Opening Diebold Source, the Hard Way
Doc Ruby writes to tell us about an article in the Baltimore (MD) Sun, reporting that someone sent a package to a former legislator containing what appears to be Diebold source code. From the article:
"Diebold Election Systems Inc. expressed alarm and state election officials contacted the FBI yesterday after a former legislator received an anonymous package containing what appears to be the computer code that ran Maryland's polls in 2004... The availability of the code — the written instructions that tell the machines what to do — is important because some computer scientists worry that the machines are vulnerable to malicious and virtually undetectable vote-switching software. An examination of the instructions would enable technology experts to identify flaws, but Diebold says the code is proprietary and does not allow public scrutiny of it." Read on for more of Doc Ruby's comments and questions.
Maryland's primary elections last month were ruined by procedural and tech problems. Maryland used Diebold machines, even though its Republican governor "lost faith" in them as early as February this year, with months to do something about it before Maryland relied on them in their elections.
The Diebold code was secret, and was used in 2002 even though illegally uncertified — even by private analysts under nondisclosure. Now that it's being "opened by force," the first concern from Diebold, the government, and the media is that it could be further exploited by crackers. What if the voting software were open from the beginning, so its security relied only on hard secrets (like passwords and keys), not mere obscurity, which can be destroyed by "leaks" like the one reported by the Sun? The system's reliability would be known, and probably more secure after thorough public review. How much damage does secret source code employed in public service have to cause before we require it to be opened before we buy it, before we base our government on it?
Hopefully more people including journalists will receive that, have experts look at it and expose the scam.
Sounds unlikely though, since this is all illegal.
I don't know. I mean, I'm not sure of the details of the current system, but is the software available before the election?
If not, it is more secure in a way, since malicious users can't test exploits on it before the election, and then they have limited timeframe to do that during the election. If it's open source, and up for review, someone could find the exploit and not tell anyone, right?
This is just my initial reaction to the idea, so I might be way off. Any thoughts?
If this is an insider, then I have to guess that it is somebody who is concerned about some piece of the code. Otherwise, I would guess that it is a cracker who was able to break through the famous Windows security at Diebold and grab the source.
I prefer the "u" in honour as it seems to be missing these days.
The difference is that the Princeton team wrote a vote-switching virus which would spread itself through the smart cards used to tabulate votes. Thus, one infection could -- in time -- spread to any arbitrary number of machines without the knowledge of poll workers (or voters).
That outcome is obviously not possible with manual election rigging.
I saw on Lou Dobbs yesterday a piece that showed election officials rushing out to hire grad students to help out with the coming election. The reasoning was that widespread failures (mechanical, networking, software, etc.) were expected and election officials and staffers unanimously considered themselves as both unprepared and unable to deal with anticipated problems. A quick search for election jobs seems to validate the story.
Or maybe they're worried that the code contains evidence of tampering with election results? Otherwise it's just code. Just because it's public doesn't mean Diebold loses their copyright.
But if that code contains evidence of treason...which is what tampering with election results would be...then anyone involved deserves to be stood up against the nearest wall and shot. Then leave the bodies as a permanent reminder to anyone else thinking about ballot stuffing.
The real question is if the results were rigged, what's that do to the Bush presidency? It would seem to invalidate the '04 election. That means anything he's done while in office should be voided and Kerry should be allowed to serve out the rest of his term. It gets really interesting to consider that the deciding vote on the Supreme Court would be one of those invalidated actions.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Proprietary or not, software used in something so critical as our democratic process *should* be under the scrutiny of some sort of bipartisan government software auditing group. Whether or not it's completely open doesn't matter. The fact that Democrats haven't attacked this issue further convinces me of their incompetence.
Similes are like metaphors
What about the integrity of the elections?
Isn't this kind of stuff the kind of thing that a typical American would not be surprised to see reported as having happened in the so-called 3rd world countries?
What troubles me also is the fact that after all this, our government goes on preaching democracy. I am disappointed! Period
The paper ballots could be used as forensic evidence, for once. It's a LOT harder to prove who tampered with a Diebold machine, since so many people have access to it (the voters touch it, for once, so not all fingerprints would be usable). Paper ballots are also divided into smaller groups (a Diebold machine would replace several "ballot boxes"), compounding the problem, because of the cost of the Diebold machine.
I am however, not working for anyone in the US electoral system, so my information could be incorrect.
Who are the people, other than DieBold, that support DieBold's secrecy? Who are the people who would like to preserve things as they are rather than fix the problems that the rest of the interested public is concerned about?
I think that when we can publically identify who these people are, we can either have a proper public debate on the topic or we can put the matter to rest by exposing the corruption that has been going on.
One would think that the state would require the sourcecode for due diligence...
Not necessarily. The state also does things like approve commercial use of things like scales and computerized gasoline pumps. They look at the results (yes, it actually pumped 100 gallons of gas, and that's what the meter is showing), but probably do not have the chops to review the source code in the pumps, the register systems, and so on. And yet, we all assume that the machines, and the people using them, are not lying. Getting into the source code of accounting systems, life-and-death machinery... it's not something most state governments could possibly do without themselves making mistakes.
Don't disappoint your bird dog. Go to the range.
Sorry, you're wrong about the Florida election being applicable. The whole "hanging chad" mess doesn't happen when you limit the ballots as the GP suggested: Ink pen, paper, locked metal box.
/That's/ how you guarantee both anonymity and clean ballots.
Can't fill in a block without bleeding over? You just trashed your ballot. Watch it get shredded, then re-do your vote.
The roll printer idea, where the people see their votes printed, but don't actually get to touch the printout, is fine. This should be done regardless, but I'm going to go a few steps beyond that.
Basically, for some of the rest of the design, if you're going to make it electronic, first look at all the ways the Xbox security system, for instance, could have been made much harder to hack. [I wouldn't necessarily limit it to that, but that is actually a decent start.] For simplicity I'll list some ideas, off the top of my head, and then justify them.
1) Soldered in main cpu (The cpu will be important, and as such must not be something that can be easily changed.)
2) Security seals on the case that show signs of tampering.
3) Ideally the GPU will be inside the CPU. [This prevents what is displayed from being easily tampered with, although the need for this can be argued, but what you see on the screen is, of course, what you hope you are voting for.]
4) The system on boot will be able to read from only one source for its OS. The CPU will read the OS and compute a cryptographic hash on the entire system. The ROM image (or whatever) will also have a separate field which contains a public key encrypted version of that same hash. The CPU will decrypt that hash with its public key and if the two match, the system will finish booting.
5) Obviously the private key originally used to encrypt that hash must be stored in a very safe place. [The CPU never needs to know that key, and as such, there is no way that possession of one of the devices can allow you to create an arbitrary ROM image that checks out.]
6) The bottom part of the screen should, at minimum show the cryptographic hash of the software, at all times, so that independent people can verify things.
7) Optional: Take the original hash and use say the last so many bits from it to randomly select from a stack of pictures, or perhaps several pictures. The key part here is to create a visual representation of what the cryptographic hash is, at least in part. You can show this to the voter as a series of icons on the bottom of the screen say to the right of that hash, as an additional check on security. If all of the code that does this is in hardware, this provides an additional check to verify the software has not been modified that people might remember. Of course there are lots of variations of this, including just say making the last 4 digits of the hash bold, or whatever.
8) Keep the code open source. There is no particular reason this is 8; it could as easily be (1). If the CPU is a custom chip, it might require releasing an open source emulator so people can test it. Of course, most likely you are going to use some common CPU core, even if you, say, put the CPU/GPU on the same chip. Just to reiterate, the key with some of this being on the same silicon is to prevent tampering. If, say, the chip that verified the hash was elsewhere, then you might be able to just send an "it passes" signal for everything. Similarly, if the code that computes the hash or the encryption is elsewhere, you also have a vulnerability. By having everything security related on the same silicon, you can be reasonably assured that when it checks out the election software, it truly is secure.
9) You can argue with the need to be able to update these fast, and if you agree with that, then you might have to boot from a second source in order to update the flash, or whatever storage the device uses. All in all, though, I don't buy that argument. If you, say, put it on a flash device that is behind a seal, then you can as easily physically change the flash module. Of course, if you are going to allow a second booting source to reprogram the device, it had better pass its own cryptographic checks to ensure it comes from a trusted source.
10) Don't forget the paper trail. While, I've tried to make the previous ideas sound, I likely missed things. This is, after all, a relatively quick post, and I'm only one pe
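The boot check in items 4 through 7 of the post above, as an added example that is not the poster's code or any real voting machine's firmware. It uses a SHA-256 digest of the image and an Ed25519 signature over that digest (a modern stand-in for the "public key encrypted hash" the post describes; the idea is the same: the device holds only the public key and cannot mint a valid signature for a modified image). The image format, the icon palette for item 7 and the sample image bytes are all constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// BootImage is what the single boot source holds: the OS image plus a
// separate field carrying the signature over its hash (items 4 and 5).
type BootImage struct {
	OS        []byte
	Signature []byte // Ed25519 signature over SHA-256(OS), produced off-device
}

// GenerateKeys stands in for the key ceremony at the build facility. The
// private key stays there; only the public key is burned into the CPU.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage runs where the private key lives, never on the voting machine.
func SignImage(priv ed25519.PrivateKey, os []byte) BootImage {
	digest := sha256.Sum256(os)
	return BootImage{OS: os, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyBoot models the on-die ROM routine: hash the entire image, check
// the signature with the embedded public key, and return the hex digest the
// screen shows at all times (item 6) together with the boot decision. The
// digest is returned even on failure so observers can see what was loaded.
func VerifyBoot(pub ed25519.PublicKey, img BootImage) (string, bool) {
	digest := sha256.Sum256(img.OS)
	ok := ed25519.Verify(pub, digest[:], img.Signature)
	return hex.EncodeToString(digest[:]), ok
}

// iconPalette is a hypothetical "stack of pictures" for item 7.
var iconPalette = []string{"sun", "moon", "star", "tree", "fish", "bird", "key", "bell"}

// VisualFingerprint maps the last n bytes of the displayed digest to icons
// so a voter can compare the screen against a published picture sequence.
func VisualFingerprint(digestHex string, n int) ([]string, error) {
	raw, err := hex.DecodeString(digestHex)
	if err != nil {
		return nil, err
	}
	if n < 1 || n > len(raw) {
		return nil, errors.New("icon count out of range")
	}
	icons := make([]string, 0, n)
	for _, b := range raw[len(raw)-n:] {
		icons = append(icons, iconPalette[int(b)%len(iconPalette)])
	}
	return icons, nil
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample image standing in for the real election software.
	genuine := SignImage(priv, []byte("constructed sample voting OS image v1"))
	digest, ok := VerifyBoot(pub, genuine)
	icons, _ := VisualFingerprint(digest, 4)
	fmt.Printf("genuine image:  boot=%v digest=%s icons=%v\n", ok, digest, icons)

	// Someone with the device can rewrite the flash but cannot re-sign it:
	// flipping one byte changes the hash, so the old signature no longer verifies.
	tampered := BootImage{OS: append([]byte{}, genuine.OS...), Signature: genuine.Signature}
	tampered.OS[0] ^= 0x01
	digest, ok = VerifyBoot(pub, tampered)
	fmt.Printf("tampered image: boot=%v digest=%s\n", ok, digest)
}
```

The point of item 8 in the post is visible in the shape of this code: VerifyBoot is the only place the decision is made, and it must live on the same silicon as the hash and the embedded public key, otherwise a replaced part could simply return true.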
We also have to get rid of our expectations to know the winner of the election on the day of the election or the next. Sane people are willing to wait a few weeks to get all of the counting done I guess.
I read the internet for the articles.
I have a suggestion.
The goal of an electronic voting system is to ease the voting process for voters. The results of which, de facto, become public common knowledge (regardless of geographical scope) within a matter of hours following the vote (if not sooner).
This is my suggestion: Use ONLY publicly-available open-source code for the voting machine software.
This software must be reviewed by groups of seasoned software developers (5+ devs/group, number must be odd to prevent ties in decisions), each group MUST be endorsed by a political candidate, and each political candidate MUST endorse ONE group (to prevent intentional filibuster-style delays caused by opposed views from a political candidate's groups) of developers to review the code.
The code will be publicly available to the masses at all times, the code will be mirrored by servers physically located in each State, each political party must run an equal (or same+1) number of these servers.
The software must also be self-analysing, logging all changes in memory to disk, focusing on user-initiated events and foreign device activity (transferring files or running code from a USB key, for instance).
Results from all voting machines will be communicated using equally open-source protocols, as well as by telephone and/or authorized messengers (physical distance permitting).
----
Seriously, a voting machine should be as simple as "if (vote == 1) i++; else if (vote == 2) j++;".
The only remaining problem, if THAT is done properly, is ensuring the outcome is communicated honestly, both by the sender and the receiver.
how is babby formed?
In my district, where we still have paper ballots, we fill in the oval next to each candidate. Then, instead of putting the ballot directly into a box, we run it through a machine that tells us if we marked two candidates or otherwise invalidated the ballot. If the ballot is okay, it drops into the box. If you marked two candidates, the ballot is rejected and the voter has to fill out a new one.
Forensic evidence indeed. To prove fraud, you simply tally up the paper ballots. If the tally doesn't match the electronic total, fraud occurred. So simple.
Also, you can pinpoint exactly where and when and to what advantage the Diebold hack occurred. If we had such a system in place in 2004, there would have been hell to pay in Ohio. And it would prevent the upcoming hack in November, as they simply have to pinpoint individual precincts to alter -- no need to hack every machine. The pattern would be obvious if there were a paper trail.
Why else do you think Diebold has fought so hard to prevent paper trails at all costs? It makes no sense, as they would simply make more money with paper trails. Occam's razor: they know that the paper tally would not match their electronic tally, and HELL would break loose. In a rational country, this would be obvious. We aren't rational. The Republican faction in this country has a lot invested in these machines.
I agree with paper elections. I also think that digital machines can have a place in elections. You make your choices on a computer, the computer prints out the ballot. The ballot is plain english and human readable. Nothing computer readable, not even a barcode.
Actually India has a pretty good e-voting system:
Slate magazine pokes fun at America's continuing electronic voting anxiety by using India as an example of how to do things right:
While we in the United States agonize over touch screens and paper trails, India managed to quietly hold an all-electronic vote. In May, 380 million Indians cast their votes on more than 1 million machines. It was the world's largest experiment in electronic voting to date and, while far from perfect, is widely considered a success. How can an impoverished nation like India, where cows roam the streets of the capital and most people's idea of high-tech is a flush toilet, succeed where we have not?
Apparently India uses an incredibly simple technology that may not be as fancy as the machines here, but does the job well.
The result is a machine that looks like a cross between a computer keyboard and a Casio music synthesizer. In fact, it's not much of a computer at all, more like a souped-up adding machine. A column of buttons runs down one side. Next to each button is the name and symbol of a candidate or party. These are written on slips of paper that can be rearranged. That means unscrupulous politicians couldn't rig the machines at the factory, since they wouldn't know which button would be assigned to which candidate. Also, the software is embedded--or hard-wired--onto a microprocessor that cannot be reprogrammed. If someone tries to pry open the machine, it automatically shuts down. After much testing, India adopted the machines for nationwide use this year.
Why do our machines suck?
American machines, by contrast, may be vulnerable to wholesale fraud. Our machines are far more complicated and expensive--$3,000 versus $200 for an Indian machine. The U.S. voting machines are loaded with Windows operating systems, encryption, touch screens, backup servers, voice-guidance systems, modems, PCMCIA storage cards, etc. They have millions of lines of code; the Indian machines hardly any at all.
Falcon
Should there be a Law?
In any case: the American Democratic-Republic is certainly in bad shape -- it may be in the worst shape it's ever been -- but it's not clear to me that it's dead. It is possible, for example, that the Republican vote-rigging system can shave 5 points, but might have trouble shaving ten: with a big enough upwelling of disgust, with enough people voting against them, you just might see not only the House, but the Senate shift over to Democrat control.
Given that, it then becomes possible to hold actual investigations into some of nasty tricks the Bush regime has been pulling. I wouldn't hold my breath about an actual impeachment, but some nice long hearings grinding people's noses into the crap, we might start seeing some actual improvements.
Things like the Paper Ballot Act might actually become law...
Remember: "Democracy is coming to the USA"
Also, you can pinpoint exactly where and when and to what advantage the Diebold hack occurred. If we had such a system in place in 2004, there would have been hell to pay in Ohio. And it would prevent the upcoming hack in November, as they simply have to pinpoint individual precincts to alter -- no need to hack every machine. The pattern would be obvious if there were a paper trail.
In Ohio 2004, only 2 out of 88 counties used Diebold machines.
What's more, 68 out of 88 counties used manual punch card machines rather than any kind of electronic voting.
If there was really a "Diebold hack" there, it should be pretty damn easy to pinpoint.
Businesses spend how many billions of $$$ every year protecting trade secrets? But Diebold isn't like them because...they're in the voting industry? You sir, are not an ardent follower of Occam.
In the case of Diebold, they made this very clear before the 2004 election, when then-CEO Wally O'Dell said - in writing - to the Ohio Republicans that he would deliver their state to George Bush. He lived up to that promise, and there are good grounds to suspect that this wasn't at all accidental. They want their code secret so that we can't find out some of the things they've got hidden there.
From Mother Jones: "Diebold machines were used in only 2 of Ohio's 88 counties."
So how did Diebold's code 'deliver the state to George Bush'? Or are you just making stuff up?
Except for one problem - many states are demanding that Diebold add a paper tally to their machines, but are not willing to change the original contract.
For example, let's say you contract with an entity to offer a set number of widgets, and during delivery the entity demands that you provide more than the contract states without renegotiation of the contract. Would you provide it free of charge?
Neither will Diebold. Don't believe the conspiracy theorists. If Maryland and other states want a paper tally, all they have to do is pay for it. (Which is another matter all together as it was the "Help America Vote Act" passed after the 2000 elections that paid for the machines to begin with - now to "fix" them, Maryland and other states have to find funding elsewhere.)
I haven't lost my mind!
It is backed up on disk...somewhere...