> “If you’re saying ‘even a kid can hack into this,’ you’re not getting the full story, which can have the impact of the average voter not understanding,” Manfra told BuzzFeed News.
BuzzFeed's headline: "An 11-Year-Old Changed The Results Of Florida's Presidential Vote At A Hacker Convention."
If all you see is the headline, that's exactly the impression you're going to get. Lampshading it halfway through the article doesn't counteract that.
I typed out a big comment criticizing the fact that the kid was also shown how to do the exploit, as opposed to figuring it out for himself.
But y'know what? Good for them. That's step one to figuring out their own exploits. And it makes you think: If even a preteen can pick up the gist of how to do the exploit, you could imagine paying someone to go around and try to run it on election day. They don't need to be very smart, just hard up for cash and willing to take a dumb risk.
I've noticed now it's become almost accepted knowledge among the general public that Russia literally hacked election machines and changed votes. Even this article appears to present that view in the first couple paragraphs before finally stating otherwise halfway through.
I really don't understand what the media is trying to accomplish by pushing this narrative. This fear mongering will create distrust in elections and the election results, undermining democracy.
This is tricky, because it's a very easy thing to convince oneself of, given the desire to do so. From my experience, I don't think that particular misinterpretation of the interference is unusually prevalent. In fact, it might even be less prevalent than "normal", considering how these things usually go. My pessimistic side expected far more calls of "Russia changed the votes!" than there are. What I've actually seen in news and conversations a surprising amount of the time is a more accurate definition of the scope of what did happen and what we don't know.
Probably referred to Windows CE 4.1. But not encouraging given that this is their writer focusing on the cybers.
And yes, it's important to be precise when you're reporting on something. It's the details that make the story. What happened if he said "Windows 4.0"? Would people think Windows CE 4.0 (supported until 2012) or Windows NT 4.0 (out of support for well over a decade)?
What's the problem, without looking I can't tell if the device was running WinCE 4.1 ... I don't really know the Windows eco-system, is that impossible?
>In another area of DEFCON, organizers set up a semicircle of computers preloaded with copies of secretaries of states’ websites to allow young children to try to alter the appearance of a vote result .... Notably, the kids were instructed to use a simple database hacking tactic called SQL injection .... Within a few minutes, Audrey, 11, had figured it out, and made it appear that libertarian candidate Darrell Castle had won Florida’s presidential vote in 2016.
The discussion about the vulnerability and the unwillingness of the companies to secure them was more important.
TL;DR from the title. 11-year-old uses SQL injection to change the election results on a voting machine at DEFCON.
In reading the headline I was expecting they would explain it within the first few paragraphs but instead buried what the kid did in the last 5 sentences of the article.
Like most of us, though, it still alarms me that these machines are in use and have some easily exploitable vulnerabilities, but as mentioned by one of the vendors in the article, some/most of these exploits require physical access to the voting machine. Not to take away from the exploits, but it would be pretty obvious if someone was doing this (plugging a device into the voting machine) on election day.
> "it would be pretty obvious if someone was doing this (plugging a device into the voting machine) on election day."
Poll workers (or someone posing as a poll worker) could easily do this and it wouldn't be noticed as suspicious because poll workers are naturally assumed to be allowed to interact with the poll machines.
"What are you doing there?"
"Oh, just updating the firmware to protect against a new zero-day threat."
Is it me or are we seeing a bit too many BuzzFeed articles here lately?
SQL injections are child's play. Literally. It's last decade's "hack", if we can call it that. Using parameterized queries (which you should be doing in the first place) or simple defensive measures nullifies SQL injection threats. The headline is clickbait nonsense.
Also it's a shame that DEFCON has turned into a "disney" event. Who even attends it anymore other than families and FBI agents and slimy salesmen peddling their software?
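The parameterized-query point in the comment above, as an added example that is not part of the thread or of the DEFCON lab: a results lookup built by string concatenation next to the parameterized form, plus a read-only connection as one further defensive measure. The table layout, function names and sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed input containing a quote character, as a form field might receive.
CRAFTED = "FL' OR '1'='1"

def make_db():
    # Constructed sample data, not real election results.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (state TEXT, candidate TEXT, votes INTEGER)")
    conn.executemany("INSERT INTO results VALUES (?, ?, ?)", [
        ("FL", "Candidate A", 4600), ("FL", "Candidate B", 4500),
        ("GA", "Candidate A", 2100), ("GA", "Candidate B", 1900),
    ])
    conn.commit()
    return conn

def lookup_concatenated(conn, state):
    # Weak form: the input becomes part of the SQL text, so a quote in it
    # changes the structure of the statement.
    sql = "SELECT candidate, votes FROM results WHERE state = '" + state + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, state):
    # Hardened form: the input is bound as a value and is only ever
    # compared against the state column.
    sql = "SELECT candidate, votes FROM results WHERE state = ?"
    return conn.execute(sql, (state,)).fetchall()

def writes_refused(conn):
    # A public results page only reads, so its connection can refuse writes.
    conn.execute("PRAGMA query_only = ON")
    try:
        conn.execute("UPDATE results SET votes = 0")
    except sqlite3.DatabaseError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, CRAFTED))
    print("parameterized:", lookup_parameterized(db, CRAFTED))
    print("writes refused on read-only connection:", writes_refused(db))
```

With the concatenated query the crafted string returns every row in the table; with the bound parameter it matches no state and returns nothing.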
[+] [-] Twisol|7 years ago|reply
[+] [-] shawn|7 years ago|reply
[+] [-] close04|7 years ago|reply
[+] [-] floren|7 years ago|reply
[+] [-] 1023bytes|7 years ago|reply
[+] [-] happytoexplain|7 years ago|reply
[+] [-] winstonewert|7 years ago|reply
(100% against voting machines, but this article doesn't seem to know what it's talking about.)
[+] [-] close04|7 years ago|reply
[+] [-] pbhjpbhj|7 years ago|reply
[+] [-] foxes|7 years ago|reply
[+] [-] ecommerceguy|7 years ago|reply
[+] [-] amerine|7 years ago|reply
[+] [-] em3rgent0rdr|7 years ago|reply
[1] https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...
[+] [-] hoffs|7 years ago|reply
[+] [-] humantiy|7 years ago|reply
[+] [-] em3rgent0rdr|7 years ago|reply
[+] [-] jeffreybezos|7 years ago|reply
There was a SQL backed lab setup with loaded results from Secretary of States websites, for kids to attempt SQL injection attacks.
[+] [-] burnallofit|7 years ago|reply
[+] [-] guessthejuice|7 years ago|reply
[+] [-] bobcat9|7 years ago|reply
[+] [-] shekelstien|7 years ago|reply
[deleted]