It’s election time, bring back paper, ink, and scales

Another day, another election hack. It’s time to get rid of those fancy online voting machines and switch to something less hackable – like paper, ink, and scales.

At the annual Defcon conference, an eleven-year-old took down a replica of the election results reporting page from the Florida Secretary of State website with a SQL injection. She did it in less than ten minutes.

Yes, this was a replica found at the Voting Machine Hacking Village – not the real thing. However, you get the idea. News of the hack – and the reportedly flawed methodology used in the Village – was completely panned by the National Association of Secretaries of State.

But according to the organizers, this part of the voting hacks was so simple, they left it to the kids to do.

How secure is my ballot?

Security of the voting process has been an issue for as long as there have been elections. The credo in Chicago used to be, “Vote early, vote often.” In this Defcon case, in addition to the SQL hacks, they also discovered a number of security issues, such as default passwords, storage of passwords in unencrypted “clear text,” and a few others, such as the ability to corrupt voter lists.

A high-tech issue

New technology antidotes to election security issues also did not do so well at Defcon. They also took a close look at Voatz, a start-up designed to strengthen voter participation through smartphone voting, with voting records stored in a blockchain. This system did get positive notes for being opt-in and for having a real-time paper ballot. However, it was criticized for its application of AWS credentials. As perfectly stated in TechCrunch, “The inefficiency of paper ballots and their handling and collation and tabulation is a feature, not a bug.”

Just weigh them ballots

It may seem horribly low-tech, but one vice principal at my high school had a novel way to count ballots. He simply had the cast ballots sorted, then he weighed them on some scales from the chemistry department. “I never have had an election that was so close where the ballots had to be counted,” said Mr. Fitzgerald. One could say that he had a dual-technology option – physically weighing the ballots and then the counting option.

The fundamental problem with programming

The problem is that the computerization of the voting process – from registration to casting ballots, to the final tallying – makes it as vulnerable as every other computerized process on your device. That means that the process needs protection from both accidents and from deliberately malicious attacks. As cryptography expert and author Bruce Schneier wrote in his blog, the best defense is to back up as much of the system as possible with paper. Yes, low-tech paper is beautiful.

More than just an American problem

The DEFCON exercise was focused on the particular infrastructure and processes in the US election process. In fact, they conclude that “Americans need the reassurance that their democracy is safe, starting at the ballot box.”

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.