Hotel Minibar Key Opens Diebold Voting Machines
Billosaur writes, "As if Diebold doesn't have enough to worry about! On the Freedom To Tinker blog, Ed Felten, one of the co-authors of the recent report 'Security Analysis of the Diebold AccuVote-TS Voting Machine', reveals an even more bizarre finding related to the initial report. It turns out that you can gain access to an AccuVote-TS machine using a hotel minibar key. In fact, the key in question is a utilitarian type used to open office furniture, electronic equipment, jukeboxes, and the like. They might as well hand them out like candy."
Wonderful (Score:3, Interesting)
And why does Diebold design these machines in such a way that they *CAN* be hacked? I think that involving an Operating System and software in the design of such a machine is a critical error. As a computer engineer, I realize that overcomplicating things can lead to errors. DSPs can make hardware extremely cheap, but there are places where analog circuits are cheaper and more reliable! Why hasn't Diebold designed a hardwired electronic circuit or a mechanical system with failsafes such that the machine can't be hacked, and the wrong candidate will not be selected if the machine fails? There are so many places where their current design can and will go wrong. I believe that it's time for these loonies (or preferably someone else who has more sense) to come up with a more rudimentary and failsafe design!
You would be amazed at what keys will open what (Score:3, Interesting)
Who will lose their job for this? (Score:2, Interesting)
Re:Why would we expect anything else? (Score:3, Interesting)
Keep fighting the good fight, brother.
Re:Why would we expect anything else? (Score:5, Interesting)
A more relevant question is: What are the penalties (criminal or civil) for using a key to open a voting machine during polling and doing nothing else.
You don't have to actively fsck things up to get the machine pulled. IMHO, merely opening the machine up would make for a good act of civil disobedience.
If the punishment is not something trivial, videotape yourself in the act and release it anonymously onto the internet the same day.
Even if the election officials do absolutely nothing, it'll show up on the evening and nightly news. That will be good or bad, depending on your perspective, but will definitely be noticed.
Re:The point of electronic voting again? (Score:3, Interesting)
There is a simple solution to this.
Assuming a paper trail, everything goes as normal, the polls close, and the machine spits out results -- Candidate X - nnnn votes. Candidate Y - mmmm votes, etc. These are passed up the line, however they are supposed to be.
Next, the worker in charge of the operation of that poll rolls a die 3 times. If it comes up 6 all three times, the vote box is opened and a manual check of the paper records is done. This means there is a random check of about 0.5% of the machines, which verifies the integrity of the voting machines. If there has been any widespread tampering, it will show up here. If the totals are tampered with higher up, there is the opportunity to compare the numbers published at the polls with the final totals.
But again, without a paper record, there is no way of verifying anything.
grnbrg.
Re:Can't say I'm surprised... (Score:4, Interesting)
Really, do you think so? On the surface, that's a perfectly rational response, I mean, everyone has the same access to these machines, right? What's the point of deliberately making a system everyone can cheat at?
Perhaps not everyone does have the same access. Perhaps certain voting machine companies favor one party or the other, and provide detailed instructions to their favored candidates. Perhaps something is going on further behind the scenes, giving certain favored groups privileged access to the counting machines themselves, making cheating at the machine level a moot point.
It just seems odd that a company with the skills to make ATM machines nearly impenetrable can't make a voting machine as secure. The track record of ATMs seems to rule out incompetence. Despite your scanty anecdotal evidence to the contrary, ATMs are on the whole very secure. Banks are notoriously picky about that sort of thing, and any company that could not make a secure ATM would find themselves out of the ATM market very quickly, and probably facing massive lawsuits.
What, then, is your explanation of why these machines are so insecure?
An idea I've been working on... (Score:2, Interesting)
The machines print you an official receipt indicating your vote and tag it with a random number. At the end of the election, all the data (a large random number and vote table) could be posted (website and otherwise) so anyone who wanted could verify the tally and their vote.
To avoid the injection of a bunch of bogus votes, it would also be necessary to allow anyone who wanted to (specifically a representative from each party) to come out on voting night and count the turnout.
The system can also be easily extended to avoid voter coercion and untrustworthy machines.
The coercing problem comes from the fact that third parties can now insist the voter shows them their receipt to verify they voted as instructed. This can be avoided by providing every voter with two receipts. One would be their actual vote, and the other would be, at their option, a random one or a specifically chosen alternative.
The system would then make the bogus vote verifiable, so the coercer won't be able to tell it is bogus, by searching its database for an already cast vote that matches and using the associated random number on the receipt. The individual would then be able to claim to the person doing the coercing that the fake vote is their actual vote and their actual vote is the fake vote.
The machine problem comes from the fact that it could rig the random numbers. For example, it could choose the numbers such that all of one candidate's votes get counted under one vote, and then correct the balance (so this is undetectable) by generating counter bogus votes. This is easily fixed by requiring the random number be a combination of machine and user.
That is, the machine first selects a random number and displays it to the user. The user then enters another to multiply it by. That way, neither the machine nor the user (unless the former can do long division of very large numbers in their head) are able to determine the final random number.
This stops both the machine from being able to rig the final number and the user from being forced to (by someone attempting to coerce them). Both numbers would be printed on the receipt so anyone could verify the machine didn't cheat on the multiplication.
Note this does not interfere with the coercing avoidance scheme, as a fake vote can still easily be produced. The machine would have no problem doing the required long division to make sure the vote was verifiable (the machine cannot do this for the actual vote as it has to show its number to the user before it gets to know what the user's number is).
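The receipt scheme described in the post above, as an added example that is not part of the original post or of any real voting system. It models the three pieces the poster describes: the machine commits to its number before the voter enters a multiplier, anyone can check the multiplication and the published tag, and a coerced voter can get a cover receipt that reuses an already-cast vote. The class and function names (Machine, Receipt, verify, fake_receipt), the 64-bit size of the machine's factor, and the use of a plain dict as the published table are assumptions of this example.

```python
import secrets
from collections import Counter
from dataclasses import dataclass

CANDIDATES = ("X", "Y")
BITS = 64  # size of the machine's random factor; an assumption of this example


@dataclass(frozen=True)
class Receipt:
    machine_num: int  # chosen and displayed by the machine first
    voter_num: int    # entered by the voter afterwards
    tag: int          # machine_num * voter_num, the published identifier
    choice: str


class Machine:
    def __init__(self):
        self.board = {}      # tag -> choice; published after the polls close
        self._factors = {}   # tag -> (machine_num, voter_num); kept by the machine
        self._pending = set()

    def start_vote(self):
        # Step 1: the machine commits to its factor before it sees the voter's,
        # so it cannot steer the final tag onto an existing one.
        m = secrets.randbits(BITS) | 1          # odd and non-zero (assumption)
        self._pending.add(m)
        return m

    def finish_vote(self, machine_num, voter_num, choice):
        # Step 2: the voter supplies a multiplier; the tag is the product.
        if machine_num not in self._pending:
            raise ValueError("machine number was not displayed first")
        if choice not in CANDIDATES or voter_num <= 0:
            raise ValueError("invalid vote")
        self._pending.discard(machine_num)
        tag = machine_num * voter_num
        if tag in self.board:                   # vanishingly unlikely collision
            raise RuntimeError("tag collision; retry")
        self.board[tag] = choice
        self._factors[tag] = (machine_num, voter_num)
        return Receipt(machine_num, voter_num, tag, choice)

    def fake_receipt(self, claimed_choice):
        # Coercion cover: find an already-cast vote for the claimed choice and
        # reuse its factors, so the cover receipt verifies against the board.
        for tag, choice in self.board.items():
            if choice == claimed_choice:
                m, u = self._factors[tag]
                return Receipt(m, u, tag, choice)
        return None                              # nobody has voted that way yet


def verify(receipt, board):
    # Public check: the multiplication printed on the receipt is honest and
    # the tag was published together with the vote the receipt shows.
    return (receipt.machine_num * receipt.voter_num == receipt.tag
            and board.get(receipt.tag) == receipt.choice)


def tally(board):
    return dict(Counter(board.values()))


if __name__ == "__main__":
    machine = Machine()
    shown = machine.start_vote()                 # machine's number on screen
    mine = machine.finish_vote(shown, 424242, "X")  # 424242: voter's multiplier
    print("real receipt verifies:", verify(mine, machine.board))
    cover = machine.fake_receipt("Y")
    print("cover receipt available:", cover is not None)
    print("tally:", tally(machine.board))
```

The board here is an in-memory dict standing in for the published vote table; the machine's stored factors are what lets it hand out a cover receipt that is an exact copy of another voter's entry, which is the behaviour the post describes.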
Re:The point of electronic voting again? (Score:3, Interesting)
Voter votes and gets a printout of his votes from machine A. He verifies that the votes are correct (if not, the printout gets shredded) and puts the printout into machine B (which signals to machine A that it got the printout). Note that machine A and machine B could be made by separate vendors, and B also contains a paper trail in case a recount is needed.
If machine A and B don't agree, you recount the paper ballots. Gee, sounds quite a bit harder to subvert eh? With added paper ballot goodness no less.
Re:Can't say I'm surprised... (Score:5, Interesting)
The phrase you are looking for is "Plausible Deniability". If you design a machine that can only be compromised by a single party then you're clearly a crook. If it can be hacked by a pre-school class with plastic hammers then you can claim to be merely hopelessly incompetent.
Re:Why would we expect anything else? (Score:1, Interesting)
Why, why, WHY is this so hard??
Each polling place should have a bunch of terminals that boot over the network off a server secured in the corner. The voting software is nothing more than a web page served from the server. (The OS for the server is on a DVD.) The terminals have touch screens, and people simply touch the face or name of the person they are voting for. At the end, after the vote appears on-screen for verification, a dual receipt prints out. One copy for the voter to keep, and one that remains on a giant spool of receipt paper locked inside the machine. The internal receipt appears under glass for the voter to confirm that it matches the copy they have. When they confirm, the internal vote paper is advanced so the next person can't see their vote.
When the polls close, the server in the corner of the room already has the results, so it dials the local voter office computer (or whatever) and reports them. The local voter office computer adds the figures together and dials the county computer, etc. A few more rounds later (and less than an hour later), the national results have been tabulated and reported.
In the case of a recount being needed, the internal receipt rolls can be pulled and looked at.
Simple. Accurate. Practically Fool Proof.
Re:What's needed now (Score:2, Interesting)
In Applied Cryptography, Schneier describes a system that in theory would allow us to maintain a one vote per person system and only the voter him or herself would be able to confirm that their vote was properly counted. The biggest problem with it is that the people who are most likely to vote are the ones least likely to be able to implement it. For the most part, people born in the 1930s aren't the ones who comprehend topics like public key crypto, signatures, hashes and the like.
LK
Re:Why would we expect anything else? (Score:1, Interesting)
Or, if that's even too heavy for your tastes, just get everyone you know to wear office furniture key jewelry (on a necklace or lanyard, perhaps) on voting day. T'would make 'em nervous, no doubt.
If you are looking to merely invalidate votes in a particular machine, I wonder how well protected the data is against EMP or high voltage? I seem to remember phone phreaks could futz with payphones using piezo-electric gas lighters, and I'm sure some electrical engineer could whip up something that would induce either high current or high voltage in the right place. Invalidating the votes for a district that votes solidly for one party could be useful for the opposition. Generating brown-outs, spikes, millisecond drop-outs, over-voltage etc. in the electricity supply for the voting station could have interesting effects as well.
Having seen what military radar does to automobile electronics, rigging up a klystron or magnetron in the back of a van could make the voting station inoperable, or at least unreliable enough to get the machines pulled.
Pencil and paper really does seem better. Short of throwing a lit Molotov cocktail into a ballot box (which would probably get you noticed), it is difficult to invalidate the votes.
Key number? (Score:3, Interesting)
Really though, this is nothing new. People always pull stupid shit like this with physical security. The local Union Bank branch I do work for (as a locksmith) has double locks on every teller drawer. One lock takes a key only the teller has and is different for each drawer, the other takes a key the manager has and fits all the drawers. Well, the "manager" key is another absurdly common key, the National "915". If they're expecting the manager lock to keep anyone out, they're sorely mistaken. I've told them, but they don't seem to care...
Die Harder (Score:3, Interesting)