Skip to main content

Electronic pollbooks are an attractive attack vector on elections


See http://www.politico.com/magazine/story/2017/06/14/will-the-georgia-special-election-get-hacked-215255

This appears to be a very easy and effective attack on election systems that does not even involve trying to flip votes.

"The center also distributes the voter registration list to counties for use on their ExpressPoll pollbooks; if attackers were to delete voter names from the database stored on the center’s server or alter the precinct where voters are assigned, they could create chaos on Election Day and possibly prevent voters from casting ballots. This is not an idle concern: During the presidential election last year, some voters in Georgia’s Fulton County complained that they arrived to polls and were told they were at the wrong precinct. When they went to the precinct where they were redirected, they were told to return to the original precinct. The problem was apparently a glitch in the ExpressPoll software."

-- http://www.politico.com/magazine/story/2017/06/14/will-the-georgia-special-election-get-hacked-215255

In other words, the very system that had major security problems and a lack of due diligence in fixing them, maintains the "source of truth" for the per-precinct registration lists. Merely deleting voters from lists in precincts which are known to lean towards one party or the other would probably be enough to tip an election (even if they are allowed to vote provisionally, that doesn't always go smoothly, and it always slows things down and creates confusion; if you can get them shuttling between precincts through manipulating the files, even better.)

This is an attractive attack vector because it's easy, it doesn't require attacking voting machines at all, could be done by attacking a "low security" system, and could be blamed on "glitches" quite plausibly. And we already know from the leaked report last week that state-level actors were attempting to modify voter roll information in other systems.

[This was originally published Jun 14, 2017 at https://plus.google.com/115608553892438743738/posts/QxYGgrETgwh]

Comments

Popular posts from this blog

The problem with creation date metadata in PDF documents

Last night Rachel Maddow talked about an apparently fake NSA document "leaked" to her organization.  There's a lot of info there, I suggest you listen to the whole thing:

http://www.msnbc.com/rachel-maddow/watch/maddow-to-news-orgs-heads-up-for-hoaxes-985491523709

There's a lot to unpack there but it looks like somebody tried to fool MSNBC into running with a fake accusation based on faked NSA documents, apparently based on cloning the document the Intercept published back on 6/5/2017, which to all appearances was itself a real NSA document in PDF form.

I think the main thrust of this story is chilling and really important to get straight -- some person or persons unknown is sending forged PDFs to news organization(s), apparently trying to get them to run stories based on forged documents.  And I completely agree with Maddow that she was right to send up a "signal flare" to all the news organizations to look out for forgeries.  Really, really, really import…

Personal Web Discovery (aka Webfinger)

There's a particular discovery problem for open and distributed protocols such as OpenID, OAuth, Portable Contacts, Activity Streams, and OpenSocial.  It seems like a trivial problem, but it's one of the stumbling blocks that slows mass adoption.  We need to fix it.  So first, I'm going to name it:

The Personal Web Discovery Problem:  Given a person, how do I find out what services that person uses?
This does sound trivial, doesn't it?  And it is easy as long as you're service-centric; if you're building on top of social network X, there is no discovery problem, or at least only a trivial one that can be solved with proprietary APIs.  But what if you want to build on top of X,Y, and Z?  Well, you write code to make the user log in to each one so you can call those proprietary APIs... which means the user has to tell you their identity (and probably password) on each one... and the user has already clicked the Back button because this is complicated and annoying.

My faxed letter to both my Senators this morning

My faxed letter to both my Senators this morning.

Senators Grassley and Graham, this morning, engaged in an obvious act of witness intimidation. They leaked a letter to the Justice Department referring criminal prosecution against Mr. Steele for alleged but unspecified false statements to, apparently, the FBI.

This is on the heels of Senator Grassley refusing to release the testimony of Fusion GPS, refusing to allow the public to evaluate the claims of Simpson vs. selective and apparently inaccurate leaks of said information from the Republican members of the committee.

This is outrageous.

It is unacceptable. It is un-American. These Senators are trying to achieve in then court of public opinion what they have no chance of doing in a real court. They are themselves engaging in witness intimidation & obstruction of justice.

I call on you to denounce this desperate and illegal act by your colleagues and to introduce a motion to censure these two sitting Senators who have demeaned th…