Slashdot Mirror
The Diebold Voting-Machine Hack
Warm John writes to mention a short article on Doctor Dobbs Journal about the Hack that couldn't be done. "Hacking a Diebold voting machine was the focus of Cigital's Gary McGraw's keynote at SD Best Practices. He discussed 'Security Analysis of the Diebold AccuVote-TS Voting Machine,' a paper released by Edward Felten, Ari Feldman, and Alex Halderman of the Princeton Center for Information Technology Policy. 'The paper details a simple method whereby the Princeton team was able to compromise the physical security of a Diebold voting machine, infecting it with a virus that could change voting results and spread by memory-card to other machines of the same type.'"
if i flash it can i use it as a calculator too?
i support the right to offend.
I'm in your voting machine stealing your election.
Fundamentalism stops a thinking mind.
Man Diebold looks slimier and slimier every passing week, but I'm more disturbed by Joe Demma's, Salt Lake's chief elections officer, response to Bruce Funk's actions. Granted, Funk acted by going around Demma by calling in Black Box Voting to check the Diebold machines, when presumably Demma is supposed to be responsible for that (just my guess as he's the chief elections officer).
However, Demma seems more incensed at Funk because he may cost the state $40,000 for Diebold's astronomical recertification fee. He doesn't seem to be worried that people might not trust these machines. He doesn't seem to care that a state officer was worried enough to call in a non-profit third party to verify the integrity of these machines. I mean, these things could possibly affect the outcome of a vote, the foundation for a democratic republic! But instead of worrying about these machines he's clearly more upset about the $40,000 and Funk not talking to him about his concerns regarding the voting machines.
And of COURSE Diebold is going to tell you the machines are fine and fair. Sheesh, they want to make money don't they?
Isn't it great that chief elections officers have their priorities straight?
Give me a ballot sheet and a pencil any day over these closed, proprietary black box machines.
In Illinois we get a paper printout that you check for accuracy and put in a ballot box; we can actually have a real recount.
That's incredibly weird, considering this IS Illinois, where they say "vote early, vote often," where dead people still have a right to vote, and the last two governors who lost elections went to prison (or will, in the case of Ryan).
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
And no, SpybotSD can't help you.
"Flyin' in just a sweet place,
Never been known to fail..."
I bet either someone is going to have 100% votes for Fred Flintstone, or someone is going to have a 60% write in for some person. Both of which could never happen and would do nothing except expose the voting machines as tamperable. I doubt someone is going to be smart enough to make the election look close, but vote for someone on the ballot. The only way a good ol conspiracy vote could happen is if the hacker got a load of money from a candidate. Well I guess that could happen.
God spoke to me.
I've seen plenty of pro-Microsoft and pro-Diebold posts get modded up. All you have to do is have a clear point, and show it. You didn't manage that. You said the fraud happens, and it doesn't make a difference if we can trace it or not.
It does make a difference. With a punch card, or a paper ballot, or even a mechanical voting both anyone can trace when fraud has occured. And in those cases we implement some security, track where the fraud came from (if we can) and redo the election.
With the current generation of electronic voting machines, we can't do that. I don't care who makes a good machine, but Diebold hasn't made one. And they've defended that design as if they think it is a good machine. Geeks don't like people who pretend a bad design is a good design. We'll tear into them. If they routinely defend bad design by saying it is good design and overlooking what we think are obvious flaws we'll notice, and start to expect that. Until they change, a group that decides who they like on the technical ability of a company won't like them. They are lying about their technical quality; at least in our eyes.
I found the FAQ interesting. I liked the way they set the tenor of the questions, and included such things as "you weren't supposed to say anything about this!" The research seems pretty clear-cut, and the precautions that the researchers took appears to have been well thought out.
I hope that I underestimate the American people on this (including me), because the next tack that will be taken by Diebold will be, "Well, who in their right mind would want to tamper with an election? Calm down, citizens, this is just scaremongering by the right/left/pedestrians..." Once this is followed up with a suggestion that such might be "fomenting a panic designed to cause a breach of the peace," vague threats of arrest for those involved, and nothing changing.
Well, if nothing else, this voter's going to try his hand at absentee balloting this time around. Just in case...
Strike while the irony is hot! -- The Freethinker
Maybe this is an example of free market forces at work.
One customer wants a secure, hardened, auditable, time proven machine with a user verifiable paper trail.
The other doesn't need any of those features.
Therefore two entirely disparate product lines.
One is designed to protect $.
The other is designed to protect democracy.
Who will guard the guards?
The paper details a simple method whereby the Princeton team was able to compromise the physical security of a Diebold voting machine, infecting it with a virus that could change voting results and spread by memory-card to other machines of the same type.
It's not who votes that counts, it's who counts the votes.
The theory of relativity doesn't work right in Arkansas.
it's called 'peer review' and in the science world it's not only expected but mandatory.
my question is this: has diebold's product undergone any sort of peer review? if it's important enough for someone studying the genetic inheretance of grey hair, it's important enough for someone entrusted with running an election for the most powerful person in the world, dontcha think?
2 1337 4 u!
http://www.openvotingconsortium.org/
Sure hackers would be tempted as well, but look at it from a major terrorist network perspective. If they were able to alter the election outcome and prove it (or have it proven), think about the doubt this would cast in all future elections (and possibliy cast doubt on past ones as well if the same tech was used)...and not just for Americans, but world wide. "One man, one vote"....I could see the terrorists laughing as they played video of them voting of a candidate 1 million times or taking down the voting "network" entirely. They wouldn't even need to injure/kill anybody in the process and they would be able to make a major statement.
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
You are assuming that the person in charge of contracting Diebold for voting machines actually *wants* tamperproof, accountable systems.
-fb Everything not expressly forbidden is now mandatory.
and the last two governors who lost elections went to prison (or will, in the case of Ryan).
Ryan didn't lose an election - he won, all the way up until he (plagued with scandal) didn't run again.
paintball
I'll get mod-bombed right back down to Good Karma for this- but I have to say that I'm not at all sure it didn't happen in Ohio and Florida in 2004. The exit poll numbers, which had previously been extremely accurate in just about every election I'd ever heard of, were way off in those two states on the Presidential race- but the numbers were close enough that everybody focused on recounts instead (where possible).
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
How come no one seems to be asking the slot machine manufacturers to make voting machines? They deal with millions - or billions - of dollars a day and seem to be able to account for every single penny accurately. As an added bonus, all they'd really have to do is change the 7's to donkeys and jackpots to republicans... Pull the lever for your new rep! Seriously though - they're the people who should be making the machines...
It isn't enough for computer software professionals to discover problems like this; we need to be able to communicate our results effectively to the non-technical public. Too often we find something disturbing and decend into technical jargon and lose our audience. The Princeton team has done an excellent job avoiding that pitfall and communicating this threat.
Now, if only we could find a reasonably motivated and alert politician to actually act on this.
Thank you for stealing an earlier post of mine absolutely verbatim.
-the real jdm
It does make a difference. With a punch card, or a paper ballot, or even a mechanical voting both anyone can trace when fraud has occured. And in those cases we implement some security, track where the fraud came from (if we can) and redo the election.
Except that they won't. There have been numerous cases recently in which problems were confirmed beyond any doubt. In every case, even when the number of dubious votes would have been enough to potentially change the results of the election, the courts let the election results stand, and no reelections were called.
We don't need to be able to prove that fraud occurred. We need to be able to eradicate it. The only way that is even remotely possible is if the voting process is transparent. This means:
Check out my sci-fi/humor trilogy at PatriotsBooks.
Welcome to democratic government, brought to you by Diebold(R)!
Please choose a candidate:
(1) The incumbent guy who's against the terrorists.
(2) The weasly other guy who likes terrorists and wants your child to
be gay.
[press 2]
You have chosen option (2), for gay marriage. Are you sure?
[press no]
Please choose a candidate.
[press 2]
Let's not be too hasty. We don't want the terrorists to feel good.
Do you want the terrorists to feel good?
[press no]
You have chosen option (1), for the incumbent. Are you sure?
[press cancel]
This may forfeit your vote! Are you sure you wish to cancel not
voting for option (1)?
[press yes]
Thank you for your participation in the democratic process! Printing
receipt
Sorry! Out of paper.
This entire thing comes down to the ability to pick a lock so someone can replace the flash card.
Now that we know the machine itself is virus-susceptable, the next steps are:
1) See if the smartcard reader code has a vulnerability. (Any bets on a buffer overflow bug?)
2) If so, design a virus that can do the initial infection via the smartcard slot.
Succeed at 2) and you can carry a bogus smartcard in, insert it while you "vote", and infect a voting machine. Since the machines are apparently capable of passing the infection during the post-election vote collection process, you can take over the precinct (either all the remaining machines or the one doing the totals) by infecting one voting machine.
Design the virus to self-destruct after doing its dirty work and you don't even leave tracks.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Absolutely.
What is the obsession with machine voting anyway? The only advantage seems to be counting speed. Since by the time all the ballots are in, counting speed makes ZERO difference to the outcome of a fair election, it's an irrelevancy - what's a few more hours against an elected term that will go on for years?
The absolute requirement for me is that your voting system be comprehensible and auditable by the common man. Because it concerns us all. The system with the widest comprehensibility is pencil and paper.
While pencil and paper isn't flawless, the key difference is that it's a system that a lot of people understand. Irregularities are far easier to recognise by the common man. With a machine system, only someone who understands the machine can spot the system being subverted.
Print ballots. With boxes on. You make a mark in the box, you voted for that person. No chads, no hanging. And anyone who can count can see that the right thing is done.
Sure, introduce machine systems to help make it harder to subvert the voter system. But the basic counting mechanism should be a wet thumb and a box of rubber bands.
Ed Felten is also the guy who hacked the MS DLL that "integrated" IE into Windows to remove IE without destroying the OS, proving in court that Microsoft's defense of their illegal bundling, "it was technologically necessary", was a lie. Though Felten was not even a Windows specialist, and certainly didn't have the source code to delete IE cleanly, he was the the key to the court finding that MS had violated their antibundling consent agreement, the key to finding they'd violated their monopoly status.
Now he's the guy proving Diebold voting systems are insecure.
Isn't anyone else in our giant, brilliant "computer science" industry doing anything? Or are they all working for the bad guys?
--
make install -not war
>Diebold is well known for banking systems, including ATMs
Diebold ATM turned into jukebox
Diebold ATM infected with Welchia
Compromising Diebold machines seems to be a regular method of swinging elections in Florida ( UC Berkeley )
The white hat community needs to start undermining vulnerable e-voting technologies whenever and wherever possible. Just put a few Democrats into office in the bible belt.
The CEO of Diebold is on record as a dyed in the wool Republican: "Our job is to deliver the election to George W Bush". Problematic for a vendor with so much trust. But once their machines start swinging votes for the other side, they'll soon start adding security.
How can one hack a diebold voting machine when they are open?
Shouldn't these just be considered mods?
"Only one thing, is impossible for god: to find any sense in any copyright law on the planet." Mark Twain