Pennsylvania's Voting Machines Are Running Windows XP

Slashdot reader rmurph04 writes: As reported by CBS News, the battleground state of Pennsylvania might as well have a target on its back as Election Day nears, the cybersecurity company Carbon Black warned in a new report released Thursday. Across the state, most Pennsylvania counties use particularly high-risk electronic voting machines that leave behind zero paper trails, which could be useful to audit the integrity of votes cast. In addition, many of these machines -- called "direct-recording electronic" machines -- are running on severely outdated operating systems like Windows XP, which has not been patched by Microsoft since 2014.

According to the survey more than one in five registered U.S. voters may stay home on Election Day because of fears about cybersecurity and vote tampering. Respondents believe a U.S. insider threat poses the most risk (28%), followed by Russian hackers (17%) and then the candidates themselves (15%).

Re:XP, or Windows Embedded Standard 2009?

[BarbaraHudson]

Microsoft is supporting it to 2019 [microsoft.com]. People have reported, and Microsoft has confimed ta registry hack that lets regular XP and XP Professional also get support by pretending to be Windows Embedded Stardard 2009 [zdnet.com].

Re:

[AlphaBro]

Security fixes are great, but the lack of mitigations present in newer versions of Windows make it more vulnerable in comparison.

Re:

[BarbaraHudson]

They're still releasing patches for XP Standard Embedded. You can obtain and apply these patches to ANY XP with a registry hack.

Desktop XP or XP POS

[lister king of smeg]

Are they running the POS or embeded that are still getting updates? Just saying XP isn't exactly helpful.

Re:

[0dugo0]

Who cares about the OS, these things could be running UNIX v6. The implementation matters. I'd stick with crayons though.

Re:

[invictusvoyd]

No wonder George Bush won .

Re:

[605dave]

You joke, but in 2004 I watched a machine in Texas change my vote from Kerry to Bush. I had selected Kerry but when I got to the final page it said Bush. I had to scroll back and change it. Not that it would have mattered in Texas.

Re:

[invictusvoyd]

Wow !! I was joking !!.

Re:

[thegarbz]

The OS matters because some OSes are more forgiving to poor implementations than others.

Re:

[BarbaraHudson]

The summary is probably wrong (what else is new). How would they have tested without actually hacking into the machines? This is just one security firm claiming it,, without any proof. Also, Windows XP Standard Embedded is supported until 2019. Nothing to see here except an attention whore making speculations.

Re:

[vux984]

To be fair, you don't have to hack a thing to necessarily know its running on XP. Maybe they saw one start up.

But you are right, the summary is probably wrong, and the leap from XP to "seriously outdated systems that haven't been updated since 2014" is sadly more likely to be mouthbreathers just looking up when XP Pro was EOL on google rather than actually finding out when the last time the units were updated.

Re:

[Zak3056]

I do agree with your point about paper trails (they are important, so a physical recount can be performed as both an audit tool and in the event of an issue with the machines), but the rest of your post is uninformative.

1. This is not one election, it's 51 separate elections. The elections determine the members of the electoral college, who actually vote for the president. Strictly speaking, there doesn't have to be an election at all--the states determine how to appoint electors. All of them currently ch

Re:

[Coren22]

In Maryland, civics is a graduation requirement, my assumption is that that was a nationwide requirement as most education stuff is done federally now.

When I went to school, it was called US Government.

Re:

[BarbaraHudson]

This story has NOTHING to do with audit trails. Why? Because your stupid voting machines were purposefully designed so as to not provide an audit trail. Other countries manage to do paper ballots and have a winner within hours of the polls closing.

Re:

[Anonymous Coward]

You are right, XP is a piece of shit.

Stay at home, they may try rigging the election

[thegarbz]

What a dumb thought process. Someone may try rig the election so I'm not going to bother going to vote? Who's brain works like this?

Re:Stay at home, they may try rigging the election

[Anonymous Coward]

What a dumb thought process. ... Who's brain works like this?

The same idiots who gave us a choice between Ms. repulsive and Mr. truly scary.

Re:

[Anonymous Coward]

What a dumb thought process. ... Who's brain works like this?

The same idiots who gave us a choice between Ms. repulsive and Mr. truly scary.

What's "truly scary" about Trump? The press will do it's job if Trump wins, and keep him honest.

Crooked Liar Hillary! is the truly scary one - the press has already completely abdicated it's role in keeping Crooked Liar HIllary! honest.

The press is so fawning over Crooked Liar Hillary! that she's allowed to get away with lying over and over again about commiting multiple felonies with her mishandling of classified data that "never existed" on a personal server that also "never existed".

"They weren't marked

Re:

[Coren22]

Perhaps you should point out anything in the rant above that is inaccurate, I am having trouble finding anything there that is actually "ignorant".

Re:

[Coren22]

Please, point out what is false about those statements above, provide citations as well, as I can provide citations of each statement the AC made.

Re:

[hambone142]

Try watching George Carlin's video on why he doesn't vote.

We have no choices. They're both idiots and the American population seems to believe that they can't vote for anyone but a Democrap or a Repugnican.

Why do people watch George Carlin?

[Brannon]

He's not funny, and he's not insightful.

In my experience only truly stupid people find him to be either.

Also, in my experience truly stupid people think that not voting is somehow political action.

Re:

[Sique]

Not voting always means voting with the majority. Not voting means agreeing with whoever wins. Whatever George Carlin thinks he's doing, the arithmetics of elections means that he just becomes a majority voter.

Re:

[overshoot]

Someone may try rig the election so I'm not going to bother going to vote? Who's brain works like this?

Someone who wasn't going to vote anyway, but this makes a better excuse than "Luke Cage is on."

Re:Stay at home, they may try rigging the election

[Hognoxious]

Who's brain works like this?

I have no idea who is brain. Pinky's friend?

Re:

[Anonymous Coward]

Who's brain works like this?

I have no idea who is brain.

No, the OP seems to be questioning whether the brain of "Who" works like this. Unfortunately, we're no closer to knowing who's Who.

Re:

[Anonymous Coward]

He's on first base

Re:

[thegarbz]

Who's brain works like this?

I have no idea who is brain. Pinky's friend?

Whose Pinky?

Re:

[Bob_Who]

Who's brain works like this?

I have no idea who is brain. Pinky's friend?

My Brain, that's Whose...
Who's me
Horton Hears me.
He never forgets a dinky pinky.

Re:

[rtb61]

Apparently the corporate executive team that asked the questions. Going from link to link, finally to get some of the question, it is pretty clear the correlation between fears the vote will likely be hacked by the current US government and not bothering to vote is purely speculation, not going to vote actually reflects the dissatisfaction with the current election cycle.

It makes much more sense to vote third party than not to vote at all. It will be a very messy four years after the election, whom ever

This is Clinton's problem

[tomhath]

Who's brain works like this?

Clinton's big problem is voter indifference. People don't like Trump, but they don't like Clinton enough to vote for her.

Articles like this are intended to nudge tepid Clinton supporters to get out and vote.

Re:

[unixisc]

In PA, where Trump has been talking non stop about the trade deals, there is likely to be a surprise blue collar support for him. The people who don't like him are the politicos anyway

Used to suck, but not network connected

[ArtemaOne]

Granted, XP sucked SO bad when it launched. It was nearly unusable for the first year, then it just became tolerable to switch from Windows 2000 with SP1. But why the complaint? These are not network connected, so the concerns of the OS are really pointless. If there's a security threat, like open physical ports, then address those. XP isn't some boogey man. Be specific.

Re:

[BarbaraHudson]

The person making the claim can't be specific. Being specific would not only get him exposed to hacking charges, but XP Embedded Standard is supported by Microsoft until 2019. The guy is an attention whore. OMG say it isn't so - an obscure CyberSecurity company trying to get attention and a TV station falling for it?

Re:

[ArtemaOne]

XP sucked really badly at launch. Maybe if you went from Windows 98 or ME to XP, it could have seemed like an upgrade. But if you went from Windows 2000, which was probably the most solid operating system they've ever made, it was a huge let down. Tons of capability lost, despite the fact that it was just a transition from NT5 to NT5.1, much like going from Windows 7 Pro to Windows 10 Pro. The move also screwed with the NTFS making reverting back to Windows 2000 next to impossible without a huge pain in

Re:

[ArtemaOne]

To be clear, after SP1 it was a great OS, but the bugs in that first year far exceeded any of their releases since, including Vista and 10.

Re:

[ArtemaOne]

Yeah, you just talked around all the points I made. Got it.

Re:

[ArtemaOne]

Those are vulnerabilities to read information from them, which does not affect the outcome of an election. Maybe you should realize that before posting.

Re:

[ArtemaOne]

Clearly you have no idea what you're talking about. Being able to read data off a closed system that contains public owned information is not a vulnerability. I am very familiar with OPSEC, and there is no data to be read from these machines that would affect anything. What are they going to read, the public owned vote data? They're closed systems, so anything read cannot be used as a vulnerability. Perhaps you should study about INFOSEC.

Re:

[ArtemaOne]

There has been no discussion. You simply are repeating a buzzword that doesn't seem to apply to an intrusion with manipulation as the result.

That's surprising

[overshoot]

I would have figured Win98 or maybe WinME.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Fire_Wraith]

At least it isn't Win10, so we don't have to worry about them forcing an update on themselves the day before election day, then failing and going into an update loop.

What's the threat model?

[Chelloveck]

Unpatched XP? So what? What's the threat model? Are these things online? I'd be worried about the latest OS running today's patch set online. Are they worried about tampering by election officials? Physical access is access. Again, the latest patches won't help. What threat do they think will be thwarted by current software?

Re:

[dwywit]

Exactly. Imagine the collective *gasp* if the machines were running Win 10!

Re:

[thegarbz]

No we'd be perfectly secure in that case. They would receive an update and reboot on election day, after coming up the touchscreen driver would magically have disappeared and all voting would cease. It's about the best possible outcome.

Re:

[jrumney]

Any OS patch made since the candidates were announced should be considered suspect. Voting machines should be offline an not allowed to be patched during the election cycle.

Re:

[Bert64]

Voting machines should be simple devices for counting votes, not full blown computers running a general purpose OS. With a bare minimum of functionality there is less attack surface and less need to patch anything.

Re:

[fgouget]

Voting machines should be simple devices for counting votes, not full blown computers running a general purpose OS. With a bare minimum of functionality there is less attack surface and less need to patch anything.

Even the simplest electronic voting machine can cheat and yet even they cannot be audited by voters on election day. So you're telling us that voters should trust the people they are voting out of office to organize fair elections! That's quite insane.

Re:

[thegarbz]

Physical access is access. Again, the latest patches won't help.

You're ignoring an entire world of security upgrades and patches that have been released to countless OSes over the year to patch security holes that help prevent escalations when you have physical access. Not everything is about being online.

Re:

[rubycodez]

all that gets you nothing in an election polling machine. the OS is almost irrelevant for this use case.

Any computer can be compromised with physical access regardless of OS

Re:

[fgouget]

Unpatched XP? So what? What's the threat model?

Right. Patched or unpatched does not make much difference. The important thing is that they run a full blown OS, specifically Windows XP, which means 45 million lines of proprietary unauditable code [wikipedia.org] (trade secret). And that's not counting all the other software the manufacturer added on top of it to turn it into a voting computer.

So an attacker has a wealth of juicy targets: the display driver, touchscreen controller, hundreds of drivers, etc. Anything he changes will be a straw in the middle of a haystack

Not a problem

[rsilvergun]

I vote early. If you can't vote early in your state it's because somebody doesn't want you to. Let that thought sink in for a moment.

They sure don't want me to vote in Texas

[shanen]

It's possible I'll get to vote anyway, but they rejected my ballot application the first time with several BS reasons (selected from a long list on the rejection form). Over the last few elections, it has been getting harder and harder to vote, and this latest voter-ID bogosity makes it much more difficult. And stupid.

The hilarious part is that my vote had already been rendered meaningless by the partisan gerrymandering and double-gerrymandering. My so-called Representative is such a worthless tool that they had to rejigger his district to keep it "safe". They are running out of room in the sacrificial districts where they pack in and waste the Democratic votes. They can't draw the district boundaries house by house! Or can they?

I sure hope it's worse than that from the dictators' perspective. The so-called Republicans (really former Dixiecrats "betrayed" by LBJ) have been driving Texas to the bottom so hard and making the state so cheap that a lot of damn Yankees have moved south. Maybe they are about to flip the state back to the Dems, even though the polls have trouble tracking and accounting for first-time-in-district voters. No evidence, but "some people are saying", as the Donald says.

(Also hurts them that Trump is killing the Hispanic vote. This latest insane TwitterWar is NOT the temperament of a potentially great president. If she would have just given him the damn blowjob as payback for maker her a winner, then none of this would have happened!)

Re:

[shanen]

Hate typos. Meant to say "making", not "maker" near the bottom.

Also thinking I should have mentioned that the tool is question is McCaul. He serves on 4 committees, including "Science, Space and Technology" and has frequently proved he knows NOTHING about science. However, the big laugh is the "Ethics" committee, since one of my degrees included philosophy of the Socratic sort. What a SAD joke, though Trump is the biggest joke to day.

Re:

[thegarbz]

I let it sink in and I don't get your point. You're implying early voting is some arbitrary switch rather than a long complicated and expensive process requiring systems and infrastructure in place to allow it.

Money talks and makes a far more compelling reason than any rigging scenario you could come up with.

Re:

[jfdavis668]

The funny thing is that early votes are counted last. Not sure how voting early helps.

Re:

[Patent Lover]

Not everybody can just take time off from work on a Tuesday. Red states have given early voting a hard time. I wonder why.

Re:

[account_deleted]

Comment removed based on user account deletion

Why OS?

[ChrisMaple]

Voting machines should be open-source coded in assembly language to run directly on the hardware, and the hardware should be open source - something like a clean-room recreation of a 6502 or Z80. Every gate, every mask, should be verified by hand against the schematics, and every machine code in ROM disassembled by hand and compared against the source listings.

Nothing in the voting mechanisms should be capable of being hidden, nor should it be so complex that one person can't understand and verify the whole thing in a reasonable time, say 1 year.

That means no OS, no proprietary hardware or software, nothing but obvious routines running on "metal".

Re:

[sinij]

Voting machines should be open-source coded in assembly language.

You can backdoor hardware just like you can backdoor compiler. Assembly only wins you lack of code readability so it is easier to hide code-based backdoors.

Re:

[Bert64]

Assembly is only less readable than higher level source code, in many cases no source code is provided at all which is just as bad if not worse than providing assembly.

Re:

[fgouget]

Voting machines should be open-source coded in assembly language to run directly on the hardware, and the hardware should be open source

Open-source software and hardware is useless for voting computers. What matters is allowing voters to verify that the hardware and software used on election day is the one that was audited. But of course nobody in their right mind would allow a random voter to hook up a hardware probe or run his own code(*) on the voting computer on election day!

(*) I hope you were not thinking of letting the (lying?) voting computer audit itself!

US State of Georgia only runs on Windows 2000

[Garrett Rhodes]

Georgia, which in 2002 set out to be an early national model for the transition to computerized voting, shows the unintended consequences. It spent $54 million in HAVA funding to buy 20,000 touchscreen voting machines from Diebold, standardizing its technology across the state. Today, the machines are past their expected life span of 10 years. (With no federal funding in sight, Georgia doesn’t expect to be able to replace those machines until 2020.) The vote tabulators are certified to run only on Win

Re:

[Joe_Dragon]

diebold for GOP anyways but there ATM's are updated

Hyperbole and Strawmen....

[Lumpy]

The voting machines are NOT connected to the internet. They are also running EMBEDDED XP not desktop XP. No they can not be infected easily unless someone has physical access... and at that point every OS on the planet is easily cracked wide open if the attacker has their hands on the device.

Re:

[Anonymous Coward]

On the contrary, it's super-easy to infect them by infecting the developer machines first, because these guys patch the machines manually and there is no additional safeguard that protects against running untrusted code. For an effective attack you need to have the source code anyway, so you pawn the developer machines first in any case. I guarantee you that this is fairly doable even for private and fairly unorganized attackers.

Optical scan

[trout007]

What's wrong with optical scan? We use it in my country and its great. Just fill in the line. What's nice is you can 50 people in a room filling out the forms and one or two scanning machines that read then in a second and depot the paper in a locked box. Instant check to make sure you votes and o dublicates and easy to rescan later or manually count.

Logic problem

[RightwingNutjob]

Either it's running an old OS and it's vulnerable to unpatched exploits or it's always running the latest and greatest and it's vulnerable to code breaking because of changes to the OS. Can't have latest and greatest AND high reliability.

Say it again

[ThatsNotPudding]

AS INTENDED.

zOMG! Old Is Bad!

[kackle]

"...are running on severely outdated operating systems like Windows XP, ..."

So? News flash: Software doesn't wear out.

These things were designed by ATM makers

[Anonymous Coward]

The fact that any voting machine leaves no paper record is criminal.

old SQL? time for write in candidate drop tables!

[Joe_Dragon]

old SQL? time for write in candidate drop tables!

Let the viruses romp!

[Applehu Akbar]

Pennsylvania will probably find itself electing Ruth From Card Services, or some guy in India who promises to repair your PC.

The big fail is...

[pentagramrex]

XP embedded doesn't get security updates. Because it is pick-and-mix, windows update doesn't work. Trying to make a Sasser fix was VERY hard work.

Hand Counted Paper Ballots are the answer

[Anonymous Coward]

Don't be fooled with claims of paper backup trails and the like, it is not possible to verify a vote on any electronic black box voting machine.

The only way to verify a vote is using hand counted paper ballots.

prsdntl

Use state lottery machines ..

[khz6955]

"most Pennsylvania counties use particularly high-risk electronic voting machines that leave behind zero paper trails, which could be useful to audit the integrity of votes cast."

Why not use the same machines as state lotteries. They're reliable and secure and produce a fully audited paper trail.

The question isn't who will hack the election

[CityZen]

It's whose hacks will be the most effective?

And I'm not referring just to people playing with code. The people playing with money have been hacking pretty effectively as well.

Re:

[Kvasio]

opinion from outside the USA: both options are scary. But while Hilary is likely to "only" make wars in predictable places like Middle East so SE Asia, Trump seems like the guy who would for example make alliance Russia to nuke China, sacrificing Europe for Russian support.

I mean, many past presidents were horrible scum and liars; but DT makes no slightest trace of consistency, he denies obvious facts, invents stats etc.