Tuesday, August 21, 2018
[W]e head straight out to Las Vegas for today's BradCast, where the 26th annual hackers convention, DEF CON, held its 2nd annual Vote Hacking Village.
After every voting system on display at last year's event was hacked within minutes by conference attendees, organizers tried to make it a bit more difficult this year. They made unverifiable electronic voting systems, optical-scan paper ballot tabulators and electronic pollbooks from a number of companies — almost all of which will be in wide use across the country once again for this November's crucial midterms — available for investigation and penetration. Once again, the hackers in attendance made short order of pretty much all of them.
Stunning vulnerabilities were discovered, including some that officials have known about (and ignored or tried to keep secret for years) while others were revealed for the first time. Things like Chinese pop song files were found on one system used in actual elections recently, along with a host of other disturbing findings, which we summarize today.
Other disturbing findings regard the ES&S m650, an optical scanner used to tabulate paper absentee ballots in more than half of the country. Hackers discovered several severe vulnerabilities (some of which have been known for more than a decade, and others which election officials hoped to withhold from the public), including the ease with which the machine's entire operating system can be overwritten by inserting a zipdrive with a file named "update" before powering it on. Also, electronic pollbooks were found to be corruptible in seconds and found to store unencrypted administrative passwords — in plain text format! — on their removable memory cards (one of which was simply "password".)
The post continues, mentioning one positive: "Many elections officials and U.S. Intelligence Community representatives" attended this year's DEF CON after reading about the disturbing ease with which people hacked into election systems last year. However, in a different article, a few journalists from ProPublica throw cold water on the idea that elections systems may get their acts together in time to detect and deflect problems in the November elections.
There was also a mock election run on the systems still used in states like Georgia. In that election, a candidate not even on the ballot ended up winning. In another case which officials should take note of, a ballot cast via email was intercepted and changed. "The selection of the candidate was changed so that when it was received it was different from what was sent," the organizers note. "This is a big deal for the real world because we already allow for email balloting, in special cases for Americans living overseas [such as active military]. This is allowed in 30 states plus DC."
Moreover, the Voting Village organizers also made replicas of swing-state Sec. of State websites available to some 50 children from ages 6 to 17. You'll be shocked to learn that most were able to hack the mock SoS websites in some fashion, including changing candidates' names and parties, and tampering with reported elections results to show, for example, 12 billion votes cast. The fastest exploit of a Sec. of State replica site (Florida's) was by an 11-year-old who did it in 10 minutes!
The Election Assistance Commission, the government agency charged with distributing federal funds to support elections, released a report Tuesday detailing how each state plans to spend a total of $380 million in grants allocated to improve and secure their election systems.
A "Probably Nobody Cares About This Except Me (and Maybe Mike Bryan)" Note: My first blog posts were on BradBlog in 2007, summarizing that year's Pima County election integrity trial. I wrote the summaries of the day's proceedings, and Mike Bryan, lawyer and founder of Blog for Arizona, wrote the analysis and commentary, both of which made daily appearances on BradBlog. At the time, Mike was the sole writer, chef, cook and bottle washer at BfA. I asked over lunch one day if he would let me write about education on the blog. He grilled me lawyer-style to see if I had anything to say and decided I did. Mike gave me my own password and the keys to the kingdom. A number of other writers have joined the BfA community since, and I left a few years ago for my current spot on The Range. Eleven years later, I'm still at it.
But even as intelligence officials warn of foreign interference in the midterm election, much of the money is not expected to be spent before Election Day. The EAC expects states to spend their allotted money within two to three years and gives them until 2023 to finish spending it.