Slashdot Mirror


Diebold Voting Systems Grossly Insecure

Several well-known security researchers have examined the code for Diebold's voting machines (which we last mentioned two weeks ago) and produced an extensive report (pdf). The NYT has a story on the report, which cuts to the bone: 'Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We highlight several issues including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal.'

4 of 534 comments

  1. Flaws still unfixed after ***5 Years*** by kryzx · Score: 5, Insightful

    Here's the bit from the article that I find most interesting. To have security flaws is one thing. To not fix them even after you know about them is another.

    'But Douglas W. Jones, an associate professor of computer science at the University of Iowa, said he was shocked to discover flaws cited in Mr. Rubin's paper that he had mentioned to the system's developers about five years ago as a state elections official.

    '"To find that such flaws have not been corrected in half a decade is awful," Professor Jones said.'

    --
    "I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
  2. You didn't read it here first by ansak · Score: 5, Insightful

    Anyone who's even briefly perused comp.risks, even before the post-US-Election-2000 debacle, wouldn't be the least bit surprised by these conclusions.

    Scottie's Law strikes again (from Star Trek III): "The more they back up the plumbing, the easier it is to stop up the drains." The simpler the voting system is (the less mechanical, electronic, electro-mechanical etc. etc.), the less open it is to fraud (both officially and unofficially perpetrated) or error (both innocent and culpable).

    One more reason I'm glad to live in Canada...

    --
    Still hoping for Gentle Treatment...
  3. There is no way to do it securely. by Convergence · Score: 5, Insightful

    This is a computer programmed by invisible software. The only record of a vote is a little counter in the guts of the computer program. There is absolutely no way to make it secure. Any system that records votes directly electronically is wide open.

    The only difference is who can commit vote fraud. Now anyone who walks up to the machine can commit vote fraud. Even if all of these bugs are fixed, large classes of vote fraud remain. The only difference would be that any random person on the street couldn't cheat. However, any custodian would still be able to re-image the drive. Any programmer at Diebold would be able to embed a trapdoor. In short, anyone with exclusive access to open the machine can cause it to cheat. And this 'best case' is only if they fix all of the bugs.

    That's not a lot better. Even the writers of the paper couldn't make a cheat-proof DRE voting program. If an adversary controls the hardware, they control the software. Fundamentally, any non-trivial computer system is not trustworthy; any system whose security depends on a computer should be transformed so that the security no longer depends on the correctness of the computer.

    For instance, the only nominally trustworthy computer voting scheme is to have the computer be nothing other than a super-intelligent pencil. The voter uses the computer, which prints out a paper ballot. The user observes and confirms the paper ballot is correct, then the ballot is dropped into a box. The computer may record results, but as the computer is untrustworthy, those results are untrustworthy. Now, the security and trustworthiness of the computer doesn't matter.

    Every security researcher, including the authors of the paper, advocates this scheme, but they are ignored by election officials. This includes the two professors who authored the paper, Peter Neumann, and Douglas Jones from the NY Times article, Rivest (the R in RSA) and hundreds of others.

    See: http://www.verifiedvoting.org/index.asp

    This is a secure voting system. Brazil has it (and at a tenth the price). Any system without a printer requires 'trusted hardware' in an adversarial environment. Control the hardware, control the election.