Video Shows Easy Hacking of E-Voting Machines
Mike writes "The Security Group at the University of California in Santa Barbara has released the video that shows the attacks carried out against the Sequoia voting system. The video shows an attack where a virus-like software spreads across the voting system. The coolest part of the video is the one that shows how the 'brainwashed' voting terminals can use different techniques to change the votes even when a paper audit trail is used. Pretty scary stuff. The video is absolute proof that these types of attacks are indeed feasible and not just a conspiracy theory. Also, the part that shows how the 'tamperproof' seals can be completely bypassed in seconds is very funny (and quite disturbing at the same time)."
Even though l3wdd00d might get 100% of the votes in the Presidential election, the fact that he is only 16 will be disqualifying.
That is why I always early vote. It is on paper where I vote and that stands a better chance of getting counted correctly.
Atheism is a religion like not collecting stamps is a hobby.
Just be thankful it's not streaming RealVideo or WM11 :)
The interesting thing here is that I would expect one of two things. Either physical security should be taken seriously, in which case a 'tamperproof' seal should be just that (not hard to design) or an assumption be made (not unreasonably) that physical attack against the machines is unlikely and easily preventable.
A supposedly tamper-proof seal which can be circumvented shows either a cynical disregard for physical safety (ie "we know it's a threat, so we'll put in a seal to make people think we've taken it seriously") or another TSA-style "theatre" solution (ie "we don't think it's a threat, but we'll let people believe that it is, and that we've done something about it").
Both of these interpretations are disturbing. However Hanlon's Razor ("Never ascribe to malice that which is adequately explained by stupidity") may of course apply.
Is crushing a suspect's child's testicles illegal?
John Yoo: "No, [if] the President thinks he needs to do that."
... hosted on an .edu server?
This can't end well.
I'm downloading now, will convert to mpeg4, and post a torrent to mininova (if the server doesn't melt before the download completes).
Schrödinger's cat is not amused—maybe.
Except for the fact the cheapest and easiest to use tools are on the Mac (iMovie) and save as quicktime. Why bother using open standards if you want to get your point across, if it will take you 2 weeks to get up and running, especially if you haven't done so before.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
"That is why I always early vote. It is on paper where I vote and that stands a better chance of getting counted correctly."
Don't be so smug. Early voting gives those who would deny your vote more time to tamper.
Let's say you mail in your ballot 2 weeks ahead of time. They are collected and sorted by precinct, and then held until election day to be opened.
Just sitting there.
And then someone drops some of the ballots from certain precincts in the shredder - you know, the ones that vote overwhelmingly for one party? Not enough to cause a lot of suspicion, but enough to make a difference in a tight race. Now, not only is your vote gone, you don't even know it - the tampering happened before election day. AND, even if it is discovered early enough, they won't know exactly WHO got screwed, so you won't get another shot.
E-voting makes it easy for small numbers of people to tamper on a large scale. That doesn't mean that good old fashioned vote rigging has disappeared. Spam hasn't eliminated junk mail, has it?
"As God is my witness, I thought turkeys could fly." A. Carlson
But faking large numbers of paper ballots at many sites is a large undertaking, and harder to hide without a big (read: hard to keep secret) conspiracy. Faking electronics ballots could be done by a smaller number of people, but on a larger and less detectable scale.
I prefer rogues to imbeciles because they sometimes take a rest.
Even if your 1 vote is counted correctly, a compromised voting machine farm can render it negligible in terms of effect.
This exploit depends on the use of USB keys in the setup process, so it's more a matter of screwing with those keys. Judging by my experience, that would be pretty trivial. The running exploit could be recognized by a competent poll worker, but again, that's not all that likely.
The whole electronic voting thing is hugely flawed. They're building the machines on an extremely hackable (Windows) base, rather than a custom firmware. The design does not take into account real security concerns.
While anyone can fake a paper ballot, it would be extremely difficult to fake enough ballots to make a difference. This is not the case with electronic voting. Paper is a much more secure system.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Nah, it shows you how good those paper voter verified paper trails are!
In scenario 2, the careful voter, the voter checks the screen, then checks the printout, then notices the printout is incorrect and gets the vote voided and recast.
But if he was a careful voter he'd raise a stink about how the screen was correct, and people would notice that the machines record the printout differently than the screen shows. There would be investigations, accusations and stuff. It would be videoed.
Likewise the careless voter, the machine doesn't know if the voter is careful or careless, so it only takes a few careful voters to screw up the attack no matter how many careless voters there are, who don't double check the paper trail.
Scenario 3 & 4 are so obscure as to be worthless (requiring the voter vote but then leave and nobody noticing the machine doing stuff).
What this video really shows IS JUST HOW DAMN DIFFICULT IT IS TO FOOL THE PAPER AUDIT TRAIL.
It doesn't per se. It relies partly on the voter not checking the paper ballot. If they don't void it, it slips through normally. If they do check it, it fixes the ballot, and acts normal.
Otherwise it tries to convince the voter they're done without actually returning the smart card. When they walk away, it voids the ballot, and pops up the "fled voter" screen. The poll worker comes up, uses the admin "submit" toggle to submit the changed vote, and takes back the card. Most places I've been, the poll workers depend on you returning the card, so that wouldn't work.
To me the most compelling piece was how easily the system was compromised. Even if it only screws with a percentage of the votes, that could be huge.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Take a look at the problems in Palm Beach county again. They lost over 3000 votes.
I swear that they do this just to get attention. Oh and before anybody makes any remarks about Florida or the south let me clue you.
Very few people in Palm Beach county are from Florida or the south. It is New York south.
It looks like this is going to be a close election. Which means that the loser will without a doubt claim that they didn't and that somebody lost votes or rigged a machine.
At this point I hope that it isn't close no matter who wins. Well since I am not fond of any of the candidates at this time.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Here's the goods:
Full 100mb version: http://www.cs.ucsb.edu.nyud.net/~seclab/projects/voting/ucsb_evoting_attack_dl.mov
Compressed 10mb version: http://www.cs.ucsb.edu.nyud.net/~seclab/projects/voting/ucsb_evoting_attack_dl_small.3gp
Posting to YouTube after download finishes...
because people also don't want to be profiled for their electoral choices.
for all we know, we already are. in general, it is my understanding that many political activists are already being watched.
furthermore, i'm all for revoking a lot of these churches' tax exempt status. like Carlin said, "If these churches are so interested in politics; let them pay the same price of admission as everyone else."
"If for any reason you're not satisfied with our service, I hate you."
Here is a mirror of the big file: http://porksteak.com/ucsb_evoting_attack_dl.mov Will leave up as long as possible.
Open standards are important in this case for the simple reason that they ensure that the message will be seen by the largest audience possible.
No sig for the moment.
What do you mean by 'Quicktime'? The Quicktime .mov container format exported by recent versions of Quicktime is an open standard (part of MPEG-4 now). What's in this container depends on the user, but the defaults are MPEG-4 (often now AVC) for video and MPEG-4 AAC for audio. These are all open standards, although if you're in a part of the world with a broken legal system they might be patented.
I am TheRaven on Soylent News
"The running exploit could be recognized by a competent poll worker"
And this highlights the flaw in electronic voting. The more complex the polling system, the more skill required to ensure fairness. In a paper ballot, anyone can act as an overseer and be confident that the votes were not tampered with while they are watching. With an electronic system that drops to, what, 10%? 1%? 0.1%? And with such a small percentage capable of ensuring election fairness, do you really have a democracy anymore?
I am TheRaven on Soylent News
In my opinion, for a modern democracy to work the vote must be mandatory, secret and universal.
This way, no one can pinpoint who voted for whom, thus avoiding temptations of vote buying (at least some of them).
No sig for the moment.
Part I:
http://www.youtube.com/watch?v=SWDEZqqqBHE
Part II:
http://www.youtube.com/watch?v=moEsgdzZ19c
ucsb evoting attack
Schrödinger's cat is not amused—maybe.
Until they get this shit fixed, vote on paper. Even if it is an absentee ballot.
"So long and thanks for all the fish."
I find this comment slightly surreal, and honestly believe only an American could have written it.
Democracy is not a commodity that you can have even though your neighbour doesn't. It is more like peace, or sanitation : everyone has it or no-one has it.
To respond to a demonstration that your democratic system has a very serious problem by saying 'Hey, I reckon I got my vote counted' is, well, bizarre.
http://www.youtube.com/watch?v=SWDEZqqqBHE (part I)
http://www.youtube.com/watch?v=moEsgdzZ19c (part II)
I wasn't debating the value of open standards. The point is the easiest available tools didn't use them. Open Standards are a good thing. But if the apps that use them are either oppressively expensive, or free and difficult to use they will not use them. They are trying to get a point across not start a broadcast company. As for easiest and cheapest it is quite simple. Many college students already have Mac, with iMovie. They got the Mac for other uses but it came with it so they will use it, being that the software tool is easier to use than most other video editing software so it took less time. Now if Apple incorporated iMovie to save as an open standard by default all the better. But surprise they are pushing their own standard (which has many open standards in it btw)
If you think a price at the register level you are taking a very basic view of economics. Time and Inventory have a cost as well. Even if you are doing free work at a college. Every hour you spend working on this project is one less hour you have to study for a test, or to go out to a party, or a convenient section of your schedule open for a date. Taking an extra half a day trying to get an Open Standards compliant tool to work may not be worth it. Vs. Just using a widely used non standards compliant tool and get it done in a couple of hours leaving the rest of the day to do more interesting things.
Expensive and Cost don't always equal money.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Voting must be designed to be transparent rather than auditable. In a proper democratic election, you can observe the whole process if you want. The only bit you can't observe is when other people actually mark their ballots, but that doesn't create a corruption opportunity, because you can observe the ballot being issued to the voter and the voter putting the ballot into the ballot box. Whatever the voter did with the ballot, it is still just one ballot and will be counted publicly.
Voting systems where you can't observe one or more of the following steps are corruptible and should not be used in a democratic election: Issuing the ballot to the voter, collecting the ballot (punched cards are collected inside the voting machine: not observable), keeping the votes until the counting starts and finally counting the votes. With electronic voting systems, you can't observe any of these steps. Even paper audit trails don't solve the problem: The audit trail must remain secret during voting, so it stays in the machine, which means you can't observe it continuously until the votes are counted.
A piece of paper per voter and a couple of hours for counting votes in public: Is that really too much to ask when you elect the most powerful person in the world?
One of the things that rubs me wrong about F/OSS or rather complaints against it is that people assume that it takes a long time to learn how to use it, or it doesn't work well or as good as product xyz.
The plain simple truth of the matter, and I have empirical evidence, is that ANY application takes time to learn how to use it well or even at all in the matter of some of the more complex applications.
For all the fanboism over MS Office, I'm willing to bet that less than 10% of the users of that suite know how to use more than 50% of the features. Most people that I've known barely know how to type well, never mind know what setting margins or complex header/footer arrangements are for. Too many people use Excel as a database and Access as a spreadsheet. The point being that what they think they know about one application is just as easy to learn about another application and easier than learning all the features of the application that they know.
Now, I do get the point that you are saying it was probably the easiest for them to use as they got it free when they purchased a Mac. Point taken. Still no need to diss other means of editing video if all you mean is 'that was probably the easiest and cheapest option for that particular group at that particular time' ... The idea that F/OSS is difficult or incomplete is both outdated and luddite-ish. In the face of how established applications and suites are used, it makes NO sense to say F/OSS alternatives are not as good or that they are not better than those established applications.
Now, I'll do what I do with all the people I run into who ask about computers:
Try http://www.desktop-video-guide.com/top-5-free-video-editing-software-review.html or search on Google for free video editing software.
From the link:
Conclusion:
Microsoft Movie Maker for Windows users, and Apple iMovie for MAC users are probably the two easiest to use free video editing software programs available. Both of the products will allow you to do what you want to do with your videos. However, trying out the others, you may find that you are able to add more effects and such to your videos as well. Of all the available programs out there, these are the top five free video editing software programs available.
Also from the link:
Of course, most free software does not include the same level or quality of support that you would expect to find with software that you purchase.
Read that as 12 minutes on hold at $3.49 per minute if you want phone support, where as with F/OSS the level of support on the Internet is huge! I always managed to find someone that has posted about whatever problem I've had.
Yes, I like F/OSS, and for a reason. It has real value. Supporting it requires donations AND fighting against luddite reasoning in the greater computing community. That is not to say that I think you should not use any tool at your disposal when you require a tool. I have no problem with using something that came installed on your system rather than go install something new if you have a job to get done and it will work. I use an editor I paid for, but when needed I'll edit with vi or whatever is on the system if that is what makes the most sense for that task.
(end rant)
Support NYCountryLawyer RIAA vs People
Oh really? How many people have DivX codecs already on their computers as opposed to Windows Media or Quicktime? How many people already have Ogg Theora codecs installed? Your argument falls apart completely when you realize that a lot of open codecs are not preinstalled on systems. Grandma doesn't give a damn about how open your codec is. She cares about being able to watch something without having to download and install more crap.
I work as an "Election Judge" every election (they used to call them "Poll Workers"). Each year the county hires hundreds of average people, gives them a couple hours of training, and they are the ones who set up the machines, check for ID's, handle the list of registered voters, etc.
Me, I'm a "Machine Judge." I get to the polling area in the morning of the election, the machines are already there, unassembled. I check the seals, and set up the machines, activate the machines for the voters during the day, get the results out of it at night, take the results to a central location.
Low paying? Not where I live. I get $250.00 for the couple hours training and working on election day at one precinct, which is not bad.
It's well worth looking into. Take a paid vacation day, get $250 over that, and be the one who protects the democratic process (at least at the precinct you are at).
They need geeks who are computer literate. You should see some of the geezers try to set up those voting machines. It's sad.
Mod down people who tell people how to mod in their sigs