Exploit contest opened for tykes – meanwhile, Republicans kill new funding for election security

DEF CON Last year, the hackers at DEF CON showed how shockingly easy it was to crack into voting machine software and hardware. Next week, the 2018 conference’s Vote Hacking Village will let kids have a shot at subverting democracy.

Beginning on Friday, August 10, teams in three age ranges, 8-11, 12-14 and 15-16, will be let loose on replica American government websites that report election results. In elections in the Ukraine and Ghana, these were hacked to spread confusion about the voting process and its results – and the village’s organizers hope the youngsters can do the same with US-style tech.

“It’s just so easy to hack these websites we thought the grown-up hackers in the vote hacking village wouldn’t find it interesting,” Jake Braun, cofounder of the Vote Hacking Village and executive director of the University of Chicago Cyber Policy Initiative, told The Register. “When I was discussing it with a colleague, they noted ‘it would be child’s play’ and I said ‘good f**king point!’ and started planning the event with the Capture the Packet crew and the r00tz Asylum group, which trains young hackers.”

The websites were built by Brian Markus, one of the best ethical hackers in the US who, when not running DEF CON’s Capture The Packet competition, runs a security consultancy, has served on the President’s National Security Telecommunications Advisory Committee and develops hacking training materials for the US and Australian military.

“We’re pretty confident that anything he’s going to make is going to be a good replica of the government election results websites,” Braun said of Markus’ work. “He’s certainly at least as good at locking down websites as anything whoever is running the state’s election security can put out.”

In two three-hour contests held on Friday and Saturday the kids will compete to best derail and meddle with the reporting of election results in 13 key US battleground states, which would, in real life, spread confusion and doubt. Prizes will be awarded to the first to exploit a security hole, whoever comes up with the most innovative and best social-engineering exploits, and the youngest to exploit a vulnerability.

“We think kids will come up with creative ways to socially engineer chaos on the results,” Braun said. “We’re hoping to get some ideas from these fresh eyes that are different from the stuff that we’ve been looking at the last two years.”

This isn’t all about fun and games

With US national midterm elections coming in three months, the need for better election security has never been more pressing. On Wednesday, the Republican caucus in Congress shot down an amendment to an appropriations bill proposed by Senator Patrick Leahy (D-VT) that would have allocated $250m to US states to be used for hardening election systems against attack. One Republican senator voted for the amendment and three abstained.

“The integrity of our elections, which are the foundation of our democracy, should not be a partisan issue,” Leahy said after the vote. “It is unfortunate that the Senate has followed the same path as House Republicans in blocking the funding our states need to help upgrade their infrastructure and secure our elections. I fully intend to continue pursuing this issue in conference.”

This has become something of a theme for the Republican caucus. In March, Congress allocated $380m for election security spending, after over a decade that saw little investment and shocking lapses of computer security in the national democratic infrastructure. But then in July, the Republicans killed calls for extra funding.

“The $380m that was given out is an order of magnitude lower than it needs to be – it needs another comma in there if they want to make a dent in this stuff,” Braun opined. “Only a handful of state and local governments have received their cyber assessments from DHS and we still have thousands of jurisdictions that don’t yet have the sensors needed to identify if an attack is taking place. At this point we wouldn’t even know if we were being hacked.”