Diebold Voting Systems Grossly Insecure
Several well-known security researchers have examined the code for Diebold's voting machines (which we last mentioned two weeks ago) and produced an extensive report (pdf). The NYT has a story on the report, which cuts to the bone: 'Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We highlight several issues including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal.'
Time to start a viable open-source voting-machine project. These guys started something promising, but it looks like development has ceased. Anybody know of a decent, active open-source electronic voting system?
-j
Considering the fiasco that was the Presidential election, can anyone say that they are surprised? This company will make a lot of money serving the special interests of some political party. By making it insecure they ensure that politicians will again be able to steal the vote from the people, with all the real evidence of this being reported in the British press. Your votes mean nothing even more so now.
Hell, with a couple of the unqualified ones, they might have a better system....
Although, truth be said, I'd love to see a system where they allow unlimited voting, but only a microscopic percentage of the voting public knows about it. You know, the wrong people. The kind who would "write-in" Johnny Depp as governor....
Kierthos
Mr. Hu is not a ninja.
that I ran across a few weeks ago: http://www.cronus.com/electionfraud
It IS interesting to note how many dollars have flowed between Diebold and the Republican party...
For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal
The vending machines here around campus (using a Diebold system) were used by almost 600 students to get "free" food... In an audit they detected it... Full text here
How can such grossly negligent design be produced by someone who wanted such a system to succeed? I do not know why someone would not want this type of system; I only proposed the possibility.
The cancel button is your friend. Do not hesitate to use it.
Finally, the hackers can get someone they like into office. It might even mean the end of the two party system, when mysteriously 300 million (out of 210m) vote for a third party ;o)
Beep beep.
In FidoNet elections you sent in your vote with a one-time password.
The election results were sent to all voters with a list of all the passwords who voted for each candidate. You checked to make sure yours was in the right category.
This is still hackable, though, simply by custom generating for each voter a message with their vote in the correct category, but enough other passwords in the cheating candidate to make sure they win.
What's the way to handle this properly in a world of PKI and the web?
It's Christmas everyday with BitTorrent.
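The scheme and the attack described in the post above, as an added example in Go (this is not code from the poster or from FidoNet; the token format, the candidate names and the "compare your list with a neighbour's" defence at the end are assumptions for illustration). Each voter's check only looks for their own token under their own candidate, so a tallier who mails every voter a personalised list passes every individual check while electing the wrong candidate; the forgery only shows up when two voters compare the token sets they received.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
)

// Tally is the published result: candidate -> one-time passwords (tokens)
// listed as having voted for that candidate.
type Tally map[string][]string

// newToken mints a random one-time password like the one each voter would
// have been sent before the election (assumed format: 8 random bytes, hex).
func newToken() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// HonestTally is what the scheme intends: one list, every voter's token
// under the candidate that voter actually chose.
func HonestTally(votes map[string]string) Tally {
	t := Tally{}
	for token, cand := range votes {
		t[cand] = append(t[cand], token)
	}
	return t
}

// VoterCheck is the only check the scheme gives a voter: is my token
// listed under the candidate I voted for?
func VoterCheck(t Tally, token, cand string) bool {
	for _, tok := range t[cand] {
		if tok == token {
			return true
		}
	}
	return false
}

// RiggedTallyFor is the attack the post describes. The dishonest tallier
// sends each voter a personalised result: the recipient's own token sits
// under the right candidate, and the other nVoters-1 slots are filled
// with fabricated tokens under the cheating candidate.
func RiggedTallyFor(recipientToken, recipientCand, cheat string, nVoters int) Tally {
	t := Tally{recipientCand: {recipientToken}}
	for i := 0; i < nVoters-1; i++ {
		t[cheat] = append(t[cheat], newToken())
	}
	return t
}

// Winner is the candidate with the most tokens (ties broken by name).
func Winner(t Tally) string {
	best := ""
	for c := range t {
		if best == "" || len(t[c]) > len(t[best]) || (len(t[c]) == len(t[best]) && c < best) {
			best = c
		}
	}
	return best
}

// SameTokenSet is the defence the scheme needs: two voters compare the
// lists they received. A single honest publication gives everyone the same
// token set; personalised forgeries do not.
func SameTokenSet(a, b Tally) bool {
	x, y := allTokens(a), allTokens(b)
	if len(x) != len(y) {
		return false
	}
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

func allTokens(t Tally) []string {
	var out []string
	for _, toks := range t {
		out = append(out, toks...)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample election: three voters, B should win 2-1.
	votes := map[string]string{"tok-alice": "B", "tok-bob": "B", "tok-carol": "A"}
	honest := HonestTally(votes)
	rigged := RiggedTallyFor("tok-alice", "B", "A", len(votes))
	fmt.Println("honest winner:", Winner(honest), " rigged winner:", Winner(rigged))
	fmt.Println("alice's own check passes on the rigged list:", VoterCheck(rigged, "tok-alice", "B"))
	fmt.Println("alice's and bob's lists agree:", SameTokenSet(rigged, RiggedTallyFor("tok-bob", "B", "A", len(votes))))
}
```

The cross-check only works if voters actually talk to each other, or if the list is published in one place everyone reads rather than mailed individually; that is the gap the post is pointing at, and a signed, single published tally is the PKI-era answer to it.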
Almost exactly 20 years ago Chase Manhattan Bank tasked my buddy Charles (?) and me to hack their Diebold branch alarm system.
To our surprise it used a simple lookup table. The mainframe would poll a branch asking about a specific alarm. The server located at the branch would respond with a code for "OK".
THE SAME CODE EVERY TIME!
We cut the telco lines and alligator-clipped our TRS-100 (way cool early laptop) and using a BASIC program did a look-up (which my partner wrote a coolie algorithm for), responded "Everything's OK Here!", and went to lunch.
After screwing off for several hours we told our managers that we had spoofed their branch alarm system.
They traveled to Diebold, who swore up and down how great their encryption was. The Chase guys slid our report across the table and watched the Engineers turn white as ghosts as they read it.
HAHAHAHAHA What a bunch of dumbasses!
The Moral of the Story: Don't trust your security vendors.
Cheers! (:-{)}
Bill
bamph
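The static lookup-table reply in the story above, next to the keyed challenge-response that would have stopped the replay, as an added example in Go (not the poster's BASIC program and not Diebold's protocol; the query names, the "4F4B" code and the per-branch shared key are assumptions). The point is that a reply which does not depend on something fresh from the poller can be recorded once and replayed forever; a reply MACed over a per-poll nonce cannot.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// --- what the post describes: a lookup table with a constant reply ---

// staticTable maps the mainframe's query to the branch's fixed "OK" code
// (constructed values; the real codes are not on the page).
var staticTable = map[string]string{
	"VAULT_DOOR": "4F4B", // the same bytes every poll, forever
	"TELLER_1":   "4F4B",
}

// StaticBranchReply is the genuine branch server answering a poll.
func StaticBranchReply(query string) string { return staticTable[query] }

// StaticSpoof is the laptop on the cut line: it recorded one round of
// exchanges and replays them. Nothing distinguishes it from the branch.
func StaticSpoof(recorded map[string]string, query string) string { return recorded[query] }

// --- added alternative: keyed challenge-response ---
// A per-branch secret key is assumed to be provisioned out of band.
// Each poll carries a fresh nonce; the reply is MACed over nonce, query
// and status, so a recorded reply is useless for any later poll and the
// status cannot be rewritten in transit.

type Mainframe struct{ key []byte }

type Branch struct {
	key     []byte
	sensors map[string]string // live sensor status, e.g. "OK" or "ALARM"
}

// Poll issues a fresh 16-byte random challenge.
func (m Mainframe) Poll() []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// Answer returns the current status and its tag bound to this nonce.
func (b Branch) Answer(nonce []byte, query string) (string, []byte) {
	status := b.sensors[query]
	return status, tag(b.key, nonce, query, status)
}

// Verify recomputes the tag with the shared key; hmac.Equal is constant-time.
func (m Mainframe) Verify(nonce []byte, query, status string, mac []byte) bool {
	return hmac.Equal(mac, tag(m.key, nonce, query, status))
}

func tag(key, nonce []byte, query, status string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(nonce)
	h.Write([]byte{0}) // separators keep query/status boundaries unambiguous
	h.Write([]byte(query))
	h.Write([]byte{0})
	h.Write([]byte(status))
	return h.Sum(nil)
}

func main() {
	recorded := map[string]string{"VAULT_DOOR": StaticBranchReply("VAULT_DOOR")}
	fmt.Println("static: spoof == branch?", StaticSpoof(recorded, "VAULT_DOOR") == StaticBranchReply("VAULT_DOOR"))

	key := []byte("per-branch-secret-provisioned-out-of-band")
	m := Mainframe{key: key}
	b := Branch{key: key, sensors: map[string]string{"VAULT_DOOR": "OK"}}
	n1 := m.Poll()
	status, mac := b.Answer(n1, "VAULT_DOOR")
	fmt.Println("challenge-response: genuine reply verifies?", m.Verify(n1, "VAULT_DOOR", status, mac))
	fmt.Println("challenge-response: replayed reply on next poll verifies?", m.Verify(m.Poll(), "VAULT_DOOR", status, mac))
}
```

Two caveats a practitioner would add: the MAC does nothing about the first step of the story, cutting the line, so the mainframe must treat silence or a failed verification as an alarm rather than as "no news"; and the key has to be per branch, or one compromised site spoofs them all.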
I think all of the electronic voting systems have taken it all too far. What they should be doing is creating a nice glossy touchscreen interface that is clear and easy to read, to allow people to create a PAPER BALLOT that is properly marked. The ideal printout would both be human readable and machine readable for easy counting and recounting. Let physical, rather than technical security processes make sure that people put only one ballot into the box that counts, and voters can have unlimited attempts at trying to get the paper ballot to say what they wanted to say.
I don't understand the rationale behind casting "virtual" votes. How can you go back and audit the votes? How do you ensure reliability and security?
In Canada whenever I have voted, I have put an "X" in the appropriate spot beside the candidate or question I'd like to vote for. Sure the voting card is then fed (by an elections official) through an automated counter, but the powers that be can always go back and recount the votes, either manually or using the automated counters.
Using this system the results are usually known within a couple of hours of the polls' closing time, and there are no hanging or dimpled chads -- or the possibility of the public at large messing with the system (other than spoiling one's own ballot).
What is wrong with this system? I can't really find too much to complain about -- old fashioned voting cards coupled with technology to speed the counting process.
I know it's been mentioned lots of times. But I can't resist:
Brazil's voting system Just Works (TM). Ask Mexico, they used it last elections. Ask Paraguay. Ask here in Brazil. We have more than 100 million voters and still can give results in a matter of hours. And the system is highly secure. Not that I endorse the multitude of problems our political system has, only the voting system (technologically) is very well done.
Flávio Machado
Because, needless to say, even if your election officials publish source code for voting software, it's still a bit tricky to be certain that said voting software is actually what's running on the voting machines.
I'd like to see a really verifiable election process; check out http://www.vreceipt.com/ for an example system, which makes it essentially impossible for anyone to change or not count your vote. (It doesn't seem to prevent votes from being added, but that's a much easier problem to solve in meatspace, just by making sure that the number of ballots a polling place's computer submits matches the number of people an observer saw entering the booths)
This is a good analysis, but I think a few of the criticisms are off base.
First, a number of the supposed weaknesses they present are not actually exploitable; all of the ones relating to the file systems on the voting machines, for example. They offer no proposals for how an attacker could get access to these file systems or alter the files. It's not like he can just stick in a floppy and get it to run his favorite hacking program. As long as these are closed systems running the designer's software, there is no need for file system protection.
Second, many of the smart-card related attacks present far-fetched scenarios for how a hypothetical attacker could discover the weakness. This is a common flaw among such analyses; working with 20-20 hindsight, the researchers attempt to put themselves in the shoes of an attacker who doesn't have access to the source code but who always guesses right about how things work. It is far-fetched at best to propose that someone could cut the cable to the smart card reader in the voting booth, install some kind of monitoring device, inspect the protocol between machine and card, and then go home and use the data to deduce how to manufacture forged cards. Yet that is exactly what the authors suggest.
In truth, the real weakness of the system is the implicit assumption that the source code would be kept secret. Security through obscurity works only as long as the obscurity is maintained. If the code is leaked or stolen, these assumptions are violated and the system becomes insecure.
In this context, then, the real question is whether this is a true and up to date representation of the code that is implemented in the machines. One question I had was if so, why they weren't able to validate any of their assumptions about how poll workers were trained to operate the machines by referring to training manuals or at least verbally contacting some workers. At this point it seems to be entirely hypothetical whether this code is actually being used in any current voting machines, and therefore whether the attacks presented would actually work in the field.
On the other hand, criminals, terrorists, and anyone else who wants to corrupt the voting process can easily break the password and discover how to mess up the voting.
Now that's the DMCA in action, protecting your freedom! Oh yes, the DMCA is going to be just excellent for technology research and innovation.
The author of this paper, Dr. Rubin, taught a class at Johns Hopkins University this past spring called Security and Privacy in Computing. I was lucky enough to be in this class. The semester-long project was to design and implement a prototype electronic voting system that solved the problem of "remote poll sites". Basically, the State of Washington had commissioned Dr. Rubin to deliver a system whereby a voter could cast his vote at ANY voting station in the state, and not have to go to his specific poll site. This sounded great: you wouldn't have to lose a day of work so you could vote at the local high school... you could vote at the little kiosk near your office.
Unfortunately the idea doesn't work. The reason is that you would need every kiosk (or polling station) to be connected to some sort of network in realtime in order to retrieve ballots, cast votes, and update voter status. The problem with this is that you have now created a network that is vulnerable to DoS attacks. It wouldn't matter how you structured your network for performance... the minute someone snips a wire at any given kiosk, you have two choices:
1) make that kiosk unavailable for voting
2) still accept votes at that kiosk, but cast them provisionally.
#1 is dangerous because now I could cut the wires at EVERY kiosk I could find (or packet the network, or whatever) and bring the election to a halt.
#2 is dangerous because the more kiosks I bring down, the more ballots will be cast in which the voterID (which reveals his name, etc) is tied to the ballot. Loss of voter anonymity is unacceptable in American democracy.
So what happens if you just leave all the kiosks offline and give them all a copy of the master voter registration db? Now you've opened yourself up to voter fraud: you could go from kiosk to kiosk, casting multiple ballots as yourself. If you stuck with voter anonymity, and each of those ballots were cast anonymously, how would the final tallying system know that you cast duplicate ballots? How would it know which to throw out?
I'm told Dr. Rubin's grant from the State of Washington was eventually rescinded, I suspect because there's no good way to solve this problem, as well as a few others which I will not go into detail about here.
I have described this problem in the following other Slashdot posts:
http://slashdot.org/comments.pl?sid=61340&cid=576
http://slashdot.org/comments.pl?sid=61875&cid=580
Intercarve Networks, LLC
When I was in the eighth grade, our computer teacher wrote a voting program in BASIC to run on our Apple IIs. One of my classmates exploited a security hole (okay, he pressed CTRL-C) in order to examine the source code. He found that our devious computer teacher had written the program so that a vote for Reagan counted as 1.5 votes, and a vote for, um, Mondale or whoever it was, counted as .5 votes.
So this raises the question -- what's to keep unscrupulous officials from rigging an electronic election? And equally importantly, what technologies and procedures are in place to detect vote fraud after the fact? Analog elections involve a fairly solid system of observers to prevent fraud. It's not perfect, but it usually works. In an electronic election, who will verify the validity of the code in the first place, and after the election, who will check each and every machine to make sure it hasn't been tampered with? I mention each and every machine because only one machine would be necessary to completely skew the numbers in any given precinct.
Proud member of the Weirdo-American community.
Not if Italy is anything to judge by. You just get the Government of the Month club. France isn't much better.
Instead of all or nothing, split the seats with 1/2 of them elected by proportional representation and the other 1/2 by first-past-the-gate. You'll get better minority representation, more opportunity for differing views to be heard (and new parties to form) without paralyzing your government by removing the possibility of a majority when things clearly need to get done.
Another bunch of guys who cobbled together a report on Diebold's laughable voting machines is available here, complete with plenty of screen shots.
Schwab
Editor, A1-AAA AmeriCaptions
What about secure coprocessors running open-source software?
There are still issues involved there, particularly with the loading of the coprocessors. (Distribution of the coprocessors shouldn't be an issue because they can prove their identity if the loading is done correctly.) But I would argue that if one threw enough money and effort at that single step, it could be made open and secure as well.
The other issue is the terminal between the coprocessor and the user. It seems to me that as long as the (correctly implemented) smartcard the voter uses authenticates itself to the coprocessor, and the coprocessor authenticates itself to the smartcard, the worst a hostile terminal can do is deny service... so long as the smartcard itself accepts the input from the voter and not the terminal.
Voting systems are a huge bag of worms, but I'm confident that they can be done right... maybe not in the foreseeable future, but someday.
-Lux
I've had the "privilege" of snarfing down the CVS archive that this analysis is from.
After running doxygen -- a kickass source analysis tool, by the way, if you have it document everything -- I poked around for a while.
1. The ballot station is a WinCE touchscreen doohickey with a smartcard reader and some type of secured (physically, anyway) storage.
2. The station is turned on and reads config information from the storage (who/what's on the ballot, etc).
3. The election is started by an administrator
4. Voter walks up, voter puts in smartcard, voter votes.
5. Vote is recorded on the media. An "audit trail" is, too, but it's just another file on the same disk with the same information.
6. Voter's smartcard is marked as "used" and ejected
7. Administrator or election worker walk up, put in smartcard, enter PIN, and can end the election / restart the election (deleting all previous votes!) / do a few other things.
Problems with this:
* Smartcards are easy to forge -- especially with the source in the wild, since it includes the authentication passwords for the cards in plaintext!
* The storage is wide open to tampering by folks who can get at it -- there's no reason a simple bait-and-switch (using voting media with modified timestamps) wouldn't be perfectly undetectable.
* Etc -- Download the sources and find your own holes! Then, drive a truck through them! Bonus if you can find a buffer underflow triggered by a smartcard alone....
Malice: Not necessarily
Incompetence: Hell yes. This code was plainly written by underqualified MFC monkeys with no security background whatsoever.
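The "audit trail is just another file on the same disk" point from the walkthrough above, as an added example in Go (not code from the CVS archive the poster describes, and not Diebold's format; the record layout, the key location and the printed head tag are assumptions). A second copy of the data on the same removable media is satisfied by any media written consistently, so the bait-and-switch the post describes passes the check. A keyed hash chain whose key and final tag live off the media does not, because swapped, edited, dropped or reordered records cannot reproduce the recorded head.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one stored ballot: its sequence number and the choice made
// (assumed layout; the real file format is not on the page).
type Record struct {
	Seq    int
	Choice string
}

// --- what the post describes ---
// Results file and "audit trail" are two copies of the same data on the
// same media. Someone who can write the media rewrites both, and comparing
// them afterwards proves nothing.
func PlainAuditMatches(results, audit []Record) bool {
	if len(results) != len(audit) {
		return false
	}
	for i := range results {
		if results[i] != audit[i] {
			return false
		}
	}
	return true
}

// --- added alternative: a keyed hash chain anchored off the media ---
// Each tag covers the previous tag and the record, so altering, dropping,
// reordering or inserting a record changes every later tag. Two things are
// assumed to live outside the removable media: the key (e.g. in the
// terminal's sealed storage) and the final head tag, which the terminal
// would print on the precinct results tape when the election is closed.
type Chain struct {
	key  []byte
	tags [][]byte
}

func NewChain(key []byte) *Chain {
	// All-zero tag as the genesis value.
	return &Chain{key: key, tags: [][]byte{make([]byte, sha256.Size)}}
}

// Append links one record onto the chain.
func (c *Chain) Append(r Record) {
	h := hmac.New(sha256.New, c.key)
	h.Write(c.tags[len(c.tags)-1])
	fmt.Fprintf(h, "%d|%s", r.Seq, r.Choice)
	c.tags = append(c.tags, h.Sum(nil))
}

// Head is the value copied off the media when the election closes.
func (c *Chain) Head() string { return hex.EncodeToString(c.tags[len(c.tags)-1]) }

// VerifyMedia replays the records found on the media through a fresh chain
// and compares the result with the head recorded off the media.
func VerifyMedia(key []byte, records []Record, printedHead string) bool {
	c := NewChain(key)
	for _, r := range records {
		c.Append(r)
	}
	return hmac.Equal([]byte(c.Head()), []byte(printedHead))
}

func main() {
	// Constructed sample: three honest ballots, then media rewritten to all-B.
	honest := []Record{{1, "A"}, {2, "B"}, {3, "A"}}
	swapped := []Record{{1, "B"}, {2, "B"}, {3, "B"}}
	fmt.Println("plain two-file check on rewritten media:", PlainAuditMatches(swapped, swapped))

	key := []byte("key-held-in-sealed-terminal-storage")
	c := NewChain(key)
	for _, r := range honest {
		c.Append(r)
	}
	head := c.Head()
	fmt.Println("chain check, genuine media:", VerifyMedia(key, honest, head))
	fmt.Println("chain check, swapped media:", VerifyMedia(key, swapped, head))
}
```

The chain does not stop an administrator card from legitimately restarting the election and wiping the store (step 7 in the walkthrough); what it gives you is that the printed head from before the wipe no longer matches, so the wipe is visible to anyone reconciling the tape against the media.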
In the end, I agree with you that mandatory voting is dumb - but it is one of our smallest problems
I don't think I would mind mandatory voting, if, and only if, we had a "no confidence" vote on the ballot. Such that, if you didn't like any of the choices presented to you, you could vote to have a whole new slate of candidates put up (e.g. if the "no confidence" choice won, all of the parties have to put up new people and we try again). God knows I would have voted that way back in 2000.
Necessity is the mother of invention.
Laziness is the father.
I remember interviewing for a QA position at Diebold last year - what I remember then was that the single SW Tester they had was very overworked and not able to keep up on the basic QA tasks. I don't blame the tester for this - she really wasn't being supported by management. So it comes as no surprise to me that they have let serious security issues slide for as long as they have.
I'm a strong believer in the free dissemination and *use* of information, and what is discussed below is public domain. (Don't patent it!)
What is clear is that the votes must be signed to prevent tampering by the authority counting the votes. One way to do this is to sign the ballot to prevent tampering. There are two obvious problems if there is one private key doing the signing: 1) the central counting authority (Sec. of State) could forge the votes by taking the private key and signing bogus ballots. 2) A voter can vote twice.
What I propose is that each political party create 300 million private keys each (in USA) and distribute their *public* keys before the election. On election day, the voter (with help) would take a smart card and go to one political party to get one private key and then to another political party to get another private key (assuming at least two keys and two political parties). They would go to the voting booth and cast their votes and the votes would be signed by the two private keys. The private keys would be thrown away and never used again. The signed ballot would be put in the smart card and then the smart card would be put into a server that stores the votes for that location (and later, sent to the Sec of State). The card is read, and then erased so that it can be used by another voter. The Secretary of State would count the votes, and check the encryption signatures with the public list of public keys distributed by the 2 (or more) parties. The list of public keys and signed ballots can be made public so that journalists, political parties, and the general public can download the public keys and signed ballots to verify the votes.
The key part of all this is there is no one person who has all the private keys necessary to vote (except the voter). The two parties would hold the private keys very closely and it would be impossible (i.e. very difficult) to forge a vote -- much less forge many votes.
The other benefit is there is no one authority that counts the votes. Anyone can count the votes.
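The two-party signing scheme proposed above, as an added example in Go using Ed25519 (this is not the poster's design in code form beyond what the post states; the key type, the "one key per voter, signatures in party order" convention and the party names are assumptions). It shows the three properties the post claims: anyone holding the published public-key lists can count, a counting authority that mints its own keys cannot produce a ballot that counts, and a voter who reuses issued keys is caught as a double vote because each public key may appear in at most one counted ballot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Party mints one-time signing keys before the election and publishes only
// the public halves. Each private key is issued to exactly one voter.
type Party struct {
	Name    string
	Public  map[string]bool      // the published list, keyed by hex public key
	private []ed25519.PrivateKey // unissued private keys
}

func NewParty(name string, n int) *Party {
	p := &Party{Name: name, Public: map[string]bool{}}
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		p.Public[hex.EncodeToString(pub)] = true
		p.private = append(p.private, priv)
	}
	return p
}

// Issue hands the next unissued private key to a voter at the party's desk.
func (p *Party) Issue() ed25519.PrivateKey {
	k := p.private[0]
	p.private = p.private[1:]
	return k
}

// Signature is one party's signature over the ballot plus the public key
// the verifier looks up in that party's published list.
type Signature struct {
	Pub ed25519.PublicKey
	Sig []byte
}

// Ballot is what the smart card carries to the precinct server.
// Sigs are in party order: keys[0] from parties[0], and so on (assumed).
type Ballot struct {
	Choice string
	Sigs   []Signature
}

// CastBallot signs the choice with every key the voter collected.
func CastBallot(choice string, keys ...ed25519.PrivateKey) Ballot {
	b := Ballot{Choice: choice}
	for _, k := range keys {
		b.Sigs = append(b.Sigs, Signature{
			Pub: k.Public().(ed25519.PublicKey),
			Sig: ed25519.Sign(k, []byte(choice)),
		})
	}
	return b
}

// ForgedBallot is all a counting authority without party keys can do:
// sign with keys it minted itself, which are on no published list.
func ForgedBallot(choice string) Ballot {
	_, k1, _ := ed25519.GenerateKey(rand.Reader)
	_, k2, _ := ed25519.GenerateKey(rand.Reader)
	return CastBallot(choice, k1, k2)
}

// Count is what anyone with the published lists can run. A ballot counts
// only if every party's signature verifies under a key from that party's
// list that no earlier counted ballot used; otherwise its index is rejected.
func Count(parties []*Party, ballots []Ballot) (map[string]int, []int) {
	counts, used := map[string]int{}, map[string]bool{}
	var rejected []int
	for i, b := range ballots {
		if !valid(parties, b, used) {
			rejected = append(rejected, i)
			continue
		}
		for _, s := range b.Sigs {
			used[hex.EncodeToString(s.Pub)] = true
		}
		counts[b.Choice]++
	}
	return counts, rejected
}

func valid(parties []*Party, b Ballot, used map[string]bool) bool {
	if len(b.Sigs) != len(parties) {
		return false
	}
	for j, s := range b.Sigs {
		k := hex.EncodeToString(s.Pub)
		if !parties[j].Public[k] || used[k] || !ed25519.Verify(s.Pub, []byte(b.Choice), s.Sig) {
			return false
		}
	}
	return true
}

func main() {
	p1, p2 := NewParty("Party1", 3), NewParty("Party2", 3)
	k1, k2 := p1.Issue(), p2.Issue()
	ballots := []Ballot{CastBallot("A", k1, k2), CastBallot("B", p1.Issue(), p2.Issue()), CastBallot("A", k1, k2), ForgedBallot("A")}
	counts, rejected := Count([]*Party{p1, p2}, ballots)
	fmt.Println("counts:", counts, "rejected ballot indexes (double vote, forgery):", rejected)
}
```

What the code does not give you is secrecy of the ballot against the parties themselves: each party knows which key it handed to which voter, so publishing signed ballots lets either party link a choice to a person unless issuance is made unlinkable, which the post's proposal does not address.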
A couple of my friends are betting on Shrub hitting the 'Emergency' button and instigating a total lock-down of the U.S., suspension of all rights and the firing up of the 800 or so empty but staffed and waiting American concentration camps sitting idle around the nation. "Night of Long Knives" and all. .
While this IS planned, no doubt, I tend to feel (make that fervently hope) that we're not quite there yet.
Here's a quote from a recent interview with Eustace Mullins. .
--Keeping in mind that 'Jewish Money' would more aptly be called 'Zionist Money'. Zionism doesn't have the best interests of the Jews at heart by a long shot!
Moderators. . . Please at least glance at the link info before you label this message 'Troll' (it's not. I don't have a deficient ego.) If you can't deal with this stuff, please get your fear levels under control rather than irresponsibly use your mod points. This stuff is here and it affects everybody. Cringing denial won't make it go away. Best to learn what is out there so that it can't hurt you.
-FL