Slashdot Mirror
The Diebold Voting-Machine Hack
Warm John writes to mention a short article on Doctor Dobbs Journal about the Hack that couldn't be done. "Hacking a Diebold voting machine was the focus of Cigital's Gary McGraw's keynote at SD Best Practices. He discussed 'Security Analysis of the Diebold AccuVote-TS Voting Machine,' a paper released by Edward Felten, Ari Feldman, and Alex Halderman of the Princeton Center for Information Technology Policy. 'The paper details a simple method whereby the Princeton team was able to compromise the physical security of a Diebold voting machine, infecting it with a virus that could change voting results and spread by memory-card to other machines of the same type.'"
Man Diebold looks slimier and slimier every passing week, but I'm more disturbed by Joe Demma's, Salt Lake's chief elections officer, response to Bruce Funk's actions. Granted, Funk acted by going around Demma by calling in Black Box Voting to check the Diebold machines, when presumably Demma is supposed to be responsible for that (just my guess as he's the chief elections officer).
However, Demma seems more incensed at Funk because he may cost the state $40,000 for Diebold's astronomical recertification fee. He doesn't seem to be worried that people might not trust these machines. He doesn't seem to care that a state officer was worried enough to call in a non-profit third party to verify the integrity of these machines. I mean, these things could possibly affect the outcome of a vote, the foundation for a democratic republic! But instead of worrying about these machines he's clearly more upset about the $40,000 and Funk not talking to him about his concerns regarding the voting machines.
And of COURSE Diebold is going to tell you the machines are fine and fair. Sheesh, they want to make money don't they?
Isn't it great that chief elections officers have their priorities straight?
Give me a ballot sheet and a pencil any day over these closed, proprietary black box machines.
Then I don't know what can. We need more information like this to come out because when dealing with elections, the last thing we need--but apparently the opposition wants--is for some kind of shennanigans elecing the wrong person. If electronic voting is ever to be used, it darn well should be open source, and transparent as hell...with two paper receipts (one for the voter and one for the auditors.)
How much more media attention do we need to give these jackasses at Diebold before the person in charge of contracting them goes.. "Hey wait a minute, you guys aren't very good at this ludicrously simple task," and takes a different approach to voting machines that doesn't give ultimate authority to some "company" over whether or not our votes will count.
Meet new people, and kill them.
Sure hackers would be tempted as well, but look at it from a major terrorist network perspective. If they were able to alter the election outcome and prove it (or have it proven), think about the doubt this would cast in all future elections (and possibliy cast doubt on past ones as well if the same tech was used)...and not just for Americans, but world wide. "One man, one vote"....I could see the terrorists laughing as they played video of them voting of a candidate 1 million times or taking down the voting "network" entirely. They wouldn't even need to injure/kill anybody in the process and they would be able to make a major statement.
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
It isn't enough for computer software professionals to discover problems like this; we need to be able to communicate our results effectively to the non-technical public. Too often we find something disturbing and decend into technical jargon and lose our audience. The Princeton team has done an excellent job avoiding that pitfall and communicating this threat.
Now, if only we could find a reasonably motivated and alert politician to actually act on this.
my question is this: has diebold's product undergone any sort of peer review?
Unfortunately, yes. Many crooks and liars have deemed the system to be "just fine".
--Phillip
Can you say BIRTH TAX
All the little openings on those things have seals placed over them, so it becomes quite obvious that the box has been tampered with because the seal is broken. True, some county clerk (or Diebold employee maybe) could probably get a replacement to replace it, but it would be hard to cover the evidence. Now i'm not saying that everythings hunky dory just becuase we know if it's been tampered with. Obviously, if a machine is tampered with, you can't trust the votes. Which means they can't (shouldn't) be counted. Which means that some poeple's votes are getting counted when maybe there was no vote changing after all, but you can't tell and the whole process breaks down, because by not counting any of the machines in a certain area of [town|county|state] the vote is, in effect, altered. Similar to what would happen if someone snuck a few hundred forged ballots into the ballot box.... the count wouldn't be right when compared to the rolls, and they couldn't trust the entire precinct's ballots. So why don't they just modify the software so it doesn't 'read' anything from the card, (and yes modify the boot process if need be)... except maybe space left on it. so it can't pick up a virus in the first place. Bah! i never actually post on /. what am i thinking? I'm just a lurker, grrr
Diebold is well known for banking systems, including ATMs, so they know a thing or two about accountability. For some reason, these lessons haven't been transferred to their elections division.
From the referenced paper:
Great minds think alike; fools seldom differ.
It does make a difference. With a punch card, or a paper ballot, or even a mechanical voting both anyone can trace when fraud has occured. And in those cases we implement some security, track where the fraud came from (if we can) and redo the election.
Except that they won't. There have been numerous cases recently in which problems were confirmed beyond any doubt. In every case, even when the number of dubious votes would have been enough to potentially change the results of the election, the courts let the election results stand, and no reelections were called.
We don't need to be able to prove that fraud occurred. We need to be able to eradicate it. The only way that is even remotely possible is if the voting process is transparent. This means:
Check out my sci-fi/humor trilogy at PatriotsBooks.
... paper and pen are cheaper, simpler, and time tested and proven. Plus, a substantial segment of our society still views computer systems with distrust. The goal should be that NO Americans feel there is something shady in the voting process, not just those who are tech savvy enough to understand the issues.
I say this realizing that there will always be people with suspicions, so we have to aim to make that the lowest number possible, which IMO, rules out computerized voting at this time.
"Our morality is good, theirs is repressive."- Partisanship Rule #3
Compromising Diebold machines seems to be a regular method of swinging elections in Florida ( UC Berkeley )
The white hat community needs to start undermining vulnerable e-voting technologies whenever and wherever possible. Just put a few Democrats into office in the bible belt.
The CEO of Diebold is on record as a dyed in the wool Republican: "Our job is to deliver the election to George W Bush". Problematic for a vendor with so much trust. But once their machines start swinging votes for the other side, they'll soon start adding security.
The problem with evil is there is just too much damn money to be made.
~X~
~X~
Ahhh yes, the conspiracy theory. You don't offer any counter example. You don't counter the points made in the article. You just yell 'bullshit'. Great argument.
I, for one, have a better explanation. People are dumb. That's the way Bush got elected last time. I will be honest enough to say I voted for Bush in 2000. But I am, at least, smart enough to admit my mistakes. People got their little payouts in the mail. Bush shored up his base. The folks ignored the two trillion of debt he has piled on us, and the quagmires he lied his way into.
No... I do not buy into the conspiracy theory. You don't need to rig elections except through breasd and circuses.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
So, you're suggesting that the Princeton Center for whatever might have gotten ahold of a machine that someone had already hacked? Yeah, maybe so. Somehow, that doesn't make me feel better about these things.
Oh ... you're suggesting that the flaws identified by the Princeton team may already have been fixed. Possible I suppose, but unless the machine was stolen originally from a back room in the Diebold factory, doesn't that imply that Diebold has, in the past, shipped vulnerable machines? Should that make me feel more secure? Have they been seeking the old vulnerable models out and fixing them?
This may be a case like aircraft safety where really strict, impartial, government monitoring is required to ensure that private industry doesn't screw up. Or we could just go back to paper ballots which are cheap, easy to understand, and auditable.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
I'm an OSS fan, but "voter verified" recountability matters, OSS does not.
There is no way for you to independently verify that the VERSION of the OSS software on a machine is actually what you think it is.
You MUST have a system where the voter can verify what their machine thinks their vote is (eg a slip of paper) in such a way that you can reliably recount it by hand (and by multiple people, of course) However, once you HAVE a recountable system suddenly it doesn't really matter how trustworthy the machines are; if anyone suspects anything or it's close you trigger a hand-recount.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot