Voter Rolls – The Easy Target

One element of the Russian Investigation that has drawn a lot of attention is what the Russians hacked and why.

We know they hacked email accounts from the Democratic National Committee, and we’ve heard reports that they hacked the Republican National Committee as well.  They were hacked for compromising information.We know that they have hacked the emails of several journalists, and  they exploited Social Engineering techniques to manipulate people on FaceBook, Twitter, YouTube, and other social media sites.  We’ve seen reports about how the state voter rolls were compromised, and how chaos was created at the polling places through DDoS’s and other methods.

But one thing we haven’t heard any reports about were the voting totals themselves. There have been rumors, reports, and analyses from the edges of the spectrum, but no reports from any official, semi-official, or under-the-table sources.

Why is that?

The fringes will say that this is because the real evidence of the scope of the corruption is being hidden and obfuscated from the public, because this would cause a complete and total collapse in the fabric of democratic society.  The official sources say that there was no evidence of vote totals being changed.  Then the fringes will say that the totals were changed without a trail, and talk about how easy it is to hack a voting machine, the official sources say that this isn’t how it works, then they start arguing with each other and calling each other names.

So, two groups people argue about whether or not the vote totals themselves were changed, while completely ignoring everything else that took place.

What do I think?

From what I’ve seen, there is not enough evidence to suggest that vote totals were changed.  Not only that, but they wouldn’t need to be changed, and the amount of effort needed to change them wouldn’t be worth the return on investment.  Instead, hacking the voter rolls would be more effective, require minimal effort, and would slide under the radar, not being detected until someone went digging.

 

THE HACKER MENTALITY

Before I go into details about how the American Voting System works, let me describe how a hacking a little bit, and what a hacker thinks.

When most people think of hackers, they think of some neckbeard sitting behind a keyboard punching out obscure code to bring down a secure server while sipping energy drinks and talking about how corruption of “The Man”.  Okay, that’s part of it, but there’s more to hacking than bad hygiene and a caffeine addiction.

Hacking is about exploring a system, finding the weakness inherit in the system. That weakness could be a code exploit, a network weakness, or a PEBKAC* weakness.  What they do with that information depends on the hacker.  Good hackers, or White Hats, will inform the system owner of the exploit and seek to get it fixed.  Evil hackers, or Black Hats, will use that information for nefarious means.  The morally ambiguous Grey Hats fall somewhere in the middle.

How do I know so much about this?  I’ve been in IT most of my life, and, when I was younger, many years ago, may or may not…

Look, I’m pretty sure EVERYTHING I might have done is beyond the Statute of Limitations, but I’m still not going to go into details.  Just in case.  Needless to say, I know the hacker mentality.

 

FINDING THE EXPLOIT

Any system designed by man or used by man can be defeated or compromised by man.  Whether it’s a security system, a computer network, or the mail server at a Fortune 500 company, anything can be broken into.

The questions that a hacker asks are “What is the end goal?”, “Is it worth the effort?”, “What’s the risk?”, and “Is there an easier way into the system?”

What is the end goal?

Most hackers go into a system with an end goal in mind.  It could be exploration, curiosity, trying to find incriminating evidence, grabbing information for personal gain, or getting access for future use.  Sometimes, it’s just to say “I did it.”

Is it worth the effort?

This part varies from hacker to hacker.  Sometimes, it’s an easy job, like a brute-force attack* to get into an email account when most of the password is known.  Other times, the hack could require months of work and weeks of meticulous planning, but the reward is amazing.

What’s the risk?

Once again, this varies from hacker to hacker, and job to job.  Getting access to a secured laptop containing a rival company’s secrets might carry some significant legal risk if caught, but is nothing compared to trying to get into the NSA’s database from the outside.  The biggest reason I greatly scaled down when I did was the penalties involved jumped up from a couple weeks in Juvi to several years in Federal prison.

Is there an easier way into the system?

This is a question that every decent hacker asks.  Is there an easier way to get what I need than what’s given.  Is there an easier way into the database than trying to hack it from an outside connection?  Can I get into the mail server from any computer in the company, or only some of them?  Could I get someone else to get me in to the building by pretending that I’m lost and on my way to an interview or presentation?

This is called finding the exploit.  Finding and researching the easiest way into the system.  IT Professionals, Disaster Recovery Specialists, Security Specialists, Mechanics, and Engineers do this all of the time.  They’ll study all of the aspects of a system, whether it’s a computer network, a data center, a shopping mall, a car, or a bridge, and look for ways to break it.  They’ll go out of their way to find new and exciting ways of destroying things, then redesign them to stand up to that weakness.

Hackers do the same thing.  They study a system, and look for the weakest part of it.  They’ll find the easiest way to do the most amount of work, or damage.  Sometimes, that easiest part is an open wireless network, or a known code exploit, or it’s person who doesn’t know how to use their computer.

 

DOING THE JOB

Now that the hacker has studied the system for an exploit, they have to find a way to pull it off.  An exploit can have multiple ways of being, well, exploited.

Let’s say that a hacker wants access to a corporate mail server so that they can read the mail of the board members, and while researching the system found that there’s a code exploit that allows for a program to sit on the server, hidden from the world, and silently forward all mail sent to selected people and groups to a dummy mailbox for future collection.  Anything that gets sent to Bill@Microsoft.com would get forwarded to some random and obscure mail account hosted in Azerbaijan.

But how does the hacker get the program on the server?

There’s a few different ways they could do this.  They could go phishing* for an employee or contractor to get them to run the program.  Similarly, they could go spear-phishing* to one of the board members directly, and get their login information so then the hacker could login as the board member and install the code themselves.  They could set the program up in some other file to run as a trojan* once it gets downloaded onto a computer.  They could execute a bit of social engineering* and get their way into the building with direct physical access to the computers.  They could set up a man-in-the-middle attack and pretend to be the help desk, after causing someone to call in a help ticket.  Or, they could brute force* their way in with Systems Administrator credentials.

How they go about doing the hack is up to their own personal interest and skills.  It only matters that it works.

 

WHAT DOES THIS HAVE TO DO WITH VOTER ROLLS?

Let’s say you’re Hacker Hackovsky, the famous Eastern European hacker, and you’ve been approached by a shady Mr. NOT-RUSSIAN speaking with a terrible American accent, to find a way to influence the American Presidential Election.  At first, you say no, but Mr. NOT-RUSSISAN drive a truckload of bitcoin up to your house, and says “We don’t need a win, we need chaos.  A win for our guy would be good, but chaos is better.”  After doing the math and realizing that this much bitcoin could be turned into real money somewhere, you accept the job.

You have a month to do research before deciding on the methods and targets.  During this month, you discover the following:

• The American Voting System is ugly.  The voting machines change from state to state, and county by county.
• Some machines are brand new with a paper trail, while others are more than 15 years old, and not connected to any network.
• Vote totals are meticulously scrutinized.  A deviation of a couple votes in a polling place out of 1,000 could trigger a full-scale investigation.
• Most towns and communities have individual polling places.
• Several states have laws that require new voters to show ID before voting.
• American Media is ugly, with multiple “sides” reporting the same story to the delight of their audiences.
• The higher the population density, the more likely the populace is liberal.
• Older white people love “our guy”, but the young and minorities don’t.
• Social Media allows people to share ideas, regardless of the truth behind the claims.
• There are a lot of Americans who do not use critical thinking skills, and therefore don’t ask if the person on the other side is even a person, let alone where they come from.
• While each county has control over their individual voting machines, the states have control over the voter rolls, the list of who gets to vote where.
• This list is stored on government databases maintained by each state.
• While some states have caught up to modern times with security features and real-time change tracking, most of them are on old systems with no change tracking at all.
• The couple months before the election are the busiest time for these voter rolls to be changed, and there’s little to no way to slow down access to them.
• “Our Guy” has access to multiple national databases, including a health care company that can access all Americans based on address.  One of these databases includes all voters in America.
• “Our Guy” also has access to a data analysis firm that can crunch all of this down to specific areas of the country to minimize the amount of work needed, allowing for microtargeting of people.
• “Our Guy” is very divisive.  Violent extremists and racists love him.
• “Our Guy” is running against “Her”, a woman that will make life miserable for your benefactor, should she be elected.
• Two other minor candidates are running, and one of them, “The Other Woman”, is an asset and ally of the cause, and friendly to your benefactor.
• “Our Guy” is a sore loser, and likely to whine about his loss for years.
• You also have access to one of the most sophisticated propaganda machines in the world, and several friendly Americans that are willing to spread it, whether they know it or not.

Give the above, what’s the best course of action to cause chaos, and possibly get “Our Guy” elected?

Changing the vote totals at the machine level is out.  There are too many machines, and many of them require physical access.  That means having someone walk into a polling place, knowing the machine ahead of time, plug a USB drive in to the machine or connect an even older peripheral to it, and upload data to corrupt the vote totals.  All while standing in wide view of dozens of people, without drawing any attention.  Then, having to do this for multiple machines, per polling precinct, across the country.  Let’s say there’s 100,000 places to vote in the United States, and an average of 6 machines.  To affect half, this would require 300,000 people with direct access to the voting machines.  Then, those 300,000 would have to stay silent and execute the job perfectly.  Not gonna happen.

Changing the vote totals at the county or state levels are out, too.  There’s a very short window in which to operate, and these systems will be protected, monitored, checked, and double checked throughout the night.  The results have to be hand delivered to the county office under police guard, and once they’re certified, that paper trail will be used to show what it’s supposed to be.

So if you can’t change the vote totals, you can change who votes and how they vote.

How?  Alter the voter rolls, and target specific groups with the propaganda you want.

The voter rolls are different from state to state, but all have basic information like name, date of birth, address, precinct, party, and how often or last time they voted.  They likely also have a social security number, which is used as an ID number in a lot of systems, even though it shouldn’t be used that way.

What else uses SSN’s in their database?  Health care databases.  You could take data from the voter roll database, search for a matching SSN, then see if the information is up to date.  If it’s not, no need to worry, the person doesn’t live there and won’t vote.  If it does match, you could take that data, then see what their party is, how often they vote, and compare that to any active social media profiles that match, and compare that to known demographics and stats, like the likelihood that a Democrat who votes every year and follows progressive causes on FaceBook would vote for Trump.

Once this data is collected, you could determine whether propaganda or voter suppression is the best weapon for certain areas.

The propagandists can craft the messages that will get the best outcome to the right location.  You could buy advertising on Social Media to target largely white areas of Michigan, Pennsylvania, and Ohio with ads that show “Her” supporting the boogeyman of the day, whether it’s Muslims, Blacks, or Mexicans.  You could also have the propagandists craft a message showing “Her” attacking minorities and have it run in inner cities.  You could have them buy ads promoting “The Other Woman” as a protest vote, knowing that it would not affect “Our Guy.”

Meanwhile, you edit the voter rolls in states and cities where your work will have the greatest impact.  Choose states that require active checking of the voter rolls, like Texas, or have new Voter ID laws like Wisconsin or North Carolina.  Change some entries on the voter rolls, like middle initials, or street addresses, or zip codes.  Add or remove a Jr. suffix in the database.  Flip party affiliations.  Change the spelling of the last name.  Something small, innocuous, but devastating.  Remember, if the information on the ID doesn’t match what the voter rolls say it should be, they can’t vote.

One of these by themselves will create chaos, but all of it together has a small chance of electing “Our Guy”, but only if everything and everyone works.  It’s a stretch, but can be done with the resources available.  Meanwhile, changing the vote totals would require a small army and/or time travel to pull off, and if your plan requires time travel, it’s a bad plan.

 

THE HOUSE WITHOUT LOCKS

Any system made by man can be defeated by man.

When it comes to breaking into a house, or a computer, or a system, it’s not always about whether or not security is used, but whether the security is worth the hassle.

Think of a burglar looking for a house to rob.  They look at the security that each house has in place.  One has a fence, another an alarm system, another several REALLY BIG FUCKING DOGS, and another has absolutely nothing.  No deadbolt, no locks, no “Beware of Dog” sign, no alarm, no random gun crap lying around, nothing.  Each house has about the same stuff, but this one has no security.

Were the vote totals changed?  Highly unlikely.  The amount of time, effort, energy, and resources needed to pull that off would be astronomical, and would be outed faster closeted Bible-thumping politician.  The vote totals are the house with 10 locks, big dogs, and an alarm with camera controlled machine guns.

The voter rolls, on the other hand, are relatively unsecured.  They were easy to access, easy to change, and easy to manipulate.  They were the house with no locks, the windows are open, and the big screen TV is visible from the street.

So, that’s why there are no credible reports about the vote totals being hacked, but several confirmed reports of voter rolls being attacked.  Why change the vote totals themselves when suppressing those who can vote can be done for 1/100th the cost?

 

TERMINOLOGY

PEBKAC: Problem Exists Between Keyboard And Chair.  An IT acronym used to describe the location of an error.  Also called a PBKC error, it is used by IT technicians to describe a problem or issue created by a user.  If you’re IT person ever says this you, they’re a dick.

Brute Force Attack:  Repeatedly attempting to force ones way into a system, usually by attempting different passwords over and over again.  This is very effective on older systems without failed user login lockouts on a few attempts, or if most of the name and/or password are known.

Phishing:  A method of gaining access to a system by sending out bait and getting the user give over the required information, all while pretending to be a legitimate source.

Spear Phishing:  A focused phishing attack, targeting one member or small group, often including personalized information in the attack.

Trojan:  A piece of software, usually malware*, hidden in another piece of software to get it past security.

Man In The Middle:  A type of hacker attack where the user is tricked into communicating with a malicious third party, often while trying to contact a legitimate person.

Social Engineering:  The art of hacking people, businesses, and society.  Exploiting people and their weaknesses for personal benefit.  This could be done through researching the target and/or taking advantage of existing societal norms.

Malware:  Malicious Software.