
Just Because It's Crazy Doesn't Make It Wrong: Bringing Your Hacker POV to the Election

BSides Dallas/Fort Worth | 39:35 | 143 views | Published 2021-11
About this talk
BSidesDFW 2021 Track 1 Session 7 - 06 Nov 2021

Just Because It's Crazy Doesn't Make It Wrong - Bringing Your Hacker POV to the Election Hack Discourse

I work in IT. When family and friends have questions about anything remotely related to tech, they ask me. So when the election happened, it wasn't even over yet and I was inundated with questions about election hacking! Was it possible? How bad was it? How can we prove it?

Rhonda is an IT and Web grease monkey. BIG fan of open source, which may be why her latest passion is finding the best Texas weeds to plant in her yard.

howdy

um welcome to my talk just because it's crazy doesn't make it wrong bringing your hacker point of view to the election hack discourse um I haven't really thought of myself as a hacker much because the only things I've managed to break and you know get into the hood and break are my clients websites and then I have to be the one to fix them and so it kind of cancels each other out but then I read this oh well if that's what being a hacker means well then yes I am one I too know the dark arts of right click view source maybe I have credits after all still I have to admit I'm about to talk about

things that I have no experience with other than being a voter so now might be a good time for this slide I need to say I'm the only one responsible for the opinions posted in this talk I have no election administration experience whatsoever I have downloaded all 1065 pages of the State of Texas election code for what that's worth I haven't read it of course but I did do a search for risk-limiting audits and guess what it says that Texas will start doing them in 2026 so that is good news okay now back to the talk we all belong to tribes we like people in our tribe we hate people in the other

tribe why my personal opinion is I think it's because no one has time for that many friends also because our lives are short no one has time to really understand everyone's point of view it's just logistics it's easier to write off the other side as crazy another theory of mine is that the big tribes of yesterday used to be sports teams but that got confusing when the team started moving around and then the Geeks started to rule the world and everyone knows Geeks are an art Sports challenge sure some of them might ride bikes and run marathons but that's really not the same as team sports is it so anyway Geeks ruined it for everybody

and so now we've all streamlined our tribes down to just two the Republicans and the Democrats and also a handful of sour grapes who keep trying to start other tribes and just end up ruining the election for the losers who thought they would have won if it weren't for the sour grapers as if I fall into the unfortunate last category this is because I come from a family that is literally half Democrat and half Republican by refusing to align with either of the major tribes I get a lot of crap from everyone for how I vote but I also get a lot less crap shared with me on social media so I figure like it's a net win

anyway that's the way it was at least until all this election hacking grief started the losing side of the family oh my word they were all boohooing all the time saying how the country was never good was going to be ruined forever never the same all the meaning they watched all their social media channels all their email chains all they could talk about was how the election was hacked so that's all my whole family ever talked about it was infuriating 2016 was so infuriating 2016. do you remember that that was in the before time so it seems like a long time ago but you get my point right here we are five years later 2021 the

official story right now is that the hacking was mostly of the social engineering kind and mostly on social media but if you remember in 2016 that distinction was not made at all I have a Graphic about that 2016 the blue people were all like yeah the election's hacked and the red people are like uh Stupid blue people and then 2020 happened and now the red people are like ah elections hacked and the blue people like stupid red people but we can look on the bright side election security is now a bipartisan thing so let's dive into it all right so we are told this is a truth that this election in 2020 was the most secure

election in U.S history we're also told that that bar is kind of low but I want to ask the question is it really I have to wonder honestly what is that bar actually have we defined it as a society do we know exactly what that is how can we measure something that we haven't completely defined I can't honestly answer that all of that yet but for myself through the research I've done through this talk I've kind of come to my own conclusions and they're not exactly the way I thought they'd be when I first started I have a question for you are you worried about elections if you are you are not alone smart people have been worrying about our

elections for a very long time here's this guy's worries and this is from 1859. I want you to notice the quotes that he frets over vote early and vote often I didn't realize they were saying that back in the 1800s and it was already like a thing and then the other one that he says how to cast the greatest number of votes the smallest number of voters you know I think that one needs to make a comeback that's very very pithy the other phrase in his statement that I want to highlight is where he says at the beginning in the excitement of great popular elections frauds will be committed if a chance is given for them

okay so isn't that the core of what we what we want to figure out when we're looking at accusations of election fraud was a chance given and if it was if somebody took advantage of that chance what would the impact be another thing he expresses is a fear a fear that we have all felt at some point that the worst side will prevail that fear comes from somewhere that fear has been a reality at several points in our history and that's kind of a dark thing to contemplate so I think now is a good time to re-answer a question I got at Dallas hackers in September about Mental Health I did a five minute lightning talk and I

got this excellent question that I got it I gave a really crappy answer to so the question was how do you protect your mental health while diving into election security here's my do-over answer that is a great question and we should always be asking that question before we pour ourselves into something that is socially stressful you don't want to break yourself while you're trying to make the world a better place I'm not wise enough to answer for everyone but I can at least share with you some of the things that I try to do to keep my mental health the first one is to protect your mental resilience for me it's you know I I don't have

trouble learning things new I'm in Tech I have to learn things new all the time it's kind of a burden but for me I have to remind myself to walk away from the screen and go outside there's a real world out there that has nothing to do with what I'm seeing on my computer it's shocking but true moving around getting regular sleep sleep patterns for tech people are uh spotty so I have a quick hack for you that I discovered um it works for me our I ran across this Consumer Reports article about blue blocking glasses um and I read the you could read this article you don't have to be a subscriber to see it

um that those ones at the top those are these and they were like 15 bucks and the others were over 100 and these are the ones that won go get them on Amazon 15 bucks you put them on two and a half hours before you try to go to bed and you will be sleepy now whether or not you go to bed on time that's another matter but you know at least you're setting yourself up for success number two try very hard to reject the rage um I don't know if you've noticed but there's rage everywhere online everywhere it's the new addiction and media empires literally are being built on it as well as cottage industries

there's money to be made it's flowing it's hard to resist um this is going to be an ongoing thing this is something I'll have to work on all the time I have to work on it constantly but I will say I got a lot out of this particular short it's not very long a little video that this journalist put up at the last voting Village at Defcon I would invite you to check it out he's got a kind of an interesting take on fake news and I I particularly like that that headline sometimes if I'm reading something that just makes me outrageous I just look at that and say you know it's going to come

from a basement in Macedonia so yeah um oops there we go third one Take the Long View this one also helps me history is a great teacher and it's a good perspective setter and with that we're going to go into election history and there's our first headline once upon a time when our Republic was much younger voting was not anonymous did you know that I did not know that until recently to me voting anonymously is a sacred right the government never gets to know how I voted so I just assumed it's been a right from the beginning but it's not been um there was a time when it wasn't a right and as you can guess that created

a lot of dishonest voting people were uh afraid to show how they voted so sometimes they didn't people got harassed when they did and worst of all votes became a commodity to be bought and sold then in 1888 the state of Massachusetts was the first state in the United States of America to adopt the secret ballot they made a ballot that was the same for everybody people voted they didn't have to sign their name and then the ballots were counted by hand and that in my opinion was the very first American Secure election that is a bar you can still hold some elections to today okay and then next in 1882 just a few

years later you had the invention of the first voting Tech it was the gear and lever voting machine it was used in Lockport New York the lever machine made Anonymous voting possible and it made over votes you know accidentally voting for more than one candidate in a race impossible so lever machines made elections not only more fair and secure but also more accurate uh by 1930 the lever machines were being used in every major city in the United States they were monstrosities they were uh hard to steal at least they were built to last forever lever machines had a long run but they were hard to move around and they were as we discovered sadly like with most tech

not unhackable now we set up rules to deter that uh commissions would would uh say that only two people could unlock and open the back of a lever so you always had the eyes on the other person but sometimes those rules weren't followed and results on the back could be changed supposedly so that was a thing and sometimes the gear stuck uh Mo all of the gear and lever voting machines were decommissioned by 2012. they made one brief comeback in 2013 in New York because the election in 2012 had long long long long long lines in New York because their new tech broke speaking of new tech there was also a flurry of tech inventions in the 60s and

70s I've got a few listed here punch machines became really popular in using in conjunction with Optical scanners so as a matter if you could get more voters through it didn't take as long to count punch card machines combined with Optical scanners for counting were at that time the next Leap Forward for election Tech much lighter uh easier to use in theory easier to scan in theory but punch card machines fell out of favor with everyone for forever in the because of the presidential election of the year 2000. the Year of yes the hanging chad for those of us who remember the hanging chad election of 2000 you know what I mean when I say that was

all that was on the news on everybody's news channels 24 7. for those of you who are young who were are young or or were pre-born into the year 2000 go to Wikipedia and look up 2000 United States presidential election recount in Florida Wikipedia has a great comprehensive article on this spoiler the courts ended up deciding that presidential election and hanging chads were not just a Florida problem get this Nationwide 2 million ballots were disqualified and thrown out due to issues tied to the punch machine Optical scanner combos and if you throw in problems that various places had with inaccurate purges of voter registration records some studies put the Lost vote count for 2000 as high as 6 million

so although they'd had problems with some of this technology for several years that kind of created The Tipping Point Congress said it's the 21st century now why are we still putting up with this old Tech update your Tech everyone here's the specs you need to follow and and here's the money to do it with well the money clinched the deal and that was the help America Voting Act of 2002. a couple of years after the help America Voting Act passed President Carter Democrat James Baker a republican who served in the Reagan Administration they put together a bipartisan commission that put out some election reform recommendations on top of what was in the act and a quote from that report I have

right here it showed how Americans were finally beginning to realize that the bar for election security and accuracy needed to be raised again of significance to us in this discussion is that phrase obsolete voting machines keep that in mind okay but before we move on I just want to take one more look at those incredible gear and lever machines the first ones um the the very first voting machines helped America significantly improve voting security and accuracy it made Anonymous voting a pillar of our election process the first election machine helped make that possible during that date span you see there we saw huge changes not just in how we voted but who who could vote

during that date span we made great advances towards making this country a more perfect union if you are ever tempted to despair over the state of elections today I want you to think of this picture and I want you to just remember how far we've come and then I want you to think about how you can do your part to help continue to push to make things better Okay so 2000 was a bit of a dumpster fire and Congress passed the Help America Vote Act with serious money attached there was hope that this would finally encourage the free market to give voting technology the real boost of iteration it needed unfortunately what we have at the moment

is a near Monopoly due in part to the litigious nature of the lead companies see this article but certainly also due to the important legal process of certification okay when I talk certification here I'm not talking about the certification of election results after election day that's that's separate what I'm talking about here is certification of the actual voting machines and as I understand it so take this with a grain of salt as I understand it it's I think it's sort of like when you manufacture a microwave that has to meet certain standards you take it to a state approved testing facility and you pay to get it tested that certification is for that model if you have new models with

enough variation those models are going to get their own certification well the Help America Vote Act required something similar to that for voting machines Federal certification guidelines are voluntary but almost all the states have adopted them and they've piled on a few of Their Own this brings us to the Election Assistance Commission the EAC they set the federal requirements right now companies are operating under the requirements set in 2005. um so the man and the manufacturers when they have their machines tested they have to put the cost for that testing to get their Tech certified so certification makes sense when it comes to making sure if voting Tech meets the long long list of requirements

that up for what it needs to do but it does not work so well under the Patch Tuesday model of security updates this is why you have so much old Tech in the voting Machine World and this is why in part you don't have a lot of official penetration testing going on yet so the EAC is coming out with new certification guidelines finally uh so that's that new is good the from 2005 to I guess it's gonna be 2022 news good not everything in there is popular if you are concerned about voting machines being able to connect to the internet you may be interested in this video from the most recent voting Village at Defcon

uh she talks about that um but uh some of the things in there are wins for example the EAC is trying to launch a pilot pen testing program and if you're a pen tester that's something you might want to look into also a useful video in the Defcon voting Village channel for pen testers is this one and I believe I know he's a fellow Texan I believe he's Associated Austin hacker so go watch his video give a fellow Texas hacker a boost it's also very interesting and full of information all right so we're at year 2000 that election spurred Congress to pass a 2002 help America Voting Act counties and States went shopping okay now the next thing up is the

president's presidential election of 2004. lots of accusations uh in Iowa of all places of no I'm sorry Ohio Ohio the other mostly vowel state in Ohio there are accusations of voter suppression machine malfunction and recount Shenanigans two elected officials are convicted in 2007 of said Shenanigans so that was a thing uh fast forward to 2008 and although this isn't directly on the voting system both campaigns both major political uh political campaigns were hacked um I actually don't remember that I guess because I wasn't really paying much attention back then um so I thought it kind of all started with uh the the 2016 campaign hacks but no that was happening way before then um also there was this

and this was actually really big news at the time so this and this is way before Voting Village so there were other people looking at this even before before Defcon was looking at it and um uh this is this was pretty I mean go look this up this was pretty pretty Earth shaking to the election committee because there were a lot of those machines in service now when this was discovered this company that made the voting machines had two years earlier sold itself to ES&S the market leader um so I don't know if anybody actually caught the heat on this one as uh but um that was a thing okay and then 2012 election okay so this was news to

me a voter took a video of a voting machine while he was trying to vote and he kept pressing the Obama choice and it kept checking the Romney choice so um that now that so this was look there's 10 million views it had its moment right A lot of people have laid eyes on this video um that machine was removed from service but but I'm going to bet that this video had a had an impact on some people and how they perceived the security of our election machines um the article that I found this reference in also had a quote from Pamela Smith of Verified Voting and she said multiple reports of calibration problems with e-voting machines the type of

problem that results in vote flipping occurred in Virginia Nevada Texas North Carolina and Ohio she said that in 2012. so 2012 was a bad year for DREs also known as direct recording electronic machines touchscreen voting equipment that lack any paper backup for later recount this brings us to a very important discussion in election Tech Paper Trails if 2012 had been a close election all those DRE disasters would have been a much bigger deal in the news than they were if election Tech can break how can you capture the true intent of the voter well with paper backups and not just any paper backup one that is verified by the voter themselves before the vote is counted

so this is a good time to introduce this website the verifier okay at this point I am going to Escape out of my slides and go to a browser so bear with me for just a moment okay there we go so verified voting is a non-profit nonpartisan organization that is devoted to trying to make our election voting Tech better and the system's better so they have this great database called the verifier let's go there and the verifier is a searchable database maintained by the the by verified voting it's a database of all the election Tech used in U.S elections and it is searchable by state and County so this is important for this talk because I want you to know if you see a

state county or city mentioned specifically in an election vulnerability or hack claim you can go to this site the verifier and you can find out what tech they're using there have been some claims that are accurate when they cite the type of tech that's being used and there are some that were obviously just doing wild guesses this is where you can find out what was really used okay on the verifier map and let's go back let's go down to where we can see that okay on the verifier map Green is good so you can dive into the site and get more information about uh what's um what all their little nuances of the colors mean but essentially green is

good red is bad um so what what do they think of as good they think they say that good is having a paper ballot a very voter verifiable paper ballot at the end of the voting experience and they also consider hand marked paper ballots to be better than machine printed ballot confirmations and I think it's probably because it has more that the the vote record has more attention from the voter than just getting a printout at the end that you look over but but that said a paper record that a voter can verify is better than no paper record so can you 100% trust voting machines I would say no so you must have another way to check

the vote and there is no better way than to have the voter check the vote it's a extremely simplified way to look at it but but that is kind of essentially what I'm saying here and I have a slide I want to go to before we go to the next section so let me go back to that and we will click that and oops oops there we go okay there it is all right another disclaimer this is okay I wrote this this is not certified by anybody it's not endorsed by anybody take it at your own risk but this makes sense to me this makes sense as a logic path for how can I kind of look at how somebody's

running an election and kind of filter through how how is there a basic trustworthiness to it um okay so number one voting machines can be hacked so if you're if your Precinct is not using a voting machine it's just handwritten ballots all the way cool you're good to go you don't have to go through the rest of this list but if if you are like in my precinct you have a voting machine go on to number two um do you get a chance to verify in a printout what you voted um so if you if you can't do that then that's something that you need to that's a problem you need to bring up with your

election board and where you vote tell them that you want to have a paper trail um I that would be worth looking up in the new Texas election laws is that something that we're because they're going to be doing risk limiting audits at some point so it's got to be based on something so hopefully that'll be something that Texas will be able to say yes to and turn green all over our state uh all right so paper printouts are once they're once the voters verified them put in the book about machine it's been counted paper printouts are they then stored well actually does the voter get to put it in storage and then from that point

from the moment the voters fingers leave the ballot does that ballot have a chain of custody a documented chain of custody from that moment on to the moment that it no longer has to be stored and they destroy it if if you cannot say that to yes you still have problems in your in your system there must be chain of custody because this might come as a shock but not only can you not 100% trust voting Tech you also can't 100% trust people so systems that don't rely upon being able to trust individuals necessarily but have checks and balances also for people is a good system to have all right so number four if you made all

to number four then that's going to be talking about the ability to do some kind of audit um spot audit surprise audits you know just to make sure that your what your machines counted matches the sample that you you know this the stats kind of match if you want to learn more about what the risk limiting audit is and that's kind of the hot new audit term these days uh there's a lot of videos talking about that on the voting Village YouTube but you can also go to a site called trustthevote.org do a search for risk limited audit and I think they've got an article on it a lot of people have articles on it's it's the up and

coming thing okay um okay uh at this point I want to kind of go over a few little scenarios you might have heard about uh some some audit drama that was going on in Arizona and some of the theories behind that audit drama um and I want to uh use some of the um let me go back to the kind of this I think and also the and I want you to remember the verified voting what you can look up there and I want to go through a couple of the things that the theories that that were associated with why people want wanted it and why some people wanted an audit in Arizona I recognize that that is an emotionally

charged subject because it was super super super hard to find any articles that didn't already they weren't colored either blue or red so I actually what I want to do let's Let's Escape out this again I'm going to go to an article on that I pulled up and maybe we'll just go through and just pick out a few things it was this one it was from the local station I think out there and so they've got they're they're talking about it and and kind of this is kind of a something that I gleaned from that from Bob Sullivan's video you want to the anytime you're dealing with something especially political things there there's going to be

like you know uh 99% of it's going to be a lot of emotion speculation but somewhere in there there may actually be some some some facts that you can work with so we're going to try to look for those okay so uh one of the claims here that they're talking about is the allegation that uh the voting machine being used there uh Dominion software changed votes so basically flipped votes and and did other stuff um so we we when he says doing all kinds of unfortunate things I have no idea what that means but I do know what changing votes means because we just talked about how in 2012 there were a lot of DRE

machines that were flipping votes essentially we're not voting the way that the voter wanted them to vote so that's something we can work with um so if we were if we were researching this we'd want to go to Verified Voting and we want to to verify first of all what where are they talking about where and are those machines by that manufacturer actually being used in that election and then we're going to want to find out how what are the machines and how are they being used once you've looked up what machines are being used in that county um you're going to want to see uh verified voting that you click through to the machine and read what the machine

does and sometimes these machines are um creating a an appropriate paper trail that's verified by the voter and if that's the case uh you know like that like that logic flow your investigation has kind of come not completely to an end but it's come to the point where you have to ask okay if I were going to hack an election this way in that location how could I overcome the audit Trail that's going to be totally different than the electronic machine vote count so I think this particular claim depends upon voting machine count only and they're not taking into account an audit if there's not audit capabilities in place then this is something you might look into

but if there are audit capabilities in place I'm not sure they have as much standing as as they might think they have um another one I would like to throw out there this is I'd say it's one of my favorites um because it's one of my favorites because people got so freaked out about it and this is the bamboo paper Theory so I don't know I mean it and I can't even pull up an article like this that it's even halfway you know um non-emotional so uh I'll just tell you that so I'm sure you heard about that some votes were were flipped because of a special type of paper that had certain fibers in it

that were really screwing with the optical scanner machines um and and that came in a variety of different stories so depending on where you heard it from depended on some of the details but if you boiled it down it kind of went it kind of boils down to remember the problems that we had in the 80s 90s 2000s with with some of the old Optical scanners they would they would not read the votes properly and so you know you had in 20 in 2000 you had 20 million uh two million votes that were thrown out um that is unacceptable to us today we have raised the bar you cannot do that today so um if you boil it down to can a piece of

material that the ballot is on screw with the optical scanner that counts the votes and make it vote make it count the vote incorrectly that answer would be a maybe it depends on what machine you're using it and it have you tested it for that uh so ways to see I think questions to ask if that could be possible if you were thinking okay if I were gonna do that or if I were going to verify whether or not this was done one of the first questions I would ask is did did they use the paper that the ballots were on regardless of whether I had it or not the paper that the ballots were ultimately printed on was that

paper the same paper that they used in their testing and how that turn out the other thing would be again we're back to that paper ballot audit Trail is there a paper ballot audit trail that was a paper ballot that was verified by the voter because again you have these two different counts that you can compare if they do not match up you you they will throw anomalies if something's happening uh on the election on the tech side it will you will see it in the numbers and this video at Defcon that Harri Hursti did um Harri walks through a a situation that he was called in on to investigate that is pretty much exactly that so

this is super fascinating he walks you through the entire process I love this video watch it this is this is very much a story of you know here's here's what happened and we're just following where the evidence leads us and sometimes the evidence leads you into places that that are surprising so I'll just say that um okay and then the last thing I want to highlight for you that I think is going to be a great resource if you're as you're doing as you try to understand election claims for yourself you ever wonder about has anybody ever actually gotten arrested persecuted actually not persecuted prosecuted prosecuted arrested prosecuted and had to go to jail over voter fraud has you

know people talk about voter fraud all the time has anybody ever been arrested this is the site where you go to it's a great database and so I will leave you that you can pull up your Texas in any other state and look to see what do we actually good at catching so thank you for listening and that is my talk and I hope you feel a little bit more empowered