back to article US voting hardware maker's shock discovery: Security improves when you actually work with the community

Just hours after Professor Matt Blaze today discussed the state of election system security in America, one of the largest US voting machine makers stepped forward to say it's trying to improve its vulnerability research program. Election Systems and Software (ES&S), whose products include electronic ballot boxes and voter …

  1. sanmigueelbeer Silver badge
    Coat

    "Our election infrastructure is designated as critical infrastructure by the DHS

    Let the Kremlin decide if the vulnerabilities have been fixed/patched or not.

    In the meantime, someone stole me coat. WTF. Vlad, was that you?

    1. John Robson Silver badge

      critical, but inherently vulnerable, as opposed to paper versions which have had most of the kinks worked out....

      Given the delay between the election and the implementation of the result, does it really matter if it takes 36 hours to count the votes?

      Obligatory:

      Tom Scott video

      Tom Scott followup

  2. HildyJ Silver badge
    Meh

    Better late than never

    A small golf clap for them now, kudos if they follow through on this. But I've heard too many promises that never come to fruition.

    Too bad they didn't do this before the Russian interference in 2016.

    1. Yet Another Anonymous coward Silver badge

      Re: Better late than never

      Also depends if your intention is to produce a secure system or just one that secures support from the "winners"

  3. Anonymous Coward
    Anonymous Coward

    Those who count the votes

    control the result.

    1. The Man Who Fell To Earth Silver badge
      WTF?

      Re: Those who count the votes

      Which is why it's puzzling there isn't a greater push for voting software to be open source.

  4. Mike 137 Silver badge

    What he didn't say...

    Apparently no mention of improving software development standards though. I would have thought that reducing the prevalence of exploitable bugs might be a better long term strategy than simply expanding the base of folks approved for find them when it's rather late in the day.

    It seems that we have been brainwashed into accepting that software is fundamentally broken and needs constant fixing to be "secure". How about trying to get it right instead? Particularly in domains such as voting, flight and medicine, that seems to me somewhat desirable.

    1. Flywheel Silver badge

      Re: What he didn't say...

      How about trying to get it right instead?

      This costs real money. Most companies are averse to to this. This is why we can't have nice things.

    2. FatGerman

      Re: What he didn't say...

      Testing things properly is very difficult these days. Firstly its enormously time-consuming so it interferes with those 6-monthly release cycles everybody seems to love so much. Secondly you need reasonably intelligent people to do it well, but it is also frequently extremely tedious and repetitive, so intelligent people get bored and move on after a year or so. The answer is automation, but automation isn't intelligent s you still need the people to check what the automation is doing.

      The days of the 1990s, when companies I worked for didn't get to release new products until QA said they were allowed to, are long gone. The irony is that people expect frequent updates, but it's the frequent updates that cause the bugs the frequent updates are needed to fix....

      1. Yet Another Anonymous coward Silver badge

        Re: What he didn't say...

        Difficult to do continuous rollout testing for an election.

        You could decide to redo the elections every month on patch tuesday but people might object

        Best way is some sort of chaos-monkey approach where you try and inject some totally crazy inputs and see if it gets elected

        1. NiceCuppaTea

          Re: What he didn't say...

          "Best way is some sort of chaos-monkey approach where you try and inject some totally crazy inputs and see if it gets elected"

          Didnt they do that already on the last elections?

      2. John Brown (no body) Silver badge

        Re: What he didn't say...

        "The days of the 1990s, when companies I worked for didn't get to release new products until QA said they were allowed to, are long gone."

        In general, those days are still here where the application is life or safety critical. Clearly something as critical as an election should be treated the same way. If only one of the "voting machine" builders would work that way, they'd amortise the cost over the much larger market they could command for a reletivley modest increase in the sale price.

  5. Cuddles Silver badge

    A minor tense problem

    "trying to improve... will soon take... will employ... will beef up... will be able to... plans to involve... plan to use..."

    That's an awful lot of talk about what they plan to start doing at some point in the future. The next major US election is in less than three months. Sure, it's better for them to be thinking about all this than to ignore it entirely, but it really feels a little late to be announcing that they plan to start thinking about maybe improving things at some point.

  6. theOtherJT

    or...

    ...you could just not add a bunch of massive problems to the process of counting votes for absolutely no gain what so ever? I mean, paper, pencil, big clear plastic box... any of this ringing any bells? Pretty much impossible to manipulate on a bulk scale, been used successfully for hundreds of years? I mean, honestly, what does involving computers in this process improve in any way?

    1. Paul Hovnanian Silver badge

      Re: or...

      "pencil, big clear plastic box..."

      You have to get the voters to the pencil and big clear plastic box. This is a major problem in very rural voting districts on this side of the pond. In other parts of the world*, getting people past the various partisan citizens militias standing guard outside polling places is a problem.

      Vote by mail has been proposed. It's actually a pretty secure system once all the bugs have been hammered out. Tampering with it doesn't scale well for national elections. But for local districts, fraud has occurred. Particularly one of the features often added to vote by mail: The volunteer ballot collection. A local GOP election win was invalidated for exactly this reason. The volunteers were picking up ballots and either revising or throwing out ballots from know Democrat leaning voters. And now that vote by mail is a hot topic again, volunteer ballot collection is a 'feature' that now the Democrats are pushing. They either forgot the last controversy. Or they think it's now their turn to fiddle with the results.

      *Our dear mayor tried to invoke scenes of 'Federal troops invoking martial law and standing guard around polling places' come our November election day. No doubt all for the sound bite on a national radio show intended to trigger fear and doubt in the voting process. Because we have no polling places in our state (each state defines its own processes) and she damned well knows that. It's 100% vote by mail. But perhaps others don't know this.

      1. jelabarre59 Silver badge

        Re: or...

        And now that vote by mail is a hot topic again, volunteer ballot collection is a 'feature' that now the Democrats are pushing. They either forgot the last controversy. Or they think it's now their turn to fiddle with the results.

        Knowing the current state of the Democratic party, I think that's *EXACTLY* what they're aiming for.

  7. gormful

    Why don't they just remove the wifi and cell modems from the voting machines? And stop connecting the tabulators to the Internet? And stop using an opaque non-human-readable barcode as the official "paper ballot"?

    But ES&S has an entire C-suite full of rabid Trump donors, so instead they talk about "bug bounties" to stall discussing real issues until after the election.

    Or states could just choose to use hand-marked paper ballots. But that's not the way America rolls. Sad.

    1. Version 1.0 Silver badge

      Paper ballots are reasonably secure and provide a means of verifying the votes to detect any security failures after the election - America hates paper votes.

      1. John Robson Silver badge

        And allows observers from both parties (or all parties if you live in a region with an actual democracy) the opportunity to verify the count, and observe the ballots arriving at the counting facility etc...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021