Slashdot Mirror


Vote Tabulator Security Hole Exposed

Doc Ruby writes "Black Box Voting has exposed a security hole in Diebold machines that tabulate votes collected from electronic voting machines. A code entered into the tabulator's user interface duplicates the "secure" counts into an insecure count which can be changed, and counted instead. The "double books" vulnerability and exploit were reported to the manufacturer over a year ago, and confirmed, while major customers (California and Washington states) were notified shortly thereafter. In spite of some revisions, the latest version of the software remains insecure. Diebold voting machines running GEMS version 1.18.x are vulnerable, running in about three dozen states. Although the software is widely deployed, and scheduled for use in shortly upcoming elections, risk mitigations are available, mostly protocols restricting physical or network access to the machines. Other auditing/accountability measures for ensuring only trusted access to the system are recommended."

12 of 530 comments (clear)

  1. Captain Obvious Strikes Again… by Izago909 · · Score: 5, Interesting

    For all the banter that goes on here, we all know how this is going to turn out. Everybody bitches and moans about it, and the mainstream press runs toned down stories. In the mean time, people who know what's going on continue to look like crazy conspiracy theorists. End result: The public won't know or won't care until a massive mistake is uncovered after the person enters office and everyone realizes that they've been living under the authority of a false representative. Of course, that's provided said person doesn't pass a law to protect people in his situation once they're discovered.

    1. Re:Captain Obvious Strikes Again… by Anonymous Coward · · Score: 5, Interesting

      The number of security flaws with these machines has been tremendous, not to mention odd little programming tricks like dividing and multiplying the number of votes by 1 (anyone doing a little binary patching should know why this is significant).

      The CEO of Diebold is a friend of Bush and, during a charity dinner, has stated that Diebold will do everything it can to deliver as many votes to the Republicans as possible.

      A few gubernatorial elections using Diebold machines have had upset elections going to the Republicans when exit polls suggested a Democrat victory with 60+% of the vote.

      It could be a coincidence but the secrecy and suspicious number and types of bugs does not bode well.

    2. Re:Captain Obvious Strikes Again… by John+Miles · · Score: 5, Interesting

      The level of complacency after the 2000 fiasco, which no doubt some very sharp minds took note of, underscored that people just really as a whole don't give that much of a damn about democracy in the US anymore.

      One way to interpret hairsplitting fiascos like the Y2K election is that perhaps it doesn't really matter who wins.

      That could explain the lack of revolutionary outrage after the (s)election of Bush. The reason the 2000 election was so close was that the outcome, in the collective hive-mind that is the American electorate, just wasn't that important.

      Landslides tend to happen when things suck, the candidates offer genuinely-different positions, and the need for change is acute (e.g., Carter's loss to Reagan in 1980). We're heading into another epsilon-fest in 2004, it seems, because the public is being given a choice between two rich white guys from Skull & Bones whose policies appear all but indistinguishable.

      --
      Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
  2. So impatient! by Anonymous Coward · · Score: 5, Interesting

    Technology is a wonderful thing.

    But come on. Are we so ADHD in this country we can't vote on paper and wait for real people to count them? Yes, there will be mistakes... but at least if a recount is needed, there's a paper trail.

    If you don't have time to do it right, when will you have time (or in this case, an opportunity) to do it over?

    Can it be? A free PC!?

  3. Wow... by autopr0n · · Score: 5, Interesting

    Is anyone else suprised by how bad diebold's coders are? I mean seriously. I know microsoft can't make their products secure, but they have millions of lines of legacy code and compatability issues. This isn't an excuse, but building a secure system from the ground up should be pretty straight forward, honestly.

    Security should have been the top priority the whole way through, but apperantly it wasn't. Pretty amazing, IMO.

    And wtf, they can't fix a bug in a year? They're not going to have it fixed by Nov? Jesus, what is it with these people.

    Also, this is kind of boring. Anyone involved in the RNC convention or the protests around here?

    --
    autopr0n is like, down and stuff.
  4. Wow. What a perfect "mistake" -- it functions! by CFD339 · · Score: 5, Interesting

    So let me understand. Entirely by accident, if you enter a specific code at the machine, a transparent and highly successful process takes the existing collected data and makes a duplicate of that data which can be altered and fed into the combining and counting process.

    Someone must have REALLY misspelled an important constant, no? I mean, what are the odds? When I screw up, the code usually just fails to compile or takes out the vm. Someone needs to find the guy who "accidentally" did that and get him to buy lottery tickets for all of us.

    wow.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
  5. Re:In times like these one has to wonder... by jd · · Score: 5, Interesting
    Oh, that seems certain. The "enter a code and we'll count the wrong column" 'bug' is almost certainly a left-over from code testing. That sort of "bug" doesn't occur because of a typo in a program, it's a deliberate test for a condition followed by a deliberate change of column selection.


    Once "QA" (or what passed for it) was complete, either they forgot to remove the code, or they thought it might be a useful monitoring/debugging tool in the field.


    Normal coders would wrap any such test-only code in #ifdefs, so that it wasn't active for normal use. But these aren't normal coders, so we can't assume that.


    However, it is entirely on-par with people like Cisco shipping routers with a trivial password for the technicians.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  6. Florida and their e-voting problem by BadluckShleprock · · Score: 5, Interesting

    Back in 2002, Miami-Dade had an election using touch-screen voting. In some circumstances there were more votes than registered voters, and in at least one instance an entire day's votes in one machine were "accidentally" erased. No paper backup means the votes were lost in the ether.

    Since each state is responsible for operating the voting process, you'd think that Jeb Bush (the Governor) and former Orlando Mayor and now Secretary of State Glenda Hood would have been outraged. Jeb's reply was "why can't Democrats learn how to vote?". Glenda Hood's response was "that doesn't mean that we need to have a paper trail." She has this big bug up her ass that printed receipts would cause a repeat of the 2000 debacle when in reality the 2000 debacle was 100% caused by the old punch cards being difficult to scan. A paper printout would simply be a way to recount votes that aren't up to speculation by the person doing the recount (i.e. they know exactly which votes are cast.)

    P.S. Diebold Sucks!

    --


    ------
    There's a fine line between cuddling and holding someone down so they can't get away.
  7. Why this is scary by tedit · · Score: 5, Interesting

    While a lot of people will say that screaming about insecure voting machines is a bunch of FUD, I think there is a legitimate reason to be far more scared of insecurities in digital voting than in the traditional kind. The nice thing about paper/punchcards/crayon is that the scale of fraud is limited by the physical nature of the medium. It's tough to dispose of a lot of votes without anyone noticing a precinct is missing, and it's difficult to make much of a differece forging individual ballots. The problem with electronic voting is that like every other industry that's gone digital (accounting to spreadsheets for example), the scale and efficiency of mundane tasks is amplified by many orders of magnitude. It's tough to make much of a dent in an election by registering under ten names and voting ten times. It's easy (if you have an exploit) to to click once to change 10,000 votes in a manner that looks utterly plausible. So for all the talk of just giving red meat to the media to have another thing to panic about, I'd say why the heck can't we force Florida to print paper reciepts?

  8. Why reprogrammable computers? by gorehog · · Score: 5, Interesting

    I asked this before and am going to ask again.

    Why do we insist on using voting computers which are reprogrammable. These are all Von Neumann architecture machines. As computer scientists we should be able to find a more appropriate architecture for voting. Something where the code is not alterable, something where the counts are not chanegable.

    Think about it. And if you dont understand the question then learn about computing architecture. There are computers other than the multi purpose kind. They tend to be single purpose and far more efficient at their designed jobs.

  9. Dieblod Rep Conversation by jxs2151 · · Score: 5, Interesting
    I had a nice little conversation with a Diebold guy at the Maryland State Fair Saturday. The State of Maryland had a booth set up there allowing people to "vote", showing how "easy" it was to use the machines. I turned around and asked the guy for my paper receipt or some proof of who I voted for. He got real defensive when I suggested the that machines had been compromised. He tried to move me away from the crowd that was there, even though I wasn't being loud. I stated that unless the source code was open to inspection that the public had no way of trusting the voting process. He replied that the code would be held in escrow by a trusted authority- the State of Maryland. I laughed, and laughed some more at the thought of those who had the largest vested interest in the outcome of the vote being "trusted" to ensure the accuracy of that vote.

    Diebold has a huge investment in this and sees dollar signs well into the future if their machines become the standard. Just think about how long the mechanical machines have been around. Diebold wants that kind of longevity for their product.

    I am not against a company making money, far from it. However, making your money off the most important process in America cannnot be ethically supported. I left telling the Diebold guy that I enjoyed toying with him. He was left with a chagrinned look on his face, knowing that the road ahead is gonna be tough.

    I was not willing to return and pay another entrance fee to bring materials back to prove this guy wrong so do me a favor- if you are planning on going to the MD State Fair, take along some materials to back up your arugment and take some potshots at the Diebold guys.

  10. Shhhh by AoT · · Score: 5, Interesting

    Don't tell anyone we have endemic corruption in the US political system! They might start gettting ideas and, gasp, start voting for other parties, or worse, get off their ass and really try to make some changes.

    Shit, I'm an Anarchist, I'm for world revolution and all that, but at this point I'd be pretty fucking content with a government that doesn't put its citizens in what amount to concentration camps for smoking a fucking doobie. I mean come on!

    What I really don't get is why so much of the right wing supports all the roll backs in civil liberties. Do you remember the clinton years? Ruby Ridge and other incidents should worry the hell out of you because there will be another Democratic Administration sometime, even if it isn't '04.