DEF CON report on vulnerabilities in US election infrastructure [pdf] (defcon.org)
546 points by andrewla 74 days ago | 135 comments



The conclusion:

Over the last 26 years, DEF CON, and for the last two years, the Voting Village, have operated under two core principles:

1. It is important to derive facts through reason and inquiry rather than blind faith.

2. When we discover new facts, it’s important we share this information with the general public so individuals can decide how best to use the information.

We did not make these principles up ourselves. Rather, these principles are the foundation of the Enlightenment, which has guided modern science to achieve the medical, engineering, and IT advances, among others, that underpin the modern world. Since these principles have largely guided the human race toward progress for the last 500 years, we plan to continue to follow them.

These principles matter most when we put them into practice. Therefore, it is relevant to ask what new facts all the poking and inquiring into our voting systems has identified since the Voting Village was established. Among the dozens of vulnerabilities identified in the last two years, four key DEF CON Voting Village findings are grave and undeniable:

1. Supply Chain Insecurity: The voting machine parts supply chain is global and has essentially no security procedures to determine whether the machine parts are trustworthy or pre-hacked before the machine is assembled. Thus if an adversary compromised chips through the supply chain, they could hack whole classes of machines across the U.S., remotely, all at once.

2. Remote Attacks Proven: Despite insistence the fact that machines are “air gapped” from the Internet protects against all remote attacks, both DEF CON 25 and 26 found exploits to hack machines remotely, requiring physical access to the machine.

3. Hacking Faster Than Voting: This year DEF CON also demonstrated that while, on average, it takes about six minutes to vote, machines in at least 15 states can be hacked with a pen in two minutes. It is thus possible for someone to hack a machine while voting in a polling place on Election Day.

4. Hacks Don’t Get Fixed: Finally, we discovered that even when vendors are told about serious flaws in machines by their customers, those flaws go unfixed.


> 2. Remote Attacks Proven: Despite insistence the fact that machines are “air gapped” from the Internet protects against all remote attacks, both DEF CON 25 and 26 found exploits to hack machines remotely, requiring physical access to the machine.

Did you leave out a word?


without


Conversely, is it possible to physically or remotely access one of these machines and determine if they've been hacked (or pre-hacked?) and how long would that take?

Also, does the hack simply modify the results for that machine, or does it grant access to manipulating the entire county vote?


> it takes about six minutes to vote

Why does voting take 6 minutes? I think I used a voting machine maybe once in my life (in the Netherlands and apparently young enough to not have used those more often). Casting a vote on paper is usually checking a box with a red pencil, takes maybe a minute of dealing with the huge sheet of paper with all the candidates.

Just curious.


When you are voting for a dozen candidates and a dozen ballot measures, it takes time to read through all of them and make sure you are marking the correct boxes, even when you know how you will vote in advance.


This is another reason (along with preventing remote hacks etc.) that vote-by-mail[1] is much more reasonable. It provides you with as much time as you need to look up candidates and issues.

1: https://en.wikipedia.org/wiki/Vote-by-mail_in_Oregon


I don't know about Oregon, but in Washington you also get a thick voter pamphlet that goes over all the candidates and issues in great detail, including candidates' statements about themselves. For initiatives (referendums), it even has statements by pro and con groups, and rebuttals of each others' statements. And you get that way in advance of the election, too, so there's plenty of time to go over it and do any additional research you feel necessary.

Here's an example from this year.

https://www.kingcounty.gov/~/media/depts/elections/how-to-vo...


Yes, same in Oregon, though the pamphlet is oddly organized, with the candidates for different races jumbled together. The for/against arguments after the text of each ballot measure are very useful, as much for their arguments as to see what organizations are spending time and money to defend or defeat them.


Yeah, it's pretty great. I used the pamphlet and Google to look up all of the candidates while I had some beer. Best voting experience ever.


Sure, but you lose vote secrecy.


First, the vote is double enveloped, should you choose to do that. Not everyone does.

It gets validated, then passed along for counting.

Second, if you want, you may drop your ballot into any drop box, or hand deliver it to elections, who will validate it and put it into the counting queue.


Not so much, it shifts secrecy from flimsy booths at a polling place to the voter, who presumably fills out their ballot in the privacy of their home, and then you have the option of dropping it off directly at the county elections office dropbox instead of mailing, if you're worried.


Not necessarily. Grab a set of ballots in a public library, randomly from a pile, the way you can grab a set of tax forms.

Send them from an arbitrary public mailbox at a busy place, like a train station or a mall.

This should make tracking impractical, unless you expect "them" to scan for fingerprints.


Can confirm from Colorado. They send everyone a vote by mail application whether you ask for it or not.


That article says: "30% of respondents said they voted more often since vote-by-mail was enacted."

Uh, you're only supposed to vote once.

Now the ballots show up, you can fill them out for all family members, even if recently deceased, and vote for everybody. That spouse doesn't need to vote. The high-school senior is too busy to do their own voting. The truly ambitious can even grab ballots out of mailboxes, adding them to their pile.


They routinely reject ballots for not matching signatures - I had one returned which I had certainly filled out myself.


Voted more often than they used to, which was once every fifteen years.


U.S. ballots also randomize the candidates' names, so that you can't scan each new list quickly by alphabet or political party to look for the person you intend to vote for. The result is that it takes more than a few seconds of sustained concentration to make sure that you're marking your ballot as intended. That's especially true when individual offices attract many small-party candidates.


How few options were on the ballot you cast? In the most recent election here in California, there were a rather ridiculous number of candidates for most positions, plus quite a few propositions. Even if you pre-select your choices before hand, you still have to find those choices on the screen (or on the paper ballot) since the ordering might have changed from the sample ballot. I want to say it took me about 4 minutes to vote even with 100% pre-selected answers on my sample ballot to refer to. Other people who did less research took quite a bit longer.


usually many options to pick 1 from.


American elections are more complicated. A typical November ballot will have upwards of 20 choices on it, for national, state, county, and municipal positions, judges, and referendums.


Around here, typical to have 1 to 3 federal races, 5 to 8 statewide offices, 10 to 20 county and municipal contests, a handful of judge retention questions, and 1 to 20 other referendums. About half the races are usually uncontested.

It may take some time to fill out a ballot paper. But the act of voting itself is inserting the ballot paper into the locked and monitored ballot box, which takes a second or two.

My polling place is filled with tables and chairs and cardboard privacy dividers, but has just one ballot box, with a scanner-tabulator on top of it.

The electronic voting machines that take the place of the paper ballot are the problem. You need dozens per polling place, and each one is expected by design to be alone with a voter, with physical access and privacy, for tens of minutes. I presume by default that any jurisdiction using them is actively promoting the hacking of their own elections, and such presumption must be rebutted only by exposure of the facts of the process that would mistrust the communications coming from those boxes as compromised and potentially malicious. I cannot fathom how it would even be possible to secure such devices. At least the scanner-tabulators attached to ballot boxes can be watched continuously.


Yes, electronic voting machines are the problem. That is what this article is about.


And I'm saying they can never not be a problem. The usage requirements make them 100% incompatible with election security.

They are broken by design, and utterly unfixable. The specifics of the known exploits are therefore somewhat irrelevant, because there will always be some means of compromising them. So the only way forward would be to treat every last one of them as permanently untrusted hardware.

While there may be some way to make them useful in an election, for now, until that PhD cryptography paper comes out that solves the problem, the only reasonable thing to do is toss them all in the trash, and go back to inked paper.


I didn't get the impression that anyone on this thread thought differently. Even without the theoretical impossibility of the task, the implementations we are seeing are amateur comedy, at best.


Voting ballots in the Netherlands are map-like large sheets with columns of names which you fill out behind a screen or on a table before being directed to a locked bin where you insert your folded sheet. In this way, the actual process of voting is over in the fraction of a second. You are not left alone with the bin at any time, and therefore can only affect your own vote, so it's hardly comparable to the electronic voting process of the states that use electronic voting.


In the US they often group together all federal, state, local and various referendums in the same election so it's not uncommon to have over a dozen choices to make when casting a vote.


Sometimes there are 10-25 different votes you’re casting on a single ballot (for example: city council, judges/prosecutors, state representatives and senators, federal reps and senators, president, local and state ballot initiatives)


Aha, that explains.


After Florida 2000, a lot of us take our sweet time double, and triple checking that we're marking the right box, and, in the case of paper ballots, very carefully filling in the box fully, but not too full.


The last time I voted, earlier this year, there were some 20+ races on the ballot and something like 60 candidates. It takes time to read through all that and choose correctly. With voting machines there is also extra UI, in my case related to the dial mechanism and back/next/submit buttons used for "checking boxes".


American elections are very rarely one box. Generally there's a whole series of offices being elected separately, and probably several different measures of various sorts being voted on directly.


Yup. Some states, with more direct democracies, have many citizen initiated propositions that people vote on as well.


In other countries people usually just vote for a few offices or questions at a time. American voters are often presented with 30, 40 or even 50 ballot questions.


I think this is measured on average, and it's possible that people are undecided, or look through everything and take their time making sure to do it right.


Most people would be quicker like a minute if I had to guess. But someone with a physical disability could easily take 6 minutes. All you need is someone faking such a disability or ailment they could just pretend they are super slow moving so when they don't come out after 5 minutes no suspicion.


Alternatively, they could say that they were thinking about which candidates to pick! On the ballots I have seen, party affiliations are listed, which means that it is expected that voters will enter the booth without knowledge of at least some candidates.


Ok. So, those are powerful findings of fact. From this, what has been done thus far regarding:

State election boards

State House/Senate committees on elections

Local election judges and boards

Federal House/Senate committees on elections

I would assume that these allegations must be verified. However, since all the procedures and observations are being made in the open, they should be relatively easy to confirm.

But, what are our legislators and boards doing to prevent hacking and malfeasance like this?


Nothing. There was a measure to spend money improving security of voting systems but Republicans defeated it. Meanwhile one of the largest manufacturers of voting machines openly came out for bringing in the votes for the Republicans and at least one developer has openly asserted that he was asked to enable fudging the vote.


They intentionally made the machines hackable because they intend to cheat. It’s really that simple.


Virginia went back to paper ballots and optical ballot scanning several years ago. I think the only drawback to this approach is storing the ballots for X years after an election (takes up space). But, it's far more secure and easy for everyone to do. Just like taking a high school test... pencil in the circle.

https://en.wikipedia.org/wiki/Optical_scan_voting_system


And IMO they should do away with "optical ballot scanning", and should move to regular humans counting them with their own eyes.

An electronic scanning system could easily be vulnerable to many of the same issues that are presented here.

Instead, have everyone mark their ballots like normal, then get a bunch of people in a room who all don't trust one another and have them count/tally votes together. Just about everyone that can vote can help count (unlike with electronic counting machines where only a very competent engineer could even begin to audit a machine like that, assuming that they were allowed to even do so), and in places that run elections like this, there is almost never a shortage of people willing to assist counting votes, especially when the election is particularly controversial ("I'm not going to let that [side a] person from screwing over us on [side b]! Let's go get 20 of us there watching to make sure nothing bad is happening!")

Voting should be hard, voting should be expensive (for the country, not for individual people). Why "optimize" the one thing that secures our country with alternatives that are less secure, have more points of failure, and are overall less understood both by the voters and by the people using the machines to tally votes?


> An electronic scanning system could easily be vulnerable to many of the same issues that are presented here

In New York City, optical scanners are used. As a check, random precincts’ ballots are manually tallied. This is a good compromise between cost and security.

(There are additional checks, like a public and private count and vote aggregates being publicly posted at every precinct at the end of the night. Observers can also audit the public and private count of any machine at any time of the day, and they do.)


But what is the motivation for the optical scanners? Why do away with a system that has proven to work and has known, mitigatable (is that a word?) downsides with one that is consistently found to have dangerous gaps in security and time and time again found extremely vulnerable?

Do they significantly improve accuracy? Do they save a significant amount of money? Do they increase the speed that things are tallied, and does that make a significant difference or improvement anywhere (because unless I'm missing something, getting results a few hours earlier is not a good reason to lessen the security of an election)?

I genuinely don't know, and I'd love to see more information if anyone has it on this.

Because to me, without knowing all of the details, it reads like "we trade some security to save costs by just not tallying some precincts at random".

If it's saving a significant amount of money, to the point where the state is much better off because of it, or if the usage of them somehow increases turnout by decreasing the time it takes to count votes, then I would agree with you. But without evidence like that, I'm sitting here wondering why these machines keep getting used.

Often times things that seem like they shouldn't be secure often are, and I'd love to be wrong about this one.


I don't have any specific data here, just a gut feel.

> Do they improve accuracy?

I think they pretty clearly would increase accuracy, modulo any potential tampering. Some of this is structural -- each ballot has multiple elections, some in which the same candidate can be featured multiple times under different party affiliations. Tallying this by hand seems intrinsically error-prone. It's arguable that simplifying the ballot could help both tallying and voting, but given the current design optical scanning seems like a huge increase in accuracy.

> do they save a significant amount of money?

Once again, I suspect yes -- tallying the votes by hand takes a lot of time and a lot of people. Poll workers aren't well-compensated by any means, but there's still a cost.

> Do they increase the speed that things are tallied, and does that make a significant difference or improvement anywhere (because unless I'm missing something, getting results a few hours earlier is not a good reason to lessen the security of an election)?

I think yes to the first and a matter of opinion on the second. I'm with you that speed of results is either a non-goal or an anti-goal -- states that release precinct-level results when voting is still open elsewhere in the country are implicitly engaging in electioneering in my mind, and should be explicitly forbidden from doing so.

An automated system combined with random manual tallies seems pretty good to me from a security standpoint. As an aside, in addition to the random tallies I believe there is a process where any party can request a certain number of explicit audits if they feel that the results seem questionable from a given precinct, and an additional layer of election supervisors who can make a non-partisan request if there are inconsistencies from previous election cycles) seems like

In New York I would prefer that the focus be on distributing voter information earlier and more widely would be a much better use of time than further changing the actual voting. When I lived in Washington state, you got a voter information guide with all the candidates and ballot measures, statements for and against, and an explicit statement as to what is being voted on, well in advance of the election. In New York, half the time I have to really dig to even find out what is going to be on my ballot, and finding the full text of ballot measures is an exercise in futility as you try to navigate through the NY Department of State to try to find the information. Third-party sources like local newspapers actually do a significantly better job than the state does here.


I'm not sure I agree that they increase accuracy to the point that it would be worth the downsides. A room full of people who all don't trust one another I feel can do a fairly good job of reducing the errors down to a minimum. Again, I could be wrong, and I'd love to see a study or some research in this area that proves me wrong! (after all, history shows us that a crowd of like-minded people are capable of some very shitty things without some kind of checks and balances)

And while I'm sure they save some money, is it worth it? I'd like to get an idea of the scale involved. Because saving a few hundred thousand dollars a year for a state would make it absolutely not worth it in my opinion, but a few hundred million might be.

And finding exact numbers is extremely hard (at least for me), combined with the fact that these companies basically never release that kind of information, and I know it's not the best idea to read into these things, but I can't help but think that they would release these numbers if they were significant and showed the company saving tons of money for the state.

But I completely agree that there are much better things we can do to improve voting overall (personally my vote is for changing to a "ranked voting" system), but these machines still feel like a giant red flag to me. There's not a lot that can be done to swing an election by just a few people, but put some kind of electronic or computerized system in the mix, and now there's one dock worker that has access to a large number of the machines as they get shipped, and now you have a single point of failure.


In California audits are required by law but in the 2016 primary a number of municipalities (San Diego and Los Angeles and others) said, "Well the audits cost too much so we just won't do them" and nothing happened.


>An electronic scanning system could easily be vulnerable to many of the same issues that are presented here.

While in school in the 80's I learned that the standardized tests the school were administering didn't mean anything. They had no bearing on my ability to graduate or go to college so I stopped caring about them. This opened up the freedom to do things like fill out multiple bubbles per line and otherwise get creative. About a month after filling out a test like this I got called into the office along with my parents. I was a pretty well known hacker at the time, running a couple local BBS's and whatnot. The state superintendent of schools was in the meeting and demanded to know what I did to their test scanning system. It turns out that I most likely caused a buffer overflow as line after line of multiple answers on the bubble sheet caused the system to crash. It took them weeks to figure out it was my test and in the meantime deadlines were being missed, etc.


Sounds like an awful school administration handling their poorly built systems issues with the least grace possible.


I agree, but the optical scanners are like 1000 times better than wirelessly accessible Windows XP laptops... which is what they replaced. One step at a time ;)


That's fair, but it really feels to me like a kind of "token gesture" that makes it seem like it's in good faith (and could actually be done in good faith!) but keeps all the same underlying issues.

After all, a lot of those counting machines are proprietary and un-auditable, so you have no way of knowing if they are actually just windows-xp wireless laptops crammed into a fancy plastic case.

I don't know enough about it in this situation to know, but things like that can sometimes cause a false sense of security or improvement that can actually make things worse in the long run.


I don't like to double post, however after skimming parts of the linked PDF, it turns out that the style of optical scanners you are talking about are actually in there.

One of the models (the ES&S M650) might be the actual scanners you are talking about, and that model has a number of terrifying vulnerabilities!


From the "Next Steps" section in the report:

>Congress Must Fund Election Security: National defense is not the role of state and local government. Further, no state or local government will ever be able to raise enough capital to defend itself from a determined nation state. Thus, having codified the basic security standards developed by local election officials above, Congress must finance the implementation of these security standards.

Well. We tried: https://www.pbs.org/newshour/politics/republicans-block-bid-...


I was just going to post that. I'm concerned that since election security is not (just) a technological problem, that very little will be done to improve it in the foreseeable future.

I'm from Idaho which is currently conservative by close to a 2/3 majority, but remember growing up that we had many liberal elected officials like Cecil Andrus and Frank Church. From my perspective, democrats are working to improve election security while republicans are not.

Is this simply a partisan issue? Does anyone from more liberal states have examples of democrats opposing election security?

If so - then how do we work to improve election security when our elected officials refuse to? If not - then how do we accomplish reforms within the republican party or make election reforms into political capital that it might be willing to trade for?


> From my perspective, democrats are working to improve election security while republicans are not.

Does voter ID improve election security?

Which party opposes voter ID laws?


>Does voter ID improve election security?

It does not.


If one defines "election security" as "ensuring that each voter is registered, is alive and present, votes only once, and votes only in the correct location," then obviously requiring voters to legally identify themselves, just as they do when doing any number of everyday activities that involve local government, improves election security. Your assertion seems a bit knee-jerk.


None of those things you've mentioned requires voter ID, so I'm not sure why you're advocating for a solution that fixes nothing you claim is an issue.

Specifically: You can figure out if a voter is registered by cross-checking with the voting rolls, you can figure out if someone is alive by cross-checking obituaries and the other two issues can similarly be figured out by cross-referencing across all elections in a state. None of this requires strict voter ID to figure out and while it's possible that identities could be hijacked to vote for a certain person, I believe voter fraud is incredibly rare in practice.

Additionally all of those checks actually open up more avenues for hackers or less honest individuals to take advantage of said systems. For example dropping a bunch of people off of voter rolls to ensure that they have trouble voting or can't meet the deadline, mistakenly registering people as deceased and so forth. One of the major fears during the possible election tampering was that by altering voter rolls you could shift the outcome of an election.

I think your assertion seems more knee-jerk than the person you're responding to.


> None of those things you've mentioned requires voter ID, so I'm not sure why you're advocating for a solution that fixes nothing you claim is an issue.

Respectfully, you're putting words in my mouth. I did not advocate for anything.

I was responding to the OP's assertion that, "democrats are working to improve election security while republicans are not." That assertion is facially incorrect, and Voter ID (whether you like it or not) is a reason why.

> Specifically: You can figure out if a voter is registered by cross-checking with the voting rolls, you can figure out if someone is alive by cross-checking obituaries and the other two issues can similarly be figured out by cross-referencing across all elections in a state. None of this requires strict voter ID to figure out.

Voter ID solves those problems at the ballot box. The volunteers sitting behind the desk aren't cross-checking obituaries or all elections in a state. You know that, so why did you say all that?

> voter fraud is incredibly rare in practice.

Why do you think that? After the last election, we saw video evidence of people being bused across state lines to vote where they weren't registered. That's just one example.

> Additionally all of those checks actually open up more avenues for hackers or less honest individuals to take advantage of said systems.

How would requiring photo ID matching that on the list of registered voters open up more avenues for attack? It's an additional form of authentication.

> For example dropping a bunch of people off of voter rolls to ensure that they have trouble voting or can't meet the deadline, mistakenly registering people as deceased and so forth.

What does requiring photo ID have to do with those forms of attack? Those can be done right now, without requiring photo ID. Why are you confusing the discussion with irrelevant issues?

> I think your assertion seems more knee-jerk than the person you're responding to.

Actually, your comment is the most knee-jerk in this thread so far. You've put words in my mouth and torn down a bunch of strawmen. You've identified me as an enemy when I haven't even advocated for one side or the other. All I'm doing is making logical observations. If you disagree with those observations, by all means, show me why.


To be honest, Voter ID addresses a made up problem. Search Wikipedia for 'Voter ID laws in the United States'.

Regardless of your political persuasion, I suggest you read a bit about how these voting machines are built. Assuming you are in tech, you will be horrified. Do you feel comfortable knowing your voting machine was written in VBA with an Excel spreadsheet as the backing data store? This is the level of incompetence we are dealing with. Integrity of our elections is an incredibly important issue for both parties, and this was a problem before Trump, Russia and the 2016 election.

I also suggest you read up on the Stuxnet virus if you want to see what a determined state actor can create given unlimited resources.


Voter ID addresses a threat model that has been repeatedly proven to be minor at worst. It does absolutely nothing for the much more serious threat model of digital tampering.


Why do you think that that threat has proven to be minor? From what I've heard, I suspect we have only seen the tip of the iceberg. Voter fraud has been going on, no doubt, for as long as voting has.

> It does absolutely nothing for the much more serious threat model of digital tampering.

I agree that they solve different problems. I think we should use only paper ballots, and eschew all forms of electronic voting.


The opposition to voter ID laws is usually down to the implementation details of them that make them non-viable - for example, requiring costly IDs that are also difficult to get (while also closing facilities that issue them in some areas which just happen to vote a certain way).

A well-written voter ID law - one that truly guarantees the right to vote for every citizen eligible to do so - might well get enough bipartisan support; I'm just not aware of anyone ever trying such a thing.


Voter ID laws solve a problem that does not exist. I do not support pointless laws that open us up to further abuse by partisans.

Voter ID laws have been written in a way that they can be systematically (and I believe deliberately) abused to disenfranchise minorities. This is done by setting unreasonable office hours or locations to obtain voter IDs among other methods.

There is no need for voter ID laws and so there will be no bipartisan support for them unless both sides are interested in vote suppression.


Can you explain why the vast majority of other countries do have voter ID laws then?

As far as voter suppression, the whole point of what I wrote is that it's not inherent in voter ID. It only happens if the laws are deliberately designed that way. Again, look into how people vote in most European countries to see that it's not what these kinds of laws are actually about, when they're done right.

BTW, my perspective is that of a non-citizen on a track to citizenship. I think that even if real-world voter fraud is very low, there's also the question of symbolism at play. Voting is one of the few rights that are citizen-exclusive, so it is important to protect, even if only as a symbolic gesture. This goes both ways, of course - the right to vote shall not be denied to anyone who has it (and that part has priority for the same reason as presumption of innocence) - but conversely, if it is to be treasured, it needs to be secured to highlight its worth.


First, comparing America to other countries in this case is a poor point. Relative to European countries Americans are spread incredibly far apart with a culture designed around driving. Keep this in mind for the rest of my argument.

In many areas in America the hours for polling stations coincide with the typical workday. It can also take quite literally hours to reach your proper polling station to vote where taking any time off from work for many of the lower-class citizens is impossible. Proper ID for voting can also be harder to come across than you might think especially when access to them in minority or poor neighborhoods is deliberately limited. That's just to reach the location; never mind it potentially taking hours to just vote [1].

When you look at voter ID laws in a vacuum there isn't that much of an issue. However, European countries have a far lower barrier to entry both for the act of voting and for getting a proper ID. When people talk about implementing voter ID in various areas, they're putting the cart before the horse, often intentionally because they know it benefits their voter base.

And as I've mentioned before voter ID solves very little. If you make it hard to vote just for a symbolic measure you're essentially admitting that you want to discriminate against minorities and the poor just for the sake of it.

[1] http://www.brennancenter.org/publication/election-day-long-l...


I live in US, so yes, I'm well aware of the specifics. But also, "America is different" is a fairly used excuse by now, and frankly, I don't think it really is as different as Americans like to think it is. That "spread apart" thing and culture designed around driving is not unique, either.

All the issues you describe are, again, issues with a specific implementation. Voting day can (and should) be moved to a weekend. Government-issued IDs should be free and easy - I would even say automatic - to get. And so on, and so forth.

Voter ID does not have to make voting hard. I would not support any proposal that would do so (which is to say, any that I've seen pushed in US to date). However, I cannot in good faith support a principled opposition to voter ID as such. And - speaking as a card-carrying member of the party - I believe that Democrats are shooting themselves in the foot by continually misrepresenting the core idea as racist etc. They should instead come up with a comprehensive voting reform proposal that would tackle all these issues - election security (including ID), voter registration, election day timing etc. And put it on the table with great fanfare. Then let Republicans explain why they're still opposed to it.


There’s already an established history of voter ID laws being used to suppress votes. This is not a hypothetical.


Like I said, I'm well aware.

There's also an established history of voter ID laws in other countries not being used to suppress votes. This isn't a hypothetical, either.

From which directly follows that voter ID is not racist. The right-wing politics around voter ID in US specifically is racist. If lefties keep letting right-wing own the subject, then that's all it'll ever be. But it doesn't have to be that way.


We don’t need symbolic laws. Adding a restriction on our most fundamental rights because it feels good is misguided and extremely dangerous.

This country has a long and well documented history of voter suppression and voter ID is just the latest example.

You’re going to have to do better than “other countries do it” to convince me voter ID laws are a good idea. Start with any evidence of necessity and how the south won’t abuse the hell out of it. Remember that they have already abused the hell out of it.


Voting is not a fundamental right by definition, because only citizens have it. Fundamental rights are those that all persons have, innately, by virtue of being a person. Voting is a civic right of citizens.

Furthermore, in US specifically, right to vote is not even a guaranteed right for citizens - there's nowhere in the constitution that says a citizen has an inherent right to vote. There are various amendments that prohibit the government from discriminating based on certain traits (gender, race, age, poll tax etc); but none of them are a blanket grant of the right. This is why the states can prohibit felons from voting, for example, and why the criteria for that are so drastically different between them.

Now, personally, I think this is not a good idea, and every citizen should have an unconditional right to vote that can only be stripped with citizenship. But you insist that we talk about US as it is - and that is how it is.

The way you implement voter ID such that South can't abuse it is by using the constitutional power of Congress to set uniform rules for all congressional elections in the country. Since citizenship is a federal matter, it follows that voter eligibility as it pertains to citizens and non-citizens is also a federal matter, and should be set on the appropriate level. It would completely preempt any state legislation on this, solving the problem once and for all. This also means that the feds should be required to issue an ID that is sufficient to vote to any citizen who asks for one, at no cost to the citizen, and with minimal hassle - ideally, automatically - same as every other government in the world does.

And I disagree that symbols don't matter. The right to vote is valuable in part because of its exclusivity - not everybody has it. If you're unwilling to protect that exclusivity, even symbolically, that diminishes the right.


It does not.

The question you should be asking is what party advocates for voter ID laws in the absence of any evidence to their necessity.

Voter ID laws are a solution to a problem that does not exist to allow political parties that advocate them to suppress votes at will. There is no existing need for voter ID laws and voter ID would not prevent tampering with voting machines.

It may be a worthwhile exercise to see what states advocate insecure voting methods (machines) and voter ID laws.


Elections are not national defense.

State and local governments have been handling their own elections since before the country was founded. This is a good thing, because it keeps elections close to the people, accountable to the people.

The last thing we need is nationalized elections. That would make all of our elections vulnerable together. And that includes federal funding for state and local elections, because federal funding always comes with extensive rules and regulations, which would effectively put elections under federal control.

We need to move more government and accountability closer to the people, not to Washington, D.C.


> That would make all of our elections vulnerable together.

They're already vulnerable, all together.

> which would effectively put elections under federal control.

They are already under numerous federal laws. Strangely enough, counter to your point, federal laws have been the #1 driving force for allowing more people to vote ("closer to the people"). See: https://www.usa.gov/voting-laws


All it means is a foreign entity like Russia just attacks each state differently. It won't stop them. Clearly, we are doing literally what you're saying, and it hasn't worked.

Elections, in the 21st century, should fall within the range of national defense. Power grids and other types of infrastructure are, why not the democratic infrastructure like elections and voting?

> The last thing we need is nationalized elections. That would make all of our elections vulnerable together.

Or you know, the ability for elections to actually be fixed in a systemic fashion. It's really the only way.

I really don't understand this attitude. To take an example from the software industry, would you rather have your users on one OS, for you to secure, or 20+ different ones, where you need to plug holes independently?

Fix one issue with a voting machine, fix them all, as opposed to just fixing Florida's specific homegrown crap.


I don't totally agree with the OS analogy. The federal government should not have absolute control over how individual states run their elections. The federal government can provide guidelines and basic requirements but it is important that states be allowed to make their own decisions as much as possible.

States' rights are comparable to redundancy in the software world but really these analogies are strained.


> All it means is a foreign entity like Russia just attacks each state differently. It won't stop them. Clearly, we are doing literally what you're saying, and it hasn't worked.

This country has been around for over 200 years. Our elections have worked well, or else we wouldn't be having this conversation.

> Elections, in the 21st century, should fall within the range of national defense. Power grids and other types of infrastructure are, why not the democratic infrastructure like elections and voting?

No, they shouldn't. I want my city, county, and state elections run by my city, county, and state, so that when something goes wrong, I can go to the city, county, or state to see about making it right, and even run for office locally to fix it myself, or go to the state capital at worst--not have to go to Washington, D.C. and complain to some bureaucrat that hasn't even heard of my city and couldn't care less about my state.

> Or you know, the ability for elections to actually be fixed in a systemic fashion. It's really the only way.

Bald assertion.

> I really don't understand this attitude. To take an example from the software industry, would you rather have your users on one OS, for you to secure, or 20+ different ones, where you need to plug holes independently?

You're looking at it the wrong way. What is easier to attack: a homogeneous network in which every machine has the same, known vulnerabilities, or a heterogeneous network in which only subsets of machines have certain vulnerabilities? What is easier to destroy: a forest comprised of a single species with the same vulnerabilities to certain pathogens, or a forest with a variety of species?

Recent history shows the inherent risk of homogeneous networks, e.g. the NotPetya worm that took down global IT infrastructure for the biggest companies in the world in a matter of seconds: https://www.wired.com/story/notpetya-cyberattack-ukraine-rus...

This country was designed around compartmentalization. If one state enacts bad policies, has corrupt government, etc, it doesn't necessarily affect every other state. But when the federal government makes bad decisions and becomes corrupt, it does affect every state.

You want our elections to be more easily compromised, more easily controlled by third parties? Nationalize them. Use the same systems and rules and policies everywhere. Make every election, everywhere, have the same, known flaws and vulnerabilities. Make every election, everywhere, reliant on the slow-moving federal government to fix problems that states and localities could fix independently and quickly.

> Fix one issue with a voting machine, fix them all, as opposed to just fixing Florida's specific homegrown crap.

How about letting Florida worry about fixing Florida's elections, and you fix yours. I don't think you'd like Florida telling you how to run your elections, but that's exactly what you propose in reverse. It's antithetical to liberty.


> This country has been around for over 200 years. Our elections have worked well, or else we wouldn't be having this conversation.

Doesn't follow; countries can exist for a long time without elections at all, and, a fortiori, without elections that “work well”. Our existence and ability to debate the topic doesn't prove our elections worked well on average over history, or that they've been working well in their most recent form. Or much of anything else.


The point I'm making is that our elections have worked well, because they're still going on, and our nation still has its original form of government. If we ceased to have elections, as you hypothesize, it would no longer be the same nation, because it would have abandoned its form of government. So the fact that we're having this conversation, talking about elections that have been going on for over 200 years, indicates that, yes, they're actually working pretty well.

When we eventually stop having them, then we can revisit this conversation and long for the good old days. Meet you back here in...a few centuries?


There are a lot of words in this document. What we need is some infographics that boil it down into something people without the time to read and parse all of those findings can understand easily. A map showing vulnerable states, some pictures showing how easy it is to circumvent a particular system. Something that shows what percentage of machines are vulnerable and an easy way to know if the machines in my district are susceptible without having to wade through pages and pages of text.


You should bring this to the attention of USAFacts. Even if you're not a Ballmer fan, they do have the necessary resources for this sort of work and it seems like it would align with their mission.

https://usafacts.org/

Maybe we could start tweeting them? https://twitter.com/usafacts/


Good idea. I tweeted at them.


Specifically, this makes the job much easier for non-tech journalists to report on the findings. Consider that Heartbleed practically became a meme due to the discoverers’ creation of a logo and website. If you want to stop the hack, social-hack the fix.


> If you want to stop the hack, social-hack the fix.

It's a little tangential, but I think this comment is evidence that the verb "hack" has finally completed its evolution into a synonym for "do."


I have a counter proposal:

Demonstrate a model election. As in show what it looks like, explain all the bits.

Voter registration, candidate filing, ballot production, poll books, signature verification, tabulation, ballot summary reports, etc.

This will equip laypersons with the knowledge of what to fight for as they reform (improve) their local elections.

FWIW, the gold standard is paper ballots cast at poll sites, tabulated when the polls close. Variations may be desirable, eg postal ballots to enfranchise, but know the tradeoffs.


I would also like to see some things have more details, such as the 11 yr old hacking a mock up of the Florida election website. Was this a true representation of what Florida used or a learning tool with flaws built into it?

I feel I could spend well over a week going through trying to learn more about each point made.

I've also heard some people claim that a lot of these voting machines are no longer used.


It was a learning tool with built in flaws and the kids were coached.


This is great to say, but just wanting something doesn't get it done. How could we be proactive and accomplish this? I don't have any of the necessary skills, or the audience. This is really important to put attention toward because that is the only way to get those in power to care. How can we find the right people to make digestible press packages about this, and how do we get it published by people?


Some of the vulnerabilities are, appallingly, mundane multi-user operating system misconfigurations that have been known about since the 1960s and 1970s. The one where simply connecting a serial terminal yields a root login session with no password is particularly egregious.


> A second critical vulnerability in the same machine was disclosed to the vendor a decade ago, yet that machine, which was used into 2016, still contains the flaw.

Sometimes I wonder how some people manage to keep their jobs, and how companies manage to keep their contracts. This is gross negligence.


I was surprised to read that this remote vulnerability is possible in 23 states. I thought that the United States prides itself on its democracy? How come voting machines are possible in a democracy?


The voting population doesn't directly control voting machines. I'd say it's a mix between getting a good representative elected, and getting the facts known and actually debated.

(In case you're not from the US: our government is largely a representative democracy, not a direct democracy, with a few exceptions, such as California's proposition system.)

I would say that voting machines are also a niche issue: whether that's good or not, IDK, but most candidates (I feel) would rather discuss their positions on more mainstream topics such as gun control issues, gay rights, abortion, economics issues (particularly vague economic issues), whether or not we should build a wall, etc. Technology is a rare issue, and even rarer to see a candidate demonstrate an understanding of the facts in the issue.


You're conflating the American idea of democracy with voting. They're only tangentially related. We have one of (maybe the) lowest voter turnout rates and institutionalized voter disenfranchisement is as popular as baseball.


This isn't a remote vulnerability, btw. The attack involves picking the lock and inserting a device into a parallel port.


The surprising part of most of these vulnerabilities is they are hardware attacks. I had a talk with someone the other day that said she heard people were hacking votes from iPhones. The oversimplification of the topic is doing just as much harm as good.

I don't know any security professional that would tell you physical access isn't equal to the ability to hack a device.

The reality is subversion of people managing processes is of a higher probability than attacks of the machines themselves. It's also not unique to electronic voting, people are always the weak link in security and will always be the weak link.


The first new attack described in last year's report was that you could DoS a machine by removing its CPU.

Which, sure, is something to think about. But it's not what I think people are imagining when you say "voting machine hacking."


Right!! It's like saying you could DoS a car by removing its spark plugs.


With partisanship rising to bitter, angry levels in the US while trust in just about every social group on the decline outside of the record defenders, my nightmare scenario has been a contested election result. Having no way to establish to friend, neutral third parties if there was/was not fraud means we can only rely on people's trust in each other to find a reasonable solution. That seems unlikely to end well right now, so all I can hope for is that we don't have such results.


During the last 2016 automated elections here in the Philippines, the company responsible for it was Smartmatic and just found out their source code was licensed by Dominion.

Now finding out that Dominion's equipment is mentioned here is a little bit worrying. There was also an incident during our elections hours before a voting machine was accessed just because they have to change a single letter. It is still disturbing to this day.


Combine modern polling data/models with these exploits and the hackers would only have to target a dozen counties(?) to change the outcome of the presidential election because of how the Electoral College works.

( This is a guess. Trump won in 2016 by 107k votes across 3 states - inside those states how many counties were actually "swingy"? https://www.washingtonpost.com/graphics/politics/2016-electi...)


I remember when people were laughed at and thought of as kooks and quacks if they claimed voting machines were easily hack-able.


Here's a quick summary of the machines that they have reported vulnerabilities in. I've used [ed] to mark where I'm adding relevant content not present in the report.

In my non-professional opinion, none of these vulnerabilities seem earth-shattering, although the potential lack of paper trails makes some of the touch-screen systems very dicey. Both of the touch-screen systems have the option of a voter-verified paper trail, but it's not clear how widely those options are deployed.

Diebold ExpressPoll-5000

- Use: Used to check in voters at the polling station.

- Vulnerabilities: No voting-specific vulnerabilities were found; generally an insecure WinCE machine. Physical access would be needed to compromise.

- Impact: Could change voter polls to selectively exclude individuals, forcing them to use provisional ballots. Could add voters to polls potentially, but not clear [ed] if this would pass a cross-reference with upstream voter registry.

Dominion AVC Edge

- Use: Touch-screen voting machine. Records votes electronically and [ed: has an optional voter-verified paper ballot audit system. Not clear how widely the paper ballot system is used with this machine.] Verifies voter eligibility with a smart card distributed by poll staff. [ed: Presumably the smart card is cross-referenced with the voter rolls during tally.]

- Vulnerabilities: Physical vulnerabilities, including swapping out the electronic storage. [ed: Not clear if this would be detected by audits against the smart card registration or voter rolls].

- Impact: Removed or changed votes or completely synthetic votes, [ed: if not cross-referenced; or the storage could be re-written to change or spoil existing votes]. [ed: If paper option is not used, then no audit would be possible if storage is compromised].

Dominion Premier/Diebold AccuVote TSx

- Use: Touch-screen voting machine. Records votes electronically and has an optional voter-verified paper ballot system. Verifies eligibility with smart card distributed by poll staff.

- Vulnerabilities: Denial-of-service attacks easily available by unplugging a cable. Smart card is supposed to be reset by the machine, but a substitute smart card can be used that allows unlimited votes. [ed: Not clear if this would pass a cross-reference with the voter rolls, or if the machine is equipped to allow such an audit.] Malware could be distributed for the device [ed: through unspecified channels]. Such malware would allow an adversary to compromise many machines without requiring physical access to polling stations.

- Impact: Removed or changed votes or completely synthetic votes [ed: if not cross-referenced with voter rolls; or malware could be used strictly to change votes and still pass the cross-referencing with voter polls. The user-verified paper option could mitigate some of this, but the malware could theoretically spoil the user-verified ballot and produce a new non-spoiled ballot with a changed vote.]

ES&S M650

- Use: Strictly for tallying of paper ballots.

- Vulnerabilities: Physical security at the polling place, and network-based attacks in situations where the devices are networked (not at the polling place, but at the clerk's office or similar centralized locations). Though attempts are made on the device to prevent unauthorized software from being installed, there are known vulnerabilities that allow that to be changed, through a serial control port or by modifying the Zip disks (?!) that are used as the underlying file system.

- Impact: Changing vote tallies. [ed: An audit would be possible because this machine uses a direct voter-filled-out paper trail].


The concept of xyz "villages" at DefCon was always pretty silly. Very little, if anything, new is going to come out when people have no real time or access to these devices. Combine that with the technical skill of the average attendee and you get results like this.

Anyone in security could threat model every single one of these attacks on the back of a napkin in about six minutes. It is sad that you can replace hard drives in voting machines, but of course that's expected and rather obvious.

It'd be neat if DefCon would use some of its money and sponsor a device roadshow. Ship these things around to different labs and makerspaces for month long stints. Sign up someone who has a vague idea of what he or she is doing that can guide and teach others on weekends. Let people do real work and not just marketing.


I'm almost positive they would if they could, but the companies making these machines keep an iron grip on them. And sometimes they do so with the threat of very serious criminal charges.

It's just another reason why voting machines (or vote counting machines) are so dangerous. Even if the public had the ability to audit and verify the machines are working correctly, they aren't allowed to.


They tried to. The companies manufacturing the devices refused.


Rule one (1) for voting machines should be something along the lines of making examples available for testing to all main political parties; and at cost price to all people who are electoral candidates.

The parties then can have them analysed and choose whether to use them or not, perhaps something like all those with more than 10% of the vote previously could decide whether to use machines or human counting; full consensus required.

Rule two (2) should be something along the lines of all votes requiring an agreed sampling to be counted via alternative methods.

You could even have a sample of electoral wards not use the machines at all - that would suggest irregularities if there was tampering, as the hand [machine] counted wards would have different voting preferences to the others.


It is an absolute farce that there are electronic voting machines in use which are closed-source.


This is terrifying. Full stop.


Every electronic device is hackable with physical access. Every process that has humans involved is exploitable.

I'm more alarmed at the number of people willing to complain and moan about change, yet refuse to volunteer at their local polling station. If awareness is important, we have to start somewhere, yet the vast majority of people complaining expect it to just solve itself.

Sometimes to fix a broken system you have to become a part of it and change from the inside.


> Every electronic device is hackable with physical access. Every process that has humans involved is exploitable.

This is a useless statement. Security is a continuum, and it's perfectly valid to point out voting machines suck on that continuum.

I store my private key on a yubikey, and sure if you had physical access and spent about $300k you could decap it and recover the private key (with a success rate of maybe 10%, an expensive hardware lab, and expertise only a handful of people have).

That's a whole different ballpark from voting machines which don't use a hardware TPM [0] to attest votes, but instead store them in csvs while running windows CE such that an attacker with a jumpdrive can plug it in and alter records using exploits which have been public for years and years.

> Sometimes to fix a broken system you have to become a part of it and change from the inside.

Unfortunately, various people have tried to change it with no success. The voting machine companies have contracts with the government that preclude new entrants to the business.

Security researchers who contact voting machine companies have no impact.

Technology such as TPMs exist, but the voting machine vendors have little apparent interest in these new ideas and technologies.

I don't think it's fair to discount other commenters from providing information and discussing their views just because they're unwilling to go into politics to attempt to fix these silly government contracts (with a low chance of succeeding)

[0]: https://en.wikipedia.org/wiki/Trusted_Platform_Module
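
The contrast drawn in the comment above, between vote records kept as plain CSV and records that a hardware-held key vouches for, sketched as an added example (not from the thread, the report, or any vendor's code). The key constant, record layout and anchor are assumptions made for illustration; a TPM would keep the key in hardware, which this software-only sketch does not do.

```python
import csv
import hashlib
import hmac
import io

# Assumption: on real hardware this key would be generated and held inside a
# TPM or similar chip and never exposed to software. It is a constructed
# constant here so the example runs offline.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"
GENESIS = bytes(32)  # starting value for the tag chain

SAMPLE = [  # constructed records: ballot id, contest, choice
    ("ballot-0001", "contest-A", "candidate-X"),
    ("ballot-0002", "contest-A", "candidate-Y"),
    ("ballot-0003", "contest-A", "candidate-X"),
]


def _tag(key, prev_tag, seq, fields):
    """HMAC over the previous tag, the row number and length-prefixed fields."""
    msg = prev_tag + seq.to_bytes(8, "big")
    for field in fields:
        data = field.encode("utf-8")
        msg += len(data).to_bytes(4, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(records, key=DEVICE_KEY):
    """Return (csv_text, anchor_hex); every row ends with a chained tag.

    The anchor is the final tag. It is assumed to be recorded somewhere the
    storage medium cannot reach, for example a printed closing report.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    prev = GENESIS
    for seq, fields in enumerate(records):
        prev = _tag(key, prev, seq, fields)
        writer.writerow(list(fields) + [prev.hex()])
    return out.getvalue(), prev.hex()


def verify(csv_text, anchor_hex, key=DEVICE_KEY):
    """Return (ok, reason) after recomputing the whole chain."""
    prev = GENESIS
    for seq, row in enumerate(csv.reader(io.StringIO(csv_text))):
        if len(row) < 2:
            return False, f"row {seq}: malformed"
        *fields, tag_hex = row
        expected = _tag(key, prev, seq, fields)
        if not hmac.compare_digest(expected.hex().encode(), tag_hex.encode("utf-8")):
            return False, f"row {seq}: tag mismatch"
        prev = expected
    if not hmac.compare_digest(prev.hex().encode(), anchor_hex.encode("utf-8")):
        return False, "anchor mismatch: rows removed or appended"
    return True, "ok"


def demo():
    """Apply four kinds of after-the-fact modification and verify each."""
    sealed, anchor = seal(SAMPLE)
    lines = sealed.splitlines(keepends=True)
    edited = sealed.replace("candidate-Y", "candidate-X", 1)  # alters row 1
    truncated = "".join(lines[:-1])                           # drops row 2
    reordered = "".join([lines[1], lines[0], lines[2]])       # swaps rows 0, 1
    # Someone without the device key rewrites the file and re-tags it.
    changed = [SAMPLE[0], ("ballot-0002", "contest-A", "candidate-X"), SAMPLE[2]]
    resealed, _ = seal(changed, key=b"not-the-device-key")
    return {
        "intact": verify(sealed, anchor),
        "edited": verify(edited, anchor),
        "truncated": verify(truncated, anchor),
        "reordered": verify(reordered, anchor),
        "resealed_without_key": verify(resealed, anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

This only detects changes made to stored records after they were sealed; software that records the wrong choice before sealing is outside what it can catch, which is the gap voter-verified paper and audits address.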


"That's a whole different ballpark from voting machines which don't use a hardware TPM [0] to attest votes, but instead store them in csvs while running windows CE such that an attacker with a jumpdrive can plug it in and alter records."

You're not getting any of this access without modifying hardware at the polling station. If poll monitoring is being performed, they're going to notice someone taking apart a voting machine.

I was at the Voter Village. Two years in a row I spent time disassembling the machines. They're not as easy as you're making it out.

Being a part of monitoring of these systems is not something stopped by big business. That's a cop out.

TPM should be a part of medical devices, but it's not. I would argue that's even more important than a voting machine. Unless you work for a manufacturer or are building a voting machine with these systems, sitting around and saying you could do X or Y doesn't solve a damn thing.


> Every electronic device is hackable with physical access.

iOS 11+ Apple devices are pretty much not.


Please keep partisan flamewar off HN. It incinerates everything it touches.

We detached this subthread from https://news.ycombinator.com/item?id=18112453 and marked it off-topic.


The previous comment specifically says reading to make sure you are voting correctly even if you know how you are going to vote. Having voted in California, I can confirm it takes a sizable amount of time to check your ballot even when you have a cheat sheet with you.


Did you even read the comment you're replying to?


My fault, I missed

> even when you know how you will vote in advance.


I still think you missed the point, though... the point of the finding was that the hack takes less time alone with the machine than the average voter takes to vote.... therefore, a hacker won't arouse suspicion while they are doing the hack.

It doesn't matter if there are things a voter can do to speed up voting, it only matters that it still wouldn't be suspicious if someone was in the booth for 2 minutes.


Oh wow, did they really call it that?

I mean it's not wrong, the net neutrality debate is about deregulating the internet by the government so that the ISPs can regulate it. But you have to know what more freedom for ISPs can entail.

I mean if it was called Unlimited Gun Use Freedom it could be a name for legalized murder.


I totally made it up, but it's not far. For example, here in MO they put a ballot initiative titled "Right to Farm" on the ballot and advertised it as "we're protecting your right to farm! Standing up for the small family farmers!" when in reality it keeps people from having standing to sue a factory farm when runoff from a pig farm pollutes their land.


After California Prop 8 (vote for gay marriage! Where "yes" meant "prohibit it" and "no" meant "don't prohibit it") California adopted a measure where the AG has to verify that ballot measure titles are neutral.


The name of the prop actually wasn't confusing.

Initially it was called "California Marriage Protection Act", which is pretty common for anti-gay-marriage acts.

Later it was called "Eliminate Rights of Same Sex Couples to Marry". Which is 100% obvious.

Only people who lazily called it the "gay marriage prop" were confused.


Thanks! I looked it up and the rewriting of titles preceded prop 8, though the prop 8 folks litigated furiously (amusingly they claimed the new title was "inflammatory" when it was actually text taken from the question).

I remember people being confused about the polarity of the vote, but then again I remembered incorrectly that the title approval had been because of prop 8 so who knows.


It wasn't far from what the FCC called the repeal to net-neutrality: "Restoring Internet Freedom" Order - https://www.fcc.gov/document/fcc-releases-restoring-internet...


Right, you should do that, but not all voters have the means to research beforehand.


You can research at the library for free. You can ask other people's opinions for free. Newspapers are inexpensive and widely available. I'm sure there are other options I'm missing. Who doesn't have the means for free?


I'm willing to send you "Evicted" in ebook format if you email the address in my profile. That's the best way I can think of to share with you the experience of being dirt poor in America, and why the things you just listed are irrelevant to a massive swath of Americans.


> Because that's how Republicans roll.

https://news.ycombinator.com/newsguidelines.html

> Eschew flamebait. Don't introduce flamewar topics unless you have something genuinely new to say. Avoid unrelated controversies and generic tangents.

> Please don't use Hacker News primarily for political or ideological battle. This destroys intellectual curiosity, so we ban accounts that do it.


Any likelihood we could get some white hat hackers on this... Including marking things on the day of, if necessary?


Be careful what you wish for, one man's white hat is another man's black hat.


This is a lot like consumer cryptography - yes, technical exploits are a problem, but they're overshadowed by social engineering.

In the case of US elections - even with secure infrastructure, the election will be determined by billionaire-sponsored campaign budgets and policies that entrench the 2 party system.

After the DNC email leak, I'm amazed how little attention was placed on hard evidence that the Democratic Party methodically sabotaged candidates in the primaries. Shifting public focus to the "Russian Hacking" was amazing PR work.


Really don't like how political and advocative DefCon has gotten.

Finding and publishing vulnerabilities is fine. But DefCon shouldn't be advocating policy or fixes. That should be left to the government, businesses, etc. The more defcon mixes with authorities, the better.


If [the government, businesses, etc.] could not (or did not) find these vulnerabilities, most of which seem like things your average techie might have checked for, what evidence is there to suggest that [the government, businesses, etc.] know how to fix them either?


The same could be said for any system where a vulnerability is found.

Vulnerabilities exist, it's the efforts we put into addressing them that matters. Yelling about one party or the other being responsible won't solve the problem. The first steps to a big fix would simply be locking down processes, things that can be done by volunteers joining in the efforts of their local and/or state voting agencies.

It's easy to sit on the sidelines and say this and that are wrong, I'd rather see more people standing up and trying to find solutions that work.

I volunteer and we are always short and no one ever seems to "have the time". The quality of candidates that do volunteer are all over and would have far greater an impact with more tech exposed individuals instead of the common retirees that I work with.


I cannot tell from the wording of the comment, but this seems like a rebuttal. I agree that solutions should be the first thing that happens as opposed to blaming. However, the comment that I replied to seemed to be stating that the solutions should be left to the first order victims of the exploits (which I am stating is nonsense) and that the DEFCON participants had no place in offering solutions.



