More Diebold E-Voting Vulnerabilities

presmike writes "ok, it looks like Diebold has more to worry about now that it is possible to change votes with a 5 line VB script. 'The vulnerabilities involve the Global Election Management System, or GEMS, software that runs on a county's server and tallies votes after they come in from Diebold touch-screen and optical-scan machines in polling places.'"

Re:Blimey

[AKAImBatman]

vbs script running in the background, well, they don't say it but it seems obvious that GEMS is running in Windows, the most breakable OS in the world.

It's worse than that. From this link:

She has no way of knowing that her GEMS program is using multiple sets of books, because the GEMS interface draws its data from an Access database, which is hidden.

Getting a warm and fuzzy feeling yet?

Re:Amazing

[Kenja]

Given that the ATMs run unpatched Windows XP and have in the past been hit by internet worms I fail to see whats so shocking about any of this. I will not use a Diebold ATM, even if that means I dont eat lunch because there's no other source for cash handy.

Re:A Better Voting Machine

[gorbachev]

Business2.0 had an interesting article on an electronic voting machine idea David Chaum has come up with.

Dieblod is taking shortcuts trying to maximize short term profits. Corporate greed at its best.

SciAm

[Paulrothrock]

If you'd like some more in-depth knowledge about voting machines, Scientific American is running a great article in their 10/2004 issue.

Re:Amazing

[AKAImBatman]

Actually, the Diebold machines were partly responsible for the 2000 election fiasco.

obligitory plug for blackboxvoting.org

[dogas]

black box voting has 5 (!) different demonstrations on how easy it is to hack these things. There is also an online book (in PDF format) all about how bad the situation really is.

This is serious. Not only are they using a microsoft access (!!) database to store your vote, they are using a non-password protected access database.

Not only are they using a non-password protected access database, you can gain access to the .mdb by hitting a certain key on the touch screen and manipulating at will. Are we living in crazy world?

Re:Amazing

from the MySQL documentation... http://dev.mysql.com/doc/mysql/en/Subqueries.html "Starting with MySQL 4.1, all subquery forms and operations that the SQL standard requires are supported, as well as a few features that are MySQL-specific."

Brazil's Voting System

[gihara]

Why not simply license Brazil's Voting System? I am working as a volunteer in Brazil's city elections this years. The machines are simple and reliable, here are the specs. CPU: Geode National - 200 MHz. RAM: 64mb on board. 2 USB and 1 parallel on board. IDE and Floppy interface. 2 30mb flash disks - one for program and the other for the results. 1 floppy disk drive - sadly that's how we deliver the votes... but its quite error free because the votes are also printed. and theres also the flash disk. 9,4" LCD Here's the new model http://www.procomp.com.br/projesp.asp The only real bug in Brazil's votting system is the elector heehe... We elected a drunk last election for president... well... better than Bush... but still a drunk... ehehee

Re:Blimey

[merlyn]

At least in Georgia, "vote absentee" won't help. They take those absentee ballots... AND KEY THEM IN ON A DIEBOLD VOTING MACHINE!

Re:Blimey

[Thomas+Miconi]

What I don't get is, why do the US insist on having electronic voting machines ? I presume the 2000 fiasco prompted some kind of overreaction, but why not simply go to a plain paper system ?

In backwards socialist pro-islamofascist hellholes such as France, elections are 100% paper-based. People walk into the local voting point and (after registering and showing their elector card) are presented with a number of bulletins, each of them bearing the name of a candidate. They take several of them, walk into the booth and put the bulletin of their choice in an envelope. Then they walk to the ballot box and drop the envelope.

The integrity of the vote is ensured by the most primitive (and efficient) method around: after the vote is over, bulletins are counted by officials in each voting point in presence of the public. Bulletins are handpicked from the box, the main official reads the name aloud, and shows the ballot to other officials present and to the public. The names are also written down by two other officials. The total figures are then transmitted to a central office in Paris. On the next morning, people can check in the local newspaper that the vote count reported for their precinct corresponds to whatever was announced at the voting point.

This system is simple, efficient, and reasonably fool-/fraud-proof. Can someone explain me the exact problem with it ?

Thomas-

Re:Amazing

[MoebiusStreet]

To be correct, the system isn't "written in Microsoft Access".

Access is a RAD development system that uses Microsoft's JET database engine for data storage. (Actually, these days it prefers to use MSDE, which is a stripped-down SQL Server, but JET is still supported).

I have developed many departmental-scope apps in Access, and more in "real" languages using the JET engine. But anyone who would choose to use Access for such a large-scale system really needs their head examined. This isn't MS-bashing, they tell you what Access and JET are good for, and I don't think that Microsoft themselves would advocate this usage.

Reading through the Wired article, it appears that the Diebold programmers know very little about the correct usage of relational databases. Anyone who builds a data model that looks like what this article implies should not be entrusted with the keys to our democratic process.