Results 1 to 6 of 6

Thread: Pair of $100 surplus voting machines bought on eBay contained data on voters

  1. Top | #1
    Veteran Member phands's Avatar
    Join Date
    Feb 2013
    Location
    New York, Manhattan, Upper West Side
    Posts
    1,976
    Archived
    1
    Total Posts
    1,977
    Rep Power
    26

    Pair of $100 surplus voting machines bought on eBay contained data on voters

    Unbelievable in this day and age. Disk erase/destruction is mandatory in any company I've worked at this century.

    IN 2016, I bought two voting machines online for less than $100 apiece. I didn't even have to search the dark web. I found them on eBay.
    Surely, I thought, these machines would have strict guidelines for lifecycle control like other sensitive equipment, like medical devices. I was wrong. I was able to purchase a pair of direct-recording electronic voting machines and have them delivered to my home in just a few days. I did this again just a few months ago. Alarmingly, they are still available to buy online.

    If getting voting machines delivered to my door was shockingly easy, getting inside them proved to be simpler still.
    The tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped.
    The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, were not encrypted.
    Worse, the “Property Of” government labels were still attached, meaning someone had sold government property filled with voter information and location data online, at a low cost, with no consequences. It would be the equivalent of buying a surplus police car with the logos still on it.


    My aim in purchasing voting machines was not to undermine our democracy. I'm a security researcher at Symantec who started buying the machines as part of an ongoing effort to identify their vulnerabilities and strengthen election security.
    In 2016, I was conducting preliminary research for our annual CyberWar Games, a company-wide competition where I design simulations for our employees to hack into. Since it was an election year, I decided to create a scenario incorporating the components of a modern election system. But if I were a malicious actor seeking to disrupt an election, this would be akin to a bank selling its old vault to an aspiring burglar.


    I reverse-engineered the machines to understand how they could be manipulated. After removing the internal hard drive, I was able to access the file structure and operating system.
    Since the machines were not wiped after they were used in the 2012 presidential election, I got a great deal of insight into how the machines store the votes that were cast on them.
    Within hours, I was able to change the candidates' names to be that of anyone I wanted. When the machine printed out the official record for the votes that were cast, it showed that the candidate's name I invented had received the most votes on that particular machine.
    My bold.

    I'm shocked that this isn't a huge scandal.

    https://www.wired.com/story/i-bought...hines-on-ebay/
    “Light thinks it travels faster than anything but it is wrong. No matter how fast light travels, it finds the darkness has always got there first, and is waiting for it.” Terry Pratchett

  2. Top | #2
    Veteran Member
    Join Date
    Oct 2018
    Location
    Colorado
    Posts
    1,447
    Rep Power
    5
    Good article. While this is a risk to direct physical attack on these machines, no such attack in the wild has ever occurred, nor does anything here imply the possibility. It is the same deal as getting a slot machine from a casino and figuring out that if you remove the hard drive you can manipulate how it works. OK... good luck taking a hard drive out of a slot machine in the middle of a casino... likewise... good luck mucking with a voting machine in the middle of your town hall with hundreds of people all around you.

    A bigger risk is with the vendors and suppliers of the manufacturers of these voting machines. If they can be manipulated in the factory, or at a component's supplier's factory, and then placed into service, that is where there might be risk of knowing how to manipulate them.

    This was core to the plot of one of the Oceans movies (Ocean 12, maybe?), where they needed loaded dice in the casino they were robbing. They had to mess with the plastic the dice maker used and keep track of the lot number to make sure they went where they needed them to be.

  3. Top | #3
    Elder Contributor Underseer's Avatar
    Join Date
    May 2003
    Location
    Chicago suburbs
    Posts
    11,413
    Archived
    39,172
    Total Posts
    50,585
    Rep Power
    73
    Quote Originally Posted by Gun Nut View Post
    Good article. While this is a risk to direct physical attack on these machines, no such attack in the wild has ever occurred, nor does anything here imply the possibility. It is the same deal as getting a slot machine from a casino and figuring out that if you remove the hard drive you can manipulate how it works. OK... good luck taking a hard drive out of a slot machine in the middle of a casino... likewise... good luck mucking with a voting machine in the middle of your town hall with hundreds of people all around you.

    A bigger risk is with the vendors and suppliers of the manufacturers of these voting machines. If they can be manipulated in the factory, or at a component's supplier's factory, and then placed into service, that is where there might be risk of knowing how to manipulate them.

    This was core to the plot of one of the Oceans movies (Ocean 12, maybe?), where they needed loaded dice in the casino they were robbing. They had to mess with the plastic the dice maker used and keep track of the lot number to make sure they went where they needed them to be.
    But it does demonstrate that the state government either doesn't understand or doesn't care about the security of its voting data.

  4. Top | #4
    Veteran Member
    Join Date
    Nov 2017
    Location
    seattle
    Posts
    4,857
    Rep Power
    12
    I am shocked.

  5. Top | #5
    Veteran Member
    Join Date
    Nov 2017
    Location
    Layton, UT
    Posts
    1,275
    Rep Power
    8
    Quote Originally Posted by Underseer View Post
    Quote Originally Posted by Gun Nut View Post
    Good article. While this is a risk to direct physical attack on these machines, no such attack in the wild has ever occurred, nor does anything here imply the possibility. It is the same deal as getting a slot machine from a casino and figuring out that if you remove the hard drive you can manipulate how it works. OK... good luck taking a hard drive out of a slot machine in the middle of a casino... likewise... good luck mucking with a voting machine in the middle of your town hall with hundreds of people all around you.

    A bigger risk is with the vendors and suppliers of the manufacturers of these voting machines. If they can be manipulated in the factory, or at a component's supplier's factory, and then placed into service, that is where there might be risk of knowing how to manipulate them.

    This was core to the plot of one of the Oceans movies (Ocean 12, maybe?), where they needed loaded dice in the casino they were robbing. They had to mess with the plastic the dice maker used and keep track of the lot number to make sure they went where they needed them to be.
    But it does demonstrate that the state government either doesn't understand or doesn't care about the security of its voting data.
    More importantly, I think, it demonstrates that once the polls close, the machines are taken in and the votes are counted, it is very easy to change the results. There is no paper trail or any kind of audit process except in a few states.

  6. Top | #6
    Veteran Member Tigers!'s Avatar
    Join Date
    Sep 2005
    Location
    On the wing waiting for a kick.
    Posts
    1,716
    Archived
    2,558
    Total Posts
    4,274
    Rep Power
    53
    That is so careless I am astounded.

    Though the paper audit is not as good as we would like.
    In western Australia in the 2013 Commonwealth election 1375 paper votes were lost.
    https://www.abc.net.au/news/2015-04-...-finds/6395716

    Carelessness is the curse of the complacent.
    NOTE: No trees were killed in the sending of this message, but a large number of electrons were terribly inconvenienced.

Similar Threads

  1. Replies: 2
    Last Post: 10-29-2018, 07:38 PM
  2. At Least 12 Killed in Pair of Terrorist Attacks in Iran
    By dismal in forum Political Discussions
    Replies: 34
    Last Post: 06-14-2017, 04:55 PM
  3. How will Instant Runoff Voting in Maine effect voting reform?
    By Blahface in forum Political Discussions
    Replies: 22
    Last Post: 01-13-2017, 12:13 AM
  4. Suspicious voting machines in Georgia
    By southernhybrid in forum US Presidential Politics
    Replies: 7
    Last Post: 10-29-2016, 06:12 PM
  5. SO, can you buy Windows 7 on eBay safely?
    By Jimmy Higgins in forum Miscellaneous Discussions
    Replies: 9
    Last Post: 01-06-2016, 09:03 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •