Voting machine maker claims vote machine hack-fests a 'green light' for foreign hackers

DJV Silver badge

Weasels!

"Voting machine vendor ES&S says it did not cooperate with the Voting Village hacking competition at DEF CON because it worried the event posed a national security risk."

Bollocks, more like it posed a risk to exposing how lousy ES&S's security really is! Do they build insecure IoT crap as well?

Anonymous Coward

Oldschool saying comes to mind

Worried about 'National Security' or 'Natural-Insecurity'

big_D Silver badge

Re: Weasels!

Exactly, everybody in the security industry or with any interest in IT security already knew that voting machines are one of the biggest security holes out there - probably only second to PLCs that have been put online with no thought to additional security (i.e. they were designed to be air-gapped, so no security was implemented, now they are online and the only security, the air gap, is gone).

Prst. V.Jeltz Silver badge

Re: Weasels!

already knew that voting machines are one of the biggest security holes

I didn't know that. I had assumed that, unlike IoT producers, it might have at least crossed the minds of the voting machine makers that some security would be needed. I'm not saying they're secure (what is) but surely they tried?

(despite the fact this idiot CEO refuses to show the results of their efforts)

big_D Silver badge

Re: Weasels!

In the past, they (various voting machine manufacturers) have tried several different tactics to stop the devices being tested at all.

For a start, part of the contract of sale prohibited the owner performing security tests or letting security tests be performed on the machines; they tried to restrict the resale of old machines, so they couldn't be bought by pen-testers; and they tried using the DMCA to stop the machines being tested.

So, yes, they tried a lot of things in relation to security, but more in the direction of burying their heads in the sand and silencing anyone who could tell them they had loused it up.

Velv Silver badge
Facepalm

Re: Weasels!

clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop clip clop

Yup, that's the sound of the horse already out of the stable, no point finding out how to close and lock the stable door now

Pen-y-gors Silver badge

Re: Weasels!

It could only pose a 'threat to national security' if the voting machines are actually insecure. It's not as if the hackers are creating the security holes.

So the threat is actually the manufacturer.

Giovani Tapini

Re: Weasels!

Why would they fix the issues? The machines are clearly designed to let the Russians dictate the election results. It would not be wise to remove their ability to do so... (depending on whose story you believe)

a_yank_lurker Silver badge

Re: Weasels!

Please do not insult weasels, they like to feast on vermin like ES&S.

Seriously, anything that is linked to the web is vulnerable to attack and needs to be secured. Does not matter what it is, it will be attacked. Some will be harder to get at as they might not be directly accessible, that only makes them somewhat less vulnerable not invulnerable. Anything that is mission critical as a voting machine should be considered should be thoroughly tested by outside experts to find the failures. If they can find them then black-hats can find them also.

JohnFen Silver badge

Re: Weasels!

"I'm not saying theyre secure (what is) but surely they tried?"

From the day that voting machines were put into use, it was readily apparent that they didn't even try. They put some effort into making them look secure, but little effort into making them actually secure. And, also from day 1, when people pointed out the numerous serious flaws in the machines, their response was not to fix the flaws, but to condemn those who were looking for, and found, them.

Just as they continue to do today.

Eddy Ito Silver badge

Re: Weasels!

Do they build insecure IoT crap as well?

Are you giving odds? I'd be willing to put a tenner or two on their voting machines being insecure IoT crap for the right moneyline.

Frumious Bandersnatch Silver badge

Re: Weasels!

clip clop clip clop ...

Viz Top Tip:

Bang two pistachio shells together to recreate the sound of a really small horse on the cheap.

ITS Retired

Electronic voting machines need to be insecure, so that the local precincts can have the correct winner.

That is the why of no paper trail, internet connectable, common admin passwords among machines, some flavor of Windows, proprietary secret software and firmware and so on.

These people also make very secure ATM machines, so it is not like they don't know how to do voting machine security right.

Nick Kew Silver badge
DryBones

Er...

Perhaps they should try being less rubbish instead. Did they ever think of that? Thought not.

Mark 85 Silver badge

Re: Er...

Security by obscurity, surely. So they won't participate in these kinds of things, that's fine. Now for the disclaimer... if they really wanted to ensure security, they would maybe go open source? Or invite selected white hat hacker types to test either on-site or in very secure locations?

It's not a question of "they're happy to work with outside researchers" but are they actually doing it? This article on the heels of the previous one, smells like a fish that's been left in the sun for a week.

big_D Silver badge

Re: Er...

Going Open Source isn't necessarily going to bring any changes to the security of the product. Plus it is probably considered a "trade secret" and can't be open sourced.

On the other hand, for something as important as a voting machine, the purchasers should be ensuring that what they are buying has been thoroughly, independently tested, before handing over any money.

kain preacher Silver badge

Re: Er...

Open source is worthless if you don't let people see the code.

kain preacher Silver badge

Re: Er...

To the person that down voted me, you think Open source is good if you can't see the source code that is being run. How do you know what back doors are in it? Open or closed source makes no diff if people can not see what's running under the hood.

JohnFen Silver badge

Re: Er...

"Plus it is probably considered a "trade secret" and can't be open sourced."

That's another issue. Machines that are intended to tally votes should not be allowed to have any secret code at all. Ideally, it would be available to the public. But, if that's too much for their weak stomachs, then at least it should be available to security researchers.

Claiming "trade secret" should automatically mean "no sale".

JohnFen Silver badge

Re: Er...

I didn't down vote you, but I'll take a guess that the person who did was thinking something like "being open source means that people can look at the code". If you can't see the code, then it isn't open source.

kain preacher Silver badge

Re: Er...

"Plus it is probably considered a "trade secret" and can't be open sourced."

That's exactly what Diebold claimed and then promptly sued the state of New Jersey to stop them from looking.

strum Silver badge

Re: Er...

>you think Open source is good if you can't see the source code that is being run

You're being downvoted because you seem to be unaware that if the code can't be seen, it ain't open source.

Allan George Dyer Silver badge

Most Secure Voting Machine

The pencil (with appropriate procedures)

onefang

Re: Most Secure Voting Machine

"The pencil (with appropriate procedures)"

I still think the pen I bring with me is even more secure.

hughca
Coat

Umm...

"I still think the pen I bring with me is even more secure."

Only if it's been rigorously pen-tested...

...sorry...

Anonymous Coward

Re: Umm...

Well it is better than a sword.

onefang

Re: Umm...

Yeah, a sword is just a bit too unwieldy to use to make your mark on a ballot paper. Though it does leave no doubt about your voting intentions if you use it to make your mark on a politician. Which I think was one of the original design goals for swords.

tom dial Silver badge

Re: Most Secure Voting Machine

Traditional "counting" methods include both completing ballots when the voter skipped an office or voted for fewer candidates than allowed and (probably much more often) invalidating voters' choices (by marking additional boxes or bubbles) when they made "mistakes."

It is convenient if everyone is forced to use the same marking instrument (pencils often are preferred because a voter can correct a misplaced mark rather than enduring the fairly significant hassle of having the election judges cancel and issue a replacement ballot). Use of a variant marker will insure, at most, the security of a single ballot; corrupt ballot counters will simply omit it from their correction activities.

Velv Silver badge
Happy

Re: Umm...

"it does leave no doubt about your voting intentions"

There was a case in the UK where instead of an X in the box, the voter had written a bad word against four of the five candidates. While those four candidates sought to have the ballot paper declared excluded, the presiding officer had to agree that the voter had expressed a clear preference for one of the five.

Allan George Dyer Silver badge

Re: Most Secure Voting Machine

@tom dial - Appropriate counting procedures make such malpractice impractical. My personal experience is with UK county council elections, where I acted as an observer. Each candidate could have observers at the count. Observers had to swear in front of a JP that they would not interfere beforehand. Ballot boxes were opened and ballots counted in view of the observers who could raise queries. Spoiled and questionable ballots were reviewed by the Returning Officer with the candidate's Agents. Ballot counters were mostly (all?) local government employees. Nothing is hidden.

It's all scalable - if you're a candidate with a chance of winning, you have enough supporters to act as observers; larger constituencies have larger pools of local government employees to act as ballot counters. A corrupt ballot counter is risking their permanent job, and has very little opportunity to act unobserved.

ivan5

Re: Most Secure Voting Machine

No matter how good the counting methods are the big question is how do you get round the problem that is best expressed as:

'Grandma was a loyal Republican until the day she died. Ever since, she's voted Democrat'

No machine or counting system is going to counter that.

Stork Bronze badge

Re: Most Secure Voting Machine

In Denmark (at least) where everybody is registered to a scary degree, that cannot happen. By law you have to register in the municipality where you have your residence, and the electoral roll is simply the subset of residents who are old enough to vote and have suitable nationality. Yes, prisoners can also vote.

The consequence is that when your status changes to "dead" you are taken off the roll.

These are the upsides of the pervasive registers.

a_yank_lurker Silver badge

Re: Most Secure Voting Machine

@ivan5 - That problem is with the voter rolls and their maintenance plus whatever id is required to prove your identity to vote. A different issue altogether than the security of the actual vote. If the actual vote totals can easily be manipulated without easy detection by the counters then all elections are in question as one does not know what the real votes were. Cleaning up voter rolls is important but not as critical as making sure the votes can not be changed without detection. The 2000 US fiasco in Florida was an example of having the actual ballots for a recount (Bush won them all). Even if there were issues about how to count some ballots ("hanging chads") one had the physical evidence to look at.

Claptrap314 Bronze badge

Re: Only Secure Voting Machine

Fixed the title for you.

I've worked about 30 elections, all in Texas.

Giovani Tapini

Re: Umm...

Swords are large and can leave a mess. Why not just stick to hanging Chad instead?

onefang

Re: Umm...

"Swords are large and can leave a mess. Why not just stick to hanging Chad instead"

I don't think there are any politicians around here called Chad.

tom dial Silver badge

Re: Most Secure Voting Machine

@Allan George Dyer: Appropriate counting procedures make this misbehavior more difficult, but not necessarily impractical. You describe theory and, as far as I know UK practice, quite accurately. I described reasonably well documented US historical practice, where manual counting, when used, customarily is done by teams of election judges representing at least two political parties. As in the UK, the procedure may be witnessed by independent (i. e., non-official) observers. Skewing the count requires no more than the practical skills of a magician, and has not always been free of corruption.

Voter marked paper ballots clearly are the most transparent and easily understood way to record votes. Vote counting, whether by humans or machines has vulnerabilities. They can be mitigated and rendered less probable, but probably cannot be eliminated entirely and may sometimes affect the outcome of close elections.

strum Silver badge

Re: Most Secure Voting Machine

>manual counting, when used, customarily is done by teams of election judges representing at least two political parties. As in the UK, the procedure may be witnessed by independent (i. e., non-official) observers

That's not how it works in the UK. The counting is done by non-partisan officials. They are supervised by representatives of the parties.

Anonymous Coward

Security

NO votes!

John Smith 19 Gold badge
Thumb Up

"Ignorance of insecurity does not get you security. "

The most succinct description of why security by obscurity (even with special "National Security" BS sauce) doesn't work.

Yes I also wonder if they have a division of code monkeys who sling IoT s88t

Potemkine! Silver badge

Voting machines are nonsense

Every sane democracy should get rid of it. All these companies should be out of business, they are a threat rather than a solution.

Prst. V.Jeltz Silver badge

"Why Electronic Voting is a BAD Idea"

Y'all know Tom Scott, professional YouTube geek?

https://www.youtube.com/watch?v=w3_0x6oaDmI

Anonymous Coward

Crudbump has a great song about Christmas.

Prst. V.Jeltz Silver badge

When J Clarkson and co ask the manufacturers to loan them their latest hatchbacks for a comparison test, they do it - because even if they don't win the comparison test, to refuse to enter shows they have no confidence in their product... and the testers would possibly get one elsewhere anyway.

And to show that lack of confidence when you make VOTING machines??

qwertyuiop

I can't remember where I read (or heard) this, but it seems entirely appropriate here: "Hackers don't break things, they just prove they were broken in the first place".

Mongrel

Hackers don't break things

Not forgetting that these are the good guys, for some slightly fuzzy definitions of good, who are willing to show their work. We generally have no idea how far along the bad guys are in defeating the 'security' on these machines.

elvisimprsntr

Don't some of the voting machine manufacturers also make ATM machines which are vulnerable to remote jackpotting and have one key fits all locks? I would not be surprised if they also manufacture the computer systems in gas pumps. That is all one really needs to know to make an educated guess about security of voting machines.

DropBear Silver badge
Trollface

So, um... (you knew this was inevitable, didn't ya) ...voting based on blockchain, anyone?
