Biggest Voting Machine Maker Admits -- Ooops -- That It Installed Remote Access Software After First Denying It

from the you-guys-are-soooooooo-bad-at-this dept

We've been covering the mess that is electronic voting machines for nearly two decades on Techdirt, and the one thing that still flummoxes me is how are they so bad at this after all these years? And I don't mean "bad at security" -- though, that's part of it -- but I really mean "bad at understanding how insecure their machines really are." For a while everyone focused on Diebold, but Election Systems and Software (ES&S) has long been a bigger player in the space, and had just as many issues. It just got less attention. There was even a brief period of time where ES&S bought what remained of Diebold's flailing e-voting business before having to sell off the assets to deal with an antitrust lawsuit by the DOJ.

What's incredible, though, is that every credible computer security person has said that it is literally impossible to build a secure fully electronic voting system -- and if you must have one at all, it must have a printed paper audit trail and not be accessible from the internet. Now, as Kim Zetter at Motherboard has reported, ES&S -- under questioning from Senator Ron Wyden -- has now admitted that it installed remote access software on its voting machines, something the company had vehemently denied to the same reporter just a few months ago. That was then:

In a statement, ES&S said, ‘‘None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software.’’

This is now:

In a letter sent to Sen. Ron Wyden in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them.

This should be a massive scandal considering the potential impact on our democracy, but considering all the other scandals going on right now with the potential to impact our democracy, expect this one to not get nearly enough attention. Wyden's own comment on this is noteworthy:

Wyden told Motherboard that installing remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner.”

As for the pcAnywhere software ES&S had installed on those voting machines, well...

In 2006, the same period when ES&S says it was still installing pcAnywhere on election systems, hackers stole the source code for the pcAnyhere software, though the public didn’t learn of this until years later in 2012 when a hacker posted some of the source code online, forcing Symantec, the distributor of pcAnywhere, to admit that it had been stolen years earlier. Source code is invaluable to hackers because it allows them to examine the code to find security flaws they can exploit. When Symantec admitted to the theft in 2012, it took the unprecedented step of warning users to disable or uninstall the software until it could make sure that any security flaws in the software had been patched.

Around this same time, security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password.

So... that's disturbing.

Anyway, elections are a very tricky problem to do securely. It is a nearly impossible task. But there are lots of things that you clearly should not do, and for some reason, the e-voting manufacturers seem to want to do all of them, and don't seem particularly apologetic about any of it. And, while in the past the idea of hacking an election may have seemed far fetched and conspiracy-minded, these days... not so much. This is a key issue concerning our democracy, and the most incredible thing is how flippant many people are about all of this. Computer security professor Matt Blaze, who knows more about any of this than anyone reading this points out that "in the more than quarter century I've been doing computer security, I've never encountered a problem space nearly as difficult or complex as civil elections."

And yet, we're letting people who don't understand even the slightest bit of the problems and challenges run the show. What a mess.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 18 Jul 2018 @ 10:50am

    Hey Mike - how soon can we expect your "The big bad EU is picking on poor little Google again" corporate apologist article about the latest Google fine?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2018 @ 11:09am

    Don't worry, the antivirus software will protect us!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2018 @ 11:46am

    With something as important as elections I genuinely don't get how some states can be so cheap on how they are done. They already have a bazillion volunteers man the offices for the votes. Why not just have them all on paper, scanned and electronically counted for immediate results. Then have the volunteers and a state election representative hand count the votes for confirmation? Yes it may mean we get a few days of delay in getting certified results, and definitely at least one hanging chad type clusterF____, but at least then there is a viable backup in case there is hacking.

    Maybe I am more patient than most, but I am cool with waiting until that Friday to know who will be responsible for funning the country for the next few years. Hell even if it costs a few million extra dollars to pay the volunteers for overtime, its worth it.

    Is this perfect? Hell no. It is still vulnerable to volunteers who have agendas* and early scanned results being manipulated. But its far better than the current system.

    *I once had an election volunteer who clearly had an issue with a specific demographic voting. I was in college in an area that was a mix of students and residents. This volunteer would clearly single out students for minor issues and put them on provisional ballots. For example, she complained my signature on their dumb electronic pad did not match my ID exactly. I mean it had to match exactly. Every single twirl or slash had to be identical. She made me redo it three times, eventually giving me a provisional ballot. Meanwhile, she barely looked at the ID of the elderly resident who registered after me. So yah no way is a hand count system perfect. But I'd still rather have "Ms I hate Liberals Voting" than Hacker Mc Hacky changing results. At least Ms. I Hate Liberals would face jail time if they found out she lied.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2018 @ 11:55am

    In ES&S' defense I don't think I've ever dealt with a tech goods and services provider that kept any sort of records for longer than seven years. Odds are they legit didn't know if they had installed pcAnywhere when the question was first asked.

    Yes, that still means they're somewhat negligent and irresponsible. It also means though that anyone taken by surprise by this are in for a long bumpy ride in the world of tech.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 Jul 2018 @ 1:09pm

      Re:

      Is it negligent to use Windows for your voting machine OS?
      It is certainly questionable.

      reply to this | link to this | view in chronology ]

      • icon
        Anonymous Anonymous Coward (profile), 18 Jul 2018 @ 3:03pm

        Re: Re:

        Then maybe they should create an OS that is election system specific. Open Sourced of course, but starting with the premise of security, and minimizing the ability to access it without net access, and say two or three factor authentication and outputs to multiple devices that must be locally installed (a usable device and a backup device). Physically moving one of those outputs to another device for uploading to a compilation machine.

        Security is hard, which makes the ability to access the system harder should be the norm. Paper ballots might be the way to go, though as pointed out elsewhere they have issues as well, the question is, can a system be established that is good enough.

        With an open source hardware/software/firmware/OS project, could we create something that is as good, or better that what we have now? While the experts say no, I am thinking they are responding to existing systems. What if they helped to create a new system (maybe blockchains, also mentioned elsewhere, could help) with many eyes looking at it (also mentioned elsewhere). Perfect security might be a panacea, but what about better security?

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 18 Jul 2018 @ 3:12pm

          Re: Re: Re:

          If you want security in your operating system there is OpenBSD where:

          As of July 2018, only two remote vulnerabilities have ever been found in the default install, in a period of almost 22 years

          reply to this | link to this | view in chronology ]

          • icon
            Anonymous Anonymous Coward (profile), 18 Jul 2018 @ 3:29pm

            Re: Re: Re: Re:

            That is an idea, but desktop operating systems, I think, have a tendency to have multiple ways of access (API's) and output (the variety of ports on the machine). I am suggesting an OS that doesn't have any of those. Only one focus. Minimal ways to access, with very strong restrictions. Minimal ways to output, with very strong restrictions. Automatic ways to backup inputs. It might be that it is merely a scanner of that paper ballot, but that does not deprecate the necessity of security, or backup or control of access.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 18 Jul 2018 @ 3:57pm

              Re: Re: Re: Re: Re:

              A base OpenBSD installation is a command line environment, as its main target audience is servers. Also the BSDs, like Linux, make a windowing system an optional extra.

              They can also be set up so that one terminal presents the ballot, and a separate terminal has to be plugged in to do anything else on the system, and that can be made so that the case has to be opened to do so for extra security.

              reply to this | link to this | view in chronology ]

              • icon
                Anonymous Anonymous Coward (profile), 18 Jul 2018 @ 4:28pm

                Re: Re: Re: Re: Re: Re:

                I use Linux, though have no experience with BSD. However I don't think a command line interface would be much of a deterrent to hackers. My thoughts are more along the line of the OS's ability to allow access or more importantly disallow, and control outputs, or more importantly disallow except to specific instances. Being built from the ground up, with those thoughts in mind seems like a better way to go. And much less code to review.

                reply to this | link to this | view in chronology ]

          • icon
            techflaws (profile), 19 Jul 2018 @ 10:05am

            Re: Re: Re: Re:

            "As of July 2018, only two remote vulnerabilities have ever been found in the default install, in a period of almost 22 years"

            'have ever been found' being the key phrase here.

            reply to this | link to this | view in chronology ]

            • identicon
              Thad, 19 Jul 2018 @ 1:31pm

              Re: Re: Re: Re: Re:

              I disagree.

              "In the default install" is the key phrase. Because the default install is quite limited.

              reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 19 Jul 2018 @ 3:49pm

              Re: Re: Re: Re: Re:

              As OpenBSD focuses on security, it is an attractive target for hackers looking to show their prowess. Also, its developers keep an eye on security flaws being found in other systems, and the looking over their code base for potential similar flaws in their own code base. That low rate of remote vulnerabilities being found is the result of hard work focusing on security.

              reply to this | link to this | view in chronology ]

        • identicon
          Yet Another Anonymous Coward, 19 Jul 2018 @ 3:53am

          What if the machine had a self-programming FPGA? Some can take advantage of unique manufacturing flaws in hardware, preventing the resultant software from working on another machine.

          reply to this | link to this | view in chronology ]

  • identicon
    pixelation, 18 Jul 2018 @ 12:35pm

    Of course they did

    How else are they going to sway the vote?

    reply to this | link to this | view in chronology ]

    • identicon
      Thad, 18 Jul 2018 @ 12:46pm

      Re: Of course they did

      The same way everybody else does: lobbying and campaign contributions.

      I'm much more inclined to chalk security weaknesses in voting machines up to incompetence than malice -- just like security weaknesses in everything else. If an American company that already has contacts with local politicians wants to influence elections, there are easier, more effective, less risky ways to do it than tampering directly with the voting machines.

      That's not a defense, mind. There's no excuse for bad security practices, especially on voting equipment, and just because I don't see any reason to believe the manufacturers themselves are tampering with election data doesn't excuse leaving the door open for someone else to do so.

      We need better security audits of our voting machines, and there should be serious financial repercussions for companies that make voting machines with glaring security flaws.

      reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 18 Jul 2018 @ 1:13pm

    So we have a vector for a LOT of meddling.

    Can they trace if it's ever been used to tamper with an election?

    Can they fix the machines so they're not remotely accessible?

    Because if the answer is no this is going to crush confidence further regarding elections in the US.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 Jul 2018 @ 1:32pm

      Re: So we have a vector for a LOT of meddling.

      I think you may be underestimating the general public's level of apathy regarding almost anything of importance.

      Maybe I'm a cynic, but I think it likely that a ridiculously small minority of our countrymen will hear about this, let alone utter a single word to anyone else regarding the matter.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 19 Jul 2018 @ 8:35am

        Re: Re: So we have a vector for a LOT of meddling.

        "the general public's level of apathy regarding almost anything of importance."

        It seems the general public's list of what is important begins with putting food on the table and having shelter. I guess that is not important.

        reply to this | link to this | view in chronology ]

        • icon
          Uriel-238 (profile), 19 Jul 2018 @ 12:45pm

          Food and Shelter

          That seems to be the first order of business of every dystopian state: Keep the proles busy just sustaining themselves and they'll never have time to look up and see how awful everything is.

          Giving the US the benefit of the doubt, I think we attained that by accident, encouraging everyone to be competitive and to offer themselves as an low-cost, high-performance employee, especially once it became an employers' market.

          So now everyone is overworked and underpaid and has not even the energy to rear their children, let alone be mindful of civic affairs.

          Which is just the way our corrupt aristocracy wants it. Score!

          reply to this | link to this | view in chronology ]

  • identicon
    David, 18 Jul 2018 @ 1:25pm

    Electronic voting machines just don't cut it.

    The ratio and constitution of the part of the populace able to verify their proper functioning throughout an election is too small to put the core tenet of democracy into their care.

    With paper ballots, the amount of votes a particular crook can manage to tamper with is rather limited. With electronic voting machines, not so much.

    I know of large industrial projects in a Western country proceeding without valid permissions because there were billions at stake and the people casting the decision were confident that money would find a way to bribe all the necessary neuralgic points.

    And it did.

    The results of an elections are worth more, and the number of people to bribe quite fewer.

    Bribing your way through paper ballots, in return, is much harder. Essentially you have to bribe the majority of voters (which is what campaign promises are all about) and, well, then it's the voters' fault and/or profit and that's what democracy is about: people at least deserve what they are getting then. But it's also a comparatively expensive manner of tilting the tables.

    reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 18 Jul 2018 @ 2:31pm

      The advantage of electronic voting machines...

      ...is that they count the votes better than humans do.

      Unless we count them much the way we did in the 2000 Florida recount in which a small committee examines each ballot and deliberates over whether hanging chads nullify a vote.

      The problem is not the electronic voting machine, but the security problems presented by them, and if we solve that we might even be able to enable internet voting.

      Open sourcing software would make it difficult to cheat.

      In Europe there's been some looks into using blockchain tech to affirm that votes are registered and counted correctly without interference.

      reply to this | link to this | view in chronology ]

      • identicon
        David, 18 Jul 2018 @ 3:43pm

        Re: The advantage of electronic voting machines...

        Open sourcing software would make it difficult to cheat.

        Nonsense. State-level actors have created awfully involved malware that kept hidden for years. Intel has created processor-level malware (with its "Management engine") that is near impossible to disable. The Spectre and Meltdown vulnerabilities are for us to stay.

        Open Source cannot help against all that, and additionally it does not help against compile chain bootstrap maladies which don't need to remain in the source code after the malware has been bootstrapped.

        A device that cannot be verified and monitored at the time of its operation by nominated non-specialist officials has no place in a crucial point of voting.

        reply to this | link to this | view in chronology ]

      • identicon
        Thad, 18 Jul 2018 @ 3:44pm

        Re: The advantage of electronic voting machines...

        ...is that they count the votes better than humans do.

        But it's possible to use a machine to count votes without using a machine to cast them.

        I'm still inclined to believe that, in most cases, casting a vote with pen and paper is the best option. If a machine is then required to count the votes, use an optical scanning machine.

        Of course, that still means the optical scanning machine is a failure point and a security risk.

        reply to this | link to this | view in chronology ]

        • identicon
          David, 18 Jul 2018 @ 3:47pm

          Re: Re: The advantage of electronic voting machines...

          Well, you still have the ballots and can recount. You don't need to trust the scanning machine.

          reply to this | link to this | view in chronology ]

          • identicon
            Thad, 18 Jul 2018 @ 4:33pm

            Re: tl;dr

            Right. And the likeliest scenarios for vote tampering to make a difference are the ones where the vote is close enough that neither outcome will seem suspicious -- which are also the votes that might trigger a hand recount.

            reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2018 @ 1:34pm

    I find it amusing ANYONE trusts s***antec or M***ee.

    Their software "hoovers up" anything in the documents folder, actively searches for Excel and Word documents, parses them looking for "interesting" words and then sends documents wholesale back to the central server for "processing"
    (i.e. information stealing).

    Also doesn't help that Norton is the equivalent of locking your door at night then blowing a hole in the wall with a grenade.

    Norton will happily run stuff if it even THINKS it came from symantec's website (.exe and .msi files etc) and it's so easy to spoof it's unbelievable anyone would use their software anywhere!

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 18 Jul 2018 @ 2:03pm

    NO SYSTEM is perfect..

    "every credible computer security person has said that it is literally impossible to build a secure fully electronic voting system"

    There are problems with this..IF you can get your hands on the device, and play with it, you can take time to DO ANYTHING..

    Part and parcel of the problem is a bunch of companies that Cant program CRAP, and use the Standards and programming CURRENTLY available..

    There are ALLOT of tricks and hacks that can be done to make it HARD AS HELL to do anything with the hardware..
    you have to get thru the hardware FIRST..
    Then the Software has to PROTECT itself.

    How in hell cant a Programmer and hardware person design something that is FAIRLY protected from instant ONSITE changes??
    Im sorry, but I think a GOOD system could be build, and SHOULD be at least 90% effective.

    NOW if you want to compare a paper system that we use MOSTLY, with what can be done to corrupt that system... You would need a small amount of history and understand of HOW the system WORKED in the past.
    ANd how many persons in this nation have been disuaded from voting..

    reply to this | link to this | view in chronology ]

  • identicon
    Waldo, 18 Jul 2018 @ 2:13pm

    What's the.....

    Vote for Waldo! Because what's the friggin point!

    reply to this | link to this | view in chronology ]

  • icon
    takitus (profile), 18 Jul 2018 @ 2:28pm

    Invaluable to the rest of us

    Quoth Zetter:

    Source code is invaluable to hackers because it allows them to examine the code to find security flaws they can exploit.

    It’s unqualified claims like this that allow voting machine designers to avoid open-sourcing their products. I’d like to think he’s using “hacker” in the old sense of the word, but probably not. Either way, this statement is both too specific and misleading. Source code is also invaluable to those who want to understand/audit this crucial software, and making source code publicly available is, of course, good for security.

    The idea that, for the public’s safety, voting source code should only be available to some NDA-bound developer priesthood needs to be killed dead.

    reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 18 Jul 2018 @ 2:34pm

      That runs contrary to Linus' law

      reply to this | link to this | view in chronology ]

    • icon
      takitus (profile), 18 Jul 2018 @ 2:40pm

      Re: Invaluable to the rest of us

      Correction: It was Symantec’s pcAnywhere source code that was posted, not voting machine software. But of course the point is the same.

      reply to this | link to this | view in chronology ]

    • identicon
      Thad, 18 Jul 2018 @ 3:40pm

      Re: Invaluable to the rest of us

      Source code is also invaluable to those who want to understand/audit this crucial software, and making source code publicly available is, of course, good for security.

      Indeed, what we got here was the worst-case for a security-through-obscurity regime: the source code wasn't publicly available, but it was acquired by a malicious third party. That way, the only people (outside of the developers) who were auditing the source code were malicious actors. If the source code had been released for everybody, then white hats could have searched for vulnerabilities in order to disclose and fix them.

      reply to this | link to this | view in chronology ]

      • icon
        That One Guy (profile), 18 Jul 2018 @ 5:19pm

        Re: Re: Invaluable to the rest of us

        If the source code had been released for everybody, then white hats could have searched for vulnerabilities in order to disclose and fix them.

        Followed by being sued and/or threatened with lawsuits for their actions, because as any good pointy-haired manager knows those flaws weren't there until the blasted hackers told people about them!

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 19 Jul 2018 @ 9:15am

          Re: Re: Re: Invaluable to the rest of us

          Is there a good place to post security findings anonymously? Lists like full-disclosure require an email address, and a lot of the free email providers insist on getting phone numbers or other personal data.

          reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Jul 2018 @ 2:56am

      Re: Invaluable to the rest of us

      The hardest part of secure voting to pull off is convincing senior management of the company and governments that the voting machines should not be connected to the Internet, but should combine physical and software security measures so that at least two people need to be present to unlock physical access, and gain software access to do anything other than vote. That is at least one person with a physical key, and another who know the passwords.

      reply to this | link to this | view in chronology ]

      • icon
        Uriel-238 (profile), 19 Jul 2018 @ 10:27am

        To the contrary, let's connect them.

        As soon as it is feasible to make voting machines robustly secure without the air gap, let us do so. I think that is ultimately what the future of voting holds.

        I get that we're struggling to get there. I get that among the obstacles to a net-secure voting system is lack of concern by those officials who got themselves elected / appointed through outside meddling.

        But ultimately, being able to vote while connected is a step towards being able to vote by connecting, which will increase voter turn out.

        And yes, some people don't want that. Screw those guys.

        reply to this | link to this | view in chronology ]

        • identicon
          Thad, 19 Jul 2018 @ 2:25pm

          Re: To the contrary, let's connect them.

          I can't see the comment you're responding to, but it looks like you're advocating for online voting?

          I don't believe it's ever going to be feasible.

          The problem is this:

          There needs to be a mechanism whereby (1) I can verify that my vote has been recorded correctly, (2) nobody else can tell how I voted, and (3) I can't vote twice.

          I only know one way of doing that: my identity is verified and a record is made that I have voted; my vote is recorded on a piece of paper that does not identify me; I put that piece of paper in a box.

          (Technically this doesn't actually satisfy (1), because it still requires trust that the people responsible for counting my votes are honest and competent. But ultimately, that's inherent in any democratic system; if the people responsible for tabulating the votes cannot be trusted, then the whole system is compromised.)

          reply to this | link to this | view in chronology ]

          • icon
            Uriel-238 (profile), 19 Jul 2018 @ 4:20pm

            Re: Re: To the contrary, let's connect them.

            I think it is possible, if not by using hash-codes, digital signing, asymmetric encryption and blockchaining then by using a technology related to them.

            Eventually there would be a public blockchain of any given election that anyone could access, and confirm that their own vote is still in there. They should also be able to run the tallying software and get a sum of all the votes for any given election.

            Granted it may require that individuals are responsible to keep and back-up their own access keys. If you lose your key, your own data is gone. But this is a degree of password hygiene we've wanted to encourage the public to sustain anyway.

            The problem human beings cannot be assured to be honest or competent. We've just long assumed they were because the darkness in which they worked was securely impenetrable.

            reply to this | link to this | view in chronology ]

            • identicon
              Thad, 20 Jul 2018 @ 9:45am

              Re: Re: Re: To the contrary, let's connect them.

              The problem human beings cannot be assured to be honest or competent. We've just long assumed they were because the darkness in which they worked was securely impenetrable.

              Well, that and election results are usually within the margin of error of polling data.

              reply to this | link to this | view in chronology ]

  • icon
    discordian_eris (profile), 18 Jul 2018 @ 2:52pm

    reply to this | link to this | view in chronology ]

  • identicon
    Steve, 18 Jul 2018 @ 4:12pm

    A little mistake

    No need to publish this. There's a malformed link at the end of the second paragraph: "hrev" instread of "href"

    reply to this | link to this | view in chronology ]

  • icon
    Ryunosuke (profile), 18 Jul 2018 @ 5:25pm

    is this the same one owned by russian investors?

    reply to this | link to this | view in chronology ]

  • icon
    R2_v2.0 (profile), 19 Jul 2018 @ 11:16pm

    Survivor bias?

    Is this just survivor bias in action? The winning party and their voters have little interest in reforming the system. As far as they're concerned the outcome was 100% accurate.
    For the losers? Rigged election? Well, they would say that wouldn't they?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.