Diebold Voting Machines Audited by California

Panaqqa writes "Diebold must be wondering what else can go wrong. Considering their arrogance in the past, their comeuppance is truly well deserved. The State of California's source code review [PDF] of the Diebold voting system has been released. Additional reports will be made available as the Secretary of State determines that they do not inadvertently disclose security-sensitive information. One wonders what it will take to convince voting machine manufacturers not to do things like hard coding passwords as '12345678.'"

Oblig...

[Tuoqui (1091447)]

12345678... That sounds like the password some idiot puts on their briefcase.

Re:

[brywalker (738506)]

12345678... AMAZING! That's the same exact password I have on my briefcase!

Duuuuuuude!

[iknownuttin (1099999)]

12345678... AMAZING! That's the same exact password I have on my briefcase!

We have a psychic bond! I use that exact same password on my luggage and machines!

We're password buddies!

Re:Oblig...

[tverbeek (457094)]

The security code on my house alarm is 789456123... no one would ever guess that!

Re:

[Brian Gordon (987471)]

Argh, what's the from?!

Re:Oblig...

[Martin Blank (154261)]

It's a paraphrase from Spaceballs, when the king of Druidia hands over the code to the air shield.

Re:

[Brian Gordon (987471)]

Oh yes THANK you!

Amazing.. truly amazing

[JustNiz (692889)]

how after all the many serious screw-ups and warnings that Diebold has had in the past couple of years, this report shows they still didn't do anything at all to improve the situation.

I often wondered how managers and CEO's that don't even have a clue get given companies to control. This level of obvious incompetence makes me wonder even more.

Maybe not so obvious

[dereference (875531)]

If you believe this is nothing more than pure incompetence, then you too have been fooled. This level of incompetence is usually indicative of strong intent that Hanlon's razor will be used by others to essentially protect the perpetrators from punishment for their immoral and/or illegal activities. This is just another way to game the system.

Re:Maybe not so obvious

[Martin Blank (154261)]

I believe that it can be (but not necessarily is) pure incompetence. Most developers that I've met have no business writing code that would be usable in a 'secure' environment, and the pen tests that are now done as a matter of practice on our outward-facing systems routinely rip our devs work to shreds. It's gotten to the point that the developers want to know what methods will be used in the pen tests so that they can protect against them. We in the security group have steadfastly refused to provide them anything other than a timespan when the test will be happening, so that they know not to update code in the middle of it, and so that they can't do targeted coding before-hand.

One of the major problems that I see is that the developers rely far too much on security by obscurity, no matter what the project covers, figuring that if the attacker can't see the code, then he can't see vulnerabilities, and they don't read enough about vulnerability research to understand how critically dangerous this is. They do things like requiring SSL for the front-end session, encrypting the back-end FTP transfer, and splitting off the management interface to an internal server, while leaving the access controls for the database identical for both systems, requiring only short passwords, allowing an inordinate number of password retries, using poor seeding techniques for session IDs, and leaving nearly-default configurations of the web server in place.

I tend not to place as much value in accusations of malice as I do in observations of incompetence. When presented with a result like this from any random company, I am far more likely to attribute it to the latter, unless presented with some fairly strong evidence to the contrary.

Re:Amazing.. truly amazing

[Vengance Daemon (946173)]

I often wondered how managers and CEO's that don't even have a clue get given companies to control.

It's really pretty simple: Many companies are no longer run by the visionary people that started them, they are run by accountants and "risk managers."

Just use paper counting

[Lars Clausen (1208)]

Voting machines are a technical non-solution to a non-existing problem. Counting votes by hand in public view is almost as fast, has much fewer things that could go wrong with them, and is intrinsically open to public scrunity like no machine system can ever be. Plus, it's cheaper. It works in Denmark, it should scale perfectly well to the US.

Re:

[sommere (105088)]

Counting votes by hand works when there are one or two issues on the ballot. When you have ballots with hundreds of races, and ammendments, etc. It does not scale well.

Sure it does.

[khasim (1285)]

The votes on 10 ballots are totaled and this total is recorded on a marker sheet placed on top. Then the bundle is tied up. (10 ballots)

10 of those bundles are totaled on a different marker sheet and bundled together. (100 ballots)

10 of those bundles are totaled on a different marker sheet and bundled together. (1,000 ballots)

10 of those bundles are totaled on a different marker sheet and bundled together (10,000 ballots)

And so on. The idea being that any individual bundle can be quickly verified or re-counted. And because it's all base 10, it is easy for MOST humans to visually verify the bundles themselves. The ones that can count to ten, that is.

Re:

[doom (14564)]

sommere wrote:

Counting votes by hand works when there are one or two issues on the ballot. When you have ballots with hundreds of races, and ammendments, etc. It does not scale well.

And you think that the electorate can make intelligent, informed decisions when asked to vote on hundreds of issues? Democracy doesn't scale well up to that level, that's why we're stuck with a Democratic-Republic [1]

Techie geeks have this amazing capability to focus on the wrong problem...

[1] Or we were, before the New

Re:

[Sparr0 (451780)]

No, tradition is why we are stuck with a Democratic-Republic. I am a proponent of direct democracy via direct representation. In short, everyone gets to vote on every issue, or they can delegate their vote to a representative (who can then delegate all of THOSE votes, and so on). I am sick and tired of being "represented" by someone who doesn't share ANY of my views. Or worse, someone who actively promotes the interests of corporations over their own constituents.

Re:

[doom (14564)]

or they can delegate their vote to a representative (who can then delegate all of THOSE votes, and so on).

Interesting. In your system, would I have to hand all of my votes over to a single delegate, or could I sub-divide the issues among multiple delegates?

In any case, I think if you game it out, what ends up happening is that the delegates need to form voting blocks to get anything past the other delegates, and you end up with extreme levels of compromise going on to the point where your input into t

Re:

[Qzukk (229616)]

or could I sub-divide the issues among multiple delegates?

I think subdivision would work best, though at that point, you're basically voting on individual issues in the first place, except instead of personally voting on each issue, you're voting on representatives for each issue. It'd also introduce interesting difficulties, for instance, how do you ensure that when you assign your vote on abortion issues to a given representative, that that representative only spends your vote on abortion issues? There'

Re:

[vidarh (309115)]

Sure it does. In a typical local election in Norway, a largish county essentially will have to tabulate votes for 500-600 candidates (there are 63000 candidates for the next local elections in Norway, or about 1.4% of the population), which include fractional votes (transferred from other lists, as you can vote for a party, but still "tack on" your favorite candidates from other parties to give them a fraction of your vote). Despite the complexities of that voting system (it's a proportional system with lot

Re:

[Grave (8234)]

I'm guessing you're from Norway, so I'll excuse you for not understanding how American government works. You see, the people we elect to "represent" us believe that existing laws are meaningless if they themselves did not write them the previous term. So any issues that arise will need entirely new legislation drafted, often with the help of the corporations and lobbying groups that funded their campaign. Hence, a simple fix to a broken paper ballot system isn't sufficient. No, we need entirely new laws

Re:Just use paper counting

[Durrok (912509)]

Whenever a story on the voting machines comes up many people present your argument. I find it fundamentally flawed however as counting by hand is extremely inefficient. Not only is it a slow, labor intensive task but it is also open to human error and other technical issues (hanging chads, etc). There is no real point of denying it, computer voting is coming. Instead of saying "Oh this new system doesn't work in it's current incarnation, we should go back to the other method" we should be asking "The new method we are trying to implement is flawed, how should we change it?"

Re:Just use paper counting

[by Anonymous Coward]

Working democracies are based on secret and unprovable votes and a transparent and voter verifiable voting process. The process is intentionally designed in a way which does not require anyone to trust anyone else. If you can come up with a computer voting system which does all that, let's hear it. Consensus among technology-minded people who have looked into the problem from a civil rights point of view seems to be that no computer voting system can work with secret and unprovable votes and at the same time be transparent and voter verifiable. (The basic idea is that, since computer systems are never verifiable as such, verifiability would have to come from being able to recount the votes in some independent way, but one would have to violate the secrecy or make votes provable to do that.)

Re:

[david.given (6740)]

Your vote was counted toward:
Bob

Good day, Mr. Smith. Mr. Jones would like to see your voting receipt now. Naturally I am sure that you voted as agreed in our little business arrangement, because if you didn't, Mr. Jones will be very upset...

Re:

[iluvcapra (782887)]

• Today and today only! 1230 AM is offering $2 for every election receipt you give us with "Bob" on it!
• Come on in to mattress warehouse for our election day special! Get a free comforter with your mattress if you have a receipt for "Bob"!
• Boss: Everybody vote today? Let's see your receipts! Uh... I wanna make sure you're all participating.

If you put a voter's choice on the walk-away receipt, you commoditize the election completely, since the receipts become a call on a vote. You can print the choices

Re:

[vidarh (309115)]

It is inefficient, but it doesn't need to be efficient, it needs to be accurate and efficient enough to be countable in a reasonable amount of time. And while an individual human is inaccurate, there is a paper trail that allowed another human or more to check the first humans work, which frequently or always does happen in most countries.

Hanging chads is a bullshit argument - I've seen nobody argue that it isn't acceptable to use a voting machine that produces a printed voting card that's guaranteed to b

Re:

[houghi (78078)]

If it ain't broke, don't fix it. Voting by hand is not broke, so why fx it?

The ONLY reason to fix it, is so it can be 'fixed' or so we can watch the outcome on the evening news, instead of two days later.

Re:

[vertinox (846076)]

"Oh this new system doesn't work in it's current incarnation, we should go back to the other method" we should be asking "The new method we are trying to implement is flawed, how should we change it?"

Forging, destroying, or disposing of 100,000 paper ballots can be done but it is rather hard and time consuming.
Forging, destroying, or disposing of 100,000 electronic ballots can be done and with only a few keystrokes.

The thing is, most of the people nay saying the loss of paper ballots aren't Luddites but are

Not hand, mechanical paper counting

[AHumbleOpinion (546848)]

Voting machines are a technical non-solution to a non-existing problem.

Agreed.

Counting votes by hand in public view is almost as fast, has much fewer things that could go wrong with them, and is intrinsically open to public scrunity like no machine system can ever be. Plus, it's cheaper.

Wrong on faster and cheaper. As the recount in some Florida counties showed in the 2000 US presidential election.

Voting on paper is fine, but the paper should be mechanically counted. Hand counts should be a last resort when the machines are unable to read a vote or are malfunctioning.

Re:

[192939495969798999 (58312)]

It's cheaper in the sense that if you need a paper recount, you have to go back to paper voting anyhow. So basically a machine vote is synonymous with a machine + a paper vote. I think that's how the paper-only vote is cheaper.

Re:

[sadr (88903)]

Let us say that a person making $10 / hour can count 1000 votes an hour. That's one cent per vote counted.

Let us assume that a person can enter one vote in 20 seconds on a voting machine. Let us assume that voting machines are busy 10 hours on voting day. Each voting machine will "count" 1800 votes in a day. So for $20, you can count more votes than the voting machine.

If each voting machine costs $400, it will take 20 elections to recoup your investment. And while there are multiple elections a year, y

Re:

[Brett Buck (811747)]

Well, obviously, it was a very serious problem in Florida in 2000. Ultimately it was proven, even by partisan hacks, that Bush would have won, but it would have taken 6 months. So paper vote counting certainly is a "problem".

      That doesn't mean that electronic voting is the solution, of course.

        Brett

Eeeeeeek

[GTarrant (726871)]

Imagine if Diebold, one of the major manufacturers of bank ATMs, hard-coded the passwords to every ATM as "12345678", or insisted to every bank that they couldn't get an ATM that gave people paper verification of their transactions, or that they couldn't guarantee to the bank that the internal records ATMs were reliable, and couldn't give any assurance that they were at all secure.

They'd never sell a single one. No bank would accept an ATM that couldn't accurately track the thousand or so transactions that they see each day, or that anyone could gain control of by typing in a few keys followed by "12345678".

And yet somehow (through much campaign cash, etc.) they managed to convince politicians that all that stuff would be too hard and unnecessary in voting machines, despite the technology already being available from the same company. That it's not hard to count accurately millions, even billions, of dollars in transactions each day, but that it's too hard to simply increase by one the count in the proper register to greater than a few percent accuracy. And despite numerous security incidents, they are still fighting tooth and nail these simple things.

I'm not convinced electronic voting is necessary...but I'm wary of any politician that keeps trying to tell me there's no need to increase the security of such systems. Unless they say they're OK with their own banks using that kind of security, voting shouldn't use it either.

Re:

[xiard (866646)]

That's a good point. Admittedly, though, the issues are somewhat different. If you could issue a magentic unique card to each voter, with a PIN that the voter picked, and have every voting machine hooked up to a network enabling real-time guaranteed transaction against a centralized voting database, then I'm sure you could get the same kind of accuracy as ATMs.

There's also the substantial issue of the requirement to handle processing all voters on the same day within a certain number of hours. That requi

Re:Eeeeeeek

[lexarius (560925)]

Idea: install the voting machines permanently, all over the place. Let people vote whenever they feel like, within about a month of the normal voting date, and see real-time results. The rest of the time, the voting machines can serve as terminals through which people can walk up and inform their local, state, or federal representatives of their opinions on various issues that will be discussed/voted on soon. Maybe even let the people actually vote on things.

Of course, DieBold shouldn't be allowed to touch this kind of thing, and someone will find a way to abuse it, but probably not any worse than we've got right now. I hope.

Secure Cellophane Bank Vaults

[by Anonymous Coward]

It's a step in the right direction, but really, is an audit even needed?

This is like building a nylon tent to hold your valuables, then performing an audit to evaluate the strength of its zipper. The entire concept is idiotic from the start.

There's a simple solution to voting machine security: use paper ballots. The machines can help you fill them out, but the result should always be a paper ballot which is the authoritative record of your vote. Simple, easy, secure. Why isn't this being done? Who knows, but it's clear the concerns of the people in charge are something other than correct vote counts.

Re:

[zippthorne (748122)]

It seems simple, but they mess that up, too. Some counties, for instance, decided to require the ballots to have holes punched in them, and since you can't expect a person to be strong enough to punch a hole in thin card-stock, the sheets were pre-weakened. This was still not sufficient as evidenced by the 2000 presidential election.

Though to be fair, in the two counties I've ever lived in in two different states, they've both used paper ballots marked with indelible marker for the elections I've voted in

Some code howlers from TFA

[noidentity (188756)]

From AV-TSX bootloader code:

void GlibPutPixel(UINT xx, UINT yy, Pixel_t Color)
{
// Check for library not initialized or (x,y) out of range
        if(FrameBuffer != FALSE || (xx < USER_X) || (yy < USER_Y))
        {
// Compute the frame buffer offset and write the pixel
                FrameBuffer[FB_OFFSET(xx,yy)] = Color;
        }
}

TCHAR name;
_stprintf(&name, _T("\\Storage Card\\%s"), findData.cFileName);
Install(&name, hInstance);

First uses logical OR instead of logical AND to check boundaries, second writes a string where there is only storage for one character!

Re:

[DaleGlass (1068434)]

To add to that, if ( FrameBuffer != FALSE ) probably intends to check whether it's a NULL pointer, but NULL isn't guaranteed to be (void*)0. Probably harmless if it happens to work right on that particular architecture, but should they switch to something else it'd be trouble.

"Plausible Deniability", Anyone?

[NickFortune (613926)]

One wonders what it will take to convince voting machine manufacturers not to do things like hard coding passwords as '12345678.'"

I can almost imagine that being a deliberate ploy. "

I'm sorry your honour, but one of our programmers (no longer under our employ) hard coded a weak password in complete disregard of coding standards. Regretably, the weakness of the password has enabled certain parties to guess what it is, and thereby subvert the electoral process. But it's not our fault."

Hanlon's Razor be dammned. In cases like this we should start assuming malice unless they can prove stupidity beyond any reasonable doubt.

Re:

[NickFortune (613926)]

maybe you should explain a little so we can all understand what you're on about

1, 2, 3, 4, 5...

[demon (1039)]

That's the same code that's on my luggage!

California decertified all machines last night

[by Anonymous Coward]

Last night California decertified all of the electronic voting machines on the market. I thought that would be a bigger story today, but haven't seen it anywhere except for blackboxvoting.org

Re:

[Volante3192 (953645)]

Oh, it would've...if Britney Spears was found voting without panties.

Or if Paris Hilton crashed into a voting machine while DUI.

Or if...yea...

Re:

[SSpade (549608)]

That's misleading. They decertified them, then recertified them with some additional security requirements.

See here: Elections chief gives OK to vote machines [sfgate.com]

Look how others do it?

[rolfwind (528248)]

One wonders what it will take to convince voting machine manufacturers not to do things like hard coding passwords as '12345678.'"

What it would take is for them to be punished in the marketplace, as in not buying the damned things.

I think we ought to go to other countries with a reputation of a good voting process and see how they do it, and with which, if any, machines they use. Because we obviously forgot how, and in some parts of the country they never had a fair voting process. No need to roll our own

Their conclusions are

[slashdotmsiriv (922939)]

Taken from the experts' review:

"Our study of the Diebold source code found that the system does not meet the requirements for a security-critical system. It is built upon an inherently fragile design and suffers from implementation flaws that can expose the entire voting system to attacks. These vulnerabilities, if exploited, could jeopardize voter privacy and the integrity of elections. An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting mach

My favourite issue

[The Hobo (783784)]

From page 51:

Issue 5.2.24: AV-TSX startup code contains blatant errors.

287 TCHAR name;
288 _stprintf(&name, _T(''\\Storage Card\\%s''), findData.cFileName);
289 Install(&name, hInstance);

Here, name is not a character array but a single character in memory. The stprintf function
expects its first parameter to be a character array, so the programmer had to use the&operator
to get the address of name, rather than its value. The result is an obvious buffer overflow. A
string that includes the filename, which could be under an attacker's control, gets copied over
whatever data resides in the memory region following name.
That this code works at all seems purely accidental. Memory corruption occurs even when
legitimate .ins files are used. An attacker who included a file with a long name or a name
containing particular characters might be able to crash the program or, possibly, execute
malicious code.
This bug sheds light on the vendor's software engineering practices, because it is a very
unusual error for an experienced C++ programmer to make. Characters and character arrays
are very different constructs in C++. Students using the language for the first time might
confuse the two, but experienced programmers who understand basic concepts like pointers
would be unlikely to confuse them. The probability that an experienced C++ programmer
would make such a mistake or overlook it during even a cursory review of the code is
exceptionally low. This suggests to us that after this code was written it was not reviewed
by any other engineers at Diebold.

That's gold Jerry! Gold!

Re:

[vidarh (309115)]

Didn't you even bother to read the sentence you quoted yourself. Fortify was used to find areas to investigate manually. These tools do have many shortcomings, but they do also find many legitimate problems. Using them to find starting points for manual investigations you might otherwise overlook is exactly the right way to use them. Believing them to produce a laundry list of actual problems is, as you pointed out, not.

Re:

[rednip (186217)]

Sorry, but to prove your loyalty, you need to go past simple 'water carrying' statements and pledge your support for the Republican party [thekansan.com], you can find the text here [blogspot.com].

Re:

[zCyl (14362)]

If a ballot-reader counts the votes, fine. We can have fast results without giving up accountability.

Look it up. Ballot readers are compromised as easily as the original machines.

An ideal arrangement is to have a printed ballot as the official ballot, and a supervised hand-counted count which is the OFFICIAL count. Then, the original voting machines can also perform an electronic tally themselves, and this electronic tally can serve as a check for the hand count. If the two differ significantly, somethin