Invit­ing hack­ers to at­tack vote ma­chines

L.A. County of­fi­cials hope new Defcon chal­lenge will help ex­pose vul­ner­a­bil­i­ties in elec­tion equip­ment as they plan a sys­tem change

Los Angeles Times - - BUSINESS - By Jill Leovy

Lo­cal elec­tion of­fi­cials are look­ing for some good hack­ers.

As part of an ef­fort to cre­ate a new vot­ing sys­tem, Los Angeles County com­puter spe­cial­ists are headed this week to Defcon, one of the world’s largest hack­ing con­ven­tions, where at­ten­dees will try to com­pro­mise a new tar­get — vot­ing equip­ment.

County Regis­trar-Recorder Dean C. Lo­gan said he hopes Defcon’s new Vot­ing Vil­lage will give his staff more to worry about as they work to re­vamp the way Los Angeles County votes.

Defcon, which draws 20,000 par­tic­i­pants to Las Ve­gas yearly, has set aside a space this year for hack­ers to pick apart vot­ing ma­chines, as­sail voter-reg­is­tra­tion data­bases and carry out mock at­tacks on var­i­ous vot­ing pro­cesses from around the coun­try.

In time-hon­ored Defcon style, some will play of­fense and some will play de­fense, and the point is to ex­pose vul­ner­a­bil­i­ties.

Defcon founder and Chief Ex­ec­u­tive Jeff Moss, known by the on­line moniker Dark Tan­gent, said he and fel­low Defcon plan­ners have spent months buy­ing vot­ing equip­ment on EBay to pre­pare for the event.

He said he hopes the Vot­ing Vil­lage will spur new in­ter­est in prob­lems in U.S. elec­tion sys­tems.

“Hack­ers are al­ways look­ing for some­thing new to play with,” said Moss, who seemed al­most to be rub­bing his hands. “It’s go­ing to be such a rich area!”

The event comes at a mo­ment of height­ened in­ter­est in pos­si­bil­i­ties for elec­tion tam­per­ing.

Amer­i­can in­tel­li­gence of­fi­cials re­leased an as­sess­ment in Jan­uary say­ing that, al­though the vote count was not af­fected, Rus­sian-gov­ern­ment hack­ers in­ter­fered in the 2016 na­tional elec­tion. The re­port said they hacked Demo­cratic Na­tional Com­mit­tee net­works and of­fi­cials’ emails and se­lec­tively leaked ma­te­rial in an ef­fort to dam­age Demo­cratic can­di­date Hil­lary Clin­ton.

Rus­sian hack­ers had gained ac­cess to state and lo­cal elec­toral boards in an ef­fort to learn about their pro­cesses and equip­ment, ac­cord­ing to the as­sess­ment, and Krem­lin-linked sources pushed neg­a­tive sto­ries about Clin­ton’s health and char­ity. In ad­di­tion, the sources spon­sored so­cial me­dia cam­paigns to am­plify scan­dals about her and mar her can­di­dacy.

Last month, Home­land Se­cu­rity of­fi­cials went even fur­ther, say­ing the FBI had found ev­i­dence that Rus­sian-backed hack­ers had pen­e­trated elec­tion sys­tems in 21 states in 2016, in­clud­ing Illi­nois and Ari­zona.

Se­cu­rity ad­vo­cates are “very, very wor­ried” about hack­ers’ next moves, said Bar­bara Simons, a San Fran­cisco com­puter sci­en­tist who leads Ver­i­fied Vot­ing, a non­profit elec­tion-se­cu­rity ad­vo­cacy group.

Simons, who will open the Defcon event Fri­day at Cae­sars Palace, said she hopes to use the oc­ca­sion to kick off her group’s na­tional aware­ness cam­paign about “our bro­ken vot­ing sys­tem” and re­quire voter-marked pa­per bal­lots na­tion­ally.

Los Angeles County of­fi­cials, mean­while, are years into a $15-mil­lion ef­fort to de­velop what they call a new “vot­ing ex­pe­ri­ence” to re­place the card-and-sty­lus sys­tem now in use be­cause, they say, it’s too hard to re­place bro­ken parts on the old sys­tem, and too hard to adapt it to re­forms aimed at mak­ing vot­ing eas­ier.

They have pro­posed a re­place­ment that fea­tures a pro­to­type elec­tronic, touch­screen bal­lot marker and an open-source soft­ware plat­form for tal­ly­ing. A pi­lot pro­gram will be in vot­ers’ hands next year, and all county vot­ers may be switched to the new sys­tem as early as 2020.

In con­cept, L.A. County’s plans dove­tail with what se­cu­rity ad­vo­cates such as Simons have been call­ing for — in part be­cause they pre­serve the pa­per bal­lot.

Pa­per bal­lot­ing may seem anachro­nis­tic. But in the new world of ram­pant cy­ber-in­se­cu­rity, pa­per is al­most seen as cut­ting edge. “Pa­per is a very good thing,” said Simons, whose group also ad­vo­cates manda­tory au­dits of com­puter tal­lies.

Lo­gan, the regis­trar, said pa­per bal­lots are key to keep­ing the pro­posed sys­tem se­cure and con­vinc­ing vot­ers to trust it. Af­ter us­ing the touch screen, he said, vot­ers will be able to ex­am­ine their printed bal­lot and place the card in a box by hand, he said.

The pro­posed switch to open-source tal­ly­ing soft­ware also ref lects cur­rent se­cu­rity think­ing, Lo­gan said.

Open-source sys­tems don’t rely on se­cret, pro­pri­etary code. And al­though they aren’t im­mune to in­tru­sions of ma­li­cious code, “you have a bet­ter chance of find­ing it than with pro­pri­etary code,” Simons said.

De­spite the plau­dits the county’s vot­ing re­form ef­fort has won — it was a semi­fi­nal­ist for a Har­vard gov­ern­ment award — Lo­gan said he wants the pro­posed sys­tem to face even tougher tests.

En­ter Defcon, with its whiff of out­law cred­i­bil­ity and its demo­cratic style of fer­ret­ing out the lat­est com­puter break-in tech­niques.

“There is a past his­tory in the elec­tion com­mu­nity ... to kind of re­sist this kind of event,” Lo­gan said. “But we need to em­brace this. We need to know what the threats are.”

Lo­gan said it’s too early to send the county’s proofof-con­cept for a new elec­tion sys­tem to Defcon, but that’s in the works for next year.

For now, three spe­cial­ists plan to go — all of whom are in­volved in re­view­ing the pro­posed new vot­ing sys­tems. They aim to learn how to bet­ter de­tect, and de­fend against, hacks, Lo­gan said. They’ll be on the look­out for hack­ers with what he called “hands-on” ex­pe­ri­ence. Lo­gan plans to in­vite the hack­ers to at­tack the pro­posed sys­tem as a test down the line — to “kick the tires,” as he put it.

Moss, the Defcon founder, said the idea for the Vot­ing Vil­lage grew out of con­ver­sa­tions with fel­low re­searchers af­ter the 2016 na­tional elec­tion and hack­ing con­tro­versy.

As he talked to cod­ing ex­perts and dug up aca­demic stud­ies, he said he was struck by how lit­tle had been done to put man­u­fac­tur­ers’ equip­ment-safety claims to the test.

In par­tic­u­lar, he said there’s been a dearth of re­cent stud­ies of com­plete, end-to-end elec­tion sys­tems.

Tight pro­pri­etary con­trol of back-end soft­ware makes it dif­fi­cult to sim­u­late such sys­tems, he said. So this year’s Defcon at­ten­dees will have to set­tle for dis­man­tling pieces of them.

Or­ga­niz­ers have col­lected 25 pieces of elec­tion equip­ment, most of which is still used. Pa­per will not be spared: poll books and the punch-card sys­tems, whose am­bigu­ous hang­ing chads caused headaches in the Ge­orge W. Bush-Al Gore pres­i­den­tial race in 2000, will be on hand and ready to be preyed upon.

Defcon draws soft­ware spe­cial­ists and me­chan­i­cal hack­ers — lock pick­ers, for ex­am­ple. So code-based and ana­log sys­tems will get a work-over, Moss pre­dicted.

Moss said he hopes to get elec­tion of­fi­cials and cy­ber­se­cu­rity re­searchers talk­ing, and he’s seek­ing a com­plete sim­u­lated elec­tion sys­tem for Defcon’s elec­tion event next year.

The de­fi­cien­cies of ex­ist­ing sys­tems are se­ri­ous, Moss said.

“But it’s not an in­sur­mount­able prob­lem,” he said. “The prob­lems are mostly hu­man prob­lems, like not hav­ing re­sources, or do­ing some­thing be­cause it’s new, not be­cause it’s bet­ter.”

Chris­tian Science Mon­i­tor

PLAN­NERS of Defcon, an an­nual event for hack­ers, have spent months col­lect­ing vot­ing ma­chines for hack­ers to work on. Above, code is dis­played last year at the Black Hat cy­ber­se­cu­rity conference.

Ir­fan Khan Los Angeles Times

DEFCON FOUNDER and Chief Ex­ec­u­tive Jeff Moss said he hopes the Vot­ing Vil­lage will spur new in­ter­est in prob­lems in U.S. elec­tion sys­tems. Above, vot­ers cast their bal­lots in Novem­ber at the Watts Tow­ers Arts Cen­ter.

Ir­fan Khan Los Angeles Times

L.A. COUNTY of­fi­cials have pro­posed a re­place­ment sys­tem that fea­tures a pro­to­type elec­tronic, touch­screen bal­lot marker and an open-source soft­ware plat­form for tal­ly­ing. Above, vot­ers in Kore­atown in June.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.