I Bought Used Voting Machines on eBay for $100 Apiece. What I Found Was Alarming.

By Brian Varner, Wired

28 October 18

n 2016, I bought two voting machines online for less than $100 apiece. I didn't even have to search the dark web. I found them on eBay.

Surely, I thought, these machines would have strict guidelines for lifecycle control like other sensitive equipment, like medical devices. I was wrong. I was able to purchase a pair of direct-recording electronic voting machines and have them delivered to my home in just a few days. I did this again just a few months ago. Alarmingly, they are still available to buy online.

If getting voting machines delivered to my door was shockingly easy, getting inside them proved to be simpler still. The tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped. The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, were not encrypted. Worse, the “Property Of” government labels were still attached, meaning someone had sold government property filled with voter information and location data online, at a low cost, with no consequences. It would be the equivalent of buying a surplus police car with the logos still on it.

My aim in purchasing voting machines was not to undermine our democracy. I'm a security researcher at Symantec who started buying the machines as part of an ongoing effort to identify their vulnerabilities and strengthen election security. In 2016, I was conducting preliminary research for our annual CyberWar Games, a company-wide competition where I design simulations for our employees to hack into. Since it was an election year, I decided to create a scenario incorporating the components of a modern election system. But if I were a malicious actor seeking to disrupt an election, this would be akin to a bank selling its old vault to an aspiring burglar.

I reverse-engineered the machines to understand how they could be manipulated. After removing the internal hard drive, I was able to access the file structure and operating system. Since the machines were not wiped after they were used in the 2012 presidential election, I got a great deal of insight into how the machines store the votes that were cast on them. Within hours, I was able to change the candidates' names to be that of anyone I wanted. When the machine printed out the official record for the votes that were cast, it showed that the candidate's name I invented had received the most votes on that particular machine.

This year, I bought two more machines to see if security had improved. To my dismay, I discovered that the newer model machines—those that were used in the 2016 election—are running Windows CE and have USB ports, along with other components, that make them even easier to exploit than the older ones. Our voting machines, billed as “next generation,” and still in use today, are worse than they were before—dispersed, disorganized, and susceptible to manipulation.

To be fair, there has been some progress since the last Presidential election, including the development of internal policies for inspecting the machines for evidence of tampering. But while state and local election systems have been conducting risk assessments, we’ve also seen an 11-year-old successfully hacking a simulated voting website at DefCon, for fun.

A recent in-depth report on voting machine vulnerabilities concluded that a perpetrator would need physical access to the voting machine to exploit it. I concur with that assessment. When I reverse-engineered voting machines in 2016, I noticed that they were using a smart card as a means of authenticating a user and allowing them to vote. There are many documented liabilities in certain types of smart cards that are used, from Satellite receiver cards to bank chip cards. By using a $15 palm-sized device, my team was able to exploit a smart chip card, allowing us to vote multiple times.

In most parts of the public and private sector, it would be unthinkable that such a sensitive process would be so insecure. Try to imagine a major bank leaving ATMs with known vulnerabilities in service nationwide, or a healthcare provider identifying a problem in how it stores patient data, then leaving it unpatched after public outcry. It just doesn’t fit with our understanding of cyber security in 2018.

Those industries are governed by regulations that outline how sensitive information and equipment must be handled. The same common-sense regulations don’t exist for election systems. PCI and HIPAA are great successes that have gone a long way in protecting personally identifiable information and patient health conditions. Somehow, there is no corollary for the security of voters, their information and, most importantly, the votes they cast.

Since these machines are for sale online, individuals, precincts, or adversaries could buy them, modify them, and put them back online for sale. Envision a scenario in which foreign actors purchased these voting machines. By reverse engineering the machine like I did to exploit its weaknesses, they could compromise a small number of ballot boxes in a particular precinct. That's the greatest fear of election security researchers: not wholesale flipping of millions of votes, which would be easy to detect, but a small, public breach of security that would sow massive distrust throughout the entire election ecosystem. If anyone can prove that the electoral process can be subverted, even in a small way, repairing the public's trust will be far costlier than implementing security measures.

I recognize that states are fiercely protective of their rights. But there’s an opportunity here to develop nationwide policies and security protocols that would govern how voting machines are secured. This could be accomplished with input from multiple sectors, in a process similar to the development of the NIST framework—now widely recognized as one of the most comprehensive cybersecurity frameworks in use.

Many of the rules we believe should be put into place are uncomplicated and inexpensive. For starters, we can institute lifecycle management of the components that make up the election system. By simply regulating and monitoring the sale of used voting machines more closely, we would create a huge barrier to bad actors.

The fact that information is stored unencrypted on hard drives simply makes no sense in the current threat environment. That they can be left on devices, unencrypted, that are then sold on the open market is malpractice.

Finally, we must educate our poll workers and voters to be aware of suspicious behavior. One vulnerability we uncovered in voting machines is the chip card used in electronic voting machines. This inexpensive card can be purchased for $15 and programmed with simple code that allows the user to vote multiple times. This is something that we believe could be avoided with well-trained, alert poll workers.

Time and effort are our main obstacles to better policies. When it comes to securing our elections, that’s a low bar. We must do better; the alternative is too scary to consider in our current environment. Through increased training, public policy, and a little common sense, we can greatly enhance the security and integrity of our electoral process.

After My Felony Conviction, I Didn't Know If I Could Vote. It Took Me 12 Years to Find Out.

By Dennis Eckhoff, Vox

28 October 18

17 million Americans with past felony convictions deserve to know their rights.

eventeen million Americans have a past felony conviction and are eligible to register to vote right now. Many of them don’t know this. Until very recently, I was one of them. The absence of voting rights education for those with past convictions has been a quietly effective method of voter suppression for decades, and it’s time for that to change.

17 million citizens is equivalent of the populations of New York City, Los Angeles, and Chicago, combined. This group must navigate their day-to-day knowing that a specter from their past will always be there in some shape or form, even after their proverbial debt to society has been paid.

Most of the restrictions for people with felony convictions are spelled out to avoid confusion — you can’t own a gun and must check the “Yes” box on job applications when asked about prior offenses.

What isn’t clear is whether or not you still have the right to vote, and the efforts to inform this massive segment of our society have ranged from paltry to needlessly vindictive.

After I completed probation, I had no idea if I had the right to vote

In the mid-2000s, I was charged with and convicted of Endangerment, a Class 6 felony in Arizona. I was sentenced in 2004 and by 2006, I had completed that sentence — all jail time served, all fines paid, all probationary requirements satisfied.

I was naive enough to believe that I had put this chapter of my life behind me — a period in which I exhibited very poor judgment and endured the consequences with humility and contrition.

After my time was served and probationary conditions were met, there were zero resources provided to help me understand my voter registration eligibility. Endless internet searches led me to obsolete state and county edicts, laws from other states that were irrelevant, and misinformation of all stripes that yielded only confusion. Whatever quasi-helpful legal advice I found inevitably led to an attorney teasing a paid consult, which wasn’t in the cards for me as a 23-year-old college student.

I also briefly considered taking my chances and attempting to cast a ballot. I had been registered since I turned 18, so I assumed that my name may still be on the voter rolls, but the fear of additional prosecution quickly ended that.

I was right to be concerned. Earlier this year, in Texas, a woman with a prior conviction ?was sentenced to five years in prison for wrongfully filling out a provisional ballot, which was never even counted. In North Carolina, a dozen citizens (the “Alamance 12”) who attempted to vote in 2016 while on probation or parole? have been charged with voting illegally and face up to two years in prison if convicted. That could have easily been me. These dissonant “letter of the law” responses to good faith acts of democracy are wildly inequitable.

States aren’t good about informing people with felony convictions about their voting rights

Felony disenfranchisement laws vary widely by state, and the states with the most confusing laws take no proactive steps to educate the public. When Alabama changed its law last year to effectively re-enfranchise tens of thousands of voters, the secretary of state ?refused to spend state resources? to help educate voters about changes to the law, allowing misinformation and confusion to spread about eligibility.

Most shockingly, several states incorrectly describe their own law on their voter registration forms and then ask the voter to attest to their eligibility under penalty of perjury. Nebraska, for instance, amended their law in 2005 to grant automatic rights restoration for those who had completed their sentence, but neglected to amend the accompanying federal voting form that stated otherwise. Earlier this year, the nonprofit Campaign Legal Center flagged this for election administrators in letters sent to six states? with inaccurate or misleading registration forms, and several have taken steps to correct them, including Nebraska.

The problem states should focus on is not further punishing confused voters with convictions, but rather simplifying a baffling maze of laws on the right to vote for that exact group. Intimidating prosecutions like the Alamance 12 and a lack of public education threaten to deter millions of eligible voters from the polls.

In Arizona, my right to vote was fully restored after all obligations related to my sentence had been fulfilled. That was in 2006. After more than a decade of fruitless searching, I found the basic education I had been seeking from a Twitter post referencing voting rights restoration that led me to ?RestoreYourVote.org. I chose my state and answered a handful of “Yes” or “No” questions, and was told that I could indeed vote.

Because of the lack of available voter education, I lost my chance to vote in the 2008, 2012, and 2016 presidential elections and so many other federal, state, and local elections. But today, I’m eligible. In fact, thanks to Arizona permitting early in-person voting, I made the quick drive to the Mesa Recorder’s Office last week to cast my first ballot since the 2000 presidential election.

I’ve long believed, despite countless opportunities to embrace a more cynical perspective, that government exists to improve the lives of citizens, but those citizens need input for our system to be truly effective. Marginalizing a major swath of our populace, whether by negligence or malice, undermines that and keeps valuable voices on the fringes of society.

Those with past convictions who have completed, or are completing, their legal obligations are US citizens who deserve to know where they stand, and states relying on obfuscation or sheer indifference to deny rights to their constituents is fundamentally wrong. It’s an incredible feeling to be welcomed back to the table of participatory democracy after being told to leave, and I hope many get to share that experience very soon.

It took me 12 years to learn whether I could engage in the most essential of American rights. 17 million others need to know today.