Slashdot Mirror


More Diebold E-Voting Vulnerabilities

presmike writes "ok, it looks like Diebold has more to worry about now that it is possible to change votes with a 5 line VB script. 'The vulnerabilities involve the Global Election Management System, or GEMS, software that runs on a county's server and tallies votes after they come in from Diebold touch-screen and optical-scan machines in polling places.'"

27 of 535 comments

  1. Re:Blimey by AKAImBatman · · Score: 5, Informative

    vbs script running in the background, well, they don't say it but it seems obvious that GEMS is running in Windows, the most breakable OS in the world.

    It's worse than that. From this link:

    She has no way of knowing that her GEMS program is using multiple sets of books, because the GEMS interface draws its data from an Access database, which is hidden.

    Getting a warm and fuzzy feeling yet?

  2. diebold, worry? by Triumph+The+Insult+C · · Score: 2, Informative

    the ceo is a good buddy of dubya's. what has diebold got to worry about?

    all he (Walden O'Dell) needs to worry about is following through on his promise to "help deliver its electoral votes to Bush"

    --
    vodka, straight up, thank you!
  3. Re:Amazing by Kenja · · Score: 5, Informative

    Given that the ATMs run unpatched Windows XP and have in the past been hit by internet worms I fail to see what's so shocking about any of this. I will not use a Diebold ATM, even if that means I don't eat lunch because there's no other source for cash handy.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  4. Blown out of proportion by pridkett · · Score: 3, Informative

    This is blown WAY out of proportion. The GEMS system doesn't actually count votes, that is still left up to the board of canvassers for each state. What GEMS does is provide a very fast way to get an UNOFFICIAL vote count for the state. From that aspect it's almost completely designed for the media that wants to know who won right away.

    Yes, it's a fact that GEMS is a web based product that utilizes off the shelf software as parts of interfaces (Windows, Access, etc). But it also should be noted, that web based does not mean connected to the web. If you read about the situation in Maryland, you'll see that the GEMS systems can only be connected to via modem and the modems have to be manually enabled to receive data. Thus you'd need to convince someone to turn on the modem and then call in to run this script. (Insert Kevin Mitnick social hacking commentary here.)

    That being said, that doesn't excuse the programmers from anything. Yes, it's a bug. Yes, in voting systems it shouldn't be there. Yes, open source would be better. But this is misleading because it doesn't have anything to do with an individual vote or the official vote count for the state.

    --
    My Slashdot account is old enough to drink...
    1. Re:Blown out of proportion by xstonedogx · · Score: 2, Informative

      Here's the problem: Exit polls aren't perfect, but at least, unless the media is lying, they are somewhat representative of how people actually voted. If there is a wide discrepancy between the exit polls and the actual election results, we know something is up. With the media getting information from GEMS we don't have that.

      What's worse, the media influences how people vote. If non-Bush voters think Bush has already lost they'll be more likely to vote for their desired third parties (if any) rather than Kerry, which could very well result in a win for Bush. So I think it's a genuine problem if even the unofficial tally can be corrupted so easily.

  5. Re:A Better Voting Machine by gorbachev · · Score: 4, Informative

    Business2.0 had an interesting article on an electronic voting machine idea David Chaum has come up with.

    Diebold is taking shortcuts trying to maximize short term profits. Corporate greed at its best.

    --
    In Soviet Russia, I ruled you
  6. SciAm by Paulrothrock · · Score: 4, Informative

    If you'd like some more in-depth knowledge about voting machines, Scientific American is running a great article in their 10/2004 issue.

    --
    I'm in the hole of the broadband donut.
  7. Re:Amazing by AKAImBatman · · Score: 5, Informative

    Actually, the Diebold machines were partly responsible for the 2000 election fiasco.

  8. obligatory plug for blackboxvoting.org by dogas · · Score: 5, Informative

    black box voting has 5 (!) different demonstrations on how easy it is to hack these things. There is also an online book (in PDF format) all about how bad the situation really is.

    This is serious. Not only are they using a microsoft access (!!) database to store your vote, they are using a non-password protected access database.

    Not only are they using a non-password protected access database, you can gain access to the .mdb by hitting a certain key on the touch screen and manipulating at will. Are we living in crazy world?

    --
    'When the going gets weird, the weird turn pro.' -HST
  9. This is written up in detail... by Anonymous Coward · · Score: 1, Informative

    There is a more detailed technical and legal analysis over at Politics Web. It seems that Diebold may face federal sanctions as well as lawsuits from several state Attorney Generals. It is a very sticky issue for Diebold indeed, it seems like their time may come, but the damage already done by states that have irreversibly replaced their voting machines that they cannot get rid of in time for elections this fall. link to article.

  10. Re:Blimey by Phisbut · · Score: 2, Informative
    But it sounds like the Diebold flaws would be present regardless of their platform choice.

    True, this is not a Windows flaw, it is a Diebold flaw. However, if Diebold ran on another platform, it would probably take more than 5 lines of vbscript written in Notepad to decide who gets elected.

    Part of having a stronger security is making it harder for the crackers to do things.

    --
    After 3 days without programming, life becomes meaningless
    - The Tao of Programming
  11. Re:In Canada by sylvester · · Score: 2, Informative

    It's called a spoiled ballot, and you don't count it.

    -Rob

  12. Re:diebold by Anonymous Coward · · Score: 3, Informative

    I ran "Diebold" through Google's german to english.. got this..

    "Thief old"

  13. Re:Amazing by Anonymous Coward · · Score: 4, Informative

    from the MySQL documentation... http://dev.mysql.com/doc/mysql/en/Subqueries.html "Starting with MySQL 4.1, all subquery forms and operations that the SQL standard requires are supported, as well as a few features that are MySQL-specific."

  14. In related news, Diebold denies any backdoors by Takeel · · Score: 2, Informative

    Yesterday, Diebold sent out a PR piece over BugTraq saying that "Diebold strongly refutes the existence of any 'back doors' or 'hidden codes' in its GEMS software" in response to a BugTraq post in August that announced the discovery of a backdoor in GEMS. The backdoor announcement wasn't substantiated with any technical details.

    While this Slashdot article appears to reference a vulnerability rather than a backdoor, I just thought that some might find this to be an interesting related story.

    Here it is from the horse's mouth:

    http://www.securityfocus.com/archive/1/375954/2004-09-19/2004-09-25/0

  15. Brazil's Voting System by gihara · · Score: 5, Informative

    Why not simply license Brazil's Voting System? I am working as a volunteer in Brazil's city elections this year. The machines are simple and reliable, here are the specs.

    CPU: Geode National - 200 MHz. RAM: 64mb on board. 2 USB and 1 parallel on board. IDE and Floppy interface. 2 30mb flash disks - one for program and the other for the results. 1 floppy disk drive - sadly that's how we deliver the votes... but it's quite error free because the votes are also printed. and there's also the flash disk. 9,4" LCD

    Here's the new model http://www.procomp.com.br/projesp.asp

    The only real bug in Brazil's voting system is the elector heehe... We elected a drunk last election for president... well... better than Bush... but still a drunk... ehehee

  16. Re:Blimey by merlyn · · Score: 4, Informative

    At least in Georgia, "vote absentee" won't help. They take those absentee ballots... AND KEY THEM IN ON A DIEBOLD VOTING MACHINE!

  17. Re:Get rid of E-Voting now! by Phisbut · · Score: 2, Informative
    Why even hire people ?? Here in Canada the counting is done by volunteers of each party.

    It's not exactly that way. The counting is done by employees of the government, but it's done out loud, in front of a bunch of witnesses, among which there are up to 2 people representing each party. Only the witnesses are volunteers, the person who does the actual counting (taking the ballot, reading the ballot, saying who the ballot votes for, showing the ballot to all the witnesses) is employed and paid by Election Canada.

    P.S. I know all that because my wife did exactly that at the last federal elections.

    --
    After 3 days without programming, life becomes meaningless
    - The Tao of Programming
  18. Re:Priceless by Anonymous Coward · · Score: 1, Informative

    Here is the link to the blog post from above.

  19. Re:Blimey by Thomas+Miconi · · Score: 4, Informative

    What I don't get is, why do the US insist on having electronic voting machines ? I presume the 2000 fiasco prompted some kind of overreaction, but why not simply go to a plain paper system ?

    In backwards socialist pro-islamofascist hellholes such as France, elections are 100% paper-based. People walk into the local voting point and (after registering and showing their elector card) are presented with a number of bulletins, each of them bearing the name of a candidate. They take several of them, walk into the booth and put the bulletin of their choice in an envelope. Then they walk to the ballot box and drop the envelope.

    The integrity of the vote is ensured by the most primitive (and efficient) method around: after the vote is over, bulletins are counted by officials in each voting point in presence of the public. Bulletins are handpicked from the box, the main official reads the name aloud, and shows the ballot to other officials present and to the public. The names are also written down by two other officials. The total figures are then transmitted to a central office in Paris. On the next morning, people can check in the local newspaper that the vote count reported for their precinct corresponds to whatever was announced at the voting point.

    This system is simple, efficient, and reasonably fool-/fraud-proof. Can someone explain to me the exact problem with it ?

    Thomas-

  20. Re:Voting machines vs. other machines by fishbowl · · Score: 2, Informative


    "I wonder what medicine and aviation would be like if their devices were allowed to be built like Diebold builds their machines."

    You slept in yesterday.

    http://it.slashdot.org/article.pl?sid=04/09/21/2120203&tid=128&tid=103&tid=201

    --
    -fb Everything not expressly forbidden is now mandatory.
  21. Good Description with Pics by canfirman · · Score: 3, Informative

    Jim Marsh's webpage, "The Howard Dean Demo" (http://www.equalccw.com/deandemo.html), shows in pictures how easy it is to manipulate the votes. It makes you wonder why the government pushes ahead with electronic voting when they know there are problems.

    --
    It is not our abilities that show what we truly are... it is our choices.
  22. Re:Amazing by MoebiusStreet · · Score: 4, Informative

    To be correct, the system isn't "written in Microsoft Access".

    Access is a RAD development system that uses Microsoft's JET database engine for data storage. (Actually, these days it prefers to use MSDE, which is a stripped-down SQL Server, but JET is still supported).

    I have developed many departmental-scope apps in Access, and more in "real" languages using the JET engine. But anyone who would choose to use Access for such a large-scale system really needs their head examined. This isn't MS-bashing, they tell you what Access and JET are good for, and I don't think that Microsoft themselves would advocate this usage.

    Reading through the Wired article, it appears that the Diebold programmers know very little about the correct usage of relational databases. Anyone who builds a data model that looks like what this article implies should not be entrusted with the keys to our democratic process.

  23. Re:In Canada by cybergrue · · Score: 3, Informative
    Sounds neat. What do you do if the person marks the ballot incorrectly
    Any clear mark counts. An X, Check Mark, circle filled in completely, smiley face, etc. The point is that the voter's intention is considered to be more important than the method. A ballot is spoiled if the scrutineers cannot determine the voter's intention, i.e. two or more names are marked somehow.

    OK, some background on how a Canadian Federal Election is held. First of all, there is a federal agency who handles all federal voting in Canada, called Elections Canada. These guys take their political neutrality very seriously. Every riding is divided into polling districts. There is a polling station for a max number of eligible voters in a geographic area (1000 I think, I don't think there is a minimum. I saw polls in the last election returning 6 votes)
    Many times multiple polls share the same voting station. Upon entering the station, you are directed to the correct poll, where you show your eligible voter card (they mail this to you a few weeks before the election, I don't know why they don't ask for photo ID) and your name is marked off on the voter list. You then get the ballot. It's one issue per ballot, where the candidates are listed in alphabetical order, with party affiliation after the name. The ballots are printed on a brown construction paper with a ballot ID number printed twice, one on a tear off strip. There is a black bar vertically down the right side of the ballot with a blank circle next to each candidate's name. After getting the ballot, you walk to a table in an isolated area with a white shield set up for privacy. You mark the ballot, and fold it up before returning to the poll. There the staff take the folded up ballot, rip off the tear off strip in sight of you, and hand it back to you (although I have seen places tear off the strip before giving you the ballot). You then put the ballot in the ballot box (white cardboard again) and the staff puts the strip in a separate box. This keeps track of the ballots without identifying who cast it. This way if you spoil your ballot, you can ask for another one without them worrying about having extra ballots in the box. btw, the person who crossed your name off the voter list is never the person who gives you the ballot, so no one knows which vote you got, or who you voted for. Also, it allows the staff to determine if a ballot has gone missing. (There is a bizarre tradition of people eating their ballots as a form of political protest.)
    Besides the poll staff, there are observers (usually from the political parties) These observers are called scrutineers. They observe the ballot box is empty before the poll opens, and is not tampered with during the course of the election. After the poll is closed, the ballot box is opened, and the counting begins. Technically, any scrutineer can void any ballot by claiming it is spoiled, however this is rarely the case (Yes this can lead to vote tampering, as happened in the last Quebec referendum where the Yes side began declaring No votes to be spoiled, however the No side began spoiling an equal number of Yes votes to keep things equal, and reported the abuse afterward)
    After the votes are counted, the ballots are put back in the box, and it is sealed again (in case a recount is necessary), and the numbers are reported to the riding (the area that a candidate will represent) level, usually by phone. I believe the results from each polling station are supposed to be published somewhere so the observers can double check the counts, but I don't know how exactly this is done. Anyways, because there should only be a few hundred ballots to be counted in each polling area, the results are usually known in a few hours. A Federal judge can order a recount if a candidate shows just cause, and I believe an automatic recount is called if two candidates are within 100 votes of each other.

    To sum up, the major difference between Canada and the US in voting is that there is a (non-partisan) Federal agency responsible for setting up and running the election, with standardised ballots. Provincial elections are run similarly to Federal ones, while Local ones have started using electronic vote counters, but using and keeping paper ballots.

  24. Re:Blimey by Peaceful_Patriot · · Score: 2, Informative

    (For the first time in my /. life I will be posting Anonymously, soon I'll be buying my tinfoil hat...)

    Interesting how these days even the most innocuous statements cause Americans to look over their shoulder to see who is listening. I've been around long enough to see many presidents and administrations. I have cursed and cheered them. But until now, I have never feared them. For all the rhetoric about freedom, this administration is the scariest and most oppressive I can remember.

    --
    There is nothing so powerful as an idea whose time has come.
  25. Dude - it's the month, not the swamp :) by JimMarch(equalccw) · · Score: 2, Informative

    Sheesh :)

    (yes, that's my page)

  26. Re:Die, democracy, Die by Doc+Ruby · · Score: 2, Informative

    Bush sued Gore to grab the presidency in 2000.

    --
    make install -not war