Slashdot Mirror


Diebold Audit Released, BlackBoxVoting.Org Shut Down

Chris Soghoian writes "The State of Maryland requested an audit of the Diebold electronic voting system by SAIC, after a report released by Johns Hopkins University and Rice Researchers (disclaimer: I'm one of Dr Rubin's students) noted several security issues. A condensed, from 200 to 40 pages, and censored version of the report has been released online (PDF link). The report notes that 'SAIC has identified several high-risk vulnerabilities that, if exploited, could have significant impact upon the AccuVote-TS voting system operation.'" However, Diebold says Maryland are moving forward with installation with "new security features" included, and elsewhere, Badgerman points out "Diebold has shut down blackboxvoting.org, apparently with copyright claims made to their ISP. But you can still go to the blackboxvoting.com site."

13 of 360 comments

  1. Diebold sure liked that report by exhilaration · · Score: 4, Interesting
    From: http://www.diebold.com/dieboldes/maryland.htm

    SAIC's independent review states, "While many of the statements made by Mr. Rubin were technically correct, it is clear that Mr. Rubin did not have a complete understanding of the State of Maryland's implementation of the AccuVote-TS voting system...The State of Maryland's procedural controls and general voting environment reduce or eliminate many of the vulnerabilities identified in the Rubin report."

    SAIC's report continues, "Rubin states repeatedly that he does not know how the [Diebold] system operates in an election and he further identifies the assumptions that he used to reach his conclusions. In those cases where these assumptions concerning operational or management controls were incorrect, the resultant conclusions were, unsurprisingly, also incorrect."

  2. Electronic Voting... by samj · · Score: 4, Interesting

    if implemented properly, could revolutionise governance in general - pity it's being so badly implemented thus far. If voting were faster and cheaper it could be involved more regularly in all manner of decision making processes. I simply cannot believe that someone would implement such a critical system on any Microsoft platform, especially when there's plenty of alternatives out there. QNX comes to mind. Mind you it is no surprise to me that a company who chooses to start behind the 8 ball by making such a poor choice in platforms is subsequently found to show a disregard for security in general ('compromised' servers, serious flaws, etc.). I hope they're enjoying 'whack-a-mole' because you can bet that for every site they manage to take down, 10 others will pop up!

    1. Re:Electronic Voting... by kfg · · Score: 3, Interesting

      Two words: Patriot Act.

      You do understand that in a number of polls the "people" have been shown more than willing to completely renounce the Constitution and the Bill of Rights?

      And, of course (here comes Godwin's Law), Hitler was voted dictator for life in a democratic election.

      KFG

    2. Re:Electronic Voting... by kfg · · Score: 3, Interesting

      Ah, but that wasn't my conclusion at all. My conclusion was that democracy was no prevention at all for it happening. This is a very different conclusion from the one you stated.

      And of course fear and thuggery has never been a deciding factor in an election in America and could never happen on a national scale.

      Because, well, because this is America, God Bless Her, everyone.

      Right now America is broken. Most of it doesn't even know it's broken, even though every time Ashcroft opens his mouth more fascist hate spews out of it.

      Why is it broken?

      Because the voting public has already refused to use their democratic rights inherent in the Constitutional system to prevent it from becoming this broken.

      In fact, most approve of it.

      KFG

  3. Auditor Weighs In by Inexile2002 · · Score: 5, Interesting

    We are f**ked. If a political system is so broken that it can't keep this from getting through then... well...

    We are f**ked.

    I really am an IT Auditor for a living and this is exactly the kind of work I do (although I mostly work for Utility Companies like water or electricity) and I know how these reports are created. There is HUGE pressure to "build assurance".

    What that means is that you find a risk that is not addressed by a suitable control - and try to find a control - something, anything, that you can call a control to cover that risk. That's all fine and good, but what it means is that the risks that actually make it into the report are the really big, bad, completely unaccounted for ones. Put another way, for every risk that gets in, three didn't that a normal person would have thought should have.

    Long and short, I write reports like this for a living and this is way, way, way worse than it looks.

  4. Why not hand-count? by daffmeister · · Score: 5, Interesting

    With all the problems with electronic voting, punch-card voting, hanging chads etc, why even use machines for vote counting? Why not just have paper and pencil and hand-count?

    Federal elections in Australia with a population of 20 million are run this way with no problem.

    Before you say, "but America has many more voters", well, they can also have many more vote counters.

  5. Help the Electronic Voting Machine Project by Lulu of the Lotus-Ea · · Score: 4, Interesting
    I've posted some similar notes to most of the recent articles about problems with commercial voting machines. For this one, I really want to actively recruit some developers to help out. There are parts of EVM2003 that are on track, but other parts need more developers. In particular, we really need some people with experience in blind-accessibility for that portion of the project (both a system to allow voting, and one to vocalize printed ballots).

    The idea of EVM2003 is to create a Free Software voting machine, and to implement machines that also produce voter-verifiable paper trails (i.e. visually readable printed ballots). We will do a number of security things right, where the commercial companies have done them wrong... they have aimed for "security through obscurity" or "just trust us." As well, part of our requirement is to have fully blind-accessible voting that maintains complete anonymity.

    Anyway, I (David Mertz) have taken over as Developer Lead recently, and am trying to move the development of the demo along.

    Feel free to contact me--the standard ballot system (in the demo version at least) is being done in wxPython; but conceivably we would choose other languages/technologies for bar-code reading, printing, blind-voting, etc. (my preference is to use Python though, for consistency and rapid development).

  6. Machine voting not the problem by Ian Bicking · · Score: 4, Interesting
    Machine voting isn't the problem, Diebold is. They've created a horrible, insecure system. It's simple enough to create a more secure system that it's hard not to believe Diebold is deliberately enabling fraud.

    A system where votes were printed to a machine-readable piece of paper, verified by the voter, then deposited in a secure box, would be simple and secure. By printing votes you create a self-verifying system -- voters can check their vote is correct, and an audit can easily verify that votes were recorded as voters intended. Management of the printed records would be just like the ballots we already are using, but without the reliability problems of punch-card systems. Tallying could be done mechanically, as a barcode could accompany the printed text.

    The whole system is very simple. Even if they just used an ATM style of security (printing to an internal paper log) they would be far superior to Diebold. But using logic is difficult in this case, because Diebold is clearly making absurd claims, and it's difficult to refute absurdity.

    EVM 2003 is trying to create a complete open source voting system (not just machine). I wish them the best of luck. This is more than just philosophy about copyright and IP, it's the defense of democracy from those that want very much to take away even the slight accountability that currently exists. They've already made it into office with one fraudulent election (2000), and very possibly kept control of congress with another (2002, with many states being won with unverifiable votes that didn't match up with predicted results).

  7. Re:Why is the mass media not all over this???? by cmarkn · · Score: 3, Interesting

    No one wants campaign finance "reform" more than the major media companies. Because the "reforms" that everyone talks about would turn total control of who gets to use the mass media over to the media. As it is now, even the people who are not popular with the media moguls get to be heard because they can spend money, and the media are forced to sell them ads. Once you put in your "reforms", anyone who is not being supported by either Ted Turner or Rupert Murdoch will completely disappear from any coverage at all.

    And the best part? They won't have to spend any money to bribe elected officials, all they have to do is give them some attention, and they'll own them. Only it will be from the day they start considering whether to run, not from the day they get elected.

    At least two people will be fairly represented. None of the rest of us though.

    --
    People should not fear their government. Governments should fear their people.
  8. Re:Why is the mass media not all over this???? by gaijin99 · · Score: 4, Interesting
    Of course it needs to be aired publicly. It's a potential threat to the very basis of our government. The reason why it isn't is quite simple: corporate ownership.

    CEOs are a quite tight group of people. Generally a person who sits on the board of one company sits on the board of up to ten other companies as well. Do you really think that MSNBC, CNN, FOX, ABC, etc, don't a) own stock in Diebold and other voting machine companies, and b) have board members who sit on Diebold's board as well?

    Walden O'Dell, President of Diebold is also a board member of Lenox (yes, the heating and air conditioning company). This has nothing to do with media ownership, but demonstrates the amount of spread involved in corporate ownership.

    --
    "Mission Accomplished" -- George W. Bush May 1, 2003
  9. Diebold is already screwing California. by tinrobot · · Score: 4, Interesting

    A number of CA counties use the touch screen machines, but the big holes are on the servers, not the voting machines. Those who use OCR ballots are also just as vulnerable because the back-end servers are the same.

    There was an article on the Blackboxvoting.com site about how time stamps on files found on the Diebold FTP site indicate that Diebold downloaded vote counts DURING an election in Santa Barbara (??) county. For those who are unaware, it is against the law to count votes before the polls close.

    So... part of the evidence suggests that employees of Diebold BROKE THE LAW by counting votes before the polls closed. No wonder Diebold wants to keep things secret.

    So... this brings up a question. If I obtain a document indicating that a company broke the law, can that document be suppressed by saying it's copyrighted? If so, that's a BIG problem.

  10. Re:Why is the mass media not all over this???? by kramer2718 · · Score: 3, Interesting

    You mean reforms like forcing those media companies to GRANT free portions of the PUBLIC's air-time to political candidates as part of the fee to let them use their part of the spectrum?

  11. Public Beta Test in 13 Days... by chickenwing · · Score: 5, Interesting

    Great, I live in Alameda County, CA where I remember Diebold machines being used in the last election. Now we have the recall coming up, so I guess we will just have to have some kind of blind faith that our votes are counting. I suppose if the results are other than to be expected from this more liberal area, it will raise some eyebrows.

    The horrible thing is, that this is really far below the general public's radar. I find it extremely amusing that we had a court battle over how reliable punch cards are, when electronic voting may be far worse.

    The problem is that the general public is very computer illiterate, and have pretty much been conditioned to accept bugs and viruses as normal. At the same time, strangely, computers seem to be viewed as infallible.

    It is very important for Democracy that people are able to see and verify that their votes are counted.

    My previous experience with the Diebold machines left me more puzzled than anything. Where was my vote counted, on the card that I put in the machine, in the machine itself, or both? Were the votes transmitted via phone, wireless, or physically transported to a central location? I don't know for sure, and I'm sure regular people off the street were more puzzled. Then again, maybe the thought never crossed their mind.