A feature, not a bug.
The FTP server in Wisconsin required a password. Kentuckyâs didnât.
Bradford Queen, a spokesman for Kentuckyâs secretary of state, declined to say if running an FTP server was problematic.
This is actually how a lot of âhackingâ gets accomplished. To stupidity and beyond!
Since the article didnât mention, FTP stands for File Transfer Protocol. And any operating system or sysadmin worth its salt has this service disabled by default.
I swear that they told us that our evoting machines are never on the internet and canât be accessed. I hope thatâs true.
This is up or downstream of the voting machines. So, potentially a bigger problem.
computer servers that powered Kentuckyâs online voter registration and Wisconsinâs reporting of election results
Itâs not just that the files can be accessed (which is after all what FTP is for). If theyâre using FTP outgoing, itâs possible/plausible that theyâre using it incoming, which would mean that an attacker could (re)place files on the serve. If the FTP server is not fully up to date, it could also have vulnerabilities that would let an attacker gain control of that machine and potentially other machines on the stateâs internal networks. Thereâs no transparency about any of this, so itâs tempting to assume the worst.
Yeah I got that it was servers. I just guess Iâm not tech savvy enough to know how that impacts a closed voting system.
I think I get it now. Thanks.
As someone pointed out in 2016âŚ
Electronic voting machines are not âconnectedâ to the internet - they are âloadedâ with the ballot by the various entities in charge of the machines. This ballot is prepared by local entities - because while it may be a ânationalâ election - local entities need to add local elections and ballot measures.
So somewhere in a local office - a person is preparing the ballot to be loaded onto the machine.
They use a computer to do that.
THAT computer IS âconnected to the internetâ.
SO itâs possible to penetrate the local election office computers that prepare the ballot - and initiate a virus.
THAT virus - travels to the voting machine - via the thumbdrive or however the slate is loaded onto the machine.
So yeah - take heart - eVoting machines are ânotâ connected to the internet.
This is what keeps me awake at night.
Thatâs all possible. but it would be far more effective to hack the statewide results rather than hundreds of county election boards. That why this is so dangerous, it makes election fraud much much easier than it was previously.
Thanks for that - sorta. hahahaha
A huge problem. If you wanted to suppress the votes of, say, a predominantly minority district, you hack your way into the server that maintains those voter registration data, change a few flags, and bobâs your uncle, 20 - 40% of those registered voters are suddenly unregistered.
Pros and Cons to both approaches. (I mean that in the worst possible way)
An attack directly on a statewide results is easier - yes - only one target.
But an attack on the software IN the machine would be harder to find. A single line of code could be written to change âevery fifth voteâ for this candidate - to that candidate for instance. Hell it could even stop doing it after a certain time.
Recall that the machines from the 2018 election were NEVER forensically examined. They never opened the machines to check to see if the code had been altered. They were only âcursorilyâ inspected. âA vote for X shows up as X - okay, itâs workingâ
Thereâs a reason why there was never a deep dive into the code after the elections. âThere is no evidence results were changed.â - Well, no there is no evidence. You donât get evidence if you donât look for it. And to be fair âevidence of tally being changedâ - is a bit of a misnomer.
We see reports now of votes being âflippedâ by machines in Texas. And the state is doing⌠what, about it?
Lest we forget.
True. And while itâs a problem, the irony is that because we have a bunch of state elections, not a real national one, the way to âhackâ a national election is to hack the media. Which is precisely what the Russians came up with.
âFTP is a 40-year-old protocol that is insecure and not being retired quickly enough,â said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security.
Todayâs geek trivia: The File Transfer Protocol (FTP) is actually even older than Mr. Hall thinks. It is literally one of the oldest protocols on the Internet, first documented in 1971.
No, thatâs not a typo.
Nineteen seventy one. Nixonâs first term. It was one of the first major protocols defined on the ARPAnet, so FTP predates the Internet as we know it.
And yeah, it is quite insecure by todayâs standards.
Hacking social media is one way - some would say the easiest. Itâs the one that seems most apparent - at this time.
But the fact that they DID breach local/state election offices âwithout apparently changing voter rolesâ - means they were moving on more than one front. Like any self respecting intelligence agency would do.
Quite insecure? I think any protocol that:
a) Typically has anonymous access enabled by default
b) Sends username and password in plain text
Is as insecure as can be imagined.
When I saw âFTPâ my first thought was âWelcome to 1996.â I wonder if they have GOPHER enabled on their network.
I remember it from when I was a freshman in college, and we were literally using punch cards to program in FORTRAN.
ETA: At least in some cases, âsecurityâ was the necessity of calling the computer operators on the other end to have them manually set up the connection to your machine.
Thank you!