Diary

The risks of electronic voting machines

The scientists were assured the files were safe by the IT professional. The files had been scanned rigorously and no malware was detected in the update to the devices. This was the fourth scan these files had undergone and they were going to be installed on systems not connected to the Internet. To be very sure they slowly installed the software, only to a few machines at a time. They never detected the installed virus, one hidden deep in the software patch, which was placed into the code at least two years earlier. The effort to get this code to those machines required that five different vendors be hacked, that the hacks be undetected by companies that make very high end code, and that the virus would mostly affect the specifically targeted devices.

Stuxnet was a complete success and demonstrates the viability of a national attack system on other nations via things like viruses, hacks, and trojans.

If you do not know the power of hackers you should be afraid. In the above example the nation (rumored to be Israel and/or the United States) had to hack companies that are well prepared for intrusions, modify all examples of the software they were targeting, and get out without ever being detected.

The simplest method is to find a weak user name and password combination. Password123$, for example, is not a strong password. Nor are the most well-known alternatives that statistically are used by endless numbers of admins, clerks, and users. The email method is often the easiest. There are two-factor methods, but I will cover why those won’t help either down below.

The next best way is to test the system for devices that have their own passwords and user names. A router for example is such a device. So is a printer. In one case hackers got into a secure facility’s servers by hacking a fish tank. The weakest link in the chain of security will often be found and exploited.

Zero Day exploits are another significant route. Often these are severe and dramatic weaknesses in the defenses of software, easily exploited if one has found the flaw. I once found a flaw in a gaming website that allowed me to read anyone’s messages with a bit of effort. I also was able to post as a mod or admin and proved this to the moderators of the game. A zero day exploit is bad news. A recent example of this had untold thousands of computers hacked and the contents encrypted with the offer to free the data for $300 in bitcoins. The threat is so very real with a zero day exploit.

SQL injection gets past a lot of defenses. A bit of a brute force method, it is very effective if you have failed to set up your code to prevent intrusion. Illinois suffered an attack via SQL injection and the hacker was able to get access for 3 weeks. Illinois says he only got 90,000 records from them via a slow process of checking each number individually. A script kiddie would not have done it individually; he would have had a system designed to check all possible numbers. Illinois is lying or worse… They just do not know the full extent of the damages.
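What "setting up your code to prevent intrusion" means for a record lookup, as an added example that is not code from this diary or from any state system: the same query built by string concatenation and with a bound parameter. The table, column and function names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: a tiny lookup table, not real records.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voters (voter_id TEXT PRIMARY KEY, name TEXT)")
    db.executemany(
        "INSERT INTO voters VALUES (?, ?)",
        [("1001", "A. Sample"), ("1002", "B. Sample"), ("1003", "C. Sample")],
    )
    return db

def lookup_vulnerable(db, voter_id):
    # Weak form: the input is pasted into the SQL text, so a quote
    # character in the input changes the structure of the query.
    sql = "SELECT voter_id, name FROM voters WHERE voter_id = '" + voter_id + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, voter_id):
    # Hardened form: the driver binds the value separately from the SQL
    # text, so it is only ever compared as data.
    sql = "SELECT voter_id, name FROM voters WHERE voter_id = ?"
    return db.execute(sql, (voter_id,)).fetchall()

def lookup_validated(db, voter_id):
    # Defence in depth: refuse anything that is not a short numeric ID
    # before it reaches the database at all.
    if not (voter_id.isascii() and voter_id.isdigit() and len(voter_id) <= 10):
        raise ValueError("voter_id must be numeric")
    return lookup_parameterized(db, voter_id)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # classic always-true condition
    print("concatenated query rows:", len(lookup_vulnerable(db, crafted)))
    print("parameterized query rows:", len(lookup_parameterized(db, crafted)))
```

The concatenated query hands back the whole table for one crafted input, while the bound query treats the same input as an ID that matches nothing.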

If you know security for computers then you know that if someone gets access to the root of a server they can do anything. In a game called Uplink you specifically are a hacker hacking banks, businesses, government servers, and more. In most of your actions the number one rule is “remove evidence of your intrusion”. A log file is useful for telling you who had access to the server and from what IP, but that log file can be spiked, it can be altered, it can be deleted. After that point only a forensic analysis of the hard drive(s) that would have had the log file (physically checking the drive, not electronically but physically) can help you possibly recover that data. Oh and if you know that Hillary screwed up using BleachBit to clean her drives… A hacker knows how to scrub the file away, he knows how to make recovery of files not easy. Yes they can make it so you might have a chance with a forensic analysis.

Illinois in my view was completely and utterly dominated by the hacker. So was Arizona despite their saying that the hacker never got into other parts of the server network. If you look at the mathematical models I produced then you are also assured that Utah and other states were statistically in the extremely high probabilities of having suffered a real primary election day hack.

So the States are looking to the Federal Government for guidance. They are using things like two step verification, more complex email user names and passwords, more robust firewalls, specific route only access methods, and even the continuation of their air gapping. They have already failed. Unless they look at the code inserted into every device, verify that the code matches a master file, and make sure that master file has every line of code examined in depth… they cannot be sure the system is safe. Even examining the code line by line will not suffice. If you know of coding then you know a lot of coding calls upon ‘objects’ and other things that can be wildly placed around. It is possible to hide the code for a virus in a hundred different parts inside a real software program. You need to verify every portion of the code with all parts it works with inside the program itself.
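The "verify that the code matches a master file" step, sketched as an added example (not code from this diary or from any voting system vendor): hash every file on a device and compare it with a manifest built from the master copy. File names and contents are constructed, and a clean result only shows the device equals the master, which is why the paragraph above also requires the master itself to be examined.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    # Hash in chunks so large firmware images do not need to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    # Map each file's relative path to its SHA-256 digest.
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_master(master, device_root):
    # Report every way the device differs from the master manifest.
    # An extra file matters as much as a changed one: added code does
    # not have to touch any existing file.
    device = build_manifest(device_root)
    return {
        "modified": sorted(k for k in master if k in device and device[k] != master[k]),
        "missing": sorted(k for k in master if k not in device),
        "unexpected": sorted(k for k in device if k not in master),
    }

def demo():
    # Constructed sample trees with hypothetical file names.
    with tempfile.TemporaryDirectory() as tmp:
        master_dir, device_dir = Path(tmp, "master"), Path(tmp, "device")
        for d in (master_dir, device_dir):
            (d / "lib").mkdir(parents=True)
            (d / "tally.bin").write_bytes(b"count ballots v1")
            (d / "lib" / "ui.bin").write_bytes(b"draw screen v1")
        # Make the device drift from the master in three different ways.
        (device_dir / "lib" / "ui.bin").write_bytes(b"draw screen v1 + extra")
        (device_dir / "lib" / "helper.bin").write_bytes(b"not in master")
        (device_dir / "tally.bin").unlink()
        return compare_to_master(build_manifest(master_dir), device_dir)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```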

But let us review those security implications.

Two-Step verification systems can be spoofed by cloning a phone. Oh and interestingly enough machines were found in Washington DC which mimicked cellular towers and would have pulled all the information needed to clone a phone. Yes you still need the other side of the verification protocol but the phone is supposed to be the more secure system. When a company has a direct connection to the net (no not the normal connections, but instead a connection to the main lines, the trunks if you will) then hackers can pull massive amounts of data off in just minutes of succeeding in a hack.

How do they get the other side? Phishing is common. Oh I forgot to mention this one eh? There is a reason. Phishing is how the DNC email leaks and the Podesta email hack were done. Phishing as a prank just got eight of the most important people in the White House recently. One was a supposed cyber security expert. The prankster used an email.com account in various individuals' names to send emails to the various people and got some to respond. For example look up email.com prank mooch Priebus. He got mooch entirely spoofed.

I wrote about the electronic voting book issues, the voting machine issues, the ballot reader issues, and the many websites that collapsed in my book (available free on Kobo) called The Bear in the Room: Russian Interference in the Elections. I am telling you right now that no way can we continue this path of electronic voting machines. The only States without issues were the ones with Paper Ballot voting methods.

The list of nations that have been hacked in the last 4 years, for their elections, is also startling. This is not an isolated set of incidents. There is a strong and robust effort to hack every nation possible. Ukraine, France, Philippines, Germany, and more.

There was recently an event known as DefCon where an organization had set up one of every voting machine used in the United States. Some were hacked very quickly, some lasted as much as 90 minutes until a ‘solution’ was found. Those same hackers could now hack a similar voting device in a few minutes.

We are not safe with electronic voting machines.