Tuesday, August 10, 2021

Defcon 29 (2021) Voting Village notes

I watched all the talks, some cought my interest and I took notes.

Defcon 29 (2021) Voting Village speaker abstracts and bios


Defcon 2021, welcome to Voting Village (NO CONTENT)

https://www.youtube.com/watch?v=YIua4a_Jj-U


Hacking to Save Democracy: What Technologists Need to Know About Election Administration

Eddie Perez (OpenSourceElectionTechnology/TrustTheVote)

https://www.youtube.com/watch?v=2cmGTuepFBQ

onsite machines often use removable media for data transfer (and software update)

80% of the market is two vendors, 95% in top 3 vendors

15-year unpatched windows 2000. LOLSOB!

separate Federal and State certifications

Federal "US Election Assistance Comission" certifier & standards org

9 vendors are certified

(~40 State rules)

Certification may be on one strict version - No updates! Not even security patches!

trustthevote.org/EA-resources

A Deep Dive on Vulnerability Disclosure for Election Systems

Tod Beardsley (Rapid7, Texas)

https://www.youtube.com/watch?v=BsLgWinw3Fs

security.txt tells people how to contact you for security disclosure

SEO: vulnerability disclosure security $ORGNAME

Federal "US Election Assistance Comission" certifier org

9 vendors are certified

5/9 have a 'vulnerability disclosure program'

Wireless Odyssey or why is the federal government permitting devices with wireless networking capability in federally certified voting machines?

Susan Greenhalgh

https://www.youtube.com/watch?v=0MyyW9Q3nQk

she's on a huge rant against having any wireless connectivity possibility in election devices ... and that's going to get harder as more and more things have it by default. e.g. Couldn't build with a Rasberry Pi or any common tablet. This will increase expenses!

I disagree. Software disabling of radios is enough. Nothing can turn them on from the outside. If you can get in and turn them on to enable a hack, you have already hacked the device.

A Journalist’s Perspective on Fake News

Bob Sullivan (NYT/Duke)

https://www.youtube.com/watch?v=GplLmG6JHm8

'psuedo event' news

boring.

Are Barcodes on Ballots Bad?

Kevin Skoglund

https://www.youtube.com/watch?v=jqgr488aKj4

[my hot take before listening: YES]

ES&S 2011-2014 introduction of assistive voting machine

ES&S, Dominion, Unisyn

ES&S Code128-C - 6 digit candidate identifier which maps to timing mark grid bubble coordinate

vote in barcode and vote in text

Dominion QR-code (or multiple QR codes)

QR-code binary mode, densely packed

vote bubbles are a bit stream, bit per bubble

HMAC signature

Unisyn

receipt tape

custom barcode ('compressed' vote bubble grid)

also some Code128

barcodes ARE FUD PRONE!

and unneccessary

Dominion switched from barcode to marking bubbles at Colorado request

Hack the Conspiracies

Barb Byrum (County Clerk of Ingham County Michigan)

https://www.youtube.com/watch?v=M2nKLZu8_R8

~1500 local election regimes in Michigan

rundown of bogus election FUD

Kickoff Remarks (recorded in-person in Las Vegas)

Harri Hursti

https://www.youtube.com/watch?v=CzTko6PzI64

Inventory of hardware they had on hand to take apart and hack

Keynote Remarks

Commissioner Thomas Hicks

https://www.youtube.com/watch?v=LJ2Z--ONVDk

EAC

Secrets of Social Media PsyOps

BiaSciLab

https://www.youtube.com/watch?v=6pse_lOyT14

How to Weaponize RLAs to Discredit an Election

Carsten Schürmann

https://www.youtube.com/watch?v=z8yUes4Uyg4

a surprisingly small number of ballots can be sampled to validate an election. This could be a source of FUD.

High Turnout, Wide Margins

Brianna Lennon, Eric Fey

https://www.youtube.com/watch?v=JB0eDqriQMk

elections officials run a podcast about how elections work

https://anchor.fm/highturnoutwidemargins

Keeping Your Information Security Policy Up to Date

Sang-Oun Lee (Chicago election official)

https://www.youtube.com/watch?v=nIW-HHIumVk

Social Media Security = Election Security

Sebastian Bay (Swedish Defense cybersecurity)

https://www.youtube.com/watch?v=6Xl9lopy_Uo

For only 300 euros they were able to buy fake engagement on social media platforms and drive up their message.

fb getting better

twitter best at anti-abuse

instagram much easier to manipulate than fb

tiktok is the newb, easiest to manipulate, might be getting better

New Hampshire SB43 Forensic Audit

Harri Hursti

https://www.youtube.com/watch?v=YSHQK2zZxwk

Windham, NH election Audit May-June 2020

Many systems with published vulnerabilities from 2007 are still in use in 2020.

Many NH elections are hand counted! (smaller towns)

300 vote discrepancy between machine and hand recount (out of ~10,000 total votes). Weird partisan pattern in that gap. Race was 8 candidates, pick 4.

AccuVote optical scan (very old). Totally weird 80186 embedded system. ~143 kB for kernel and app. (security through obsolescence?)

two hand counts agree, 4 different machines get varying results.

In a few races, machines consistently under-recognize votes

(Some scanners have bulit in 'features' like punch-hole-removal that can screw with ballot scanning!)

mailing out vote-by-mail ballots through a paper folding machine

folds across bubbles cause misread

ballots re-counted 6 months later counted better because they had been flat in stacks

'offset printing powder' fouled a ballot scanning machine

extensive check of tech hacking found none; just physical oops screwups.

Why Hacking Voters Is Easier Than Hacking Ballots

Maurice Turner

https://www.youtube.com/watch?v=4F5noztGSFw


No comments: