Over the last 26 years, DEF CON, and for the last two years, the Voting Village, have operated under two core principles:
1. It is important to derive facts through reason and inquiry rather than blind faith.
2. When we discover new facts, it’s important we share this information with the general public so individuals can decide how best to use the information.
We did not make these principles up ourselves. Rather, these principles are the foundation of the Enlightenment, which has guided modern science to achieve the medical, engineering, and IT advances, among others, that underpin the modern world. Since these principles have largely guided the human race toward progress for the last 500 years, we plan to continue to follow them.
These principles matter most when we put them into practice. Therefore, it is relevant to ask what new facts all the poking and inquiring into our voting systems has identified since the Voting Village was established.
Among the dozens of vulnerabilities identified in the last two years, four key DEF CON Voting Village findings are grave and undeniable:
1. Supply Chain Insecurity: The voting machine parts supply chain is global and has essentially no security procedures to determine whether the machine parts are trustworthy or pre-hacked before the machine is assembled. Thus if an adversary compromised chips through the supply chain, they could hack whole classes of machines across the U.S., remotely, all at once.
2. Remote Attacks Proven: Despite insistence the fact that machines are “air gapped” from the Internet protects against all remote attacks, both DEF CON 25 and 26 found exploits to hack machines remotely, requiring physical access to the machine.
3. Hacking Faster Than Voting: This year DEF CON also demonstrated that while, on average, it takes about six minutes to vote, machines in at least 15 states can be hacked with a pen in two minutes. It is thus possible for someone to hack a machine while voting in a polling place on Election Day.
4. Hacks Don’t Get Fixed: Finally, we discovered that even when vendors are told about serious flaws in machines by their customers, those flaws go unfixed.
Did you leave out a word?
Also, does the hack simply modify the results for that machine, or does it grant access to manipulating the entire county vote?
Why does voting take 6 minutes?
I think I used a voting machine maybe once in my life (in the Netherlands and apparently young enough to not have used those more often). Casting a vote on paper is usually checking a box with a red pencil, takes maybe a minute of dealing with the huge sheet of paper with all the candidates.
Here's an example from this year.
It gets validated, then passed along for counting.
Second, if you want, you may drop your ballot into any drop box, or hand deliver it to elections, who will validate it and put it into the counting queue.
Send them from an arbitrary public mailbox at a busy place, like a train station or a mall.
This should make tracking impractical, unless you expect "them" to scan for fingerprints.
Uh, you're only supposed to vote once.
Now the ballots show up, you can fill them out for all family members, even if recently deceased, and vote for everybody. That spouse doesn't need to vote. The high-school senior is too busy to do their own voting. The truly ambitious can even grab ballots out of mailboxes, adding them to their pile.
It may take some time to fill out a ballot paper. But the act of voting itself is inserting the ballot paper into the locked and monitored ballot box, which takes a second or two.
My polling place is filled with tables and chairs and cardboard privacy dividers, but has just one ballot box, with a scanner-tabulator on top of it.
The electronic voting machines that take the place of the paper ballot are the problem. You need dozens per polling place, and each one is expected by design to be alone with a voter, with physical access and privacy, for tens of minutes. I presume by default that any jurisdiction using them is actively promoting the hacking of their own elections, and such presumption must be rebutted only by exposure of the facts of the process that would mistrust the communications coming from those boxes as compromised and potentially malicious. I cannot fathom how it would even be possible to secure such devices. At least the scanner-tabulators attached to ballot boxes can be watched continuously.
They are broken by design, and utterly unfixable. The specifics of the known exploits are therefore somewhat irrelevant, because there will always be some means of compromising them. So the only way forward would be to treat every last one of them as permanently untrusted hardware.
While there may be some way to make them useful in an election, for now, until that PhD cryptography paper comes out that solves the problem, the only reasonable thing to do is toss them all in the trash, and go back to inked paper.
State election boards
State House/Senate committees on elections
Local election judges and boards
Federal House/Senate committees on elections
I would assume that these allegations must be verified. However, since all the procedures and observations are being made in the open, they should be relatively easy to confirm.
But, what are our legislators and boards doing to prevent hacking and malfeasance like this?
An electronic scanning system could easily be vulnerable to many of the same issues that are presented here.
Instead, have everyone mark their ballots like normal, then get a bunch of people in a room who all don't trust one another and have them count/tally votes together. Just about everyone that can vote can help count (unlike with electronic counting machines where only a very competent engineer could even begin to audit a machine like that, assuming that they were allowed to even do so), and in places that run elections like this, there is almost never a shortage of people willing to assist counting votes, especially when the election is particularly controversial ("I'm not going to let that [side a] person from screwing over us on [side b]! Let's go get 20 of us there watching to make sure nothing bad is happening!")
Voting should be hard, voting should be expensive (for the country, not for individual people). Why "optimize" the one thing that secures our country with alternatives that are less secure, have more points of failure, and are overall less understood both by the voters and by the people using the machines to tally votes?
In New York City, optical scanners are used. As a check, random precincts’ ballots are manually tallied. This is a good compromise between cost and security.
(There are additional checks, like a public and private count and vote aggregates being publicly posted at every precinct at the end of the night. Observers can also audit the public and private count of any machine at any time of the day, and they do.)
Do they significantly improve accuracy? Do they save a significant amount of money? Do they increase the speed that things are tallied, and does that make a significant difference or improvement anywhere (because unless I'm missing something, getting results a few hours earlier is not a good reason to lessen the security of an election)?
I genuinely don't know, and I'd love to see more information if anyone has it on this.
Because to me, without knowing all of the details, it reads like "we trade some security to save costs by just not tallying some precincts at random".
If it's saving a significant amount of money, to the point where the state is much better off because of it, or if the usage of them somehow increases turnout by decreasing the time it takes to count votes, then I would agree with you. But without evidence like that, I'm sitting here wondering why these machines keep getting used.
Often times things that seem like they shouldn't be secure often are, and I'd love to be wrong about this one.
> Do they improve accuracy?
I think they pretty clearly would increase accuracy, modulo any potential tampering. Some of this is structural -- each ballot has multiple elections, some in which the same candidate can be featured multiple times under different party affiliations. Tallying this by hand seems intrinsically error-prone. It's arguable that simplifying the ballot could help both tallying and voting, but given the current design optical scanning seems like a huge increase in accuracy.
> do they save a significant amount of money?
Once again, I suspect yes -- tallying the votes by hand takes a lot of time and a lot of people. Poll workers aren't well-compensated by any means, but there's still a cost.
> Do they increase the speed that things are tallied, and does that make a significant difference or improvement anywhere (because unless I'm missing something, getting results a few hours earlier is not a good reason to lessen the security of an election)?
I think yes to the first and a matter of opinion on the second. I'm with you that speed of results is either a non-goal or an anti-goal -- states that release precinct-level results when voting is still open elsewhere in the country are implicitly engaging in electioneering in my mind, and should be explicitly forbidden from doing so.
An automated system combined with random manual tallies seems pretty good to me from a security standpoint. As an aside, in addition to the random tallies I believe there is a process where any party can request a certain number of explicit audits if they feel that the results seem questionable from a given precinct, and an additional layer of election supervisors who can make a non-partisan request if there are inconsistencies from previous election cycles) seems like
In New York I would prefer that the focus be on distributing voter information earlier and more widely would be a much better use of time than further changing the actual voting. When I lived in Washington state, you got a voter information guide with all the candidates and ballot measures, statements for and against, and an explicit statement as to what is being voted on, well in advance of the election. In New York, half the time I have to really dig to even find out what is going to be on my ballot, and finding the full text of ballot measures is an exercise in futility as you try to navigate through the NY Department of State to try to find the information. Third-party sources like local newspapers actually do a significantly better job than the state does here.
And while I'm sure they save some money, is it worth it? I'd like to get an idea of the scale involved. Because saving a few hundred thousand dollars a year for a state would make it absolutely not worth it in my opinion, but a few hundred million might be.
And finding exact numbers is extremely hard (at least for me), combined with the fact that these companies basically never release that kind of information, and I know it's not the best idea to read into these things, but I can't help but think that they would release these numbers if they were significant and showed the company saving tons of money for the state.
But I completely agree that there are much better things we can do to improve voting overall (personally my vote is for changing to a "ranked voting" system), but these machines still feel like a giant red flag to me. There's not a lot that can be done to swing an election by just a few people, but put some kind of electronic or computerized system in the mix, and now there's one dock worker that has access to a large number of the machines as they get shipped, and now you have a single point of failure.
While in school in the 80's I learned that the standardized tests the school were administering didn't mean anything. They had no bearing on my ability to graduate or go to college so I stopped caring about them. This opened up the freedom to do things like fill out multiple bubbles per line and otherwise get creative. About a month after filling out a test like this I got called into the office along with my parents. I was a pretty well known hacker at the time, running a couple local BBS's and whatnot. The state superintendent of schools was in the meeting and demanded to know what I did to their test scanning system. It turns out that I most likely caused a buffer overflow as line after line of multiple answers on the bubble sheet caused the system to crash. It took them weeks to figure out it was my test and in the meantime deadlines were being missed, etc.
After all, a lot of those counting machines are proprietary and un-auditable, so you have no way of knowing if they are actually just windows-xp wireless laptops crammed into a fancy plastic case.
I don't know enough about it in this situation to know, but things like that can sometimes cause a false sense of security or improvement that can actually make things worse in the long run.
One of the models (the ES&S M650) might be the actual scanners you are talking about, and that model has a number of terrifying vulnerabilities!
> Congress Must Fund Election Security: National defense is not the role of state and local government. Further, no state or local government will ever be able to raise enough capital to defend itself from a determined nation state. Thus, having codified the basic security standards developed by local election officials above, Congress must finance the implementation of these
Well. We tried: https://www.pbs.org/newshour/politics/republicans-block-bid-...
I'm from Idaho which is currently conservative by close to a 2/3 majority, but remember growing up that we had many liberal elected officials like Cecil Andrus and Frank Church. From my perspective, democrats are working to improve election security while republicans are not.
Is this simply a partisan issue? Does anyone from more liberal states have examples of democrats opposing election security?
If so - then how do we work to improve election security when our elected officials refuse to? If not - then how do we accomplish reforms within the republican party or make election reforms into political capital that it might be willing to trade for?
Does voter ID improve election security?
Which party opposes voter ID laws?
It does not.
Specifically: You can figure out if a voter is registered by cross-checking with the voting rolls, you can figure out if someone is alive by cross-checking obituaries and the other two issues can similarly be figured out by cross-referencing across all elections in a state. None of this requires strict voter ID to figure out and while it's possible that identities could be hijacked to vote for a certain person I believe but voter fraud is incredibly rare in practice.
Additionally all of those checks actually open up more avenues for hackers or less honest individuals to take advantage of said systems. For example dropping a bunch of people off of voter rolls to ensure that they have trouble voting or can't meet the deadline, mistakenly registering people as deceased and so forth. One of the major fears during the possible election tampering was that by altering voter rolls you could shift the outcome of an election.
I think your assertion seems more knee-jerk than the person you're responding to.
Respectfully, you're putting words in my mouth. I did not advocate for anything.
I was responding to the OP's assertion that, "democrats are working to improve election security while republicans are not." That assertion is facially incorrect, and Voter ID (whether you like it or not) is a reason why.
> Specifically: You can figure out if a voter is registered by cross-checking with the voting rolls, you can figure out if someone is alive by cross-checking obituaries and the other two issues can similarly be figured out by cross-referencing across all elections in a state. None of this requires strict voter ID to figure out.
Voter ID solves those problems at the ballot box. The volunteers sitting behind the desk aren't cross-checking obituaries or all elections in a state. You know that, so why did you say all that?
> voter fraud is incredibly rare in practice.
Why do you think that? After the last election, we saw video evidence of people being bused across state lines to vote where they weren't registered. That's just one example.
> Additionally all of those checks actually open up more avenues for hackers or less honest individuals to take advantage of said systems.
How would requiring photo ID matching that on the list of registered voters open up more avenues for attack? It's an additional form of authentication.
> For example dropping a bunch of people off of voter rolls to ensure that they have trouble voting or can't meet the deadline, mistakenly registering people as deceased and so forth.
What does requiring photo ID have to do with those forms of attack? Those can be done right now, without requiring photo ID. Why are you confusing the discussion with irrelevant issues?
> I think your assertion seems more knee-jerk than the person you're responding to.
Actually, your comment is the most knee-jerk in this thread so far. You've put words in my mouth and torn down a bunch of strawmen. You've identified me as an enemy when I haven't even advocated for one side or the other. All I'm doing is making logical observations. If you disagree with those observations, by all means, show me why.
Regardless of your political persuasion, I suggest you read a bit about how these voting machines are built. Assuming you are in tech, you will be horrified. Do you feel comfortable knowing your voting machine was written in VBA with an Excel spreadsheet as the backing data store? This is the level of incompetence we are dealing with. Integrity of our elections is an incredibly important issue for both parties, and this was a problem before Trump, Russia and the 2016 election.
I also suggest you read up on the Stuxnet virus if you want to see what a determined state actor can create given unlimited resources.
> It does absolutely nothing for the much more serious threat model of digital tampering.
I agree that they solve different problems. I think we should use only paper ballots, and eschew all forms of electronic voting.
A well-written voter ID law - one that truly guarantees the right to vote for every citizen eligible to do so - might well get enough bipartisan support; I'm just not aware of anyone ever trying such a thing.
Voter ID laws have been written in a way that they can be systematically (and I believe deliberately) abused to disenfranchise minorities. This is done by setting unreasonable office hours or locations to obtain voter IDs among other methods.
There is no need for voter ID laws and so there will be no bipartisan support for them unless both sides are interested in vote suppression.
As far as voter suppression, the whole point of what I wrote is that it's not inherent in voter ID. It only happens if the laws are deliberately designed that way. Again, look into how people vote in most European countries to see that it's not what these kinds of laws are actually about, when they're done right.
BTW, my perspective is that of a non-citizen on a track to citizenship. I think that even if real-world voter fraud is very low, there's also the question of symbolism at play. Voting is one of the few rights that are citizen-exclusive, so it is important to protect, even if only as a symbolic gesture. This goes both ways, of course - the right to vote shall not be denied to anyone who has it (and that part has priority for the same reason as presumption of innocence) - but conversely, if it is to be treasured, it needs to be secured to highlight its worth.
In many areas in America the hours for polling stations coincide with the typical workday. It can also take quite literally hours to reach your proper polling station to vote where taking any time off from work for many of the lower-class citizens is impossible. Proper ID for voting can also be harder to come across than you might think especially when access to them in minority or poor neighborhoods is deliberately limited. That's just to reach the location; never mind it potentially taking hours to just vote.
When you look at voter ID laws in a vacuum there isn't that much of an issue. However European countries have a far lower barrier to entry both for the act of voting and for getting a proper ID. When people talk about implementing voter ID in various areas; they're putting the cart before the horse, often intentionally because they know it benefits their voter base.
And as I've mentioned before voter ID solves very little. If you make it hard to vote just for a symbolic measure you're essentially admitting that you want to discriminate against minorities and the poor just for the sake of it.
All the issues you describe are, again, issues with a specific implementation. Voting day can (and should) be moved to a weekend. Government-issued IDs should be free and easy - I would even say automatic - to get. And so on, and so forth.
Voter ID does not have to make voting hard. I would not support any proposal that would do so (which is to say, any that I've seen pushed in US to date). However, I cannot in good faith support a principled opposition to voter ID as such.
And - speaking as a card-carrying member of the party - I believe that Democrats are shooting themselves in the foot by continually misrepresenting the core idea as racist etc. They should instead come up with a comprehensive voting reform proposal that would tackle all these issues - election security (including ID), voter registration, election day timing etc. And put it on the table with great fanfare. Then let Republicans explain why they're still opposed to it.
There's also an established history of voter ID laws in other countries not being used to suppress votes. This isn't a hypothetical, either.
From which directly follows that voter ID is not racist. The right-wing politics around voter ID in US specifically is racist. If lefties keep letting right-wing own the subject, then that's all it'll ever be. But it doesn't have to be that way.
This country has a long and well documented history of voter suppression and voter ID is just the latest example.
You’re going to have to do better than “other countries do it” to convince me voter ID laws are a good idea. Start with any evidence of necessity and how the south won’t abuse the hell out of it. Remember that they have already abused the hell out of it.
Furthermore, in US specifically, right to vote is not even a guaranteed right for citizens - there's nowhere in the constitution that says a citizen has an inherent right to vote. There are various amendments that prohibit the government from discriminating based on certain traits (gender, race, age, poll tax etc); but none of them are a blanket grant of the right. This is why the states can prohibit felons from voting, for example, and why the criteria for that are so drastically different between them.
Now, personally, I think this is not a good idea, and every citizen should have an unconditional right to vote that can only be stripped with citizenship. But you insist that we talk about US as it is - and that is how it is.
The way you implement voter ID such that South can't abuse it is by using the constitutional power of Congress to set uniform rules for all congressional elections in the country. Since citizenship is a federal matter, it follows that voter eligibility as it pertains to citizens and non-citizens is also a federal matter, and should be set on the appropriate level. It would completely preempt any state legislation on this, solving the problem once and for all. This also means that the feds should be required to issue an ID that is sufficient to vote to any citizen who asks for one, at no cost to the citizen, and with minimal hassle - ideally, automatically - same as every other government in the world does.
And I disagree that symbols don't matter. The right to vote is valuable in part because of its exclusivity - not everybody has it. If you're unwilling to protect that exclusivity, even symbolically, that diminishes the right.
The question you should be asking is what party advocates for voter ID laws in the absence of any evidence to their necessity.
Voter ID laws are a solution to a problem that does not exist to allow political parties that advocate them to suppress votes at will. There is no existing need for voter ID laws and voter ID would not prevent tampering with voting machines.
It may be a worthwhile exercise to see what states advocate insecure voting methods (machines) and voter ID laws.
State and local governments have been handling their own elections since before the country was founded. This is a good thing, because it keeps elections close to the people, accountable to the people.
The last thing we need is nationalized elections. That would make all of our elections vulnerable together. And that includes federal funding for state and local elections, because federal funding always comes with extensive rules and regulations, which would effectively put elections under federal control.
We need to move more government and accountability closer to the people, not to Washington, D.C.
They're already vulnerable, all together.
> which would effectively put elections under federal control.
They are already under numerous federal laws. Strangely enough, counter to your point, federal laws have been the #1 driving force for allowing more people to vote ("closer to the people"). See: https://www.usa.gov/voting-laws
Elections, in the 21st century, should fall within the range of national defense. Power grids and other types of infrastructure are, why not the democratic infrastructure like elections and voting?
> The last thing we need is nationalized elections. That would make all of our elections vulnerable together.
Or you know, the ability for elections to actually be fixed in a systemic fashion. It's really the only way.
I really don't understand this attitude. To take an example from the software industry, would you rather have your users on one OS, for you to secure, or 20+ different ones, where you need to plug holes independently?
Fix one issue with a voting machine, fix them all, as opposed to just fixing Florida's specific homegrown crap.
State's rights are comparable to redundancy in the software world but really these analogies are strained.
This country has been around for over 200 years. Our elections have worked well, or else we wouldn't be having this conversation.
> Elections, in the 21st century, should fall within the range of national defense. Power grids and other types of infrastructure are, why not the democratic infrastructure like elections and voting?
No, they shouldn't. I want my city, county, and state elections run by my city, county, and state, so that when something goes wrong, I can go to the city, county, or state to see about making it right, and even run for office locally to fix it myself, or go to the state capital at worst--not have to go to Washington, D.C. and complain to some bureaucrat that hasn't even heard of my city and couldn't care less about my state.
> Or you know, the ability for elections to actually be fixed in a systemic fashion. It's really the only way.
> I really don't understand this attitude. To take an example from the software industry, would you rather have your users on one OS, for you to secure, or 20+ different ones, where you need to plug holes independently?
You're looking at it the wrong way. What is easier to attack: a homogeneous network in which every machine has the same, known vulnerabilities, or a heterogeneous network in which only subsets of machines have certain vulnerabilities? What is easier to destroy: a forest comprised of a single species with the same vulnerabilities to certain pathogens, or a forest with a variety of species?
Recent history shows the inherent risk of homogeneous networks, e.g. the NotPetya worm that took down global IT infrastructure for the biggest companies in the world in a matter of seconds: https://www.wired.com/story/notpetya-cyberattack-ukraine-rus...
This country was designed around compartmentalization. If one state enacts bad policies, has corrupt government, etc, it doesn't necessarily affect every other state. But when the federal government makes bad decisions and becomes corrupt, it does affect every state.
You want our elections to be more easily compromised, more easily controlled by third parties? Nationalize them. Use the same systems and rules and policies everywhere. Make every election, everywhere, have the same, known flaws and vulnerabilities. Make every election, everywhere, reliant on the slow-moving federal government to fix problems that states and localities could fix independently and quickly.
> Fix one issue with a voting machine, fix them all, as opposed to just fixing Florida's specific homegrown crap.
How about letting Florida worry about fixing Florida's elections, and you fix yours. I don't think you'd like Florida telling you how to run your elections, but that's exactly what you propose in reverse. It's antithetical to liberty.
Doesn't follow; countries can exist for a long time without elections at all, and, a fortiori, without elections that “work well”. Our existence and ability to debate the topic doesn't prove our elections worked well on average over history, or that they've been working well in their most recent form. Or much of anything else.
When we eventually stop having them, then we can revisit this conversation and long for the good old days. Meet you back here in...a few centuries?
Maybe we could start tweeting them? https://twitter.com/usafacts/
It's a little tangential, but I think this comment is evidence that the verb "hack" has finally completed its evolution into a synonym for "do."
Demonstrate a model election. As in show what it looks like, explain all the bits.
Voter registration, candidate filing, ballot production, poll books, signature verification, tabulation, ballot summary reports, etc.
This will equip laypersons with the knowledge of what to fight for as they reform (improve) their local elections.
FWIW, the gold standard is paper ballots cast at poll sites, tabulated when the polls close. Variations may be desirable, eg postal ballots to enfranchise, but know the tradeoffs.
I feel I could spend well over a week going through trying to learn more about each point made.
I've also heard some people claim that a lot of these voting machines are no longer used.
Sometimes I wonder how some people manage to keep their jobs, and how companies manage to keep their contracts. This is gross negligence.
(In case you're not from the US: our government is largely a representative democracy, not a direct democracy, with a few exceptions, such as California's proposition system.)
I would say that voting machines are also a niche issue: whether that's good or not, IDK, but most candidates (I feel) would rather discuss their positions on more mainstream topics such as gun control issues, gay rights, abortion, economics issues (particularly vague economic issues), whether or not we should build a wall, etc. Technology is a rare issue, and even rarer to see a candidate demonstrate an understanding of the facts in the issue.
I don't know any security professional that would tell you physical access isn't equal to the ability to hack a device.
The reality is subversion of people managing processes is of a higher probability than attacks of the machines themselves. It's also not unique to electronic voting, people are always the weak link in security and will always be the weak link.
Which, sure, is something to think about. But it's not what I think people are imagining when you say "voting machine hacking."
Now finding out that Dominion's equipment is mentioned here is a little bit worrying. There was also an incident during our elections hours before a voting machine was accessed just because they have to change a single letter. It is still disturbing to this day.
(This is a guess. Trump won in 2016 by 107k votes across 3 states - inside those states how many counties were actually "swingy"? https://www.washingtonpost.com/graphics/politics/2016-electi...)
In my non-professional opinion, none of these vulnerabilities seem earth-shattering, although the potential lack of paper trails makes some of the touch-screen systems very dicey. Both of the touch-screen systems have the option of a voter-verified paper trail, but it's not clear how widely those options are deployed.
- Use: Used to check in voters at the polling station.
- Vulnerabilities: No voting-specific vulnerabilities were found; generally an insecure WinCE machine. Physical access would be needed to compromise.
- Impact: Could change voter polls to selectively exclude individuals, forcing them to use provisional ballots. Could add voters to polls potentially, but not clear [ed] if this would pass a cross-reference with upstream voter registry.
Dominion AVC Edge
- Use: Touch-screen voting machine. Records votes electronically and [ed: has an optional voter-verified paper ballot audit system. Not clear how widely the paper ballot system is used with this machine.] Verifies voter eligibility with a smart card distributed by poll staff. [ed: Presumably the smart card is cross-referenced with the voter rolls during tally.]
- Vulnerabilities: Physical vulnerabilities, including swapping out the electronic storage. [ed: Not clear if this would be detected by audits against the smart card registration or voter rolls].
- Impact: Removed or changed votes or completely synthetic votes, [ed: if not cross-referenced; or the storage could be re-written to change or spoil existing votes]. [ed: If paper option is not used, then no audit would be possible if storage is compromised].
Dominion Premier/Diebold AccuVote TSx
- Use: Touch-screen voting machine. Records votes electronically and has an optional voter-verified paper ballot system. Verifies eligibility with smart card distributed by poll staff.
- Vulnerabilities: Denial-of-service attacks easily available by unplugging a cable. Smart card is supposed to be reset by the machine, but a substitute smart card can be used that allows unlimited votes. [ed: Not clear if this would pass a cross-reference with the voter rolls, or if the machine is equipped to allow such an audit.] Malware could be distributed for the device [ed: through unspecified channels]. Such malware would allow an adversary to compromise many machines without requiring physical access to polling stations.
- Impact: Removed or changed votes or completely synthetic votes [ed: if not cross-referenced with voter rolls; or malware could be used strictly to change votes and still pass the cross-referencing with voter polls. The user-verified paper option could mitigate some of this, but the malware could theoretically spoil the user-verified ballot and produce a new non-spoiled ballot with a changed vote.]
- Use: Strictly for tallying of paper ballots.
- Vulnerabilities: Physical security at the polling place, and network-based attacks in situations where the devices are networked (not at the polling place, but at the clerk's office or similar centralized locations). Though attempts are made on the device to prevent unauthorized software from being installed, there are known vulnerabilities that allow that to be changed, through a serial control port or by modifying the Zip disks (?!) that are used as the underlying file system.
- Impact: Changing vote tallies. [ed: An audit would be possible because this machine uses a direct voter-filled-out paper trail].
Anyone in security could threat model every single one of these attacks on the back of a napkin in about six minutes. It is sad that you can replace hard drives in voting machines, but of course that's expected and rather obvious.
It'd be neat if DefCon would use some of its money and sponsor a device roadshow. Ship these things around to different labs and makerspaces for month long stints. Sign up someone who has a vague idea of what he or she is doing that can guide and teach others on weekends. Let people do real work and not just marketing.
It's just another reason why voting machines (or vote counting machines) are so dangerous. Even if the public had the ability to audit and verify the machines are working correctly, they aren't allowed to.
The parties then can have them analysed and choose whether to use them or not, perhaps something like all those with more than 10% of the vote previously could decide whether to use machines or human counting; full consensus required.
Rule two (2) should be something along the lines of all votes requiring an agreed sampling to be counted via alternative methods.
You could even have a sample of electoral wards not use the machines at all - that would suggest irregularities if there was tampering, as the hand [machine] counted wards would have different voting preferences to the others.
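The control-ward comparison proposed in the comment above, sketched as an added example that is not part of the thread: an exact permutation test on per-ward vote share, assuming the hand-counted wards were chosen at random. The function names, the ward tallies and the candidates "A" and "B" are all constructed for illustration.

```python
from itertools import combinations
from statistics import mean

def ward_shares(wards, candidate):
    """Per-ward vote share for one candidate."""
    return [w[candidate] / sum(w.values()) for w in wards]

def permutation_p_value(hand, machine, candidate):
    """Exact two-sided p-value for the gap in mean ward share.

    Null hypothesis: the counting method has no effect, so any subset of
    wards of the same size was equally likely to be the hand-counted group.
    """
    h, m = ward_shares(hand, candidate), ward_shares(machine, candidate)
    shares = h + m
    observed = abs(mean(m) - mean(h))
    hits = total = 0
    for picked in combinations(range(len(shares)), len(h)):
        group = set(picked)
        g_hand = [shares[i] for i in picked]
        g_mach = [s for i, s in enumerate(shares) if i not in group]
        total += 1
        # Small tolerance so ties with the observed gap count as hits.
        if abs(mean(g_mach) - mean(g_hand)) >= observed - 1e-12:
            hits += 1
    return hits / total

def ward(a, b):
    """Build one ward tally (constructed helper)."""
    return {"A": a, "B": b}

# Constructed tallies, 1000 ballots per ward: 3 hand-counted control wards
# and two alternative sets of 7 machine-counted wards.
HAND = [ward(480, 520), ward(500, 500), ward(490, 510)]
MACHINE_CONSISTENT = [ward(a, 1000 - a)
                      for a in (490, 510, 500, 470, 530, 480, 490)]
MACHINE_SHIFTED = [ward(a, 1000 - a)
                   for a in (550, 560, 540, 570, 550, 560, 530)]

if __name__ == "__main__":
    for name, machine in (("consistent", MACHINE_CONSISTENT),
                          ("shifted", MACHINE_SHIFTED)):
        print(name, round(permutation_p_value(HAND, machine, "A"), 4))
```

With 3 of 10 wards hand-counted, the smallest p-value this test can ever report is 1/120, so the size of the control group sets how sensitive the check can be. A low p-value is a trigger for a full hand recount of the paper ballots, not proof of tampering.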
I'm more alarmed at the number of people willing to complain and moan about change, yet refuse to volunteer at their local polling station. If awareness is important, we have to start somewhere, yet the vast majority of people complaining expect it to just solve itself.
Sometimes to fix a broken system you have to become a part of it and change from the inside.
This is a useless statement. Security is a continuum, and it's perfectly valid to point out voting machines suck on that continuum.
I store my private key on a yubikey, and sure if you had physical access and spent about $300k you could decap it and recover the private key (with a success rate of maybe 10%, an expensive hardware lab, and expertise only a handful of people have).
That's a whole different ballpark from voting machines which don't use a hardware TPM to attest votes, but instead store them in CSVs while running Windows CE such that an attacker with a jumpdrive can plug it in and alter records using exploits which have been public for years and years.
> Sometimes to fix a broken system you have to become a part of it and change from the inside.
Unfortunately, various people have tried to change it with no success. The voting machine companies have contracts with the government that preclude new entrants to the business.
Security researchers who contact voting machine companies have no impact.
Technologies such as TPMs exist, but the voting machine vendors have little apparent interest in these new ideas and technologies.
I don't think it's fair to discount other commenters from providing information and discussing their views just because they're unwilling to go into politics to attempt to fix these silly government contracts (with a low chance of succeeding).
You're not getting any of this access without modifying hardware at the polling station. If poll monitoring is being performed, they're going to notice someone taking apart a voting machine.
I was at the Voter Village. Two years in a row I spent time disassembling the machines. They're not as easy as you're making it out.
Being a part of monitoring of these systems is not something stopped by big business. That's a cop-out.
TPM should be a part of medical devices, but it's not. I would argue that's even more important than a voting machine. Unless you work for a manufacturer or are building a voting machine with these systems, sitting around and saying you could do X or Y doesn't solve a damn thing.
iOS 11+ Apple devices are pretty much not.
We detached this subthread from https://news.ycombinator.com/item?id=18112453 and marked it off-topic.
> even when you know how you will vote in advance.
It doesn't matter if there are things a voter can do to speed up voting, it only matters that it still wouldn't be suspicious if someone was in the booth for 2 minutes.
I mean it's not wrong, the net neutrality debate is about deregulating the internet by the government so that the ISPs can regulate it. But you have to know what more freedom for ISPs can entail.
I mean if it was called Unlimited Gun Use Freedom it could be a name for legalized murder.
Initially it was called "California Marriage Protection Act", which is pretty common for anti-gay-marriage acts.
Later it was called "Eliminate Rights of Same Sex Couples to Marry". Which is 100% obvious.
Only people who lazily called it the "gay marriage prop" were confused.
I remember people being confused about the polarity of the vote, but then again I remembered incorrectly that the title approval had been because of prop 8 so who knows.
> Eschew flamebait. Don't introduce flamewar topics unless you have something genuinely new to say. Avoid unrelated controversies and generic tangents.
> Please don't use Hacker News primarily for political or ideological battle. This destroys intellectual curiosity, so we ban accounts that do it.
In the case of US elections - even with secure infrastructure, the election will be determined by billionaire-sponsored campaign budgets and policies that entrench the 2 party system.
After the DNC email leak, I'm amazed how little attention was placed on hard evidence that the Democratic Party methodically sabotaged candidates in the primaries. Shifting public focus to the "Russian Hacking" was amazing PR work.
Finding and publishing vulnerabilities is fine. But DefCon shouldn't be advocating policy or fixes. That should be left to the government, businesses, etc. The more defcon mixes with authorities, the better.
Vulnerabilities exist, it's the efforts we put into addressing them that matters. Yelling about one party or the other being responsible won't solve the problem. The first steps to a big fix would simply be locking down processes, things that can be done by volunteers joining in the efforts of their local and/or state voting agencies.
It's easy to sit on the sidelines and say this and that are wrong, I'd rather see more people standing up and trying to find solutions that work.
I volunteer and we are always short and no one ever seems to "have the time". The quality of candidates that do volunteer are all over and would have far greater an impact with more tech exposed individuals instead of the common retirees that I work with.