Government Hardware Hacking Security Build Politics

Video Shows Easy Hacking of E-Voting Machines 254

Mike writes "The Security Group at the University of California in Santa Barbara has released the video that shows the attacks carried out against the Sequoia voting system. The video shows an attack where a virus-like software spreads across the voting system. The coolest part of the video is the one that shows how the 'brainwashed' voting terminals can use different techniques to change the votes even when a paper audit trail is used. Pretty scary stuff. The video is absolute proof that these types of attacks are indeed feasible and not just a conspiracy theory. Also, the part that shows how the 'tamperproof' seals can be completely bypassed in seconds is very funny (and quite disturbing at the same time)."

  • by pxlmusic ( 1147117 ) <pxlent@gmail.com> on Tuesday September 09, 2008 @10:55AM (#24932911) Homepage
    good call. i was reading about the early voting the other day -- i think i'll be doing that.
  • by mamer-retrogamer ( 556651 ) on Tuesday September 09, 2008 @10:59AM (#24932995)
    ... hosted on an .edu server?

    This can't end well.

    I'm downloading now, will convert to mpeg4, and post a torrent to mininova (if the server doesn't melt before the download completes).
  • Re:Quicktime? (Score:4, Informative)

    by jellomizer ( 103300 ) on Tuesday September 09, 2008 @11:03AM (#24933029)

    Except for the fact the cheapest and easiest to use tools are on the Mac (iMovie) and save as quicktime. Why bother using open standards if you want to get your point across, if it will take you 2 weeks to get up and running, especially if you haven't done so before?

  • by SatanicPuppy ( 611928 ) * <Satanicpuppy.gmail@com> on Tuesday September 09, 2008 @11:11AM (#24933157) Journal

    It doesn't per se. It relies partly on the voter not checking the paper ballot. If they don't void it, it slips through normally. If they do check it, it fixes the ballot, and acts normal.

    Otherwise it tries to convince the voter they're done without actually returning the smart card. When they walk away, it voids the ballot, and pops up the "fled voter" screen. The poll worker comes up, uses the admin "submit" toggle to submit the changed vote, and takes back the card. Most places I've been, the poll workers depend on you returning the card, so that wouldn't work.

    To me the most compelling piece was how easily the system was compromised. Even if it only screws with a percentage of the votes, that could be huge.

  • by Crazy Man on Fire ( 153457 ) on Tuesday September 09, 2008 @11:16AM (#24933213) Homepage

    Here's the goods:

    Full 100mb version: http://www.cs.ucsb.edu.nyud.net/~seclab/projects/voting/ucsb_evoting_attack_dl.mov [nyud.net]
    Compressed 10mb version: http://www.cs.ucsb.edu.nyud.net/~seclab/projects/voting/ucsb_evoting_attack_dl_small.3gp [nyud.net]

    Posting to YouTube after download finishes...

  • DOWNLOAD MIRROR (Score:3, Informative)

    by SirBitBucket ( 1292924 ) on Tuesday September 09, 2008 @11:21AM (#24933289)
    Here is a mirror of the big file: http://porksteak.com/ucsb_evoting_attack_dl.mov [porksteak.com] Will leave up as long as possible.
  • Re:Quicktime? (Score:5, Informative)

    by Abreu ( 173023 ) on Tuesday September 09, 2008 @11:23AM (#24933311)

    Open standards are important in this case for the simple reason that they ensure that the message will be seen by the largest audience possible.

  • Re:Quicktime? (Score:5, Informative)

    by TheRaven64 ( 641858 ) on Tuesday September 09, 2008 @11:24AM (#24933331) Journal
    What do you mean by 'Quicktime'? The Quicktime .mov container format exported by recent versions of Quicktime is an open standard (part of MPEG-4 now). What's in this container depends on the user, but the defaults are MPEG-4 (often now AVC) for video and MPEG-4 AAC for audio. These are all open standards, although if you're in a part of the world with a broken legal system they might be patented.
  • by Volante3192 ( 953645 ) on Tuesday September 09, 2008 @11:26AM (#24933349)

    *sigh* And these ACs are part of the people who help decide the fate of the nation? No wonder we're screwed...

    Barack had dual citizenship with Kenya (NOT Indonesia) and the US until 21 years old when Kenyan law required him to abandon it. He was born in Hawaii which makes him a natural born citizen.

    McCain was born on a naval base which is considered sovereign US soil for the purposes of birth, and has been since the 1790s by an act of Congress. (It's true the wording isn't as clear as it could be, but it's clear what the intent is of the bill.)

    Both candidates are US citizens and natural born. This is all a non issue, has been, will be. Go find some other misinformation to spread...

  • by Anonymous Coward on Tuesday September 09, 2008 @11:32AM (#24933435)

    ... hosted on an .edu server?

    This can't end well.

    It seems to be on youtube:
    http://www.youtube.com/watch?v=SWDEZqqqBHE (part I)
    http://www.youtube.com/watch?v=moEsgdzZ19c (part II)

  • by Anonymous Coward on Tuesday September 09, 2008 @11:33AM (#24933451)

    Part I:
    http://www.youtube.com/watch?v=SWDEZqqqBHE

    Part II:
    http://www.youtube.com/watch?v=moEsgdzZ19c

  • Torrent here: (Score:5, Informative)

    by mamer-retrogamer ( 556651 ) on Tuesday September 09, 2008 @11:34AM (#24933459)
    ucsb evoting attack [mininova.org]
  • It's a shame (Score:2, Informative)

    by S7urm ( 126547 ) on Tuesday September 09, 2008 @11:56AM (#24933763)

    that we can't figure out a more relevant form of voting to appeal to a larger contingent of the American populace, maybe more people, more easily accessing voting methods, would allow for a more viable collaboration of opinion in regards to the election of our National officials. But I digress, the super delegate and the Electoral College make my point m00t.

  • Re:Slashdot effect (Score:4, Informative)

    by Anonymous Coward on Tuesday September 09, 2008 @11:56AM (#24933769)
  • by HungryHobo ( 1314109 ) on Tuesday September 09, 2008 @11:59AM (#24933803)

    "The 1790 law remained in effect until the Naturalization Act of 1795 superseded it. The 1795 law removed mention of natural born citizen status"

  • Re:Quicktime? (Score:1, Informative)

    by Anonymous Coward on Tuesday September 09, 2008 @12:10PM (#24933971)

    Lines of output from my media player when playing ucsb_evoting_attack_dl.mov:

    Selected video codec: [ffh264] vfm: ffmpeg (FFmpeg H.264)
    Selected audio codec: [faad] afm: faad (FAAD AAC (MPEG-2/MPEG-4 Audio) decoder)

    Just like what you said. (I've seen H.264 called AVC1 in some of the media files I've made and it uses the same video codec for playback)

    In any case, I can play it just fine.

    Can't say anything about the container. If it really bugged me, I would strip it out of the Quicktime MOV container and stuff it in a MKV or perhaps (I'm not sure about this one, I would think so) a MP4. (Yeah, there are likely other options, these are just what I know I can do without any extra trouble right now)
    But it doesn't, so I won't.

  • by Anonymous Coward on Tuesday September 09, 2008 @12:33PM (#24934231)

    It doesn't matter what the screen and printout say, only what is recorded on the card. The reason is that manual recounts are not done. Even 'random' checking is done in some states by looking at the summary printouts on boxes of votes and checking that they add up to the numbers for the polling location (i.e. adding the computer summaries for each computer and seeing that it matches the sum for the polling location). The votes are not actually even counted during a random recount.

    At least that's how it works in Virginia, from somebody who actually went to observe the process / sham. It doesn't matter what is 'supposed' to be done during a counting only what actually is done. And when people can get away with just adding up the summary numbers and then goofing off for two days instead of actually counting them, they are going to do the former.
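Added example (not part of the comment above, and not any election system's code): a Python sketch of why re-adding machine summaries cannot catch altered card records, while counting the paper records can. The machine names, ballots and function names are constructed for illustration, and it assumes the paper records are the ones voters actually verified.

```python
from collections import Counter

# Constructed sample data: per machine, the paper records and the
# electronic records stored on the card. M2's card has been altered.
MACHINES = {
    "M1": {"paper": ["A", "A", "B", "A"], "card": ["A", "A", "B", "A"]},
    "M2": {"paper": ["A", "B", "A", "A"], "card": ["B", "B", "A", "B"]},
}

def machine_summary(machine):
    """Summary printout: the machine tallies its own card records."""
    return Counter(machine["card"])

def location_total(machines):
    """Polling-location total, built from the same machine summaries."""
    total = Counter()
    for machine in machines.values():
        total += machine_summary(machine)
    return total

def summary_check(machines):
    """Audit that only re-adds summaries and compares with the total."""
    readded = sum((machine_summary(m) for m in machines.values()), Counter())
    return readded == location_total(machines)

def paper_count_audit(machines, sample):
    """Hand-count paper for sampled machines; report paper minus summary."""
    findings = {}
    for name in sample:
        paper = Counter(machines[name]["paper"])
        summary = machine_summary(machines[name])
        diff = {c: paper[c] - summary[c]
                for c in sorted(set(paper) | set(summary))
                if paper[c] != summary[c]}
        if diff:
            findings[name] = diff
    return findings

if __name__ == "__main__":
    print("summary check passes:", summary_check(MACHINES))
    print("paper audit findings:", paper_count_audit(MACHINES, ["M1", "M2"]))
```

The summary check passes because both sides of the comparison come from the same card data; only the paper count introduces an independent source.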

  • by DigitAl56K ( 805623 ) * on Tuesday September 09, 2008 @12:40PM (#24934325)

    Methinks most of the people who can't play back the file are using Windows, where "MPEG-4" means whatever Microsoft says, and not what the specification says. MPEG-4 support in FOSS land is actually quite robust these days.

    That's BS. Most people on Windows can't play the file because prior to QuickTime 7 (IIRC) .mov files were not containing H.264 and AAC, and H.264 and AAC decoders do not come free with Windows. Even if they did, there are very few file splitters that can handle all varieties of the .mov container and their contents correctly - I know because I have to deal with this problem frequently. Windows users do not like installing QuickTime because it is bloated, it's been bundled with iTunes and other crap in the past, and it doesn't even talk to the Windows DirectShow media system (at least older versions that I've used) so many file types won't play with it. Its UI does not conform to the conventions expected by Windows users and last time I used it Apple were charging you just to be able to watch full screen.

    Don't put this problem on Windows or Windows users. If you want to publish video for the web try publishing to a format that isn't a total PITA to work with outside of Apple's platform and applications. MPEG1, MPEG2, DivX, Xvid, are all good candidates that will work on any OS.

  • by Anonymous Coward on Tuesday September 09, 2008 @12:50PM (#24934449)

    Idiot-proofing and tamper-proofing elections is not rocket science.

    What are the facts?

    1) GUIs have a lot of code, and are thus easier to crash and easier to hack.

    2) Elections are one of the most intensely competitive and expensive processes in this country. They determine who gets power.

    3) There is a lot of incentive to try and sway elections. Politicians who know their motives are the purest rationalize deception by saying, "If you don't win, you can't institute your policies."

    What's the problem?

    1) Idiots mis-vote because they claim to be unable to understand the ballot.

    2) Tampering with paper ballots or electronic tallies.

    The solution:

    1) Use the rich, informative GUI interface to assist idiots in selecting the candidates they wish to vote for.

    2) At the end of the vote, they can press a button and get a receipt that links them to a serial number on a ballot, if they wish.

    2) Have the computer on which the GUI is running generate both a machine-readable and human-readable paper ballot. The machine code should be easily decipherable by a human.

    3) Run the paper ballot through a ballot scanner. The ballot scanner internally maintains and also sends an electronic tally of votes to a central location.

    4) Neither the ballot scanner nor the central collection location has any GUI. The code on the ballot machines and the central collector would be certified, like flight software is certified (see DO-178B).

    This way, you have both an electronic tally and a paper trail. In case of dispute, both would exist.

  • Re:Theatre (Score:3, Informative)

    by Serenissima ( 1210562 ) on Tuesday September 09, 2008 @01:39PM (#24935063)
    I don't think it's just stupidity. "You get what you pay for" is part of it as well. A private contractor needs to make a profit and it costs money to make things secure. If no one buys your voting computer because it's too expensive, you lose. So, you need to dumb it down - when you dumb it down, the security becomes crappier.

    I'm sure most of us here can come up with a dozen ways of making voting machines far more secure. How about proprietary connectors so that any Joe Schmoe can't sidle up and stick in a USB drive with a virus on it? How about welding (or some other way of sealing) the computer enclosure so that no one, not even the operators sitting at the desk in front of it, can open it? How about not using freaking Windows? If you don't want a virus to spread, invest some money and write a completely new proprietary operating system from scratch that no one has ever seen before. That would make any virus or malware completely ineffective.

    But that would also cost a LOT of money. So, while stupidity is definitely a factor, I think profit margins are really the root cause. Although, I could go as far as saying that the drive to cut costs is one of the leading causes of stupid decisions - so, I guess stupidity and cost cutting are fairly related.
