Hackers Fail To Crack Brazilian Voting Machines

blueser writes "From Nov 10th to Nov 13th the Brazilian Government hosted a public hacking contest to test the robustness of its voting machines. 38 participants from private and public IT companies (including the Brazilian Federal Police) were divided into 9 teams, which tried several different approaches to try to tamper with the software installed on the machines, and even to physically interfere in other stages of the process. All attempts (aside from a minor one which would not compromise the overall results) failed, and observations from the participants and neutral observers will be taken into account to improve the process even further. Here is the official announcement for the contest (Google translation; Portuguese original). A summary of the results is available in the Brazilian press (original). Brazilian voting machines use Linux." US voting officials ought to be envious of their Brazilian counterparts, or ashamed, or both. Perhaps this MIT-developed cryptographic voting system offers a way forward.

Everyone raise your hand...

[Loopy (41728)]

...if you think the person who actually cracked it would admit it before cashing in.

for what it is worth...

[Sir_Lewk (967686)]

Cracking contests are warning sign number 9 on Bruce Schneier's list of security snake oil warnings. [schneier.com]

Warning Sign #9: Cracking contests.

I wrote about this at length last December: . For now, suffice it to say that cracking contests are no guarantee of security, and often mean that the designers don't understand what it means to show that a product is secure.

Re:for what it is worth...

[Narpak (961733)]

Yet I find the concept of actively encouraging people to hack your system, through for instance competitions, far more comforting than insisting that the only security is total secrecy. Particularly in the field of electronic voting systems.

Re:for what it is worth...

[Narpak (961733)]

Particularly in the field of electronic voting systems a cracking contest is snake oil. That is because the real threat for voting system integrity is not hackers but corruption of people that are in some way in control over the voting systems.

I will claim that open and verifiable oversight over any voting process is of the utmost importance. However I can not agree that that simply having a cracking contest is "snake oil"; unless it is presented as absolute proof that the entire process itself is incorruptible. The "corruption of people" is an potential threat in all voting systems regardless of method; electric, paper, mechanical, or what have you.

Re:for what it is worth...

[Yvanhoe (564877)]

I would also add that having an uncrackable machine from an exterior attacker says nothing about the ability of a government to tamper an election.

Re:

[C0vardeAn0nim0 (232451)]

except that if you read the arcticles, you'll see that it was more an auditing proccess done by several diferent professionals than an actual contest.

Re:

[swillden (191260)]

Cracking contests are warning sign number 9 on Bruce Schneier's list of security snake oil warnings. [schneier.com]

Warning Sign #9: Cracking contests.

I wrote about this at length last December: . For now, suffice it to say that cracking contests are no guarantee of security, and often mean that the designers don't understand what it means to show that a product is secure.

It should be pointed out that Schneier was talking about ciphers, not voting machines, and he was talking about companies announcing cracking contests and using the announcement as an indication of security, in lieu of actually providing enough information to allow serious review of security.

It's the combination of secrecy and cracking contests that is the snake oil warning sign. The only way we can determine if something is secure is to have lots of smart, knowledgeable people with full access to the de

Re:

[BoppreH (1520463)]

Given the low prize, it's highly possible.

But Brazil does have a stable political climate. Lot's of claims of corruption, but everything have been on its tracks for so long that is boring.

Nice idea

[quantaman (517394)]

Of course this doesn't really guarantee it's secure (nothing does) but it indicates they're taking security seriously. I am curious if they had full access to machines for a while before the competition, 3 days is a lot of time to try out a bunch of exploits you've worked out, but it's not a lot of time to try to find those exploits if it's the first time you've seen the system.

Re:

[quantaman (517394)]

It indicates no such thing. The only thing it shows is that they understand public relations. It's a marketing effort.

It's not a great indicator but it is an indicator.

There are a zillion things you can do to improve security, a hacking contest is one of them.

Now this is relying on the fact that the contest was done fairly, which I don't know. That's one of the reasons I questioned if they had access to all the available info before hand.

And voting machines aren't a typical software security situation. For software you can make the software available to anyone who wants a crack at it (har har!). But for voting machines the

What is the threat model?

[Beryllium Sphere(tm) (193358)]

Is this exercise realistic given the need to protect against well hidden back doors, tampering by election officials, and sloppy procedures (like letting a vendor install uncertified patches just before an election)? They tested only a narrow range of dangers.

The right way to do something like this is at design time.

They deserve credit, though, for doing things so much better than the US.

What incentive is there?

[Skapare (16644)]

If there was a strong incentive or motive, that might have made a big difference. If all you get from success in cracking is the recognition, that won't bring in all the possible methods. OTOH, if there was a genuine and significant prize, like actually taking leadership of the country, or a billion dollars, you might find the machines can be cracked.

Easy

[lord_rob the only on (859100)]

If I were here, I'd have cracked the machine with a hammer

Working link of pics, video of the voting machines

[cameigons (1617181)]

http://br-linux.org/2009/video-e-fotos-do-boot-do-linux-em-uma-urna-eletronica-brasileira/ [br-linux.org] (scroll down the page a bit)

The successful atempt wasn't about the system

[joaobranco (55662)]

According to the newspapers, the successful attempt was on the carrying bag for the media (which I assume carries the data required). It seems lack of physical security still can happen, but the media is supposedly cryptographically signed, so replacing it would be hard in any case.

Wrong way to look at it.

[PopeRatzo (965947)]

It's funny that they'd crow about the fact that "hackers" couldn't break their security in three days. Hacking a voting machine isn't a timed athletic contest. It might take 4 days, or a week, or a year, but once it happens, the damage from a hacked election could be catastrophic for a nation.

The problem with voting machines is that somebody has to make them, usually a private company. Private companies are after profit. Profit + elections can be a disastrous combination. The effects of private money have turned the US political system into a bad joke.

The way to secure and fair elections is not through any proprietary technology, that's for sure.

Ridiculous prize

[BoppreH (1520463)]

It's important to note that the prize for the winner is of just R$ 5.000, a little under $ 3.000. This certainly scared most experts away.

On a side note, you guys have just slashdotted our fucking Superior Election Court website. I hope you are happy.

Misleading headline

[Legion303 (97901)]

More accurate: "Successful Brazilian voting machine hackers stay quiet, wait for election day."

Proves nothing

[dskoll (99328)]

While cracking the machines would prove that they are insecure, failing to crack them proves nothing. It only proves that one group of people at a particular time couldn't crack them.

obligatory...

[TheSHAD0W (258774)]

Hackers Fail To Crack Brazilian Voting Machines

Give them time, a brazilian is a lot of machines!
Ba-doom-boom-tss.

Re:Hmm...

[Z00L00K (682162)]

Obviously this puts a lot of software produced in the US to shame.

Today it seems like it's all about selling something crappy for money in the US with an EULA where you free yourself of all responsibility.

And when someone points out the flaws the lawyers are called in to hide the fact that there is a gap that can put Grand Canyon to shame.

No wonder that the world has suffered so much malicious software.

Sure - call me a troll, but it's also an observation. Time to market is more important than quality.

Re:

[darkpixel2k (623900)]

Time to market is more important than quality.

Yeah look at Ubuntu. Every 6 months on the dot no matter what the quality.
And uuh...yeah...Look at Vista. Was that 6 or 7 years to market?

Your statement doesn't hold up. ;)

Re:

[timmarhy (659436)]

Yeah look at Debian, many years was it between releases?

Re:

[ThePhilips (752041)]

Debian is server-centric. (Though also hihgly-usable as workstation too.) Long release/support cycles there is the feature, because stability is the priority.

On other side, I have used for about two+ years Debian Sid [debian.org] as desktop at home. I had only three major breakages in all the time which required me too boot system in single user mode to repair it. And that is unstable branch which is literally "just compiled software". That easily compares to rate of reinstalls I had to do on my Windows workstation,

Re:

[PopeRatzo (965947)]

Look at Vista. Was that 6 or 7 years to market?

You've got it all wrong. Vista was just Win7 beta.

Re:

[phantomfive (622387)]

Sure - call me a troll, but it's also an observation. Time to market is more important than quality.

Customers get what they pay for. If they aren't willing to make security a priority and pay more for it, then they won't get it.

Re:

[buchner.johannes (1139593)]

Simplicity --> greater security (I'm not saying the contest measured something).

http://en.wikipedia.org/wiki/Elections_in_Brazil#The_Brazilian_voting_machines [wikipedia.org]

The source is available to the parties.

Re:

[sslayer (968948)]

The voting system has been widely accepted, due in great part to the fact that it speeds up the vote count tremendously. In the 1989 presidential election between Fernando Collor de Mello and Luiz Inácio Lula da Silva, the vote count required nine days. In the 2002 general election, the count required less than 12 hours. In some smaller towns the election results are known minutes after the closing of the ballots.

I just don't get it. In Spain we know the results of the election with more than the 90% of votes counted at 21:00, while the election itself ends at 20:00. In an hour more or two, we got the 100% minus the postal votes. And of course our system is just the goold old ballot.

Re:

[Wooky_linuxer (685371)]

Yeah, but what is your population? From Wikipedia, about 46M. Check Bras(z)il's: 190M. Your area? 500.000 square km, versus 8 millions and a half. And bear in mind that some of the brazilian population live in areas that only can be acessed by boat or airplane - not a big fraction, of course, but we have much bigger dispersion than Spain or any other European country.

Re:

[stevelinton (4044)]

Interesting. Sounds like you count at every polling place. Most countries don't do that. They gather the boxes up some smaller set of places (in the UK it's one per constituency) and count them all there. Obvious advantage -- much easier for parties and the press to scrutinise the count; obvious disadvantage -- it takes longer.

In the US they also have a curious attachment to having huge numbers of elections all at once and putting them all on the same piece of paper. I guess this probably is easier for the

Re:

[ThePhilips (752041)]

Sure - call me a troll, but it's also an observation. Time to market is more important than quality.

If I had mod points, I would have modded you down. In context of Linux, or any software which wants to give you a choice, you point is largely misplaced and wrong.

Personally, I'm tired of the overrated excuse - to shuffle half-baked software on users. "Time to market" is a great metric - if you also cut on features. (E.g. what Debian does by excluding from releases software which cannot be stabilized in timely manner.)

But no commercial company would *ever* do it - because software is sold (or rather

Re:

[Z00L00K (682162)]

If you look at the market in general and don't focus on single products the perspective is different.

The number of products through history that haven't made it far outweighs the number of products that have survived.

And this isn't limited to applications, look at cars and a lot of other items.

Re:

[C0vardeAn0nim0 (232451)]

brasil isn't latin america, duffus. barsil is brasil. plain and simple.

our democracy is a lot more solid than our neighbor's.

Re:

[Z00L00K (682162)]

From a linguistic point of view it is latin america, but you may see latin america as central america.

Re:Try again!

[C0vardeAn0nim0 (232451)]

they were designed under the electoral court's orders by universities and private companies. after the design was ready, the manufacturing was outsorced to several comapnies, one of them was procomp, that later was purchased by diebold.

diebold doesn't own the designs or the copyright to the software. the electoral court does. so if diebold is thinking about selling similar machines in US, they'll have to pay our govt. royalties.

Re:Doesn't change a thing

[gzipped_tar (1151931)]

1. How do you know that "A paper ballot vote is completely observable and does not require trust"?

2. "Electronic voting is unnecessary and undemocratic." -- There are democratic political systems and undemocratic ones. There are no such thing as "democratic" or "undemocratic" technology. Technology is neutral; it depends on who is using it and how it is used.

Paper vote inspection is sampled

[mangu (126918)]

You can simply look at all the steps in the design and see that you can observe what's going on.

How can you, personally, be sure that every vote in every ballot in the country was counted correctly? Paper votes are sensitive to "economic power" frauds. The party which can put more inspectors in the process is the one which controls the counting.

In Brazil there was a big affair in the 1982 Rio de Janeiro state governor elections, when the leftist candidate Brizola [wikipedia.org] denounced an attempt to subvert the vote counting, in what became known as the "Proconsult scandal" [google.com]. According to Brizola's party [pdt.org.br], this fraud attempt was performed with the collusion of the right-wing media organizations, which presented fake exit polls indicating a victory for the rightist candidate.

In any major election there are many people working together and one must inevitably trust a lot of people involved in the counting. No ordinary citizen has the resources to monitor an election by himself, the support of the party is needed.

In these days, any political party should have lots of people who know and understand computing technology. It's much easier and cheaper to let a trusted team of computer experts do a thorough audit on the software than to get a large team of scrutineers to watch every little detail where a paper ballot can be defrauded.
 

Re:

[AndrewRUK (543993)]

I beg to differ. Of course it's not possible for one individual to observe the entire election, but with paper ballots anyone can understand how the election works:

1. voter goes to polling centre
2. collect & mark ballot paper
3. place ballot paper into locked ballot box
4. when polling is over the locked boxes are taken to the counting location and opened
5. ballot papers are then counted by hand (machines can be used the speed up the counting, but the option of hand-counting is still there) and the result is announce

Re:Doesn't change a thing

[dvice_null (981029)]

> Failure to find a flaw does not prove absence of a flaw.

And failure to find an unicorn doesn't prove absence of a unicorn. I claim that there is no flaw. It is now your job to find the flaw and prove me wrong.

> A paper ballot vote is completely observable and does not require trust.

So you think that computers can't be trusted, because you don't trust people handling them, but you can trust paper, because you trust people handling them?

Re:Doesn't change a thing

[Mr. Freeman (933986)]

"I claim that there is no flaw. It is now your job to find the flaw and prove me wrong."

Not really. It is your job to prove to me that there is no flaw. It's the same thing with a paper ballot. You still have to prove to me that there is not a flaw in the paper ballot. Of course, I can look over the ballot in all of about 15 seconds and see that it's the correct ballot. It's far harder to find a race condition in a voting machine running proprietary software that causes miscounted votes.

Re:

[icebraining (1313345)]

It's far harder to find a race condition in a voting machine running proprietary software that causes miscounted votes.

That's why these voting machines run Linux and an OpenSource counting software.

Re:

[Patch86 (1465427)]

Proving the absence of something is impossible, or close to it. No matter how hard he looks and says "it still seems to be flawless", you can ALWAYS claim that there is still the possibility of a hidden flaw.

It's always the job of the person claiming the existence of something to prove it, not the other way around. If you think there is a flaw, show us your proof, or at least your reasoning. If you can't, we wont have reason to believe you.

Is a Lie from Brazilian TSE

[TheDarkMaster (1292526)]

First, is not the Brazilian goverment but the Tribunal Superior Eleitoral (supreme election jury or something like this in English).

And all the test is a ugly lie.

The... "hackers" are public workers, not really hackers. And they are forbidden to use really "hacker" methods like disassemblers, sniffers and etcetera, only the "approved" methods. Is like you ask to a thief to try to bypass your security system, but allows then to use only a paper clip. Ridiculous, but the TSE do not care.

Re:

[Mr. Freeman (933986)]

There is no way for you to verify that the paper ballot you are using is an actual legitimate ballot. I suppose you could call some city department and have them certify the ballot, but you could do the same thing for the voting machines. Electronic voting is not necessarily undemocratic. It's only undemocratic if it's being used in an undemocratic way. You could abuse paper ballots the exact same way you could abuse electronic machines.

The only real difference here is that no one has tried to sell the

Florida 2000

[mangu (126918)]

A paper ballot vote is completely observable and does not require trust

I beg to disagree. Apart from things like hanging chads and butterfly ballots [wikipedia.org], which can be corrected by proper voter instruction, paper ballots are subject from a large number of possible frauds, ranging from relatively unsophisticated methods like ballot stuffing to more advanced methods like ballots numbered with invisible ink.

Besides, as every corrupt politician knows, the best way is not to commit fraud at the ballot itself, but at

Re:

[mangu (126918)]

the democratic system of using a pen to make a cross in front of the name of the candidate or party of your choice

Don't you mean after [dccofc.org] the candidate's name?

That box is usually opened at the end of the day, also under public supervision, and the votes are counted (again, in public)

Yes, and being in public means no mistake is possible [wikipedia.org], right?

only where necessary

[reiisi (1211052)]

Electronic balloting machines should be used only where necessary, for people who physically need help.

And they should simply print a bubble sheet like the ballots everyone else uses.

A ballot recorded only electronically is too hard to observe in a meaningful way.

Re:

[Mr. Freeman (933986)]

And then how do you verify the million or so people that misread the paper or just want to cause shit and claim their vote was not counted properly? Not trying to rail on your idea, but this does present one hell of a practical problem that needs to be taken into account.

Re:

[KClaisse (1038258)]

How could you then verify a person's claim that their vote was changed? How do you prove that they aren't just changing their own mind at the last minute? I mean if every single vote in a voting machine was changed then you could very easily say that there was some tampering involved, but say a person tampered with many many systems across many states. And then say this person tampered with only a small percentage of votes on each machine and only to a randomly selected group of people (no connections to ea

Re:

[agoliveira (188870)]

The source *is* open. Anyone from any political party or organized entity can request and have access to all source and follow all the procedures. The final binaries are signed by all interested parties as well and the system can be audited at any time. I know no system is fail proof but I believe they covered as much as they can and honestly, the paper system is also week to social pressures and bribing as well. That's the week link: people, not technology.