Election Officials And Crackers Challenge Diebold

Rick Zeman writes "The Washington Post is reporting that election officials in Florida have manipulated election results in controlled tests. From the article: 'Four times over the past year Sancho told computer specialists to break in to his voting system. And on all four occasions they did, changing results with what the specialists described as relatively unsophisticated hacking techniques. To Sancho, the results showed the vulnerability of voting equipment manufactured by Ohio-based Diebold Election Systems, which is used by Leon County and many other jurisdictions around the country.'"

Insanely poor program architecture

[James_Duncan8181]

Windows XP + network connection + data held in an *Access DB* and then transferred by memory card with no crypographic checksum.

If I prepared work like that for a client, I'd expect to get chucked out by security.

I'll also note the following:
        a) Diabold say that a paper trail is not needed for security, but provide one on their own ATMs. Apparently independent verification of election results is less important then $$$ transactions.
        b) Both local and remote vulns have been demonstrated on their voting machines, but the ATMs have not been pwned.
        c) Diabold refuses to let the source code be reviewed, and chose to run on Windows XP so neither the program or the OS of the box can be verified safe.
        d) Diabold machines can have the vote totals rewritten on their memory sticks as they do not cryptographically sign or encrypt the totals. That's plain text on a card that can be removed from the machine and has a standard file format.
        e) Diabold security is fucked whether or not they put the same code they have tested on the box. With tested, verfied boxes they cannot add XP security patches for known flaws after te verification date (and if there is one thing worth keeping an 0-day for...). If they do add security patches etc then we are trusting closed source biaries to be added to election counting machines without the possibility of review. One bad actor and the elecetion is up for grabs.

No thanks. I'm not usually a conspiracy theorist but is is as if they were designed to be broken into.

Would a BSD box with one simple program, output to the framebuffer, a results paper trail and a constant SSH tunnel to the FEC be that hard? *sighs*

Fuck Diabold.

Not that sort of paper trail

[gaijin99]

The voter doesn't take the paper with him, as you say that would ruin the whole anonymous ballot thing. The voter gets the paper, looks at the human readable output to verify that his vote was correctly recorded, and drops the paper into a ballot box on his way out. If the paper shows that his vote was incorrectly recorded, he can ask an election official to remove his vote from the machine, destroy that paper ballot, and try again.

The election officials keep the paper ballots, machine printed recepts that is, so that in the event of a dispute they can be hand counted. Since, theoretically, every voter looked at their recept and verified that it recorded what they truly intended to vote for, if someone hacks the machines and falsifies the votes recorded there, the paper ballots get the final say in the event of a dispute.

It also gives you a good indication of where the falsification of the electronic votes got started since you can say: hmmm, district 123 shows 4000 votes for candidate X on the computer, but the paper ballots only show 1000 votes for candidate X, who messed with the machines in district 123?

Essentially we're keeping the old paper method of vote recording as a backup in the event that its suspected that someone hacks the machines.

Someone already is.

[KingSkippus]

There's an organization called the Open Voting Consortium whose mission is "the development, maintenance, and delivery of open voting systems for use in public elections." They are directly opposed to the shenanigans that Diebold has engaged in.

Problem is, they spend their donations on actually developing the system, not in paying off Congressmen to give them lucrative exclusive contracts. Still, one can hope that it changes someday. (And donate to support the effort...)