Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

[HOLA]

it's no conspiracy, remote software is for convenience, if it werent for remote software, I'de be driving to an office everyday..... F that.

I could have sworn I posted about open source voting software way back, and warroomers were all opposed to that, so what exactly is the solution to this?

Maybe not, but them lying about it isn't a confidence booster.

Senator Warner, one of the leaders of the Senate Intel was just speaking yesterday about the possibility that voter registrations were deleted in a targeted way. Now this.

 

[Headkicktoleg]

it's no conspiracy, remote software is for convenience, if it werent for remote software, I'de be driving to an office everyday..... F that.

I could have sworn I posted about open source voting software way back, and warroomers were all opposed to that, so what exactly is the solution to this?

I would say they should not be on any network. Remote software is awesome and I'm sitting at home because of it, but voting machines should be far more secure than that. I would think at a minimum it should be off network and have a locked removable drive that is placed into a central machine at the voting site to be tallied.

 

[sub_thug]

Fortunately, this was back in 2006. We have since learned that remote access software is a horrible idea for most machines, and the service is generally disabled as part of a standard deployment on a network. Our collective network security has gotten much better over the last 10 years, although our application security is still far from where it needs to be. Sherdog itself is a pen tester's wet dream.

 

[Falsedawn]

Fortunately, this was back in 2006. We have since learned that remote access software is a horrible idea for most machines, and the service is generally disabled as part of a standard deployment on a network. Our collective network security has gotten much better over the last 10 years, although our application security is still far from where it needs to be. Sherdog itself is a pen tester's wet dream.

The compromising of pcanywhere happened in 2006, they didn't disclose it until 6 years later.

This particular issue with the systems is actually ongoing due to their duplicity on the subject. I don't even trust that they stopped in 2006, much less that they maintained the systems (or removed the software) after the source disclosure in 2012.

Basically you have a bad situation that's evolved into a critical situation due to dishonesty. I'd be shocked if this didn't trigger an outright congressional inquiry.

 

[Cubo de Sangre]

Been against these from the beginning. Shocking how short-sighted most people seem to be. But hey, they must know it's just me being paranoid or something.

 

[sub_thug]

The compromising of pcanywhere happened in 2006, they didn't disclose it until 6 years later.

This particular issue with the systems is actually ongoing due to their duplicity on the subject. I don't even trust that they stopped in 2006, much less that they maintained the systems (or removed the software) after the source disclosure in 2012.

Basically you have a bad situation that's evolved into a critical situation due to dishonesty. I'd be shocked if this didn't trigger an outright congressional inquiry.

Private contractors never have an interest in fessing up because it affects their past performance ratings for getting new government contracts. My wife does government contracting work for a living, and the stories she tells me would blow your socks off. This game is ridiculously dirty, and the government has no idea how to solve the problem (or even where to start). This particular issue is made even more complicated by the fact that states run the elections, so normal entities that would be responsible for the defense of those networks (DHS, USCYBERCOM, the NSA) are out due to legalities surrounding federalism and conflict of interests.

The congressional inquiries are getting funny at this point. When Zuckerburg testified to Congress, it was a riot. It was a young billionaire explaining how the internet worked to a bunch of old people who clearly weren't following him, haha. I get that "cyber" is the hot new buzzword, and if you throw it front of another word, it makes it sound spicy ("cyberwar," "cyberterrorism," "cybercrime"), but 90% of the people using those words don't really have any idea on what they mean. Even people in the tech industry don't fully get them. I do a little pen testing for fun and as a side gig to make some extra money (getting that independent contractor money, playboy), partly because it's cool and partly to develop an additional skill because the skills of a retired Army Green Beret aren't exactly in demand in corporate America. The point is that I don't do this full-time, so I'm not at the top of the field. Well, I was talking to the CTO of my wife's company at a party, and he's clearly been removed from the technical side of the game for a while. The guy probably couldn't even tell you what a CVE number meant, and I think he was legitimately embarrassed that I knew more about this stuff than he did. These IT Managers mostly have the same technical skills as an intern, so when they're deciding on how to approach problems, it's from a bad POV. Security holes aren't addressed because they honestly don't understand the risk, and it makes vulnerabilities like this one persist in the environment for months or years, assuming that the folks at Symantec or McAfee even publish the damn white paper on the vuln, the scanner guys like Nessus pick it up, and the IT team is doing regular scans on the environment. Oh well, at least infosec guys will always have job security...

 

[chardog]

I would say they should not be on any network. Remote software is awesome and I'm sitting at home because of it, but voting machines should be far more secure than that. I would think at a minimum it should be off network and have a locked removable drive that is placed into a central machine at the voting site to be tallied.

are they taken offline during and after voting?

I dont really know, because it's closed sourced software

of course to be sure, you can toss lead mats around the voting booth to make sure wireless entry isnt happening on the premise at least.

 

[Ling Ling]

This is an important subject that never has gotten the attention it deserves. Personally I would like to see a return to paper ballots counted by optical scanners that would allow a proper recount if any system was compromised.

 

[jefferz]

Why would it need a wireless NIC? Any system with TCP 5631 open would be vulnerable to pcanywhere exploitation if it was connected to a network in general (which these would have to be). The only way you would be able to verify that they weren't compromised without a forensic investigation is the lack of pcanywhere during the time period in question. If pcanywhere is on there after 2006, i'm assuming they were targeted.

Last year at DefCon, a hacker conferance, they cracked 30 different machines in less than 2 hours.

 

[chardog]

Last year at DefCon, a hacker conferance, they cracked 30 different machines in less than 2 hours.

these guys had physical access to machines, on top of that, non standard software. Many of these machines run winblows...... have them on a unix system with open source, have all the hackers you can get have a go at it, patch it and do it again..... it'll get hackproof in no time. Voting machines are not rocket science.

 

[Falsedawn]

Private contractors never have an interest in fessing up because it affects their past performance ratings for getting new government contracts. My wife does government contracting work for a living, and the stories she tells me would blow your socks off. This game is ridiculously dirty, and the government has no idea how to solve the problem (or even where to start). This particular issue is made even more complicated by the fact that states run the elections, so normal entities that would be responsible for the defense of those networks (DHS, USCYBERCOM, the NSA) are out due to legalities surrounding federalism and conflict of interests.

The congressional inquiries are getting funny at this point. When Zuckerburg testified to Congress, it was a riot. It was a young billionaire explaining how the internet worked to a bunch of old people who clearly weren't following him, haha. I get that "cyber" is the hot new buzzword, and if you throw it front of another word, it makes it sound spicy ("cyberwar," "cyberterrorism," "cybercrime"), but 90% of the people using those words don't really have any idea on what they mean. Even people in the tech industry don't fully get them. I do a little pen testing for fun and as a side gig to make some extra money (getting that independent contractor money, playboy), partly because it's cool and partly to develop an additional skill because the skills of a retired Army Green Beret aren't exactly in demand in corporate America. The point is that I don't do this full-time, so I'm not at the top of the field. Well, I was talking to the CTO of my wife's company at a party, and he's clearly been removed from the technical side of the game for a while. The guy probably couldn't even tell you what a CVE number meant, and I think he was legitimately embarrassed that I knew more about this stuff than he did. These IT Managers mostly have the same technical skills as an intern, so when they're deciding on how to approach problems, it's from a bad POV. Security holes aren't addressed because they honestly don't understand the risk, and it makes vulnerabilities like this one persist in the environment for months or years, assuming that the folks at Symantec or McAfee even publish the damn white paper on the vuln, the scanner guys like Nessus pick it up, and the IT team is doing regular scans on the environment. Oh well, at least infosec guys will always have job security...

I just wanna say that as much as I fucking hate CPEs, I understand the necessity. Gotta keep the skills sharp or they fall away surprisingly quickly. One day you're laughing at the losers splatting against your IPS, and then next you're sitting in an office fat and rich without a keystroke to your name. It's the circle of life, only with way more money.

Last year at DefCon, a hacker conferance, they cracked 30 different machines in less than 2 hours.

I'm aware of the voting village, the report was actually really enlightening.

https://www.defcon.org/images/defcon-25/DEF CON 25 voting village report.pdf

If you look in the report, they actually specify in the limitations of the village that they didn't have access to exactly the type of machines referenced in the title story. These back end systems generally can't be bought by just anyone, so disclosures of this nature that leave them open are particularly egregious because you're breaking the confidentiality of the system itself.

 

[Falsedawn]

these guys had physical access to machines, on top of that, non standard software. Many of these machines run winblows...... have them on a unix system with open source, have all the hackers you can get have a go at it, patch it and do it again..... it'll get hackproof in no time. Voting machines are not rocket science.

Also yes, physical access is a big deal. Granted they didn't have access to any source code (and some were compromised via open physical ports), but if they have physical access you can generally assume it's a done deal.

 

[illclint]

The Alabama election was rigged against Judge Moore.

 

[BOWHUNTER]

Could this be the beginning of the end of the Trump presidency?

 

[BOWHUNTER]

you've forgotten about Chad already?

#hangingchad

 

[gatchaman]

https://motherboard.vice.com/en_us/...ote-access-software-on-systems-sold-to-states



Thought this was worth a thread separate from everything else.

Note that these are not voting machines, this is the actual management system.



To put this in perspective, imagine you have a critical banking system with transactional information for the past year...and you tape the password to the monitor. That's how idiotic this is.

But let's compound this.

https://gcn.com/articles/2012/01/26/ecg-disabling-remote-pc-software.aspx?m=1



From 2000-2006, this vendor was installing remote access software on these systems, and in 2006 the source code of the software was compromised (at which point these systems would be considered compromised if the software were on the system). Due to the secretive nature of these installs, how many of those do you think were updated to address the source disclosure? Moreover, why did they lie about it?

Conspiracy theorists, smoke em if you got em.

I am curious to see what an election would look like with glass ballot boxes in the public square with subsequent counting in the public square and everyone free to video record the entire proceedings. But I don't think that my idea will gain any traction among the most vociferous election manipulation conspiracy theorists. Is my idea a good one to you?

 

[Bamboozled]

Just in time to prepare for the 2008 election eh?

 

[ineverpost]

So it’s not an outside connection to the voting machines themselves, but rather a connection to a hub that has access to the voting machines.

How the fuck is that any different? Once you’re in the network, then it’s just basic hacking to move further down the line

Voting machines should have 0 connection to any World Wide Web. It should all be a strictly self contained hardwired network at each voting location. Then officials simply report the results on a regular ass secured internet connection to the state official tallyer. The isolated voting machines can all be verified if any discrepancies arise, but you gotta drive your ass to that location and read it off the monitor yourself

Ideally, votes are cast on paper and counted by machines, with boxes of those paper votes kept for 12 years so we can always go back to the original source

If there is massive government contract that can be given to friends of Washington, it shall be so. Logic has nothing to do with it