backtop

Print 40 comment(s) - last by JustAnAverageG.. on Sep 17 at 10:25 PM

A vulnerable diebold voting machine
E-voting machines are once again under fire

A Princeton University professor and two graduate students have further proven that electronic voting machines being used across portions of the nation are vulnerable to hackers. A paper on Princeton's web site describes how Edward Felten, professor of computer science and public affairs, found ways to upload malicious programs on a Diebold AccuVote-TS machine. The team was even able to create a computer virus that was able to spread between Diebold voting machines. According to the researchers, they are able to fraudulently change vote counts without the machine detecting the apparent tampering. An unidentified party gave the researchers the Diebold AccuVote-TS in May.

The Electronic Frontier Foundation yesterday announced that it is requesting the 6th U.S. Circuit Court of Appeals to reject the state of Ohio's latest attempt at dismissing an electronic voting case. The lawsuit against the Ohio secretary of state and governor alleges the state's procedures simply do not do enough to protect voters. Other states have also expressed concern over e-voting security measures.

Reports indicate around 80 percent of voters in America will use a type of electronic voting system in the upcoming election. Because of the growing popularity of paperless voting machines, more security and privacy experts are becoming worried of the ease in which programmers are able to penetrate the security of the voting machines.

A demonstration video is available on YouTube.

Comments     Threshold


This article is over a month old, voting and posting comments is disabled
Simple solution
By wwwebsurfer on 9/14/2006 7:56:16 PM , Rating: 2
People in the gov't need to quit cutting corners. Call those people that make ATM's and be done with it.




RE: Simple solution
By Brandon Hill (blog) on 9/14/2006 8:00:19 PM , Rating: 5
RE: Simple solution
By noxipoo on 9/15/06, Rating: -1
RE: Simple solution
By GhandiInstinct on 9/14/2006 8:03:35 PM , Rating: 3
It's amazing how people don't take this as serious as it should be taken. This is your FREEDOM, this is why this nation prospers because we get to DECIDE who runs the government for the better of us all.

Now if we allow such jeopardization to occur then this will eradicate the fundemntal principle of a Democracy which more than 50% of our people do not take advantage of anyway.

I want to see websites that you can access and make sure your vote was tallied,(enter your social and other info to access this), I want to know that our freedom elections are legit and that more people exercise this right that not many in the world have.

But this should be a #1 priority, to have a Democracy function as a Democracy and not a hacked election that served many meaning in 2000.



RE: Simple solution
By Madellga on 9/15/2006 12:15:09 AM , Rating: 4
And yet, look who is in command today.....


RE: Simple solution
By Furen on 9/15/2006 12:44:22 AM , Rating: 2
That's a horrible idea. Vote has to be secret. Allowing people to verify that their vote has been counted is good and all but what would stop someone with your information (an employer, for example... or Karl Rove, LOL) from checking how you vote and taking measures against you if he didn't agree?

What is needed is a system of electronic machines with paper trails. The electronic results could be used to make preliminary reporting faster but the actual result should always be based on a the paper trail.


RE: Simple solution
By Souka on 9/15/2006 10:16:18 AM , Rating: 2
actually the idea of providing a confirmation number has been investigated.

This would allow the user to check their vote on-line and/or via US Mail.

The primary reason they haven't done such a system is cost.



RE: Simple solution
By knowyourenemy on 9/15/2006 7:25:34 AM , Rating: 2
Something has to give soon, man. Something has to give.


RE: Simple solution
By rushfan2006 on 9/15/2006 10:08:18 AM , Rating: 2
There is one thing we should all be able to agree on, no program, no computer is 100% non-hackable. The second thing is something that should be obvious to just about everyone -- the chances of successfully hacking someone dramatically increase with the number of folks actively hacking it. Simple law of averages. Well a voting machine is something that would be an EXTREMELY attractive target for just about any hacker...so you are going to always have teams of people working to hack any generation of voting machine.

I'm not a programmer. But I'd suggest the following to make the advantages of a machine worthwhile in the first place (which is A) make it dead simple for voters and B) make it very fast)....

1) The folks that make the physical machine SHOULD NOT be the same folks that write the code persay, they should collaborate of course.

2) Military grade encryption has to be used for something as valuable as a voting machine. It should be hard to just decrypt the code to even make sense out of it in other words.

3) Access to the entire codebase and the machine should require authorizations and security clearances...it should be treated as if you are working on a bomb that can explode if you type in the wrong code.

4) During not use cycles (when the machines are in storage)...from transport to storage point and all times in between should be treated as if they are bags of money and guarded as such.

5) Legislation should be created that the penalties for hacking a voting machine are at LEAST double that of current "hacking laws".

6) Open source is a bad idea...at least in the "full" open source meaning -- you can open up the code for select authorized vendors ONLY and they can hash out ideas and control quality and integrity but I wouldn't put it on the 'net for general public consumption.

7) There should be a paper trail...a constant log that logs EVERYTHING...pretty much keystroke for keystroke.

If they did all that..then I'd feel more confident in the system.


RE: Simple solution
By Souka on 9/15/2006 10:18:38 AM , Rating: 2
don't forget the last item

8) Voting machine is packed with 3oz of C4. If unit is tampered with improperly, boom.



RE: Simple solution
By rushfan2006 on 9/15/2006 11:33:04 AM , Rating: 2
This will piss of some people, but its just a joke...

we'd call that a polish anti-theft device....lol.

Tamper with it and blows up the entire thing...;)



RE: Simple solution
By OrSin on 9/15/2006 11:59:28 AM , Rating: 2
Very easy solution.

Let the voting machince print out your choices but not record them. Then the papaer ballots are feed into another system. This leave a paper trail. Since it a computer print out it it can very easily read but some other machine make the hang chd crap a non-issue. YOu can verify the print out yourself so that no hacking can be done at that level. Very easy solution. Also the coputer cna print you 2 copies so you can keep one, in case its "lost".

To further add some record keeping. You can can be assigned a random number when you vote and when your vote is counted you can look up you number. This adds a second level of authentication


RE: Simple solution
By ChristopherO on 9/14/2006 8:24:30 PM , Rating: 4
"Those people that make ATMs" happen to be Diebold... The same company that already makes the voting machines in question.


RE: Simple solution
By ToeCutter on 9/15/2006 10:08:46 AM , Rating: 3
quote:
Call those people that make ATM's and be done with it.


Um, dude, have you used an ATM machine lately and noticed the the large chrome and black nameplate that reads DIEBOLD?

99% of the public doesn't even realize the connection here. And they call those who question the likelihood of voter fraud on these boxes "conspiracy theorists"?

Thank God for the organizations like EFF...


RE: Simple solution
By bysmitty on 9/15/2006 10:09:23 AM , Rating: 3
Do a little research into Diebold. They are those people that make ATMs.

...bysmitty


RE: Simple solution
By Dactyl on 9/15/2006 1:47:20 PM , Rating: 2
Call those people that make ATM's and be done with it.

In addition to the fact that, if you look at an ATM, there's a good chance it will say "Diebold" on it...

How do you think ATM security works?

They keep careful records of the transactions, so they can go back and make things right after the fact. If someone gets away with $100, that's just money. If someone steals an election, or causes us to doubt the validity of election results, there's no way to go back and fix that. For obvious reasons, we don't keep track of who voted for whom (like: if people found out who you voted for, they could attack you, discriminate against you, or intimidate you from voting that way in the first place)

ATMs don't need to be perfectly secure, they just need to be secure enough that it costs too much money to break in to be worthwhile. And if there's a little bit of theft here and there, that's okay. It's just money. We live in a big country with a lot of money. People steal candy bars from convenience stores all the time, and the world doesn't come to an end. Banks are profitable institutions and a little theft/fraud won't bring them to their knees.

We can't tolerate a little bit of fraud in a very close election! In 2000, it was close in Florida. In 2004, it was close in Ohio. It would have only taken a little fraud to change the results, and people knew ahead of time which states would be close.

A stolen election would blow this country apart. If you think Florida 2000 was bad, or if you're distressed by AMLO's bad behavior in Mexico, you ain't seen nothin' yet. EVERY close election will have allegations of fraud and vote-stealing. Democratic legitimacy will suffer. That's the bedrock of our society--any attack on that is an attack on Western Civilization itself. Without legitimate, free and fair democratic elections, we will end up with a government like China's.

That's why ATM-level security, and an ATM attitude towards security, is not good enough for elections.


RE: Simple solution
By Googer on 9/17/2006 10:36:59 AM , Rating: 2
quote:
People in the gov't need to quit cutting corners. Call those people that make ATM's and be done with it.


Huh?

Last time I checked, Diebold was on of the largest ATM makers out there, right next to NCR.

http://www.diebold.com/solutions/atms/opteva/html/...


Simpler Solution
By Ulfhednar on 9/14/2006 7:59:52 PM , Rating: 2
There's nothing wrong with pen and paper voting.




RE: Simpler Solution
By flyboy84 on 9/14/2006 8:17:22 PM , Rating: 2
well, as long as you aren't a melon-head geriatric from Florida, that is


RE: Simpler Solution
By Samus on 9/14/2006 9:27:12 PM , Rating: 1
my thoughts exactly. i've heard of morons actually thinking it throws your ballot out if you don't vote for every option.

generally i go thought and just punch democrat for every house/senator (i'm from chicago, duh) but when i first voted (in 2000) i just voted for Gore and i was out.


RE: Simpler Solution
By Snuffalufagus on 9/15/2006 1:29:34 AM , Rating: 1
lol - the process at work! nothing beats an informed voter :)


RE: Simpler Solution
By oneils on 9/15/2006 9:34:12 AM , Rating: 2
I'm confused, gp or originator for Simpler Solution is talking about pen and paper - not punch cards. Even the elderly shouldn't have a problem with pen and paper.


RE: Simpler Solution
By TwistyKat on 9/15/2006 6:58:55 AM , Rating: 2
quote:
well, as long as you aren't a melon-head geriatric from Florida, that is


Those flippin' Geriatrics. They make me mad. Look what they did in 2000. There we entire precincts of 'em that usually vote for Democrats ended up voting for Pat Buchanan.

They are so old they are dumb. Flippin' Geriatrics.


In other news...
By lemonadesoda on 9/14/2006 8:37:23 PM , Rating: 4
In other news... A Princeton University professor and two graduate students are sentenced to 20 years in jail for the criminal offence of hacking into Government property.




RE: In other news...
By Brainonska511 on 9/14/2006 9:08:57 PM , Rating: 3
or you have the DMCA violations. SUE!


Where am i?
By JohnnyCNote on 9/15/2006 12:54:16 AM , Rating: 2
Let's see, there's one party in control, elections are rigged, they say we have a "democracy". That could be Cuba, North Korea, China, the former USSR.

Strangely, my drivers license says I live in Florida. Last I checked that was in the US.

This is getting confusing....




RE: Where am i?
By Chillin1248 on 9/15/2006 8:06:20 AM , Rating: 2
Elections are rigged....

Can we please downgrade my post and the original post in this thread?


Been happening in the US for decades at least.
By ttowntom on 9/15/2006 3:22:58 PM , Rating: 2
I hate to tell you, but vote fraud has been occuring here in the US for many, many years...probably since the nation was first founded. Usually its not terribly well organized, but in cases like the Cook Couty Democratic Organization (aka the "Chicago Machine") it's capable of regularly tailoring the results of elections to meet whatever numbers it wishes.

These machines might not be perfect. But they'll be a hella lot better than what we have now.




By JustAnAverageGuy on 9/17/2006 10:25:37 PM , Rating: 2
Courtesy of Deadmeat over at Fark:

quote:
Seriously, why do a majority of articles that discuss potential or actual wrongdoings in the political arena inevitably have someone come in and basically say that since similar deeds have been done by the opposite ideology, or becaue everyone does it that we should accept it as business as usual? Non-story: criminalization of crime.


Just because it's happened in the past doesn't make it right.

- JaAG


Why is this possible?
By xKelemvor on 9/15/2006 9:07:42 AM , Rating: 3
Why is it setup so people can hack anything. Why is there not just a touchscreen monitor in the booth and everything else locked in a box outside the booth so no on ehas access to anything. Wouldn't this make it unhackable since there'd be no keyboard, no drives, no PC, no anything that the person woudl have access to?

Maybe I'm missing something but this doesn't seem that complicated to me. You could even just have a flash program asking you who you want to vote for and having their pictures and you just press the picture and it stores that in a database. Seems someone culd program this in about an hour and be done with it.




It Aint a PC Folks
By Dfere on 9/15/2006 9:52:44 AM , Rating: 2
A couple of points here.

1) Of course this machine is a computer, so it needs to be programmed and maintained, thus SOME interface is needed.

2) It does not matter if its programming is open source or not. What matters is someone has access to it , resources and time to alter it.

So the above arguments do not matter.

The legal premise the article was addressing is not that it is unbreakable, the premise is that there are enough safeguards in place such that the Secretary of State of Ohio did his job correctly. Nowhere in this article is an actual description of the machines used apparent. I live in Ohio. At least one of the machine types used had a computer record, AND a paper printout which the voter is supposed to verify (for accuracy),which rolls back into a lockbox. Thus you could change the computer record, but the original tape which is produced would not reconcile and the votes would be thrown out. Access to the machines are restricted and logged when the machines are not in use, and when in public use they are in a public area with several volunteers around.

When it comes to voting security, leave it to the auditors and the Secretary of the State, not to the Geek Squad. And don't assume everyone has the same time to access and alter these machines the way a hacker has with an internet connected computer/server. Also, please don't assume everything is done on a PC, or that the process begins and ends with it. It is but a small part of a much larger system. Anything can be broken or hacked and no automated process, standing alone, is foolproof and noone elected to oversee voting offices relies solely on that.




duh
By sprockkets on 9/15/2006 11:13:19 AM , Rating: 1
The machines run Windows CE 3.0, 'nuff said.




Proprietary Code
By chusteczka on 9/14/06, Rating: -1
RE: Proprietary Code
By michal1980 on 9/14/06, Rating: -1
RE: Proprietary Code
By mindless1 on 9/14/2006 11:28:58 PM , Rating: 2
Open source does not directly equal good, but having anything of consequence open to every left-wing nut to pour over until the holes are plugged, IS good.

Having some system that only seems secure because everyone is ignorant of the tech (and code) behind it, only works until someone is sufficiently motivated to hack it. If nothing else, once the open source version is out there the easy hacks are gone and it would take a far far higher skill level to hack. Security is not about absolutes, it's about putting the prize out of reach.


RE: Proprietary Code
By Dactyl on 9/15/2006 1:38:03 AM , Rating: 3
What an incredibly ignorant thing to say.

First, the previous commenter did not say open source was always good. So your comment doesn't even respond directly to the original.

Second, the conditions under which open source get good are: lots of smart people going over the code, looking for bugs and exploits, to test it. That's exactly what you would get with E-Voting code. Not just "left-wing nut[s]" as another commenter stated, but American hackers from all over the political spectrum, and even foreigners (because let's face it: who gets elected in America matters to the world, AND foreigners like to get famous just as much as Americans)

Third: your comment is not only ignorant, it's also stupid. How would proprietary code produced by paid programmers employed by a company like Diebold suddenly get WORSE when the code is released to the public? It would be the same exact code as before it was opened to the public! Until flaws were pointed out and they could fix the flaws!

I don't think any E-Voting machines should be used that are not completely open source (hardware AND software). The US Gov't could pay for the technology and let anyone else in the world (other governments, etc.) use the IP for free. It wouldn't cost THAT much to develop, whether we paid Diebold to do it, or paid some other entity.

Open source is more secure, because it would be relying on secrets like secret keys, that are different for each machine each time it is used, rather than a "secret" architecture with the same vulnerabilities in every machine (and look how "secret" it is--Princeton got ahold of it and cracked it).

Open source is ALWAYS better than proprietary code, when democracy is concerned. I knew there were open source fanboys on the net, but I didn't know there were proprietary source fanboys who would downgrade intelligent comments saying something good about open source!

You don't have to be a conspiracy theorist to hate Diebold: time and again Diebold has been shown to make flawed voting machines. They've lied about it before http://www.hellerlegaldefensefund.com/journal.html and have no shame about lying in the future.

I don't think any American elections have been stolen with E-Voting yet, but if we keep using insecure machines, sooner or later it will happen, and the consequences will be extremely bad for the country!


RE: Proprietary Code
By darkfoon on 9/16/2006 3:48:27 AM , Rating: 2
Get the guys from OpenBSD to write the code for these things. Be sure to give them a year or two and lots of money, and you'll have a rock-solid voting machine with very difficult-to-exploit holes.

I say "very difficult", not "impossible", because computer security is all about layers. Many layers of security make it less and less worthwhile to hack something given the amount of energy required. It is a case of diminishing returns.
Why do you think that a 4096 RSA key is better than a 1024 RSA key? It's not that the bigger number is better ;) but because the amount of CPU time needed to do a brute-force key search for a 4096 bit number would take lifetimes even with every single computer on the planet working on the problem.

I looked at a security patch for OpenBSD a few months ago. The exploit fixed by the patch involved an attacker having to exploit /dev/fdd (that's the floppy drive for non *nix folks) but it also required several other steps in order to exploit it (involving other, unrelated software). My point is that they know what they are doing when it comes to finding/fixing bugs, and are the perfect candidates for writing code for a voting machine.

In short, I agree with Dactyl


RE: Proprietary Code
By stmok on 9/15/2006 4:20:23 AM , Rating: 1
quote:
I knew there were open source fanboys on the net, but I didn't know there were proprietary source fanboys who would downgrade intelligent comments saying something good about open source!


They ain't fanboys, they're more like people who know they will get a bruised ego if they move to an open-source OS...As they find out they really don't know anything. Other times, its the fear of the unknown. (I've noticed its some of those MCSE people. As they have paid good money to get that certification, only to realise that the skills they have is pretty much useless outside of MS solutions).

In extreme cases, certain companies, pay third-party organisations that hire people (lackeys) to spread disinformation. Its a standard way to influence opinion on the web. (Post unbacked bullshit to change opinion)...The original company that pays the third-party company can then deny anything with having to do with opinions posted by lackeys. (plausible deniability).


Its similar to what Paramount Pictures has done with the Transformers movie. The leaked picts got some serious negative backlash from the fans, so Paramount got some lackeys to do their dirty work by changing opinions of certain forums. (Well, it bloody gets very suspicious when a forum starts off completely negative to something, then all of a sudden, its changed to favouring it!)

I know about these dirty tricks because I have a friend that does this kind of thing for a living. (He only does it to pay the bills...I try to encourage him to seek another career).


RE: Proprietary Code
By Chillin1248 on 9/15/2006 6:59:38 AM , Rating: 3
I am sorry but this post is hilarious.

You suggest that a company like Diebold has its employees scouring the internet for articles about it first of all. Secondly you then suggest they bypass degrading harmful comments like this:

quote:
People in the gov't need to quit cutting corners. Call those people that make ATM's and be done with it....

---

There's nothing wrong with pen and paper voting....


And yet downgrade yours which states:

I will not vote electronically until the software is open source

I have a big ego but the line of thought that you/he are/is being targeted just puts me to shame...





RE: Proprietary Code
By Dactyl on 9/15/2006 1:33:54 PM , Rating: 2
You suggest that a company like Diebold has its employees scouring the internet for articles about it

I don't know if that's what happened here, on this thread, but you had better believe there are marketing firms that have internet operations monitoring blogs and news sites!

Most big companies would want to know what people are saying about them. There are marketing firms who do regular searches of blogs and news sites (via RSS feeds and blog-only search engines). With those tools, they can keep up-to-date very quickly. If the companies are willing to pay for it, they can have it.

And where there are honorable marketing companies, there are also shady companies. Companies that have employees who post fake testimonials about how great Product X is on e-commerce web sites, or trash Product Y.

We've see this in marketing companies that exist in the real world, such as with "push polling" (e.g. asking questions like "if you knew Republican senate candidate John Jacobs wears women's underwear, would you still vote for him?").

We've seen this with pop-under ads, email spam, and adware programs--it used to be, big companies would use those without shame. Nowadays, there's much less of that, and the spammers are mostly pill merchants or other small operations.

If some company thinks it would benefit by "maintaining a web presence" or "shaping opinion at opinion-leader web sites" or whatever jargon they want to use, that's what they're going to do.

I certainly value what other real people say about things. I pay attention to reviews when I buy things online, unless I have firsthand knowledge of the product. But it's very easy to fake. Any successful system will attract parasites. So we have parasites, these companies employing hordes of minimum-wage lackeys to go around the web spreading certain paid-for opinions.


“So far we have not seen a single Android device that does not infringe on our patents." -- Microsoft General Counsel Brad Smith









botimage
Copyright 2012 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki