [ed: has
an optional voter-verified paper ballot audit system. Not clear how widely
the paper ballot system is used with this machine.] Verifies voter
eligibility with a smart card distributed by poll staff. [ed: Presumably the
smart card is cross-referenced with the voter rolls during tally.]

\- Vulnerabilities: Physical vulnerabilities, including swapping out the
electronic storage. [ed: Not clear if this would be detected by audits against
the smart card registration or voter rolls].

\- Impact: Removed or changed votes or completely synthetic votes, [ed: if not
cross-referenced; or the storage could be re-written to change or spoil
existing votes]. [ed: If paper option is not used, then no audit would be
possible if storage is compromised].

Dominion Premier/Diebold AccuVote TSx

\- Use: Touch-screen voting machine. Records votes electronically and has an
optional voter-verified paper ballot system. Verifies eligibility with smart
card distributed by poll staff.

\- Vulnerabilities: Denial-of-service attacks easily available by unplugging a
cable. Smart card is supposed to be reset by the machine, but a substitute
smart card can be used that allows unlimited votes. [ed: Not clear if this
would pass a cross-reference with the voter rolls, or if the machine is
equipped to allow such an audit.] Malware could be distributed for the device
[ed: through unspecified channels]. Such malware would allow an adversary to
compromise many machines without requiring physical access to polling
stations.

\- Impact: Removed or changed votes or completely synthetic votes [ed: if not
cross-referenced with voter rolls; or malware could be used strictly to change
votes and still pass the cross-referencing with voter polls. The user-verified
paper option could mitigate some of this, but the malware could theoretically
spoil the user-verified ballot and produce a new non-spoiled ballot with a
changed vote.]

ES&S M650

\- Use: Strictly for tallying of paper ballots.

\- Vulnerabilities: Physical security at the polling place, and network-based
attacks in situations where the devices are networked (not at the polling
place, but at the clerk's office or similar centralized locations). Though
attempts are made on the device to prevent unauthorized software from being
installed, there are known vulnerabilities that allow that to be changed,
through a serial control port or by modifying the Zip disks (?!) that are used
as the underlying file system.

\- Impact: Changing vote tallies. [ed: An audit would be possible because this
machine uses a direct voter-filled-out paper trail].

~~~
rhexs
The concept of xyz "villages" at DefCon was always pretty silly. Very little,
if anything, new is going to come out when people have no real time or access
to these devices. Combine that with the technical skill of the average
attendee and you get results like this.

Anyone in security could threat model every single one of these attacks on the
back of a napkin in about six minutes. It is sad that you can replace hard
drives in voting machines, but of course that's expected and rather obvious.

It'd be neat if DefCon would use some of its money and sponsor a device
roadshow. Ship these things around to different labs and makerspaces for month
long stints. Sign up someone who has a vague idea of what he or she is doing
that can guide and teach others on weekends. Let people do real work and not
just marketing.

~~~
NikolaeVarius
They tried to. The companies manufacturing the devices refused.

~~~
pbhjpbhj
Rule one (1) for voting machines should be something along the lines of making
examples available for testing to all main political parties; and at cost
price to all people who are electoral candidates.

The parties then can have them analysed and choose whether to use them or not,
perhaps something like all those with more than 10% of the vote previously
could decide whether to use machines or human counting; full consensus
required.

Rule two (2) should be something along the lines of all votes requiring an
agreed sampling to be counted via alternative methods.

You could even have a sample of electoral wards not use the machines at all -
that would _suggest_ irregularities if there was tampering, as the hand
[machine] counted wards would have different voting preferences to the others.
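
The random manual tally that JumpCrisscross and andrewla describe above, and the agreed sampling in pbhjpbhj's rule two, worked through as an added example (not from the report or from any commenter). Precinct names, counts and the seed are constructed, and ranking precincts by a seeded hash is an assumed way to make the draw reproducible by observers.

```python
import hashlib
from math import comb


def detection_probability(total, altered, sampled):
    """Chance that a uniform random sample of `sampled` precincts out of
    `total` contains at least one of the `altered` precincts."""
    if altered <= 0 or sampled <= 0:
        return 0.0
    if sampled > total - altered:
        return 1.0  # the sample cannot avoid every altered precinct
    return 1.0 - comb(total - altered, sampled) / comb(total, sampled)


def min_sample_size(total, altered, confidence):
    """Smallest sample that catches at least one altered precinct with
    probability >= confidence (returns `total` if that is unreachable)."""
    for n in range(total + 1):
        if detection_probability(total, altered, n) >= confidence:
            return n
    return total


def select_precincts(precinct_ids, seed, sample_size):
    """Pick precincts by ranking SHA-256(seed:id). Anyone who knows the seed
    (for example one drawn in public after machine totals are posted) can
    recompute the same selection, whatever order the ids are listed in."""
    ranked = sorted(
        precinct_ids,
        key=lambda pid: hashlib.sha256(f"{seed}:{pid}".encode()).hexdigest(),
    )
    return ranked[:sample_size]


def audit(machine_counts, hand_counts, selected):
    """Compare scanner totals with hand tallies for the selected precincts.
    Returns (precinct, candidate, machine, hand) for every mismatch."""
    discrepancies = []
    for pid in selected:
        machine, hand = machine_counts[pid], hand_counts[pid]
        for cand in sorted(set(machine) | set(hand)):
            if machine.get(cand, 0) != hand.get(cand, 0):
                discrepancies.append(
                    (pid, cand, machine.get(cand, 0), hand.get(cand, 0))
                )
    return discrepancies


# Constructed sample data: eight precincts, two candidates.
MACHINE_COUNTS = {
    "P01": {"A": 410, "B": 390},
    "P02": {"A": 380, "B": 420},
    "P03": {"A": 405, "B": 395},
    "P04": {"A": 399, "B": 401},
    "P05": {"A": 450, "B": 350},  # scanner total differs from the paper
    "P06": {"A": 420, "B": 380},
    "P07": {"A": 390, "B": 410},
    "P08": {"A": 400, "B": 400},
}
# Hand tallies of the paper ballots match the scanner everywhere but P05.
HAND_COUNTS = {pid: dict(counts) for pid, counts in MACHINE_COUNTS.items()}
HAND_COUNTS["P05"] = {"A": 400, "B": 400}

if __name__ == "__main__":
    total = len(MACHINE_COUNTS)
    n = min_sample_size(total, altered=1, confidence=0.5)
    chosen = select_precincts(list(MACHINE_COUNTS), "constructed-seed", n)
    print("hand-count", n, "of", total, "precincts:", chosen)
    print("chance of catching one altered precinct:",
          round(detection_probability(total, 1, n), 3))
    for row in audit(MACHINE_COUNTS, HAND_COUNTS, chosen):
        print("mismatch:", row)
```

A mismatch in a sampled precinct is the trigger for a wider hand count; a clean sample only bounds how many precincts could have been altered without being noticed.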

------
reversengineer
It is an absolute farce that there are electronic voting machines in use which
are closed-source.

------
mrnobody_67
This is terrifying. Full stop.

~~~
ganoushoreilly
Every electronic device is hackable with physical access. Every process that
has humans involved is exploitable.

I'm more alarmed at the number of people willing to complain and moan about
change, yet refuse to volunteer at their local polling station. If awareness
is important, we have to start somewhere, yet the vast majority of people
complaining expect it to just solve itself.

Sometimes to fix a broken system you have to become a part of it and change
from the inside.

~~~
TheDong
> Every electronic device is hackable with physical access. Every process that
> has humans involved is exploitable.

This is a useless statement. Security is a continuum, and it's perfectly valid
to point out voting machines suck on that continuum.

I store my private key on a yubikey, and sure if you had physical access and
spent about $300k you could decap it and recover the private key (with a
success rate of maybe 10%, an expensive hardware lab, and expertise only a
handful of people have).

That's a whole different ballpark from voting machines which don't use a
hardware TPM [0] to attest votes, but instead store them in csvs while running
windows CE such that an attacker with a jumpdrive can plug it in and alter
records using exploits which have been public for years and years.

> Sometimes to fix a broken system you have to become a part of it and change
> from the inside.

Unfortunately, various people have tried to change it with no success. The
voting machine companies have contracts with the government that preclude new
entrants to the business.

Security researchers who contact voting machine companies have no impact.

Technology such as TPMs exist, but the voting machine vendors have little
apparent interest in these new ideas and technologies.

I don't think it's fair to discount other commenters from providing
information and discussing their views just because they're unwilling to go
into politics to attempt to fix these silly government contracts (with a low
chance of succeeding)

[0]:
[https://en.wikipedia.org/wiki/Trusted_Platform_Module](https://en.wikipedia.org/wiki/Trusted_Platform_Module)

~~~
ganoushoreilly
"That's a whole different ballpark from voting machines which don't use a
hardware TPM [0] to attest votes, but instead store them in csvs while running
windows CE such that an attacker with a jumpdrive can plug it in and alter
records."

You're not getting any of this access without modifying hardware at the
polling station. If poll monitoring is being performed, they're going to notice
someone taking apart a voting machine.

I was at the Voter Village. Two years in a row I spent time disassembling the
machines. They're not as easy as you're making it out.

Being a part of monitoring of these systems is not something stopped by big
business. That's a cop out.

TPM should be a part of medical devices, but it's not. I would argue that's
even more important than a voting machine. Unless you work for a manufacturer
or are building a voting machine with these systems, sitting around and saying
you could do X or Y doesn't solve a damn thing.

------
liftbigweights
Really don't like how political and advocative DefCon has gotten.

Finding and publishing vulnerabilities is fine. But DefCon shouldn't be
advocating policy or fixes. That should be left to the government, businesses,
etc. The more defcon mixes with authorities, the better.

~~~
Skrillex
If [the government, businesses, etc.] could not (or did not) find these
vulnerabilities, most of which seem like things your average techie might have
checked for, what evidence is there to suggest that [the government,
businesses, etc.] know how to fix them either?

~~~
ganoushoreilly
The same could be said for any system where a vulnerability is found.

Vulnerabilities exist, it's the efforts we put into addressing them that
matters. Yelling about one party or the other being responsible won't solve
the problem. The first steps to a big fix would simply be locking down
processes, things that can be done by volunteers joining in the efforts of
their local and or state voting agencies.

It's easy to sit on the sidelines and say this and that are wrong, I'd
rather see more people standing up and trying to find solutions that work.

I volunteer and we are always short and no one ever seems to "have the time".
The quality of candidates that do volunteer are all over and would have far
greater an impact with more tech exposed individuals instead of the common
retirees that I work with.

~~~
Skrillex
I cannot tell from the wording of the comment, but this seems like a rebuttal.
I agree that solutions should be the first thing that happens as opposed to
blaming. However, the comment that I replied to seemed to be stating that the
solutions should be left to the first order victims of the exploits (which I
am stating is nonsense) and that the DEFCON participants had no place in
offering solutions.

------
artemisyna
Any likelihood we could get some white hat hackers on this... Including
marking things on the day of, if necessary?

~~~
deadmik3
be careful what you wish for, one man's white hat is another man's black hat

------
sebleon
This is a lot like consumer cryptography - yes, technical exploits are a
problem, but they're overshadowed by social engineering.

In the case of US elections - even with secure infrastructure, the election
will be determined by billionaire-sponsored campaign budgets and policies that
entrench the 2 party system.

After the DNC email leak, I'm amazed how little attention was placed on hard
evidence that the Democratic Party methodically sabotaged candidates in the
primaries. Shifting public focus to the "Russian Hacking" was amazing PR work.

