
Hackers at convention to ferret out election system bugs - rbanffy
https://www.reuters.com/article/us-cyber-conference/hackers-at-convention-to-ferret-out-election-system-bugs-idUSKBN1KV0ZQ?il=0&utm_medium=Social&utm_source=Twitter
======
beat
Some useful information about paper ballot process, based on my experience as
a Minnesota election judge. Minnesota has _excellent_ election law and
process, which is how we've survived two high-profile statewide recounts in
the recent past without incident.

First and foremost, paper ballots everywhere. No touchscreens.

Second, from printing time onward, _all_ handling of ballots, whether marked
or unmarked, must be done in the presence of representatives of at least two
political parties. At no point are ballots left alone with individuals or only
one party (this is something a lot of states could learn from us!). This
eliminates many avenues for cheating by adding or removing ballots from the
count.

The ballots themselves are Scantron, fill in the dots with ink. The state
provides standardized pens for this.

All registered voters in a precinct are tracked in a paper roll. In order to
get a ballot, voters must either be in the registration book, or apply for a
provisional ballot (which requires identification). Names are marked off the
registration roll as they get their ballots, and a count is kept. At the end
of voting, the total count of the voting machines must match the total count
of voters _exactly_. Any difference triggers a manual count.

Scantron machines are randomly spot-checked - some percentage of them will be
hand-counted, and those counts checked against the machine results. Multiple
mismatches across the district/state would trigger an election-wide hand
count. This insures against cheating by altering the behavior of the machines.
(This is also where touch-screen machines fall down, imho, and should be
flatly banned! There is _no_ manual guarantee of the integrity of the results
in a touch-screen machine.)

Initial counts on election day are provisional, and need to be certified via
additional checks before being finalized (including the possibility of
recounts).

There's more, but these are the big ones, and you get the idea. This entire
system depends on protecting the integrity of physical ballots, which as you
can see, is pretty straightforward.

~~~
BoiledCabbage
Such incredibly simple steps.

Who thought it was a good idea to "disrupt" voting by going electronic?

~~~
beat
It's not just electronic voting. Let's look at a _real_ attempt to subvert
elections - Voter ID laws. Voter ID is presented as a solution to a problem
that actually does not exist, given this system.

In Minnesota, you show up at the polling place, say your name and address,
they find you on the registration list, check you off, and hand you a ballot.
No need to prove you are who you say you are. If someone pretends to be you
before you vote, then it's immediately and obviously brought to the attention
of the judges (and we aren't seeing a massive wave of fakery now). If someone
pretended to be you after you vote, they'd get caught.

Of course, someone could fake it, with someone's registration that they know
won't vote. But if they repeated it at a single precinct, the odds of being
recognized as a repeat voter by the election judges go up. So they would
have to move from precinct to precinct, with a list of viable registered non-
voters to use.

Now, consider scale. A statewide Minnesota election is about 1.5M voters. To
move the outcome 1% requires 15,000 votes. If one person can manage to vote
illegally ten times in a day, it would require 1500 people in a conspiracy.
Plus data management, tight enough for no errors. And NO leaks while these
1500 people are trained (and probably paid, if you want that many).

With that in mind, the idea of actually manipulating the election with votes
that could be prevented with Voter ID is absurd. But! If we put ID laws in
place, we could well reduce the number of voters by 1%, and that result would
be biased toward people who are poor or otherwise not fully integrated into
mainstream society.

Election manipulation, completely legal, and more effective than the mechanism
it purports to prevent. Ugh.

And hey, if voters are dumb enough to fall for that, maybe we can get them
excited for touchscreen machines!

~~~
function_seven
This comment has put me firmly in the anti-Voter-ID column. I've always been
on the fence regarding Voter ID.

On one hand, I can see the effect that it would have on the makeup of the
voters: older, richer, more established.

On the other hand, I couldn't shake the idea that voting is too sacred to not
enforce some level of identity verification.

You just swept away my "on the other hand". Thanks.

~~~
patejam
So I still think we should have Voter-ID, but I don't think we're ready for it
yet.

My arguments for:

First, don't people have to register to vote in most places? I don't see how
bundling your Voter-ID acquisition with registering to vote would be bad.

Second, a valid state ID should be enough to vote even with Voter-ID. This
DRASTICALLY reduces the number of IDs we need to handle.

My main argument against not doing it right now:

We'd need proper funding that we're not going to get in the current political
climate. A half-assed solution would be BAD.

~~~
boomboomsubban
> I don't see how bundling your Voter-ID acquisition with registering to vote
> would be bad.

How many times have you forgotten to bring some random item you need for
something you're doing? Why stop someone from voting because of a mistake
virtually anyone could make?

~~~
patejam
I don't think forgetfulness has a political bias

~~~
boomboomsubban
It has a time-based pro-wealth bias that becomes much larger when you combine
it with your second argument, as you're less likely to forget something you
take every day.

------
jimrandomh
I don't think the goal here is to secure the electronic voting systems; that's
impossible, and everyone knows it. The goal is to provide ammunition for
getting them decertified.

~~~
d0lph
Is it really impossible though? I feel like we could eventually figure it out.

~~~
michaelt
The threat model is corrupt election workers, who have unmonitored access to
the machines.

And if you find problems after the winner is declared? “Only the losing side
cares, and they’re just sore losers”

Or an adversary could not commit fraud, just trip the fraud alarms in areas
their opponent is strong.

So it’s very, very difficult to secure.

~~~
jedberg
Somehow we manage to secure electronic banking despite possibly corrupt bank
tellers having unmonitored access to the ATMs. I’m sure if the money were
there we could secure voting the same way.

~~~
NullPrefix
> manage to secure electronic banking

Quite a bold statement. Electronic banking is primarily secured by the means
of insurance.

~~~
jedberg
Which detects problems and fixes them. That’s all we really need. A reliable
way to detect problems and fix them.

~~~
tlb
It takes a long time to detect and fix problems. That's OK with ATM machines,
because if you catch the insider who tampered with them months or years later,
you can put them in jail and probably get most of the money back. But
reversing election results more than a day or two after the first announcement
is really bad for the stability of the country.

In fact, people are still digging into whether voting machine fraud happened
in some states in the 2016 election. Any result now is too late.

Also, the nature of hacks is that you can often detect that one occurred, but
not exactly what was changed. How would you take the news, "It looks like the
Russians had root on every voting machine. But we've reconstructed the correct
vote counts from analyzing deleted database files found in the free block
list, and the winner is..." Not too convincing.

------
cabaalis
Are the people at this convention privy to classified information about actual
hacks attempted? [1]

[1] [https://www.nbcnews.com/politics/elections/russians-penetrated-u-s-voter-systems-says-top-u-s-n845721](https://www.nbcnews.com/politics/elections/russians-penetrated-u-s-voter-systems-says-top-u-s-n845721)

~~~
rbanffy
I don't think anyone in attendance who knows that would come forward.

~~~
cabaalis
What I'm getting at is, if not, then wouldn't it become just a thought
experiment? Granted one conducted by very intelligent individuals.

~~~
NegativeK
Voting machine security had a presence at Defcon before the 2016 election. The
2016 election interference might increase its activity, but it's never been
just about that.

------
zestyping
The key property we need to be looking for is software independence.

[https://people.csail.mit.edu/rivest/RivestWack-OnTheNotionOfSoftwareIndependenceInVotingSystems.pdf](https://people.csail.mit.edu/rivest/RivestWack-OnTheNotionOfSoftwareIndependenceInVotingSystems.pdf)

That doesn't mean that securing the software isn't important. But it does mean
that, in any evaluation of a voting system, we should be evaluating the whole-
system design (including the _critical parts_ of the software) in terms of how
software independence is achieved.

------
narrator
Being one who delves into the conspiracy corners of the Internet I got to
thinking on a theory about all this. I am just spitballing here, but what if
the bad guys who put all the bugs in these voting machines at one Intelligence
Agency are in a hacker war with the good guys at some other Intelligence
Agency on election night and the vote total is just the final score of the
hacker battle. Neither side wants to call the other side out, because they
don't want to air all their dirty laundry in public.

~~~
ggggtez
You're being worried about the wrong things. The problem is companies that
make these products care about making money, not making safe votes. As long as
their marketing is good enough, they can hire sub-par programmers to do a
shoddy job. No conspiracy is necessary to end up in the situation at hand.

Consider seeking out a medical professional to help with your delusions.

~~~
narrator
I said I'm spitballing[1] which means purely speculating for fun and not
saying that I'm sure that that's the truth. It's really weird how these days
you can't even throw out ideas for fun without some guy bringing out the heavy
duty personal attacks.

Anyway, if you looked at WikiLeaks Vault 7 leak, the CIA stockpiles zero days
that they use to remote hack all kinds of different platforms. Other
intelligence agencies do the same. One of the voting machine companies had
pcAnywhere installed on their machines which is even known to be full of
holes[2]. Whether this is negligence or malice is really up to a jury to look
into, but certainly the possibility is there.

[1][https://www.urbandictionary.com/define.php?term=spitballing](https://www.urbandictionary.com/define.php?term=spitballing)

[2][https://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states](https://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states)

~~~
ggggtez
Let's be clear, your theory is that "bad guys" _put_ the security holes in the
voting machines (not incompetent underpaid workers) and that they are having a
_hacker fight_ with the _good guys_. Watch less tv, and stop reading those
conspiracy theories sites. You are losing your grip on reality.

Security bugs are real. Hacking is real. What you are talking about is not
spitballing. That's just fantasy.

~~~
narrator
Wow, I must have hit a nerve cause this kind of ad hominem arguing that you're
doing is unusual for HN.

People saying the NSA was working with hardware vendors to purposefully insert
backdoors in routers were called crazy too before the Snowden leaks. I guess
you haven't been keeping up with the news or do you think the Snowden leaks
qualify as baseless conspiracy theories?

"A 2012 TAO budget document claims that these companies, on TAO's behest,
'insert vulnerabilities into commercial encryption systems, IT systems,
networks and endpoint communications devices used by targets'."[1]

[1][https://en.m.wikipedia.org/wiki/Tailored_Access_Operations](https://en.m.wikipedia.org/wiki/Tailored_Access_Operations)

------
irrelative
Obligatory: [https://xkcd.com/2030/](https://xkcd.com/2030/)

~~~
bcaa7f3a8bbc
previous discussion

[https://news.ycombinator.com/item?id=17717676](https://news.ycombinator.com/item?id=17717676)

[https://news.ycombinator.com/item?id=17732437](https://news.ycombinator.com/item?id=17732437)

~~~
js2
I'd like to call attention to what I consider the most informative comment in
either of those discussions:

[https://news.ycombinator.com/item?id=17730681](https://news.ycombinator.com/item?id=17730681)

~~~
rbanffy
That's a pretty good comment.

I helped write the software for the Brazilian voting machines (state issued,
standardized, made to spec by competing companies) and we had a long list of
scenarios we had to guard against. The people who wrote the spec were field
experts who studied attempted and successful (but caught) voting fraud every
election. The resulting combination of hardware, software (the application
itself is ridiculously simple), analysis and (and this is most important)
procedures surrounding the physical devices (never left alone unguarded, clear
chain of custody) created layers of protection and, in the end, a reasonably
secure device. Is it possible to make it absolutely secure? I'm not sure. Would
that be usable? I doubt it.

It's foolish to make a flawless voting system when we can't guard against
propaganda and other forms of manipulation through social media or even the
most traditional paying voters (either explicitly or through promises) to vote
a certain way.

~~~
jdietrich
I must offer my congratulations to you and your colleagues. I am broadly
opposed to electronic voting, but the Brazilian implementation seems to be the
most sophisticated, elegant and well-engineered.

~~~
rbanffy
Thank you. It was an interesting experience and I'm proud of what we
accomplished.

