Slashdot Mirror
E-Voting Firm VoteHere Discloses October Break-In
linuxwrangler writes "In the ongoing saga of electronic voting 'security,' eVoting company VoteHere is the latest to reveal that they were the victim of a computer break-in. According to VoteHere founder, Jim Adler, the concern isn't about their source code which they plan to reveal 'eventually,' anyway, but is about the possible release of salary and other HR data. Astoundingly, the 'hot poll' associated with this story has (as this is being posted) 28% of respondents saying they would trust their vote on the internet and 41% saying 'not now, but maybe soon.' Feel free to cast your vote." Reader nSignIfikaNt points to the Assocated Press' article as carried by CNN.
Problems with voting are clear and simple proof that fascist dictatorships are the only way to go.
E-Communism and E-Oppression would be far more successful, no doubt.
CC Licensed Serialized Story and Podcast: Ingenioustries
Neato! I caught this story right when it went on slashdot's main page, 0/3 comments and got the vote tally, we can safely say that this is pre /. effect. Now, I think I know which way most slashdoteers are going to vote, and we've already seen vote skewing here when a sig told people to vote no on Verisign all through September and October (it got around 5000 votes at the end of the month as I recall), let's see how slashdot affects a slightly larger traffic/voting site:
/. effect:
So here are the current vote totals, pre
24692 Responces
27% Yes
41% Not today, but maybe soon
29% Never (Likely to spike? Let's see!)
2% None of the above
Since when has this country used intellectual elite as a pejorative term?
Why should we trust their voting systems without auditing?
can you really trust voting results/percentages of an e-voting firm that was hacked?
So what, your telling to vote on the internet to tell them that I dont want to vote on the internet? Quite astounding indeed...
Speaking at Defcon 12 - Credit Card Networks Revisted: Pen
Let's ignore hacking and break-ins. Those are too easy. Vendor bugs are bad enough. There have been bugs that cause automatic medicine dosers in hospitals to give out too much medice and almost (or completely) kill a paitent. I'll go vote for candidate Ham Sandwich, but how do I know some bug won't cause every vote for his oppoent, Mr. Mayor, to be counted 100 times? These things just seem to happen more and more.
So what WILL have me trust it? Let's set it up like a slot machine is set up. It has it's software burned into some ROM. It should be thouroughly tested by independant labs, the code should be available for me to look at, and I should be able to read the ROM chip after the elections are done so I know that it's got what it's supposed to on it (not that many people would do this, but it should be an option). When I'm done voting, it should print out a paper punch ballot that I can look at to see that it voted the way I told it to. The voting commisions can use the electronic results, but a random 5% of all districts every election should check the electronic counts against the paper ballots to make sure nothing weird is going on there. And most importantly of all (and like a slot machine), YOU SHOULDN'T BE ABLE TO CHEAT. Shock it with 10,000,000 volts to make sure it doesn't mess up and let me vote twice. Punch it and kick it and do anything possible (and then some) to make sure it still functions correctly, just like a slot machine. Slot machines go through all that because they might be responsible for millions of dollars. My vote should be worth more than that, and there for should have TOUGHER standards behind it.
In short, I don't trust e-voting. The only way I'd LIKE to see e-voting is that you choose your candidates on the computer, then it prints out a punched ballot (with names and all, so I can see it did things right) that I turn in, and THAT'S my ballot; the machine is nothing more than a ballot punching tool and holds no results of it's own. I should be able to do it all by hand if I want. This is the only way I'd like to see e-voting, and the description above is the only way that I'll accept it.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Someone probably rooted their linux mail server with a cracked account, and took the code for their app in the process.
Anyone want to bet they are in violation of the GPL, and we might just see the code itself under posted to the net any day now?
-- lk t lv ll th vwls t f wrds. T svs lts f tm t wrt bt ts pn n th ss t rd nd mks m lk lk cmplt dpsht.
The poll has apparently been closed already. Not sure what to make of that, but perhaps yet another political slant. At least CNN isn't as imbalanced as Faux News.
Anyway, on the substantive issue of reliable voting, computer security is NOT a done deal. This networking stuff is great in many ways, but there's a big problem when everything is connected together. You hack into one part of the system, and you've exposed various other parts to attack. The old idea was to make a secure perimeter with firewalls and DMZs and so forth, and you could keep something safe inside, but that's called the "eggshell model" now--turns out to be relatively easy to breech and you still need strong security for EVERY machine with ANY sensitive information on it. Someone in the office took his notebook computer home for the weekend, and you can never tell what Trojan backdoor is inside your network now.
Of course, the BIG threat here is abuse of power. No one needs to be protected from weakness, but powerful people often want MORE. Not an independent event--that greed is usually part of how they got there in the first place. Consider the recent example of Arnold in California and the selection in Florida in 2000...
If our votes are to have ANY meaning, they must be protected, and it is very clear that some people will play ANY game that will win more power. Voting machines as secret slot machines? Would you trust Las Vegas THAT much?
Simple. Print the ballots. Let the voters LOOK at what the ballot says, and save it. It's convenient that the machine can also report the results quickly--but NOT convenient that any computer can be hacked.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
E-voting is a reason not to trust e-voting. Slashdot just has story after story of how these big "trust us, our stuff is fair" e-voting companies have problem after problem after problem. Things are bad now, but imagine the kind of stuff that might come up if it was legislated that the 2004 Presidential Election had to be done on these systems. What happened in Florida (which was largly the fault of people who were too desperate to not loose to care about anything else, since the recounts and recounts didn't change anything) would look like a cakewalk compared to finding people who got to vote in 12 districts, those who's votes were counted 10,002 times, and the fact that anyone with a "A" or an "E" in their last name (BUT NOT BOTH) could only vote during odd numbered minutes of even numbered hours in districts that are prime numbers or some other rediculous things that at this rate seems it could easily turn up.
I'm all for MS bashing when they deserve it, and they may be the number one reason people don't trust e-voting (allbeit indirectly); but there are REAL reasons why people shouldn't trust it, and if it were to get reported more, then people still wouldn't trust the things, it would just be for the "right" reason.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
The EFF is organizing a petition to encourage IEEE to set trustworthy standards for electronic voting. Read about it and join the petition here:
http://www.eff.org/Activism/E-voting/IEEE/
"EFF supports the IEEE in taking on the issue of setting standards for electronic voting machines. We also support the idea of modernizing our election processes using digital technology, as long as we maintain, or better yet, increase the trustworthiness of the election processes along the way. But this standard does not do this, and it must be reworked."
Slashdot Moderation: From positive to terrible in 2 "insightful" posts.
I questioned whether it was Alanis Morrisette-like irony or real irony that a company charged with securing internet voting had their servers hacked and also alluded to the possibility that the 2004 presidential election will make us all remiss for the stability of the 2000 elections.
It was actually one of my better submissions. It was funny and yet pithy. It had pith. Real pith.
...
But this submission is ok, I guess...
-- You see, there would be these conclusions that you could jump to
From the little I hear about US elections (and let's face it that's gonna be all the cock-ups & bad press) I wasn't aware that people a) voted much, or b) had much faith that the votes were fairly counted and apportioned anyway...
Then again, perhaps I need to find an alternative to Michael Moore as my sole window into US POlitics.
"It is the prerogative of fools (or noobs) to utter truths that no one else will speak."
Why the love affair with "technology assisted" voting? What is wrong with the good old paper "secret ballot" that is counted by hand. Canada can do it. Australia can do it (and actually invented the "secret ballot").
No chance of dodgy software. No hanging chads. Automatic audit trail. Either number the candidates in your order of preference (automatic runoff style / preferential) or simple tick the person you prefer (or hate the least).
Securing HR data and salaries is basic, basic stuff. I would have some sympathy if Joe Schmoes Pizza barn had there salary and HR data compromised, after all they make pizzas, IT is way down the line for these people.
But lets face it, if you want to manufacture eVoting technology then securing the network is a crucuial part of that technology.
If THEY can't secure there own HR and payroll data then how am I supposed to trust them to handle evoting competently?
I'm not trying to troll here...but hear me out: People simply don't trust electronic voting...as a geek this makes me very sad, because voting is something that could and should be more automated.
Why should voting be more automated? The only reason ballot counters are used is to rig the election. Several contries around the world conduct elections with hand marked and hand counted ballots and do just fine. Automation just makes it that much easier to rig the vote. Voting SHOULD be difficult, hard to quickly count, and should envolve lots of people in the process. When one person or a small group gets to count the ballot or gets to build an automatic system to count the ballots it is far easier to bribe or threaten that small group and rig the election. Any kind of automatic system should be questioned, be it scantron systems, pull lever voting machines, or computers. It is all designed to hide the vote from the public NOT make voting safer. I don't trust computers not because I am ignorant of what they can do because I know exactly what they are able to do and how easy it would be to rig an election.
If it is not a paper ballot and the ballot isn't counted at the polling place in public view then you shouldn't trust that vote. Most places in the USA the ballots are not counted at the poll. They are hauled away to the court house and counted out of public view. No way to be certain that the ballot box is the same one that left the polling place and no way to have the public watch the counting. This is by design to aid in vote fraud. We haven't had a free election in most places in the country in years.
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
The only valid reason I've heard of for e-voting is to purely speed up the counting of the votes, so that the result of the election can be known much quicker than via hand counting.
Commonly people seem to assume that this means replacing paper votes, or rather, more specifically, replacing an auditable paper trail.
So we have a additional-efficiency model verses a replacement model.
For some reason, the model that has been adopted (and maybe encouraged by the "US" governement aka GWB) by these E-voting companies is the replacement one. Who knows why, although the conspiracy theorists would suggest Florida 200(? - I'm Australian, don't know exactly when the last US election was).
Of course, as all slashdotters know, under the replacement, electronic only model, security and accountability are a lot harder to do. All these e-voting security stories, such as this one, are evidence of that.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
The future of E-Voting to be decided by an E-Vote.
About fifteen years ago, when last I checked, there were many dead people voting in Philadelphia - however, it was found that roughly as many dead people voted Democrat as Republican, so neither party bothered to invalidate the vote.
It is also only within the last few decades that states have inacted laws to keep campaigners away from voting booths where they could "help" people choose whom to vote for.
Voting in the United States has long been wrought with fraud and inaccuracies, and as long as that fraud is equal on both sides, the system has worked.
Now, if there were more than two viable parties, then it might be a problem. But since there aren't, I will consider my vote as secure electronically as it is non-electronically.
I, for one, welcome our new President, Kevin Mitnick.
pr0n - keeping monitor glass spotless since 1981.
Now, what many of you might not know is that the VoteHere source code has been used in entrapment attempts. Specifically, with me, and I documented the entrapment effort at the time. Pure retaliatory crap designed to find a way to get activists to shut up.
Next, it is not surprising they will try to link it to the Diebold files. But that's bullshit, too, and here's why:
The FTP site wasn't hacked, it was sitting there. Look in any user manual and you'll see the address.
The memos weren't hacked either, they were obtained with an employee ID number.
Now, are you ready for this? I've had dealings with both the Diebold memo leaker and this supposed "VoteHere" hacker. The second person is NOT the same as the first, and I find it extremely interesting that VoteHere is trying to claim it's the same person. I am dead-certain it's not.
This "VoteHere" hacker tried to dump the VoteHere source code on me; it was simply dumb; first of all, VoteHere was supposed to be going public with its source code, so who in their right mind would want to steal it. I certainly didn't want to touch it.
Then this "VoteHere" hacker agreed to a telephone interview with me. He made some claims about who he was, but was unaware that I had additional information from inside sources that would allow me to test the veracity of his claims. The first question I asked was a test question; he put me on "hold" and then came back and offered a lame-ass guess which immediately caused him to fail the ID contest.
I believe this is going to turn into an entrapment scheme. Some activist somewhere is going to get nailed, probably that's already in the works. That's because they were running around offering this honey pot and, unfortunately, some naive activist probably bit on it.
By the way, I asked the supposed "hacker" point blank how hard it was to hack into a company that specializes in encryption. Every time I asked a tough question, he had to put me on hold and go ask someone what to say. His answer was totally unconvincing.
The voice on the phone was quite distinctive, and matches another voice I've heard on the phone. I will be only too delighted to share what I know with the authorities. Just hope I get an honest cop.
The timing on this is very interesting. The chairman of VoteHere, Ralph Munro, is former Washington State Secretary of State and a few things are starting to pop in relation to the use of unauthorized voting software under his watch, and an ethics complaint that's being filed, or has been filed.
I'll be on the Mike Webb Show at 11 p.m. tonight (Pacific time) and will discuss this at more length.
Bev Harris
Black Box Voting
As somebody that worked as an Inspector for my area (that is, the person present and in-charge of a voting site) back in 2002, let me tell you: if more people volunteered and got to see what a chaotic mess ballot-handling is *now* most of them would be all for computers.
The Inspector position requires a grand total of *two hours* of training, during which we sit watching a few lectures and quick run-throughs. That includes everything from what time you show up, how to set up booths, all the way down to tallying votes after the poll closes and where to bring the materials afterwards. Officials working with an Inspector can show up for training but don't have to. This means that at any one polling place, you might have *one* person that *might* know WTF is going on and *might* be there.
My location alone had problems with volunteers not paying attention, marking things wrong -- we at one point were HUNDREDS of votes off in the tally because of one person screwing around -- misplacing things...people showing up and trying (almost successfully) to intimidate pollworkers into letting them vote twice or without an ID...there's no doubt in my mind that half my team could have easily been bribed for very little money, as they were only there to supplement their income.
Overall, the day was a real eye-opener for me. The assumption that having it all done by hand means it's being controlled by professionals, or that public "paid volunteers" are automatically going to be more trustworthy than a trained force is from what I saw simply inaccurate...anybody certain that it's a great setup needs to spend a day volunteering as Inspector to find out what things are *really* like before assuming computers are inherently less reliable, believe me!