After a quick report on Saturday’s primary elections in Hawaii (moderate Democrats did well, more progressive candidates less so), we head straight out to Las Vegas for today’s BradCast, where the 26th annual hackers convention, DEF CON, held its 2nd annual Vote Hacking Village. [Audio link to show follows below.]
After every voting system on display at last year’s event was hacked within minutes by conference attendees, organizers tried to make it a bit more difficult this year. They made unverifiable electronic voting systems, optical-scan paper ballot tabulators and electronic pollbooks from a number of companies — almost all of which will be in wide use across the country once again for this November’s crucial midterms — available for investigation and penetration. Once again, the hackers in attendance made short order of pretty much all of them.
Stunning vulnerabilities [PDF] were discovered, including some that officials have known about (and ignored or tried to keep secret for years) while others were revealed for the first time. Things like Chinese pop song files were found on one system used in actual elections recently, along with a host of other disturbing findings, which we summarize today.
Other disturbing findings regard the ES&S m650, an optical scanner used to tabulate paper absentee ballots in more than half of the country. Hackers discovered several severe vulnerabilities (some of which have been known for more than a decade, and others which election officials hoped to withhold from the public), including the ease with which the machine’s entire operating system can be overwritten by inserting a zipdrive with a file named “update” before powering it on. Also, electronic pollbooks were found to be corruptible in seconds and found to store unencrypted administrative passwords — in plain text format! — on their removable memory cards (one of which was simply “password”.)
There was also a mock election run on the systems still used in states like Georgia. In that election, a candidate not even on the ballot ending up winning. In another case which officials should take note of, a ballot cast via email was intercepted and changed. “The selection of the candidate was changed so that when it was received it was different from what was sent,” the organizers note. “This is a big deal for the real world because we already allow for email balloting, in special cases for Americans living overseas [such as active military]. This is allowed in 30 states plus DC.”
Moreover, the Voting Village organizers also offered replicas of swing-state Sec. of State website available to some 50 children from ages 6 to 17. You’ll be shocked to learn that most were able to hack the mock SoS websites in some fashion, including changing candidates names and parties, and tampering with reported elections results to show, for example, 12 billion votes cast. The fastest exploit of a Sec. of State replica site (Florida’s) was by an 11-year old who did it in 10 minutes!
We’re joined today to discuss all of this by Emmy-award winning journalist and documentarian LULU FRIESDAT whose video from last year’s DEF CON Voting Village went viral (several times) since then, and who was on hand to document this past weekend’s conference once again. She details the extraordinary “sea change” since last year’s event, as many elections officials and U.S. Intelligence Community representatives were on hand for this year’s festivities.
“What’s really great about this year’s Def Con is that we are starting to see a collaboration and communication between three groups that really have been working more as silos previously, and that is election officials, security experts, and hackers,” Friesdat reports. “It was very deliberate on the part of the organizers, Jake Braun, Harri Hursti and Matt Blaze, to really try to bring those three groups together… Because we’re not going to make progress on this issue unless these three groups start communicating with each other.”
“We don’t have a one-size-fits-all solution for this. Every county is going to have to have some different solutions. What we have are principles. And I think the principles remain the same. The principles are yes, every voter who can mark a ballot by hand, needs to mark a ballot by hand. And security experts across the board are really starting to say that, openly publicly.”
“There is a sea change happening. You really could feel it. This year, there was an entire panel of election officials, whereas last year almost none of them actually came,” Friesdat tells me, adding cautiously: “There are thousands of election officials all over the country who are still dragging their feet. You look at states like Georgia, and they are doing everything they can to stay in basically an unauthenticated election protocol. So it is a wide spectrum.”
Among the noteworthy accounts from Friesdat, we discuss California Sec. of State Alex Padilla’s call for more federal funding for election systems (meaning, more money for more computers) and Colorado Elections Manager Dwight Shellman who, though a fan of electronic tabulation, calls for routine post-election audits everywhere (which almost no states do at all.)
We also discuss the remarks at the conference by DHS Asst. Secretary for Cybersecurity and Communications Jeanette Manfra, who admitted last summer during U.S. Senate Hearings that the agency never found evidence that votes were changed in the 2016 Presidential election, in no small part, because nobody ever bothered to look! DHS never carried out any forensic investigations of voting systems, nor even bothered to count ballots to make sure they were accurately tabulated by counting computers in the election, despite the ongoing warnings by the Intelligence Community of Russian cyberattacks and interference. “Could it be done?,” Friesdat asks rhetorically, “The answer, over and over and over again, is yes, it could be done. Election results could be manipulated. And is it difficult? No. It is a piece of cake.”
While this year’s DEF CON Voting Village was another huge leap forward in bringing concerns about all of these systems to the public, it appears we have a long way to go until American figures out the solution. I’d suggest that solution is public oversight of tabulation of hand-marked paper ballots (Not computers, but people! I call it “Democracy’s Gold Standard”.) But, hey, computers — all of which are obviously wildly hackable — could work too, right?
Speaking of which, we close today with an email from a listener who turned one of my recent rants on this issue into a poem…
As per Georgia ..”Instead, plaintiffs seek an order that Georgia’s election officials utilize, for in-person voting, the same already-certified, Diebold paper ballot-based optical-scan system currently used for tabulation of the Peach State’s absentee ballots.” Is this not asking for more trouble given optical scanners dan be hacked too?
Michael Keenan @ 1:
It gets us to hand-marked paper ballots in GA, so we can KNOW that votes cast actually reflect the intent of the voter. Can’t know that about one single vote cast on GA’s existing DRE systems.
We can fight about how to count those hand-marked paper ballots later, but at least we’d have something to fight about/for!
George Skelton’s piece in the LA Times today (Aug 13th) seems pretty naive (i.e.the machines can’t be hacked “because they aren’t hooked up to the internet”, and other such nonsense).
Is the mainstream media really that dumb, or is it intentional, in an effort at avoiding the real issues?
Gotta’ be one or the other.
Kudos to DefCon!! I’d love to see them take it a step further and have this presentation: Man vs. Machine where they include a session with hand counting of paper ballots to demonstrate the transparency and accuracy of that method vs. the nontransparent machines — It could be like a competition to simulate what would happen in a precinct of 2000 voters. DefCon could time each competitor as well as assessing accuracy. Any vulnerabilities with the machines could be exploited the way it could occur in a real election. An adequate number of hand counters enough so no one gets fatigued could be used for the sort and stack method.
Regarding DonL’s comment on George Skelton’s article — I think there is a coverup similar to what the tobacco and oil companies have orchestrated; only this coverup has even higher stakes.
JMO, but I think, after California is finished installing all those easily-hackable touch-screen voting machines (under the order of Democrat Alex Padilla), we are going to see a “purple wave” sweep the state—–In race after race, Progressive Dems will be losing very VERY close elections to “centrist” Dems all over the state, even after the Progressive candidates had a decent lead in the pre-election polls.
Suddenly, “centrism” will be showing a new, miraculous resilience in the face of the “Progressive wave” sweeping much of the state.
Centrists will joyfully proclaim:
“See? California is not as progressive as people think, blah blah blah.”
I say, look for a new “purple wave”, sweeping aside the “blue” in CA after these loathsome machines are fully in place.
And, IMO, it will be totally BS.
Watch for it!
————————————————
Thanks for the response, Allin!