I hate writing about this, but I wouldn’t feel the need to do so if we took the integrity of the vote seriously. This is awful (boldface mine):
A 29-year-old former cybersecurity researcher with the federal government’s Oak Ridge National Laboratory in Tennessee, Lamb, who now works for a private internet security firm in Georgia, wanted to assess the security of the state’s voting systems. When he learned that Kennesaw State University’s Center for Election Systems tests and programs voting machines for the entire state of Georgia, he searched the center’s website.
“I was just looking for PDFs or documents,” he recalls, hoping to find anything that might give him a little more sense of the center’s work. But his curiosity turned to alarm when he encountered a number of files, arranged by county, that looked like they could be used to hack an election. Lamb wrote an automated script to scrape the site and see what was there, then went off to lunch while the program did its work. When he returned, he discovered that the script had downloaded 15 gigabytes of data.
“I was like whoa, whoa. … I did not mean to do that. … I was absolutely stunned, just the sheer quantity of files I had acquired,” he tells Politico Magazine in his first interview since discovering the massive security breach.
He wasn’t even trying to break in.
This is bad, really bad:
Within the mother lode Lamb found on the center’s website was a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.
The files were supposed to be behind a password-protected firewall, but the center had misconfigured its server so they were accessible to anyone, according to Lamb. “You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb says.
No, wait, this is really bad:
And there was another problem: The site was also using a years-old version of Drupal — content management software — that had a critical software vulnerability long known to security researchers. “Drupageddon,” as researchers dubbed the vulnerability, got a lot of attention when it was first revealed in 2014. It would let attackers easily seize control of any site that used the software. A patch to fix the hole had been available for two years, but the center hadn’t bothered to update the software, even though it was widely known in the security community that hackers had created automated scripts to attack the vulnerability back in 2014.
Lamb was concerned that hackers might already have penetrated the center’s site, a scenario that wasn’t improbable given news reports of intruders probing voter registration systems and election websites; if they had breached the center’s network, they could potentially have planted malware on the server to infect the computers of county election workers who accessed it, thereby giving attackers a backdoor into election offices throughout the state; or they could possibly have altered software files the center distributed to Georgia counties prior to the presidential election, depending on where those files were kept.
The center has played a critical role in the state’s elections for more than a decade, not only by testing the touch-screen voting machines used throughout the state and maintaining the software that’s used in the machines, but also by providing support for the GEMS servers that tabulate votes and creating and distributing the electronic ballot definition files that go into each voting machine before elections. These files tell the machines which candidate should receive a vote based on where a voter touches the screen. If someone were to alter the files, machines could be made to record votes for the wrong candidate. And since Georgia’s machines lack a proper paper trail — which would allow voters to verify their choices before ballots are cast and could also be used to compare against electronic tallies during an audit — officials might never know the machines recorded votes inaccurately. There have been no public reports indicating that this has ever happened in Georgia, but computer security experts say it’s not clear officials would be able to uncover this even if they tried.
The center also distributes the voter registration list to counties for use on their ExpressPoll pollbooks; if attackers were to delete voter names from the database stored on the center’s server or alter the precinct where voters are assigned, they could create chaos on Election Day and possibly prevent voters from casting ballots. This is not an idle concern: During the presidential election last year, some voters in Georgia’s Fulton County complained that they arrived to polls and were told they were at the wrong precinct. When they went to the precinct where they were redirected, they were told to return to the original precinct. The problem was apparently a glitch in the ExpressPoll software.
Being able to hack the GEMS system is the most disturbing piece, as that would directly alter the vote counts–and there’s no paper trial.
There’s more in the article, such as the technology really isn’t supported anymore. That could be a problem too.
This is no way to run a democracy.