Slashdot Mirror
Electronic Voting Machine Cracker Challenge
An anonymous reader writes "In the ongoing debate on the security of electronic voting, an Atlanta area programmer has confronted Georgia election officials on the potential for fraud in its statewide electronic voting system. She claims that she can be prepared to crack the system within a week, and officials have accepted the challenge." What makes this even more interesting is that the election officials are encouraging the woman, so that any possible exploit can be found and remedied.
This is a change from the Kevin Mitnick days when ppl would be incarcerated for even *thinking* about cracking a gov system.
Mad props to Georgia for being cool about this.
And unlike the US there was never a Florida voting scam.
And paper is much more immune to fraud: the election sheets are stored for a certain time, so any questions and be sorted out by a recount without any paper pebbles dropping from the holes. And if a fraudelent government wants to pull off a voting scam they have either to forge election sheets, which would be noted afterwards, or they have to destroy sheets, which would be noted, too.
So why use a high-tech solution which isn't immune to fraud and other problems instead of a low-tech solution which hasn't these problems ?
Owner of a Mensa membership card.
God, this is stupid....
Instead of doing such a media hype just open the source code for the public and let about 10'000 people have a look at it.
Idiots.
Please will at least everyone keep in mind that when she wont succeed in cracking the machine that doesn't prove it's security.
You can't prove a product is secure, only showing that it's insecure...
Alan Perlis once said: "A language that doesn't affect the way you think about programming, is not worth knowing"
He put the odds of corrupting the software undetected at 1 billion to one.
If you make a statement like that you are asking for trouble. It's like walking into a bar and saying 'No one here could win in a fight with me.'
Of course, this is assuming Ms Jekot fails to find weaknesses in the voting system.
Even if she does find exploitable flaws, will she find all of them? Probably not, in my opinion.
Am I being cynical and paranoid? Hell yes.
I'll probably turn out okay for her. Remember: the last time anyone was found to have rigged an election, you made him president.
that the companies that manufacture voting machines are not mandated to publish full specifications including technical drawings and listings of firmware, for anyone to look at, any time, for free. It's like they are trying to say mere mortals are not supposed to know the processes by which their representatives are elected.
And don't give me the hand-wringing "important proprietary secrets" crap. Firstly, all companies would be required to show their "secrets", so nobody would be gaining any unfair advantage. Secondly, what the hell is so secret about adding up a bunch of numbers anyway? And thirdly, what corporate secret is more important than the due processes of democracy?
If these companies are not prepared to let the general public - who are, after all, the rightful owners of "Government" property - scrutinise their products, thenthat alone is a good enough reason why the public should reject their products.
Je fume. Tu fumes. Nous fûmes!
This only PROVES their ignorance. If one person fails in one week, that's far from showing that the system is secure.
Open Sourcing it won't make it secure either, but it would probably be the fastest way to fix a ton of the most obvious holes.
Better yet, if they want good PR, they should hire Mitnick to have a go at it. Lord knows he's probably rusty, but his name alone would end the debate one way or the other.
Perhaps I'm missing the point of this, but doesn't an election system just have to be good enough to last one day without being hacked? How many one week long elections are there? As long as you leave the system secluded before you release it, then only expose it to the public for one day (election day), I think that there wouldn't be any time for people to realize exploits on it, providing it is a unique system that doesn't use components that are publicly accessible. After the election, they can do what they want with the system, but I'm guessing a full year is enough time to come up with a newly created system for the next election. It keeps programmers in work, and keeps their system so unique as to be difficult to hack. What do you all think? Am I missing the point on this?
today is spelling optional day.
Sorry to burst your bubble, but paper voting is rife with fraud, that is one of the major reasons it took so long to rid many of it.
Going to digital introduced a whole new system, whereby the exploiters of the previous lost their investment and are forced to start again.
Voter authentication needs to be taken further with the requirement of a picture ID, as it stands now, many dead vote on paper ballots, and many votes that are for one party or another are either lost or damaged so as to become invalid.
If Florida proved anything, it proved just how dangerous paper ballots were, and even how more dangerous subsequent handling of them was. Seems to me many stories of how the same box of ballots yieleded different results depending on who looked at them!!! How is that not an easier source of fraud? Especially when people start introducting "interpetation of intent" into the mix!
Sorry, digital voting will one day be the only true way to avoid fraudelent voting, however for that to come about we will had to shed some of our mickey mouse vanities. Something must be done to not only protect our vote from a fraud at the machine but to protect our vote from fraudelent voters (ie, the dead, the multi-voters, etc)
* Winners compare their achievements to their goals, losers compare theirs to that of others.
The potential for fraud is only part of the problem with electronic voting. The biggest problem is the lack of a hard paper trial to use in the event of a recount or if the machine crashes. Suppose you have a group of booths in a busy voting district that suddenly decide to blue-screen. Potentially, thousands of votes could be lost. The lack of a paper trial has been brought up many times, but proponents of the system have so far dismissed it as unneccessary. This is just asking for trouble.
Even worse is cases like those in Florida where the state purchased new electronic voting machines with the provision that their warranty would be immediately canceled if the state ran tests to verify their performance. Egads! This has fraud and disaster written all over it.
Our system of democracy is very important our liberties. As voters, we should insist that our voting system be beyond question. That means it should be secure, verifiable, and robust. The best way to accomplish this is through open-source peer review of the code and hard-copy backup of voting results for auditing purposes.
When all else fails, run.
" Asked Williams, the computer security expert: "Are you saying there's no such thing as a secure and accurate computer? Do you fly on airplanes?" "
That would be the most insane statement in the whole article. There is no such thing as a secure and accurate computer. Only one way to completely secure a computer. Turn it off, encase it in a 30ft concrete tomb. Very few will get to it, yet it still isn't totally secure, I'm sure there's a bunker buster out there that'll destroy it.
Accurate? Hardly. A computer will tell you what you program it to. If someone can change it's purpose (or results) you've no longer got accuracy. Note how the comment doesn't question the accuracy of input/output to the computer?
And finally, flying on airplanes. I think history has shown that there is no such thing as a failure-proof aircraft. However, I will still fly on them, because I hope that procedures ensure that it's not Williams flying it with a computer only.
Vip
Sorry, don't believe that. A few locations in memory are easier to change than thousands of paper ballots. Hanging chads notwithstanding...
Depends on your definition of "easy to tamper with". Apparently, it's easier to change a single paper ballot than a single electronic ballot, but once you can change one electronic ballot, you probably can just as easily change them all, which is not true for paper.
So while the expected number of tampered ballots might be similar (I am not saying it is), electronic machines are more risky. The question is whether it's compensated with cost-savings and may be somewhat lower expected number of tamperings.
Future Wiki -- If you don't think about the future, you cannot have one.
The difference is that she didn't try to hack it first. She made a challenge and they accepted. This is how normal society acts. Hackers have made a bad name for themselves by doing things without other people's knowledge or permission---often to show off their "superior skills". Hackers may feel this is no big deal or some sort of "good work", but normal people feel very threatened and violated. Hence people like Mitnick go to jail.
If Mitnick had asked and recieved permission like this woman, there would have been no problems.
Brian Ellenberger
Another poster says "at least this is a change from the Kevin Mitnick days" (or something similar)
That poster is mistaken. We had a recent story on slashdot where someone was threatened with legal action for revealing a bug in some code.
IMHO there should be standards for how and when you are allowed to attempt to break into a piece of software or system to demonstrate its vulnerability. I suppose one way to go is:
It's a rather round-about process since you'll usually have to break in (secretly!) in part one to be sure that it really is vulnerable. But you can't let them know you did that or they'll prosecute you in step two. Suggestions?
Furry cows moo and decompress.
A trustworthy system needs to be based on these criteria:
/. If the government wants us to respect the law, it should set a better example.
No one is saying get rid of touch screens, we are saying PUT PAPER IN THE PRINTER which is already built into Diebold and every other touch screen machine. Print ballot, voter verified, it goes in a ballot box, you've got evidence of the vote. Explain why: 1) A person in a wheelchair, or a muscular or neurological difficulty, who can vote on a touch screen suddenly cannot vote on a touch screen if you have paper in the printer. 2) A person who is blind, and uses the headphones to vote, suddenly cannot vote on a touch screen using headphones if you have paper in the printer. This is a prepared talking point sent out by the voting machine industry. Bev Harris Black Box Voting
If she fails, the vendor, and possibly the election officials, will cite this as "proof" that the system is secure.