topic Re: Hacking the election in Tech Talk

Hacking the election

denbesten — Wed, 28 Aug 2019 13:12:50 GMT

It is now being reported that A few voting machines were visibly changing people's votes, and it was caught on video and posted on social media.

Who knows if the video is factual, but regardless I'm sure it will spark much discussion in the media and political arenas. Hopefully, at a minimum, the result will be a mandatory paper trail (which does not exist on the machines in question).

Re: Hacking the election

AppDefects — Wed, 28 Aug 2019 13:14:41 GMT

Dude, we can do anything with AI and software to rig the election. How do we audit the code is one question that we need to ask ourselves.

Re: Hacking the election

Shannon — Wed, 28 Aug 2019 17:08:32 GMT

Bottom line: Your vote counts --- although what you cast might not add up to what you want...

Re: Hacking the election

CraginS — Wed, 28 Aug 2019 18:00:57 GMT

@denbesten wrote:
It is now being reported that A few voting machines were visibly changing people's votes, and it was caught on video and posted on social media.
...

Hacking individual voting machines is a stupid kid trick, demonstrably even more stupid if evidence of the hack is left visible to the voters, as in this situation. It is a waste of time and resources to corrupt the s/w in hundreds or thousands of voting machines. To control an election outcome, you need to hack the vote counting and aggregation steps of the process. For a summary if the issues in selecting the processes involved in elections and voting, see my blog post, DHS Security Tip 19-001, Best Practices for Securing Election Systems. For an excellent discussion by a team of professionals in the many areas needed, see the NAP Press book, Securing the Vote: Protecting American Democracy (2018). This Consensus Study Report is available as free PDF, dead tree version for $45 USD, or eBook (ePub or Kindle) for $36.89 USD.

Re: Hacking the election

rslade — Wed, 28 Aug 2019 19:05:52 GMT

> denbesten (Community Champion) posted a new topic in Tech Talk on 08-28-2019

> Who
> knows if the video is factual

I'm sorry, but this statement is *very* concerning.

It is very much to the point if the video is factual. If it *is* factual, then we have
to ensure that voting machines from that manufacturer do not make it into the
election process.

But if the video *isn't* factual, we have an effort to create mistrust in the election
process, and must ensure that the video is *not* spread, else we are only
supporting the attacker.

> Hopefully, at a minimum, it the
> result will be a mandatory paper trail (which does not exist on the machines in
> question).

Unfortunately, it can have graver and much more damaging results than that ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
`I'm always surprised when I meet an atheist.'
`Mm.'
`I mean, I know you exist, but that's not the same as believing.'
`Yes God, I get it.'
- https://twitter.com/MicroSFF/status/545881676396888064
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Hacking the election

JoePete — Wed, 28 Aug 2019 20:49:58 GMT

@CraginS wrote:
Hacking individual voting machines is a stupid kid trick [snip] To control an election outcome, you need to hack the vote counting and aggregation steps of the process.

Exactly. The publicity stunts pulled relating to this are a huge disservice on multiple levels. Here's the real threat I see, however. The people exaggerating the risk - knowingly or not - are only going to add fuel to the idiots clamoring for some national voting system. Right now our best defense is the extremely disjointed and distributed nature of voting throughout the country. Once some uniform system is in place, then that is where it becomes easy to attack counting and aggregation.

Listen folks, the biggest threat to our system of government isn't the Russians, the North Koreans, the socialists, the fascists, or even 1990s boy bands planning reunion tours. It is an electorate that is incapable of thinking for itself. No one is stealing elections. We're giving them away.

Re: Hacking the election

denbesten — Wed, 28 Aug 2019 21:48:21 GMT

Subsequent news articles indicate that the issue was technical and they make it sound as if the issue arose during transport. Makes me wonder how they handled the 12 votes on the machine that occurred before the issue was reported.

However, this only heightens the risk of being fodder for election tampering claims and instilling distrust in the election process. After all, the video does "explain" tampering in a compelling way that will resonate with even the most novice of voters. Such distrust is the biggest risk to election security.

@CraginS, you might consider adding disinformation-campaigns, voter-disenfranchisement and gerrymandering to your list of election tampering mechanisms.

Re: Hacking the election

rslade — Fri, 30 Aug 2019 18:42:58 GMT

We have, of course, discussed voting systems elsewhere (and elsewhere, and elsewhere), but it is interesting to note that there is a link to another recent topic: homomorphic encryption. Ron Rivest has suggested an interesting system which allows for verification of personal voting (voters can't vote twice), direct counting of ballots without decryption, public audit trail, as well as verification (by the voter) that the vote was correctly counted as cast.

It can be used with paper ballots, but can also be implemented for electronic and online systems.

Re: Hacking the election

rslade — Sat, 31 Aug 2019 08:47:23 GMT

And, at the moment, the US electoral system is pretty much unprotected.

Re: Hacking the election

CraginS — Sat, 31 Aug 2019 15:32:35 GMT

@denbesten wrote:
...
@CraginS, you might consider adding disinformation-campaigns, voter-disenfranchisement and gerrymandering to your list of election tampering mechanisms.

Actually, William, no, not for this community. We have now reached a point in the discussion where we should distinguish between election system hacking and election hacking. Our collective areas of expertise in this forum are focused on the means of interfering with elections through interfering with election systems, primarily involving IT systems. The concept of election hacking is a higher- level construct, that most definitely includes the methods if disinformation campaigns, over-disenfranchisement, and gerrymandering that you have listed.

Societally, yes, we really should address and evaluate all the means of election hacking, including the social and political processes you have listed. However, in our InfoSec community, we should focus on the election systems and processes within our area of expertise. That said, I also believe we should engage with the legal, political, sociological, and psychological experts as a wide-ranging team to address the full challenge of election security and validity. As it happens, I believe that one of the most insidious, and potentially effective tools in this bundle, is disinformation campaigns, which often include lies of fact, implication, and innuendo by the candidates themselves

Re: Hacking the election

denbesten — Sat, 31 Aug 2019 15:30:32 GMT

@rslade wrote:
And, at the moment, the US electoral system is pretty much unprotected.

Seems like another item to add to @CraginS;' list --- ignoring the results.

Re: Hacking the election

denbesten — Sat, 31 Aug 2019 18:38:03 GMT

Your list, your choice, but I liken it to the fact that we concern ourselves with phishing, although it is not a technical hack.

Re: Hacking the election

CraginS — Sat, 31 Aug 2019 21:47:21 GMT

@denbesten wrote:
Your list, your choice, but I liken it to the fact that we concern ourselves with phishing, although it is not a technical hack.

William,

You have a good point to relate the human factor and use of deception to compare phishing to disinformation campaigns. However, the difference I draw is that a phishing attack uses the deception of a human to leverage access into the IT technology. The other social attacks you addressed use deception and psychology to influence humans to take specific action, that is vote a particular way, but that does not grant access into the IT system.

Re: Hacking the election

JoePete — Sat, 31 Aug 2019 22:38:16 GMT

@rslade wrote:
And, at the moment, the US electoral system is pretty much unprotected.

@rslade that might be employing a bit of hyperbole. The news story is about the Federal Election Commission not being able to meet due to a quorum. The FEC has very little to do with electing - more with campaign finance. In the U.S., elections - even those for national office - are run according to each state's make-up. In most cases, it is up to the city or town in question to conduct the elections however it wants. They determine the official count which then gets reported and aggregated at the state level (or possibly first to the county level and then to the state). Each city or town uses its own mechanism, which can change in any given year according to the whim and budget of that municipality. Even if someone were able to compromise the aggregation of votes in an entire state, the contributing cities and towns would have the data with which to cry foul.

In all seriousness, I think these continued claims that election mechanisms are subject to compromise are the attack in and of itself. The first step to truly hacking U.S. election is to convince the people and the politicians to build some monolithic election system. Now you have a single point of attack. The inefficiency of the system is also its strongest defense.

Re: Hacking the election

rslade — Sun, 01 Sep 2019 00:23:52 GMT

> JoePete (Contributor II) mentioned you in a post! Join the conversation below:

> The inefficiency of the system is also its strongest defense.

Normally I would have a lot of sympathy for that position: a lot of things are
done in the name of "efficiency" that shouldn't be done at all.

But, in the case of democracy, I might want to give it a second thought ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I am now alone in the library, mistress of all I survey.
- Jane Austen, September 24 1813
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Hacking the election

denbesten — Sun, 01 Sep 2019 03:31:42 GMT

Personally, I do not view InfoSec as inherently technology bound, nor do I see much difference between "Vote for Alice" vs "Give Bob money". The most common phishing example is "Hey CFO, write Bad Bob a check. Thanks, CIO.". Although this might come via email, it could just as easily come over a phone call, a formal letter or even a post-it. Some, but not all of these involve technology, yet we defend against them all.

To protect an organization, one needs to consider all avenues of attack, not just those for which involve technology, nor just those for which we are responsible for defending. When a risk arises that is outside of our expertise, we need just enough knowledge to recognize its impact, know which experts (PR, legal, management, law enforcement, medical, etc) to engage and with what urgency. Our involvement often comes from the fact that technology amplifies the risk, not necessarily because it is the cause or target.

So if it were my election security list, it would include "disinformation campaign", as a risk but the mitigation would likely be deferred to our partners outside of IT. But, as I said, your list -- your decision. I'm just here because I find the topic and the discussion interesting.

If a "tech tie-in" is a prerequisite, keep in mind that many of the disinformation campaigns are successful precisely because technology has significantly elevated the volume (both amplitude and quantity) of non-vetted sources, particularly social media, and us IT people can definitely play a role in detecting the "fake news".

Re: Hacking the election

rslade — Sun, 01 Sep 2019 07:26:24 GMT

@JoePete wrote:
The inefficiency of the system is also its strongest defense.

Also, as has been pointed out, "A huge breadth and diversity of counties means a huge breadth and diversity of security capabilities."

Re: Hacking the election

JoePete — Sun, 01 Sep 2019 11:27:59 GMT

@denbesten wrote:

To protect an organization, one needs to consider all avenues of attack, not just those for which involve technology, nor just those for which we are responsible for defending.

Lots of good points in that post. I doubt there is a professional among us that hasn't experienced people who really shouldn't own a smartphone, laptop, or possibly a Twitter account. A huge part of our job these days is security awareness, but often it feels like teaching driver's ed to people that already have their licenses and have bought a car. There's a reason why we wait until kids reach a certain maturity, have some preliminary experience, and pass a test before we make them drivers. Even then it is often probationary. Yet, any moron 18 or over can vote.

If certain democracies have failed in their election systems, it's not in the technology. It is in the broad education of their electorate. Classic skills of logic, debate, and reason have atrophied in U.S. society. This has happened despite rising achievement as measured by college degrees attained or high school test scores. What's interesting are the emerging data points that show Millennials are more likely to be caught in confidence schemes than their grandparents. I think a huge factor in this we have raised kids in an environment that when faced with a "problem" they are to select the "correct" answer from the following choices - i.e. standardized testing. That is not how anything in the world works. Sure it generates these great metrics but it teaches kids to discount other possibilities. This pretty much defines politics today: If you don't agree with me, then you are a fascist, radical, elitist, etc. That lack of thinking, empathy, and logic is what makes us so susceptible to the potential social engineering of a campaign. Quite honestly, far more of that kind of garbage originates within the U.S. than outside of it. I don't see the Russians, for example, taking over the Commission on Presidential Debates, which has continually lowered the bar in terms of debate quality by inherently raising the bar to entry to the debate stage.

Re: Hacking the election

rslade — Thu, 05 Sep 2019 04:27:29 GMT

Windows CE 5.0? You've got to be kidding me ...

Re: Hacking the election

rslade — Tue, 10 Sep 2019 16:24:11 GMT

What could possibly go wrong?

(A really great piece, amalgamating all the potential problems ...)