DEF CON hackers' dossier on US voting machine security is just as grim as feared

Hackers probing America's electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms. The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking …

  1. Winkypop Silver badge

    Land of the free!

    Free to vote any way (or number of times) you like.

    1. Anonymous Coward

      Re: Land of the free!

      Vote Early, Vote Often

      1. ivan5

        Re: Land of the free!

        Even your dead grandmother can vote.

        1. A.P. Veening Silver badge

          Graveyard voting

          Nothing new about that, that has been going on for the last two hundred years (at the least).

          1. Dr Dan Holdsworth
            WTF?

            Re: Graveyard voting

            Yes, democracy was famously so popular in places like Chicago that the occupants of quite large cemeteries would lurch down to the voting booths to cast their votes, sometimes several times!

            1. tony2heads

              Re: Graveyard voting

              That would account for the zombies they have in office

        2. IglooDude

          Re: Land of the free!

          "Even your dead grandmother can vote."

          She couldn't change the "12:00" blinking on her VCR, but it sounds like these voting machines are still within her hacking abilities.

    2. GnuTzu
      Coat

      Re: Land of the free! -- Accountability

      We're now so conditioned to accept both weak security and lack of true representation that it will take a major, apocalyptic, catastrophe for anything meaningful to be done about this. That is, the people who are responsible for this crap will not be sent to jail, will not be fined, and won't be fired. If anything, they'll create a commission to look into creating a standard that won't get implemented. We'll be lucky if we get a law requiring a paper trail. Sigh.

      1. Someone Else Silver badge

        @GnuTzu -- Re: Land of the free! -- Accountability

        We're now so conditioned to accept both weak security and lack of true representation that it will take a major, apocalyptic, catastrophe for anything meaningful to be done about this. That is, the people who are responsible for this crap will not be sent to jail, will not be fined, and won't be fired. If anything, they'll create a commission to look into creating a standard that won't get implemented. We'll be lucky if we get a law requiring a paper trail.

        In other words, the status quo....

  2. ThatOne Silver badge
    Big Brother

    Shush, those are just the means to correct incorrect vote results.

  3. Anonymous Coward

    Government of the Vote Grabbers, by the Vote Grabbers, for the Vote Grabbers

    or I'm a pussy.

  4. Anonymous Coward

    Centralized incompetence

    The article heavily promotes the idea of federal fixes for voting security, but in fact there are NO federal elections whatsoever. All national elections are held at the state level with each state responsible for its own separate voting system. If the Feds try to stick their big oar into that existing system it will constitute a major change far more sweeping than just tightening security.

    Currently the states are generally moving away from voting machines and towards paper ballot systems. The problem may still partially exist for the upcoming election but the future looks better. I, as a small government proponent, would prefer the Feds keep their sullied hands off our election apparatus. A distributed system seems safer than a centralized system to me, even with a few temporary vulnerabilities.

    1. phuzz Silver badge

      Re: Centralized incompetence

      Perhaps there's a case for the federal government setting some standards ("your voting machine must be this secure to enter"), and leaving it up to the individual states to come up with whichever way they like to meet those requirements.

      1. Claptrap314 Silver badge

        Re: Centralized incompetence

        That would seem to me to be a stretch. The only clause that I can think of that would permit is that "congress shall guarantee to each State a republican form of government". I'm pretty certain that this clause, if ever tested, is a reactive clause.

        1. Someone Else Silver badge

          @claptrap314 -- Re: Centralized incompetence

          The only clause that I can think of that would permit is that "congress shall guarantee to each State a rRepublican form of government".

          Yes, that was Tom DeLay's dream, wasn't it...

          Link provided for those of you too young, or too East, to remember this sorry-assed bastard. Pay special attention to the section about his trial...

          1. Anonymous Coward

            Re: @claptrap314 -- Centralized incompetence

            Funny, that Wiki page has this:

            "The trial court's judgment was overturned by the Texas Court of Appeals, an intermediate appellate court, on September 19, 2013, with a ruling that "the evidence in the case was 'legally insufficient to sustain DeLay's convictions'", and DeLay was formally acquitted.[1] The State of Texas appealed the acquittal to the Texas Court of Criminal Appeals[2][3] On October 1, 2014, the Texas Court of Criminal Appeals affirmed the appellate court decision overturning DeLay's conviction."

            So DeLay was indicted for technical violations of election law, in the only county in Texas that isn't Republican-leaning, and that court was finally slapped down twice, exonerating DeLay. But in the meantime Tom DeLay was made to suffer and his career was ended, the true goal of the exercise. I suppose he was just too effective a legislator for some people's taste.

        2. Claptrap314 Silver badge

          Re: Centralized incompetence

          Uggh. I read a case a couple of months back where the Court stated that they have previously ruled that clause "non-justiciable". Which is USSC-speak for "we decided to delete this from the Constitution."

      2. Anonymous Coward

        Re: Centralized incompetence

        I agree, the federal government should set standards like:

        1) all votes for federal office (i.e. president, senate, congress) must leave a human readable paper trail

        2) every state must conduct a hand recount of a statistically significant portion of precincts for votes for federal office, prior to final certification, and if sufficient statistical deviation is found must conduct a full state-wide hand recount of all votes for federal office that will be the final certified total

        3) if states require state/federal issued ID to vote, the state must issue state approved voter IDs for free to any resident who doesn't already have another form of state approved ID (such as driver's license) and provide transportation to/from the site where this is available for any resident who lives more than 5 miles away, or is disabled (for those who wonder why, this is to discourage states making the locations inaccessible to make voting more difficult for the poor or minorities)

        4) states that require state/federal issued ID to vote must accept social security cards, along with a signature attesting they are that person and whether they filed federal taxes last year and if so in what state and attest they have moved if not this state, as proof of identity to obtain a free state issued voter ID. The forms filled out for all IDs issued in that manner will be forwarded to the federal government to be cross checked and confirm that a) that person is still alive, b) there are no duplicate voter IDs with that SSN issued elsewhere in the US, c) what they said about if/where they filed federal taxes matches IRS records

    2. Anonymous Coward

      Re: Centralized incompetence

      "Currently the states are generally moving away from voting machines and towards paper ballot systems."

      Having worked on federal elections as a CPS (integrity) - basically a roving troubleshooter / problem solver / support person reporting to the riding returning officer (the person with total responsibility for running the election in the riding), I now appreciate that a properly designed and run paper ballot based system is extremely secure and difficult to compromise.

      Anyone who wants to take a hard core look at the processes and safeguards hidden behind the relatively simple outward face of the election process, for an example electoral system, can find them here, in the Elections Act:

      http://laws-lois.justice.gc.ca/eng/acts/E-2.01/

      Unlike many acts this does not just allow for establishing regulations, it specifies in great detail exactly how things *must* work. Fair warning - as a result it runs over 500 pages, but the section and subsection headings are fairly clear and useful for finding specific issues, solutions, and processes.

      There are very strict laws about confidentiality, validation, custody of materials and ballots, and so on, and electoral workers are bound under oath to maintain these things in a secure manner.

      Anyway - lots of stuff there if you like process details, or you are having trouble getting to sleep.

      Have fun.

  5. Pascal Monett Silver badge

    A malicious voter ?

    "If the card reader has wireless NFC support, you can hold your NFC smartphone up to the voting machine, and potentially cast a ballot many times over."

    A "malicious voter" may do that on purpose, but I'll bet that many perfectly honest voters might just present their NFC-enabled phones more than once simply because they're not sure their vote was recorded properly. No malice needed.

    The whole sorry saga of electronic voting machines paints a vast canvas of clueless PHBs barking orders at harassed coders who couldn't give a shit and just churned out whatever met the specs, with a cursory test to make sure the bloody thing didn't crash on the first try.

    Facing such incompetence, I think it is very unlikely that the NSA had anything to do with this - it's just the cherry on top of a mountain-size cake of incompetence and carelessness, frosted with greed.

  6. Anonymous Coward

    LOL

    You can fix the voting machines, but we will still put in office whoever we want to, and they will do exactly what we tell them to.

    I would tell you more, but I have some hate spreading memes to make to keep you fools arguing amongst yourselves.

    Shadow. G.

  7. Robert Helpmann??
    FAIL

    Controversy? What controversy?

    The DEF CON village was not without its share of controversy. Voting machine maker ES&S condemned the conference's workshops and contests as a security threat...

    The controversy here is ES&S's claim that anyone looking at the man behind the curtain (the level of security they provide) is a security threat while a bunch of security professionals is laughing at them by way of rebuttal. "Controversy" in the sense of "contention or argument against well established practices and in complete disagreement with common sense".

    1. IglooDude

      Re: Controversy? What controversy?

      When even Senators can see through a manufacturer's objection to the workshop, you know the manufacturer has been remarkably dumb.

  8. MadonnaC

    I wonder if the politicians will care when some hacker gets them voted out of office?

  9. Anonymous Coward

    The Feds are doing (almost) nothing because the current system favors the party in power. Despite the fact that actual voter fraud has been proven to be minuscule, the fear of the system being abused inflames their voter base, as well as creating impetus for stricter voter ID laws that tend to limit the turnout of some of the voters that tend to favor the other party. WE ARE ONLY DOING THESE THINGS TO KEEP THE ELECTION SACROSANCT (re: fear and paranoia that brings out our base)

  10. Destroy All Monsters Silver badge
    Black Helicopters

    Can't access the report

    "An error occurred during a connection to defcon.org. SSL received a malformed Server Hello handshake message. Error code: SSL_ERROR_RX_MALFORMED_SERVER_HELLO"

    What's going on here?

  11. sanmigueelbeer

    As far as I can see, ES&S is reluctant to lift a finger about the security vulnerabilities uncovered. Why?

    1. There are only 207 units out there (and it's all about the money);

    2. There is no proof that anyone has exploited the vulnerabilities at any time;

    3. No proof-of-concept exploit code available; and

    4. It's a "cultural" thing: The strong belief that "it can't happen in America".

  12. Tim99 Silver badge
    Coat

    FTFY

    "It would require the crookslocal political supporters to get their hands on the machines long enough to meddle with the hardware"

    1. Anonymous Coward
      Anonymous Coward

      Re: FTFY

      ...or for someone with sufficient resources to craft a specialist piece of malware to infect the computers used to load the settings or software onto the voting machines to modify what gets loaded to achieve whatever nefarious intent they have in mind, as was done with PLCs with Stuxnet.

  13. Raedwald Bretwalda
    FAIL

    A lack of computer security is sad, but not having tamper seals on the boxes? That makes the boxes less secure than my gas meter at home.
