Maryland Electronic Voting Systems Found Vulnerable 417
snoitpo writes "My fine state (Maryland) has hired some people I can respect to hack into Diebold voting machines. The Washington Post (read it free for 2 weeks) has the details. From this story and the one on NPR, the state hired a company and set up a test voting precinct and had the group try whatever they could to break into the machines. Most of the attacks would probably be noticed by an even-half-awake poll staff, but some vulnerabilities were exposed. The net seems to be that you could really mess up individual machines, but the grail would be to get to the central collection servers and send a megavote to your favorite candidate. The last paragraph mentions problems that voting machines had in the last election in Virginia; it's interesting to note that those use wireless networking--my jaw has dropped onto my keyboard and I can't comment any further." Other readers sent in two stories in the Baltimore Sun (1, 2), and one in the NY Times.
Need paper receipts (Score:5, Insightful)
Bruce Schneier [schneier.com], author of Beyond Fear [slashdot.org] and the fantastic Applied Cryptography [amazon.com], has an old but good commentary [schneier.com] on the some security issues of electronic voting machines in his Crypto-gram newsletter.
why not use retinal scanners at each location? (Score:2, Insightful)
If you want accountability, put in some form of VERY hard to break security and go with it.
Voter apathy is going to occur whether people can vote online or not.
This is a rehash of all the other Diebold crap down in Fla. Until it's secure, imo this is non-news.
Is it because it's in a different state? Or because it's an attempt at accountability?
Trying to invent solutions to non-problems... (Score:5, Insightful)
The phone-in system is also a bit nonsensical. Ideally, the local counts should be published in each locality as quickly as possible, so that news organizations can do the math on their own, and any error introduced at any step in the way would quickly be noticed when numbers that are supposed to be the same don't check.
Diebold seems to be in the business of selling solitions that are worse than the problems they claim to solve.
It's not a panacea (Score:4, Insightful)
Electronic voting will not help if two candidates are neck and neck or the election becomes complicated in some other way. They also throw in a very significant variable: hackability.
Re:Need paper receipts (Score:5, Insightful)
What is wrong with paper? (Score:5, Insightful)
Argument for open source (Score:4, Insightful)
Re:Need paper receipts (Score:5, Insightful)
Tamper tape (Score:5, Insightful)
(Can they cover the software issues with tamper tape, too? That might be helpful.)
-Trick
Re:No No No! (Score:5, Insightful)
The voter might be able to see the paper (under glass), but that's about it.
Thats the WHOLE POINT of paper receipts! How useful is a machine if you can't verify it's results? The big thing with paper reciepts is that the voter then has proof for himself that *he* voted in a particular way.. he can't walk away with that proof... that proof is left for verification purposes only. How hard is that to grok?
Why voting machines? (Score:5, Insightful)
In the Canadian federal elections, IIRC, as well as the Ontario provincial elections, voting and counting is still done by hand. At every stage a paper record is created, so that if any irregularities are suspected, the whole process can be audited. I believe such an inquiry was undertaken in Quebec after some tricky vote counting in Quebec after the last referendum.
Security of paper voting machines (Score:3, Insightful)
If I could pick the lock or steal a key to the paper ballot box, I could tamper with the votes too.
Re:No No No! (Score:3, Insightful)
Re:why not use retinal scanners at each location? (Score:3, Insightful)
Oh Canada! (Score:5, Insightful)
We use a simple paper ballot,
That all can understand.
My favorite quote (Score:2, Insightful)
Can't think of anything else to add to that comment.
Re:Need paper receipts (Score:3, Insightful)
2) Voting machine spits out receipt with a MD5 hash key of his vote record, it's one way, it can never be decrypted again to determine how user voted. MD5 hash is also stored on server
Worst Case Scenario: Votes are suspected to be tampered. All voters are asked to submit their receipt. MD5 hashes are compared to what is on the server. If MD5 hash isn't the same, Joe Schmoe is asked to vote again.
This isn't 100% foolproof, but vote tampering and stuffing is tricky now, and as long as a MD5 has remains irreversible nobody will know Joe Schmoe voted. Thoughts?
If I may reason... (Score:4, Insightful)
The reasoning is simple:
ATMs exist.
Liberal Bias (Score:1, Insightful)
Who's looking out for you?
Re:Need paper receipts (Score:4, Insightful)
Use the computer to make a human and machine readable paper ballot, walk ballot over to box, leave it there... any complexities beyond that is just asking for trouble.
Re:Need paper receipts (Score:4, Insightful)
Of course, you could sidestep the whole issue if you do it my way [slashdot.org]. I propose that no counting be done by the polling machine, but by a separate sealed tabulator. Further, I propose that the mechanism for getting the ballots tabulated be optical character recognition scanning of the printed text of the ballot -- no barcodes, no punchholes, no encryption keys. This way the tabulator has no programming and does not need to be loaded with data prior to counting.
Re:Security of paper voting machines (Score:3, Insightful)
Re:Trying to invent solutions to non-problems... (Score:0, Insightful)
Other problems (Score:4, Insightful)
Suppose I know the tendency of a district and I would rather that districts results are lost. Examples of activity to interfere would include:
- Cutting Power
- Electromagnetic Interference (burst device wiping out memory cards)
- Knocking out wireless infrastructure (cell towers, radio repeaters, whatever they use)
Some folks would say that we are overreacting and that all of these criminal activities have current-day equivalents. But without a paper-trail you only need to wipe one memory card remotely to kill hundreds of votes before they are sent to the server.Re:Liberal Bias (Score:1, Insightful)
Story from Fox [foxnews.com]
The story is there but it is buried on the Politics page which you can get to from the front page. The link appears just over halfway down the page.
Perhaps you all should read our report. (Score:5, Insightful)
MyDoom says Hi (Score:5, Insightful)
Still, she noted that tampering with voting equipment is a felony. "I'm not sure how many people would be willing to get a felony conviction and risk going to jail over an election," she said. Citing the problem of easily opened locks on the machines, she said an attempt to unlock a machine "would be very unlikely to succeed, because it would have to occur in a public place."
This woman should be fired from her job. She basically states that because some act would be a crime that no one would do it!!!
Did that stop Richard Nixon?
Did that stop whoever blew valerie Plame's cover?
Did that stop the authors of MyDoom from writing the virus?
Did that stop all the people in the US who committed crimes last year?
Did that stop Ken Lay and the fine folk at Enron?
Did that stop Halliburton from overcharging the Army?
What a fucking joke. It could have been a Microsoft security advisory for all the good it will do.
My premontion: There will be massive irregularities in the 2004 elections and guess who will win again?
Re:Need paper receipts (Score:5, Insightful)
President: John Adams
Vice-President: Thomas Jefferson
Treasurer: Etc
This way, the user gets a visual confirmation, and it's crystal clear who voted for whom. They put that chit into the ballet box (which is locked). Chits are stored. In the event of a question of fraud, the old ballot chits can be pulled out and verified - no "hanging chads" here. Users feel good "knowing" what they voted for, and the system can still be paperless.
I'd also want to see a 5% of all results double checked against what was reported, with random precincts checked to always keep things in line.
Internet not ready for something as big as this... (Score:3, Insightful)
The last thing we need is a botched up election with later claims that the system was found vulnerable, etc..
It's handy, no doubt, but maybe we should wait a bit...
Why the rush? (Score:3, Insightful)
One more thing. Where are these people from, who authorized computerized voting. Have these people never used a computer before? Have they never lost their work due to a system problem? I can only assume that they don't give a damn about election integrity, and that is telling.
What's wrong with mechanical voting systems? (Score:5, Insightful)
Mechanical voting machines have proved effective and relatively reliable for many, many years. I've heard the claim that the company that once manufactured them has gone out of business and that spare parts are no longer available. I say, BUNK. Given the amount of money that will undoubtedly be spent on engineering incredibly vulnerable systems which will be obsolete in a few years as compared to the previous systems which worked fine for a few decades, it would be a trivial task to have new parts designed and produced for the older machines.
Whose boondogle is the whole idea of electronic voting?
Re:No overloading terms (Score:1, Insightful)
Slashdot is lame.
All moderators deserve to be fucked up the ass 'til they bleed to death.
Re:Need paper receipts (Score:2, Insightful)
2) Voting machine spits out receipt with a MD5 hash key of his vote record, it's one way, it can never be decrypted again to determine how user voted"
Yeah, that'll be real hard to search for hash collisions on...
if(md5("joe schmoe: CandidateA") == $STORED_MD5)
print "Joe voted for candidate A"
if(md5("joe schmoe: CandidateB") == $STORED_MD5)
print "Joe voted for candidate B"
Re:Need paper receipts (Score:3, Insightful)
No, this is a good idea in concept but it won't work. There's generally only a very small set of possible voting outcomes, generally in the thousands, and that's brute-forcable in trivial time.
You can't pad with a random number or any of the other tricks usually used to make MD5 useful even in these circumstances because then you make it useless as a checksum.
Non-reversible algorithms only work when the potential inputs are much, much larger then the checksum itself. MD5, with its 128-bit size, is itself larger then most elections by a long shot.
Consider the California recall election: A yes/no/abstain (recall the governer?), a selection from ~200 candidates (IIRC), and a handful of yes/no/abstains for proposals that rode on the election (again IIRC); that's only 200*3^(~5) possible voting outcomes, nor was that a terribly unusual ballot (just selecting the governor is equivalent information-wise to 5 yes/no/abstain choices).
Yeah, you can pad it with the voter's name or other information but anybody who has that information can just add it in trivially.
MD5, in this domain, is reversible because this domain is trivially reversible. (In other words, weakness of the domain, not MD5.)
Again, good thought; I don't want to imply it's a bad idea. But it won't work.
Re:If I may reason... (Score:5, Insightful)
Yes, and they give you a paper receipt. And the banks are audited by a third party. And they can count the money still left in the machine to see if it matches what the machine says it should have, and that money is paper cash.
Why not do this: have the machine ask you all the questions, and print it out in human readable form with a 2D barcode of the same information. You check the sheet over and verify it's what you really wanted, or you put it in the handy-dandy shredder right beside it, and do it again. When you're satisfied with the result, fold it in half, take it to the ballot box and stuff it in there.
Then, to count it, open the box, scan the 2D code on every piece of paper, and the results are tabulated. If any of the results look suspect, then you can still use the paper for a manual recount, using human eyes.
Also, for every election, select 10% of the ballots at random and manually verify that the 2D barcode matches the human readable portion, just to audit the system. Obviously the auditing system has to be from a different vendor than the voting terminal.
Just one Canadian's opinion. Myself, I'm happy with a pen and paper.
Re:Need paper receipts (Score:2, Insightful)
Where would they put it?
In a lucky case, it disappears behind a cupboard within minutes. In a less lucky case they switch slips with their neighbors because they mix them up with bingo charts.
But probably they would just throw it away.
So what would be the whole point of those printouts?
IMHO you can not use automata to count votes until you can assure, no tampering with the machines is possible, at least not within a reasonable amount of time (a year? two?).
But equally, no personnel involved in the whole process should be allowed until it is proven they will not tamper with anything they count.
Re:If I may reason... (Score:3, Insightful)
No, all it takes is less corruption between the vote-machine makers and the politicians currently in office.
Take back the power, before it's totally out of your reach.
--rhad
Re:Need paper receipts (Score:3, Insightful)
Independent of whether this is electronic-voting-from-home or show-up-at-the-polls-and-touch-a-screen-voting, there's a simple concept from the business world that can be adapted for this situation
MERCHANT COPY / CUSTOMER COPY.
Just wish the PR spin ... (Score:1, Insightful)
http://www.corporate-ir.net/ireye/ir_si
Re:What bothers me (Score:3, Insightful)
Good point! All this talk about hackability of the system and paper receipts and back doors obscures what should be the basic necessary but insufficient condition for any electronic voting system. Let me lay it out:
If the code isn't open and viewable to the public, I don't trust it...and neither should you.
How to Steal an Election (Score:5, Insightful)
Would you like to steal an election? Here's a quick survey of how to do it. I'm absolutely serious: I've been involved in political campaigns for years, and have held elected public office. And one of the reasons I'm no longer actively involved in party politics (per se) is that I caught one of my committee people doing some of the shenanigans I mention below.
First--don't waste your time trying to cheat inside the polling place.
You would think the obvious place to steal votes would be in the voting booth, right? After all, bank robbers rob banks--so election crooks would gravitate toward polling places. Right?
Wrong. The place to steal elections is in absentee ballots.
Absentee ballots: the mother lode of vote fraud
Let's suppose that you learn that you've been scheduled for a trip out of state that will keep you from voting. You can call your county courthouse and ask for an absentee ballot application. They'll send you a form, which you fill out and return, and then you'll get an absentee ballot in the mail. You fill out the ballot and send it back to the courthouse by the due date--congratulations! You have voted absentee, and your vote has made the nation stronger. In a perfect world, that's how absentee ballots are supposed to work.
Over the past twenty or twenty-five years the absentee ballot process has, um, changed. In a blowout absentee ballots are meaningless--but in a closely-contested race a handful of absentee ballots can be the difference between a "moral" victory and the real thing. (As a college student I functioned as an "absentee ballot captain"--identifying college students in the Philadelphia area who lived in the 10th congressional district in Illinois. I got them registered to vote at home, and made sure they voted absentee. I put in scores of hours of work--and turned in something like a dozen votes. In 1978 we lost the election by 6 votes--in a special election in 1979 we won by something like 120.) As the value of absentee ballots has become more apparent, people have started to cheat. (The rules for absentee ballots, and the opportunity to cheat, really expanded dramatically with the "Motor Voter" bills that got jammed through state legislatures in the early 1990s.)
How to steal absentee ballots
The simplest way to steal absentee votes is to work your way through nursing homes. The ideal method is to have a dedicated party worker who is a resident of the nursing home--but you can also send in a "volunteer." Nursing homes love volunteers who come to visit--so it's easy to plant somebody. However you do it, your party worker announces that she (or he) wants to help everybody participate in the election. Nothing wrong with that, right? So she distributes voter registration cards (perhaps with your party already checked), and promises to make sure that all the cards get turned in to the courthouse. When election time rolls around, she points out that senior citizens can get absentee ballots without question, and without anything like a doctor's note. All you have to do is ask. So Helpful Sally signs up everybody for absentee ballots. And since the absentee ballot is a bit confusing, Helpful Sally helps everybody fill out their ballot. As a general rule, Helpful Sally is going to get in trouble if she tries to buffalo people into voting for her candidate for governor--but practically nobody knows the names and/or positions of candidates for judge, for district magistrate, for local races--even for state legislative positions. All Helpful Sally has to do is say, "if you don't know the candidates, just leave the ballot blank." Oh, how helpful Sally really is. And to be really helpful, Helpful Sally offers to save the voter the cost of the stamp: she'll take the ballot to the courthouse herself, so your vote won't get lost in the mail.
Once the ballot is done, Helpful Sally can do two things. If the voter picked the wrong office, Helpful Sally can simply "lose" the ballot. Unless the senior citiz
Maybe we should do this differently (Score:3, Insightful)
1) Start with each machine being configured to run stand-alone.
2) The voter places their votes, and is issued a paper reciept containing who you voted for, and what booth you used (perhaps a machine readable only side to give to the attendant, and a human readable side that you keep, for privacy) with their entries encoded into a bar code of sorts, as well as being recorded locally.
3) They bring the reciept to the person administrating the voting at that location, who takes their reciept and runs it though a reader which tabulates the votes for the whole voting session.
In the end those results are tallied against the individual voting booths, and as well as having a paper trail to fall back on, and it prevents someone in the booth from being able to do any more damage than corrupt whatever was done on their machine. And if the attendant tries anything with his machine, the count between the different booths will also be thrown off, and it would be very difficult (never say impossible) to destroy reciepts for one specific person because of the encoding.
Throw strong encryption and a minimal and hardened OS into the mix, and it might actually be reliable.
Re:Tamper tape (Score:2, Insightful)
So we have a smart card protected by tamper tape protected by a locked access panel protected by more tamper tape. That makes it more difficult, right?
Now imagine you are the election official and I point out that the outermost tamper tape on a certain machine is broke. Clearly you take the machine off-line, but do you a) leave it off-line through the end of the election (DOS vulnerability) or b) open the access panel to inspect the inside tape?
If you open the panel (explain to me again why allowing the keys to this access door into the precinct isn't itself a vulnerability) and discover the inner tape intact, you have also a) introduced a situation where the access panel door was opened during an election (what was the point of having that locked door again if standard procedure allows it to be opened?) and b) only gained assurance that the attack vectors specifically protected against by the inner tamper tape are safe. If access to the inside of the access panel offers any new attack vectors which aren't protected by tamper tape, any one of these vectors could have allowed an election compromise.
The key to security in this style is to ensure that every unit of added complexity you (as the defender) must add to increase security requires a order-of-magnitude (or more) increase in the amount of complexity I (as the attacker) have to deal with to defeat that security. If your actions fail that test, you're probably doing something counter-productive. It's a tall order, because the attacker always has the option of ignoring the vectors you've protected yourself most strongly against and choosing a less-protected target.
Oh, and BTW, while you and half the untrained volunteer election officials were deciding what to do about that potentially compromised access panel, I walked over to the next machine in the row and scratched the tamper tape off the outer door of that one as well. "This one too..."
Ain't I a stinker?
Hacks--Not Hack(ers) (Score:5, Insightful)
What does all this tell us? Well, I think anybody with a modicum of sense can see that the Diebold system is badly flawed. The Baltimore Sun has spelled it out in words that even non-technical people can understand.
What we have here is an elections board made up of political hacks, all trying to cover their individual and collective arses so they can continue to feed at the government trough. They made an ill-considered and ill-advised purchase of these machines, and they'll stop at nothing to excuse themselves and to see that we're forced to vote under the ridiculous circumstances they've imposed on us. Trying to make logical sense of what they say is an exercise in futility.
Didn't somebody once say that the OSI model had an eighth layer--the political layer? Well, fellow Marylanders and assorted interested parties, that's where we're functioning now. The merits (and lack of merits) of the Diebold system are a moot point, and I fully expect to be voting on one in November.
I have to echo a question asked by someone else: What is/was wrong with the voting machines we used for so many years?
Anne
Re:Need paper receipts (Score:3, Insightful)
Indeed, you don't want the voter to take it away with him as that provides a verification method for vote buying schemes. As it is now, you can bribe someone to go in and vote for your favorite candidate(s), but you have no guarantee that that's who they actually voted for.
Re:Need paper receipts (Score:2, Insightful)
Huh? So if I feel that there may have been some form of fraud, but cannot prove it, and wish to have the results rechecked, I will face punitive retribution (i.e. a fine) for wishing to make sure that the system has not been tampered with? Cool, only the rich can dispute the elections.
As to your second point, who faces punishment? The original counters? Is this done with no proof of where the possible fraud occured? The assumption is that since there is a discrepency the original counters are the criminals?
"Hey Tony, I was dicking around down at the courthouse that was built in the 1930's and found a way to sneak into the official store room. Lets go stuff the ballot box for our precinct, call a recount, and get old man Thompson sent to jail. HAHAHAHAHAHAH"
Re:The Best Democracy Money Can Buy - (Score:2, Insightful)
There was no attempt made to change the 'electoral process', only to cause it to adhere to its principles (i.e., the electoral college votes for a given state being cast for the candidate that got the most votes in that state).
Surely you understand the difference between "I am not accusing you of intentional wrongdoing" and "I believe you did not engage in intentional wrongdoing"? This is standard language when one's case does not pivot on intent; if in fact the behavior violated the rights of black voters, it becomes irrelevant from a *constitutional* standpoint whether or not that violation was intentional. Thus the NAACP gains nothing by accusing someone of wilfully violating the Constitution, and the opposite party is more likely to concede an inadvertent violation than an intentional one.
It's simple to make unfounded assertions. Do you understand what "vested interest" means? You gave no information that suggested anything other than Mr. Palast belives that George Bush is a Bad Guy, not that there was any vested interest in that position for him. Explain to me what Mr. Palast's 'vested interest' is (like, for instance, Cheney's Vested Interest in the Iraq war is that he will profit from the assignment of Halliburton as the primary contractor - that is a 'vested interest') in this issue is? You haven't illustrated any of the 'ignorant facts' (what the hell is an ignorant fact, anyway/) 'blatant mistruths' (I'm assuming you mean 'untruths' or 'lies',right?), or logical fallacies you mention, and have no evidence I seethat Mr Palast engages in 'artisan rhetoric' other than the fact that he's not a GeeDubya supporter.
Electronic selection, paper ballot (Score:3, Insightful)
Re:What bothers me (Score:3, Insightful)
He led the discussion with the whole Diebold 'committed to raising $100,000 for GWB' thing.
Actually, I think he should have led with the paper trail issue - as others have said before, the GWB fund-raising thing is a red herring that makes voting machine critics look like tin-foil hat-wearing nutcases.
At the end of the day, the Diebold people are clearly incompetent, and the system is hugely flawed. Those facts are hard-to-dispute.
The idea that large groups of Diebold staffers are involved in a massive right-wing conspiracy is significantly harder to prove, and fails the Occam's Razor test - why ascribe to malice what can easily be ascribed to incompetence?
I agree that Diebold got off the NPR hook too easily on their security flaws...
Well DUH! (Score:2, Insightful)
With no audit, no paper trail, and no accountability, it'll be a cake walk. Of course if they get exposed, they say "We didn't know" and then put the decision into the hands of the Supreme Court of Kangaroos and you know how that story goes.