Worst Ever Security Flaw in Diebold Voting Machine
WhiteDragon writes "The folks at Open Voting Foundation got their hands on a Diebold AccuVote TS touchscreen voting machine. They took it apart (pictures here), and found the most serious security flaw ever discovered in this machine. A single switch is all that is required to cause the machine to boot an unverified external flash instead of the built-in, verified EEPROM."
You'd think in this day and age we'd have some idea of how to create a secure voting system. Unfortunately it doesn't seem like much of a concern to the politicians. They assume computers are more secure than paper because they don't understand them. Never mind all the computer scientists warning about the pitfalls of electronic voting. Let's just trust this Diebold sales guy over here! We know he's telling the truth because of the billion dollar contract!
Here's a hint for politicians: If in a population of 300,000,000 only 1,000,000 are capable of understanding how the voting system works, and if only 1,000 people are actually allowed to see how it works, and if there's no verifiable paper trail or any simple and legitimate verification system, then democracy is a farce.
I attribute most of these errors to poor design, not anything intentional. Personally I like the old fashioned lever machines my district uses. It is very hard to hack those, I hear. Unlike computers and paper cards, you never hear bad things spoken about lever voting machines.
Information wants a fueled airplane waiting at the hangar and no one gets hurt.
Electronic voting machines with no paper trail are an insult to democracy. That they come with switches to bypass even the dubious "safeguards" provided is hardly a surprise.
My blog
When will the people wake up? I suspect (some) politicians are well aware of the "flaws" found in the system.
You better watch out, there may be dogs about . .
is if a Libertarian or Green Party candidate wins....
Taking guns away from the 99% gives the 1% 100% of the power.
how will that ever happen WITH these flaws already in place? Diebold machines have been used numerous times already...
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
Any company with devotion to a fair and secure voting system would not make such an obvious oversight. If it was in fact an oversight, it shows that Diebold is far too incompetent to be creating voting machines. You would also think that a company in charge of something so important wouldn't show blatant partisanship either. Why are they still employed?
Similes are like metaphors
I thought the biggest flaw was their certification by states for use in actual elections.
--
make install -not war
The AccuVote machines are what they are, not due to poor design or unintentional mistake. They are the result of a deliberate intent to enable fraud on a massive scale. Viewed from this perspective, the AccuVote design is very good. The real problem comes when Diebold realizes that it needs to become better at obfuscation and makes it harder to detect the fraud.
Sorry, I have never seen the point of these machines. Paper ballots are auditable, user friendly, and if electronics is put into the reporting system, can be counted in a few minutes and submitted. Voting machines are a perfect example of a technology fetish at work. It would make an interesting case study to examine the economic and sociological reasons why we sometimes buy technology that we don't need, don't want and further, serves no useful purpose.
Has anyone answered the question regarding need for automated vote counting in a satisfactory way?
Seems to me that manual counting of votes would be vastly more secure as it would take a huge conspiracy to affect the result either way.
Counting a hundred million votes is hard, counting a thousand votes in a hundred thousand locations is easy.
Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
This article is a little high on the hype. The general rule is that if you have physical access to any computer system you can compromise its security.
Don't you think that a flaw that would allow people to vote multiple times or a flaw in the security by which the voting machine uploads results to the central server or flaws in the central server itself are worse than this?
Gee, we have physical access to the guts of a machine and we can do things to it. I'm not terribly impressed.
I don't see how this is the "biggest security flaw ever discovered". Any system will have some method of flashing new code if you have access to the hardware, and while this makes it a little easier, it is not as big of a deal as they make it out to be. After you verify that the system has the correct (independently audited) code loaded into it, you put a tamper-proof sticker on the case, and call it good.
This is nowhere near as bad as the bugs that allowed exploits through the normal user interface, or the fact that the way the votes are stored allows easy tampering by election officials, or the fact that there is no way to recount or verify that the recorded votes are correct.
This is something that can be improved upon, but it isn't a fatal flaw and certainly not one of the main reasons that Diebold machines should be banned.
Not to pick nits here, but whether or not a voting machine is trustworthy is a boolean variable. Either it's trustworthy, or it is not (and therefore worthless).
As far as I'm concerned, every election using any machine found to be compromisable should be invalidated, and a paper ballot revote should be held.
If you don't trust $[POLITICALPARTY] with your democracy, why should you trust the men behind the curtain?
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
more aggressive on this issue.
Electronic Voting machines are not a trustworthy technology. They can be made reasonably trustworthy, but only with significant and constant public involvement and oversight. The core element to this happens to be our requirement of anonymity for our votes. Being unable to link votes to voters means we must then capture the actual votes themselves if we are to be sure the election is just and true.
Roughly 80 percent of Americans will be using these machines in the coming elections. That should scare the tar out of every one of you, regardless of your political bent.
In 2004, this number was about 30 percent and the problems were so great, we really have no assurance our election results actually reflect the will of the American people, whatever that may be.
Think of it this way. Let's say I'm the voting machine counting votes. You tell me what your vote is, and I update my mental count. Can you see that I updated the count correctly? I could report your vote back to you correctly, yet still maintain a different internal count. There is no way to really know is there? That's the problem we face with electronic votes.
The votes are encoded into states stored on devices nobody can directly observe, other than via the proxy of other electronic technology. Essentially, we are voting by proxy when we vote electronically. Without an accounting in the form of a serial voter-verified paper record, or the use of vote storage that is both human and machine readable, we cannot oversee the election results in a manner that brings confidence to the whole affair.
These machines are general purpose computers for the most part. We all know how easily these things are tinkered with because it's what most of us do! Biggest problems are:
-no direct accountability on elections officials to actually hold a just and true election. Technology can and will be blamed for problems, leaving these folks off the hook for failed / unjust elections. Not good. Where the incentive for corruption and manipulation exists, you can bet it's happening. There is too much at stake for it to be otherwise.
-poor understanding of the core technology differences between paper voting and electronic voting. I summarized it above and have a longer, easy to understand, paper here. Mail it to your legislators along with a request for their position on the matter. If you do the mailing, please also do the request. That forces a response, which helps increase the overall perception of the importance of the issue. http://www.opednews.com/dingusDoug_112604_electronic_voting.htm
Said poor understanding extends to all of us really, legislators and citizens alike. Too many people consider electronic data processing systems as being better than they actually are. Consider this: If they are so infallible, why do ATM machines deliver receipts? Also, be careful about ATM comparisons. The primary difference between an ATM machine and an electronic voting machine lies in the anonymous nature of voting. ATM transactions are keyed to people, electronic voting records are not --thus the need for a voter-verified paper trail.
What do we need to ask for?
Voter verified paper trails that are human readable, serial in nature and easily handled / processed for recounts. Flimsy, thermal rolls that can discolor from improper storage and or handling won't cut it.
Audits at the precinct level. These can catch abnormalities easily and quickly before too much damage is done. Use the paper record to verify issues and act accordingly.
Strong exit polling. Notice how that is being downplayed now? The reason is simple. In 2004, the exit polls did not jive with the voting records, yet we have been exit polling for a good long time. The differences did not appear in this way until the advent of the electronic machines.
Legislation that reinfo
Blogging because I can...
The government being of, for, and by the people, each ballot cast in a public election for federal office shall produce a physical ballot able to be read and counted by a human unaided by electronic computer.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
Even if diebold took out all of the headers to put a different ROM in there, and make damn sure you couldn't connect to it externally, there are still many attack vectors.
* From the article:
So... you can connect an external eeprom that runs your own code within a few minutes. From the above statement, the diebold protocol is pretty hard to crack, and writing your own firmware or such a board is verging on impossible.
Even if it were possible to write your own firmware, you would have the ability to flash the onboard eeprom just as quickly, or even do a quick solder job on the onboard chip, replacing it with your own. I know this is a little harder, and more likely to get caught out with, but given the possibility of writing a working firmware, it's in a similar scope of difficulty.
Considering you can desolder a 16 pin EEPROM within seconds, or just as easily hijack its communication interface (probably just I2C) it's not unreasonable that there are going to be lots of flaws in this system. If one were determined enough, you could hack the machines to high heaven, with the further possibility of no forensic traces.
There are other fundamental problems with this argument too, like what happens with the data logging internally whilst running off the eeprom. You would have very accurate firmware to get anything like a good result.
Also I would imagine these machines have internal software auditing to make sure that a reboot/reload of application code is registered. Crypto signatures etc.
There will be no way to make these things so secure that "Open Voting Foundation" will be entirely happy. They would be out of jobs that way.
Signature v3.0, now with 42% less memory usage.
..was discovered awhile back.
Turning it on.
That's it. That's all you have to do.
Given taxi meters and electricity meters both have tamper seals, you would have thought that these would have visible tamper seals as well. If in doubt you could even have two tamper seals: one from Diebold and another from the voting commission, in order to ensure that both parties are satisfied with the state of the machine.
Jumpstart the tartan drive.
The difference is that with a paper voting system there are a lot of participants. For election fraud you need very many persons to know and participate.
With electronic systems, it is possible to modify something in the software with only very few people knowing and participating, and still have influence on the end result.
It is of course much easier to have 3-10 persons work with you, than 10.000
I am a computing professional with a background in Computer Forensics and Incident Response. I took a consulting position (specifically a county technician job) with Diebold specifically so I could see what all the hubbub was about with the voting machines.
I went through the entire voting process, from the hardware testing, to the development of the ballots, to the actual election and the tallying of ballots. I can say without a question in my mind that the TSx voting machine and the associated software (assuming the machine is equipped with the voter verifiable printer) is no more susceptible to voter fraud than hand counted paper ballots.
Please keep in mind that I owe nothing to Diebold, have no interest in Diebold, and specifically took this job thinking that I would find gigantic gaping holes in their product. While the design of the hardware and software leave much to be desired, for someone to assert that committing large scale voter fraud with this system is easier than with hand counted paper ballots is patently ridiculous in my mind having worked with the hardware and software during an actual election.
The big problem that everyone seems to overlook is that EVERY voting system is inherently operated by humans and is therefore subject to error. My experience during the voting process is that the single most important piece of the "secure election" puzzle isn't the equipment that is used but the processes that are followed and the reasonable inclusion of public scrutiny to the process.
In the case of a hand counted paper ballot, all that is necessary to commit fraud is a switch of the actual ballots prior to the tally. With the TSx machine (with the attached printer) the audit log of the election (including timestamps and actual votes cast) is present in 3 locations (the actual voting machine, the memory card, and the written record). In order to withstand an audit, all three of these items must be altered to perfectly match the result whereas with paper ballots there is only one record that must be altered.
While it's obviously true that the machines could be programmed in advance to fix an election, keep in mind that voter registration is a completely different process from the actual vote tallying, and that voter turnout is still done by hand. In order for the electronic record to be altered, it would have to be done in such a way as to mirror the actual voter turnout PER POLLING LOCATION, a number which is independent of the voting machines and in any jurisdiction of consequence this number would be effectively impossible to predict. In the case of hand count you need only have a total number of ballots cast as there is no tracking of the votes per polling location whereas with the voting machines this record is kept in each machine.
The bottom line is that the place we need to be concentrating our efforts for voter reform is on the process rather than the specific technologies used to tally votes. The real problem is polling workers being sent home with voting machines. The real problem is no public oversight of the tallying of votes. The technology used is effectively irrelevant unless there is massive voter oversight allowed at every phase of the process, and we must not let our concern over the vulnerabilities of the technology get in the way of the demand for oversight.
In the county that I supported, each machine was kept under lock and key, with a publicly accessible camera trained on them at all times. At no time was a single individual allowed access to the machines, including during the travel time to each polling place. When the polls closed, each machine was brought back (again by a team of two) and the actual tallying was done in a room with seating for the general public and a webcam that allowed the public to watch every single part of the process. This is the type of thing we should be advocating.
I will agree that the early technologies used were inadequate to protect our rights, but the voting machine technology has advanced to the p
---
All this has been addressed by the suppliers of Las Vegas casino slot machines. Why not just use them to build the machines?
E Proelio Veritas.
This shouldn't be news to Americans. If you've paid attention to the antics in the last 3 election cycles and the discrepancies between exit polling and actual results, you'd know what's going on. Same thing just happened in Mexico. Expect it to happen here in November. Democrats leading in races by 5% or so, then a miraculous Republican turnout (contradicted by all polls) will maintain their majority. Anyone who protests the results or points out election day shenanigans will be ostracized by the "liberal" media as a whiney sore loser. Welcome to Oceania.
I swear to God...I swear to God! That is NOT how you treat your human!
Now, is there a single convincing reason why the simplest, most secure and easily verifiable system - paper ballots - aren't used? Why all the machines? Lever, butterfly ballots, electronic... What problem is it that these systems are meant to solve?
I suspect it is a combination of "We want some result in an hour or two - we are too impatient to wait for it to be counted properly" and "We want a system that we can manipulate without any audit trails."
Tamper proof sticker? WTF? What planet are you from that anybody with the resources to rig an election can't come up with a way to tamper with stickers? Is the sticker under observation by multiple independent parties at all times? No? Then you can replace it with an identical one after you remove it and screw with the machine. No such thing as a tamper proof sticker....
If I'm going to "call it good", i want a fucking paper trail. I don't mind if you count the physical votes electronically to save time. But a completely digital vote is just bits and therefore can be altered with NO audit trail whatsoever. It isn't worth the paper it's printed on.. oh wait, it's not even ON paper....worthless.
The simple truth is, there's a time and place to use proven technology (paper). And voting is one of those... It's MUCH more difficult to screw with physical records than digital records... And what's worse is that morons think that digital is more secure. The basic problem is that the damn thing is so complex that you don't know whether it's been fucked with or not. With paper, you NEED a conspiracy to rig an election. With digital, you need ONE GUY with an agenda....
These are not flaws, this is intentional and is part of the process of how the criminals in the white house got there and are able to stay there. Democracy ended in this country over 6 years ago.
Here's a depressing comparison, showing the rules surrounding slot machines in Vegas vs. voting machines:
Vegas vs. Electronic Voting Machines
People are worried about the flaws in this voting box when the current method being used is stuffing pieces of paper into a goddamned cardboard box! And they don't even require you to have ID in some states to vote, because this would be 'racist'.
I seriously think the DieBold box is the least of our worries.
Big ones, small ones, some as big as yer 'ead!
Give 'em a twist, a flick o' the wrist...
I suggest you take a look at the research into the recent Washington state elections done by SoundPolitics.com. They verified close to a 20% error rate in absentee balloting. The signature verification on absentee balloting is no verification at all due to non-verification being done by those who count the ballots. Additionally, the USPS is not a trusted source, they are just another government bureaucracy. The ballots themselves cannot necessarily be traced nor verified and even when the signatures are completely different, they are still counted. Due to the nature of voter rolls, duplicate ballots are sent out all the time due to slight variation in a person's name and the duplicate ballots counts are not caught until after the final tally has been done and the election finished. Finally, mischievous gov officials can always delay sending the military their ballots so those serving overseas do not have time to get their vote in on time. This actually happened in 2004 in Washington state.
Permanent absentee is not the solution. Neither is electronic voting.
The true solution takes elements of the recent Mexican election to prevent fraud (voter id cards, thumb inking, precinct based monitoring and tallying) and combine them with the best paper based voting machine.
Your number is a bit low. It's more likely Democracy ended when the people running the country stopped being called "Statesmen" and became "Politicians".
BTW: The mod war on the above post should prove interesting.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
1968 Democrats?
If the Democrats rigged the 1968 election, they don't deserve to hold office. Richard Nixon, Republican, won the 1968 election.
"I have as much authority as the pope, I just don't have as many people who believe it" - George Carlin
I would say that Diebold is competent enough to create a secure voting machine that would take a high level of expertise to spoof. Unfortunately, almost by definition, Diebold would be competent enough to create a spoofable voting machine that could be programmed remotely and capable of 'fixing' elections. The opportunity exists, even if the company, or even renegade employees of the company, don't do it. I will assume that they are innocent until proven guilty in a court of law. But I sometimes wonder, because they would be in a perfect position to affect critical elections. Political power can be tempting.
The Nevada Gaming Control Board has technical standards for slot machines. They've had enough fraud over the years that they know what has to be done. Some highlights:
(a) Employ a mechanism approved by the chairman which verifies that all control program components, including data and graphic information, are authentic copies of the approved components. The chairman may require tests to verify that components used by Nevada licensees are approved components. The verification mechanism must have an error rate of less than 1 in 10 to the 38th power and must prevent the execution of any control program component if any component is determined to be invalid. Any program component of the verification or initialization mechanism must be stored on a Conventional ROM Device that must be capable of being authenticated using a method approved by the chairman.
(b) Employ a mechanism approved by the chairman which tests unused or unallocated areas of any alterable media for unintended programs or data and tests the structure of the storage media for integrity. The mechanism must prevent further play of the gaming device if unexpected data or structural inconsistencies are found.
(c) Provide a mechanism for keeping a record, in a form approved by the chairman, anytime a control program component is added, removed, or altered on any alterable media. The record must contain a minimum of the last 10 modifications to the media and each record must contain the date and time of the action, identification of the component affected, the reason for the modification and any pertinent validation information.
(d) Provide, as a minimum, a two-stage mechanism for validating all program components on demand via a communication port and protocol approved by the chairman. The first stage of this mechanism must verify all control components. The second stage must be capable of completely authenticating all program components, including graphics and data components in a maximum of 20 minutes. The mechanism for extracting the authentication information must be stored on a Con
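The checks in items (a) to (c) quoted above, modelled in Python as an added example that is not part of the original comment or of any vendor's firmware. Component names, byte contents and the 0xFF erased-flash convention are assumptions, and the approved manifest is assumed to sit in ROM that the boot path cannot bypass.

```python
import hashlib
import hmac
import math
from collections import deque

# (a) "error rate of less than 1 in 10 to the 38th power": the smallest digest
# length n (bits) for which a random altered image passes with chance 2**-n < 10**-38.
MIN_DIGEST_BITS = math.ceil(38 * math.log2(10))  # 127, so SHA-256 qualifies
ERASED = 0xFF  # assumption: erased flash reads back as 0xFF


class BootRefused(Exception):
    """Raised instead of handing control to an unverified program."""


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def build_manifest(components):
    """Digest every approved component; done once, at certification time."""
    return {name: sha256_hex(blob) for name, blob in components.items()}


def verify_media(manifest, components, unallocated):
    """Return a list of problems; an empty list means the media is clean."""
    problems = []
    for name in sorted(manifest):
        blob = components.get(name)
        if blob is None:
            problems.append("missing: " + name)
        elif not hmac.compare_digest(sha256_hex(blob), manifest[name]):
            problems.append("mismatch: " + name)
    # (b) anything on the media that was never approved is itself a finding
    for name in sorted(set(components) - set(manifest)):
        problems.append("unapproved: " + name)
    stray = sum(1 for byte in unallocated if byte != ERASED)
    if stray:
        problems.append(f"unallocated area holds {stray} non-erased bytes")
    return problems


def boot(manifest, components, unallocated):
    """(a) refuse to execute anything if any single component is invalid."""
    if hashlib.sha256().digest_size * 8 < MIN_DIGEST_BITS:
        raise BootRefused("digest too short for the required error rate")
    problems = verify_media(manifest, components, unallocated)
    if problems:
        raise BootRefused("; ".join(problems))
    return "control program started"


class ModificationLog:
    """(c) keep the most recent modifications, ten by default."""

    def __init__(self, keep=10):
        self._entries = deque(maxlen=keep)

    def record(self, when, component, reason, new_blob):
        self._entries.append({
            "when": when,
            "component": component,
            "reason": reason,
            "validation": sha256_hex(new_blob),
        })

    def entries(self):
        return list(self._entries)


# Constructed sample data, not taken from any real machine.
APPROVED = {
    "bootloader.bin": b"BOOT v1 (constructed sample)",
    "ballot_logic.bin": b"LOGIC v1 (constructed sample)",
    "screens.dat": b"GRAPHICS v1 (constructed sample)",
}
MANIFEST = build_manifest(APPROVED)
CLEAN_FREE = bytes([ERASED]) * 64


def external_flash_image():
    """Same layout as the approved set, with one component altered."""
    image = dict(APPROVED)
    image["ballot_logic.bin"] = b"LOGIC v1 (altered copy)"
    return image


if __name__ == "__main__":
    print(boot(MANIFEST, APPROVED, CLEAN_FREE))
    try:
        boot(MANIFEST, external_flash_image(), CLEAN_FREE)
    except BootRefused as err:
        print("refused:", err)
```

A digest manifest only helps if the manifest and the checker live in storage that a boot-source switch cannot redirect, which is why the quoted rule puts the verification code on a conventional ROM device.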
Paper trails are just as susceptible to fraud as electronic systems.
Do you actually believe that or are you just playing devil's advocate?
The only measure in which that can be accurate is the binary "Is fraud possible?" measure, any measure which takes into account degree of susceptibility, paper is the hands down winner. Just for starters, we have experience investigating paper trails. There is physical evidence left behind when a paper trail is tampered with. Tampering with the paper trail necessarily requires physical access. The list of ways in which paper is demonstrably superior goes on, and on...
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
No, it ended when only a minority of citizens bothered to register to vote, and only a minority of those actually bother to vote.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Not requiring voters to show official picture ID.
I've noticed a disturbing trend... people seem willing to assume that no one in a position of power can possibly be corrupt.
We see this with people defending alleged warrantless spying; we see this with people defending police taking away cameras; we see this with people defending invasive security; we see this with people defending anything that would be a good idea in a perfect world with perfect people.
While I hate to be the one to break it to you, we don't live in a perfect world full of perfect people. There are bad people out there who will abuse power granted to them. The person you hire to protect someone or something may well use the power you gave them to attack what you hired them to protect.
Why do you assume that it has to be a voter on voting day? There's no law of nature that says that an election official, or a security guard, or any of the myriad of other people who have access to the machines isn't corrupt.
Then you should move to a state where everyone votes by permanent absentee ballot or by mail.
Absentee ballots have another major problem: They facilitate vote buying and/or coercion.
The best solution is human-readable paper ballots, filled out (whether by hand or by machine) in the privacy of a voting booth after verification of identity and registration, and dropped into a locked box, sealed, transported, stored and opened according to procedures that we've understood for a long time.
It really is very simple.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I'm a little mystified by the common belief that more idiots voting will fix anything. The problem isn't a low voter turnout: it's a low incidence of self-education about politics, and a low incidence of the ability to reason clearly, that is the problem with the US electorate.
Unfetter your ideas. Copyfree your mind.
There is a flaw in this testimony. The programmer absolutely states that if exit polling data is different from the totals from the machine it means there has been tampering. You can't make that jump in logic.
Exit polling data has always been inconsistent in that the interviewer picks and chooses what they think is a sample which is representative of the majority. If they choose the wrong people that will affect the sample. And, depending on when the exit polling was done this will influence the exit polling. On any random day there has been statistical skew as to when liberals vote versus conservatives vote. If you end exit polling early on one site or start late on another site you can have exit polling different from what the actual totals are.
Quality Hosting e3 Servers
But this bunch has taken it to entirely new levels --- and again, the US Constitution states that a close election will be decided by the House of Representatives, while the Supreme Court did decide the 2000 election in a most unconstitutional manner.
The follow-up line there is equally excellent:
Opus: Lord knows we need more statesmen...
ATM's have had years to go through many iterations to get to a "secure" and "reliable" system (that even then can have anomalies)?
It's because if your ATM isn't secure, nobody will buy it, because they won't want to lose their money. If your voting machine isn't secure, the state government will buy it anyway.
paintball
I'd be flabbergasted if there hadn't already been. Until real fraud in a real election is detected and proven, nothing is likely to change.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
I disagree with you because I think the whole point of these machines is to conceal real fraud, in real elections. I believe the fraud has happened, and will continue to happen until people wake up and accept that it's going on.
I actually spoke with one guy from Ohio who thought that all Diebold machines left a paper trail. My question is how does anyone come to believe something like that? Is that the kind of thing they have on Fox News or what? Are there others like him that simply don't know the truth? If so, then nothing will change until people learn the truth. The fraud is ongoing.
I've seen a lot of things, but I've never been a witness.
I am a software engineer on embedded systems. I see a lot of boards like this.
The ability to boot from different sources is a normal debugging feature, not in itself sinister. Should they have cleaned that up on the production model? Yeah, sure. But verifiability is ultimately a human concern anyway, not a tech one.
It all comes down to who you trust.
If you don't trust the polling place, make the voting machine tamper proof.
But then you have to trust the guy who built the voting machine.
You have to trust the guy who loaded the software on it at the factory or the elections office.
You have to trust the guy who wrote the code. Even if you inspected the code, you have to trust him to give you a binary based on that and not pull a fast one.
You have to trust his compiler to give him a binary without compiled in back doors.
I feel like I probably haven't listed all the points where this voting machine chain of trust can break down.
On top of all that, voting machines are not cost effective vs hand counted paper ballots. So, I advocate for no voting machines.
Start Running Better Polls