Diebold Voting Machines Audited by California

Panaqqa writes "Diebold must be wondering what else can go wrong. Considering their arrogance in the past, their comeuppance is truly well deserved. The State of California's source code review [PDF] of the Diebold voting system has been released. Additional reports will be made available as the Secretary of State determines that they do not inadvertently disclose security-sensitive information. One wonders what it will take to convince voting machine manufacturers not to do things like hard coding passwords as '12345678.'"

Oblig...

[Tuoqui]

12345678... That sounds like the password some idiot puts on their briefcase.

Re:Oblig...

[brywalker]

12345678... AMAZING! That's the same exact password I have on my briefcase!

Re:Oblig...

[tverbeek]

The security code on my house alarm is 789456123... no one would ever guess that!

Re:Oblig...

[ilikejam]

2 444 66666 8888888

Re:Oblig...

[HiggsBison]

12345678... AMAZING! That's the same exact password I have on my briefcase!

AMAZING! That's the same exact password I have on my br...

Inconceivable!

Re:Oblig...

[Brian+Gordon]

Argh, what's the from?!

Re:Oblig...

[Martin+Blank]

It's a paraphrase from Spaceballs, when the king of Druidia hands over the code to the air shield.

Re:Oblig...

[Brian+Gordon]

Oh yes THANK you!

Re:Oblig...

Baah - 12345678 is 1000x more secure than 12345!!

Re:Oblig...

[Mysterious+Stranger]

Next time they should use the password 87654321.

Re:Oblig...

[Martin+Blank]

You're welcome.

And why I deserved an extra three karma points for that, I will never know.

Re:Oblig...

Oh, I don't know - I bet you $1000 I could guess it!

What's your address so we can settle the bet?

;-)

Re:Oblig...

1600 Pennsylvania Ave NW
Washington DC

Have at it!

Re:Oblig...

[dscruggs]

I'm partial to a number I found on a bathroom wall. It's 8675309.

Re:Oblig...

[ozphx]

Nobody said you deserved them.

Amazing.. truly amazing

[JustNiz]

how after all the many serious screw-ups and warnings that Diebold has had in the past couple of years, this report shows they still didn't do anything at all to improve the situation.

I often wondered how managers and CEO's that don't even have a clue get given companies to control. This level of obvious incompetence makes me wonder even more.

Re:Amazing.. truly amazing

[Vengance+Daemon]

I often wondered how managers and CEO's that don't even have a clue get given companies to control.

It's really pretty simple: Many companies are no longer run by the visionary people that started them, they are run by accountants and "risk managers."

Re:Amazing.. truly amazing

[beyondkaoru]

actually, it appears that all the voting machines that were audited in california were pretty bad, full of 'garden variety' mistakes and security flaws.

http://www.crypto.com/blog/ca_voting_report/

Re:Amazing.. truly amazing

Good piece of sarcasm there. Might be too subtle for the younger slashdot readers, though.

Re:Amazing.. truly amazing

[SoopahMan]

Because the metric they are measured by is not technical competence. Business people choose business people to lead technical businesses. Then they make bonehead technical mistakes. It could be argued that a non-technical person in charge of a tech biz is itself a bad business decision, but conventional business thinking would disagree with you. The leaders of the most successful tech businesses would certainly agree, however.

Re:Amazing.. truly amazing

[pipingguy]

Perhaps most "managers and CEO's" don't have tech backgrounds and think that fundamental problems can be solved with lawyers and more PR/better marketing. It's probably relatively easy to turn a blind eye towards problems and paper over them if one's only concern is money.

Re:Amazing.. truly amazing

[beyondkaoru]

mmm, i feel awkward replying to a reply like that, but anyway, it's matt blaze; i'd say it's pretty credible, and also was quoted in bruce schneier's blog. blaze is a reasonably well known security and cryptography guy. as far as the psychic powers thing goes, i think you just aren't getting his brand of humor (i have met him in real life, and he's kind of awkward sometimes, but funny)

Just use paper counting

[Lars+Clausen]

Voting machines are a technical non-solution to a non-existing problem. Counting votes by hand in public view is almost as fast, has much fewer things that could go wrong with them, and is intrinsically open to public scrunity like no machine system can ever be. Plus, it's cheaper. It works in Denmark, it should scale perfectly well to the US.

Re:Just use paper counting

[sommere]

Counting votes by hand works when there are one or two issues on the ballot. When you have ballots with hundreds of races, and ammendments, etc. It does not scale well.

Re:Just use paper counting

[Durrok]

Whenever a story on the voting machines comes up many people present your argument. I find it fundamentally flawed however as counting by hand is extremely inefficient. Not only is it a slow, labor intensive task but it is also open to human error and other technical issues (hanging chads, etc). There is no real point of denying it, computer voting is coming. Instead of saying "Oh this new system doesn't work in it's current incarnation, we should go back to the other method" we should be asking "The new method we are trying to implement is flawed, how should we change it?"

Re:Just use paper counting

[doom]

sommere wrote:

Counting votes by hand works when there are one or two issues on the ballot. When you have ballots with hundreds of races, and ammendments, etc. It does not scale well.

And you think that the electorate can make intelligent, informed decisions when asked to vote on hundreds of issues? Democracy doesn't scale well up to that level, that's why we're stuck with a Democratic-Republic [1]

Techie geeks have this amazing capability to focus on the wrong problem...

[1] Or we were, before the New Regime took over.

Re:Just use paper counting

democracy is also less efficient than totalitarianism. get over it.

Re:Just use paper counting

[Sparr0]

No, tradition is why we are stuck with a Democratic-Republic. I am a proponent of direct democracy via direct representation. In short, everyone gets to vote on every issue, or they can delegate their vote to a representative (who can then delegate all of THOSE votes, and so on). I am sick and tired of being "represented" by someone who doesn't share ANY of my views. Or worse, someone who actively promotes the interests of corporations over their own constituents.

Re:Just use paper counting

Working democracies are based on secret and unprovable votes and a transparent and voter verifiable voting process. The process is intentionally designed in a way which does not require anyone to trust anyone else. If you can come up with a computer voting system which does all that, let's hear it. Consensus among technology-minded people who have looked into the problem from a civil rights point of view seems to be that no computer voting system can work with secret and unprovable votes and at the same time be transparent and voter verifiable. (The basic idea is that, since computer systems are never verifiable as such, verifiability would have to come from being able to recount the votes in some independent way, but one would have to violate the secrecy or make votes provable to do that.)

Re:Just use paper counting

[c6gunner]

If the person wants to sit and the seat is up, possible ass contact with disgusting toilet water.

Ah, so you're a proponent of mass-suicide. Cool!

Re:Just use paper counting

[vidarh]

It is inefficient, but it doesn't need to be efficient, it needs to be accurate and efficient enough to be countable in a reasonable amount of time. And while an individual human is inaccurate, there is a paper trail that allowed another human or more to check the first humans work, which frequently or always does happen in most countries.

Hanging chads is a bullshit argument - I've seen nobody argue that it isn't acceptable to use a voting machine that produces a printed voting card that's guaranteed to be valid.

But for that matter, that's overcomplicating it. In Norway, voting is handled by pre-printed lists of candidates for each party (we have proportional voting, so in county elections each list may have up to 60 or so names on it depending on the size of the local council, in parliament elections up to about 20 depending on region), and while people may alter the lists (see below) the simplest way to vote that most people use is to simply pick one of the lists and drop it in an envelope that is then dropped in the ballot box.

A rough count is then done simply by counting the number of lists from each party. It is simple, and it is extremely trivial to count and recount, and since any party can provide observers or people to participate in the counts there is accountability: Anyone participating in the count is under constant scrutiny and doing the count out in the open where a number of people can see any attempt at cheating.

This system works for a country where typically at least around 12-20 parties raise lists for any election, depending on region and whether it's a local election or for parliament. For the US where you in most circuits have the choice between 2-3 candidates it would be trivial, and you could brightly color the list to make the count a total no-brainer. Handle other ballot issues separately.

There is some complication in counting the number of votes for candidates for a party, as the order of which candidates are assigned to the seats won by each party is determined by the number of votes for that person. By default that is the same number of votes as number of lists of the party, but the number can be increased or decreased by certain allowed modifications of the list. Depending on whether it's a local, regional or parliamentary election, this can include for example adding names of people from other lists, altering the order or striking people of your list.

Despite that it rarely takes more than a day to finalize the count and there are rarely conflicts over the results.

Don't even think about arguing about how this only works for simple elections. In a local election for a county with 50 councillors and 12 parties raising lists, that means probably tabulating votes and alterations for at least 600 people (often somewhat more, as you also elect a number of people as stand in's in case of sickness or other valid leave), which includes fractional votes (if you add someone from another list to the list you vote for, a proportional fraction of your vote is transferred to the list of the candidate you add)

Re:Just use paper counting

[houghi]

If it ain't broke, don't fix it. Voting by hand is not broke, so why fx it?

The ONLY reason to fix it, is so it can be 'fixed' or so we can watch the outcome on the evening news, instead of two days later.

Re:Just use paper counting

[joseph449008]

As long as there is a way to manually audit the machines at random (a paper trail) I think computer counting is fine. Exit polls also act as a sort of double-check, but then, Kerry won the exit polls in 2004.

Re:Just use paper counting

[doom]

or they can delegate their vote to a representative (who can then delegate all of THOSE votes, and so on).

Interesting. In your system, would I have to hand all of my votes over to a single delegate, or could I sub-divide the issues among multiple delegates?

In any case, I think if you game it out, what ends up happening is that the delegates need to form voting blocks to get anything past the other delegates, and you end up with extreme levels of compromise going on to the point where your input into the system becomes nearly unrecognizeable... not unlike the American system of representative democracy.

(Or at least, that's the way representative democracy worked some decades ago, before it became totally corrupted. Part of the trouble is it's hard to distinguish the "normal" level of compromise from "representatives" that are only pretending to represent you.)

Re:Just use paper counting

[vidarh]

Sure it does. In a typical local election in Norway, a largish county essentially will have to tabulate votes for 500-600 candidates (there are 63000 candidates for the next local elections in Norway, or about 1.4% of the population), which include fractional votes (transferred from other lists, as you can vote for a party, but still "tack on" your favorite candidates from other parties to give them a fraction of your vote). Despite the complexities of that voting system (it's a proportional system with lots of little wrinkles like the partial transfer mentioned), the results rarely cause conflicts or recounts and the results are generally complete or close enough within a day. Since vote counting is a trivially parallelisable problem, I simply don't see the problem.

Electronic voting is a "solution" that's only on the table due to massive lobbying from companies seeking to cash in on it that's managed to coopt the debate over how to fix a flawed paper system that would've been trivially fixable just by altering the ballots used.

Re:Just use paper counting

[Brett+Buck]

Well, obviously, it was a very serious problem in Florida in 2000. Ultimately it was proven, even by partisan hacks, that Bush would have won, but it would have taken 6 months. So paper vote counting certainly is a "problem".

      That doesn't mean that electronic voting is the solution, of course.

        Brett

Re:Just use paper counting

[Grave]

I'm guessing you're from Norway, so I'll excuse you for not understanding how American government works. You see, the people we elect to "represent" us believe that existing laws are meaningless if they themselves did not write them the previous term. So any issues that arise will need entirely new legislation drafted, often with the help of the corporations and lobbying groups that funded their campaign. Hence, a simple fix to a broken paper ballot system isn't sufficient. No, we need entirely new laws and methods to be created, and make them as expensive as possible while sounding as awesome and clever as possible. Also, at least one additional item must be added to each piece of legislation that is totally unrelated, such as funding for a new music program for the local deaf and mute school. This way if the bill is blocked, the representatives who supported it can slam those who didn't for not caring about "the children" during the next election. That's how we do things in America. Brilliant, isn't it?

Re:Just use paper counting

[vertinox]

"Oh this new system doesn't work in it's current incarnation, we should go back to the other method" we should be asking "The new method we are trying to implement is flawed, how should we change it?"

Forging, destroying, or disposing of 100,000 paper ballots can be done but it is rather hard and time consuming.
Forging, destroying, or disposing of 100,000 electronic ballots can be done and with only a few keystrokes.

The thing is, most of the people nay saying the loss of paper ballots aren't Luddites but are often the people who know technology well enough to understand what can potentially happen if there is a breach of security.

If electronic voting does happen it needs to print a paper receipt so not only will they have to smash a hard drive or two but also burn a few truckloads of paper ballots.

Re:Just use paper counting

[Qzukk]

or could I sub-divide the issues among multiple delegates?

I think subdivision would work best, though at that point, you're basically voting on individual issues in the first place, except instead of personally voting on each issue, you're voting on representatives for each issue. It'd also introduce interesting difficulties, for instance, how do you ensure that when you assign your vote on abortion issues to a given representative, that that representative only spends your vote on abortion issues? There's also issues of making sure that you don't end up voting through two representatives on an issue.

If the problems could be worked out, it would pretty much fix most of the major problems with representative democracy, the worst of which being voting for people that don't represent you on many issues just to get your voice heard on one or two.

Re:Just use paper counting

[doom]

If the problems could be worked out, it would pretty much fix most of the major problems with representative democracy, the worst of which being voting for people that don't represent you on many issues just to get your voice heard on one or two.

I think I see what you're going for, though as I've already outlined I think in actuality you'd find problems with your system that are very similar to what we already have. The EFF delegate would keep explaining to the troops that they just had to compromise on those DRM issues in order to get the RIAA delegates support on those privacy issues, and so on.

One advantage of your delegates, though, is that it would be easier to fire them.

(I send notes every couple of weeks to Nancy Pelosi begging her to just impeach the bastards, and it's getting old...)

Re:Just use paper counting

[jon_anderson_ca]

Simple solution: stop burying things hundreds of check-boxes deep.

It's like "that movie" (you know, the one with the lawyers): the defence counsel receives hundreds of boxes of paper from the prosecution, so they know that there's something of consequence in them; they just can't find it.

I mean, really, does the average voter really know or care whether the State should use 7" or 8" pipe for its water mains (silly example, but probably not outside the realm of what's been voted on). This is why representatives and a professional civil service exist: for opinions, ask the former (who, presumably, should know/care what their constituents want). For technical/professional decisions, ask the latter (who, presumably, are competent enough to be hired in the first place).

Re:Just use paper counting

Agreed. It's amazing that a highly valued part of our government process is constant being separated from us. Voting is the very basis of our form of government and we're worried about spending money on it? It seems to me confidence and public awareness would be at an all time high if the public were kept in the system. Of all excuses money? Don't build the extra nuclear sub, or meaningless bridge, and start unmentionable culture-breaking wars. Then there is efficiency. So what, hire more people to count if you need it sooner, at least it would generate some jobs. Voting is the most important part of our government structure, as it allows the public to interact and see the system work. It would definitely be a confidence builder. If the rest of government can be inefficient, never mind the candidate spending, why not something so necessary as our voting process, its not like it happens every day. Besides, why are they so bent on separating us from the voting process, if not to manipulate it?

Voting Machines:
You were so busy trying to prove that you could, you didn't think whether you should! -- Jurasik park

Re:Just use paper counting

[Qzukk]

The EFF delegate would keep explaining to the troops that they just had to compromise on those DRM issues in order to get the RIAA delegates support on those privacy issues, and so on.

You have a point, if the design isn't careful, we just end up trading one Congress for another. I think we can cut down on vote trading by requiring the candidates for delegation to register for some subset of related issues, so the EFF would not vote on issues that the RIAA would deal with except in those cases where their interests overlap. Then for any given item, people can choose to have a delegate they feel represents them on that issue (out of a field of delegates that can only vote on such issues), cast their own ballot, or decide not to vote.

The final goal could be an automated system of government... everyone enters their preferences into the machine, and the computers sort out each bill, tallying up everyone's vote based on their preferences. Scary ;)

Re:Just use paper counting

[geoff+lane]

People keep saying that computerised voting will eventually work. Yet report after report just proves that computerised voting is much, much worse than any of the alternatives. A vote is too important a thing to waste as test data on an alpha implementation.

It would be interesting to know why computerised voting can't count. Counting is one thing that a computer can do well.

Re:Just use paper counting

[Compholio]

(The basic idea is that, since computer systems are never verifiable as such, verifiability would have to come from being able to recount the votes in some independent way, but one would have to violate the secrecy or make votes provable to do that.)

Paper Printout:
-------------
Thank you for voting! Your democratic republic is at work!

Your transaction ID is:
wxC9!2@67Azs

Your vote was counted toward:
Bob

Please keep this receipt and visit www.CheckYourVote.com or call 1-800-CHK-VOTE to confirm that your vote was properly counted. If your vote was not properly counted, or was improperly disqualified, then you will need to take this receipt to your local election office.
-------------

Re:Just use paper counting

[david.given]

Your vote was counted toward:
Bob

Good day, Mr. Smith. Mr. Jones would like to see your voting receipt now. Naturally I am sure that you voted as agreed in our little business arrangement, because if you didn't, Mr. Jones will be very upset...

Re:Just use paper counting

[yoyoq]

hanging chads was a problem with electronic counting , not hand counting.

Re:Just use paper counting

[DragonWriter]

Whenever a story on the voting machines comes up many people present your argument. I find it fundamentally flawed however as counting by hand is extremely inefficient. Not only is it a slow, labor intensive task but it is also open to human error and other technical issues (hanging chads, etc).

Um, hanging chads are a problem with with ballots designed for machine counting that are resolvable only by hand counting, not a problem with ballots designed to be counted by hand.

There is no real point of denying it, computer voting is coming.

What kind of machine (if any) you produce a ballot on is a logically orthogonal question to how the ballots are counted. Computer voting can be done with hand counted ballots. Hand-filled ballots can be counted by machines. Whether ballots should be counted by machine, and what kind, and what kind of relation that machine should have (if any) to the production of the ballots are all open questions that cannot just be waved away out of the discussion.

Instead of saying "Oh this new system doesn't work in it's current incarnation, we should go back to the other method" we should be asking "The new method we are trying to implement is flawed, how should we change it?"

And the answer to that may well be "we should change it back into the old way". Or it may not. But its certainly a valid response, and you've provided no counterargument to it except that you apparently don't like the option even being considered and wish people would eliminate it without thought.

Re:Just use paper counting

[gcauthon]

Computer systems are not verifiable? Since when? And why would we be doing a recount? A recount is performed when it's suspected that someone miscounted the votes. When you do a calculation in calc.exe, do you perform the calculation twice so that you can double-check the results? A recount on a computer-based voting system would be equally stupid. Uhh, how many files are in that folder? Better count again to make sure... sometimes the files stick together... Even assuming a recount is needed, what secret/private information would the computer recount need that the old-fashioned ballot recount didn't?

Re:Just use paper counting

[MtViewGuy]

In Sacramento County, California in the USA during the last major election, they went to mark-sense paper ballots where you fill out your selection in PEN. The markings on the ballot are large enough to be read by both electronic optical readers and hand counts in case a close election requires one. Mind you, the big downside was that the paper ballot ended up being a HUGE sheet of paper where you had to fill out both sides, though.

Re:Just use paper counting

How do you check that a computer that I put in front of you does what I say it does? Can you make sure that it will not do something entirely different now? When the next voter votes?

For a recount, you would need something that you can count and can't be manipulated. As you correctly noted, there's no point in recreating the first result if you have no data which has the potential of leading to a different result. This "something" that you need to count would have to be the votes, but since you can't identify who voted for whom, the votes are just arbitrary numbers. "A vote for candidate C" can't be trusted unless the voters can observe that the "ballot box" hasn't been tampered with. With paper ballots and real ballot boxes, voters can make sure that the ballot box is empty at the start of the election and that only one ballot per registered voter enters the box. They don't need to trust anyone, because they have the right to observe all crucial steps of the election. An electronic ballot box cannot be observed. Voters have to trust that the person who cleared the card didn't preload it with votes. Voters have to trust that the machine counts the vote for the right candidate and doesn't drop or alter votes.

In these discussions, someone usually mentions cryptographic methods which enable a voter to check that his vote was counted correctly. These schemes usually also enable the voter to prove that he voted for a certain candidate. That is unacceptable because it enables coercion. The slightly more advanced version gives the voter as many tokens or hashes as there are candidates, each "proving" a vote for a different candidate. Only the voter knows what the token for the actual vote is. Let's assume that this enables the voter to check his vote, but that it also enables him to believably pretend that he voted any other way. Then nobody else can verify that that voter's vote was counted correctly. Consequently you have to trust everybody else that they checked their vote and didn't change their mind after the election. The only way to solve this is to make all steps of the election observable. Otherwise you need to know things that must not be known in a proper election.

Re:Just use paper counting

[gcauthon]

In reply to all of that... I would simply review the source code and circuit diagrams. The point of my post was that having an open system makes a system more reliable and improves secrecy, not the other way around. The post before mine was trying to imply that openness and secrecy were mutually exclusive. In any voting system, you should be verifying the system itself, not the act of voting. If you know everything about a computer system, then yes you can prove with mathematical certainty how it will behave. It's not a crystal ball, there actually is some science behind the curtain.

Re:Just use paper counting

[Sparr0]

All votes to a single person. Your representative. Subdivision requires, among many other complications, someone to divide the issues to be voted on.

As to your conclusion, I disagree. Voting blocks are the thing I want to eliminate. If my representative starts voting against my interests in order to trade votes with others, then I pick a different representative. The goal is to end up with every vote being cast in the way the citizen would have cast it themselves. Of course that won't happen, but it could be quite close. There must be a few hundred people out there who would vote with me on at least 99% of issues. I imagine that among republicrats the numbers are much higher, possibly with millions willing to be represented by the same person. ONE of us could represent the rest.

Re:Just use paper counting

It is election day. There is a computer in front of you. You're supposed to vote. How do you verify that the computer in front of you will do what you expect it to do? Are you going to open it up, review all layers of the circuit board, the binary code, all masks of all microchips? No, you can't verify that the actual voting machine in use on election day works correctly, hasn't been fed false data and that the result will be extracted correctly. You have to trust that it was stored in a secure location, that all people who handle the machine are trustworthy, etc. etc.

Re:Just use paper counting

[CastrTroy]

Americans vote in November, but the guy who's elected doesn't get into office until January. For some unknown reason, they need the results within 2 hours.

Re:Just use paper counting

[iluvcapra]

• Today and today only! 1230 AM is offering $2 for every election receipt you give us with "Bob" on it!
• Come on in to mattress warehouse for our election day special! Get a free comforter with your mattress if you have a receipt for "Bob"!
• Boss: Everybody vote today? Let's see your receipts! Uh... I wanna make sure you're all participating.

If you put a voter's choice on the walk-away receipt, you commoditize the election completely, since the receipts become a call on a vote. You can print the choices on a sheet of paper, but it must be private to the voter and have no personal IDs or other data on it between the voter and the ballot box. No information associating a voter with a vote must leave the polling place.

Re:Just use paper counting

[smash]

You can review source code all you like, you're still trusting that the supplier of the source code gave you the code that was used to generate the voting machine software in use.

Re:Just use paper counting

[CryBaby]

I find it fundamentally flawed however as counting by hand is extremely inefficient.

Inefficiency is not intrinsically a flaw, it's simply an attribute. Whether or not it's a flaw depends on the context. If we're talking about a for-profit business venture, then inefficiency is probably a flaw, but we're talking about a vote counting process. Inaccuracy is a flaw, and anything that might lead to inaccuracy such as the vulnerabilities found in all current electronic voting machines, but inefficiency doesn't prevent the process from achieving its goal (an accurate vote tally), so it's clearly *not* a flaw.

Not only is it a slow, labor intensive task but it is also open to human error and other technical issues (hanging chads, etc).

Oh boo-hoo. The last time I checked, human error and hanging chads cannot be automatically propagated across any number of voting machines in the form of a virus designed to alter the outcome of an election. And who cares if the process is slow and labor-intensive? Again, this is not a business we're talking about. Efficiency just isn't very important. Correctness, confidentiality, integrity and the ability to accurately assess security risks are important.

There is no real point of denying it, computer voting is coming.

That is an outrageous statement. It's like saying "there's no real point of denying it, global warming is going to melt all the polar ice so we might as well get used to it and not bother trying to fix the problem." I'd rather do the obvious,

Instead of saying "Oh this new system doesn't work in it's current incarnation, we should go back to the other method" we should be asking "The new method we are trying to implement is flawed, how should we change it?"

Easy answer: don't use the new, flawed system. Use the existing system that has fewer flaws, is better suited to the task at hand, and carries a vastly lower overall risk. Your logic is backwards. Instead of saying, "we should replace all of our voting machines so let's come up with a better replacement" we should say "if we can find a better way to conduct our voting process, let's use it". So far, a better alternative has not materialized.

Re:Just use paper counting

[Lars+Clausen]

Slow? No, we get our results the same evening *and* we get an extra count the next day. Prone to human error? Since it's open to the public, there are many eyes checking for errors. Sounds familiar? Hanging chads? I suppose there could be votes that are pencilled in in an uncertain manner (note no machines for marking the vote either, we've seen just how much this helps), but with multiple independent verifiers those can be sorted out. It also scales well with the number of people voting and costs very little.

The only real problem I can see is if somebody were to try to bully everybody during the counting process, but if that happens, I'm not sure the country is ready for democracy.

Duuuuuuude!

[iknownuttin]

12345678... AMAZING! That's the same exact password I have on my briefcase!

We have a psychic bond! I use that exact same password on my luggage and machines!

We're password buddies!

Eeeeeeek

[GTarrant]

Imagine if Diebold, one of the major manufacturers of bank ATMs, hard-coded the passwords to every ATM as "12345678", or insisted to every bank that they couldn't get an ATM that gave people paper verification of their transactions, or that they couldn't guarantee to the bank that the internal records ATMs were reliable, and couldn't give any assurance that they were at all secure.

They'd never sell a single one. No bank would accept an ATM that couldn't accurately track the thousand or so transactions that they see each day, or that anyone could gain control of by typing in a few keys followed by "12345678".

And yet somehow (through much campaign cash, etc.) they managed to convince politicians that all that stuff would be too hard and unnecessary in voting machines, despite the technology already being available from the same company. That it's not hard to count accurately millions, even billions, of dollars in transactions each day, but that it's too hard to simply increase by one the count in the proper register to greater than a few percent accuracy. And despite numerous security incidents, they are still fighting tooth and nail these simple things.

I'm not convinced electronic voting is necessary...but I'm wary of any politician that keeps trying to tell me there's no need to increase the security of such systems. Unless they say they're OK with their own banks using that kind of security, voting shouldn't use it either.

Re:Eeeeeeek

[xiard]

That's a good point. Admittedly, though, the issues are somewhat different. If you could issue a magentic unique card to each voter, with a PIN that the voter picked, and have every voting machine hooked up to a network enabling real-time guaranteed transaction against a centralized voting database, then I'm sure you could get the same kind of accuracy as ATMs.

There's also the substantial issue of the requirement to handle processing all voters on the same day within a certain number of hours. That requirement, along with the rarity of elections, requires that you have a very large number of voting machines that are not permanently installed in a particular location. Imagine the logistical nightmare of having to quickly install thousands upon thousands of temporary ATM machines, hook up communications so they can communicate over a network in a completely secure fashion, have them work perfectly for 12 hours or so, and then uninstall them and put them back in storage.

I'm certainly not saying it couldn't be done, by any means. But comparing voting machines to ATM machines isn't exactly comparing apples to apples.

Re:Eeeeeeek

[lexarius]

Idea: install the voting machines permanently, all over the place. Let people vote whenever they feel like, within about a month of the normal voting date, and see real-time results. The rest of the time, the voting machines can serve as terminals through which people can walk up and inform their local, state, or federal representatives of their opinions on various issues that will be discussed/voted on soon. Maybe even let the people actually vote on things.

Of course, DieBold shouldn't be allowed to touch this kind of thing, and someone will find a way to abuse it, but probably not any worse than we've got right now. I hope.

Re:Eeeeeeek

Search for ATM hack on Google. Several ATM vendors publish default master passwords in their manuals. We know how often people change default passwords, so it might as well be hard coded. I also wouldn't be surprised if a source code audit of ATM code turned up either a hard coded back door. How else would ATM owners reset their master password if they forget it?

Re:Eeeeeeek

[xiard]

I'm totally with you. I think that was kind of where I was heading with my previous comment. Once you add in permanence and remove the time crunch, accurate electronic voting becomes much more feasible. Hell, you could even allow people to change their vote if they change their mind during the course of the (more drawn out) election. And I love the idea of it being a permanent feedback mechanism. I could actually envision a further extension. Come up with a secure way to handle it all over the internet, including the inclusion of the physical security token (i.e., the "ATM card" would need to be part of the process when voting or providing feedback). While I don't like the implications for personal privacy (that is, it is close cousins with the concept of a national identity card), I like the overall concepts of increased feedback to our elected representatives, improved security for voting, and ability to factor the actual voting process out from the "voting precinct". And if done correctly, the physical token could be tied to "a" unique identity, not "your" unique identity (thus providing anonymity while still ensuring one vote per person).

Re:Eeeeeeek

[teaserX]

Why not just add the option of voting to the transaction list on existing ATM's?
I can't be the first guy to think of this, can I?

Re:Eeeeeeek

[xiard]

I thought about that, but it seems like the immediate problem would be the sheer number of people needing to vote. ATMs are feasible because the percentage of people that need to get money out at a particular point in time is relatively small. Imagine everyone in your neighborhood going down to Kroger to try to vote before heading into work. It would never work, particularly considering how long it can take to vote when there are a lot of candidates and a lot of issues. Think about how many voting machines there are in your polling place, and how long the line is even with that many voting machines. That's why you need the concept of stretching voting out over a longer period of time, to reduce the load on a smaller number of permanently installed machines (which, like you say, could potentially even be the ATM machines).

Re:Eeeeeeek

[iluvcapra]

Let people vote whenever they feel like, within about a month of the normal voting date, and see real-time results.

Ebay effect would take over -- people would watch how the early people were voting and then mob the machines in the last hour.

Also, the effect of having a polling place in a public area under constant supervision has its benefits, as it can (can) positively prevent electioneering and vote tampering, as the entire process is mediated by responsible individual persons. If the process is computerized, it's almost impossible to assign blame when something goes wrong. When it's all manual, you can positively throw people in jail if they screw up, and people who volunteer for election poll work are generally receptive to the disincentive of jail time (unlike computers or Diebold executives).

Secure Cellophane Bank Vaults

It's a step in the right direction, but really, is an audit even needed?

This is like building a nylon tent to hold your valuables, then performing an audit to evaluate the strength of its zipper. The entire concept is idiotic from the start.

There's a simple solution to voting machine security: use paper ballots. The machines can help you fill them out, but the result should always be a paper ballot which is the authoritative record of your vote. Simple, easy, secure. Why isn't this being done? Who knows, but it's clear the concerns of the people in charge are something other than correct vote counts.

Re:Secure Cellophane Bank Vaults

[zippthorne]

It seems simple, but they mess that up, too. Some counties, for instance, decided to require the ballots to have holes punched in them, and since you can't expect a person to be strong enough to punch a hole in thin card-stock, the sheets were pre-weakened. This was still not sufficient as evidenced by the 2000 presidential election.

Though to be fair, in the two counties I've ever lived in in two different states, they've both used paper ballots marked with indelible marker for the elections I've voted in.

Re:Secure Cellophane Bank Vaults

[Loconut1389]

machine prints two copies with blacked boxes (for optical scanning), a 2D barcode that is a dump of the votes, and another that is a one way hash- voter verifies both pages (blackened boxes) and gets/keeps a print of the hash, puts full ballot each in separate boxes. recount various districts by randomly either 2d, optical, hand, etc- machine fraud and errors should be easy to catch. users should be able to take their hash to any machine, re/'vote' and have it validate the hash- even after the election.

Re:Secure Cellophane Bank Vaults

If barcodes are used, the recounts must be mandatory for all districts. They must take a random sample, then for each sampled ballot compare the barcode to the user-verifiable portion. If any mismatches are found in a district, that district must have a complete recount based solely on the user-verifiable portion. (Discarding ballots with mismatches is not an option, since a malicious voting machine would just write incorrect barcodes on ballots it didn't like).

If a user-verifiable hash is used, it will still let people be coerced into voting a certain way (assuming a third party can take the hash and verify it). There are ways to get around this -- like a multi-password algorithm that uses different passwords to confirm different vote sets (only one of which is the real one) -- but that might make the system too complicated for voters to use.

(Coercion is already a problem with absentee ballots in existing election systems.)

fortify?

[larry+bagina]

We also used the Fortify static analysis tool to identify potential problem areas that warranted further manual investigation.

If I'm not mistaken, Fortify analysis showed more problems in the Linux kernel than in the Windows NT kernel, but most of the linux problems were later shown to be shortcomings with the automated analysis, not a design/programing flaw in Linux.

Diebold may have problems, but the use of Fortify (or similar) doesn't convince me.

Re:fortify?

[vidarh]

Didn't you even bother to read the sentence you quoted yourself. Fortify was used to find areas to investigate manually. These tools do have many shortcomings, but they do also find many legitimate problems. Using them to find starting points for manual investigations you might otherwise overlook is exactly the right way to use them. Believing them to produce a laundry list of actual problems is, as you pointed out, not.

Jeb Bush Fla.

[mikeabbott420]

Just because Jeb Bush fought so hard against paper trails is no excuse for conspiracy nuts to go wild. Please remember I said that when the time comes to round up the disloyal.

Re:Jeb Bush Fla.

[rednip]

Sorry, but to prove your loyalty, you need to go past simple 'water carrying' statements and pledge your support for the Republican party, you can find the text here.

Some code howlers from TFA

[noidentity]

From AV-TSX bootloader code:

void GlibPutPixel(UINT xx, UINT yy, Pixel_t Color)
{
// Check for library not initialized or (x,y) out of range
        if(FrameBuffer != FALSE || (xx < USER_X) || (yy < USER_Y))
        {
// Compute the frame buffer offset and write the pixel
                FrameBuffer[FB_OFFSET(xx,yy)] = Color;
        }
}

TCHAR name;
_stprintf(&name, _T("\\Storage Card\\%s"), findData.cFileName);
Install(&name, hInstance);

First uses logical OR instead of logical AND to check boundaries, second writes a string where there is only storage for one character!

Re:Some code howlers from TFA

[DaleGlass]

To add to that, if ( FrameBuffer != FALSE ) probably intends to check whether it's a NULL pointer, but NULL isn't guaranteed to be (void*)0. Probably harmless if it happens to work right on that particular architecture, but should they switch to something else it'd be trouble.

Re:Some code howlers from TFA

Rubbish. NULL is simply defined as

#define NULL 0

possibly with a pointer type.

As the '98 standard puts it:

[diff.null]
C.2.2.3 Macro NULL
The macro NULL, defined in any of <clocale>, <cstddef>, <cstdio>, <cstdlib>, <cstring>,
<ctime>, or <cwchar>, is an implementation-defined C null pointer constant in this International
Standard (18.1).

Take a look in those header if you don't believe me.

Re:Some code howlers from TFA

What part of "implementation-defined" do you not understand? While (probably) every current implementation defines "NULL" as "0" (possibly type-cast to "void*"), there is nothing in the standard that mandates it. You could come up with your own implementation and define "NULL" as whatever the fuck you want.

Re:Some code howlers from TFA

[noidentity]

FALSE is fine since an integral constant of the value 0 is implicitly convertible to a pointer of any type (this applies to ISO C, C99, and C++ as far as I know). This happens at compile-time, so it's easy for the compiler to provide the appropriate implementation-specific (and even pointer-type specific) representation for a null pointer. As far as I know, you don't have to use NULL (and in fact, Bjarne Stroustrup recommended using plain 0 in C++). As I understand it, the main value of using NULL is readability and a little more safety when naively passing NULL to a vararg function that expects a pointer (though it's still probably not fully safe since pointers of different types can be represented differently, thus a null void* may not be a substitute for an int* or func pointer).

Re:Some code howlers from TFA

The standard does not say "implementation-defined" but "implementation-defined C null pointer" which means, contrary to your suggestion, you cannot define it as "whatever the fuck you want".

Re:Some code howlers from TFA

[Jimmy_B]

To add to that, if ( FrameBuffer != FALSE ) probably intends to check whether it's a NULL pointer, but NULL isn't guaranteed to be (void*)0. Probably harmless if it happens to work right on that particular architecture, but should they switch to something else it'd be trouble.

I have heard this claim before, but I have never seen any evidence that it's true. Every major compiler and every compiler I've used has had NULL=0, and using if(ptr) to mean if(ptr!=NULL) is a very common C and C++ idiom. Any platform that had a non-zero value for NULL would find that most C code would break. I don't have time to go digging through the standard, but I would be shocked if nonzero values for NULL were allowed.

Re:Some code howlers from TFA

[Fuzzy+Eric]

Although "# define NULL 0" means replace source instances of "NULL" with source of "0", this doesn't mean what you think it means. The constant "0" used in a pointer context is syntax for the semantic "null pointer". It provides no insight into the representation of the null pointer. This is a common error because "null" and "NULL" are overloaded in the syntax, semantics, and description of C and C++. These words can mean:

A) The abstract language concept "the NULL pointer", defined to be a pointer that specifically points *no where*. It is language illegal for there to be an object at the target in this use of "the NULL pointer".

B) The internal or run-time representation of "the NULL pointer", which may or may not be zero when interpreted as the bit pattern of an integer, and which may be different for different pointer types. This representation is implementation defined and shouldn't be visible to programmers because they use...

C) The language syntax for "the NULL pointer" which is "0" used in any pointer context -- initialization, assignment, comparison, or argument in a prototyped not-varargs-ed function call -- except for un-prototyped function calls and varargs arguments, where "0" or should be cast to the correct type.

D) The NULL macro, which you mention, which only works because the language is already performing the translation magic on the source "0".

E) And other unrelated uses as (1) "the null character", ASCII NUL, whose magic syntax is '\0'; and (2) "the null string", "\0" (as a sequence of ASCII values), whose magic syntax is "".

The fundamental *failure* of representing the NULL pointer with a value whose integer interpretation is zero is that you can't point at physical address zero with a non-NULL pointer. So, a v86 pointer to the interrupt table (starting at physical address zero) is a NULL pointer on any compiler that represents NULL as an all-zeroes address.

Sane *implementations* pick some valid address in the subsequent object code to be the implementation address of the NULL pointer. Then comparisons are to an address that can actually be guaranteed to not be the address of an object. This breaks passing NULLs between separately bound object modules (binding is typically rolled into the last stage of linking-to-an-executable in current PC compilers) unless NULL will live in a common library (in which case it can live in the binding library). Passing NULLs between processes is entirely outside the scope of the C/C++ standards and therefore any guarantees have to be made by whatever mechanism marshalls/unmarshalls values for inter-process calls. (This can be done by having a special encoding for a pointer that compares NULL in this process, that is unwrapped to the NULL representation in that process.) ... and I've wandered a bit off-topic.

In any event, you've over-assumed what "0" means in the code you cite.

Re:Some code howlers from TFA

[Fuzzy+Eric]

From Frequently Asked Questions in comp.lang.c, Section 1, 1.14: "Seriously, have any actual machines really used nonzero null pointers, or different representations for pointers to different types?":

The Prime 50 series used segment 07777, offset 0 for the null pointer, at least for PL/I. Later models used segment 0, offset 0 for null pointers in C, necessitating new instructions such as TCNP (Test C Null Pointer), evidently as a sop to all the extant poorly-written C code which made incorrect assumptions. Older, word-addressed Prime machines were also notorious for requiring larger byte pointers (char *'s) than word pointers (int *'s).

The Eclipse MV series from Data General has three architecturally supported pointer formats (word, byte, and bit pointers), two of which are used by C compilers: byte pointers for char * and void *, and word pointers for everything else.

Some Honeywell-Bull mainframes use the bit pattern 06000 for (internal) null pointers.

The CDC Cyber 180 Series has 48-bit pointers consisting of a ring, segment, and offset. Most users (in ring 11) have null pointers of 0xB00000000000.

The Symbolics Lisp Machine, a tagged architecture, does not even have conventional numeric pointers; it uses the pair (basically a nonexistent handle) as a C null pointer.

Depending on the "memory model" in use, 80*86 processors (PC's) may use 16 bit data pointers and 32 bit function pointers, or vice versa.

The old HP 3000 series computers use a different addressing scheme for byte addresses than for word addresses; void and char pointers therefore have a different representation than an int (structure, etc.) pointer to the same address would have.

So, yes, there are real machines whose implementation of the NULL pointer was not "all zeroes". And no, there has never been a C/C++ standards compliant compiler that didn't represent the null pointer with the syntax "NULL" or "0". Don't confuse the language specified syntax, "0", with the value generated to implement the semantics.

In fact, implementing "NULL"/"0" with zero would be incorrect. On most architectures, there can be a valid object at (real) memory address zero, e.g., an interrupt table, although many other examples exist. The compiler has to implement "NULL"/"0" with an address that absolutely cannot be the address of a valid object. This means that it has to be some address that the running code can actually control and so very likely is not the address zero.

Although it's common to imagine that a "0" in source means a zero in implementation, in this one instance the C/C++ standards are very clear that they need not *and* that the programmer has no need to know what the implementation form is.

"Plausible Deniability", Anyone?

[NickFortune]

One wonders what it will take to convince voting machine manufacturers not to do things like hard coding passwords as '12345678.'"

I can almost imagine that being a deliberate ploy. "

I'm sorry your honour, but one of our programmers (no longer under our employ) hard coded a weak password in complete disregard of coding standards. Regretably, the weakness of the password has enabled certain parties to guess what it is, and thereby subvert the electoral process. But it's not our fault."

Hanlon's Razor be dammned. In cases like this we should start assuming malice unless they can prove stupidity beyond any reasonable doubt.

Re:"Plausible Deniability", Anyone?

Maybe you should imagine yourself understanding employment/agency law.

Re:"Plausible Deniability", Anyone?

[NickFortune]

maybe you should explain a little so we can all understand what you're on about

Maybe not so obvious

[dereference]

If you believe this is nothing more than pure incompetence, then you too have been fooled. This level of incompetence is usually indicative of strong intent that Hanlon's razor will be used by others to essentially protect the perpetrators from punishment for their immoral and/or illegal activities. This is just another way to game the system.

Re:Maybe not so obvious

[Martin+Blank]

I believe that it can be (but not necessarily is) pure incompetence. Most developers that I've met have no business writing code that would be usable in a 'secure' environment, and the pen tests that are now done as a matter of practice on our outward-facing systems routinely rip our devs work to shreds. It's gotten to the point that the developers want to know what methods will be used in the pen tests so that they can protect against them. We in the security group have steadfastly refused to provide them anything other than a timespan when the test will be happening, so that they know not to update code in the middle of it, and so that they can't do targeted coding before-hand.

One of the major problems that I see is that the developers rely far too much on security by obscurity, no matter what the project covers, figuring that if the attacker can't see the code, then he can't see vulnerabilities, and they don't read enough about vulnerability research to understand how critically dangerous this is. They do things like requiring SSL for the front-end session, encrypting the back-end FTP transfer, and splitting off the management interface to an internal server, while leaving the access controls for the database identical for both systems, requiring only short passwords, allowing an inordinate number of password retries, using poor seeding techniques for session IDs, and leaving nearly-default configurations of the web server in place.

I tend not to place as much value in accusations of malice as I do in observations of incompetence. When presented with a result like this from any random company, I am far more likely to attribute it to the latter, unless presented with some fairly strong evidence to the contrary.

Re:Maybe not so obvious

[Atomic+Punk]

Couple countless vote rigging and voter suppression stories in the past with this story and
the fact that Republicans are still trying to 'game the system'shows that they are out to win regardless of principle or honesty.

California electoral vote split proposed
http://washingtontimes.com/apps/pbcs.dll/article?A ID=/20070731/NATION/107310062/1001

They got their asses kicked in 2006, polls show more is coming in 2008 yet they still act
like thugs. I guess these cretins are gluttons for punishment and deserve to be in
the political Siberia they are due for.

Re:Maybe not so obvious

[neomunk]

Well, you theory can be tested by looking at the security quality of their OTHER main product... Diebold ATM machines.

No, incompetence is not the answer, or the streets would be flooded with $20s by now, it's intent, not 'opps, I'm so silly'. This company knows how to do security right, they just can't be bothered in this instance.

Three guesses as to why it's not a priority to them, like, say, ATM security is.

Re:Maybe not so obvious

[pipingguy]

It's gotten to the point that the developers want to know what methods will be used in the pen tests so that they can protect against them.

This is absurd and dishonest. Did these same people cheat on tests when in school?

Re:Maybe not so obvious

[Martin+Blank]

You're presuming that the code in their ATMs is much better. Has anyone done an independent, published code analysis of them where we can compare the results of that to this?

And don't forget that there are still report sections to be released. This may be endemic to the voting machine industry.

Reports like these make me want to bring back the older systems with punch cards. The wholesale move to electronic ballots is a prime example of over-reaction to the discovery of a break in the system (poorly-designed butterfly ballots, pregnant chads, etc), rather than a metered, carefully-evaluated response that addresses the problems found instead of throwing it out wholesale.

Re:Maybe not so obvious

[Martin+Blank]

I couldn't tell you. It may be simplistic thinking: if you know someone is going to shoot at you, you consider wearing armor. It may be that they have pride in their work and don't want to have their feelings hurt.

Whatever the case is, neither side gets all that much information prior to the test.

Sure it does.

[khasim]

The votes on 10 ballots are totaled and this total is recorded on a marker sheet placed on top. Then the bundle is tied up. (10 ballots)

10 of those bundles are totaled on a different marker sheet and bundled together. (100 ballots)

10 of those bundles are totaled on a different marker sheet and bundled together. (1,000 ballots)

10 of those bundles are totaled on a different marker sheet and bundled together (10,000 ballots)

And so on. The idea being that any individual bundle can be quickly verified or re-counted. And because it's all base 10, it is easy for MOST humans to visually verify the bundles themselves. The ones that can count to ten, that is.

Re:Sure it does.

[SoopahMan]

Sorry but regardless of the simplicity of bundling votes, letting Diebold prove to you electronic voting is fundamentally flawed is a bigger mistake than choosing either method.

Re:Sure it does.

[Bearhouse]

"The ones that can count to ten, that is."

So, that's 90% of the US population out then...

Re:Sure it does.

Um, how many percent, sorry?

Re:Sure it does.

[gacl]

Yeah, but people in the US hate anything metric.

1, 2, 3, 4, 5...

[demon]

That's the same code that's on my luggage!

Re:1, 2, 3, 4, 5...

[rlh100]

Your luggage is more cecure than mine. It only has three digits on each lock.
And I set them to 000 so that Home Land Securit can search them. Maybe Dibold
was thinking about Home Land Security too.

RLH

Not hand, mechanical paper counting

[AHumbleOpinion]

Voting machines are a technical non-solution to a non-existing problem.

Agreed.

Counting votes by hand in public view is almost as fast, has much fewer things that could go wrong with them, and is intrinsically open to public scrunity like no machine system can ever be. Plus, it's cheaper.

Wrong on faster and cheaper. As the recount in some Florida counties showed in the 2000 US presidential election.

Voting on paper is fine, but the paper should be mechanically counted. Hand counts should be a last resort when the machines are unable to read a vote or are malfunctioning.

Re:Not hand, mechanical paper counting

[192939495969798999]

It's cheaper in the sense that if you need a paper recount, you have to go back to paper voting anyhow. So basically a machine vote is synonymous with a machine + a paper vote. I think that's how the paper-only vote is cheaper.

Re:Not hand, mechanical paper counting

[sadr]

Let us say that a person making $10 / hour can count 1000 votes an hour. That's one cent per vote counted.

Let us assume that a person can enter one vote in 20 seconds on a voting machine. Let us assume that voting machines are busy 10 hours on voting day. Each voting machine will "count" 1800 votes in a day. So for $20, you can count more votes than the voting machine.

If each voting machine costs $400, it will take 20 elections to recoup your investment. And while there are multiple elections a year, you have to buy enough machines to handle the presidential elections every 4 years. Most elections (i.e. primaries, run-offs, etc.), the machines will be significantly underutilized, so so only register a few dozen or hundred votes on average.

It may not be quite as fast as a mechanical system, but it certainly would be a heck of a lot cheaper.

Optical scan, i.e. standardized test style, isn't a bad way to have a machine count ballots, and leaves a paper trail, and is cheaper than the video machines (since you can use one machine for all of the votes), but probably isn't really that much better.

Re:Not hand, mechanical paper counting

[jbengt]

"Wrong on faster and cheaper. As the recount in some Florida counties showed in the 2000 US presidential election."

I can't see the logic in that example.
The recount in Florida was a recount, not a count. A recount of a close, contested vote has a lot of inherent diffuclties not necessarily found in the first count.
Also, it was a visual recount of punch cards, and punch cards are designed for machine counting, not human reading. Hanging chads would not have been a problem in a paper ballot. I know ambiguities will always be possible in marking ballots, even paper ones. But humans are more accurate (even though maybe less consistent) than machines at interpreting ambiguities.

Re:Not hand, mechanical paper counting

[pipingguy]

"Cheaper" as in "less people are involved"? Aren't elections supposed to be about people? Trying to minimize peoples involvement from the whole process seems a bit odd.

Re:Not hand, mechanical paper counting

Every time the Americans vote on a president we have to wait ages to find out that it was basically a tie, and will be decided based on a system that doesn't make any sense. Then we hear that many votes were lost, miscounted or screwed up by machines.

Meanwhile a British election, counted by hand for very little money is usually all over by the time newspaper headlines are printed for the morning newspapers.

Wanna know where the screw-ups and controversy were in the last major British election? Experimental voting machines.

Clue: Machines are a poor fit to this task. Don't buy more complicated machines, throw them out and count by hand. Can't trust officials to count ballots by hand in your country? Congratulations, you don't live in a democracy, time to hold another revolution?

Re:Not hand, mechanical paper counting

[mdsolar]

I agree. The vote counters and observers form social bonds that make politics go more smoothly. Having machines do this bit of work is a lost opportunity. Make election day a holiday and things will be even better. Smaller precincts are also a plus. Many hands make light work. E lauhoe mai na wa`a; i ke kâ, i ka hoe; i ka hoe, i ke kâ; pae aku i ka `âina.
--
Solar power with no installation cost: http://mdsolar.blogspot.com/2007/01/slashdot-users -selling-solar.html

Re:Not hand, mechanical paper counting

[pipingguy]

Yup. People from opposing "parties" get to know each other personally as they make sure of the honesty of the process. People can disagree on political issues but there's nothing better than bridging that divide. After all, most people have similar goals in life.

With a machine that calculates election results no one can really claim to be part of the verification process.

Re:Not hand, mechanical paper counting

[Dhalka226]

We're talking about the United States here. I can't speak to every ballot in every jurisdiction, but in mine (Cook County, Illinois, but not Chicago) there were at least 50 and probably closer to 100 things to vote on. Not only that, but the questions were different; there was the standard "select one candidate" lists, there were "select N of the Y below" lists, and there was page after page of "retain or not retain" (mostly for judgeships).

How many people do you know who can keep 50-100 different tallies going on in their heads independently without making a mistake, while simultaneously verifying that the "vote for N" questions in fact have no more than N votes? I'd be surprised if you could (honestly) say you know even one such person, but if you did they're fairly unlikely to work for $10/hr. If by some miracle you found such patriotic souls it's even more unlikely that you'll find enough to man even a handful of districts in one state, much less the entire nation.

Continuing with your hand-count methodology, this forces some sort of paper tallying system. Without getting into the unwieldyness of having a piece of paper with 50-100 different boxes you can tally votes up in (each large enough to hold however many votes you'll need to hold), you introduce an extra delay of finding the proper box and writing it down, and another much larger delay at the end where people tally up each box. Which itself is exceptionally easy to make a mistake doing, from losing count to double-counting to not counting to bad handwriting to things I can't even think of right now.

An electronic but manual tallying system (some sort of spreadsheet) is better, but is still vulnerable to typos, computer illiteracy and training costs, data retention problems (those spreadsheets ARE auto-saving every 5 or 10 seconds right?), etc, and doesn't eliminate the delays of finding the proper place to make your tally.

I'm not sure electronic voting machines are the best solution, but there are really problems with every potential method I can think of. Hand counting is okay provided you trust the counters and are willing to accept some degree of human error, but it's definitely not a fast method at least for districts that have many offices and issues to vote on. It may be that "shut up and deal with the time it takes" is the best solution though.

Re:Not hand, mechanical paper counting

[sadr]

If you go with a pure hand-counting system, you put each vote on it's own piece of paper.

You sort the ballots into races, and then sort each race into a stack for each candidate.

Then you count and re-count the stack. Some countries use bank tellers, who, in those countries, get the day off. And they are, of course, very experienced in counting the number of little bits of paper and don't make a ton of money.

The optical scan machines are probably worth it, although I'd resist the temptation to have them be programmed to understand which races are which, and to automatically report things. The more configuration you have, the more opportunities to corrupt the process.

But I recall a case where mis-calibration of the optical scan machines caused a number of SAT scores to be reported in error. I think I would be willing to accept a very small error rate by human counters (keeping in mind that the error rate on handling money is VERY low), to prevent occasional large-scale mechanical failures.

California decertified all machines last night

Last night California decertified all of the electronic voting machines on the market. I thought that would be a bigger story today, but haven't seen it anywhere except for blackboxvoting.org

Re:California decertified all machines last night

[Volante3192]

Oh, it would've...if Britney Spears was found voting without panties.

Or if Paris Hilton crashed into a voting machine while DUI.

Or if...yea...

Re:California decertified all machines last night

[SSpade]

That's misleading. They decertified them, then recertified them with some additional security requirements.

See here: Elections chief gives OK to vote machines

Re:California decertified all machines last night

[Climate+Shill]

You've just given me a fabulous idea. It involves Paris Hilton, a Republican cubicle, Britney Spears, a Democrat cubicle, some tubing, and a couple of buckets. It is guaranteed to give the correct vote by the only measure that everyone agrees is fair and right. (although it still has the problem of keeping backdoor exploits to a minimum)

Re:California decertified all machines last night

[Volante3192]

Is it really an exploit if it's left wide open?

It's not being done because...

[brianeisley]

...the Republican-owned and -operated companies that make these things are doing their damnedest to convince states it shouldn't be done, using "security" and the urge to computerize everything under the sun as excuses.

Their true goals, of course, are (a) to increase their business, and (b) to help their favorite crooks get in office and stay there--where they can then send even more business their way. Lather, rinse, repeat.

Take your Oblig... pick

Thats the number on MY briefcase, you insensitive clod!

or

Hello, I have a patent on 12345678 as a "source to unlock, lock, relock any device which may contain anything"

captcha: respite

Look how others do it?

[rolfwind]

One wonders what it will take to convince voting machine manufacturers not to do things like hard coding passwords as '12345678.'"

What it would take is for them to be punished in the marketplace, as in not buying the damned things.

I think we ought to go to other countries with a reputation of a good voting process and see how they do it, and with which, if any, machines they use. Because we obviously forgot how, and in some parts of the country they never had a fair voting process. No need to roll our own solution if one exists. Maybe Switzerland has something.

I'm beginning to believe that the average DIYer could build a better voting machine than Diebold.

Come on...

I bet most high school graduates can't even count that high. And if someone is smart enough to guess such super-extra-difficult passwords such as those, perhaps they are smart enough to pick our next president. Hillary Obama, YEAH!

Commercialisation

[Moniker42]

Why, yet again, is the responsibility for something this important (like the rebuilding of Iraq for example) being entrusted to a private company? Corporations by their very nature don't give a damn about anything that doesn't affect their ability to make money.

Re:Commercialisation

[vtcodger]

***Why, yet again, is the responsibility for something this important (like the rebuilding of Iraq for example) being entrusted to a private company? Corporations by their very nature don't give a damn about anything that doesn't affect their ability to make money.***

Now, now. If you check Thomas Ricks, "Fiasco", or Seymour Hersh's "Chain of Command", you'll find that most of the cataclysmic mistakes in the reconstruction of Iraq were not made by the military or by private companies. They were made by unqualified and utterly incompetent Republican apparatchiks sucked into the government by Bush, Cheney, et al. There may be a lot of good reasons for watching over private companies. But the fundamental fault in both cases is putting decisions that should be made by experienced, non-partisan professionals in the hands of inexperienced idealouges.

Perhaps we should be seeking out civil servants with a few decade's experience in managing elections and seeing what they think about voting machines.

Re:Commercialisation

[dbIII]

Perhaps we should be seeking out civil servants with a few decade's experience in managing elections

That is what other countries do and what the USA does itself when helping to supervise elections in other countries.

Re:Commercialisation

[vtcodger]

***That is what other countries do and what the USA does itself when helping to supervise elections in other countries.***

Indeed. And one of the few things the Bush administration has attempted that was non-trivial and wasn't hoplessly botched was the supervision of reasonably free and fair elections in Iraq and Afghanistan. I don't think the used voting machines in either country.

There's a thought. How about we round up all the voting machines in the US, and ship them off to someone we don't like -- Iran or Cuba or Myanmar or Darfur? Two birds with one stone as it were.

heres a thought

[thatskinnyguy]

Maybe they should be hacked and have the admin password changed to 31337

Re:heres a thought

Yes, I for one would love to hack in and change the hardcoded password.

Re:heres a thought

[thatskinnyguy]

...exactly. That is what would make it so... ummm... 1337!

Their conclusions are

[slashdotmsiriv]

Taken from the experts' review:

"Our study of the Diebold source code found that the system does not meet the requirements for a security-critical system. It is built upon an inherently fragile design and suffers from implementation flaws that can expose the entire voting system to attacks. These vulnerabilities, if exploited, could jeopardize voter privacy and the integrity of elections. An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine. The damage could be extensive--malicious code could spread to every voting machine in polling places and to county election servers. Even with a paper trail, malicious code might be able to subtly influence close elections, and it could disrupt elections by causing widespread equipment failure on election day.

We conclude that these problems arose because of a failure to design and build the system with security as a central focus, which led to the inconsistent application of accepted security engineering practices. For this reason, the safest way to repair the Diebold system is to reengineer it so that it is secure by design.

We discussed a number of limited solutions and procedural changes that may improve the security of the system, but we warn that implementing any particular set of technical or procedural safeguards may still be insufficient. Similarly, fixing individual flaws in the system--even all of the issues identified in this report--may not yield a secure voting system because of the possibility that unidentified problems will be exploited. We are also concerned that future updates to the system may introduce new, unknown vulnerabilities or fail to adequately correct known ones. We urge the state to conduct further studies to determine whether any new or updated voting systems are secure."

Re:Their conclusions are

[MsGeek]

Executive summary: throw the trash out, and sue the bastards for malfeasance.

My favourite issue

[The+Hobo]

From page 51:

Issue 5.2.24: AV-TSX startup code contains blatant errors.

287 TCHAR name;
288 _stprintf(&name, _T(''\\Storage Card\\%s''), findData.cFileName);
289 Install(&name, hInstance);

Here, name is not a character array but a single character in memory. The stprintf function
expects its first parameter to be a character array, so the programmer had to use the&operator
to get the address of name, rather than its value. The result is an obvious buffer overflow. A
string that includes the filename, which could be under an attacker's control, gets copied over
whatever data resides in the memory region following name.
That this code works at all seems purely accidental. Memory corruption occurs even when
legitimate .ins files are used. An attacker who included a file with a long name or a name
containing particular characters might be able to crash the program or, possibly, execute
malicious code.
This bug sheds light on the vendor's software engineering practices, because it is a very
unusual error for an experienced C++ programmer to make. Characters and character arrays
are very different constructs in C++. Students using the language for the first time might
confuse the two, but experienced programmers who understand basic concepts like pointers
would be unlikely to confuse them. The probability that an experienced C++ programmer
would make such a mistake or overlook it during even a cursory review of the code is
exceptionally low. This suggests to us that after this code was written it was not reviewed
by any other engineers at Diebold.

That's gold Jerry! Gold!

+5 Troll

The human troll was here.

That was a fun episode.

[Snowtide]

Sorry to be off topic, but it was a fun episode.

"This program was made possible by a grant from the Ultra-Humanite, and viewers like you."

Voting Machine == Ballot Printer

Keep it simple. The only thing a "voting machine" should do is print human-readable ballots.

• Anyone who's literate can see how they voted.
• Humans can recount, if necessary.

If a ballot-reader counts the votes, fine. We can have fast results without giving up accountability.

Re:Voting Machine == Ballot Printer

[zCyl]

If a ballot-reader counts the votes, fine. We can have fast results without giving up accountability.

Look it up. Ballot readers are compromised as easily as the original machines.

An ideal arrangement is to have a printed ballot as the official ballot, and a supervised hand-counted count which is the OFFICIAL count. Then, the original voting machines can also perform an electronic tally themselves, and this electronic tally can serve as a check for the hand count. If the two differ significantly, something has gone wrong, and an audit must be performed.

If the media want to report the electronic tally as a preliminary result, let them. Simply declare that only the hand count (which can be supervised) is official.

Re:Voting Machine == Ballot Printer

[DragonWriter]

Look it up. Ballot readers are compromised as easily as the original machines.

Yes, but you have the ballots. All-electronic systems with no separate ballots don't allow random-precinct hand-count confirmation, or even full-election hand recounts if there is cause.

Systems that generate a ballot, which the voter than confirms and turns in and is then counted by a separate machine do allow that, so even if the ballot reader is just as easily compromised as a voting machine in an all-electronic system would be, the election is more secure.

This issue is not how secure is the machine, it is how secure is an election using the machines; using vote counting machines like, e.g., optical scan machines, that count voter-produced or voter-verified ballots which are both human and machine readable and which are available for auditing produces a more secure election than using systems where the "ballots" exist only as electronic data within the system.

Limitations on upgrading an important issue

[radarsat1]

From TFA:

In addition, securing Windows requires keeping the system fully up-to-date on all security patches. Unfortunately, the special circumstances associated with voting
systems make it difficult to keep the Windows operating system patched and up-to-date. The
Diebold system is tested and certified with a specific version of Windows; changing or upgrading
that version might invalidate the certification and may not be permissible.

I find this one of the most interesting issues, because I don't see an easy answer for it. I have a disdain for Windows matching any of the most avid Linux fanboys, but this is one issue that doesn't seem to be Windows-specific. Leaving a machine unpatched and un-upgraded can leave it open to vulnerabilities. Upgrading it can invalidate the certification. Is there any way out of that situation? I think it would be an issue no matter what operating system they used.

Re:Limitations on upgrading an important issue

[marcansoft]

Use an OS that doesn't have a dozen or so open ports by default, and that doesn't require dozens of system daemons to hang around waiting to be exploited.

Just like the report says, a very good way of making things secure is to make them simple. What are the chances of hacking into a box with zero open ports?

Re:Limitations on upgrading an important issue

[jfmiller]

There are a couple of solutions I can see. First, using an older maintained kernel version like the 2.0 series that is unlikely to have a major security issue discovered between certification and election day. Second, certify the system then allow for additional patches to be certified as time goes on.

Re:Limitations on upgrading an important issue

[innocent_white_lamb]

Leaving a machine unpatched and un-upgraded can leave it open to vulnerabilities. Upgrading it can invalidate the certification. Is there any way out of that situation? I think it would be an issue no matter what operating system they used.
 
I think the solution would be to use machines based on either a custom single-purpose "system" (think of the electronic thermostat that turns the heat and air conditioning up and down in your house) or FreeDOS.
 
Either one should get you where you're going with a simple task like "tally votes as input".
 
On the other hand, the real and best solution from my point of view is to do it with paper ballots by hand where everyone marks X on a piece of paper.

Link to the official 'Top-to-Bottom' Review site

[SpzToid]

Top to bottom review docs:
http://www.sos.ca.gov/elections/elections_vsr.htm

Also the public hearing where a university computer science professor describes the results of the red team testing. The audio starts very poor but improves after 25 minutes, but I've ONLY been able to watch it *streaming* (which is a drag). The hearing is 6 hours long and if anyone can provide a download link, I'd be grateful.
http://www.calchannel.com/search.php?date=073007&s ource=All&type=All&title=&Search=Submit

At 5 hrs, 26 min. Jim Soper presents a very good technical rebuttal to the manufacturers official positions, and receives some good applause from the crowd.

An amazing lack of regulatory oversight

Their lack of regulatory oversight just amazes me.

I work in the casino equipment business, and in many jurisdictions, we must submit the source-code for the embedded software in our devices. Some jurisdictions rebuild the source-code to make sure that it matches our eproms.

Our eproms are checksummed, and gaming regulators can (and do), at any time, pull an eprom to checksum it in the field. Same for cdrom-based systems.

I would expect nothing less of voting machines.

Why AFTER deployment?

[morten_tor]

Why is it that the scrutiny of the Diebold machines takes place after they've been used?
One would assume that in a matter as important as casting a vote, the integrity of the apparatus should be ensured, or at least surveyed, before use.

Any assesment of the quality of the system that originates from Diebold is naturally irrelevant. Any responsible public officer in charge should have set up an independent review before the machines were used.

People no longer consider the source when they digest information :

Tobacco is safe - says the tobacco companies
There's no global warming - says the automakers and oil companies
Our voting machine is safe - says the vendor

Password 12345678

[billstewart]

Dude! You've got an amazingly secure briefcase, with 8 digits! Mine only has 4 digits, and nobody'd ever guess whose birthday the password is (oops...)

Back to reality, though, it's amazing how many Unix passwords were "abc123", back when our systems required at least six characters including some non-letters :-)

The best part of the report is the conclusion...

[ph4s3]

...from the executive summary:

Due to these shortcomings, the security of elections conducted with the Diebold system depends almost entirely on the effectiveness of election procedures. Improvements to existing procedures may mitigate some threats in part, but others would be difficult, if not impossible, to remedy procedurally. Consequently, we conclude that the safest way to repair the Diebold system is to reengineer it so that it is secure by design.

Re:Oblig... (missed product opportunity)

Bad default passwords or even defaults themselves show faulty design, faulty thinking, and ignorance.

But, passwords are only one part of the problem.

I would prefer to have no computers when I vote. Just a pen and a paper. Now, if that paper could be scanned for cast votes AND manually counted, I'd be pleased. There should be no hidden steps where democracy is concerned. Voting over the internet will never be secure enough because I don't have trust in the transmission, the counting or the reporting process. It cannot be audited with absolute certainty that every vote cast is counted as cast.

Our countries rush to electronic voting was a mistake. A dumb mistake. As long as companies can sell products to solve non-problems they will. It was only after the Bush-Gore results were evident did we learn how awful the IBM card system was. It was in use for 20 or so years. How many election results from it were incorrect over the decades?

My employer makes security systems and long before the election by hanging chads took place, one of our engineers suggested we enter the voting machine market. Management ignored him and invested in different products. Shame, because we don't do things like we've seen in these reports and I think we would have a made a secure product. Still, I'd rather use pen and paper.

Our evaluation of Fortify was also poor. Too many false positives to be of any value. A government agency came to same conclusion in using it to evaluate product source code from vendors like my employer.

Voter Verifiable

[Gaveen]

I'm not sure if this has been mentioned by someone else in a previous discussion but... Why not have electronic voting machines with an option to print out a receipt containing a unique number linked to your vote. This would allow the votes to be counted efficiently while giving the voters the ability to verify that their voted was counted properly. If you happen to be paranoid about privacy simply don't take the number or destroy it.

It's simple, it's verifiable, and I don't see how it encroaches on anyones privacy but I'm sure someone on /. will prove me wrong.

Re:Voter Verifiable

[innocent_white_lamb]

"Go and vote for Vinny and bring me your receipt. If you fail to do so I will break your legs.
 
  I'm sure someone on /. will prove me wrong.
 
There you are, then.

conundrum

[Khashishi]

It seems to me that ballot secrecy is a contrary goal to the goal of fraud resistance. How is it possible to guarantee anonymous ballots and yet be sure that each ballot was generated by a real person?

Re:conundrum

[hidave]

In Iraq's first vote last year, each person who cast a written ballot then dunked a finger into a purple dye that would last a few days.

hand count?

[Khashishi]

I don't get how so many people have some rosy picture of hand-counting votes, as if hand counting were somehow impervious to counting errors and impossible to manipulate. Humans make mistakes. They make them a hell of a lot more often than computers.

Re:hand count?

[dbIII]

They make them a hell of a lot more often than computers.

The problem here is precisely that the computer is capable of making of making mistakes far more quickly and effectively than people if directed to do so.

What else could go wrong for Diebold?

[General+Wesc]

Diebold must be wondering what else can go wrong.

Here's something that might go wrong for Diebold: The media could stop completely ignoring the reports and inform the millions of people with their heads still in the sand.

But I'm not holding my breath.

Re:Link to the official 'Top-to-Bottom' Review sit

[zestyping]

I've sliced up the audio of the public hearing and posted it at http://usablesecurity.com/ttbr/. Enjoy, and feel free to pass it on.

Also Fails to check result codes

[Anomalyst]

It also exhibits a pet peeve of mine, neglecting to check the return value, probably learned by using MS defective by design sample code. Checking the return code of "_stprintf" would show the buffer overflow coding error
"Return Value
The number of characters written, or -1 if an error occurred. If buffer or format is a null pointer, sprintf_s and swprintf_s return -1 and set errno to EINVAL."http://msdn2.microsoft.com/en-us/library/c e3zzk1k(VS.80).aspx
Of course this only lets you know something screwed up after the stack has been corrupted. Properly coded it should probably be using some variant of snprintf where the size of the target buffer is passed and the overrun avoided. I haven't written or audited a lick of code in more than five years, but the unsuitability of this code for production is pretty obvious. This should have never been allowed to be checked in, although if this is the quality of code produced one has to wonder if any kind of source code control is in place either.

right

[smash]

Counting votes is a non-problem for a half competent programmer/engineer.

IMHO, the problems in this software are either due to totally incompetent engineering AND inadequate code review (and how the fuck did BOTH of those happen, if thats the case?), or they were intentionally put in place for some particular motive.

My guess is the latter - but what could the motive be?

• Deliberately broken software to suggest that electronic voting is inherently unreliable
• Intentionally exploitable software to enable swinging the vote to/for the highest bidder

Which is it?

In other news....

{prediction of tomorrow's headline}
A mild mannered software auditor is mysteriously arrested for 20 federal offenses and whisked away during the night.