Diebold Disks May Have Been For Testers 182
opencity writes "The Washington Post reports on the two Diebold source disks that were anonymously sent to a Maryland election official this past week. Further investigation has lead individuals involved to believe the disks came from a security check demanded by the Maryland legislature sometime in 2003." From the article: "Critics of electronic voting said the most recent incident in Maryland casts doubt on Lamone's claim that Maryland has the nation's most secure voting system. "There now may be numerous copies of the Diebold software floating around in unauthorized hands," said Linda Schade, co-founder of TrueVoteMD, which has pressed for a system that provides a verifiable paper record of each vote."
Re:If the attackers can use the source to attack i (Score:5, Interesting)
The real lesson here is the lengths some politicians will go to so that they appear "right".
(OK, and Diebold also has security issues - but that is a side issue, everyone has security issues. These are the guys making ATMs, for goodness sake. A voting machine that is as secure as an ATM is probably good enough. You can't stop human fraud via a machine - humans win every time.)
Re:Copyright vs. election security (Score:2, Interesting)
We're talking about Maryland, not California or New York. Annapolis simply does not command the influence to convince companies such as Diebold to change their terms. And even if a state could and did try to influence Diebold to change the terms, I could see Diebold taking the state to federal court based on the "Dormant Commerce Clause."
Now, as to why they signed onto the idea as-is instead of saying "no, thank you," that's another matter.
Re:New tag (Score:2, Interesting)
But then i suppose you think google bombing is a dumb idea too. (even if it's useless, it's kind of amusing, and does in fact indicate what some people think, even if they put it out there consciously).
Re:What's the problem again? (Score:4, Interesting)
Also, it is possible that those disks were copied before they were discovered. These copies could potentially get into the hands of someone who wanted to abuse the election. Security through obscurity is no longer a good defense when your enemy has the source code. The only thing they're succeeding at is hiding flaws from the people who wish to fix them.
Remind me again why people use Diebold products?
Re:New tag (Score:5, Interesting)
Instead, the editors who post the story should be tagging it appropriately. As well as that, there should be a common set of tags that can be voted on for each story ( dupe, inaccurate, comfirmed, ect.. ), with the voting be weighed by user.
And even that is subject to errors, but it'd be more accurate.
Re:Can't do much with these disks (Score:5, Interesting)
I've heard the likes of your attitude before. It can pretty much be summed up as "Don't ask why, that's just how it is." Imagine if you told your kids that.
Try appending that statement to the end of different statements:
-"We can't cure cancer. Don't ask why, that's just how it is." And so nobody bothers researching a cure.
-"Your computer's Windows installation is broken. Don't ask why, that's just how it is." And so you needlessly spend $$$ on a new computer when all you needed was a fresh installation and anti-vir."
-"2 + 2 = 5. Don't ask why, that's just how it is." And so the plane crashes.
-"You're wrong. Don't ask why, that's just how it is."
I hope you get the point.
Re:If the attackers can use the source to attack i (Score:4, Interesting)
I'll address the second and third paragraphs first of all since it's more on topic before refuting the first paragraph.
I never said that a closed source software has to be inherently less secure than open source software. Whether the source is open or not doesn't have any direct implications on the security of the software. I said or implied that closed alrogithms are inherently less trustworthy than closed algorithms. Peer revue is an old and very well tested notion that lays the foundation for modern cryptography, and it is more than "look at the source and find flaws". I'll quickly outline the reasons for it here.
On Corey Doctorow's excellent speech on DRM [boingboing.net] he slyly called this Schneider's Law: "any person can invent a security system so clever that she or he can't think of how to break it". In other words if you thought of it then you probably only see its benifits without seeing its flaws. For someone to see the flaws they have to be able to think differently; not necessarily be smarter than you, just be able to think differently from you. The chances of getting someone to be able to do this in a small organisation is slim. Even sending it out to technical officers only increases the chances of it being found slightly.
The next reason more specific to this situation comes when you look at the likely attackers of the system. When looking at the voting machine you tend to think of politicians to be the most likely to compromise security. You might also have major corporations with a political adgenda, foreign governments, even private citizens. In other words, everyone. Not many people actually realise that this includes the programmers themselves!
Do you trust every person in Diabold? I don't even know them - who the fuck are they to have control over my vote? (Luckily I'm not American so they don't have control over my vote) If the code is secret then they not only have the means but they also have the ability to do it without getting caught! If you personally don't have access to the code you are simply giving your vote to the programmers and trusting them to do the right thing. I'm not saying that they're necessarily bad people, but there's a lot of money in the US elections, and everyone has a price.
I haven't really gone through that thoroughly and I think I've missed more than a few things but I don't really have that much time free. I'll get onto the first paragraph now. Firstly, gathering an algorithm without source from a binary is pretty trivial and as I said before the people most likely to attack these machines will have access to the machines themselves and thus have access to the binaries. Even without this, perhaps not knowing the algorithm is a disadvantage to a cryptoanalysist but even then many algorithms have identifiers in their output giving clues as to which algorithm it is. It's definitely not infinitely more useful to know the algorithm when determining what the message says. Even so if you're relying on an algorithm's secrecy to ensure security in your communications then as soon as the algorithm is released (and it most often is in more serious situations) then your communications are compromised. Yes you said all things being equal but the thing is the algorithm isn't supposed to be the secret, the key is.
Now that was a long rant.
meanwhile... (Score:3, Interesting)
Voting and ATM machines unrelated. (Score:5, Interesting)
Diebold BOUGHT the voting machine deisgn (by buying the company that made it). It is unrelated to their ATM designs.
Nah - easier answer .. (Score:1, Interesting)
The election in the US HAD to be rigged to ensure that payback (Return On Investment -ROI- of the most insiduous kind), but I must say that in the US history this is about the most blatant example yet. I guess it shows that it's well beyond rescue. Al Gore summed it up best: "we've seen an energy bill written by oil companies, a prescription drug bill written by pharmaceutical lobbyists, and a global warming policy run by the biggest polluters."
The easiest way to rig an election for a country as large as the US is to impair the fundamentals - hence Diebold getting the job. You could call them the Microsoft of the voting machines - "we don't care about quality as long as it sells". And in this case it appears it's exactly the flaws that enabled them to sell. After all, those that take the 'buy' decision are the ones that need the lack of security. A mild conflict of interest..
If you want any more evidence, just look at the official outrage that followed the unearthing of all the problems with Diebold. Yes, exactly - none whatsoever.
And this lot wants to bring 'democracy' to the countries it starts wars in. Yeah, right - let's be a bit more realistic: it keeps the problems off the front page.. See a recent BBC article [bbc.co.uk] for a good example..