Diebold Audit Released, BlackBoxVoting.Org Shut Down
Chris Soghoian writes "The State of Maryland requested an audit of the Diebold electronic voting system by SAIC, after a report released by Johns Hopkins University and Rice researchers (disclaimer: I'm one of Dr Rubin's students) noted several security issues. A condensed (from 200 to 40 pages) and censored version of the report has been released online (PDF link). The report notes that 'SAIC has identified several high-risk vulnerabilities that, if exploited, could have significant impact upon the AccuVote-TS voting system operation.'" However, Diebold says Maryland is moving forward with installation with "new security features" included, and elsewhere, Badgerman points out "Diebold has shut down blackboxvoting.org, apparently with copyright claims made to their ISP. But you can still go to the blackboxvoting.com site."
I don't see how anyone will accept electronic voting systems as insecure as this. Diebold should be as open about security vulnerabilities as many open source projects are and support full public disclosure along with prompt patching.
SAIC's independent review states, "While many of the statements made by Mr. Rubin were technically correct, it is clear that Mr. Rubin did not have a complete understanding of the State of Maryland's implementation of the AccuVote-TS voting system...The State of Maryland's procedural controls and general voting environment reduce or eliminate many of the vulnerabilities identified in the Rubin report."
SAIC's report continues, "Rubin states repeatedly that he does not know how the [Diebold] system operates in an election and he further identifies the assumptions that he used to reach his conclusions. In those cases where these assumptions concerning operational or management controls were incorrect, the resultant conclusions were, unsurprisingly, also incorrect."
if implemented properly, could revolutionise governance in general - pity it's being so badly implemented thus far. If voting were faster and cheaper it could be involved more regularly in all manner of decision making processes. I simply cannot believe that someone would implement such a critical system on any Microsoft platform, especially when there's plenty of alternatives out there. QNX comes to mind. Mind you it is no surprise to me that a company who chooses to start behind the 8 ball by making such a poor choice in platforms is subsequently found to show a disregard for security in general ('compromised' servers, serious flaws, etc.). I hope they're enjoying 'whack-a-mole' because you can bet that for every site they manage to take down, 10 others will pop up!
The problem really stems from the fact that as soon as you mechanize the process, you have essentially hidden it from direct scrutiny (it's almost encapsulated). There is a layer of technical junk between you and the actual results.
And what is worse is the data is physically very sensitive (easy to destroy or tamper with). The fact that the information is drawn from many sources (all across the country) means a lot of room for any sort of problem.
Unfortunately, any electronic voting system will probably never be open source. I do not think the government will show that kind of trust.
I think these voting machines may end up forcing recalls, albeit electronically, even though the Supreme Court clearly wants to prevent that kind of precedent (for good reason).
Let us not forget that the supreme court had a hand in the bullshit that happened in the link in my sig.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
See, I mentioned in another post I work right next to Diebold, and it's just a tiny-ass little company like mine.
I work in the public safety field, we sell integrated dispatching and records systems to cops. I busted my ass working 80 hour weeks for about six months to complete a rewrite of the records system. It worked exactly like it should, it was completely intuitive and followed police procedures to a T.
Then I go out onsite to a client in California, and dipshit politically appointed top cops fuck the whole thing up. They want to book people before they arrest them. (i.e., data is imported into the arrest module from booking, not the other way like it was designed.) Put people in jail, then arrest them? Wha?
They want to automatically generate bills for false alarms that haven't been registered. And send them where? Huh? You call 911 because your neighbour's alarm went off, that's the only address I have to work with, so you get a bill.
The dispatchers want to clear calls with F1 so that they don't have to "reach off of the keyboard". They have no problem taking their hands off the keyboard to reach into a fucking bag of Cheetos.
Oh and the fucking buzzwords. The bullshit bingo they play. "We want security, does this communicate to the database using RSA?" wtf?
But hey, we gotta eat. Baby gets what baby wants. One day that bungled up gang of keystone cops is going to drop the ball, and blame our systems rather than their own incompetence.
In short, government folks are idiots. I wouldn't be surprised if Diebold's system worked flawlessly before some jackass civil servants got their moronic ideas of how computers should work into it.
Anyhow, as someone who busts his ass off to make the morons in charge of government contractors happy, I can't help but side with Diebold in the end. Ensuring the elections are secure and without fraud is the government's fault, not theirs.
We are f**ked. If a political system is so broken that it can't keep this from getting through then... well...
We are f**ked.
I really am an IT Auditor for a living and this is exactly the kind of work I do (although I mostly work for Utility Companies like water or electricity) and I know how these reports are created. There is HUGE pressure to "build assurance".
What that means is that you find a risk that is not addressed by a suitable control, and try to find a control, something, anything, that you can call a control to cover that risk. That's all fine and good, but what it means is that the risks that actually make it into the report are the really big, bad, completely unaccounted-for ones. Put another way, for every risk that gets in, three didn't that a normal person would have thought should have.
Long and short, I write reports like this for a living and this is way, way, way worse than it looks.
These techies just trying to make living wouldn't happen to have a few sales people just trying to make a living as well?
These sales people wouldn't, perhaps, have represented the machines as somewhat better than "substandard," now would they?
No, the states aren't forced to buy them, but "just trying to make a living" don't cut it.
How else is the same sentiment sometimes phrased? Oh, yeah.
"A girl's got to make living."
KFG
With all the problems with electronic voting, punch-card voting, hanging chads etc, why even use machines for vote counting? Why not just have paper and pencil and hand-count?
Federal elections in Australia with a population of 20 million are run this way with no problem.
Before you say, "but America has many more voters", well, they can also have many more vote counters.
I was laughing for a while, now I am just sitting here in silence trying hard to convince myself that was a joke.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
The idea of EVM2003 is to create Free Software voting machine, and to implement machines that also produce voter-verifiable paper trails (i.e. visually readable printed ballots). We will do a number of security things right, where the commercial companies have done them wrong... they have aimed for "security through obscurity" or "just trust us." As well, part of our requirement is to have fully blind-accessible voting that maintains complete anonymity.
Anyway, I (David Mertz) have taken over as Developer Lead recently, and am trying to move the development of the demo along.
Feel free to contact me--the standard ballot system (in the demo version at least) is being done in wxPython; but conceivably we would choose other languages/technologies for bar-code reading, printing, blind-voting, etc. (my preference is to use Python though, for consistency and rapid development).
Buy Text Processing in Python
I've been researching this stuff for three years now.
VERY scary shit.
About Diebold:
http://www.bartcop.com/diebold.htm
About ES&S:
http://www.commondreams.org/views03/0131-01.htm
A Diebold machine is hacked, step-by-step and an election rigged here:
http://www.scoop.co.nz/mason/stories/HL0307/S00064
Congressman Rush Holt's bill:
http://holt.house.gov/display2.cfm?id=6282&type=Home
Contact your Congressman here:
http://action.eff.org/action/index.asp?step=2&item=2754
A personal letter from Bev Harris I just received:
I like what I'm hearing. I'm not decided on what to do, but as far as mobilizing thousands, we need mirrors on the memos, and here is an update you may find interesting.
Please, send, tell or distribute this as widely as possible, including to blogs, your email list, and the media:
An update from Bev at Black Box Voting: Diebold, of course, demanded shut down of http://www.blackboxvoting.org (see London Inquirer article, "Diebold takes down blackboxvoting.org" http://www.theinquirer.net/?article=11743 ) because we published a link to another web site. More on this here http://www.blackboxvoting.com , and you'll find the letter from the Diebold attorney http://www.thoughtcrimes.org here -- and for a small hoot, please notice that the letter, which is not copyrighted, INCLUDES THE LINK (three times) which they object to, and therefore republishing the letter telling people not to publish the link actually serves to publish the link. We're working on replacing the site.
Here's what I've been doing for two days now:
REPORTER: Why is Diebold sending cease and desists?
ME: Because they don't want anyone to see their memos
REPORTER: Oh. What is in the memos?
ME: Oh, admissions by their top programmers about security flaws and using uncertified software and using cell phones to intercept and transfer votes and discussions of how to fake things...
REPORTER: Wow. Where can I download these?
ME: At this web site http://211.117.160.48:8000/s/lists/index.html or this web site
http://www.smashthetrifecta.com/diebold-memos-1.htm
REPORTER: Okay I'm going there now, okay, it's downloading, when I'm done will you give me a guided tour?
ME: Sure. And also, go to this article for an easy-to-read primer: http://salon.com/tech/feature/2003/09/23/bev_harris/index.html and also, here is a neat little web page
http://new.globalfreepress.com/mnogosearch/search.cgi
where you just enter any search term and it instantly searches and find you the Diebold memos that match
REPORTER: What search terms should I start with?
ME: Try "boogie man" and also "hack" "cel phone" "broken" "fake" "vaporware" and one of my personal favorites, "King County is famous for it" (I live in King County)
REPORTER: Here's one: "What good are rules" -- Gosh, what is he doing? Is that legal?
ME: No. And so it goes. Excellent plan, Diebold. Yes, shut down a web site, that'll help. Besides reporters, the memos have now been downloaded by the U.S. House of Representatives.
Postscript: Today, the SAIC report came out evaluating Diebold. It summarizes: FAILURE TO MEET THE MINIMUM STANDARDS SET FORTH BY THE STATE OF MARYLAND Information Security Policy and Standards indicates that the system is vulnerable to exploitation. The results of a successful attack could result in voting results being released too soon, altered, or destroyed. The impact of exploitation could lead to a failure of the elections process by failing to elect to office, or decide in a ballot measure, according to the will of the people. The impact could be a loss of voter confidence, embarrassment to the State, or release of incomplete or inaccurate election results.
Let's say we got a secure electronic voting system working that people could use over the internet, maybe it mapped to your social or something. Well, now you don't have to wait till election day to vote on stuff. Should we go to war? Let's vote on it. Should we raise taxes? Let's vote on it. It could pave the way for something that has never happened before in history -- a true rule by the people.
In Oklahoma, they use paper cards. There is a broken line with each of the candidate choices. You complete the line to make your selection. The ink is magnetic, and you put it in the reader and it counts it electronically. It works quite well, is nearly fail-safe, and is fast. I don't know why more states don't do something similar. It's kinda like the best of both.
That's not odd if you consider that the ACLU is owned by one of the political parties.
Hint... Did the ACLU sue when the US Coast Guard found several ballot boxes floating in the San Francisco Bay after the last election?
- High Tech workers, please say NO to Union Carpenters, their Union sees fit to control our compensation.
A system where votes were printed to a machine-readable piece of paper, verified by the voter, then deposited in a secure box, would be simple and secure. By printing votes you create a self-verifying system -- voters can check their vote is correct, and an audit can easily verify that votes were recorded as voters intended. Management of the printed records would be just like the ballots we already are using, but without the reliability problems of punch-card systems. Tallying could be done mechanically, as a barcode could accompany the printed text.
The whole system is very simple. Even if they just used an ATM style of security (printing to an internal paper log) they would be far superior to Diebold. But using logic is difficult in this case, because Diebold is clearly making absurd claims, and it's difficult to refute absurdity.
EVM 2003 is trying to create a complete open source voting system (not just machine). I wish them the best of luck. This is more than just philosophy about copyright and IP, it's the defense of democracy from those that want very much to take away even the slight accountability that currently exists. They've already made it into office with one fraudulent election (2000), and very possibly kept control of congress with another (2002, with many states being won with unverifiable votes that didn't match up with predicted results).
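The printed-record design sketched in the post above, worked through as an added example (not code from the original post, from EVM2003, or from any vendor). The candidate names, the 60 constructed ballots, and the barcode format are assumptions made for the illustration. It shows the two checks an audit of such a system needs: a barcode recount against the electronic tally, which catches a tally edited after the polls close, and a hand-read sample comparing the text the voter saw with what the barcode encodes, which is the only one of the two that catches a printer that shows the voter one name and encodes another.

```python
"""Voter-verified paper trail with a barcode for machine tallying, and the
audit that checks the electronic count against the paper records.
Added example; candidates, ballots and barcode format are constructed."""
import random
from collections import Counter
from typing import Optional

CANDIDATES = ("Alice", "Bob", "Carol")  # hypothetical candidates


def make_barcode(choice: str) -> str:
    # The machine-readable field carries only the choice, never a voter
    # identity, so a paper record cannot be linked back to a person.
    return f"BAL:{CANDIDATES.index(choice):02d}"


def read_barcode(barcode: str) -> str:
    # What the tally scanner sees; a malformed record is an audit finding.
    tag, idx = barcode.split(":")
    if tag != "BAL" or not 0 <= int(idx) < len(CANDIDATES):
        raise ValueError(f"malformed barcode {barcode!r}")
    return CANDIDATES[int(idx)]


class VotingMachine:
    """Keeps an electronic tally and prints one paper record per ballot."""

    def __init__(self) -> None:
        self.electronic: Counter = Counter()
        self.printed: list = []  # paper records, in casting order

    def cast(self, choice: str, barcode_override: Optional[str] = None) -> dict:
        # barcode_override models a printer or firmware that encodes a
        # different choice in the barcode than it shows in the text.
        self.electronic[choice] += 1
        record = {"text": f"VOTE: {choice}",
                  "barcode": barcode_override or make_barcode(choice)}
        self.printed.append(record)
        return record


def voter_verifies(record: dict, intended: str) -> bool:
    # The voter can read the printed text; nobody reads a barcode by eye.
    return record["text"] == f"VOTE: {intended}"


def audit(electronic: Counter, records: list, hand_sample: int, rng=random) -> dict:
    """Recount the paper trail against the electronic tally.

    Step 1 scans every barcode (cheap) and compares totals. Step 2 hand-reads
    a random sample and checks that the text the voter verified agrees with
    the barcode; step 1 alone cannot catch a crooked printer, because the
    electronic tally and the barcodes come from the same machine.
    """
    findings, scanned = [], Counter()
    for r in records:
        try:
            scanned[read_barcode(r["barcode"])] += 1
        except ValueError as e:
            findings.append(str(e))
    if sum(electronic.values()) != len(records):
        findings.append(f"{sum(electronic.values())} electronic votes but "
                        f"{len(records)} paper records")
    for c in CANDIDATES:
        if scanned[c] != electronic[c]:
            findings.append(f"{c}: paper={scanned[c]} electronic={electronic[c]}")
    for r in rng.sample(records, min(hand_sample, len(records))):
        try:
            decoded = read_barcode(r["barcode"])
        except ValueError:
            continue  # already reported above
        if r["text"] != f"VOTE: {decoded}":
            findings.append(f"text/barcode mismatch in {r}")
    return {"paper_tally": dict(scanned), "ok": not findings, "findings": findings}


def run_scenarios(hand_sample: int = 20, seed: int = 7) -> dict:
    """Three runs over the same constructed 60 ballots (20 per candidate)."""
    rng = random.Random(seed)
    ballots = [CANDIDATES[i % 3] for i in range(60)]

    honest = VotingMachine()
    for b in ballots:
        honest.cast(b)

    # Electronic tally edited after the polls close; the paper is untouched.
    edited = VotingMachine()
    for b in ballots:
        edited.cast(b)
    edited.electronic["Alice"] -= 5
    edited.electronic["Bob"] += 5

    # Crooked printer: each Alice voter sees "VOTE: Alice" and accepts the
    # record, but the barcode encodes Bob and the electronic tally follows
    # the barcodes, so the two machine counts agree with each other.
    crooked = VotingMachine()
    for b in ballots:
        crooked.cast(b, make_barcode("Bob") if b == "Alice" else None)
    crooked.electronic = Counter(read_barcode(r["barcode"]) for r in crooked.printed)
    voters_ok = all(voter_verifies(r, b) for r, b in zip(crooked.printed, ballots))

    return {"honest": audit(honest.electronic, honest.printed, hand_sample, rng),
            "edited": audit(edited.electronic, edited.printed, hand_sample, rng),
            "crooked": audit(crooked.electronic, crooked.printed, hand_sample, rng),
            "crooked_voters_verified_ok": voters_ok}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The "edited" run fails on the barcode recount alone, which is the check the post describes. The "crooked" run passes that recount and every voter verified their record, so only the hand-read sample exposes it; with 20 of 60 records sampled it would be missed in roughly 3 of 100,000 runs, and the sample size is what sets that risk. The barcode deliberately carries no voter identifier, so the paper records can be recounted without linking a ballot to a person.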
No one wants campaign finance "reform" more than the major media companies. Because the "reforms" that everyone talks about would turn total control of who gets to use the mass media over to the media. As it is now, even the people who are not popular with the media moguls get to be heard because they can spend money, and the media are forced to sell them ads. Once you put in your "reforms", anyone who is not being supported by either Ted Turner or Rupert Murdoch will completely disappear from any coverage at all.
And the best part? They won't have to spend any money to bribe elected officials, all they have to do is give them some attention, and they'll own them. Only it will be from the day they start considering whether to run, not from the day they get elected.
At least two people will be fairly represented. None of the rest of us though.
People should not fear their government. Governments should fear their people.
CEOs are a quite tight group of people. Generally a person who sits on the board of one company sits on the board of up to ten other companies as well. Do you really think that MSNBC, CNN, FOX, ABC, etc., don't (a) own stock in Diebold and other voting machine companies, and (b) have board members who sit on Diebold's board as well?
Walden O'Dell, President of Diebold is also a board member of Lenox (yes, the heating and air conditioning company). This has nothing to do with media ownership, but demonstrates the amount of spread involved in corporate ownership.
"Mission Accomplished" -- George W. Bush May 1, 2003
So is that how you explain your Republican governor?
I know this because Tyler knows this.
A number of CA counties use the touch screen machines, but the big holes are on the servers, not the voting machines. Those who use OCR ballots are also just as vulnerable because the back-end servers are the same.
There was an article on the Blackboxvoting.com site about how time stamps on files found on the Diebold FTP site indicate that Diebold downloaded vote counts DURING an election in Santa Barbara (??) county. For those who are unaware, it is against the law to count votes before the polls close.
So... part of the evidence suggests that employees of Diebold BROKE THE LAW by counting votes before the polls closed. No wonder Diebold wants to keep things secret.
So... this brings up a question. If I obtain a document indicating that a company broke the law, can that document be suppressed by saying it's copyrighted? If so, that's a BIG problem.
What's amusing is that these companies could make more money selling voting machines with printers attached than they do with their current line.
Printers are cheap and totally NOT the issue. How much does a couple of thousand printers cost? A million bucks with a fat markup? Chicken feed for these people.
They will make a heck of a lot more money by rigging elections and putting people in office who will perpetuate the scam. Diebold also sells a lot more things to the government than voting machines.
The president of Diebold has personally promised to deliver the state of Ohio to Bush in 2004. If that's not conflict of interest, I don't know what is...
Oh... and the other voting machine company -- partly owned by Sen. Chuck Hagel, another prominent Republican.
Conflict of interest? Noooooo....
You mean reforms like forcing those media companies to GRANT free portions of the PUBLIC's air-time to political candidates as part of the fee to let them use their part of the spectrum?
http://yetanotherpoliticalrant.blogspot.com
Great, I live in Alameda County, CA where I remember Diebold machines being used in the last election. Now we have the recall coming up, so I guess we will just have to have some kind of blind faith that our votes are being counted. I suppose if the results are other than to be expected from this more liberal area, it will raise some eyebrows.
The horrible thing is, that this is really far below the general public's radar. I find it extremely amusing that we had a court battle over how reliable punch cards are, when electronic voting may be far worse.
The problem is that the general public is very computer illiterate, and has pretty much been conditioned to accept bugs and viruses as normal. At the same time, strangely, computers seem to be viewed as infallible.
It is very important for democracy that people are able to see and verify that their votes are counted.
My previous experience with the Diebold machines left me more puzzled than anything. Where was my vote counted, on the card that I put in the machine, in the machine itself, or both? Were the votes transmitted via phone, wireless, or physically transported to a central location? I don't know for sure, and I'm sure regular people off the street were more puzzled. Then again, maybe the thought never crossed their mind.
and you'll be happy to know they can do this by land line modem, wireless modem or cell phone.
But nothing in your post explains why the media would look out for Diebold, a maker of banking and security equipment. You seem to be going on the assumption that corporations just like to help each other out, but that same short-sighted greedy nature you correctly identified means that corporations generally don't help each other out, even when it would be easy or beneficial.
The media has covered (to death) lots of stories that hurt corporations, big and small. Alar? Firestone tires? Faked truck explosion?
If you take off the biased glasses, you'll see that the media is just dumb and slow to respond. Eventually some lazy, plagiarizing journalist will copy the story from Salon and Wired, and it will trickle through the normal channels. About six months after you're completely sick of it. See RIAA lawsuits for another example.
When I left America around 2000, one of the major reasons was that for the previous 7 years, I was well aware that America was fallen.
I came to Lithuania, and my students asked me why I came. I told them "because America has fallen". Nobody believed me.
Anyhow, immigration screwed up my papers, and I had to go back to America to reapply for entry. On 9/11, I was on a flight Warsaw-JFK. The towers fell -- but still it wasn't obvious to most that America was fallen.
I think it's becoming obvious to more people, now.
What do they mean by fallen? That the economy is going or gone; that freedom is going or gone. What do I mean by fallen? Then righteous living, honesty, and morality are gone, and therefore everything else is going to go too.
Let me be clear that although it was during Bill Clinton's term that I realized the US was fallen, it was not Clinton's fault. Clinton was a symptom. If he hadn't been born, then there'd be someone else. In the same way, our current predicament isn't GW's fault; Bush is a symptom. If it weren't him, it could as easily have been Gore, same Patriot Act, different signature.
If you want to trace it back to something, I'd probably suggest it was the 4/5 compromise in writing the US Constitution -- everything from there has been pretty logical in its progression.
That said, I have to say I'm no longer afraid, for two reasons; and I say that knowing that we again have tickets back to America, and we may well end up living there for the rest of our lives, my intended plans aside. I won't say the first reason I'm no longer afraid; but the second is the book of Habakkuk, only three chapters long.
But as for voting, I don't think there's a lot that can be done. However, my uncle wondered if maybe a voter could sue to have his votes counted by hand, since that lawsuit was successful against the Educational Testing Service.
Here's what he said:
I wonder if there is court common-law precedent against automatic vote counting. I had a lot of complaints against ETS when I applied to graduate school, about the way they have poor security on their tests, the way they lost all of the tests from Montreal, and then informed my application schools that I had failed to show up to write the GRE. But in doing that complaining, I found out that people had taken them to court about machine scoring, and the court ruled that if test takers want their exams scored by hand, then ETS has to do that. Also, the court ruled that ETS must reveal what they think are the correct answers to their questions. I wonder if those kinds of rulings from the 1970s (New York Supreme Court, I think) could be carried over to this. That a voter could insist that their vote be counted by hand, not machine.
I wonder why they (I forget exactly who) were trying to stop the California recall election until electronic voting systems (Diebold's?) were in place in all districts?
Makes you wonder if their intentions were noble.
Jaysyn
There is a war going on for your mind.
I find it very interesting that the State of Maryland redacted almost anything of value from the report that it released. In contrast, the Department of Justice redacted only 1 line from the Carnivore report. The voting report as posted tells very little about what was really found. Perhaps there should be some public call for the unredacted version. Maybe the Baltimore Sun can do a FOIA request.
Greetings all. So far all the information that has been presented here has been useful. That's good. But I think we've all overlooked one other issue with this electronic vote system: immunity & privacy.
While in the United States, you're not scared of the currently 'lawfully-elected' dictator shooting you because you didn't vote for him in the election, it's still considered to be a sacrosanct 'right' that you and only you know exactly how you voted. You can tell the exit-pollers anything you want, but voting itself is anonymous.
My state recently obtained "anti-Florida" electronic voting machines (i.e., touch-screen) even though we had been using push-button electronic machines for 15+ years (Diebold, btw). These new touch-screen machines (I didn't bother to check the manufacturer, hindsight is 20-20) were 'unique' in my mind because of one of the features they had: smart cards.
The process I used to vote using these machines is as follows:
1) State your name to the representative of the County Clerk. (No identification is required, but that's a different issue entirely.)
2) Take a form that has your Name, Address, and SSN on it to a second clerk in the voting room. They enter your information onto a computer terminal connected to the County Voter Registration Database (somehow). This is to verify that you are indeed registered to vote in this county. They call out a number (I'm assuming a voter number, but it uniquely identifies you).
3) Receive a smart card which just downloaded something from the terminal used to check voter numbers.
4) Insert smart-card into voting machine.
5) Select from presented options.
6) Save your vote onto the smart-card.
7) Give this smart-card back to the clerk and go about your business.
Now... What here seems like a vote-tracking system to you? The voting terminals were all connected back to something via Ethernet, and my votes were saved off-device. Now, I talked with a friend of mine who says you can get smart cards to cough up their information, without encryption, if you do something right. Steal a crate of those cards (or lose them, as is oft in my state) and the information recorded on them (most likely voter number and votes cast) and bam! You know that I voted against Joe Schmoe.
Like I said earlier, in the US, this isn't a big problem, killing your opposition isn't smiled upon... but what about imprisoning them under the Patriot Act?(more info: read about the Alien and Sedition Acts...Congress overturned those, haven't touched PATRIOT)
I spoke with a poll worker about this issue (vote-tracking, not getting oppressed) at the recent election (using the traditional voting machines, I might add), and she expressed concern as well, stating "You seem to have a different perspective on this, probably because you are more familiar with the technology". Meaning? The county clerks have no idea what they're implementing, just that they're implementing an electronic system, which obviously can't cause hanging chads...
Will the intelligentsia ever be consulted, or are we doomed to be legislated and regulated by politicians who don't have time to learn about a subject? Sinclair Lewis once wrote a book entitled "It Can't Happen Here", but if this continues unchecked, it just might.
May You Live in Interesting Times
BaronJ
-- Now we see the violence inherent in the sysadmin
I used to work for a computer manufacturer who had a number of computers installed at a Diebold facility and I occasionally had to assist a Diebold engineer with problems.
It was frustrating. The computers were interfacing with ATM-style machines and polling some sort of data from them. The concept was not difficult but sometimes there were strange results. I'd ask questions about how the serial port (or modem or whatever) was connecting to their machine. Questions about protocols, for instance, and he would not tell me because it was confidential information! It would be something like "What baud rate are you using?" and he could not tell me, but then he would ask me what baud rate I'd recommend!
I think that for years their security has had as much to do with obscurity as it has had to do with real security!
http://www.clevelandfed.org/about/BODclev.cfm
Diebold has the Chairman of the Board of Directors of the Cleveland Federal Reserve Bank.
Robert W. Mahoney, retired Chairman and CEO of Diebold, is a Class C member of the Board of Directors.
3 Class A members represent banks.
3 Class B members represent businesses, but are chosen by the banks.
The 3 Class C members are intended to represent the public interest.
Diebold's main business is building ATMs for banks.
You do the math.
(Just to make things more fun, note that another Class C member of the Cleveland FRB BoD is the CEO of Cox Financial Corporation (but it's not a bank!).)
It will not stop big media's control over elections, it will enhance it.
Just ask yourself what's better for the media companies:
I'd say they'd prefer the second, wouldn't you?
To make that happen, they need to be able to rig elections. They can't do so right now because there's no central point of control. But with the Diebold machines in place, there's a central point of control: Diebold. So now it becomes a question of how to control Diebold.
The media corporations won't say anything about it as long as Diebold plays ball with them. If Diebold stops cooperating, the media corps blow the whistle with a big scam that would immediately remove Diebold's control and would make the media corps a bunch of money as a result of the heightened interest on the part of viewers and readers. That would put the media corporations back into the current situation, in which their control is probabilistic and not certain, but it would reduce Diebold to irrelevance.
And that is why the media hasn't said shit about it, and won't; and why Diebold will defer to the media corporations when necessary.
Now: what part of the above is "weak"?
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
If you take a look at the board membership of the publicly traded companies in the U.S., you will very quickly come to see that the interests of the media corporations coincide with those of the corporations which are outside of the media sector: the set of persons who occupy the boards of the publicly traded companies is quite small, and a few notables occupy seats on a large number of boards. It is the interests of this elite few that dictate the policies of the bulk of the publicly traded corporations in the U.S., and they are fully capable of coordinating the policies and efforts of their various companies to any self-interested purpose.
-I like my women like I like my tea: green-
Hi. My boyfriend (from Rio) told me about the computer voting system they used in Brazil's recent presidential election. Portable machines (with no internet connection) that compiled results and burned them to a CD. These CDs were carted (by heavy security) to a central location where the totals were all tallied. (Don't know what software or OS they used for the machines.) From most accounts, the system worked extremely smoothly and was very accurate.