Biggest Voting Machine Maker Admits — Ooops — That It Installed Remote Access Software After First Denying It
from the you-guys-are-soooooooo-bad-at-this dept
We’ve been covering the mess that is electronic voting machines for nearly two decades on Techdirt, and the one thing that still flummoxes me is how are they so bad at this after all these years? And I don’t mean “bad at security” — though, that’s part of it — but I really mean “bad at understanding how insecure their machines really are.” For a while everyone focused on Diebold, but Election Systems and Software (ES&S) has long been a bigger player in the space, and had just as many issues. It just got less attention. There was even a brief period of time where ES&S bought what remained of Diebold’s flailing e-voting business before having to sell off the assets to deal with an antitrust lawsuit by the DOJ.
What’s incredible, though, is that every credible computer security person has said that it is literally impossible to build a secure fully electronic voting system — and if you must have one at all, it must have a printed paper audit trail and not be accessible from the internet. Now, as Kim Zetter at Motherboard has reported, ES&S — under questioning from Senator Ron Wyden — has now admitted that it installed remote access software on its voting machines, something the company had vehemently denied to the same reporter just a few months ago. That was then:
In a statement, ES&S said, ??None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software.??
This is now:
In a letter sent to Sen. Ron Wyden in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had “provided pcAnywhere remote connection software ? to a small number of customers between 2000 and 2006,” which was installed on the election-management system ES&S sold them.
This should be a massive scandal considering the potential impact on our democracy, but considering all the other scandals going on right now with the potential to impact our democracy, expect this one to not get nearly enough attention. Wyden’s own comment on this is noteworthy:
Wyden told Motherboard that installing remote-access software and modems on election equipment ?is the worst decision for security short of leaving ballot boxes on a Moscow street corner.?
As for the pcAnywhere software ES&S had installed on those voting machines, well…
In 2006, the same period when ES&S says it was still installing pcAnywhere on election systems, hackers stole the source code for the pcAnyhere software, though the public didn?t learn of this until years later in 2012 when a hacker posted some of the source code online, forcing Symantec, the distributor of pcAnywhere, to admit that it had been stolen years earlier. Source code is invaluable to hackers because it allows them to examine the code to find security flaws they can exploit. When Symantec admitted to the theft in 2012, it took the unprecedented step of warning users to disable or uninstall the software until it could make sure that any security flaws in the software had been patched.
Around this same time, security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password.
So… that’s disturbing.
Anyway, elections are a very tricky problem to do securely. It is a nearly impossible task. But there are lots of things that you clearly should not do, and for some reason, the e-voting manufacturers seem to want to do all of them, and don’t seem particularly apologetic about any of it. And, while in the past the idea of hacking an election may have seemed far fetched and conspiracy-minded, these days… not so much. This is a key issue concerning our democracy, and the most incredible thing is how flippant many people are about all of this. Computer security professor Matt Blaze, who knows more about any of this than anyone reading this points out that “in the more than quarter century I’ve been doing computer security, I’ve never encountered a problem space nearly as difficult or complex as civil elections.”
And yet, we’re letting people who don’t understand even the slightest bit of the problems and challenges run the show. What a mess.
Filed Under: e-voting, electronic voting, pcanywhere, remote access, remote access software, ron wyden, security, voting
Companies: diebold, es&s
Comments on “Biggest Voting Machine Maker Admits — Ooops — That It Installed Remote Access Software After First Denying It”
Hey Mike – how soon can we expect your “The big bad EU is picking on poor little Google again” corporate apologist article about the latest Google fine?
Re: Re:
I know it’s hard but can you focus on the current topic?
Re: Re:
How soon can we expect a comment relevant to the actual article?
Flagged.
Re: Re: Re:
Flagged? Thank goodness there’s the comment police on patrol.
Re: Re: Re:
Maybe say something relavent and you won’t get DMCA votes handed out to you like candy on Halloween.
Re: Re:
I have no life.
Don’t worry, the antivirus software will protect us!
Re: Re:
There is an xkcd for everything.
With something as important as elections I genuinely don’t get how some states can be so cheap on how they are done. They already have a bazillion volunteers man the offices for the votes. Why not just have them all on paper, scanned and electronically counted for immediate results. Then have the volunteers and a state election representative hand count the votes for confirmation? Yes it may mean we get a few days of delay in getting certified results, and definitely at least one hanging chad type clusterF____, but at least then there is a viable backup in case there is hacking.
Maybe I am more patient than most, but I am cool with waiting until that Friday to know who will be responsible for funning the country for the next few years. Hell even if it costs a few million extra dollars to pay the volunteers for overtime, its worth it.
Is this perfect? Hell no. It is still vulnerable to volunteers who have agendas* and early scanned results being manipulated. But its far better than the current system.
*I once had an election volunteer who clearly had an issue with a specific demographic voting. I was in college in an area that was a mix of students and residents. This volunteer would clearly single out students for minor issues and put them on provisional ballots. For example, she complained my signature on their dumb electronic pad did not match my ID exactly. I mean it had to match exactly. Every single twirl or slash had to be identical. She made me redo it three times, eventually giving me a provisional ballot. Meanwhile, she barely looked at the ID of the elderly resident who registered after me. So yah no way is a hand count system perfect. But I’d still rather have “Ms I hate Liberals Voting” than Hacker Mc Hacky changing results. At least Ms. I Hate Liberals would face jail time if they found out she lied.
Re: Re:
Is ‘funning’ a mash up for running and fucking? It sure seems appropriate taken in context with your sentence.
In ES&S’ defense I don’t think I’ve ever dealt with a tech goods and services provider that kept any sort of records for longer than seven years. Odds are they legit didn’t know if they had installed pcAnywhere when the question was first asked.
Yes, that still means they’re somewhat negligent and irresponsible. It also means though that anyone taken by surprise by this are in for a long bumpy ride in the world of tech.
Re: Re:
Is it negligent to use Windows for your voting machine OS?
It is certainly questionable.
Re: Re: Re:
Then maybe they should create an OS that is election system specific. Open Sourced of course, but starting with the premise of security, and minimizing the ability to access it without net access, and say two or three factor authentication and outputs to multiple devices that must be locally installed (a usable device and a backup device). Physically moving one of those outputs to another device for uploading to a compilation machine.
Security is hard, which makes the ability to access the system harder should be the norm. Paper ballots might be the way to go, though as pointed out elsewhere they have issues as well, the question is, can a system be established that is good enough.
With an open source hardware/software/firmware/OS project, could we create something that is as good, or better that what we have now? While the experts say no, I am thinking they are responding to existing systems. What if they helped to create a new system (maybe blockchains, also mentioned elsewhere, could help) with many eyes looking at it (also mentioned elsewhere). Perfect security might be a panacea, but what about better security?
Re: Re: Re: Re:
If you want security in your operating system there is OpenBSD where:
Re: Re: Re:2 Re:
That is an idea, but desktop operating systems, I think, have a tendency to have multiple ways of access (API’s) and output (the variety of ports on the machine). I am suggesting an OS that doesn’t have any of those. Only one focus. Minimal ways to access, with very strong restrictions. Minimal ways to output, with very strong restrictions. Automatic ways to backup inputs. It might be that it is merely a scanner of that paper ballot, but that does not deprecate the necessity of security, or backup or control of access.
Re: Re: Re:3 Re:
A base OpenBSD installation is a command line environment, as its main target audience is servers. Also the BSDs, like Linux, make a windowing system an optional extra.
They can also be set up so that one terminal presents the ballot, and a separate terminal has to be plugged in to do anything else on the system, and that can be made so that the case has to be opened to do so for extra security.
Re: Re: Re:4 Re:
I use Linux, though have no experience with BSD. However I don’t think a command line interface would be much of a deterrent to hackers. My thoughts are more along the line of the OS’s ability to allow access or more importantly disallow, and control outputs, or more importantly disallow except to specific instances. Being built from the ground up, with those thoughts in mind seems like a better way to go. And much less code to review.
Re: Re: Re:2 Re:
“As of July 2018, only two remote vulnerabilities have ever been found in the default install, in a period of almost 22 years”
‘have ever been found’ being the key phrase here.
Re: Re: Re:3 Re:
I disagree.
“In the default install” is the key phrase. Because the default install is quite limited.
Re: Re: Re:3 Re:
As OpenBSD focuses on security, it is an attractive target for hackers looking to show their prowess. Also, its developers keep an eye on security flaws being found in other systems, and the looking over their code base for potential similar flaws in their own code base. That low rate of remote vulnerabilities being found is the result of hard work focusing on security.
Re: Re: Re:
What if the machine had a self-programming FPGA? Some can take advantage of unique manufacturing flaws in hardware, preventing the resultant software from working on another machine.
Of course they did
How else are they going to sway the vote?
Re: Of course they did
The same way everybody else does: lobbying and campaign contributions.
I’m much more inclined to chalk security weaknesses in voting machines up to incompetence than malice — just like security weaknesses in everything else. If an American company that already has contacts with local politicians wants to influence elections, there are easier, more effective, less risky ways to do it than tampering directly with the voting machines.
That’s not a defense, mind. There’s no excuse for bad security practices, especially on voting equipment, and just because I don’t see any reason to believe the manufacturers themselves are tampering with election data doesn’t excuse leaving the door open for someone else to do so.
We need better security audits of our voting machines, and there should be serious financial repercussions for companies that make voting machines with glaring security flaws.
So we have a vector for a LOT of meddling.
Can they trace if it’s ever been used to tamper with an election?
Can they fix the machines so they’re not remotely accessible?
Because if the answer is no this is going to crush confidence further regarding elections in the US.
Re: So we have a vector for a LOT of meddling.
I think you may be underestimating the general public’s level of apathy regarding almost anything of importance.
Maybe I’m a cynic, but I think it likely that a ridiculously small minority of our countrymen will hear about this, let alone utter a single word to anyone else regarding the matter.
Re: Re: So we have a vector for a LOT of meddling.
“the general public’s level of apathy regarding almost anything of importance.”
It seems the general public’s list of what is important begins with putting food on the table and having shelter. I guess that is not important.
Re: Re: Re: Food and Shelter
That seems to be the first order of business of every dystopian state: Keep the proles busy just sustaining themselves and they’ll never have time to look up and see how awful everything is.
Giving the US the benefit of the doubt, I think we attained that by accident, encouraging everyone to be competitive and to offer themselves as an low-cost, high-performance employee, especially once it became an employers’ market.
So now everyone is overworked and underpaid and has not even the energy to rear their children, let alone be mindful of civic affairs.
Which is just the way our corrupt aristocracy wants it. Score!
Electronic voting machines just don't cut it.
The ratio and constitution of the part of the populace able to verify their proper functioning throughout an election is too small to put the core tenet of democracy into their care.
With paper ballots, the amount of votes a particular crook can manage to tamper with is rather limited. With electronic voting machines, not so much.
I know of large industrial projects in a Western country proceeding without valid permissions because there were billions at stake and the people casting the decision were confident that money would find a way to bribe all the necessary neuralgic points.
And it did.
The results of an elections are worth more, and the number of people to bribe quite fewer.
Bribing your way through paper ballots, in return, is much harder. Essentially you have to bribe the majority of voters (which is what campaign promises are all about) and, well, then it’s the voters’ fault and/or profit and that’s what democracy is about: people at least deserve what they are getting then. But it’s also a comparatively expensive manner of tilting the tables.
Re: The advantage of electronic voting machines...
…is that they count the votes better than humans do.
Unless we count them much the way we did in the 2000 Florida recount in which a small committee examines each ballot and deliberates over whether hanging chads nullify a vote.
The problem is not the electronic voting machine, but the security problems presented by them, and if we solve that we might even be able to enable internet voting.
Open sourcing software would make it difficult to cheat.
In Europe there’s been some looks into using blockchain tech to affirm that votes are registered and counted correctly without interference.
Re: Re: The advantage of electronic voting machines...
Nonsense. State-level actors have created awfully involved malware that kept hidden for years. Intel has created processor-level malware (with its "Management engine") that is near impossible to disable. The Spectre and Meltdown vulnerabilities are for us to stay.
Open Source cannot help against all that, and additionally it does not help against compile chain bootstrap maladies which don’t need to remain in the source code after the malware has been bootstrapped.
A device that cannot be verified and monitored at the time of its operation by nominated non-specialist officials has no place in a crucial point of voting.
Re: Re: The advantage of electronic voting machines...
But it’s possible to use a machine to count votes without using a machine to cast them.
I’m still inclined to believe that, in most cases, casting a vote with pen and paper is the best option. If a machine is then required to count the votes, use an optical scanning machine.
Of course, that still means the optical scanning machine is a failure point and a security risk.
Re: Re: Re: The advantage of electronic voting machines...
Well, you still have the ballots and can recount. You don’t need to trust the scanning machine.
Re: Re: Re:2 tl;dr
Right. And the likeliest scenarios for vote tampering to make a difference are the ones where the vote is close enough that neither outcome will seem suspicious — which are also the votes that might trigger a hand recount.
I find it amusing ANYONE trusts s***antec or M***ee.
Their software “hoovers up” anything in the documents folder, actively searches for Excel and Word documents, parses them looking for “interesting” words and then sends documents wholesale back to the central server for “processing”
(i.e. information stealing).
Also doesn’t help that Norton is the equivalent of locking your door at night then blowing a hole in the wall with a grenade.
Norton will happily run stuff if it even THINKS it came from symantec’s website (.exe and .msi files etc) and it’s so easy to spoof it’s unbelievable anyone would use their software anywhere!
NO SYSTEM is perfect..
“every credible computer security person has said that it is literally impossible to build a secure fully electronic voting system”
There are problems with this..IF you can get your hands on the device, and play with it, you can take time to DO ANYTHING..
Part and parcel of the problem is a bunch of companies that Cant program CRAP, and use the Standards and programming CURRENTLY available..
There are ALLOT of tricks and hacks that can be done to make it HARD AS HELL to do anything with the hardware..
you have to get thru the hardware FIRST..
Then the Software has to PROTECT itself.
How in hell cant a Programmer and hardware person design something that is FAIRLY protected from instant ONSITE changes??
Im sorry, but I think a GOOD system could be build, and SHOULD be at least 90% effective.
NOW if you want to compare a paper system that we use MOSTLY, with what can be done to corrupt that system… You would need a small amount of history and understand of HOW the system WORKED in the past.
ANd how many persons in this nation have been disuaded from voting..
What's the.....
Vote for Waldo! Because what’s the friggin point!
Re: What's the.....
Where is he..?
Invaluable to the rest of us
Quoth Zetter:
It’s unqualified claims like this that allow voting machine designers to avoid open-sourcing their products. I’d like to think he’s using “hacker” in the old sense of the word,
but probably not. Either way, this statement is both too specific and misleading. Source code is also invaluable to those who want to understand/audit this crucial software, and making source code publicly available is, of course, good for security.
The idea that, for the public’s safety, voting source code should only be available to some NDA-bound developer priesthood needs to be killed dead.
Re: That runs contrary to Linus' law
Given enough eyeballs, all bugs are shallow
Re: Invaluable to the rest of us
Correction: It was Symantec’s pcAnywhere source code that was posted, not voting machine software. But of course the point is the same.
Re: Re: Invaluable to the rest of us
Yes, they do not want their shitty coding practices exposed.
Re: Invaluable to the rest of us
Indeed, what we got here was the worst-case for a security-through-obscurity regime: the source code wasn’t publicly available, but it was acquired by a malicious third party. That way, the only people (outside of the developers) who were auditing the source code were malicious actors. If the source code had been released for everybody, then white hats could have searched for vulnerabilities in order to disclose and fix them.
Re: Re: Invaluable to the rest of us
If the source code had been released for everybody, then white hats could have searched for vulnerabilities in order to disclose and fix them.
Followed by being sued and/or threatened with lawsuits for their actions, because as any good pointy-haired manager knows those flaws weren’t there until the blasted hackers told people about them!
Re: Re: Re: Invaluable to the rest of us
Is there a good place to post security findings anonymously? Lists like full-disclosure require an email address, and a lot of the free email providers insist on getting phone numbers or other personal data.
Re: Re: Re:2 Posting security findings anonymously
Even the super-temporary fake-email address services?
Re: Invaluable to the rest of us
The hardest part of secure voting to pull off is convincing senior management of the company and governments that the voting machines should not be connected to the Internet, but should combine physical and software security measures so that at least two people need to be present to unlock physical access, and gain software access to do anything other than vote. That is at least one person with a physical key, and another who know the passwords.
Re: Re: To the contrary, let's connect them.
As soon as it is feasible to make voting machines robustly secure without the air gap, let us do so. I think that is ultimately what the future of voting holds.
I get that we’re struggling to get there. I get that among the obstacles to a net-secure voting system is lack of concern by those officials who got themselves elected / appointed through outside meddling.
But ultimately, being able to vote while connected is a step towards being able to vote by connecting, which will increase voter turn out.
And yes, some people don’t want that. Screw those guys.
Re: Re: Re: To the contrary, let's connect them.
I can’t see the comment you’re responding to, but it looks like you’re advocating for online voting?
I don’t believe it’s ever going to be feasible.
The problem is this:
There needs to be a mechanism whereby (1) I can verify that my vote has been recorded correctly, (2) nobody else can tell how I voted, and (3) I can’t vote twice.
I only know one way of doing that: my identity is verified and a record is made that I have voted; my vote is recorded on a piece of paper that does not identify me; I put that piece of paper in a box.
(Technically this doesn’t actually satisfy (1), because it still requires trust that the people responsible for counting my votes are honest and competent. But ultimately, that’s inherent in any democratic system; if the people responsible for tabulating the votes cannot be trusted, then the whole system is compromised.)
Re: Re: Re:2 To the contrary, let's connect them.
I think it is possible, if not by using hash-codes, digital signing, asymmetric encryption and blockchaining then by using a technology related to them.
Eventually there would be a public blockchain of any given election that anyone could access, and confirm that their own vote is still in there. They should also be able to run the tallying software and get a sum of all the votes for any given election.
Granted it may require that individuals are responsible to keep and back-up their own access keys. If you lose your key, your own data is gone. But this is a degree of password hygiene we’ve wanted to encourage the public to sustain anyway.
The problem human beings cannot be assured to be honest or competent. We’ve just long assumed they were because the darkness in which they worked was securely impenetrable.
Re: Re: Re:3 To the contrary, let's connect them.
Well, that and election results are usually within the margin of error of polling data.
http://blackboxvoting.org/
A little mistake
No need to publish this. There’s a malformed link at the end of the second paragraph: “hrev” instread of “href”
is this the same one owned by russian investors?
Re: Re:
“russian”
That didn’t take long, did it?
Survivor bias?
Is this just survivor bias in action? The winning party and their voters have little interest in reforming the system. As far as they’re concerned the outcome was 100% accurate.
For the losers? Rigged election? Well, they would say that wouldn’t they?