As someone that works in IT and Cybersecurity, it's insane how they were able to get away with what they did re system security.
Common things like Health industry records with HIPAA and CC payment systems with PCI DSS have pretty intense rules and regs.
Elections are theoretically national security level important and clearly no one has lifted a finger to audit the systems and review the reports.
Any external IT (and physical security) audit including penetration testing by skilled testers would have owned them 6 ways from Sunday and flagged the whole system as poorly designed and wide open to attack and fraud.
I work in biotech and all of our equipment that produces results and every action performed is logged. There is an audit trail that is printed along with every result file along with timestamps and everything. It sounds to me like this software has absolutely none of that which is unacceptable. If someone brought me a piece of equipment like this within 15 minutes I would ask about audit trails and if there aren't any the convo is over it's as simple as that. Results in any industry should be verifiable.
Oh yes...In IT security we're all about logs, central recording, analysis and alerts/actions. I can imagine how a voting system doesn't have a SEIM of some sort with FEC/Feds watching it in real time or just after the counting stops.
IMO we can build a completely airtight electronic voting system if it's open source with good design using modern encryption inc blockchain etc. Then bake in strong audit features, immutable logging for years and allow various approved entities to audit each state's elections without needing their permission.
I suspect there is going to be a bit of discussion on this topic once Trump is declared the winner.
I really don't understand why the American people allowed electronic voting to be established in your elections in the first place. Speaking from Ireland and when they tried to introduce that shit in 2002 we kicked up such a ruckus that the government walked it back and eventually scrapped the plan officially in 2018 after over €50m of taxpayer money.
I get that the US a huge country and and im sure holding an election is a logistical nightmare but that was also the case in the 90s and things worked more or less fine. Nothing wrong with the old pencil and paper, if it ain't broke don't fix it.
The electronic part isn't the problem- you can stuff a paper ballot box just as easily if everyone in the room is for the other party. This happens fairly routinely and when the results are contested later, the lockboxes of paper ballots that would be used to recount or audit are suddenly "missing" and nothing happens.
We have far more complicated systems in place now for financial transactions and I've never had any of my money lost at a bank. We can 100% build an airtight system with encryption and blockchain but there also needs to be talk about the fundamentals of voting that go back more than a century- the concept of a secret ballot being one of them.
If we revise what a secret ballot means to be an encrypted ballot which only a select gov't entities can decode and read, then the problem is very easy to solve: Your Gov't ID (SSN in USA) + vote selections get encrypted when cast.
There are no secrets any more. Gov't, Google, Apple, Facebook etc have everything on a person- income, friends, family, med history, party affiliation, emails, web and search history and personal GPS trail down to 3m accuracy- forever. Letting a gov't agency see who you voted for isn't going to tell them anything they don't already know about you. See Carter Page.
Tie all the local systems into a central gov't system and no dead voters, double voters, underage, illegals etc can vote because the SSN is globally unique and can cross-reference that other data.
Any external IT (and physical security) audit including penetration testing by skilled testers would have owned them 6 ways from Sunday and flagged the whole system as poorly designed and wide open to attack and fraud.
I'm basically script kitty level when it comes to pen testing but from what I'm seeing with these machines I feel like I could have full control in under an hour with a standard kali toolkit.
That being said I dont think there was and hacking involved l. These machines come with all of the 'features' you need to make the vote whatever you want it to be.
Agree 100%...the lack of security is also a nice way of prompting an audit which may incidentally discover the real fraud.
I think there's a lot that will come out along these lines:
Everyone is a partisan this election. There is no middle/neutral
In the case of low-level dem election workers, they consider it their sacred duty to 'stop Trump', probably not giving much thought to what prison looks like
Election fraud happened on every level imaginable- individual voters, local election workers/officials, state officials and courts, national party, the voting infrastructure (dominion etc) and the FBI, CIA etc undoubtedly know about it
LOTs of elected officials are probably caught up in the fraud to win their own elections which probably explains why Kemp and other Rs are acting like dems
I've worked as a software engineer in aerospace. The customer always had an independent firm do V&V on our software as part of their acceptance criteria. We hated those guys :), because they held up a couple of deliveries, but it was a necessary function considering we were delivering mission critical software.
As someone that works in IT and Cybersecurity, it's insane how they were able to get away with what they did re system security.
Common things like Health industry records with HIPAA and CC payment systems with PCI DSS have pretty intense rules and regs.
Elections are theoretically national security level important and clearly no one has lifted a finger to audit the systems and review the reports.
Any external IT (and physical security) audit including penetration testing by skilled testers would have owned them 6 ways from Sunday and flagged the whole system as poorly designed and wide open to attack and fraud.
I can't accept this is purely by chance.
I work in biotech and all of our equipment that produces results and every action performed is logged. There is an audit trail that is printed along with every result file along with timestamps and everything. It sounds to me like this software has absolutely none of that which is unacceptable. If someone brought me a piece of equipment like this within 15 minutes I would ask about audit trails and if there aren't any the convo is over it's as simple as that. Results in any industry should be verifiable.
Oh yes...In IT security we're all about logs, central recording, analysis and alerts/actions. I can imagine how a voting system doesn't have a SEIM of some sort with FEC/Feds watching it in real time or just after the counting stops.
IMO we can build a completely airtight electronic voting system if it's open source with good design using modern encryption inc blockchain etc. Then bake in strong audit features, immutable logging for years and allow various approved entities to audit each state's elections without needing their permission.
I suspect there is going to be a bit of discussion on this topic once Trump is declared the winner.
I really don't understand why the American people allowed electronic voting to be established in your elections in the first place. Speaking from Ireland and when they tried to introduce that shit in 2002 we kicked up such a ruckus that the government walked it back and eventually scrapped the plan officially in 2018 after over €50m of taxpayer money.
I get that the US a huge country and and im sure holding an election is a logistical nightmare but that was also the case in the 90s and things worked more or less fine. Nothing wrong with the old pencil and paper, if it ain't broke don't fix it.
The electronic part isn't the problem- you can stuff a paper ballot box just as easily if everyone in the room is for the other party. This happens fairly routinely and when the results are contested later, the lockboxes of paper ballots that would be used to recount or audit are suddenly "missing" and nothing happens.
We have far more complicated systems in place now for financial transactions and I've never had any of my money lost at a bank. We can 100% build an airtight system with encryption and blockchain but there also needs to be talk about the fundamentals of voting that go back more than a century- the concept of a secret ballot being one of them.
If we revise what a secret ballot means to be an encrypted ballot which only a select gov't entities can decode and read, then the problem is very easy to solve: Your Gov't ID (SSN in USA) + vote selections get encrypted when cast.
There are no secrets any more. Gov't, Google, Apple, Facebook etc have everything on a person- income, friends, family, med history, party affiliation, emails, web and search history and personal GPS trail down to 3m accuracy- forever. Letting a gov't agency see who you voted for isn't going to tell them anything they don't already know about you. See Carter Page.
Tie all the local systems into a central gov't system and no dead voters, double voters, underage, illegals etc can vote because the SSN is globally unique and can cross-reference that other data.
Indeed they did: SWORN AFFIDAVIT
Nice!
Thanks, I'm looking through it now!
I'm basically script kitty level when it comes to pen testing but from what I'm seeing with these machines I feel like I could have full control in under an hour with a standard kali toolkit.
That being said I dont think there was and hacking involved l. These machines come with all of the 'features' you need to make the vote whatever you want it to be.
Agree 100%...the lack of security is also a nice way of prompting an audit which may incidentally discover the real fraud.
I think there's a lot that will come out along these lines:
I've worked as a software engineer in aerospace. The customer always had an independent firm do V&V on our software as part of their acceptance criteria. We hated those guys :), because they held up a couple of deliveries, but it was a necessary function considering we were delivering mission critical software.
This is not by chance. Definitely by design.