Diebold Voting Systems Grossly Insecure
Several well-known security researchers have examined the code for Diebold's voting machines (which we last mentioned two weeks ago) and produced an extensive report (pdf). The NYT has a story on the report, which cuts to the bone: 'Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We highlight several issues including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal.'
Re:Ah-ha! (Score:0, Informative)
No, they were using a ballot designed by the Democratic Party, home of such paragons of fair voting as Richard Daley Sr., Tammany Hall, and "Landslide" Lyndon Johnson.
Also read... (Score:2, Informative)
www.whatreallyhappened.com
http://www.infernalpress.com/Columns/election.html
Are Diebold ATMs more secure? (Score:5, Informative)
Just from the above quote, this doesn't sound like the kind of security that any bank would tolerate. Is this a case of lawmakers awarding contracts under duress after being wowed by cool "tecknoligee" in order to avoid being the next "Florida 2000," or is Diebold simply a victim of its own success for having potentially higher standards for commerce than voting?
[sarcasm]
It almost seems like the authentication process to make this work would need something as stringent as, say, a National ID card [privacy.org]...
Ooh, and we could use a Poll tax [wikipedia.org] to pay for the equipment!
[/sarcasm]
Re:Well...DUH!!! (Score:3, Informative)
Why would you trust [acm.org] the CRC?
Secondhand experience (Score:3, Informative)
Actually I think they were only allowed to test machines from two out of four companies. The companies were quite rude about the idea of some external group testing their machines. They would not provide a machine for testing, and actually forbade them from finding one of their machines elsewhere and testing it. They were threatened with legal trouble if they performed an "unauthorized" test and released the results.
They probably had good reason to be so wary. On one of the other machines at least, I believe you could vote twice by zipping the card through quickly or something. I don't recall exactly what you had to do, but it apparently wasn't difficult to learn or accidentally come across.
Re:Don't you realize that ... (Score:3, Informative)
Read all about it [gregpalast.com]. [PDF] Get over that.
Re:*sigh* (Score:5, Informative)
A bunch of people at work were saying the SAME THING YOU ARE. They said their skills were current, had qualifications, and were good at their job. Now, it's 3 months later and they're still outta work.
Sure, I know some people (from elsewhere) that got jobs reasonably quick, but that's because they KNEW SOMEONE on the inside, or had some high connections. I'm not being bitter, they've admitted it to me.
Some people with jobs or in school tend to think that everything is fine-and-dandy for people so long as they know their stuff and look hard. But those people are usually the first to start freaking out that they can't find jobs.
It's a cliche, but in today's market it's not what you know, but who you know.
Re:*sigh* (Score:3, Informative)
I can agree with that. The startup I work for is starved for qualified coders -- but half of what we seem to hire these days are people with unremarkable skills who are old friends with our VP of Engineering. He'll personally vouch for the qualifications of each and every one of them, though.
*sigh*.
Re:*sigh* (Score:5, Informative)
In fact, Diebold laid off a good number of their QA, code integrity staff and software developers in late-2001/early-2002, when this product was under heavy development.
Re:Flaws still unfixed after ***5 Years*** (Score:5, Informative)
But then I talked to a low-level employee. He was worried because they kept laying off staff, then employing new people. Seems that once a project was "done" (meaning, shipped first version, wrote up your research findings, etc.) they had the nasty habit of laying off the entire team. They would literally hire a team to do a job, then fire them for each project. There was no continuity between versions of software (if there were any), and things tended to languish, while they tried to make a quick buck.
And based on what I was told, this wouldn't be the first time that one of their products was wholly insecure from the get go. Don't get me started on their ATMs' piss-poor security features from that time. Things just didn't get fixed until someone got screwed.
PS. I turned down their generous offer of employment.
Do something about it! (Score:5, Informative)
The page is right here [eff.org]. Let the people who can make changes in this area know that this is important!
Re:Flaws still unfixed after ***5 Years*** (Score:4, Informative)
I'm not surprised by this at all. Problems, even very big glaring problems, get stuck in software early on due to naive design decisions, but they persist due to management's unwillingness to either admit the problem is there or put forth the resources to start again from scratch. The result is software that doesn't deliver, costs five times more than if they had started over, and everyone involved feels dirty for having been a part of it.
Re:Don't you realize that ... (Score:1, Informative)
First, take a look at Mr Palast's [gregpalast.com] website. That is not the place to go to find unbiased information about the election- Palast appears to have staked his career on attacking Bush and conservatives in general. He also has a significant financial interest in promoting his version of the story to sell his book.
Now let's talk about what really happened. Mr Palast wants people to believe that there was a vast conspiracy by Jeb Bush and Katherine Harris to keep minority and democratic voters from voting, but the facts just don't support that.
After discovering widespread fraud where several convicted felons and even dead people voted in a 1997 Mayoral election, the Florida legislature (not the Governor or Secretary of State) passed a law that called for a statewide list of convicted felons to be generated.
In 1998, Elections supervisor Ethel Baxter (a Democrat) contracted with Database Technologies to compile the list (Database Technologies later merged with Choicepoint). The list had about 57,000 names on it.
According to the Florida Statute, the intent of the list was to generate as many possible matches as they could. This list was then forwarded to each county where the County Election Supervisors were required to verify the names before they took any action against the voters.
Many counties decided to ignore the list completely. However, if somebody actually was incorrectly kept from voting, by law the county election supervisor (once again, not Jeb Bush or Katherine Harris) is to blame.
If the County Elections Supervisor did validate a name as being a convicted felon, the voter was given notice well in advance of the election that their name had been removed from the voter registration, and they were given a procedure to dispute the decision.
Aside from some anecdotal evidence of minorities being turned away at the polls, there are no actual documented cases of people being incorrectly kept from voting. When the Federal Election Commission held hearings about the election, NOBODY stepped forward to claim that they were denied the right to vote.
The NAACP, who was called in to Florida to represent the minority voters, states very plainly in this settlement [naacp.org] that the "Plaintiffs have not alleged that Defendants acted in a purposefully discriminatory manner toward any group". The NAACP also concedes that most of the changes that they requested were already implemented before they filed suit.
Katherine Harris had very little to do with any of this, and Jeb Bush had absolutely nothing to do with it. The law was passed by the legislature, the firm was hired by a democrat, and the final decision on each name on the list was made by the individual counties!
So Palast's shocking story boils down to this:
-Out of the 57,000 people on the list, an unknown number of them were not felons
-Out of that unknown number of innocent people, an unknown number actually lived in counties that decided to use the list
-Out of that unknown number, an unknown number were incorrectly verified by the County Election supervisor and removed from the voter registration
-Out of that unknown number, an unknown number didn't follow the procedure to dispute their removal from the voter registration
-And out of that unknown number, probably about 50% of them would have actually voted anyway (voter turnout)
Palast wonders why nobody else is talking about this- it's because this isn't a story at all!
Hilariously bad. (Score:3, Informative)
Makes you wonder why they don't use ATMs as a blueprint for voting systems.
Does a voting system *really* need Windows 2000 as a base? Or any version of Windows, for that matter?
Hell, *DOS* is an overkill for this sort of application.
Online Petition re: Computers/2004 Elections (Score:2, Informative)
Sponsored by Martin Luther King III and Greg Palast [gregpalast.com] (author of "The Best Democracy Money Can Buy") this petition calls for a halt to computerizing the elections until the process is shown to be resistant to manipulation, fraud, and racial bias.
Read some of Palast's book (pertinent chapters available on his website) for the hardest-hitting investigation into the 2000 Florida elections. Quite the eye opener as to how corrupt the system, regardless of who won, actually is. The most shocking part, however, is that the mainstream press, still to this day, has never picked up on any of his findings.
Us voters, Republican, Democrat or otherwise, have a responsibility to see that our democratic process is never again misused so horribly.
Ballot Boxes in the San Francisco Bay, 2002 (Score:4, Informative)
I wish I could disagree with this. But elections here in San Francisco are so "irregular" that it doesn't even faze us when pieces of ballot boxes start washing ashore.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/
A little worse (Score:3, Informative)
Actually, you should say "the software code (of many companies)...". Each bid winner has used a different system and a different codebase. The Court is slowly replacing older machines, but in 2002, for instance, machines from 1996 running a flavour of DOS were still used. And not all winners were Brazilian companies. The 2002 machines and software were made by Unisys.
Re:here we go again (Score:3, Informative)
Diebold accidentally left the AccuVote source on an open FTP site (whoops), which is available here [actrix.co.nz], and Black Box Voting is asking for programmers to review and evaluate the code.
PKI would help (Score:2, Informative)
Given public-key encryption, a user would submit their vote signed with their private key. Their vote could be easily verified against their public key and forging of their vote would require breaking or stealing their private key. To prevent replay attacks, include in the vote a nonce generated for that specific election.
Of course, this doesn't deal with the major issues of verifying the voter submitting the vote is unique and is authorized to vote in that election.
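The scheme the comment above sketches, written out as an added example (it is not code from the thread, from the report, or from any voting vendor): each voter signs the ballot with an Ed25519 private key, the tallier verifies it against the public key, and a per-election nonce inside the signed message stops a ballot from one election being replayed in another. The voter roll (`Authorized`), the election authority that publishes the nonce, and the message layout are assumptions made for illustration; the roll is exactly the piece the comment notes PKI alone does not provide, and the example also enforces one ballot per registered key.

```go
package main

// Added example: signed ballots with a per-election nonce, using Ed25519 from
// Go's standard library. The voter roll and nonce authority are assumed.

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Ballot is what a voter submits: the choice, the nonce of the election it is
// bound to, the voter's public key, and a signature over all three.
type Ballot struct {
	ElectionNonce string // hex nonce published for this election (assumed)
	Choice        string
	Voter         ed25519.PublicKey
	Signature     []byte
}

var (
	ErrUnauthorized  = errors.New("public key not on the voter roll")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrWrongElection = errors.New("nonce belongs to a different election (replay)")
	ErrDuplicate     = errors.New("this key has already voted")
)

// NewElectionNonce makes a fresh 16-byte nonce; a real authority would publish it.
func NewElectionNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// signedBytes fixes the message layout. Length prefixes keep fields from
// running together, and the public key is included so a signature cannot be
// moved onto a different voter's ballot.
func signedBytes(nonce, choice string, voter ed25519.PublicKey) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte(nonce), []byte(choice), voter} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

// SignBallot is the voter's side: sign nonce, choice and own public key.
func SignBallot(priv ed25519.PrivateKey, nonce, choice string) Ballot {
	pub := priv.Public().(ed25519.PublicKey)
	return Ballot{
		ElectionNonce: nonce,
		Choice:        choice,
		Voter:         pub,
		Signature:     ed25519.Sign(priv, signedBytes(nonce, choice, pub)),
	}
}

// Tallier is the counting side. Authorized is the voter roll (an assumption
// of this example), keyed by hex-encoded public key.
type Tallier struct {
	Nonce      string
	Authorized map[string]bool
	seen       map[string]bool
	Tally      map[string]int
}

func NewTallier(nonce string, roll []ed25519.PublicKey) *Tallier {
	t := &Tallier{Nonce: nonce, Authorized: map[string]bool{},
		seen: map[string]bool{}, Tally: map[string]int{}}
	for _, pk := range roll {
		t.Authorized[hex.EncodeToString(pk)] = true
	}
	return t
}

// Accept checks roll membership, signature, election binding and
// one-vote-per-key, in that order, and counts the ballot only if all pass.
func (t *Tallier) Accept(b Ballot) error {
	key := hex.EncodeToString(b.Voter)
	if !t.Authorized[key] {
		return ErrUnauthorized
	}
	if !ed25519.Verify(b.Voter, signedBytes(b.ElectionNonce, b.Choice, b.Voter), b.Signature) {
		return ErrBadSignature
	}
	if b.ElectionNonce != t.Nonce {
		return ErrWrongElection
	}
	if t.seen[key] {
		return ErrDuplicate
	}
	t.seen[key] = true
	t.Tally[b.Choice]++
	return nil
}

func main() {
	nonce, _ := NewElectionNonce()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := NewTallier(nonce, []ed25519.PublicKey{pub})
	b := SignBallot(priv, nonce, "yes")
	fmt.Println("first ballot:", t.Accept(b))
	fmt.Println("same ballot again:", t.Accept(b))
	b.Choice = "no" // tamper after signing
	fmt.Println("tampered ballot:", t.Accept(b))
	fmt.Println("tally:", t.Tally)
}
```

The signature is checked before the nonce so that a ballot whose nonce was edited after signing is reported as a bad signature rather than as a replay; the duplicate check is last so that only ballots that would otherwise count consume the voter's single vote.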
Re:Don't you realize that ... (Score:2, Informative)
As the Government of the United States of America is not, in any sense, founded on the Christian religion; as it has in itself no character of enmity against the laws, religion, or tranquillity, of Mussulmen [Muslims]; and, as the said States never entered into any war, or act of hostility against any Mahometan nation, it is declared by the parties, that no pretext arising from religious opinions, shall ever produce an interruption of the harmony existing between the two countries.
(Article 11, "Treaty of Peace and Friendship between The United States and the Bey and Subjects of Tripoli of Barbary," 1796-1797. Authored by American diplomat Joel Barlow in 1796, the treaty was sent to the floor of the Senate, June 7, 1797, where it was read aloud in its entirety and unanimously approved. John Adams, having seen the treaty, signed it and proudly proclaimed it to the Nation.)