Alex Halderman has clarified his earlier remarks about the integrity of the Wisconsin election. In a nutshell: voting machine security sucks; hackers played an unprecedented role in this election; there are statistical irregularities in the votes recorded on software-based touchscreen machines and the votes registered with paper ballots counted by optical scanners, so why the hell wouldn’t we check into this?
Halderman says that paper audit-tapes are the absolute best defense against malware, but they only work if we check them against vote tallies from time to time — and what better place to start than some votes that look janky?
It doesn’t matter whether the voting machines are connected to the Internet. Shortly before each election, poll workers copy the ballot design from a regular desktop computer in a government office, and use removable media (like the memory card from a digital camera) to load the ballot onto each machine. That initial computer is almost certainly not well secured, and if an attacker infects it, vote-stealing malware can hitch a ride to every voting machine in the area. There’s no question that this is possible for technically sophisticated attackers. (If my Ph.D. students and I were criminals, I’m sure we could pull it off.) If anyone reasonably skilled is sufficiently motivated and willing to face the risk of getting caught, it’s happened already.
Why hasn’t more been done about this? In the U.S., each state (and often individual counties or municipalities) selects its own election technology, and some states have taken steps to guard against these problems. (For instance, California banned the use of the most dangerous computer voting machines in 2007 as a result of vulnerabilities that I and other computer scientists found.) But many states continue to use machines that are known to be insecure — sometimes with software that is a decade or more out of date — because they simply don’t have the money to replace those machines.
Want to Know if the Election was Hacked? Look at the Ballots [J Alex Halderman/Medium]
(via Techdirt)