The Voting Machine Anyone Can Hack

Presto Vivace writes about a study published by the Virginia Information Technology Agency outlining just how bad the security of the AVS WINVote machine is. "Virginia election officials have decertified an electronic voting system after determining that it was possible for even unskilled people to surreptitiously hack into it and tamper with vote counts. The AVS WINVote, made by Advanced Voting Solutions, passed necessary voting systems standards and has been used in Virginia and, until recently, in Pennsylvania and Mississippi. It used the easy-to-crack passwords of 'admin,' 'abcde,' and 'shoup' to lock down its Windows administrator account, Wi-Fi network, and voting results database respectively, according to a scathing security review published Tuesday by the Virginia Information Technologies Agency. The agency conducted the audit after one Virginia precinct reported that some of the devices displayed errors that interfered with vote counting during last November's elections."

"shoup" is not easy

[turkeydance]

ever tried shoupping?

Re:"shoup" is not easy

shoup de whoop?

imma chargin mah lazer?

#include <image_macro.h>

Re:"shoup" is not easy

[JMJimmy]

shoup is very easy when it's printed on the side of the machine.

To me voting machines are something that should be handled by the open source community. 100% transparent, by the people for the people in every sense, and ultimately supported financially by governments who buy the machines.

Re:"shoup" is not easy

[mlts]

To me, there needs to be a paper trail. Like the lottery issue a few days ago, if someone tampers with the RNG and does it in a manner that their modifications can be backed out, there is no way to tell it was done.

This doesn't have to be in a way that causes hanging chads. It just has to be a way of logging people's votes to a physical medium that is both machine readable and human readable.

This way, when someone votes, they get a paper ballot printed out that they can doublecheck. Then it shouldn't be an issue to tally up the votes via the printed cards. Hell, universities do this all the time with Scantrons for tests and finals, in far greater volume per location than voting precincts do.

Add Chaum's verifiable voting, and one has an open, secure system.

Re:"shoup" is not easy

I don't know about "shoupping," but the voters are getting a good schtupping from these machines.

I've got the same combination on my luggage.

[wisnoskij]

https://www.youtube.com/watch?...

windows? diebold you can do better and does this

[Joe_Dragon]

windows? diebold you can do better and does this work on there windows based ATM's as well?

Who certified them?

[Holi]

How the hell did something like this get certified in the first place? Seriously, there needs to be an investigation into that and heads should roll.

Re:Who certified them?

[OneSizeFitsNoone]

It matched perfectly customer's requirements, of course!

Re:Who certified them?

[PopeRatzo]

How the hell did something like this get certified in the first place?

How, indeed.

This is not the first time Diebold’s been accused of bribery. In 2005, the Free Press exposed that Matt Damschroder, Republican chair of the Franklin County of Elections in 2004, reported that a key Diebold operative told Damschroder he made a $50,000 contribution to then-Ohio Secretary of State J. Kenneth Blackwell's “political interests” while Blackwell was evaluating Diebold's bids for state purchasing contracts. Damschroder admitted to personally accepting a $10,000 check from former Diebold contractor Pasquale “Patsy” Gallina made out to the Franklin County Republican Party. That contribution was made while Damschroder was involved in evaluating Diebold bids for county contracts. Damschroder was suspended for a month without pay for the incident. Despite the scandal, he was later appointed as Ohio Secretary of State Jon Husted's Director of Elections.

Diebold was at the center of Ohio’s 2004 election debacle, much of this captured in an article by Free Press Senior Editor Harvey Wasserman and this author, entitled, “Diebold’s Political Machine.” Walden "Wally" O'Dell, chairman of the board and chief executive of Diebold, was a long-time funder of Republican candidates. In September 2003, he held a packed $1,000-per-head GOP fundraiser at his 10,800-square-foot mansion Cotswold Manor in Upper Arlington, Ohio. He was feted as a guest at then-President George W. Bush's Texas ranch, joining a cadre of “Pioneers and Rangers” who pledged to raise more than $100,000 for the Bush reelection campaign.

Most memorably, in 2003 O'Dell penned a letter pledging his commitment “to helping Ohio deliver its electoral votes to the President.” O'Dell defended his actions, telling the Cleveland Plain Dealer “I'm not doing anything wrong or complicated.” But he also promised to lower his political profile and “try to be more sensitive.” But the Diebold boss' partisan cards were squarely on the table.

Prior to the 2004 election, Blackwell tried to award a $100 million unbid contract to Diebold for electronic voting machines. A storm of public outrage and a series of lawsuits forced him to cancel the deal. But a substantial percentage of Ohio's 2004 votes were counted by Diebold software and Diebold Opti-scan machines which frequently malfunctioned in the Democratic stronghold of Toledo. It was revealed in 2006 that Blackwell owned Diebold stock.

Diebold's GEMS election software was used in about half of Ohio counties in the 2004 election. Because of Blackwell's effort, 41 counties also used Diebold machines in Ohio's highly dubious 2005 election.

Also in the Ohio 2004 election, a whistleblower leaked documents revealing that Diebold had allegedly used illegal, uncertified hardware and software during California election.

Re:Who certified them?

[Holi]

Why are you talking about Diebold? The article is not about Diebold voting machines it's about the AVS Winvote. I know all about Diebold's history in with regards to voting machines but that has shit all to do with this article.

Re:Who certified them?

Write up explaining how the election fraud was accomplished in the Ohio 2004 Presidential Election "Vote Fraud 2004: How Ohio was 'Delivered' to Bush".

Re:Who certified them?

Howard T. Van Pelt, co-founder of Global Election Systems (now Diebold) became president and CEO of Advanced Voting Solutions in June 2001.

Re:Who certified them?

[seven+of+five]

Despite the scandal, he was later appointed as Ohio Secretary of State Jon Husted's Director of Elections.
So the bloody butcher knife in your hand looks bad, but as long as you play a good game of golf with your buddies, you're in.

Re:Who certified them?

[Holi]

I did not know that, thank you

Re:Who certified them?

[ememisya]

Money? I mean look at how much attention to detail goes to hacking Casino machines, couldn't we have half the code review which goes into that into voting machines as well? Suuuure, but who will fund it?

Re:Who certified them?

[PopeRatzo]

Why are you talking about Diebold?

I'm not "talking about Diebold". I'm talking about how voting machines get certified. I'm talking about where the money comes from. I'm talking about why there is such an effort to change election technology when there is no evidence the old technology is broken.

but that has shit all to do with this article.

The history of how it was decided that elections in the United States had to be automated has everything to do with this article.

Re:Who certified them?

For what it is worth,
https://www.verifiedvoting.org/resources/voting-equipment/avs/winvote/
"In 2007, after failing to gain EAC certification to the 2002 Voting System Standards, AVS discontinued production of voting systems."

So, as terrible as their implementation was, some of the blame has to rest with the counties who continue to use a product that never received this EAC certification and has been out of production for nearly a decade.

Actually that is the easiest one...

[Ecuador]

The name of the company that made these, was Shoup. I guess they would have changed that password to "AVS", but their (ridiculously easy) passwords are actually hardcoded, so it was too much work I guess...

WinXP, of course?

[OneSizeFitsNoone]

I take it was running on WinXP of course, didn't it?

Re: WinXP, of course?

[manu144x]

What does it matter? XP is just fine for a stupid voting app. Besides, it could be running an alien operating system, if they leave the user to admin/1234 it's still not gonna be secure.

Re: WinXP, of course?

[OneSizeFitsNoone]

Using an unsupported, outdated OS would be the perfect match to silly passwords.

Should change their name to AVFS

Advanced Voting Fraud Solutions

Re:Should change their name to AVFS

No - that would be "Advanced Votes For Sale" :)

I'd Like To See Electronic Voting Work

Electronic voting is generally not very popular around here, but I'd personally like to see it work as it could allow for lower cost voting and therefore more direct democracy. I'd like to be able to vote over the internet, and I'd like to be voting on aspects of government policy on a weekly basis.

Maybe I'm living in a fantasy world, both in regards to whether it's possible to produce a viable internet voting system, and on the issue of whether the ruling class would be willing to pass some of their power to the people and allow the public to have a say in how the country is run.

Re:I'd Like To See Electronic Voting Work

[GoddersUK]

whether it's possible to produce a viable internet voting system

The big problem is creating a system where votes are both verifiable (alone, easy: PGP sign them) and where the secret ballot is maintained (alone, easy: use TOR). Nobody's yet come up with a viable way to combine these two required features.

Re:I'd Like To See Electronic Voting Work

[JackieBrown]

Internet voting sounds good in theory. But at the same time, I really feel that at least some effort should be made on behalf of the voter to actually cast a vote.

Honestly, there are many time periods to vote (early polls as well as voting day.) If people cannot be bothered to do this, do you really think that they will investigate any issues before voting? Heck, I still don't like that you can just check one box to vote a party in for all seats on the ballot.

We are already seeing the system rigged by busing voter blocks to the polls while offering food and other incentives. Why make it easier by not even requiring a physical presence?

That said, I think I'd be more in favor of electronic voting if we had more than two viable parties as it would be harder to game.

Re:I'd Like To See Electronic Voting Work

[CastrTroy]

The biggest problem with designing an electronic voting system is how the voter and election officials are supposed to verify that it's running the correct system on election day. Let's say they did develop a perfect system that was proven to work. How do I verify that said system is even running on the computer when I walk up to it on election day? It could be any system that just shows the proper screens to verify that it is a legitimate system. The only way for me to be sure that my vote was counted correctly would be to be able to check later on some secondary system, which would remove the secret ballot feature.

Compare this to a paper ballot system, where everything is completely transparent. I can watch them seal the empty box at the start of the day, watch my ballot go into the box, and then watch all the ballots be counted at the end of the day. It's easy enough for a 10 year old to understand exactly what's happening. There is very little ability to mass game the entire system. You might be able to put a couple extra votes in a few boxes, but it would take a huge conspiracy to vastly shift the vote across multiple polling stations. With voting on computers, it could be done quite easily.

Re:I'd Like To See Electronic Voting Work

[dave420]

The logic has already been figured out, and a computerised version would be far simpler to use, and just as effective.

Re:I'd Like To See Electronic Voting Work

And it's too complicated, at least for jurisdictions allowing universal sufferage. The means of voting has to be understandable by the incredibly stupid: if they're not capable of understanding the voting process then they are in effect being denied the vote. Putting a cross next to the name, photo and symbol of the candidate you like is about the simplest possible means of voting. Numbering candidates on a single paper, as is done in some voting systems, is a bit harder but still within the mental capacity of just about everyone. The ThreeVote system you linked is significantly more complicated to explain to someone, both conceptually and in terms of instructions for what they should do when they arrive at the polling station. It also requires a trusted authority to verify that the ballot has been cast correctly in order to avoid significant problems with multiple voting, which further undermines the transparency and trustworthiness of the system. I still prefer a paper ballot.

Re:I'd Like To See Electronic Voting Work

I see at least the following problems:
1) It's too complicated. Most people won't be able to vote using this method.
2) People can be coerced to remember or otherwise store the serial numbers of all three ballots, allowing for vote coercion and selling.
2b) Several fixes have been suggested, including printing the serial numbers on the ballots after voting, disclosing only one, but see the next point.
3) Designing a machine that tests the three ballots and only casts them when consistent, and prints a receipt to boot, that isn't potentially as exploitable as a regular voting machine is probably as good as impossible.
4) Under realistic circumstances statistical methods can be employed to reconstruct most of the three ballot sets. This causes the same issues as point 2.
These problems are essentially independent of the medium, so they will remain no matter whether you use paper or a computer. Using a computer of course adds whole new classes of vulnerabilities.

Re:I'd Like To See Electronic Voting Work

[Lennie]

If any electronic voting system is going to work, it would be a system that prints what you've voted so the voter can see what he/she voted. And then you have a separate electronic counting of those pieces of paper.

That way you have faster counting of votes and still everything on paper as back up.

Now I know in the past they had some what similar systems in the US and they had problems with printers not working, so I don't know if they'll ever get it right.

There are also a whole lot of people who use terms like math/encryption or blockchain.

So far I haven't seen a system that works.

It does however make for interesting presentations:
http://media.ccc.de/browse/con...

Re:I'd Like To See Electronic Voting Work

[TheRaven64]

There have been allegations in the UK of voter intimidation after postal ballots became easy to obtain: people would require dependents to hand over their ballots, fill them all in, and post them back. Now, it may be that this didn't happen or wasn't statistically significant, but if people are not required to turn up and vote in such a way that they can't prove to someone else how they voted then there's the potential for doing this on a large scale.

Of course one solution would be to allow individuals to vote repeatedly but only count their last vote, though if you capture someone else's voting credentials then it's very easy to vote en mass with everyone's details at one second to the closing deadline...

Re:I'd Like To See Electronic Voting Work

Here's been my idea from day 1. Log everything to dot matrix printers. They're a great way to keep track of write only continuously streaming information, brain dead simple to operate, and highly reliable. Keep a running tally of vote counts on the printers. It easily reveals tampering if you see errant counting anywhere in the chain. And the total number of votes at the end of the day should equal the number of voters that have been logged in and logged out.

Re:I'd Like To See Electronic Voting Work

[goombah99]

From the wiki article you cite:
Broken Encryption

The encryption system used in the three ballot was broken by a correlation attack devised by Charlie Strauss[5] who also showed how it could be used to prove how you voted [6]. Strauss's attack relied on the fact that not all receipt strips can pair with all cast strip pairs since proposed triplets with 3 or 1 vote cast in any race on the ballot (not just one race of interest) can be rejected since the strips could not be from the same ballot. Since there are far more vote patterns on a typical United States precinct ballot than there are ballots cast in a precinct, statistically nearly all of the ballot pairs cast can only be paired uniquely with one receipt strip kept by the voter. This allows a the voters votes to be known by anyone with the receipt. Furthermore a voter conspiring to prove their vote (for money, coercion, or posterity) could mark all the strips in a unique previously agreed pattern that would assure recovery. Rivest et all, acknowledged this logic error in their concept[1], and revised the schema to require tearing off each race individually (destroying the correlation of the races) and having theoretically traceable tracking numbers on each race-level receipt. While this did restore the unbreakable aspect of the scheme, arguably the proliferation of receipts and chopped ballots rendered the mechanics of processing the votes or for a voter reviewing a receipt significantly complex, thus defeating its intended simplicity.

Re:I'd Like To See Electronic Voting Work

[sjames]

I see no reason why a voter can't receive a receipt containing a signed hash for each vote and a website that allows a hash to be verified against the votes cast. They still have no idea who the hash belongs to, but if there is a hash that doesn't match a recorded vote in the database, uh-oh.

Re:I'd Like To See Electronic Voting Work

[sjames]

The problem is that not all areas have equal difficulty. Not everyone can get (or afford) time off to vote. Those factors make it too easy to manipulate the results on a demographic basis.

Re:I'd Like To See Electronic Voting Work

[JackieBrown]

I'd agree if we didn't have early voting

Re:I'd Like To See Electronic Voting Work

[sjames]

That's not all that universal either. We have it where I am, but only at one location in the county. There is also absentee ballots, but if you're already accepting ballots by mail, why not internet?

Re:I'd Like To See Electronic Voting Work

[goombah99]

how are you proposing to salt your hash so that idenitcal votes are not identical hashes? And also does your scheme allow vote selling?

Re:I'd Like To See Electronic Voting Work

[sjames]

Salting is a simple enough matter, just a few random bits, much like the salt in a password hash.

As for the rest, I suggest facilitating the process of selling bogus votes. That is, any polling machine can be used to freely generate a bogus voting receipt which will appear to validate at the website but has a void flag set. For extra fun, someone validating a bunch of voided ballots (that they cannot see are void) will trigger an investigation.

The void flag is just a second election key mixed in with the hashed data. A real vote will have the correct election key hashed in. Election officials WILL be able to distinguish a void vote from a real one.

It wouldn't prevent all problems, but it would leave a great deal of evidence behind distributed among the voters so that it would be quite difficult to make it go away.

I can imagine other schemes which would be more air-tight but would put too many technical demands on the voters.

Re:I'd Like To See Electronic Voting Work

[goombah99]

how would I know my vote was counted if it might have been given a void key?

Salting isn't trivial. if it is simple one can pre-generate all likely ballots with all salts. then you can know the ballot from just it's hash.

Re:I'd Like To See Electronic Voting Work

[sjames]

The simplicity of a salt isn't the issue, it's the size. More salt confounds the process.

As for the question of your ballot being void, you can't know. Any more than you can know that your ballot didn't somehow end up in the river or burning in someone's fireplace before it made it's way to be counted (as I said, not perfect).

However, the election officials and press observers can know if a lot of void ballots get checked from residential addresses (remember, validating void ballots triggers an investigation). Presumably, the large number of void ballot validations after the election might cause such measures as enabling voters to check if their ballot is void or not (now that the election is over and the controversy is starting to boil).

At that point, nobody will be able to prove that their particular ballot was meant to count but was issued void, but there will be enough people complaining that it becomes evident something is wrong and likely of a criminal nature.

Well...

I guess we know now how Obama got elected. :)

Re:Well...

and how hillary will get elected...

Ticket closed: By design

[GoddersUK]

It's our new feature "DBS" or "double bluff security" to protect against brute force attacks. You see, no one would think we'd be stupid enough to secure a voting machine's admin account with the password "password" so they'd never try it. Ergo it's unhackable. (Also "WinVote" - that's an appropriate name: the machines let you "win" extra votes...)

Re:windows? diebold you can do better and does thi

English please?

Paper trail

[ArcadeMan]

In Canada we use paper ballots and we know the outcome of an election in less than 24 hours.

What the fuck are you U.S.A.sians doing?

Re:Paper trail

[PopeRatzo]

What the fuck are you U.S.A.sians doing?

Rigging elections keeps us free. Aren't you paying attention?

Re:Paper trail

But that's the point. You can't steal an election if you have a paper trail to go back to, and the "hanging chads" insured that those who wanted to steal elections in the future would insure that the theft would be hidden, and the results unrecoverable. At that point, stolen elections become a media debate between opposing talking heads.

Re:Paper trail

[Anon-Admin]

Thats easy, we first take a bunch of old people who still have VCR's with the clock blinking 12:00 and we ask them to evaluate the new fangled electronic voting system.

They then set the criteria of what is needed.

1) Does it power on?
2) Can I figure out how to enter my voter?
3) Can my grandson tell me how to change the votes so the "Right" people win?

Re:Paper trail

[Jason+Levine]

Bah. That's the backwards way of doing it. Here in the US, we award expensive contracts to large companies so they can make huge profits while delivering sub-par voting machines. The politicians win (in the form of bribes from the large companies and votes "redirected" to them) and the large companies win (aforementioned huge profits) so it's a win-win. Yes, the voters themselves lose, but that's not important when designing voting machines, right?

Re:Paper trail

[CastrTroy]

I love the Canadian paper voting method and I hope it never changes. However, there are some differences between the Canadian System and the US system. In Canada, we usually only have one thing on the ballot. Either it's a federal election and you vote for your MP. If it's a provincial election you vote for your MPP. If it's a municipal election, there maybe be three things you can vote for, like mayor, city councillor, and school board trustee. But that's about as complicated as it gets. Compare the US election ballot with a Canadian election ballot. You could see why they might want to use a computer so they can lay things out a little more clearly. Ask one question per screen and it becomes a little less daunting. However, I think that if they are going to use computers to make the voting easier, it should really just be used to enter and print out your ballot, which is then deposited into the ballot box and counted manually.

Really though, I don't think computers should be used at all. I've heard too many stories of polling locations not having enough machines and people having to wait hours in line to vote. The greatest part about the Canadian system is that It's never taken me more than 10 minutes to vote, and I've never had to travel more than 10 minutes to vote. I usually just stop by on my way home from work. I once lived in a highrise apartment that had it's own polling station. They basically have one in every school. It's so effortless. And yet we still don't have enough people voting.

Re:Paper trail

[blane.bramble]

Why not do what the UK does and use a separate piece of paper for each, and maybe vote on fewer things at any one time?

Re:Paper trail

[Noodles]

Apples and Oranges. How many races on a UK or Canadian ballot? Two? Go ahead and hand count those. Americans typically have dozens of races.

Re:Paper trail

Why not do what the UK does and use a separate piece of paper for each, and maybe vote on fewer things at any one time?

Oh, sure: carry around a whole sheaf of paper. How easy would it be to drop that stack of paper? How convenient for poll workers to "forget" to give you a sheet for one particular race in the hope you would not notice? Not only would you have to remember how you would vote on each race or question, you'd have to remember what all those races were in order to keep up with them. Now, having being sure that that you haven't overlooked any race, you'd now take that stack to the reader (or, ho hum, a simple box) to feed all the ballots in. For added fun: there may be a separate box for every race. This means you'd have to be in for a fun matching operation.

In the 2012 general election, my ballot had 31 races or questions on it: president, US senator, US representative, state senatator, state representative, local offices like sheriff and property appraiser, county commissioner, retention of state supreme-court justices and of the district court of appeal, school board, state-constitution amendments, and local questions. A few places in my county had one or two more races on them. It was a brute.

This took four sides of paper (two sheets). Vote on fewer things at a time? That would mean more trips to the polls.

Re:Paper trail

[Bob+the+Super+Hamste]

Yet here in Minnesota we can still use paper ballots where one just fills in the bubble and sends them through the scantron like machine. We are able to get results shortly after polls close unless a hand recount is needed, the machine is very accurate at counting ballots, and there are paper ballots that in case of a recount or other questions can be manually inspected by anyone with at least one functioning eye.

Re:Paper trail

[dryeo]

Unluckily our government is paying very close attention.

Re:Paper trail

Watching the tv to see who won so we can go to bed?

Re:Paper trail

[CastrTroy]

Why so many though? What are the politicians doing if the people have to vote on everything anyway? Isn't the whole point of electing a representative so that they can represent you. How can a voter possibly be expected to be informed on who is the best candidate for dozens of different positions in government?

Re:Paper trail

by anyone with at least one functioning eye.

Do you REALLY want Harry Reid counting your ballots?

Re:Paper trail

Indeed. Try the Finnish ballot: http://electoraldemocracy.com/...

Municipal elections, elections for the president, elections for the national parliament, and elections for the European parliament. The ballots all look the same. You put in the candidate's number inside that circle. (The candidates' names, alongside their numbers and parties, are listed on paper printouts on the walls of the voting booth.)

There are hundreds of candidates in a typical election, the exception being the presidential elections where there typically are only eight -- one from each major party. This Sunday we're having the parliamentary election. The most numerous party put forth about 150 candidates. (Of course, there are only 200 seats, and in the current political climate, a single party can't really get more than 60-80 of them.)

Any vote given to a candidate technically goes to the party, and the party's summed-up vote count tells how many seats they get, which are then filled by the candidates by the order of most votes received.

Re:Paper trail

[PsychoSlashDot]

What are the politicians doing if the people have to vote on everything anyway? Isn't the whole point of electing a representative so that they can represent you.

Can't be done. You won't find an electable candidate who shares my views on important topics.

Representative government is a necessity, but it's still important to give them explicit and clear mandates on especially important topics. I trust politicians to decide day-to-day topics, but when it's big things like anti-terrorism-snooping laws, or going to war with another country, or human rights issues like gay marriage, there should be a mechanism for the public to be heard. "I don't care what party you represent, I don't care what colour your campaign sign was, I don't care what general ideology you follow, X% of the population has spoken on this topic... hear, obey, and implement our will."

That would be representative democracy done right(ish).

Re:Paper trail

Some cities in Canada use scantron style forms for municipal elections. I think it's a great compromise. You keep the paper forms, thus having a fully manually auditable paper trail, and you let the machines do the heavy lifting unless there's a need to count manually (accusations of throwing the election or broken machines, very close results, etc).

You get the convenience of computers with the paper trail. Why the US doesn't do this, I don't know. Scantron forms allow for VERY complex elections, which is what those in the US complain about not being possible with paper. I remember 300+ question exams being done with those forms at college.

Re:Paper trail

>Why so many though?

We have MANY levels of government in the US which are run very different in different locations. City, town, county, state, federal. Just one example, can be more. Some states (any many cities) allow certain laws to be enacted by popular vote, some do not. Some cities fill different positions with popular vote (school board, judges) and some are appointed by elected officials. Basically, its a huge mixed bag on what you actually vote on. Sometimes certain things must be voted on, example: in my town if there is a major construction project on any school the voters must approve said construction.

>How can a voter possibly be expected to be informed on who is the best candidate for dozens of different positions in government?

They can't be. Doesn't matter, a community of informed voters is a myth anyhow.

Re:Paper trail

[ArcadeMan]

Any vote given to a candidate technically goes to the party, and the party's summed-up vote count tells how many seats they get, which are then filled by the candidates by the order of most votes received.

That's the most sane thing I've ever heard in my life. Are you sure this is politics?

Can we not get rid of this sillyness?

[houghi]

Can't we remove the sillyness of the middleman and just directly go to auctioning off people in politics.

Large companies pay more in party contribution than in taxes anyway, so they have a right to buy the laws.

Re:Can we not get rid of this sillyness?

That wouldn't be any fun. Right now, it's a game between how much to donate and how much to hack the voting machines. If you don't strike the right balance, your competition might and then they would get their way.

There is one politician that stands above this. He is Honest Gil. He is honest about his positions (whatever his donors want.) He even wears his donors logos on his jacket so everyone knows where he stands on the issues at the moment.

Re:windows? diebold you can do better and does thi

[cyborg_monkey]

you're a moron.

Advanced Voting Solutions

Considering the company gave $32M to various democratic campaign orgs during the 2012 election cycle, this should come as no surprise.

It is absolutely no coincidence that VA and PA, both reddish states, and both critical to Obama's re-election, somehow fell to the blue category using these voting machines.

I'm not even a USAian, but even I can see that your election system is a total fraud.

Re:Advanced Voting Solutions

[Zontar_Thing_From_Ve]

Considering the company gave $32M to various democratic campaign orgs during the 2012 election cycle, this should come as no surprise.

It is absolutely no coincidence that VA and PA, both reddish states, and both critical to Obama's re-election, somehow fell to the blue category using these voting machines.

Democratic supporters in 2004 claimed that Ohio was "stolen" to help Bush win re-election. It seems funny to me that the losing side always claims the winning side cheated. If the Republicans cheated in 2004, then why did they lose Ohio in the two following elections? I know it's always fun to tout conspiracy theories, but the simple truth is that in presidential elections, a significant number of Democratic supporters vote that can't be bothered to go to the polls otherwise. Florida went to Obama in 2008 and 2012 but it will likely be a cold day in Hell before a Democrat can win a state election there in a non-presidential election year. Same with VA and PA.

Re:Advanced Voting Solutions

[Holi]

I have searched high and low, so do you have any source for your assertion. I can't find any listing of political donations from AVS.

Re:Advanced Voting Solutions

[StikyPad]

Virginia is overwhelmingly Democratic at the state executive level, so it's not that surprising that they voted Democratic at the Federal level. Most of VA's population growth over the past decade has been in the urban and suburban NOVA and Tidewater areas as well, which are Democrat voting strongholds.
https://en.wikipedia.org/wiki/...

PA has been voting Democratic for decades, so it seems neither of us know WTF you're talking about.
http://www.270towin.com/states...

Re:Advanced Voting Solutions

[bondsbw]

simple truth

No, the simple truth is that these are really the same folks no matter the letter beside their name. Some of them even switch the letter by their name when it becomes convenient, and the sad truth is, many people don't even realize it.

Re:Advanced Voting Solutions

As other people pointed out, PA has been going blue for decades, and Ohio flips around (went blue in the last two elections).

Also, the correct term is "American", not "USAian".

dem haxxorz

gotz v0ting rites too, knowwhatimsayin

Re:dem haxxorz

Yo, dog! Niggaz be teh 1337 hAxxoRz!

Re:windows? diebold you can do better and does thi

[OneSizeFitsNoone]

"and does this work on their windows based ATM's as well?"

Rank Amateurs

[gsslay]

This is about as bad as software development can get, never mind software that's supposed to have basic security. It all points really to a package written by rank amateurs who had no idea what they were doing designing software, far less having the beginnings of a clue about hardening their software to attack.

I mean, hard coded passwords? Really? Hard coded passwords that are this obvious? It's staggering incompetence. Was this written by a self-taught hobbyist over the course of a weekend?

Re:Rank Amateurs

No, these were professionals. Amateurs would never be this inept.

Re:Rank Amateurs

[Bigbutt]

Hey! I'm a self-taught hobbyist and I could do a better job of it :)

[John]

Re:Rank Amateurs

[benjymouse]

As I read it, it was not an issue with the developed software (although there may be issues there as well), but rather an issue with the *setup* of the machines. It was not the developers who failed (passwords not hardcoded) but rather the admins deploying the machines were braindead and the auditors obviously clueless. For something like this they shold have used an randomly generated password or simply shut themselves out of the system (which is possible on Windows).

Re:Rank Amateurs

You could argue that 'the developed software' isn't as bad as suggested, but if you can't change a password used by the software to (slightly better) protect the database files, that's a strike against the software these nutters created for the system. The software uses the (WEP 'protected') WiFi network to allow 1 machine to be the master node in an election, but downright refuses to operate when a network adapter isn't present and functional. The concept of standalone operation was apparently never considered by this software.

We could argue if it was the software, the hardware or the OS, but the main thing to note is the precincts didn't purchase the software for the device as a separate item, they bought the complete thing to act as an appliance - you get the hardware and the software as a complete package. Not a word on service contracts so how were these systems expected to get patched in the 10+ years since their purchase...
AVS should, in my not so humble opinion, be sued for criminal negligence. These devices were insecure the day they were delivered and it would seem no engineering effort has ever taken place to even attempt to make them more secure. I mean, a voter could access the BIOS (!!!), change the boot order and then boot off a USB device to play around with the thing at his/her leasure. In what universe does it make sense for a voting machine to allow any voter to do this?

Re:Rank Amateurs

[koan]

Yep.

Re:Rank Amateurs

As can be seen here:
http://www.votetrustusa.org/index.php?option=com_content&task=view&id=2663&Itemid=51
back in 2007 a code audit was done, paid for by AVS, to achieve certification for future use. AVS didn't provide payment so they stopped the audit, but by then the code auditors had found " 1,946 source code review anomalies and 26 documentation anomalies".

Re:Rank Amateurs

It used hardcoded database passwords with an access database backend. The software was done horribly, and the developers probably genned up the XPe images, too.

Huh

[koan]

Well lets get a grayhat team over there and make sure Virginia votes entirely for Mickey Mouse.

It's about time we had a rodent American in office.

Re:Huh

[Bob+the+Super+Hamste]

Unfortunately that would be easily recognized as a glitch. Really what people should do is rig it so that 3rd party candidates start winning entire precincts and make the existing 2 major parties minor parties. For example in Minnesota if your party falls below 5% of the vote in a statewide election it looses major party status. This means it doesn't get automatic ballot access (state law), and also won't be included in any debates(rules setup up by the local media).

If you are going to hack democracy why not really hack it.

Re:Huh

[koan]

Pssst.... It was a joke.

Re:Huh

[Bob+the+Super+Hamste]

I got the joke, just carried it a bit farther.

Your premises are 180 degrees out of phase

They don't want to have basic security. They want them to be easily broken into. They want it that way so they can get the results they want. The software works perfectly to that end.

Remember: it's not the voters that count, it's who counts the votes.

Re: Your premises are 180 degrees out of phase

Yeah,it is who counts the votes. Which is why we want paper voting, anyone can verify the process. It doesn't matter that it takes a day to count.

After Ohio and Diabold

[Bonzoli]

Its fairly obvious these are features built in on purpose. Its never a mistake when a profesional that specializes in a field suddenly produces a product with problems such as buffer overruns in key security components that were magically not vetted. Look at Ohio and how Bush got a presidency, and the machines in place.
This was done on purpose, using crap, making it easy, and hard to track when it happens. Surprise our experts didn't think of that, right!! Its all smoke an mirrors to abuse a system that still to this day doesn't have stringent "you go to prison laws" that prohibit the production of such crap and its tamper resistance requirements.
Problem is who is paying to have this continue? Find the money and you find the people making this happen.

Its my firm hope that Americans will get out their Go Team mentalities taught in Highschool and start thinking about things other than themselves. It is a hope, and if I'm hoping, I'm hoping big.

The Robinson Method of voting

http://www.paul-robinson.us/index.php/2008/10/25/the_robinson_method_a_really_simple_way_?blog=5

This would solve all of these problems, but most people don't seem to be able to understand something so simple. Why?

Windows you say?

[davidwr]

Unless this was a stripped-hown, hardened version with nothing but a custom kernel and custom-everything else with all unnecessary bits stripped out and hardening put on top of it, I wouln't trust it unless it had a voter-verified, human-manually-coutable paper ballot as part of the voting process for every vote.

Wait, what am I saying? Even if it was stripped and hardened, I wouldn't trust any voting system that didn't have a way to print a ballot that the voter actually saw which could be examined in a manual recount.

That's it?

[Minwee]

Only people can hack it?

A real voting machine should be hackable by a chimpanzee.

Virginia Information Technologies Agency

[bugs2squash]

If the state's Technologies Agency is equipped to produce damning reports, why wasn't it engaged to do so before the machine went into service ? The state can't make the case it was hoodwinked and simultaneously show it has the chops to uncover what was wrong.

now you have two problems.

[goombah99]

If any electronic voting system is going to work, it would be a system that prints what you've voted so the voter can see what he/she voted. And then you have a separate electronic counting of those pieces of paper.

Now I know in the past they had some what similar systems in the US and they had problems with printers not working, so I don't know if they'll ever get it right.

There are also a whole lot of people who use terms like math/encryption or blockchain.

So far I haven't seen a system that works.

It does however make for interesting presentations:
http://media.ccc.de/browse/con...

Good lord, that did not make the problem better, you just have all the problems of both and none of the advantages.

And a photo of any such paper would allow you to prove how you voted which is antithetical to the secret ballot. Conversely a photo of a marked paper ballot is not proof of how you voted since it's not counted until it is invisible in the ballot box or optical scan. The voting machine makers tried to do something like that with a rolled continuous paper ballot printer the voter could see. However these tape ballots which were longer than a football field proved impossible to manipulate for recounting. With cut sheets it's easy to divide them into piles for any race and then have the observers help you recount the piles. takes very little time to sort and recount fixed page paper ballots for any given race being recounted. Not so with the toilet paper rolls. Furthermore, paper jams and printer malfunctions made these unreliable. paper ballots don't have that problem and if the opscan jams they can be counted later after putting them in a locked ballot box.

finally when a machine does go down or a church bus shows up to vote all at once, long lines ensue. When pen breaks on a paper ballot you get more pens, and you can have as many voting stations as you like.

Finally, which record is the actual record in case of a discrepancy? the electronic one or the paper one? ideally you want one tracable to the voters makrking action not her click-through glance at a printed paper ballot. With DRE's the errors happen during the clumsy touch screen process. (e.g. if you can't make a fist with one finger extended (people with R. Arthtrhitis can't) then you can't use a touch screen accurately. the touchscreens get out of calibration and programming errors result in incorrect recording of votes. pens on paper are generally more accessible (even though DREs can offer some handicap accessible features) and record the voters intent directly.

p>That way you have faster counting of votes and still everything on paper as back up.

faster? no slower. precint counting is not the slow part. the optical scans of paper count instantly. the rate limits are how may voters can vote at the same time (paper ballots win) and the protocols for collation to central tabulation of the precints (for which there's not any difference between opscan and a DRE voting machines).

why does this have wifi

Why does a voting machine need wifi? Did they put a usb port right on the front as well.

Norway

[ThatsNotPudding]

I once asked a man visiting us at work from Norway what voting system they used. "Paper and pen and then we count them.", he said with a facial expression as if I'd asked him how he normally cooked his offspring for consumption.

You only need voting machines for one thing: FRAUD. Fuck the corporate-owned networks wanting a winner two minutes after the polls close; if it takes a few days to count manually marked paper ballots openly, fully, and properly, SO BE IT.

You mean... any of them?

[Rujiel]

Why should a company like Diebold care about security when they know they're guaranteed a no-bid contract?

Lack of an air gap, the first mistake

[grilled-cheese]

What person in their right mind thought giving these things any kind of network connectivity was a good idea? Have we not learned from stupid decisions by SCADA system architects/administrators? If a network exists, the scale of a breach that will occur goes up drastically. A human being needs to be involved to physically relocate a certified write-once component from each machine to a central aggregator and then seal those removed components for audit verification. If I can have a hash verified write once knoppix dvd, why can't they build a verified write once voting machine OS/Application?

Unskilled people

[Darinbob]

What do they imply by "even unskilled people" can hack them. Do they think it's ok for skilled professionals to be able to hack these machines? Those are the ones to worry about.

Truly democratic

[manu0601]

.

If anyone can hack it, then voting machine got truly democratic.

The voting process is just a bit skewed: the last to cheat votes for everyone, but at least it can be anyone.

What the holy f*ck...

Of all the major and massive technoogical achievements of mankind (roads, the engine, the computer, rockets, the power of the atom, quantum physics, Higgs boson), we can't come up with a sure fire way to fucking electronically vote.

It is this problem, that I think, is a sign more than anything else, of how little America really gives a fuck about the democratic process. We should just let Walmart run the country for fucks sake. Make Apple the official religion. And just stop thinking, cause, ya know... Google already knows more about us than we do...

Holy fucking shit... Following this thought through, I'm not sure which is more terrifying, the current state of affairs... Or the thought of every single vote being completely and 100% certain... Imagine Americans having the power to vote with the click of a button, on any issue, from the comfort of their nearest internet connection... It would either be a paradigm shift of a total nightmare...