E-Voting Firm VoteHere Discloses October Break-In
linuxwrangler writes "In the ongoing saga of electronic voting 'security,' eVoting company VoteHere is the latest to reveal that they were the victim of a computer break-in. According to VoteHere founder, Jim Adler, the concern isn't about their source code which they plan to reveal 'eventually,' anyway, but is about the possible release of salary and other HR data. Astoundingly, the 'hot poll' associated with this story has (as this is being posted) 28% of respondents saying they would trust their vote on the internet and 41% saying 'not now, but maybe soon.' Feel free to cast your vote." Reader nSignIfikaNt points to the Associated Press' article as carried by CNN.
Um... Suggestion... (Score:1, Interesting)
Just to bite our thumb at them.
Trust In E-Voting? (Score:5, Interesting)
Let's ignore hacking and break-ins. Those are too easy. Vendor bugs are bad enough. There have been bugs that cause automatic medicine dosers in hospitals to give out too much medicine and almost (or completely) kill a patient. I'll go vote for candidate Ham Sandwich, but how do I know some bug won't cause every vote for his opponent, Mr. Mayor, to be counted 100 times? These things just seem to happen more and more.
So what WILL have me trust it? Let's set it up like a slot machine is set up. It has its software burned into some ROM. It should be thoroughly tested by independent labs, the code should be available for me to look at, and I should be able to read the ROM chip after the elections are done so I know that it's got what it's supposed to on it (not that many people would do this, but it should be an option). When I'm done voting, it should print out a paper punch ballot that I can look at to see that it voted the way I told it to. The voting commissions can use the electronic results, but a random 5% of all districts every election should check the electronic counts against the paper ballots to make sure nothing weird is going on there. And most importantly of all (and like a slot machine), YOU SHOULDN'T BE ABLE TO CHEAT. Shock it with 10,000,000 volts to make sure it doesn't mess up and let me vote twice. Punch it and kick it and do anything possible (and then some) to make sure it still functions correctly, just like a slot machine. Slot machines go through all that because they might be responsible for millions of dollars. My vote should be worth more than that, and therefore should have TOUGHER standards behind it.
In short, I don't trust e-voting. The only way I'd LIKE to see e-voting is that you choose your candidates on the computer, then it prints out a punched ballot (with names and all, so I can see it did things right) that I turn in, and THAT'S my ballot; the machine is nothing more than a ballot punching tool and holds no results of its own. I should be able to do it all by hand if I want. This is the only way I'd like to see e-voting, and the description above is the only way that I'll accept it.
Eventually (Score:5, Interesting)
Someone probably rooted their linux mail server with a cracked account, and took the code for their app in the process.
Anyone want to bet they are in violation of the GPL, and we might just see the code itself under posted to the net any day now?
Am I missing something here? (Score:5, Interesting)
No chance of dodgy software. No hanging chads. Automatic audit trail. Either number the candidates in your order of preference (automatic runoff style / preferential) or simply tick the person you prefer (or hate the least).
Re:Measure the Slashdot Effect! (Score:5, Interesting)
Re:See? (Score:3, Interesting)
We knew that before. Haven't you heard of Arrow's theorem [wikipedia.org]?
So, how is this worse than non-electronic voting? (Score:5, Interesting)
It is also only within the last few decades that states have enacted laws to keep campaigners away from voting booths where they could "help" people choose whom to vote for.
Voting in the United States has long been fraught with fraud and inaccuracies, and as long as that fraud is equal on both sides, the system has worked.
Now, if there were more than two viable parties, then it might be a problem. But since there aren't, I will consider my vote as secure electronically as it is non-electronically.
Why are businesses being trusted? (Score:3, Interesting)
Why does everyone assume a private business has to or should be involved anyways? I'm not saying kicking private interests out would solve all the problems, but it would certainly help.
That said, until people stop voting based on what TV tells them to this is all moot. I know ardent supporters of George Bush who depend on government programs he's actively trying to eliminate. People don't vote rationally, and I don't see any reason why they're going to start.
Real problem with iVoting. (Score:4, Interesting)
There are a couple more important concerns. One is social engineering... most people have no intuition for computers, and this opens up an avenue of attack much worse than the whole Florida butterfly ballot scandal. Second, the possibilities of coercion, blackmail, bribery etc go WAY up if you can watch someone, or grab server logs, or use a remote desktop, or the like.
My take on this: unconvincing -- and listen up.. (Score:5, Interesting)
Now, what many of you might not know is that the VoteHere source code has been used in entrapment attempts. Specifically, with me, and I documented the entrapment effort at the time. Pure retaliatory crap designed to find a way to get activists to shut up.
Next, it is not surprising they will try to link it to the Diebold files. But that's bullshit, too, and here's why:
The FTP site wasn't hacked, it was sitting there. Look in any user manual and you'll see the address.
The memos weren't hacked either, they were obtained with an employee ID number.
Now, are you ready for this? I've had dealings with both the Diebold memo leaker and this supposed "VoteHere" hacker. The second person is NOT the same as the first, and I find it extremely interesting that VoteHere is trying to claim it's the same person. I am dead-certain it's not.
This "VoteHere" hacker tried to dump the VoteHere source code on me; it was simply dumb; first of all, VoteHere was supposed to be going public with its source code, so who in their right mind would want to steal it. I certainly didn't want to touch it.
Then this "VoteHere" hacker agreed to a telephone interview with me. He made some claims about who he was, but was unaware that I had additional information from inside sources that would allow me to test the veracity of his claims. The first question I asked was a test question; he put me on "hold" and then came back and offered a lame-ass guess which immediately caused him to fail the ID contest.
I believe this is going to turn into an entrapment scheme. Some activist somewhere is going to get nailed, probably that's already in the works. That's because they were running around offering this honey pot and, unfortunately, some naive activist probably bit on it.
By the way, I asked the supposed "hacker" point blank how hard it was to hack into a company that specializes in encryption. Every time I asked a tough question, he had to put me on hold and go ask someone what to say. His answer was totally unconvincing.
The voice on the phone was quite distinctive, and matches another voice I've heard on the phone. I will be only too delighted to share what I know with the authorities. Just hope I get an honest cop.
The timing on this is very interesting. The chairman of VoteHere, Ralph Munro, is former Washington State Secretary of State and a few things are starting to pop in relation to the use of unauthorized voting software under his watch, and an ethics complaint that's being filed, or has been filed.
I'll be on the Mike Webb Show at 11 p.m. tonight (Pacific time) and will discuss this at more length.
Bev Harris
Black Box Voting
Hold would-be vendors' feet to the fire. (Score:4, Interesting)
So, in this case, if for some (non-apparent, to me, at least) reason we really, really need paperless voting, the proper framework would look (as an extremely naive first pass) like this -
Potential vendors are made aware that some unknown number of elections, districts, machines, and people would be audited via unknown means.
Potential vendors would be forced to put up a large bond that would be forfeit if a flaw was found that compromised the voting record. (Yes, I mean the whole record - these are infallible counting machines, right? Operator error would be a contractual issue to hash out.)
Any dispute between government purchasers and vendors would be decided via arbitration in full and complete view of the public which is employing the machines, no exceptions.
Anyone who wished to vend would be welcome to.
I will bet you there will be takers. I know I'd be excited to at least have a shot at this.
The reliability of internet polls? Ha! (Score:4, Interesting)
If you think internet voting is unreliable, you really shouldn't trust internet polling. There is no authentication to make sure the poll isn't being spoofed.
Some years ago the provincial government here in Ontario decided to force the six municipalities that made up Metropolitan Toronto to amalgamate. The municipalities decided to hold a referendum. A widely publicized internet poll was conducted predicting that the public would vote strongly in favour of amalgamation. When the referendum was held, the public voted 4 to 1 against amalgamation.
I can't remember exactly how wildly off the poll favoured amalgamation. I think it was something like 2:1. So, the poll was off by a factor of 8. Wildly off.
Honestly (Score:4, Interesting)
E-voting has a lot of problems and the way it's being executed has just as many, but this is definitely a step in the right direction when compared to the problems of Diebold.
Re:Microsoft is responsible (really!) (Score:3, Interesting)
Hell no it doesn't. A little understanding may equal trust -- which leads to all the sorts of horrors that are routinely chronicled in the RISKS digest, and the kind of crap that Microsoft puts out.
The more experienced of us, with more understanding, know the many ways things can be screwed up (accidentally or deliberately) with a computer assist. As the saying goes, "to err is human; to really foul things up requires a computer".
I've been programming for 30 years, and I've worked on (among numerous other things) banking systems. That's why I still pay everything with paper cheques that get returned to me along with the statement.
Stark difference... (Score:3, Interesting)
Of course, security problems at electronic voting companies are always an ominous sign, but at least VoteHere had the forethought to realize that security is bound to be breached somewhere in the chain from development to election, and designed a system that's armored against it.