Slashdot Mirror


More Diebold E-Voting Vulnerabilities

presmike writes "ok, it looks like Diebold has more to worry about now that it is possible to change votes with a 5 line VB script. 'The vulnerabilities involve the Global Election Management System, or GEMS, software that runs on a county's server and tallies votes after they come in from Diebold touch-screen and optical-scan machines in polling places.'"

19 of 535 comments (clear)

  1. Blimey by ackthpt · · Score: 5, Interesting
    vbs script running in the background, well, they don't say it but it seems obvious that GEMS is running in Windows, the most breakable OS in the world. I'd think with that in mind that little scripts are the lease of their worries. If someone compromises their network and server enough to install and run a script, they've got considerably more at their fingertips.

    "There's 14,375 votes for Bush, 14,374 for Kerry and 2,793,036 for Mr. Magoo, let's tell the public about this 4 years after the election, OK?"

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Blimey by Artifakt · · Score: 3, Interesting

      There are several other companies making voting machines. Some of those alternates appear to be better (not necessarily safe enough for this job, but substantially closer). My own state uses machines that produce a partial paper trail (a copy of the aggregate results, per machine, not per individual voter). It's not the per individual paper trail some have discussed here, but it serves for newspaper reporters, party observers, and the general public to see, and helps block SOME forms of possible election fraud. My own state also still supports paper ballots, and it would take amending the state constitution to take away that alternative.
      Right now, the evidence is that one company's voting machines are definitely below any remotely acceptable standard, and that company has indicated a motive for making them flawed deliberately.
      It's not evidence that proves all forms of electronic voting should be rejected, or that paper ballots are axiomatically better. It sure doesn't prove that other forms of felonious electioneering, such as getting voters falsely dropped from the rolls, will stop too if we just go back to paper. It IS increasingly solid evidence of a crime. The public will better serve itself if it focuses on what the facts definitely prove about Diebold than what they may tenetively suggest about the overall principles of electronic information security.

      --
      Who is John Cabal?
    2. Re:Blimey by SpaceLifeForm · · Score: 3, Interesting

      In Missouri, the republicans are asking for lists of voters that have requested absentee ballots. Here's one story.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  2. change to our type by alatesystems · · Score: 3, Interesting

    Our voting machines are awesome in Louisiana. In my parish we use the AVC model. You go in and press buttons and then hit "cast vote" and it goes "doo doo doo" and it gives me great satisfaction.

    I think it does have a paper trail and I've never heard of any vulnerabilities for it, and we have no hanging chads. Completely electronic.

    Chris

  3. Re:Get rid of E-Voting now! by blueg3 · · Score: 3, Interesting

    Ah, for the days of taking a pen and a sheet of paper with boxes next to names, and marking an X in the box next to the person you want to vote for.

    Simple and relatively free from error. I'm sure optical scanners today should be able to process these damned quick, too.

    Hopefully New York is not going to be using paperless electronic voting machines. I don't trust them.

  4. Re:Amazing by quelrods · · Score: 3, Interesting

    Well, technically the db backend in access, not the system itself. The amusing thing about access is it supports subselects! There isn't a release of mysql that does this yet. As much as we all hate access, it may have been an ok choice for this. At least there isn't a slammer worm for access. Given the choice between access and ms sql server for our voting machines, I guess access isn't so bad. Though, user permissions on the db is probably something to worry about.

    --
    :(){ :|:&};:
  5. Economist article by rm007 · · Score: 4, Interesting

    For those interested, the current issue of The Economist has an article on voting technology. It does not, of course, discuss this latest development, but gives a good overview of the area, with a great deal of attention given to the issue of paper, paper trails, and making the whole system more transparent.

    --


    I've finally got around to changing my sig
  6. Re:Amazing by Frymaster · · Score: 4, Interesting
    You'd think a company who's been making ATMs since their inception, would have a good understanding of cryptographic security and the "gotchas" inherent in such systems

    understanding? sure. motivation to implement it? maybe not. consider:

    • if the bank machine borks my transaction i find out about it at month end in my statement. if the voting machine borks my ballot, i never know.
    • the atm is just a snazzy client for the bank's server. the banks approves the transaction and returns the balance, the atm just spits out the cash.

    remember: in every first year computing science class assignment #2 is "bank machine".

  7. Re:Get rid of E-Voting now! by Paulrothrock · · Score: 5, Interesting
    The Scientific American article I posted about says that paper ballots are even more subject to jamming than punch card ballots. And while they're human readable, they take much longer to count than electronic ballots.

    Their solution: A dual-method system. First, the person fills out a card with their choices. Then they put the card into a slot which reads it, so they get a chance to review their choices. If they want to make changes, the old ballot is stamped with "Void" and shredded, and a new one pops out, ready to use. If they accept the choices, the ballot is placed in a bin *and* recorded electronically.

    --
    I'm in the hole of the broadband donut.
  8. nice to know by simontek2 · · Score: 4, Interesting

    I was trained to fix those here in Georgia. Sad thing I find out bout this thru /. not them.

    --
    SimonTek
  9. 2 brothers will count 80% of the vote by puke76 · · Score: 5, Interesting

    I submitted this in April, crack mods rejected it.

    Two brothers will count 80% of the vote.

    In a country where no-bid contracts and the VP's corporate relationships aren't questioned, this is worrying.

  10. Voting machines vs. other machines by upsidedown_duck · · Score: 3, Interesting


    I wonder what medicine and aviation would be like if their devices were allowed to be built like Diebold builds their machines. Lives on the line vs. the life of our democracy on the line...I don't see that great a distinction.

    --
    -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
  11. Diebold Execs: Stupid or Crazy? by Paulrothrock · · Score: 5, Interesting
    Diebold spokesman David Bear said by phone that no one would risk manipulating votes in an election because it's against the law and carries a heavy penalty.

    WTF?!? Murder is against the law and carries a heavy penalty and people still do it, numbnuts.

    Diebold is saying essentially what the Bush administration and, really, all NeoCons. "Trust us, we'll do what's right. Why shouldn't you trust us? We're respected people in power."

    Hell, that was an argument a White House attorney made in front of the Supreme Court! When asked whether a chief executive could falsify documents he said something to the effect of "Yes, but *this* chief executive wouldn't do that."

    Why not create a system with ways to keep people from doing things that we don't like, instead of *trusting* people you *don't know* to do the right thing. We could call it something like "checks and balances."

    --
    I'm in the hole of the broadband donut.
  12. Exploits in ATMs by Halo- · · Score: 4, Interesting
    I'm too lazy to find the actual paper, but there is a great one out there about errors made in early ATM design. (Dunno if they were Diebold's or not). For quite some time, the PIN used to access and account was stored on the magnetic stripe on the back of the card. When you "authenticated" to the ATM, it compared the PIN keyed in using the keypad to the PIN on the back of the card! Eventually criminals figured this out, and would steal people's wallets, take the ATM cards, and encode a new, known PIN on the stripe, and access the victims account.

    I've worked with banks on other security systems, and in my experience they often "know what they want" but fail to ask the right questions. Of course, as soon as they start losing money, they get the point quickly. :)

    (Okay, laziness over, I think this may be the paper I'm thinking of: Why Cryptosystems Fail)

  13. Re:Blown out of proportion by neitzsche · · Score: 3, Interesting

    Where *did* you get such confidence in your local election poll cronies? Why would you even for a second think that procedures are always followed flawlessly?

    Why would you suggest that having the wrong candidate reported as the winner would not have any effect? What about other polls that are still open, or states that are three or more hours behind?

    That is precisely what happened in Western Florida in the 2000 fiasco. It had been decades since a single vote even seemed like it could matter - so if you've heard the news that your state has already decided on a candidate, why drive out to the poll?

    The combination of many factors (modems? MODEMS!? Web-based? Bugs? Untested? Lack of peer review?!) compromising the security of the system indicates premeditated culpability.

    Where *is* my tin-foil hat?

    --
    "God is dead." - Frederik Nietzsche
  14. My e-voting experience last Tuesday by dtjohnson · · Score: 4, Interesting

    My voting precinct has recently began using an optical scan voting system in which you blacken in little circles on the paper ballot for your choice and then feed your ballot into the vote scanning machine which then tallies the results and records them electronically. At the end of the day, the results get sent electronically to some central point where they are supposedly tallied. Anyway, I voted last Tuesday in a statewide primary and when I arrived about 20 minutes after the polls opened, there was already a long line of people waiting to feed their ballots into the vote scanner machine which was refusing to accept any of them. The voting supervisor guy was a gentleman in his 80s who obviously did not have a clue about what to do to either fix the machine or report the problem. People kept arriving, filling out their votes, and then lining up until the place was jammed. (There were 6 precincts using one vote scanning machine). Finally, one of the poll workers got a cardboard box, wrote 'votes' on the side, and said we could just leave our ballots in the box and they would feed them into the vote scanning machine later when it was 'fixed.' So...that's what everyone did since people had to get on to work and such. My conclusion was that this e-voting system was extremely vulnerable to any sort of problem, easily circumvented with fraud, and, in this case, didn't preserve ballot secrecy. This stuff never even got a mention in a newspaper which reported instead how well the voting went.

  15. Did anyone notice this part in the article? by CodeMonkey4Hire · · Score: 3, Interesting
    Harris and the activist stand to make millions from the suit if they and the state win their case.
    Why the [fh][eu][cl][kl] would he get any money? This is like a whistleblower suing a company for fleecing its investors and paying all the money to him instead of the investors.
    --

    Let's go Hurricanes!!! 2006 Stanley Cup Champions!!!
    1. Re:Did anyone notice this part in the article? by Peyna · · Score: 4, Interesting

      California has a whistleblower statute that would allow them to collect up to 30% of any reimbursement paid to the state.

      It makes sense, the state is awarding people for bringing things to their attention which save them money. A lot of employers engage in the same practice.

      --
      What?
  16. Not That Worrying by angst_ridden_hipster · · Score: 3, Interesting

    Let's face it people, voter fraud is easy with or without computers.

    Personal Anecdote:
    My polling station got upgraded from the punch-out-the-chad-with-a-stylus system to a poke-the-spot-with-an-ink-stylus system between the last two elections.
    My area is heavily Democratic. For efficiency's sake, the polling area has five carrels for Democrats, and two carrels for Republicans. As part of the semi-legendary radical socialist wing of the Republican party, I was waiting for one of the Republican carrels to open up. It was taking a long time, as an elderly Republican neighbor of mine was trying to vote. He complained to the polling place staff that the stylus was not poking out the chads. To demonstrate that it was OK, they pulled a blank ballot off the pad, stuck it in the machine, and stamped a few (possibly) random votes, and pulled it out to show him that the machine was, in fact, working. They then tossed the ballot away. (He was convinced they were trying to invalidate his vote, so he ended up punching each vote all the way through anyway).

    But no-one batted an eye that they had just created an illegal ballot. When I called the election office to complain, they gave me a song and dance about how it would have been impossible for them to insert it into the ballot box without raising red flags, how the register would not match, etc. But they don't let you insert you ballot directly into the box yourself; you hand it to someone and you watch them put it into the box. It would be trivial to do a quick palming of one ballot and insertion of another.

    With the last election being so close, it would only take a few votes per polling station to throw an election. Bruce Schneier calculated it out in a recent article in terms of cost per vote, and it was quite low. Sure, it would be more expensive and would involve more people to do it in the old-fashioned low-tech way than it would with Diebold's patented cheating system, but the difference is only a factor of two or so. Given the stakes in a national election, that's down in the noise.

    So basically, you either have to trust the system and believe that people will not cheat in the election, or assume that cheating is ubiquitous regardless of the physical system used.

    #cynicism on
    OK: cynicism mode on

    In other words, We The People are fucked, we have been fucked, and we will continue to be fucked.

    #cynicism off
    ERROR: Cynicism mode cannot be disabled.

    --
    Eloi, Eloi, lema sabachtani?
    www.fogbound.net