Diebold voting systems critically flawed

[BobK]

Haven't seen this get any play in the MSM. article

The call--from election watchdog BlackBoxVoting.org--described a critical vulnerability in Diebold Election Systems' touchscreen voting systems that could allow any person with access to a voting terminal the ability to completely change the system code or ballot file on the system. As a professor of computer science at Carnegie Mellon University and adviser to the Commonwealth of Pennsylvania on electronic voting, Shamos realized that, at the very least, a workaround for the flaw needed to be in place by Pennsylvania's next election--at the time, less than three weeks away.

"This one is so bad, that we can't do just nothing," Shamos told the state's election officials at the time. "Any losing candidate could challenge the election by saying, 'How do I know that the software on the machine is the software certified by the state?'"

...

"It is like the nuclear bomb for e-voting systems," said Avi Rubin, computer science professor at Johns Hopkins University. "It's the deal breaker. It really makes the security flaws that we found (in prior years) look trivial."

As long as the voting machine companies are allowed to use secret software, this will be a never ending problem. We'll always have to wonder if the party in control of the state has some special relationship with the vendor they're paying big bucks to each year.

 

[Anti_Hypeman]

Linux gets security updates too. There is no such thing as a unhackable system closed or open source. Technology isnt always better you cant hack a paper card. Diebold programmers vs the world who will win? Microsoft cant make a flawless system will all their money.

We cant even make a unhackable slot machine or soda dispenser. I say stick with the paper and throw out the votes of anyone too dumb to figure it out.

If Diebold wanted to fix the election they dont have to rig all the machines just modify the end results. The results are what Diebold says they are end of story.

 

[ImaginalDisc]

Linux gets security updates too. There is no such thing as a unhackable system closed or open source. Technology isnt always better you cant hack a paper card. Diebold programmers vs the world who will win? Microsoft cant make a flawless system will all their money.

We cant even make a unhackable slot machine or soda dispenser. I say stick with the paper and throw out the votes of anyone too dumb to figure it out.

If Diebold wanted to fix the election they dont have to rig all the machines just modify the end results. The results are what Diebold says they are end of story.

Is this fallacy of the middle ground day? These systems in questions aren't very secure. In fact, they're very easy to tamper with. You're forgotten that paper can be forged and falsified. Voting procedure is something that has to constnatly be examined and refined, to ensure our confidence in the system. It's always a pressing need whatever system we're using. If you'd rather, you can come to Opa-Locka Hialeah, where the even the dead vote early and often!

 

[rocketdodger]

Linux gets security updates too. There is no such thing as a unhackable system closed or open source. Technology isnt always better you cant hack a paper card. Diebold programmers vs the world who will win? Microsoft cant make a flawless system will all their money.

This is flat out untrue. A system can be made completely secure from external attacks quite easily.

The only unsolvable problems regarding security are at the human end. Easily broken passwords, not securing data transfer, etc, running malicious code, etc.

 

[aerosolben]

This is flat out untrue. A system can be made completely secure from external attacks quite easily.

Sure, cut the line.

The only unsolvable problems regarding security are at the human end. Easily broken passwords, not securing data transfer, etc, running malicious code, etc.

All problems involving security are human problems.

 

[Kaylee]

Sure, cut the line.

What about WIFI?

 

[HeavyAaron]

What about WIFI?

What moroon would install a WIFI NIC in a voting machine?!?

Aaron

 

[Kaylee]

...You're forgotten that paper can be forged and falsified. Voting procedure is something that has to constnatly be examined and refined, to ensure our confidence in the system. ...

That's true but a manual system can have more controls in place and be more easily audited -- if the local community has the political will to do so.

Voting machines of the type being created by Diebold can't be audited regardless of whether the local community has the political will to do so or not.

For anyone still living in a community that still uses 1950 style voting mahchines, get a copy of your Board of Elections manual for election workers. I've seen the one for New York City, the controls in place are quite impressive -- and public.

Also -- this is an interesting web site:
www.WheresThePaper.org "Home of the Fraudulent Voting Machine"

The above web site argues that democracy requires verifiable election results, a paper trail for each ballot cast.

 

[Anti_Hypeman]

A system can be made completely secure from external attacks quite easily.

Am I the only one that has connected the dots? The machines use modems to send the results back to the home office. All this traffic is piped to the government through secret rooms at the phone companies. The conspiracy alters the packets and BOOM another Bush wins in a landslide!

 

[aerosolben]

What moroon would install a WIFI NIC in a voting machine?!?

I was speaking of machines in general, so it's a fair point. Maybe the motherboard will even support WIFI. Definitely brings a new dimension to the locked room model - maybe the room should be lined with lead now.

 

[Kaylee]

What moroon would install a WIFI NIC in a voting machine?!?

Aaron

<Anecdotal Evidence> I heard Teresa Hommel (the creator of the www.wheresthepaper.org web site) speak. One of her stories was about how a manufactor of one of the newer style election machines was allowing someone to inspect their machines, but kicked her out once she recognized and started asking about a WIFI component in the machine.
</Anecdotal Evidence>

I wish I remembered the story better and had gotten more of the details. But suppose I had never heard that story. Diebold and presumably their competitors have suceeded in creating a situation where they control the quality of the election process and they are not disclosing anything at all about how they are doing so.

How could you prove that they (or another company) are not using WIFI? Even if they are not using WIFI, how could you prove that they are not using a last minute software patch?

Ms. Hommel has claimed to have seen contracts between companies like Diebold and communities so poorly written, that the election machines and software being demonstrated are not obligated to be the same ones actually sold and used.

 

[aerosolben]

Am I the only one that has connected the dots? The machines use modems to send the results back to the home office. All this traffic is piped to the government through secret rooms at the phone companies. The conspiracy alters the packets and BOOM another Bush wins in a landslide!

Fred Scheneider used to offer a graduate level course in security, with a central project involving building a secure online voting system. He abandoned it for a different project due to the problem being too difficult (if memory serves). I would be highly suspicious of anyone who claims to have solved it.

 

[Grammatron]

How could you prove that they (or another company) are not using WIFI? Even if they are not using WIFI, how could you prove that they are not using a last minute software patch?

Why are we being asked to prove a negative?

Can you prove Diebold machines don't run on baby pandas?

 

[Kaylee]

Can you prove Diebold machines don't run on baby pandas?

Say hello to Amy Wilson for me in my circular file.

 

[Cleon]

Why are we being asked to prove a negative?

Because in this case, you can't prove the positive, either. Therein lies the problem; the system is not publicly accountable. It's faith-based voting.

 

[Grammatron]

Because in this case, you can't prove the positive, either. Therein lies the problem; the system is not publicly accountable. It's faith-based voting.

You can actually detect WIFI connections though.

 

[Cleon]

You can actually detect WIFI connections though.

True, as long as they're active. They don't have to be active 24/7 to do damage.

The point is not whether they're Wifi-capable or not. The point is that they're not auditable and publicly accountable.

 

[rocketdodger]

Am I the only one that has connected the dots? The machines use modems to send the results back to the home office. All this traffic is piped to the government through secret rooms at the phone companies. The conspiracy alters the packets and BOOM another Bush wins in a landslide!

Current encryption technology is well beyond anyone's capability to break it. Even the standard RSA public key system is pretty much uncrackable considering how fast it would need to be done to alter a packet, and there are certainly much more secure systems that can be used than RSA.

Bottom line -- the ONLY way to get around properly designed and implemented computer security is somehow convincing a guy to give you his password.

The logistics of implementing an all-computerized voting system are not difficult because of the computers. They are difficult because managing 150 million people who will choose bad passwords, loose their passwords, have their passwords stolen, try to register more than once, etc... is a non-trivial task.

 

[Kaylee]

My take on the situation is that while many technical people are aware of and concerned about the problem -- it is difficult to get the average person concerned about it.

To borrow some concepts from "The Tipping Point" many Mavens are on board, but apparently the Connectors (networkers) and the Salesmen are not.

Until they are, I don't see any way of getting the political will ignited to protect the integrity of our election system.

Edited to fix link.

 

[chulbert]

As long as the voting machine companies are allowed to use secret software, this will be a never ending problem.

To be fair, this exploit has nothing to do with the openness of the software - it is a hardware security issue.