In 2017 someone in Canberra bought a couple of used filing cabinets from a second hand store for $10 each.
They turned out to contain hundreds of highly classified documents detailing years of cabinet discussions of successive Australian governments ("cabinet" here meaning the core group of senior ministers). This probably happened because the (filing) cabinets were locked and no-one could find the keys, so someone at parliament house got lazy and didn't dispose of them properly.
The documents were handed over to journalists and the whole saga became known as "the cabinet files".
It's good that people can get these and reverse engineer them, do a security audit, and publish the results (which are that they are easily hackable and insecure).
> The fact that voter information is left on devices, unencrypted, that are then sold on the open market is malpractice
I disagree with him that what he describes is "voter information".
There's vote information and election information, both which are already public information and are not sensitive information at all. The machines do not have voter information on them nor does he give any evidence of it. What he describes finding was:
> The information I found on the drives including candidates, precincts, and the number of votes cast on the machine, were not encrypted.
All these things are public information already.
> Worse, the “Property Of” government labels were still attached, meaning someone had sold government property filled with voter information and location data online, at a low cost, with no consequences. It would be the equivalent of buying a surplus police car with the logos still on it.
When government agencies auction off surplus cars they seldom repaint them first. It's common to find them with the logos. Example:
That reminds me of how The KLF (as The Timelords) bought a used Ford Galaxie police car and used it as the "frontman" for their group, calling it Ford Timelord. They repainted the logo on the doors, but the black and white coloring is original I think and they kept the siren.
In the UK, it's not unusual for polling stations to have 'tellers' [1] outside, asking voters to volunteer their electoral registration numbers (which can easily be converted into their name). Nothing stops them recording the time too, and many rural polling stations are small enough that only a single voter is in there at a time.
Luckily, we don't have electronic voting machines.
Well it says "Over $5000.00 in Police Equipment being marketed to Law Enforcement only." I read that as that there's optional gear that is a restricted buy, not the car itself. You could be right though. Also, no matter who buys it they'll have to remove the decals before driving since it's not going to be bought by the same agency that sold it.
A good question though is how much do you have to change before you can legally drive it?
This guy here seems to believe that driving a police car with lights and even "911" and "Dodge Law Enforcement" is Ok as long as it doesn't say the word "Police" at which point it would be impersonating a police officer.
In this police forum where they are discussing the issue one person notes that in California driving anything that remotely looks like a police car is illegal, and another states that in Tennessee you can drive a police car if you feel like it. So state laws perhaps vary as to whether you have to remove the decals and/or repaint the whole thing before driving a decalled surplus acquisition.
Sweden. My boss’ teenage son bought a Volvo, same model used for police cruisers. Did the police paint job, logo, everything. Even found a source for the flashing lightbar.
Then proceeded to cruise around town. The Police were, of course, not amused. He got it impounded twice, but they had to return it on both occasions with no charges filed.
Seriously though are they the only state left with "Constables" which are completely independent law enforcement officers who have to buy their own cruisers, guns, and uniforms, which they get to design themselves?
It sounds pretty cool, like there's no possibility of conspiracy with other cops in their department since there aren't any, there's no supervisor so they can't say they were just following orders, and if the entire local police force is corrupt, one can use the constable as a last form of justice. And if people don't like the job they are doing they can simply vote them out.
Recently @hackerfantastic on Twitter has a few videos of hacked Diebold voting machines [1,2,3,4] along with a blog post [5] and the git repository [6]. From this I followed the link to a video on twitter on how to get admin access on some voting machines.[7]
Banking and medical information are kept secure through federal regulations. Why should we trust the states that have already shown either their inability or unwillingness to remedy the issue?
Lowest-cost bidding among companies is going to do better? Security is often the first thing to go when your company’s survival depends on tiny margins
> ATMs are secure because banks would lose money if they weren’t. Not because of regulation.
Banking is heavely regulated. I agree that security is good business practice. But, to disregard regulations without proof is a big leap of faith.
Banking have survived thanks to government intervention. And to start with got itself in a mess because Great Depression era regulations where removed.
> ATMs are secure because banks would lose money if they weren’t
Now that's wishful thinking. Do you know how hard it is to get your money back from fraudulent transactions caused by compromised ATMs (card skimmers etc - the kinda thing Krebs routinely writes about)?
The banks don't lose their money, they lose your money, and good luck proving this in many countries around the world including the US, UK, Europe.
> The same common-sense regulations don’t exist for election systems. PCI and HIPAA are great successes that have gone a long way in protecting personally identifiable information and patient health conditions.
One of these is not like the other. ;)
PCI-DSS = Payment Card Industry Data Security Standard. It’s not a regulation (as in law), it’s a self imposed industry standard as the name implies.
HIPAA - Health Insurance Portability and Accountability Act, as in an actual law passed by Congress and signed into law by President Clinton.
While PCI can end up with huge fines and/or inability to process payment transactions for non-compliance, it’s not a law.
With voting, the simplest solution is the best solution: paper and ink. A few people to tally locally from each opposing party, report the numbers on up. Unhackable. Verifiable.
It's the best solution because attempts on it don't scale; any attempt at it requires either everyone in the room be in on the fraud (and it takes just one person to break that) and even then, going through ballots by hand takes a long time, where the crime can be found at any point due to physically being there.
E-voting? One hacker can reprogram thousands of machines, possibly not having to even be in the country, anonymously. It gets even worse when you have online voting, because then you have a whole host of potential exploits, like MITM, DDOSing targets like libraries, gathering IDs, etc. When you consider the amount of money running on elections, it's not unthinkable to consider there could be state-sponsored hackers, so there's no problem of resources there. And this is all assuming the hardware and software aren't already compromised by the manufacturers; considering we've seen compromised hardware coming from China it's a very likely possibility.
At this point, you might be right this is a better solution, but it is hackable. Add or remove paper ballots, mark existing ballots with your own pen to change or invalidate it. But at least the physicality of it creates some limit on the scale of fraud.
The recent Canada federal election used paper ballots (all of them have), and those attacks are mostly preventable. Ballots are counted by two people from Elections Canada, and all candidates can watch. The match up the number of ballots with the number of people crossed off on the list of people who were eligible to vote at that polling station. They also compare it to the number of ballots at the start of polling and end of polling. If votes were added or removed, those checks wouldn't work out (and there would probably be a re-vote for people who voted at that polling station). Adding marks before people vote wouldn't work since voters would probably notice, and it'd be hard to add marks between marking the ballot and it being put in the ballot box. Ballots also need to be signed by the chief returning officer.
Terrible article, perfuse with one terrible, fatal misconception: Systems openness is essential to confidence. Concealing breaches or even vulnerabilities does orders of magnitude more damage to public confidence than disclosing them and remediating them. The cover-up mentality is why the constitutional heroine Reality Winner is imprisoned & gagged.
Obligatory reminder that, prior to Trump winning, Wired magazine ran a (popular, widely viral) article claiming that the idea that the vote could be rigged by hacking voting machines was a nutty conspiracy theory: https://www.wired.com/2016/10/wireds-totally-legit-guide-rig...
Like, I'm sure there are some folks whose concern about voting maching hacking isn't just a partisan tactic - especially on places like HN - but Wired magazine isn't one of them. Given that the last time this was such a major mainstream topic was after the 2004 election, well...
Ironically trump makes me feel more secure that the elections are not rigged. Nobody in the GOP, civil service, military, and intelligence communities wanted him. All were very outspoken against him throughout the primaries and even into the election.
And apparently you only needed to flip 4000 votes in swing states to secure the electoral college numbers... 4000 targeted ads on Facebook, how much did that cost? Cambridge Analytica knows.
> Well, apparently through Facebook ads they did...
Where did you get that idea? We know from the Mueller report that they indeed paid to try to influence the election, but the sums were tiny compared to what the actual candidates paid. Also, please remember that Cambridge Analytica was hired by Trump ('s people) , not the Russians.
They turned out to contain hundreds of highly classified documents detailing years of cabinet discussions of successive Australian governments ("cabinet" here meaning the core group of senior ministers). This probably happened because the (filing) cabinets were locked and no-one could find the keys, so someone at parliament house got lazy and didn't dispose of them properly.
The documents were handed over to journalists and the whole saga became known as "the cabinet files".
https://www.abc.net.au/news/about/backstory/news-coverage/20...