Diebold Voting Machines Audited by California

Panaqqa writes "Diebold must be wondering what else can go wrong. Considering their arrogance in the past, their comeuppance is truly well deserved. The State of California's source code review [PDF] of the Diebold voting system has been released. Additional reports will be made available as the Secretary of State determines that they do not inadvertently disclose security-sensitive information. One wonders what it will take to convince voting machine manufacturers not to do things like hard coding passwords as '12345678.'"

Oblig...

[Tuoqui]

12345678... That sounds like the password some idiot puts on their briefcase.

Re:

[brywalker]

12345678... AMAZING! That's the same exact password I have on my briefcase!

Duuuuuuude!

[iknownuttin]

12345678... AMAZING! That's the same exact password I have on my briefcase!

We have a psychic bond! I use that exact same password on my luggage and machines!

We're password buddies!

Re:

[HiggsBison]

12345678... AMAZING! That's the same exact password I have on my briefcase!

AMAZING! That's the same exact password I have on my br...

Inconceivable!

Password 12345678

[billstewart]

Dude! You've got an amazingly secure briefcase, with 8 digits! Mine only has 4 digits, and nobody'd ever guess whose birthday the password is (oops...)

Back to reality, though, it's amazing how many Unix passwords were "abc123", back when our systems required at least six characters including some non-letters :-)

Re:Oblig...

[tverbeek]

The security code on my house alarm is 789456123... no one would ever guess that!

Re:

[ilikejam]

2 444 66666 8888888

Re:

[Brian Gordon]

Argh, what's the from?!

Re:Oblig...

[Martin Blank]

It's a paraphrase from Spaceballs, when the king of Druidia hands over the code to the air shield.

Re:

[Brian Gordon]

Oh yes THANK you!

Re:

[Martin Blank]

You're welcome.

And why I deserved an extra three karma points for that, I will never know.

Amazing.. truly amazing

[JustNiz]

how after all the many serious screw-ups and warnings that Diebold has had in the past couple of years, this report shows they still didn't do anything at all to improve the situation.

I often wondered how managers and CEO's that don't even have a clue get given companies to control. This level of obvious incompetence makes me wonder even more.

Maybe not so obvious

[dereference]

If you believe this is nothing more than pure incompetence, then you too have been fooled. This level of incompetence is usually indicative of strong intent that Hanlon's razor will be used by others to essentially protect the perpetrators from punishment for their immoral and/or illegal activities. This is just another way to game the system.

Re:Maybe not so obvious

[Martin Blank]

I believe that it can be (but not necessarily is) pure incompetence. Most developers that I've met have no business writing code that would be usable in a 'secure' environment, and the pen tests that are now done as a matter of practice on our outward-facing systems routinely rip our devs work to shreds. It's gotten to the point that the developers want to know what methods will be used in the pen tests so that they can protect against them. We in the security group have steadfastly refused to provide them anything other than a timespan when the test will be happening, so that they know not to update code in the middle of it, and so that they can't do targeted coding before-hand.

One of the major problems that I see is that the developers rely far too much on security by obscurity, no matter what the project covers, figuring that if the attacker can't see the code, then he can't see vulnerabilities, and they don't read enough about vulnerability research to understand how critically dangerous this is. They do things like requiring SSL for the front-end session, encrypting the back-end FTP transfer, and splitting off the management interface to an internal server, while leaving the access controls for the database identical for both systems, requiring only short passwords, allowing an inordinate number of password retries, using poor seeding techniques for session IDs, and leaving nearly-default configurations of the web server in place.

I tend not to place as much value in accusations of malice as I do in observations of incompetence. When presented with a result like this from any random company, I am far more likely to attribute it to the latter, unless presented with some fairly strong evidence to the contrary.

Re:

[neomunk]

Well, you theory can be tested by looking at the security quality of their OTHER main product... Diebold ATM machines.

No, incompetence is not the answer, or the streets would be flooded with $20s by now, it's intent, not 'opps, I'm so silly'. This company knows how to do security right, they just can't be bothered in this instance.

Three guesses as to why it's not a priority to them, like, say, ATM security is.

Re:

[Martin Blank]

You're presuming that the code in their ATMs is much better. Has anyone done an independent, published code analysis of them where we can compare the results of that to this?

And don't forget that there are still report sections to be released. This may be endemic to the voting machine industry.

Reports like these make me want to bring back the older systems with punch cards. The wholesale move to electronic ballots is a prime example of over-reaction to the discovery of a break in the system (poorly-desig

Re:

[pipingguy]

It's gotten to the point that the developers want to know what methods will be used in the pen tests so that they can protect against them.

This is absurd and dishonest. Did these same people cheat on tests when in school?

Re:

[Martin Blank]

I couldn't tell you. It may be simplistic thinking: if you know someone is going to shoot at you, you consider wearing armor. It may be that they have pride in their work and don't want to have their feelings hurt.

Whatever the case is, neither side gets all that much information prior to the test.

Re:Amazing.. truly amazing

[Vengance Daemon]

I often wondered how managers and CEO's that don't even have a clue get given companies to control.

It's really pretty simple: Many companies are no longer run by the visionary people that started them, they are run by accountants and "risk managers."

Re:

[beyondkaoru]

actually, it appears that all the voting machines that were audited in california were pretty bad, full of 'garden variety' mistakes and security flaws.

http://www.crypto.com/blog/ca_voting_report/ [crypto.com]

Re:

[beyondkaoru]

mmm, i feel awkward replying to a reply like that, but anyway, it's matt blaze; i'd say it's pretty credible, and also was quoted in bruce schneier's blog. blaze is a reasonably well known security and cryptography guy. as far as the psychic powers thing goes, i think you just aren't getting his brand of humor (i have met him in real life, and he's kind of awkward sometimes, but funny)

Re:

[SoopahMan]

Because the metric they are measured by is not technical competence. Business people choose business people to lead technical businesses. Then they make bonehead technical mistakes. It could be argued that a non-technical person in charge of a tech biz is itself a bad business decision, but conventional business thinking would disagree with you. The leaders of the most successful tech businesses would certainly agree, however.

Re:

[pipingguy]

Perhaps most "managers and CEO's" don't have tech backgrounds and think that fundamental problems can be solved with lawyers and more PR/better marketing. It's probably relatively easy to turn a blind eye towards problems and paper over them if one's only concern is money.

Just use paper counting

[Lars Clausen]

Voting machines are a technical non-solution to a non-existing problem. Counting votes by hand in public view is almost as fast, has much fewer things that could go wrong with them, and is intrinsically open to public scrunity like no machine system can ever be. Plus, it's cheaper. It works in Denmark, it should scale perfectly well to the US.

Re:

[sommere]

Counting votes by hand works when there are one or two issues on the ballot. When you have ballots with hundreds of races, and ammendments, etc. It does not scale well.

Sure it does.

[khasim]

The votes on 10 ballots are totaled and this total is recorded on a marker sheet placed on top. Then the bundle is tied up. (10 ballots)

10 of those bundles are totaled on a different marker sheet and bundled together. (100 ballots)

10 of those bundles are totaled on a different marker sheet and bundled together. (1,000 ballots)

10 of those bundles are totaled on a different marker sheet and bundled together (10,000 ballots)

And so on. The idea being that any individual bundle can be quickly verified or re-counted. And because it's all base 10, it is easy for MOST humans to visually verify the bundles themselves. The ones that can count to ten, that is.

Re:

[SoopahMan]

Sorry but regardless of the simplicity of bundling votes, letting Diebold prove to you electronic voting is fundamentally flawed is a bigger mistake than choosing either method.

Re:

[Bearhouse]

"The ones that can count to ten, that is."

So, that's 90% of the US population out then...

Re:

[doom]

sommere wrote:

Counting votes by hand works when there are one or two issues on the ballot. When you have ballots with hundreds of races, and ammendments, etc. It does not scale well.

And you think that the electorate can make intelligent, informed decisions when asked to vote on hundreds of issues? Democracy doesn't scale well up to that level, that's why we're stuck with a Democratic-Republic [1]

Techie geeks have this amazing capability to focus on the wrong problem...

[1] Or we were, before the New

Re:

[Sparr0]

No, tradition is why we are stuck with a Democratic-Republic. I am a proponent of direct democracy via direct representation. In short, everyone gets to vote on every issue, or they can delegate their vote to a representative (who can then delegate all of THOSE votes, and so on). I am sick and tired of being "represented" by someone who doesn't share ANY of my views. Or worse, someone who actively promotes the interests of corporations over their own constituents.

Re:

[doom]

or they can delegate their vote to a representative (who can then delegate all of THOSE votes, and so on).

Interesting. In your system, would I have to hand all of my votes over to a single delegate, or could I sub-divide the issues among multiple delegates?

In any case, I think if you game it out, what ends up happening is that the delegates need to form voting blocks to get anything past the other delegates, and you end up with extreme levels of compromise going on to the point where your input into t

Re:

[Qzukk]

or could I sub-divide the issues among multiple delegates?

I think subdivision would work best, though at that point, you're basically voting on individual issues in the first place, except instead of personally voting on each issue, you're voting on representatives for each issue. It'd also introduce interesting difficulties, for instance, how do you ensure that when you assign your vote on abortion issues to a given representative, that that representative only spends your vote on abortion issues? There'

Re:

[doom]

If the problems could be worked out, it would pretty much fix most of the major problems with representative democracy, the worst of which being voting for people that don't represent you on many issues just to get your voice heard on one or two.

I think I see what you're going for, though as I've already outlined I think in actuality you'd find problems with your system that are very similar to what we already have. The EFF delegate would keep explaining to the troops that they just had to compromise on

Re:

[Qzukk]

The EFF delegate would keep explaining to the troops that they just had to compromise on those DRM issues in order to get the RIAA delegates support on those privacy issues, and so on.

You have a point, if the design isn't careful, we just end up trading one Congress for another. I think we can cut down on vote trading by requiring the candidates for delegation to register for some subset of related issues, so the EFF would not vote on issues that the RIAA would deal with except in those cases where their i

Re:

[Sparr0]

All votes to a single person. Your representative. Subdivision requires, among many other complications, someone to divide the issues to be voted on.

As to your conclusion, I disagree. Voting blocks are the thing I want to eliminate. If my representative starts voting against my interests in order to trade votes with others, then I pick a different representative. The goal is to end up with every vote being cast in the way the citizen would have cast it themselves. Of course that won't happen, but it c

Re:

[vidarh]

Sure it does. In a typical local election in Norway, a largish county essentially will have to tabulate votes for 500-600 candidates (there are 63000 candidates for the next local elections in Norway, or about 1.4% of the population), which include fractional votes (transferred from other lists, as you can vote for a party, but still "tack on" your favorite candidates from other parties to give them a fraction of your vote). Despite the complexities of that voting system (it's a proportional system with lot

Re:

[Grave]

I'm guessing you're from Norway, so I'll excuse you for not understanding how American government works. You see, the people we elect to "represent" us believe that existing laws are meaningless if they themselves did not write them the previous term. So any issues that arise will need entirely new legislation drafted, often with the help of the corporations and lobbying groups that funded their campaign. Hence, a simple fix to a broken paper ballot system isn't sufficient. No, we need entirely new laws

Re:Just use paper counting

[Durrok]

Whenever a story on the voting machines comes up many people present your argument. I find it fundamentally flawed however as counting by hand is extremely inefficient. Not only is it a slow, labor intensive task but it is also open to human error and other technical issues (hanging chads, etc). There is no real point of denying it, computer voting is coming. Instead of saying "Oh this new system doesn't work in it's current incarnation, we should go back to the other method" we should be asking "The new method we are trying to implement is flawed, how should we change it?"

Re:Just use paper counting

[Anonymous Coward]

Working democracies are based on secret and unprovable votes and a transparent and voter verifiable voting process. The process is intentionally designed in a way which does not require anyone to trust anyone else. If you can come up with a computer voting system which does all that, let's hear it. Consensus among technology-minded people who have looked into the problem from a civil rights point of view seems to be that no computer voting system can work with secret and unprovable votes and at the same time be transparent and voter verifiable. (The basic idea is that, since computer systems are never verifiable as such, verifiability would have to come from being able to recount the votes in some independent way, but one would have to violate the secrecy or make votes provable to do that.)

Re:

[Compholio]

(The basic idea is that, since computer systems are never verifiable as such, verifiability would have to come from being able to recount the votes in some independent way, but one would have to violate the secrecy or make votes provable to do that.)

Paper Printout:
-------------
Thank you for voting! Your democratic republic is at work!

Your transaction ID is:
wxC9!2@67Azs

Your vote was counted toward:
Bob

Please keep this receipt and visit www.CheckYourVote.com or call 1-800-CHK-VOTE to confirm that your

Re:

[david.given]

Your vote was counted toward:
Bob

Good day, Mr. Smith. Mr. Jones would like to see your voting receipt now. Naturally I am sure that you voted as agreed in our little business arrangement, because if you didn't, Mr. Jones will be very upset...

Re:

[iluvcapra]

• Today and today only! 1230 AM is offering $2 for every election receipt you give us with "Bob" on it!
• Come on in to mattress warehouse for our election day special! Get a free comforter with your mattress if you have a receipt for "Bob"!
• Boss: Everybody vote today? Let's see your receipts! Uh... I wanna make sure you're all participating.

If you put a voter's choice on the walk-away receipt, you commoditize the election completely, since the receipts become a call on a vote. You can print the choices

Re:

[gcauthon]

Computer systems are not verifiable? Since when? And why would we be doing a recount? A recount is performed when it's suspected that someone miscounted the votes. When you do a calculation in calc.exe, do you perform the calculation twice so that you can double-check the results? A recount on a computer-based voting system would be equally stupid. Uhh, how many files are in that folder? Better count again to make sure... sometimes the files stick together... Even assuming a recount is needed, what s

Re:

[gcauthon]

In reply to all of that... I would simply review the source code and circuit diagrams. The point of my post was that having an open system makes a system more reliable and improves secrecy, not the other way around. The post before mine was trying to imply that openness and secrecy were mutually exclusive. In any voting system, you should be verifying the system itself, not the act of voting. If you know everything about a computer system, then yes you can prove with mathematical certainty how it will b

Re:

[smash]

You can review source code all you like, you're still trusting that the supplier of the source code gave you the code that was used to generate the voting machine software in use.

Re:

[vidarh]

It is inefficient, but it doesn't need to be efficient, it needs to be accurate and efficient enough to be countable in a reasonable amount of time. And while an individual human is inaccurate, there is a paper trail that allowed another human or more to check the first humans work, which frequently or always does happen in most countries.

Hanging chads is a bullshit argument - I've seen nobody argue that it isn't acceptable to use a voting machine that produces a printed voting card that's guaranteed to b

Re:

[CastrTroy]

Americans vote in November, but the guy who's elected doesn't get into office until January. For some unknown reason, they need the results within 2 hours.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[vertinox]

"Oh this new system doesn't work in it's current incarnation, we should go back to the other method" we should be asking "The new method we are trying to implement is flawed, how should we change it?"

Forging, destroying, or disposing of 100,000 paper ballots can be done but it is rather hard and time consuming.
Forging, destroying, or disposing of 100,000 electronic ballots can be done and with only a few keystrokes.

The thing is, most of the people nay saying the loss of paper ballots aren't Luddites but are

Re:

[geoff lane]

People keep saying that computerised voting will eventually work. Yet report after report just proves that computerised voting is much, much worse than any of the alternatives. A vote is too important a thing to waste as test data on an alpha implementation.

It would be interesting to know why computerised voting can't count. Counting is one thing that a computer can do well.

Re:

[DragonWriter]

Whenever a story on the voting machines comes up many people present your argument. I find it fundamentally flawed however as counting by hand is extremely inefficient. Not only is it a slow, labor intensive task but it is also open to human error and other technical issues (hanging chads, etc).

Um, hanging chads are a problem with with ballots designed for machine counting that are resolvable only by hand counting, not a problem with ballots designed to be counted by hand.

There is no real point of denying i

Re:

[CryBaby]

I find it fundamentally flawed however as counting by hand is extremely inefficient.

Inefficiency is not intrinsically a flaw, it's simply an attribute. Whether or not it's a flaw depends on the context. If we're talking about a for-profit business venture, then inefficiency is probably a flaw, but we're talking about a vote counting process. Inaccuracy is a flaw, and anything that might lead to inaccuracy such as the vulnerabilities found in all current electronic voting machines, but inefficiency doesn't

Re:

[Lars Clausen]

Slow? No, we get our results the same evening *and* we get an extra count the next day. Prone to human error? Since it's open to the public, there are many eyes checking for errors. Sounds familiar? Hanging chads? I suppose there could be votes that are pencilled in in an uncertain manner (note no machines for marking the vote either, we've seen just how much this helps), but with multiple independent verifiers those can be sorted out. It also scales well with the number of people voting and costs ver

Not hand, mechanical paper counting

[AHumbleOpinion]

Voting machines are a technical non-solution to a non-existing problem.

Agreed.

Counting votes by hand in public view is almost as fast, has much fewer things that could go wrong with them, and is intrinsically open to public scrunity like no machine system can ever be. Plus, it's cheaper.

Wrong on faster and cheaper. As the recount in some Florida counties showed in the 2000 US presidential election.

Voting on paper is fine, but the paper should be mechanically counted. Hand counts should be a last resort when the machines are unable to read a vote or are malfunctioning.

Re:

[192939495969798999]

It's cheaper in the sense that if you need a paper recount, you have to go back to paper voting anyhow. So basically a machine vote is synonymous with a machine + a paper vote. I think that's how the paper-only vote is cheaper.

Re:

[sadr]

Let us say that a person making $10 / hour can count 1000 votes an hour. That's one cent per vote counted.

Let us assume that a person can enter one vote in 20 seconds on a voting machine. Let us assume that voting machines are busy 10 hours on voting day. Each voting machine will "count" 1800 votes in a day. So for $20, you can count more votes than the voting machine.

If each voting machine costs $400, it will take 20 elections to recoup your investment. And while there are multiple elections a year, y

Re:

[Dhalka226]

We're talking about the United States here. I can't speak to every ballot in every jurisdiction, but in mine (Cook County, Illinois, but not Chicago) there were at least 50 and probably closer to 100 things to vote on. Not only that, but the questions were different; there was the standard "select one candidate" lists, there were "select N of the Y below" lists, and there was page after page of "retain or not retain" (mostly for judgeships).

How many people do you know who can keep 50-100 different talli

Re:

[sadr]

If you go with a pure hand-counting system, you put each vote on it's own piece of paper.

You sort the ballots into races, and then sort each race into a stack for each candidate.

Then you count and re-count the stack. Some countries use bank tellers, who, in those countries, get the day off. And they are, of course, very experienced in counting the number of little bits of paper and don't make a ton of money.

The optical scan machines are probably worth it, although I'd resist the temptation to have them be

Re:

[jbengt]

"Wrong on faster and cheaper. As the recount in some Florida counties showed in the 2000 US presidential election."

I can't see the logic in that example.
The recount in Florida was a recount, not a count. A recount of a close, contested vote has a lot of inherent diffuclties not necessarily found in the first count.
Also, it was a visual recount of punch cards, and punch cards are designed for machine counting, not human reading. Hanging chads would not have been a problem in a paper ballot. I know ambigui

Re:

[pipingguy]

"Cheaper" as in "less people are involved"? Aren't elections supposed to be about people? Trying to minimize peoples involvement from the whole process seems a bit odd.

Re:

[mdsolar]

I agree. The vote counters and observers form social bonds that make politics go more smoothly. Having machines do this bit of work is a lost opportunity. Make election day a holiday and things will be even better. Smaller precincts are also a plus. Many hands make light work. E lauhoe mai na wa`a; i ke kâ, i ka hoe; i ka hoe, i ke kâ; pae aku i ka `âina.
--
Solar power with no installation cost: http://mdsolar.blogspot.com/2007/01/slashdot-user s -selling-solar.html [blogspot.com]

Re:

[pipingguy]

Yup. People from opposing "parties" get to know each other personally as they make sure of the honesty of the process. People can disagree on political issues but there's nothing better than bridging that divide. After all, most people have similar goals in life.

With a machine that calculates election results no one can really claim to be part of the verification process.

Re:

[Brett Buck]

Well, obviously, it was a very serious problem in Florida in 2000. Ultimately it was proven, even by partisan hacks, that Bush would have won, but it would have taken 6 months. So paper vote counting certainly is a "problem".

      That doesn't mean that electronic voting is the solution, of course.

        Brett

Re:

[MtViewGuy]

In Sacramento County, California in the USA during the last major election, they went to mark-sense paper ballots where you fill out your selection in PEN. The markings on the ballot are large enough to be read by both electronic optical readers and hand counts in case a close election requires one. Mind you, the big downside was that the paper ballot ended up being a HUGE sheet of paper where you had to fill out both sides, though.

Eeeeeeek

[GTarrant]

Imagine if Diebold, one of the major manufacturers of bank ATMs, hard-coded the passwords to every ATM as "12345678", or insisted to every bank that they couldn't get an ATM that gave people paper verification of their transactions, or that they couldn't guarantee to the bank that the internal records ATMs were reliable, and couldn't give any assurance that they were at all secure.

They'd never sell a single one. No bank would accept an ATM that couldn't accurately track the thousand or so transactions that they see each day, or that anyone could gain control of by typing in a few keys followed by "12345678".

And yet somehow (through much campaign cash, etc.) they managed to convince politicians that all that stuff would be too hard and unnecessary in voting machines, despite the technology already being available from the same company. That it's not hard to count accurately millions, even billions, of dollars in transactions each day, but that it's too hard to simply increase by one the count in the proper register to greater than a few percent accuracy. And despite numerous security incidents, they are still fighting tooth and nail these simple things.

I'm not convinced electronic voting is necessary...but I'm wary of any politician that keeps trying to tell me there's no need to increase the security of such systems. Unless they say they're OK with their own banks using that kind of security, voting shouldn't use it either.

Re:

[xiard]

That's a good point. Admittedly, though, the issues are somewhat different. If you could issue a magentic unique card to each voter, with a PIN that the voter picked, and have every voting machine hooked up to a network enabling real-time guaranteed transaction against a centralized voting database, then I'm sure you could get the same kind of accuracy as ATMs.

There's also the substantial issue of the requirement to handle processing all voters on the same day within a certain number of hours. That requi

Re:Eeeeeeek

[lexarius]

Idea: install the voting machines permanently, all over the place. Let people vote whenever they feel like, within about a month of the normal voting date, and see real-time results. The rest of the time, the voting machines can serve as terminals through which people can walk up and inform their local, state, or federal representatives of their opinions on various issues that will be discussed/voted on soon. Maybe even let the people actually vote on things.

Of course, DieBold shouldn't be allowed to touch this kind of thing, and someone will find a way to abuse it, but probably not any worse than we've got right now. I hope.

Re:

[teaserX]

Why not just add the option of voting to the transaction list on existing ATM's?
I can't be the first guy to think of this, can I?

Re:

[iluvcapra]

Let people vote whenever they feel like, within about a month of the normal voting date, and see real-time results.

Ebay effect would take over -- people would watch how the early people were voting and then mob the machines in the last hour.

Also, the effect of having a polling place in a public area under constant supervision has its benefits, as it can (can) positively prevent electioneering and vote tampering, as the entire process is mediated by responsible individual persons. If the process is compu

Secure Cellophane Bank Vaults

[Anonymous Coward]

It's a step in the right direction, but really, is an audit even needed?

This is like building a nylon tent to hold your valuables, then performing an audit to evaluate the strength of its zipper. The entire concept is idiotic from the start.

There's a simple solution to voting machine security: use paper ballots. The machines can help you fill them out, but the result should always be a paper ballot which is the authoritative record of your vote. Simple, easy, secure. Why isn't this being done? Who knows, but it's clear the concerns of the people in charge are something other than correct vote counts.

Re:

[zippthorne]

It seems simple, but they mess that up, too. Some counties, for instance, decided to require the ballots to have holes punched in them, and since you can't expect a person to be strong enough to punch a hole in thin card-stock, the sheets were pre-weakened. This was still not sufficient as evidenced by the 2000 presidential election.

Though to be fair, in the two counties I've ever lived in in two different states, they've both used paper ballots marked with indelible marker for the elections I've voted in

Re:

[Loconut1389]

machine prints two copies with blacked boxes (for optical scanning), a 2D barcode that is a dump of the votes, and another that is a one way hash- voter verifies both pages (blackened boxes) and gets/keeps a print of the hash, puts full ballot each in separate boxes. recount various districts by randomly either 2d, optical, hand, etc- machine fraud and errors should be easy to catch. users should be able to take their hash to any machine, re/'vote' and have it validate the hash- even after the election.

fortify?

[larry bagina]

We also used the Fortify static analysis tool to identify potential problem areas that warranted further manual investigation.

If I'm not mistaken, Fortify analysis showed more problems in the Linux kernel than in the Windows NT kernel, but most of the linux problems were later shown to be shortcomings with the automated analysis, not a design/programing flaw in Linux.

Diebold may have problems, but the use of Fortify (or similar) doesn't convince me.

Re:

[vidarh]

Didn't you even bother to read the sentence you quoted yourself. Fortify was used to find areas to investigate manually. These tools do have many shortcomings, but they do also find many legitimate problems. Using them to find starting points for manual investigations you might otherwise overlook is exactly the right way to use them. Believing them to produce a laundry list of actual problems is, as you pointed out, not.

Some code howlers from TFA

[noidentity]

From AV-TSX bootloader code:

void GlibPutPixel(UINT xx, UINT yy, Pixel_t Color)
{
// Check for library not initialized or (x,y) out of range
        if(FrameBuffer != FALSE || (xx < USER_X) || (yy < USER_Y))
        {
// Compute the frame buffer offset and write the pixel
                FrameBuffer[FB_OFFSET(xx,yy)] = Color;
        }
}

TCHAR name;
_stprintf(&name, _T("\\Storage Card\\%s"), findData.cFileName);
Install(&name, hInstance);

First uses logical OR instead of logical AND to check boundaries, second writes a string where there is only storage for one character!

Re:

[DaleGlass]

To add to that, if ( FrameBuffer != FALSE ) probably intends to check whether it's a NULL pointer, but NULL isn't guaranteed to be (void*)0. Probably harmless if it happens to work right on that particular architecture, but should they switch to something else it'd be trouble.

Re:

[Jimmy_B]

To add to that, if ( FrameBuffer != FALSE ) probably intends to check whether it's a NULL pointer, but NULL isn't guaranteed to be (void*)0. Probably harmless if it happens to work right on that particular architecture, but should they switch to something else it'd be trouble.

I have heard this claim before, but I have never seen any evidence that it's true. Every major compiler and every compiler I've used has had NULL=0, and using if(ptr) to mean if(ptr!=NULL) is a very common C and C++ idiom. Any platfor

"Plausible Deniability", Anyone?

[NickFortune]

One wonders what it will take to convince voting machine manufacturers not to do things like hard coding passwords as '12345678.'"

I can almost imagine that being a deliberate ploy. "

I'm sorry your honour, but one of our programmers (no longer under our employ) hard coded a weak password in complete disregard of coding standards. Regretably, the weakness of the password has enabled certain parties to guess what it is, and thereby subvert the electoral process. But it's not our fault."

Hanlon's Razor be dammned. In cases like this we should start assuming malice unless they can prove stupidity beyond any reasonable doubt.

Re:

[NickFortune]

maybe you should explain a little so we can all understand what you're on about

1, 2, 3, 4, 5...

[demon]

That's the same code that's on my luggage!

California decertified all machines last night

[Anonymous Coward]

Last night California decertified all of the electronic voting machines on the market. I thought that would be a bigger story today, but haven't seen it anywhere except for blackboxvoting.org

Re:

[Volante3192]

Oh, it would've...if Britney Spears was found voting without panties.

Or if Paris Hilton crashed into a voting machine while DUI.

Or if...yea...

Re:

[SSpade]

That's misleading. They decertified them, then recertified them with some additional security requirements.

See here: Elections chief gives OK to vote machines [sfgate.com]

Look how others do it?

[rolfwind]

One wonders what it will take to convince voting machine manufacturers not to do things like hard coding passwords as '12345678.'"

What it would take is for them to be punished in the marketplace, as in not buying the damned things.

I think we ought to go to other countries with a reputation of a good voting process and see how they do it, and with which, if any, machines they use. Because we obviously forgot how, and in some parts of the country they never had a fair voting process. No need to roll our own

Their conclusions are

[slashdotmsiriv]

Taken from the experts' review:

"Our study of the Diebold source code found that the system does not meet the requirements for a security-critical system. It is built upon an inherently fragile design and suffers from implementation flaws that can expose the entire voting system to attacks. These vulnerabilities, if exploited, could jeopardize voter privacy and the integrity of elections. An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting mach

Re:

[MsGeek]

Executive summary: throw the trash out, and sue the bastards for malfeasance.

My favourite issue

[The Hobo]

From page 51:

Issue 5.2.24: AV-TSX startup code contains blatant errors.

287 TCHAR name;
288 _stprintf(&name, _T(''\\Storage Card\\%s''), findData.cFileName);
289 Install(&name, hInstance);

Here, name is not a character array but a single character in memory. The stprintf function
expects its first parameter to be a character array, so the programmer had to use the&operator
to get the address of name, rather than its value. The result is an obvious buffer overflow. A
string that includes the filename, which could be under an attacker's control, gets copied over
whatever data resides in the memory region following name.
That this code works at all seems purely accidental. Memory corruption occurs even when
legitimate .ins files are used. An attacker who included a file with a long name or a name
containing particular characters might be able to crash the program or, possibly, execute
malicious code.
This bug sheds light on the vendor's software engineering practices, because it is a very
unusual error for an experienced C++ programmer to make. Characters and character arrays
are very different constructs in C++. Students using the language for the first time might
confuse the two, but experienced programmers who understand basic concepts like pointers
would be unlikely to confuse them. The probability that an experienced C++ programmer
would make such a mistake or overlook it during even a cursory review of the code is
exceptionally low. This suggests to us that after this code was written it was not reviewed
by any other engineers at Diebold.

That's gold Jerry! Gold!

Limitations on upgrading an important issue

[radarsat1]

From TFA:

In addition, securing Windows requires keeping the system fully up-to-date on all security patches. Unfortunately, the special circumstances associated with voting
systems make it difficult to keep the Windows operating system patched and up-to-date. The
Diebold system is tested and certified with a specific version of Windows; changing or upgrading
that version might invalidate the certification and may not be permissible.

I find this one of the most interesting issues, because I don't see an easy ans

Link to the official 'Top-to-Bottom' Review site

[SpzToid]

Top to bottom review docs:
http://www.sos.ca.gov/elections/elections_vsr.htm [ca.gov]

Also the public hearing where a university computer science professor describes the results of the red team testing. The audio starts very poor but improves after 25 minutes, but I've ONLY been able to watch it *streaming* (which is a drag). The hearing is 6 hours long and if anyone can provide a download link, I'd be grateful.
http://www.calchannel.com/search.php?date=073007&s ource=All&type=All&title=&Search=Submit [calchannel.com]

At

conundrum

[Khashishi]

It seems to me that ballot secrecy is a contrary goal to the goal of fraud resistance. How is it possible to guarantee anonymous ballots and yet be sure that each ballot was generated by a real person?

hand count?

[Khashishi]

I don't get how so many people have some rosy picture of hand-counting votes, as if hand counting were somehow impervious to counting errors and impossible to manipulate. Humans make mistakes. They make them a hell of a lot more often than computers.

Re:

[dbIII]

They make them a hell of a lot more often than computers.

The problem here is precisely that the computer is capable of making of making mistakes far more quickly and effectively than people if directed to do so.

What else could go wrong for Diebold?

[General Wesc]

Diebold must be wondering what else can go wrong.

Here's something that might go wrong for Diebold: The media could stop completely ignoring the reports and inform the millions of people with their heads still in the sand.

But I'm not holding my breath.

right

[smash]

Counting votes is a non-problem for a half competent programmer/engineer.

IMHO, the problems in this software are either due to totally incompetent engineering AND inadequate code review (and how the fuck did BOTH of those happen, if thats the case?), or they were intentionally put in place for some particular motive.

My guess is the latter - but what could the motive be?

• Deliberately broken software to suggest that electronic voting is inherently unreliable
• Intentionally exploitable software to enable s

Re:

[rednip]

Sorry, but to prove your loyalty, you need to go past simple 'water carrying' statements and pledge your support for the Republican party [thekansan.com], you can find the text here [blogspot.com].

Re:

[zCyl]

If a ballot-reader counts the votes, fine. We can have fast results without giving up accountability.

Look it up. Ballot readers are compromised as easily as the original machines.

An ideal arrangement is to have a printed ballot as the official ballot, and a supervised hand-counted count which is the OFFICIAL count. Then, the original voting machines can also perform an electronic tally themselves, and this electronic tally can serve as a check for the hand count. If the two differ significantly, somethin

Re:

[DragonWriter]

Look it up. Ballot readers are compromised as easily as the original machines.

Yes, but you have the ballots. All-electronic systems with no separate ballots don't allow random-precinct hand-count confirmation, or even full-election hand recounts if there is cause.

Systems that generate a ballot, which the voter than confirms and turns in and is then counted by a separate machine do allow that, so even if the ballot reader is just as easily compromised as a voting machine in an all-electronic system would be,

Re:

[vtcodger]

***Why, yet again, is the responsibility for something this important (like the rebuilding of Iraq for example) being entrusted to a private company? Corporations by their very nature don't give a damn about anything that doesn't affect their ability to make money.***

Now, now. If you check Thomas Ricks, "Fiasco", or Seymour Hersh's "Chain of Command", you'll find that most of the cataclysmic mistakes in the reconstruction of Iraq were not made by the military or by private companies. They were made by u

Re:

[dbIII]

Perhaps we should be seeking out civil servants with a few decade's experience in managing elections

That is what other countries do and what the USA does itself when helping to supervise elections in other countries.

Re:

[vtcodger]

***That is what other countries do and what the USA does itself when helping to supervise elections in other countries.***

Indeed. And one of the few things the Bush administration has attempted that was non-trivial and wasn't hoplessly botched was the supervision of reasonably free and fair elections in Iraq and Afghanistan. I don't think the used voting machines in either country.

There's a thought. How about we round up all the voting machines in the US, and ship them off to someone we don't like --