Researchers Crack Every Certified CA Voting Machine
ewhac writes "The San Francisco Chronicle is reporting that computer security researchers throughout the University of California system managed to crack the security on every voting machine they tested that has been approved for use in the state. The researchers are unwilling to say how vulnerable the machines are, as the tests were conducted in an environment highly advantageous to the testers. They had complete access to the devices' source code and unlimited time to try and crack the machines. No malicious code was found in any of the machines, but Matt Bishop, who led the team from UC Davis, was surprised by the weakness of the security measures employed. The tests were ordered by Secretary of State Debra Bowen, who has until Friday of next week to decide whether to decertify any of the machines for use in the upcoming Presidential primary election."
And the problem with paper was? (Score:4, Insightful)
Now, as if that's not bad enough, in addition to all of them we have a whole team of hackers who have proven that they know SPECIFICALLY how to do it. And by the way, they hacked both the voting machines themselves AND the back-end remote machines that do the tabulating.
And those facts are all public knowledge now!
So if these machines were merely "ridiculously" insecure to begin with, now they're just split wide open like a dvda. Yay democracy. What exactly does Ms Bowen need until next Friday to fucking think about?
And please, can we quit calling them "computer security researchers"? What's wrong with hackers? When did we start on the euphemism treadmill [wikipedia.org]?
Re:And the problem with paper was? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Hacking??? (Score:5, Insightful)
Since I have on my computer the software for many of the major voting machine companies and I worked reviewing it for one of our big US States, (Not California) I might have a thing or two to say on the issue.
The first thing to understand is that the audits under the voluntary national standard for voting machine software do nothing about securing a ballot. The next thing to understand is that the public authorities don't want secure software on voting machines. -As politely as it can be said- Who in the hell do you think steals elections? --- Not the voters I can assure you! It is election officials. Next you have to understand that the purpose of modern voting machines isn't to prevent errors, it is to eliminate any evidence that they happened. Next you have to understand that some company or another wants to sell all the machines to run the election and that they don't want the election officials to be able to buy machines by another brand without having to go to the cost of ripping out the entire system by its roots and halting the whole world. In short they want to hold the political agents hostage to their company and make them pay through the nose on every election. How else does a scanner machine which might be worth $200 become a machine worth $30,000?
Now that we have identified the motives in play here and there may be a few more nasty habits around like companies wanting to control political events..... Let's get down to the brass tacks here! Any election system worth anything should have some of the following attributes and possibly some more.
(1) It must be machine independent. So that any device that fails can be easily replaced.
(2) It must be transparent in its software where anyone can see the code and see that it does what it says.
(3) It must be receipt based where it can be checked by additional 3rd party methods. Recounting must be possible and not just memory buffer checks.
(4) It should be isolated from external attack only reporting via network and protected from intrusion by device isolation. This means no USB drives and no standard internet connections etc.
(5) It must be custody of data prevented from having the political authorities being able to destroy the evidence of an election fraud.
Making elections report totals quickly accurately and with receipts and such is no problem. Technically this is very easy. I probably could write in a few days the structure and code it in a matter of months myself. I would get nowhere because the political leaders would find their methodology of stealing elections in great trouble. Unless the voters rise up and get really angry on this one, expect the development of a silent dictatorship in which you hold elections and keep on losing to the powers that be. (Maybe it already is here????)
Mod Parent Up (Score:3, Informative)
Re: (Score:2)
OP is a loon who regularly posts semi well informed bullshit claiming he worked for every government agency in the world. Last time I called him on it, I listed off his claimed jobs, but I made one up, saying he worked at NASA. He confirmed his dribble chinned nuttiness by saying yes, he had been consulted by NASA several times. Wahooo!
Re: (Score:2)
Re: (Score:2)
Perhaps they can now modify the sourcecode to make it secure?
And please, can we quit calling them "computer security researchers"? What's wrong with hackers?
In popular culture, the word hacker has become a euphemism for 'black-hat hacker'. They need to indicate that these guys are white-hats.
Re: (Score:2)
An excuse.
Re: (Score:2, Informative)
Re: (Score:2)
Fraud (Score:4, Insightful)
There are VERY good reasons for going to computers. Sadly, not only have the computers obviously not been designed and built well, but the vetting process in nearly all states has left a LOT to be desired. In nearly all cases, the groups have been willing to accept systems that several major companies thrust on us. What fascinated me, and should have been of interest to all the groups, is that NONE of these major machines wanted back-up paper system added in. In ALL cases, it would be their paper (i.e. get to gouge), and of course, they would be required to have somebody around to handle things (at least at the county level). This would be a recurring revenue stream for them. And yet, they fought it esp. Diebold. That should be making ALL of those groups nervous, and instead it takes a judge to be looking at this issue.
The computer systems ARE the right idea. The choice and implementation have been disasters. Welcome to Amerika.
Re: (Score:2)
In the voting locale we have a list over everyone eligible to vote in our boxes (around 1000 people fo
Re: (Score:2)
The big problem (or blessing) in the United States is there are at least a dozen issues to vote on, even in by-election years. It would be easy if the only issue was "which party," as it is in PR-type parliamentary democracies, but in the US you vote for people, and lots of them for lots of different offices, and bond referenda, and (in many states) ballot propositions, judgeships, etc. Counting a single issue on a ballot wo
Re: (Score:2)
Re: (Score:2)
Uh. And how many people can watch a computer system do its count?
This is not a programming quality issue. Replacing existing systems with ones which do not allow direct supervision and oversight is a step backwards.
I agree and yet you are wrong (Score:2)
Security through obscurity? (Score:2, Insightful)
Aren't you glad it is public knowledge now how ridiculously insecure those machines are? These machines should never have been used and the people you call "hackers" have done what the government should have done BEFORE using them for black-box voting.
Are you advocating security through obscurity where the safety of the democratic process depends on a small group of people we trust not to abuse their position? I'd much rather have a verifiable solution.
I say someo
Re: (Score:2)
Of course I am! What on earth gave you the idea that I was complaining about the machines being proven insecure? The point is that whereas before, one might have tried to dismiss hackability of the machines as speculation, now there is no excuse for _anyone_ to allow them to be used. Perhaps the tone of my comment was lost on you?
Re: (Score:2)
We can't in this case because these people really are computer security researchers. They are top academics from strong institutions.
Re: (Score:2)
Ooh, Shiney! (Score:4, Insightful)
Re: (Score:3, Insightful)
i'm not sure the average citizens need to understand more than 'press here for candidate a', 'press here for candidate b' (obvious side-discussion regarding knowledge empowering voters to select better candidates avoided here), but those who make decisions about what procedures and machines are used to ensure the votes are tallied fairly have to consider it. poll workers ar
Re: (Score:1)
But how will we choose the people to make those decisions? How will we know that we really had freedom of choice?
Re:Ooh, Shiney! (Score:5, Insightful)
The best argument against democracy is a five minute conversation with the average voter. -- Winston Churchill.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Yes, which leads us directly to the obvious solution: no government at all.
Re: (Score:2)
There's no point in addressing the rest of the post, since the whole thing was just a series of unfounded assertions and this sums them all up nicely.
The difference between the two options you give here -- e
Re: (Score:2)
Citizens should feel confident that they know what is going on when they 'pull the lever'. If they do not, then the voting method is flawed.
With paper, there's less chance for confusion if the ballots and method to cast the vote are des
What's wrong with paper? (Score:4, Insightful)
Re: (Score:2)
That's no justification in the real world, but unfortunately that is a perfectly logical reason to move to electronic balloting for most people.
Re:What's wrong with paper? (Score:5, Interesting)
The problem with paper is...it's slow. Don't get me wrong, I don't see that as a problem; I am of the school of thought that it is no disadvantage to take a week or so to count ballots by hand. However, the public has an expectation (cultivated as it has been by TV media, mostly) that elections are to be decided ASAP. I don't know how to wean folks off of such an expectation, esp. since there is a profit motive in minute-by-minute coverage. It is hard in the Internet age to get people to understand why everything can't be as fast as a Google search.
I'm not crazy about exit polls, either, though if done accurately enough (i.e. large enough sample sizes, unbiased methodology) should be able to provide a good indication of results quickly even with a paper ballot system.
I'm completely spitballing here, but I imagine that psychologically the image of a computer as the instrument of an election is more reassuring to people (who, by and large, use computers for many routine tasks) than paper, which conjures notions of impermanence and fragility and a history of "stuffed ballot boxes" and other shenanigans; while computers in reality may be more vulnerable to such shenanigans, they do not as easily lend to such an image, and so combined with their inner mysterious mechanics, they are more easily trusted. People, scarred by the disintegrating trustworthiness of their government, desperately want some part of the political process to place their faith in.
Re: (Score:3, Insightful)
Re: (Score:2)
Our voting ballots are rather simple. There is a different color for each party and each party has a list of candidates. You just mark the candidate you vote for or no mark for the default candidate (1). The vote
Re: (Score:2)
Re: (Score:2)
One salient difference is that here in the US ballots tend not to be simple; we have elections for local, state, and national offices on the same ballot, plus local and state ballot inquiries and referendum questions in many localities. So I don't think it is quite as easy to tabulate as the Swedish ballot you describe. However, even if our ballot wouldn't take hours to tabulate, I can't imagine it would take more than a day or two.
Re: (Score:2)
One vote for the local (Komun)
Then one for the regional (Län)
Then lastly for the country (Stat)
Also we sometimes add a fourth for a local issue.
Still only takes hours to figure out what party won and then a few days to calculate what candidates got seats.
Re: (Score:2)
Ahh. Party discipline and party loyalty are quite weak in the US compared to most parliamentary democracies. This is due in great part to the fact that in the US, we don't have party slate elections. The shortcuts that that would allow via counting are thus not available to us. As such, our time-table would probably be closer to the few days than the few hours. Either way, I don't see the big deal in waiting.
Re: (Score:2)
Re: (Score:2)
Local elections are crazier. Imagine having all 20 of those people on one ballot, and 5 of them being serious contenders (this isn't too crazy for mayor's race, maybe the numbers a touch high,
Re: (Score:2)
You could even have, national, state, local, and special ballots.
Count national first.
What is the maximum number of choices you guys need to make for a national election with no special votes?
all the best,
drew
Re: (Score:2)
A decent idea. At most three offices are up for national election in any given district (with extremely rare exceptions where some states have at-large house representatives), President/Vice-President (elected on a unified ticket), one Senator (66% chance), and one House Rep.
Re: (Score:2)
Right now, it's riddled with more trouble than it's worth. It'll have lots of public failures. But, each failure will lead to an improvement, and eventually it's pretty decent.
The problem most have with electronic ballots is the threat of indetectable corruption. But how much corruption do we have in paper ballot systems? Considering the cost of the counting process, we can't really use the paper trail very often. Instead
Re: (Score:2)
Re: (Score:2)
In a UK general election all votes are paper and counted by hand and unless there's a recount the results are always available within 12 hours (and normally much quicker). ie polling closes at 10pm and when you wake up the next day the results are known. I can't see any reason to need the results quicker than that.
If it takes a week they need to either employ more counters (they're unpaid volunteers in the UK AFAIK) or re-examine their methods.
Re: (Score:2)
Substituting efficiency accuracy and security solves _no_ problems when it comes to democracy.
Instead, it creates problems.
Besides, what the fuck is wrong with scantron style sheets?
--
BMO
Re: (Score:2)
Re: (Score:2)
Would that be because poor neighbourhoods contain a lot of people likely to vote for parties of the revolutionary Left, by any chance?
Re: (Score:2)
That's not a disadvantage of paper ballots, it's a disadvantage of doing a full hand count rather than a mechanical count with random-sample manual audit. Many jurisdictions that currently use manual or mechanical (that is, not electronic) "paper ballot" systems are already using ballot counting machines, with or witho
Re: (Score:2)
A computer program can present a GUI that forces all ballots to be valid. Votes are binary yes/no and clearly indicated. Voting for a second candidate for the same office unselects the first candidate or gives a nasty error message. The resulting ballot (whether digital or paper) can potentially be unambiguously and accurately counte
Re: (Score:2)
Re: (Score:2, Insightful)
the push (in the u.s.) for electronic voting machines seems to have been made after the 2000 election recount fiasco. need i mention the words, "hanging chad?" i don't think you can have one of those with an electronic machine. besides, paper ballots are easy to invalidate. remember the pictures on the news of people holding them up to the light, and others handling stacks of paper ballots? one small wire shoved through a stack lik
Re: (Score:1)
Re: (Score:2)
With software, you're relying on things which:
a) are not known by many people - computer security is a very non-mainstream subject and will likely remain so for many many years
b) are easy to change without a trace
c) you need to trust the machines about. You can't change reality as easily
Re:What's wrong with paper? (Score:5, Insightful)
Speaking as degree qualified programmer with 20yrs experience, I don't trust the machines and TFA clearly demonstrates why.
My number one reason for distrusting computerised systems is that they enable "wholesale fraud" with a single point attack, it might be "unlikely" but it is a technical possibility that the result of the whole election could be predetermined and the "race fix" can be implemented by one person sitting at a desk. Worse still it's a technical possibility that a "fix" can be done in such a way that it is undetectable after the fact.
Contrast that risk with old-fashioned paper and international observers. With that system the best a cheat can hope for is "retail fraud" - some stuffed boxes over here, the senator's hound dogs voting over there, etc. Fraud and corruption are a fact of life, nowhere on the planet can they be totally eliminated from such high stakes "games" as national elections.
The traditional paper system with its well-known and thoroughly tested procedures minimizes the risk of a "fixed race" simply because of the fact that it is much more difficult and requires a hell of a lot more people to get away with "wholesale fraud". Speed is not a big issue since there are plenty of counters in the form of eager volunteers from the various parties. And it's crucial to security that you pair off "opposing counters" since they also embody the important "checks and balances" of watching each other like hawks and arguing so loudly about something as mundane as "hanging chads" that even I remember it and I live 10,000 miles away!
Re: (Score:2)
"I've been an election integrity activist for about 2 years now."
My interest came about from the diebold machines a few years ago, I wouldn't call myself an activist but I usually put my $0.02 in on the many
Re: (Score:2)
Re: (Score:1)
Paper ballots are even MORE insecure... (Score:3, Informative)
Re: (Score:3, Funny)
Re: (Score:2)
Almost every form of manually and non-electronic mechanically-marked paper ballots has some type of accessibility problem with regard to the handicapped, and many of the ones commonly used until recently also have problems in terms of reading them (i.e., the "hanging chad" problem of punch card ballots). Machines with a common output (whether it's digital or printed ballots that
Voting machines (Score:3, Insightful)
The quote is completely right.
a) What is wrong with pen&paper voting?
b) Voting machines do not solve any problems: If we say for example a) was about the money: Voting machines cost all-in-all more money than pen&paper voting.
Not true! (Score:5, Funny)
Re: (Score:2)
Sure, one can argue you can print out however many ballots you need in however many languages, but it's hard to judge how many you'll need, plus I wouldn't rely on having a translator available. With a voting machine, it's a simple matter of changing
Re: (Score:2)
I really don't understand what fast tallying problem exists. In my country (Portugal), votes are counted by hand and the results come out the same day. Counting votes scales linearly with population size so all you need is the same percentage of people counting votes, is it that hard or slow?
Re: (Score:2)
You put your votes on three voting strips. On each voting strip you can have one vote for each candidate (but each candidate must ha
Re: (Score:2)
Who needs to crack the system? (Score:1)
Link to SOS Site (Score:5, Informative)
http://www.sos.ca.gov/elections/elections_vsr.htm [ca.gov]
The overview by Matt Bishop is actually quite an interesting read. In it, he says that they could have found more problems with the three systems, but they were limited by time:
It should also be noted that a fourth vendor, Election Systems and Software (ES&S) missed the deadline for submitting their systems for the review. I'll be cynical and just assume that they decided to skip the initial review than to have a bunch of computer researchers hack their systems.
Real Test is the Presidential Election (Score:2)
Re: (Score:2)
Hmm... (Score:2)
Looks like she won't need to decertify any, then. They'll all be able to deliver the Republicans the next election.
Re: (Score:2)
That line would work better if Debra Bowen [smartvoter.org] was a Republican.
Security is tough. (Score:3, Insightful)
Re: (Score:1)
I'm all for pointing out how insecure a machine is for voting, and that nothing was wrong with the old paper system, but he's really hit the nail on the head on how much we shouldn't really worry about this without more specifics.
Are they vulnerable only to someone who is there at the time of the vote toying with the machine?
Or is this something that can be triggered remotely or set up on time-delay.
Is it something that is easily detectable if we have people watching over the machines/running
Move your ass guys (Score:4, Informative)
How did the election Official get his job? (Score:5, Insightful)
Re: (Score:1)
Re: (Score:3, Informative)
From the article:-
Letting the hackers have the source codes, operating manuals and unlimited access to the voting machines "is like giving a burglar the keys to your house,'' said Steve Weir, clerk-recorder of Contra Costa County and head of the state Association of Clerks and Election Officials.
This is simply not true! The analogue in the real world of locks and keys is that you have given a burglar the design blueprints of the lock. NOT the code combination or the key lever settings. The demonstrated ignorance of the said Steve Weir about secure computing begs the question "How did he get appointed to his positions?"
This is directly responded to in the Overview of Red Team Reports [ca.gov] in section 3.1 (page 5): (NB: emphasis added.)
Finally, no security should ever rely solely on secrecy of defensive mechanisms and countermeasures. [2] While not publishing details of security mechanisms is perfectly acceptable as one security mechanism, it is perhaps the one most easily breached, especially in this age of widespread information dissemination. Worse, it provides a false sense of security. Dumpster diving, corporate espionage, outright bribery, and other techniques can discover secrets that companies and organizations wish to keep hidden; indeed, in many cases, organizations are unaware of their own leaking of information. A perhaps classic example occurred when lawyers for the DVD Copyright Control Association sued to prevent the release of code that would decipher any DVD movie file. They filed a declaration containing the source code of the algorithm. One day later, they asked the court to seal the declaration from public view--but the declaration had been posted to several Internet web sites, including one that had over 21,000 downloads of the declaration! [9] More recently, Fox News reported that information posing "a direct threat to U.S. troops ... was posted carelessly to file servers by government agencies and contractors, accessible to anyone online" [8], and thefts of credit card numbers and identities are reported weekly and growing in number. Thus, the statement that attackers could not replicate what red team testers do, because the red team testers have access to information that other attackers would not have, profoundly underestimates the ability and the knowledge of attackers, and profoundly overestimates the infallibility of organizations and human nature.
[2] This is often called "security through obscurity".
Re: (Score:2)
It's outrageous for a person in his position to misstate such an elementary security principle. Fine, if he doesn't know about security then he can just keep modestly quiet. The creepy thing is that he pretends to know. We could use a lot less of that.
Re: (Score:2)
That doesn't mean that he realized anything about the complexity of system security when he ran, and certainly doesn't mean that the general popul
Re: (Score:2)
The office of Clerk-Recorder in Contra Costa County is an elected county office [cocovote.us].
A shocking discovery! (Score:2)
Jeb Bush discounted these flaws as unmerited after he was seen at the security conference this was revealed taking notes.
Joking aside I have to wonder about
Re: (Score:2, Insightful)
Re: (Score:2)
There's nothing to stop someone pouring a bottle of water in ballot boxes with paper ballots and invalidating a poll but this doesn't happen because it would result in a conviction
Presidential fund raising and voting machines (Score:2)
Louis V. Bockius III, Christopher M. Connor, Richard L. Crandall, Eric C. Evans, Gale S. Fitzgerald, Phillip B. Lassiter, John N. Lauer, William F. Massy, Walden W. O'Dell, Eric J. Roorda, W. R. Timken, Jr. and Henry D. G. Wallace
Perhaps these voting machines were simply portfolio builders for the wealthy elite.
Priority straightening (Score:2)
How would you do it? (Score:2)
Ok Slashdot people, How would YOU implement electronic voting?
Regards
elFarto
Re: (Score:3, Insightful)
If I *had* to, I'd have the computer be the means of *printing* a ballot only. It wouldn't tabulate.
It would then print a ballot that was both human and machine readable (OCR font anyone?).
That ballot would be placed in a box, and counted.
Re: (Score:2)
But why does the electronic record have to be *the* vote? The voter can do his thing on a touchscreen, hit submit ballot, then a human and machine readable ballot is printed and deposited by the voter in a locked ballot box. The printed ballot is *the* vote. A preliminary count can be made within minutes of the poll
Re: (Score:2)
If you need electronic ballot creation and automatic ballot counting (the two are both conceptually and often in practice separate, though "voting machine" and "electronic voting" are often used to refer to either or both), I'd have the voting machine print a machine and human readable ballot that would then be counted by a separate machine, with random-sample confirmation of the mechanical counts and the physical ballots available for public ins
Why even have electronic/computer voting? (Score:5, Insightful)
Paper ballots do have their problems. People don't always mark them consistently. Sometimes they mark one candidate then try to rub it out and mark another. The paper ballot was hard to read by electronic means and manual counting was too time consuming to get the quick results most people wanted.
Punch cards that people have to do the punching on don't always get punched right (remember the hanging chad problem). Sometimes people start to punch one hole, and realize they are in the wrong hole or change their mind real fast and try to punch another instead. Sometimes 2 or more holes are punched. Sometimes holes are punched partially. In most cases people could check, but they don't, or don't really know they should.
Computer voting was intended to eliminate these things. But that's its fundamental misguidance. Instead, it should be used to enhance them and correct the issues.
Voting station computers should do nothing more than assist a voter in creating a reliably readable paper ballot. The voting station should not be networked, and not even have any storage space. It would be an embedded machine booted from flash that is hardware wired to be unwritable, or booted from a CDROM or equivalent. It should boot very fast (embedded developers know how to do this and bring a minimal system and application up in a second). It should be rebooted between each voter.
The voting station would have a simple single sheet printer and an LCD flat screen with touch sensors. The voter would "touch" their votes and always have the ability to go back, or even jump around randomly to various offices/issues to vote on. Once done, the voter can press the "I am finally done" button to print the choices on paper.
What is printed on the paper is a combination of scannable text and bar codes with strong checksums (SHA1). The text shall be human readable (although in big elections some people might need optical reading assistance). Visually impaired people can ask for a poll worker to read back their ballot to them.
The next step is the paper ballot is taken to the reading station. The ballot is read in by another computer with a scanner. This computer scans the text and reduces it to a set of simple vote codes. These vote codes are checksummed and that is compared against the bar codes. If there is a mismatch, probably a scanner error took place, or the ballot was damaged or smudged. It flashes and beeps a warning that the ballot is not readable. This may require the voter to re-do another ballot (this one is marked as bad and the voter is given another sheet and front-of-line access to a voting station).
The scanner keeps tallies and may send results to a central office. Larger voting places may have more than one scanner and tallies will be done by a central computer. The paper ballot is then inserted UNFOLDED into a locked box.
The voter gets a receipt for having voted, but does NOT get a copy of what votes they made. If they want to remember their own votes, they must make their own notes themselves. The reason for this is that no voter should have any official statement of who they voted for to ensure no voter can "prove" to someone else who they voted for. This has been a long time standard to impede vote buying/selling, and should not change.
The computers that tally the votes could give nearly instant 100% results shortly after polls close. But that's not the end of it. Those results are not certified. The voting officials will, in the next few days, monitor the process of re-scanning all the paper ballots to ensure the results are consistent. If they are satisfied of this, then they certify the election results. If there are any issues, then the paper ballots can be manually checked.
This process is still paper based, and still just as auditable and recountable as any paper based system. It gains the advantages of consistency in the marking of ballots. Instead of being hand marked, they are "computer marked" (in a way that humans c
Re: (Score:2)
What happens when the barcode incorporates a boolean value which says "When this vote is confirmed, display the user's vote to the user, and record the opposite vote electronically"?
# You voted for the "rigged" candidate, pre-cho
Re: (Score:2)
There is a level of trust you have to have in the system. If the voting officials are all determined to see candidate X win, and are willing to violate the public trust to do so, then candidate X will "win".
But at least there is the opportunity for a paper ballot to be available for rescanning with better software, or human vision in a recount. It's better than just hiding everything inside some proprietary system.
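The print-then-scan check proposed in the "Why even have electronic/computer voting?" comment above, sketched in Python as an added example; it is not code from any poster or from a real voting system. The `CONTEST=CHOICE` vote-code format, the function names and the sample contests are assumptions made for the illustration.

```python
import hashlib
import hmac
from collections import Counter


def vote_codes(selections):
    """Reduce {contest: choice} to sorted, canonical 'CONTEST=CHOICE' lines."""
    codes = []
    for contest, choice in selections.items():
        c, v = contest.strip().upper(), choice.strip().upper()
        if not c or not v or "=" in c + v or "\n" in c + v:
            raise ValueError(f"unencodable selection: {contest!r}={choice!r}")
        codes.append(f"{c}={v}")
    return "\n".join(sorted(codes))


def checksum(codes):
    # SHA-1 because the comment names it; here it only detects misreads.
    return hashlib.sha1(codes.encode("utf-8")).hexdigest()


def print_ballot(selections):
    """Voting station: human-readable text plus the checksum 'bar code'."""
    codes = vote_codes(selections)
    return {"text": codes, "barcode": checksum(codes)}


def read_text(text):
    """Reading station: turn the scanned text back into {contest: choice}."""
    selections = {}
    for line in text.splitlines():
        contest, sep, choice = line.partition("=")
        contest, choice = contest.strip().upper(), choice.strip().upper()
        if not sep or not contest or not choice or contest in selections:
            raise ValueError(f"unreadable line: {line!r}")
        selections[contest] = choice
    return selections


def scan_ballot(ballot, tally):
    """Accept a ballot only if its text agrees with its bar code.

    Votes are counted from the human-readable text, never from the bar
    code, so the bar code cannot carry a choice the voter could not read.
    """
    try:
        selections = read_text(ballot["text"])
        expected = checksum(vote_codes(selections))
    except ValueError:
        return False
    if not hmac.compare_digest(expected, ballot["barcode"]):
        return False  # smudge, misread or mismatched bar code: re-do ballot
    for contest, choice in selections.items():
        tally[(contest, choice)] += 1
    return True


def recount_from_text(box):
    """Audit: rebuild the tally from the stored paper text alone."""
    tally = Counter()
    for ballot in box:
        for contest, choice in read_text(ballot["text"]).items():
            tally[(contest, choice)] += 1
    return tally


def run_demo():
    # Constructed sample ballots; contests and names are illustrative only.
    tally, box = Counter(), []
    voters = [
        {"Mayor": "Alice", "Measure A": "Yes"},
        {"Mayor": "Bob", "Measure A": "Yes"},
        {"Mayor": "Alice", "Measure A": "No"},
    ]
    for selections in voters:
        ballot = print_ballot(selections)
        if scan_ballot(ballot, tally):
            box.append(ballot)
    # A smudged ballot: one character of the text is misread.
    smudged = print_ballot({"Mayor": "Bob", "Measure A": "No"})
    smudged["text"] = smudged["text"].replace("BOB", "B0B")
    # A ballot whose bar code was computed over different votes than its text.
    swapped = print_ballot({"Mayor": "Alice", "Measure A": "Yes"})
    swapped["barcode"] = checksum(vote_codes({"Mayor": "Bob", "Measure A": "Yes"}))
    rejected = [scan_ballot(b, tally) for b in (smudged, swapped)]
    return tally, recount_from_text(box), rejected


if __name__ == "__main__":
    print(run_demo())
```

The checksum is unkeyed, so it catches misreads and text/bar-code disagreement but cannot show that the printed text is what the voter selected; in the proposed design that is left to the voter reading the paper and to the later recount.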
How come they never test hacking the old system? (Score:2)
I hate to go out on a limb here, but my guess is that the entire election system is incredibly insecure, and that there has been vote fraud going on for decades. New voting machines won't make it any better or any wor
Unintended consequences (Score:2)
Re: (Score:2)