EP043 – Don’t Rock the Voting Machines
Music provided by: Denis Kreynin https://soundcloud.com/denis-kreynin

Greetings & Banter
As a follow up to Episode 41, there’s some research that IoT devices can be used for ransomware. See this story on thermostats for an interesting example. At the very least we can call it extortion which might just have been the motivation behind a massive DDoS attack on DynDNS that happened since our last recording, or they could have just been wanting to make a point or go for revenge, like we saw used against French hosting company OVH and Brian Krebs respectively.

Last episode we assigned homework; manually doing cross site scripting attacks (XSS for short). We produced a video showing our attempts at getting this to work, which you can view on YouTube here. There are many more ways to do XSS so if you come up with some other interesting ways let us know!

Projects & Homework
None this “week”, so maybe take the time to watch MR ROBOT if you haven’t already. Season 2 is over, and I’m not going to lie to you there are some weird episodes in the middle but I promise you it’s all needed at the end where the last 3 episodes clears it all up. It’s so good.

Topic for this week: Electronic Voting Machine hacking
Here are the articles we used for research into the topic that we presented in this podcast. The first few are broadly covering if it’s possible to hack the voting systems as a whole:
Hacking Voting Systems: A Reality Check – This one mentions that actually only Louisiana uses DRE exclusively with not VVPAT. Maybe we misstated that in the show with saying 5 states use DRE exclusively… It’s a little confusing with conflicting information from other articles.
How to Rig a Presidential Election in 1000 Easy Steps – The WIRED article we took a lot of states on and reference as a good read. It’s satirical but points out the impossibility of hacking the vote or exploiting the electoral process at scale.
Edward Snowden on Twitter: “Hacking voting machines: not that difficult. Hiding a secret deviation in votes from after-the-fact statistical analysis: nearly impossible.” – I can’t believe I’m linking a tweet… but there you have it. He makes a good point!

This section of articles speak to testing electronic voting machines:
Voting System Standards, Testing and Certification – A very dry article that speaks to the voting machine standards, and testing requirements.
Voting machine password hacks as easy as ‘abcde’, details Virginia state report – An article by The Guardian that summarizes the out of business voting machine company (Advanced Voting Solutions) responsible for the WinVote machines, and details some of the security problems with it
Meet the e-voting machine so easy to hack, it will take your breath away – An Ars Technica article detailing more about the WinVote machines from a more technical perspective, along with some links to research article providing even more details. Nope… I’m still scared!
Security Evaluation of ES&S Voting Machines and Election Management System – This is a university research paper into ES&S voting machine vulnerabilities. It’s a little out of date, but then again so are many vulnerabilities that we still find out there on the Internet…
Diebold is center stage in the voting machines controversy – a long analysis of deibold’s e-voting woes, but doesn’t get into specifics. Fortune published this in 2006
Which voting machines can be hacked through the Internet? – Not from a website I’m familiar with but seems to have some more decent info on voting machines that are vulnerable from this year. I advise a grain of salt to be taken with it.

This section has some media that discusses this topic more:
DTNS 2887 – An E-Vote Of Confidence? – The Daily Tech News Show podcast has a special feature that dives down this rabbit hole. It’s recommended listening IMO.
Snowden’s Zachary Quinto Explains Voting Machine Hacking in 2 Minutes – A WIRED video that glosses over a lot of details. This is where we got that 5 states DRE exclusively.

And finally this last section is more about fixing the system:
The Problem with Electronic Voting Machines – Schneier on Security a real good analysis of the issue facing e-voting in 2004
Verified Voting – Who votes how

Turned out for what?