DEF CON plans to show US election hacking is so easy kids can do it

Last year, the hackers at DEF CON showed how shockingly easy it was to crack into voting machine software and hardware. Next week, the 2018 conference's Vote Hacking Village will let kids have a shot at subverting democracy. Beginning on Friday, August 10, teams in three age ranges, 8-11, 12-14 and 15-16, will be let loose on …

  1. davenewman

    Hack the politicians?

    The only thing that will persuade the congressmen and senators to vote for better election security is to find their own sites have been hacked.

    1. Someone Else Silver badge
      FAIL

      Re: Hack the politicians?

      > The only thing that will persuade the congressmen and senators to vote for better election security is to find their own sites have been hacked.

      ...or, to find themselves out of a job because the election has been hacked. Course, by that time, it will be too late, and the replacement, who won as a result of the hack, will be unmotivated to change anything....

      Gee, I wonder how that might work in real life?

      1. Allan George Dyer

        Re: Hack the politicians?

        @Someone else - "...or, to find themselves out of a job because the election has been hacked."

        Maybe they're not worried, because last time there was an election hack, and they got in?

    2. Mark 85

      Re: Hack the politicians?

      A step further.. what if the election was hacked and they lost. Too late for those morons. But the winner certainly won't support any additional funding either.

      The 3 abstentions is strange... like either they got in due to some hanky-panky or there were some outside pressures for them not to vote. There's also the factor of the geezers-in-charge not knowing enough to make a decision.

      The best thing might just be to sit back and watch the resulting chaos from any hacking. I'm bringing popcorn and probably a nice red wine.

      1. Tom Paine

        Re: Hack the politicians?

        Popcorn, with red? *shudder* barbarians. You want a nice Sancerre mate.

    3. Tom Paine

      Re: Hack the politicians?

      ISTR that there's usually a small handful of unnoticed joke candidates on the bill - not the semi-serious third party candidates, like the EDS guy a few years back, but Lord Buckethead types. What's needed is for patriotic US hackers to take one for the team and lay themselves open to a long time in the big house by hacking the vote to show "Buckethead, L. (Captain Paxo Party)" sweeping to a landslide victory.

      Besides, they might try to respect the vote. It would certainly liven up the State of the Union address.

  2. Anonymous Coward

    It's so easy...

    Even Twitler can figure out how to pay Russians to do it for him.

  3. Kev99 Silver badge

    Of course it's easy. The idiots in Washington basically forced everyone to put everything on the internet. And everyone knows how safe & secure the internet is. Right, Macy's? How about it, Experian? You know it, Atlassian.

    1. ecofeco Silver badge
      Facepalm

      Most of the entire U.S. government.

      The list is LONG.

  4. aberglas

    The elections are supposed to be hacked

    Just not by the Russians.

    Some of the voting machines even had an explicit screen for "Adjusting" vote tallies if the election official thought they might be wrong.

    If you wanted to stop hacking of the computers, you would just get rid of them, and use auditable paper ballots, which are also cheaper.

    There is, incidentally, absolutely no evidence that the Russians "hacked" the election in any meaningful way. Putting up a few dubious Facebook ads is hardly "hacking" in the normal sense of the word.

    I blame Obama. He had the senate and congress and did nothing. He should have known that the Republicans are far, far better at hacking than the democrats. When you know you are beaten at a game, change the rules.

    1. Comments are attributed to your handle
      Facepalm

      Re: The elections are supposed to be hacked

      "I blame Obama."

      There's a fresh point of view.

    2. MiguelC Silver badge

      Re: "He had[has] the senate and congress and did nothing"

      That's Trump, not Obama.

    3. Anonymous Coward

      Re: The elections are supposed to be hacked

      > He had the senate and congress

      The senate is one half of Congress. The other half is the House of Representatives, or just the House, for short. You could just say "he has Congress" or "he has the House and the Senate." If you're an American then shame on you for not knowing this.

      And if you're a Brit, I'm guessing you probably don't say "he (or she) has the House of Lords and Parliament." Although I'd be willing to grant that these days Parliament might really only mean the House of Commons. I'm not British and I really don't know what role HoL has these days.

  5. Anonymous Coward

    Contrarianly

    It could just as easily be that the loser hacked and tried to rig elections, thought they had it in the bag, but turns out they didn't rig them well enough, and that's one reason they're so irrationally angry. Something got past the high level selection process that occurs before we peons get to choose from the pre-decided acceptable choices. Not saying it was - just sayin' it could have been. A quickly terminated investigation into some rigging in the US points to the fact it might have been when a district voted more than 100% for what turned out to be the losing side...honest mistake, I'm sure

  6. Bernard

    The Republicans are essentially being asked to vote to close off their current advantage.

    Fat chance.

    They will want better security as soon as the Chinese rig the election to make them lose and stave off a trade war.

    At that point the Democrats will be strangely less concerned about the whole issue.

    And so it goes on.

  7. Charles 9

    So it presents a dilemma. How do you clean up an election process that requires elections to clean up?

    1. 404

      From the inside. Already started.

      ;)

      1. Anonymous Coward

        Don't think so. Any churn you see on the inside is probably sanctioned and just a changing of the guard. Real change calls for fresh blood, and that has to come from the outside, where the insiders are barring all the gates.

  8. Nick Kew
    Facepalm

    The Solution

    Blighty has a foolproof solution to voting security.

    Just have none in the first place. No checks whatsoever on $person turning up to vote, nor on stuffing electoral registers. No security to break.

    1. phuzz Silver badge

      Re: The Solution

      When turnout is so low, it turns out people can't even be bothered to rig their vote.

    2. Tom Paine

      Re: The Solution

      The UK system works amazingly (if you don't think about it) well. There were 27 allegations of voter impersonation last year.

      There are attacks on our pencil-and-paper, human tabulators system, but they don't scale. Electronic voting is now and always has been a barmy idea, as those who remember the Diebold Wars of 15-20 years ago will remember.

      1. Charles 9

        Re: The Solution

        They don't scale except when it comes to national-scale political parties. They're the only groups large enough to go everywhere.

  9. nuked
    Holmes

    Standard democracy

  10. tom dial Silver badge

    There is no "national democratic infrastructure" for US elections. Anyone who thinks there is, is simply wrong. There is a hodgepodge of 50 state secretaries of state, hundreds of county or other regional boards of election, and probably several dozen commercial vendors of equipment and software used to record and count votes, record voter registrations and maintain voter registration information, and assist in management of election day precinct operations. Some of the software involved might well have been developed by state or local government IT personnel with varying skills operating under management of varying quality. The 51 top-level election officials (assuming the District of Columbia, although not a state, also has one) vary in their management skills and understanding of the IT and other issues involved, may or may not have capable advice from their staffs, and may just possibly be affected by political considerations, since the great majority of them are statewide elected officials.

    The time for panic, as well as the time for providing resources to firm up security of this rather messy infrastructure, so called, is long past. At this point, three months before election day, it is too late to make more than minor changes to either the equipment and software or the procedures to be used for the upcoming election. All in all, it is a bit of a mess.

    The good news, if any, is that in many places, perhaps most, no more than minor changes are necessary to ensure relatively smooth operation, and there probably is time to make them without a lot of additional public expense. For instance:

    Isolate registration data to be used for official purposes from the Internet as much as possible; back it up early and often, not to the cloud; and guard it well. Use printed copies for precinct level voter verification (essentially eliminating the risk that programs used for the purpose are corrupted).

    Monitor Internet connected services for unauthorized activity. Solicit, and hopefully obtain, monitoring by the federal government to augment local monitoring.

    Insist on hand or courier delivery of firmware/software updates for equipment used in connection with election operations, and on appropriate checksums, manually verified after delivery by election officials representing several political parties.

    Control and establish a manual audit trail of all access to equipment and software used in election management and operations. As a minimum requirement, cover access ports with serial numbered seals that cannot be removed without destruction whenever they are not in use, and maintain a manual paper audit record of the serial numbers used for each system, either by or witnessed by several officials not all of whom are of the same political party. Removal and replacement of seals for authorized port access to be similarly witnessed and placement of new seals similarly recorded with each access to a port. Optionally, dispense with such seals and disable ports not required for operation or maintenance by relatively permanent means like filling them with epoxy filler.

    Double down on warnings to all election personnel about social engineering (and hope against the available evidence that they pay attention and act appropriately).

    None of these is very costly to implement and many of them probably already are used in various places. Collectively, they would go quite a ways toward mitigating the undeniable vulnerabilities of existing election systems. For now, discussion of major changes to election systems, and provision of the necessary funding, should be directed at the election cycle of 2020, which begins in under two years.

    1. Tom Paine

      Yes, but they're not doing that. Any of it. That's the problem (and the story.)
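
An added example, not part of any comment in this thread and not code from any election vendor: one way to carry out tom dial's recommendation that checksums for hand-delivered firmware be verified by officials from several parties. The function names, the two-party threshold and the sample image bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    official: str    # who typed the digest in
    party: str       # that official's party affiliation
    digest_hex: str  # SHA-256 as transcribed from the vendor's printed sheet

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def normalise(digest_hex: str) -> str:
    # Hand transcription adds spaces, colons, dashes and mixed case.
    return "".join(digest_hex.split()).replace(":", "").replace("-", "").lower()

def verify_update(image: bytes, attestations, min_parties: int = 2):
    """Return (accepted, problems). Any mismatch or a one-party sign-off rejects."""
    actual = sha256_hex(image)
    parties, problems = set(), []
    for a in attestations:
        claimed = normalise(a.digest_hex)
        if len(claimed) != 64 or any(c not in string.hexdigits for c in claimed):
            problems.append(f"{a.official}: not a 64-character hex SHA-256")
        elif not hmac.compare_digest(claimed, actual):
            problems.append(f"{a.official}: digest differs from delivered image")
        else:
            parties.add(a.party)
    if len(parties) < min_parties:
        problems.append(f"only {len(parties)} party/parties confirmed, need {min_parties}")
    return (not problems, problems)

# Constructed sample data: stand-in image bytes and the digest "printed" for them.
SAMPLE_IMAGE = b"CONSTRUCTED-FIRMWARE-IMAGE v1"
PRINTED = sha256_hex(SAMPLE_IMAGE)

def spaced(hex_digest: str) -> str:
    # Mimic a sheet printed in upper-case groups of four.
    return " ".join(hex_digest[i:i + 4] for i in range(0, 64, 4)).upper()

WITNESSES = [
    Attestation("Official A", "Party X", spaced(PRINTED)),
    Attestation("Official B", "Party Y", PRINTED),
]

if __name__ == "__main__":
    print(verify_update(SAMPLE_IMAGE, WITNESSES))            # accepted
    print(verify_update(SAMPLE_IMAGE + b"\x00", WITNESSES))  # altered image rejected
```

A single disagreeing official rejects the update outright, so a discrepancy stops the installation instead of being outvoted.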

  11. Milton

    "... the Republican caucus in Congress shot down an amendment ... that would have allocated $250m to US states to be used for hardening election systems against attack."

    Bizarre, non? If the known multitude of attempts, principally by Russia, to swing US elections had been aimed at helping the Democrats instead of the Republicans, do you suppose these cretins would have voted differently?

    And have they ever scraped up enough of their dregs of conscience to wonder why Vladimir Putin's Russia, America's most dangerous and consistent enemy, is in favour of a Republican president and Republican candidates?

    Beyond all the nonsense about "No collusion" that's now weaselled into "Even if we colluded, it isn't a crime", is it possible that even someone as stupid as Trump hasn't asked himself why an enemy state would like to see him as president? (Yes, the question may be inflammatory: but it's based on facts and principals' statements, of impeccable public record.)

    —"... for if it prosper, none dare call it treason"

  12. Martin Gregorie

    As an outsider to the US election system...

    ... the thing that seems oddest is the attitude of the American voter.

    Judging from posts here and on comp.risks it appears that the average US voter is commendably keen to do his civic duty and vote but, having voted, has not the slightest interest in what happens after that: he's done his bit for Democracy, so vote counting, verification and associated security is not his job, and hence of no interest whatever. If this impression is wrong, why is there no pressure within the US for securing their voting systems?

    Voters in other countries seem much more concerned about the security of the ballot system and the way it's operated. There must be an explanation for this, but I'm damned if I can see one.

    1. Anonymous Coward

      Re: As an outsider to the US election system...

      well, it's not a Democracy, it's a democratically (voting) elected Republic, but that doesn't matter.

      All elections above local (and some local) are rigged, both by controlling who runs for office (by black listing people from media coverage - pay for an advertisement and with the same payment keep your opponent from advertising with that source) and election fraud (voting systems, counting). It's not a who will we pick, it's what two are picked that the criminals/shadow government, corporations want. They don't care which one of the two you vote for, as they wouldn't be on the ballot unless they were both in the pocket.

      1. Charles 9

        Re: As an outsider to the US election system...

        How do they control, though, for rich rogue outsiders like Ross Perot who can finance a campaign single-handedly, even to the point of outbidding parties for airtime?

  13. Tom Paine

    SUBS!

    Typo

    "...At this point we wouldn't even know if we were being hackled."

    (Or IS it? Perhaps that's what they WANT us to believe.... sorry, it's been a very hot day, brain needs a nice refreshing Friday night beer bath. Picture R2D2 and C3PO's oil bath on Tatooine, but with hops)

    1. onefang
      Coat

      Re: SUBS!

      "...At this point we wouldn't even know if we were being heckled."

      Is probably what was meant.

  14. Anonymous Coward

    Real voter fraud

    With crap like this going on: https://freebeacon.com/issues/city-alexandria-stonewalling-investigation-illegally-registered-voters/

    Russia spending money with targeted ads or people hacking around the edges is laughable in comparison.

    And before anyone just dismisses that story above, note that they only caught the numbers they did because people fessed to not being citizens when they renewed their licenses!! In other words these are only the really stupid people that got caught; never mind the people actively working against getting caught. Not that it's hard to do since everything is laughably based on the honor system. For something that's so important we should be freaked out over hackers? Give me a break.

  15. Old one

    All bull until real voter ID

    It doesn't matter what hacking is done until PHOTO voter ID is universal just like India and Mexico. Bus loads of voters can be moved from location to location and totally screw real honest voting results. Tuesday night results can be challenged with ease but actual votes at individual polling locations are much harder to dispute unless people are stupid enough to openly admit double voting.

    If these kids can find the issues then have the Sec of State for each state put bounties out for rewards on each state's systems. Probably cost a lot less than the $250M.

    1. DCFusor

      Re: All bull until real voter ID

      Another old one here. The thing is, there's a particular side of the false-dichotomy partisan business that benefits from illegals voting, and they are dead set against voter ID (not that you can live life without one anyway, at least easily) claiming it discriminates...against who I'm not sure other than illegals and people so dumb we should probably not allow them to vote anyway.

      Pretty hard to have a bank account, drive, or do much of anything with any tie to money or legality - make a contract - without a good ID. Yet somehow those who don't have one are good to vote.

      The cognitive dissonance is strong with anti-ID people. Or they are dishonest. Both?

      1. Charles 9

        Re: All bull until real voter ID

        It's simple. The anti-ID people counter with two words: "Papers, Please!" The basic problem is that it's a dual-use part-and-parcel problem. The very thing you need to prove your identity for such things as voting and benefits can also (and inseparably) be used to prove your identity against your will when (not if) the State should turn against you.

        IOW, the biggest risk about the ability to be identified...is the ability to be identified.

      2. strum

        Re: All bull until real voter ID

        >Pretty hard to have a bank account, drive, or do much of anything with any tie to money or legality - make a contract - without a good ID.

        None of these are a right. Voting is a right.

  16. Anonymous Coward

    Apparently you Brits don't know how it works here.

    "On Wednesday, the Republican caucus in Congress shot down an amendment to an appropriations bill proposed by Senator Patrick Leahy (D-VT) that would have allocated $250m to US states to be used for hardening election systems against attack."

    If the $250M did get approved, they'd blow it on a massive program to overhaul election security that eventually balloons to $5B and then accomplishes exactly nothing useful. Meanwhile, our national security apparatus detects hacking of US elections systems by North Korea, Russia, China, and Syria. After numerous warnings and bludgeoning the UN Security Council into compliance, we'll be forced to stage a "shock and awe" invasion and regime change mission in New Zealand.

    1. DCFusor

      Re: Apparently you Brits don't know how it works here.

      +100 "funny" or was that "sad but true, and long experience proves it"?

    2. onefang

      Re: Apparently you Brits don't know how it works here.

      ' we'll be forced to stage a "shock and awe" invasion and regime change mission in New Zealand.'

      But but .. I kinda like the current New Zealand government.

  17. Androgynous Cupboard Silver badge

    Hmm

    "DEFCON ... is expected to pull in tens of thousands of the hackers and infosec researchers on the planet."

    Somehow I imagine foreign attendees will be a little thinner on the ground than previous years.

  18. EnviableOne
    Childcatcher

    Creating Voter Apathy Early

    By putting the Youngsters to this task, they are just going to get apathy early and breed a generation of "why vote, what's the point, someone will hack it anyway"

    None of this inspiring American Dream Rhetoric.

    The whole hanging chad problem led to the push for electronic voting, but what's more simple than putting a cross in a box with a pencil?
