
I Bought Used Voting Machines on EBay for $100 Apiece. What I Found Was Alarming - aacook
https://www.wired.com/story/i-bought-used-voting-machines-on-ebay/
======
kanyethegreat
_To my dismay, I discovered that the newer model machines—those that were used
in the 2016 election—are running Windows CE and have USB ports, along with
other components, that make them even easier to exploit than the older ones._

Just wait until the _next-next_ generation of voting machines has network
access. Then exploitation can really scale.

------
jrochkind1
The article spends a significant portion of the first part of the article
talking about how it was easier to get hands on the physical machine than it
should be.

And in some cases, contrary to the mantra, "security by obscurity" is indeed
an important _layer_ of security. But I'm not sure if this is one of them. Of
all the domains that one would expect state actors to be trying to exploit,
I'd think voting would be near the top. And I don't think trying to only make
sure "authorized" people can get their hands on a voting machine is going to
be much of a barrier to a state actor. The thing better really be secure no
matter how much an attacker knows about it, to defend against state actors,
no?

And of course these _weren't_. But I don't think making it harder to buy an
old machine on ebay would provide enough barrier to the attackers in the
realistic threat model, to even bother doing it. Better to spend the focus on
the actual security of the machine. I feel like the "lifecycle management" of
machines that the author prioritizes as a solution is a misdirection.

> By simply regulating and monitoring the sale of used voting machines more
> closely, we would create a huge barrier to bad actors.

A HUGE one? To the intelligence agency of a foreign state? I doubt it. If you
think it was a huge one, it's a false sense of security that may lead you to
insufficiently prioritize more important fixes. (Which may be _not using
digital voting machines_.)

------
remify
The vote situation in the US is so fucked! It's unbelievable.

I'm glad France is sticking to simple paper and ballot are publicly open.

~~~
Cthulhu_
As long as they actually are simple - there have been instances (e.g. in the
US) where poor design of the voting paper caused confusion as to who you were
actually voting for. Then there's the case of improperly filling them in,
invalidating a number of voting papers as well.

Maybe do a combination? Voting machine that prints a hard copy of your vote.
Activate by scanning your passport or other proof of voting right, centralized
secure repository of who has voted or some kind of deduplication of votes when
counting.

~~~
maeln
I don't understand how is it possible to design a paper ballot that is
confusing. In France, you have 1 paper for each candidate with their name +
party on the paper. You receive each paper by the post before an election AND
there is always all the papers in the voting place anyway.

You just put the paper of the candidate you want to vote for in the ballot box
and that is it.

I understand there are more complicated voting systems (e.g. where you can rate
candidates), but when you do need to choose one option among several, why would
anybody want to use a different voting paper design?

~~~
theandrewbailey
> I don't understand how is it possible to design a paper ballot that is
> confusing.

Say hello to the butterfly ballot:
https://www.asktog.com/columns/042ButterflyBallot.html

> You receive each paper by the post before an election AND there is always
> all the papers in the voting place anyway.

That opens the possibility to observe people picking up the paper of
$CONTROVERSIAL_CANDIDATE and dropping it into the box, thus revealing who they
voted for.

~~~
baud147258
> That opens the possibility to observe people picking up the paper of
> $CONTROVERSIAL_CANDIDATE and dropping it into the box, thus revealing who
> they voted for.

You are supposed to pick at least two papers and usually there are enough
papers so that everyone can pick one of each. Then you go to a booth, hidden
behind a curtain and put one of the papers in an envelope (given after the
official has checked your elector's card), discard the other paper in a basket
case, then drop the envelope in the ballot box.

Of course it limits the possibilities of the vote: one person can only vote
for one candidate, on the other hand, it's easier to understand for the
voters.

------
bayouborne
It's a little off-point, but I can't help to note a bit of unmentioned fallout
to exploitable voting machines -- I early-voted last week in Atlanta and again
(as on every other voting day in Atlanta for the last 7-8 years) the voting
booth had no curtains and virtually no privacy. I assume this is to make it
more difficult for someone to swap in a card that could compromise that voting
machine somehow. But I'd love to see an article addressing this issue - in
some areas of the country you must vote 'publicly' - because the touch points
are so huge on each screen (and color-coded) - each of your selections can
[and are] seen by the poll workers. I'm too lazy to research this further, but
isn't voting anonymity guaranteed/implied somewhere in our country's codicils
(incorrect term, but you know what I mean)

~~~
ergothus
Iirc, it is a state decision. It is hard to get firm answers as there are
different concepts that overlap:

Is it legal to pay someone to vote a certain way? Saying 'no' does not mean it
is a truly secret ballot, but it is something.

Is the ballot printed by the govt as opposed to parties or organizations?
(Meaning there is an "official ballot" and not just any piece of paper) At one
point this was a new thing.

Are you doing an oral vote?

As it is, I think in general you end up with no obligation to share your vote,
but that is not the same as any legal obligation to make the voting booth well
concealed, depending on state, but that is no small amount of reading between
the lines and conjecture on my part, so don't trust me too much.

------
rootsudo
They can also be found at local auctions for less than $10 each.

~~~
aacook
What's their positioning? I assume they're sold for parts or scrap? It seems
so strange.

------
oliwarner
The _constantly aghast_ tone makes every paragraph feel like clickbait.
Shockingly. Surely. Alarmingly.

Why is it shocking that you can buy used voting machines? Why is it alarming
the data is there and unencrypted? Why wouldn't a government (or supplier)
sell on used hardware? Why would tamperproof screws stop you getting access?
(They're for proof of access!)

It's _nothing_ like sensitive medical data (a comparison made in tfa). It's
anonymous data that _should_ be publicly available.

The only concerning thing here is that these crappy machines were used in the
first place. At least they're being flogged off now.

------
hkai
Voters on both sides hate the machines because they can be rigged. Why are
they still a thing?

------
crypt1d
Don't want to turn this into another 'blockchains can solve anything'
discussion - but I do feel some form of blockchain tech could be an effective
way to solve e-voting. Here's why:

- A central authority(government) can control issuance of new keys and
maintain the association between keys and personal information. There are
already plenty of gov ID cards which support digital signatures and can be
used to sign voting keys as well. At the same time personal info would not
show up on the blockchain.

- Blockchain explorers would be used as a way to verify the votes are legit
by virtually anyone

- NVOs, governments, etc can run the blockchain nodes to ensure integrity of
the blockchain

In combination with well designed UIs we can have simple voting apps that can
make e-voting a breeze (see the Smart-ID implementation for a great example of
such tech).

Obviously the attack vector shifts to the gov servers running the key issuance
but it's easier to do opsec on a datacenter level than on individual voting
machines scattered around the country. There's also a question of the
integrity of the voting app, but that can/should be open-sourced and audited.

We obviously have the tech and the capabilities to create very effective
e-voting solutions. Would even go so far as to say that a proper solution
would drastically change the way we think about voting - it would make
on-boarding a lot easier and provide some form of 'direct' democracy that we are
already seeing flourish in countries like CH. So it seems very shady to me
that we end up with BS like this that's very easily exploited and discarded as
ineffective.

~~~
moviuro
> - A central authority(government) can control issuance of new keys and
> maintain the association between keys and personal information. [...]

This means that you can tie a vote to a key, thus a person?

That's not how voting should work. Any vote cast must be secret. Or what's to
prevent any one group from blackmailing you (or any other voter)?

> Voting app

You mean that a thug could coerce me into casting my vote from home?...

> There's also a question of the integrity of the voting app, but that
> can/should be open-sourced and audited.

+ constantly verify that the machine was not tampered with (evil maid) + make
sure the hardware was not compromised (supply chain attacks) + ... on _TONS_
of devices?...

> We obviously have the tech and the capabilities to create very effective
> e-voting solutions.

No, clearly we don't! The current paper ballot model has been battle-tested
since elections became a thing. See
https://www.youtube.com/watch?v=w3_0x6oaDmI

~~~
crypt1d
> That's not how voting should work. Any vote cast must be secret. Or what's
> to prevent any one group from blackmailing you (or any other voter)?

Fair point, but they do not have to maintain the association with the voting
keys. Derivative keys can be signed without it imho.

> You mean that a thug could coerce me into casting my vote from home?...

Don't be naive, things like this happen already even with paper votes. See
https://en.wikipedia.org/wiki/Bulgarian_train

> + constantly verify that the machine was not tampered with (evil maid) +
> make sure the hardware was not compromised (supply chain attacks) + ... on
> TONS of devices?...

I agree that's a problem that needs consideration, but we've solved many such
issues before. There are quite a few ID, banking, authentication, etc. apps
running quite fine and well on consumer devices.

E-voting is a general term that describes methods of voting that involve
electronics. While some solutions are indeed terrible, that doesn't mean all
are.

~~~
moviuro
> Don't be naive, things like this happen already even with paper votes. See
> https://en.wikipedia.org/wiki/Bulgarian_train

That's weird. I don't understand that "filling" paper ballots. In France, we
get to pick N papers with only one candidate's name printed on each. We then
discard and seal in the envelope the papers we want once we're in the
"isolation room".

> I agree that's a problem that needs consideration, but we've solved many
> such issues before.

No, we never had the entire destiny of any one country rely on a single piece
of tech running on untrusted devices. Banks can contact any individual if
their logins were leaked or if their money transfers appear suspicious; but as
votes cast must be kept secret, you can't do anything similar with voting.

> E-voting is a general term that describes methods of voting that involve
> electronics. While some solutions are indeed terrible, that doesn't mean all
> are.

Still waiting for a viable solution - so far I don't know of one.

