Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
United States Government Politics Technology Your Rights Online

More Diebold E-Voting Vulnerabilities 535

presmike writes "ok, it looks like Diebold has more to worry about now that it is possible to change votes with a 5 line VB script. 'The vulnerabilities involve the Global Election Management System, or GEMS, software that runs on a county's server and tallies votes after they come in from Diebold touch-screen and optical-scan machines in polling places.'"
This discussion has been archived. No new comments can be posted.

More Diebold E-Voting Vulnerabilities

Comments Filter:
  • Blimey (Score:5, Interesting)

    by ackthpt ( 218170 ) * on Wednesday September 22, 2004 @11:34AM (#10319612) Homepage Journal
    vbs script running in the background, well, they don't say it but it seems obvious that GEMS is running in Windows, the most breakable OS in the world. I'd think with that in mind that little scripts are the lease of their worries. If someone compromises their network and server enough to install and run a script, they've got considerably more at their fingertips.

    "There's 14,375 votes for Bush, 14,374 for Kerry and 2,793,036 for Mr. Magoo, let's tell the public about this 4 years after the election, OK?"

    • Re:Blimey (Score:5, Insightful)

      by grub ( 11606 ) <slashdot@grub.net> on Wednesday September 22, 2004 @11:36AM (#10319641) Homepage Journal

      If someone compromises their network and server enough to install and run a script, they've got considerably more at their fingertips.

      When you have the CEO of Diebold saying "I am committed to helping Ohio deliver its electoral votes to the President next year." [blackboxvoting.com] why do you think the evilness has to come from outside Diebold?
      • Re:Blimey (Score:5, Insightful)

        by TheLittleJetson ( 669035 ) on Wednesday September 22, 2004 @12:20PM (#10320154)
        indeed. if you live in a state with e-voting machines, vote absentee. tell your friends and family.
        • Re:Blimey (Score:5, Informative)

          by merlyn ( 9918 ) on Wednesday September 22, 2004 @12:43PM (#10320392) Homepage Journal
          At least in Georgia, "vote absentee" won't help. They take those absentee ballots... AND KEY THEM IN ON A DIEBOLD VOTING MACHINE!
        • Re:Blimey (Score:5, Insightful)

          by Anonymous Coward on Wednesday September 22, 2004 @12:48PM (#10320462)
          Here is the only way I see this comming to full public attention. Some haxor changes the votes, not for Dem or Rep (that would be argued as America opinion), so that the green party or the american communist party or something like that won in a landslide then you'd open peoples eyes real quick.

          It's kinda ironic that all of us nerds who love technology are the ones saying that this is a really bad idea. If we're saying this technology is bad you'd think they would listen to us....

          NOTE to FBI, election officials and readers: This is not a suggestion on things to do. I am not saying that someone needs to hack the voting system, I'm just saying that if the worste case scenerio occurs people would notice. I don't want someone doing this and me ending up in Gitmo.

          (For the first time in my /. life I will be posting Anonymously, soon I'll be buying my tinfoil hat...)
        • Re:Blimey (Score:4, Interesting)

          by SpaceLifeForm ( 228190 ) on Wednesday September 22, 2004 @02:18PM (#10321657)
          In Missouri, the republicans are asking for lists of voters that have requested absentee ballots. Here's one story. [dailystatesman.com]
      • Re:Blimey (Score:4, Interesting)

        by Artifakt ( 700173 ) on Wednesday September 22, 2004 @01:51PM (#10321285)
        There are several other companies making voting machines. Some of those alternates appear to be better (not necessarily safe enough for this job, but substantially closer). My own state uses machines that produce a partial paper trail (a copy of the aggregate results, per machine, not per individual voter). It's not the per individual paper trail some have discussed here, but it serves for newspaper reporters, party observers, and the general public to see, and helps block SOME forms of possible election fraud. My own state also still supports paper ballots, and it would take amending the state constitution to take away that alternative.
        Right now, the evidence is that one company's voting machines are definitely below any remotely acceptable standard, and that company has indicated a motive for making them flawed deliberately.
        It's not evidence that proves all forms of electronic voting should be rejected, or that paper ballots are axiomatically better. It sure doesn't prove that other forms of felonious electioneering, such as getting voters falsely dropped from the rolls, will stop too if we just go back to paper. It IS increasingly solid evidence of a crime. The public will better serve itself if it focuses on what the facts definitely prove about Diebold than what they may tenetively suggest about the overall principles of electronic information security.
    • Re:Blimey (Score:5, Informative)

      by AKAImBatman ( 238306 ) * <[moc.liamg] [ta] [namtabmiaka]> on Wednesday September 22, 2004 @11:37AM (#10319648) Homepage Journal
      vbs script running in the background, well, they don't say it but it seems obvious that GEMS is running in Windows, the most breakable OS in the world.

      It's worse than that. From this link [scoop.co.nz]:

      She has no way of knowing that her GEMS program is using multiple sets of books, because the GEMS interface draws its data from an Access database, which is hidden.

      Getting a warm and fuzzy feeling yet?
      • Re:Blimey (Score:5, Funny)

        by ackthpt ( 218170 ) * on Wednesday September 22, 2004 @11:42AM (#10319700) Homepage Journal
        Getting a warm and fuzzy feeling yet?

        I think it's nausea.

        You know... Diebold does a lot of work with financial systems. Is this what they call the Harbinger of Doom?

      • Access (Score:4, Insightful)

        by YrWrstNtmr ( 564987 ) on Wednesday September 22, 2004 @11:50AM (#10319802)
        While MSAccess is assuredley not the tool to use on a system like this, probably no tool would be good in the hands of these clueless cube monkeys (I hesitate to use the word programmer).

        They appear quite capable of screwing up a wet dream.

      • Re:Blimey (Score:4, Funny)

        by Marxist Hacker 42 ( 638312 ) * <seebert42@gmail.com> on Wednesday September 22, 2004 @12:21PM (#10320168) Homepage Journal
        Given that- here's the five lines in pseudocode:

        1. Set an ADODB Recordset
        2. Open recordset with select statement for tables with the totals in them.
        3. rs(fieldforcandidate)=new total
        4. rs.update
        5. rs.close

        Or better yet, if you have a copy of access with you, skip the stupid script, open Access, and simply change whatever totals you want to.
      • Re:Blimey (Score:5, Informative)

        by Thomas Miconi ( 85282 ) on Wednesday September 22, 2004 @01:13PM (#10320799)
        What I don't get is, why do the US insist on having electronic voting machines ? I presume the 2000 fiasco prompted some kind of overreaction, but why not simply go to a plain paper system ?

        In backwards socialist pro-islamofascist hellholes such as France, elections are 100% paper-based. People walk into the local voting point and (after registering and showing their elector card) are presented with a number of bulletins, each of them bearing the name of a candidate. They take several of them, walk into the booth and put the bulletin of their choice in an envelope. Then they walk to the ballot box and drop the envelope.

        The integrity of the vote is ensured by the most primitive (and efficient) method around: after the vote is over, bulletins are counted by officials in each voting point in presence of the public. Bulletins are handpicked from the box, the main official reads the name aloud, and shows the ballot to other officials present and to the public. The names are also written down by two other officials. The total figures are then transmitted to a central office in Paris. On the next morning, people can check in the local newspaper that the vote count reported for their precinct corresponds to whatever was announced at the voting point.

        This system is simple, efficient, and reasonably fool-/fraud-proof. Can someone explain me the exact problem with it ?

        Thomas-
    • by Anonymous Coward on Wednesday September 22, 2004 @11:40AM (#10319684)
      Why, it's used by the FAA to for radio communications! They wouldn't use something like Windows if it wasn't safe...
    • Re:Blimey (Score:5, Insightful)

      by nightcrawler77 ( 644839 ) on Wednesday September 22, 2004 @11:55AM (#10319868)
      Windows security is hard enough to get right when you try. But it sounds like the Diebold flaws would be present regardless of their platform choice.

      Even running the GEMS software on OpenBSD would do nothing to make up for their lousy secuity design.
      • Re:Blimey (Score:3, Informative)

        by Phisbut ( 761268 )
        But it sounds like the Diebold flaws would be present regardless of their platform choice.

        True, this is not a Windows flaw, it is a Dieblod flaw. However, if Diebold ran on another platform, it would probably take more than 5 lines of vbscript written in Notepad to decide who gets elected.

        Part of having a stronger security is making it harder for the crackers to do things.

    • BSOD (Score:3, Funny)

      by sleepnmojo ( 658421 )
      I don't see a problem here. No one will be able to use the machines anyway. They will all be blue screened, so we will have to go back to the old way.
    • by gihara ( 738286 ) on Wednesday September 22, 2004 @12:33PM (#10320285)
      Why not simply license Brazil's Voting System? I am working as a volunteer in Brazil's city elections this years. The machines are simple and reliable, here are the specs. CPU: Geode National - 200 MHz. RAM: 64mb on board. 2 USB and 1 parallel on board. IDE and Floppy interface. 2 30mb flash disks - one for program and the other for the results. 1 floppy disk drive - sadly that's how we deliver the votes... but its quite error free because the votes are also printed. and theres also the flash disk. 9,4" LCD Here's the new model http://www.procomp.com.br/projesp.asp The only real bug in Brazil's votting system is the elector heehe... We elected a drunk last election for president... well... better than Bush... but still a drunk... ehehee
      • Still- how do you know your vote counted for whom you wanted it to count for? Do you have a paper trail, and do you check the paper trail? If not, your system is only slightly better, if at all. If you do- why not just skip the easily monkeyed with electronic systems and stick with the millenia old paper system instead? Despite all the FUD, the old chad system worked and only a fraction of a percent were miscounted. Most of them were because the voter was too stupid to check if the chad got punched cle
  • by Anonymous Coward on Wednesday September 22, 2004 @11:34AM (#10319616)
    After reading all these stories on Slashdot about Diebold voting machines having security holes, I did a little bit of research on my own. I believe I finally found the perfect voting tabulation and candidate selection system, impervious to cheating. Here is the website [musl.com]; it includes video of the machines in operation (Windows ASX format).

    Perhaps some of you security experts could evaluate whether this machine is more or less accurate and secure than Diebold's machines, but I'm pretty confident in its ability to surpass Deibold's accuracy. (Note to foreign readers: To interpret the results from the videos: if the red ball 21 or less, that's a vote for Kerry; 22 or more, Bush.)
    • by gorbachev ( 512743 ) on Wednesday September 22, 2004 @11:47AM (#10319760) Homepage
      Business2.0 had an interesting article [business2.com] on an electronic voting machine idea David Chaum has come up with.

      Dieblod is taking shortcuts trying to maximize short term profits. Corporate greed at its best.
      • Unfortunately the lowest bidder gets the contracts.

        I think that's the ultimate flaw in this process - why spend money on quality when price is the only thing that matters?

        • why spend money on quality when price is the only thing that matters?

          Well, there's the problem. The data can either go directly from each machine to the county elections board, or it can be collected and counted at the precinct level, then sent to the elections board.

          There are a couple of reasons why you would keep the preliminary counting to the precinct level: Cost is one.

          The cost of centralizing the count would mean that every machine has to be given a secure, direct connection to the central compu

  • Amazing (Score:5, Insightful)

    by AKAImBatman ( 238306 ) * <[moc.liamg] [ta] [namtabmiaka]> on Wednesday September 22, 2004 @11:34AM (#10319621) Homepage Journal
    You'd think a company who's been making ATMs [wikipedia.org] since their inception, would have a good understanding of cryptographic security and the "gotchas" inherent in such systems. Yet it seems that this multi-billion dollar company is utilizing nothing more than junior level Microsoft programmers. I mean, who in their right mind would write a national voting system in Microsoft Access?!? [scoop.co.nz]

    Maybe they should claim that all their security experts were hired by Google after they took the GLAT. ;-) Then they could get Congress to sanction Google instead! *rolls eyes*

    (BTW, I love the "Politics" section color scheme. Can we do something similar for IT?)
    • Re:Amazing (Score:5, Informative)

      by Kenja ( 541830 ) on Wednesday September 22, 2004 @11:43AM (#10319713)
      Given that the ATMs run unpatched Windows XP [coed.org] and have in the past been hit by internet worms [theregister.co.uk] I fail to see whats so shocking about any of this. I will not use a Diebold ATM, even if that means I dont eat lunch because there's no other source for cash handy.
    • Re:Amazing (Score:5, Insightful)

      by kiolbasa ( 122675 ) on Wednesday September 22, 2004 @11:44AM (#10319730) Homepage
      A multi-billion dollar company rushed a voting maching product to market to take advantage of the buzz following the 2000 election. Marketing trumped proper design.
    • Re:Amazing (Score:3, Interesting)

      by quelrods ( 521005 ) *
      Well, technically the db backend in access, not the system itself. The amusing thing about access is it supports subselects! There isn't a release of mysql that does this yet. As much as we all hate access, it may have been an ok choice for this. At least there isn't a slammer worm for access. Given the choice between access and ms sql server for our voting machines, I guess access isn't so bad. Though, user permissions on the db is probably something to worry about.
    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
      • Exploits in ATMs (Score:5, Interesting)

        by Halo- ( 175936 ) on Wednesday September 22, 2004 @12:19PM (#10320153)
        I'm too lazy to find the actual paper, but there is a great one out there about errors made in early ATM design. (Dunno if they were Diebold's or not). For quite some time, the PIN used to access and account was stored on the magnetic stripe on the back of the card. When you "authenticated" to the ATM, it compared the PIN keyed in using the keypad to the PIN on the back of the card! Eventually criminals figured this out, and would steal people's wallets, take the ATM cards, and encode a new, known PIN on the stripe, and access the victims account.

        I've worked with banks on other security systems, and in my experience they often "know what they want" but fail to ask the right questions. Of course, as soon as they start losing money, they get the point quickly. :)

        (Okay, laziness over, I think this may be the paper I'm thinking of: Why Cryptosystems Fail [cam.ac.uk])

      • Re:Amazing (Score:4, Funny)

        by c13v3rm0nk3y ( 189767 ) on Wednesday September 22, 2004 @01:34PM (#10321082) Homepage
        They are working for the govt in this case, which is notorious for not paying attention until it becomes and a campain issue.

        Dude, I love this word you created:

        Campain \Cam*pain"\, n. [F. campaigne, It. campagna, fr. L. Campainia the level country about Naples strewn with band-aids, fr. campus field. See Camp, and cf. Champaign, Champaigne.]

        1. An field of pain; a large, open pain without considerable pills. See{Champaign. --Grath.
        2. (Mil.) A connected series of military operations which cause significant pain.
        3. The feeling one gets during and after a political operations preceding an election; a canvass. [Cant, U. S.]
        4. (Metal.) The period during which a blast furnace is continuously in operation while your face is in it.
    • Re:Amazing (Score:5, Interesting)

      by Frymaster ( 171343 ) on Wednesday September 22, 2004 @11:50AM (#10319806) Homepage Journal
      You'd think a company who's been making ATMs since their inception, would have a good understanding of cryptographic security and the "gotchas" inherent in such systems

      understanding? sure. motivation to implement it? maybe not. consider:

      • if the bank machine borks my transaction i find out about it at month end in my statement. if the voting machine borks my ballot, i never know.
      • the atm is just a snazzy client for the bank's server. the banks approves the transaction and returns the balance, the atm just spits out the cash.

      remember: in every first year computing science class assignment #2 is "bank machine".

    • Re:Amazing (Score:3, Insightful)

      You'd think a company who's been making ATMs since their inception, would have a good understanding of cryptographic security and the "gotchas" inherent in such systems

      I'm sure Diebold poeple do understand security, very well. Clearly, the complete absense of security in the voting systems is not a result of accident, oversight, or incompetence. I am sure the absense of security is absolutely intentional.

      These machines are designed, from the start, to rig elections.

    • Re:Amazing (Score:4, Informative)

      by MoebiusStreet ( 709659 ) on Wednesday September 22, 2004 @01:46PM (#10321223)
      To be correct, the system isn't "written in Microsoft Access".

      Access is a RAD development system that uses Microsoft's JET database engine for data storage. (Actually, these days it prefers to use MSDE, which is a stripped-down SQL Server, but JET is still supported).

      I have developed many departmental-scope apps in Access, and more in "real" languages using the JET engine. But anyone who would choose to use Access for such a large-scale system really needs their head examined. This isn't MS-bashing, they tell you what Access and JET are good for, and I don't think that Microsoft themselves would advocate this usage.

      Reading through the Wired article, it appears that the Diebold programmers know very little about the correct usage of relational databases. Anyone who builds a data model that looks like what this article implies should not be entrusted with the keys to our democratic process.
  • by Lord Grey ( 463613 ) * on Wednesday September 22, 2004 @11:34AM (#10319622)
    Ha!
    [David Jefferson, a computer scientist at Lawrence Livermore National Laboratory said] that he doesn't believe that the vulnerabilities show deliberate malice on Diebold's part to aid fraud, as [voting activist Bev Harris] has sometimes contended in public statements. But the vulnerabilities do show incompetence and indicate that Diebold programmers simply don't know how to design a secure system.
    Emphasis mine.

    Another excellent example of why electronic voting software should be open source. Having many programmers looking over code doesn't automatically increase security, but it certainly increases the probability of finding and correcting asinine problems like the one discussed in the article.

    We all know this. Now to convince the U.S. state governments, or the Feds (who should probably fund and sign off on it). Any representatives reading this?

    • Any representatives reading this?

      No.
      • by Anonymous Coward on Wednesday September 22, 2004 @11:44AM (#10319734)
        Any representatives reading this?

        If you make a reference to Guybrush Threepwood in your comment I always mod it up. Go Monkey Island!


        So what you're saying is, we should elect Guybrush Threepwood for president? Viva la Threepwood!!!
  • by Weaselmancer ( 533834 ) on Wednesday September 22, 2004 @11:35AM (#10319631)

    George Bush and John Kerry sign up for MSDN subscriptions.

  • Nothing new.. (Score:5, Insightful)

    by Manip ( 656104 ) on Wednesday September 22, 2004 @11:36AM (#10319635)
    This isn't new at all, just an extreme example of what we have already seen. We already know that they are stored in an insecure access database - changing votes using 'just' a VBS script is nothing new or exceptional.

  • change to our type (Score:4, Interesting)

    by alatesystems ( 51331 ) <chris@NOsPam.chrisbenard.net> on Wednesday September 22, 2004 @11:36AM (#10319636) Homepage Journal
    Our voting machines [louisiana.gov] are awesome in Louisiana. In my parish we use the AVC [louisiana.gov] model. You go in and press buttons and then hit "cast vote" and it goes "doo doo doo" and it gives me great satisfaction.

    I think it does have a paper trail and I've never heard of any vulnerabilities for it, and we have no hanging chads. Completely electronic.

    Chris
    • by DAldredge ( 2353 ) <SlashdotEmail@GMail.Com> on Wednesday September 22, 2004 @11:42AM (#10319701) Journal
      IOW, you don't know shit about them and you still think they are safe.

      We are fscking doomed!
    • by FunWithHeadlines ( 644929 ) on Wednesday September 22, 2004 @12:01PM (#10319921) Homepage
      "You go in and press buttons and then hit "cast vote" and it goes "doo doo doo"

      Then it goes "de da da da," and finally it tells you, "is all I want to say to you."

    • by Idarubicin ( 579475 ) on Wednesday September 22, 2004 @01:01PM (#10320587) Journal
      think it does have a paper trail and I've never heard of any vulnerabilities for it, and we have no hanging chads. Completely electronic.

      You think it has a paper trail, but you're confident it has no vulnerabilities?

      Oh. Well, that's okay then.

      After you push the button for Jones, how do you know that the system recorded a vote for Jones? What if the screen says Jones, but (inadvertently or deliberately) incremented the count for Smith, instead?

      A real paper trail is one that you can see when you cast your vote. It just has to print 'one vote for Jones' on it, then spit it out. You put that printed record into a sealed ballot box before you leave the polling place. (Otherwise, other people could verify your vote and eliminate the benefits of a secret ballot). Then you've got a real paper trail. If you don't trust the machine count, you count the paper ballots.

      A 'paper trail' where the printer spits out whatever number the computer tells it at the end of the day has no verification value whatsoever.

  • by NIN1385 ( 760712 ) on Wednesday September 22, 2004 @11:37AM (#10319647)
    This country wont elect a single representative for themselves until we go back to normal counting of paper ballots! I dont see why we wouldn't do this, it can only help. It is much more reliable and fool-proof and it does nothing but help our economy by having to hire people to count the ballots. In today's world the tech that made the machine is the one who oversees the counting process, not a trustworthy judge that cannot be bribed like it was back in the day.
    • Ah, for the days of taking a pen and a sheet of paper with boxes next to names, and marking an X in the box next to the person you want to vote for.

      Simple and relatively free from error. I'm sure optical scanners today should be able to process these damned quick, too.

      Hopefully New York is not going to be using paperless electronic voting machines. I don't trust them.
      • by Paulrothrock ( 685079 ) on Wednesday September 22, 2004 @11:56AM (#10319873) Homepage Journal
        The Scientific American article I posted about says that paper ballots are even more subject to jamming than punch card ballots. And while they're human readable, they take much longer to count than electronic ballots.

        Their solution: A dual-method system. First, the person fills out a card with their choices. Then they put the card into a slot which reads it, so they get a chance to review their choices. If they want to make changes, the old ballot is stamped with "Void" and shredded, and a new one pops out, ready to use. If they accept the choices, the ballot is placed in a bin *and* recorded electronically.

  • Worry (Score:5, Insightful)

    by MacGod ( 320762 ) on Wednesday September 22, 2004 @11:38AM (#10319661)

    it looks like Diebold has more to worry about

    You mean, it looks like the American people (and the rest of the world) have more to worry about. Diebold has been incredibly resistant to being damaged, no matter how many problems arise with their software.

  • by siskbc ( 598067 ) on Wednesday September 22, 2004 @11:39AM (#10319671) Homepage
    ...Me. After 150,324,123 mysterious write-in votes.
  • GEMS (Score:5, Insightful)

    by savagedome ( 742194 ) on Wednesday September 22, 2004 @11:39AM (#10319675)
    GEMS runs on the Windows operating system.

    Truly a Gem!

    But speaking generally on the vulnerabilities Harris mentions, Diebold spokesman David Bear said by phone that no one would risk manipulating votes in an election because it's against the law and carries a heavy penalty.

    I am shocked. Shocked.

    He also said that election "policies and procedures dictate that no (single) person has access or is in control of a (voting) system," so it would be impossible for anyone to change votes on a machine without others noticing it. And even if someone managed to change the votes, auditing procedures would detect it.

    And this just is a killer. What is this guy smoking? Auditing is not done by default anyway. I am pretty certain Cthulhu is going to be elected.
  • Priceless (Score:5, Funny)

    by TheJavaGuy ( 725547 ) on Wednesday September 22, 2004 @11:39AM (#10319676) Homepage
    From Yakov Shafranovich's [shaftek.org] blog:

    Microsoft Windows 2000: $200
    Microsoft Access 2000: $200
    PC: $500
    Hiring an embezzler to put in three set of election results into your voting software controllable by a hidden combination of keys known only to you: $60,000 Changing the election results in favor of your candidate: priceless

    "Of course, there are some elections that money can't buy. For everything else, there is Diebold."

  • uh-oh (Score:5, Funny)

    by ch3ch2oh ( 768848 ) on Wednesday September 22, 2004 @11:41AM (#10319691)
    President CowboyNeal?
  • by Doc Ruby ( 173196 ) on Wednesday September 22, 2004 @11:43AM (#10319715) Homepage Journal
    Diebold obviously has nothing to worry about - they're getting away with their demolition of democracy, despite the incontrovertible evidence pouring in for the past several years. It is we who have a lot to worry about. Not only are they destroying the vote, but getting away with it means that those running the system are benefitting, or they'd stop it. The stolen election nightmare in America is getting worse, even when it was already unacceptably bad.
  • by blcamp ( 211756 ) on Wednesday September 22, 2004 @11:44AM (#10319722) Homepage

    I now have been elected governor in 15 states, plus chief justice in 4 others (but not in Caleefornya). I'm also now hold 22 of the Senate seats, 134 of the House, and I'm the Drain Commissioner in 2/3 of all counties in the US... ...and I am now also the Magistrate and/or District Judge everywhere I normally drive my car.

  • by pridkett ( 2666 ) on Wednesday September 22, 2004 @11:46AM (#10319750) Homepage Journal
    This is blown WAY out of proportion. The GEMS system doesn't actually count votes, that is still left up to the board of canvassers for each state. What GEMS does is provide a very fast way to get an UNOFFICIAL vote count for the state. From that aspect it's almost completely designed for the media that wants to know who won right away.

    Yes, it's a fact that GEMS is a web based product that utilizes off the shelf software as parts of interfaces (Windows, Access, etc). But it also should be noted, that web based does not mean connected to the web. If you read about the situation in Maryland, you'll see that the GEMS systems can only be connected to via modem and the modems have to be manually enabled to receive data. Thus you'd need to convince someone to turn on the modem and then call in to run this script. (Insert Kevin Mitnick social hacking commentary here.)

    That being said, that doesn't excuse the programmers from anything. Yes, it's a bug. Yes, in voting systems it shouldn't be there. Yes, open source would be better. But this is misleading because it doesn't have anything to do with an individual vote or the official vote count for the state.
    • by neitzsche ( 520188 ) * on Wednesday September 22, 2004 @12:36PM (#10320321) Journal
      Where *did* you get such confidence in your local election poll cronies? Why would you even for a second think that procedures are always followed flawlessly?

      Why would you suggest that having the wrong candidate reported as the winner would not have any effect? What about other polls that are still open, or states that are three or more hours behind?

      That is precisely what happened in Western Florida in the 2000 fiasco. It had been decades since a single vote even seemed like it could matter - so if you've heard the news that your state has already decided on a candidate, why drive out to the poll?

      The combination of many factors (modems? MODEMS!? Web-based? Bugs? Untested? Lack of peer review?!) compromising the security of the system indicates premeditated culpability.

      Where *is* my tin-foil hat?
  • SciAm (Score:5, Informative)

    by Paulrothrock ( 685079 ) on Wednesday September 22, 2004 @11:47AM (#10319773) Homepage Journal
    If you'd like some more in-depth knowledge about voting machines, Scientific American is running a great article in their 10/2004 issue.
  • Economist article (Score:5, Interesting)

    by rm007 ( 616365 ) on Wednesday September 22, 2004 @11:48AM (#10319780) Journal
    For those interested, the current issue of The Economist has an article on voting technology [economist.com]. It does not, of course, discuss this latest development, but gives a good overview of the area, with a great deal of attention given to the issue of paper, paper trails, and making the whole system more transparent.
  • by Anonymous Coward on Wednesday September 22, 2004 @11:50AM (#10319808)
    "Diebold spokesman David Bear said by phone that no one would risk manipulating votes in an election because it's against the law and carries a heavy penalty."

    Yeah, that's why there's never been any vote fraud in this country...I gotta remember to keep my shotgun loaded this November, that's when the dead people come out to vote in Chicago...

  • In Canada (Score:5, Insightful)

    by Sophrosyne ( 630428 ) on Wednesday September 22, 2004 @11:52AM (#10319831) Homepage
    ...we just put an "X" in a "box" on something called a piece of paper. On this piece of paper, which we call a "ballot", there is a list of perhaps 4 or 5 names depending on the number of candidates running. You mark an "X" beside the name of the person you wish to vote for... then you take this "ballot" and place it in a cardboard-box.
    It may be a little high-tech but this method could catch on in developing democracies like the U.S.
  • by codepunk ( 167897 ) on Wednesday September 22, 2004 @11:53AM (#10319845)
    del stupidaccess.mdb

  • by dogas ( 312359 ) on Wednesday September 22, 2004 @11:54AM (#10319858) Homepage
    black box voting [blackboxvoting.org] has 5 (!) different demonstrations on how easy it is to hack these things. There is also an online book (in PDF format) all about how bad the situation really is.

    This is serious. Not only are they using a microsoft access (!!) database to store your vote, they are using a non-password protected access database.

    Not only are they using a non-password protected access database, you can gain access to the .mdb by hitting a certain key on the touch screen and manipulating at will. Are we living in crazy world?
  • by Control-Z ( 321144 ) on Wednesday September 22, 2004 @11:55AM (#10319867)
    What's the big deal about voting machine fraud? If you see any fraud being commited, just write an NEGATIVE SCRIPT to offset those fraudulent votes. That way we'll keep the election nice and balanced.
  • nice to know (Score:4, Interesting)

    by simontek2 ( 523795 ) <[SimonTek] [at] [gmail.com]> on Wednesday September 22, 2004 @11:57AM (#10319886) Homepage Journal
    I was trained to fix those here in Georgia. Sad thing I find out bout this thru /. not them.
  • by puke76 ( 775195 ) on Wednesday September 22, 2004 @12:01PM (#10319928) Homepage
    I submitted this in April, crack mods rejected it.

    Two brothers will count 80% of the vote. [scoop.co.nz]

    In a country where no-bid contracts and the VP's corporate relationships aren't questioned, this is worrying.
  • by upsidedown_duck ( 788782 ) on Wednesday September 22, 2004 @12:05PM (#10319968)

    I wonder what medicine and aviation would be like if their devices were allowed to be built like Diebold builds their machines. Lives on the line vs. the life of our democracy on the line...I don't see that great a distinction.
  • by Paulrothrock ( 685079 ) on Wednesday September 22, 2004 @12:05PM (#10319969) Homepage Journal
    Diebold spokesman David Bear said by phone that no one would risk manipulating votes in an election because it's against the law and carries a heavy penalty.

    WTF?!? Murder is against the law and carries a heavy penalty and people still do it, numbnuts.

    Diebold is saying essentially what the Bush administration and, really, all NeoCons. "Trust us, we'll do what's right. Why shouldn't you trust us? We're respected people in power."

    Hell, that was an argument a White House attorney made in front of the Supreme Court! When asked whether a chief executive could falsify documents he said something to the effect of "Yes, but *this* chief executive wouldn't do that."

    Why not create a system with ways to keep people from doing things that we don't like, instead of *trusting* people you *don't know* to do the right thing. We could call it something like "checks and balances."

  • by dioscaido ( 541037 ) on Wednesday September 22, 2004 @12:13PM (#10320065)
    ... for Diebold's absolutely retarded system design and configuration. Come on people, if you are building a 'secure application', you do not place the interface and the voting data at the same user protection level. Hell, you probably don't want to place the voting data in the same physical location as the interface.

    But really, this is somehow Microsoft's fault. I know it!! :)
  • Yesterday, Diebold sent out a PR piece over BugTraq saying that "Diebold strongly refutes the existence of any 'back doors' or 'hidden codes' in its GEMS software" in response to a BugTraq post in August that announced the discovery of a backdoor in GEMS. The backdoor announcement wasn't substantiated with any technical details.

    While this Slashdot aricle appears to reference a vulnerability rather than a backdoor, I just thought that some might find this to be an interesting related story.

    Here it is from the horse's mouth:

    http://www.securityfocus.com/archive/1/375954/2004 -09-19/2004-09-25/0 [securityfocus.com]
  • by EaglesNest ( 524150 ) on Wednesday September 22, 2004 @12:40PM (#10320370)
    Requirements for paperless machines

    Essential: Build the machine and software from the ground up starting with the proposition that you will have to recount the votes. All other considerations are secondary.

    Parallel testing. On the day of election, randomly select a machine, pull it out, and run a simulated voting process on it. Compare the results with what they should be. Video the entire process. If the results are wrong, go back and investigate the video tape. It should be done for each polling place. This is expensive. The machines cost $3,000-$5,000.

    Test before, during, and after elections.

    California requires mandatory recounting for a random 1% sample of all ballots. This was introduced after optical scan ballots. This should be a national law.

    New Hamphire allows any candidate to demand a recount for up to a 3% margin. Experts know how to count.

    Florida did not know how to count votes correctly like many other states.

    Issues like blind access are important to the blind, but remember our priorities! Recounts are the essential priority!

    Ways to Cheat

    Don't activate the cheating until after the election starts.

    Only cheat with a few machines. Only a margin is required to swing a close election.

    No verifiable audit trial. Design a paperless machine that counts votes and is not voter verifiable.

    Get access to the machine before or after the election. The machines are almost always kept in insecure storage and shipped via insecure delivery.

    Randomly change a number of votes each way each time you check the results. Change some votes for Kerry and some votes for Bush. Just weigh the cheating for your candidate. This way, you can't tell whether the cheating is a bug or malicious code.

  • This is great. (Score:3, Interesting)

    by blueforce ( 192332 ) <clannagael@gmaiPERIODl.com minus punct> on Wednesday September 22, 2004 @12:42PM (#10320388) Homepage Journal
    Diebold is headquartered here in Canton, OH where I work. I have some buddies that are programmers over there.

    Unfortunately, none of my buddies work on the voting software but man, oh man, is this gonna be fun.

    I especially love the quote about "...incompetence and indicate that Diebold programmers simply don't know how to design a secure system." We've always had the friendly "our programmers are better than your programmers" competition but I guess it's obvious we win.
  • by dtjohnson ( 102237 ) on Wednesday September 22, 2004 @12:44PM (#10320414)
    My voting precinct has recently began using an optical scan voting system in which you blacken in little circles on the paper ballot for your choice and then feed your ballot into the vote scanning machine which then tallies the results and records them electronically. At the end of the day, the results get sent electronically to some central point where they are supposedly tallied. Anyway, I voted last Tuesday in a statewide primary and when I arrived about 20 minutes after the polls opened, there was already a long line of people waiting to feed their ballots into the vote scanner machine which was refusing to accept any of them. The voting supervisor guy was a gentleman in his 80s who obviously did not have a clue about what to do to either fix the machine or report the problem. People kept arriving, filling out their votes, and then lining up until the place was jammed. (There were 6 precincts using one vote scanning machine). Finally, one of the poll workers got a cardboard box, wrote 'votes' on the side, and said we could just leave our ballots in the box and they would feed them into the vote scanning machine later when it was 'fixed.' So...that's what everyone did since people had to get on to work and such. My conclusion was that this e-voting system was extremely vulnerable to any sort of problem, easily circumvented with fraud, and, in this case, didn't preserve ballot secrecy. This stuff never even got a mention in a newspaper which reported instead how well the voting went.
  • Bullshit! (Score:5, Insightful)

    by natoochtoniket ( 763630 ) on Wednesday September 22, 2004 @12:45PM (#10320423)
    Jefferson added that he doesn't believe that the vulnerabilities show deliberate malice... But the vulnerabilities do show incompetence and indicate that Diebold programmers simply don't know how to design a secure system.

    I call bullshit!

    I'm sure the Diebold people do understand security, very well. Security is their main business. Clearly, the absense of security in the voting systems is not a result of accident, oversight, or incompetence. I am sure the absense of security is absolutely intentional.

    These machines are designed, from the start, to rig elections.

  • by CodeMonkey4Hire ( 773870 ) on Wednesday September 22, 2004 @01:01PM (#10320588)
    Harris and the activist stand to make millions from the suit if they and the state win their case.
    Why the [fh][eu][cl][kl] would he get any money? This is like a whistleblower suing a company for fleecing its investors and paying all the money to him instead of the investors.
  • by canfirman ( 697952 ) <[ac.oohay] [ta] [52ivadp]> on Wednesday September 22, 2004 @01:20PM (#10320897)
    Jim Marsh's webpage, http://www.equalccw.com/deandemo.html [equalccw.com]"The Howard Dean Demo" shows in pictures how easy it is to manipulate the votes. It makes you wonder why the government pushes ahead with electronic voting when they know there are problems.
  • by garyok ( 218493 ) on Wednesday September 22, 2004 @01:42PM (#10321180)
    Given that one of the 2 main directorates of the NSA is the Information Assurance Directorate, with the mission statement
    IAD's mission involves detecting, reporting, and responding to cyber threats; making encryption codes to securely pass information between systems; and embedding IA measures directly into the emerging Global Information Grid. It includes building secure audio and video communications equipment, making tamper protection products, and providing trusted microelectronics solutions. It entails testing the security of customers' systems, providing OPSEC assistance, and evaluating commercial software and hardware against nationally set standards.
    the question is "How come the NSA haven't gone all Enemy of the State [imdb.com] on Diebold's collective ass?" I mean we are talking about the most important set of communications in the world's most wealthy democracy: who the people want to run their country.

    Someone isn't doing their job.

    Mind you, maybe their Signals Intelligence Directorate will intercept this on the way to your servers in the US (I'm in the UK) and they'll take the piss out of the other Directorate until they can't stand the shame and get their fingers out their asses.

  • Not That Worrying (Score:4, Interesting)

    by angst_ridden_hipster ( 23104 ) on Wednesday September 22, 2004 @01:53PM (#10321309) Homepage Journal
    Let's face it people, voter fraud is easy with or without computers.

    Personal Anecdote:
    My polling station got upgraded from the punch-out-the-chad-with-a-stylus system to a poke-the-spot-with-an-ink-stylus system between the last two elections.
    My area is heavily Democratic. For efficiency's sake, the polling area has five carrels for Democrats, and two carrels for Republicans. As part of the semi-legendary radical socialist wing of the Republican party, I was waiting for one of the Republican carrels to open up. It was taking a long time, as an elderly Republican neighbor of mine was trying to vote. He complained to the polling place staff that the stylus was not poking out the chads. To demonstrate that it was OK, they pulled a blank ballot off the pad, stuck it in the machine, and stamped a few (possibly) random votes, and pulled it out to show him that the machine was, in fact, working. They then tossed the ballot away. (He was convinced they were trying to invalidate his vote, so he ended up punching each vote all the way through anyway).

    But no-one batted an eye that they had just created an illegal ballot. When I called the election office to complain, they gave me a song and dance about how it would have been impossible for them to insert it into the ballot box without raising red flags, how the register would not match, etc. But they don't let you insert you ballot directly into the box yourself; you hand it to someone and you watch them put it into the box. It would be trivial to do a quick palming of one ballot and insertion of another.

    With the last election being so close, it would only take a few votes per polling station to throw an election. Bruce Schneier calculated it out in a recent article in terms of cost per vote, and it was quite low. Sure, it would be more expensive and would involve more people to do it in the old-fashioned low-tech way than it would with Diebold's patented cheating system, but the difference is only a factor of two or so. Given the stakes in a national election, that's down in the noise.

    So basically, you either have to trust the system and believe that people will not cheat in the election, or assume that cheating is ubiquitous regardless of the physical system used.

    #cynicism on
    OK: cynicism mode on

    In other words, We The People are fucked, we have been fucked, and we will continue to be fucked.

    #cynicism off
    ERROR: Cynicism mode cannot be disabled.

Mausoleum: The final and funniest folly of the rich. -- Ambrose Bierce

Working...