Slashdot Mirror


Worst Ever Security Flaw in Diebold Voting Machine

WhiteDragon writes "The folks at Open Voting Foundation got their hands on a Diebold AccuVote TS touchscreen voting machine. They took it apart (pictures here), and found the most serious security flaw ever discovered in this machine. A single switch is all that is required to cause the machine to boot an unverified external flash instead of the built-in, verified EEPROM."

12 of 681 comments

  1. Re:Lever action! by markwalling · · Score: 5, Interesting

    My district switched to electronic from lever-based. In 2004, at 715 when I voted on lever machines, there was no line, and just about as many signatures in the book. In 2005, the line was out the door and around the corner at the same time. The person in front of me took 5 minutes to use the electronic machine. People knew how to use the old machines, and they were reliable. These new things take the old people forever to use, and then they complain that they were hard to read...

    --
    ...For the beast had been reborn with its strength renewed, and the followers of Mammon cowered in horror.
  2. Mirror early, mirror often by Anonymous Coward · · Score: 3, Interesting

    This is Diebold. Mirror early, mirror often. They love to sue critics like these. Wget may be the only way to save history.

  3. Re:About the only way they'll ever "fix" these thi by PeeAitchPee · · Score: 4, Interesting

    Not so sure about that. Here in Maryland, our (Republican) governor budgeted $20,000,000 to allow us to use paper ballots instead of the Diebold crap -- and he was shot down by our State Senate (Democrat) and principally by our State Administrator of Elections, who claimed that going back to old-style ballots would "stifle development."

    I'm sure you can find the parties flip-flopped in other states. The point is that if a) people actually gave a shit and b) people really understood the issue instead of blindly assuming "computer = good, paper = bad," any cronyist jackass who supported Diebold would get booted straight out of office next election -- assuming their evil scheme hadn't yet been implemented. ;-)

  4. Re:Diebold lobbied slashdot... by Da_Weasel · · Score: 5, Interesting

    I beg to differ. I believe this is the worst security flaw yet:

    http://video.google.com/videoplay?docid=8112825559202389150&q=hacking+the+vote

    --
    If you must!
  5. re: the other party by BitterAndDrunk · · Score: 4, Interesting

    Call me Machiavellian, but I'd wager this goes across party lines. Self interest of those in power to maintain said power. Just as gerrymandering isn't a one party phenomenon, neither is vote-rigging. (1968 democrats, possibly 2000 and 2004 republicans)

    --
    You better watch out, there may be dogs about . . .
  6. Checks & Balances by TheDarkener · · Score: 3, Interesting

    ...and the lack thereof is what really sickens me.

    You can't ever trust a computer, no matter what, ESPECIALLY in such an important thing as a governmental election. We *need* checks and balances.

    1) Vote with electronic voting machines.
    2) Receive a paper receipt with a 'checksum' of sorts that add up to your specific votes (this is the only pitfall right now, since obviously printing a paper receipt is WAY too complex to code by Diebold programmers)
    3) Submit your checksum to any number of third party, independent voting "Check & Balance" websites. These sites can independently tally votes from citizens in each voting district, and if discrepancies occur between the official count and any number of these sites, secondary validation routines/alerts can occur.

    Why would this be such a hard solution? I'm sure any number of you can code a simple database/website that tallies citizens' votes. I'll do the hosting for free.

    Let's open source this muther f*cker, whether they like it or not!

    --
    It is pitch black. You are likely to be eaten by a grue.
  7. Re:When Will Politicians Wake Up? by powerlord · · Score: 3, Interesting
    There's a reason that Diebold's banking and ATM machines are massively secure and auditable, and their voting machines, well, aren't either of those things.


    To take the "devil's advocate" position for a minute ...

    Is that because ...
    ... ATMs have had years to go through many iterations to get to a "secure" and "reliable" system (that even then can have anomalies)?
    ... ATMs operate on a different set of assumptions? (installed in a permanent location, so switches like this might exist but be much more easily shielded from the public through physical security).
    ... ATMs do not have the privacy concern, which may take getting used to for a company used to tying a given transaction back to a given user?
    ... Electronic Voting Machines (EVM) have a smaller install base and have had less money spent on them for development? I suspect the average voting district (where EVMs are deployed) has more ATMs than EVMs.
    ... EVMs have to be much more flexible in allowing lists of candidates to be entered (for district elections + school board elections + statewide referendums + national elections). ATMs have an established, and rather fixed set of functionality (although it could be argued that different ATMs can support different languages, the comparison is closer to every ATM needing to be set to dispense different amounts of money. So ATM1 gives the user a choice of $20, $40, $60, $100 and ATM2 gives a choice of $10, $30, $60, $200, etc.)

    On a side note, does anyone know:
    - What is the average cost of an ATM vs an EVM?
    - What is the average expected lifespan of an ATM vs an EVM?

    Now, all those things aside, these problems need to be addressed, and my comments are NOT meant to be excuses.
    All of these problems CAN be addressed through sufficient testing, an open specification and design process, or lots of trial and error / patch and release.

    Guess which one the EVM manufacturers have chosen to go with?
    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  8. This is NOT a reason to register absentee by WillAffleckUW · · Score: 5, Interesting

    Because absentee voters get a paper ballot that is not only delivered by a trusted source - the US Post Office - who have a verified date/time stamp - and that the ballots can be audited, traced, and verified - now THAT is a reason to register permanent absentee.

    Today.

    --
    -- Tigger warning: This post may contain tiggers! --
  9. Re:wrong question by idesofmarch · · Score: 4, Interesting

    I missed the computer programmer. When did he talk? There was a bit about Diebold in the beginning, but nothing about the programming of the machine.

  10. Re:wrong question by Intron · · Score: 3, Interesting

    Here in backward Massachusetts I make a black mark on a card which is read into an optical scanner that also securely holds the cards. The election officials verify that the box starts out empty and ends up with the number of votes that register on the counter on top. If they don't, they can take the ballots and read 'em through again. They can even look through them by hand to make sure the optical counters are working right.

    What do you do when the all-electronic system says that more votes were cast than the number of registered voters in the precinct?

    --
    Intron: the portion of DNA which expresses nothing useful.
  11. Re:When Will Politicians Wake Up? by Thuktun · · Score: 5, Interesting
    From one of the linked pages:
    • Broward Co., FL - ES&S software on their machines only reads 32,000 votes at a precinct then it starts counting backwards (see this update): http://www.news4jax.com/politics/3890292/detail.html
    • Guilford Co., NC - ES&S equipment "could report only about 32,600 early and absentee results". This seems very similar to the case above, (see this update) save that Guilford Co. uses optical scan for its absentee voting and may use the older Votronic system for early voting (although it would make a more consistent story if they used optical scan for all absentee and early voting).: http://newsobserver.com/news/story/1852104p-8179802c.html
    How interesting. Counting on a 16-bit signed integer (two's complement) and dropping the sign during formatting would do that:
    7FFB => 32763
    7FFC => 32764
    7FFD => 32765
    7FFE => 32766
    7FFF => 32767
    8000 => 32768
    8001 => 32767
    8002 => 32766
    8003 => 32765
    8004 => 32764
    8005 => 32763
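
The wrap-around in the comment above, reproduced as an added example (not part of the original comment and not any vendor's code). The function and type names are hypothetical; `displayed_count` models a 16-bit two's-complement tally printed without its sign, and `tally_add` is one way to count without silently wrapping.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Buggy path (assumed model): the tally is kept in 16 bits, read back as a
 * two's-complement value, and the formatter prints only the magnitude. */
static uint32_t displayed_count(uint32_t votes_cast)
{
    uint16_t raw = (uint16_t)votes_cast;            /* wraps modulo 2^16 */
    int32_t as_signed = (raw & 0x8000u) ? (int32_t)raw - 0x10000
                                        : (int32_t)raw;
    return (uint32_t)(as_signed < 0 ? -as_signed : as_signed);
}

/* Hardened counter: wider type, and an add that refuses to wrap and
 * records the condition so it can be surfaced in an audit. */
typedef struct {
    uint32_t count;
    bool     overflowed;
} tally_t;

static bool tally_add(tally_t *t, uint32_t n)
{
    if (n > UINT32_MAX - t->count) {   /* would exceed the type's range */
        t->overflowed = true;
        return false;                  /* count is left unchanged */
    }
    t->count += n;
    return true;
}

int main(void)
{
    /* Constructed input: ballots cast around the 16-bit signed boundary. */
    for (uint32_t cast = 32765; cast <= 32771; cast++) {
        tally_t t = { 0, false };
        tally_add(&t, cast);
        printf("%04X  cast=%u  buggy display=%u  hardened=%u\n",
               (unsigned)(uint16_t)cast, (unsigned)cast,
               (unsigned)displayed_count(cast), (unsigned)t.count);
    }
    return 0;
}
```

Past 32768 ballots the buggy display falls by one for every ballot added, so the reported total understates the true count by a growing margin while still looking like a plausible number.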
  12. Re:Diebold lobbied slashdot... by nido · · Score: 5, Interesting
    ... and a low incidence of the ability to reason clearly, that is the problem with the US electorate.

    This is why it's important to subvert a country's system of education first, before taking over the rest of the government.

    Horace Mann (instigator of the compulsory government school) was much enamored with the Prussian system of schooling, which inspired in the subjects passive obedience to the government (source: Two Hundred Years of American Educational Thought, by Henry J. Perkinson). He thought he could take the good parts of the system without the bad. Haha...

    ... But his [Mann's] contention is that this spirit of the system is separable from the manner of teaching itself. And here American teachers can learn much.

    The Prussian schoolmaster, he [Mann] discovered, combined complete mastery of subject matter with superb pedagogical finesse. They taught from "the head," never relying on a textbook. Beginning not with abstract theories -- neither principles, rules, nor axioms -- but with objects and phenomena familiar to each child, these master teachers encompassed elements of reading, spelling, writing, grammar, drawing, and general information into every lesson. Students in the Prussian schools, unhampered by the artificial formalisms of rote memorization, enjoyed learning; they liked their teachers and held them in high esteem. The teachers rarely used physical punishment; they secured discipline through the affection and respect -- even awe -- the students had for them. The Prussian schoolmaster was the complete authority; children unquestionably accepted and believed what he said.

    Horace Mann dreamed of making American teachers as authoritative as their Prussian counterparts. ... (Perkinson pg. 77. Italics in original, bold my emphasis)


    See also John Gatto's Underground History of American Education. Gatto tells us in his works that a Prussian "education" is exactly what we receive in the standardized government school experience.

    So remember: The purpose of government schooling is the installation of obedience in the population, so the masses won't mutiny when word gets out that we're being screwed (this story also) in a dog-and-pony-show sorta way.
    --
    Learn the rules so you know how to break them properly.
    www.teslabox.com