Diebold Disks May Have Been For Testers
opencity writes "The Washington Post reports on the two Diebold source disks that were anonymously sent to a Maryland election official this past week. Further investigation has led individuals involved to believe the disks came from a security check demanded by the Maryland legislature sometime in 2003." From the article: "Critics of electronic voting said the most recent incident in Maryland casts doubt on Lamone's claim that Maryland has the nation's most secure voting system. "There now may be numerous copies of the Diebold software floating around in unauthorized hands," said Linda Schade, co-founder of TrueVoteMD, which has pressed for a system that provides a verifiable paper record of each vote."
First post1 (Score:0, Insightful)
If the attackers can use the source to attack it (Score:5, Insightful)
Having numerous copies floating around is a good thing if disclosure of security holes is encouraged, and the fact that Diebold are implying that the security of their systems relies on people not having access to the source code is a very bad thing.
Let's look at things logically. The only people who would rig the election using those machines would have to have physical access to the machines, and if they did they wouldn't need the source code to highlight security holes. If the source code was released then the people who would be advantaged would be the people who would responsibly disclose security holes.
Stupid (Score:5, Insightful)
Instead, I bet it's a pile of shit. Recycled code, buffer vulnerabilities, piles of ad hoc crap, with poor documentation.
I hope someone does find a way to exploit the code. People need to wake the hell up.
Just joking. (Score:4, Insightful)
Although, if they did vote by email, imagine the junkmail vote....
You gotta wonder about any politician that wants no paper trail of his own votes. Why is he not interested in having hardcopy proof that he really did win this or that election? (or she, or she, I hope to the gods that Americans aren't backward enough to have only male options in parliament).
What's the problem again? (Score:5, Insightful)
If I didn't misunderstand, someone in D.C. should give this lady a call and explain to her the pitfalls of "security through obscurity" and why openness is a Good Thing.
I find it very interesting... (Score:4, Insightful)
Copyright vs. election security (Score:5, Insightful)
This is assuming, of course, that there's any overall benefit to digital voting in the first place, which there really isn't. Digital elections are a terrible idea -- stick with paper. Oh no! We'll have to wait a few more hours to have complete results! Big fucking deal.
Security doesn't matter if the machines are rigged (Score:5, Insightful)
Who gives a fuck if J0e Hax0r can compromise a voting machine when secret code can be installed on thousands, if not all, of the voting machines at the last minute with absolutely no oversight and nobody knowing about it? Voting, to borrow from one of the current "President's" minions, is a "quaint" and outdated practice.
So why did we move to electronic voting again? (Score:4, Insightful)
Re:So why did we move to electronic voting again? (Score:5, Insightful)
and the voter gets a carbon copy of the paper
You had me up until that part. The voter should be able to SEE the paper copy and verify it is accurate without being able to touch it. It is then whisked away, dropped down, or whatever onto a roll, stack or whatever so poll workers have a way to verify the machine counts with paper counts. If they are given receipts, this would provide proof they voted a certain way. Voters should not be given a copy since this opens the door to people being paid or intimidated to vote a certain way. Other than that point, I agree with your post.
be cautious of a Diebold paper trail - not right! (Score:5, Insightful)
I early voted on a Diebold voter verified machine - and it's NOT good enough. I even had a nice conversation with the technical election judge, and since it did print a verified trail I did have to go home and think about this before I realized how it sucked.
They totally and completely circumvented the idea of a voter verified paper trail.
The way this machine works is you vote, it prints, you can see-but-not-touch the printout. You can vote AGAIN (up to 3 times) and it voids the previous printouts. Again, without you touching them. Which means the process expects that some percentage of its paper trail will be voided. The printouts get sent into some magic compartment.
So 1) there's no way except by noise for the election monitors to know if it printed a variety of extra votes. And they were pretty quiet.
2) There's absolutely zero way to know if it went back and voided your vote, because there's plenty of precedent for voiding votes.
3) It can absolutely tell via paper alone who voted in which order; it's on a spool. Which could be easily tracked by anyone who watched what order people voted at that machine. Your votes are even less anonymous.
*sigh*
(Ok, so I posted this on the previous Diebold story - sue me. It's important, so I reposted it, Karma be damned.)
Re:What's the problem again? (Score:5, Insightful)
In other words: If Diebold can't manage to secure their source code from theft then how the fuck can they be trusted to secure your vote from theft?
Comment removed (Score:5, Insightful)
Re:If the attackers can use the source to attack i (Score:5, Insightful)
If the system were as secure as an ATM network I would have to agree. An ATM gives you a bit of paper to prove the transaction took place and is fully auditable by the bank, the voting machines in question do not give a receipt and do not leave an audit trail. The fact that Diebold also makes ATMs indicates nothing less than malice in the design of such a piss poor security scheme for their voting machines.
Re:So why did we move to electronic voting again? (Score:5, Insightful)
Later:
"I lost the receipt."
"Our company no longer requires your services, we, uh, have decided to consolidate our action points to improve the synergy blah blah blah."
Re:If the attackers can use the source to attack i (Score:5, Insightful)
Re:New tag (Score:5, Insightful)
Not 1337 h4x0rs! (Score:5, Insightful)
Re:Can't do much with these disks (Score:5, Insightful)
And, frankly, the AI is horribly unrealistic. All the little guys that you tell to cast votes... Most of them just ignore you. It's like they don't even notice you, or anything going on. And, the guys being voted for are like crazy over the top cartoon villains. Whoever made this game is obviously a moron, and has no understanding of a decent plot.
Actually, on a more serious note... I haven't been able to find a torrent. This shit is pretty fucking fundamental to our democracy, and when it finally gets 'leaked,' it manages to stay buttoned up? Seriously, do we know anything about the source? Does anybody have a torrent, or at least an assessment from somebody qualified to be frightened by looking at it? As far as I'm concerned, every citizen of the US not only should have the right to see the mechanics of democracy, but an obligation to do so. Anybody who doesn't try to get ahold of the source code running their local voting machines should be considered grossly negligent.
Re:If the attackers can use the source to attack i (Score:5, Insightful)
That's not what we're getting, as the research and disclosures have made painfully clear.
In any case, Diebold has had some trouble with ATMs, including the ATM reprogrammed as a jukebox [thetartan.org] and the ATMs infected by a virus [windowsfordevices.com].
Voting machines are a harder and more safety-critical application than ATMs. Voting machines have to preserve anonymity. Imagine how that would complicate banking. Then, the worst case failure of an ATM is that some money changes hands inappropriately and lawyers earn lots of money sorting it out. The worst case failure of a voting system is an election lost to fraud, meaning the victors are the crooks. The damage is potentially incalculable: think of the nations ruined by having the wrong leaders.
Re:New tag (Score:5, Insightful)
Oh, and I wasted my mod points so I could tell you how people with senses of humour work.
Re:If the attackers can use the source to attack i (Score:2, Insightful)
Re:Can't do much with these disks (Score:5, Insightful)
Kagan did the right thing, which was to contact the state elections officials, who in turn contacted the FBI, who went and talked to Kagan.
She was part of the Government and respects it enough to try and work within the system. Good luck explaining that to a judge. The penalties for messing with anything relating to an election are no joke. Why do you think those discs were delivered anonymously?
Re:If the attackers can use the source to attack i (Score:1, Insightful)
That would work fine for voting as long as the nation is willing to give up the tradition of the secret ballot. Until then, what auditable record exists of your individual vote, with your name attached to it so you can contest the way it was counted?
Counting secret ballots is *not* the same as posting transactions to audited financial accounts.
Re:If the attackers can use the source to attack i (Score:3, Insightful)
There's even more money and power in cracking elections than there is in cracking ATMs, so no it's not good enough.
Give it a rest! (Score:3, Insightful)
Melissa
Not a laughing matter... (Score:1, Insightful)
Unless your initials are G Dubya B...
Re:If the attackers can use the source to attack i (Score:4, Insightful)
The ATM analogy is a bad one since banks must connect an individual to a transaction. Voting machines must not connect an individual to a transaction while still ensuring one vote per person. It's not particularly hard to do, the issues have been well understood for at least a couple of centuries.
Having said that, Diebold have shown they understand security and auditing issues by producing reliable ATMs, they have not done the same for voting machines. Given Diebold's experience with ATM security issues it is hard to see how incompetence has played a part in this particular cock-up.
Receipts solve wrong problem (Score:3, Insightful)
If you have a leaky roof, the correct solution is not to install a drainage trough in the floor. If you go down the floor drain route you will eventually end up installing an alarm system to detect blockages, a plug-in air freshener to deal with the smell when the blockage alarm fails to go off and the drain gets blocked, joss sticks for use during power failures when neither the alarm nor the plug-in air freshener work, and you'll still have a leaky roof.
If there is any way for the person who cast a vote to be able to identify it as theirs, then there is also a way for someone else to identify who cast a vote. Which creates the opportunity for corruption. If voters are issued with a receipt for the transaction, which they remove, then a failure mode is introduced where the receipt does not match the ballot. Also, unless receipts are readily falsifiable, an opportunity for corruption is created (imagine a boss allowing workers time off to vote as long as they shew their receipt, showing a vote for the local Tory candidate and the boss's cousin, on returning to the factory). And if receipts are readily falsifiable then they are of questionable value. If there is a separate audit log stored within the machine, there is still the failure mode where the log does not match the ballot.
Much better would be to ensure that procedures are in place such that it is as difficult as possible for the result to be interfered with after a ballot is cast. The easiest and best way of doing this is still pencil-and-paper, one race per ballot, one box per race (with different coloured and/or sized papers, so that a ballot in the wrong box can quickly be identified and moved to the right pile) and manual counting in the polling station, under the scrutiny of representatives of all candidates. Disabled voters should be allowed to bring a carer whom they trust to help them use the same system as everybody else.
Re:If the attackers can use the source to attack i (Score:4, Insightful)
I'll let you in on a dirty little secret. When it comes to security, "good enough" is good enough.
In the case of ATMs, banks make a huge amount of money (or at least avoid losing a huge amount of business) by having them. But they don't have to be particularly secure -- just secure enough that the marginal cost of adding a bit of security is greater than the marginal increment of savings. In other words in business you don't "spend a buck to save a buck".
"Good enough" security systems abound; for example credit cards and checks. The security of these systems is extremely lax, and consequently there is a _ton_ of fraud committed with them. But the cost of paying for fraud (to the banks) is less than trying to get an increment of security. Businesses do not subscribe to the "millions for defense, not one dollar for tribute" theory of security.
It seems like a manufacturer of ATMs would be the perfect manufacturer of voting machines, until you take into account the difference between "good enough" for an ATM and "good enough" for a voting machine. Money is fungible -- a bit of fraud here and there is amply made up by profits elsewhere. Votes are not like that. Having a fair election in 95% of the districts doesn't make up for having a fraudulent election in 5%, especially when those districts can be strategically chosen.
It would be better to pick somebody with experience in systems where system failures have horrible, unthinkable results rather than a vendor where failures are just an inconvenience. Somebody who makes avionics, or medical instrumentation, or defense command and control systems.
Re:Can't do much with these disks (Score:4, Insightful)
Let's just suppose, hypothetically like, that I...um....have a friend who has access to the current source stream for all Diebold software, and has no problems with peeking at (or more), and is extremely well qualified to understand it (let's just say, again, hypothetically like, that he was the key architect for the system, and wrote most of the code himself), and is much more interested in seeing his own vote counted correctly than in seeing Diebold or any politically motivated individual rig the election. Let's also assume, hypothetically like, that while completely reliable, he's one of the tin-foil hat crew who is already convinced that someone is trying to rig the election through rigging voting machine software. More to the point, let's assume that perusing Diebold source code is this dude's full-time job, and if he wants to stay late reviewing code, his employer pays him time and a half.
How would you suggest my friend go about making sure that the software running on the box he uses to cast his vote is the same one he just finished building at Diebold? Let's assume he knows what version is current, what patches are appropriate, and what every last function in the source does, and he's verified it's all clean. He knows an unrigged machine will display buildID 8675309, but he also knows how easy it would be to make a rigged machine display that as well.
If you were "my friend", how would you?
If the software running on the box were "open source" by law, it might solve the problem of clueless coders, and it might allow us to catch the unscrupulous ones, but it wouldn't allow us to address the fundamental problem of having to trust the machine count.
In this application, having the source code buys you nothing, whether you're allowed to have it or not.
In all seriousness... (Score:3, Insightful)
No, we are talking about software licensing violations and copyright protections. Diebold has a mile-long list of things you can and cannot do with their software -- and they aggressively use their lackeys inside the BoEs to wield those contract terms in a way that is designed to intimidate those who would try to secure our elections by threatening their jobs.