Slashdot Mirror
Diebold Audit Released, BlackBoxVoting.Org Shut Down
Chris Soghoian writes "The State of Maryland requested an audit of the Diebold electronic voting system by SAIC, after a report released by Johns Hopkins University and Rice Researchers (disclaimer: I'm one of Dr Rubin's students) noted several security issues. A condensed, from 200 to 40 pages, and censored version of the report has been released online (PDF link). The report notes that 'SAIC has identified several high-risk vulnerabilities that, if exploited, could have significant impact upon the AccuVote-TS voting system operation.'" However, Diebold says Maryland are moving forward with installation with "new security features" included, and elsewhere, Badgerman points out "Diebold has shut down blackboxvoting.org, apparently with copyright claims made to their ISP. But you can still go to the blackboxvoting.com site."
The Supreme Court is always most willing to hear cases when they involve political speech and voting, and this involves both.
Pending: your vote is now the property of Diebold, Inc. Any attempt on your part to ascertain the disposition of your vote is hereby declared to be in violation of federal law, e.g., the Digital Millenium Copyright Act.
You have the right not to vote. Any vote you make can be used against you in a court of law. The judge presiding in such a court of law may be appointed by Diebold, Inc., and need not require a jury, but if a jury is summoned, it need not be a jury of your peers.
By acting to vote you consent to our determining whether your vote is valid, and in the event it is judged not to be valid, you consent to our voiding your vote and further voiding your right to vote in the future.
You furthermore acknowledge that owing to storage and bandwidth limitations that Diebold, Inc., may experience, your vote may be digitally compressed in a way such that your true intent in casting the vote may be lost. If such an eventuality should occur, your vote may be determined using statistical data derived from any source we deem appropriate or convenient.
You have the right to protest if your vote is cancelled, altered, or in any way modified as the result of such action on our part, however, you hereby acknowledge that in such an eventuality, Diebold, Inc. may determine that your right to vote is deleterious to democracy as implement by Diebold, Inc., and therefore may be considered to be an overt act against the national security of these United States.
You have 10 seconds to comply.
God Bless America.
Is this truly the only Earth I can live on?
Are we going to have to check the bit bucket for hanging bits?
-William
God is everything science has yet to explain.
How else can I add one option at the end of the ballot:
__X__ CowboyNeal
This totally need to be crammed down every voting American's throat. Lather, rinse, repeat.
SAIC's independent review states, "While many of the statements made by Mr. Rubin were technically correct, it is clear that Mr. Rubin did not have a complete understanding of the State of Maryland's implementation of the AccuVote-TS voting system...The State of Maryland's procedural controls and general voting environment reduce or eliminate many of the vulnerabilities identified in the Rubin report."
SAIC's report continues, "Rubin states repeatedly that he does not know how the [Diebold] system operates in an election and he further identifies the assumptions that he used to reach his conclusions. In those cases where these assumptions concerning operational or management controls were incorrect, the resultant conclusions were, unsurprisingly, also incorrect."
if implemented properly, could revolutionise governance in general - pity it's being so badly implemented thus far. If voting were faster and cheaper it could be involved more regularly in all manner of decision making processes. I simply cannot believe that someone would implement such a critical system on any Microsoft platform, especially when there's plenty of alternatives out there. QNX comes to mind. Mind you it is no surprise to me that a company who chooses to start behind the 8 ball by making such a poor choice in platforms is subsequently found to show a disregard for security in general ('compromised' servers, serious flaws, etc.). I hope they're enjoying 'whack-a-mole' because you can bet that for every site they manage to take down, 10 others will pop up!
The meme for the 21st Century seems to be "if your product is faulty, abuse IP laws to squash anyone who mentions it", rather than, say, fixing the damn problem.
Sheesh, evil *and* a jerk. -- Jade
I wonder how many precincts in CA plan to use the Diebold system, with its well-known cracks, in the upcoming Gubernatorial Recall election.
With a broad field of candidates splitting the vote, and the field-leader taking the race, small margins could easily swing the election - which means a small number of compromised precincts could swing the election.
And with no human-readable audit trail, if you thought the stink over the Florida Presidential results was bad you ain't seen NOTHING yet.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Just read this quote from a Diebold press release that is being refuted on blackboxvoiting.com:
"The thorough system assessment conducted by SAIC verifies that the Diebold voting station provides an unprecedented level of election security." (emphasis mine)
Unfortuantely, in this case, blackboxvoting is quite wrong, and Diebold press release is entirely correct. You see, the word "unprecedented" doesn't necessarily mean "good". It means "without precedent". The level of security offered by these voting machines is most certainly "without precedent".
What has *science* done?!? -- Dr. Weird (ATHF)
We are f**ked. If a political system is so broken that it can't keep this from getting through then... well...
We are f**ked.
I really am an IT Auditor for a living and this is exactly the kind of work I do (although I mostly work for Utility Companies like water or electricity) and I know how these reports are created. There is HUGE pressure to "build assurance".
What that means is that you find an risk that is not addressed by a suitible control - and try to find a control - something, anything, that you can call a control to cover that risk. That's all fine and good, but what it means is that the risks that actually make it into the report are the really big, bad, completely unaccounted for ones. Put another way, for every risk that gets in, three didn't that a normal person would have thought should have.
Long and short, I write reports like this for a living and this is way, way, way worse than it looks.
OK Dieboldt, do you really think that suing computer scientists will give you any good PR?
Look, your voting software has more holes than swiss cheese. We are willing to help you, but there are some requirements you must follow.
1) your voting machines must have a printer attached
2) the votes must be counted electronically, optically, and by humans
3) if the printout doesnt match whats on screen, then remove the machine.
4) the paper ballot is the final record.
Look let the computer science community improve your software. We all want the election to go through in an error-free way. No one wants a florida to happen again.
But, if you fight this tooth and nail, you will have no fiercer enemy. Ignore the Slashdot nation at your own peril
6,000,000,000 people placed type-in votes for an independent candidat known as "I.P. Freely"
"I.C. Weener" of the Cryoget Washington Head party and "Amanda Hugenkiss" tied for second with exactly 42424242 votes apiece.
You can't judge a book by the way it wears its hair.
With all the problems with electronic voting, punch-card voting, hanging chads etc, why even use machines for vote counting? Why not just have paper and pencil and hand-count?
Federal elections in Australia with a population of 20 million are run this way with no problem.
Before you say, "but America has many more voters", well, they can also have many more vote counters.
...we're screwed. I mean all kinds of screwed.
Not just "they messed up my vote" screwed, but entire-election-results-legitimately-contested screwed.
The problem is that they're raising the margin of error by an unknowable amount. No matter which party wins in the 2004 Presidential election, the loser will easily be able to argue that the voting system was highly flawed and vulnerable to foul play. It will be a replay of 2000, except worse.
Using a system that's known to be insecure for national elections... it's just a guaranteed disaster. We'll have another election settled in court, and the populace of the U.S. will become even more polarized.
For the elections to be so obviously and openly rigged is to make sure that there is no dissenting opinion available. The Communists and Facists regularly skewed and falsified election results to prevent anyone from actually challenging their methods and agendas. Which, I might remind you all, was mass murder, wholesale pilliaging of national treasuries and imprisonment of dissedents. Fact is, Americans already have accepted the Fascist philosophy now being touted as "patriotism". Call me a nut, but thats what we are looking at. If Bush wins, I will consider this to be the end of the United States, and I will make serious efforts to leave the country. It would no longer be worth my time, effort or loyalty if the Fascists win another election.
And these men ARE fascists people, in every sense of the word. You think there would be any "open source" after that? This administration has already made little noises about Linux and BSD being "hackers" operating systems, there have been several years worth of propaganda about "freeware" being something only criminals use to steal and sabotage. You can damn well bet that it would be outlawed, or at least, brought under private control of some sort where it would be rigidly controlled.
Can you say heil SCO? Whether or not they actually have a claim, which they don't, it would only take a few lines of obscure law written into some other peice of legislation to change all that. It would be nothing for the fascists to declare something to be criminal or subversive and use that as an excuse for a major crackdown on the information industry.
But nobody really cares, as long as they can have their Hummers and Porches and Rolex watches.
Stupid Humans.....
The idea of EVM2003 is to create Free Software voting machine, and to implement machines that also produce voter-verifiable paper trails (i.e. visually readable printed ballots). We will do a number of security things right, where the commercial companies have done them wrong... they have aimed for "security through obscurity" or "just trust us." As well, part of our requirement is to have fully blind-accessible voting that maintains complete anonymity.
Anyway, I (David Mertz) have taken over as Developer Lead recently, and am trying to move the development of the demo along.
Feel free to contact me--the standard ballot system (in the demo version at least) is being done in wxPython; but conceivably we would choose other languages/technologies for bar-code reading, printing, blind-voting, etc. (my preference is to use Python though, for consistency and rapid development).
Buy Text Processing in Python
That's what the lack of a human-readable audit trail avoids: those pesky "ballots" that people might want to recheck for accuracy. The Diebold systems might not be any better than hanging chads, but you can be sure they'll seem better because there won't be any way to remeasure the results and get a different number.
And the report itself continues:
A system where votes were printed to a machine-readable piece of paper, verified by the voter, then deposited in a secure box, would be simple and secure. By printing votes you create a self-verifying system -- voters can check their vote is correct, and an audit can easily verify that votes were recorded as voters intended. Management of the printed records would be just like the ballots we already are using, but without the reliability problems of punch-card systems. Tallying could be done mechanically, as a barcode could accompany the printed text.
The whole system is very simple. Even if they just used an ATM style of security (printing to an internal paper log) they would be far superior to Diebold. But using logic is difficult in this case, because Diebold is clearly making absurd claims, and it's difficult to refute absurdity.
EVM 2003 is trying to create a complete open source voting system (not just machine). I wish them the best of luck. This is more than just philosophy about copyright and IP, it's the defense of democracy from those that want very much to take away even the slight accountability that currently exists. They've already made it into office with one fraudulent election (2000), and very possibly kept control of congress with another (2002, with many states being won with unverifiable votes that didn't match up with predicted results).
A number of CA counties use the touch screen machines, but the big holes are on the servers, not the voting machines. Those who use OCR ballots are also just as vulnerable because the back-end servers are the same.
There was an article on the Blackboxvoting.com site about how time stamps on files found on the Diebold FTP site indicate that Diebold downloaded vote counts DURING an election in Santa Barbara (??) county. For those who are unaware, it is against the law to count votes before the polls close.
So... part of the evidence suggests that employees of Diebold BROKE THE LAW by counting votes before the polls closed. No wonder Diebold wants to keep things secret.
So... this brings up a question. If I obtain a document indicating that a company broke the law, can that document be suppressed by saying it's copy righted? If so, that's a BIG problem.
Great, I live in Alameda County, CA where I remember Diebold machines being used in the last election. Now we have the recall coming up, so I guess we will just have to have some kind of blind faith that our votes are counting. I suppose if the results are other than to be expected from this more liberal area, it will raise some eyebrows.
The horrible thing is, that this is really far below the general public's radar. I find it extremely amusing that we had a court battle over how reliable punch cards are, when electronic voting may be far worse.
The problem is that the general public is very computer illiterate, and have been pretty much been conditioned to accept bugs and viruses as normal. At the same time, strangely, computers seem to be viewed as infallible.
It is very importaint for Democracy that people are able to be able to see and verify that their votes are counted.
My previous experience with the Diebold machines left me more puzzled than anything. Where was my vote counted, on the card that I put in the machine, in the machine itself, or both? Were the votes transmitted via phone, wireless, or physically transported to a centeral location? I don't know for sure, and I'm sure regular people off the street were more puzzled. Then again, maybe the thought never crossed their mind.
Now hackers can use this to get rid of Bush and put in whoever is willing to part ways with the DMCA and the Patriot act.
Faux News election night:
"And the results are in for the popular election, Jane"
"75 million votes for..wait.. who the fuck is Lawrence Lessig?"
"I would say he's our new President, Steve."
The memos were sent to me by an insider, and I just got them 2 1/2 weeks ago.
This is important, because one is similar to software piracy (though debatable, because they are under some obligation to protect things if they want to call them trade secrets, and no one in their right mind would want to pirate this system, called "junk shit" by their own technicians, to resell it.
The memos, though, are just internal communications that were leaked, and once leaked and public, which they certainly are by now, when used only for fair use reasons in the public interest, the legal issues are quite different.
"in August, the Cleveland Plain Dealer reported that Walden O'Dell, the CEO of Diebold, is a major fundraiser for President Bush. In a letter to fellow Republicans, O'Dell said that he was "COMMITTED TO HELPING OHIO DELIVER ITS ELECTORAL VOTES TO THE PRESIDENT NEXT YEAR."
The internal memos from Diebold (they get referred to from Salon) show a shockingly cavalier chief engineer 'managing' the security concerns of various clients, steadily resisting the idea of even password protecting the .mdb file (.mdb file!?!) so that just anyone couldn't overwrite audit logs. Nothing overtly political in those memos, though, thank God.
Still -- how does it affect the credibility of any (new, or old) voting system for the people overseeing it to be acknowledged partisans? Imagine a Florida 2000 in which there were no physical records, and in which the systems that counted votes were frighteningly insecure and had been programmed by a company headed by a partisan figure. We already had more than enough partisan elements there -- the brother who happens to be governor, the Supreme Court justice who has a wife on Bush's transition team, the different standards for counting absentee ballots in different counties, and so on.
The thing about those memos is, they really show the states to be one more relatively uninformed client of an IT company. They'll buy the FUD of the Diebold person as long as he sounds assured enough, you know? Even when it comes to something as obvious as "I double-clicked the file of votes and it opened with no password, is that bad?" Which is all the more reason to be sure you're dealing with someone who has no conflict of interest, right?
"Fundamentalism" isn't about divine morality. It's about human authority.