The media (both professional and social) have been full of news for the last week about an 11-year-old hacking election websites at this year's DEF CON conference. They tell a story - but it's incomplete and misleading. Let's explore why.
The annual DEF CON conference is an interesting beast. It is part serious whitehat hacker conference, part full-party, and contains just enough of the blackhat hacker to keep it interesting. Last year's conference included a Voting Machine Village which attempted (quite successfully) to hack 25 different voting machines. The resulting paper received awards and was considered an alarming report on the security of voting machines (although this was somewhat controversial since some of the hacks required levels of physical access to the machines that were unlikely in the real world). No matter what one's opinion, this work verified that voting machine security has quite a lot of room for improvement.
This year's event also included some events for kids by a group called r00tz Asylum (Formerly DEF CON Kids). At the kids events they're taught a wide range of hacking skills from soldering to exploiting websites, all with an emphasis on ethics. This is great, and I hope that kids continue to be involved in the hacking world, because we're going to need them. By nature software is always imperfect, and in its imperfection often carries security vulnerabilities. Anyone who sits through their interminable computer updates every month is aware of how many issues computers have that need to be perenially patched. Hackers young and old root those out, much more often in a desire to get them fixed than a desire to do evil. Let's hear it for ethical hackers.
So - what's my beef here? It's mostly with the journalistic response to this news, and the desire to build clickbait articles around cybersecurity issues. In this case, in particular, it has been irresistable. A young girl breaks into Secretary of State websites and changes the winners of the elections? Click gold. But the truth is more complicated.
The goal of this exercise for kids was largely to teach them about some simple website vulnerabilities, and how they can be exploited. Don't get defensive about this, many websites have security vulnerabilites. Sometimes they're not known. Sometimes they are known but have not been fixed. These are by far the most dangerous because people who know about these issues and want to hack them in bad ways tend to know about the issues well before the system administrators do. Or at best, at exactly the same time. This makes life for those of us who take care of these systems an "interesting" job.
But the story being derived from this and put into the media is to some extent misleading and missing the point. The kids at DEF CON hacked web sites that were specially built to look like Secretary of State sites around the country. They were also built with known security flaws that the kids could exploit during the conference. There's nothing wrong with any of that as a teaching exercise. But it's an exercise that does not necessarily have much to do with the real world, because these were sites that were built explicitly to be hackable. And the kids were given a quick course on how to exploit them. Reportedly the sites had SQL Injection flaws. God knows, SQL Injection vulterabilities are common enough on websites, and are exploited on a daily basis. I've regularly taken on sites for clients that have not had code updates in their infrastructure for years, and may have hundreds of known security issues. So this happens and lots of sites have issues, as witnessed by breaches of confidential information, site defacements, and other issues.
My guess is that most states have election sites that are much more secure than average. At least I hope that is the case. We do not know what the security issues were in these replica sites, exactly, or of they correspond to any real flaws in any actual election sites. And the organizers have not been forthcoming with details. This seems like a phenomonal lack of transparency from a group that is intending to promote more security on election sites. Let's see the work. And I hope that if they do know of flaws in actual sites, that they have reported them to the agencies involved. If they do know of actual flaws in the sites, it begs the question - how do they know?
As I explained to a friend the other day, from what we actually know about this, it's as if I
- Built walls around my house to make it look like Fort Knox.
- Changed my locks to be easily picked.
- Put up a sign that said "Break in - Expensive stuff inside"
- Gave the gathered crowd a quick lesson in picking locks.
- Watched the breakins happen.
- Somehow got the press to write articles saying that 11-year-olds can break into Fort Knox.
Maybe 11-year-olds can break into Fort Knox, but it would be surprising. In general I don't really have a problem with the organizers of the exercise (other than their not being transparent about what really happened). I do have a problem with the news that has come out of the conference, which seems to have no level of skepticism at all, and has by and large bought the story hook, line, and sinker, and promoted it as a clickbait headline. I applaud the attempt to teach kids real-world skills in security and hacking in general. But my issue here is that we are suddenly all looking at election websites as the big vulnerability. Part of the supposition here that surprises me is the idea that a state would run an election, declare a winner, and then not notice that their website changed the victor??? Actually many states do not publish election results on election night (including Wisconsin) and leave that reporting to news media. Usually they only publish the results after they become official.
People are notoriously bad at judging security risks and acting appropriately. 9/11 happened and since then we need to take off our belts and shoes, throw away our shampoo, and get scanned. While I am certain the most useful security measure to come out of all of this was the simple (and I think obvious) measure of securing the pilot compartment on planes. None of the rest of the measures make me feel any more secure.
Likewise, with elections? I don't think we should keep reacting to individual stories, but really need to develop a nationwide consistent strategy. This is difficult because we have always worked on the theory that elections are local. The federal government may provide money for election security, but often has little to say about how it should be spent. I think it's very clear that the vulnerabilities here are not in the dramatic news stories from hacking conferences, but in the day-to-day boring business of running elections. States and municipalities around the country have wildly different practices re: post-election audits, for example. Many places use voting equipment that is years old and getting crankily unreliable. Parts of the country use voting machines that produce no paper trail.
As a matter of transparency, I need to point out that I have consulted to the Wisconsin Elections Commission and have done work on some of their public-facing information sites.
The video attached to this article is by one of the founders of r00tz Asylum, explaining why teaching hacking to kids is important.
Support local news with a membership!
Steve is a web designer and recently retired from running the hosting and development company Cruiskeen Consulting LLC. Cruiskeen Consulting LLC is the parent company of Wis.Community, and publication of this site continues after his retirement.
Steve is a member of LION Publishers and the Local Media Association, is active in Health Dunn Right, and is vice-president of the League of Women Voters of the greater Chippewa Valley
Add new comment