Earlier this month, Bianca Lewis, who is eleven years old, was wearing a T-shirt printed with the words “No time for Barbie, there’s hacking to be done” and sitting in front of a computer at the annual Def Con hacking conference, in Las Vegas, meddling with a replica of the Florida Secretary of State’s election Web site. She’d already surreptitiously entered the site’s database through what is known as an SQL injection. “First, you open the site,” she explained, “then you type a few lines of code into the search bar, and you can delete things and change votes. I deleted Trump. I deleted every single vote for him.”

Lewis was visiting an event at the conference run by R00tz Asylum, a nonprofit that teaches hacking to kids, where organizers had replicated thirteen Secretary of State Web sites and invited kids to hack them. The day the conference began, as programmers were finishing coding the sites, the National Association of Secretaries of State issued a press release complaining that Def Con “utilizes a pseudo environment which in no way replicates state election systems, networks, or physical security.” That was true enough—these sites were only look-alikes—but they were constructed from data scraped from the actual state sites, and contained known vulnerabilities that had been exploited by hackers in the past. One of the organizers, Jake Braun, rolled his eyes when I asked him about the association’s letter. “It’s totally tone-deaf,” he said. “A nation-state is literally hacking our democracy—wouldn’t you want to take any help you could possibly get? If they don’t think that the Russians are not doing what we’re doing here all year, as opposed to just a weekend, then they are fucking idiots, right?”

Last year, Braun and a group of other cybersecurity researchers created Def Con’s first-ever Voting Village, a conference within the conference, devoted to election security and its evil twin, election insecurity. Def Con would bring more than twenty-five-thousand of the most avid hackers in the world together, jamming the halls of Caesars Palace, and organizers saw an opportunity to show the American public, still reeling from news of Russian interference in the 2016 Presidential election, how easily voting machines could be compromised. For last year’s conference, Braun and his colleagues purchased roughly two dozen voting machines from government auction sites and eBay, and every single one was successfully hacked, some within minutes.

This year, the Voting Village featured nearly four dozen machines, and, again, their vulnerabilities were on full display. (By lunchtime on the first day, one of the machines had been reprogrammed to project an image of the Illuminati.) “To me, the real value is that everyone who comes through here, the thousands of people, will be leaving with very specialized expertise that can be applied down the road to future systems,” Matt Blaze, another organizer, and a professor of computer science at the University of Pennsylvania, said. “It’s an incredible opportunity to expand the pool of experts who understand how they work and know how to evaluate them.”

Blaze and I were in a windowless conference room on the lower level of Caesars, surrounded by dozens of people earnestly attempting to mess with the different voting-machine models, many of which are still in use around the country, despite well-known security flaws. Nearby, another group of hackers was gathered on what was being called the cyber range, a virtual state-election system, based partly on the one used in Cook County, Illinois. (Hackers breached election systems in Illinois in 2016.) The idea was for attackers to try to break through the system’s firewalls and steal voter-registration data, and for defenders to try to stop them. “We’re using this to train the election officials who are here,” Harri Hursti, another organizer, had told me earlier, noting that some sixty-six hundred election officials had been invited to Vegas. Only about a hundred had actually responded and shown up. “They can see through the eyes of the attacker, they see what this environment looks like when you are the bad guys. You start to think how to defend it. You get the muscle memory.”

Voter-registration databases, like the one in the cyber range and the ones built for the young R00tz Asylum hackers, are rich targets for hackers. “If we look at what happened in 2016, that was all about poking the back-office systems and support systems,” Hursti said. During the 2016 election, Russian operatives targeted election systems in twenty states. Change a letter in the spelling of a voter’s name, change a house number, strike someone from the registry altogether, and when they show up at the polls they’re going to be turned away. This is crucial: votes don’t need to be changed and voting machines don’t need to be tampered with for an election to be hacked.

American elections are overseen by the states and administered by municipalities. Offers of help from the federal government to “harden” voting systems have, in some cases, been met with suspicion by local and state officials wary of losing their autonomy. Even where that’s not the case, the Department of Homeland Security, the federal agency in charge of election security, can help states or municipalities only if they request assistance, and its recommendations, like those of another federal agency, the Election Assistance Commission, are not mandatory. But local election officials often lack the expertise needed to evaluate their systems’ vulnerabilities and, in addition, they have been known to be careless about securing those systems. Software updates go uninstalled; machines are left unguarded and unlocked; election programming and vote tabulation are often outsourced to third-party venders that may have their own vulnerabilities. (According to a leaked National Security Agency document, in 2016, Russian hackers broke into VR Systems, a Tallahassee-based election-technology vender that services eight states, including Florida, where it does work for fifty-eight of the state’s sixty-seven counties. The company said a review found no evidence of a breach.) And local officials have been known to be under the sway of the election-machine manufacturers, who wine and dine and lobby them in an effort to snag their business.

Those same manufacturers have been reluctant to admit flaws in their products, and eager to promote the myth that machines that are not connected to the Internet are not susceptible to hacking. At the start of Def Con, Election Systems and Software (ES&S), the largest voting-machine company in the country, sent a letter to its customers, assuring them that the unfettered access hackers would have at Def Con was nothing like what happens on election day. “Physical security measures make it extremely unlikely that an unauthorized person, or a person with malicious intent, could ever access a voting machine,” the letter said. But the work of security researchers suggests otherwise.

On the second day of Def Con, J. Alex Halderman, a computer-science professor at the University of Michigan, stood by the door of the Voting Village, encouraging everyone who came through to cast a vote for either George Washington or Benedict Arnold in a mock election he was running using a common ES&S-owned touch-screen voting machine, the AccuVote-TSX. The AccuVote is most studied electronic voting machine in the country, Halderman explained, as people pressed their fingers to the screen and watched it register their vote.