Slashdot Mirror

← Back to Stories (view on slashdot.org)

U.S. Voting Software Hashes Made Public

Posted by michael on from the hash-and-eggs dept.

fibonacci2000 writes "From the NIST website: 'This effort is a first step in being able to trace software from the vendor through the accreditation process to the states and other purchasers of voting systems. Now election authorities have a reference database to compare with the digital signatures of software provided to them by vendors.'"

16 comments

  1. Let me be the first to say by commodoresloat · · Score: 4, Funny

    And I, for one, welcome our new democratically elected overlords!

  2. What about the paper? by FifthRaven · · Score: 2, Insightful

    As a general computer geek, I don't trust anything that dosen't have a paper trail. You can kill a computer hardrive and do funky things to code in such a mallicous fashion as to say or do anything you want. If there isn't a carbon trail, it isn't secure.

    --
    We apologize for the inconvenience.
    1. Re:What about the paper? by NEOtaku17 · · Score: 2, Insightful

      "As a general computer geek, I don't trust anything that dosen't have a paper trail. You can kill a computer hardrive and do funky things to code in such a mallicous fashion as to say or do anything you want. If there isn't a carbon trail, it isn't secure."

      Yeah if it was done with a paper trail people couldn't forge votes receipts or vote for dead people or....oh wait.

      --
      Creative Demolition
    2. Re:What about the paper? by schmaltz · · Score: 2, Interesting

      Except that with paper ballots there is a paper trail. With that you can find out that voter's dead, or the reg is fictitious.

      However, with Diebold you can simply go in and manipulate totals directly. No physical evidence. Much easier to steal an election, in a currently uncontested way. Of course, the aftermath of this election will probably involve a couple orders of magnitude more attorneys and jurisdictions than in 2000, so it remains to be seen whether an election stolen by computer will go unchallenged.

      --
      Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma ... where's Siggy?
  3. Different for the sake of being different. by Stochio · · Score: 3, Interesting

    If you look through the file it has references to java files, pascal files, C++ files, and perl files. I don't get it. I understand that in this document just the hashes are listed to source code - but does this also imply that the source code is being distributed?
    On an additional note, I see references to jpg, gif,and bmp files. I must be interpreting this files incorrectly. Why else would source code of 4+ high-level languages and 3+ image formats be in the same project?

  4. I'm going to get fried for this, but... by St.+Arbirix · · Score: 2, Funny

    Look people before everyone gets pissed off at me for writing some of the software for these machines let me just tell you I didn't really intend it to be like this. It was originally just some DMV model I wrote in CompSci 212. How it got into the voting system I'm required by NDA to not disclose, but let me just say it was worth the full ride into grad school.

    --
    Direct away from face when opening.
  5. Translation for the Layman? by Richard+M.+Nixon · · Score: 2, Interesting

    Now election authorities have a reference database to compare with the digital signatures of software provided to them by vendors. However, only digital signatures of the same versions of software voluntarily provided by voting software vendors are available on the web site. Election authorities having other versions, or versions which have been altered for authorized reasons, will be unable to use this web site for a digital signature comparison.

    I'm not sure but I think what this means is that their software can be used to verify that the software that the vendor has sold them is indeed the software that is installed on the machine.

    For example, that DIEBOLD AccuVote-OS CC 2.0.12 AE is installed on a machine.

    If this is true, then it only confirms that you have the software you think you have on the system. It does not mean that said software will tally an accurate vote. (Having competent software is a different question entirely of what software you have installed on a system.)

    Also....

    This data may only be used with software that has not yet been installed on a voting machine. With limited exception, once software is installed on a voting machine, it is incapable of generating a digital signature.

    I'm not sure I understand why it couldn't be verified afterwards.

    Can someone explain this?

    At the very least couldn't you wipe the voting machines harddrive and do a re-install?

    --
    Nobody died when Nixon lied.
    I'm meeting you half way you stupid hippies!
  6. This is meaningless. by schmaltz · · Score: 3, Insightful

    If I compute the hash an already vulnerable voting machine program, or its server component, what does it matter? It was ready to tamper with when it left Diebold, and with the same hash it'll still be vulnerable.

    This is a red herring. The voting software's already open to tampering, so a hash is meaningless.

    --
    Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma ... where's Siggy?
    1. Re:This is meaningless. by commodoresloat · · Score: 2, Funny
      The voting software's already open to tampering, so a hash is meaningless.

      Actually, it's so open to tampering, it makes me want to smoke hash.

  7. they didn't have this already? by j0nb0y · · Score: 2, Insightful

    wtf? You would think that security would be a foremost concern for a voting machine, but diebold has shown from the beginning that security is an afterthought for them. Cryptographic hashes of the software should have been available *from the very beginning*. Even *Microsoft* signs their code nowadays. But for Diebold, the cryptographic hashes, that are standard in most of the software industry, are an afterthought. Here's the hashes a week before the election! See, aren't we secure? What a joke...

    Diebold's executives should go to jail for pulling this scam on the government. Those in the government who went along for the ride should be severely punished.

    We have enough vote fraud in this country *without* Diebold. The last thing we need are unverifiable voting machines.

    --
    If you had super powers, would you use them for good, or for awesome?
    1. Re:they didn't have this already? by Rayonic · · Score: 1
      The last thing we need are unverifiable voting machines.

      Supposedly these Diebold machines print out paper ballots on the fly. If so, my biggest remaining issue is: does the voter get to see said paper ballot before it's shuttled away to the inside of the machine for storage?
      --
      [PowerPoint] is a tool for capitalist presentation
  8. Oops, scratch my previous post by Rayonic · · Score: 2, Interesting
    Turns out that the paper trail is not printed out on the fly. The only thing captured on the fly is an "image" of the voter's ballot. What other kind of data is stored I do not know.

    From the Diebold web site:
    When a voter casts their ballot using the Diebold touch screen system, the ballot selections are immediately encrypted and stored in multiple locations within the voting station. When stored, the order of cast ballots is scrambled to further insure ballot anonymity. The image of each and every ballot cast on the voting station is captured, and can be anonymously reproduced on standard paper should a hard copy of ballots be required for recount purposes. Once voting concludes at a precinct, a printed election results report is printed as a permanent record of all activity at each voting station. This printed record is used to audit the electronic tabulation of votes conducted during the election canvas process, when final, official election results are reported.
    --
    [PowerPoint] is a tool for capitalist presentation
  9. a nice gesture, but only a gesture by timothy · · Score: 5, Insightful

    This does one necessary thing, which is provide a way to prove (near enough) that the software being used is the software that the voting software company provided, that no one hijacked the delivery truck carrying the voting machine and swapped in one favorable to candidate X. (Or W, or K.)

    What it specifically does *not* do is do anything to prove the actual security, accuracy of the included software when running as intended, or that it can't be used *other* than as intended, in a 99-extra-lives "cheat mode." While incrementing by one a pretty small number of piles several thousand times doesn't sound like a computationally tough job, Bev Harris and others have shown the numerous and substantial flaws that current systems have; I'm aware of only one state (Nevada) that will be requiring a paper trail for its electronic voting machines in case of a dispute over the electronic returns.

    Hashes? Great! Put them on the outside of the envelope containing every scrap of the sourcecode in machine-readable form, along with documentation that you have completed the publically available test suite, please, and take a seat in the lobby. The taxpayers will get around to you in your turn.*

    timothy

    *Oh, if it were that simple ;)

    --
    jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
  10. In Soviet Russia by clickster · · Score: 1, Funny

    The software hashes YOU!!!

    --
    If you mod me down, I shall become less powerful than you could possibly imagine.