The manufacturers of these machines are generally small businesses with middling Glassdoor reviews. Employees report letting known bugs live
-
-
-
As evidenced by test reports, the engineering ops practices at these organizations are lacking. Line-length violations shipped in cert builds
-
This means they lack a CI environment. It likely means they lack proper code review and VCS practices.
-
So compromising a dev, underpaid compared to their web-space peers, stuck on John Galt Blvd (literally), would be feasible.
-
It would be trivially easy and cheap to pay off a dev to ship a vulnerability in the code.
-
I don't actually believe the machines themselves got hacked to the point of modifying totals. But if I wanted to do it and I was Russia...
-
You bet your ass I would have profiled every engineer working at ES&S
-
Someone might have gambling debts. Someone might be cheating on their spouse. Someone might have a sick kid and shitty health insurance.
-
This is old spycraft. You don't need zero-days to compromise an employee. This is how it's been done for all time.
-
What it boils down to is this: vote-tallying code pathways aren't tested. This is bad. Regardless of the cyber.
-
This is ES&S. Yes, it's actually on John Galt Boulevard in Omaha, Nebraska. (capitalism is a parody) Not exactly Silicon Valley high life. pic.twitter.com/aCE8wvojrI
-
FBI security briefings are full of stories of people that worked at places just like this selling info for a few thousand bucks.
-
Trust me, I know. I had to sit through the comically terrible movies.
End of conversation
New conversation -
-
-
Or access to the software installed/auto-updating on the machines, which is not necessarily either of the two?
-
Possible! But I think that would be the hardest vector.
-
Definitely. I've encountered FUD in the past regarding final build/sign in a cloud, due to fears of post-audit deep swaps, etc.
End of conversation
New conversation -
-
-
In my opinion Russia hacked voters' "brains" through WikiLeaks propaganda.
-
-
-
Social engineering is very effective... I would be shocked if they hadn't at least tried (a lot) to get a developer trapped into colluding.
-