11-Year-Old Changes Election Results On Florida's Website: Defcon 2018 (pbs.org) 202
UnknowingFool writes: At this year's DEFCON, a group of 50 children aged 8 to 16 participated in a hack of 13 imitation election websites. One 11-year-old boy changed the voting results in 10 minutes. A 11 year-old-girl was also able to change the voting results in 30 minutes. Overall, more than 30 of the 50 children were able to hack the websites in some form. The so-called "DEFCON Voting Machine Hacking Village" allowed kids the chance to manipulate vote tallies, party names, candidate names and vote count totals. The 11-year-old girl was able to triple the number of votes found on the website in under 15 minutes.
The National Association of Secretaries of State said in a statement that it is "ready to work with civic-minded members of the DEFCON community wanting to become part of a proactive team effort to secure our elections." But the organization expressed skepticism over the hackers' abilities to access the actual state websites. "It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols," it read. "While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results."
The National Association of Secretaries of State said in a statement that it is "ready to work with civic-minded members of the DEFCON community wanting to become part of a proactive team effort to secure our elections." But the organization expressed skepticism over the hackers' abilities to access the actual state websites. "It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols," it read. "While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results."
Misleading Title (Score:5, Insightful)
should actually be:
Re: (Score:3, Informative)
Also, on the SD-cards pulled from the machines, they found usernames and passwords in plaintext.
Re: Misleading Everything (Score:1)
Disclosure: My Wife was/is part of the organization team so Im posting as AC for this one. The whole thing was a publicity stunt and you shouldn't believe too much of what you read
They kids did not use any type of SQL injection, it was part of the propaganda plan but too complex in execution for the kids. The only way to make it work was an obvious setup which they wanted to try and keep away from. The SD cards (which are normally locked away in the cabinet and not accessible) were similar in structure to a
Re: (Score:2, Insightful)
Likely it is something like that. However, there is NO reason at all, none, not a single reason in the universe, to have any form of automated vote counting. To have electronic voting. To have mechanized voting. I mean, what the flying fuck.... you get a card, you mark an X on it, and you're done.
Here we have representatives from each party, at each voting site, counting the vote together. And we have up to 6 or 7 legitimate parties, even in Federal elections! There is no benefit for mechanized or ele
Re: (Score:2)
I agree.... but just because it's not hard to do, and doesn't even take very long doesn't mean that it's not a reason.
There is a difference between not having any reason and not having any g
Re: Misleading Title (Score:1)
"Hand counting each and every one of those is infeasible."
Yet hand counting was exactly the way it was done for well over two hundred years.
Re: Misleading Title (Score:2)
Solution is three-fold [Re:Misleading Title] (Score:2)
That's just not true in the US. Here a typical ballot may consistent of a hundred different races. Ballot initiatives, sheriff's races, county commissioners, mayor, treasurer, judges, state reps, etc. It adds up. Hand counting each and every one of those is infeasible. The solution is two fold:
...
No, you missed a third solution: don't put so much stuff on the ballot.
Having a hundred different things on the ballot does not make democracy more democratic, it makes democracy work less effectively. Voters aren't paid; there is zero chance that any substantial fraction will do the work required to analyze a hundred different races.
Ballots with a hundred issues and races is the voting equivalent of micromanagement.
Re: Solution is three-fold [Re:Misleading Title] (Score:2)
You make it sound like all these different ballots are only put there to frustrate the voter; they are there as required by law and because that is the point of voting. Barring the national election races, each state, county, city has their own elections of officials. That doesn't include any special districts the voter may reside. Now, to simplify the ballot, there could be multiple separate elections but that require organization and cost by the local authorities. The other thing that you are ignoring is
Re: (Score:2)
You make it sound like all these different ballots are only put there to frustrate the voter;
No, I'm sure that frustrating the voters is not the purpose, merely an unintended side effect.
they are there as required by law and because that is the point of voting. Barring the national election races, each state, county, city has their own elections of officials. That doesn't include any special districts the voter may reside. Now, to simplify the ballot, there could be multiple separate elections but that require organization and cost by the local authorities. The other thing that you are ignoring is that no one is required to vote on all the ballot measures. Some people vote on the elections they care about and ignore the rest. The vote is only counted as long one ballot is filled.
Uh, did you actually just tell me that democracy works fine if most people didn't bother to vote for most of the elections because it's too hard?
You do realize that what this means is that special interest groups-- for whom the minor issue and "unimportant" candidates are important-- dominate the results.
Re: Solution is three-fold [Re:Misleading Title] (Score:2)
Re: (Score:2)
No what I said exactly is how you propose to "simplify" the elections other than not present the voter with all the ballots that are required by law?
Make different laws.
Humans in the loop (Score:2)
Of course there is no need for machine voting. Time that is required to count the votes is relatively short, even if it takes a day. Computers should only be used to verify the human performed count.
The opposite works slightly better: humans used to verify the machine-performed count.
It works better because if there is a flaw, I would want to see humans in the loop doing the final count.
Re: (Score:2)
This. Exactly.
I would argue that you don't even need this... counting is not difficult, and if you have at least two people counting the same ballots, then you've got redundancy that can often catch errors by even a single vote. If there are discrepancie
Re:Misleading Title (Score:5, Interesting)
Which is normally how security demos work, because hacking the real site would be illegal.
The point here is that those sites are vulnerable to literal script kiddie attacks. While the government tries to hand wave it away as just an attack on a site showing preliminary results and correctly points out that such a site would not be used to make the official determination of who won, that's missing the point.
These days such a hack would spawn a brand new QAnon-style conspiracy theory, pushed on social media by the same people did the hack. It would further erode trust in the electoral system, which leads to lower turnout next time. It makes the whole process look like some dictatorship doing a bad job of rigging the votes.
Re: (Score:1)
No, the sites aren't even replicas of the actual vote records and tallies, they are replicas of the systems used to display the results.
Which, unsurprisingly, would exist even if voting was done on paper.
Re: (Score:2)
It may be going too far to claim them to be 'replicas' and more like 'mockups of something that vaguely resembles the actual site'.
At least, that is the claim of the government. Meaning one of: the government helped and admits their mockups aren't reflective of the genuine implementation, the government had nothing to do with it and thus the organizers were just making a mockup, or the government is lying.
Given the age range, and the overwhelming success, but no 'the sky is falling' prior to the exercise d
Misleading Analysis (Score:1)
Hacking the displayed info is a legit issue. Its a sign that the rest of the infrastructure is likely to be similarly poorly defended. One-off systems — like tabulation and voter registration — are inherently more fragile than mass-market systems that have had hundreds millions of hours worth of real world deployment to work the bugs out.
If they can't secure the most basic stuff, the stuff that everybody knows how to secure because its all common building blocks that have been vetted in hundr
Re: (Score:2)
Sure, but that's not what they did here. They made a faked mock-up designed to look similar to the actual site in the resulting html. That's where the resemblance to the real State website ended. The didn't replicate the architecture of the actual sites, it was basically a "If you do this, this happens" demo, then they let the kids play around with what they'd shown them in the demo environment.
Re: (Score:1)
Re: (Score:2)
When I first read this, I tried to figure out which party was which. Then I realized it doesn't matter. Great quote.
Re: (Score:2)
True that.
Challenge from National Association (Score:2)
The response from The National Association of Secretaries of State was:
"While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results."
I hate to say it, but that sure sounds like they just issued a challenge.
Re: (Score:1)
Nobody would click on the honest title.
Re: (Score:3, Insightful)
The sad part of this narrative is that you take something that is factually correct and should be used to beat the guilty party into submission to paint an innocent party.
Yes, what was done to police force in UK is fucking horrifying. But it wasn't the media that did it. At most, it is complicit, but the main act was by someone else. It was the government, driven by anti-Western ideologues that its university are now producing. Read the 1998 McPherson report. It literally states that it has found no evidenc
Re: (Score:2)
I have never, not even once suggested that McPherson was a progressive. There's a reason why there's "and" separator between "McPherson" and "his progressive cronies".
Notably, you acted in the very similar way to what was in that report. You condemn me based on something I have never done.
Re: (Score:3)
I think you'll find that stupidity is a fully bipartisan thing.
Re: (Score:2)
https://www.youtube.com/result... [youtube.com]
youre even lazier than ever
Re: (Score:1, Troll)
Government agencies from San Francisco to Stockholm to Berlin to London have had issues and have covered it up. Not all the rape and crime issues are the same. It's the silencing of reporting that counts.
https://sanfrancisco.cbslocal.... [cbslocal.com]
https://www.washingtonpost.com... [washingtonpost.com]
https://www.inde [independent.co.uk]
Re: (Score:1)
Re: (Score:1)
Also, modding me offtopic but not the also offtopic comment I was replying to... I guess it's the right that takes the 'most butthurt by fafalone's unending disdain of both right and left' award today, though maybe this comment will get the center good and pissed too.
Re: (Score:2)
Keeping in mind that a regular, or garden-variety centrist is one who believes that solutions to problems that provide the greatest good for the greatest number,
Centrists are people who believe in a balance of social equality/justice and hierarchy. Supporting things that produce the greatest good for the greatest number of people only goes so far as to not do serious harm to or seriously disadvantage anyone.
For example, taking strident voices and shooting them would be a step too far for centrists... I know you are only joking but it seemed like a good example.
What you want is utilitarianism.
Re: (Score:2)
I bagged 5 with the national guard at Kent state. Nothing like Hippie honey...
Odorous.
Re: (Score:2)
FWIW - I'm somewhat amused to discover that mods have so far twice chosen to mod the above -1 Offtopic.
I was expecting +1 Funny - but then I realized I should not have placed that much faith in the perspicacity and sense of the absurd in moderators here. After all, this is Slashdot, where humor apparently has no place in discussions of politics ...
Re: (Score:2)
think you just about covered everyone on earth. you must be a xenophobic alien. i guess still better than an illegal alien.
We need a visible and unambiguous hack to occur (Score:3)
Something like Bill Gates winning a House of Representatives seat for which he didn't stand with 100% of the vote. Until something that visible occurs, this will remain a phony war.
Hack an election with paper trail (Score:4, Interesting)
OR.... hack an election with the paper audit trail type voting machines, then challenge the result. The recount of the paper trail vs the machine will show the fraudulent nature of the machine count.
If you look at the current state of voting machine, you'll been dismayed. Pennsylvania still has paperless voting machines, it still cannot verify the election result and its not the only state to get unexpected voting results.
https://www.buzzfeednews.com/article/kevincollier/the-voting-machines-in-pennsylvanias-18th-dont-leave-a
The only fix for that is to show how the paper trail reveals the fraud, then block the use of these Fisher Price voting machines in court so trustable paper voting can be used.
Re: (Score:1)
To be effective, the hack has to be totally plausible, then totally confirmed to be fake.
A voting machine that adds 'Bill Gates" to the roll, would immediately be noticed and blocked. And people would pat themselves on the back that they'd caught this error, and so would catch any future error..... it would *encourage* their complacency if anything.
On other other hand, one where a voter wins with 1% more of the vote, and everything *appears* fine and in order, and they're all patting themselves on the back
Re: (Score:2)
We can make election machines verifiable; it requires some strict integrity protocols. You have no integrity if you don't have public observers and known-good ballot boxes.
Today, we have black-box EVMs and poor public understanding of elections security, which has lead to people rushing back to paper ballots without even fully protecting paper ballot integrity. If you had proper handling procedures, you would start with known-good software images for EVMs (yes, that means those images are public, publi
Re:We need a visible and unambiguous hack to occur (Score:4, Insightful)
And why would I do that when I could make Senator A president, become a billionaire in the process and get perpetual legal immunity? It sure beats being hunted down by every three-letter-agency in the US for showing that the emperor has no clothes and then spending the rest of my life in the worst kind of prison in an attempt to not only have the world forget me but also to send a message to everyone who'd dare to repeat my stunt.
Re: (Score:2, Informative)
Hey..., wait... did you already do that?
Re: (Score:1, Insightful)
Try looking at the videos of Trump's election campaign speeches to see the size of the crowds that attended, versus the size of the crowds that attended Clinton's campaign speeches. Notice something? Trump had about FIVE TIMES as many people at his events. Why is that? Because you're an idiot who believes everything the media tells you, and you actually believe that Clinton had 50% of the population supporting her - she clearly did not - as proved by the best evidence possible - the number of people who att
Re: (Score:1)
They don't really. Without some kind of conspiracy, they have no practical way to get to the polls. That mom with 6 kids on welfare would need to find a babysitter. That homeless guy would need to hitchhike to the polls, and then once he got there jump through all the residency and voter registration hoops. Illegal immigrants: also not registered to vote, generally. Gangbangers were generally against Clinton because she called them "superpreditors" in 1996.
If you don't believe me, try being an electi
Re: (Score:2)
Re: (Score:1)
i guess none of them bothered to go to the smallest inauguration ever captured on tape then.
I didn't go for two reasons. 1. I have a job and it would have required two to three days off to get there. 2. I knew the protestors would be out in force and I don't have time for that crap or want to risk it in DC where I cannot legally carry.
I suspect that the difference from the previous Jan 20'th form 4 years previous was FRIDAY vrs SUNDAY.
Re: (Score:1)
Why don't all American hackers get together to hack the election and get some ridiculous clown elected as president...
Why? They didn't need to; Hillary came along. (I don't know anybody that voted for Trump... but there sure as fuck were a lot of legitimate votes against "Cankles McKlanswoman.")
Re: (Score:1)
Re: (Score:2)
Yep. Nevertheless, the article cited [arstechnica.com] shows some pretty shocking stuff:
"We've looked at poor voting security in the state previously. In 2017, a report by a Georgian security researcher revealed a shocking lack [arstechnica.com] of security throughout the state's voting system. Later that year, we discovered that servers that were thought to be key evidence for the same federal lawsuit that has led to this week's news were wiped, then repeatedly degaussed [arstechnica.com]."
I'm a little disturbed that in response to a federal lawsuit
Finally (Score:3)
”The 11-year-old girl was able to triple the number of votes found on the website in under 15 minutes.”
At last we know who to blame regarding the elephants in Africa!
A Replica ? (Score:1)
Re: (Score:3)
Contributing to the delinquency of a minor, such as encouraging them to hack the real page, would be a crime. Suggestions?
Re: (Score:2)
Contributing to the delinquency of a minor, such as encouraging them to hack the real page, would be a crime. Suggestions?
Seems to me that persuading a kid to challenge authority would be sufficient evidence in most courts of contributing to delinquency; the actual hacking attempt would just be symptomatic.
Re: (Score:2)
It would be enough that the courts and prosecutor would WANT to find you guilty, but they'd still be stretching.
Mission Accomplished (Score:3)
"They need to be able to hack into the real site"
https://www.reuters.com/article/us-usa-election-security/u-s-senator-says-russians-have-penetrated-florida-election-systems-tampa-bay-times-idUSKBN1KU003
Re: Of course it could change actual votes (Score:1)
If the polls don't close until 8, they often publish preliminary results before the polls close.
Re: (Score:2)
If the polls don't close until 8, they often publish preliminary results before the polls close.
No, news media could publish exit poll results, but actual voting results--even preliminary results--aren't released until polls close. (And reputable news sources don't even publish exit poll results until the polls close.).
But... if you can hack into the election website, it doesn't matter that the people running the website don't release results until the polls close, because they're not running the website. So you could publish anything you want any time you want.
Re: (Score:2)
No, news media could publish exit poll results, but actual voting results--even preliminary results--aren't released until polls close. (And reputable news sources don't even publish exit poll results until the polls close.).
All news media publish results as soon as they are available, and for national elections in the US that usually means three hours before the west coast polls close, and 6 hours before Hawaii's.
I recall hearing exit poll results in the early afternoon here on the west coast, but certainly by 5PM the news is full of them. In case you're going to try handwaving away that as just "exit polls", then remember that exit polls are considered significant enough that some people will cry "fraud" if the exit polls s
Re: (Score:2)
I'm sorry we are talking about different things.
In your example, you state that Dixville Notch publishes their results immediately after their polls close. That is echoing exactly what I said. They don't publish "preliminary" results before the polls close; they wait until the polls close and publish their results.
Other polls in other places may still be open, yes.
Re: (Score:2)
That is echoing exactly what I said. They don't publish "preliminary" results before the polls close; they wait until the polls close and publish their results.
They wait until THEIR polls close, yes. But the polls for almost every other place in their state, and in every other state in the Union, are still open. You said "the polls", not "their polls", and "the polls" are still open for the same election everywhere else.
Other polls in other places may still be open, yes.
Then "the polls" are not closed. It's the same damn election, voting for the same damn people. Trying to differentiate that THEIR polls are closed so it is just fine to publish the results when all the other polls are still open is ignoring the pro
Re: (Score:2)
Damn, now they have 11-year-old sleepers! (Score:5, Funny)
"One 11-year-old boy changed the voting results in 10 minutes. A 11 year-old-girl was also able to change the voting results in 30 minutes".
But is he Russian?
That's all that matters.
Re: (Score:1)
To be honest when I go vote I can change the voting results in less than 1 second. I put my paper ballot in, and voila, the results are changed!
Not sure if that counts as "hacking" but hey, I'm a logician.
Re: (Score:2)
If you look at todays definition of hacking, youre the leet.
Re: (Score:3, Informative)
Nonsense. What matters is that the boy and the girl both got the same pay for the hack.
Re: (Score:2)
But is he Russian?
According to Fire Marshall Bill [senate.gov], it was Nate Romanoff, an 11 year old transgendered Russian ballet dancer and trained assassin...
Re: (Score:2)
RT shows these claims including a child from this contest saying much the same thing [youtube.com]. This doesn't legitimate the ongoing Russiagate accusations but it helps to further other ends.
how about (Score:2)
How about you do your f*cking job and secure our elections, or you get fired and/or imprisoned?
Relevant (Score:3, Informative)
Re: (Score:3)
Also relevant: https://xkcd.com/932/ [xkcd.com]
Minor Issue (Score:2)
Minors are taking suffrage into their own hands, I see.
Short sighted (Score:3)
Apparently manipulation what is being reported on election night isn't a big deal? What if for example seeing "Candidate A declared a projected winner by all stations" causes people planning to vote for the opponent to simply stay home thinking the election has already been decided?
Re: (Score:1)
That's not how election night (or general post-election) coverage works.
First, election websites only show what polling locations report AFTER the polling locations are closed. All polling locations in a locality close at the same time (unless they stay open later for long lines, etc.) and then begin tallying and reporting to the election authorities. As the election authorities receive and validate results after the closure of all polling locations, they update the website. [Source: my best friend is an of
Re: (Score:2)
First, election websites only show what polling locations report AFTER the polling locations are closed. All polling locations in a locality close at the same time (unless they stay open later for long lines, etc.) and then begin tallying and reporting to the election authorities.
Unless, of course, the "locality" is "the entire US". I have seen no issues claimed or reported with local elections producing early results, simply because local election boards understand the issue and have all their polling places close at the same time.
The issue only comes up during US Presidential elections, where the local polling places span 7 time zones. And each media outlet is anxious to get street cred by announcing the right projected winner.
Second, all (legitimate) news outlets refrain from projecting/declaring a winner until after all polls related to that election are closed to prevent this very thing.
I'm so glad that you thought enough about the issue t
Re: (Score:2)
Isn't this what happened with the primaries?
Re: (Score:2)
planning to vote for the opponent to simply stay home thinking the election has already been decided
OH -- you mean for national elections, not local. Yeah, Hawaii's always been screwed with that. Hours before their polls even close "the election's already been decided" by the mainland, and has been that way for years (decades.) I wonder why they bother to vote at all.
Until ALL polling stations close the shouldn't report early results or guestimates. That wouldn't fly though, all the newscasters would all have heads, bladders, or lungs exploded by then from them holding it in for so long
HEY, WAIT..
Re: (Score:1)
That doesn't work. Since I live in New York and it was decided for Clinton months before the election, I voted for Trump so you couldn't blame me. Didn't turn out well.
Come to think of it, there was no scenario where the election could have turned out well.
quite a summary (Score:5, Informative)
11 year old changes election results! ... er no, news about results posted to a website ... er, no, not an actual website, a fake one ...
Sheesh. I can always count on /.
Re: (Score:2)
Yeah, as far as I can tell, this was an election themed kids hacking competition, designed for them to be able to succeed in large numbers.
Old, sad news (Score:1)
It beggers all belief to think that a tool so simply accessed is not utilized.
Re: (Score:2)
A perfect illustration of people who despite all evidence to the contrary. begger the imagination.
These comments all miss the point (Score:2)
Why is our sexist bias such that young women are not competitive in this sort of activity?
So much slower than the young men! Sad!!
West Virginia (Score:2)
You're forgetting West Virginia that is allowing online voting with your smartphone. https://www.wired.com/story/sm... [wired.com]
Unofficial results matter (Score:2)
While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.
While the preliminary results are by definition not final and not official, they do matter. What people *think* the results are can lead to riots. If the preliminary results are radically different than the final results, people lose confidence in the election process. If results (accurate or not) are published prior to the polls closing, people supporting the "winning" candidate may opt not to vote at the last minute, whereas those in support of the "losing" candidate may rush to the polls.
Re: (Score:2)
What people *think* the results are can lead to riots.
Pretty sad. With a 51 to 49% result (whichever way you think it went), the losing side should just shrug and say "That's the way it goes." It's not like a despot with a few percent of the population backing him (her) got into office.
This country is built on the principle of individual liberty. Someone got elected you don't like? Big deal. Just carry on and things will be OK. If you really are so dependent on a mommy state to care for you, there's always the Soviet Union ..... or maybe not.
Re: (Score:1)
Great job, /. (Score:1)
Fake news. Misleading title, bullshit story that doesn't really mean what they pretend it does to get clicks. Things have kinda slid downhill around here.