
Diebold Disks May Have Been For Testers

Posted by Zonk
from the concientious-tester dept.
opencity writes "The Washington Post reports on the two Diebold source disks that were anonymously sent to a Maryland election official this past week. Further investigation has led individuals involved to believe the disks came from a security check demanded by the Maryland legislature sometime in 2003." From the article: "Critics of electronic voting said the most recent incident in Maryland casts doubt on Lamone's claim that Maryland has the nation's most secure voting system. "There now may be numerous copies of the Diebold software floating around in unauthorized hands," said Linda Schade, co-founder of TrueVoteMD, which has pressed for a system that provides a verifiable paper record of each vote."

  • by WhiplashII (542766) on Sunday October 22, 2006 @11:15PM (#16541926) Homepage Journal
    What is funny is that no one has commented on the real story here - Diebold sent a copy of the source code for a security audit, as requested. Maryland's security team then leaked the code to external people and used the incident to claim that Diebold's security is awful...

    The real lesson here is the lengths some politicians will go to so that they appear "right".

    (OK, and Diebold also has security issues - but that is a side issue, everyone has security issues. These are the guys making ATMs, for goodness sake. A voting machine that is as secure as an ATM is probably good enough. You can't stop human fraud via a machine - humans win every time.)
  • by Guppy06 (410832) on Sunday October 22, 2006 @11:20PM (#16541974)
    "The government ought to be hiring a software company on contract to provide the service of writing voting software, not buying a product from them."

    We're talking about Maryland, not California or New York. Annapolis simply does not command the influence to convince companies such as Diebold to change their terms. And even if a state could and did try to influence Diebold to change the terms, I could see Diebold taking the state to federal court based on the "Dormant Commerce Clause."

    Now, as to why they signed onto the idea as-is instead of saying "no, thank you," that's another matter.

  • Re:New tag (Score:2, Interesting)

    by NoTheory (580275) on Sunday October 22, 2006 @11:28PM (#16542038)
    Oh, quit being such a stodgy whiner. Tagging systems aren't replacements for top-down ontologies, and shouldn't be used as such. The source of the information isn't trustworthy or comprehensive, I don't see why the existence of a tagging system shouldn't change the information it seeks to describe. So you're shooting for a moving target, so what? Tagging/user keywords are an imprecise science, at best, and a dark art at worst.

    But then I suppose you think Google bombing is a dumb idea too. (even if it's useless, it's kind of amusing, and does in fact indicate what some people think, even if they put it out there consciously).
  • by Hemogoblin (982564) on Sunday October 22, 2006 @11:35PM (#16542094)
    She's probably unhappy because the copies are NOT being made available for public scrutiny. They are being returned to Diebold.

    Also, it is possible that those disks were copied before they were discovered. These copies could potentially get into the hands of someone who wanted to abuse the election. Security through obscurity is no longer a good defense when your enemy has the source code. The only thing they're succeeding at is hiding flaws from the people who wish to fix them.

    Remind me again why people use Diebold products?
  • Re:New tag (Score:5, Interesting)

    by grasshoppa (657393) <skennedy AT tpno-co DOT org> on Sunday October 22, 2006 @11:55PM (#16542208) Homepage
    While tagging in general is an interesting idea, you have to understand that the combination of semi-anonymous tagging + your average internet idiot will completely ruin any hopes for a tagging system that does what you specify.

    Instead, the editors who post the story should be tagging it appropriately. As well as that, there should be a common set of tags that can be voted on for each story (dupe, inaccurate, confirmed, etc.), with the voting being weighed by user.

    And even that is subject to errors, but it'd be more accurate.
  • by electrosoccertux (874415) on Monday October 23, 2006 @01:42AM (#16542880)
    There are far more serious issues than our voting problems today when people consider wanting to learn about something akin to "messing with" it. As if my understanding of the source code behind how my vote is cast at all interferes with our country electing the next president. Unless, that is, there are flaws in the code that say all the votes will be converted to votes for [insert favorite politician here] if I press the upper right hand corner of the screen five times in under ten seconds; and my understanding of such a flaw [even though I wouldn't take advantage of it] stalls the election process. Now whose fault would that be? Is it somehow my fault, for finding out that Diebold did a bad job?

    I've heard the likes of your attitude before. It can pretty much be summed up as "Don't ask why, that's just how it is." Imagine if you told your kids that.

    Try appending that statement to the end of different statements:

    -"We can't cure cancer. Don't ask why, that's just how it is." And so nobody bothers researching a cure.
    -"Your computer's Windows installation is broken. Don't ask why, that's just how it is." And so you needlessly spend $$$ on a new computer when all you needed was a fresh installation and anti-vir.
    -"2 + 2 = 5. Don't ask why, that's just how it is." And so the plane crashes.
    -"You're wrong. Don't ask why, that's just how it is."

    I hope you get the point.
  • by strider44 (650833) on Monday October 23, 2006 @01:44AM (#16542890)
    You obviously haven't done any sort of cryptography. (And yes, I have and do do cryptography and cryptanalysis.)

    I'll address the second and third paragraphs first of all since it's more on topic before refuting the first paragraph.

    I never said that a closed source software has to be inherently less secure than open source software. Whether the source is open or not doesn't have any direct implications on the security of the software. I said or implied that closed algorithms are inherently less trustworthy than closed algorithms. Peer review is an old and very well tested notion that lays the foundation for modern cryptography, and it is more than "look at the source and find flaws". I'll quickly outline the reasons for it here.
    On Cory Doctorow's excellent speech on DRM [boingboing.net] he slyly called this Schneier's Law: "any person can invent a security system so clever that she or he can't think of how to break it". In other words if you thought of it then you probably only see its benefits without seeing its flaws. For someone to see the flaws they have to be able to think differently; not necessarily be smarter than you, just be able to think differently from you. The chances of getting someone to be able to do this in a small organisation is slim. Even sending it out to technical officers only increases the chances of it being found slightly.

    The next reason more specific to this situation comes when you look at the likely attackers of the system. When looking at the voting machine you tend to think of politicians to be the most likely to compromise security. You might also have major corporations with a political agenda, foreign governments, even private citizens. In other words, everyone. Not many people actually realise that this includes the programmers themselves!

    Do you trust every person in Diebold? I don't even know them - who the fuck are they to have control over my vote? (Luckily I'm not American so they don't have control over my vote) If the code is secret then they not only have the means but they also have the ability to do it without getting caught! If you personally don't have access to the code you are simply giving your vote to the programmers and trusting them to do the right thing. I'm not saying that they're necessarily bad people, but there's a lot of money in the US elections, and everyone has a price.

    I haven't really gone through that thoroughly and I think I've missed more than a few things but I don't really have that much time free. I'll get onto the first paragraph now. Firstly, gathering an algorithm without source from a binary is pretty trivial and as I said before the people most likely to attack these machines will have access to the machines themselves and thus have access to the binaries. Even without this, perhaps not knowing the algorithm is a disadvantage to a cryptanalyst but even then many algorithms have identifiers in their output giving clues as to which algorithm it is. It's definitely not infinitely more useful to know the algorithm when determining what the message says. Even so if you're relying on an algorithm's secrecy to ensure security in your communications then as soon as the algorithm is released (and it most often is in more serious situations) then your communications are compromised. Yes you said all things being equal but the thing is the algorithm isn't supposed to be the secret, the key is.

    Now that was a long rant.
  • meanwhile... (Score:3, Interesting)

    by dangil (167785) on Monday October 23, 2006 @02:34AM (#16543146)
    ... in the backwards, barbarous and poor country of Brasil, our elections have been 99% electronic for the past 9 years, without any hiccup... one can imagine that perhaps the monkeys, snakes and tigers are helping us vote somehow...
  • by Ungrounded Lightning (62228) on Monday October 23, 2006 @02:37AM (#16543164) Journal
    The fact that diebold also makes ATM's indicates nothing less than malice in the design ...

    Diebold BOUGHT the voting machine design (by buying the company that made it). It is unrelated to their ATM designs.
  • by Anonymous Coward on Monday October 23, 2006 @03:35AM (#16543478)
    You don't have gazillions of dollars worth of 'investment' waiting for payback as soon as the guy becomes president (nobody is so naive to believe that (a) an election is won by the best and (b) that nobody wants to see a return on the $$ they funded the candidate with).

    The election in the US HAD to be rigged to ensure that payback (Return On Investment -ROI- of the most insidious kind), but I must say that in the US history this is about the most blatant example yet. I guess it shows that it's well beyond rescue. Al Gore summed it up best: "we've seen an energy bill written by oil companies, a prescription drug bill written by pharmaceutical lobbyists, and a global warming policy run by the biggest polluters."

    The easiest way to rig an election for a country as large as the US is to impair the fundamentals - hence Diebold getting the job. You could call them the Microsoft of the voting machines - "we don't care about quality as long as it sells". And in this case it appears it's exactly the flaws that enabled them to sell. After all, those that take the 'buy' decision are the ones that need the lack of security. A mild conflict of interest..

    If you want any more evidence, just look at the official outrage that followed the unearthing of all the problems with Diebold. Yes, exactly - none whatsoever.

    And this lot wants to bring 'democracy' to the countries it starts wars in. Yeah, right - let's be a bit more realistic: it keeps the problems off the front page.. See a recent BBC article [bbc.co.uk] for a good example..
