
Hacking Voting Machines at Defcon - maxerickson
https://blog.horner.tj/post/hacking-voting-machines-def-con-25
======
vowelless
I used to think electronic voting was the logical next step. But now, I think
voting is too important to be left to electronics. It should be done on paper.

 _We trust billions of dollars every day to electronic banking, so why not a
vote?_ Electronic banking comes with many types of federal guarantees to
protect against fraud. The government can step in to investigate and prosecute
the fraud as well. But there is no such guarantee for the voting to select the
government itself!

 _But it takes so long to aggregate the votes if done with paper ballots._
Precisely the point. Electronic voting allows _scalable attacks_ where the
number of weak points is dramatically reduced. It is very hard to scale
attacks on paper ballots. You would need a coordinated effort in many voting
stations to make it work as opposed to hacking a more central electronic
system.

That is why I moved from thinking that electronic voting is the logical next
step to thinking that we probably need to revert back to paper ballots.

~~~
raverbashing
Electronic voting is fine (WITH a paper trail)

You just need regulation to prevent the abysmal idiocy of manufacturers

Also standardize the interface (ADA compliant, etc)

Hire the Nevada Gaming Commission to regulate it and so be it. Make the
machine print a paper backup that is put on a ballot box as well

~~~
yflu
But is there any advantage to e-voting?

Assuming that we can achieve exactly equal security to paper voting for a
moment, what have we achieved other than adding another few layers of
middlemen and cost?

~~~
edelans
e-voting enables more sophisticated voting methods, such as
[Range Voting](https://en.wikipedia.org/wiki/Range_voting).

Range voting is arguably more democratic than some other voting methods. But
much more complicated to put in place with paper ballots :/.

~~~
dragonwriter
There's a fundamental issue in voting, which is that ballot markings may not
have a consistent meaning from voter to voter. Most analyses of voting methods
ignore this and its impacts, which are difficult to quantify, but it's pretty
clear the effect is maximized in two cases:

(1) systems which limit rankings to a fixed number (the most extreme case for
real ballot methods being two) of ranks (approval and FPTP both are two-ranks
methods), and

(2) systems which use numerical ranking systems that draw finer distinctions
than mere ordinal ranking (range/score voting being the main example.)

The problem is minimized in ranked-ballots methods, though there is room for
debate over whether forced or unforced rankings are better in this regard.

For this reason, I would reject range voting for most public elections
independent of practical difficulty (there might be exceptional cases where a
consistent meaning can be attached to range ballots, but it's not the case in
normal public elections.)

OTOH, ranked ballots Condorcet methods which need to compare pairwise results
are probably more tractable with e-voting (or, rather, e-tallying.)

~~~
ClayShentrup
Bayesian Regret calculations show Range Voting to be superior, even when
accounting for your objections.

[http://scorevoting.net/BayRegsFig.html](http://scorevoting.net/BayRegsFig.html)

There's even a theorem that it tends to elect Condorcet winners under
plausible models of voter strategy.

[http://scorevoting.net/AppCW](http://scorevoting.net/AppCW)

Believe me, its advocates have heard every criticism you can imagine, and the
counter-argument is robust. I recommend you check out the book "Gaming the
Vote".

------
Klathmon
Electronic voting is dangerous and is a very bad idea. Voting should be done
on paper, using pencils, put into ballot boxes, and counted by people.

Paper works, and it works well. It's a system that has worked well enough for
thousands of years, and we have figured out most of the issues with it during
that time. Anyone that can count can validate a single precinct. You can have
one person, or 100 people all standing there watching a ballot box all day for
tampering. You can have a whole group of people count the results, or just a
few.

In a traditional paper system, swaying a single precinct with "blackhat"
methods takes a lot of physical resources, a lot of time, and in most cases a
lot of people. Then multiply that by every precinct in the country, and it
quickly becomes pretty much impossible to do and get away with. Plus it leaves
a physical "paper trail" (in the form of payment for people, communications,
and physical materials or the receipts for those materials).

Electronic voting gives us very few benefits, and a significant amount of
downsides. And it doesn't matter if it's FOSS, it doesn't matter if it's
vetted, it doesn't matter what safeguards are put in place, all it takes is
one mistake. One fuckup, and someone can now choose the leader of a nation,
and in some cases that leader can change the rules of the next election,
meaning it only takes one single mistake to ruin it for many many generations
in the future.

And replacing a system where literally everyone can validate a system on
voting day if they want to with a system where only a _fraction of a fraction_
of people can even read and understand the code, let alone validate the code
(and can't actually validate the hardware, or make sure what is running on the
hardware is actually that code, or make sure that the hardware is even what it
says it is), and it takes a magnitude more time to do so, just isn't a good
idea.

~~~
TeMPOraL
I know it's tangential to the point you're making, but I have to ask:

> _using pencils_

Why pencils? Aren't pens more secure (more difficult to erase / alter without
leaving a visible mark on paper)?

~~~
simias
You could just have pre-printed ballots with the name of the person you're
voting for on them. That's how we do it in France, no pen or pencil required.

I think in the USA there tends to be several issues on the ballots however, so
I guess it's not very practical in that case. It probably makes the counting
harder however.

~~~
dx034
Ballots are usually pre-printed. But you still need a pen or pencil to check
the right box.

~~~
simias
Right, but it's still probably slightly harder to fill and count. Not
massively so of course but maybe enough to slow things down.

Compare
[https://upload.wikimedia.org/wikipedia/commons/d/dc/France_%...](https://upload.wikimedia.org/wikipedia/commons/d/dc/France_%C3%A9lections_pr%C3%A9sidentielles_6_mai_2012_bulletins_de_vote_second_tour.JPG)
with [http://etc.usf.edu/clippix/pix/2012-presidential-election-ba...](http://etc.usf.edu/clippix/pix/2012-presidential-election-ballot_medium.jpg)

------
cyborgx7
The Chaos Computer Club did some extensive educational work a couple years
back to make sure we keep our paper ballots here in Germany. And this work
keeps going to this day. I'm very grateful, seeing all the issues we are
avoiding because of this, but the fight against misinformed or malicious
politicians is still going on.

A very important factor in their work was making sure people called them
"voting computers" instead of "voting machines". Most people have a sense by
now that computers are hackable and insecure, if only through movies where
hackers can hack every system. Calling them machines gives people the sense
they are unhackable mechanical appliances.

~~~
dx034
Voting in Germany is very efficient anyway as votes are usually counted within
1-3 hours and a final result overnight. It's hard to see the advantage of
computers, buying the machines will likely outweigh paper costs.

That's a bit different in other countries where counting paper ballots can
take days. Doesn't make voting machines safer, though.

~~~
cyborgx7
> That's a bit different in other countries where counting paper ballots can take days.

Seems to me the solution is to figure out what makes German voting and vote
counting so efficient and replicate that, rather than switching to voting
computers.

~~~
greenshackle2
It's that ineffable German efficiency.

------
iainmerrick
I think the key problem with electronic voting is the possibility of a "class
break", as explained here by Bruce Schneier:
[https://www.schneier.com/blog/archives/2017/01/class_breaks....](https://www.schneier.com/blog/archives/2017/01/class_breaks.html)

If there's a flaw in the system -- and there will be flaws, the only question
is how soon they're found -- there's a risk that the whole thing can be
compromised in one fell swoop.

Whereas pen and paper voting, counted by hand, is slower and less accurate and
has plenty of its own flaws, but there's no simple way to compromise the
entire vote at once. You'd have to fool a whole bunch of different people in
different ways, and/or recruit them into a huge conspiracy.

Other countries use pen and paper and it works fine. Electronic voting
machines should be banned.

------
Canada
After more than a decade of security researchers raising the alarm over
critical electronic voting machine vulnerability, I hope this finally causes
some real demand for verifiable ballots.

~~~
ThomPete
No one really claims that the voting machines were secure because it was
technically advanced. The voting system is secure because it is irregular and
physically distributed and not connected.

In other words. Hacking the election is up there with the US planned 9/11, it
would require social engineering of unheard proportions.

~~~
learc83
In a close election it's potentially feasible to flip an election by hacking
the machines in a few hundred precincts across 2 or 3 states. Still unlikely
but potentially feasible given a determined, well funded adversary.

And you wouldn't have to actually flip the election to undermine its
legitimacy.

> In other words. Hacking the election is up there with the US planned 9/11

9/11 happened, so someone planned it. Very few people are worried about the US
government hacking voting precincts. They're worried about a foreign
government doing it.

~~~
waqf
If an election were flipped in such a way, it would be noticeable because the
candidate would lose the popular vote (since the popular vote is a robust
statistic and can't be flipped without a large number of hacked machines) but
would somehow happen to win by a very narrow margin in a few critical swing
states.

(Of course the same is true of any other campaign technique, legitimate or
illegitimate, that relies on targeting specific precincts.)

~~~
learc83
Was this sarcasm?

In case it wasn't, in the last election the candidate that won lost the
popular vote by about 3 million votes. But won 3 critical swing states by
about 80k votes total.

There was no widespread auditing of the voting machine code after this
happened.

------
tcbawo
I am not a fan of electronic voting as it exists today. But, I expected to see
someone advocate a blockchain-like trail to ensure election integrity.

Also, why don't we have automatic voter registration? Let's pay this cost once
and move on.

~~~
Larrikin
It's not to the advantage of all parties to ensure everyone can vote

------
cobookman
I'm for both. Aka you submit your ballot on paper. Have a machine and people
both count the vote. If the machine count has a different outcome vs people
then you know you've got an issue.

By outcome I mean something like machine had person A winning, people count
has person B.

~~~
JorgeGT
We do something similar in Spain. We vote with paper ballots. Then, when polls
close, the volunteers at each table count the ballots and input the data into
an electronic system, which makes the aggregates. In a few hours (4-5) we have
the results of the election.

However, paper ballots are returned to the voting urns and sealed. The sealed
urns are then sent to a few centralized counting locations where they are
manually counted again by civil servants during the course of a few weeks.
(Party representatives can witness both countings).

Usually there are some very very small differences between the first and the
second counting, but I don't recall even a seat changing because of them. This
has the advantage of being both fast and safe.

------
corpMaverick
In my country a losing presidential candidate has been able to convince part
of his base that there was electronic fraud using an 'algorithm' even though
the whole process was done manually. Imagine if it was really done
electronically. That is why I am convinced voting should be done with paper
and pencils.

~~~
itodd
In my country, it was the winning presidential candidate complaining about
fraud.

------
thrillgore
Put us back on paper ballots. Christ, some systems should be as simple as
possible.

~~~
maxerickson
Much of the US does use optical scan paper ballots:

[https://ballotpedia.org/Voting_methods_and_equipment_by_stat...](https://ballotpedia.org/Voting_methods_and_equipment_by_state)

Hopefully the message that paper ballots are simpler and provide a strong
audit trail will continue to beat back the new and shiny.

~~~
CWuestefeld
Are optical scan ballots really "paper ballots"? It seems to me that in all
the relevant criteria, this is just electronic voting with a different input
method.

~~~
maxerickson
Yes, they are paper ballots. The "machine" is a pen and the ballot and the
official record of the vote is the paper ballots, the electronic tally is just
for convenience.

So for example, if the machine in a precinct catches fire and explodes, the
vote proceeds, except the ballots are placed in a box. If the numbers reported
by the machine are nonsensical, the machine is set aside and the ballots are
counted manually. If there is a recount, the ballots are counted manually.

~~~
radarsat1
> If the numbers reported by the machine are nonsensical

The problem is that this is not a sufficient criterion for detection.
Presumably a hacked machine would spit out "sensical" counts that are biased
to one side, not 99% for one party or something like that. How would you
detect that by just looking at a simple sum?

I can't really see how to verify the count without having everyone check that
the machine printed what they thought, and having multiple people perform
independent counts that must match.

You could have people count _later_ and check that the machine got it right,
but then consider the problems that would cause if the media was reporting bad
numbers before the official count is finished.

~~~
maxerickson
The point of that remark was to point at the ballots being the actual record
of the vote rather than the result provided by the counting machine.

It is certainly the case that trust in such machines could be misplaced.

~~~
radarsat1
> It is certainly the case that trust in such machines could be misplaced.

Right but if that's the case, you're going to have to count them by hand at
some point. So what do the machines bring to the table, if their whole purpose
is to avoid that?

~~~
tveita
You usually only need to hand count a small number of randomly selected votes
to verify the result statistically. The exception being very close results
where a handful of votes makes the difference.

~~~
radarsat1
That is a good point, as long as "randomly selected" can be assured.
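
The sampling check discussed in the two comments above, as an added example that is not part of the original thread: a two-candidate ballot-polling audit (a sequential test of the kind used in risk-limiting audits; the comments name no specific method) with ballot positions derived from a public seed. The function names, the seed string and the ballot box are constructed for illustration.

```python
import hashlib
import math

def public_sample(seed, n_ballots, k):
    """Pick k ballot positions (with replacement) from a public seed, e.g. dice
    rolled in front of observers, so anyone can recompute the selection."""
    picks = []
    for counter in range(k):
        digest = hashlib.sha256(f"{seed},{counter}".encode()).digest()
        picks.append(int.from_bytes(digest, "big") % n_ballots)
    return picks

def expected_sample_size(winner_share, risk_limit=0.05):
    """Approximate average number of ballots to inspect when the reported
    two-candidate share is correct (Wald's approximation, ignores overshoot)."""
    p = winner_share
    drift = p * math.log(2 * p) + (1 - p) * math.log(2 * (1 - p))
    return math.log(1 / risk_limit) / drift

def ballot_polling_audit(sample, reported_share, risk_limit=0.05):
    """Hand-inspect sampled paper ballots one at a time ('W' = reported winner,
    'L' = loser). Returns how many ballots were needed to confirm the reported
    outcome, or None if the sample ran out, which means: do a full hand count."""
    if not 0.5 < reported_share < 1:
        raise ValueError("reported winner must have more than half the votes")
    ratio = 1.0  # evidence for "reported share is right" versus "it was a tie"
    for n, ballot in enumerate(sample, 1):
        share = reported_share if ballot == "W" else 1 - reported_share
        ratio *= share / 0.5
        if ratio >= 1 / risk_limit:
            return n
    return None

if __name__ == "__main__":
    # Constructed ballot box: 10,000 paper ballots, 55% for the reported winner.
    box = ["W"] * 5500 + ["L"] * 4500
    order = public_sample("constructed-dice-roll-31415", len(box), 3000)
    print("ballots inspected:", ballot_polling_audit((box[i] for i in order), 0.55))
    # A 10-point margin needs hundreds of ballots, a 1-point margin tens of thousands.
    print(round(expected_sample_size(0.55)), round(expected_sample_size(0.505)))
```
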

------
tribby
I like paper voting but there should be a holiday and the vote should be
mandatory even if only to check off "none of the above." The reason I like
electronic despite its flaws is someone can do it while on the toilet, and
here in the US where there is low turnout and voter suppression, that's about
where I want the bar to be.

------
em3rgent0rdr
Where is the memory card physically stored? Is that something that a hacker
could easily gain access to without being noticed?

~~~
tjhorner
Top of the device, secured with a simple Phillips head screw during use, easily
accessible.

------
elbac
There is an excellent podcast series on the subject of electronic voting,
where several experts give their opinions.

[https://www.predictingourfuture.com/online-voting/](https://www.predictingourfuture.com/online-voting/)

After listening, I became convinced that electronic/internet voting is a
terrible idea.

------
alistproducer2
I'm old enough to remember when e-voting was brought about by the Bush
administration. At the time those of us on the far left were convinced that
Bush was the American incarnation of Hitler (seems quaint now, doesn't it) and
Diebold e-voting machines were going to precipitate the end of democracy.

~~~
cr0sh
What if we've gotten into some kind of weird feedback loop where every swing
of the pendulum between the two parties has been leading to more and more
"extreme" candidates on each side?

Or what if the extremism is only on one side, because they perceive the other
side as being too extreme, when that side is just trying to be for the people?

I'll leave you to decide which side is which, of course...and where all this
might lead (it ain't pretty, should this actually be what is playing out).

------
bdz
I'm more surprised that you can buy voting machines from eBay

------
jvandonsel
A voting machine with frickin' open USB and Ethernet ports?

~~~
kuschku
Almost all of them have open USB and Ethernet ports, or just connect to the
alphabetically first WiFi they can find.

~~~
tempay
> just connect to the alphabetically first WiFi they can find

Do you have any sources for that?

~~~
kuschku
Hm, apparently I misunderstood, someone found some voting computers that just
connect to the first WiFi they find with the correct name.

------
em3rgent0rdr
Voting needs something called "homomorphic encryption", which allows simple
arithmetic to be performed on encrypted data without decrypting it.
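
What "arithmetic on encrypted data" means for a tally, as an added example that is not part of the original thread: each ballot is encrypted separately, the ciphertexts are multiplied together, and only the product is decrypted, which yields the sum of the votes. The comment names no scheme; Paillier is used here as one additively homomorphic choice, and the primes and votes are toy values constructed for illustration.

```python
import math
import secrets

def keygen(p, q):
    """Toy Paillier key pair from two primes (real keys use ~1024-bit primes)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # valid because the generator is fixed to g = n + 1
    return n, (lam, mu)

def encrypt(n, vote):
    """Encrypt one vote; a fresh random r makes equal votes look different."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    # (n + 1)^vote mod n^2 equals 1 + vote * n
    return (1 + vote * n) * pow(r, n, n2) % n2

def add_encrypted(n, ciphertexts):
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    total = 1
    for c in ciphertexts:
        total = total * c % (n * n)
    return total

def decrypt(n, private_key, c):
    lam, mu = private_key
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n

def tally(n, private_key, encrypted_ballots):
    """Decrypt only the aggregate; individual ballots are never opened."""
    return decrypt(n, private_key, add_encrypted(n, encrypted_ballots))

if __name__ == "__main__":
    n, priv = keygen(1009, 1013)        # constructed toy primes
    votes = [1, 0, 1, 1, 0, 1, 0, 1]    # constructed: 1 = yes, 0 = no
    ballots = [encrypt(n, v) for v in votes]
    print("yes votes:", tally(n, priv, ballots))
    # Not shown: a deployed system also needs a proof that each ciphertext
    # holds 0 or 1, and must split the private key among several trustees.
```
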

------
UltimateFloofy
Very nice. Voter McVoteyFace deserves an upvote.

------
miheermunjal
this just re-stresses the point to COMPETITION in the electronic voting space.
If you had a monopoly over the systems, what encouragement would you have to
upgrade them? There are all sorts of ways to innovate "e-voting", and all of
them are objectively improved over the current US methods

~~~
cyborgx7
Yap, let's introduce the "invisible hand of the free market" into the voting
system. As we have all experienced, that always leads to the safest and most
ethical outcome.

~~~
lurker456
especially when the customer differs from the users

------
lngnmn
One word: Microsoft.

------
5trokerac3
Depending on how conspiratorially minded you are, being able to
exfiltrate/alter voter rolls could be seen as more of a feature than a bug.

~~~
hammock
Yep. So could not having a lock on your car.

~~~
kmbriedis
Lack of feature can't be called a feature

~~~
hammock
Excuse me, by "no lock on your car" I meant "ability to exfiltrate car and/or
its contents without a key." Better?

------
dec0dedab0de
Every time this comes up, it seems to me that the obvious answer is that we
should get rid of the secret ballot. If everyone's vote is public then
everyone can check that their own vote was counted correctly. I know the
argument is that people may face pressure at home and be afraid to vote, but
is there anyone left who doesn't tell everyone how they voted? Maybe I'm
living in a bubble, but I know exactly who all of my friends, and family voted
for, none of them ever tried to keep it a secret.

~~~
herrkanin
Not only is secret voting an integral part of a democratic voting system, it
is also entirely possible to implement a system where everyone can check their
own vote while keeping their vote secret. Each registrant can simply be given
a unique string that is connected with their vote.

~~~
Klathmon
Having the _ability_ to verify your own vote is still dangerous.

There's a fine line between "can be verified by the government at any time who
you voted for" and "can be forced to show proof of who you voted for" or even
"if you don't publicly show your proof of who you voted for, you are on a
list". Not to mention the ability to "sell" your vote to whoever and have
proof that you followed through.

In a truly "secret ballot" voting system, you should be incapable of proving
who you voted for. You can still tell others who you voted for, but there
shouldn't be any "proof".

~~~
SAI_Peregrinus
Look up Scantegrity. It provides the ability to prove that your vote was
counted as cast, but not the ability to prove who you voted for.

~~~
Klathmon
I'm perfectly fine with being able to prove your vote was cast (I'd actually
prefer if you were required by law to vote. You can make a vote of "nobody",
but you'd need to vote), but that is very different from being able to verify
who you voted for.

But even still paper ballots where you check off a square and put it in a box
can give the same assurances as that complicated Scantegrity system as long as
you stick around and watch the ballot box yourself till it's counted. Yes,
it's a day of time, but it's something you or literally anyone else can do
regardless of age, gender, ethnicity, social status, education, or anything
else.

~~~
pm24601
Not possible to watch it being counted.

* The ballot gets mixed in with others
* the bundle gets divided up (A cards go in 1 bundle, B cards go another)
* taken to a vote counting location;
* each bundle is then divided between ballot counting machines.

The whole point is that an individual ballot becomes untraceable before the
counting actually starts.

