This is topic Diebold Machine Hacked in 1 Minute/Electronic Screw Up in Florida(used to be Costume) in forum Books, Films, Food and Culture at Hatrack River Forum.
[ October 31, 2006, 09:44 PM: Message edited by: Alcon ]
Posted by BlackBlade (Member # 8376) on :
Gotta love Foxtrot.
I'm worried about the computers being used, but I wonder how many people actually go out to vote, and then within that demograph how many care to actually hack the computer, and out of THAT demographic how many can do so efficiently?
Also can I just say I LOVE the auto spell checker in Firefox 2.0?
Posted by Raia (Member # 4700) on :
*laugh*
Posted by Launchywiggin (Member # 9116) on :
It won't be ordinary people that hack the computer, it'll be evil republican politicians.
Posted by MrSquicky (Member # 1802) on :
If we're lucky that's not going to be the case. One of the few things that'll change the use of electronic voting is going to be someone breaking into the system and handing an election to say "Bullwinkle the Moose".
Posted by Lyrhawn (Member # 7039) on :
Perhaps a more important number than the 1/3 of districts using electronic voting machines is that 90% of districts either use electronic touch screens or ballots that are counted by a computer.
There's an article in TIME about this right now. It's scary. I really don't see why they can't just add a printer to all those things. Print off a paper copy of the ballots, and save those for later. Makes voting easy, makes counting fast, and safeguards against any cheating.
Posted by Alcon (Member # 6645) on :
There was an article about this and other road blocks to voting this election in the New York times Op-Ed section today (warning, requires login, but registration is free, painless and spamless):
quote:Can hackers get into electronic voting systems or is this just a conspiracy theory? A Brennen Center pannel of top scientists, including President Bush's former cyber-security chief, concluded the machines are highly vunerable. One big risk: wireless components. One hacker with a palm pilot could swing a senate race. Only New York and Minnesota ban wireless components in the districts that use electronic systems.
Why on EARTH would you ever put wireless in a voting machine??
Posted by aspectre (Member # 2222) on :
quote:Debra A. Reed voted with her boss on Wednesday at African-American Research Library and Cultural Center near Fort Lauderdale. Her vote went smoothly, but boss Gary Rudolf called her over to look at what was happening on his machine. He touched the screen for gubernatorial candidate Jim Davis, a Democrat, but the review screen repeatedly registered the Republican, Charlie Crist.
From aspectre's article.
Edit: Notice how all the screw ups go in the Republican direction. If it was a random bug there oughta be some people who voted Republican but had the machine point them Democrat...
Posted by Dan_raven (Member # 3383) on :
Now if I were Diebold, and was busy selling states my voting machines, I would definately push the "Print copy" parts, because I would definately want the contract to supply them the printers, paper and cartridges.
Everyone who uses a printer knows that you spend more money on the print-cartridges than on the printer. Heck, they practically give away the hardware to sell you the supplies.
So why is Diebold so insistant on not-selling hardware from which they could sell supplies?
Posted by Alcon (Member # 6645) on :
*cough* *cough*
Posted by David Manning (Member # 2076) on :
I'm sure that all the votes that should count, will count.
Posted by Alcon (Member # 6645) on :
quote:I'm sure that all the votes that should count, will count.
Umm... What in the hell do you mean by that?
The only way I can interpret that considering what this thread has been discussing is that the only votes that should count according to you are the Republican ones.
Posted by Tarrsk (Member # 332) on :
I think he was being facetious, Alcon.
Posted by B34N (Member # 9597) on :
Did anyone else see Man of the Year? I did, and I loved it.
Talk about life imitating art....except the part where....well, the end. That way anyone who has seen the movie knows what I was going to say, but the rest of you aren't pissed about a spoiler. Posted by Alcon (Member # 6645) on :
quote:I think he was being facetious, Alcon.
Doh. Posted by rivka (Member # 4859) on :
So y'all are saying I shouldn't vote touchscreen?
Posted by Lyrhawn (Member # 7039) on :
I thought Man of the Year was really funny. But a little sad too.
And it really made me want Jon Stewart to run, not necessarily because I want him to win (I don't know his politics well enough), but because the third party spoil keeps people honest.
Posted by DarkKnight (Member # 7536) on :
I think they oversimplified how easy it is to hack into one of these machines....not that the media would ever make things sound so much worse than they actually are.... "Reading too many posts will kill your children, find out more at 11!"
Posted by twinky (Member # 693) on :
quote:Originally posted by DarkKnight: I think they oversimplified how easy it is to hack into one of these machines....not that the media would ever make things sound so much worse than they actually are....
quote:The Ohio Compuware report describes how to turn a voter card into a supervisor card, which can then be used to cast multiple votes, delete votes, or shut down the machine, using a PDA with a smartcard attachment.
In order to use a supervisor card to access the AccuVote, you must first enter a four-digit PIN. In version of the machine that was in use as late as 2003, the exact same supervisor PIN was hard-coded into every single AccuVote TS shipped nationwide. That PIN was 1111. (I am not making this up.) This is still the default PIN for these machines, although the county can change it on a machine-by-machine basis if they have the workers and the time.
All of the AccuVotes have the same lock securing the PCMCIA slot that contains the Flash card with all the votes on it. When I say the "same" lock, I mean the exact same key opens all of the machines. But even if you don't have one of the tens of thousands of copies of this key that are floating around, the lock can be picked by an amateur in under 10 seconds. The Princeton video has a nice demo of this. Once you have access to the PCMCIA slot, you can do all kinds of great stuff, like upload vote-stealing software (a simple reboot will cause the machine to load software from whatever you've put in the PCMCIA slot), crash the system, delete all the votes on the machine, etc.
Some localities have taken to securing the PCMCIA slot with security tape or plastic ties. The idea here is that a cut tie or torn tape will invalidate the results of that machine, because poll workers can't guarantee that it wasn't compromised. There are two things wrong with this scheme:
If you want to invalidate all the results stored in machines in a precinct that favors your opponent, just cut the tape or the ties on those machines. If the election supervisor sticks to the rules, then he or she will be forced to throw out all of those votes.
According to author, security researcher, and Maryland election judge Avi Rubin, one would almost have to have a CIA background to be able to tell if the security tape applied to the AccuVotes in the Maryland primary had been removed and reapplied.
What's worse, though, is the ease with which large scale "wholesale" fraud can be committed undetectably:
quote:If you were going to steal an election with an AccuVote, one of the best and easiest methods is to manipulate the ballot definition file. On the AccuVote, the BDF is completely unencrypted, so it just sits there in the machine's memory open to all comers. Malicious software embedded in any layer of the software stack can easily get at the BDF and alter it so that selections made for one candidate are recorded on the machine's memory card for another candidate. If the software is programmed to remove itself after the election, then there would be absolutely no way for anyone to know that the results are fraudulent.
Of course, an attacker with access to any or all of the layers of the software stack can do more than just manipulate the BDF so that votes are misrecorded in real-time. He could conceivably ignore the BDF entirely and just change the machine's vote totals directly on the memory card, so that they produce a desired outcome. Indeed, just as is the case with a regular personal computer, the possibilities for a malicious Trojan to make mischief on the DRE is limited only by the skill and imagination of the attacker.
Ed Felten's team at Princeton was able to quickly upload a vote-stealing Trojan to the AccuVote via the PCMCIA slot in less time than it would take many people to complete an electronic ballot. Furthermore, they also created a viral version of the Trojan that could infect any card inserted into the PCMCIA slot with vote-stealing software that would then infect any machine into which the tainted card was inserted. The newly infected machines would in turn infect other cards, which would infect other machines, and so on. In this way, the vote stealing "Princeton virus" could travel across an entire precinct or county, given enough time.
The viral nature of the Princeton attack is one way to commit wholesale undetectable vote fraud, but there are others that are even more efficient and require no physical access to a machine at any point. Specifically, if any one of the institutions responsible for loading software onto the AccuVote (or any other DRE for that matter) has been compromised, either by an internal mole or an outside cracker who has hacked into the company's internal network, then something like the Princeton virus could be planted in the firmware, operating system, or system software build that goes on machines across an entire county or state.
quote:The GEMS database stores all of the votes collected from precinct accumulators, and it's used to do the vote tabulation for a county. Because it's so sensitive, you might think it would be tightly secured. But you'd be wrong.
The GEMS database is a vanilla, unencrypted Microsoft Access database that anyone with a copy of Access can edit. So if you have physical access to the GEMS server's filesystem (either locally or remotely), then it's not too hard to just go in and have your way with the vote totals. If Access isn't installed on a particular GEMS server, just install it from a CD-ROM, or connect remotely from a laptop and edit the database that way.
Or, if you want to filch the database, upload vote-stealing software, or do something else evil, you could always carry along a USB drive in your pocket.
Many GEMS servers are connected to a modem bank, so that the accumulators can dial in over the phone lines and upload votes. One team of security consultants hired by the state of Maryland found the GEMS bank by wardialing, discovered that it was running an unpatched version of Windows, cracked the server, and stole the mock election. This great Daily Show segment, in which one of the team members describes the attack, states that they did this in under five minutes.
Empahses mine. The author of the above article was kind enough to make a PDF version freely available so that it can easily be sent to your representatives.
Posted by Blayne Bradley (Member # 8565) on :
...
Posted by TomDavidson (Member # 124) on :
I have been saying for five years that the only electronic voting system I'll trust is one that generates a readable paper ballot, and then counts paper ballots alongside electronic ballots as part of the normal process.
Posted by Alcon (Member # 6645) on :
quote:I have been saying for five years that the only electronic voting system I'll trust is one that generates a readable paper ballot, and then counts paper ballots alongside electronic ballots as part of the normal process.
Here, here. Even just generating a paper ballot isn't enough. The machine could be made to generate the vote you did indeed make in paper, but store the one the hacker wanted. You'd never eve know anything was wrong, unless a count of the paper ones was made.
Posted by Zeugma (Member # 6636) on :
I certainly can't think of any way we could possibly have better spent that 3.8 billion dollars, can you?
Posted by twinky (Member # 693) on :
It's interesting that Diebold's ATMs don't suffer from these myriad security flaws. The voting machines are manufactured by a subsidiary, so for whatever reason it seems like Diebold has not brought their acquisition up to the security standards of the rest of the company over the past 15 years (the acquisition took place in 1991, IIRC).
Posted by Alcon (Member # 6645) on :
ATMs are a little different I would imagine. They're relatively permanent fixtures on a network. They don't actually have to store anything, just send the data back to a central nexous somewhere and then dish out cash as appropriate. In the case of these voting machines, they need to be mobile and self sufficient. So they store the values inside themselves, and that's where one of the major flaws comes in.
Of course that gives no explanation for the whole "I touched the screen for the democrat and the republican came up." thing that keeps happening.
Posted by fugu13 (Member # 2859) on :
Diebold's ATMs also operate in a significantly different context, which makes many of the security concerns found here irrelevant.
Plus, most of the potential 'exploits' for voting machines (changing vote totals) aren't analogously possible for ATMs -- your bank account total is controlled by the bank's software, which has many safeguards.
And we can't forget that ATMs do have large numbers of security issues, often related to the ease of adding hardware to steal information, but also in their software. Its just not a very lucrative thing to exploit much of the time, for the above-mentioned reasons.
Posted by Nighthawk (Member # 4176) on :
Christ, where do they find the programmers to work on these things? Most of the issues are common sense, and a decent group of programmers with half a brain would prevent things like this from happening.
That's what you get from the "lowest bidder" method of software development, I guess. Or perhaps I have too much faith in software developers and hardware engineers.
Posted by MrSquicky (Member # 1802) on :
quote:Christ, where do they find the programmers to work on these things? Most of the issues are common sense, and a decent group of programmers with half a brain would prevent things like this from happening.
That's what you get from the "lowest bidder" method of software development, I guess. Or perhaps I have too much faith in software developers and hardware engineers.
You wouldn't believe some the insanely bad systems I've been hired to fix. I don't understand how people can program so poorly and still get paid more than I do for it.
Posted by Dagonee (Member # 5818) on :
quote:You wouldn't believe some the insanely bad systems I've been hired to fix. I don't understand how people can program so poorly and still get paid more than I do for it.
I figure about 2/3 our business was rooted in recovery projects - that is, we got the clients by coming in and fixing what someone else had done, not that 2/3 the work we ever did was recovery.
It was good enough to pay for law school, so there's some fondness in my heart for incompetent programmers.
Not for incompetent voting machine programmers, mind you.
Posted by aspectre (Member # 2222) on :
quote:Now don’t get me wrong – there’s a 100% chance that the voting machines will get hacked and all future elections will be rigged. But that doesn’t mean we’ll get a worse government. It probably means that the choice of the next American president will be taken out of the hands of deep-pocket, autofellating, corporate ****bags and put it into the hands of some teenager in Finland. How is that not an improvement?
quote:As we move toward the November mid-terms, we're beginning to a more detailed and depressing picture of exactly what we're up against as a nation in less than a week: two major new reports from independent research groups detail the myriad security breaches, and procedural and technical problems in the 2006 Ohio primaries; stories from early voting in Texas indicate that the paperless DREs in at least two counties may have a partisan bias; another major new report from the University of Connecticut details a whole raft of security vulnerabilities in Diebold's optical scan voting machines; finally, BlackBoxVoting.org has released "push this, pull here" instructions for multiple voting on a Sequoia DRE, no hacking skills necessary.
None of this news bodes well for the November mid-terms, which are less than a week away. In fact, what the reports described below indicate is that voters will flock to the polls to vote on fragile, untested alpha systems that, when they break, cannot be fixed by the on-site poll workers; the votes that are recorded cannot be adequately verified by a post-election audit, even if a voter-verified paper "receipt" is printed by each machine and saved by the county; and individual counties may or may not have the technical capacity to actually carry out the task of tabulating all of the electronic results (forget about the paper receipts!) from all of the machines in a coherent and reliable manner.
In sum, people will show up on November 7th at many precincts across America, they will select items on a touch-screen, a lucky few of them will see a paper record of their choices (correctly marked or not) scroll by under a glass, and they will return home having participated in a bit of high-tech political theater that may or may not amount to a bona fide election.
Posted by James Tiberius Kirk (Member # 2832) on :
quote:Originally posted by Alcon:
quote:I have been saying for five years that the only electronic voting system I'll trust is one that generates a readable paper ballot, and then counts paper ballots alongside electronic ballots as part of the normal process.
Here, here. Even just generating a paper ballot isn't enough. The machine could be made to generate the vote you did indeed make in paper, but store the one the hacker wanted. You'd never eve know anything was wrong, unless a count of the paper ones was made.
I believe there's a district in Nevada that actually uses the electronics to choose the canidate, and then counts the paper ballots.
--j_k
Posted by Nighthawk (Member # 4176) on :
quote:Originally posted by James Tiberius Kirk:
quote:Originally posted by Alcon:
quote:I have been saying for five years that the only electronic voting system I'll trust is one that generates a readable paper ballot, and then counts paper ballots alongside electronic ballots as part of the normal process.
Here, here. Even just generating a paper ballot isn't enough. The machine could be made to generate the vote you did indeed make in paper, but store the one the hacker wanted. You'd never eve know anything was wrong, unless a count of the paper ones was made.
I believe there's a district in Nevada that actually uses the electronics to choose the canidate, and then counts the paper ballots.
--j_k
Sometimes I wonder why, if they go through the paper ballots and count them anyway, why do we need the digital count?
There are ways around "hanging chads". Drive a bullet-hole sized stake through the paper if you have to, then verify it with light pass-thru.
It's not rocket surgery. I don't understand how such a simple process can be so massively messed up by so many people that spent so much money.
Posted by Chris Bridges (Member # 1138) on :
And in five counties in Florida, including mine, daylight savings time is screwing up the internal clock in the machines. Diebold notified the elections officials to set them back, then realized these particular models did it automatically. When the officials checked to see if the machines needed to be adjusted they found that the machines were setting themselves back an hour every time they were turned on, which was daily this week to enter early votes. The Volusia County (my county) elections supervisor cracked one open this morning and found it was set to 5 or 6 hours early, calling into question whether it would register votes placed before the polls officially opened or votes made before the polls close but after the machines thought the polls closed. Workarounds are being set up, very quickly.
I have absolutely no reason to trust these machines, and I will continue to insist on a paper ballot as long as I can.
Untrustworthy voting procedures, micro-gerymandering, stricter and stricter rules on constitutional amendments... boy, it sure would be nice to live in a representative democracy.
Posted by Troubadour (Member # 83) on :
What I don't understand is why people think having a paper trail derived from the input of these machines would necessarily show the actual votes cast. Surely any data generated from the machines would be suspect.
Until someone builds a reliable voting machine (which, seriously, can't be as hard as these idiots make it look), unless pen is put to paper, you can't trust the result. Very glad we don't have these suckers in Australia.
Posted by Samprimary (Member # 8561) on :
There's bugs in paper voting too. Silverfish, for instance.
Posted by MrSquicky (Member # 1802) on :
quote:What I don't understand is why people think having a paper trail derived from the input of these machines would necessarily show the actual votes cast. Surely any data generated from the machines would be suspect.
With a paper output, you can audit the machines in two important ways. First, the person who voted sees the paper output and can ensure that it tallies up with their choices. Second, the paper votes can be compared to the electronic votes.
Posted by TomDavidson (Member # 124) on :
quote:What I don't understand is why people think having a paper trail derived from the input of these machines would necessarily show the actual votes cast.
This is why a readable paper trail that is ALSO counted is very useful. Posted by twinky (Member # 693) on :
quote:Originally posted by Samprimary: There's bugs in paper voting too.
While that's true, it's vastly more difficult to undetectably rig an entire paper election than it is to rig an electronic one. That's even more true if the electronic election is using Diebold voting machines, since the vote database is completely unencrypted.
Posted by James Tiberius Kirk (Member # 2832) on :
quote:Until someone builds a reliable voting machine (which, seriously, can't be as hard as these idiots make it look), unless pen is put to paper, you can't trust the result.
That's the type of error that bugs me most -- the one's that display the wrong votes when you go back to "Confirm your choices."
I mean, for crying out loud -- this isn't an extrordinarily difficult program to write. I want to see the source just to figure out how they could possibly mess that one up. Maybe if parts of the code were open source ...
--j_k
Posted by GaalDornick (Member # 8880) on :
From Scott Adams:
"Is it too late to start selling bumper stickers that say “I think I voted”?"
I would so buy one of those.
Posted by GaalDornick (Member # 8880) on :
How do they vote in other democracies? Why are we the only country that's having a huge problem with this?
Posted by mistaben (Member # 8721) on :
GaalDornick,
While I was a missionary in Brazil ('99-'01) I witnessed a few elections. Brazilian citizens were invariably shocked and delighted to discover that there was an area (voting) in which their technology surpassed that of the United States.
I'm not sure if your question is the right one. I think, rather, Republican leaders are wondering "Why are we the last country to figure out this great trick?"
![[Eek!]](eek.gif)
![[ROFL]](graemlins/rofl.gif)
![[Wink]](wink.gif)
![[Blushing]](graemlins/blushing.gif)
![[Smile]](smile.gif)
![[Big Grin]](biggrin.gif)