Diebold Security Foiled Again

XenoPhage writes "Yet again, Diebold has shown their security prowess. This time they posted, on their website, a picture of the actual key used to open all of their Diebold voting machines. Ross Kinard of Sploitcast crafted three keys based on this photo. Amazingly enough, two of the three keys successfully opened one of the voting machines. But fear not, Diebold has removed the offending picture, replacing it with a picture of their digital card key. Take that, hackers!"

Still in business

[j00r0m4nc3r]

How can these guys still be in business? It seems like every couple weeks for the past 3 or 4 years I have been hearing about them screwing shit up, over and over and over and over again. Any other company would have been history long ago. What's with Diebold? Why don't they die?

Re:Still in business

[MagicM]

Why don't they die?

Because they're called Diebold. Not Diebold.

Duh.

Re:Still in business

[aquabat]

Two words: Government Contracts.

Re:Still in business

[gstoddart]

How can these guys still be in business? It seems like every couple weeks for the past 3 or 4 years I have been hearing about them screwing shit up, over and over and over and over again. Any other company would have been history long ago. What's with Diebold? Why don't they die?

That's because they aren't being viewed with a critical eye by the people buying voting machines.

The people who are making those decisions continue to want to have the voting machines in the face of all of the evidence showing how unsecure/not-tamper-proof these things really are.

Apparently, the government doesn't seem too bothered by a vendor who is selling a product which is completely insecure.

Cheers

Re:Still in business

[drinkypoo]

What's with Diebold? Why don't they die?

I believe the following will explain: "The company came under fire last year for a letter that Diebold CEO Walden O'Dell wrote as a fundraising pitch to Republicans. In the letter, O'Dell said he was "committed to helping Ohio deliver its electoral votes to the president." Diebold is based in North Canton, Ohio." (http://money.cnn.com/2004/08/30/technology/electi on_diebold/index.htm)

Frankly no one in power really seems to want a fair election. If they did, they'd be fighting these e-voting machines all the way - as there is absolutely no need for them.

Re:Still in business

"DieBold, Die" is German for "The, Bold, The" - Bob

Re:Still in business

[pilgrim23]

In the early 20th century, most cities had Trolly Lines. Most were electric. there was no need for road crowding, smoke billowing Buses. But Detroit realized building buses was a gold mine as long as City planning departments, the Mayor's urban task force and other such public servants could be persuaded to rip up the trolly lines. Thus our public leaders made decisions for the good of us all. The more it changes, the more it stays the same....

Re:Still in business

[elBart0]

Wow.
It was funny, right up until you had to explain it.

Re:Still in business

[jc42]

The people who are making those decisions continue to want to have the voting machines due to all of the evidence showing how unsecure/not-tamper-proof these things really are.

There; fixed it for you.

If you think the politicos making the purchase decisions are ignorant of the documented problems, you're incredibly naive.

Re:Still in business

[mspohr]

Actually, GM, Firestone, and Standard Oil went around to various cities and bought up the trolley lines, ripped out the tracks and replaced them with GM buses.

I believe they called it a "triumph of the free market". http://en.wikipedia.org/wiki/General_Motors_street car_conspiracy

Re:Still in business

[cheezedawg]

Halliburton's (specifically Kellog, Brown, and Root) involvement in Iraq is a part of the multi-year LOGCAP contract that they won in 2001 after a competive bidding process. This was the second time that they had won the LOGCAP contract- the first time was during the Clinton administration. The Clinton administration also awarded several other contracts to Halliburton, such as the logistical support for the military action in the Balkans, and praised KBR for their work.

You can choose to see this as a conspiracy if you want, but it doesn't make you look very rational.

Re:Still in business

[Tapi]

"But fear not, Diebold has removed the offending picture, replacing it with a picture of their digital card key. Take that, hackers!" Two words: Google Cache?

DieBold Security.....

[Prysorra]

To Boldy die where no security has died before!

Re:the only thing..

[jfengel]

Apparently they're not very good at that, either.

National Election Commision

[ghoul]

The way to get rid of election controversies is to have a national election commission like in India. India has a lot more voters than the US and a much lower level of education but it manages to pull off general elections a lot more cleanly and fairly just because the standards are same for all elections and all precincts. The decentralized form of elections might have made sense for the age of horse coaches but in the age of internet it is not too tough to have thge same standards everywhere in the US

Also why not have a paper trail .With a paper backup all fraud can be caught given enough time for recounts (again if elections are not controlled by local partisan officials they cant arbitrarily decide not to have recounts).

Re:National Election Commision

[ghoul]

BTW the last Indian general election was an all electronic election with EVMs used in all precincts.

Re:National Election Commision

[Midnight+Thunder]

Also why not have a paper trail .With a paper backup all fraud can be caught given enough time for recounts (again if elections are not controlled by local partisan officials they cant arbitrarily decide not to have recounts).

In many ways Diebold et al. are all showing symptoms of not realising that they are trying to add technology to the wrong part of the process. In many ways the punch card system or optical card reader systems are the better systems, since the paper trail exists before the vote is taken into account: WYSIWYG. The proposed solutions provide a paper trail as a result of the process, if at all. The problem with this is that the paper trail may not be a result of what you inputted.

Remember just because technology can be used for a process, it does not necessarily mean that technology is needed for the process. Technology is there to make a complex task simple, not the other way round.

Google

[Daemonstar]

Diebold has removed the offending picture

However, it remains (scaled down) in Google's image cache. :) Might not be of much use, but it is there.

Re:Google

[mastershake_phd]

Then get off your lazy ass and find it! It's the Internet.....

You mean- Then sit on your lazy ass and find it! It's the Internet!

Re:Google

[daddymac]

boingboing has a copy of the pic here.

New Vendor

[Divebus]

It's time to look at some other vendor for voting machines and whatever else they make. Our future is too important to leave to stumbling bumblers like that. Anything can be defeated but shouldn't be as easy as this.

Security through...

[griffjon]

Hey, at least we know they're not relying on security through obscurity!

This is a security company?

[Schraegstrichpunkt]

Do they even have any security-minded people working at this company? Publishing a picture of a real key is an understandable mistake, but why does the same key open every single voting machine?

Re:This is a security company?

[SatanicPuppy]

When you've only got seconds to doctor the votes, you can't be fumbling around with a big keychain.

Jeez. I'd have thought that was obvious... ;)

It's a pin-based lock?

[RyanFenton]

As long as it's a normal lock, like 90+% of the locks out there (likely including your own front door), then Lock bumping is going to allow just about any person, regardless of skill, to defeat the lock using extremely simple tools, in a matter of seconds, likely with no signs of intrusion at all.

Ryan Fenton

Re:It's a pin-based lock?

[morgan_greywolf]

And if it's not an it uses a registered or otherwise restricted key blank, like, say, a mailbox or P.O. Box key, then bumping is next to impossible because you simply can't get a blank without permission.

Re:It's a pin-based lock?

[bhsx]

Yeah, I guess if you were really serious about trying to rig an election it'd be hard to find someone with those skills... Oh wait...

Re:It's a pin-based lock?

[drinkypoo]

Last I checked, bridgeport operating was a specialized skill that actually pays pretty well in my area (Metro Detroit) because it requires some training and experience to actually know what you're doing.

Last I checked, it was called "milling", not "bridgeport operating". And you can go to a community college and gather the requisite skills in a three unit, one-semester class. Frankly milling is not very hard, it's not even slightly hard. The hardest part is remembering which way the table will move when you turn the crank.

In fact it's probably harder to get accurate measurements with which to make your own key than it is to actually make the key.

Frankly you don't even need to take a class. Everything you need to know is in the Machinery's Handbook, which is why it has over 2600 pages. All you need to know about appropriate cutting tools for different materials, feeds and speeds, it's all in there. It gives you the formulas AND the numbers to plug into them. But if you take that route, you will spend more time noodling around and fucking up than if you just take a class. Regardless, I received very little instruction on the vertical mill and was able to turn out some cute little parts that had no particular utility but were within half-a-thousandth tolerances. (We had learned the basics on the lathe. Most of the concepts are the same.)

Re:It's a pin-based lock?

[Tim+C]

it requires some training and experience to actually know what you're doing.

So? How much time do you think you have between elections anyway?

Undaunted

[imaginaryelf]

Our hero copied the smartcard from their photo on the website and keyed in the password 12345, the master password that unlocks all diebold machines.

Re:Undaunted

[ptbarnett]

Our hero copied the smartcard from their photo on the website and keyed in the password 12345, the master password that unlocks all diebold machines.

1 2 3 4 5? That's amazing! I've got the same combination on my luggage!

What concerns me even more

[Iphtashu+Fitz]

... is the fact that Diebold also manufacturs ATMs. Makes me wonder if my bank account is safe...

Re:What concerns me even more

[Stripe7]

Maybe that is how they stay in business. :D

Re:What concerns me even more

What, are you serious? You think they'd ever put out a system that would lose them money? Sure, every once in a while you hear about an ATM that had the factory default password still in place or took some common key but those are usually the fault of lazy/incompetent banks. Well, maybe not with the key.

But think about it, how often is it that anything errs in your favor? Bank magically gives you an extra $20? Phone company charges you at half rate?

Remember that story about the ATM that was pumping out $20s in place of some other bill? Free money right? Except they had records of every transaction.

If you want to worry about your bank account, place your worries on those holding your money.

Re:What concerns me even more

[wpegden]

No, fear not. Like you, the people up top are much more concerned about correctly counting pennies than votes. Rest assured, your bank account is much more secure than any of your "freedoms" or "rights".

Winner

[liak12345]

This time they posted, on their website, a picture of the actual key used to open all of their Diebold voting machines.

Diebold just won the golden "Are You Fucking Kidding Me?" Award of 2007.

Re:Winner

[imsabbel]

Dont they every year?

Re:Winner

[miro+f]

Sony won it for 2006

Re:Winner

[SeaFox]

We thought they would, but the votes came out strangely skewed for Sony in several key states.

Re:the only thing..

[truthsearch]

Funny how you only seem to be responding to the average media coverage and not the facts. Was no one interested or was the media (even non-mainstream) not interested? Plenty of investigations occurred. You apparently just didn't hear about them.

Re:the only thing..

[SatanicPuppy]

It's because the exit polling was a much closer match to the actual results, rather than having substantial irregularities or, as in the case of the 2004 election, actual instances of election fraud.

Having both sides being extremely skeptical of the computer returned election counts is the only thing keeping anyone honest.

Fear not, indeed

[ReverendLoki]

But fear not, Diebold has removed the offending picture [CC], replacing it with a picture of their digital card key.

Using this picture as a base, I have crafted three digital card keys...

Re:Isn't this...

[Physics+Dude]

Isn't this the same key that will open mini-bars?

Yes. From the article:

" ... and beyond that, it could be opened with the same keys typically used with hotel minibars and jukeboxes."

Florida House 13

[bloodstar]

Why are people ignoring what is going on in Florida House District 13?

The Rebublicans are claiming a 369 vote victory. However the EVMs in Sarasota county, reported an undervote of 18,000. or 1 in 6 of the total votes, which is much higher than the undervote in both the other counties and on average. Sarasota County also happened to be where the Democrat challenger won the vote by 6 percentage points (of the votes cast in that county).

There are some obviously severe issues with Electronic Voting, Particularly when there is no paper trail (as in the case for this district). Sure, there are ways to change the vote on a paper verification ballot, however large scale fraud becomes problematic to implement.

Links Below:
http://www.heraldtribune.com/apps/pbcs.dll/section ?CATEGORY=NEWS0521&template=ovr2
http://en.wikipedia.org/wiki/Florida's_13th_congre ssional_district
http://www.verifiedvotingfoundation.org/article.ph p?id=6423
http://www.cqpolitics.com/2006/12/the_cqpolitics_i nterview_chris_1.html

Re:Its from the please-think-then-vote dept.

[PeeAitchPee]

Perhaps you can explain why Maryland's previous Republican governor Robert Ehrlich fought against the Diebold machines tooth and nail, even asking for millions of dollars instead to support a traditional election process, only to have them rammed down his throat by the (Democratic) MD legislature and state board of elections? Our state elections administrator, Democrat Linda H. Lamone is still fighting their removal and even against adding a paper trail! Hell, she doesn't even want printers because she says adding printers to the existing equipment "would disrupt the voting system."

If you think the Republicans are the only ones who want to use Diebold machines to manipulate votes, you're an idiot.

Living up to the name

[Anon-Admin]

Determining
  Inaugural
  election
  Ballot
  Outcome (on)
  Lousy
  Data

DIEBOLD :)

You're barking up the wrong tree

[inviolet]

This time they posted, on their website, a picture of the actual key used to open all of their Diebold voting machines.

Voting machines should not be relying on physical security in the first place, because it is not practical to physically protect them 24/365. Their trustworthiness should be the result of double-handshake cryptographic authentications between the touchscreens, consoles, memory cards, and the central tabulator. Being able to open the cabinet should not be a vulnerability, because poll workers are invariably going to need to do so.

So, if Diebold machines implement proper authentication, then the cabinet key is not an interesting exposure. But if they don't (and we already know that they don't), then the cabinet key doesn't make them significantly more vulnerable than they already are.

Public Key?

[fahrbot-bot]

they posted, on their website, a picture of the actual key used to open all of their Diebold voting machines

I hear Diebold is looking into different security measures and is interested in this new-fangled "Public/Private" key stuff. Perhaps this was their Public key...

Google link

[SpaceLifeForm]

Link

The real world

[Kilz]

In the real world there are Election Judges. People who watch whats going on. This unlocking and tampering isnt going to happen in front of them. This is a proof of concept idea, and like a lot of them it takes some things for granted. Like "you will be able to do this and no one is looking, or will stop you". But in the real world that isnt the case. Try this in a real polling place and go to jail, go directly to jail, do not pass go , do not collect 200 dollars.

Better yet...

[eclectro]

A picture is worth a thousand votes.

Security... Paper Trail...

[Evets]

There are always a lot of complaints about the security of any Diebold voting machines. Then there's the constant complaint of a paper trail (my county now has paper-trail making diebold machines).

What people should be pushing for is a voting system on commodity hardware. There's no sense in putting a million dollars forward for a small amount of "proprietary" machines that are all crap anyways. The only reason for wrapping a software solution in proprietary hardware like this is security through obscurity.

Instead of complaining all the time about Diebold et all, what we should be doing is putting together a GPL voting solution. Once it is mature and stable, push our representatives to make the move.

I Think It's Great!

[Greyfox]

Based on Diebold's actions in this area I think they must be an extreme case of an equal opportunity employer! Most employers do not disciminate on the basis of Race, Creed and Color. Diebold has obviously taken this to the next level in that they don't disciminate on the basis of Ability, either. We shouldn't be slamming them! We should be applauding them for taking bigotry down another notch! If it weren't for Diebold all those guys would be out on the street or having to work in the exfoliating scrubber factory or something! Hooray, Diebold!

Re:the only thing..

[Sj0]

What does it matter who wins or loses a single election if you hold the keys to the gate?

It's troubling that so many people are such linear thinkers. It makes it really easy to pull off Machiavellian subterfuge.