Forgot your password?
typodupeerror
United States Bug

Diebold Voting Systems Grossly Insecure 534

Posted by michael
from the vote-early-vote-often dept.
Several well-known security researchers have examined the code for Diebold's voting machines (which we last mentioned two weeks ago) and produced an extensive report (pdf). The NYT has a story on the report, which cuts to the bone: 'Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We highlight several issues including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal.'
This discussion has been archived. No new comments can be posted.

Diebold Voting Systems Grossly Insecure

Comments Filter:
  • Ah-ha! (Score:5, Funny)

    by grub (11606) <slashdot@grub.net> on Thursday July 24, 2003 @12:58PM (#6523109) Homepage Journal

    voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal.

    Were they testing these in Florida a few years ago?
  • here we go again (Score:2, Insightful)

    by NGTV13 (240114)
    So, can't someone who knows what they're doing write some of these things? This is exactly why jon q public is afraid of things becoming 'technology rich'

    • by bjtuna (70129)
      Try actually researching the subject and you'll realize there are terrible privacy concerns with the very idea of electronic voting.
      • Re:here we go again (Score:3, Informative)

        by edverb (644426)
        A good place to start researching said privacy concern/ballot tampering is Black Box Voting [blackboxvoting.com]

        Diebold accidentally left the AccuVote source on an open FTP site (whoops), which is available here [actrix.co.nz], and Black Box Voting is asking for programmers to review and evaluate the code.
  • by Hayzeus (596826) on Thursday July 24, 2003 @12:59PM (#6523115) Homepage
    till I ascend to the Governorship of Louisiana. Start reaching into your pockets, now folks -- Big Daddy's open for Bidness!
    • by nlinecomputers (602059) on Thursday July 24, 2003 @01:57PM (#6523886)
      Your joke made me laugh. But the sad thing is that it is the whole point of voting machines.

      A paper ballot and a pen is the only form of ballot I trust. And if they don't count the ballots AT THE POLLING PLACE in plain view of the public BEFORE they ship them off to the court house you can't trust the result.

      Paper ballot boxes get tampered with all the time. A machine that most people couldn't understand is NOT going to make voting less prone to fraud. If I can't take apart the machanical voting machine to see if it works correctly and I can't look at the code of a computer program and see if it works correctly then why SHOULD I trust it?

      We allready had a major election full of obvious vote fraud(On both sides. Bush was just better at it THIS TIME. Gore was just as crooked just not as effective.) Voting machines are just one more way to cloud the issue. A voting shell game run by slick con men.

      DEMAND paper ballots! Demand that votes be counted and posted AT THE POLL. Any thing else is a sham!
      • by drooling-dog (189103) on Thursday July 24, 2003 @02:46PM (#6524408)
        I remember hearing shortly after the Florida fiasco that a truckload of ballots got "lost" overnight en route to a counting station only a few blocks away. Then, later on in the storm that ensued, no one talked about it anymore. Thereafter people (especially Republicans) talked about "hanging chads" as if the voters who cast "spoiled" ballots were stupid and thus not worthy of being counted. But this is just the kind of "spoiling" that can be accomplished long after the ballot is actually cast. I've always wondered what the statistics were on the ballots that didn't complete their quarter-mile journey until the next day...
      • Demand that votes be counted and posted AT THE POLL.

        One problem: record low voter turnout. Imagine that you're the only person who can be bothered to vote; do you really want the local election commission knowing how you voted?

        OK, granted, that's a silly extreme. However, I live in a state with many counties with tiny populations. I can imagine that the local sheriff is also the election coordinator, and given twenty people in the town with 19 of them at the Blue Party fundraising picnic, I'd hate to have said sheriff know that I was the only one who voted for the Orange Party candidate. Throwing my vote in with the 500 others from the county seems to provide a better measure of anonymity, for better or for worse.

        I'm a pretty staunch Republican in a predominantly Republican city. Still, I'd hate to be the sole Communist Party Of America or Green supporter in a small place and be afraid to vote because it could be traced back to me so easily.

      • Scrutineers (Score:4, Insightful)

        by Admiral Burrito (11807) on Thursday July 24, 2003 @03:26PM (#6524796)
        And if they don't count the ballots AT THE POLLING PLACE in plain view of the public BEFORE they ship them off to the court house you can't trust the result.

        Here in Canada (and probably most other democracies) we have "scrutineers" so the general public doesn't have to worry about that. Each candidate sends a representative to each polling station to observe and make sure things are handled properly. It is in the candidate's best interests to make sure the other guy doesn't get any unfair advantage, so as long as there is more than one scrutineer and they aren't colluding (which is less likely the more scutineers there are) the system is secure.

        Scrutineers are very effective with paper ballots, but only with paper ballots. They are not equipped to verify an electronic voting system. So yeah, demand paper ballots. Anyone promoting electronic voting is promoting the neutralization of a very important election security mechanism.

      • by decapentaplegic (540107) on Thursday July 24, 2003 @03:28PM (#6524826)
        DEMAND paper ballots! Demand that votes be counted and posted AT THE POLL

        I wish I could disagree with this. But elections here in San Francisco are so "irregular" that it doesn't even phase us when pieces of ballot boxes start washing ashore.

        http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2 002/01/07/MN185094.DTL [sfgate.com]
  • *sigh* (Score:5, Funny)

    by Ummagumma (137757) on Thursday July 24, 2003 @12:59PM (#6523117) Journal
    You would think, with all the qualified unemployed software engineers out there, they could at least hire a few...
    • Re:*sigh* (Score:2, Interesting)

      by Kierthos (225954)
      Hell, with a couple of the unqualified ones, they might have a better system....

      Although, truth be said, I'd love to see a system where they allow unlimited voting, but only a microscopic percentage of the voting public knows about it. You know, the wrong people. The kind who would "write-in" Johnny Depp as governor....

      Kierthos
      • That would make our election system a lot like Slashdot. Especially where trolling is concerned. No matter. That's what Scalia was in the 2000 elections anyway. ;P
    • Re:*sigh* (Score:5, Informative)

      by stefanlasiewski (63134) * <slashdot@NosPAM.stefanco.com> on Thursday July 24, 2003 @01:48PM (#6523784) Homepage Journal
      Very good point.

      In fact, Diebold laid off a good number of their QA, code integrity staff and software developers in late-2001/early-2002, when this product was under heavy development.
    • by Convergence (64135) on Thursday July 24, 2003 @01:49PM (#6523795) Homepage Journal
      This is a computer programmed by invisible software. The only record of a vote is a little counter in the guts of the computer program. There is absolutely no way to make it secure. Any system that records votes directly electronically is wide open.

      The only difference is who can commit vote fraud. Now anyone who walks up to the machine can commit vote fraud. Even if all of these bugs fixed, large classes of vote fraud remain. The only difference would be that any random person on the street couldn't cheat. However, any custodian would still be able to re-image the drive. Any programmer at Diebold would be able to embed a trapdoor. In short, anyone with exclusive access to open the machine can cause it to cheat. And this 'best case' is only if they fix all of the bugs.

      Thats not a lot better. Even the writers of the paper couldn't make a cheat-proof DRE voting program. If an adversary controls the hardware, they control the software. Fundamentally, any non-trivial computer system is not trustworthy; any system whose security depends on a computer should be transformed where the security no longer depends on the correctness of the computer.

      For instance, the only nominally trustworthy computer voting scheme is to have the computer be nothing other than a super-intelligent pencil. The voter uses the computer which prints out a paper ballot. The user observes and confirms the paper ballot is correct, then the ballot is dropped into a box. The computer may record results, but as the computer is untrustworthy, those results are untrustworthy. Now, the security and trustworthyness of the computer doesn't matter.

      Every security researcher, including the authors of the paper advocates this scheme, but they are ignored by election officials. This includes the two professors who authored the paper, Peter Neumann, and Douglas Jones from the NY Times article, Rivest---the R in RSA--- and hundreds of others.

      See: http://www.verifiedvoting.org/index.asp

      This is a secure voting system. Brazil has it (and at a tenth the price). Any system without a printer requires 'trusted hardware' in an adversarial environment. Control the hardware, control the election.

      • What about secure coprocessors [ibm.com] running open-source software?

        There are still issues involved there, particularly with the loading of the coprocessors. (Distribution of the coprocessors shouldn't be an issue because they can prove their identity if the loading is done correctly.) But I would argue that if one threw enough money and effort at that single step, it could be made open and secure as well.

        The other issue is the terminal between the coprocessor and the user. It seems to me that as long as the
  • by kryzx (178628) * on Thursday July 24, 2003 @12:59PM (#6523119) Homepage Journal
    Here the bit from the article that I find most interesting. To have security flaws is one thing. To not fix them even after you know about them is another.

    'But Douglas W. Jones, an associate professor of computer science at the University of Iowa, said he was shocked to discover flaws cited in Mr. Rubin's paper that he had mentioned to the system's developers about five years ago as a state elections official.

    '"To find that such flaws have not been corrected in half a decade is awful," Professor Jones said.'

    • Let this be a lesson to all those that say full disclosure for security issues is wrong and/or dangerous. :)
    • Flaws? I thought they were features...
    • From NYT:

      "We're constantly improving it so the technology we have 10 years from now will be better than what we have today," [Diebold guy] Mr. Richardson said. "We're always open to anything that can improve our systems."

      Like making them non-useless?

    • by Anonymous Coward on Thursday July 24, 2003 @02:06PM (#6523979)
      Let me tell you a story about Diebold.. I almost went to work for them in their North Canton, OH office in the mid-nineties. They were doing some smartcard work themselves (research) and some interested crypto projects that I thought would keep me busy. At least, that was the story I got during the interviews.

      But then I talked to a low-level employee. He was worried because they kept laying off staff, then employing new people. Seems that once a project was "done" (meaning, shipped first version, wrote up your research findings, etc.) they had the nasty habit of laying off the entire team. They would literally hire a team to do a job, then fire them for each project. There was no continuity between versions of software (if there were any), and things tended to languish, while they tried to make a quick buck.

      And based on what I was told, this wouldn't be the first time that one of their products was wholly insecure from the get go. Don't get me started on their ATMs piss-poor security features from that time. Things just didn't get fixed until someone got screwed.

      PS. I turned down their generous offer of employment.
    • by thinmac (98095) on Thursday July 24, 2003 @02:07PM (#6523994) Homepage
      I just checked out the EFF's [eff.org] website, and they have a page where you can read a letter they've prepared about the security of electronic voting systems and the need for open source in that area, sign a copy electronically, and have it sent to your representative. Personally, I'm going to send paper copies, but I can damn well gauruntee that all my representatives in both the House and Senate will be getting copies.

      The page is right here [eff.org]. Let the people who can make changes in this area know that this is important!
    • by pmz (462998) on Thursday July 24, 2003 @02:19PM (#6524116) Homepage
      '"To find that such flaws have not been corrected in half a decade is awful," Professor Jones said.'

      I'm not suprised by this at all. Problems, even very big glaring problems, get stuck in software early on due to naive design decisions, but they persist due to management's unwillingness to either admit the problem is there or put forth the resources to start again from scratch. The result is software that doesn't deliver, cost five times more than if they had started over, and everyone involved feels dirty for having been a part of it.
  • Security flaws or rigged voting procedures...either way someone will be able to alter the election.

  • Well...DUH!!! (Score:2, Insightful)

    by Pig Hogger (10379)
    Who in his right mind would trust a closed-source voting system whose binary executable image is not verifyable by CRC???
  • google (Score:4, Informative)

    by gokubi (413425) * on Thursday July 24, 2003 @12:59PM (#6523126) Homepage
    story [nytimes.com]
  • Well yeah! (Score:5, Funny)

    by cspenn (689387) <financialaidpodcast@@@gmail...com> on Thursday July 24, 2003 @01:00PM (#6523141) Homepage Journal
    You can't expect a secure voting machine! I mean, how else can [insert current party in power] rig the next election unless the machines are grossly insecure?

    What, you were expecting fairness?
  • Aha! (Score:5, Funny)

    by TerryAtWork (598364) <research@aceretail.com> on Thursday July 24, 2003 @01:01PM (#6523151)
    That explains why the L337 P4rt'/ swept the last elections....

  • by ansak (80421) on Thursday July 24, 2003 @01:03PM (#6523175) Homepage Journal
    Anyone who's even briefly perused comp.risks [comp.risks], even before the post-US-Election-2000 debacle, wouldn't be the least bit surprised by these conclusions.

    Scottie's Law strikes again (from Star Trek III): "The more they back up the plumbing, the easier it is to stop up the drains." The simpler the voting system (the less mechanical, electronic, electro-mechanical etc. etc.) is the less open it is to fraud (both officially and unofficially perpetrated) or error (both innocent and culpable).

    One more reason I'm glad to live in Canada...
  • Feature? (Score:2, Funny)

    by fraudrogic (562826)
    For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal

    Diebold Salesman: "This is a feature, an unintentional extra for your customers!"
  • Voting problems (Score:2, Insightful)

    by Casisiempre (691255)
    There are always voting problems. You can fairly easily falsify paper ballots too with $100 worth of equipment. It is even easier in those areas (like Oregon) where all voting is done through the mail. Although there is no excuse to allow known bugs to stick around, there most likely will always be bugs/flaws in whatever method you use for voting.
  • CBN2004 (Score:5, Funny)

    by blowhole (155935) on Thursday July 24, 2003 @01:03PM (#6523190)
    Cowboyneal for office!

    Reporter: "Mr. Neal, under what platform are you running?"
    CBN: "Redhat Linux 9"
    Reporter: "..."
    • Although the RedHat platform is the prefered policy for the Large corporations, the left leaning lobby seems to support the Debian ideology.

      Other inerest groups, including the Anarchists and the Willingly Unemployed Caucus, have called for "More Slack", but this reporter has been unable to determine any consistant policy in the Slackware platform.

      In other news...

  • by SoCalChris (573049) on Thursday July 24, 2003 @01:03PM (#6523191) Journal
    Any time there is a system, someone will be able to break or hack it. Especially a closed system that isn't open to scrutiny.

    At least with the current voting system, while you're there you see everyone being handed 1 ballot, and turning in just 1 ballot. You see the ballot go in the sealed box. There's no secret about what your vote is doing, and no confusion about whether the vote was cast or not, or if anyone is turning in multiple ballots.
  • Open Source? (Score:5, Interesting)

    by chundo (587998) <jeremy&jongsma,org> on Thursday July 24, 2003 @01:04PM (#6523192)
    Time to start a viable open-source voting-machine project. These guys [free-project.org] started something promising, but it looks like development has ceased. Anybody know of a decent, active open-source electronic voting system?

    -j
    • Because, needless to say, even if your election officials publish source code for voting software, it's still a bit tricky to be certain that said voting software is actually what's running on the voting machines.

      I'd like to see a really verifiable election process; check out http://www.vreceipt.com/ for an example system, which makes it essentially impossible for anyone to change or not count your vote. (It doesn't seem to prevent votes from being added, but that's a much easier problem to solve in meats
  • Yay! (Score:5, Funny)

    by JanusFury (452699) <kevin DOT gadd AT gmail DOT com> on Thursday July 24, 2003 @01:04PM (#6523193) Homepage Journal
    It says in the article that this company makes ATMs. I think I'm going to go get some free money.
    • Re:Yay! (Score:3, Insightful)

      by ewhac (5844)

      Nope.

      You see, Diebold's customers for ATM machines -- the banks -- have a vested interest in making certain that no money leaves their hands that isn't supposed to. Even their internal practices and procedures assume the employees to be untrustworthy. So the banks obviously gave Diebold a requirements document that ensures that no money leaves an ATM that isn't supposed to.

      OTOH, Diebold's customers for voting systems -- the Republicans (yeah, I know, cheap shot, so sue me) -- have a vested interest in

  • Not suprised (Score:2, Interesting)

    by Plug1 (588101)
    Considering the fiasco that was the Presidential election can anyone say that they are suprised? This company will make alot of money serving the special interests of some political party. By making it insecure they insure that politicians will again be able to steal the vote from the people, with all the real evidence of this being reported in the British press. Your votes mean nothing even moreso now.
  • Here's an article (Score:5, Interesting)

    by Tarindel (107177) on Thursday July 24, 2003 @01:06PM (#6523228)
    that I ran across a few weeks ago: http://www.cronus.com/electionfraud [cronus.com]

    It IS interesting to note how many dollars have flowed between Diebold and the Republican party...
    • Pure Speculation (Score:3, Insightful)

      by TrollBridge (550878)
      What's so 'interesting' about their little observation? Their implication that Republicans rigged the Georgia election is based purely on baseless speculation, and is absent of any facts to support their claim. After reading that, I had a hard time taking anything else in the article seriously.
  • Wow... (Score:5, Interesting)

    by mhayenga (684912) on Thursday July 24, 2003 @01:06PM (#6523233)
    Their security there sounds a lot like their security here at UT...

    For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal

    The vending machines here around campus (using a diebold system) were used by almost 600 students to get "free" food... In an audit they detected it... Full text here [dailytexanonline.com]

  • Old Saying (Score:5, Insightful)

    by DogIsMyCoprocessor (642655) <dogismycoprocessor@nOspam.yahoo.com> on Thursday July 24, 2003 @01:06PM (#6523238) Homepage
    Never ascribe to malice anything that can be explained by stupidity.

    Some people, in comments widely circulated on the Internet, contend that the company's software has been designed to allow voter fraud. Mr. Rubin called such assertions "ludicrous" and said the software's flaws showed the hallmarks of poor design, not subterfuge.

    • Re:Old Saying (Score:3, Insightful)

      by Angst Badger (8636)
      Never ascribe to malice anything that can be explained by stupidity.

      It's more than just stupidity; as the article notes, some of these problems have been known -- and left uncorrected -- for five years. It may not yet rise to the level of malice, but it certainly qualifies for utter laziness and gross negligence.

      If this were a medical device whose flaws were causing patient deaths and the manufacturer knew about it for five years, stupid would be a rather mild word for the manufacturer.

      On the other han
  • by Gzip Christ (683175) on Thursday July 24, 2003 @01:07PM (#6523248) Homepage
    In practical terms, this means that elections will go from being controlled by corporations to being controlled by script kiddies. Cool! CowboyNeal for president in 2004!
  • by PontifexPrimus (576159) on Thursday July 24, 2003 @01:08PM (#6523262)
    "This is an iceberg that needs to be hacked at a good bit," Mr. Neumann said, "so this is a step forward."
    Isn't that a rather poor choice of words when talking about program code? And is hacking an iceberg permissible under the DMCA?
  • Also read... (Score:2, Informative)

    by DrCreep (564670)
    Found this a while back on

    www.whatreallyhappened.com

    http://www.infernalpress.com/Columns/election.ht ml

  • On purpose? (Score:3, Interesting)

    by DrWho520 (655973) on Thursday July 24, 2003 @01:10PM (#6523285) Journal
    How can such grossly negligent design be produced by someone who wanted such a system to succeed. I do not know why someone would not want this type of system, I only proposed the possibility.
  • by holt_rpi (454352) on Thursday July 24, 2003 @01:10PM (#6523287)
    From the NYT Article:
    The systems, in which voters are given computer-chip-bearing smart cards to operate the machines, could be tricked by anyone with $100 worth of computer equipment, said Adam Stubblefield, a co-author of the paper.


    "With what we found, practically anyone in the country -- from a teenager on up -- could produce these smart cards that could allow someone to vote as many times as they like," Mr. Stubblefield said.
    It would be interesting to see how worried Diebold is about fraudulent misrepresentation in its voting machines as opposed to its ATMs. I wonder aloud how vigilant they are (read: how much money they spend in a year) in each area.

    Just from the above quote, this doesn't sound like the kind of security that any bank would tolerate. Is this a case of lawmakers awarding contracts under duress after being wowed by cool "tecknoligee" in order to avoid being the next "Florida 2000," or is Diebold simply a victim of its own success for having potentially higher standards for commerce than voting?

    [sarcasm]
    It almost seems like the authentication process to make this work would need something as stringent as, say, a National ID card [privacy.org]...

    Ooh, and we could use a Poll tax [wikipedia.org] to pay for the equipment!
    [/sarcasm]
    • "With what we found, practically anyone in the country -- from a teenager on up -- could produce these smart cards that could allow someone to vote as many times as they like," Mr. Stubblefield said

      Ahh, yes. But if DirecTV has their way, posessing equipment to program SmartCards will be illegal [slashdot.org].
  • Finally, the hackers can get someone they like into office. It might even mean the end of the two party system, when mysteriously 300 million (out of 210m) vote for a third party ;o)
  • I guess the FBI and NSA will be tripping over each other to get DirectTV's list [slashdot.org] of people who've bought card programmers. Last week you were just a potential thief. This week, you're a potential anarcho-terrorist.
  • FidoNet handled this (Score:4, Interesting)

    by TerryAtWork (598364) <research@aceretail.com> on Thursday July 24, 2003 @01:16PM (#6523374)
    In FidoNet elections you sent in your vote with a one-time password.

    The election results were sent to all voters with a list of all the passwords who voted for each candidate. You checked to make sure yours was in the right category.

    This is still hackable, though, simply by custom generating for each voter a message with their vote in the correct category, but enough other passwords in the cheating candidate to make sure they win.

    Whats the way to handle this properly in a world of PKI and the web?

  • by cybermace5 (446439) <g.ryan@macetech.com> on Thursday July 24, 2003 @01:26PM (#6523499) Homepage Journal
    A couple years ago, some guys I knew in school were testing voting machines as their senior project. Basically they did every possible thing they could think of, to see how idiot-proof the machines were. Card in backwards, different speeds, bumps, button-mashing, etc.

    Actually I think they were only allowed to test machines from two out of four companies. The companies were quite rude about the idea of some external group testing their machines. They would not provide a machine for testing, and actually forbade them from finding one of their machines elsewhere and testing it. They were threatened with legal trouble if they performed an "unauthorized" test and released the results.

    They probably had good reason to be so wary. On one of the other machines at least, I believe you could vote twice by zipping the card through quickly or something. I don't recall exactly what you had to do, but it apparently wasn't difficult to learn or accidentally come across.
  • No Surprise Here! (Score:5, Interesting)

    by mildness (579534) <bill AT bamph DOT com> on Thursday July 24, 2003 @01:27PM (#6523521) Homepage
    NDAs must have expired by now so...

    Almost exactly 20 years ago Chase Manhattan Bank tasked my buddy Charles (?) and I to hack thier Diebold branch alarm system.

    To our surprise it used a simple lookup table. The mainframe would poll a branch asking about a specific alarm. The server located at the branch would respond with a code for "OK".

    THE SAME CODE EVERY TIME!

    We cut the telco lines and alligator clipped our TRS-100 (way cool early laptop) and using a BASIC program did a look-up (which my partner wrote a coolie algorithm for), responded "Everything's OK Here!", and went to lunch.

    After screwing off for several hours we told our managers that we had spoofed thier branch alarm system.

    They traveled to Diebold who swore up and down how great thier encryption was. The Chase guys slid our report across the table and watched the Engineers turn white as ghosts as they read it.

    HAHAHAHAHA What a bunch of dumbasses!

    The Moral of the Story: Don't trust your security vendors.

    Cheers! (:-{)}

    Bill

    • Re:No Surprise Here! (Score:5, Interesting)

      by LostCluster (625375) on Thursday July 24, 2003 @01:46PM (#6523742)
      True security is impossible. Just can't happen, don't pretend you've done it. Real security is a matter of how hard can you make it to violate the system, and how hard can you make it to cover up any violations.

      In the case of any voting system allowing extra votes, that should be able to be solved by a simple external checksum. If there's more votes in any race than people who passed through the doorway, you've got a problem.
  • by Rogerborg (306625) on Thursday July 24, 2003 @01:29PM (#6523541) Homepage
    In a democracy, we'd have to go to the expense of counting the actual votes. In our brave Republic, our leaders save our tax money by deciding in advance who will win and how many votes they'll get, so we can get back to our bread and circuses. God save the Ki- President!
  • by JessLeah (625838) on Thursday July 24, 2003 @01:35PM (#6523625)
    ...but in practice, it could simply be used as an argument FOR centralized, online voting. Please note that the current e-voting system currently in testing is Windows-specific... this could end up being a very bad thing. ("To vote, you must run one of the following operating systems: Windows 2000, Windows XP, Windows ME, Windows 98. Other systems are not supported on www.evote.gov at this time. We apologize for any inconvenience this might cause...")

    I KNOW I'm paranoid, but still...I like to think long-term.
  • by 73939133 (676561) on Thursday July 24, 2003 @01:37PM (#6523652)
    We have already known for a long time that ATMs are badly flawed as well when it comes to security. Even the basic technology is completely outdated and insecure: magnetic strips with four digit pins are just an abomination when it comes to security. The solution has been for banks to deny the problem, blame customers, and pass on any losses that result from fraud that they can't blame on customers to other customers.

    So, does it come as a surprise that companies that can't produce minimally secure ATMs can't produce minimally secure voting machines either? Blaming Floridians for "hanging chads" (talk about a broken user interfaces) clearly was only the beginning.

    If we want secure voting machines, ATM manufacturers are the last people to go to because they already have proven to be incapable of handling computer security. The only thing they seem to be able to do is make big, heavy metal boxes and pretend that that constitutes "security".
    • by kmac06 (608921) on Thursday July 24, 2003 @01:44PM (#6523714)
      When a bank loses money due to a fraudulent ATM transaction, they pay for it. Yes, the customer pays for it in an abstract sense, but you know what I mean.

      If the bank thought they could save money by upgrading ATMs, they would do so, and pocket the extra money. Obviously they don't think so.
      • by 73939133 (676561) on Thursday July 24, 2003 @02:14PM (#6524060)
        If the bank thought they could save money by upgrading ATMs, they would do so, and pocket the extra money. Obviously they don't think so.

        That is all very true, but that doesn't make it any better. To the bank, an occasional $2000 fraud isn't a big deal--it's a little money added on to some fees, maybe they lose the customer that was defrauded, and putting a secure ATM infrastructure in place would indeed be much more expensive. But to the person losing $2000 and spending hours on the phone trying to get the money back and trying to restore their good name, the loss is much bigger than the financial loss to the bank. That is what makes the bank's attitude so callous. In fact, banks should face stiff penalties when fraud does occur so that their financial objectives are brought in line with the harm they cause; then, they would fix ATMs.

        For voting machines, the situation is even worse: there is little or no auditing or verification possible, either for individuals or auditors, and nobody loses money from misregistered votes. So, if the ATM vendors reason the same way for on-line voting as they do for banking, the kind of reasoning you applied, then they really don't care at all about security. And that's just what we are seeing. And that is exactly the reason why ATM vendors are completely unsuitable to handle these things: they have already demonstrated that they will optimize for profit, not for security. For creating on-line voting systems, we need organizations that are dedicated to security, not profit maximization.
  • Paper 1.0 (Score:5, Interesting)

    by LostCluster (625375) on Thursday July 24, 2003 @01:38PM (#6523656)
    I think all of the electronic voting systems have taken it all too far. What they should be doing is creating a nice glossy touchscreen interface that is clear and easy to read, to allow people to create a PAPER BALLOT that is properly marked. The ideal printout would both be human readable and machine readable for easy counting and recounting. Let physical, rather than technical security processes make sure that people put only one ballot into the box that counts, and voters can have unlimited attempts at trying to get the paper ballot to say what they wanted to say.
  • by SiliconEntity (448450) on Thursday July 24, 2003 @01:50PM (#6523811)
    This is a good analysis, but I think a few of the criticisms are off base.

    First, a number of the supposed weaknesses they present are not actually exploitable; all of the ones relating to the file systems on the voting machines, for example. They offer no proposals for how an attacker could get access to these file systems or alter the files. It's not like he can just stick in a floppy and get it to run his favorite hacking program. As long as these are closed systems running the designer's software, there is no need for file system protection.

    Second, many of the smart-card related attacks present far-fetched scenarios for how a hypothetical attacker could discover the weakness. This is a common flaw among such analyses; working with 20-20 hindsight, the researchers attempt to put themselves in the shoes of an attacker who doesn't have access to the source code but who always guesses right about how things work. It is far-fetched at best to propose that someone could cut the cable to the smart card reader in the voting booth, install some kind of monitoring device, inspect the protocol between machine and card, and then go home and use the data to deduce how to manufacture forged cards. Yet that is exactly what the authors suggest.

    In truth, the real weaknesses of the system are the implicit assumption that the source code would be kept secret. Security through obscurity works only as long as the obscurity is maintained. If the code is leaked or stolen, these assumptions are violated and the system becomes insecure.

    In this context, then, the real question is whether this is a true and up to date representation of the code that is implemented in the machines. One question I had was if so, why they weren't able to validate any of their assumptions about how poll workers were trained to operate the machines by referring to training manuals or at least verbally contacting some workers. At this point it seems to be entirely hypothetical whether this code is actually being used in any current voting machines, and therefore whether the attacks presented would actually work in the field.
  • DMCA in action! (Score:5, Interesting)

    by bigberk (547360) <bigberk@users.pc9.org> on Thursday July 24, 2003 @02:04PM (#6523955)
    From the report:
    A large amount of the other data made publicly available was protected by very weak compression/encryption software known as PKZip, which requires a password for access to the underlying work. PKZip passwords are relatively easy to avoid, and programs for locating passwords for PKZip files are readily available online. Moreover, passwords that others have located for these files have been freely available online for some time. Nonetheless, we decided to limit our research to only the files that were publicly available without any further effort, in part due to concerns about possible liability under the anti-circumvention provisions of the Digital Millennium Copyright Act.
    Now that's kind of funny, isn't it? You have here a system which everyone agrees should be inherently secure. The developers use extremely weak (PKZip) passwords to protect some of their work, probably the more important components. Researchers can not break the password, however, because they will violate the DMCA.

    On the other hand, criminals, terrorists, and anyone else who wants to corrupt the voting process can easily break the password and discover how to mess up the voting.

    Now that's the DMCA in action, protecting your freedom! Oh yes, the DMCA is going to be just excellent for technology research and innovation.
  • by bjtuna (70129) <brian AT intercarve DOT net> on Thursday July 24, 2003 @02:19PM (#6524117) Homepage
    The author of this paper, Dr. Rubin, taught a class at Johns Hopkins University this past spring called Security and Privacy in Computing. I was lucky enough to be in this class. The semester-long project was to design and implement a prototype electronic voting system that solved the problem of "remote poll sites". Basically, the State of Washington had commissioned Dr. Rubin to deliver a system whereby a voter could cast his vote at ANY voting station in the state, and not have to go to his specific poll site. This sounded great: you wouldn't have to lose a day of work so you could vote at the local high school... you could vote at the little kiosk near your office.

    Unfortunately the idea doesn't work. The reason is that you would need every kiosk (or polling station) to be connected to some sort of network in realtime in order to retrieve ballots, cast votes, and update voter status. The problem with this is that you have now created a network that is vulerable to DoS attacks. It wouldn't matter how you structured your network for performance... the minute someone snips a wire at any given kiosk, you have two choices:
    1) make that kiosk unavailable for voting
    2) still accept votes at that kiosk, but cast them provisionally.

    #1 is dangerous because now I could cut the wires at EVERY kiosk I could find (or packet the network, or whatever) and bring the election to a halt.

    #2 is dangerous because the more kiosks I bring down, the more ballots will be cast in which the voterID (which reveals his name, etc) is tied to the ballot. Loss of voter anonymity is unacceptable in American democracy.

    So what happens if you just leave all the kiosks offline and give them all a copy of the master voter registration db? Now you've opened yourself up to voter fraud: you could go from kiosk to kiosk, casting multiple ballots as yourself. If you stuck with voter anonymity, and each of those ballots were cast anonymously, how would the final tallying system know that you cast duplicate ballots? How would it know which to throw out?

    I'm told Dr. Rubin's grant from the State of Washington was eventually rescinded, I suspect because there's no good way to solve this problem, as well as a few others which I will not go into detail about here.

    I have described this problem in the following other Slashdot posts:
    http://slashdot.org/comments.pl?sid=61340&cid=5769 144 [slashdot.org]

    http://slashdot.org/comments.pl?sid=61875&cid=5801 851 [slashdot.org]
  • by Angst Badger (8636) on Thursday July 24, 2003 @02:24PM (#6524183)
    When I was in the eighth grade, our computer teacher wrote a voting program in BASIC to run on our Apple IIs. One of my classmates exploited a security hole (okay, he pressed CTRL-C) in order to examine the source code. He found that our devious computer teacher had written the program so that a vote for Reagan counted as 1.5 votes, and a vote for, um, Mondale or whoever it was, counted as .5 votes.

    So this raises the question -- what's to keep unscrupulous officials from rigging an electronic election? And equally importantly, what technologies and procedures are in place to detect vote fraud after the fact? Analog elections involve a fairly solid system of observers to prevent fraud. It's not perfect, but it usually works. In an electronic election, who will verify the validity of the code in the first place, and after the election, who will check each and every machine to make sure it hasn't been tampered with? I mention each and every machine because only one machine would be necessary to completely skew the numbers in any given precinct.
  • by Featureless (599963) on Thursday July 24, 2003 @02:41PM (#6524341) Journal
    Q: But this is America - who would dare rig an election here?

    A: The first person that thought they could get away with it.
  • Hilariously bad. (Score:3, Informative)

    by Bowie J. Poag (16898) on Thursday July 24, 2003 @02:46PM (#6524409) Homepage

    Makes you wonder why they don't use ATMs as a blueprint for voting systems.

    Does a voting system *really* need Windows 2000 as a base? Or any version of Windows, for that matter?

    Hell, *DOS* is an overkill for this sort of application.

  • by ewhac (5844) on Thursday July 24, 2003 @03:00PM (#6524555) Homepage Journal

    Another bunch of guys who cobbled together a report on Diebold's laughable voting machines is available here [scoop.co.nz], complete with plenty of screen shots.

    Schwab

  • by mcwop (31034) on Thursday July 24, 2003 @03:36PM (#6524944) Homepage
    It happened

    See Here [papillonsartpalace.com]

  • Simple Solution (Score:3, Insightful)

    by Tony (765) on Thursday July 24, 2003 @04:05PM (#6525243) Journal
    I don't know if this has been offered as a solution yet, but the easiest way to verify an election is to keep a paper trail.

    When a person votes, the machine should spit out a piece of paper with the voter's choices listed. The voter verifies the paper, then slides the paper into a slot (in much the same way many current voting machines accept the voter card).

    In that way, the voting machines can automate the tabulation, and we can avoid any hanging chads; but the paper trail still exists.

    Are there any flaws with this?
  • by Fantastic Lad (198284) on Thursday July 24, 2003 @10:39PM (#6528674)
    What happens next?

    A couple of my friends are betting on Shrub hitting the 'Emergency' button and instigating a total lock-down of the U.S., suspension of all rights and the firing up of the 800 or so empty but staffed and waiting American concentration camps [sianews.com] sitting idle around the nation. "Night of Long Knives" and all. . .

    While this IS planned, no doubt, I tend to feel (make that fevrently hope) that we're not quite there yet.

    Here's a quote from a recent interview [rense.com] with Eustace Mullins. . .

    You know Howard Dean's campaign chair is Stephen Grossman, ex- president of AIPAC...

    OH MY GOD! He is? Well, Jewish money is buying this campaign...

    Dean's another blank slate. He's never done anything, and they're raving about him. When you see someone become the darling of the media, watch out for someone like that. You know they're compromised...compromised forever, you can't expect anything from them.

    --Keeping in mind that 'Jewish Money' would more aptly be called 'Zionist Money'. Zionism doesn't have the best interests of the Jews at heart by a long shot!

    Moderators. . . Please at least glance at the link info before you label this message 'Troll' (it's not. I don't have a deficient ego.) If you can't deal with this stuff, please get your fear levels under control rather than irresponsibly use your mod points. This stuff is here and it affects everybody. Cringing denial won't make it go away. Best to learn what it out there so that it can't hurt you.


    -FL

"Marriage is like a cage; one sees the birds outside desperate to get in, and those inside desperate to get out." -- Montaigne

Working...