Slashdot Mirror


Voting System Test Hack Elects Futurama's Bender To School Board

mr crypto writes with this quote from El Reg: "In 2010 the Washington DC election board announced it had set up an e-voting system for absentee ballots and was planning to use it in an election. However, to test the system, it invited the security community and members of the public to try and hack it three weeks before the election. 'It was too good an opportunity to pass up,' explained Professor Alex Halderman from the University of Michigan. 'How often do you get the chance to hack a government network without the possibility of going to jail?' With the help of two graduate students, Halderman started to examine the software. Despite it being a relatively clean Ruby on Rails build, they spotted a shell injection vulnerability within a few hours. They figured out a way of writing output to the images directory (PDF) on the compromised server, and of encrypting traffic so that the front-end intrusion detection system couldn't spot them. The team also managed to guess the login details for the terminal server used by the voting system. ... The team altered all the ballots on the system to vote for none of the nominated candidates. They then wrote in names of fictional IT systems as candidates, including Skynet and (Halderman's personal favorite) Bender for head of the DC school board."


  1. At least by stillpixel · · Score: 5, Insightful

    the election board had the common sense to ask for this publicly and not cross their fingers and hope no one did this when they used it for real. More gov't entities should open up to testing like this.

    1. Re:At least by ackthpt · · Score: 3, Insightful

      the election board had the common sense to ask for this publicly and not cross their fingers and hope no one did this when they used it for real.

      More gov't entities should open up to testing like this.

      Sure, but if you run Diebold and favor one party over another (justsayin') you don't want some hacker finding your backdoor, do you?

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:At least by Anonymous Coward · · Score: 2, Insightful

      Of course, with paper, you can simply walk in after the fact with boxes full of votes for your guy or gal (Washington gov and Minnesota Sen, right?)

    3. Re:At least by stillpixel · · Score: 2

      Yep true, so we use the phrase on Gov't that they like to throw at us. "If you have nothing to hide, then you'll have no problem with us taking a look." (paraphrased)

    4. Re:At least by kbob88 · · Score: 3, Insightful

      I agree. Asking the community to test the system out does show remarkable common sense and good intentions, which seems to be lacking in the e-voting community.

      Unfortunately, they did not have the common sense (or perhaps judgement) to hire a technical team that knew what they were doing when it comes to security. Which is not good in any project, but seems like a huge lapse of judgement in an e-voting project.

      They also appear not to have hired an independent security review group to scan the code and review the implementation, or if they did hire one, they hired one that was no good.

    5. Re:At least by Ihmhi · · Score: 2

      With a challenge like this, the security community does the security testing for free.

    6. Re:At least by Anonymous Coward · · Score: 5, Informative

      The protocol for a proper paper ballot vote is not vulnerable in that way. It goes like this:

      On the morning of the election day, observers of all parties and interested citizens witness the sealing of empty ballot boxes. The ballot boxes don't leave the room, and enough observers to prevent collusion must be present at all times.

      The election is carried out with observers of all parties watching to confirm that only people eligible to vote put one ballot each into the ballot box.

      At the end of the day, the ballots are counted under the eyes of observers of all parties. The result is signed by all observers, each observer makes a note of the result and the signed result is posted locally. The result is relayed upward, where all local results are posted again together with the aggregate result.

      This protocol ensures that no single entity can change a number without other interested parties having the opportunity to notice the manipulation.

      This protocol is simple enough that no expertise is necessary to memorize it, understand why it works, and verify that it is followed correctly. It is the only protocol with these important properties.

    7. Re:At least by rtfa-troll · · Score: 4, Insightful

      They also appear not to have hired an independent security review group to scan the code and review the implementation, or if they did hire one, they hired one that was no good.

      It's explicitly stated in the summary, let alone the article, that this was a good system with a clean Ruby set up. That is more or less "state of the art security". If we take the lesson that this was a "bad" team and that most others would do better we would be deeply wrong. There were IDS systems and filters in place. That is a considerably higher level of protection and a sign of a higher level of security awareness than most competing systems.

      The main message is that the current state of the art doesn't come close to providing decent security. Even key military systems have been showing a bunch of failures such as the Windows based battleship propulsion system. That shows that people who know how to build secure systems don't know how to build reasonable sized / commercial systems and are losing in competitive battles to cowboys using completely unsuitable technologies.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    8. Re:At least by rtfa-troll · · Score: 5, Insightful

      This protocol is simple enough that no expertise is necessary to memorize it, understand why it works, and verify that it is followed correctly.

      This can't be stated strongly enough. If there is any part of this that can't be understood by a retired clerk without higher education and with no real interest in mathematics and/or computing then you are getting rid of some of the most important volunteers who can ensure that the voting goes correctly.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    9. Re:At least by sjames · · Score: 2

      As opposed to the usual meticulous attention to electronic security we see in government?

    10. Re:At least by M1FCJ · · Score: 2

      I wonder if I smell a rat. By discrediting the voting system so close to an election they can either discourage people from voting or open it to challenges later on, especially if it goes the other way from what they want or, finally, parachute an expensive, closed-source system by simply stating "this one stinks, here's a proper commercial system" (Diebold anyone?)...

    11. Re:At least by fafaforza · · Score: 2

      I don't know. Giving people 3 weeks to try to pull this off? Seems to me like they were trying to stack the odds in their favor.

      Maybe they wanted to give an appearance of openness, assuming no one could get it done in that short of a time, and it backfired on them a bit. They can still fall back on the openness angle.

    12. Re:At least by Pumpkin+Tuna · · Score: 4, Insightful

      I disagree. The key is that equal numbers of representatives from both parties are part of the process and essentially watch each other for cheating. I've run a polling place for several years now as chief judge, and I've seen no way that I could have cheated, even though I transported the paper ballots to the board of elections by myself in my own car. There were too many failsafes. It actually made me feel very good about our democracy. You can't say the same for some code, no matter how secure it is. Security can always be broken.

    13. Re:At least by colinnwn · · Score: 2

      You see no way, it doesn't mean someone else couldn't find a way, or through some unforeseen number of circumstances be able to collude with others.

      For a year I was one of 4 people that hired the election judges and alternates for a very large county in Texas (technically we suggested the judges to the party leaders which 99% of the time would accept our recommendation). We discovered an early voting election judge was voting for their preferred candidate once per day. One day he got unlucky and a clerk saw him inserting a ballot into a box for the second day and called us asking if this was legal. Obviously it wasn't and we had him removed. But the county commissioners decided not to refer the case to the county prosecutor for prosecution due to political reasons.

      Not to say there aren't many, many risks in e-voting, but physical voting is far from immune from error and malice.

    14. Re:At least by Anonymous Coward · · Score: 2, Informative

      That's not the protocol. The protocol requires that the ballot boxes are always under the scrutiny of multiple observers with opposing interests, from the moment they're sealed to the time they're opened again for ballot counting. The protocol furthermore requires that the observers confirm both eligibility to vote and that only one ballot per voter is put into the ballot box. This is usually achieved by keeping a list of people who have voted (or in countries without good means of identification, keeping a voter count and marking the right hand of the voter with indelible ink). Then they're handed a ballot, they fill out the ballot and put it in the ballot box. At the end of the day, you can see if mistakes were made by checking if there are discrepancies between the voter count and the ballot count.

    15. Re:At least by laird · · Score: 2

      Physical voting is not immune from error and malice, but it DOES limit the ability to do damage, because one person can only affect a very small number of votes, and it's possible to audit to detect them, and recount to correct them.

      In the example that you give of a judge sneaking in putting in an extra vote every day, I'll point out that the impact was only a few votes, and he got caught. It's unfortunate that he wasn't prosecuted, but hopefully the humiliation will serve as a deterrent. I'll also point out that there was clearly a process problem, because in a well designed process the ballot boxes should be sealed at night, and only unsealed in the presence of multiple observers from multiple parties, with multiple, competing observers throughout the voting process, and re-sealed in front of the observers. The process should, of course, not rely on trusting any individual, but in the competing observers distrusting each other enough to keep each other honest.

  2. Why... by Daniel_is_Legnd · · Score: 5, Funny

    Why not Zoidberg?

    1. Re:Why... by Reverand+Dave · · Score: 2

      Because Bender will teach those filthy bastards who's lovable!

      --
      I got here through a series of tubes
    2. Re:Why... by squidflakes · · Score: 2

      You still have Zoooooiiidberg. You ALL still have Zoidberg!

    3. Re:Why... by ackthpt · · Score: 3, Funny

      Why not Zoidberg?

      I'm surprised it wasn't Putin.

      --

      A feeling of having made the same mistake before: Deja Foobar
    4. Re:Why... by Alter_3d · · Score: 5, Funny

      Why not Zoidberg?

      I'm surprised it was not Hypnotoad

    5. Re:Why... by snowgirl · · Score: 4, Funny

      Why not Zoidberg?

      I'm surprised it was not Hypnotoad

      All Glory to the Hypnotoad!

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
  3. Bite my shiny metal ass! by bunratty · · Score: 4, Funny

    If elected I promise to KILL ALL HUMANS! Hey, you said there'd be hookers at this convention.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
    1. Re:Bite my shiny metal ass! by Patch86 · · Score: 4, Funny

      Have you ever tried simply turning off the TV, sitting down with your children, and hitting them?

    2. Re:Bite my shiny metal ass! by Anonymous Coward · · Score: 3, Funny

      Fine, I'll go rig my own elections! With blackjack, and hookers! In fact, forget about the election.

  4. "managed to guess the login details" by chemicaldave · · Score: 5, Informative

    If you read the article, they didn't even have to guess really. The default root password for the HTTP admin interface was left intact. They then downloaded the etc/passwd file and cracked it in only 3.5 hours because, surprise surprise, the secondary administrator password was piss poor "cisco123"

    Seriously. Who hired these clowns?

    1. Re:"managed to guess the login details" by Desler · · Score: 4, Funny

      This was a system created by Rubyists. They don't understand security because that's a "low-level detail" they can't be arsed to learn.

    2. Re:"managed to guess the login details" by Anonymous Coward · · Score: 5, Insightful

      Indeed.

      Ruby does a lot of things, but encouraging security isn’t one of them. Building a properly secured application means thinking about security right from the beginning and working it in at the core levels. Upper level code shouldn't even be _able_ to do something insecure without some kind of token from the minimalist security layers at the base. A language designed to "handle that shit for you" leads to a lot of "oh, didn't think about that" type issues.

      See also: diaspora

    3. Re:"managed to guess the login details" by jeffmeden · · Score: 4, Informative

      If you read the article, they didn't even have to guess really. The default root password for the HTTP admin interface was left intact. They then downloaded the etc/passwd file and cracked it in only 3.5 hours because, surprise surprise, the secondary administrator password was piss poor "cisco123"

      Seriously. Who hired these clowns?

      It gets even better. The guys attacking it decided to put in a *modicum* of security since there basically was none AT ALL... I can only hope that they actually wanted a really really really soft honeypot for this whole test, and that it wasn't just the E-voting system that they were testing. If it was, god help us all.

      We realized that one of the default logins to the terminal server (user: admin, password: admin) would likely be guessed by the attacker in a short period of time, and therefore decided to protect the device from further compromise that might interfere with the voting system test. We used iptables to block the offending IP addresses and changed the admin password to something much more difficult to guess. We later blocked similar attacks from IP addresses in New Jersey, India, and China.

    4. Re:"managed to guess the login details" by powerlord · · Score: 5, Funny

      New Jersey, India, and China.

      Ah yes, the new "Axis of Evil"!

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    5. Re:"managed to guess the login details" by telekon · · Score: 4, Insightful

      This was a system created by Rubyists. They don't understand security because that's a "low-level detail" they can't be arsed to learn.

      Rubyists pay attention to low-level details. This is why we write C extensions rather than executing shell commands from web applications, which is asinine.

      "Rails developers" are rarely Rubyists, properly speaking. This is one of the issues plaguing the Rails community. It could be worse, though. Rails developers can become Rubyists. In the PHP community, given that the preferred development methodology seems to be having two cats copulate on a keyboard, I don't hold much hope.

      --

      To understand recursion, you must first understand recursion.

    6. Re:"managed to guess the login details" by Alex+Zepeda · · Score: 2

      Except this wasn't a failing in Ruby (or Rails). As TFA pointed out, the vulnerability had already been discovered and fixed. The problem was that the voting software was using a custom version of the library in question... based on an older, insecure version no less. While TFA mentions checking the file extension should help remedy the problem, doing something as simple as URL encoding the filenames would work as well (and prevent escape characters from popping up in the filename).

      --
      The revolution will be mocked
    7. Re:"managed to guess the login details" by medv4380 · · Score: 3, Insightful

      Why even use passwords. This is the kind of system that should require a two factor authentication. You shouldn't be able to gain access to an election system unless you actually have the key to the ballot box.

    8. Re:"managed to guess the login details" by rev0lt · · Score: 2

      The point of writing C extensions is to link the libraries and gain access to the function calls that the shell commands themselves invoke.

      So, it's not an extension (it does not provide functionality by itself), but a wrapper. Even a monkey can make a wrapper.

      Are you even a programmer?

      I could ask you the same, but I guess it would be offensive.

  5. Bender would be great for head of the school board by jizziknight · · Score: 3, Funny

    "Have you ever tried simply turning off the TV, sitting down with your children, and hitting them?"

    --
    Everything I say is a lie. Except that... and that... and that, and that, and that, and that... and that.
  6. Ruby on Fails? LOL by Anonymous Coward · · Score: 4, Funny

    Ruby on Rails

    And there's your problem. Only an idiot would try to run something that needs high security on Ruby on Fails. Rubyists couldn't write secure code if their life depended on it. Next time hire real programmers not hipsters who spend all day sipping lattes and admiring each other's new pair of skinny jeans.

    1. Re:Ruby on Fails? LOL by Anonymous Coward · · Score: 4, Funny

      Ruby on Rails

      And there's your problem. Only an idiot would try to run something that needs high security on Ruby on Fails. Rubyists couldn't write secure code if their life depended on it. Next time hire real programmers not hipsters who spend all day sipping lattes and admiring each other's new pair of skinny jeans.

      Somewhere, in some coffee shop, some guy with a bowl cut and a faint mustache is commenting to his friend that he just got hired back to do another contract for the DC BOE and this time they want him to spend 4 hours on it instead of 2.

    2. Re:Ruby on Fails? LOL by kbob88 · · Score: 5, Insightful

      Nice troll. Actually, it's kind of a lame troll. I suppose, as is normal on /., you didn't read the report from Prof Halderman.

      The initial problem was a string interpolation vulnerability in a modified Ruby library that executes a shell command to encrypt PDF ballots. That's a pretty basic mistake that has nothing really to do with Ruby or Rails. If you interpolate into a string (or concatenate data into a string) without sanitizing the data, and then execute it, you're asking for trouble, no matter whether it's Rails or Java or C. This is also pretty basic security stuff, and there are tons of guidelines and tutorials in the Rails community for avoiding this kind of mistake. There are also plenty of code vulnerability scanners that would pick this up. It's amazing that the DC team didn't use one of these to check their code.

      But they had plenty of other problems such as easy-to-guess passwords and a lousy IDS configuration.

      So the real problem was with the people who developed and implemented the system, not with the tools. I've seen plenty of similar mistakes in systems developed using all sorts of technologies. The developers clearly didn't have a very solid background in security. That's OK actually, as long as you have someone on the project who does and who can check their designs and implementation. Sounds like they didn't have anyone well versed in security, which seems a bit odd for an e-voting project. I'm certainly no expert on security, but I am a RoR coder, and even I know not to make these mistakes.

      But I suppose it's fun to bash the Rails programmers because they are in really high demand and able to command very high billing rates :-) I'll take the bashing along with the money and the ease of programming!

    3. Re:Ruby on Fails? LOL by Anonymous Coward · · Score: 3, Funny

      But I suppose it's fun to bash the Rails programmers because they are in really high demand and able to command very high billing rates :-)

      Yeah and we all believe you. No, really, we do. I'm sure the other unemployed Rubyists at Starbucks with you are congratulating you on this great post.

    4. Re:Ruby on Fails? LOL by dgatwood · · Score: 3, Informative

      The initial problem was a string interpolation vulnerability in a modified Ruby library that executes a shell command to encrypt PDF ballots. That's a pretty basic mistake that has nothing really to do with Ruby or Rails. If you interpolate into a string (or concatenate data into a string) without sanitizing the data, and then execute it, you're asking for trouble, no matter whether it's Rails or Java or C.

      Not really. In C, you'd have gotten called an idiot within a few seconds if you used system() or popen(). Properly written C code using fork() and exec() does not require you to sanitize the string in any way.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:Ruby on Fails? LOL by kbob88 · · Score: 2

      I think "properly written" is the key phrase there, which applies to any technology implementation.

      Ideally, they would have used the gpg libraries or gpgme and called it directly from the Ruby code. But that's harder, so they chose the easy way and got burned.

    6. Re:Ruby on Fails? LOL by icebraining · · Score: 4, Informative

      A simple search reveals that Ruby has fork() and exec() too. The problem is the "properly written" part.
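
The interpolation bug and the argument-list fix debated in the comments above, as an added example (not code from the DC system, the report, or any commenter). A child Ruby process stands in for the external encryption tool, and the filenames, function names and allowlist pattern are constructed for illustration.

```ruby
require "open3"
require "rbconfig"
require "shellwords"

# Stand-in for the external tool (assumption: any program the web app shells
# out to behaves the same way). It prints the argument vector it received, so
# we can see exactly what reached the program.
TOOL = [RbConfig.ruby, "-e", "print ARGV.inspect"].freeze

# Vulnerable pattern: the uploaded filename is interpolated into one command
# string. A single string containing metacharacters is handed to /bin/sh, so
# characters in the filename are parsed as shell syntax.
def run_interpolated(filename)
  cmd = "#{TOOL.shelljoin} #{filename}"
  out, _status = Open3.capture2(cmd)
  out
end

# Hardened pattern: program and arguments are passed as separate strings.
# Ruby execs the program directly, no shell is involved, and the filename
# arrives as exactly one argument whatever it contains.
def run_argv(filename)
  out, _status = Open3.capture2(*TOOL, filename)
  out
end

# Fallback when a shell string cannot be avoided: escape the untrusted value
# so the shell sees it as a single word.
def run_escaped(filename)
  cmd = "#{TOOL.shelljoin} #{Shellwords.escape(filename)}"
  out, _status = Open3.capture2(cmd)
  out
end

# Defence in depth: accept only names matching a strict allowlist
# (hypothetical policy: short ASCII name with a .pdf extension).
SAFE_NAME = /\A[A-Za-z0-9_-]{1,64}\.pdf\z/

def safe_upload_name?(filename)
  SAFE_NAME.match?(filename)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; the second carries a harmless extra command.
  ["ballot.pdf", "ballot.pdf; echo INJECTED"].each do |name|
    puts "filename:      #{name.inspect}"
    puts "  allowlisted:  #{safe_upload_name?(name)}"
    puts "  interpolated: #{run_interpolated(name).inspect}"
    puts "  argv form:    #{run_argv(name).inspect}"
    puts "  escaped:      #{run_escaped(name).inspect}"
  end
end
```

With the interpolated form the tool sees only `ballot.pdf` and the shell runs the trailing command itself; with the other two forms the whole string reaches the tool as one argument.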

    7. Re:Ruby on Fails? LOL by Zedrick · · Score: 2

      Ruby (and RoR) is not hip anymore. This is 2012, not 2008. The hipsters have moved on to whatever, and those who remain are generally not worse than other coders.

    8. Re:Ruby on Fails? LOL by Anonymous Coward · · Score: 4, Funny

      Yeah, and I believe you. That's why I can't find any experienced RoR developers to hire. Our recruiters can't find anyone either. They're all busy.

      We have the same issue! It took us six months before we were able to find a Senior RoR developer with 10 years experience.

  7. Election System by necro81 · · Score: 4, Funny

    Ya, well, I'm gonna go build my own election system. With blackjack! And hookers!

    In fact, forget the election system.

  8. why evoting machines by Anonymous Coward · · Score: 5, Insightful

    Every single technology profession I have EVER communicated with, does not think electronic voting machines are a good idea. If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

    1. Re:why evoting machines by GmExtremacy · · Score: 5, Insightful

      If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

      Because what is popular is not always correct.

    2. Re:why evoting machines by jeffmeden · · Score: 5, Funny

      Every single technology profession I have EVER communicated with, does not think electronic voting machines are a good idea. If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

      That's just it, we took a vote on that and as it turns out about 190% of respondents said that they were in favor of electronic voting...

    3. Re:why evoting machines by Attila+Dimedici · · Score: 2

      Because it will be easier to hide voter fraud with electronic voting machines.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    4. Re:why evoting machines by Tackhead · · Score: 5, Insightful

      Every single technology profession I have EVER communicated with, does not think electronic voting machines are a good idea. If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

      Because neither politicians nor voters understand the concept of experimental error.

      And because in 2000, a Presidential election's electoral vote count was close enough that the entire contest depended upon the popular vote count of a single state, which was itself close enough to fall within the experimental error of the measuring apparatus. (Hanging chads, ballots with improperly marked "X"s, scantron errors, etc.)

      After that, of course, the usual political process took care of itself, to wit:

      Ignorant public: "Something must be done to eliminate all experimental error!"
      Ignorant politicians: "Computers are something!"
      Frustrated techies: "Just because the computer always reports an unambiguous tally, doesn't mean that the tally reflects the will of the voters..."

      They were, of course, drowned out by a chorus of...

      Contractors and Lobbyists: "Hey, you politicians look like you want a whole lot of voting machines, and we happen to know some people who can build them... for a price."

      Most people (with the exception of politicians and rabid hyperpartisans, and in 2000, they were the minority of the electorate), whether they voted Jackass or Elephant, were willing to accept that it was possible that their candidate lost.

      But nobody - and I mean nobody - wanted to accept the possibility that there was insufficient data to discern the actual will of Florida's voters because the margin of victory was within the expected error of a voting process.

      The recorded vote count in Florida was 2,912,790 to 2,912,253. Even ignoring the experimental error associated with the voting process, a traffic accident on a highway leading to/from a Democratic- or Republican-leaning neighborhood (or a bad rainstorm, or any number of a thousand random occurrences) could have changed the outcome by making enough people stay home, delay voters' arrival at the polling stations after closing time, etc., to have changed the outcome. No matter what technology you use, 269 votes out of almost six million isn't signal, it's noise.

    5. Re:why evoting machines by AK+Marc · · Score: 2

      The error rate was much greater than the number needed to swing the vote in 2000 and 2004, rendering the elections statistically invalid. That's not "quite well" in my book, and I question anyone who thinks that acceptable.

  9. Need more than just a hack by Todd+Knarr · · Score: 4, Insightful

    What I want to see is a real compromise of one of these systems that can be held up as a true scare story:

    1. The compromise is undetected. At the time the results are reported, the election officials are unaware that the system has been compromised and none of the systems in place for detecting a compromise has indicated any trouble. According to all evidence in the audit trail the results are undeniably correct and true.

    2. There was no indication of tampering at the time of voting. As votes were being cast there was no indication of tampering with the ballots or any other visible indication that the results weren't being correctly recorded and reported.

    3. The results reported are undeniably wrong. Eg., the test voting was done in a controlled manner where everyone knew what the correct results should be and that everyone saw that everyone else had voted the way they were supposed to, so if the system functioned correctly it's known exactly how many votes should be cast for which candidate.

    4. The reported results are undeniably wrong. Eg., according to the reported results 100% of the votes cast were for a candidate who should've received zero votes.

  10. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  11. Re:Futurama rocks! by geekoid · · Score: 2

    wha...?

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  12. Until election commissions understand this... by halexists · · Score: 4, Insightful

    It's not news that electronic systems can be insecure. Those selecting such systems are certainly lobbied to believe that, whatever system they choose, "this time it will be different... this one IS secure."

    The truth is all voting systems -- manually or electronically administered -- are insecure. The feature that traditionally manual voting systems have is that the scale of voting fraud exacted is correlated with the scale of corrupt election officials overseeing the process. To increase fraud you either need a) more conspirators or b) higher-level conspirators in the body that oversees the process. That is a feature that is worth keeping in any new version of voting system.

    This article is just another example of a voting system that has given up the feature. Not all electronic voting systems forsake this feature, but those that keep it are at most electronic-assisted voting systems that retain distributed verification at multiple stages of the counting process. That's because voting is most secure when it's a distributed activity, not a centralized one. With thousands of tiny precincts collecting pockets of votes, any one could tamper with results -- but many would have to tamper to have a big impact. Election commissioners, keep this feature!

  13. Three time-honored non-tech security measures by QuincyDurant · · Score: 2

    "Every single technology profession I have EVER communicated with, does not think electronic voting machines are a good idea." Three cheers, too, for superstitious luddites (see below). Here are my top three solutions to computer fraud and f**kups:

    1. Wanted posters and long prison sentences. Rob a mail truck, do time. Why should this not work for email and other electronic fraud? Robbing an election is a more serious threat to democracy than robbing the mails, which is bad enough.

    2. Human signatures and carbon paper (or one-write NCR paper). When a live person signs a check, an invoice, a purchase order or a ballot, he or she thinks twice about the consequences. Anything can be faked, but carbon paper scores high on lie-detector tests.

    3. Letterpress-imprinted sequential numbering. Paper forms, including ballots, with unique numbers and carbon copies, are a solid control for electronic databases. Ancient Letterpress lead-type numbering devices--stamp, crunch, print, and advance the counter-- are older and less screwable-with than computerized typesetting or laser-printing.

    I use all of these systems in my own business because where my money is concerned, I do not entirely trust any computer system. I've seen an entire business of 100+ employees saved by one persnickety accounting clerk who kept paper copies of all the invoices and payments. She had been ordered not to--don't be so old-fashioned, dear--but ignored the controller's blind faith in his new, shiny, $200K fail-safe automated system. No hacker except Murphy and his law was involved. She was neither thanked nor rewarded for rescuing her employer from catastrophic folly.

    Murphy's corollary: no good deed goes unpunished.

  14. Re:Bender would be great for head of the school bo by an+unsound+mind · · Score: 5, Funny

    Because "Insightful" is Secret Slashdot Code for "Funny, but enough so it deserves karma". And "Funny" is Secret Slashdot Code for "So painfully unfunny it induces groaning."

    Or possibly Groening. Not precisely clear on that.

  15. Very similar to the protocol for DRE by davide+marney · · Score: 4, Informative

    It is the only protocol with these important properties.

    That is incorrect. I am a poll worker in Virginia, and we follow a very similar protocol for our DRE voting machines. We run the machines through a double-blind test prior to the vote, under the observation of multiple parties, and then we seal them. During the vote, the machines are kept in the open and observed by multiple parties. Each hour, the total votes cast are compared to the total voters allowed into the polling place, and the results called in by phone, and independently recorded, by the Registrar. At the end of the voting day, the vote totals are printed on paper, called into the Registrar by phone, and then aggregated by the State Board of Election. We then transfer the totals in ink onto a separate report, make a backup copy of the database, seal our report and the machines, and deliver them to the Registrar. The sealed reports and backup data go to the local courthouse, where they are locked away until the vote is certified.

    In order to defeat our system, you would have to do it in the open, under the (very) watchful gaze of multiple parties both partisan and neutral, and you would have to do it in a way that did not change the total number of votes cast. I'm not saying it's impossible, but it would be really, really hard.

    I have been volunteering for many years, know a thing or two about machine security, and am very confident that we run a clean, fair, and open election with results that are far better than a paper ballot count. If I had a choice between a paper and a machine/electronic balloting process, I would never choose to use paper. Paper is an awful medium for counting. You may have noticed that in places where counting is important -- like banks -- paper is no longer used. There's a reason for that!

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
    1. Re:Very similar to the protocol for DRE by laird · · Score: 4, Insightful

      "I am a poll worker in Virginia, and we follow a very similar protocol for our DRE voting machines."

      While it sounds like you're trying to do a good job, there are many fundamental problems with DRE machines.

      - The software is proprietary, and not open to inspection, only to "black box" testing, which can only detect some kinds of errors, and cannot be counted on to detect all errors or intentional fraud.
      - There is no way to prove that the vote recorded by the DRE is the same as the vote cast. The lack of voter verification of the actual recorded vote is the fundamental problem with DREs, rendering them unsuitable for use in elections. Note that printing a record of the vote within the machine does not help, because the receipt inside the machine is not verified by the voter, so there's no way to validate that it reflects actual votes cast, so it cannot be used as the basis of an audit or recount.
      - There is no way to prove that the vote recorded by the DRE corresponds to the votes reported.
      - There is no way to audit reported vote counts against actual votes cast, so no way to discover fraud or error in the voting system.
      - There is no way to recount actual votes cast by voters. You can recount whatever the software happened to record, but that can easily be different from the vote cast.

      Or, as NIST put it: "Simply put, the DRE architecture’s inability to provide for independent audits of its electronic records makes it a poor choice for an environment in which detecting errors and fraud is important."

      There are advantages to electronic voting systems, such as providing immediate voter feedback to prevent overvoting and warning of undervoting, and assisting seeing-impaired voters.

      The right way to go, I believe, is to use electronic voting systems to assist voters in producing a paper ballot (AKA the Voter Verified Paper Ballot), which the voter can then inspect and cast. That gives the advantages of a DRE, but with the added benefit that the election results can be (relatively) trusted. That is, for example, the type of system used in Nevada after the Gaming Commission rejected all of the DRE systems. This is particularly relevant, because they're the only state with significant experience in securing DRE-like devices, because they certify gambling machines, which are under similar attacks to DREs.

      Check out http://www.openvotingconsortium.org/ for an open source system that does the right thing.

    2. Re:Very similar to the protocol for DRE by rtfa-troll · · Score: 2
      Your system is trivially defeated by someone who has control of the code on the system. The program given to the computer is approximately the following (with tuning for the actual procedures):
      • if the machine has not been used recently this is a double blind test; do not alter ballots; record date of test
      • if the machine has been used recently this may be an election; record date of test; prepare to alter ballots
      • if there are less than 100 ballots cast then do not alter the ballots.
      • if the machine has been running less than three hours do not alter ballots.
      • add 5% of total ballots to the count for supported candidate
      • subtract (0.05 * total ballots * ballots given to candidate / total ballots for opposed candidates) to the count for each other candidate

      (specific parameters might need tuning for a given election procedure; but a generic system should be pretty easy). Alternatively; if we can get a legitimate voter working for us in each area we want to adjust votes.

      • if someone comes in; activates the touch screen but then presses top left; middle right; top left; bottom left; middle left; top right
      • then alter outcome as above
      • otherwise do nothing

      Neither system will trigger in a double blind test; the code for this is pretty easy to hide from an audit. The very fact that you think that your testing would reveal insecurities shows exactly why electronic voting should not be allowed.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
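The disagreement in this sub-thread, as an added example that is not part of any commenter's post: a count-only reconciliation (ballots recorded versus voters admitted) cannot see votes moved between candidates, while a hand count of voter-verified paper ballots can. The function names, candidate names and all tallies below are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: cumulative (voters_admitted, ballots_recorded) per hour.
HOURLY_LOG = [(40, 40), (95, 95), (160, 160), (200, 200)]

# Constructed machine-reported totals for the same precinct (sums to 200).
REPORTED = {"Candidate A": 110, "Candidate B": 70, "Candidate C": 20}

# Constructed hand count source: one entry per voter-verified paper ballot.
PAPER_BALLOTS = (["Candidate A"] * 100 + ["Candidate B"] * 78
                 + ["Candidate C"] * 22)


def reconcile_turnout(hourly_log, reported):
    """Count-only check: ballots recorded must equal voters admitted each
    hour, and the reported per-candidate totals must sum to the final count.
    Returns a list of human-readable problems (empty list means it passed)."""
    problems = []
    for hour, (admitted, recorded) in enumerate(hourly_log, start=1):
        if admitted != recorded:
            problems.append(
                f"hour {hour}: {recorded} ballots recorded for {admitted} voters")
    final_recorded = hourly_log[-1][1] if hourly_log else 0
    reported_sum = sum(reported.values())
    if reported_sum != final_recorded:
        problems.append(
            f"reported totals sum to {reported_sum}, machine recorded {final_recorded}")
    return problems


def audit_against_paper(reported, paper_ballots):
    """Independent check: compare reported totals with a hand count of the
    paper ballots. Returns {candidate: reported - hand_count} for every
    candidate whose numbers differ, including names present on only one side."""
    hand_count = Counter(paper_ballots)
    differences = {}
    for candidate in sorted(set(reported) | set(hand_count)):
        delta = reported.get(candidate, 0) - hand_count.get(candidate, 0)
        if delta != 0:
            differences[candidate] = delta
    return differences


if __name__ == "__main__":
    print("turnout reconciliation problems:", reconcile_turnout(HOURLY_LOG, REPORTED))
    print("paper audit differences:", audit_against_paper(REPORTED, PAPER_BALLOTS))
```

With this data the turnout reconciliation reports nothing, because the totals still add up, and only the paper comparison shows a per-candidate discrepancy.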