Here’s a glimpse of the scene at Cross Keys, where technical issues have ground voting to a standstill and officials have run out of provisional ballots. #gapol pic.twitter.com/XtezH1Qyrm

— Greg Bluestein (@bluestein) June 9, 2020

The issues have led to many people facing long waits in lines to cast their votes. But even the provisional ballot system isn’t sufficient, as some locations quickly ran out of them. “If you are in line, PLEASE do not allow your vote to be suppressed,” Atlanta mayor Keisha Lance Bottoms wrote on Twitter. “PLEASE stay in line. They should offer you a provisional ballot if the machines are not working.” Engadget has contacted the Georgia secretary of state office, which oversees local elections, for comment.

Georgia’s election security has faced intense scrutiny in recent years. Governor Brian Kemp came under fire over how he handled elections during his time as secretary of state, including accusations that he engaged in voter suppression and abused his power to steal the 2018 gubernatorial election. Last year, a federal judge ordered Georgia to update its outdated machines for the 2020 election cycle. Both of the state’s Senate seats are on the line this year.

A number of states have faced serious technical issues during this primary season. On Super Tuesday in early March, many people ran into problems with new voting machines in Los Angeles. In Iowa, an app designed to report caucus results was a complete failure. An HBO documentary that premiered in March highlighted just some of the many critical problems with America’s voting machines and fragile election system.

While the matter is of grave concern across the country, Kill Chain: The Cyber War on America’s Elections delves into problems with some specific machines and issues in certain states. For instance, back in 2005, security researcher Harri Hursti (a key figure in the film) demonstrated a memory card exploit that could alter votes on an optical scan voting machine. Those Diebold machines are still in operation in 20 states and are slated for use in November, the filmmakers note.

Elsewhere, a judge banned Georgia from continuing to use the vulnerable systems it had in place for well over a decade. In the wake of the contentious 2018 gubernatorial election, officials had new machines in place for this month’s presidential primary. While the replacements can print paper ballots, which are important for proper vote auditing, they’re still very much vulnerable as they run on Windows 7 — for which Microsoft recently ended support.

We also hear from an Indian hacker who says he was able to gain full access to Alaska’s system, including live voting data, during the 2016 presidential election. He claims he’d have been able to remove a candidate from the ballot or change any vote, but decided not to for fear of triggering some kind of alarm.

The documentary adeptly skirts the line between spelling out specific vulnerabilities and making the problems clear enough for the less technically-minded among us. It touches on many other issues related to election security, such as remote access and the case of the NSA whistleblower Reality Winner and some prominent figures weigh in, including recent presidential candidate Amy Klobuchar.

The film is effective in hammering home its message about the technical issues that pervade many US polling machines. It’s not much of a spoiler to reveal its main call-to-action: ask for a paper ballot if you’re not completely certain that your district’s electronic system is secure. Kill Chain: The Cyber War on America’s Elections premieres at 9PM ET on HBO, HBO Now and HBO Go.

The student, who is a minor and therefore must remain anonymous, submitted Andrew Walz’s information to a website called Ballotpedia, a non-profit that keeps track of American political candidates. Twitter partnered with the site last year to identify the official Twitter accounts of candidates and their campaigns. Once Ballotpedia passed Andrew Walz’s information on to Twitter, the company reached out to verify the account, despite the fact that it only had 10 followers as of February 26th. (The student says that he didn’t promote the account at all — he simply wanted to test Twitter’s verification system, rather than deceive the public.) When CNN Business reached out to Twitter for comment, the company terminated the account.

The blue verification badge is meant to assure the public that an account is legitimate and that Twitter has done its due diligence in vetting the account’s owner. Twitter even touts its verification system as a way to help users find reliable information during the election season. However, the student says that the company didn’t ask for any form of identification — it’s only stipulation was that he added a header image to the account. Both Ballotpedia and Twitter have said that they will improve their vetting processes after this slip-up. But with foreign countries actively interfering in US elections — and with US politicians oddly blocking election security measures — users should do their own research and make sure that the accounts they follow are legitimate.

What the fail

With the Pixel 4 face unlock debacle, you really can say that Google’s Android security team did not check itself before it wrecked itself. What we’re thankful for here is the BBC journalist, who probably does not have narcolepsy, but instead pretended to be asleep with his review copy of a Pixel 4 to see if its “face unlock” feature was secure.

It wasn’t.

The Pixel 4’s only biometric security option, facial recognition, unlocked the phone even if the user’s eyes were closed. Google said it would be issuing a fix… in a few months. It made us wonder if everyone at Google was okay. In response to our queries, Google said: “We’ve been working on an option for users to require their eyes to be open to unlock the phone, which will be delivered in a software update in the coming months.”

So thank you for learning how to fake naptime, Mr. BBC reporter. You may have saved a lot of ordinary users (who do not have your access and influence) a lot of sleepless nights.

A vote for sanity

Since at least 2004, voting machine hackers — ahem, election security researchers — at Def Con were treated like crazy people or conspiracy nuts (which are kind of the same thing). Usually, both. In 2016, we wrote: “the machines are so badly maintained, historically backdoored, and easily hacked that even Def Con hackers massively stress out about the voting process in their own forums and chat spaces.”

It’s a setup that should seem familiar to any horror fan. The protagonist keeps trying to warn people about some looming danger — the Necronomicon, a clown in the sewer, a possessed car. But no one believes them, so the clown, the car and the gateway-to-hell book win every time. That’s what every day is like for researchers pointing out the insane mess of voting machine and election security year after year.

That is, until this year, when a voting machine (that was not possessed, we think) was filmed by a Mississippi voter actually changing their vote in front of their eyes. That viral video made national headlines, further exposing the numerous, simultaneous issues in electronic voting machines across the state, putting the governor’s race (and more) in doubt.

So let’s give thanks for that seemingly possessed voting machine. It’s time for everyone to start believing those Def Con election security “final girls.”

FCC’d up

The story of the fake FCC commenters could really be old episode of Scooby Doo, with Old Man Jenkins in a bad monster disguise cursing those nosy kids for seeing through his obvious scam. It started in 2017 when the FCC decided to decimate the open internet by killing net neutrality and (cough) miraculously, the FCC’s website was flooded with fake comments supporting the FCC’s widely-opposed move.

Fast forward to October this year, when reports emerged proving those comments were not only fake, but the stolen identities and information of US breach victims. You can’t say no one expected that plot twist: Turns out the people whose names were used in those fake FCC comments were none too pleased about it. Let’s just be thankful that the org behind this reprehensible attempt to hack public opinion, industry group Broadband for America, used the (ahem) brain trust at Media Bridge and LCX Digital to make sure a big stinky pile of breadcrumbs lead right back to the source.

Little green fail-iens

If it turns out that Mark Zuckerberg arrived on this planet promising a better world through his janky tech and carrying around a book called “To Serve Man,” we’d be among the humans saying “I told you so.” But in a way we’re glad Facebook has been so profoundly terrible at everything, because it helps us identify the planet-sized security #fails the company has made.

Like how in April, we found out that the passwords for hundreds of millions of Facebook, Facebook Lite, and Instagram users were stored in plain text. Facebook wanted everyone to know passwords were readable and searchable “only” internally, but with nearly 40,000 full-time employees, that comfort is as cold as Uranus. It’s even more chilling knowing the company discovered this complete and utter failure at password security by way of a 2018 breach, when attackers made off with data from 50 million Facebook users via compromised account access tokens.

Thanks for being terrible, Facebook! You have revealed your intentions on our planet.

We don’t see a problem

Look. No one wants ATMs to be insecure, susceptible to viruses, or hackable by jerks who might try to take money from any unsuspecting individual.

The sad truth is that ATMs are so scattershot in their security, they’re a common theme in hacking presentations. And in organized crime there are “cashing crews” who swoop in to scoop up the Benjamins. In fact, the hacker who makes the ATM spew cash is a persistent and annoying Hollywood trope. But, for good reason: It’s real. In 2010, hacker Barnaby Jack made global headlines when he “jackpotted” ATMs on the Black Hat conference stage.

This is such a known problem, and has been going on so long that it’s hard to feel bad for ATM vendors, or their software and hardware vendors. So when we read headlines like “Malware That Spits Cash Out of ATMs Has Spread Across the World” it’s tough to feel like we’d be anything but grateful if this ongoing security blunder accidentally spit out some extra cash onto our feet this chilly holiday season.

Equifail

In the slums of our cyberpunk future, “Equifax” is the word harsh parents whisper to frighten their children into making strong, complex passwords. That’s thanks to news in October about a shareholder class-action suit over the credit reporting company’s egregious 2017 breach.

This revealed a slew of truly appalling, grossly negligent security practices. Especially, as Hot for Security reported, the use of “admin” as both username and password, “to authorize access to a portal used to manage credit disputes,” which “contained a vast trove of personal information.”

If you read the suit’s laundry list of security #fails it’s not a stretch to think of the company as both a folklore bogeyman of the American credit system, as well as cautionary-tale, monster under the bed for bad practices. We’re just grateful the headlines might’ve scared some people into following better password practices.

Keep on hackin’

not an isolated incident: pic.twitter.com/kVeKPTILT7

— Eli Wirtschafter (@RadioEli) September 2, 2019

Who forgot to secure all those electronic road signs we keep seeing hacked with messages like “THE FUTURE SUCKS”? Whoever you are, I hope you got fired, but I also have a strong urge to buy you a beer. Because in this abysmally wrong alternate timeline, I think many can agree that hackable road signs are bringing us a much-needed bit of levity right now.

The security failings of these signs are kind of two-fold. One is that they’re all issued with a default username and password, according to one manufacturer, ADDCO. If the signs were issued with a one-time password, that would be the end of warnings about “Entering bat country.”

The other #fail is that few people setting up their brand-new electronic road signs are changing those default passwords. Unless the calls are coming from inside the house, and someone working on the road crew was responsible for the sign reading “TRAPPED IN SIGN FACTORY.” In which case, let’s give thanks for anything reminding us that hacks are supposed to be fun, and people still love making each other smile.

Images: Koren Shadmi (Turkey Illustration); Chris Velazco / Engadget (Pixel 4); Mark Wilson/Getty Images (Ajit Pai); Getty Creative (ATM)

“Georgia’s current voting equipment, software, election and voter databases, are antiquated, seriously flawed, and vulnerable to failure, breach, contamination, and attack,” she wrote in her ruling. “The long and twisting saga of Georgia’s non-auditable DRE/GEMS voting system — running on software of almost two decades vintage with well-known flaws and vulnerabilities and limited cybersecurity — is finally headed towards its conclusion.”

Georgia is still using direct-recording electronic (DRE) machines with hardware and software that are well over a decade old. Even as far back as 2006, security researchers found significant flaws with the systems, which were serious enough that California decertified them for state elections.

While Georgia stuck with them until now, it already planned to send the machines out to pasture and bring in ballot-marking machines. It aims to have the new systems in place in time for the presidential primary on March 24th. However, there were concerns there might be delays in rolling out the new machines, and that the state would revert to its old touchscreen setup for the primary and possibly the presidential election in November.

Totenberg’s ruling blocks such a possibility. If Georgia can’t set up the replacement machines in time for the primary or the election, it’ll have to rely entirely on paper ballots.

A group of voters in the state, along with election integrity advocates, sued the secretary of state’s office in 2017, on the basis that the DRE machines were vulnerable to hacking. Totenberg had denied a motion to prohibit their use in the 2018 midterms. However, with regards to the latest motion, voters told the court the machines registered their votes incorrectly during last year’s tight gubernatorial election.

Georgia plans to test the new systems in a few cities during this year’s elections. However, the incoming voting machines are controversial too. Lawsuit plaintiffs say they have many of the same security vulnerabilities as the DRE system. The newer machines print out a paper ballot that includes a readout of the voter’s selection and a QR code. But because a scanner reads the code, and not plain text, voters will have to trust it faithfully represents their intended vote.

Election security, of course, will be a critical topic of discussion as the 2020 election season picks up pace, given widespread evidence that Russia hacked voter databases and systems, and attempted to manipulate the 2016 presidential poll.

Image: AP Photo/Mike Stewart

It’s likely the case that election officials who claimed their systems weren’t online didn’t know any better. “We … discovered that at least some jurisdictions were not aware that their systems were online,” Kevin Skoglund, an independent security consultant, told Motherboard.

At issue isn’t the electronic voting machines themselves, but the SFTP server and firewall that some polling places use to speedily transmit votes. Such systems are only supposed to be connected to the internet during Election Day, and then are promptly disconnected. Researchers told Motherboard that critical backend systems are connected to the firewalls. If a hacker was able to intercept the firewall, they could alter vote totals or infect voting machines with malware.

ES&S disagrees with the conclusion reached by the researchers interviewed for the story. “There’s nothing connected to the firewall that is exposed to the internet,” Gary Weber, vice president of software development and engineering for ES&S, told Motherboard.

This isn’t the first instance of ES&S running into trouble for its handling of election security. Last summer, the vendor admitted to Senator Ron Wyden (D-OR) that some of its election management systems had vulnerable remote-access tools — despite repeated denials in the past. The North Carolina Board of Elections — which uses ES&S systems — recently voted to disqualify the company’s machines for not providing an option for hand-marked ballots.