After a quick report on Saturday's primary elections in Hawaii (moderate Democrats did well, more progressive candidates less so), we head straight out to Las Vegas for today's BradCast, where the 26th annual hackers convention, DEF CON, held its 2nd annual Vote Hacking Village. [Audio link to show follows below.]
After every voting system on display at last year's event was hacked within minutes by conference attendees, organizers tried to make it a bit more difficult this year. They made unverifiable electronic voting systems, optical-scan paper ballot tabulators and electronic pollbooks from a number of companies --- almost all of which will be in wide use across the country once again for this November's crucial midterms --- available for investigation and penetration. Once again, the hackers in attendance made short work of pretty much all of them.
Stunning vulnerabilities [PDF] were discovered, including some that officials have known about (and ignored or tried to keep secret for years) while others were revealed for the first time. Things like Chinese pop song files were found on one system used in actual elections recently, along with a host of other disturbing findings, which we summarize today.
Other disturbing findings concern the ES&S m650, an optical scanner used to tabulate paper absentee ballots in more than half of the country. Hackers discovered several severe vulnerabilities (some of which have been known for more than a decade, and others which election officials hoped to withhold from the public), including the ease with which the machine's entire operating system can be overwritten by inserting a Zip drive with a file named "update" before powering it on. Also, electronic pollbooks were found to be corruptible in seconds and to store unencrypted administrative passwords --- in plain text format! --- on their removable memory cards (one of which was simply "password").
There was also a mock election run on the systems still used in states like Georgia. In that election, a candidate not even on the ballot ended up winning. In another case which officials should take note of, a ballot cast via email was intercepted and changed. "The selection of the candidate was changed so that when it was received it was different from what was sent," the organizers note. "This is a big deal for the real world because we already allow for email balloting, in special cases for Americans living overseas [such as active military]. This is allowed in 30 states plus DC."
Moreover, the Voting Village organizers also made replicas of swing-state Sec. of State websites available to some 50 children from ages 6 to 17. You'll be shocked to learn that most were able to hack the mock SoS websites in some fashion, including changing candidates' names and parties, and tampering with reported election results to show, for example, 12 billion votes cast. The fastest exploit of a Sec. of State replica site (Florida's) was by an 11-year-old who did it in 10 minutes!
We're joined today to discuss all of this by Emmy Award-winning journalist and documentarian LULU FRIESDAT, whose video from last year's DEF CON Voting Village has gone viral (several times) since then, and who was on hand to document this past weekend's conference once again. She details the extraordinary "sea change" since last year's event, as many elections officials and U.S. Intelligence Community representatives were on hand for this year's festivities.
"What's really great about this year's Def Con is that we are starting to see a collaboration and communication between three groups that really have been working more as silos previously, and that is election officials, security experts, and hackers," Friesdat reports. "It was very deliberate on the part of the organizers, Jake Braun, Harri Hursti and Matt Blaze, to really try to bring those three groups together... Because we're not going to make progress on this issue unless these three groups start communicating with each other."
"We don't have a one-size-fits-all solution for this. Every county is going to have to have some different solutions. What we have are principles. And I think the principles remain the same. The principles are yes, every voter who can mark a ballot by hand, needs to mark a ballot by hand. And security experts across the board are really starting to say that, openly publicly."
"There is a sea change happening. You really could feel it. This year, there was an entire panel of election officials, whereas last year almost none of them actually came," Friesdat tells me, adding cautiously: "There are thousands of election officials all over the country who are still dragging their feet. You look at states like Georgia, and they are doing everything they can to stay in basically an unauthenticated election protocol. So it is a wide spectrum."
Among the noteworthy accounts from Friesdat, we discuss California Sec. of State Alex Padilla's call for more federal funding for election systems (meaning, more money for more computers) and Colorado Elections Manager Dwight Shellman, who, though a fan of electronic tabulation, calls for routine post-election audits everywhere (which almost no states do at all).
We also discuss the remarks at the conference by DHS Asst. Secretary for Cybersecurity and Communications Jeanette Manfra, who admitted last summer during U.S. Senate hearings that the agency never found evidence that votes were changed in the 2016 Presidential election, in no small part, because nobody ever bothered to look! DHS never carried out any forensic investigations of voting systems, nor even bothered to count ballots to make sure they were accurately tabulated by counting computers in the election, despite the ongoing warnings by the Intelligence Community of Russian cyberattacks and interference. "Could it be done?" Friesdat asks rhetorically. "The answer, over and over and over again, is yes, it could be done. Election results could be manipulated. And is it difficult? No. It is a piece of cake."
While this year's DEF CON Voting Village was another huge leap forward in bringing concerns about all of these systems to the public, it appears we have a long way to go until America figures out the solution. I'd suggest that solution is public oversight of tabulation of hand-marked paper ballots (Not computers, but people! I call it "Democracy's Gold Standard".) But, hey, computers --- all of which are obviously wildly hackable --- could work too, right?
Speaking of which, we close today with an email from a listener who turned one of my recent rants on this issue into a poem...