SASS Wire Forum

Election Security...



Well, THIS sure instills confidence!  :mellow:

 

Reuters - Boy, 11, hacks into replica U. S. vote website in minutes at convention

 

Quote

 

(Reuters) - An 11-year-old boy managed to hack into a replica of Florida’s election results website in 10 minutes and change names and tallies during a hackers convention, organizers said, stoking concerns about security ahead of nationwide votes.

The boy was the quickest of 35 children, ages 6 to 17, who all eventually hacked into copies of the websites of six swing states during the three-day Def Con security convention over the weekend, the event said on Twitter on Tuesday.

The event was meant to test the strength of U.S. election infrastructure and details of the vulnerabilities would be passed onto the states, it added.

 

 

Link to comment

Probably a Russian lad...

Link to comment

I have never trusted electronics. They will let you down when you need them most. I definitely have never trusted electronic voting regardless of the claims that it’s secure. My @$$! 

 

The need for electronic voting is driven by so many factors that all should be mistrusted. The media, lazy bureaucrats wanting to build empires, our government in general (just because you’re paranoid it doesn’t mean they’re not out to get you).

 

Who flippin’ cares if it takes 3 days to count votes? I knew this electronic voting s*** would really take off after Florida put the “Duh” in voting years ago. Now look where we are...we have foreign countries supposedly influencing elections.

 

By the way, I am no Luddite. Electronics and the systems they control have kept food on my table all my adult life. 

Link to comment

ALL voting should be on PAPER ballots and should be counted MANUALLY!!  An impartial, manual count, witnessed by representatives of all candidates on the ballot and certified by those witnesses should be conducted IN PUBLIC!!  When completed, it should then be certified by the Secretary of State and then held for ratification by the congress of said state.  No electronic ballots!!  NO mechanical devices of ANY KIND!!  ALL voters should be required by law to be legal residents of the district or precinct in which they vote and be legal citizens of the nation, state, and county!! All voters will be issued and be required to present a voter registration card with photographic representation of the voter and another form of legal photo ID.

 

Representatives of each candidate will certify that ballot boxes are empty and sealed and locked at the time that voting begins.  NO citizen will be allowed to enter the polling place more than once on election day and will be required to show proof of legal citizenship and legal residence at that time.  Early voting will be subject to the same rules and a paper, hard copy of voter participation will be maintained and present at any and all polling places. Absentee ballots will be notarized and sealed, sent through the postal service by registered mail, held (sealed) until election day, opened and counted with, and in the same manner as all other ballots.

 

Voters who fail to vote in three consecutive statewide elections will be purged from the voter rolls and shall be required to re-register and furnish proof of citizenship and residency upon re-registration.

 

I'm SURE that I have overlooked other safeguards to election integrity.  Add what you see that would further secure fair and safe elections.

Link to comment

3 hours ago, Painted Mohawk SASS 77785 said:

Can't beat those youngins' of today..3 & 4  year olds can use these smart phones way better than me !!

I guess you own a smart phone...Flip phone user still, no interest in changing..

 

Texas Lizard

Link to comment

18 minutes ago, Blackwater 53393 said:

ALL voting should be on PAPER ballots and should be counted MANUALLY!!  An impartial, manual count, witnessed by representatives of all candidates on the ballot and certified by those witnesses should be conducted IN PUBLIC!!  When completed, it should then be certified by the Secretary of State and then held for ratification by the congress of said state.  No electronic ballots!!  NO mechanical devices of ANY KIND!!  ALL voters should be required by law to be legal residents of the district or precinct in which they vote and be legal citizens of the nation, state, and county!! All voters will be issued and be required to present a voter registration card with photographic representation of the voter and another form of legal photo ID.

 

Representatives of each candidate will certify that ballot boxes are empty and sealed and locked at the time that voting begins.  NO citizen will be allowed to enter the polling place more than once on election day and will be required to show proof of legal citizenship and legal residence at that time.  Early voting will be subject to the same rules and a paper, hard copy of voter participation will be maintained and present at any and all polling places. Absentee ballots will be notarized and sealed, sent through the postal service by registered mail, held (sealed) until election day, opened and counted with, and in the same manner as all other ballots.

 

Voters who fail to vote in three consecutive statewide elections will be purged from the voter rolls and shall be required to re-register and furnish proof of citizenship and residency upon re-registration.

 

I'm SURE that I have overlooked other safeguards to election integrity.  Add what you see that would further secure fair and safe elections.

Too easy and too safe...Does not fit some people's needs...And we do not want to upset someone....

 

Texas Lizard

Link to comment

10 minutes ago, Blackwater 53393 said:

ALL voting should be on PAPER ballots and should be counted MANUALLY!!  

 

you're on the right track.

the ballots should use mark-sense technology so that they are easily understood by people.

 

it's OK to use electronics to read and score the ballots -- provided that there is also an audit process that is completed before the results are certified.

 

Audit:

after the election randomly select -- e.g. -- 1% of precincts for audit.

for the audit: score the ballots manually -- particularly on close or highly contested offices or items.

make sure you have the same number of ballots each time you score them and that this number agrees with voter sign-ins.

re-read the ballots in the scoring machines.  

 

you should get the same total as scored originally,  and this should agree with the scores tallied manually.

 

if there is a discrepancy then this has to be explained.    run the ballots 1 by 1 making sure the machine scores it the same way as marked by the voter.

 

if the voting machines are wrong or inconsistent then the OEM will have to PAY for a complete manual re-count, refund the cost of the machines, and pay civil damages.

 

remember what Edward Snowden taught us:  

Quote

Two things are sold without product liability in these united States: religion and software.

 

In today's world the error can also be in the firmware.

a good virus for this will be non-persistent: after the election: it will disappear itself.

 

if this happens the second time you score the ballots you'll get a different answer.   you have to be able to figure out why

Link to comment

5 hours ago, Pat Riot, SASS #13748 said:

I have never trusted electronics. They will let you down when you need them most. I definitely have never trusted electronic voting regardless of the claims that it’s secure. My @$$! 

 

The need for electronic voting is driven by so many factors that all should be mistrusted. The media, lazy bureaucrats wanting to build empires, our government in general (just because you’re paranoid it doesn’t mean they’re not out to get you).

 

Who flippin’ cares if it takes 3 days to count votes? I knew this electronic voting s*** would really take off after Florida put the “Duh” in voting years ago. Now look where we are...we have foreign countries supposedly influencing elections.

 

By the way, I am no Luddite. Electronics and the systems they control have kept food on my table all my adult life. 

The problem is not the electronics; it is the programmers and testers.

 

As a Systems Software Tester in a former life, I know that all are not created equal. If anyone wants me to back that up with examples, I can.

Link to comment

Auditing in a Precinct isn't all computer stuff though,......

We need to check the basics, before we run the ballots:

1. How many voters are registered to vote in this PCT?

2. How many votes were cast?

3. Did all the voters' ID's match the roster of registered voters?

4. How many ballots were issued to the PCT?

5. Check to be sure that the number of ballots issued less the number of votes cast equals the number of unused ballots + the number of spoiled ballots

 

about the Audit -- which is actually a "recount"

 

the audit results should match the original reports.   if they don't the process has to be checked and reviewed until the problem is found: the result cannot be certified until the recount produces the same result reliably

 

It's wrong to think you can just recount until you get the answer you want; you have to get the same answer repeatedly in order to certify that answer as correct.

 

Hackers will examine any process they wish to attack -- looking for a Point of Weakness.   If there is anything that can be fudged -- it likely will be.

 

The Audit then requires a balance control check on every factor that can affect the outcome.   If this is not done,..... well..... Here's what Uncle Joe said about it:

Quote

Those who vote determine nothing

Those who count the votes determine the outcome

 

 

Link to comment
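The audit steps and balance checks described in the two posts above, as an added Python example that is not part of the original thread. The `Precinct` fields, the sample numbers, the seed string and the "no valid mark" bucket (so one contest's tally sums to the ballot count) are all constructed assumptions.

```python
import random
from dataclasses import dataclass

@dataclass
class Precinct:
    name: str
    registered: int         # voters on the roll
    sign_ins: int           # voters who signed in at the polling place
    issued: int             # blank ballots issued to the precinct
    unused: int
    spoiled: int
    machine_original: dict  # election-night machine score for one contest
    machine_reread: dict    # same ballots re-read during the audit
    manual: dict            # hand score of the same ballots

def select_for_audit(names, percent=1, seed=None):
    """Pick `percent` of precincts (at least one), reproducibly from a seed.
    Assumption: the seed is produced in public after results are reported."""
    k = max(1, -(-len(names) * percent // 100))  # ceiling division
    return sorted(random.Random(seed).sample(sorted(names), k))

def audit_precinct(p):
    """Return a list of discrepancies; an empty list means the precinct balances."""
    findings = []
    cast = sum(p.machine_original.values())
    if p.sign_ins > p.registered:
        findings.append("more sign-ins than registered voters")
    # Balance control from the post: issued - cast == unused + spoiled
    if p.issued - cast != p.unused + p.spoiled:
        findings.append(f"ballots do not reconcile: {p.issued} issued - {cast} cast "
                        f"!= {p.unused} unused + {p.spoiled} spoiled")
    # Same number of ballots on every pass, and equal to voter sign-ins
    for label, tally in (("machine original", p.machine_original),
                         ("machine re-read", p.machine_reread),
                         ("hand", p.manual)):
        n = sum(tally.values())
        if n != p.sign_ins:
            findings.append(f"{label} count {n} != {p.sign_ins} sign-ins")
    # Re-read must reproduce the original; hand score must agree with both
    if p.machine_reread != p.machine_original:
        findings.append("machine re-read differs from original machine score")
    if p.manual != p.machine_original:
        findings.append("manual tally differs from machine tally")
    return findings

def can_certify(precincts):
    """Certify only when every audited precinct has no unexplained discrepancy."""
    return all(not audit_precinct(p) for p in precincts)

# Constructed sample data (not real election figures).
PRECINCT_A = Precinct("A", 1200, 800, 1000, 195, 5,
                      {"X": 420, "Y": 370, "no valid mark": 10},
                      {"X": 420, "Y": 370, "no valid mark": 10},
                      {"X": 420, "Y": 370, "no valid mark": 10})
# B: every count balances, but the machine attributes votes differently
# from the hand score. Only the manual comparison catches this.
PRECINCT_B = Precinct("B", 900, 600, 700, 98, 2,
                      {"X": 300, "Y": 290, "no valid mark": 10},
                      {"X": 300, "Y": 290, "no valid mark": 10},
                      {"X": 290, "Y": 300, "no valid mark": 10})
# C: all three scores agree with each other, but there are 12 more ballots
# than sign-ins. Only the balance checks catch this.
PRECINCT_C = Precinct("C", 900, 500, 600, 95, 5,
                      {"X": 262, "Y": 245, "no valid mark": 5},
                      {"X": 262, "Y": 245, "no valid mark": 5},
                      {"X": 262, "Y": 245, "no valid mark": 5})

if __name__ == "__main__":
    names = [f"PCT-{i:03d}" for i in range(300)]
    print("selected:", select_for_audit(names, percent=1, seed="constructed-seed"))
    for p in (PRECINCT_A, PRECINCT_B, PRECINCT_C):
        print(p.name, audit_precinct(p) or "balances")
    print("certify:", can_certify([PRECINCT_A, PRECINCT_B, PRECINCT_C]))
```

Precincts B and C fail for different reasons, which is why the count checks and the tally comparison are both needed.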

50 minutes ago, Allie Mo, SASS No. 25217 said:

If anyone wants me to back that up with examples, I can.

 

Cyber Crime Costs Projected To Reach $2 Trillion by 2019

the source,..... is Forbes -- Steve Morgan

 

excerpt

Quote

'Crime wave' is an understatement when you consider the costs that businesses are suffering as a result of cyber crime. 'Epidemic' is more like it. IBM Corp.'s Chairman, CEO and President, Ginni Rometty, recently said that cyber crime may be the greatest threat to every company in the world.

 

there is not only the direct financial losses but also the cost of countless labor expended in futile efforts at prevention and control,   underscored and re-capped by the suffering in tears

 

there is a good video,-- here

Mickens keynote address at Usenix 18

 

hopefully this is all strictly informational you wouldn't want to get me started on the topic

Link to comment

1 hour ago, Allie Mo, SASS No. 25217 said:

The problem is not the electronics; it is the programmers and testers.

 

As a Systems Software Tester in a former life, I know that all are not created equal. If anyone wants me to back that up with examples, I can.

Ah...When I say "electronics" I mean the whole package, not just circuits. Computers, PLCs, Circuits, Components, Human functions like assembly and programming...everything. ;)

Link to comment

GW and others,

 

Those are great observations.  Many of us have heard the term "garbage in, garbage out." GW, I agree with your audit of input. Safeguards must be taken against both. My experience was with the "garbage out" side. (I've been retired for 14 years, so maybe things have changed. I doubt it though.)

 

I worked in the System Test Unit at a State Agency. Following are some programming errors that can lead to invalid results. Also, hackers and nefarious insiders could modify programs to give invalid results (that was an area where I have no knowledge). In my examples, I could see a programmer and a tester colluding to give inaccurate results.

 

On one of my first testing jobs, I was told by the programmer area that my tests were too complex. I could mask the problem area. My lead told them that it was the complex test combinations that discovered the problems in different programs working together. The simple tests of individual programs were the coders' jobs. Our job as System Testers was determining when these individual programs didn't work together to provide the correct expected results.

 

Once, I was assigned to guide/help with testing in a Program area. They seemed to think they knew more about QA than me.

1. When they were describing test areas, they left out Expected Results. I mentioned it and was told it was "intuitively obvious." Seriously! You develop test data and don't document what you expect to be the outcome.

2. I was the DB2 Wage Record database test expert. The Program area kept getting Abends (abnormal ends to a file load). I told them why. Two people publicly told me I didn't know what I was talking about. I got a well-respected programmer to call and set them straight. No one apologized. Although, the programmer on the Program side called me a lot afterwards with questions.

3. I went to a management meeting to discuss the same problem and explained the same thing to them. My test manager called and told me I'd overstepped. I was only there to observe. She was an idiot.

4. I packed up my stuff and went back to the main office, refused to have any more to do with them, and was supported by my co-workers. The manager didn't dare chastise me.

 

A simple example was a Report I tested. The input didn't add up to the Expected Result. The Programmer forgot to add in one of the required data streams in the coding.

 

Another simple example was when I didn't test at all. I just looked at the programmer's data and results. I compared them to the requirements and he had left one of the requirements out.

 

Another simple example, I emailed a programmer and told him that he did not code or test for bad incoming data. For example, what would the program do if the input had alphas in a numeric only position. He refused to code for it as the input was coming from a Federal agency and must be correct according to the information they provided to us. The first night the file was attempted to be loaded to our database, the program had an abnormal end due to alphas in a strictly numeric field. He tried to blame me for not testing it. I sent him and his manager his email refusing to code for that event.

 

Another problem is management in a rush to get programs released. They have been known to say with a premature release, "that situation is unlikely to occur" or "we'll fix it later if it actually occurs." Then no one follows up to see if the potential problem occurred. They are too busy taking accolades for getting the programs in production on time.

 

The moral of the story is that just because a program is released to production, that doesn't make it have the correct results. Then there is the risk of inadequate safeguards against hacking.

 

Regards,

 

Allie

Link to comment

I have worked with computers since 1966.  I still don't understand them, don't like them, and don't trust them.

 

My daughter has told me that I should never be allowed near anything with an element of a computer in it....... and very little with an electric current running through it.

Maybe she's on to something.  Where can I get a kerosene powered computer with little people inside?

Link to comment

Just now, Forty Rod SASS 3935 said:

Where can I get a kerosene powered computer with little people inside?

 

Back in the 1990s somebody was working on making a fuel cell that would power a laptop computer. I think it ran on butane. (Fuel cells convert hydrogen, or a hydrogen-bearing compound like alcohol or butane, directly to electricity without burning it. The waste product is water, so your laptop might need to wear a diaper.)

 

As for little people, isn't that what grandkids are?

 

 

Link to comment

4 hours ago, Allie Mo, SASS No. 25217 said:

(I've been retired for 14 years, so maybe things have changed. I doubt it though.)

what a superb post, Allie :)

 

I used to keep a sign on the wall in my cube:

Quote

Do not come in here with a core dump in your hand, and

a smile on your face, and say your program must be OK

because it ran OK yesterday.

 

Programs are altogether too often given only regression testing.   What is needed is structured testing* combined with a peer review.

Expensive to do, but, as we all know: there isn't time to do it right but plenty of time to do it over.

 

Bruce Schneier has pointed out on occasion that this isn't going to change -- until it costs less to do it right than it does to do it quick.   This means product liability.

 

Historically product liability has not been associated with software.   The software was considered a tool, and as such the users were responsible for what they did using such.

 

circumstances are very different now from what they were in 1970.   If you put together a website using some sort of CMS on top of somebody's O/S and the hackers get to the customers' data -- who's responsible?    As website operator you have no control over what's in the CMS or in the supporting O/S, either.   Responsibility has to be assigned to those who do have control over each component.

 

Now,..... just as this is still the Toostone Saloon I'll have to allow as how I have all the available taquilya secured underneath my soapbox where Calico can't get none.   At least not until she finishes balancing Pat's tab ( which has been open all week ) .

 

---

*structured test: as defined for Structured Programming:   all branch tested.   This requires that the programmers have to execute the code in such a way that the proper execution of every instruction can be verified.    I had the opportunity to do this on 1 project, only.    It worked.

 

:huh: what the * just happened to my soapbox ??

 

 

Link to comment

They hacked into the election results website NOT the actual voting machines.  Since election results aren't usually released until after the polls close, hacking into the election results website isn't going to affect an election and the actual vote totals  are still secure.

Link to comment

1 hour ago, Chantry said:

They hacked into the election results website NOT the actual voting machines.  Since election results aren't usually released until after the polls close, hacking into the election results website isn't going to affect an election and the actual vote totals  are still secure.

Doubtful.

 

Link to comment

Don't get me wrong!!  AI is a wonderful thing!  It can accomplish multiple functions and make instantaneous adjustments at speeds we carbon based beings can only imagine.  

 

HOWEVER!! AI is EXTREMELY vulnerable to human error, human meddling, power fluctuations, power failures, intentional tampering, and other, more nefarious attacks!!  The best you can hope for is a good working system that requires low maintenance, has exemplary security, and manages to survive natural catastrophes.  

 

REMEMBER!!  Any contrivance created by humans is GOING to fail!!  Making things "fool proof" only promotes the probability that there will be bigger and more complete fools in the future.

 

AI is a tool!!  How we use it is what is important!!  Not having to use it makes things simpler.  Not necessarily easier, but simpler!!  Being able to use AI for its intended purpose and design, makes us safer, healthier, and more accurate in what we can do!

 

 BUT!, we have allowed AI to be a tool that has been used to "dumb us down" in MANY instances!!  Better security and better quality are essential to our continued wellbeing and control of our own lives!!

 

Finally!!  When the AI that runs my vehicle puts it into "Walk Home Mode", the person or persons responsible for the failure oughta' hafta' come and push my ride home!!  :angry::rolleyes::lol:

Link to comment

Just keep in mind that some of the same people that do incredibly stupid stuff and document it for posterity on YouTube are also in charge of computer hardware and software.  :(

 

Most software relies on security through obscurity.  Think of it as hiding the combination to your gun safe and the passwords to all your bank accounts inside the pages of a book or books in a library.  Given a lot of time or a little luck even the dumbest thief will find the right book.  Now imagine what a smart thief can do?

 

 

Link to comment

9 hours ago, Sparky Nelson said:

 

Back in the 1990s somebody was working on making a fuel cell that would power a laptop computer. I think it ran on butane. (Fuel cells convert hydrogen, or a hydrogen-bearing compound like alcohol or butane, directly to electricity without burning it. The waste product is water, so your laptop might need to wear a diaper.)

 

As for little people, isn't that what grandkids are?

 

 

My only grand kid is almost 17 years old, stands 6'3" and weighs close to 300 pounds.

Link to comment

I LIKE PROGRESS BUT WONDER IF SOME THINGS ARE REALLY BETTER.  SEEMS LIKE NEARLY EVERYTHING HAS A COMPUTER NOW--FROM HOME APPLIANCES TO TRACTORS.  SUCH A HUGE VULNERABILITY. COMMUNICATION, SECURITY, CREDIT, DEPENDS ON SATELLITES IN SPACE INSTEAD OF WIRES IN YOUR HOUSE OR HARDCOPY. 

WHEN THOSE SYSTEMS SHUT DOWN, IT'S IMMOBILIZING ACROSS THE COUNTRY.  YOU CAN'T GET MONEY OUT OF THE BANK.  ONE CAN'T FIX HI-TECH STUFF AT HOME UNLESS YOU HAVE THAT TRAINING.  SMART PHONES ARE A MARVEL, BUT HONESTLY, THEY AREN'T PHONES; THEY ARE COMPUTERS WITH A PHONE APP.  I DON'T USE ONE,  JUST A FLIP PHONE FOR CALLS AND MSGS., JUST RATHER NOT BE ONLINE ALL DAY.  TECHNOLOGY HAS LEFT THE WORLD WITH NEWER GENERATIONS THAT DON'T KNOW HOW TO USE THEIR HANDS, KNOW HOW THINGS WORK, BUILD OR REPAIR THINGS, BECAUSE THEY OPERATE OBJECTS VIRTUALLY FROM A SCREEN INSTEAD OF IN REALITY.  SO WHEN AN I.T. PERSON WITH A SECURITY CLEARANCE TAKES SOMETHING FROM A VIRTUAL FILE, IT ISN'T LIKE TAKING IT IN REALITY.

 

EXCEPT MS. REALITY WINNER--YES, SHE'S A REAL PERSON SO NAMED BY HER COMEDIC PARENTS!  CONVICTED OF TREASON AND ESPIONAGE, THEFT OF SECRET DOCS, WHICH SHE GAVE TO A PUBLISHER--WHO PUBLISHED IT!  TODAY, SHE WAS GIVEN AN ADDITIONAL 3 YEARS IN PRISON ON TOP OF THE TIME ALREADY SERVED WHILE HELD DURING TRIAL.

Air Force officials confirmed that Winner served active duty from December of 2010 to December 2016; was a cryptologic language analyst, requiring fluency in at least one foreign language which was not divulged.

Winner, an Air Force veteran, pleaded guilty in June after being held in prison at the Lincoln County Jail near Augusta, Georgia. She was arrested in June 2017, and charged under the Espionage Act for removing classified material from a government facility and mailing it to a news outlet, according to the Justice Department. Winner’s 2017 arrest was announced shortly after the Intercept website published a story detailing how Russian hackers attacked at least one U.S. voting software supplier and sent so-called “spear-phishing” emails to more than 100 local election officials at the end of October or beginning of November 2016.

Link to comment

40R 

 MY SON WAS LIKE THAT.  BE SURE TO GET HIS HEART CHECKED. :)

Link to comment

9 hours ago, Forty Rod SASS 3935 said:

My only grand kid is almost 17 years old, stands 6'3" and weighs close to 300 pounds.

 

You want to borrow mine? The only requirement is you have to keep them for a month.

Link to comment

19 hours ago, Chantry said:

They hacked into the election results website NOT the actual voting machines.  Since election results aren't usually released until after the polls close, hacking into the election results website isn't going to affect an election and the actual vote totals  are still secure.

 

are you talking about the Reality Winner case ?

you can read about it here

 

excerpt

Quote

At issue in Winner’s case is a document she leaked to a news outlet. The Intercept published an article on June 5, 2017 about a five-page National Security Agency report that detailed how alleged Russian hackers targeted election vendors with phishing attacks in an attempt to access voters rolls in several states.

 

phishing attacks are hacking?    ROF,LMAO.   they rate about even with SQL injection.   These "attacks" are just exploits of sloppy computer code that should have been fixed years ago.

 

there's somepthin else going on,   and now,   me needs a $5 ceegar and a little o' that Rye Whisky

Link to comment

4 minutes ago, Grampaw Willie, SASS No.26996 said:

 

are you talking about the Reality Winner case ?

you can read about it here

 

excerpt

 

phishing attacks are hacking?    ROF,LMAO.   they rate about even with SQL injection.   These "attacks" are just exploits of sloppy computer code that should have been fixed years ago.

 

there's somepthin else going on,   and now,   me needs a $5 ceegar and a little o' that Rye Whisky

No I was pointing out the difference between hacking the actual election votes (very bad) as opposed to hacking a state.gov website that reports the results (Needs to be fixed, but at best a minor annoyance)

Link to comment

9 minutes ago, Chantry said:

No I was pointing out the difference between hacking the actual election votes (very bad) as opposed to hacking a state.gov website that reports the results (Needs to be fixed, but at best a minor annoyance)

 

ok,-- just curious

 

I'll just add a quick note though -- from time to time various Content Management Systems (CMS) have been found to have serious vulnerabilities -- a couple of top ones are in the news again this week.....

 

script kiddies can get the hack code on the "dark net" or other places -- which makes the hack about as hard as installing the latest copy of Submarine Battles on yer laptop.

 

Link to comment

12 hours ago, Sparky Nelson said:

 

You want to borrow mine? The only requirement is you have to keep them for a month.

Thanks, Sparky, I druther cut my own legs off with a wooden spoon than deal with little kids again.  That's why I walked away from teaching in public schools and went to instructing industrial students.  :P  :lol:

Link to comment

21 hours ago, Caliope Cupcake #13981 said:

40R 

 MY SON WAS LIKE THAT.  BE SURE TO GET HIS HEART CHECKED. :)

He's healthy except for an attitude which I will surgically remove the next time I see him.  (Wonder where that came from!) 

Link to comment

13 hours ago, Forty Rod SASS 3935 said:

He's healthy except for an attitude which I will surgically remove the next time I see him.  (Wonder where that came from!) 

 

Is the surgeon removing the attitude or the attitude adjustment tool. (large boot) :D

Link to comment

On 8/23/2018 at 11:57 PM, Texas Lizard said:

I guess you own a smart phone...Flip phone user still, no interest in changing..

 

Texas Lizard

No I don't have a smart phone...still the flip flop for me..I just marvel at how these 'toddlers' can use the others !!!!

Link to comment

On 8/23/2018 at 6:57 AM, Texas Lizard said:

I guess you own a smart phone...Flip phone user still, no interest in changing..

 

Texas Lizard

 

7 hours ago, Painted Mohawk SASS 77785 said:

No I don't have a smart phone...still the flip flop for me..I just marvel at how these 'toddlers' can use the others !!!!

Don't tell anyone. I'm with you gents. I buy my minutes once a year. I get 100 minutes for $100. That is less than $9 per month and I always have minutes that roll over. Right now my balance is 172 minutes.

 

As you can probably tell, I'm on the computer often enough without a smart phone. When I'm away from home, I like to be away from the internet too.

Link to comment

 

 

40R, when you take 'em underwater, they be REAL quiet :P  

 

 I got worn out from other people's kids in public schools, too.  Spec Ed classroom was easier, so I went there.  Glad to be out a few years now, but stay in the pool 6 mos a year.  It's better than workin'!

Link to comment

Archived

This topic is now archived and is closed to further replies.
