Burn ES&S to the ground

County Election Office Denied Access to Election Database

The Supervisor of Election, as defined by Florida statutes, is the custodian of all election documents and records, from voter registration to candidate filings and election results. So, you can imagine my surprise when a senior election office official acknowledged that while they maintain custody of the Microsoft SQL Server database where all votes are recorded, no one in the office can log into the database or query its data.

Election Systems & Software, the company who owns the election management system software the county uses, refuses to give them a user account. The company says it is a preventative measure to reduce the risk of record tampering, whether intentionally or accidentally. ES&S also issued a mob-like warning: if the election office accesses the database through a backdoor, or other means, the company will automatically revoke all results pending certification and terminate the contract immediately. [...]

ES&S clients find themselves locked into a system and contract that equates secrecy with security and views data sharing as a high risk threat. What ES&S is doing is nothing short of unethical and runs counter to industry practices regarding data collection systems.

For years, the company has hidden behind the veil of proprietary rights and patents, when asked to share even the most basic components of their software. But a software company can't have proprietary rights to a user's data, and any patented rights surely do not extend to a user's data.

ES&S is based in Omaha, Nebraska and has nearly 500 employees. The company is owned by the McClatchy Group, a private equity firm, which means their financial records aren't public. Conservative estimates say the company controls nearly 50% of the U.S. election system market, which equates to approximately 70 million votes processed using any combination of the company's hardware and software.

The company has a well-earned reputation for routinely filing lawsuits against competitors and election officials when they don't win contracts or has them taken away. They have even gone so far as to sue voting jurisdictions and groups advocating for greater election security.

Not looking to push the issue or make any enemies, Wolf dropped the reporting project and focused on other areas.

Previously, previously, previously.

Tags: , , , , , , ,

10 Responses:

  1. Martin says:

    I went to the Defcon voting village a few years ago and posed this question:

    Why the fuck didn't every state just copy and paste standards for slot machines or lottery terminals (like the ones in every 7/11 in California) to voting machines? Slot machine standards, which are publicly posted, are at least a good start - e.g. full source code access for the government testing labs, independent verification of integrity of approved software, full chain of trust from a socketed (and thus verifable in the field) bios, and in some states they still have fully mechanical 'odometers' that click up for every game played and click up for every dollar won. In other words, decades of hard-won experience against hacks. All of this backed up by legislation. None of this would stop hacking of the voter databases, but lottery, gambling and banking systems have equivalently high standards there too. It didn't make sense to me that the voting machines would be so trivial to hack and so far behind the curve.

    The answer I got:

    Apart from the very obvious corruption, elections are run by counties, not states. Thousands of different standards, each with a different procurement process, and zero knowledge of securing and verifying integrity. Nobody bothered to ask the state-run 'gaming' labs, or even the third party companies that perform much of the slot machine testing work today for their help.

    Even if you went with one of the third party slot machine testing companies, or at a bare minimum just hired some pen-testers it would at least mean that to hack/incompetently get something in the field would need the conspiracy of multiple independent companies.

    Sadly, state governments give a shit about slot machines and the lottery because it makes them money and they want to make sure they're not getting ripped off. Secondarily they don't want their gamblers getting ripped off as this is always bad press. Counties think of voting machines ripping them off only in the sense of paying too much.

    Of course, this is not just the voting machines. The databases, as this article talks about, are far better and bigger targets with just as much oversight.

    I'm not paranoid, but is it even remotely possible that we've had thousands of vulnerabilities exposed across hardware, software and people over the last couple of decades yet we've had zero confirmed hacks of voting systems?

    • jwz says:

      The head-explodo part of this is that the slot machines and the voting machines are made by the same companies.

      It's not like they don't have the in-house expertise. So why is one less secure than the other? The only possible explanation is that they chose that.

      • Big says:

        And more cynically, “they chose that because it’s more profitable that way...”

      • Anonymous says:

        Are they really made by the same companies?

        Six slot machine companies make over 98% of the machines currently installed in the US and not one of them has or has had the slightest interest in voting machines. Not even on the radar.

        I don't know why historically this was the case - the massive barriers to entry for getting into the slot machine business (testing and compliance for hundreds of jurisdictions) also apply for voting machines so yeah they'd be set up to do it, but none of them bothered when the voting machine gold rush happened. Maybe there wasn't enough money in it then, or they didn't have people skilled in the art/bullshit of selling to government (slot machines are almost never directly operated by a government). Who knows. Once the first voting machines were bought, it would become too hard to muscle in, so you probably have the same vendors, or descendants of vendors today.

        I'm as confident as you could be that there's zero crossover between slot machine manufacturers and voting machine manufacturers. Same for lottery terminals also (there are only 3 manufacturers in the world of those), even though those are usually sold directly to governments.

        And speaking of lotteries, there have been some spectacular failures over the years, and they've come to light (e.g. Hot Lotto) in a way that hasn't happened with voting systems. The likelihood of this being because no-one has attempted the same things is...very slim.

  2. thielges says:

    If ES&S is concerned about record tampering then why not simply provide their customers with read-only access to the DB? And if they provide access only via first normal form SQL views they can even conceal the details of their base schema if they’re concerned about a leak of their proprietary design.

    This glaringly obvious solution has been used for decades in other products, including applications with a high bar for data integrity and traceability.

    • jwz says:

      If ES&S is concerned about record tampering

      Hmmmm it's almost as if it is blindingly obvious that that is not what they are concerned about.

  3. Eric says:

    So they're running this on SQL Server -- presumably Windows -- and admit there is a backdoor of some kind. Why does anyone trust this company?

  4. J says:

    I actually used to work for this company, right at the height of the madness. Would not recommend.

Leave a Reply

Your email address will not be published. But if you provide a fake email address, I will likely assume that you are a troll, and not publish your comment.

You may use these HTML tags and attributes: <a href="" title=""> <b> <blockquote cite=""> <code> <em> <i> <s> <strike> <strong> <img src="" width="" height="" style=""> <iframe src="" class=""> <video src="" class="" controls="" loop="" muted="" autoplay="" playsinline=""> <div class=""> <blink> <tt> <u>, or *italics*.

  • Previously