Diebold Audit Released, BlackBoxVoting.Org Shut Down
Chris Soghoian writes "The State of Maryland requested an audit of the Diebold electronic voting system by SAIC, after a report released by Johns Hopkins University and Rice Researchers (disclaimer: I'm one of Dr Rubin's students) noted several security issues. A condensed, from 200 to 40 pages, and censored version of the report has been released online (PDF link). The report notes that 'SAIC has identified several high-risk vulnerabilities that, if exploited, could have significant impact upon the AccuVote-TS voting system operation.'" However, Diebold says Maryland are moving forward with installation with "new security features" included, and elsewhere, Badgerman points out "Diebold has shut down blackboxvoting.org, apparently with copyright claims made to their ISP. But you can still go to the blackboxvoting.com site."
SAIC's independent review states, "While many of the statements made by Mr. Rubin were technically correct, it is clear that Mr. Rubin did not have a complete understanding of the State of Maryland's implementation of the AccuVote-TS voting system...The State of Maryland's procedural controls and general voting environment reduce or eliminate many of the vulnerabilities identified in the Rubin report."
SAIC's report continues, "Rubin states repeatedly that he does not know how the [Diebold] system operates in an election and he further identifies the assumptions that he used to reach his conclusions. In those cases where these assumptions concerning operational or management controls were incorrect, the resultant conclusions were, unsurprisingly, also incorrect."
if implemented properly, could revolutionise governance in general - pity it's being so badly implemented thus far. If voting were faster and cheaper it could be involved more regularly in all manner of decision making processes. I simply cannot believe that someone would implement such a critical system on any Microsoft platform, especially when there's plenty of alternatives out there. QNX comes to mind. Mind you it is no surprise to me that a company who chooses to start behind the 8 ball by making such a poor choice in platforms is subsequently found to show a disregard for security in general ('compromised' servers, serious flaws, etc.). I hope they're enjoying 'whack-a-mole' because you can bet that for every site they manage to take down, 10 others will pop up!
We are f**ked. If a political system is so broken that it can't keep this from getting through then... well...
We are f**ked.
I really am an IT Auditor for a living and this is exactly the kind of work I do (although I mostly work for Utility Companies like water or electricity) and I know how these reports are created. There is HUGE pressure to "build assurance".
What that means is that you find a risk that is not addressed by a suitable control - and try to find a control - something, anything, that you can call a control to cover that risk. That's all fine and good, but what it means is that the risks that actually make it into the report are the really big, bad, completely unaccounted for ones. Put another way, for every risk that gets in, three didn't that a normal person would have thought should have.
Long and short, I write reports like this for a living and this is way, way, way worse than it looks.
With all the problems with electronic voting, punch-card voting, hanging chads etc, why even use machines for vote counting? Why not just have paper and pencil and hand-count?
Federal elections in Australia with a population of 20 million are run this way with no problem.
Before you say, "but America has many more voters", well, they can also have many more vote counters.
The idea of EVM2003 is to create a Free Software voting machine, and to implement machines that also produce voter-verifiable paper trails (i.e. visually readable printed ballots). We will do a number of security things right, where the commercial companies have done them wrong... they have aimed for "security through obscurity" or "just trust us." As well, part of our requirement is to have fully blind-accessible voting that maintains complete anonymity.
Anyway, I (David Mertz) have taken over as Developer Lead recently, and am trying to move the development of the demo along.
Feel free to contact me--the standard ballot system (in the demo version at least) is being done in wxPython; but conceivably we would choose other languages/technologies for bar-code reading, printing, blind-voting, etc. (my preference is to use Python though, for consistency and rapid development).
A system where votes were printed to a machine-readable piece of paper, verified by the voter, then deposited in a secure box, would be simple and secure. By printing votes you create a self-verifying system -- voters can check their vote is correct, and an audit can easily verify that votes were recorded as voters intended. Management of the printed records would be just like the ballots we already are using, but without the reliability problems of punch-card systems. Tallying could be done mechanically, as a barcode could accompany the printed text.
The whole system is very simple. Even if they just used an ATM style of security (printing to an internal paper log) they would be far superior to Diebold. But using logic is difficult in this case, because Diebold is clearly making absurd claims, and it's difficult to refute absurdity.
EVM 2003 is trying to create a complete open source voting system (not just machine). I wish them the best of luck. This is more than just philosophy about copyright and IP, it's the defense of democracy from those that want very much to take away even the slight accountability that currently exists. They've already made it into office with one fraudulent election (2000), and very possibly kept control of congress with another (2002, with many states being won with unverifiable votes that didn't match up with predicted results).
CEOs are a quite tight group of people. Generally a person who sits on the board of one company sits on the board of up to ten other companies as well. Do you really think that MSNBC, CNN, FOX, ABC, etc, don't a) own stock in Diebold and other voting machine companies, and b) have board members who sit on Diebold's board as well?
Walden O'Dell, President of Diebold is also a board member of Lenox (yes, the heating and air conditioning company). This has nothing to do with media ownership, but demonstrates the amount of spread involved in corporate ownership.
"Mission Accomplished" -- George W. Bush May 1, 2003
A number of CA counties use the touch screen machines, but the big holes are on the servers, not the voting machines. Those who use OCR ballots are also just as vulnerable because the back-end servers are the same.
There was an article on the Blackboxvoting.com site about how time stamps on files found on the Diebold FTP site indicate that Diebold downloaded vote counts DURING an election in Santa Barbara (??) county. For those who are unaware, it is against the law to count votes before the polls close.
So... part of the evidence suggests that employees of Diebold BROKE THE LAW by counting votes before the polls closed. No wonder Diebold wants to keep things secret.
So... this brings up a question. If I obtain a document indicating that a company broke the law, can that document be suppressed by saying it's copyrighted? If so, that's a BIG problem.
Great, I live in Alameda County, CA where I remember Diebold machines being used in the last election. Now we have the recall coming up, so I guess we will just have to have some kind of blind faith that our votes are counting. I suppose if the results are other than to be expected from this more liberal area, it will raise some eyebrows.
The horrible thing is, that this is really far below the general public's radar. I find it extremely amusing that we had a court battle over how reliable punch cards are, when electronic voting may be far worse.
The problem is that the general public is very computer illiterate, and has pretty much been conditioned to accept bugs and viruses as normal. At the same time, strangely, computers seem to be viewed as infallible.
It is very important for Democracy that people are able to see and verify that their votes are counted.
My previous experience with the Diebold machines left me more puzzled than anything. Where was my vote counted, on the card that I put in the machine, in the machine itself, or both? Were the votes transmitted via phone, wireless, or physically transported to a central location? I don't know for sure, and I'm sure regular people off the street were more puzzled. Then again, maybe the thought never crossed their mind.