WTF Community

Election Hacking Thread


Interesting Opinion piece…in NYT which discusses how a perfect technology of today - electronic voting machines, could end up being more of a problem. We face so many areas of vulnerability.

Every government is a machine, and every machine has its tinkerers — and its jams. From the start, machines have driven American democracy and, just as often, crippled it. The printing press, the telegraph, the radio, the television, the mainframe, cable TV, the internet: Each had wild-eyed boosters who promised that a machine could hold the republic together, or make it more efficient, or repair the damage caused by the last machine. Each time, this assertion would be both right and terribly wrong. But lately, it’s mainly wrong, chiefly because the rules that prevail on the internet were devised by people who fundamentally don’t believe in government.
The Constitution itself was understood by its framers as a machine, a precisely constructed instrument whose measures — its separation of powers, its checks and balances — were mechanical devices, as intricate as the gears of a clock, designed to thwart tyrants, mobs and demagogues, and to prevent the forming of factions. Once those factions began to appear, it became clear that other machines would be needed to establish stable parties. “The engine is the press,” Thomas Jefferson, an inveterate inventor, wrote in 1799.

In the spring of 2000, an article in Wired announced that the internet had already healed a divided America: “We are, as a nation, better educated, more tolerant, and more connected because of — not in spite of — the convergence of the internet and public life. Partisanship, religion, geography, race, gender, and other traditional political divisions are giving way to a new standard — wiredness — as an organizing principle for political and social attitudes.” Of all the dizzying technological boosterism in American history, from the penny press to the telegraph to the radio, no pronouncement was battier. In the years since, partisan divisions have become fully automated functions, those wires so many fetters.

The machine is no longer precisely constructed, its every action no longer measured. The machine is fix upon fix, hack after hack, its safety mechanisms sawed off. It has no brake, no fail-safe, no checks, no balances. It clatters. It thunders. It crushes the Constitution in its gears. The smell of smoke wafts out of the engine room. The machine is on fire.


Some defensive maneuvering on protecting votes in a hypothetical blocked/corrupted voting scenario. An experiment is testing the ‘system’ in a pretend way, for now.

On Thursday, Cybereason, a Boston-based cybersecurity firm, will game out an exercise that puts pretend hackers up against pretend city emergency responders to see what would happen if cybercriminals aimed to disrupt an election by keeping people from voting.

The experiment is happening without computers, however.


Why it matters: There are dozens of ways to interfere with an election without touching voting equipment, ranging from causing traffic jams to blasting air conditioning in a polling place on an already cold day. Nearly all of our attention to election security has focused on attacks Russia has already tried or on the most obvious target — the voting machines themselves. But the next wave of attacks won’t play by the rulebook we expect bad guys to use.

Tabletop exercises are group games that are sort of like a two-team Dungeons & Dragons — no computers, just paper and brains. It’s an interesting scenario to play out in your head. What needs to happen …

Voters need to know where and when to vote. A hacker could conceivably depress voter turnout by uploading false stories about polling place changes or extended hours for polls that plan to close on time.

Voters need to get to the polls. Hackers could close a major bridge, preventing people from getting to the polls. They could tie up transportation by informing bus drivers they’ve been given an extra day off.

Voters need to wait in line to cast a vote. False reports of gun violence near polling places or a nearby explosion might reduce the amount of time someone might be willing to wait.

Ross Rustici, Cybereason’s senior director of intelligence services, says the experiment likely will be harder for the pretend city team which has to anticipate and defend, but the more difficult it is now, the better prepared local and state officials may be come the midterms.


This is what an end game would be for Russian influencers. Polls do show we are caught in a unending skepticism about the validity of our upcoming elections.

What happens next…fewer voters perhaps?

I know the midterms are galvanizing many to urgently get to the polls, but the underlying mistrust of how safe our voting systems are is now at an all time low. (31%)

Significant quote
the intense focus by the media and the federal government on Russia’s election interference efforts could be eroding voters’ confidence in democratic institutions.

About 1 out of every 3 American adults thinks a foreign country is likely to change vote tallies and results in the upcoming midterm elections, according to a new NPR/Marist poll released Monday.

The finding comes even as there is no evidence Russia or any other country manipulated or tried to manipulate the vote count in 2016 or at any other point in American history.

The results give credence to what election officials have been worried about since at least the summer of 2016: that the intense focus by the media and the federal government on Russia’s election interference efforts could be eroding voters’ confidence in democratic institutions.

The U.S. intelligence community agrees Russia used a number of different strategies to influence the minds of voters leading up to the 2016 election: posing as Americans to spread false and misleading information on social media, hacking into campaign and political party servers to release narrative-shifting emails, and targeting voting infrastructure like registration databases.

But there’s been no indication any ballots were ever manipulated, as 31 percent of Americans think is likely to happen in November.


U.S. Cyber Command operation disrupted Internet access of Russian troll factory on day of 2018 midterms

The U.S. military blocked Internet access to an infamous Russian entity seeking to sow discord among Americans during the 2018 midterms, several U.S. officials said, a warning that the group’s operations against the United States are not cost-free.

The strike on the Internet Research Agency in St. Petersburg, a company underwritten by an oligarch close to President Vladi­mir Putin, was part of the first offensive cyber campaign against Russia designed to thwart attempts to interfere with a U.S. election, the officials said.

“They basically took the IRA offline,” according to one individual familiar with the matter who, like others, spoke on the condition of anonymity to discuss classified information. “They shut ‘em down.”

The operation marked the first muscle-flexing by U.S. Cyber Command, with intelligence from the National Security Agency, under new authorities it was granted by President Trump and Congress last year to bolster offensive capabilities.

Whether the impact of the St. Petersburg action will be long-lasting remains to be seen. Russia’s tactics are evolving, and some analysts were skeptical of the deterrent value on either the Russian troll factory or on Putin, who, according to U.S. intelligence officials, ordered an “influence” campaign in 2016 to undermine faith in U.S. democracy. U.S. officials have also assessed that the Internet Research Agency works on behalf of the Kremlin.


Very little has been done to shore up the election process. #FixIsIn

State election officials opt for 2020 voting machines vulnerable to hacking

The new machines still pose unacceptable risks in an election that U.S. intelligence officials expect to be a prime target for disruption by countries such as Russia and China.

The machines that Georgia, Delaware, Philadelphia and perhaps many other jurisdictions will buy before 2020 are an improvement over the totally paperless devices that have generated controversy for more than 15 years, election security experts and voting integrity advocates say. But they warn that these new machines still pose unacceptable risks in an election that U.S. intelligence officials expect to be a prime target for disruption by countries such as Russia and China.


A 23-page report is downloadable here discussing the prospect of getting accurate vote counting which is nearly impossible, including paper ballots.

It is up to the States to determine their own voting ‘platform’ and there are very few regulations nor guidance about this. In other words, nothing has changed since 2016…:anguished:


Computers, including all modern voting systems, can be hacked and misprogrammed. The scale and complexity of U.S. elections may require the use of computers to count ballots, but election integrity requires a paper-ballot voting system in which, regardless of how they are initially counted, ballots can be re- counted by hand to check whether election outcomes have been altered by buggy or hacked software. Furthermore, secure voting systems must be able to recover from any errors that might have occurred.

However, paper ballots provide no assurance unless they accurately record the vote as the voter expresses it. Voters can express their intent by hand-marking a ballot with a pen, or using a computer called a ballot-marking device (BMD), which generally has a touchscreen and assistive interfaces. Voters can make mistakes in expressing their intent in either technology, but only the BMD is also subject to systematic error from computer hacking or bugs in the process of recording the vote on paper, after the voter has expressed it. A hacked BMD can print a vote on the paper ballot that differs from what the voter expressed, or can omit a vote that the voter expressed.

It is not easy to check whether BMD output accurately reflects how one voted in every contest. Research shows that most voters do not review paper ballots printed by BMDs, even when clearly instructed to check for errors. Furthermore, most voters who do review their ballots do not check carefully enough to notice errors that would change how their votes were counted. Finally, voters who detect BMD errors before casting their ballots, can correct only their own ballots, not systematic errors, bugs, or hacking. There is no action that a voter can take to demonstrate to election officials that a BMD altered their expressed votes, and thus no way voters can help deter, detect, contain, and correct computer hacking in elections. That is, not only is it inappropriate to rely on voters to check whether BMDs alter expressed votes, it doesn’t work.

Risk-limiting audits of a trustworthy paper trail can check whether errors in tabulating the votes as recorded altered election outcomes, but there is no way to check whether errors in how BMDs record expressed votes altered election out- comes. The outcomes of elections conducted on current BMDs therefore cannot be confirmed by audits. This paper identifies two properties of voting systems, contestability and defensibility, that are necessary conditions for any audit to con- firm election outcomes. No commercially available EAC-certified BMD is contestable or defensible.

To reduce the risk that computers undetectably alter election results by printing erroneous votes on the official paper audit trail, the use of BMDs should be limited to voters who require assistive technology to vote independently.


FBI to shed some light on FL hacking…link to article inside tweet.

The briefing is in response to a request that House Representatives Stephanie Murphy, Democrat of Florida, and Michael Waltz, Republican of Florida, made in a letter to Attorney General William Barr and FBI Director Christopher Wray on May 2.

Florida’s governor and secretary of state have also said that they were unfamiliar with the 2016 hack, and have requested answers. Gov. Ron DeSantis has also requested an FBI briefing on the subject, but does not have a date set, though his office says it wants it to take place before DeSantis visits Israel on May 25.