Even More Trouble For E-Voting Firms: Source Code Review Finds All Sorts Of Scary Vulnerabilities

from the doesn't-look-good dept

This has not been a good week for e-voting companies. First came the report out of California that independent security experts had found security problems on every machine they tested, followed quickly by security experts finding problems with other machines in Florida. This should come as no surprise. Every time a security expert gets a chance to check out these machines, they find problems. What was odd, though, about the announcement on Monday coming out of California, was that the state had only released some of the reports. It left out the source code review.

However, late Thursday, the source code reports were finally released and things don't look much better. Apparently all of the e-voting machines are vulnerable to malicious attacks that could "affect election outcomes." The report also points out: "An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine. The damage could be extensive -- malicious code could spread to every voting machine in polling places and to county election servers." This, of course, is what others have been saying for years, and which Diebold always brushes off.

Ed Felten has gone through the reports and is amazed to find that all of the e-voting machines seem to have very similar security problems -- and that many problems that Diebold had insisted it fixed in 2003 were still present. Remember how Diebold had used the master password "1111" in their machines? Now their machines use hard-coded passwords like "diebold" and (I kid you not) "12345678." At some point, isn't it time for Diebold (and the other e-voting machine makers) to stand up and admit that their machines aren't secure and, in fact, were never secure? At the very least, the company owes the world a huge apology -- but somehow, given its past behavior whenever its machines are shown to be insecure, that seems unlikely to happen.


Reader Comments

  1.  
    Ajax 4Hire, Aug 3rd, 2007 @ 8:20pm

    The reason there is not more outrage is

    an indication of the apathy of the US electorate.

    I have noticed for years that no one votes, in fact the younger you are the more likely you are to brag about not voting.

    It will take a Democrat clearly loosing an election to fraud/crack voting machine before something will be done. And that something will be worse that what is present now.

    I have no faith in the US Government ability to do anything right and it seems that millions of US voters share that feeling.

     

  2.  
    ocdude, Aug 3rd, 2007 @ 8:44pm

    Re: The reason there is not more outrage is

    It will take a Democrat clearly loosing an election to fraud/crack voting machine before something will be done. And that something will be worse that what is present now.

    I'm sorry. You appear to have misused the word "loose."

    Hopefully the above site will help you on your quest to better understand the differences between "loose" and "lose"

     

  3.  
    Anonymous Coward, Aug 3rd, 2007 @ 8:55pm

    How did diebold guess my password!

     

  4.  
    J.M. Skillman, Aug 3rd, 2007 @ 9:03pm

    Voting Machines

    Can someone please explain to me why a machine is needed to record and/or count ballots? It seems a perfect example of using technology where it is not needed. Coloured paper, cardboard boxes and pencils marking an X next to a name or Yes/No question. That's how it works in Canada and we always have the results the same night. Results are phoned into a central spot and everything is finalized officially within a couple of days.
    Every party has scrutineers at every polling station who supervise the counting and everywhere, two or more people are watching each other to make sure there's no funny business. Every position or proposition uses a different colour of paper, which go into different boxes that are supervised by two little old ladies or students who are picking up a couple of extra bucks for working that day and a couple of evenings previously for 'training'. How can any machine beat that idiot-proof, low-tech, inexpensive, extremely simple system?
    While personally I think the overall system of party-based democracy has lots of problems, the one thing I don't doubt is that the vote totals reported are legitimate and represent the intention of those who have chosen to vote. If I had to trust a machine, I would be extremely leery of trusting the results...

     

  5.  
    Gore, Aug 3rd, 2007 @ 10:43pm

    As a presidential candidate who had my election stolen from me, and invented the internet, I'm getting a kick from these replies.

     

  6.  
    Anonymous Coward, Aug 3rd, 2007 @ 11:43pm

    Subverting all the Devices in a County...

    Now being able to compromise one machine is one thing. The damage should
    be limited to the votes recorded on that machine. At the very minimum,
    this would force the attacker to compromise a large number of machines in
    order to affect an election result.

    "The damage could be extensive -- malicious code could spread to every voting
    machine in polling places and to county election servers."

    Holy ****! They've made it easy to compromise enough machines to
    compromise an election. Never mind the bad default password...

     

  7.  
    A. L. Flanagan, Aug 4th, 2007 @ 4:46am

    One vulnerability they've overlooked...

    is the possibility that a mutant child with the power to telepathically control machinery could rig an election even without cracking a password. Then a flying man gets elected, and the next thing you know New York is exploding...

     

  8.  
    Anonymous Coward, Aug 4th, 2007 @ 6:07am

    Re: Voting Machines

    Can someone please explain to me why a machine is needed to record and/or count ballots?
    Because it makes it easier to automatically rig elections. Seriously, that's the main thing they're good for.

     

  9.  
    Anonymous Coward, Aug 4th, 2007 @ 7:15am

    Re: One vulnerability they've overlooked...

    "...and the next thing you know New York is exploding..."

    Let's hope so, besides Sylar would be a better president than your current one ;-p

     

  10.  
    GoblinJuice, Aug 4th, 2007 @ 7:20am

    If it isn't open, it isn't secure.

     

  11.  
    Diebold Inc., Aug 4th, 2007 @ 8:39am

    Wanted: Former Diebold Salesperson for County Elec

    The reports have also talked about former salespeople becoming elections officials. Isn't there a "cooling off" period, or does that only work when you go from Gov't to industry?

     

  12.  
    reed, Aug 4th, 2007 @ 10:39am

    Re: The reason there is not more outrage is

    "I have noticed for years that no one votes, in fact the younger you are the more likely you are to brag about not voting."

    Don't blame it on the youth though. It isn't their fault politicians do not pay attention to them and have ignored the majority of the US in general.

    Politicians and the political system are broken and it will take a peaceful revolution and a complete restructuring of our electoral system to solve the problems we face. The simple fact is that politicians, especially on the federal level, are completely out of touch with what it is like to be a typical person in the US.

    I would hazard to say that the Federal Government is no longer capable of controlling the country effectively. I do not think our founding fathers could imagine a single government body in control of almost 300 million people. With the concentration of any power there is corruption and our system should be designed to limit it not encourage it.

    The simple answer may very well be to allow the states more power and take it away from the federal government. At the very least the presidential powers should be taken completely away and he should return to being a figurehead and our foreign representative.

     

  13.  
    hofbrau, Aug 4th, 2007 @ 11:51am

    What's the surprise here?

    Honestly, who didn't know this story by now? These articles have been coming out since before the 2004 election.
    At some point, isn't it time for Diebold (and the other e-voting critics) to stand up and admit that their machines aren't secure and, in fact, were never secure?
    The only thing Diebold stood up for was promising the Ohio election in 2004 to Dubya. Hey who remembers that one? Talk about a conflict of interest. Even that didn't raise many eyebrows.

     

  14.  
    Chris, Aug 4th, 2007 @ 12:04pm

    What's really needed...

    REVOLUTION

    The Cold War is not over; our foreign policy is still nothing but containment, and our own government is responsible for the "terrorist" attacks on 9/11. The majority of American citizens do not care to inform themselves of the truth of what’s going on around them. They will believe whatever they’re told from scripted news reports, from an even more corrupt and bent Media. The 2003 elections were rigged, and no one gave a shit then, so why should anyone now even when reports like these come out? World War III has already begun, and everyone’s too stupid to realize it. China is gearing up to become the next industrial superpower. Their foreign relations with the most prolific nations are becoming more and more favored.

    The EU, UN and the US keep pushing for “a New World Order” and are trying to dictate the rest of the world’s decisions. They say they’re policing the corrupt tyrannical governments, but really they’re just mobilizing troops. Granted most of this seems like a conspiracy theorists rant, but if you take a step back and look at the big picture you can see the steps are already being taken to try and implement some form of a global governing body. Much like how the US’s government gains more power with every new president, and becomes more and more federally controlled, NAFTA, the EU, and the UN will keep slowly increasing their power until they’re the sole governing bodies of the world, which will likely be the result of another World War.

    I wouldn’t be the least bit surprised if another “terrorist” attack were to happen sometime very close to the 2008 elections. More than likely a string of attacks to delay the election because “Our Nation’s Under Attack.” Considering Bush’s sole purpose as the president has been to do nothing but push for more and more legislation giving the Government the ability to do whatever it pleases with no repercussions whatsoever. The man refuses to pass any legislation that he doesn’t agree with. Not what the people of the US want, but what he specifically decrees as the “right” thing to do. The Patriot Act has become the new constitution, and if the FICA reforms being considered go into effect everyone’s rights become void. All the government has to do is say they believe you’re part of a terrorist organization and they can whisk you away never to be seen again.

    Never before, and never since, has a steel structure building ever collapsed due to fire. 110-story buildings don’t fall straight down if they’re going to collapse. Thousands of reinforced joints don’t simultaneously fail at the same time, even if they are weakened. WTC building 7 we’re told collapsed because of fires as well. But WTC buildings 3, 4, 5, and 6 were left standing even though they took the brunt of thousands of tons of falling debris. The owner of the WTC buildings obtained the rights no less than six weeks prior to the incident, made exclusively sure that his insurance policy covered terrorist attacks, and received billions of dollars in return for the few millions he invested. Wake up, open your eyes, ask questions, and get involved. The youth is our future, but so long as we keep pulling the wool over their eyes, they will never be anything more than sheep herded to do the shepherd’s whims.

     

  15.  
    Anonymous Coward, Aug 4th, 2007 @ 2:56pm

    Re: What's really needed...

    "Granted most of this seems like a conspiracy theorists rant"

    So long as you realize it....

    "Never before, and never since, has a steel structure building ever collapsed due to fire" --- And yet steel buildings need to have fireproofing....Also no steel building of that height has EVER been hit that high up by a 737 size craft, fully laden with jet fuel, with that type of force.

    My point? Just because it hasn't happened before does not mean it has to be conspiracy. Bridges collapse as we have seen both recently and in the past due to stress and sudden impacts, why would a steel building be any different?

     

  16.  
    Arlene Montemarano, Aug 4th, 2007 @ 2:58pm

    Re: Voting Machines

    You are so right. We seem to be enamored with the technical in the US. Perhaps it is the macho aspect. Perhaps it is seen as more modern and "cool".

    But the question that needs to be asked about voting is: is it appropriate?

    Keep in mind that voting is ANONYMOUS and that fact means we cannot follow our vote as we can in other computer transactions.

    Ergo, no electronics at all should be allowed.

     

  17.  
    Paul`, Aug 4th, 2007 @ 10:50pm

    Re: What's really needed...

    The reason a steel building hasn't collapsed due to fire until 9/11 is because when was the last time buildings that high were hit so high up with a few hundred ton plane full of jet fuel?

    There was no precedent of that so you can't say it's impossible.

    Go watch Loose Change again or something. You obviously aren't going to believe the reality of the situation.

    P.S: You may enjoy this one too, if you believe that crap. Unfastened Coins

     

  19.  
    Chris, Aug 4th, 2007 @ 10:57pm

    Re: Re: What's really needed...

    The WTC was built with the idea in mind that a 767 (the largest plane at the time) might accidentally run into the towers in instances such as fog. If you have ever seen footage of controlled demolitions, and buildings collapsing, there's just no debate about it. You can see squibs coming out of the main support sections of the buildings, plus survivor testimony even states they felt explosions underground. Building 7 just "falling down" is even further proof. The photos of ground zero show melted steel, most experts think due to the use of thermite(ate). The "meteorite" that was found had never been seen before by anyone in their respective fields. All the steel that was recovered from ground zero was disposed of as quickly as possible, seems rather odd considering the breadth and scope of the incident.

    As far as a plane running into the building, as noted it was designed for the impact. Not only that but the towers were built to withstand hurricane force winds in excess of 140 miles per hour. So one lonely plane smacking into the side of the building has nowhere near the amount of stress that winds can produce for days on end.

    Flight 93 we're told to believe crashed into the ground. However if you've ever seen an actual plane crash, most of the wreckage is in a fairly close proximity to the crash site. Flight 93's was spread out over a very large area, more indicative of it being shot-down mid-air. At the pentagon; no damage done to the building would indicate a plane hit it. No engines were found, no 4-story tail section, no nothing. More importantly is how a plane hours later after the initial attacks could ever get through the most heavily air-traffic controlled region of US airspace. Also we're to believe that only one camera at the very center of our military could have seen the event. If you have ever been to the pentagon, you can clearly see they have cameras along the roofline spaced apart from each other about every 50ft. or so. Not to mention all the ones in the parking lots, and more than likely all the others they don’t want you to see.

    Not a truth that's easy to swallow but if you allow yourself to just accept whatever the government tells you, then you're already failing as a true American in my eyes. Do some research, look up "steel building fires" and you'll notice that some buildings have had infernos, literally 10-stories engulfed in flames burning for over 24 hours. Yet they remain standing, in EVERY instance since and after. However, the fires in the WTC were starved of oxygen, which is why they put out such thick black smoke. Firefighter communication recordings say they encountered small pockets of fire that could have been put out with as little as two lines. As I said before, ask questions, get involved, become informed, and don’t just simply accept whatever the most power-hungry government in the world spoon-feeds you.

     

  20.  
    Chris, Aug 4th, 2007 @ 11:04pm

    Re: Re: What's really needed...

    Steel doesn't melt until it reaches a temperature around 2300 degrees Fahrenheit, the highest temperature an open-flame fire can reach is 1200. The temperature on your propane stove is even hotter, yet what are your pots and pans made out of? Steel. Go to YouTube, search "collapsing building" then search "building implosions" and then re-watch the WTC building 7 footage.

     

  21.  
    Anonymous Coward, Aug 4th, 2007 @ 11:06pm

    Re: Re: What's really needed...

    As to the "conspiracy theorists rant" that was to be directed at my presumption about World War III, not the events that occurred on 9/11.

     

  22.  
    Anonymous Coward, Aug 5th, 2007 @ 6:00am

    Re: Re: What's really needed...

    Titanic Love it thanks for the laugh

     

  23.  
    Kristiyan Kirchev, Aug 5th, 2007 @ 6:39am

    What is scary is not that machines are bogus. It is the fact that their output determines the course of history.

    Given the US President is pulling the strings of the world's most powerful country.

     

  24.  
    Brad Eleven, Aug 5th, 2007 @ 7:43am

    FP nailed it

    Ajax 4Hire said:
    > The reason there is not more outrage is an indication of
    > the apathy of the US electorate.

    I didn't understand voter apathy until I got involved with politics. Those pampered figureheads either don't have any idea what people want, or they truly believe that the people are fools. See also, you know, any government regulatory agency.

    We are not represented in our government any more than we are represented in mainstream media. We are not the customers, and there's no room at the table for us because all of the seats have been bought and paid for by lobbyists who represent wealthy clients.

    I don't see any grand conspiracy--just a widening disconnect between the government and the governed.

    I do think that the GOP has conspired in the same way that it did in the 1970s, on a much larger scale. If they're caught, the party's over; if not, their influence will reach across political party lines. It's not a great time for democracy--but then again, it wasn't 100 years ago, when Teddy Roosevelt decided to screw J.P. Morgan and the rest of the capitalists. Hundred-year cycle, anyone?

     

  25.  
    Proxy318, Aug 5th, 2007 @ 11:39am

    password

    12345678? that's the kind of combination an idiot would have on his luggage!

     

  26.  
    Lawrence D'Oliveiro, Aug 6th, 2007 @ 2:02am

    It's not hopeless

    Other countries have succeeded in building trustworthy e-voting systems. This article cites the Australians as a good example.

     

  27.  
    CDR R., Aug 6th, 2007 @ 3:42am

    Open flame maxes at 1200F ? Then you've never worked with furnaces...which would be what the inside of WTC would be like.
    Yes, the WTC was designed to be able to absorb a plane hit, but they never calculated that the fire-coating sprayed on the steel would blow off in the impact. The engineers knew that steel would melt in a fire and coated it, but now it's gone and only a matter of time until structural failure.

    Wake up and realize the only pawns in this whole debate are the gullible people who believe the first, worst ideas they hear, and then are manipulated to try to undermine the world's greatest country which is under attack from terrorists, and now from idiots. For God's sake, LET IT GO!

    CDR R., United States Navy

     

  28.  
    mkam, Aug 6th, 2007 @ 5:38am

    Re: password

    That's amazing! I have the same combination on my luggage!

     

  29.  
    Chuck Norris, Aug 6th, 2007 @ 6:54am

    Re: One vulnerability they've overlooked...

     

  30.  
    Chuck Norris' Enemy (deceased), Aug 6th, 2007 @ 6:57am

    Re: One vulnerability they've overlooked...

    Aw man! I was on episode 20, thanks for spoiling the ending. Well, I guess I knew that anyway thanks to constant forecasting. (sorry for the mistake above, the curse of having the ' key next to the enter key)

     

  31.  
    Enrico Suarve, Aug 6th, 2007 @ 8:47am

    Re:

    Not sure of the rest of it but there is a substantial difference between jet fuel burning on an open surface and a furnace - the latter being a highly controlled burn

    For reference jet fuel burns at a lower temperature than even regular petrol

    I agree that there is a certain amount of generalised conspiracy nonsense muddling the whole thing and to be honest I'm not sold on either story, but I have seen WTC7 collapse after a few sporadic (non kerosene fueled) fires in a top corner

    It collapsed straight down which architects and engineers tell me is unlikely (actually they told me it was absofuckinglutley impossible for the type and amount of damage sustained)

    If you want your country to remain the greatest country on earth it may be a good idea to have a proper analysis of what happened that day because somebody (terrorist or traitor) knows something that has so far gone unexplained and unnoticed - the first step in protecting yourself against any threat is to find out EXACTLY what you are protecting against

     

  32.  
    Yankee Snafus, Aug 9th, 2007 @ 3:42am

    "At the very least, the company owes the world a huge apology..."

    The world? Oh, you mean 'cos they helped put an absolute moron in charge of the supposed 'greatest country on earth' and now he's out of control and bashing up whichever country catches his fancy?

     
