Worst Ever Security Flaw in Diebold Voting Machine 681

WhiteDragon writes "The folks at Open Voting Foundation got their hands on a Diebold AccuVote TS touchscreen voting machine. They took it apart (pictures here), and found the most serious security flaw ever discovered in this machine. A single switch is all that is required to cause the machine to boot an unverified external flash instead of the built-in, verified EEPROM."
  • by Volante3192 ( 953645 ) on Monday July 31, 2006 @01:26PM (#15818421)
    Nothing for you to see here. Please move along

    That's exactly what Diebold wants you to think...
  • by telbij ( 465356 ) * on Monday July 31, 2006 @01:26PM (#15818423)
    You'd think in this day and age we'd have some idea of how to create a secure voting system. Unfortunately it doesn't seem like much of a concern to the politicians. They assume computers are more secure than paper because they don't understand them. Nevermind all the computer scientists warning about the pitfalls of electronic voting. Let's just trust this Diebold sales guy over here! We know he's telling the truth because of the billion dollar contract!

    Here's a hint for politicians: If in a population of 300,000,000 only 1,000,000 are capable of understanding how the voting system works, and if only 1,000 people are actually allowed to see how it works, and if there's no verifiable paper trail or any simple and legitimate verification system, then democracy is a farce.
    • wrong question (Score:5, Insightful)

      by BitterAndDrunk ( 799378 ) on Monday July 31, 2006 @01:28PM (#15818438) Homepage Journal
      When will the people wake up? I suspect (some) politicians are well aware of the "flaws" found in the system.
      • Re:wrong question (Score:5, Insightful)

        by oyenstikker ( 536040 ) <slashdot@sbyTEArne.org minus caffeine> on Monday July 31, 2006 @01:38PM (#15818544) Homepage Journal
        Not until after the people wake up.
      • Re:wrong question (Score:5, Insightful)

        by telbij ( 465356 ) * on Monday July 31, 2006 @01:42PM (#15818590)
        When will the people wake up? I suspect (some) politicians are well aware of the "flaws" found in the system.

        Good point. I guess I figured the one thing politicians should know something about is voting. If it's up to the people then we're pretty much doomed, because the American people don't know and don't care about politics. At this point we're so swamped between work and entertainment that the only way to generate political awareness is if it becomes a fad like it did in the Vietnam era. Either that or a lot more Katrina-style disasters to destroy people's television sets.
      • Re:wrong question (Score:5, Informative)

        by 955301 ( 209856 ) on Monday July 31, 2006 @01:48PM (#15818650) Journal
        you suspected correctly. The current rep, Tom Feeney, representing South Florida rigged the US 2004 election for his post.

        http://www.youtube.com/v/7WmC4grXdIk [youtube.com]

        http://www.house.gov/feeney/ [house.gov]

        very interesting video. The computer programmer explains what he was asked to do. He gets stupid at the end though and starts rambling off topic, but I blame that on too much time on Slashdot.

      • by ArcticCelt ( 660351 ) on Monday July 31, 2006 @02:00PM (#15818767)
        ...well aware of the "flaws"...

        A flaw? Nahh that one is definitively someone's feature.

      • Re:wrong question (Score:5, Insightful)

        by Y2 ( 733949 ) on Monday July 31, 2006 @02:10PM (#15818867)
        When will the people wake up? I suspect (some) politicians are well aware of the "flaws" found in the system.

        The world makes a lot more sense if you assume that at least a few politicians understand things quite well.

      • Re:wrong question (Score:5, Insightful)

        by megaditto ( 982598 ) on Monday July 31, 2006 @02:11PM (#15818877)
        One man's "flaw" is another man's "feature". But really, hacking is not a problem if there is a paper trail mechanism in place.

        Is it that hard to put a thermal printer behind a glass shield: a voter can view his vote on paper tape. The current record is hidden when the tape is fed-forward for the next voter.

        Random spot-checks can ensure that a machine reported same number of e-votes as paper-votes. Say, check 500 machines at random, if they all function correctly, accept the electronic results for the whole country.
        • Re:wrong question (Score:3, Insightful)

          by Keebler71 ( 520908 )
          I don't understand this obsession with having a "paper trail". How does having a paper trail make the results any more verifiable? What if there is fraud in the paper trail? What if ballots are (somehow) stolen from (or added to) the paper trail container? How would one distinguish between a good electronic count with a bad paper trail, and a fraudulent electronic count with an accurate paper trail? My point is, without a third independent source, all you know is that there is a disagreement - there is
          • Are you serious? (Score:5, Insightful)

            by TamMan2000 ( 578899 ) on Monday July 31, 2006 @03:42PM (#15819784) Journal
            Paper trails are just as susceptible to fraud as electronic systems.

            Do you actually believe that or are you just playing devil's advocate?

            The only measure in which that can be accurate is the binary "Is fraud possible?" measure, any measure which takes into account degree of susceptibility, paper is the hands down winner. Just for starters, we have experience investigating paper trails. There is physical evidence left behind when a paper trail is tampered with. Tampering with the paper trail necessarily requires physical access. The list of ways in which paper is demonstrably superior goes on, and on...
          • Re:wrong question (Score:4, Interesting)

            by Intron ( 870560 ) on Monday July 31, 2006 @04:32PM (#15820260)
            Here in backward Massachusetts I make a black mark on a card which is read into an optical scanner that also securely holds the cards. The election officials verify that the box starts out empty and ends up with the number of votes that register on the counter on top. If they don't, they can take the ballots and read 'em through again. They can even look through them by hand to make sure the optical counters are working right.

            What do you do when the all-electronic system says that more votes were cast than the number of registered voters in the precinct?
          • Re:wrong question (Score:4, Insightful)

            by IdahoEv ( 195056 ) on Monday July 31, 2006 @08:49PM (#15821924) Homepage
            Dumb dumb dumb. Really:

            How does having a paper trail make the results any more verifiable?

            The same way that checksums and parity bits are useful by telling us that digital data streams have been altered and may contain errors. Even if by themselves they can't reconstruct what the original data stream should have been - the knowledge that your data stream is corrupt is by itself invaluable.

            What if there is fraud in the paper trail?

            Sure, someone can steal and alter the ballot box in which the paper records were stored. But that is a physical crime far harder to pull off and more likely to leave evidence.

            To successfully hack the system, the bad guy would have to simultaneously alter the ballot box AND hack the computer so that they produce identical results. That combination is much harder than just altering a ballot box, and infinitely harder than just hacking a computer. If they only pull off one, then you know a crime has been committed and the election is void.

            Joe teenage computer whiz can hack a Diebold machine: the vulnerabilities are published. Certainly Joe Diebold programmer can sneak in malicious code. But can the same Joe simultaneously steal all the ballot boxes, forge new ballots to match the computer's altered count, and sneak them back under the noses of the election? Probably not. That requires people on the ground in many locations at once, working very fast. It's extremely hard to cover up.

            all you know is that there is a disagreement - there is no way to know for sure which count is accurate.

            You know the election is invalid, and you begin an investigation instead of putting the winner directly into office. If the investigation can prove which tally was altered, you still have a good election. If it can't, you hold a new election. Either way, you prevent an invalid election from potentially putting the wrong guy in office.

            In an electronic system, one hacker gets the wrong guy into office and nobody ever knows because there is no evidence to even trigger the investigation.
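The spot-check and checksum arguments made in the comments above, worked through as an added example (not code from any commenter or from any voting system vendor): it computes how likely a random sample of machines is to include at least one altered machine, and reconciles electronic tallies against hand-counted paper tallies per candidate. The machine IDs, the tallies, and any fleet sizes passed in are constructed assumptions.

```python
import random


def detection_probability(total, tampered, sample):
    """Chance that a uniform random sample (without replacement) of `sample`
    machines out of `total` contains at least one of the `tampered` ones."""
    if not 0 <= tampered <= total or not 0 <= sample <= total:
        raise ValueError("need 0 <= tampered <= total and 0 <= sample <= total")
    miss = 1.0  # probability that every sampled machine is clean
    for i in range(sample):
        clean_left = total - tampered - i
        if clean_left <= 0:
            return 1.0  # more draws than clean machines: a hit is certain
        miss *= clean_left / (total - i)
    return 1.0 - miss


def min_sample_size(total, tampered, confidence):
    """Smallest sample that catches at least one tampered machine with the
    given confidence; None if nothing is tampered (nothing to catch)."""
    if tampered == 0:
        return None
    for n in range(total + 1):
        if detection_probability(total, tampered, n) >= confidence:
            return n
    return total


def reconcile(electronic, paper):
    """Compare per-candidate tallies machine by machine.
    Returns {machine_id: {candidate: (electronic_count, paper_count)}} for
    every mismatch. A mismatch says the two records disagree, not which one
    is right: it is the trigger for an investigation."""
    mismatches = {}
    for machine_id, paper_counts in paper.items():
        e_counts = electronic.get(machine_id, {})
        diff = {
            cand: (e_counts.get(cand, 0), paper_counts.get(cand, 0))
            for cand in set(e_counts) | set(paper_counts)
            if e_counts.get(cand, 0) != paper_counts.get(cand, 0)
        }
        if diff:
            mismatches[machine_id] = diff
    return mismatches


def spot_check(electronic, paper, sample_size, rng):
    """Hand-count the paper record for a random sample of machines only."""
    chosen = rng.sample(sorted(electronic), sample_size)
    return chosen, reconcile({m: electronic[m] for m in chosen},
                             {m: paper[m] for m in chosen})


# Constructed sample data: five machines, two candidates.
PAPER = {
    "M1": {"A": 110, "B": 95},
    "M2": {"A": 87, "B": 120},
    "M3": {"A": 101, "B": 99},
    "M4": {"A": 120, "B": 100},
    "M5": {"A": 76, "B": 81},
}
ELECTRONIC = {m: dict(c) for m, c in PAPER.items()}
# Ten votes moved from B to A on M4. The machine's total (220) is unchanged,
# so a check on totals alone would pass; the per-candidate check does not.
ELECTRONIC["M4"] = {"A": 130, "B": 90}


if __name__ == "__main__":
    # A 500-machine sample from a constructed fleet of 100,000 machines.
    for tampered in (1000, 100, 10):
        p = detection_probability(100_000, tampered, 500)
        print(f"{tampered:>5} altered machines -> sample hits one with p={p:.4f}")
    print("sample needed for 95% when 10 of 1,000 are altered:",
          min_sample_size(1_000, 10, 0.95))
    chosen, bad = spot_check(ELECTRONIC, PAPER, 3, random.Random())
    print("audited:", chosen, "mismatches:", bad)
```

A fixed-size sample catches widespread alteration almost surely but can easily miss a handful of altered machines, so the sample size has to be chosen from the smallest alteration that could change the outcome.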
      • Re:wrong question (Score:5, Insightful)

        by vertinox ( 846076 ) on Monday July 31, 2006 @02:33PM (#15819114)
        "The people who cast the votes decide nothing. The people who count the votes decide everything." -Joseph Stalin
    • by Tackhead ( 54550 ) on Monday July 31, 2006 @01:36PM (#15818519)
      > If in a population of 300,000,000 only 1,000,000 are capable of understanding how the voting system works, and if only 1,000 people are actually allowed to see how it works, and if there's no verifiable paper trail or any simple and legitimate verification system, then democracy is a farce.

      That's not a bug, it's a feature. Using your numbers, that's 1000 government-approved whitew^Wsecurity auditors, and 9,999,000 potential crackers.

      Politicians will wake up when President Stallman of the GNU/Hurd Party is sworn in on January 21, 2009, after taking 53% of the votes, against 47% for the OSS Party, led by candidate Eric Raymond. (Raymond credits his near-victory to having a landslide amongst the "Retired CIA/NSA Agents" demographic, on account of his party having "a more intel-friendly acronym" :)

    • by gid13 ( 620803 ) on Monday July 31, 2006 @01:38PM (#15818548)
      Well, yeah, a government of the people and by the people isn't going to work so well for the people when, by and large, the people are retarded and apathetic.

      "I've said it before and I'll say it again: Democracy simply doesn't work."
      -Kent Brockman

      And no, I haven't got a better idea. Sigh.
      • by Anonymous Coward

        > "I've said it before and I'll say it again: Democracy simply doesn't work."
        > -Kent Brockman

        This is the whole point of our form of government.

        The best form of government is a dictatorship with a good dictator.

        The worst form of government is a dictatorship with a bad dictator.

        I'll leave it to the reader to define good/bad.

        What the founding fathers did was set up a mediocre government. It will never be really good or really bad, regardless of what anyone currently thinks about W.

        It's a standard trade
      • Correct Sir, Democracy doesn't work, America's founders realized that and instituted America as a Constitutional Republic. I cringe every time I hear a politician or judge describe America as a Democracy.
        Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote.
        -Benjamin Franklin
        A democracy is nothing more than mob rule, where fifty-one percent of the people may take away the rights of the other forty-nine.
        -Thomas Jefferson
    • >Here's a hint for politicians:

      I think the politicians currently in power want to make sure an easy reliable quick voting system doesn't work (or at the least isn't trusted.) otherwise once that system is deployed it would be too easy and cheap to allow the voters to:
        A) vote on any issue directly, or worse yet (for them)
        b) call for a midterm election every time they screw us with crap legislation, and be able to actually clean up the system.
      • B) call for a midterm election every time they screw us with crap legislation, and be able to actually clean up the system.

        Considering California's (relatively) recent foray into recalling their Governor, perhaps this is exactly what they are afraid of.
    • by SpryGuy ( 206254 ) on Monday July 31, 2006 @01:45PM (#15818615)
      You'd think in this day and age we'd have some idea of how to create a secure voting system.

      Of course we do. But you presume that security was a design goal for these machines. I put it to you that this was certainly NOT a design goal of these machines.

      There's a reason that Diebold's banking and ATM machines are massively secure and auditable, and their voting machines, well, aren't either of those things.

      • by powerlord ( 28156 ) on Monday July 31, 2006 @02:23PM (#15818994) Journal
        There's a reason that Diebold's banking and ATM machines are massively secure and auditable, and their voting machines, well, aren't either of those things.

        To take the "devil's advocate" position for a minute ...

        Is that because ...
        ... ATM's have had years to go through many iterations to get to a "secure" and "reliable" system (that even then can have anomalies)?
        ... ATM's operate on a different set of assumptions? (installed in a permanent location, so switches like this might exist but be much more easily shielded from the public through physical security).
        ... ATM's do not have the privacy concern, which may take getting used to for a company used to tying a given transaction back to a given user?
        ... Electronic Voting Machines (EVM) have a smaller install base and have had less money spent on them for development? I suspect the average voting district (where EVMs are deployed) has more ATMs than EVMs.
        ... EVMs have to be much more flexible in allowing lists of candidates to be entered (for district elections + school board elections + statewide referendums + national elections). ATMs have an established, and rather fixed set of functionality (although it could be argued that different ATMs can support different languages, the comparison is closer to every ATM needing to be set to dispense different amounts of money. So ATM1 gives the user a choice of $20, $40, $60, $100 and ATM2 gives a choice of $10, $30, $60, $200, etc.)

        On a side note, does anyone know:
        - What is the average cost of an ATM vs an EVM?
        - What is the average expected lifespan of an ATM vs an EVM?

        Now, all those things aside, these problems need to be addressed, and my comments are NOT meant to be excuses.
        All of these problems CAN be addressed through sufficient testing, an open specification and design process, or lots of trial and error / patch and release.

        Guess which one the EVM manufacturers have chosen to go with?
    • Here's a hint for politicians: If in a population of 300,000,000 only 1,000,000 are capable of understanding how the voting system works, and if only 1,000 people are actually allowed to see how it works, and if there's no verifiable paper trail or any simple and legitimate verification system, then democracy is a farce.

      First, democracy may not be a farce, but it is clearly an ideal that is nowhere close to a reality.

      Good, bad, indifferent, look at the current ratings of the guy who is the President of the
  • Lever action! (Score:5, Insightful)

    by andrewman327 ( 635952 ) on Monday July 31, 2006 @01:28PM (#15818433) Homepage Journal
    How do all of the other devices made by this company still work? They are not just a voting technology firm, after all.

    I attribute most of these errors to poor design, not anything intentional. Personally I like the old fashioned lever machines my district uses. It is very hard to hack those, I hear. Unlike computers and paper cards, you never hear bad things spoken about lever voting machines.

    • Re:Lever action! (Score:5, Interesting)

      by markwalling ( 863035 ) <mark-slashdot@markwalling.org> on Monday July 31, 2006 @01:33PM (#15818485) Homepage
      my district switched to electronic from lever based. in 2004, at 715 when i voted on lever machines, there was no line, and just about as many signatures in the book. in 2005, the line was out the door and around the corner at the same time. the person in front of me took 5 minutes to use the electronic machine. people knew how to use the old machines, and they were reliable. these new things take the old people for ever to use, and then they complain that they were hard to read...
    • Diebold also builds automated teller machines (ATM), the definitive model for reliability and accountability.

      The AccuVote machines are what they are, not due to poor design or unintentional mistake. They are the result of a deliberate intent to enable fraud on a massive scale. Viewed from this perspective, the AccuVote design is very good. The real problem comes when Diebold realizes that it needs to become better at obfuscation and makes it harder to detect the fraud.

      "IN mid-August, Walden W. O'Dell, the c

      • It's actually a bit of a paradox. By implementing better obfuscation, the code becomes unreadable, and therefore cannot be certified as being accurate.

        Maybe the solution is to take it to a higher level and reinvent the wheel, so to speak.

        Design it from the ground up. Special use processors, memory, OS, communications protocols. Redesign everything from scratch. Make it completely unique.

        If it doesn't run code that works on ANY other platform, then no one outside the company can write code for it. (Unless
    • Re:Lever action! (Score:3, Insightful)

      I attribute most of these errors to poor design, not anything intentional.

      Poor design? This sort of thing can hardly be a complete accident, although I doubt I could prove that it was done deliberately to enable election tampering.

      Circumstantially, however, this is the same Diebold whose CEO wrote a memo before the last election promising to "deliver the vote" for Republicans all over the country. He may not have meant anything nefarious by that, but it is a very peculiar thing to say for the CEO of a compa
  • by pieterh ( 196118 ) on Monday July 31, 2006 @01:28PM (#15818434) Homepage
    Electronic voting machines with no paper trail are an insult to democracy. That they come with switches to bypass even the dubious "safeguards" provided is hardly a surprise.
  • "AccuVote" (Score:5, Funny)

    by truthsearch ( 249536 ) on Monday July 31, 2006 @01:28PM (#15818437) Homepage Journal
    a Diebold AccuVote...

    At least their marketing department has a sense of humor.
  • There are many good reasons to switch to American Idol call-in voting.
    1. They still have the electoral college, so it's not like a spam vote will elect the "wrong" candidate.
    2. Since the NSA monitors all phone calls, they could track cheaters really easily, compared with this mess we have now.
    3. Way more voter participation, you don't have to go anywhere, you just call in with your social or something, etc.
  • by Anonymous Coward on Monday July 31, 2006 @01:36PM (#15818511)
    This is Diebold. Mirror early, mirror often. They love to sue critics like these. Wget may be the only way to save history.
  • yarrr (Score:5, Insightful)

    by not already in use ( 972294 ) on Monday July 31, 2006 @01:36PM (#15818513)
    Any company with devotion to a fair and secure voting system would not make such an obvious oversight. If it was in fact an oversight, it shows that Diebold is far too incompetent to be creating voting machines. You would also think that a company in charge of something so important wouldn't show blatant partisanship either. Why are they still employed?
  • Bug or Feature? (Score:5, Insightful)

    by Doc Ruby ( 173196 ) on Monday July 31, 2006 @01:39PM (#15818551) Homepage Journal
    I thought the biggest flaw was their certification by states for use in actual elections.
  • by slofstra ( 905666 ) on Monday July 31, 2006 @01:43PM (#15818593) Homepage
    Sorry, I have never seen the point of these machines. Paper ballots are auditable, user friendly, and if electronics is put into the reporting system, can be counted in a few minutes and submitted. Voting machines are a perfect example of a technology fetish at work. It would make an interesting case study to examine the economic and sociological reasons why we sometimes buy technology that we don't need, don't want and further, serves no useful purpose.
  • Why? (Score:5, Insightful)

    by Iamthefallen ( 523816 ) * <Gmail name: Iamthefallen> on Monday July 31, 2006 @01:43PM (#15818594) Homepage Journal
    Has anyone answered the question regarding need for automated vote counting in a satisfactory way?

    Seems to me that manual counting of votes would be vastly more secure as it would take a huge conspiracy to affect the result either way.

    Counting a hundred million votes is hard, counting a thousand votes in a hundred thousand locations is easy.

  • by Anonymous Coward on Monday July 31, 2006 @01:43PM (#15818600)
    This article is a little high on the hype. The general rule is that if you have physical access to any computer system you can compromise its security.

    Don't you think that a flaw that would allow people to vote multiple times or a flaw in the security by which the voting machine uploads results to the central server or flaws in the central server itself are worse than this?

    Gee, we have physical access to the guts of a machine and we can do things to it. I'm not terribly impressed.

    • so what? (Score:3, Interesting)

      by enjahova ( 812395 )
      You must never be impressed. How can we have a secure election if nobody can physically access the machines? If that's not what you want, we will never have a secure election. I can accept that, but what I can't accept is a private corporation exerting its influence on the election process by directly affecting the machines that count our votes.

      This is "impressive" because it shows either incompetence or bad intent. Sure physical access can mean compromising a computer, but that doesn't mean you have to make
  • Not the worst. (Score:4, Insightful)

    by pavon ( 30274 ) on Monday July 31, 2006 @01:45PM (#15818614)
    I don't see how this is the "biggest security flaw ever discovered". Any system will have some method of flashing new code if you have access to the hardware, and while this makes it a little easier, it is not as big of a deal as they make it out to be. After you verify that the system has the correct (independently audited) code loaded into it, you put a tamper-proof sticker on the case, and call it good.

    This is nowhere near as bad as the bugs that allowed exploits through the normal user interface, or the fact that the way the votes are stored allows easy tampering by election officials, or the fact that there is no way to recount or verify that the recorded votes are correct.

    This is something that can be improved upon, but it isn't a fatal flaw and certainly not one of the main reasons that Diebold machines should be banned.
  • Worst ever? (Score:3, Insightful)

    by Red Flayer ( 890720 ) on Monday July 31, 2006 @01:45PM (#15818620) Journal
    Not to pick nits here, but whether or not a voting machine is trustworthy is a boolean variable. Either it's trustworthy, or it is not (and therefore worthless).

    As far as I'm concerned, every election using any machine found to be compromisable should be invalidated, and a paper ballot revote should be held.

    If you don't trust $[POLITICALPARTY] with your democracy, why should you trust the men behind the curtain?
  • more aggressive on this issue.

    Electronic Voting machines are not a trustworthy technology. They can be made reasonably trustworthy, but only with significant and constant public involvement and oversight. The core element to this happens to be our requirement of anonymity for our votes. Being unable to link votes to voters means we must then capture the actual votes themselves if we are to be sure the election is just and true.

    Roughly 80 percent of Americans will be using these machines in the coming elections. That should scare the tar out of every one of you, regardless of your political bent.

    In 2004, this number was about 30 percent and the problems were so great, we really have no assurance our election results actually reflect the will of the American people, whatever that may be.

    Think of it this way. Let's say I'm the voting machine counting votes. You tell me what your vote is, and I update my mental count. Can you see that I updated the count correctly? I could report your vote back to you correctly, yet still maintain a different internal count. There is no way to really know is there? That's the problem we face with electronic votes.

    The votes are encoded into states stored on devices nobody can directly observe, other than via the proxy of other electronic technology. Essentially, we are voting by proxy when we vote electronically. Without an accounting in the form of a serial voter-verified paper record, or the use of vote storage that is both human and machine readable, we cannot oversee the election results in a manner that brings confidence to the whole affair.

    These machines are general purpose computers for the most part. We all know how easily these things are tinkered with because it's what most of us do! Biggest problems are:

    -no direct accountability on elections officials to actually hold a just and true election. Technology can and will be blamed for problems, leaving these folks off the hook for failed / unjust elections. Not good. Where the incentive for corruption and manipulation exists, you can bet it's happening. There is too much at stake for it to be otherwise.

    -poor understanding of the core technology differences between paper voting and electronic voting. I summarized it above and have a longer, easy to understand, paper here. Mail it to your legislators along with a request for their position on the matter. If you do the mailing, please also do the request. That forces a response, which helps increase the overall perception of the importance of the issue. http://www.opednews.com/dingusDoug_112604_electronic_voting.htm [opednews.com]

    Said poor understanding extends to all of us really, legislators and citizens alike. Too many people consider electronic data processing systems as being better than they actually are. Consider this: If they are so infallible, why do ATM machines deliver receipts? Also, be careful about ATM comparisons. The primary difference between an ATM machine and an electronic voting machine lies in the anonymous nature of voting. ATM transactions are keyed to people, electronic voting records are not --thus the need for a voter-verified paper trail.

    What do we need to ask for?

    Voter verified paper trails that are human readable, serial in nature and easily handled / processed for recounts. Flimsy, thermal rolls that can discolor from improper storage and or handling won't cut it.

    Audits at the precinct level. These can catch abnormalities easily and quickly before too much damage is done. Use the paper record to verify issues and act accordingly.

    Strong exit polling. Notice how that is being downplayed now? The reason is simple. In 2004, the exit polls did not jive with the voting records, yet we have been exit polling for a good long time. The differences did not appear in this way until the advent of the electronic machines.

    Legislation that reinfo
  • by snowwrestler ( 896305 ) on Monday July 31, 2006 @01:49PM (#15818657)
    The government being of, for, and by the people, each ballot cast in a public election for federal office shall produce a physical ballot able to be read and counted by a human unaided by electronic computer.
  • Tamper seal?? (Score:5, Insightful)

    by Midnight Thunder ( 17205 ) on Monday July 31, 2006 @01:54PM (#15818707) Homepage Journal
    Given taxi meters and electricity meters both have tamper seals, you would have thought that these would have visible tamper seals as well. If in doubt you could even have two tamper seals: one from Diebold and another from the voting commission, in order to ensure that both parties are satisfied with the state of the machine.
  • Voting in the USA (Score:5, Informative)

    by slashflood ( 697891 ) <flow AT howflow DOT com> on Monday July 31, 2006 @02:01PM (#15818773) Homepage Journal
    20 Amazing Facts About Voting in the USA [nightweed.com]

    Everyone who says that Diebold is too incompetent to create a secure voting machine is following the wrong trail.
    • by geek2k5 ( 882748 )
      I would say that Diebold is competent enough to create a secure voting machine that would take a high level of expertise to spoof. Unfortunately, almost by definition, Diebold would be competent enough to create a spoofable voting machine that could be programmed remotely and capable of 'fixing' elections. The opportunity exists, even if the company, or even renegade employees of the company, don't do it. I will assume that they are innocent until proven guilty in a court of law. But I sometimes wonder,
  • by ajs318 ( 655362 ) <`sd_resp2' `at' `earthshod.co.uk'> on Monday July 31, 2006 @02:01PM (#15818774)
    I have designed a Direct Recording Mechanical vote recording, anonymising and counting machine. It uses no electronics. It can be scrutinised right up until it is required for an election. You can see your vote going through.

    The machine is based around mechanical, add-only tally counters. A column of these are mounted in a transparent polycarbonate housing, one for each candidate and an extra counter for total votes. The candidate counters are surrounded by etched plastic which transmits light but prevents anyone seeing exactly what is behind it. Over each counter except the total counter is a shutter, and a large button. Depressing the button retracts the shutter. If the button is released it will return partway, but the shutter will remain retracted and all the other buttons are now locked: the only way to clear the machine is to depress the button fully. This will advance the adjacent counter and, by means of a slotted bar linkage (which is visible through the clear polycarbonate), also advance the total votes counter. After this, the machine must be primed for another vote by the Presiding Officer: this would probably be done remotely by means of a Bowden cable.

    These machines could be made available for scrutiny almost right up to the election. Anyone can observe that the system allows only one vote per priming operation, that the candidate and total vote counters advance together, and that no other counters are advanced. (For this operation, the shutter mechanism can be modified by removing the actual shutter from the moveable supports; thus allowing full observation of all counters. In an election situation we do not really want to give away the number of votes for each candidate so far, so all but the one being voted for are obscured. The etched plastic nonetheless would allow one to see the counter changing even if one could not see what it changed from or to.) At the opening of polling, the numbers on each of the counters are recorded, signed by witnesses, sealed in an envelope and attached to the machine. At the close of polling, all shutters are retracted to read the figures. The original figures are subtracted from the new figures to give the numbers of votes, which can be checked against the total.

    Note there is no possibility of post-election verification; since anonymisation, recording and counting are done in one operation. This also obviates any need for post-election verification, since one can be satisfied from having examined the machine before an election that it functions as intended and only as intended. A number of people working in concert might be able to discern an approximate result, but this IMHO is much less insecure than e.g. issuing voters with a record of their vote.
  • Las Vegas Slots (Score:3, Insightful)

    by Sqreater ( 895148 ) on Monday July 31, 2006 @02:03PM (#15818793)
    All this has been addressed by the suppliers of Las Vegas casino slot machines. Why not just use them to build the machines?
  • by GodfatherofSoul ( 174979 ) on Monday July 31, 2006 @02:11PM (#15818879)
    This shouldn't be news to Americans. If you've paid attention to the antics in the last 3 election cycles and the discrepancies between exit polling and actual results, you'd know what's going on. Same thing just happened in Mexico. Expect it to happen here in November. Democrats leading in races by 5% or so, then a miraculous Republican turnout (contradicted by all polls) will maintain their majority. Anyone who protests the results or points out election day shenanigans will be ostracized by the "liberal" media as a whiney sore loser. Welcome to Oceania.
  • Not the worst yet... (Score:3, Interesting)

    by bhmit1 ( 2270 ) on Monday July 31, 2006 @02:15PM (#15818916) Homepage
    It won't be long before someone finds a way to build a targeted virus for these machines that changes the counters on that machine and all other machines it can reach on the network. And I won't be surprised when it's as simple as inserting one of those cards in the front of the machine and is done while the hacker is given privacy to cast their vote. The only question is if someone is good enough to do that, will we be good enough to find out, especially if the virus/worm is only memory resident so there aren't any traces.
  • Checks & Balances (Score:4, Interesting)

    by TheDarkener ( 198348 ) on Monday July 31, 2006 @02:18PM (#15818945) Homepage
    ...and the lack thereof is what really sickens me.

    You can't ever trust a computer, no matter what, ESPECIALLY in such an important thing as a governmental election. We *need* checks and balances.

    1) Vote with electronic voting machines.
    2) Receive a paper receipt with a 'checksum' of sorts that add up to your specific votes (this is the only pitfall right now, since obviously printing a paper receipt is WAY too complex to code by Diebold programmers)
    3) Submit your checksum to any number of third party, independent voting "Check & Balance" websites. These sites can independently tally votes from citizens in each voting district, and if discrepancies occur between the official count and any number of these sites, secondary validation routines/alerts can occur.

    Why would this be such a hard solution? I'm sure any number of you can code a simple database/website that tallies citizens' votes. I'll do the hosting for free.

    Let's open source this muther f*cker, whether they like it or not!
  • by Maclir ( 33773 ) on Monday July 31, 2006 @02:19PM (#15818948) Journal

    Now, is there a single convincing reason why the simplest, most secure and easily verifiable system - paper ballots - aren't used? Why all the machines? Lever, butterfly ballots, electronic... What problem is it that these systems are meant to solve?

    I suspect it is a combination of "We want some result in an hour or two - we are too impatient to wait for it to be counted properly" and "We want a system that we can manipulate without any audit trails."

  • by WillAffleckUW ( 858324 ) on Monday July 31, 2006 @02:32PM (#15819102) Homepage Journal
    Because absentee voters get a paper ballot that is not only delivered by a trusted source - the US Post Office - who have a verified date/time stamp - and that the ballots can be audited, traced, and verified - now THAT is a reason to register permanent absentee.

    • by JDAustin ( 468180 ) on Monday July 31, 2006 @02:59PM (#15819391)
      I suggest you take a look at the research into the recent Washington state elections done by SoundPolitics.com. They verified close to a 20% error rate in absentee balloting. The signature verification on absentee balloting is no verification at all due to non-verification being done by those who count the ballots. Additionally, the USPS is not a trusted source, they are just another government bureaucracy. The ballots themselves cannot necessarily be traced nor verified and even when the signatures are completely different, they are still counted. Due to the nature of voter rolls, duplicate ballots are sent out all the time due to slight variation in a person's name and the duplicate ballots counts are not caught until after the final tally has been done and the election finished. Finally, mischievous gov officials can always delay sending the military their ballots so those serving overseas do not have time to get their vote in on time. This actually happened in 2004 in Washington state.

      Permanent absentee is not the solution. Neither is electronic voting.

      The true solution takes elements of the recent Mexican election to prevent fraud (voter id cards, thumb inking, precinct based monitoring and tallying) and combine them with the best paper based voting machine.
  • by PunkXRock ( 512777 ) on Monday July 31, 2006 @02:48PM (#15819274) Homepage Journal
    Here's a depressing comparison, showing the rules surrounding slot machines in Vegas vs. voting machines:

    Vegas vs. Electronic Voting Machines [washingtonpost.com]
  • by Animats ( 122034 ) on Monday July 31, 2006 @03:35PM (#15819725) Homepage

    The Nevada Gaming Control Board has technical standards for slot machines. [nv.gov] They've had enough fraud over the years that they know what has to be done. Some highlights:

    • ... must resist forced illegal entry and must retain evidence of any entry until properly cleared or until a new play is initiated. A gaming device must have a protective cover over the circuit boards that contain programs and circuitry used in the random selection process and control of the gaming device, including any electrically alterable program storage media. The cover must be designed to permit installation of a security locking mechanism by the manufacturer or end user of the gaming device.
    • ... must exhibit total immunity to human body electrostatic discharges on all player-exposed areas. ... A gaming device may exhibit temporary disruption when subjected to electrostatic discharges of 20,000 to 27,000 volts DC ... but must exhibit a capacity to recover and complete an interrupted play without loss or corruption of any stored or displayed information and without component failure. ... Gaming device power supply filtering must be sufficient to prevent disruption of the device by repeated switching on and off of the AC power. ... must be impervious to influences from outside the device, including, but not limited to, electro-magnetic interference, electro-static interference, and radio frequency interference.
    • All gaming devices which have control programs residing in one or more Conventional ROM Devices must employ a mechanism approved by the chairman to verify control programs and data. The mechanism used must detect at least 99.99 percent of all possible media failures. If these programs and data are to operate out of volatile RAM, the program that loads the RAM must reside on and operate from a Conventional ROM Device.
    • All gaming devices having control programs or data stored on memory devices other than Conventional ROM Devices must:
      (a) Employ a mechanism approved by the chairman which verifies that all control program components, including data and graphic information, are authentic copies of the approved components. The chairman may require tests to verify that components used by Nevada licensees are approved components. The verification mechanism must have an error rate of less than 1 in 10 to the 38th power and must prevent the execution of any control program component if any component is determined to be invalid. Any program component of the verification or initialization mechanism must be stored on a Conventional ROM Device that must be capable of being authenticated using a method approved by the chairman.

      (b) Employ a mechanism approved by the chairman which tests unused or unallocated areas of any alterable media for unintended programs or data and tests the structure of the storage media for integrity. The mechanism must prevent further play of the gaming device if unexpected data or structural inconsistencies are found.
      (c) Provide a mechanism for keeping a record, in a form approved by the chairman, anytime a control program component is added, removed, or altered on any alterable media. The record must contain a minimum of the last 10 modifications to the media and each record must contain the date and time of the action, identification of the component affected, the reason for the modification and any pertinent validation information.
      (d) Provide, as a minimum, a two-stage mechanism for validating all program components on demand via a communication port and protocol approved by the chairman. The first stage of this mechanism must verify all control components. The second stage must be capable of completely authenticating all program components, including graphics and data components in a maximum of 20 minutes. The mechanism for extracting the authentication information must be stored on a Con
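
Added example, not part of the comment above or of the Nevada standard: a sketch of requirements (a) and (b), where every component on alterable media must match an approved digest, unallocated areas must be empty, and any finding stops everything from running. The layout format, component names and sample bytes are constructed for illustration, and the approved digests are assumed to be stored on ROM.

```python
import hashlib
import hmac

ERASED = 0xFF  # assumption: erased flash reads back as 0xFF

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # chance match: 2**-256, below 1 in 10**38

def verify_media(image: bytes, layout: dict, approved: dict) -> list:
    """Check every component and every unallocated byte; return the findings."""
    findings = []
    covered = bytearray(len(image))
    for name, (start, length) in sorted(layout.items()):
        if start < 0 or start + length > len(image):
            findings.append(f"{name}: lies outside the media")
            continue
        covered[start:start + length] = b"\x01" * length
        actual = digest(image[start:start + length])
        expected = approved.get(name)
        if expected is None:
            findings.append(f"{name}: not an approved component")
        elif not hmac.compare_digest(actual, expected):
            findings.append(f"{name}: digest mismatch")
    for name in sorted(approved.keys() - layout.keys()):
        findings.append(f"{name}: approved component missing")
    stray = [i for i, b in enumerate(image) if not covered[i] and b != ERASED]
    if stray:
        findings.append(f"unallocated area holds data at offset {stray[0]:#x}")
    return findings

def boot_decision(image: bytes, layout: dict, approved: dict) -> tuple:
    """Fail closed: a single finding stops every component from running."""
    findings = verify_media(image, layout, approved)
    return ("HALT" if findings else "RUN", findings)

# Constructed sample media: two components with erased padding between and after.
LOADER, TALLY = b"loader-build-A", b"tally-build-A"
LAYOUT = {"loader": (0, len(LOADER)), "tally": (32, len(TALLY))}
APPROVED = {"loader": digest(LOADER), "tally": digest(TALLY)}

def make_image(loader: bytes = LOADER, tally: bytes = TALLY, extra: bytes = b"") -> bytes:
    image = bytearray([ERASED]) * 64
    image[0:len(loader)] = loader
    image[32:32 + len(tally)] = tally
    image[56:56 + len(extra)] = extra  # bytes placed in an unallocated area
    return bytes(image)

if __name__ == "__main__":
    for tampered in ({}, {"tally": b"tally-build-B"}, {"extra": b"\x00\x01"}):
        print(boot_decision(make_image(**tampered), LAYOUT, APPROVED))
```

The check is only as trustworthy as the code and digests that perform it, which is why the quoted rule requires the verification mechanism itself to live on a Conventional ROM Device.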

  • by Soong ( 7225 ) on Monday July 31, 2006 @09:22PM (#15822092) Homepage Journal
    I am a software engineer on embedded systems. I see a lot of boards like this.

    The ability to boot from different sources is a normal debugging feature, not in itself sinister. Should they have cleaned that up on the production model? Yeah, sure. But verifiability is ultimately a human concern anyway, not a tech one.

    It all comes down to who you trust.

    If you don't trust the polling place, make the voting machine tamper proof.
    But then you have to trust the guy who built the voting machine.
    You have to trust the guy who loaded the software on it at the factory or the elections office.
    You have to trust the guy who wrote the code. Even if you inspected the code, you have to trust him to give you a binary based on that and not pull a fast one.
    You have to trust his compiler to give him a binary without compiled in back doors.
    I feel like I probably haven't listed all the points where this voting machine chain of trust can break down.

    On top of all that, voting machines are not cost effective [bolson.org] vs hand counted paper ballots. So, I advocate for no voting machines.
