Security Government Politics

Diebold Security Foiled Again

XenoPhage writes "Yet again, Diebold has shown their security prowess. This time they posted, on their website, a picture of the actual key used to open all of their Diebold voting machines. Ross Kinard of Sploitcast crafted three keys based on this photo. Amazingly enough, two of the three keys successfully opened one of the voting machines. But fear not, Diebold has removed the offending picture, replacing it with a picture of their digital card key. Take that, hackers!"

  • Still in business (Score:5, Interesting)

    by j00r0m4nc3r ( 959816 ) on Thursday January 25, 2007 @04:16PM (#17758362)
    How can these guys still be in business? It seems like every couple weeks for the past 3 or 4 years I have been hearing about them screwing shit up, over and over and over and over again. Any other company would have been history long ago. What's with Diebold? Why don't they die?
    • Re: (Score:3, Funny)

      by MagicM ( 85041 )
      Why don't they die?

      Because they're called Diebold. Not Diebold.

      Duh.
      • by Zordak ( 123132 )
        People would be modding this "Funny" if they only got the joke. Go on mods---look up the proper pronunciation of "Diebold" and compare it to how you thought it was supposed to be pronounced.
    • by aquabat ( 724032 ) on Thursday January 25, 2007 @04:18PM (#17758406) Journal
      Two words: Government Contracts.
    • Their ATMs: if they were to post the ATM key then they may go down fast.
    • Re:Still in business (Score:5, Interesting)

      by gstoddart ( 321705 ) on Thursday January 25, 2007 @04:20PM (#17758444) Homepage
      How can these guys still be in business? It seems like every couple weeks for the past 3 or 4 years I have been hearing about them screwing shit up, over and over and over and over again. Any other company would have been history long ago. What's with Diebold? Why don't they die?

      That's because they aren't being viewed with a critical eye by the people buying voting machines.

      The people who are making those decisions continue to want to have the voting machines in the face of all of the evidence showing how unsecure/not-tamper-proof these things really are.

      Apparently, the government doesn't seem too bothered by a vendor who is selling a product which is completely insecure.

      Cheers
      • by jc42 ( 318812 ) on Thursday January 25, 2007 @06:21PM (#17760168) Homepage Journal
        The people who are making those decisions continue to want to have the voting machines due to all of the evidence showing how unsecure/not-tamper-proof these things really are.

        There; fixed it for you.

        If you think the politicos making the purchase decisions are ignorant of the documented problems, you're incredibly naive.

    • Re:Still in business (Score:5, Informative)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday January 25, 2007 @04:20PM (#17758448) Homepage Journal
      What's with Diebold? Why don't they die?

      I believe the following will explain: "The company came under fire last year for a letter that Diebold CEO Walden O'Dell wrote as a fundraising pitch to Republicans. In the letter, O'Dell said he was "committed to helping Ohio deliver its electoral votes to the president." Diebold is based in North Canton, Ohio." (http://money.cnn.com/2004/08/30/technology/election_diebold/index.htm [cnn.com])

      Frankly no one in power really seems to want a fair election. If they did, they'd be fighting these e-voting machines all the way - as there is absolutely no need for them.

      • by pilgrim23 ( 716938 ) on Thursday January 25, 2007 @04:39PM (#17758774)
        In the early 20th century, most cities had Trolley Lines. Most were electric. There was no need for road crowding, smoke billowing Buses. But Detroit realized building buses was a gold mine as long as City planning departments, the Mayor's urban task force and other such public servants could be persuaded to rip up the trolley lines. Thus our public leaders made decisions for the good of us all. The more it changes, the more it stays the same....
        • Re:Still in business (Score:4, Informative)

          by mspohr ( 589790 ) on Thursday January 25, 2007 @07:19PM (#17760994)
          Actually, GM, Firestone, and Standard Oil went around to various cities and bought up the trolley lines, ripped out the tracks and replaced them with GM buses.

          I believe they called it a "triumph of the free market". http://en.wikipedia.org/wiki/General_Motors_streetcar_conspiracy [wikipedia.org]

    • by Anonymous Coward on Thursday January 25, 2007 @04:38PM (#17758750)
      "DieBold, Die" is German for "The, Bold, The" - Bob
    • Maybe it's because Diebold has other lines of business. Or did you think they popped out of the ground yesterday?

      This only makes me more puzzled, really, when I see what kind of impenetrable tanks they use to store money (cash dispensers and ATMs) but they use flimsy pre-teen diary locks on voting machines.

  • by Prysorra ( 1040518 ) on Thursday January 25, 2007 @04:17PM (#17758374)
    To Boldy die where no security has died before!
  • by ghoul ( 157158 ) on Thursday January 25, 2007 @04:17PM (#17758384)
    The way to get rid of election controversies is to have a national election commission like in India. India has a lot more voters than the US and a much lower level of education but it manages to pull off general elections a lot more cleanly and fairly just because the standards are same for all elections and all precincts. The decentralized form of elections might have made sense for the age of horse coaches but in the age of internet it is not too tough to have the same standards everywhere in the US.

    Also why not have a paper trail? With a paper backup all fraud can be caught given enough time for recounts (again if elections are not controlled by local partisan officials they can't arbitrarily decide not to have recounts).
    • by ghoul ( 157158 )
      BTW the last Indian general election was an all electronic election with EVMs used in all precincts.
    • The problem isn't the decentralized standards. Once they're centralized the standards will probably still be inadequate.
      • by nuzak ( 959558 )
        Tell that to the Nevada Gaming Commission. They have tough standards, but that's because the state's revenue depends on it.
    • by Midnight Thunder ( 17205 ) on Thursday January 25, 2007 @04:23PM (#17758488) Homepage Journal
      Also why not have a paper trail? With a paper backup all fraud can be caught given enough time for recounts (again if elections are not controlled by local partisan officials they can't arbitrarily decide not to have recounts).

      In many ways Diebold et al. are all showing symptoms of not realising that they are trying to add technology to the wrong part of the process. In many ways the punch card system or optical card reader systems are the better systems, since the paper trail exists before the vote is taken into account: WYSIWYG. The proposed solutions provide a paper trail as a result of the process, if at all. The problem with this is that the paper trail may not be a result of what you inputted.

      Remember just because technology can be used for a process, it does not necessarily mean that technology is needed for the process. Technology is there to make a complex task simple, not the other way round.
    • by cdrguru ( 88047 )
      Yes, but...

      You are talking about one more area where the federal government intrudes, takes over and replaces a function that is left to the states now. This is not just a little troublesome for some people. The "War Between the States" was essentially over state's rights in one form or another. You should be prepared to believe that many states do not like losing out to the federal government powers that they have held for 200 years and will call out the National Guard (a state militia) to defend their
      • You might get it elevated from a county to a state level, but that is as far as it is going to go.

        As with the Indian example we have a federal election commission in Australia, and it works very well. Votes are cast by pencil on paper, counted by casual workers, and the count is mostly finished in a couple of hours. Manual counting doesn't really cost anything because the same people who do the counting are also needed to man the polling places during the day.

        I can't see how any kind of count or survey co

        • by Zordak ( 123132 )
          There is no such thing as a "federal election" in the United States. The very broadest elections are state-wide. That includes electing the President. There is no national "popular vote." It is a fiction created by newscasters, I assume to gauge the popularity of the candidates. The only thing that matters is whom you elect to the Electoral College. And I don't think MORE centralization will be a good thing. Power is already too heavily concentrated in Washington, D.C. If we had a single election sy
      • by Gropo ( 445879 )

        You might get it elevated from a county to a state level, but that is as far as it is going to go. Today it is that way in many states already so it wouldn't be that big a leap. But no way could it be taken away from the states.

        That may not be necessary. Strongarm states that don't conform their own laws to national 'standard' election laws by threatening Federal funding sanctions. That's been the common practice for quite a while, as far as I understand it. For instance, when the legal drinking age was rai

  • Google (Score:5, Informative)

    by Daemonstar ( 84116 ) on Thursday January 25, 2007 @04:19PM (#17758424)
    Diebold has removed the offending picture
    However, it remains (scaled down) in Google's image cache. :) Might not be of much use, but it is there.
  • New Vendor (Score:3, Interesting)

    by Divebus ( 860563 ) on Thursday January 25, 2007 @04:20PM (#17758426)
    It's time to look at some other vendor for voting machines and whatever else they make. Our future is too important to leave to stumbling bumblers like that. Anything can be defeated but shouldn't be as easy as this.
  • by griffjon ( 14945 ) <`GriffJon' `at' `gmail.com'> on Thursday January 25, 2007 @04:23PM (#17758484) Homepage Journal
    Hey, at least we know they're not relying on security through obscurity!
  • by Schraegstrichpunkt ( 931443 ) on Thursday January 25, 2007 @04:24PM (#17758498) Homepage
    Do they even have any security-minded people working at this company? Publishing a picture of a real key is an understandable mistake, but why does the same key open every single voting machine?
    • Publishing a picture of a real key is an understandable mistake

      How? I've never heard of anyone ever intentionally taking a picture of a key. And if it's a master key it's absolutely not an understandable mistake.
    • by cdrguru ( 88047 )
      Can you actually imagine the operational nightmare that would ensue if every machine had a unique key?

      Ignoring the potential for screwups in distribution (machine ships with no key, machine ships with wrong key), you have the wonderful situation of a large county (like Cook County, IL) with 10,000 machines and 10,000 unique keys.

      Of course, you cannot access the machine to do anything without the single, unique, correct key.

      I am sure that unique keys would be much, much worse than one key fits all.
      • by e4g4 ( 533831 )
        I agree that a unique key for each machine would be a logistic nightmare, but a single key that can open every machine used in the US? That's a disaster waiting to happen. A reasonable solution would be a single key for every 10-20k units, or perhaps even more.
      • by rblum ( 211213 )
        Yes, let me think about that. Secure elections, or convenience for the election officials? Clearly, we must choose the latter!
    • by SatanicPuppy ( 611928 ) * <Satanicpuppy@nosPAm.gmail.com> on Thursday January 25, 2007 @04:49PM (#17758892) Journal
      When you've only got seconds to doctor the votes, you can't be fumbling around with a big keychain.

      Jeez. I'd have thought that was obvious... ;)
    • why does the same key open every single voting machine?

      I am pretty sure that the same flat head screwdriver would open each of those locks as well.

      • But the key will open it without anyone knowing that it was done, which is the whole trick to rigging something. You don't want anyone to know it's been tampered with.
    • A better question would be why are they using a key? We all know that a simple key lock is not suitable security. You can defeat locks through bumping or picking. Or if you can get multiple people onto the same voting machine in sequence, one can spray into the lock, another can insert a blank and wiggle it, the key can then be cut out from the marks, and then the key can be brought back in and used. A key is simply not any kind of security whatsoever. It would make more sense just to put time locks on them
  • by RyanFenton ( 230700 ) on Thursday January 25, 2007 @04:25PM (#17758516)
    As long as it's a normal lock, like 90+% of the locks out there (likely including your own front door), then Lock bumping [wikipedia.org] is going to allow just about any person, regardless of skill, to defeat the lock using extremely simple tools, in a matter of seconds, likely with no signs of intrusion at all.

    Ryan Fenton
    • Re: (Score:3, Informative)

      And if it's not an it uses a registered or otherwise restricted key blank, like, say, a mailbox or P.O. Box key, then bumping is next to impossible because you simply can't get a blank without permission.

      • And if it's not an it uses a registered or otherwise restricted key blank, like, say, a mailbox or P.O. Box key, then bumping is next to impossible because you simply can't get a blank without permission.

        All I need is one cut key and an upright mill and I can make as many blanks as you want. How many do you need? You can score a nice BIG bridgeport upright mill on ebay, typically with some tooling, for around $1500 plus an obscene charge for shipping something that heavy. And you'll need three phase power

        • You, uh, also have to know how to operate a bridgeport upright mill.

          Last I checked, bridgeport operating was a specialized skill that actually pays pretty well in my area (Metro Detroit) because it requires some training and experience to actually know what you're doing.
          • Re: (Score:3, Insightful)

            by bhsx ( 458600 )
            Yeah, I guess if you were really serious about trying to rig an election it'd be hard to find someone with those skills... Oh wait...
          • Re: (Score:3, Interesting)

            by drinkypoo ( 153816 )

            Last I checked, bridgeport operating was a specialized skill that actually pays pretty well in my area (Metro Detroit) because it requires some training and experience to actually know what you're doing.

            Last I checked, it was called "milling", not "bridgeport operating". And you can go to a community college and gather the requisite skills in a three unit, one-semester class. Frankly milling is not very hard, it's not even slightly hard. The hardest part is remembering which way the table will move when yo

            • Around here people put in ads for 'Bridgeport Operator' when they mean they want someone who can operate a manual lathe like the Bridgeport. Otherwise, the ads are for 'NC Machinist' or 'CNC Machinist', when they are looking for an operator skilled with a computer-operated mill.

              • Around here people put in ads for 'Bridgeport Operator' when they mean they want someone who can operate a manual lathe like the Bridgeport.

                that's pretty hilarious. I guess they figure that people willing to work churning out parts may or may not even know that it's called a "vertical mill", but that a significant (maybe dramatic is a better word) percentage of vertical mills are made by bridgeport.

                After all, an actual "machinist", someone who can make things by hand on horizontal mill, or vertical mill,

          • Re: (Score:3, Insightful)

            by Tim C ( 15259 )
            it requires some training and experience to actually know what you're doing.

            So? How much time do you think you have between elections anyway?
        • There are plenty of tool and die makers around. I could order a few blanks ^W, - I mean custom metal parts, for a hell of a lot less than $3,000.
          • I'm just pointing out that the technology is neither expensive nor hard to acquire. I'm aware that there are already people out there who have the technology. If you make the blanks yourself, though, you eliminate other people from the mix. You keep a secret by not telling anyone and there's a zillion legitimate business uses for a milling machine.
  • Undaunted (Score:5, Funny)

    by imaginaryelf ( 862886 ) on Thursday January 25, 2007 @04:26PM (#17758526)
    Our hero copied the smartcard from their photo on the website and keyed in the password 12345, the master password that unlocks all diebold machines.
    • Re: (Score:3, Funny)

      by ptbarnett ( 159784 )
      Our hero copied the smartcard from their photo on the website and keyed in the password 12345, the master password that unlocks all diebold machines.

      1 2 3 4 5? That's amazing! I've got the same combination on my luggage!

    • by Goaway ( 82658 )
      You know, if you look at the photo of that key, it sure looks a lot like it encodes a value very similar to "12345".
  • by Iphtashu Fitz ( 263795 ) on Thursday January 25, 2007 @04:26PM (#17758528)
    ... is the fact that Diebold also manufactures ATMs. Makes me wonder if my bank account is safe...
    • Re: (Score:3, Funny)

      by Stripe7 ( 571267 )
      Maybe that is how they stay in business. :D
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      What, are you serious? You think they'd ever put out a system that would lose them money? Sure, every once in a while you hear about an ATM that had the factory default password still in place or took some common key but those are usually the fault of lazy/incompetent banks. Well, maybe not with the key.

      But think about it, how often is it that anything errs in your favor? Bank magically gives you an extra $20? Phone company charges you at half rate?

      Remember that story about the ATM that was pumping out
    • Re: (Score:3, Insightful)

      by wpegden ( 931091 )
      No, fear not. Like you, the people up top are much more concerned about correctly counting pennies than votes. Rest assured, your bank account is much more secure than any of your "freedoms" or "rights".
    • ... is the fact that Diebold also manufactures ATMs. Makes me wonder if my bank account is safe...

      I would *think* if someone managed to open an ATM, I think the money would be the first thing to grab. I don't know how much cash your average cash machine holds but
      http://www6.diebold.com/gssssps/pdfs/DBD_ATM_Cash_Mgt_PC.pdf [diebold.com]
      Diebold machines do employ cash management, making sure to keep track of how much is needed.

      Besides, as pointed out in other Slashdot articles, phishing schemes seem to be most effective.
  • Isn't this the same key that will open mini-bars?

    I think the hotel owners should be able to sue over this release.
    • Re:Isn't this... (Score:4, Interesting)

      by Physics Dude ( 549061 ) on Thursday January 25, 2007 @04:54PM (#17758956) Homepage
      Isn't this the same key that will open mini-bars?



      Yes. From the article:

      " ... and beyond that, it could be opened with the same keys typically used with hotel minibars and jukeboxes."


    • by pla ( 258480 )
      Isn't this the same key that will open mini-bars? I think the hotel owners should be able to sue over this release.

      For the non-refrigerated mini-bars, you don't actually need the key. Grasp the handle firmly and push/rotate it outward (hard to describe but trivial to do - Basically you want to put torque on it so the bolt of the lock on the inside rotates away from the door jamb).

      As an aside, this works on a lot of simpler locks on thin-metal cases - The weakness comes from the fact that the door and
  • Winner (Score:5, Funny)

    by liak12345 ( 967676 ) on Thursday January 25, 2007 @04:32PM (#17758650)
    This time they posted, on their website, a picture of the actual key used to open all of their Diebold voting machines.
    Diebold just won the golden "Are You Fucking Kidding Me?" Award of 2007.
  • ..... So will they not rest until our security is completely compromised?
  • by ReverendLoki ( 663861 ) on Thursday January 25, 2007 @04:33PM (#17758672)

    But fear not, Diebold has removed the offending picture [CC], replacing it with a picture of their digital card key.

    Using this picture as a base, I have crafted three digital card keys...

  • these guys cannot accidentally conjure up this many screwups in a row. it has to be by design. the interesting question is, what are they pulling while we're laughing ourselves onto the floor over this butch?

    hillary vs cheney, perhaps, in 2008?
  • It could have been this Diebold key that provided access

    http://images.google.com/images?svnum=10&hl=en&lr=&q=GS-567331-1000_d.jpg&btnG=Search [google.com]

    At least with the key under discussion, one had to do some metal work to duplicate it from a photo.

    For the key in that image, I suspect that the same trick using a bic pen [wired.com] to open that kind of lock would work.

    Hmm.... I wonder what that GS-567331 was supposed to open..... The page isn't working right now :)
  • Florida House 13 (Score:5, Interesting)

    by bloodstar ( 866306 ) <blood_star@nospAM.yahoo.com> on Thursday January 25, 2007 @05:05PM (#17759136) Journal

    Why are people ignoring what is going on in Florida House District 13?

    The Republicans are claiming a 369 vote victory. However the EVMs in Sarasota county reported an undervote of 18,000, or 1 in 6 of the total votes, which is much higher than the undervote in both the other counties and on average. Sarasota County also happened to be where the Democrat challenger won the vote by 6 percentage points (of the votes cast in that county).

    There are some obviously severe issues with Electronic Voting, particularly when there is no paper trail (as in the case for this district). Sure, there are ways to change the vote on a paper verification ballot, however large scale fraud becomes problematic to implement.

    Links Below:
    http://www.heraldtribune.com/apps/pbcs.dll/section?CATEGORY=NEWS0521&template=ovr2 [heraldtribune.com]
    http://en.wikipedia.org/wiki/Florida's_13th_congressional_district [wikipedia.org]
    http://www.verifiedvotingfoundation.org/article.php?id=6423 [verifiedvo...dation.org]
    http://www.cqpolitics.com/2006/12/the_cqpolitics_interview_chris_1.html [cqpolitics.com]

  • by Anon-Admin ( 443764 ) on Thursday January 25, 2007 @05:22PM (#17759402) Journal
    Determining
      Inaugural
      election
      Ballot
      Outcome (on)
      Lousy
      Data

    DIEBOLD :)
  • by inviolet ( 797804 ) <slashdotNO@SPAMideasmatter.org> on Thursday January 25, 2007 @05:38PM (#17759620) Journal
    This time they posted, on their website, a picture of the actual key used to open all of their Diebold voting machines.

    Voting machines should not be relying on physical security in the first place, because it is not practical to physically protect them 24/365. Their trustworthiness should be the result of double-handshake cryptographic authentications between the touchscreens, consoles, memory cards, and the central tabulator. Being able to open the cabinet should not be a vulnerability, because poll workers are invariably going to need to do so.

    So, if Diebold machines implement proper authentication, then the cabinet key is not an interesting exposure. But if they don't (and we already know that they don't), then the cabinet key doesn't make them significantly more vulnerable than they already are.
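
The per-component authentication this comment argues for, combined with the thread's earlier objection to one key opening every machine, sketched as an added example (not from the original post and not Diebold's design): each unit gets its own key derived from a master secret, and tabulator and device prove themselves to each other with an HMAC challenge-response. All names (`derive_device_key`, `Tabulator`, `unit-A`) and the message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Diversify one master secret into a distinct key per device ID."""
    label = b"device-key:" + device_id.encode()
    return hmac.new(master_key, label, hashlib.sha256).digest()


def auth_tag(key, role, device_id, first, second) -> bytes:
    """MAC over role, device ID and both nonces, each length-prefixed."""
    fields = (role, device_id.encode(), first, second)
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Device:
    """A touchscreen or memory card holding only its own key (hypothetical)."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key
        self.peer_nonce = self.nonce = b""

    def respond(self, peer_nonce: bytes):
        self.peer_nonce, self.nonce = peer_nonce, secrets.token_bytes(16)
        return self.nonce, auth_tag(self.key, b"device", self.device_id,
                                    peer_nonce, self.nonce)

    def verify_tabulator(self, tag: bytes) -> bool:
        expected = auth_tag(self.key, b"tabulator", self.device_id,
                            self.nonce, self.peer_nonce)
        return hmac.compare_digest(tag, expected)


class Tabulator:
    """Central side: re-derives each device key from the master secret."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.pending = {}  # device_id -> outstanding challenge nonce

    def challenge(self, device_id: str) -> bytes:
        self.pending[device_id] = secrets.token_bytes(16)
        return self.pending[device_id]

    def verify_device(self, device_id: str, device_nonce: bytes, tag: bytes):
        nonce = self.pending.pop(device_id, None)  # each challenge is single-use
        if nonce is None:
            return None
        key = derive_device_key(self.master_key, device_id)
        expected = auth_tag(key, b"device", device_id, nonce, device_nonce)
        if not hmac.compare_digest(tag, expected):
            return None
        # Different role label, so the device's own tag cannot be reflected back.
        return auth_tag(key, b"tabulator", device_id, device_nonce, nonce)


def handshake(tabulator: Tabulator, device: Device) -> bool:
    """True only if both sides proved knowledge of this device's key."""
    nonce = tabulator.challenge(device.device_id)
    device_nonce, tag = device.respond(nonce)
    reply = tabulator.verify_device(device.device_id, device_nonce, tag)
    return reply is not None and device.verify_tabulator(reply)


def run_demo() -> dict:
    master = secrets.token_bytes(32)  # constructed sample secret
    tab = Tabulator(master)
    unit_a = Device("unit-A", derive_device_key(master, "unit-A"))
    # A unit presenting itself as unit-B while holding only unit-A's key.
    wrong_key = Device("unit-B", derive_device_key(master, "unit-A"))
    # Replay: a response recorded for one challenge, re-sent for the next.
    old_nonce, old_tag = unit_a.respond(tab.challenge("unit-A"))
    tab.challenge("unit-A")
    replay = tab.verify_device("unit-A", old_nonce, old_tag)
    return {"genuine": handshake(tab, unit_a),
            "wrong_key": handshake(tab, wrong_key),
            "replay_accepted": replay is not None}


if __name__ == "__main__":
    print(run_demo())
```

With per-device keys, extracting the secret from one unit does not let it pass as another, while the central side still stores only one master secret rather than a key per machine.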

  • Public Key? (Score:3, Funny)

    by fahrbot-bot ( 874524 ) on Thursday January 25, 2007 @05:47PM (#17759736)
    they posted, on their website, a picture of the actual key used to open all of their Diebold voting machines

    I hear Diebold is looking into different security measures and is interested in this new-fangled "Public/Private" key stuff. Perhaps this was their Public key...

  • The real world (Score:3, Insightful)

    by Kilz ( 741999 ) on Thursday January 25, 2007 @05:55PM (#17759848)
    In the real world there are Election Judges. People who watch what's going on. This unlocking and tampering isn't going to happen in front of them. This is a proof of concept idea, and like a lot of them it takes some things for granted. Like "you will be able to do this and no one is looking, or will stop you". But in the real world that isn't the case. Try this in a real polling place and go to jail, go directly to jail, do not pass go, do not collect 200 dollars.
    • by grommit ( 97148 )
      You're forgetting that in the real world many precincts allow election workers to take the voting devices home in the days prior to an election. This would give them both plenty of time and plenty of privacy to do whatever they want with the machines.
    • by pilkul ( 667659 )

      Great. So bank vault locks don't need to work properly either, since in the real world there will usually be people around. Antivirus programs aren't necessary, since the firewall ought to block everything. Restricted user accounts aren't necessary, since bad guys should be stopped from entering the system in the first place.

      The point of multilayer security is that they provide essential fallbacks when other layers fail. If an inner layer fails, despite the fact that it is mitigated by the existence

  • by Evets ( 629327 ) on Thursday January 25, 2007 @06:02PM (#17759938) Homepage Journal
    There are always a lot of complaints about the security of any Diebold voting machines. Then there's the constant complaint of a paper trail (my county now has paper-trail making diebold machines).

    What people should be pushing for is a voting system on commodity hardware. There's no sense in putting a million dollars forward for a small amount of "proprietary" machines that are all crap anyways. The only reason for wrapping a software solution in proprietary hardware like this is security through obscurity.

    Instead of complaining all the time about Diebold et al., what we should be doing is putting together a GPL voting solution. Once it is mature and stable, push our representatives to make the move.
    • by Danse ( 1026 )

      There are always a lot of complaints about the security of any Diebold voting machines. Then there's the constant complaint of a paper trail (my county now has paper-trail making diebold machines).

      It's not just about having a paper trail. It's about how that trail is created, and whether the procedures are sufficient to make it effective. From what I've seen, the paper trails in many places are unreliable, and practically useless for getting an accurate recount and preventing vote tampering.

  • by Greyfox ( 87712 ) on Thursday January 25, 2007 @07:04PM (#17760816) Homepage Journal
    Based on Diebold's actions in this area I think they must be an extreme case of an equal opportunity employer! Most employers do not discriminate on the basis of Race, Creed and Color. Diebold has obviously taken this to the next level in that they don't discriminate on the basis of Ability, either. We shouldn't be slamming them! We should be applauding them for taking bigotry down another notch! If it weren't for Diebold all those guys would be out on the street or having to work in the exfoliating scrubber factory or something! Hooray, Diebold!
