Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Government Technology

The Voting Machine Anyone Can Hack 105

Presto Vivace writes about a study published by the Virginia Information Technology Agency outlining just how bad the security of the AVS WINVote machine is. "Virginia election officials have decertified an electronic voting system after determining that it was possible for even unskilled people to surreptitiously hack into it and tamper with vote counts. The AVS WINVote, made by Advanced Voting Solutions, passed necessary voting systems standards and has been used in Virginia and, until recently, in Pennsylvania and Mississippi. It used the easy-to-crack passwords of 'admin,' 'abcde,' and 'shoup' to lock down its Windows administrator account, Wi-Fi network, and voting results database respectively, according to a scathing security review published Tuesday by the Virginia Information Technologies Agency. The agency conducted the audit after one Virginia precinct reported that some of the devices displayed errors that interfered with vote counting during last November's elections."
This discussion has been archived. No new comments can be posted.

The Voting Machine Anyone Can Hack

Comments Filter:
  • ever tried shoupping?
    • The name of the company that made these, was Shoup. I guess they would have changed that password to "AVS", but their (ridiculously easy) passwords are actually hardcoded, so it was too much work I guess...

    • shoup is very easy when it's printed on the side of the machine.

      To me voting machines are something that should be handled by the open source community. 100% transparent, by the people for the people in every sense, and ultimately supported financially by governments who buy the machines.

      • by mlts ( 1038732 )

        To me, there needs to be a paper trail. Like the lottery issue a few days ago, if someone tampers with the RNG and does it in a manner that their modifications can be backed out, there is no way to tell it was done.

        This doesn't have to be in a way that causes hanging chads. It just has to be a way of logging people's votes to a physical medium that is both machine readable and human readable.

        This way, when someone votes, they get a paper ballot printed out that they can doublecheck. Then it shouldn't be

    • by Anonymous Coward

      I don't know about "shoupping," but the voters are getting a good schtupping from these machines.

  • windows? diebold you can do better and does this work on there windows based ATM's as well?

  • by Holi ( 250190 ) on Thursday April 16, 2015 @07:20AM (#49484383)
    How the hell did something like this get certified in the first place? Seriously, there needs to be an investigation into that and heads should roll.
    • It matched perfectly customer's requirements, of course!
    • by PopeRatzo ( 965947 ) on Thursday April 16, 2015 @07:40AM (#49484517) Journal

      How the hell did something like this get certified in the first place?

      How, indeed.

      This is not the first time Diebold’s been accused of bribery. In 2005, the Free Press exposed that Matt Damschroder, Republican chair of the Franklin County of Elections in 2004, reported that a key Diebold operative told Damschroder he made a $50,000 contribution to then-Ohio Secretary of State J. Kenneth Blackwell's “political interests” while Blackwell was evaluating Diebold's bids for state purchasing contracts. Damschroder admitted to personally accepting a $10,000 check from former Diebold contractor Pasquale “Patsy” Gallina made out to the Franklin County Republican Party. That contribution was made while Damschroder was involved in evaluating Diebold bids for county contracts. Damschroder was suspended for a month without pay for the incident. Despite the scandal, he was later appointed as Ohio Secretary of State Jon Husted's Director of Elections.

      Diebold was at the center of Ohio’s 2004 election debacle, much of this captured in an article by Free Press Senior Editor Harvey Wasserman and this author, entitled, “Diebold’s Political Machine.” Walden "Wally" O'Dell, chairman of the board and chief executive of Diebold, was a long-time funder of Republican candidates. In September 2003, he held a packed $1,000-per-head GOP fundraiser at his 10,800-square-foot mansion Cotswold Manor in Upper Arlington, Ohio. He was feted as a guest at then-President George W. Bush's Texas ranch, joining a cadre of “Pioneers and Rangers” who pledged to raise more than $100,000 for the Bush reelection campaign.

      Most memorably, in 2003 O'Dell penned a letter pledging his commitment “to helping Ohio deliver its electoral votes to the President.” O'Dell defended his actions, telling the Cleveland Plain Dealer “I'm not doing anything wrong or complicated.” But he also promised to lower his political profile and “try to be more sensitive.” But the Diebold boss' partisan cards were squarely on the table.

      Prior to the 2004 election, Blackwell tried to award a $100 million unbid contract to Diebold for electronic voting machines. A storm of public outrage and a series of lawsuits forced him to cancel the deal. But a substantial percentage of Ohio's 2004 votes were counted by Diebold software and Diebold Opti-scan machines which frequently malfunctioned in the Democratic stronghold of Toledo. It was revealed in 2006 that Blackwell owned Diebold stock.

      Diebold's GEMS election software was used in about half of Ohio counties in the 2004 election. Because of Blackwell's effort, 41 counties also used Diebold machines in Ohio's highly dubious 2005 election.

      Also in the Ohio 2004 election, a whistleblower leaked documents revealing that Diebold had allegedly used illegal, uncertified hardware and software during California election.

      • by Holi ( 250190 )
        Why are you talking about Diebold? The article is not about Diebold voting machines it's about the AVS Winvote. I know all about Diebold's history in with regards to voting machines but that has shit all to do with this article.
        • by Anonymous Coward on Thursday April 16, 2015 @08:15AM (#49484725)

          Howard T. Van Pelt, co-founder of Global Election Systems (now Diebold) became president and CEO of Advanced Voting Solutions in June 2001.

        • Why are you talking about Diebold?

          I'm not "talking about Diebold". I'm talking about how voting machines get certified. I'm talking about where the money comes from. I'm talking about why there is such an effort to change election technology when there is no evidence the old technology is broken.

          but that has shit all to do with this article.

          The history of how it was decided that elections in the United States had to be automated has everything to do with this article.

      • Despite the scandal, he was later appointed as Ohio Secretary of State Jon Husted's Director of Elections.
        So the bloody butcher knife in your hand looks bad, but as long as you play a good game of golf with your buddies, you're in.
    • Comment removed based on user account deletion
  • It's our new feature "DBS" or "double bluff security" to protect against brute force attacks. You see, no one would think we'd be stupid enough to secure a voting machine's admin account with the password "password" so they'd never try it. Ergo it's unhackable. (Also "WinVote" - that's an appropriate name: the machines let you "win" extra votes...)
  • In Canada we use paper ballots and we know the outcome of an election in less than 24 hours.

    What the fuck are you U.S.A.sians doing?

    • Re: (Score:3, Insightful)

      by PopeRatzo ( 965947 )

      What the fuck are you U.S.A.sians doing?

      Rigging elections keeps us free. Aren't you paying attention?

    • Thats easy, we first take a bunch of old people who still have VCR's with the clock blinking 12:00 and we ask them to evaluate the new fangled electronic voting system.

      They then set the criteria of what is needed.

      1) Does it power on?
      2) Can I figure out how to enter my voter?
      3) Can my grandson tell me how to change the votes so the "Right" people win?

    • Bah. That's the backwards way of doing it. Here in the US, we award expensive contracts to large companies so they can make huge profits while delivering sub-par voting machines. The politicians win (in the form of bribes from the large companies and votes "redirected" to them) and the large companies win (aforementioned huge profits) so it's a win-win. Yes, the voters themselves lose, but that's not important when designing voting machines, right?

    • Re:Paper trail (Score:5, Interesting)

      by CastrTroy ( 595695 ) on Thursday April 16, 2015 @07:54AM (#49484579)
      I love the Canadian paper voting method and I hope it never changes. However, there are some differences between the Canadian System and the US system. In Canada, we usually only have one thing on the ballot. Either it's a federal election and you vote for your MP. If it's a provincial election you vote for your MPP. If it's a municipal election, there maybe be three things you can vote for, like mayor, city councillor, and school board trustee. But that's about as complicated as it gets. Compare the US election ballot [guim.co.uk] with a Canadian election ballot [elections.ca]. You could see why they might want to use a computer so they can lay things out a little more clearly. Ask one question per screen and it becomes a little less daunting. However, I think that if they are going to use computers to make the voting easier, it should really just be used to enter and print out your ballot, which is then deposited into the ballot box and counted manually.

      Really though, I don't think computers should be used at all. I've heard too many stories of polling locations not having enough machines and people having to wait hours in line to vote. The greatest part about the Canadian system is that It's never taken me more than 10 minutes to vote, and I've never had to travel more than 10 minutes to vote. I usually just stop by on my way home from work. I once lived in a highrise apartment that had it's own polling station. They basically have one in every school. It's so effortless. And yet we still don't have enough people voting.
      • Why not do what the UK does and use a separate piece of paper for each, and maybe vote on fewer things at any one time?

      • by Noodles ( 39504 )

        Apples and Oranges. How many races on a UK or Canadian ballot? Two? Go ahead and hand count those. Americans typically have dozens of races.

        • Yet here in Minnesota we can still use paper ballots where one just fills in the bubble and sends them through the scantron like machine. We are able to get results shortly after polls close unless a hand recount is needed, the machine is very accurate at counting ballots, and there are paper ballots that in case of a recount or other questions can be manually inspected by anyone with at least one functioning eye.
        • Why so many though? What are the politicians doing if the people have to vote on everything anyway? Isn't the whole point of electing a representative so that they can represent you. How can a voter possibly be expected to be informed on who is the best candidate for dozens of different positions in government?
          • What are the politicians doing if the people have to vote on everything anyway? Isn't the whole point of electing a representative so that they can represent you.

            Can't be done. You won't find an electable candidate who shares my views on important topics.

            Representative government is a necessity, but it's still important to give them explicit and clear mandates on especially important topics. I trust politicians to decide day-to-day topics, but when it's big things like anti-terrorism-snooping laws, or going to war with another country, or human rights issues like gay marriage, there should be a mechanism for the public to be heard. "I don't care what party you

          • by Anonymous Coward

            >Why so many though?

            We have MANY levels of government in the US which are run very different in different locations. City, town, county, state, federal. Just one example, can be more. Some states (any many cities) allow certain laws to be enacted by popular vote, some do not. Some cities fill different positions with popular vote (school board, judges) and some are appointed by elected officials. Basically, its a huge mixed bag on what you actually vote on. Sometimes certain things must be voted on, exam

  • Comment removed based on user account deletion
  • by Anonymous Coward on Thursday April 16, 2015 @07:43AM (#49484531)

    Considering the company gave $32M to various democratic campaign orgs during the 2012 election cycle, this should come as no surprise.

    It is absolutely no coincidence that VA and PA, both reddish states, and both critical to Obama's re-election, somehow fell to the blue category using these voting machines.

    I'm not even a USAian, but even I can see that your election system is a total fraud.

    • Considering the company gave $32M to various democratic campaign orgs during the 2012 election cycle, this should come as no surprise.

      It is absolutely no coincidence that VA and PA, both reddish states, and both critical to Obama's re-election, somehow fell to the blue category using these voting machines.

      Democratic supporters in 2004 claimed that Ohio was "stolen" to help Bush win re-election. It seems funny to me that the losing side always claims the winning side cheated. If the Republicans cheated in 2004, then why did they lose Ohio in the two following elections? I know it's always fun to tout conspiracy theories, but the simple truth is that in presidential elections, a significant number of Democratic supporters vote that can't be bothered to go to the polls otherwise. Florida went to Obama in 2

      • by bondsbw ( 888959 )

        simple truth

        No, the simple truth is that these are really the same folks no matter the letter beside their name. Some of them even switch the letter by their name when it becomes convenient, and the sad truth is, many people don't even realize it.

    • by Holi ( 250190 )
      I have searched high and low, so do you have any source for your assertion. I can't find any listing of political donations from AVS.
    • Virginia is overwhelmingly Democratic at the state executive level, so it's not that surprising that they voted Democratic at the Federal level. Most of VA's population growth over the past decade has been in the urban and suburban NOVA and Tidewater areas as well, which are Democrat voting strongholds.
      https://en.wikipedia.org/wiki/... [wikipedia.org]

      PA has been voting Democratic for decades, so it seems neither of us know WTF you're talking about.
      http://www.270towin.com/states... [270towin.com]

  • by gsslay ( 807818 ) on Thursday April 16, 2015 @07:57AM (#49484599)

    This is about as bad as software development can get, never mind software that's supposed to have basic security. It all points really to a package written by rank amateurs who had no idea what they were doing designing software, far less having the beginnings of a clue about hardening their software to attack.

    I mean, hard coded passwords? Really? Hard coded passwords that are this obvious? It's staggering incompetence. Was this written by a self-taught hobbyist over the course of a weekend?

    • by Anonymous Coward

      No, these were professionals. Amateurs would never be this inept.

    • by Bigbutt ( 65939 )

      Hey! I'm a self-taught hobbyist and I could do a better job of it :)

      [John]

    • As I read it, it was not an issue with the developed software (although there may be issues there as well), but rather an issue with the *setup* of the machines. It was not the developers who failed (passwords not hardcoded) but rather the admins deploying the machines were braindead and the auditors obviously clueless. For something like this they shold have used an randomly generated password or simply shut themselves out of the system (which is possible on Windows).

    • by Anonymous Coward

      They don't want to have basic security. They want them to be easily broken into. They want it that way so they can get the results they want. The software works perfectly to that end.

      Remember: it's not the voters that count, it's who counts the votes.

  • by koan ( 80826 )

    Well lets get a grayhat team over there and make sure Virginia votes entirely for Mickey Mouse.

    It's about time we had a rodent American in office.

    • Unfortunately that would be easily recognized as a glitch. Really what people should do is rig it so that 3rd party candidates start winning entire precincts and make the existing 2 major parties minor parties. For example in Minnesota if your party falls below 5% of the vote in a statewide election it looses major party status. This means it doesn't get automatic ballot access (state law), and also won't be included in any debates(rules setup up by the local media).

      If you are going to hack democracy why
  • Its fairly obvious these are features built in on purpose. Its never a mistake when a profesional that specializes in a field suddenly produces a product with problems such as buffer overruns in key security components that were magically not vetted. Look at Ohio and how Bush got a presidency, and the machines in place.
    This was done on purpose, using crap, making it easy, and hard to track when it happens. Surprise our experts didn't think of that, right!! Its all smoke an mirrors to abuse a system th
  • Unless this was a stripped-hown, hardened version with nothing but a custom kernel and custom-everything else with all unnecessary bits stripped out and hardening put on top of it, I wouln't trust it unless it had a voter-verified, human-manually-coutable paper ballot as part of the voting process for every vote.

    Wait, what am I saying? Even if it was stripped and hardened, I wouldn't trust any voting system that didn't have a way to print a ballot that the voter actually saw which could be examined in a ma

  • Only people can hack it?

    A real voting machine should be hackable by a chimpanzee [youtube.com].

  • If the state's Technologies Agency is equipped to produce damning reports, why wasn't it engaged to do so before the machine went into service ? The state can't make the case it was hoodwinked and simultaneously show it has the chops to uncover what was wrong.
  • by ThatsNotPudding ( 1045640 ) on Thursday April 16, 2015 @12:21PM (#49487067)
    I once asked a man visiting us at work from Norway what voting system they used. "Paper and pen and then we count them.", he said with a facial expression as if I'd asked him how he normally cooked his offspring for consumption.

    You only need voting machines for one thing: FRAUD. Fuck the corporate-owned networks wanting a winner two minutes after the polls close; if it takes a few days to count manually marked paper ballots openly, fully, and properly, SO BE IT.
  • Why should a company like Diebold care about security when they know they're guaranteed a no-bid contract?
  • What person in their right mind thought giving these things any kind of network connectivity was a good idea? Have we not learned from stupid decisions by SCADA system architects/administrators? If a network exists, the scale of a breach that will occur goes up drastically. A human being needs to be involved to physically relocate a certified write-once component from each machine to a central aggregator and then seal those removed components for audit verification. If I can have a hash verified write o
  • What do they imply by "even unskilled people" can hack them. Do they think it's ok for skilled professionals to be able to hack these machines? Those are the ones to worry about.

  • .

    If anyone can hack it, then voting machine got truly democratic.

    The voting process is just a bit skewed: the last to cheat votes for everyone, but at least it can be anyone.

Real programmers don't comment their code. It was hard to write, it should be hard to understand.

Working...