Schneier on Security
A blog covering security and security technology.
« Alan Cox on Security |
| New Poll Tax in Georgia »
September 19, 2005
A Diebold Insider Speaks
Yes, it's sensationalist. But there's some good information here.
Posted on September 19, 2005 at 7:41 AM
• 15 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
quote: "The GEMS software has been used in hundreds of elections and there's never been a security issue."
Bear says that "Diebold machines have never lost a single vote," ....
And how would we EVER know?
you don't know what you got till it's gone, and baby, it's gone. we are the modern rome, and republican (small r) government in the first rome didn't last forever, the caesars eventually gave way to nero and caligula. a working democracy requires peaceful elections, fair vote counting and public confidence in the result; two of the three pillars are gone. face it, most americans are stupid compared to their counterparts in europe and asia, they've been dumbed down by fox news and mtv (moron television) to the point where they don't even care anymore. it will take a major economic reversal on the order of the great depression to galvanize them, then maybe we'll get another revolution. greetings to all from the world's most dangerous nuclear banana republic!
I read this a couple of days ago, and as you say, good points raised but the level of sensationalism really turns me off!
To say this is a non-partison and fair treatment would be more than slightly wrong :)
How come we haven't heard about this Diebold insider elsewhere? Does he/she/it have an ax to grind? Do they even exist? And of course, are they a biased flaming liberal?
Unanswered ?s, but it's well worth a read!
Diebold makes more than voting machines. They also make most of the ATM's out there. Even though I do have a target of opportunity here, I won't start bashing Microsoft. Most of their ATM's are using Windows CE. I'd hazard a guess the voting machines are also using WinCE. Check out MS website and you can d/l the source for WinCE and compile your own. Only knowing which OS they're using isn't helpful (harmful?) because you can do a secure or crappy compile of WinCE.
It's good that the vulnerabilites are being publicized, but I think a lot of people are missing the point here. Whether or not this hole gets closed, the machines still don't leave a verifiable paper trail.
RE: level of sensationalism: yes, let's avoid it and focus on facts. Many facts (demonstrations of ways to hack various electronic voting systems, etc.) are available here (http://www.bbvforums.org/forums/messages/1954/1954.html)
In any case, this isn't a partisan thing: hackable machines are very popular with Democrats, too -- for example, in urban areas. Whoever is in power has an incentive (whether they respond to that incentive with hacks or not).
(Also, FWIW, I believe Canada counts 10 million paper ballots by hand on election night. Alternatives are available, even if they're only electronic systems with paper audit trails and best-efforts computer and network security.)
Why should ATMs be more secure than voting machines, especially when the same companies make both?
This is important, bedrock stuff in an ostensibly democratic republic like ours.
I couldn't get past the semi-informed sensationalism, unfortunately. Can someone please say whether what is in this latest article extends in any way what has already been publicized by blackboxvoting.org?
If I understand correctly, the vulnerability is essentially that the system is based on a password-protected Acess database, with a fairly clear schema, and anyone with the password can modify the data however they want to.
This amounts to pretty much no security at all, unless extremely strict controls are exercised over physical access the central vote tabulating machine and access to any networks it's connected to.
Nothing really new, seems to me, although it is somewhat amusing that the informant is called "DIEB-THROAT".
I noticed the informant completely confuses the terms "vulnerability" and "threat" to their own detriment.
The informant claims the DHS not only knew about a vulnerability but also a threat:
"It blew me away because it showed that DHS, headed by a Cabinet level George Bush loyalist, was very aware of the 'threat' of someone changing votes in the Diebold Central Tabulator."
And yet the proof they point to is a page that reads "We are not aware of any exploits for this vulnerability".
Sounds like DHS said "very vulnerable, but no threat" to me.
At this point it's beyond obvious that the voting devices were horrifically vulnerable to all sorts of tampering and corruption. The question remains why this is not sufficient on its own, and whether fraud/corruption must be demonstrated for things to change.
Warren Harding's cabinet was so scrupulous about fraud that they almost got away with it.
Or howabout this for a change of perspective:
The Payment Card Industry has a set of security standards that you must abide by if you handle credit card data. You do not have to make any promises about security, and yet you are still bound by them to protect cardholder data from disclosure. They do not discuss threats at all -- compliance is measured on vulnerability alone with heavy penalties for failure.
I wonder why web sites with potentially useful information often make it so difficult to read this information through their poor choices for font style, font size, font and background colors and overall design.
"Why should ATMs be more secure than voting machines, especially when the same companies make both?"
Because ATMs are auditable and voting machines can never be (because of anonymity).
(Sometimes) unreliable ATMs can be dealt with by compensating the alleged victim. A single miscounted vote can cast doubt on the entire election.
"ATMs are auditable and voting machines never can be (because of anonymity)."
What's wrong with:
1. I vote
2. Machine prints me a receipt, which shows my vote, and a unique number.
3. Later, I can go to a website, type in my unique number, and see the tallied vote associated with it.
Lots of work to secure the components of the system, but I think that the idea is workable. My vote would be auditable by the most reliable auditor there is - *me*.
>Diebold makes more than voting machines. They also make most of the ATM's out there. Even though I do have a target of opportunity here, I won't start bashing Microsoft. Most of their ATM's are using Windows CE.
The most common OS for ATMs is in fact OS/2. Even Microsoft acknowledges this, although it has been trying its best to convert ATM manufacturers. See: http://msdn.microsoft.com/embedded/getstart/...
What's wrong with your system is simple. The next day you go into work and the local union rep @Daniel:
What's wrong with your system is simple. The next day you go into work and the local union rep (feel free to substitute church & minister or other places & authority figures you don't like) demand to see your receipt. Once the results are posted online, they use this information to make sure you "did the right thing". Oh wait, it's on the receipt so they don't even need to visit the website.(*)
If you refuse to present your receipt, you obviously "didn't do the right thing" by either not voting for the "right guy" or for not voting at all.
Repercussions soon follow.
(*)There's no reason to rig the tallying process if you can simply coerce everyone to vote how you want.
Chris, there are lots of variations on the idea.
For example, *you* give *the voting machine* a string of numbers that you will remember, and your string gets published with the vote. Then if you feel the need to reveal your vote to somebody else, you can pick any string you like from the ones that voted "right".
But then, when somebody like a boss wants to coerce you, pretty often it works OK to tell them "My wife has priority, her threats come first.". Like with unpaid overtime. Look them straight in the eye and say "My wife wants me home tonight.".
Also, we need the tradition that nobody gets to coerce you into telling them how you voted. Maybe start with voter registration. Have a line for each prospective voter to sign. "I understand that if anyone can tell me who to vote for, and require me to prove I did it, then I am not a free citizen."
But anyway, letting individual voters check their individual votes only handles a third of the problem. A second part is that they can still add extra votes that don't belong to anybody in particular, that vote their way. It would help to publish the whole list of voters, for the public to challenge. But if they published the names and addresses of voters that would lead to a lot of junk mail.
A third part is that even if they see that their votes have been falsified, there is nothing they can do about it except make a stink -- they can't prove it. I found a way to let individual voters challenge the official vote without letting anyone else see their secret vote until they challenge it. But it's complicated, it requires multiple organisations controlling multiple databases, and it depends on those organisations not cooperating except when they are officially required to.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.