Computer scientist shows how to tamper with Georgia voting machine, in election security trial: “All it takes is five seconds and a Bic pen.”::An expert witness for plaintiffs seeking to bar Georgia’s touchscreen voting machines showed a crowded courtroom how he could tamper with election res
https://citp.princeton.edu/our-work/voting/
https://www.youtube.com/watch?v=ZVWIOwSkMew
What’s really sad is this is literally the same guy who proved the same thing in 2006. (I’m going on a limb and assuming this is the same J. Alex Halderman who wrote this paper at Princeton)
This has been an ongoing problem for almost twenty fucking years.
I went looking for this info because it spurred a memory. The “bic pen” was a part of this hack nearly 20 years ago, and the reference to it made me remember the original.
Fucking travesty.
I have said it before and I’ll say it again, electronic voting does not work and is a bad idea.
The election system is dependant on trust, trust that the votes are not changed nor counted incorrectly.
This works with paper ballots, you keep the ballot box sealed and under observation by observers from different parties, they can then verify that the ballots have not been changed after voting, you count the ballots together, in front of everyone, they can then verify that counting was done correctly.
With electronic voting the votes are cast by interacting with buttons on a black box, no one is able to verify that the votes are recorded correctly nor that they are counted correctly during the actual election.
In California we have electronic voting machines that are basically glorified printers. You go through the vote flow, then it prints your ballot and you can verify it’s correct before it goes in the ballot box. All the upside of electronic voting and none of the downsides. Since it’s printed consistently it’s easier to electronically count as well without mistakes that can happen from scanning hand filled ballots. Even human vote counters can mistakenly read a hand filled ballot.
That’s how it is in Georgia to. You make your selection, receive a print out which has your chooses visible on kt, put that into the counting machine which is next to a table where you get your I voted sticker so it’s monitored for tampering. They then take your print out and put it in a box for manual recounts if called for.
But don’t you then put it into a scanner that actually tallies the votes? The paper exists, but my understanding is it’s not a hand count. There is still opportunity to manipulate the scanner.
But you still have the paper ballot so that when it’s time for a recount you can validate the electronic and paper copies match.
How it is in Texas too.
That is fine, and a good usecase
In Australia we have a robust and fast paper voting system administered by the Australian Electoral Commission. We get most results in the evening of election day with only really close races being a couple of days out. There is solid chain of custody on paper ballots and having been used for over a century we have all the kinks worked out.
The USA has about 330 million people, we have about 25 million. The voting population of each is smaller, but it is a much larger percetage of our population due to compulsory voting. If we can do it with less than 10% of the population it could be done there with the same ratio no worries, just assume out country was a state and you can see it can work.
Paper is safe and secure. It is well understood and all the hack and hijinks have been worked out. If you ask experts in IT if they think voting should be dine electronically they answer hell no without much debate.
Ditto in the UK 50 million people putting crosses on paper with pens in one day. First results come in about 2 hours after the close of the polls at 10pm, 95% done by the time you wake up the next day. Electronic voting has plenty of downsides and no upsides for anyone other than the people making the voting machines.
Am an IT professional (and also happen to have a degree in politics, i’ve had a weird life), can confirm.
I am an IT professional, and yep computers should not do election voting
Electronic voting for deciding a conference/meeting venue is fine, but anything involving governance over a large body of people is a strict no-no.
Reason: if other nation states are interested in tampering with the election, they can easily do it with the amount of resources they have. Paper vote is a distributed system which is very hard to tamper AT SCALE.
Germany uses paper ballots. 60 million eligible voters, 3/4 actually voted during the last federal elections.
IT professional:
If I had my way we would all use paper and pen
Am an IT professional (and also happen to have a degree in politics, i’ve had a weird life), can confirm.
xkcd warned us and that didn’t listen.
Tom Scott warned us too: https://www.youtube.com/watch?v=w3_0x6oaDmI
And also literally the guy from the OP article, who is the same guy who first demonstrated this kind of hack in 2006.
Here is an alternative Piped link(s):
https://www.piped.video/watch?v=w3_0x6oaDmI
https://www.piped.video/watch?v=LkH2r-sNjQs
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
I like the system we have in New Mexico. (Yes it’s one of the 50 states)
You can go to any poling place, and they print you a local ballot for where you live, right there. You fill in the bubbles with your choices, then run it through a scanner machine on your way out.
You get instant counting and can track results live all day. If there’s a technical problem, or any uncertainty in the results, you can always go back to the paper and hand count.
It gives the benefits of all the options.
How.is it providing secrecy and result checking at the same time?
There’s no identifiable info on the ballot.
The ballots themselves are available to be recounted if necessary.
Electronic voting works wonders. All you need to sacrifice is anonymity.
Which is why it doesn’t work in real elections.
Voter anonymity is critical to a functioning democracy.
Uh, no. We already have dozens of publicly characterestics to discrinate people against, we can handle one more for a huge benefit of never ever doubting election count results again.
No, just no.
The moment voter secrecy is gone, you will have a far, far , far worse situation.
The moment you can verify what a person voted for, then you have opened the door for violence, intimidation and voter bribery.
The point of voter secrecy is to prevent others from being able to force you to vote on your own.
Immagine a wife of a MAGA husband, with voter secrecy she would have the option to hide voting for the Democrts, without it she would be able to be forced by her husband to vote for the republicans.
This is simply because he would be able to verify her vote, with voter secrecy he has to trust her. (Obviously there are ways he still could come close to verifying her vote, but there remains options for her)
I’m coming from an oppressive dictatorship that kills people for disagreeing with them. One thing to enables them to is voter anonymity. An oppressive MAGA husband example is cute, ofc, but I wasn’t solving “how do we make people vote with there heart is”, this is kinda out of scope and definitely not crucial for a functional democracy, but wishlist-grade at best.
Now, voter bribery is a good one. Never thought of that and can see how this could be a much more sizeable problem.
Ok but how would a lack of voter secrecy prevent the government from killing people who voted “wrong”?
To me that just seems like it would make it easier.
I am a Swede and have luckily never had to think about these things, if I am being arrogant with my staunch support of voter secrecy, I want to know.
You can’t kill 12+% when you’re in a demographics hole.
It scares the shit out of me that the US has so fully adopted voting machines. They are incredibly unreliable and it would be so easy for a bad actor to hack an election. Especially with FPTP, it would be so easy to goose the numbers in a couple of key districts and swing an election for whomever you wanted to win. It’s almost definitely already happened several times.
In Canada we still do voting on paper, but then the votes are counted electronically and the paper copy is kept for recounting by a human later if needed. It’s sort of the best of both worlds.
It’s not everywhere.
States that do vote by mail are just like you describe – paper ballots collected and counted by computer, with the paper preserved.
Not all states are fully electronic. Many districts (including mine) are run on paper ballots that are then scanned.
I would be more concerned about the upstream tabulation systems. The possibility of making bulk changes is much more harmful than tampering with single voting machines.
There was a mad dash to electronic voting after the Bush v Gore hanging chad fiasco. A lot of people are still focusing on the voting machines vs. the integrity of centralized tabulation systems.
Anyone who knows even the slightest bit about how computers work know this is a bad idea.
What is the gdpr reason this website is not available to users in Europe?
I believe some websites say “fuck it, fuck them” and block European IPs rather than put in the work to become GDPR compliant
Can all the big tech sites do this please? Get the fuck out of Europe.
What the actual fuck?
Lols :)
Well, then, we don’t want you here either, with that sort of aggressive rude attitude.
Keep talking like that and people might start to think you’re American.
https://archive.ph/Qt9By is available.
Paywall
Huddled around a voting machine in a federal courtroom, a small crowd watched as expert witness Alex Halderman demonstrated how someone could meddle with a Georgia election within seconds.
Halderman, a University of Michigan computer scientist, changed results of a hypothetical referendum on Sunday alcohol sales. He flipped the winner in a theoretical election between President George Washington and Benedict Arnold, the Revolutionary War general who defected to the British. He rigged the machine to print out as many ballots as he wanted.
All he needed was a pen to reach a button inside the touchscreen, a fake $10 voter card he had programmed, or a $100 USB device that he plugged into a cord connected to a printer, rewriting the touchscreen’s code.
Halderman delivered his presentation during an election security trial evaluating whether Georgia’s voting system is vulnerable to manipulation or programming errors. All in-person voters in Georgia make their choices on touchscreens that print out paper ballots.
Election officials countered Halderman’s testimony with assurances that real-world elections in Georgia have never been hacked and security precautions prevent the possibility of interference.
“All of these things worry me — just how easy these machines would be to tamper with. It’s so far from a secure system,” Halderman testified Thursday. “There are all kinds of politically motivated actors that would be eager to affect results.”
Under questioning from attorneys defending Georgia’s Dominion voting equipment, Halderman said there’s no evidence that the vulnerabilities he showed have ever been exploited in an actual election.
Through eight days of the trial, attorneys for the liberal-leaning Georgia voters and activists who are plaintiffs in the case have tried to convince U.S. District Judge Amy Totenberg that she should order the state to prohibit further use of the voting touchscreens as the 2024 elections approach. Voters would instead fill out paper ballots by hand.
Testimony in the case included evidence about the January 2021 breach in Coffee County, when tech experts hired by supporters of Donald Trump copied Georgia’s election software, then distributed it to conspiracy theorists across the country. The plaintiffs have also sought to prove that the secretary of state’s office hasn’t done enough to protect election security and voters’ rights.
But State Election Board member Matt Mashburn told the judge that hacking would be difficult to pull off during an election.
Credit: arvin.temkar@ajc.com
“There are serious potentialities. Now, how practical they are to put in place is a different question,” Mashburn said Wednesday, according to a court transcript.
Flaws in voting machines would be difficult to exploit at more than one voting machine at a time, minimizing the potential danger, he said.
“I just didn’t think it was realistic,” Mashburn said. “Is it something you’ve got to change the whole system for? … I just don’t believe that is very likely. It is possible, but it is not very likely.”
Halderman testified that he discovered vulnerabilities after he was given access to a Fulton County touchscreen, called a ballot-marking device, as an expert witness in the case. He reported his findings to the U.S. Cybersecurity and Infrastructure Agency, which validated the technology weaknesses in June 2022.
Election officials have said Georgia’s voting equipment is secured by locks and seals, poll workers overseeing precincts, preelection testing and audits of paper ballots.
Halderman said a wrongdoer, hidden behind a privacy screen at a voting precinct, wouldn’t necessarily be caught by election workers. Changing a touchscreen’s programming would take seconds or minutes but potentially create “chaos” in a major election, when it would be difficult to determine which ballots were legitimate, he said.
It isn’t necessary to open up a voting machine or remove security seals to gain “superuser” access to a touchscreen and change its programming, Halderman testified. Any voter could bring a forged voter card, pen or USB drive loaded with malicious code to a voting machine.
In one of Halderman’s hacks, the text on the ballot would reflect the candidate the voter picked, but the computer QR code counted by a ballot scanner would count the opposite choice. Georgia lawmakers are considering legislation that would remove QR codes from ballots.
The vulnerabilities Halderman showed in court would only affect one voting machine at a time, but he also testified that many more votes could be changed if someone gained access to election management servers overseen by state and county election officials.
Attorneys for Secretary of State Brad Raffensperger, the defendant in the case, contend that the mere possibility of election tinkering doesn’t amount to a violation of voting rights protected by the U.S. Constitution, such as free speech and equal protection rights.
“Plaintiffs have failed to produce a single shred of evidence to substantiate the supposed ‘risks’ they fear,” a court filing by the defendants states. “There is no evidence that their ballots or any ballots cast using a BMD (ballot-marking device) were not accurately counted or that any vote has been changed. … Weighing risk is a political and not judicial decision.”
Witnesses for the defendants this week will attempt to dispute the plaintiffs’ allegations with testimony from Georgia election officials and cybersecurity experts.
The case will be decided by Totenberg, who was appointed by President Barack Obama, in the weeks after the trial concludes
Give me 5 seconds and a bic pen. I’ll get it open.
MacGyver, is that you?
Please, call me Richard Dean Anderson
I think you’re thinking of Col. Jack O’Neill.
The 2 “L”s are important, you wouldn’t want to confuse him with Col. Jack O’Neil.