Slashdot Mirror
Diebold Voting Systems Grossly Insecure
Several well-known security researchers have examined the code for Diebold's voting machines (which we last mentioned two weeks ago) and produced an extensive report (pdf). The NYT has a story on the report, which cuts to the bone: 'Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We highlight several issues including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal.'
story
I'm much funnier now that I'm a subscriber.
Read the story at the Atlanta Journal Constitiution or the NY Times.
Just from the above quote, this doesn't sound like the kind of security that any bank would tolerate. Is this a case of lawmakers awarding contracts under duress after being wowed by cool "tecknoligee" in order to avoid being the next "Florida 2000," or is Diebold simply a victim of its own success for having potentially higher standards for commerce than voting?
[sarcasm]
It almost seems like the authentication process to make this work would need something as stringent as, say, a National ID card...
Ooh, and we could use a Poll tax to pay for the equipment!
[/sarcasm]
I take it you haven't been unemployed too recently. Fortunately, I'm still employed right now, but I can see the writing on the wall. Our department has been doing some machete-style slashing of the budget, and has been letting A LOT of IT people go (programmers and technicians). And those they let go were great at their job.
A bunch of people at work were saying the SAME THING YOU ARE. They said their skills were current, had qualifications, and were good at their job. Now, it's 3 months later and they're still outta work.
Sure, I know some people (from elsewhere) that got jobs reasonably quick, but that's because they KNEW SOMEONE on the inside, or had some high connections. I'm not being bitter, they've admitted it to me.
Some people with jobs or in school tend to think that everything is fine-and-dandy for people so long as they know their stuff and look hard. But those people are usually the first to start freaking out that they can't find jobs.
It's a cliche, but in today's market it's not what you know, but who you know.
It's a cliche, but in today's market it's not what you know, but who you know.
I can agree with that. The startup I work for is starved for qualified coders -- but half of what we seem to hire these days are people with unremarkable skills who are old friends with our VP of Engineering. He'll personally vouch for the qualifications of each and every one of them, though.
*sigh*.
Very good point.
In fact, Diebold laid off a good number of their QA, code integrity staff and software developers in late-2001/early-2002, when this product was under heavy development.
"Can of worms? The can is open... the worms are everywhere."
Let me tell you a story about Diebold.. I almost went to work for them in their North Canton, OH office in the mid-nineties. They were doing some smartcard work themselves (research) and some interested crypto projects that I thought would keep me busy. At least, that was the story I got during the interviews.
But then I talked to a low-level employee. He was worried because they kept laying off staff, then employing new people. Seems that once a project was "done" (meaning, shipped first version, wrote up your research findings, etc.) they had the nasty habit of laying off the entire team. They would literally hire a team to do a job, then fire them for each project. There was no continuity between versions of software (if there were any), and things tended to languish, while they tried to make a quick buck.
And based on what I was told, this wouldn't be the first time that one of their products was wholly insecure from the get go. Don't get me started on their ATMs piss-poor security features from that time. Things just didn't get fixed until someone got screwed.
PS. I turned down their generous offer of employment.
I just checked out the EFF's website, and they have a page where you can read a letter they've prepared about the security of electronic voting systems and the need for open source in that area, sign a copy electronically, and have it sent to your representative. Personally, I'm going to send paper copies, but I can damn well gauruntee that all my representatives in both the House and Senate will be getting copies.
The page is right here. Let the people who can make changes in this area know that this is important!
Narrative
But the software code (of a brazilian company) is closed source. Just some technicals of the political parties had access to it. In the middle of the counting the most voted candidate had his result changed from millions to a few thousand votes (looks like an integer overflow). You can't trust a closed system.
'"To find that such flaws have not been corrected in half a decade is awful," Professor Jones said.'
I'm not suprised by this at all. Problems, even very big glaring problems, get stuck in software early on due to naive design decisions, but they persist due to management's unwillingness to either admit the problem is there or put forth the resources to start again from scratch. The result is software that doesn't deliver, cost five times more than if they had started over, and everyone involved feels dirty for having been a part of it.
Healthcare article at Kuro5hin
I remember hearing shortly after the Florida fiasco that a truckload of ballots got "lost" overnight en route to a counting station only a few blocks away. Then, later on in the storm that ensued, no one talked about it anymore. Thereafter people (especially Republicans) talked about "hanging chads" as if the voters who cast "spoiled" ballots were stupid and thus not worthy of being counted. But this is just the kind of "spoiling" that can be accomplished long after the ballot is actually cast. I've always wondered what the statistics were on the ballots that didn't complete their quarter-mile journey until the next day...
DEMAND paper ballots! Demand that votes be counted and posted AT THE POLL
2 002/01/07/MN185094.DTL
I wish I could disagree with this. But elections here in San Francisco are so "irregular" that it doesn't even phase us when pieces of ballot boxes start washing ashore.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/
A good place to start researching said privacy concern/ballot tampering is Black Box Voting
Diebold accidentally left the AccuVote source on an open FTP site (whoops), which is available here, and Black Box Voting is asking for programmers to review and evaluate the code.
Vonnegut: "What is the purpose of life? To be the eyes, ears, and conscience of the Creator of the Universe, you fool."