
Damning Report On Sequoia E-Voting Machine Security

Posted by kdawson
from the worse-than-you-thought dept.
TechDirt notes the publication of the New Jersey voting machine study, the attempted suppression of which we have been discussing for a while now. The paper that the Princeton and Lehigh University researchers are releasing, as permitted by the Court, is "the same as the Court's redacted version, but with a few introductory paragraphs about the court case, Gusciora v. Corzine." What's new is the release of a 90-minute evidentiary video — the researchers have asked the court for permission to release a shorter version that hits the high points, as the high-res video is about 1 GB in size. See TechDirt's article for the report's executive summary listing eight ways the AVC Advantage 9.00 voting machine can be subverted.
  • Don't look (Score:5, Funny)

    by Anonymous Coward on Tuesday October 21, 2008 @06:19PM (#25460925)
    Don't read the report about voting machines. It contains spoilers about who wins next month.
    • by BorgAssimilator (1167391) on Tuesday October 21, 2008 @06:38PM (#25461155)
      It's ok, the spoilers were already announced:

      http://www.theonion.com/content/video/diebold_accidentally_leaks [theonion.com]
  • by Anonymous Coward

    My reading comprehension must have failed a saving throw. I can't understand the summary.

  • by l0ungeb0y (442022) on Tuesday October 21, 2008 @06:21PM (#25460961) Homepage Journal

    "We provide this voting booth for entertainment purposes only. Use of this machine does not constitute the actual act of voting for a bill or candidate. The State of [INSERT_STATE_NAME_HERE] and the United States Federal Government are not liable for any damages that may arise through the use of this entertainment apparatus."

    That ought to do it.

    • by TechwoIf (1004763)
      That would be a good way to protest. Go to vote and place that sticker on the machine. Get a few to do it to modify all the machines in the voting place.
    • Re: (Score:2, Interesting)

      by waferbuster (580266)
      You forgot the most important part that appears on lottery machines (and by association should appear on voting machines): "Any malfunction voids play results."
      • Re: (Score:2, Insightful)

        by waferbuster (580266)
        I know... it's not couth to reply to my own posting, but on reflection I had it wrong above. Or rather, I posted poor concepts. Just voiding play on a voting machine is very different from voiding play on a lottery machine.
        The reason is that from the viewpoint of lottery, an individual player gets an individual result (win/lose). A voter is placing a vote which is aggregated with the corresponding inputs from other voters to determine the election winner (we'll ignore the electoral college as being ove
  • by corsec67 (627446) on Tuesday October 21, 2008 @06:21PM (#25460965) Homepage Journal

    An oxymoron.

    The only thing an e-voting machine should be used for is printing a paper ballot.

    Count the paper ballots.

    Anything else means you have to trust the voting machine, or the people who verified the voting machine.
    (You have to make sure that there are no hidden things in any of the chips, the software, any memory card that comes into contact with the machine, the network that the machine is connected to, etc. Seriously, who can possibly think that an E-voting machine with a Sprint data card in it is secure?)

    • Re: (Score:3, Insightful)

      by penguinbrat (711309)

      You have a very good point here - why are these things even doing all the "tallying" on their own? Wasn't the overall MAIN issue the validity of "hanging chads" and the like - why in the hell can't we have a simple machine with all the same bells and whistles that simply punches the damn things for us?!?!

      On a side note - how hard can this stuff be? It's not like they aren't making a fortune from these things - it's seeming like they are barely able to break even so they have to hire "below the barrel" t

      • by corsec67 (627446) on Tuesday October 21, 2008 @06:50PM (#25461315) Homepage Journal

        On a side note - how hard can this stuff be? It's not like they aren't making a fortune from these things - it's seeming like they are barely able to break even so they have to hire "below the barrel" talent...

        Making a machine that counts or tallies votes shouldn't be very hard, and should be a first year programming assignment.

        Making that whole system *secure*, otoh, is almost impossible, especially when it is something as large and distributed as a national voting system. If a company could actually make a completely secure voting system, they could also have a good DRM system. (Yeah, I did say "good DRM system", which shows how possible I think that is)

        From Ken Thompson's essay Reflections on Trusting Trust [bell-labs.com], he says it isn't enough to check the source code, you also have to check the compiler, the output from that compiler, and I would add, in the context of a voting system, everything that is or could be in the system/network.

        • by log1385 (1199377)
          Is it all that hard to create a secure voting system? People send their credit card numbers over the internet all the time. Insurance companies and hospitals use computers to store some very sensitive information. Why can't voting machines be as secure as these?
          • by corsec67 (627446) on Tuesday October 21, 2008 @07:08PM (#25461487) Homepage Journal

            Because those are different cases.

            The user isn't going to hack his own computer to get his credit card number. Hope that person's computer doesn't have a virus or key logger.

            That insurance company or hospital hopefully will have physical security protecting their machines. That doesn't always work, surely you have seen the articles about x million people's data lost from (company of the week).

            Securing E-voting is really like DRM: you want to distribute a device to potential hackers, and keep it secure from those hackers.

            • by LrdDimwit (1133419) on Tuesday October 21, 2008 @09:00PM (#25462657)
              There is also the not-at-all-a-small-issue of anonymity. Your voting mechanism must ensure that a particular account number (i.e. a voter's identity) can be used at most one time per election. And you have to record what it was used for anonymously so that what was done with the account literally cannot be traced back to the account holder.

              Most of the common credit card fraud-prevention schemes (such as date/time stamping every transaction) violate this. Not really a surprise, since the credit card system is designed to enforce accountability, the antithesis of anonymity (the whole purpose of anonymity is to avoid accountability).

              Fundamentally, anonymity is about removing traceability information, and fraud prevention is about maintaining it. These are both core requirements, and they directly work against one another.
              • by SUPAMODEL (601827) on Wednesday October 22, 2008 @05:38AM (#25465779)
                This weekend, I voted in an election in the place where I live in Australia. I used one of their electronic voting things. Note that voting is compulsory here.

                I walked in, they use a computer to work out that I had not gone to another area where I could vote. They then gave me a card with a barcode on it, which is randomly picked up from a pile. It is not associated with my name in any way. The only association was "yes, this person has elected for electronic voting", but no barcode info was recorded.

                I then go to the system, swipe the barcode. The barcode thing had an approximately 70 character string underneath it. I think it was a hash or something to verify that a) the barcode related to the electorate that the voting booth was related to and b) that it was issued from this site. Each barcode had a different identifier.

                I then vote for the candidates as I wish. The system would not allow you to make an invalid vote (we use a preferential system here; needed to vote in order of preference of at least 7 candidates, 35 on the ballot paper in total). I did this, and hit the button to let me review it. The system then displays the preference information you've put in. You have to swipe your barcode again to verify that it is the correct one. If it would not swipe, or you needed help, you could hide the vote on the screen and get an election official to help.

                Once the barcode is swiped, my vote was stored in the system. I then had to place the barcode into the ballot box that paper voters would place their completed ballots in. My vote would not have been counted from the system if my barcode had not been present.

                Would I prefer an open system? Yes, most definitely, and I have written my comments to those running the election. I would have preferred it to print out a completed ballot paper I could check and lodge that.

                I think it covers most of the fraud. Is the number of barcodes equal to the number of voters? If not, then fraud has been committed by someone trying to stuff the ballot box. My name is not in any way associated with my vote, but it is counted if the barcode is placed into the ballot box. The barcode also could not be used at different voting booths, even in the same electorate (at least that is my understanding).

                So, for me, I think the issue of nontraceability and fraud prevention is somewhat solved by this system. Fraud could still occur in how the system records the vote, but at least you are given ample opportunity to see if your candidates have been correctly preferenced. Also, if it fucks up and you aren't happy with it, at any time you can say "no, clear my vote", your barcode is torn up, and you can do it by paper. I think that should always be an option.
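
The card scheme described in the comment above, sketched as an added example (not part of the original post and not the real system's design). It assumes the string under the barcode is an HMAC over electorate, site and a random card id, which the commenter only guessed at; all names and field layouts are hypothetical.

```python
import hashlib
import hmac
import secrets


def _tag(key, electorate, site, token_id):
    # Assumed layout: MAC over "electorate|site|token_id" with an election key.
    msg = f"{electorate}|{site}|{token_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def print_token(key, electorate, site):
    """Pre-print one card: a random id plus a MAC binding it to electorate and site."""
    token_id = secrets.token_hex(8)
    return f"{electorate}|{site}|{token_id}|{_tag(key, electorate, site, token_id)}"


class Desk:
    """Marks voters off the roll and hands out a random card from the pile."""

    def __init__(self, pile):
        self.pile = list(pile)
        self.electronic_voters = 0  # a count only; never which card went to whom

    def hand_out(self):
        self.electronic_voters += 1
        return self.pile.pop(secrets.randbelow(len(self.pile)))


class Booth:
    def __init__(self, key, electorate, site):
        self.key, self.electorate, self.site = key, electorate, site
        self.stored = {}  # token_id -> preferences; no voter identity anywhere

    def verify(self, token):
        parts = token.split("|")
        if len(parts) != 4:
            raise ValueError("malformed token")
        electorate, site, token_id, tag = parts
        expected = _tag(self.key, electorate, site, token_id)
        # Constant-time comparison; a forged or edited card fails here.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            raise ValueError("token was not issued by this election")
        if (electorate, site) != (self.electorate, self.site):
            raise ValueError("token belongs to another electorate or site")
        return token_id

    def cast(self, first_swipe, preferences, confirm_swipe):
        token_id = self.verify(first_swipe)
        if self.verify(confirm_swipe) != token_id:
            raise ValueError("confirmation swipe is a different card")
        if token_id in self.stored:
            raise ValueError("token already used")  # at most one vote per card
        self.stored[token_id] = list(preferences)


def tally(booth, ballot_box, electronic_voters):
    """Count only votes whose card is in the box, then reconcile the totals."""
    deposited = [booth.verify(t) for t in ballot_box]  # forged cards raise here
    unique = set(deposited)
    counted = [p for tid, p in booth.stored.items() if tid in unique]
    return {
        "counted": counted,
        "duplicates_in_box": len(deposited) - len(unique),
        # Cards in the box must match the number of voters marked off as electronic.
        "reconciled": len(unique) == len(deposited) == electronic_voters,
    }
```

As the comment itself notes, this only addresses eligibility and anonymity; it says nothing about whether the booth stores the preferences the voter actually entered.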
        • Re: (Score:3, Informative)

          Making that whole system *secure*, otoh, is almost impossible,

          Making a human and machine readable, voter verified, printout is far from impossible; in fact it's simple. Safely getting paper ballots from the voting locations to a central polling place is simple. Counting the human and machine verifiable ballots with a high degree of accuracy is simple.
          Now making an e-voting system that is obtuse and vague enough that elections can be skewed with a good shot at deniability and a complete lack of paper trail?
        • Re: (Score:3, Insightful)

          by peragrin (659227)

          you do realize that most e-voting machines run windows right?

          The base OS in these machines is fscked from the beginning, there is no way to secure them completely.

          If they used OpenBSD, stripped of all unnecessary components compiled from scratch from at least two different compilers to double check all the outputs and inputs then you have a reasonable base to start with. DRM on all software pieces is also needed. at the very least a hash system to approve updates unless they occur 10 days before and 10

          • Re: (Score:3, Informative)

            by GigaplexNZ (1233886)
            Or perhaps just use a micro and run an embedded application rather than running a pre-emptive multitasking operating system. It doesn't need to do much.
        • Re: (Score:3, Insightful)

          Making that whole system *secure*, otoh, is almost impossible, especially when it is something as large and distributed as a national voting system. If a company could actually make a completely secure voting system, they could also have a good DRM system. (Yeah, I did say "good DRM system", which shows how possible I think that is)

          From Ken Thompson's essay Reflections on Trusting Trust [bell-labs.com], he says it isn't enough to check the source code, you also have to check the compiler, the output from that compiler, and I would add, in the context of a voting system, everything that is or could be in the system/network.

          I would like to respectfully disagree here. Your comment can too easily be summarized to "well, if you can't solve every possible flaw, you don't have a secure system, and so there's no point in trying, if they're all insecure anyway, any system is as bad as any other."

          This belief is flawed. Even if you can't prove that there isn't any possible attack, it is nevertheless true that there are better systems and worse systems, and you don't want a worse system. Being able to check the source code-- and

          • Re: (Score:3, Insightful)

            by TapeCutter (624760)
            Suppose we had such a situation as you suggest and thousands of reviewers pawed over the code making it "as good as it gets". How do you verify the code that was reviewed is the code that is running?

            "if they're all insecure anyway, any system is as bad as any other."

            It is true that all voting systems are open to fraud, however rigging a paper election is orders of magnitude more difficult than rigging an electronic election simply because of the number of people needed to implement the "hack".

            With
            • Re: (Score:3, Insightful)

              Suppose we had such a situation as you suggest and thousands of reviewers pawed over the code making it "as good as it gets". How do you verify the code that was reviewed is the code that is running?

              If the code that's reviewed is not the same as the code that's running, this is in itself evidence of fraud. You don't need to look for a back door in this case; you don't need to even know what the code that's running does, you have already shown fraud.

    • by entgod (998805) on Tuesday October 21, 2008 @06:36PM (#25461131)
      They could, in addition to printing the paper ballots, count the votes. That way it would be possible for people to see the votes being cast in almost real-time. I would like it. Of course, the official count would be done by hand.
    • Re: (Score:2, Insightful)

      by SlashDev (627697)
      It's just as reliable as the computers, network, memory and hard drives you used to keep your bank records and run the stock market. I don't see anyone complain about those....
      • by corsec67 (627446) on Tuesday October 21, 2008 @07:11PM (#25461527) Homepage Journal

        Because the people with *physical* access aren't (usually) the people trying to hack the systems.

      • by fuzzyfuzzyfungus (1223518) on Tuesday October 21, 2008 @07:37PM (#25461819) Journal
        There are three problems with that analogy: Centralization vs. distribution, steady load vs. bursty load, and willingness to pay.

        Things like financial recordkeeping and stock trading are relatively steady, constant, loads that can be handled in a fairly small number of highly centralized locations, for which people are willing to pay a great deal of money.

        Voting is a highly bursty and uneven load, spread across tens of thousands of sites and systems, for which people don't seem willing to spend all that much.

        It is definitely true that voting machines can be made secure in theory (and we know that they could be made far more secure than they are: not only are the current models not good enough, they aren't even as good as current generation consoles); but the analogy between voting systems and financial systems is weak and misleading. More accurate might be an analogy between voting machines and point of sale systems. Unfortunately, those are plagued by card skimmers and similar, despite the fact that they have the advantage of it being possible to calculate the "correct" outcome. It is fairly easy to detect and rectify fraudulent transactions just by looking at financial records. You can't do the same with votes.
    • by HTH NE1 (675604)

      The only thing an e-voting machine should be used for is printing a paper ballot.

      Count the paper ballots.

      You also have to make sure it prints completed ballots when and only when a voter is present and voting, once per voter.

      And only when the voter has made all his choices and warns the voter if he leaves without completing the ballot submission process.

    • by mangu (126918) on Tuesday October 21, 2008 @07:39PM (#25461843)

      Count the paper ballots

      Yeah, right! NO ONE can cheat in an election with paper ballots! The concept of a corrupt government did not exist before the invention of electronic voting.

      *BULLSHIT*

      Reading TFA: This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this ``hack'' takes just 7 minutes to perform.

      Do you want to make a bet? Let's see how many paper ballots I can stuff in 7 minutes, given the same level of physical access one needs to change a chip in a computer. This means I can open a box, right? It doesn't matter if the box is electronic or not, it should have a padlock. If I can open the box, with no one noticing, it doesn't matter if the content is electronic or paper.

      The intrinsic safety of electronic voting comes from the agility in counting. Counting a paper ballot box takes much longer than it takes to fill that box with a totally different set of votes. By the time you have counted, recounted, and counted again those paper votes, they could have been substituted a dozen times.
       

      • by corsec67 (627446) on Tuesday October 21, 2008 @08:04PM (#25462103) Homepage Journal

        Let's change your bet a little bit. The 7 minutes are 2 days before the election. You get private time with the ballot box, I get private time with the voting machine.

        What can you do to the ballot box that wouldn't be noticeable 2 days later and still affect the vote?

        I was an election judge for Boulder County in 2004. Part of my duties as the head election judge for the precinct was to make sure that there was nothing in the ballot box and seal it. From that time until I handed the box to the county officials, it was not left in the presence of any single person, so nobody would have 7 minutes during the election day.

        You can't stuff the ballot box 2 days before the election with nobody being able to notice.

        **THAT** is what they are complaining about. The machines were left in publicly accessible areas for days before the election. Replace one of the chips with that 7 minutes, and it would take a very detailed examination to notice the problem.

        • by mangu (126918) on Tuesday October 21, 2008 @09:18PM (#25462815)

          I was an election judge for Boulder County in 2004

          And I was an election judge for Itatiaia, in Brazil, in 1998. I had more or less the same duties as you had. It was an electronic box.

          I inserted a flash card with the software, including the operating system, which was given to me by an officer of the electoral court minutes before the election started.

          If you can corrupt a representative of the judge who is responsible for declaring if the vote is correct, does it matter if the box is electronic or paper?

          From that time until I handed the box to the county officials

          You are ready to swear for the honesty of those county officials, yet you don't trust the people who handled the electronic box before the election?

          The machines were left in publicly accessible areas for days before the election.

          That's *WRONG*, no matter if the ballots were paper or electronic. No part of an electoral process should be left unattended at any time at all.

          To sum up, you have absolute trust in the paper voting system, because you have absolute trust in the way the paper ballot was handled *AFTER* the election, but you mistrust the electronic vote because you mistrust the way the electronic box is handled *BEFORE* the election.

          For me, both systems can be corrupted, but the electronic system is better because, given the same level of precaution before and after the election, the electronic system gives faster results. To cheat, you need physical access to the system, so the quickest system is safer.

          • Re: (Score:3, Insightful)

            by corsec67 (627446)

            If you can corrupt a representative of the judge who is responsible for declaring if the vote is correct, does it matter if the box is electronic or paper?

            Not really, no.

            That's *WRONG*, no matter if the ballots were paper or electronic. No part of an electoral process should be left unattended at any time at all.

            What about when the stuff is in storage? What if someone replaces the processor with a near duplicate that changes the voting output when certain conditions are true (time, the ID of the election, n

            • by innerweb (721995)

              Except that it is really hard to corrupt a paper ballot before the election. Faster vote tallying also means faster vote tampering. I don't know why you think fast processing means safe. Paper voting isn't perfectly secure. It is just that almost all tampering will leave evidence. That isn't true at all for pure electronic voting

              Bravo, my sentiments exactly!

              Paper is hard to corrupt before the election, yet, it has been done. I think the real problem is that we the people care too little about the security

      • by rtb61 (674572) on Wednesday October 22, 2008 @02:57AM (#25465127) Homepage

        You obviously have no idea how a regulated manual system works when the government is corrupt and already using force to sustain its rule. In a manual system, there are volunteers from all parties attending the ballot process, including, sealing of empty ballot boxes, handing out of the ballots, monitoring the filling of the ballot boxes, unsealing and emptying of the ballot boxes, and counting of the ballots. Normally the voting and ballot counting occur at the same location avoiding transport of ballot box problems.

        In addition to the volunteers from all parties doing all the work, there are paid officials who supervise and monitor the activities of the volunteers. In a lot of countries the election takes place on a Saturday, to ensure easy access for volunteers as well as of course for voters and enabling the use of the numerous school halls available around most countries for the voting and vote counting process.

        So cheating is enormously difficult and only really happens in regional areas, where the volunteers are all from one party and the election official is also corrupt, catch is only one or a handful of polling booths out of thousands is corrupted and, in reality only has negligible impact upon the election as a whole (and the risk is huge and the penalties severe).

        With electronic voting machines and electronic vote counting machines of paper ballots, all with secret unverifiable code, as well as unverifiable electronic chips (how many are removed from their plastic housing and microscopically scanned and analysed), the whole election can be rigged and the electorate has absolutely no means by which to verify the validity of the electronic election process and even with receipts of electronic votes, the winning party will simply deny the chain of legal possession of those receipts to verify their authenticity. Only a fool would think that stuffing one election box at one polling booth, would compare with hacking the voting machines, the transfer of the output of the vote counting machines to the data analysis location and of course the data output of the analysis device.

        Elections are all about people governing other people, so people should be fully involved in the control of and verification of every part of the process. The election is the single most fundamental part of any democracy and every step should be taken to ensure its safety and validity, from voter registration to the final vote tally.

    • by flyingsquid (813711) on Tuesday October 21, 2008 @08:42PM (#25462475)

      The only thing an e-voting machine should be used for is printing a paper ballot. Count the paper ballots. Anything else means you have to trust the voting machine, or the people who verified the voting machine. (You have to make sure that there are no hidden things in any of the chips, the software, any memory card that comes into contact with the machine, the network that the machine is connected to, etc. Seriously, who can possibly think that an E-voting machine with a Sprint data card in it is secure?)

      Nonsense. The vast majority of computer security experts agree that electronic voting machines are the safest, most secure way to conduct an election, and that they are virtually immune to tampering or forging of votes.*

      *results of a poll of 1000 experts conducted using Diebold voting machines. 93 of 1000 said electronic voting was not secure, 1237 out of 1000 said that it was.

    • by mi (197448)

      Count the paper ballots.

      Anything else means you have to trust the voting machine, or the people who verified the voting machine.

      Or the people, who count the paper ballots... I'd rather trust a machine, however imperfect...

    • Anything else means you have to trust the voting machine, or the people who verified the voting machine.

      Because the people counting the paper ballot are implicitly trustworthy? For that matter, can you trust people to vote intelligently? The technology is just a piece of equipment. Trust is something we place in people, or not. The machine has nothing to do with it.

  • by circletimessquare (444983) <circletimessquare&gmail,com> on Tuesday October 21, 2008 @06:28PM (#25461021) Homepage Journal

    could be made 100% secure, foolproof, etc., it should still not be used

    simply because of the PERCEPTION of what happens to your vote in electronic voting

    it is a black box. your votes go in, sausage comes out. meanwhile, a piece of paper has no secrets. it stays in a box, it can be retallied. it can be messed with and falsified and burned, sure. but not with such ease and not in so many quick secret and immensely powerful ways electrons or magnetic marks on a disk can be messed with

    all nations should use paper ballots, doesn't matter how rich they are. joe schmoe needs to touch and feel and smell his vote. voting machines and electronic voting represents a black box system, and therefore represents too much fundamental distrust. distrust undermines the legitimacy of democratically elected governments in the eyes of the people

    it is not good enough that joe schmoe vote in absolute security and privacy and integrity. joe schmoe must also BELIEVE that. but in an irreducibly black box system, distrust is inescapable

    electronic voting is the greatest threat to democracy, ever. no ideological system or intolerant set of beliefs can undermine faith in democracy more than a method of tallying votes that the technofetishist loves, but the general populace views with suspicion

    you don't need to say "gee whiz" when you vote

    we need to end electronic voting, in the name of strengthening democracy

    • Re: (Score:3, Funny)

      by db32 (862117)

      joe schmoe needs to touch and feel and smell his vote.

      This certainly explains a lot. Apparently this is how we keep winding up with Republicans in office. If I had to sit and count poo streaks on a paper ballot all day I would demand E-voting too. There is clearly some confusion about what the booth is there for and what to do with the paper provided.

      • LOL (Score:5, Funny)

        by circletimessquare (444983) <circletimessquare&gmail,com> on Tuesday October 21, 2008 @06:49PM (#25461293) Homepage Journal

        actually, i was referring to a scratch and sniff voting system

        "hmmm... obama"

        scrathscrathscratch

        "yay! smells like jesus and cupcakes! ok, now... mccain"

        scrathscrathscratch

        "uggh. smells like depends and denture cream"

        • Re:LOL (Score:5, Insightful)

          by db32 (862117) on Tuesday October 21, 2008 @09:06PM (#25462711) Journal
          I can't bring myself to make a scented Palin joke.

          Every time I get upset about the tremendous disaster that our modern voting is with the rampant election fraud I remind myself... I am getting upset over the fairness of a system that will only let me choose between two criminals for who should be the leader. It seems to me that getting up in arms about the whole voting trainwreck is pretty stupid considering what we are demanding our votes get counted for. When I am faced with a choice more complex than liar/asshole vs asshole/liar I will be more concerned about how my vote gets counted. As it stands now I can rest assured that no matter what I do my vote would go towards putting a liar and an asshole in office.

          I mean really now...it's like being lost in the woods and choosing if you want to wipe the shit off your ass with your left hand or your right hand. Which hand you choose is pretty tangent to the fact that you are lost in the damned woods. Seems to me we should be a little more concerned about getting out of the woods than to be upset about which hand got shit on it.
          • Re:LOL (Score:5, Interesting)

            by TheLink (130905) on Wednesday October 22, 2008 @03:23AM (#25465231) Journal
            "... I am getting upset over the fairness of a system that will only let me choose between two criminals for who should be the leader."

            Aren't there more than two candidates? Can't you vote for the others instead?

            Apparently in the past election 60+ million voted for X and 59+ million voted for Y.

            But 80+ million didn't bother to even show up.

            Think X and Y might notice if the 80+ million voted for Z?

            I bet X and Y might also notice even if the 80+ million walked up to the voting booths and voted "none of the above" and thus "spoilt" their vote.

            At least the foreign media would be reminding them of it e.g. "Mr President, how can you say you have support of the people?".
        • Re:LOL (Score:5, Funny)

          by db32 (862117) on Tuesday October 21, 2008 @09:10PM (#25462765) Journal
          Oh yeah...and what does Jesus smell like?
          I am torn between sort of a dusty smell or a 2000 year old zombie smell. I guess it depends on your take on the story. Even best case scenario of coming back non rotted they didn't exactly bathe much back then and washing feet was a big damned deal. No matter what, I can't imagine Jesus is a good smell. (love or hate the fan club, regardless of the divine/not divine, the J man was a cool guy...and thankfully he was a Jew so probably has a good sense of humor so I don't have to sweat it much if he was divine)
    • by corsec67 (627446) on Tuesday October 21, 2008 @06:58PM (#25461411) Homepage Journal

      I think you have the perception most people have of computers wrong.

      Most people think computers are incapable of being incorrect. Microsoft is trying hard to change that, but they are getting less effective.

      If the computer is wrong, it must have been something that the user did incorrect. "I shouldn't have clicked on that link to that page", instead of "The browser is broken, it shouldn't have been vulnerable to the stuff on that page"

      I agree that paper ballots should be used, but most people think that if a computer is involved it will not be incorrect.

      • Most people think computers are incapable of being incorrect.

        I strongly disagree, and I'll explain why.

        Microsoft is trying hard to change that, but they are getting less effective.

        Heh :) A large portion of people remember the days of Windows 95 and apps crashing all over the place, and the infamous blue screen of death. Even in XP you run into the neat dialog box "[App crashed! Send us your private information yes-no?]".

        If the computer is wrong, it must have been something that the user did incorrectly.

        True some of the time. If the user can connect in their mind something they did with an undesired outcome, the outcome will act as a punishment [don't you love B.F. Skinner?] and they will learn to not do those things. Yo

    • Re: (Score:3, Insightful)

      For the majority of people, damn near everything in their lives is a "black box." Very few people understand how simple devices actually work. To most people:
      • The automobile is a black box: put gas in, motion comes out.
      • The computer is a black box: put electricity in, naked women come out.
      • Television is a black box: put electricity in, naked women come out.

      People have put their trust in black boxes for a long time. I'm neither for nor against electronic voting, but I do think there ought to be a paper tr

      • no (Score:3, Insightful)

        people can use computers, television, and the car, but they don't have to trust them. in fact, they don't. the tv has the biased media on it. the computer spies on them with cookies. the car is always breaking down. sure, they still use these tools, but that's not a question of trust going on with these things in the same way it is going on with their voting system. you do not have the same relationship you have with your tools that you have with your social environment

        a government is a purely human construc

        • I disagree. (Score:2, Interesting)

          Personally, I disagree. You seemed rushed in reply, but I don't think I would qualify those devices as "tools." A tool is a single-purpose object designed to solve or repair a problem, and can be checked for operating performance against a known standard. By that definition, that's all a voting machine should be, although I'm not sure I'd ever refer to a voting machine as a "tool." Then again, perhaps some election workers would argue that it solves the problem of hand-counting all those votes.

          a government is a purely human construct. it's all about social structure and where you fit into it. it's all about trusting or not trusting the other people around you.

          Yes, the

        • Re: (Score:3, Funny)

          by Falconhell (1289630)

          "people can use computers, television, and the car,"

          But not apparently, capital letters.

    • by AK Marc (707885)
      People in the US don't care. Brasil has a working electronic system that is trusted, so your premise is wrong. Less than 1% in the US care, and they are the ones making a stink, the other 99% believe whomever tells them the system works (whether paper, which has seen its share of fraud, or electronic).

      Electronic voting gives freedom to those with disabilities. Electronic voting gives instant results. Electronic voting allows for things like Internet voting. Electronic voting could eliminate all the wa
      • electronic voting in any democracy is wrong. it is nothing about americans or brazilians, it is about putting your trust in a system which is more easily exploitable

        do you think electronic voting is more or less exploitable than paper voting?

        if you think it is less exploitable, you fail at logic

        assume system a is more complex than system b. out of a simple logical consequence of it being more complex, it has many more avenues for exploitation in it

        you need the cooperation of dozens of campaign workers to mak

        • Re: (Score:3, Insightful)

          by AK Marc (707885)
          electronic voting in any democracy is wrong.

          It's what I said. You aren't arguing about it. You have made up your mind and are on a religious rant against the antichrist, I mean, e-vote. You aren't making coherent thoughts. You are arguing one point one time, and one the other. "No one can trust it" "OK, Brasil trusts it, but the entire country is wrong to do so." You'll change your statements to mold to whatever counter-arguments someone comes up with. Pick a fact, and I'll prove it wrong, but I c
          • 1. it helps when criticising someone to not commit the same crime you criticize them of. i leave it to your vast superior intellect to understand what i am talking about (snicker)

            2.

            However, that aside, take a system where you have paper ballots and holes to punch out. Would you find that more or less reliable than having a computer terminal for every vote and that computer printed out a human-readable "receipt" for every vote that the person takes and drops into the vote bucket with the hole-puncher? Well, t

            • by AK Marc (707885)
              a. observation: system a is more complicated than system b

              Assertion without support. Paper ballot A is more complex than paper ballot B? The system to generate the ballot may be, but the ballots themselves are both paper ballots, but one is mechanically generated for uniformity, and you are claiming that is less reliable than one that a person tries to mark, which is proven to be unreliable.

              b. observation: electronic voting is more complicated than paper voting

              A false statement. Walking up to a com
              • congratulations

                you've utterly defeated and humbled me beyond the pale

                i stand here in abject pain at how thoroughly you have spanked my rotten ways

                i am now reeducated:

                (drum roll)

                a paper and a pencil are more complicated than a computer kiosk

                (!?)

                BWAHAHAHAHAHAHAHAHAHAHAHAHAHA

                you sir, are a fucking retard, beneath even a consideration of intellectual charity

                adios, stubborn moron

    • Re: (Score:2, Interesting)

      by MyMistake (620068)
      I'm a "technofetishist" and so are many of my friends. We all think voting should be paper. It's a hell of a lot easier to fix the hanging chad bug than to build, debug, and secure a system like that.
      I've heard people cite the ATM network when they talk about big, distributed hardware/software systems that anybody can access, and it works pretty well. It's a false-equivalence though. You get a paper statement at the end of every month (or online, immediately) which provides the paper trail. If my account g
      • you are not a luddite if you oppose electronic voting. you are simply someone with a better grasp of what is exactly being risked and what is exactly being gained. as in: trust and integrity in your government being risked, and slight pointless convenience being gained

        electronic voting is the greatest threat to democracy in the world today

    • Re: (Score:3, Informative)

      by Falconhell (1289630)

      Surprisingly I agree with you on this one.

      Here's how we do it in OZ.

      All paper ballots. Voters must be on the electoral roll 2 weeks before the election, at a minimum.

      At all times opening and closing of ballot boxes is done in the presence of representatives of the political parties and the electoral commission.

      When you go to the polling station, you are asked your name and ID, which is then marked as voted on the electoral roll.

      Votes are then counted under the eyes of party scrutineers from all parties that

  • Actual report: (Score:5, Informative)

    by Anonymous Coward on Tuesday October 21, 2008 @06:36PM (#25461127)

    http://coblitz.codeen.org/citp.princeton.edu/voting/advantage/advantage-insecurities-redacted.pdf

  • Elections of 2010 (Score:3, Interesting)

    by TubeSteak (669689) on Tuesday October 21, 2008 @06:38PM (#25461153) Journal

    My first thought was "what's the point of publishing this now?"

    Everyone (yes, even the clueless people in charge) knows that electronic voting machines are SNAFU, they just didn't have the time/money to do anything about it this election cycle.

    2010 should be much different.
    Hopefully they'll take the next 2 years to do some criminal investigations into all the substituting and patching of firmwares while they're at it.

    • by mr_josh (1001605) on Tuesday October 21, 2008 @06:49PM (#25461307)
      The thing is, I don't think that everyone DOES know. I sincerely HOPE that they don't know, because no one is COMPLETELY OUTRAGED about it, and seriously, I think this should be a "people in the streets with torches and pitchforks" kind of issue. There simply seems to be zero public interest in this (and by "public" I of course mean the non-Slash-reading public) and it boggles the mind that some public figure hasn't jumped on this and made it a platform.
  • by Gat0r30y (957941) on Tuesday October 21, 2008 @06:45PM (#25461241) Homepage Journal
    Is very simple, and in fact I used it Today! - The Paper Ballot. I marked my choices, and turned it in. Voters in NJ should demand paper ballots, issue solved (sort of).
  • Public outcry, inquiry, and (in some cases) mockery are well and good, and hopefully lead to policy change. However, when it comes time to vote, what's an individual voter to do when faced by an electronic voting machine at the polls? Boycotting doesn't seem like the right course of action here.
    • by ryanov (193048)

      I've seen "vote absentee" floated as the answer, though I'm not sure that works everywhere. I'm also not sure I consider that more reliable (what if it never gets there? how can I prove it?).

  • by enos (627034) on Tuesday October 21, 2008 @06:49PM (#25461301)

    California ordered a review of all the machines used in the state last year. They would give access to university security labs to one manufacturer's machines at a secure location. I mean the machines were held in cages overnight and there was controlled access for only the researchers, etc.
    They were asked to evaluate the machines.

    UC Santa Barbara did ES&S, and their analysis is here. [ucsb.edu]
    They also have a short video on the subject, here it is on youtube [youtube.com]

    In short, all the machines were utter crap. The "seals" can be bypassed by bending some plastic. The locks can be bypassed with a screwdriver. Plus the software is susceptible to viruses, and they managed to make the machine vote for whoever they wanted. Even though all the machines have the VVPT (voter-verified paper trail).

    • by ComputerSlicer23 (516509) on Tuesday October 21, 2008 @11:55PM (#25464249)

      I've done work for ES&S at a couple of different points, and can point out several things. First, the reports are mostly accurate (there are a few points which I'd disagree with, but there are a number of legitimate concerns in there). Second, no system is secure without physical security, and a number of the attacks ultimately come down to the state needing to ensure that these machines are treated as such. States are very lax about this, and that is a serious problem (personally I think precinct counters should be there to validate the ballot for the voter and give feedback/warnings or errors, and all tabulation should be done via high speed central scanners. The tabulation of the precinct counters might be kept as checks against voter fraud during ballot transport). Physical security is the single most important aspect of any voting system, with enough physical access any security system can be beaten (see every DRM or anti-cheat system for gaming). Unless it's fairly far into the videos, the video stuff is actually about the Sequoia not about ES&S systems. The PDF report linked to does include several chapters about the ES&S systems (all of part II).

      Most of those that are dealing with the M100 and the M650 should be dealt with with the next generation of hardware/software for the newer paper scanner products (don't want to comment on the others as I didn't work on or with any of those). Not sure what ES&S's view is, but my personal view is that all DRE machines should be shipped to the nearest blackhole for permanent storage.

      There is also some help in addressing some of the concerns about the review of proprietary software. Other than the Java compiler and the cryptography pieces (which are required to have FIPS compliance that most OSS products lack due to expense), all of the software is Open Source and is compiled during the system builds. I believe only one or two libraries aren't compiled from scratch on the machine (the commercial crypto tools, and the Sun JDK). I wouldn't be shocked to find out that OpenJDK is compiled on some future release. Every tool and/or line of source used to build the system has an MD5SUM, and a SHA1SUM along with the external site the software was retrieved from. Other than the crypto and the Java tools, all of the tools are built from source (a LiveCD distro with a minimal dev environment to build GCC, glibc, make, perl and a couple of other tools are bootstrapped into a chroot). It is fairly straightforward to walk into a secure room and a blank PC with no software on it and end up with 99% of the software that ends up on the M100 replacement product. Two embedded compilers require Windows that are built separately.

      Another issue is that resolving issues quickly on election day is internally an important quality to the company. There are some security aspects that would be a disaster if the slightest thing goes wrong. With a deployment that large, by a mostly volunteer group, there are always significant mistakes and "proper" security would get in the way. The inability to do field firmware upgrades, because somebody in the state failed to upgrade the hardware before it shipped would be a disaster. It happens in every election despite all the procedures and guidelines. So part of the "only one key" thing falls into this category.

      Finally, the most serious problem with all of the software is that no programmer in their right mind can deal with the various rules and obligations for VVSG compliance. I'd spend a day writing, unit testing, and writing "normal" documentation. Followed by at least a day or two of writing all of the required documentation, none of this included the stuff we had tools to auto-generate. I had to write the code first and document afterwards because it was hard to be concise and see all of the related code at a time when it was fully documented.

      They require the generation of inane and superfluous documentation, and are bureaucratic and dogmatic about enforcing the rule co

      • Re: (Score:3, Interesting)

        by enos (627034)

        You're right, the ES&S system was for a different study. The one presented is Sequoia. That's what I get for posting tired ;)

        Thank you for the post, it's great to hear about how the companies are run. Don't take the rest personally, it's a reply to you but addressed to your (former) bosses:

        Though most of the difficulties you talk about are things faced by any large project. File management and documentation? Please. All projects have to handle this. Apparently the Sequoia system is also a hodgepodge of

  • by bboxman (1342573) on Tuesday October 21, 2008 @06:50PM (#25461311)

    Simple paper ballot. Allow observers from all interested (political) parties to monitor the voting station and the count.

    Presto, solves verification of the internals of the not so obvious "voting machines". Voting machines aren't truly verifiable.

    • Re: (Score:3, Insightful)

      by AK Marc (707885)
      Voting machines aren't truly verifiable.

      Why not? What if the "machine" was a huge wheel with a counter for each candidate. There is a back room that has every candidate represented, and they verify that for every person that enters (they can't see the person) that the wheel only moves one slot. The person voting picks who they want and watch the wheel increment by one, then leave. That's a "machine" that is truly verifiable, isn't it?

      And what about a machine that casts the votes, but doesn't tally t
  • by WillAffleckUW (858324) on Tuesday October 21, 2008 @07:10PM (#25461523) Homepage Journal

    You know, if I didn't know any better, I'd say that this was the same company as Diebold.

    Oh, wait, it is ...

    • You know, if I didn't know any better, I'd say that this was the same company as Diebold.

      Oh, wait, it is ...

      No, it's not; it's the other one. (Diebold is the same as "Premier Election Solutions".)

      cf info at eff.org [eff.org]

      (blackboxvoting.com [blackboxvoting.com] isn't a bad source of info, either).

  • by tonytnnt (1335443) on Tuesday October 21, 2008 @07:18PM (#25461617)
    My state uses optically read paper ballots. I think it's the best of both. It can be machine read, but the paper ballot is still there to double check or recount. Is it really that hard to fill in a bubble with a #2 pencil?
  • Ya know, I don't think I've ever voted for anyone that has won in my life. I'm so against everything that is going on.. Bush, Obama, McCain.. whatever.. none of these idiots believe in my liberty.

    Why not just let politicians vote for us.. its cheaper and as far as I can tell it produces the same results. Why bother keeping up the charade that the people control this country?

    • by Urza9814 (883915)

      Uh, politicians _do_ vote for us. This isn't a democracy, it's a republic. Sure, most states require them to vote the same way we do, not always, and there have been cases where they haven't.

  • by Dzimas (547818) on Tuesday October 21, 2008 @07:34PM (#25461783)
    Why doesn't the US revert to paper ballots? We just held a federal election in Canada, and things worked just fine with a good old fashioned pencil and a small paper ballot (well, actually more like thin card). It took us a matter of hours to successfully decide the fate of the country for the next X years without the need for millions of dollars worth of mysterious electronic machinery.
    • Because people in America are dumb and assume that since paper is simple it's necessarily less secure than computers.
      • by TheLink (130905)
        Or because people in America are dumb and it is beyond the average volunteer to be able to count votes by hand accurately in a timely manner.

        OK now... 1, 2, Uh what comes after 2? *asks bystanders* One thousand and fifty two? OK.
    • My guess would be that we are either very comfortable with the way things are, or we are too stressed out with the day-2-day stresses of our chosen lifestyle to bother with any possible fiasco that could occur - while the powers that steer us are corrupt and only concerned with their money and taking more of ours.

    • Re: (Score:3, Funny)

      by rrohbeck (944847)

      One argument I heard, and you won't believe this:
      "Because then the recounts would take forever, and we might not have a valid result by January with all the court cases as a result."
      I don't remember which corner that came from, but it sounds as if it would take weeks to count a couple 1,000 votes in any contested districts.

  • 20 minutes in (Score:5, Informative)

    by DreadPiratePizz (803402) on Tuesday October 21, 2008 @08:16PM (#25462217)
    Pretty much 20 minutes into the video, it describes how a poll worker can simulate activating the machine so that everybody in the room believes it is active, and the voter will notice nothing suspicious, yet the vote cast is not counted. The activation chirp is played, and the correct light display when the voter picks the candidate, and even says "vote counted thanks you", when in reality, no vote has been cast. Unbelievable. It's obvious that a malicious poll worker could absolutely use this to his or her advantage and deny people votes.
  • by SLi (132609) on Tuesday October 21, 2008 @09:22PM (#25462875)

    Here you go, a torrent for the 1 gigabyte hi-res video:

    advantage-insecurities-exhibit-hires.mp4.torrent [homeunix.net]

  • And they don't use this Machine but they use other ones and the voter card activator does have a HD, USB ports for the touch screens USB keys that the votes are on as well as a cartridge port for the Optical scan reader. It also does have a Cell phone modem in it and the ZERO tape does print its IP address.

  • Hmm (Score:4, Interesting)

    by ShooterNeo (555040) on Tuesday October 21, 2008 @11:12PM (#25463897)

    An electronic voting machine should be simple. Why the f- are they even using an operating system at all? Wouldn't a stripped down to the bone OS do the job? How about using DOS?

    (before you laugh or say to use free software, the reason I say DOS is there is ZERO chance someone 20 years ago inserted code that would corrupt a voting machine)

    Also, with DOS you could easily verify the md5 of the OS image.

    I say use DOS, and write the vote counting program in terminal graphics mode, with those colored ASCII characters for a GUI. A SIMPLE GUI. The feature count on this program should be limited to the crucial things only.

    And NO network access. The only way to count votes should be to physically gather all the flash memory cartridges in one place. Each cartridge would have a ONE TIME PAD encryption lock. There would be a central "vote counting" terminal that would be the only machine in the county with the other copy of the one time pad used.

  • Why so backwards? (Score:5, Interesting)

    by lord_sarpedon (917201) on Tuesday October 21, 2008 @11:36PM (#25464103)

    Funny I think that people are so cautious to trust computers here, but they're fine for everything else. Just make it open. We can gain some advantages.

    -Immediately before voting, you are handed a number. How we generate these numbers is up for debate. Perhaps they are centrally generated and serial. Perhaps a hash of name + DOB + other stuff. Each choice here opens different doors.

    -Barcode equivalent to said number must be scanned at the machine. Number must also be entered on an onscreen key pad.

    - Number + voting choices + timestamp + voting machine id are stored in a central database. Immediately. Nothing local.

    -You get a receipt with your Number + voting choices + timestamp + machine ID. It also has this other handy value on there. A digital signature, created by said central authority with its private key. The public key is well known long in advance.

    -After the election, the entire result set is made available for download. Yeah, a recount is a big fucking deal. We have these neat machines that are good at math. The bigger deal here is that if you check the database after you voted and the entry for your number doesn't match, you scream bloody murder. If you don't trust the machine, any party can verify the central authority's signature.

    -But in addition to 'any' party, it is critical to have a non-networked verification appliance, which does nothing but verify the central signature for you before you physically leave. If you scream bloody murder at this point, we can consider the plain-text part of the receipt trusted. You obviously couldn't have faked the entire receipt while being watched by everyone. More on this soon.

    Nice huh? Let's recap some advantages here:
    -You can verify that your vote was counted and correctly
    -You can't determine who voted for whom, except yourself.
    -The receipt actually means something

    Let's elaborate on that third point.
    There are several means of lying to you, which can't easily be solved without adding machines into the mix

    -What if the receipt says you voted for X but the machine recorded you as voting for Y? This is as good as pressing the wrong button. The signatures will both be valid. But if the plain-text portion shows the wrong candidate, you'll notice and scream. If the plain-text portion doesn't match the central signature (the one most directly relevant to proper recording) you will catch this at the non-networked verifier. The receipt can still be trusted having not left the polling place, so you will be allowed to vote on another machine, as meanwhile the machine you previously used is marked for a serious investigation...

    -What if the central authority records whatever it wants but produces a normal signature? The receipt will be considered entirely valid and endorsed. People will notice quickly as they check the database from home. You have a paper trail that can be trusted. What if the signature is bogus? People notice before they leave the polling place.

    Up to this point? Criminal negligence bordering on treason. Open source needs to step up.
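
The receipt checks described in the comment above, as an added example that is not part of the original post: a central authority signs the record it stored, an offline appliance holding only the public key checks the printed receipt, and a later lookup compares the receipt with the published result set. Ed25519, the field encoding, the function names, the fixed key seed and all sample values are assumptions constructed for this sketch.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Receipt holds the plain-text fields the comment lists on the printed receipt.
type Receipt struct {
	Number    string // per-voter number handed out before voting
	Choices   string // constructed format, e.g. "President=X"
	Timestamp string
	MachineID string
}

// canonical length-prefixes every field so that two different receipts can
// never serialise to the same signed bytes (no delimiter ambiguity).
func canonical(r Receipt) []byte {
	var buf bytes.Buffer
	for _, f := range []string{r.Number, r.Choices, r.Timestamp, r.MachineID} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		buf.Write(n[:])
		buf.WriteString(f)
	}
	return buf.Bytes()
}

// SignRecord is the central authority's step: it signs exactly what it stored.
func SignRecord(priv ed25519.PrivateKey, stored Receipt) []byte {
	return ed25519.Sign(priv, canonical(stored))
}

// VerifyAtPollingPlace is the non-networked appliance. It has only the public
// key and checks that the signature covers the plain text the voter can read.
func VerifyAtPollingPlace(pub ed25519.PublicKey, printed Receipt, sig []byte) bool {
	return ed25519.Verify(pub, canonical(printed), sig)
}

// MatchesPublished is the later check against the downloadable result set,
// keyed by voter number.
func MatchesPublished(printed Receipt, published map[string]Receipt) bool {
	rec, ok := published[printed.Number]
	return ok && rec == printed
}

// ConstructedKeys derives a fixed demo key pair from a constructed seed so the
// example is reproducible; a real authority would use a random key.
func ConstructedKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := ConstructedKeys()
	printed := Receipt{"000123", "President=X", "2008-11-04T09:15:00Z", "M-17"}

	// Honest path: stored record and printed receipt are identical.
	sig := SignRecord(priv, printed)
	fmt.Println("honest receipt verifies:", VerifyAtPollingPlace(pub, printed, sig))

	// Machine printed X but submitted Y: the authority's signature covers Y,
	// so the offline appliance rejects the printed receipt on the spot.
	stored := printed
	stored.Choices = "President=Y"
	sigY := SignRecord(priv, stored)
	fmt.Println("mismatched receipt verifies:", VerifyAtPollingPlace(pub, printed, sigY))

	// Authority signed the printed receipt but published something else: the
	// appliance passes it, and the database lookup is what exposes the change.
	published := map[string]Receipt{stored.Number: stored}
	fmt.Println("receipt matches published set:", MatchesPublished(printed, published))
}
```
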

  • by radarsat1 (786772) on Wednesday October 22, 2008 @08:03AM (#25466417) Homepage

    To me the messed up thing in all this e-Voting stuff is that the counties are using e-Voting machines that are shown to be hackable... implying that they are using the machines without fully testing them. That is, they have decided on the machines (presumably after a convincing marketing presentation), and only *after* using them, have people come along and said, hey, these aren't safe.

    In usual situations, a system would be tested for hacking *before* being deployed. Until such time as it can be independently declared safe, the old, trusted system would remain in place. This rule applies to every major server in the world, why does it not apply to something as fundamental as VOTING?

    We shouldn't just be mad about hackable eVoting machines, we shouldn't just be mad at the companies that make them, we should be mad about bad decisions being made by those in power to use these machines without properly testing them.

    (By "we" of course I mean people who actually have to use e-Voting machines.. myself, I'm from a place that banned them [slashdot.org], thankfully.)
