• Election servers in Michigan and Kentucky running FTP with no password needed
https://www.propublica.org/article/file-sharing-software-on-state-election-servers-could-expose-them-to-intruders
As recently as Monday, computer servers that powered Kentucky’s online voter registration and Wisconsin’s reporting of election results ran software that could potentially expose information to hackers or enable access to sensitive files without a password. The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky’s was accessible from other Eastern European countries.
The service, known as FTP, provides public access to files — sometimes anonymously and without encryption. As a result, security experts say, it could act as a gateway for hackers to acquire key details of a server’s operating system and exploit its vulnerabilities. Some corporations and other institutions have dropped FTP in favor of more secure alternatives.
Officials in both states said that voter-registration data has not been compromised and that their states’ infrastructure was protected against infiltration. Still, Wisconsin said it turned off its FTP service following ProPublica’s inquiries. Kentucky left its password-free service running and said ProPublica didn’t understand its approach to security.
The states’ reliance on FTP highlights the uneven security practices in online election systems just days before the midterm elections. In September, ProPublica reported that more than one-third of counties overseeing closely contested elections for congressional seats ran email systems that could make it easy for hackers to log in and steal potentially sensitive information.
“FTP is a 40-year-old protocol that is insecure and not being retired quickly enough,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security.
“Every communication sent via FTP is not secure, meaning anyone in the hotel, airport or coffee shop on the same public Wi-Fi network that you are on can see everything sent and received. And malicious attackers can change the contents of a transmission without either side detecting the change.”
The FTP server in Wisconsin required a password. Kentucky’s didn’t. In addition, ProPublica found Maine’s FTP service on the same internet address as a state website that directs voters to their local polling places. But Kristen Schulze Muszynski, a spokeswoman for the Maine secretary of state, said the FTP service ran on a computer server separately from the lookup tool. It “never jeopardized Maine’s election process, and at no time was voter data at risk of being manipulated,” she said.
Major search engines like Google often prominently post voting results gathered automatically from state election commission sites. Magney said Wisconsin’s website ran an FTP service for years because the hosting provider, Cruiskeen Consulting, never turned it off. Cruiskeen is a mostly one-person operation that sometimes uses freelance consultants, according to its website. Cruiskeen did not return phone calls or messages from ProPublica this week seeking comment. Magney said the owner is retiring soon, and the state plans to transfer the election-results website to a state-run computer system.
As of late Wednesday, Kentucky’s voter-registration server still allowed users to browse a list of files without a password. Even the names of the files contained clues that could conceivably help an intruder. For example, they indicated that Kentucky may use driver’s licenses on file in its motor vehicle software to verify voters’ identities.
What approach is that? One that's actively inviting malicious parties to mess with shit? Cause that's a kinda retarded security policy.
A ProPublica analysis found election computer servers in Wisconsin and Kentucky could be susceptible to hacking. Little bit of an understatement, ngl.
Bradford Queen, a spokesman for Kentucky’s secretary of state, declined to say if running an FTP server was problematic. “We are constantly guarding against foreign and domestic bad actors and have confidence in the security measures deployed to protect our infrastructure,” he said. “ProPublica’s claims regarding Kentucky’s website lack a complete understanding of the commonwealth’s full approach to security, which is multi-layered. Defenses exist within each layer to determine and block offending traffic.” PR bullshit is their defense
Unfortunately, this type of tech illiteracy will probably only continue. Elected officials will probably never be caught up enough to make informed decisions regarding them. The only way to do so would be to bring in outsiders on some kind of committee specifically on security, but that is prone to other issues.
I know Michigan used to own Wisconsin, but they're not the same thing anymore.
Fuck me I always mix them up
Fascism Transfer Protocol. =/ We still use paper voting in the UK and it amazes me the US doesn't. It's just a much simpler, more secure way of doing things. As an aside, I also think that the commodification of votes by having them virtualised kills some of the satisfaction of investing the time to do it. Something about the tactile nature of paper makes the whole process more meaningful in a surface-level way. That last point isn't terribly important, but I just struggle to see any reason other than money to not go back to a paper system.
Depends entirely on the state. Oregon, for example, relies primarily on paper ballots and just automates the counting process. (To my knowledge on the latter point. They may actually count them by hand, I don't think they do though.)
Honestly, I believe we should be doing both. Paper isn't infallible and mistakes can be made when scanning them. Not to mention the recount fiasco of 2000. By doing both, you have the best of both worlds. You have a way to count votes rapidly and easily. AND if there are any discrepancies, paper provides an auditable paper trail.
That's actually a pretty great idea. It'd obviously be quite expensive, but voting is literally the most important thing to get right in a democracy, so people who argue against increased voting security options like this frustrate me.
I bet they just forgot to check the sFTP only box on the server
Hey, if you're offering to give it back we won't say no, gives us more bargaining power for Toledo.
That's the thing, it's not a revolutionary idea. That's the entire reason why paper receipts exist for credit card transactions. Unfortunately, like you mentioned cost, and "conflict of interest" for candidates and states will probably prevent it from being widely adopted.
Paper voting seeming better and better.
Saying public FTP is susceptible to hacking is like saying an open door is susceptible to forced entry
I'm proud to say that my home state of Missouri follows this practice. You're given a paper ballot that you fill in with a pencil, then you feed it into the machine once you're done. I do wish they would provide some kind of a receipt for the voter, though - the machine shows a green light to indicate it read the ballot properly, but it doesn't show what it read.
I wish the news would be a little more savvy and just say "left completely unlocked" instead of "could be susceptible to hacking"
Pennsylvania uses machines that are electronic but print a paper ballot to be counted alongside the machine.
Yeah, "hacking" in this case would be you opened command prompt, typed in "ftp" and then "open veryimportantelectionserver.virginia.gov" and you're in.