Voting System Test Hack Elects Futurama's Bender To School Board

mr crypto writes with this quote from El Reg: "In 2010 the Washington DC election board announced it had set up an e-voting system for absentee ballots and was planning to use it in an election. However, to test the system, it invited the security community and members of the public to try and hack it three weeks before the election. 'It was too good an opportunity to pass up,' explained Professor Alex Halderman from the University of Michigan. 'How often do you get the chance to hack a government network without the possibility of going to jail?' With the help of two graduate students, Halderman started to examine the software. Despite it being a relatively clean Ruby on Rails build, they spotted a shell injection vulnerability within a few hours. They figured out a way of writing output to the images directory (PDF) on the compromised server, and of encrypting traffic so that the front-end intrusion detection system couldn't spot them. The team also managed to guess the login details for the terminal server used by the voting system. ... The team altered all the ballots on the system to vote for none of the nominated candidates. They then wrote in names of fictional IT systems as candidates, including Skynet and (Halderman's personal favorite) Bender for head of the DC school board."

At least

[stillpixel]

the election board had the common sense to ask for this publicly and not cross their fingers and hope no one did this when they used it for real. More gov't entities should open up to testing like this.

Re:At least

[ackthpt]

the election board had the common sense to ask for this publicly and not cross their fingers and hope no one did this when they used it for real.

More gov't entities should open up to testing like this.

Sure, but if you run Diebold and favor one party over another (justsayin') you don't want some hacker finding your backdoor, do you?

Re:At least

[JAlexoi]

Most are weasels that are afraid that they will be exposed for their lack of knowledge. So don't pray for it, though it should be like that by law.

Re:At least

Off course, with paper, you can simply walk in after the fact with boxes full of votes for you guy or gal ( Washington gov and Minnesota Sen, right?)

Re:At least

[stillpixel]

Yep true, so we use the phrase on Gov't that they like to throw at us. "If you have nothing to hide, then you'll have no problem with us taking a look." (paraphrased)

Re:At least

[Rockoon]

They wanted publicity because they knew it would fail. They made sure of that by using default passwords and other shit. This is theater at its finest.

Re:At least

[kbob88]

I agree. Asking the community to test the system out does show remarkable common sense and good intentions, which seems to be lacking in e-voting community.

Unfortunately, they did not have the common sense (or perhaps judgement) to hire a technical team that knew what they were doing when comes to security. Which is not good in any project, but seems like a huge lapse of judgement in an e-voting project.

They also appear not to have hired an independent security review group to scan the code and review the implementation, or if they did hire one, they hired one that was no good.

Re:At least

[stating_the_obvious]

You assume that gov't entities would prefer bullet proof systems... How could Bush43 have won the elections in Ohio if SmarTech didn't have the man in the middle exploit set up to rig the results?

/tin_foil_hat
/humor

Re:At least

not if there are observers around from multiple/all (or independent) parties, observing the boxes and count until the result/count is finalized...

Re:At least

[Ihmhi]

With a challenge like this, the security community does the security testing for free.

Re:At least

The protocol for a proper paper ballot vote is not vulnerable in that way. It goes like this:

On the morning of the election day, observers of all parties and interested citizens witness the sealing of empty ballot boxes. The ballot boxes don't leave the room, and enough observers to prevent collusion must be present at all times.

The election is carried out with observers of all parties watching to confirm that only people eligible to vote put one ballot each into the ballot box.

At the end of the day, the ballots are counted under the eyes of observers of all parties. The result is signed by all observers, each observer makes a note of the result and the signed result is posted locally. The result is relayed upward, where all local results are posted again together with the aggregate result.

This protocol ensures that no single entity can change a number without other interested parties having the opportunity to notice the manipulation.

This protocol is simple enough that no expertise is necessary to memorize it, understand why it works, and verify that it is followed correctly. It is the only protocol with these important properties.

Re:At least

[chinakow]

If common sense is lacking in the e-voting community, is it actually 'common'?

Re:At least

if you watched the MN Senate race, you would have seen there were abnormalities on the GOP side - like one where a vote for Coleman was witnessed days before the person voted (witness signature date was a couple of dates before the voter's signing date)

Re:At least

[rtfa-troll]

They also appear not to have hired an independent security review group to scan the code and review the implementation, or if they did hire one, they hired one that was no good.

It's explicitly stated in the summary, let alone the article that this was a good system with a clean Ruby set up. That is more or less "state of the art security". If we take the lesson that this was a "bad" team and that most others would do better we would be deeply wrong. There were IDSis systems and filters in place. That a considerably higher level of protection and a sign of a higher level of security awareness than most competing systems.

The main message is that the currernt state of the art doesn't come close to providing decent security. Even key military systems have been showing a bunch of failures such as the Windows based battleship propulsion system. That shows that people who know how to build secure systems don't know how to build reasonable sized / commercial systems and are losing in competitive battles to cowboys using completely unsuitable technologies.

Re:At least

[rtfa-troll]

This protocol is simple enough that no expertise is necessary to memorize it, understand why it works, and verify that it is followed correctly.

This can't be stated strongly enough. If there is any part of this that can't be understood by retired clerk without higher education and with no real interest in mathematics and/or computing then you are getting rid of some of the most important volunteers who can ensure that the voting goes correctly.

Re:At least

[sjames]

As opposed to the usual meticulous attention to electronic security we see in government?

Re:At least

[mcgrew]

Someone please mod the parent AC up so his insightful comment will be seen. How he describes the process is exactly how it works.

Re:At least

[AK+Marc]

That's the theory, but in practice, it's easy and untraceable because all the idiots who assert that it's so improbable that nothing else is done to detect/prevent it from happening.

Re:At least

[AK+Marc]

The protocol for a proper paper ballot vote is not vulnerable in that way.

The protocol is invulnerable. The people executing the protocol aren't perfect, so in practice, real security on a well-designed e-ballot system greatly exceeds the current paper system.

Re:At least

[M1FCJ]

First to check is if the vote rigging is in a significant number. Today, at the local pharmacy, I signed my NHS prescription merrily with yesterday's date and a couple of days ago signed a more important document with the wrong month, no one noticed. Mistakes happen. If the mistakes happen more than the average, the alarm bells should start ringing.

Re:At least

[M1FCJ]

I wonder if I smell a rat. By discrediting the voting system so close to an election they can either discourage people from voting or open it to challenges later on, especially if it goes the other way from what they want or, finally, parachute an expensive, closed-source system by simply stating "this one stinks, here's a proper commercial system" (Diebold anyone?)...

Re:At least

That's an unprovable assertion.

Re:At least

[fafaforza]

I don't know. Giving people 3 weeks to try to pull this off? Seems to me like they were trying to stack the odds in their favor.

Maybe they wanted to give an appearance of oppenness, assuming no one could get it done in that short of a time, and it backfired on them a bit. They can still fall back on the openness angle.

Re:At least

This protocol is simple enough that no expertise is necessary to memorize it, understand why it works, and verify that it is followed correctly. It is the only protocol with these important properties.

I proudly present the "drunk-guy-in-a-bar" protoocol!
There's a drunk guy sitting on a bar stool.
The voters queue up, walk to him one by one and whisper their vote to him.
After each vote, the guy takes a swig.
After the voting is done, the guy points out the winner on a candidate sheet.

Easy to memorize.... check!
verify that it's followed correctly... check!
understand why it works:... check!

This protocol is only the second protocol to have these important properties. Moreover, it is the first protocol that virtually guarantees a random outcome with any reasonable voter turnout, and its costs are far smaller than a paper ballot election (no need to print more than one sign with candidate names).

PS: on a slightly more serious note: there are plenty of other voting systems which fit the bill more or less (e.g. Threeballot). Most voting systems can somehow be gamed -- either within the system (changing ballots or such) or outside of it (e.g. gerrymandering). Paper isn't perfect. Neither are most other systems.

Re:At least

I don't know which e-voting community you're talking about, but this evoting community is not in favour of evoting for actual elections. Because we feel it isn't ready yet.

But perhaps you were talking about evoting companies, not the community.

Re:At least

[Pumpkin+Tuna]

I disagree. The key is that equal numbers of representatives from both parties are part of the process and essentially watch each other for cheating. I've run a polling place for several years now as chief judge, and I've seen no way that I could have cheated, even though I transported the paper ballots to the board of elections by myself in my own car. There were too many failsafes. It actually made me feel very good about our democracy. You can't say the same for some code, no matter how secure it is. Security can always be broken.

Re:At least

Yes, you couldn't change the initial count but you can make changes so a recount will show up differently. i.e the parent's reference to Al Franken in, who mysteriously started getting minor increases in his votes.

The current system works fine only if you only trust the "first" official count.

Re:At least

[colinnwn]

You see no way, it doesn't mean someone else couldn't find a way, or through some unforseen number of circumstances be able to collude with others.

For a year I was one of 4 people that hired the election judges and alternates for a very large county in Texas (technically we suggested the judges to the party leaders which 99% of the time would accept our recommendation). We discovered an early voting election judge was voting for their preferred candidate once per day. One day he got unlucky and a clerk saw him inserting a ballot into a box for the second day and called us asking if this was legal. Obviously it wasn't and we had him removed. But the county commissioners decided not to refer the case to the county prosecutor for prosecution due to political reasons.

Not to say there aren't many, many risks in e-voting, but physical voting is far from immune from error and malice.

Re:At least

That's not the protocol. The protocol requires that the ballot boxes are always under the scrutiny of multiple observers with opposing interests, from the moment they're sealed to the time they're opened again for ballot counting. The protocol furthermore requires that the observers confirm both eligibility to vote and that only one ballot per voter is put into the ballot box. This is usually achieved by keeping a list of people who have voted (or in countries without good means of identification, keeping a voter count and marking the right hand of the voter with indelible ink). Then they're handed a ballot, they fill out the ballot and put it in the ballot box. At the end of the day, you can see if mistakes were made by checking if there are discrepancies between the voter count and the ballot count.

Re:At least

[trevelyon]

I was in complete agreement right up to where you said it is the ONLY protocol with these properties. There are many other systems with these same properties some even more primitive than the one you stated. Such as using the same basic system but instead of a ballot giving one stone that the voter drops into one of two sealed bins with a drop hole in an otherwise empty room. Only stones from voters are allowed to enter and exit the room. It;s slightly different but used as an example that the statement of it being the ONLY protocol is incorrect. I make this point because thinking it is the only way means you will never advance it and if that never happens the system of voting necessarily can not advance. Without better tools having first, second and third choice voting with instant runoff is not practical. Other than this statement I agree with the rest of your post.

Re:At least

[atisss]

You could always find means to cheat. The question is about price and available tools.

For example, you could dig up to the election office (or access from floor below), and cut a hole into the bottom of election box.
In parallel, an early voter goes to elections and analyses ballot in order to print fake empty ballots (with all anti-counterfeiting marks - expensive but not impossible).

After replacing fake ballots, you get a pro woodsman to glue bottom of election box back into the place.

This is pretty unlikely scenario as it would be expensive as hell (and would have to be replaced for every election office).
Also you could secure elections from this by placing election box on a chair (in order to see it's bottom).

You actually can find some small issue that everyone thinks is unlikely, however with access to mighty tools (unnoticeable gluing, silent drilling, etc) you could achieve it.

As for electronic elections - the situation is the same, just the tools are more available. You just cannot think of every small issue and make it 100% proof.

Re:At least

Your protocol doesn't provide an election that is both secure and secret. Either the different boxes are unobserved, then the vote is not secure, or they are observed, then the vote is not secret. (You can hear stones being dropped into a box, see slight movement, etc.) It is important that the classification of the votes is separated from the casting of the votes.

I did hesitate before I wrote that the paper ballot election protocol is the only protocol that is simple enough, but I am confident that no other protocol has been proposed that satisfies all the basic requirements of an election and is sufficiently simple to understand and implement. I am not ruling out that someone may someday come up with something even better that isn't just the result of a trivial substitution of some element, but you have to admit that the odds are slim.

Re:At least

[laird]

"The protocol is invulnerable. The people executing the protocol aren't perfect, so in practice, real security on a well-designed e-ballot system greatly exceeds the current paper system."

Not even close. A well designed (people) process includes oversight sufficient to prevent any one person from succeeding, requiring large numbers of people to collude to affect more than a very small number of votes, which is easier to detect, and the presence of paper ballots allows for auditing and recounting, which will detect and correct for corrupt vote counting.

Digital voting mechanisms, on the other hand, lack any physical ballot, making cheating relatively easy, auditing impossible, and of course making recounts meaningless. And because it can be done in software, and the software is "proprietary" and cannot be audited, it's an obvious vulterability.

One good system that has the advantages of electronic voting (preventing overvoting, warning on undervoting, support for spoken prompts for the seeing impaired, efficient vote counting, etc.) and the advanages of paper ballots (validated record of votes, for auditing and recounting) is the one invented by the Open Voting Consortium, http://www.openvotingconsortium.org./

Re:At least

[laird]

Physical voting is not immune from error and malice, but it DOES limit the ability to do damage, because one person can only affect a very small number of votes, and it's possible to audit to detect them, and recount to correct them.

In the example that you give of a judge sneaking in putting in an extra vote every day, I'll point out that the impact was only a few votes, and he got caught. It's unfortunate that he wasn't prosecuted, but hopefully the humiliation will serve as a deterrent. I'll also point out that there was clearly a process problem, because in a well designed process the ballot boxes should be sealed at night, and only unsealed in the presence of multiple observers from multiple parties, with multiple, competing observers throughout the voting process, and re-sealed in front of the observers. The process should, of course, not rely on trusting any individual, but in the competing observers distrusting each other enough to keep each other honest.

Re:At least

[AK+Marc]

"both parties" indicates a bias for a 2-party system. "anyone" should be substituted, and *require* people registered to at least 2 parties be present at all times, otherwise destroy the ballot box.

There were too many failsafes.

And yet, there are still records of precincts that have more ballots cast and counted than elligible voters in every of the last 3 presidential elections. Either you are wrong, or fraud happens and is perpetuated by the people not involved because fraud couldn't have happened on their watch, so they are sure that no fraud happened when more ballots are counted than eligible voters.

You can't say the same for some code, no matter how secure it is.

I disagree. Making electronic voting about the code indicates a lack of interest in making it work. Everyone I talk to that doesn't like e-voting doesn't like it on principle, and any hypothetical where it was 100% secure in their definition was still objected to. You can make e-voting just as insecure as regular voting, if you like (by having the e-vote machine print out a human-readable ballot identical to a properly filled out ballot), but even then, the anti-e-voting people would still find some reason to object.

Re:At least

[laird]

"If common sense is lacking in the e-voting community, is it actually 'common'?"

Most of the DRE systems appear to be so easy to commit fraud on a massive scale that they were either to designed by morons who knew absolutely nothing about security out to make a quick buck, or were designed by people who really wanted to make elections extremely easy to rig. Given that in at least one case someone was hired to do the latter, it's hard to believe that the comple lack of security in all DRE systems was by accident. Even an idiot can figure out, for example, that running the voting database with the default usernames and passwords, or collecting votes via WiFi "to eliminate messy cabling", are terrible ideas.

Re:At least

[AK+Marc]

Digital voting mechanisms, on the other hand, lack any physical ballot,

You are artificially creating constraints I didn't put in. Sure, if you state "e-voting machines are coded by monkeys on crack and you must use them while bungee jumping" then the results will be different. Nobody put the "no physical ballot" requirement on digital voting systems until you did. e-voting encompasses everything from Internet voting to ones used along-side regular voting booths.

One good system

Never mind. I thought you wanted to debate what I said "compare the real-world performance of paper systems with a well-designed e-voting system" and you bashed a poorly designed e-voting system, and then suggested one you like, as if it isn't related to e-voting. Either it is a "digitial voting mechanism", and must, by your definition, lack a physical ballot, make cheating easy, be unautidable, and nullify recounts, or you are a liar for arguing against digital voting in one sentence, then pushing one in the next.

My guess is liar.

Re:At least

[rtfa-troll]

Everyone I talk to that doesn't like e-voting doesn't like it on principle, and any hypothetical where it was 100% secure in their definition was still objected to.

I do not object to "paper verified electronic voting" were the paper votes are done right. If you look at verifiedvoting.org you will find that my position is not that rare. The protocol is more or less the same as the paper ballot protocol shown above by AC. It has steps added as follows:

• the voter creates a vote paper
• the voter puts the vote into the ballot box
• after the vote is put into the ballot box the machine counts the vote*
• random locations are count verified against the machine, and in case of discrepancies the entire election is recounted by hand
• any candidate in any circumstances can demand a hand recount of whichever areas they wish to have recounted.
• the votes are stored for at least several months and may be stored longer in case of questions

I am opposed to electronic voting from the home. You might call this "on principle" but it's for simple practical reasons:

• it's almost impossible to secure people's computers so their vote may be remotely observed and possibly modified, depending on the system (e.g. drop a percentage of your opponent's votes whilst making voters think they voted successfully)
• it's almost impossible to ensure that people vote privately at home and that enables vote buying

I am opposed to paperless electronic voting. You might call this "on principle" but it's for simple practical reasons:

• lack of physical records makes forensic analysis of computer failures much more difficult than paper voting
• practical secure computing systems are a research subject which has not given fruit to available commercial devices; this becomes doubly so when you start to invoke networking

Please note, that I also oppose current systems for paper based postal voting for similar reasons to those that I'm opposed to current electronic voting proposals. Remote voting should be done in secured facilities such as consulates abroad with a process very similar to a normal polling station.

Re:At least

Diebold IS the backdoor.

Re:At least

[RockDoctor]

The ballot boxes don't leave the room, and enough observers to prevent collusion must be present at all times.

So ... one way that an election could be invalidated would be to have colluding people asserting allegiance to various of the parties (err, how many do you have? 3, 4, 5?) socially engineer their way into position as observers,

• then one of them leaves, making the observers inquorate. So, the election stops.
• A replacement observer is found ; the election re-starts.
• A second observer departs ; the election re-stops.

Lather, rinse, repeat, until you've run out of pre-placed social engineers, or the ward (whatever your local term is) is simply discounted from the election.

Appropriate gerrymandering could then provide significant manipulation of the election result. If you're responsive to exit polls, then you might be able to bring the number of social engineers down significantly, provided that you can move your assets (observers, so far in good standing) around.

This system also assumes that the ballot is counted where the votes are cast. That may be the habit in your jurisdiction, but it is by no means universal. Ballots in transit are very vulnerable to being adjusted, and many people have died for observing or documenting such electoral fraud.

How would the "observers" who sabotage the election justify their participation in the fraud? That's not remotely difficult - god (Allah, Jahweh, Krishna, or any one of nine billion alternatives,all infallibly correct and all different) could tell them to do it, and as long as it got the theocracy into power, no consequences could be anticipated. (If persecution followed ... well, martyrs get a direct line to the good sort of immortality anyway.) After all, it's not as if there is anything religiously sanctioned about democracy over any other form of government.

Re:At least

[AK+Marc]

it's almost impossible to ensure that people vote privately at home and that enables vote buying

What currently stops your boss from picking up enough absentee ballots for all employees and filling them out with all info other than signature, and calling in all employees one at a time to sign (or fill in anything he can't, though your boss will have your address, DOB and SSN)?

Why...

[Daniel_is_Legnd]

Why not Zoidberg?

Re:Why...

[somarilnos]

Someone wrote him in as "Slick". Although that's not his name.

Re:Why...

[Reverand+Dave]

Because Bender will teach those filthy bastards who's lovable!

Re:Why...

[ByOhTek]

They then wrote in names of fictional IT systems as candidates, [...]

Note the presence of IT and and lack of cthuloid, crustacean or anthropomorphicasied-crustacean, or whatever the hell hie is...

Re:Why...

[squidflakes]

You still have Zoooooiiidberg. You ALL still have Zoidberg!

Re:Why...

[ackthpt]

Why not Zoidberg?

I'm surprised it wasn't Putin.

Re:Why...

[pinfall]

Why not Zoidberg?

I'm surprised it wasn't Putin.

In Russia, Zoidberg votes Putin 140%

Re:Why...

how is that even remotely related to the GP?

Re:Why...

[ByOhTek]

In Soviet Russia, your vote changes hackers!

Re:Why...

[Alter_3d]

Why not Zoidberg?

I'm surprised it was not Hypnotoad

Re:Why...

[hardburlyboogerman]

Hell,I would have went old school->HAL 9000

Re:Why...

[alphatel]

All voting systems need human monitors. Just ask Andrew Brietfart.

I think the fellow you refer to has passed.

Re:Why...

"I'm going to have to go with Bender..."

Re:Why...

[Mystra_x64]

Actually, it's 146%.

Re:Why...

[snowgirl]

Why not Zoidberg?

I'm surprised it was not Hypnotoad

All Glory to the Hypnotoad!

Re:Why...

Because Bender is a fan of Olde FORTRAN Malt Liquor

Re:Why...

All mod points to the parent!

Bender

[rwise2112]

Bite my shiny metal ass!

Re:Bender

Ooh, moderated as redundant! Now I need to meta-moderate THAT to funny...

Re:Bender

Good news, everyone!

Bite my shiny metal ass!

[bunratty]

If elected I promise to KILL ALL HUMANS! Hey, you said there'd be hookers at this convention.

Re:Bite my shiny metal ass!

[Erbo]

Now, did they list his full, legal name, "Bender Bending Rodriguez," on the ballot?

Re:Bite my shiny metal ass!

[Patch86]

Have you ever tried simply turning off the TV, sitting down with your children, and hitting them?

Re:Bite my shiny metal ass!

Fine, I'll go rig my own elections! With blackjack, and hookers! In fact, forget about the election.

Re:Bite my shiny metal ass!

[mkkohls]

I hope not. Then people might learn he can't run being a Mexican citizen.

"managed to guess the login details"

[chemicaldave]

If you read the article, they didn't even have to guess really. The default root password for the HTTP admin interface was left intact. They then downloaded the etc/passwd file and cracked it in only 3.5 hours because, surprise surprise, the secondary administrator password was piss poor "cisco123"

Seriously. Who hired these clowns?

Re:"managed to guess the login details"

[Desler]

This was a system created by Rubyists. They don't understand security because that's a "low-level detail" they can't be arsed to learn.

Re:"managed to guess the login details"

[Rijnzael]

Presumably you mean they cracked /etc/shadow. Still, piss poor is a good assessment for their attempts at securing this process. At least they opened it up for public testing though.

Re:"managed to guess the login details"

Indeed.

Ruby does a lot of things, but encouraging security isn’t one of them. Building a properly secured application means thinking about security right from the beginning and working it in at the core levels. Upper level code shouldn't even be _able_ to do something insecure without some kind of token from the minimalist security layers at the base. A language designed to "handle that shit for you" leads to a lot of "oh, didn't think about that" type issues.

See also: diaspora

Re:"managed to guess the login details"

[jeffmeden]

If you read the article, they didn't even have to guess really. The default root password for the HTTP admin interface was left intact. They then downloaded the etc/passwd file and cracked it in only 3.5 hours because, surprise surprise, the secondary administrator password was piss poor "cisco123"

Seriously. Who hired these clowns?

It gets even better. The guys attacking it decided to put in a *modicum* of security since there basically was none AT ALL... I can only hope that they actually wanted a really really really soft honeypot for this whole test, and that it wasn't just the E-voting system that they were testing. If it was, god help us all.

We realized that one of
the default logins to the terminal server (user: admin, password: admin) would
likely be guessed by the attacker in a short period of time, and therefore decided
to protect the device from further compromise that might interfere with the
voting system test. We used iptables to block the offending IP addresses and
changed the admin password to something much more difficult to guess. We later
blocked similar attacks from IP addresses in New Jersey, India, and China.

Re:"managed to guess the login details"

[X0563511]

Well to be fair, the web developers and sysadmins owning the services the web developers use should be different people. They tend to have different skillsets.

Re:"managed to guess the login details"

[OldGunner]

This just in, Putin bought the unmodified code from them for use in the next election. Now he can announce his victory before the votes are even cast!

Re:"managed to guess the login details"

[Uteck]

They were the lowest bidder, so people got what they paid for. If you want a secure e-voting system then be prepared to dish out a lot of cash to security experts to test and lock it down, then test and lock down again.

Re:"managed to guess the login details"

[quietwalker]

Completely unrelated to the subject, our dev team has recently replaced portions of our product with a ruby implementation that has caused no end of problems. These folks that have managed to up our bug count by a factor of 3 and increase our feature-completion time by a factor of about 2. This has been going on for 8 months, and I'm simply ill-equipped to discuss this since I've not worked on the ruby code, or really picked it up myself yet. I'm convinced this isn't really a problem with ruby itself, but more due to the amateur way in which their code is architected, which makes maintenance difficult.

You sound like you've got some experience and opinions on the subject that might be valuable; would you be willing to discuss this via email? I'm at pdughi@gmail.com (slashdot is still showing 'email not shown publicly' despite my user settings ....)

Re:"managed to guess the login details"

[powerlord]

New Jersey, India, and China.

Ah yes, the new "Axis of Evil"!

Re:"managed to guess the login details"

[telekon]

This was a system created by Rubyists. They don't understand security because that's a "low-level detail" they can't be arsed to learn.

Rubyists pay attention to low-level details. This is why we write C extensions rather than executing shell commands from web applications, which is asinine.

"Rails developers" are rarely Rubyists, properly speaking. This is one of the issues plaguing the Rails community. It could be worse, though. Rails developers can become Rubyists. In the PHP community, given that the preferred development methodology seems to be having two cats copulate on a keyboard, I don't hold much hope.

Re:"managed to guess the login details"

[Alex+Zepeda]

Except this wasn't a failing in Ruby (or Rails). As TFA pointed out, the vulnerability had already been discovered and fixed. The problem was that the voting software was using a custom version of the library in question... based on an older, insecure version no less. While TFA mentions checking the file extension should help remedy the problem, doing something as simple as URL encoding the filenames would work as well (and prevent escape characters from popping up in the filename).

Re:"managed to guess the login details"

In my experience you can't code ruby without testcases all the time for everything. This is probably one of the reasons why Ruby has a bunch of excellent tools for BDD and TDD. Probably you have to introduce those.

Re:"managed to guess the login details"

[rtfa-troll]

] If you want a secure e-voting system then be prepared to dish out a lot of cash to security expert....

Do you have any example where this has been achieved (as demonstrated by standing up to serious peer review with full access to the code and system design) or are you just auditioning for a job as a security consulting salesman.

N.B. For the humor impaired who can't read my signature that was a somewhat sarcastic / bitchy joke.

Re:"managed to guess the login details"

[medv4380]

Why even use passwords. This is the kind of system that should require a two factor authentication. You shouldn't be able to gain access to an election system unless you actually have the key to the ballot box.

Re:"managed to guess the login details"

[Archangel+Michael]

.. that the preferred development methodology seems to be having two cats copulate on a keyboard

There is only one cat, it confuses people because it is both dead ... and alive.

Re:"managed to guess the login details"

They are all just different shades of orange, after all. /horribleperson

Re:"managed to guess the login details"

[tibman]

PHP 5 supports up to three cats now :)

Re:"managed to guess the login details"

[rev0lt]

This is why we write C extensions rather than executing shell commands from web applications, which is asinine.

So what you're saying is that you rely on your own set of utilities developed in C, instead of using the tried-and-true, often secure and in some cases with more than one decade in deployment (as in -stable-) shell commands? And this is your counter-argument to why "rubyists" don't understand security?

Re:"managed to guess the login details"

[Culture20]

Presumably you mean they cracked /etc/shadow

Not necessarily. Since it's a system designed to be single-user, they probably didn't bother with shadow passwords and had everything in /etc/password. Heck, I bet it was based on SunOS 5.0

Re:"managed to guess the login details"

[telekon]

So what you're saying is that you rely on your own set of utilities developed in C, instead of using the tried-and-true, often secure and in some cases with more than one decade in deployment (as in -stable-) shell commands? And this is your counter-argument to why "rubyists" don't understand security?

No, that would be stupid. And we could do that in pure Ruby. The point of writing C extensions is to link the libraries and gain access to the function calls that the shell commands themselves invoke.

Are you even a programmer?

Re:"managed to guess the login details"

[rev0lt]

The point of writing C extensions is to link the libraries and gain access to the function calls that the shell commands themselves invoke.

So, it's not an extension (it does not provide funcionality by itself), but a wrapper. Even a monkey can make a wrapper.

Are you even a programmer?

I could ask you the same, but I guess it would be offensive.

Re:"managed to guess the login details"

[telekon]

It's an extension to Ruby, written in C.

Often it's a "wrapper," in that it wraps a C function call. Either way, much safer (and far less idiotic) than shell invocations.

Nowadays we're using FFI more, though.

Re:"managed to guess the login details"

[rev0lt]

Yes, but the fact remains that you/rubyists you refer actually didn't write the extension, only the wrapper part. And writing a wrapper is hardly a low-level detail regarding security.
While there are a lot of cases when directly linking to a library makes sense, there are a lot of others it does not. Having loose coupling between a given application and a library allows the application to use different available components, and not a specific one. As an example, imagine if you develop your app with a specific imagemagick extension linked in as a library - yes, you somewhat get faster execution, at the cost of sharing the eventual memory leaks of the library, and giving away the ability to use, for example, graphicsmagick instead. And you don't benefit from the additional checks made by the commandline parser. The correct approach isn't as black-and-white as you put it, as performance and security aren't usually the only concerns.

Re:"managed to guess the login details"

[thejynxed]

No, what he was inferring is that it's ridiculously insecure to call secure functions from a known insecure vector, AKA "the web" using "applications" (read: shoddy Flash/Javascript/PHP/etc).

It would be like you writing an application that gives you access to the root account of your server and all of the commands it has access to, but bypassing the secure login, and broadcasting it all over the place just because it was more convenient for you to write scripts/application to do so.

It isn't the shell commands, it's the method of accessing them that's the problem. Web apps will never, ever, be a secure way to access anything meant to be secure. That's the bottom line of it.

Re:"managed to guess the login details"

[rev0lt]

Yes, you're right - the web isn't a secure way of access shell commands, but you are already accessing a bunch of them (webserver, scripting language, etc). It's not the web application's responsability to ensure that the server has the proper security in place, nor discarding the additional protection given by the commandline parser or limits imposed by the environment buffer is a security measure. The library code will still be executed with the same UID/GID, but in the same process space, which - by itself - exposes the application to a whole new range of security issues. Also, in most environments, it is easier to monitor what is going on at a given step by having a proper process tree than a bunch of libraries linked in, that may mask malicious execution on a busy server.

Regarding web/language security, i'ts like everything else. Security is a process, and benefits from multiple layers. Discarding "one layer" because of poor understanding of system internals isn't a security measure, and promotes lazyness from an administrator point of view. I could say that everyday millions of servers are managed using web-facing executables that fork the apopriate binaries (sshd with scp/sftp support, rsync, etc), with much more success securitywise than any ruby/php/whatever application, but that isn't the issue. The issue is that bad programmers will always do bad code, and linking libraries directly (and at least some libraries I've seen already expect fully sanitized parameterts, so will behave poorly during a break-in attempt) without knowing what's inside won't do any good. It will probably create new security issues.

Bender would be great for head of the school board

[jizziknight]

"Have you ever tried simply turning off the TV, sitting down with your children, and hitting them?"

Ruby on Fails? LOL

Ruby on Rails

And there's your problem. Only an idiot would try to run something that needs high security on Ruby on Fails. Rubyists couldn't write secure code if their life depended on it. Next time hire real programmers not hipsters who spend all day sipping lattes and admiring each other's new pair of skinny jeans.

Re:Ruby on Fails? LOL

Ruby on Rails

And there's your problem. Only an idiot would try to run something that needs high security on Ruby on Fails. Rubyists couldn't write secure code if their life depended on it. Next time hire real programmers not hipsters who spend all day sipping lattes and admiring each other's new pair of skinny jeans.

Somewhere, in some coffee shop, some guy with a bowl cut and a faint mustache is commenting to his friend that he just got hired back to do another contract for the DC BOE and this time they want him to spend 4 hours on it instead of 2.

Re:Ruby on Fails? LOL

Totally agree.

I can see some (arguable) uses for ruby.. but writing anything that required a high level of security isn't one of them. Not just the language itself not being geared for it, but as you said, the people who use it tend not to have the mindset for it. Diaspora was a great demonstration of this. Security was kind of sprinkled on top vs properly integrated at all layers and many holes were the result of poorly-understood behaviour or inappropriate use of the language features they were using. Always exceptions, but this is consistent with most ruby code I've seen.

Re:Ruby on Fails? LOL

[kbob88]

Nice troll. Actually, it's kind of a lame troll. I suppose, as is normal on /., you didn't read the report from Prof Halderman.

The initial problem was a string interpolation vulnerability in a modified Ruby library that executes a shell command to encrypt PDF ballots. That's a pretty basic mistake that has nothing really to do with Ruby or Rails. If you interpolate into a string (or concatenate data into a string) without sanitizing the data, and then execute it, you're asking for trouble, no matter whether it's Rails or Java or C. This is also pretty basic security stuff, and there are tons of guidelines and tutorials in the Rails community for avoiding this kind of mistake. There are also plenty of code vulnerability scanners that would pick this up. It's amazing that the DC team didn't use one of these to check their code.

But they had plenty of other problems such as easy-to-guess passwords and a lousy IDS configuration.

So the real problem was with the people who developed and implemented the system, not with the tools. I've seen plenty of similar mistakes in systems developed using all sorts of technologies. The developers clearly didn't have a very solid background in security. That's OK actually, as long as you have someone on the project who does and who can check their designs and implementation. Sounds like they didn't have anyone well versed in security, which seems a bit odd for an e-voting project. I'm certainly no expert on security, but I am RoR coder, and even I know not to make these mistakes.

But I suppose it's fun to bash the Rails programmers because they are in really high demand and able to command very high billing rates :-) I'll take the bashing along with the money and the ease of programming!

Re:Ruby on Fails? LOL

But I suppose it's fun to bash the Rails programmers because they are in really high demand and able to command very high billing rates :-)

Yeah and we all believe you. No, really, we do. I'm sure the other unemployed Rubyists at Starbucks with you are congratulating you on this great post.

Re:Ruby on Fails? LOL

[dgatwood]

The initial problem was a string interpolation vulnerability in a modified Ruby library that executes a shell command to encrypt PDF ballots. That's a pretty basic mistake that has nothing really to do with Ruby or Rails. If you interpolate into a string (or concatenate data into a string) without sanitizing the data, and then execute it, you're asking for trouble, no matter whether it's Rails or Java or C.

Not really. In C, you'd have gotten called an idiot within a few seconds if you used system() or popen(). Properly written C code using fork() and exec() does not require you to sanitize the string in any way.

Re:Ruby on Fails? LOL

[Shados]

I really hate Ruby, but its hard to ignore that there's a ton of Ruby shops hiring in the big north american metro areas and that they have more contracts than they can deal with right now. Ruby is pretty hot these days.

Re:Ruby on Fails? LOL

[kbob88]

Yeah, and I believe you. That's why I can't find any experience RoR developers to hire. Our recruiters can't find anyone either. They're all busy.

Re:Ruby on Fails? LOL

[kbob88]

I think "properly written" is the key phrase there, which applies to any technology implementation.

Ideally, they would have used the gpg libraries or gpgme and called it directly from the Ruby code. But that's harder, so they chose the easy way and got burned.

Re:Ruby on Fails? LOL

[icebraining]

A simple search reveals that Ruby has fork() and exec() too. The problem is the "properly written" part.

Re:Ruby on Fails? LOL

[Zedrick]

Ruby (and RoR) is not hip anymore. This is 2012, not 2008. The hipsters have moved on to whatever, and those who remains are generally not worse than other coders.

Re:Ruby on Fails? LOL

Yeah, and I believe you. That's why I can't find any experience RoR developers to hire. Our recruiters can't find anyone either. They're all busy.

We have the same issue! It took us six months before we were able to find a Senior RoR developer with 10 years experience.

Re:Ruby on Fails? LOL

[shadowrat]

I think they still don't hold a candle to the price of a cobol programmer.

Re:Ruby on Fails? LOL

[LordLimecat]

I am neither a Ruby nor C developer.

But question, assuming you are doing something like "exec(pdfparse($input))", and you dont sanitize your data, whats to stop someone from specifying the pdf file "somefile.pdf);rm -rf" as the file?

Re:Ruby on Fails? LOL

The ");" part is only useful when run in an interpreted shell environment. When you exec something, there is no intermediate environment, so your program would try to execute a filename named exactly that, not find it, and return simply an error. That's why the parent was referring to system()/popen(), as these functions tend to run in a shell environment and interpret those characters as separators of multiple commands.

Re:Ruby on Fails? LOL

Never mind that he didnt accuse RoR itself of being piss poor, but instead those who use it, or that you seem to have a real problem with correlation not being equal to causation... Get a little more defensive, why don't you. Of course, you're right, Ruby programmers are the envy of all lesser programmers! Just like Cobol coders. Enjoy your 6 month contract and don't let your latte get cold, it needs to be gone before the world moves on to the next framework after RoR is crushed under the weight of negative exposure like this. Anyone remember coldfusion? No? Wonder why. Lol.

Re:Ruby on Fails? LOL

There's a reason for that. It's not because Rubyists are so great and can command high salaries for their scripting abilities. It's because RoR developers are 99% shit.

Re:Ruby on Fails? LOL

[HarrySquatter]

It would return an errno.

Bender?

Why not Zoidberg?

Election System

[necro81]

Ya, well, I'm gonna go build my own election system. With blackjack! And hookers!

In fact, forget the election system.

Re:Election System

Ya, well, I'm gonna go build my own election system. With blackjack! And hookers!
In fact, forget the election system.

and the blackjack.

Re:Election System

ah screw the whole thing...

Re:Election System

[MurukeshM]

which is where the hookers come in, I suppose. Mmmm.. chicken.

huh?

They guessed the login details of the terminal server? Epic fail. Root.Domain == pwnd. If the admin was hacked so easily with the default pwd then nothing to see here.

why evoting machines

Every single technology profession I have EVER communicated with, does not think electronic voting machines are a good idea. If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

Re:why evoting machines

[Desler]

Because an unemployed hipster with 10 years of Ruby experience needed work?

Re:why evoting machines

[GmExtremacy]

If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

Because what is popular is not always correct.

Re:why evoting machines

[jeffmeden]

Every single technology profession I have EVER communicated with, does not think electronic voting machines are a good idea. If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

That's just it, we took a vote on that and as it turns out about 190% of respondents said that they were in favor of electronic voting...

Re:why evoting machines

[Attila+Dimedici]

Because it will be easier to hide voter fraud with electronic voting machines.

Re:why evoting machines

[Hentes]

Because the goal is not to build a secure system.

Re:why evoting machines

[Tackhead]

Every single technology profession I have EVER communicated with, does not think electronic voting machines are a good idea. If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

Because neither politicians nor voters understand the concept of experimental error.

And because in 2000, a Presidential election's electoral vote count was close enough that the entire contest depended upon the poopular vote count of a single state, which was itself close enough to fall within the experimental error of the measuring apparatus. (Hanging chads, ballots with improperly marked "X"s, scantron errors, etc.)

After that, of course, the usual political process took care of itself, to wit:

Ignorant public: "Something must be done to eliminate all experimental error!"
Ignorant politicians: "Computers are something!"
Frustrated techies: "Just because the computer always reports an unambiguous tally, doesn't mean that the tally reflects the will of the voters..."

They were, of course, drowned out by a chorus of...

Contractors and Lobbyists: "Hey, you politicians look like you want a whole lot of voting machines, and we happen to know some people who can build them... for a price."

Most people (with the exception of politicians and rabid hyperpartisans, and in 2000, they were the minority of the electorate), whether they voted Jackass or Elephant, were willing to accept that it was possible that their candidate lost.

But nobody - and I mean nobody - wanted to accept the possibility that there was insufficient data to discern the actual will of Florida's voters because the margin of victory was within the expected error of a voting process.

The recorded vote count in Florida was 2,912,790 to 2,912,253. Even ignoring the experimental error associated with the voting process, a traffic accident on a highway leading to/from a Democratic- or Republican-leaning neighborhood (or a bad rainstorm, or any number of a thousand random occurrences) could have changed the outcome by making enough people stay home, delay voters' arrival at the polling stations after closing time, etc., to have changed the outcome. No matter what technology you use, 269 votes out of almost six million isn't signal, it's noise.

Re:why evoting machines

the American public's (media's) urge for instant gratification - the poll stations closed 1 second ago - Why don't we have the result? We want it NOW!

Re:why evoting machines

[Anomalyst]

Because what is popular is not always correct.

E.G. Any Apple iProduct.

Re:why evoting machines

[sjames]

Or profitable.

Re:why evoting machines

[yuhong]

Yea, even without this issue, running for President or Congress would be much easier if there was a +/-5% margin. I suggest running the vote again if it falls within this margin.

Re:why evoting machines

[sjames]

I suspect more media than public. I doubt I'm the only person who after the 5th "special election report" wonders why it can't just wait till the 11 o'clock news when more than a single digit percentage of votes have been counted.

Re:why evoting machines

[AK+Marc]

You are now communicating with a technology professional who thinks electronic voting is a great idea.

, why the FUCK are we still making these things?

When you are completely ignorant of the issues, I don't think you've discussed the issues with any "technology professionals". They are (arguably) required by law to allow blind/handicapped people to vote unassisted, as enough politicians think they are required by law, they will never go away until the ADA is amended to explicitly address this issue.

Re:why evoting machines

[AK+Marc]

We've had no lack of fraud in the 150 or so years since we abolished open voting. The "fix" is abolishing secret ballots, all fraud is based on the untracability we value higher than accuracy.

Re:why evoting machines

...and this shows just how stupid the electoral college system is. A state that is roughly 50 / 50 between politicians should not count as 100% for arbitrary politician X.

Re:why evoting machines

Actually once the recount was completed - an unofficial one paid for by a group of newspapers - it turns out that Gore won in Florida by a margin of about 30,000 votes. Only those of us who knew that this recount was underway, and watched carefully for the announced results, know it happened.

Re:why evoting machines

I have to laugh at "improperly marked Xs". Does a psychic read each card to determine the voter's real intent?

Re:why evoting machines

[laird]

Paper ballots, with proper handling and counting procedures, work quite well.

Re:why evoting machines

Bonus karma to anyone who spotted the inconsistent math in the parent post.

Re:why evoting machines

[AK+Marc]

The error rate was much greater than the number needed to swing the vote in 2000 and 2004, rendering the elections statistically invalid. That's not "quite well" in my book, and I question anyone who thinks that acceptable.

Futurama rocks!

[CosaNostra+Pizza+Inc]

Personally, i would have voted for Hubert Farnsworth.

Re:Futurama rocks!

[geekoid]

wha...?

Re:Futurama rocks!

[Jason+Levine]

I'd reply, but I am already in my pajamas. *dozes off*

Re:Futurama rocks!

[otaku244]

Wernstrom!

I'm Bender baby!

[squidflakes]

I'm sure Bender doesn't endorse the cool crime of election fraud. He just needs a big government network to get down with maximum efficiency.

Need more than just a hack

[Todd+Knarr]

What I want to see is a real compromise of one of these systems that can be held up as a true scare story:

1. The compromise is undetected. At the time the results are reported, the election officials are unaware that the system has been compromised and none of the systems in place for detecting a compromise has indicated any trouble. According to all evidence in the audit trail the results are undeniably correct and true.

2. There was no indication of tampering at the time of voting. As votes were being cast there was no indication of tampering with the ballots or any other visible indication that the results weren't being correctly recorded and reported.

3. The results reported are undeniably wrong. Eg., the test voting was done in a controlled manner where everyone knew what the correct results should be and that everyone saw that everyone else had voted the way they were supposed to, so if the system functioned correctly it's known exactly how many votes should be cast for which candidate.

4. The reported results are undeniably wrong. Eg., according to the reported results 100% of the votes cast were for a candidate who should've received zero votes.

Re:Need more than just a hack

Actually, making it so that 100% of votes go to a single person, while a good demonstration, is not all that scary.
The trick would be to make it so that every third or fourth vote goes to the person you want. Unless your candidate is universally hated so that no one would be voting for them, an extra third or quarter of the votes should be enough to push them up above everyone else, without being so obvious. In a controlled environment that should be enough to be really scary, since you wouldn't know it was tampered with unless you knew what the results were supposed to be at the end.

Now, in a live election it would be better if someone got 100% of the votes.
Say, no matter who someone votes for in the November election, Charlie Sheen get's the vote on a write in. That would make the point.

Re:Need more than just a hack

I think you are thinking too much.

Once the server receives a vote it should print it off then the two are compared for tampering. Fixes the issue easily. Also let people know they could vote twice, but would be forced to vote in person at a latter date if that occurred.

Re:Need more than just a hack

And the result would be??

That's right. The expected candidate would probably win by a few percentage points, as they should, and the only shock would be to the original tamperer. And then whom would they tell?

Re:Need more than just a hack

That's why you make every vote go for your candidate with n% probability or their opponent with (100-n)% probability. Just make n > 50.

Re:Need more than just a hack

[OFnow]

5. The bad guys who wanted to control the outcome had no way to know the result was verifiable so their compromise was either a waste of time or worse (for them).

There. Fixed that for you.

Re:Need more than just a hack

We already had this in the 2000 and 2004 elections -- didn't you see what Diebold did?

Re:Need more than just a hack

[scharkalvin]

Hey #1 or #2 is EXACTLY how Bush got re-elected!

Re:Need more than just a hack

[Todd+Knarr]

In a real election, no. But the point of this kind of exercise is to provide a situation where there's no way anybody could deny that the results are wrong (it's not just a few votes miscounted, it's every single vote set incorrectly which simply can't happen by chance or random error), yet at the same time there's absolutely no way to prove it happened and in fact trivial to prove it didn't happen (the audit trail is intact and shows that the reported count is correct and true even when it isn't). Being able to tamper with the results in a way that's blatantly obvious (eg. by changing the ballots presented) doesn't scare people. "We can swing the election any way we want, as blatantly as we want, and you can't prove a thing.", that's the kind of thing headlines and news show lead stories are made of.

Re:Need more than just a hack

4. The reported results are undeniably wrong. Eg., according to the reported results 100% of the votes cast were for a candidate who should've received zero votes.

It would be better if the system recorded the correct number of ballots, yet each ballot contained no votes. Voting a blank ballot is allowable and must be counted correctly -> ballots cast + 1, votes counted + 0.

If one candidate receives 100% of the vote then that candidate is the winner and the courts are going to agree because nobody can prove anything went wrong. The steady stream of people claiming to have voted for the other guy are just that - people claiming to have done something with no proof showing one way or the other.

On the other hand, if no candidate receives a single vote, you have a failed election (at least in the United States). The law has no provisions for dealing with such a situation. No judge will have any precedent to use as a guide and will have to make something up. Some will call for a new election, others will say that the incumbent stays on, still others will come up with something else. The Supreme Court will have to intervene.

Re:Need more than just a hack

Maybe you're thinking of the machines they found in Honduras?
They were supposed to be used in the presidential elections, which didn't happen.
Despite the lack of elections, they gave a result.

Sounds like it suits your request.
(no link on hand and too lazy to google).

Re:Need more than just a hack

[laird]

Easy to do with DREs. Just wait for a secret touchscreen sequence, and until election day "do the right thing." On election day, one person pokes all of the DREs, after which they display whatever the voter wants to see, but record votes however your programmer wants the election to go.

There's absolutely no way to detect this without being able to inspect the code, compile it yourself, and deploy your binaries to the DREs.

Comment removed

[account_deleted]

Comment removed based on user account deletion

umm

[geekoid]

He is a bending unit, not a 'head of the DC school board' unit...guh.~

Re:umm

[0racle]

Well don't blame me, I voted for Kodos.

Re:Election System, but if you don't have a system

what will you do with the leftover blackjack and hookers?

Open Season for Crackers

[walkerp1]

I can't be the only one thinking that this was an excellent opportunity to crack the system with impunity and not report the findings. That leaves you one simple ? from Profit!!!

Bender for POTUS in 2012!

Now that's a candidate I could get behind... hackers consider this a call to arms.

Re:Bender for POTUS in 2012!

[Culture20]

Sorry, He can't be. Bender was built in Mexico. Although if Mom is an American citizen, that could throw a wrinkle in the works.

Re:Bender would be great for head of the school bo

Why is this modded Insightful instead of Funny?

Can they do this for us?

[Ronin+Developer]

Right now, the citizens in Central Bucks are outraged by the recent actions of their school board which is resulting in middle schools students getting longer core classes and must choose between liberal arts and PEN (the gifted program) or taking all the other "fun" electives. And, for you ./ types, they cut out the computer applications class (rather than making them more advanced) at the cost of 8 addition teacher jobs.

When the parents protested at the School Board meeting, over 700 people came and 50 spoke. At the end, the CBSD President (elected...unfortunately), basically said "FU" to the parents and dismissed us with a wave of his hand. The Superintendent (who, I don't care for) has even said that there is no reason to change - the existing system IS working well and kids are getting excellent scores. When asked by a parent WHAT the problem is or WHY they are doing this...the crowd was met with silence. Originally, they said one reason was to give more time to prep for the standardized tests. Interestingly, they are back-peddling on that statement.

Fortunately, the PA Dept of Education is now investigating. But, will it be fast enough? BTW, most of the SB members were elected on the republican ticket (as is most of Central Bucks, PA). Cutting costs, I can deal with. Taking us back to the 19th Century? Ah...that would be a 'No'.

So, I say...I would, frankly, welcome and support our Futurama Overlords right now.

Original Story
http://www.phillyburbs.com/my_town/doylestown/cb-parents-students-we-deserve-better/article_aeaf6fe3-6eba-519c-82a2-e2dfebb1208f.html

Update
http://www.phillyburbs.com/news/local/the_intelligencer_news/opinion/changes-coming-at-cb-middle-schools-but-for-the-better/article_328fffdc-b240-5903-8526-85e5d567def3.html

Re:Can they do this for us?

[Ronin+Developer]

Why is this "Off-topic"...because it indicates how far elected officials will go to screw over their constituants?

What I and the rest of the parents wouldn't do to get them out and replace with Futurama Overloards - they clearly would do a better job representing us than the Republican's elected in on a promise and then breaking it at the first opportunity.

Re:Can they do this for us?

You might want to consider that your posts have everything to do with a dispute between parents and a school board in Bucks County, Pennsylvania, and *absolutely nothing* to do with electronic voting or the article at hand.

Re:Bender would be great for head of the school bo

[gewalker]

Bender doing this should not be a surprise, after all he already messed up the presidential election of 2000 by going back in time and getting Bush elected instead of Gore Act VI, he was probably did this as a lark at the same time. Given Bender's innate robotics skills, there is no doubt he could have done this.

You'll never see that

What I want to see is a real compromise of one of these systems that can be held up as a true scare story:

1. The compromise is undetected. At the time the results are reported, the election officials are unaware that the system has been compromised and none of the systems in place for detecting a compromise has indicated any trouble. According to all evidence in the audit trail the results are undeniably correct and true.

2. There was no indication of tampering at the time of voting. As votes were being cast there was no indication of tampering with the ballots or any other visible indication that the results weren't being correctly recorded and reported.

3. The results reported are undeniably wrong. Eg., the test voting was done in a controlled manner where everyone knew what the correct results should be and that everyone saw that everyone else had voted the way they were supposed to, so if the system functioned correctly it's known exactly how many votes should be cast for which candidate.

4. The reported results are undeniably wrong. Eg., according to the reported results 100% of the votes cast were for a candidate who should've received zero votes.

That's a pretty ridiculous prank to pull just for the lulz.

Tampering with an actual election is a pretty serious crime, so whoever does it is not going to want to get caught. Only an idiot would want to commit a federal crime just to throw, say, the state of Virginia's 2012 presidential vote to a 100% landslide for some cartoon robot. If you're going to do it, you might as well do it to give your pet candidate a definite but believable majority.

Re:You'll never see that

That's a pretty ridiculous prank to pull just for the lulz.

It's not for "lulz". It's to demonstrate, without possibility of denial, the incredibly serious point that e-voting is a bad idea that can never be safely implemented.

Re:You'll never see that

It's not for "lulz". It's to demonstrate, without possibility of denial, the incredibly serious point that e-voting is a bad idea that can never be safely implemented.

Okay, then. It's a pretty serious prank to pull just to make a point.

Re:You'll never see that

[AK+Marc]

e-voting can be simply an safely implemented. All it costs is the untracibility and lack of verification we demand of our current system.

Re:You'll never see that

[Todd+Knarr]

Except that that removes the safety and security of the system. The untraceability is what protects voters from coercion. If it was possible for any party to trace a person's vote and see what it was, it's then possible to threaten voters with repercussions if they don't vote the way you want them to (eg. "Vote for the candidate the CEO likes or we'll fire you.", although in reality it'd probably be a bit more subtle than that).

Oddly it is possible to implement an electronic voting system that's both untraceable and secure. But so far every electronic voting company has been resistant to building an independent audit trail in.

Re:You'll never see that

[AK+Marc]

The untraceability is what protects voters from coercion. If it was possible for any party to trace a person's vote and see what it was, it's then possible to threaten voters with repercussions if they don't vote the way you want them to (eg. "Vote for the candidate the CEO likes or we'll fire you.", although in reality it'd probably be a bit more subtle than that).

That's possible today and doesn't happen. So, that may be your opinion, but I claim the facts of today prove you wrong. We had open ballots for almost 100 years, and it wasn't until votes were taken during a war where one side of the war ran the polls where there was any problem with it, and since then, the fraud under closed ballots has been much higher than when ballots were open before the war.

Re:You'll never see that

[laird]

The trick is to NOT use a DRE, but instead use a Voter Verified Paper Ballot. That is, the electronic device can help you vote, preventing overvotes and warning on undervotes, reading aloud to seeing impaired voters, etc., but the result is a printed out paper ballot which the voter then casts by putting it into a ballot box. The votes can be counted efficiently (i.e. scanned), and the paper ballots can be audited (by a separate system from a seprate vendor) and recounted.

That's untraceable and secure. There are a few systems like this (my favorite is the open source system at http://www.openvotingconsortium.org./ One nice thing is that you only have to trust the voter to verify the ballot - if the count is forged, the audit will find it. This means that you don't have to trust the software, just the process. That's a good thing.

Finally

Someone competent has won the School Board election.

hasn't this already been discussed

in episode #79, "Bender Goes Olde School"?

Page 10

Best part of this is on page 10 of the report, where people from Iran, China and India all attempted to hack the system.

This is not good

[MacGyver2210]

Sad-sack programs like this being compromised fuel the other companies who may be equally as susceptible to attack to press on as if they are somehow better or more secure.

"Sure they hacked that system the government set up, but that was some bloggers scripting in Ruby/Rails in a dark room. They didn't even change the default passwords! We're REAL programmers, writing in a lower-level language with security experience! We can't POSSIBLY do it wrong!"

If you want to actually test an election system, try having a fake Diebold election and see if it can be rigged. Use an ACTUAL e-voting vendor, not some scripts you cooked up to have a hack-off, with the default passwords and everything else right where the attackers expect to find them.

Re:This is not good

LOL @ the butthurt Rubyist. I know I'd be butthurt too if I was only paid 30k while the real programmers make 3 times my salary straight out of college.

Re:This is not good

[laird]

Every national election since DREs were introduced had what look a lot like massive security problems. Of course, since DREs can' t be audited, and the actual votes cast can't be recounted, it's impossible to prove fraud. But based on statistical analysis, DRE and non-DRE voting in different precincts in the same election have resulted in quite suspicious results, such as the non-DRE voting matching the exit polls by a small fraction of a percent, but the DRE voting being off by 7%.

It's a shame that Ben Nelson's proposal that "requires states to provide the federal office with audit reports from the hand counting of the voter verified paper ballots" got stuck in committee. It's almost like most Senators aren't too interested in election fraud. But then, they won their elections...

Until election commissions understand this...

[halexists]

It's not news that electronic systems can be insecure. Those selecting such systems are certainly lobbied to believe that, whatever system they choose, "this time it will be different... this one IS secure."

The truth is all voting systems -- manually or electronically administered -- are insecure. The feature that traditionally manual voting systems have is that the scale of voting fraud exacted is correlated with the scale of corrupt election officials overseeing the process. To increase fraud you either need a) more conspirators or b) higher-level conspirators in the body that oversees the process. That is a feature that is worth keeping in any new version of voting system.

This article is just another example of a voting system that has given up the feature. Not all electronic voting systems forsake this feature, but those that keep it are at most electronic-assisted voting systems that retain distributed verification at multiple stages of the counting process. That's because voting is most secure when it's a distributed activity, not a centralized one. With thousands of tiny precincts collecting pockets of votes, any one could tamper with results -- but many would have to tamper to have a big impact. Election commissioners, keep this feature!

I'm Scruffy, the janitor

[Nidi62]

Everyone always ignores poor Scruffy :(

Re:I'm Scruffy, the janitor

[mkkohls]

Go scruffy. Scruffy Believes in this school board.

Re:I'm Scruffy, the janitor

Judging by the score of your comment, I would agree.

Three time-honored non-tech security measures

[QuincyDurant]

"Every single technology profession I have EVER communicated with, does not think electronic voting machines are a good idea." Three cheers, too, for superstitious luddites (see below). Here are my top three solutions to computer fraud and f**kups:

1. Wanted posters and long prison sentences. Rob a mail truck, do time. Why should this not work for email and other electronic fraud? Robbing an election is a more serious a threat to democracy than robbing the mails, which is bad enough.

2. Human signatures and carbon paper (or one-write NCR paper). When a live person signs a check, an invoice, a purchase order or a ballot, he or she thinks twice about the consequences. Anything can be faked, but carbon paper scores high on lie-detector tests.

3. Letterpress-imprinted sequential numbering. Paper forms, including ballots, with unique numbers and carbons copies, are a solid control for electronic databases.Ancient Letterpress lead-type numbering devices--stamp, crunch, print, and advance the counter-- are older and less screwable-with than computerized typesetting or laser-printing.

I use all of these systems in my own business because where my money is concerned, I do not entirely trust any computer system. I've seen an entire business of 100+ employees saved by one persnicketly accounting clerk who kept paper copies of all the invoices and payments. She had been ordered not to--don't be so old-fashioned, dear--but ignored the controller's blind faith in his new, shiny, $200K fail-safe automated system. No hacker except Murphy and his law was involved. She was neither thanked nor rewarded for rescuing her employer from catastrophic folly.

Murphy's corollary: no good deed goes unpunished.

Re:Three time-honored non-tech security measures

[laird]

While I agree with your basic point, regarding (2), you can't give out receipts for votes that indicate how you voted, or produce a record of the votes that can be used to prove how someone specific voted, because that enables vote buying, which is a form of fraud that we're trying to prevent. This single requirement is what makes voting systems hard to secure, because you can't apply the mechanisms that have been securing accounting for hundreds of years.

Instead you have to have ballots that can't be tied to specific voters, with multiple observers and a clear chain of custody through the entire process in order to prevent fraud (or, at least, make it very hard to do on a large scale without being detected).

Re:Three time-honored non-tech security measures

[QuincyDurant]

Of course, but the highest sequential number shows the number of ballots actually cast, which must agree with the number of signatures on the polling place sign-in sheets. This at least prevents someone from getting 310 votes in a precinct where only 292 people have voted.

Of course, it's not easy, especially in razor-thin elections like Santorum vs. Romney in Iowa where one of the other won by maybe eight votes. The bookies paid both sides because the results were, given the inherent inaccuracy in counting, basically a tie.

It's very unusual, however, that people from both parties hand-counting paper ballots can't come to a result that all the observers agree with. At some point, it makes sense to flip a (physical) coin.

Obligatory

[ToiletBomber]

Bite my educationally shiny ass!

Every. Single. Time.

[Xupa]

Any voting system that can be hacked should be hacked. We need to see fictional characters elected to every office in the land until people figure out the results for real people have been cooked all along.

Re:Bender would be great for head of the school bo

[an+unsound+mind]

Because "Insightful" is Secret Slashdot Code for "Funny, but enough so it deserves karma". And "Funny" is Secret Slashdot Code for "So painfully unfunny it induces groaning."

Or possibly Groening. Not precisely clear on that.

Not a bad thing at all

[roc97007]

Bender couldn't possibly do any worse.

Explain to me again....

[Radical+Moderate]

why we need computerized voting? We hold elections once every year or two, it's not like counting the vote by hand is some huge drain on society's resources. Yes, hand counting is slow, that's why elections are held well before terms expire. Yes, it's labor-intensive to count by hand, but lots of eyes in the process makes fraud much harder. The Florida debacle did expose flaws in the system, but touch-screen voting is not the solution.

Re:Explain to me again....

[laird]

There's a myth among non-technical people that computerized voting would take out the human element of fraud.

Of course, as with many other things, computers serve as a magnifier, allowing fraud to be performed more efficiently and on a much larger scale than could be possible manually with paper ballots.

It's been done

[Frequency+Domain]

What I want to see is a real compromise of one of these systems that can be held up as a true scare story:

....

3. The results reported are undeniably wrong. Eg., the test voting was done in a controlled manner where everyone knew what the correct results should be and that everyone saw that everyone else had voted the way they were supposed to, so if the system functioned correctly it's known exactly how many votes should be cast for which candidate.

http://en.wikipedia.org/wiki/Hacking_Democracy

All Hail Bender!

[devphaeton]

Let us all welcome our shiny metal overlord. I look forward to his New Washington D.C., with Blackjack and Hookers. In fact, forget the blackjack!

Re:Bender would be great for head of the school bo

[kakyoin01]

Or possibly Groening. Not precisely clear on that.

This being a perfect example of "Funny". I gol'd (groaned out loud).

Re:Bender would be great for head of the school bo

[kakyoin01]

Although I must add, it was actually quite clever. Maybe your definition of "Funny" should be "Humorously entertaining to read, but most likely groan- or facepalm-inducing".

Felons

[almostadnsguy]

As a felon, Bender is barred from holding public office.

Re:Bender would be great for head of the school bo

looking at your +4 funny, oh the irony!

Very similar to the protocol for DRE

[davide+marney]

It is the only protocol with these important properties.

That is incorrect. I am a poll worker in Virginia, and we follow a very similar protocol for our DRE voting machines. We run the machines through a double-blind test prior to the vote, under the observation of multiple parties, and then we seal them. During the vote, the machines are kept in the open and observed by multiple parties. Each hour, the total votes cast are compared to the total voters allowed into the polling place, and the results called in my phone, and independently recorded, by the Registrar. At the end of the voting day, the vote totals are printed on paper, called into the Registrar by phone, and then aggregated by the State Board of Election. We then transfer the totals in ink onto a separate report, make a backup copy of the database, seal our report and the machines, and deliver them to the Registrar. The sealed reports and backup data go to the local courthouse, where they are locked away until the vote is certified.

In order to defeat our system, you would have to do it in the open, under the (very) watchful gaze of multiple parties both partisan and neutral, and you would have to do it in a way that did not change the total number of votes cast. I'm not saying it's impossible, but it would be really, really hard.

I have been volunteering for many years, know a thing or two about machine security, and am very confident that we run a clean, fair, and open election with results that are far better than a paper ballot count. If I had a choice between a paper and a machine/electronic balloting process, I would never choose to use paper. Paper is an awful medium for counting. You may have noticed that places where counting is important -- like banks -- paper is no longer used. There's a reason for that!

Re:Very similar to the protocol for DRE

double-blind test

You need to know statistics to understand and interpret the information which a double-blind test provides. No expertise required? Fail.

Re:Very similar to the protocol for DRE

[laird]

"I am a poll worker in Virginia, and we follow a very similar protocol for our DRE voting machines. "

While it sounds like you're trying to do a good job, there are many fundamental problems with DRE machines.

- The software is proprietary, and not open to inspection, only to "black box" testing, which cannot only detect some kinds of errors, and cannot be counted on to detect all errors or intentional fraud.
- There is no way to prove that the vote recorded by the DRE is the same as the vote cast. The lack of voter verification of the actual recorded vote is the fundamental problem with DREs, rendering them unsuitable for use in elections. Note that printing a record of the vote within the machine does not help, because the receipt inside the machine is not verified by the voter, so there's no way to validate that it reflects actual votes cast, so it cannot be used as the basis of an audit or recount.
- There is no way to prove that the vote recorded by the DRE cooresponds to the votes reported.
- There is no way to audit reported vote counts against actual votes cast, so no way to discover fraud or error in the voting system.
- There is no way to recount actual votes cast by voters. You can recount whatever the software happened to record, but that can easily be different from the vote cost.

Or, as NIST put it "Simply put, the DRE architecture’s inability to provide for independent audits of its electronic records makes it a poor choice for an environment in which detecting errors and fraud is important."

There are advantages the electronic voting systems, such as providing immediate voter feedback to prevent overvoting and warning of undervoting, and assisting seeing impaired voters.

The right way to go, I believe, is to use electronic voting systems to assist voters in producing a paper ballot (AKA the Voter Verified Paper Ballot), which the voter can then inspect and cast. That gives the advantages of a DRE, but with the added benefit that the election results can be (relatively) trusted. That is, for example, the type of system used in Nevada after the Gaming Commission rejected all of the DRE systems. This is particularly relevant, because they're the only state with significant experience in securing DRE-like devices, because they certify gambling machines, which are under similar attacks to DREs.

Check out http://www.openvotingconsortium.org/ for an open source system that does the right thing.

Re:Very similar to the protocol for DRE

[plover]

Actually, one of the supposed "benefits" of the electronic system that I don't care about is the immediate feedback. It's not needed. The offices are seated months after the election. That delay was important in the days of horseback transmission of results to Washington, but it's still there now.

Let the system do its task, the way it was designed, and report only after the outcome is official. So what if results don't come in until 7AM Wednesday morning? Or even the next week? It doesn't materially change anything except the timing of when the celebrating and crying starts.

Perhaps it would teach patience to people to learn to wait for important things. Or teach people that important things are worth waiting for. As we've become a society of immediate gratification junkies, we could certainly stand to learn a few more of those lessons.

Re:Very similar to the protocol for DRE

[rtfa-troll]

Your system is trivially defeated by someone who has control of the code on the system. The program given to the computer is approximately the following (with tuning for the actual procedures)

• if the machine has not been used recently this is a double blind test; do not alter ballots; record date of test
• if the machine has been used recently this may be an election;record date of test; prepare to alter ballots
• if there are less than 100 ballots cast then do not alter the ballots.
• if the machine has been running less than three hours do not alter ballots.
• add 5% of total ballots to the count for supported candidate
• subtract (0.05 * total ballots * ballots given to candidate / total ballots for opposed candidates) to the count for each other candidate

(specific parameters might need tuning for a given election procedure; but a generic system should be pretty easy). Alternatively; if we can get a legitimate voter working for us in each area we want to adjust votes.

• if someone comes in; activates the touch screen but then presses top left ; middle right; top left ; bottom left; middle left; top right
• then alter outcome as above
• otherwise do nothing

Neither system will trigger in a double blind test; The code for this is pretty easy to hide from an audit. The very fact that you think that your testing would reveal insecurities shows exactly why electronic voting should not be allowed.

Let me axe you this...

Will we have Slurm?

what did you expect?

what did you expect? red team wins...

WTF?

[AliasMarlowe]

Hey, what's wrong with electing Bender?
Let's elect Bender to all offices, just like the Grand Pooh-Bah! It could hardly be worse than the present bunch.