I watched all the talks, some caught my interest and I took notes.
Defcon 29 (2021) Voting Village speaker abstracts and bios
Defcon 2021, welcome to Voting Village (NO CONTENT)
https://www.youtube.com/watch?v=YIua4a_Jj-U
Hacking to Save Democracy: What Technologists Need to Know About Election Administration
Eddie Perez (OpenSourceElectionTechnology/TrustTheVote)
https://www.youtube.com/watch?v=2cmGTuepFBQ
onsite machines often use removable media for data transfer (and software update)
80% of the market is two vendors, 95% in top 3 vendors
15-year unpatched Windows 2000. LOLSOB!
separate Federal and State certifications
Federal "US Election Assistance Commission" certifier & standards org
9 vendors are certified
(~40 State rules)
Certification may be on one strict version - No updates! Not even security patches!
A Deep Dive on Vulnerability Disclosure for Election Systems
Tod Beardsley (Rapid7, Texas)
https://www.youtube.com/watch?v=BsLgWinw3Fs
security.txt tells people how to contact you for security disclosure
SEO: vulnerability disclosure security $ORGNAME
Federal "US Election Assistance Commission" certifier org
9 vendors are certified
5/9 have a 'vulnerability disclosure program'
Wireless Odyssey or why is the federal government permitting devices with wireless networking capability in federally certified voting machines?
Susan Greenhalgh
https://www.youtube.com/watch?v=0MyyW9Q3nQk
she's on a huge rant against having any wireless connectivity possibility in election devices ... and that's going to get harder as more and more things have it by default. e.g. Couldn't build with a Raspberry Pi or any common tablet. This will increase expenses!
I disagree. Software disabling of radios is enough. Nothing can turn them on from the outside. If you can get in and turn them on to enable a hack, you have already hacked the device.
A Journalist’s Perspective on Fake News
Bob Sullivan (NYT/Duke)
https://www.youtube.com/watch?v=GplLmG6JHm8
'pseudo event' news
boring.
Are Barcodes on Ballots Bad?
Kevin Skoglund
https://www.youtube.com/watch?v=jqgr488aKj4
[my hot take before listening: YES]
ES&S 2011-2014 introduction of assistive voting machine
ES&S, Dominion, Unisyn
ES&S Code128-C - 6 digit candidate identifier which maps to timing mark grid bubble coordinate
vote in barcode and vote in text
Dominion QR-code (or multiple QR codes)
QR-code binary mode, densely packed
vote bubbles are a bit stream, bit per bubble
HMAC signature
Unisyn
receipt tape
custom barcode ('compressed' vote bubble grid)
also some Code128
barcodes ARE FUD PRONE!
and unnecessary
Dominion switched from barcode to marking bubbles at Colorado request
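An added sketch (not from the talk and not any vendor's code) of the "bit per bubble plus HMAC signature" idea noted above: the bubble grid is packed into bytes, an HMAC tag is appended, and the reader rejects any payload whose tag does not verify. The key, the 12-bubble grid, the use of HMAC-SHA256 and the untruncated tag are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed values for illustration only; not any vendor's real key or layout.
DEMO_KEY = b"constructed-demo-key"
TAG_LEN = 32  # full HMAC-SHA256 tag (assumed; a real system may truncate)


def pack_bubbles(bubbles):
    """Pack a list of 0/1 bubble marks into bytes, one bit per bubble, MSB first."""
    out = bytearray((len(bubbles) + 7) // 8)
    for i, mark in enumerate(bubbles):
        if mark:
            out[i // 8] |= 0x80 >> (i % 8)
    return bytes(out)


def unpack_bubbles(data, count):
    """Inverse of pack_bubbles: recover `count` bubble marks from packed bytes."""
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(count)]


def encode_payload(bubbles, key=DEMO_KEY):
    """Barcode payload = packed bubble bits followed by an HMAC tag over them."""
    body = pack_bubbles(bubbles)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def decode_payload(payload, count, key=DEMO_KEY):
    """Verify the tag in constant time, then return the marks; None if rejected."""
    if len(payload) != (count + 7) // 8 + TAG_LEN:
        return None
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return unpack_bubbles(body, count)


if __name__ == "__main__":
    marks = [0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0]  # constructed 12-bubble ballot
    payload = encode_payload(marks)
    print(payload.hex())                         # opaque to a human reader
    print(decode_payload(payload, len(marks)))   # scanner view: marks recovered
    flipped = bytes([payload[0] ^ 0x80]) + payload[1:]
    print(decode_payload(flipped, len(marks)))   # one bit changed -> None
```

The tag lets the scanner detect a payload altered by anyone without the key, but the hex string stays unreadable to the voter, so the printed text remains the only part a person can check.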
Hack the Conspiracies
Barb Byrum (County Clerk of Ingham County Michigan)
https://www.youtube.com/watch?v=M2nKLZu8_R8
~1500 local election regimes in Michigan
rundown of bogus election FUD
Kickoff Remarks (recorded in-person in Las Vegas)
Harri Hursti
https://www.youtube.com/watch?v=CzTko6PzI64
Inventory of hardware they had on hand to take apart and hack
Keynote Remarks
Commissioner Thomas Hicks
https://www.youtube.com/watch?v=LJ2Z--ONVDk
EAC
Secrets of Social Media PsyOps
BiaSciLab
https://www.youtube.com/watch?v=6pse_lOyT14
How to Weaponize RLAs to Discredit an Election
Carsten Schürmann
https://www.youtube.com/watch?v=z8yUes4Uyg4
a surprisingly small number of ballots can be sampled to validate an election. This could be a source of FUD.
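An added worked example (not from the talk) of why the sample can be so small, using the BRAVO ballot-polling test of Lindeman, Stark and Yates as the assumed RLA method: the expected sample size depends on the reported margin and the risk limit, not on how many ballots were cast. It assumes a two-candidate contest with no invalid ballots; the samples in the demo are constructed.

```python
import math


def _check_share(winner_share):
    if not 0.5 < winner_share < 1.0:
        raise ValueError("reported winner share must be in (0.5, 1)")


def bravo_asn(winner_share, risk_limit):
    """Approximate average number of ballots BRAVO examines when the
    reported winner share is correct (two candidates, no invalid ballots)."""
    _check_share(winner_share)
    z_w = math.log(2 * winner_share)        # log-weight of a winner ballot
    z_l = math.log(2 * (1 - winner_share))  # log-weight of a loser ballot
    drift = winner_share * z_w + (1 - winner_share) * z_l
    return (math.log(1 / risk_limit) + z_w / 2) / drift


def bravo_audit(sample, winner_share, risk_limit):
    """Sequential test over sampled ballots, each 'W' or 'L' (others skipped).

    Returns (confirmed, ballots_examined). confirmed=False means the sample
    ran out before reaching the risk limit: escalate, up to a full hand count.
    """
    _check_share(winner_share)
    threshold = 1 / risk_limit
    ratio = 1.0
    for n, ballot in enumerate(sample, start=1):
        if ballot == "W":
            ratio *= 2 * winner_share
        elif ballot == "L":
            ratio *= 2 * (1 - winner_share)
        if ratio >= threshold:
            return True, n
    return False, len(sample)


if __name__ == "__main__":
    # Expected sample size at a 10% risk limit for three reported shares.
    for share in (0.51, 0.55, 0.60):
        print(share, round(bravo_asn(share, 0.10)))
    # Constructed samples: an all-winner run, then a dead-even one.
    print(bravo_audit(["W"] * 100, 0.55, 0.10))
    print(bravo_audit(["W", "L"] * 200, 0.55, 0.10))
```

A dead-even sample never reaches the threshold against a reported 55% share, so the audit escalates instead of confirming the outcome.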
High Turnout, Wide Margins
Brianna Lennon, Eric Fey
https://www.youtube.com/watch?v=JB0eDqriQMk
elections officials run a podcast about how elections work
https://anchor.fm/highturnoutwidemargins
Keeping Your Information Security Policy Up to Date
Sang-Oun Lee (Chicago election official)
https://www.youtube.com/watch?v=nIW-HHIumVk
Social Media Security = Election Security
Sebastian Bay (Swedish Defense cybersecurity)
https://www.youtube.com/watch?v=6Xl9lopy_Uo
For only 300 euros they were able to buy fake engagement on social media platforms and drive up their message.
fb getting better
twitter best at anti-abuse
instagram much easier to manipulate than fb
tiktok is the newb, easiest to manipulate, might be getting better
New Hampshire SB43 Forensic Audit
Harri Hursti
https://www.youtube.com/watch?v=YSHQK2zZxwk
Windham, NH election Audit May-June 2020
Many systems with published vulnerabilities from 2007 are still in use in 2020.
Many NH elections are hand counted! (smaller towns)
300 vote discrepancy between machine and hand recount (out of ~10,000 total votes). Weird partisan pattern in that gap. Race was 8 candidates, pick 4.
AccuVote optical scan (very old). Totally weird 80186 embedded system. ~143 kB for kernel and app. (security through obsolescence?)
two hand counts agree, 4 different machines get varying results.
In a few races, machines consistently under-recognize votes
(Some scanners have built in 'features' like punch-hole-removal that can screw with ballot scanning!)
mailing out vote-by-mail ballots through a paper folding machine
folds across bubbles cause misread
ballots re-counted 6 months later counted better because they had been flat in stacks
'offset printing powder' fouled a ballot scanning machine
extensive check of tech hacking found none; just physical oops screwups.
Why Hacking Voters Is Easier Than Hacking Ballots
Maurice Turner
https://www.youtube.com/watch?v=4F5noztGSFw