Fact-Checking Election Security Expert J. Alex Halderman

I have two rules of thumb about “experts”:

(1) Never trust anyone who refers to himself as an “expert”. Expertise is something that is granted by others, not assumed by oneself.

(2) Once you’ve verified a person’s expertise, check his facts. A lot of experts are lazy researchers, and they probably got some shit wrong.

Case in point, the Medium article written by J. Alex Halderman entitled “Want to Know if the Election was Hacked? Look at the Ballots”. The following are quotes from that article that are problematic and/or utterly false.

“How might a foreign government hack America’s voting machines to change the outcome of a presidential election? Here’s one possible scenario. First, the attackers would probe election offices well in advance in order to find ways to break into their computers. Closer to the election, when it was clear from polling data which states would have close electoral margins, the attackers might spread malware into voting machines in some of these states, rigging the machines to shift a few percent of the vote to favor their desired candidate. This malware would likely be designed to remain inactive during pre-election tests, do its dirty business during the election, then erase itself when the polls close. A skilled attacker’s work might leave no visible signs — though the country might be surprised when results in several close states were off from pre-election polls.”

This scenario is fictional, not factual.

No probing is needed. It’s easier to get inside an election headquarters’ computer than it was for Donald Trump to avoid paying taxes.

Spreading malware into voting machines in any significant numbers isn’t easy at all. You’d have to know the manufacturer (there are over a dozen), obtain the source code, find a vulnerability, write the malware, test the malware, install the malware locally, and hope that it works because these machines aren’t Internet-facing.

“Attackers infiltrated the voter registration systems of two states, Illinois and Arizona, and stole voter data. And there’s evidence that hackers attempted to breach election offices in several other states.”

Wrong. No voter data was stolen in Arizona and no voter data was altered in Illinois. In fact, the only thing that happened in Arizona was that one election official’s username and password were obtained.

While some State election boards reported scanning, scanning is not an attack. Even promoting the idea that a scan is equivalent to an attack is the height of irresponsibility and fear-mongering; something that I would expect from a newspaper hunting for clicks but certainly not from an “expert”.

“In all these cases, Federal agencies publicly asserted that senior officials in the Russian government commissioned these attacks.”

Wrong. The DHS/ODNI statement specifically excluded the attacks in Arizona and Illinois: “we are not now in a position to attribute this activity to the Russian Government.”

In fact, the hackers behind those attacks weren’t even Russian-speaking. They were English-speaking, used Webmoney to pay for their server time, and then ran out on the bill, leaving the owner of the tiny Siberian ISP with an unpaid bill of several hundred dollars.

“Were this year’s deviations from pre-election polls the results of a cyberattack? Probably not.”

No shit, Sherlock. And you admitting this after four paragraphs of bad fiction and blatantly wrong facts does nothing but hurt your well-intentioned point — that the vote results should be audited.

Yes, let’s audit the vote results because e-voting is broken, and has been broken for years. Say that up front next time, rather than invent something akin to a CSI CYBER episode for the people who are gullible enough to buy it because you’ve been called an “expert”.