Colorado Agency 'Improperly' Posted Passwords for Its Election System Online (gizmodo.com) 93
For months, the Colorado Department of State inadvertently exposed partial passwords for voting machines in a public spreadsheet. "While the incident is embarrassing and already fueling accusations from the state's Republican party, the department said in a statement that it 'does not pose an immediate security threat to Colorado's elections, nor will it impact how ballots are counted,'" reports Gizmodo. From the report: Colorado NBC affiliate station 9NEWS reported that Hope Scheppelman, vice chair of the state's Republican party, revealed the error in a mass email sent Tuesday morning, which included an affidavit from a person who claimed to have downloaded the spreadsheet and discovered the passwords by clicking a button to reveal hidden tabs.
In its statement, the Department of State said that there are two unique passwords for each of its voting machines, which are stored in separate places. Additionally, the passwords can only be used by a person who is physically operating the system and voting machines are stored in secure areas that require ID badges to access and are under 24/7 video surveillance.
"The Department took immediate action as soon as it was aware of this, and informed the Cybersecurity and Infrastructure Security Agency, which closely monitors and protects the [country's] essential security infrastructure," the department said, adding that it is "working to remedy this situation where necessary." Colorado voters use paper ballots, ensuring a physical paper trail that can be used to verify results tabulated electronically.
Re:What's going on in Michigan? (Score:5, Informative)
five seconds of search revealed the "expert" "is awaiting trial on felony charges related to allegedly breaching election machines". maybe not the best source of information. i recall pjmedia also posted loads of bogus election denial content in 2020
Re: (Score:2)
You mean like the journalist who was facing "hacking" charges because he looked at the HTML for a page and saw passwords in plaintext in the source?
improperly? (Score:5, Funny)
Is there a proper way to post your passwords list on your website?
Re: (Score:2)
Is there a proper way to post your passwords list on your website?
Voting machines with passwords are scary. Just use public key auth so no passwords need to be transmitted at all and every authorized person or system can easily be tracked when they access the system even if they use a single account.
Re: (Score:2)
Voting machines that are connected directly to the internet are scary...
Re: (Score:3)
Voting machines that are connected directly to the internet are scary...
The summary says
so apparently the machines are not connected to the internet,
Re:improperly? (Score:5, Insightful)
Voting machines that are connected directly to the internet are scary...
The summary says
so apparently the machines are not connected to the internet,
The same election officials who had the passwords on a spreadsheet, but thought that "hidden tabs" was good security, and even uploaded them to the Internet are now telling you not to worry. Because you have to go into a "secure" room to mess with the machines.
Or so they think. And you can totally trust anybody they gave an access badge to. And there's nothing anyone with physical access could do, anyway, regardless of passwords. Or so they think.
Forgive me if I do not trust their technical understanding or their security operations.
It actually does NOT say the machines are NOT connected to a network. They probably ARE connected, at least sometimes. Whether that network is connected to the Internet, who knows. I think it's unlikely that someone is going to come over the Internet and corrupt the machines. But when ignorant election officials screw up things this badly, it does not inspire trust in the process nor the people responsible for administering it.
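The "hidden tabs" in the summary are only a visibility flag stored in the workbook file, so they can be checked for before a spreadsheet is published. As an added example (not from the article, the department or any commenter), this Python check lists every sheet an .xlsx file marks as hidden or veryHidden; the function names and the sample workbook are constructed for illustration, and only sheet-level visibility is inspected, not hidden rows, columns or other metadata.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Namespaces used by xl/workbook.xml inside an .xlsx (Office Open XML) file.
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def non_visible_sheets(xlsx_bytes):
    """Return [(sheet name, state)] for sheets that are not shown as tabs.

    The 'state' attribute of <sheet> is 'visible' (the default when absent),
    'hidden' or 'veryHidden'. Either non-visible state still ships the data.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as archive:
        root = ET.fromstring(archive.read("xl/workbook.xml"))
    findings = []
    for sheet in root.findall("m:sheets/m:sheet", {"m": MAIN_NS}):
        state = sheet.get("state", "visible")
        if state != "visible":
            findings.append((sheet.get("name"), state))
    return findings


def safe_to_publish(xlsx_bytes):
    """Publishing gate: pass only when a reviewer can see every sheet."""
    return not non_visible_sheets(xlsx_bytes)


def build_sample_workbook(sheets):
    """Constructed input: a zip archive holding only xl/workbook.xml.

    'sheets' is a list of (name, state) pairs; state None means visible.
    """
    entries = []
    for index, (name, state) in enumerate(sheets, start=1):
        state_attr = "" if state is None else ' state="%s"' % state
        entries.append('<sheet name=%s sheetId="%d" r:id="rId%d"%s/>'
                       % (quoteattr(name), index, index, state_attr))
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="%s" xmlns:r="%s"><sheets>%s</sheets></workbook>'
        % (MAIN_NS, REL_NS, "".join(entries))
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("xl/workbook.xml", workbook_xml)
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed sample: one visible tab and two that a reader would not see.
    sample = build_sample_workbook(
        [("Inventory", None), ("Notes", "hidden"), ("Archive", "veryHidden")]
    )
    for name, state in non_visible_sheets(sample):
        print("BLOCK PUBLICATION: sheet %r is %s" % (name, state))
```

Run against a real file with `non_visible_sheets(open(path, "rb").read())` as a step in whatever process approves documents for public posting.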
Re: improperly? (Score:1)
As always, these are non-technical people giving answers. I have users claiming all the time they don't have remote access, what they mean is THEY don't KNOW how to get remote access to work. Or they claim shared password is only for a local admin user, so it can't be used over the network.
If it is a Windows system it is almost certain you can get access through one or more of RDP, PSRP/WinRM or PSExec, these custom system vendors may layer on TeamViewer/AnyDesk/VNC or if you
Re: (Score:2)
Ok, now do all that when the machine is disconnected from a network.
Re: (Score:2)
https://www.cnn.com/2024/10/29/us/ballot-box-fires-what-we-know/index.html
Re: (Score:3)
Yeah unfortunately that's happening in my state...
BTW today I found out that those ballot drop boxes are equipped with fire suppression systems - but in that particular case the system didn't work.
Re: (Score:2)
Re: (Score:3)
Even if the system works, how is it going to prevent at least a few of those ballots from being destroyed?
The fire suppression system almost certainly guarantees that some votes ARE going to be destroyed. It's a DOS vector sitting right on the street.
Re: (Score:2)
Where did you get the idea that they were connected to the internet?
Re: (Score:2)
Assume the worst. It is how actual security should operate.
I don't have to "know" they are connected to the internet, when systemic failures are already happening. I just assume they are, until proven otherwise. And since nobody can prove they have NEVER been connected without full Chain Of Custody and Audits, which probably do not exist, my assumption is, they have been connected.
We do not want a "trust me bro" scenario for our elections.
Re: (Score:2)
Depends on the auth system used. Authenticating to the machine? If the voting machine has a good clock that is synced, use Google Authenticator. If no clock use OPIE/SKEY like what BSD used for one time passwords 30+ years ago. Ugly, kludgy, but it works and works well enough. Or, offline authentication with Yubikeys + PINs.
Unlocking a master encryption key? Yubikeys or CAC/PIV cards + PINs. Preferably a share/split system with m of n keys needed to unlock it, like 2 out of 3, or 3 out of 5. This wo
Re: improperly? (Score:1)
Voting machines are built around Windows (not uncommon to still have some XP or 7 embedded) and directly connected to the Internet with both the GUI and the database ports exposed.
There was this guy that exposed it, he got indicted for hacking a voting machine, if we arrest anyone that tells us there is a problem, there is no problem.
Re: (Score:3)
I don't think the bios has that ability.
The article states they were bios passwords.
Re: (Score:2)
How old is your computer? UEFI definitely connects to the internet. My BIOS will download updates directly from the net.
The spreadsheet included the model of computer used by the voting machine, many were standard Dell systems that definitely support it.
See here: https://youtu.be/Ok_LuaRscOU?s... [youtu.be]
Re: improperly? (Score:1)
If you have the UEFI password on a Dell machine (this is true for most systems, unless explicitly locked down) you can actually update the firmware and secure boot keys from the OS. The entire goal of that password is to enable automatic deployment of the MOK key which would otherwise require manual, on-site interaction.
Re: (Score:2)
when are voting machines connected to the internet? I mean if they are doing that then they are doing it wrong.
Re:improperly? (Score:5, Funny)
Is there a proper way to post your passwords list on your website?
A properly configured web server should automatically identify and replace passwords with stars/asterisks. Here, I'll try it with some of my server passwords...
admin: *********************
operator: *************
monitor: ***********
Yup, the "preview" indicates it's working properly, so I can safely post this. Go ahead and give it a try!
Re: improperly? (Score:3)
hunter2
Re: improperly? (Score:3)
Doesn't look like stars to me.
Re: improperly? (Score:5, Funny)
That's because you're viewing your own post - I should have mentioned you have to check with a different browser where you aren't logged in.
Here's what I see when I look at your post:
Re: (Score:3)
Damn. You guys take someone else's perfectly funny joke, then strangle, burn, and bury it for everyone to see
Re: (Score:3)
Mod parent Funny.
Re: (Score:2)
incompetence abounds, it's the inevitable result of classism and corruption
Re: (Score:2)
The Peter Principle
Re: (Score:2)
Homo "Sapiens"
Re: (Score:2)
Classism and corruption are symptoms, not causes. The cause is that half of the population has a below average IQ.
Re: (Score:2)
Classism is a symptom alright, of an entrenched entitled upper class who have so corrupted society and manipulated the masses that they are worshiped and now own everything. Welcome to our plutocracy, isn't elitism wonderful?
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Speech to text not your friend?
Re:How quaint (Score:5, Informative)
It was this sort of stuff that Trump was whining about in 2020.
No, he was whining that millions of illegals voted, that Georgia needed to "find" 11,780 votes [cnn.com] after lying about ballots being counted multiple times or how a fake video from Lyin Rudy showed ballot stuffing or lies about ballots being destroyed, how there were tens of thousands of people across the country who voted [cnn.com] while dead [bbc.com], except for all those Republicans [foxnews.com] who cast votes [msnbc.com] for dead people [msnbc.com], and he was whining in general just because he lost. Every single lie he came up with was either shot down or he showed no proof when given the opportunity. In fact, when multiple attorneys were asked during "fraud" trials whether they were saying they had evidence for vote fraud, every single one said no [time.com].
While this incident will certainly bring about more whining from the petulant 4 year old, even if it hadn't happened, he'd still whine when he loses again.
Re: (Score:3)
Re:How quaint (Score:5, Informative)
It was this sort of stuff that Trump was whining about in 2020. And... it was dismissed out of hand in the firm belief that this sort of stuff had. It happened and could not happen. As in, it waits Jen seriously. Audits were token at best.
Remember the Maricopa County Audit in 2020 [wikipedia.org]? The one paid for by Arizona Republicans and One America News and was headed by a GOP-picked Trump-favoring conspiracy theorist? That took six months - and, in the end, it found no proof of any fraud - and even gave Biden 360 more votes!
Trump's whining got "dismissed out of hand" because he and his team couldn't even convince Trump-appointed judges that there was any evidence of fraud. In one of those, when pressed under oath, Giuliani stated "this is not a voting fraud case".
People dismissed all that crap because there was nothing there but bullshit and hot air.
Re: How quaint (Score:1, Insightful)
They were dismissed because Trump had no standing, not because of lack of proof. Only the state can pursue those issues in court. There is evidence today that thousands of voters on the rolls are dead, non-citizens or otherwise ineligible and there is plenty of evidence some voted. There is evidence people are voting today that are ineligible, and there is evidence of people tampering with drop off ballot boxes in certain places (stealing them, damaging or putting them on fire). There is also evidence that pos
Re: (Score:2, Insightful)
Every single lawsuit was dismissed, some even by Trump appointed federalist society judges.
Giuliani: Your honor I have a signed affidavit.
Judge: Alright, do you have evidence to corroborate these affidavits?
Giuliani: SIGNED AFFIDAVIT...
Judge: Yes but I need some sort of evidence here.
Giuliani: SIGNED AFFIDAVIT...
Judge: Case dismissed.
And to the surprise of everyone except Giuliani, Trump stiffed him. https://news.bloomberglaw.com/... [bloomberglaw.com]
Re:How quaint (Score:4, Insightful)
Trump raised $250 million dollars to prove the election was "stolen" in 2020.
Where is the proof?
Where did the money go?
https://www.theguardian.com/us... [theguardian.com]
Re: (Score:3)
It was this sort of stuff that Trump was whining about in 2020
So.. why didn't Trump do anything about it? He tweeted in early 2020 that the election was going to be stolen from him, but then did nothing to prevent it. As POTUS, he had enormous resources at his disposal... FBI, CIA, NSA, DIA, etc., and as leader of the Republican party he had the ears of basically half of elected officials, including governors, legislatures, etc., plus unfettered access to communicate with the public. If he didn't trust the agencies, he could have directed his appointed agency heads
Re: (Score:2)
Why do voting machines need passwords? (Score:2)
b. Do they in fact provide a paper-trail?
Re: (Score:2)
The ballots themselves are paper. Nothing stopping a hand count of them all if necessary.
How very unfortunate (Score:2)
... considering that this election is said to be the most important in recent American history.
Standardize on paper ballots or analogue machines only. None of this electronic bs. It's simply too untrustworthy on several fronts.
Re: (Score:2)
I can't recall an election where this was NOT said. Can you?
Re:How very unfortunate (Score:5, Insightful)
... considering that this election is said to be the most important in recent American history.
Standardize on paper ballots or analogue machines only. None of this electronic bs. It's simply too untrustworthy on several fronts.
We have paper ballots which are scanned and then held in case there are issues. A handcount can be done to verify vote totals. The best of both worlds.
Re: (Score:2)
Unfortunately people are now setting the paper ballots on fire, and trying to steal them.
Re: (Score:1)
Why would liberals steal or burn the very ballots they stuffed?
Re: (Score:2)
Indeed one wonders! Will be interesting to learn more about the guy in Washington when he is caught.
Re: (Score:2)
One source I saw said that the passwords were for the BIOS, which wouldn't be much of an exposure except for a very, very determined, motivated, and skilled expert who had physical access.
Re: (Score:2)
"analogue machines"
Wow, this brings back memories of those huge 1950s era metal cabinets on rollers stored in my elementary school's gymnasium which was designated a voting site. And I remember the teacher scaring us by saying that if we did so much as touch those machines we would go to jail.
Re: (Score:2)
"analogue machines"
Wow, this brings back memories of those huge 1950s era metal cabinets on rollers stored in my elementary school's gymnasium which was designated a voting site. And I remember the teacher scaring us by saying that if we did so much as touch those machines we would go to jail.
Those machines you remember were used by over 20% of the country in the 1996 Presidential election.
Those things had no audit trail whatsoever.
They were replaced by electronic machines which were demonstrated to record incorrect votes, and also featured a voter-accessible USB port with which you could trivially p0wn the machine. These wonderful new electronic machines also had absolutely no audit trail. Not sure if they are still in use in some places -- I know they were not that long ago.
The most modern sys
Re: (Score:2)
The most modern system today is pencil-and-paper ballot, read by an optical scanner, outputting the day's tally on a USB stick, which is physically transported to a central counting place. There are many computers of various sorts and even networking involved. But at the end of the day, there are paper ballots that can be re-counted (by hand or by another optical reader). The last 3 places I lived in the past 25 years do it this way. I don't know how much of the country does this, though. Pretty sure there are LOTS of places doing it another way and that lack audit trails.
This is how it's been done in every place I've lived in MA in the 30 years or so I've been voting. I see no reason to change it.
Re: (Score:2)
The most modern system today is pencil-and-paper ballot, read by an optical scanner, outputting the day's tally on a USB stick.
This is how it's been done in every place I've lived in MA in the 30 years or so I've been voting. I see no reason to change it.
I live in Virginia, but when I lived in Watertown, MA, I especially remember the 2004 election. The election officers (who run the polling places, check you in, hand you a ballot, operate the machines, etc.) are (as is usual) volunteers from the town. This is a small town (35,000 people) and you likely personally know several of the election officials at your polling place. In this case, the town library, where the election officials are neighbors you know, and library staff you know, etc.
The reason I remem
Election worker party affiliation (Score:2)
This reflects the overwhelming Democratic majority, and I can assure you (from knowing them personally) that every one of those election officials was a Democrat. Before the "secret ballot" that I cast, they did not know my politics.
The law [malegislature.gov] disallows this:
election officers shall be enrolled voters so appointed as equally to represent the 2 leading political parties, except that, without disturbing the equal representation of such parties, not more than 1/3 of the election officers not representing either of them may be appointed. The warden shall be of a different political party from the clerk, and not more than one half of the inspectors shall be of the same political party.
So either the law was being violated (unlikely, since the lawyers for the Republican candidates would be all over that), or some of your supposed Democrats... were registered Republican.
Re: (Score:2)
The law [malegislature.gov] disallows this:
You apparently have never heard of rampant corruption in MA. I lived there for over 30 years.
Re: (Score:2)
Indiana has an electronic system where you select the party on a screen, it prints out a paper ballot and you take it to a person who scans that and keeps it in case of a recount. Solves the 'fill the bubble in properly' problem.
Re: (Score:2)
... considering that this election is said to be the most important in recent American history.
Standardize on paper ballots or analogue machines only. None of this electronic bs. It's simply too untrustworthy on several fronts.
Of course you realize that the voting infrastructure cannot be changed 5 days before the election.
What you may not understand is that the federal government has little to do with the election -- it is the states (and individual counties/cities) that totally control the infrastructure. Each one makes up their own rules and processes, including whatever kinds of voting equipment they feel like using. It can vary from town to town.
I believe in other countries, the "federal" (at least) elections are run by the
Re: (Score:3)
None of this electronic bs. It's simply too untrustworthy on several fronts.
About 15 years ago, I think it was, it was common to have all-electronic vote casting. The machine was a kind of touchpad, with a paper label on it. (That is, the "screen" was not a video display - just an illuminated paper sign aligned on a touch-sensitive pad). It was demonstrated that these machines would sometimes record the wrong vote because the touchpad was flakey and/or the paper signage could be out of registration (alignment). There was no audit trail on these machines -- no paper ballot or anythi
Re: (Score:2)
Standardize on paper ballots or analogue machines only. None of this electronic bs. It's simply too untrustworthy on several fronts.
Anyone who lived through the 2000 election knows that the above solves nothing. You need actual concrete usability standards and readability standards.
Re: (Score:2)
I tend to agree with you. However it's well known that humans are quite imperfect and every hand recount varies slightly because of human error. Probably not enough error to change the vote outcome. But still much less accurate than the machines theoretically can count. So eliminating the machines will make some people feel better, but it does not make the count more trustworthy.
"Partial Passwords" (Score:2)
While it's not a good look no matter what, I'd like to know what a "Partial Password" looks like.
LGhn644$| with unknown length is not actually that concerning.
Re: (Score:2)
"Partial" was a very misleading word choice. These were (I *hope* that's the correct tense) BIOS passwords, meaning another password was required to boot into the normal application. Presumably, the BIOS password would be sufficient to boot from a thumb drive or similar device that has a fake or altered voting machine application.
https://www.wqad.com/article/n... [wqad.com]
Re: (Score:2)
These were BIOS passwords
Again? That exact thing happened last election.
I wonder if this was something different this time.
There are two unique passwords for each machine (Score:1)
Grab your pearls! (Score:3)
I live in Colorado and have been trying to talk our local news channel out of the tree on this one. The spreadsheet in question had BIOS passwords for machines. We (most of the people who come to /.) know that BIOS passwords are only useful when you're physically in front of the machine. These machines are physically secured and the operating systems require multifactor authentication. While this is a horrible optic for such a sensitive election, I'm confident in the mitigating controls.
Re: (Score:2)
Plus, the leak being done by a Trump-hater makes the optics even worse. What is her agenda?
How does one... (Score:2)
...PROPERLY display passwords?
Elections are insecure (Score:2)
Elections are insecure. The best way to secure them is to simply not hold them anymore. Or if you must have elections, since counting is insecure and error-prone, it's best to just arbitrarily declare the winner to be the proper party, since we already know that our gerrymandering has made the district the correct party anyway.
Re: (Score:2)
Yeah, maybe instead of elections there should just be a series of coin-tosses.
Re: (Score:2)
Why take the risk of a coin toss?
Seriously, though, all this talk of election fraud in the US is really bizarre. We have plenty of cases of real election fraud in this world and usually the winner wins by a landslide (and the opposition leaders die from accidents). The fact that things are always 50/50 and swings back and forth from cycle to cycle is a pretty good indicator that election fraud just isn't a significant issue as far as who gets elected is concerned. Unless both parties are actively engaging
Importance of oversight+transparency data security (Score:1)