Slashdot Mirror


Maryland Electronic Voting Systems Found Vulnerable

snoitpo writes "My fine state (Maryland) has hired some people I can respect to hack into Diebold voting machines. The Washington Post (read it free for 2 weeks) has the details. From this story and the one on NPR, the state hired a company and set up a test voting precinct and had the group try whatever they could to break into the machines. Most of the attacks would probably be noticed by an even-half-awake poll staff, but some vulnerabilities were exposed. The net seems to be that you could really mess up individual machines, but the grail would be to get to the central collection servers and send a megavote to your favorite candidate. The last paragraph mentions problems that voting machines had in the last election in Virginia; it's interesting to note that those use wireless networking--my jaw has dropped onto my keyboard and I can't comment any further." Other readers sent in two stories in the Baltimore Sun (1, 2), and one in the NY Times.

4 of 417 comments (clear)

  1. Diebold knows security like I speak Klingon by akad0nric0 · · Score: 5, Interesting

    I worked for a nameless financial institution. We had a certain number of Diebold Windows XP ATM's. 100% got infected with a virus that exploited a well-known vulnerability. We demanded Diebold agree to forfeit admin control of the systems or patch them within a short window of patch release.

    Their response: "We'll put firewall software on the machines."

    Since the contract was already signed we had no leverage and that ended up being the solution. Nice, eh?

    --
    akad0nric0

    This sentence no verb.
  2. What bothers me by morleron · · Score: 5, Interesting

    I heard the NPR story on yesterday's ATC and was struck by the reporter's failure to ask some hard questions. For instance, there was a statement by a Diebold spokesdrone to the effect that "we fix any security issues that we think could be a problem." There was no followup regarding earlier reports of a Diebold built-in backdoor to the systems "for maintainence purposes.' A back-door which, IIRC, required no password or user id to gain access to the server's databases.

    Also, there was no discussion of the debate between those of us that believe that the e-voting systems should be required to use Open Source software vs. folks at Diebold and other vendors, who foist off the "trust us, we know what we're doing" line on the public. There was no real discussion of the effect that questionable e-voting results could have on the American political system. There was also no mention of the fact that Diebold's president is involved with raising money for the G.W. Bush re-election campaign and has pledged, IIRC, "to do everything I can to deliver the vote to George Bush." All in all I'm afraid that NPR really dropped the ball on this particular issue.

    Just my $.02,
    Ron

    --
    Impeach Barack Obama for violating the Constitutional requirement to be a "natural born" citizen to hold the office of P
  3. I haven't been concerned about outsiders... by praedor · · Score: 5, Interesting

    hacking into the voting computers. It's the insiders with an agenda that I am concerned about. The ONLY way to get around this is with a voter-verifiable paper trail AND taking the vote counting away from corporations that create the machines and putting the counting where it belongs: citizen groups.


    Diebold and ALL the other commercial vote machine vendors are heavy Republican donors and, particularly in the case of Diebold, run by individuals devoted to getting Republicans elected and Bush elected (I can't say "re-elected" as he didn't get elected in the first place). THESE criminals have the means and motive to taint the vote...in secret! They are in control of the machines and the vote tallies. They cannot be trusted, given how openly partisan they are.


    It is NOT the random outside hacker we need to worry about that much (sure, protect against it), it is the machine makers and vote counters themselves that have to be protected against. Ask yourself this: Why is it that EVERY vendor of voting machines are so adamantly opposed to any paper trail possibility? Why are they so strenous in their arguments against it? Because it would queer their ability to tamper with the vote tallies.


    Voter-verifiable paper trail. It's the only way to be sure.

    --
    In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
  4. Re:Need paper receipts by Jerf · · Score: 5, Interesting

    In order to compute an MD5 hash, you must include every last bit of data used to create the hash.

    In order for the voter to verify their vote, you must give them every last bit used to compute the hash.

    If we assume that we are not printing out the voter's vote, then we must give them everything else, plus we must give them exactly how the vote was encoded.

    Otherwise, neither they nor anybody else can every verify the has by re-computing it.

    Once somebody has all the data, plus precisely how the vote was encoded, it is trivial to take the hash of (all voter data + all possible votes) and determine which matches the hash. Thus, we are still giving the voter a piece of paper that confirms exactly how they voted, making them susceptible to all vote-selling and other such nasty scams.

    There is no way to give the voter the ability to verify their vote without also giving someone else the ability to reverse-engineer the vote in trivial time with an MD5 hash. If even one bit is kept from the voter, they can not verify. If all bits are given to the voter, then anyone can verify. There is no in-between.

    (Even if you ask the voter to provide some secret, it can be beaten out of them, and it can be trivially positively determined whether a given secret is the one in the hash; this is one of those cases where more security is bad; see how making cars harder to steal has increased carjackings, a far more dangerous crime.)

    There is no way out. You must not allow the voter to take any proof of their voting out of the booth; they must leave all evidence in the booth or the system breaks. That's why a paper receipt is desirable, but the system must keep it.