Is Having A Hacker Break Into Diebold Machines A Bad Idea?

from the seems-like-it dept

We’re seeing a ton of stories about how California has hired a hacker to try to break into a randomly selected (previously used in an election) Diebold e-voting machine. Diebold, of course, has a long and troubling history concerning its e-voting machines, which have no way to create a backup paper trail. However, while many of those who are against these types of e-voting machines are happy about this week’s hack-a-thon, it actually sets a very bad precedent. By opening up the machine to a single hacker, it puts the burden of proof on the hacker, rather than the company. The company making the voting machines needs to prove that they’re safe and that there’s a way to recover from any problem. By handing it off to a single hacker, suddenly the assumption is that the e-voting machines are safe unless the hacker breaks into them. So, should he not find a particular security hole, the company will start promoting that as proof that the machines are secure, when all it really means is that this one particular hacker was unable to find a vulnerability.


Comments on “Is Having A Hacker Break Into Diebold Machines A Bad Idea?”

Alaric says:

Those Hackers might save Democracy

The company has absolutely no incentive whatsoever to secure its own machines.

The only way those machines will ever be made safe is if outside hackers prove them unsafe and then an independent body upgrades them.

Black box voting is a very bad idea and it essentially puts Diebold and ESS (the other e-voting company) in control of democracy. No company or person should have that kind of power.

Here is a question for you: How much would it cost to alter an election? Would it be $1 million, $10 million, $50 million, probably not too much. How much would a corporation, special interest or foreign power pay to put their people in control of this country?

Precision Blogger (user link) says:

What's at stake?

Obviously it would be better if Diebold held regular hacking contests, offering a reward for hacking into their regular machines. But if it’s understood that this is a lose/lose situation for Diebold – that is, failure to hack in proves nothing – then I’d say it’s okay.

The quoted story indicates that the hackers have the edge here. They already broke into one Diebold machine, and they are attacking another machine that has not been “hardened” against their anticipated attack.
– precision blogger

Anonymous Coward says:

No Subject Given

Hack the Planet!
I’m so tired of hearing about this. It really isn’t all that hard to create a paper backup. The problem is that A, you would be having to monitor your paper consumption and be sure to replace in time, and B, corruption of the people guarding these machines who “forgot to replace the paper” and either really did, or just flat out stole the paper version. What you are looking at is a government sponsored (did I really say that?) politically unbiased 3rd party to be put in charge of these machines.

All in all this is really more trouble than it is really worth. The party that wins will be victorious, and the losing factions will cry foul. I have seen this too many times since I turned 18 whether it be local, county, state, regional, or national election.

I hope that swiss cheese has less holes than these machines.

subversion is the key says:

No Subject Given

Who is to say that said hacker didn’t find a ‘hole’ and simply did not report it? It would most likely benefit any hacker to have free run of ‘legally’ attempting to hack a machine, and find any weakness, and not report it but sell information about how to hack it at the most opportune time.
If they are going to open things up to malicious activities, they must be willing to think malicious themselves. This type of thing lends itself to the old adage, “If you want to catch a crook, you need to think/become the crook”
One would think that all prior events would teach us that whatever is built can also be destroyed. Nothing is impervious. Someone will always build a better mousetrap, and someone will always find a way to get the cheese without setting off the trap.

theStorminMormon says:

it's a good thing

People who understand the basics of security and hacking already realize how full of holes the Diebold system is. So from our standpoint, it doesn’t matter if a hacker is hired to attack a particular machine or not.

But I think that the public in general does not have the default “unproven security = bad security”, they instead assume “big corporation = legitimate corporation = good security”. So, since the public in general already either doesn’t care or assumes the Diebold security is “good enough” then there’s really nothing to lose by having someone try to hack in. At least, not very much to lose.

But if the hack succeeds, then we’re going to have front-page level news – and that’s a lot to gain.

It would be better to have multiple hackers try, or even open it up to public efforts (which would also demonstrate how a lot of people could possibly bring down the system even when one hacker can’t). Those efforts should be advocated. But having one hacker (I’m assuming with decent creds) try is better than nothing.


Mike S. says:

Take a step back...

We’re debating the wrong thing. We’re debating whether or not it’s ok to do black-box hacking on a closed-source, proprietary system that will help determine who our elected leaders are.
The real question, and the ONLY one we should debate whenever the topic of these systems comes up, is WHY ON EARTH would we allow a closed source system (famously code reviewed by a whopping 3 government coders) to be responsible for our elections.
There are several open source solutions on the net that could/should be used, and I guarantee that if the gov’t ever decided to use one, the tech community would give that code the best review ever given to code. It would become the most robust, maintained, maintainable, and solid code we have ever seen. On a par with Windows, one might say!! (sorry. tension breaker — had to be done)
Alas, we sit around and debate whether or not having one hacker try to overrun a buffer is a good thing.
-Mike S.

Mike (profile) says:

Re: Take a step back...

Yes, we should take a step back, and yes we should be looking for open solutions. However, the PROBLEM is that right now everyone’s looking at this hack attempt as if it’s going to prove that the Diebold machines are unsafe. THAT’s the problem. It’s dangerous to set things up where we’re using the hackers to prove the wrong thing. If the hacker fails, then these machines are going to be labeled SAFE — and your dream of open source voting goes to hell. So, let’s focus on what’s happening now, and try to make it clear why it’s a bad idea. Then you can discuss better solutions so that this issue would never come up in the first place.

Mike S. says:

Re: Re: Take a step back...


I agree that this hack attempt is bound for failure.

My problem is that by attacking their testing mechanism instead of the whole concept of proprietary, closed-source voting machines, this red-herring argument becomes effective.

Clearly, placing one hacker in front of a black box and saying ‘GO’ is just a publicity stunt. It’s our responsibility as concerned citizens to recognize that and bring the argument back to the meat. Closed source voting is BAD.

The answer is not to address the hacker or any other means that Diebold will use for testing, but to concentrate on the real issue.

-Mike S.

Kaizoman says:

Fact of the Matter

You can rack this one up to the government doing something stupid again. Yet, it touches on an enormous problem surrounding the Digital Millennium Act (I think that is the name) and the Patriot Act. This ‘hacker’ that the company has hired is in a very precarious position. If he successfully commits a ‘hack’, even if gainfully employed to do so, the very company could call up the FBI and under the DMA could have him charged federally for committing the act.
Cisco did this to one of their own employees just a little while ago, where they contracted a network analyst to break their security and when he did they fired him and had him charged under the DMA and the Patriot Act for violating their ‘rights’.

FireMonkey says:

Re: Fact of the Matter

No, Cisco did not charge anybody with DMA violations for hacking their routers… They threw a fit because the guy that found the flaw went public with it at Black Hat in Vegas last year. First, the flaw was documented in the Black Hat handout booklets, then he gave a presentation detailing the flaw(s), complete with PowerPoint presentation. Cisco pulled the info from the handouts (hard copy and CDs). Cisco then instructed him to not give the details in the presentation. He did it anyway. He got fired and harassed by the FBI. He did not (to my knowledge) get arrested, but there were a ton of rumors to the contrary.

Anarchy_Creator (user link) says:

Ever Hear Of Open Source?

1. What they oughtta do (since voting is done by, and for the people anyhow) is allow the open source community to code the OS/program that the voting machines run on.
2. Let whoever wants to try to hack it for a small, but worthwhile reward (be it money or fame).
3. Upon successfully hacking it give step by step instructions as to how they hacked it to the open source team so they can patch the hole.
4. Repeat steps 2-3 until no more holes are presently found.
5. Then implement the new procedure as the standard.

As for the paper trail…
