Maryland Electronic Voting Systems Found Vulnerable
snoitpo writes "My fine state (Maryland) has hired some people I can respect to hack into Diebold voting machines. The Washington Post (read it free for 2 weeks) has the details. From this story and the one on NPR, the state hired a company and set up a test voting precinct and had the group try whatever they could to break into the machines. Most of the attacks would probably be noticed by an even-half-awake poll staff, but some vulnerabilities were exposed. The net seems to be that you could really mess up individual machines, but the grail would be to get to the central collection servers and send a megavote to your favorite candidate. The last paragraph mentions problems that voting machines had in the last election in Virginia; it's interesting to note that those use wireless networking--my jaw has dropped onto my keyboard and I can't comment any further." Other readers sent in two stories in the Baltimore Sun (1, 2), and one in the NY Times.
when will they ever learn (Score:2, Interesting)
Re:Need paper receipts (Score:1, Interesting)
A totally paper based system.
Of course it isn't the whiz bang system that e-voting is but its 10000 year track record says that it is ready for the mainstream.
Re:Need paper receipts (Score:4, Interesting)
August 2003 in Virginia (Score:3, Interesting)
It seems now that Maryland is finally catching on, too.
In other news: (Score:2, Interesting)
Internet voting system for overseas Americans is vulnerable, security experts say [securityfocus.com] - and their comments extend to a scathing debunking of *all* internet voting methods.
A slightly older, but very thorough, article by Scott Granneman entitled the Electronic Voting Debacle [securityfocus.com].
Oh, and I can't leave without mentioning the essential Black Box Voting [blackboxvoting.org] site...
[posted as an AC as I don't want to whore the karma]
Diebold knows security like I speak Klingon (Score:5, Interesting)
Their response: "We'll put firewall software on the machines."
Since the contract was already signed we had no leverage and that ended up being the solution. Nice, eh?
Re:It's not a panacea (Score:5, Interesting)
The other, related issue is whether or not the security model of the voting system is comprehensible to the people who are charged with running the election. I think that, in the case of paper ballots, the model can be understood by any normally-intelligent person. (You only get one ballot paper, it has to be put in the box, no one can mess with the box, etc.)
On the other hand, I would guess that there are fewer than 5 in 100 election officials (including those that select the systems) that actually grok the security model of electronic systems.
The frequently-heard claim by election officials (e.g, here in Fairfax County VA) that the election was held and "it all worked out" is scary evidence of this.
What bothers me (Score:5, Interesting)
Also, there was no discussion of the debate between those of us that believe that the e-voting systems should be required to use Open Source software vs. folks at Diebold and other vendors, who foist off the "trust us, we know what we're doing" line on the public. There was no real discussion of the effect that questionable e-voting results could have on the American political system. There was also no mention of the fact that Diebold's president is involved with raising money for the G.W. Bush re-election campaign and has pledged, IIRC, "to do everything I can to deliver the vote to George Bush." All in all I'm afraid that NPR really dropped the ball on this particular issue.
Just my $.02,
Ron
Re:Need paper receipts (Score:5, Interesting)
What the machines need is a paper roll printer, with a glass window above the print mechanism that allows the viewing of only that last line printed.
When the user casts their vote, they are instructed to verify in the window that the vote they cast is the one that was printed. If not, get an attendant.
Nobody can cash in their vote chit, and with batches of votes on individual rolls of paper it would be a lot easier to tabulate than counting paper ballots.
-Chris
Re:Tamper tape (Score:2, Interesting)
Exactly. This points out the difference in thinking of the hacker's mind. An election official thinks adding complexity (tamper tape) to the system would raise the bar for mischief. Now, instead of just being armed with a lock pick (and the skill+opportunity to use it effectively), the assailant must also be equipped to tamper with tamper-evident tape without getting caught.
In fact they are lowering the bar. The assailant now needs nothing more than a fingernail to cause reasonable doubt and get all the votes from that machine thrown into question.
How long does it take to train a set of disgruntled minority (in the sense of how their district usually votes) voters to break the tamper-evident seal?
What's more worrisome... (Score:1, Interesting)
I'm much more worried about the people already in power or who want to be in power screwing with the election than I am about "hacker" vulnerabilities.
Re:What is wrong with paper? (Score:4, Interesting)
A year and a half ago here in Georgia, Gov. Perdue and Sen. Chambliss both overcame 10 point poll deficits to win. There's no paper trail and no recount is possible.
-B
I haven't been concerned about outsiders... (Score:5, Interesting)
hacking into the voting computers. It's the insiders with an agenda that I am concerned about. The ONLY way to get around this is with a voter-verifiable paper trail AND taking the vote counting away from corporations that create the machines and putting the counting where it belongs: citizen groups.
Diebold and ALL the other commercial vote machine vendors are heavy Republican donors and, particularly in the case of Diebold, run by individuals devoted to getting Republicans elected and Bush elected (I can't say "re-elected" as he didn't get elected in the first place). THESE criminals have the means and motive to taint the vote...in secret! They are in control of the machines and the vote tallies. They cannot be trusted, given how openly partisan they are.
It is NOT the random outside hacker we need to worry about that much (sure, protect against it), it is the machine makers and vote counters themselves that have to be protected against. Ask yourself this: Why is it that EVERY vendor of voting machines is so adamantly opposed to any paper trail possibility? Why are they so strenuous in their arguments against it? Because it would queer their ability to tamper with the vote tallies.
Voter-verifiable paper trail. It's the only way to be sure.
Re:Tamper tape (Score:2, Interesting)
However, tamper tape need not invalidate the votes; it could merely mean the machine is subject to an extensive review of the logs. Increasing time/cost/unreliability, but not necessarily resulting in total disenfranchisement.
Re:Need paper receipts (Score:2, Interesting)
That would be rather difficult, seeing as paper has only been around for about 2200 years [peopledaily.com.cn]
Re:Need paper receipts (Score:2, Interesting)
then all the hashes are posted on a website somewhere, so you can verify from home that your vote was counted.
With these results... (Score:3, Interesting)
I mean, we remember what happened a while back right? If I recall there were a number of security related risks regarding customer information... or did they release that information on a volunteer basis?
might do good. (Score:5, Interesting)
Re:Need paper receipts (Score:4, Interesting)
oh, the irony
budget: $5 million
time: 2+ years
result: joe voter drops a paper slip in a box
democracy inaction (Score:4, Interesting)
The most frustrating part is that my county already had perfectly good voting machines: paper-based scantron-type forms where you mark the appropriate rectangle and a simple scanner tabulates the results. Effective, verifiable, well-understood, and relatively inexpensive. In other words, the complete opposite of what the state just bought for us.
--Approve Approval Voting Now! [geocities.com]
Re:Need paper receipts (Score:5, Interesting)
A basic requirement for a fair vote is that the voter does NOT receive a copy of their vote. Otherwise somebody threatening you / bribing you to vote a certain way has a way to confirm that you did like you were told.
What is so hard and confusing about THIS method: People vote by checking off a box on a sheet of paper. People fold this paper over and hand it to a poll worker, and watch while this worker places the folded piece of paper in a locked strongbox. Poll worker has a clicker to count the number of votes placed in the box. When the polls are closed, a public counting occurs, where a third-party counts all of the votes up. If the number doesn't add up to the clicker number, they count again. Once their count has been confirmed, representatives of the various candidates are allowed to count it themselves, if they want, again under observation. If their number doesn't agree with the third-party number, they can dispute the count. Otherwise, the people present sign off that they witnessed the counting.
Now, nobody can hack the system. Can a worker stuff the box? No, the box is plainly visible to public observers. This is VERY important. The press, and public watchdog groups need people at EACH voting station to make SURE the workers aren't on the take. Additionally, bribing a vote counter or a poll worker, or any other sort of fraud, should be considered treason, and punished by life in prison. Again, there is no good way for the counters to disrupt the vote, because they are being watched. (Behind closed doors, democracy dies) Disputed boxes will be recounted elsewhere by somebody else, but still under public observation. To prevent rampant disputing, the campaign officials and watchdogs will face stiff fines if they dispute a vote, and the recount is not in their favour. Similarly, if the recount differs significantly from the original count, the official counters will face punishment. The end result is, it makes it quite hard to foul up a vote without being caught. And the punishments are dire enough to (hopefully) prevent most people from trying. There should also be more stations, so that no group is counting thousands and thousands of votes.
This whole process is time consuming, and expensive (Small poll stations = lots of workers). But if bringing Democracy to other countries is worth hundreds of billions, isn't bringing it to yourself worth even 1? Also, I've never understood the need to have results NOW NOW NOW. Can't you wait a day? Is it so necessary to have the vote results within an hour? No doubt it would be nice, but is saving a day of suspense worth potentially wrong results?
Re:Need paper receipts (Score:5, Interesting)
In order for the voter to verify their vote, you must give them every last bit used to compute the hash.
If we assume that we are not printing out the voter's vote, then we must give them everything else, plus we must give them exactly how the vote was encoded.
Otherwise, neither they nor anybody else can ever verify the hash by re-computing it.
Once somebody has all the data, plus precisely how the vote was encoded, it is trivial to take the hash of (all voter data + all possible votes) and determine which matches the hash. Thus, we are still giving the voter a piece of paper that confirms exactly how they voted, making them susceptible to all vote-selling and other such nasty scams.
There is no way to give the voter the ability to verify their vote without also giving someone else the ability to reverse-engineer the vote in trivial time with an MD5 hash. If even one bit is kept from the voter, they can not verify. If all bits are given to the voter, then anyone can verify. There is no in-between.
(Even if you ask the voter to provide some secret, it can be beaten out of them, and it can be trivially positively determined whether a given secret is the one in the hash; this is one of those cases where more security is bad; see how making cars harder to steal has increased carjackings, a far more dangerous crime.)
There is no way out. You must not allow the voter to take any proof of their voting out of the booth; they must leave all evidence in the booth or the system breaks. That's why a paper receipt is desirable, but the system must keep it.
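The argument in the comment above, worked through as an added example that is not part of the original thread: a receipt hash computed over a small set of possible votes can be matched by anyone who holds the same inputs the voter needs for verification. The field names, candidate names and encoding are constructed for illustration, and SHA-256 stands in for the MD5 the comment mentions, since the result does not depend on the hash function.

```python
import hashlib
import secrets

# Constructed sample ballot; all names here are hypothetical.
CANDIDATES = ["Alice Example", "Bob Sample", "Carol Placeholder"]

def receipt_hash(voter_fields, vote, nonce=b""):
    """Hash over a canonical encoding of every input to the receipt."""
    encoded = "|".join(f"{k}={voter_fields[k]}" for k in sorted(voter_fields))
    data = encoded.encode() + b"|vote=" + vote.encode() + b"|" + nonce
    return hashlib.sha256(data).hexdigest()

def voter_can_verify(voter_fields, claimed_vote, published_hash, nonce=b""):
    """The voter's check: recompute the hash from what they were given."""
    return receipt_hash(voter_fields, claimed_vote, nonce) == published_hash

def recover_vote(voter_fields, published_hash, candidates, nonce=b""):
    """Anyone holding the same inputs can try each possible vote in turn."""
    matches = [c for c in candidates
               if receipt_hash(voter_fields, c, nonce) == published_hash]
    return matches[0] if len(matches) == 1 else None

def demo():
    fields = {"precinct": "constructed-07", "ballot_serial": "000123"}
    vote = "Bob Sample"

    # Case 1: every hashed input is printed on the receipt.
    h1 = receipt_hash(fields, vote)
    case1 = (voter_can_verify(fields, vote, h1),
             recover_vote(fields, h1, CANDIDATES))

    # Case 2: the machine mixes in a 128-bit value it never discloses.
    nonce = secrets.token_bytes(16)
    h2 = receipt_hash(fields, vote, nonce)
    case2 = (voter_can_verify(fields, vote, h2),
             recover_vote(fields, h2, CANDIDATES))

    # Case 3: the same value is given to the voter, so a third party
    # who obtains the receipt holds it too.
    case3 = (voter_can_verify(fields, vote, h2, nonce),
             recover_vote(fields, h2, CANDIDATES, nonce))
    return case1, case2, case3

if __name__ == "__main__":
    for label, result in zip(("all inputs disclosed", "nonce withheld",
                              "nonce disclosed"), demo()):
        print(label, result)
```

Verifiability and secrecy move together in all three cases: whenever the voter's check succeeds, the vote is recoverable from the receipt, and when it is not recoverable the voter cannot verify either.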
Need a migration path (Score:2, Interesting)
Good break-in; bad conclusion? (Score:2, Interesting)
Perhaps the hackers were respectable, finding the clearly serious flaws. But at least one decision maker still seems to have reached the wrong conclusions:
It's apparently "impossible" to put some of the recommendations in place in time, but they're sticking with the system. How do they add a paper trail without patches of some kind, assuming they don't just make everyone vote twice?
"I don't disagree with what they say -- they're the experts," Lamone said after the Senate hearing. But, she added, "I think it's a very good system."
And how do they put "tamper tape" on a phone number whose answering system the consultant says is "easily" breakable and can't be patched in time?
Their higher priority appears to be that the Diebold systems will fly in March, not that they will use a trustworthy system.
No (Score:2, Interesting)
No, there is NO problem with using a wireless network; if a vulnerability is created just because it happens to be wireless then you have bigger problems to deal with.
All that is needed is a good implementation of public key and a very small amount of thought as to where an individual vote needs to be guaranteed accurate.
It's perfectly feasible to create an all electronic system that's perfectly accurate, nearly hackproof, massively verifiable, and almost instantly countable. It's a problem a high schooler could lay the foundation for.
So why are we wasting our time with the trash presented so far? Because the states haven't been asking the providers to go through the extra trouble. Let them take the easy way out and of course they will.
But get off this nonsense about paper trails, receipts, and outrage over wireless.
Vulnerability vs Determination (Score:1, Interesting)
If a hypothetical 100% secure system may be controlled by even 1 human, the interested party will compromise this person's integrity.
An ancient workaround is to have systems rely on the input of many people (2 lock safes, numerous people present at the election locations etc.) as at one point it becomes too difficult to compromise enough people and keep it secret.
The paper based voting has been tested in the last few decades and has proven satisfactory.
So, if the goal is controlled and successful election process, the answer is clear.
But is this what the rattle is all about?
Here are a few "benefits" from radically changing the technology:
- votes will be counted faster
- a sihtload of money will be made by private manufacturers and empowered individuals may get a big kickback
- a closed source solution may provide some individuals with power to anonymously abuse the system
I, personally, am OK with waiting a few days longer.
This reminds me of a bumper sticker I keep seeing on cars saying "War is not the answer!" Actually, war is exactly the answer... To a different goal set.
NPR - Better link (Score:3, Interesting)
what if... (Score:3, Interesting)
my question is: suppose someone DOES manage to wipe out or tamper a bunch of votes, and the volunteers realize it. would the county actually admit they just lost 10,000, 20k, 30k votes by accident? there's no way you could sue the county, so all these folks would be denied their constitutional rights with no way for recourse.
in the neon of agrajag:
be afraid, be very afraid...