Category: National

See No Evil, Find No Monkey Business, ePollbook Edition

NPR All Things Considered Russian Cyberattack Targeted Elections Vendor Tied To Voting Day Disruptions

“Voters were going in and being told that they had already voted — and they hadn’t,” recalls Allison Riggs, an attorney with the Southern Coalition for Social Justice.

The electronic systems — known as poll books — also indicated that some voters had to show identification, even though they did not.

Timeline: Foreign Efforts To Hack State Election Systems And How Officials Responded
Investigators later discovered the company that provided those poll books had been the target of a Russian cyberattack…

NPR All Things Considered Russian Cyberattack Targeted Elections Vendor Tied To Voting Day Disruptions  <read>

When people in several North Carolina precincts showed up to vote last November, weird things started to happen with the electronic systems used to check them in.

“Voters were going in and being told that they had already voted — and they hadn’t,” recalls Allison Riggs, an attorney with the Southern Coalition for Social Justice.

The electronic systems — known as poll books — also indicated that some voters had to show identification, even though they did not.

Timeline: Foreign Efforts To Hack State Election Systems And How Officials Responded
Investigators later discovered the company that provided those poll books had been the target of a Russian cyberattack…

“I became really concerned that this might be a cyberattack, some sort of cyber event,” says [Susan] Greenhalgh.

Despite NSA Claim, Elections Vendor Denies System Was Compromised In Hack Attempt
But she had trouble getting anyone’s attention. Greenhalgh says a contact she had at the U.S. Department of Homeland Security was concerned but said there was little federal officials could do unless the state requested help…

“States were very adamant about declaring their independence from the federal government with respect to the 2016 election and, of course, we respected that,” says Ferrante. “However, we wanted to make sure we were prepared and assets were available in the event that states did call us for assistance.”

North Carolina didn’t call for aid. Instead, officials assured federal authorities that things were under control and that they had switched to the paper poll books.

The problem was, on Election Day, the state was operating with limited information. It was unaware that Russian hackers had tried to break into VR Systems, which provided the poll books for 21 North Carolina counties.

It appears from the article that officials may finally be giving more scrutiny, yet the simple case is that we now have no reason to trust the claim that it was all a simple software error, that the Federal and State Governments were actually protecting us.  And it is the very type of ePollbooks the Russians may have hacked.  That is not all.

The investigation was triggered by the leak made public by the Intercept, allegedly from Reality Winner:  Report from North Carolina Makes Reality Winner Leak Far More Important  <read>

Because of the publicity surrounding the VR targeting — thanks to the document leaked by Winner — NC has now launched an investigation…

So this may be the first concrete proof that Russian hackers affected the election. But we’ll only find out of that’s true thanks to Winner’s leak.

Except she can’t raise that at trial.

Last week, Magistrate Judge Brian Epps imposed a protection order in her case that prohibits her or her team from raising any information from a document the government deems to be classified, even if that document has been in the public record. That includes the document she leaked.

The protective order is typical for leak cases. Except in this case, it covers information akin to information that appeared in other outlets without eliciting a criminal prosecution. And more importantly, Winner could now point to an important benefit of her leak, if only she could point to the tie between her leak and this investigation in North Carolina.

More voters than eligible adults? Group makes dubious claim

Our voting rolls are a genuine mess.  But that does not mean election officials are not trying. It does not mean that slews of individuals are voting illegally.

We cannot make a job impossible and then blame officials for not being able to accomplish it.

Our voting rolls are a genuine mess.  But that does not mean election officials are not trying. It does not mean that slews of individuals are voting illegally:

McClatchy story:  More voters than eligible adults? Group makes dubious claim about California <read>

California Secretary of State Alex Padilla has twice rebuffed demands for voter data from a commission created by President Donald Trump to investigate unproven claims of voter fraud last fall. Now a conservative Washington, D.C.-based legal group has threatened to sue the state over what it contends are California counties’ failure to properly maintain lists of inactive voters. The Aug. 1 letter from Judicial Watch to Padilla alleges that 11 California counties have more registered voters than their estimated populations of citizens eligible to vote. The claim was picked up Breitbart and other news sites and prompted Assemblyman Travis Allen, R-Huntington Beach, to post on Twitter, “11 counties in California have more total registered voters than citizens over the age of 18. How is this possible?” Short answer: It’s not. California voter registration stood at 19.4 million as of February. No California county is anywhere close to having more voters than its estimated number of citizens deemed eligible to vote.

Judicial Watch’s claim rests on its inclusion of “inactive voters” – people who have been removed from active rolls after a mail ballot, voter guide or other official document was returned as undeliverable – usually as a result of moving. They aren’t reflected in turnout tallies or signature-gathering requirements, don’t receive election materials, and are ignored by campaigns.

Inactive voters nevertheless underline Judicial Watch’s math suggesting that Los Angeles County has a registration rate of 112 percent, for example, or Stanislaus County has a registration rate of 102 percent. The letter cites a “failure to maintain accurate, up-to-date voter registration lists.”

Like earlier studies that showed many dead voters still on the rolls in Connecticut, it is understandable given what election officials have to work with.  We have no national ID card or ID number.  Officials register voters all the time, but there is no reasonable way of identifying voters who have moved or died, so that they can be removed from the rolls.  It is an especial challenge to cities with many low-income voters which move frequently.

We cannot make a job impossible and then blame officials for not being able to accomplish it.

BradCast DefCon: David Jefferson on hacking of almost every voting machine

As Brad says

Hopefully, what happened in Vegas does not stay in Vegas

We are not so optimistic.  We have a long history of getting excited about voting irregularities and risks, followed by officials and the general public moving on.

As Brad says

Hopefully, what happened in Vegas does not stay in Vegas

We are not so optimistic.  We have a long history of getting excited about voting irregularities and risks, followed by officials and the general public moving on. As Obama said in 2012 “We have got to fix this”. He created a solid commission that made a significant report, yet by then the country had moved on.  This time, starting before the election, we have Secretaries of the State and Homeland Security telling us there is nothing to see here. Misinformed at best, self serving propaganda at worst.  From the BradCast <read>

“That room was just crowded from morning to night,” Jefferson says, describing the room at DefCon. “And the amazing thing is that all of those successful hacks, these were by people who, most of them, had never seen a voting machine before, and certainly not the system sitting in front of them, and they had not met each other before. They didn’t come with a full set of tools that were tailored toward attacking these machines. They just started with a piece of hardware in front of them and their own laptops and ingenuity, attacking the various systems. And it was amazing how quickly they did it!”

Jefferson tells me, after all of these years, he is now seeing a major difference among the public, as well as election and elected officials (a number of whom were also in attendance), regarding the decades-long concerns by experts about electronic voting, tabulation and registration systems.

“I am seeing a kind of sea change here. For the first time, I am sensing that election officials, and the Department of Homeland Security, and the FBI, and the intelligence community, and Congress, and the press, are suddenly, after the 2016 election experience, receptive to our message that these systems are extremely vulnerable and it’s a serious national security issue. As you know, in a democracy, the legitimacy of government depends on free and fair and secure elections. And people are beginning to realize that we haven’t had those for a long time.” 

“I am seeing a kind of sea change here. For the first time, I am sensing that election officials, and the Department of Homeland Security, and the FBI, and the intelligence community, and Congress, and the press, are suddenly, after the 2016 election experience, receptive to our message that these systems are extremely vulnerable and it’s a serious national security issue. As you know, in a democracy, the legitimacy of government depends on free and fair and secure elections. And people are beginning to realize that we haven’t had those for a long time.”

He explains how hacking methods attributed by many to Russians following the 2016 elections “are the same methods that anyone on Earth could use — insiders, criminal syndicates, nation-states other than Russia, as well, or our own political partisans. The fear, of course, is that these hacking attempts will be totally undetectable. But even if they are detectable, it’s difficult often to determine who did it, whether it’s an insider, or a domestic partisan, or some foreign organization.”

He also confirms what I’ve been trying to point out since the 2016 election, that despite officials continuously claiming that no voting results were changed by anyone, be it Russia or anybody else, “they cannot know that. They simply can’t know. Certainly in those states where there are no paper ballots, such as in Georgia, for example, it’s impossible for them to know. And even in states where there are, if they don’t go back and either recount the paper ballots, or at least recount a random sample of them, no, they can’t know either.”

“Election officials have fooled themselves into believing the claims of their [private voting machine] vendors that the systems are secure from all kinds of attack. And it’s just never been true,” Jefferson argues.

Not much different than what we have all been saying for many years.  Let us hope with Brad that this time many will hear and act!

I highly recommend listening to the podcast which has much more than than Brad’s post.  The election discussion starts about 40% into the podcast.

The NEW Rob Georgia

While attention was appropriately aimed at FL and OH respectively in 2000 and 2004, Georgia perhaps remains as the most questionable state for voting integrity in the nation.  Many overlooked the questionable elections there highlighted by Bev Harris in Chapter 11 of Black Box Voting: Rob Georgia, Noun or Verb? <read>

Now we have the story on the vulnerabilities in Georgia in 2017 by Kim Zetter.  Here is her 20 minute interview on yesterday’s Fresh Air: <listen>

And her earlier extensive article at Politico:  Will the Georgia Special Election Be Hacked? <read>

“I was like whoa, whoa. … I did not mean to do that. … I was absolutely stunned, just the sheer quantity of files I had acquired,” he tells Politico Magazine in his first interview since discovering the massive security breach.

As Georgia prepares for a special runoff election this month in one of the country’s most closely watched congressional races, and as new reports emerge about Russian attempts to breach American election systems, serious questions are being raised about the state’s ability to safeguard the vote…

Be careful what you ask for. Georgia has gone from risky to even more questionable as the Secretary of State’s office is taking over the programming of the voting systems from Kennesaw State U. as the Secretary is running for Governor.

While attention was appropriately aimed at FL and OH respectively in 2000 and 2004, Georgia perhaps remains as the most questionable state for voting integrity in the nation.  Many overlooked the questionable elections there highlighted by Bev Harris in Chapter 11 of Black Box Voting: Rob Georgia, Noun or Verb? <read>

Now we have the story on the vulnerabilities in Georgia in 2017 by Kim Zetter.  Here is her 20 minute interview on yesterday’s Fresh Air: <listen>

And her earlier extensive article at Politico:  Will the Georgia Special Election Be Hacked? <read>

“I was like whoa, whoa. … I did not mean to do that. … I was absolutely stunned, just the sheer quantity of files I had acquired,” he tells Politico Magazine in his first interview since discovering the massive security breach.

As Georgia prepares for a special runoff election this month in one of the country’s most closely watched congressional races, and as new reports emerge about Russian attempts to breach American election systems, serious questions are being raised about the state’s ability to safeguard the vote…

Be careful what you ask for. Georgia has gone from risky to even more questionable as the Secretary of State’s office is taking over the programming of the voting systems from Kennesaw State U. as the Secretary is running for Governor.

Here is more on calls before the Special Election for Georgia to use a paper ballot  <read>

Join us in the Battle for the Internet

Its actually a battle for the information necessary for citizens to maintain democracy:

Battle fro the Internet: Write the FCC and contact Congress: <Battle For the Net>

Its actually a battle for the information necessary for citizens to maintain democracy:

Battle fro the Internet:  Write the FCC and contact Congress:  <Battle For the Net>

Response to ill-advised Presidential Commission risks democracy

There is much to criticize in the Trump Commission.  Yet there is no excuse for officials to unilaterally disobey the law.  There are reasons for voting lists and voting history to be public documents.  Perhaps we can providing a teaching moment.

Editor’s Note: We sent the following letter to the Hartford Courant in response to their recent editorial. They along with apparently the rest of the media opposed the Trump Commission, in our opinion, for the wrong reasons.  There is much to criticize in the Trump Commission.  Yet there is no excuse for officials to unilaterally disobey the law.  There are reasons for voting lists and voting history to be public documents.  Perhaps we can providing a teaching moment.

To the Editor,

I share the concerns for the ill-conceived Presidential Advisory Commission on Elections shared by Secretary of the State Denise Merrill, officials nationwide, and your editorial on 7/6/2017. Yet in a rush to respond to a clumsy request, the rule of law and the importance of transparent voter rolls is overlooked, at our peril.

Connecticut’s Freedom of Information law is constantly under official attack. We should never condone a unilateral act to disobey the law based on an official’s view of the requester or how they might use the data.  This is no different than the county clerk who refused to follow the law and issue marriage licenses to those she did not approve.

Voter rolls are constantly made available to both political parties. Recently a contractor for the Republican Party exposed all that data and more.  Last year data, likely including voter rolls and more, was insufficiently secured by the Democratic Party.

There is a reason government data, including voter rolls are required to be public.  Not so long ago, UConn students used that data to expose the extent to which the rolls included deceased voters. That same data was used by officials to demonstrate in a way we could verify that hardly any were associated with actual fraud. More recently those pubic rolls were used to uncover and confirm that a state representative had voted for several years and been elected based on an illegal residence.

Public voting rolls provide the only means for individuals and news organizations to independently investigate voting fraud; they provide officials with the only means to provide credible proof that fraud is limited; and for the public to trust in the related decisions by the State Elections Enforcement Commission.

 

4th of July Suggestion

As we often do, a suggested reading for the 4th of July weekend.  It has been a while since we have read the Declaration.  As we said six years ago:

This weekend is a great time to [re-]read the Declaration of Independence. We find it very inspiring to read it sometime around the 4th of July each year.  As we have discussed before, some believe that the right to vote is more fundamental than the Constitution. Here is a link to a copy for your reading <Declaration of Independence>

The Declaration of Independence asserts our rights to determine and change our form of government – without voting integrity we lose that most fundamental of rights.

“The right to vote… is the primary right by which other rights are protected” – Thomas Paine

As we often do, a suggested reading for the 4th of July weekend.  It has been a while since we have read the Declaration.  As we said six years ago:

This weekend is a great time to [re-]read the Declaration of Independence. We find it very inspiring to read it sometime around the 4th of July each year.  As we have discussed before, some believe that the right to vote is more fundamental than the Constitution. Here is a link to a copy for your reading <Declaration of Independence>

The Declaration of Independence asserts our rights to determine and change our form of government – without voting integrity we lose that most fundamental of rights.

“The right to vote… is the primary right by which other rights are protected” – Thomas Paine

Russians not the only threat to our elections

Many articles on the Congressional hearings on the “Russian” hacking or not hacking of our elections.  Brad Friedman and Mark Karlin come closet to my opinions:

Recent article by Mark Karlin referencing Brad Friedman:  Beyond the Russians, Electronic Voting Machines Are Vulnerable to Any Hackers  

Journalists and activists have been sounding the alarm about electronic voting machines and their proprietary software for years. The vulnerability of these machines to hacking has not been front and center for some time — primarily due to the failure of the corporate media and legislative bodies to take it seriously. That changed, to some extent, with the charges about Russian hacking from US intelligence agencies. However, the current emphasis is on the Russians allegedly attempting to influence the 2016 election, not on the flawed electronic voting machines that make hacking possible…

Meanwhile, our Secretary of the State continues to spread myths about the safety of voting systems not connected to the internet and “tamper-proof” seals that are at best “tamper-evident”. 

We add that paper ballots are insufficient.  They need protection from tampering.  We need sufficient audits and recounts.  Audits and recounts that are comprehensive and convincing.  Audits and recounts that are transparent and publicly verifiable.f

Many articles on the Congressional hearings on the “Russian” hacking or not hacking of our elections.  Brad Friedman and Mark Karlin come closet to my opinions:

Recent article by Mark Karlin referencing Brad Friedman:  Beyond the Russians, Electronic Voting Machines Are Vulnerable to Any Hackers   <read>

Journalists and activists have been sounding the alarm about electronic voting machines and their proprietary software for years. The vulnerability of these machines to hacking has not been front and center for some time — primarily due to the failure of the corporate media and legislative bodies to take it seriously. That changed, to some extent, with the charges about Russian hacking from US intelligence agencies. However, the current emphasis is on the Russians allegedly attempting to influence the 2016 election, not on the flawed electronic voting machines that make hacking possible…

Ironically enough today, in the U.S. Senate Intelligence Committee, top intelligence officials from the FBI and DHS testified in regard to concerns about alleged Russian manipulation of the 2016 election. Neither they, nor the elections officials who also testified today, seemed to know much of anything about the actual vulnerability of U.S. voting systems. Or, if they did, they certainly offered a whole lot of demonstrably inaccurate information about whether voting systems are connected to the Internet (they are), whether our decentralized voting and tabulation systems make it impossible to hack a  Presidential election (it doesn’t), and whether actual voting results were manipulated in the 2016 President race (they claimed that they weren’t, even while the DHS finally admitted they never actually checked a single machine or counted a single ballot to find out!)

On the other hand, one computer scientist and voting machine expert, Dr. Alex Halderman of the University of Michigan, also testified today and he actually knows what he’s talking about, because he’s personally hacked just about every voting system in use in the U.S. today, including 10 years ago when he first hacked the exact same 100% unverifiable touch-screen voting machines used in the state of Georgia during Tuesday’s Special Election for U.S. House, the most expensive such election in U.S. History. As he explained in his prepared remarks [PDF] today, 10 years ago, he “was part of the first academic team to conduct a comprehensive security analysis of a DRE [touch-screen] voting machine.” It was a Diebold touch-screen machine, the exact same type used in GA yesterday, as obtained from a source of mine and given to his crew at Princeton University at the time…

The Russian hacking makes for a profitable corporate media narrative — particularly with tweeter Trump tossing gas on the fire. However, if we are looking to secure our voting system from foul play, shouldn’t we also start paying major legislative attention to the electronic voting machines themselves?

I could hardly say it better.

Meanwhile, our Secretary of the State continues to spread myths about the safety of voting systems not connected to the internet and “tamper-proof” seals that are at best “tamper-evident”.

We add that paper ballots are insufficient.  They need protection from tampering.  We need sufficient audits and recounts.  Audits and recounts that are comprehensive and convincing.  Audits and recounts that are transparent and publicly verifiable.

Hacking voting systems is/was easy

Article in the Atlantic summarizes some of the bad news from the last couple of weeks:  There’s No Way to Know How Compromised U.S. Elections Are <read>

So let us not be complacent. Just because you do not understand something, does not mean that hundreds and thousands of others can’t easily hack it.

Article in the Atlantic summarizes some of the bad news from the last couple of weeks:  There’s No Way to Know How Compromised U.S. Elections Are <read>

While the NSA concluded the attack was carried out by the most sophisticated of hackers—the Russian military—their entry methods were relatively vanilla. They gained access to the credentials and documents of a voting system vendor via a spear-phishing attack, and then used those credentials and documents to launch a second spear-phishing attack on local elections officials, which if successful could have compromised election officials’ systems and whatever voter data they possessed.

While the NSA concluded the attack was carried out by the most sophisticated of hackers—the Russian military—their entry methods were relatively vanilla. They gained access to the credentials and documents of a voting system vendor via a spear-phishing attack, and then used those credentials and documents to launch a second spear-phishing attack on local elections officials, which if successful could have compromised election officials’ systems and whatever voter data they possessed…

The splintered digital infrastructure across and within states; the use of multiple vendors; the overlapping interfaces between municipalities, counties, and states; and the reliance on of volunteers for data entry and verification in both registration and voting mean that there are literally thousands of entry points to compromise elections in each state.

Another case study is the state of Georgia, where organizations have filed lawsuits against the state over the security of its elections in advance of the special election in the 6th Congressional District. A June 14 Politico investigation revealed just how insecure the entire system is, and how much more insecure it was in the past. Last August, cybersecurity researcher Logan Lamb probed the Kennesaw State University’s Center for Election Systems—which programs voting machines for the entire state—and found a structure that basically begged to be hacked.

It had no password protection, and was available on a public site without encryption and lacking even basic security updates. Lamb found millions of registration records, credentials for the central elections server, files for the electronic ballot equipment, and database information for the Global Election Management Systems (GEMS) used by many states for preparing ballots and counting votes. In other words, with rather basic tools that fall well outside the realm of sophisticated “hacking,” as it is known, Lamb would have had a wide-open entry point to disrupting Georgia elections last fall, had he been a malicious actor.

So let us not be complacent. Just because you do not understand something, does not mean that hundreds and thousands of others can’t easily hack it.

If [Connecticut] Voting Machines Were Hacked, Would Anyone Know?

NPR story by Pam Fessler:  If Voting Machines Were Hacked, Would Anyone Know?   Fessler quotes several experts and election officials including Connecticut Assistant Secretary of the State Peggy Reeves:

Still, Connecticut Election Director Peggy Reeves told a National Academies of Sciences, Engineering, and Medicine panel on Monday that many local election officials are ill-equipped to handle cybersecurity threats.

“Many of our towns actually have no local IT support,” she said. “Seriously, they don’t have an IT director in their town. They might have a consultant that they call on if they have an issue. So they look to us, but we’re a pretty small division.”

Reeves said the best protection against hackers is probably the fact that the nation’s voting system isso decentralized, with different processes and equipment used in thousands of different locations.

We certainly agree with that and the cybersecurity experts quoted.

NPR story by Pam Fessler:  If Voting Machines Were Hacked, Would Anyone Know? <read>  Fessler quotes several experts and election officials including Connecticut Assistant Secretary of the State Peggy Reeves:

Still, Connecticut Election Director Peggy Reeves told a National Academies of Sciences, Engineering, and Medicine panel on Monday that many local election officials are ill-equipped to handle cybersecurity threats.

“Many of our towns actually have no local IT support,” she said. “Seriously, they don’t have an IT director in their town. They might have a consultant that they call on if they have an issue. So they look to us, but we’re a pretty small division.”

Reeves said the best protection against hackers is probably the fact that the nation’s voting system isso decentralized, with different processes and equipment used in thousands of different locations.

We certainly agree with that and the cybersecurity experts quoted.