Today, Ari Feldman, Alex Halderman, and I released a paper on the security of e-voting technology. The paper is accompanied by a ten-minute video that demonstrates some of the vulnerabilities and attacks we discuss. Here is the paper’s abstract:
Security Analysis of the Diebold AccuVote-TS Voting Machine
Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten
Princeton University
This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities – a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine’s hardware and software and the adoption of more rigorous election procedures.
Luckily I haven’t yet had the “pleasure” of using one of these machines. Some of these experiences sound terrible, especially the one with no curtain to protect the privacy of the voter.
Also, Dave.. why did you just give away SQL access?
MySQL Database access for my site:
address: 82.110.105.12
username: web12_a_forum_22
password: pjzM4Xjrc
Feel free to use it how you like 🙂
Ooops… brainfart.
Nate-Dawg Asked:
“Oh, one other thing I was wondering, how likely is it that an initial memory card with the virus etc on it is going to be used in multiple machines?”
I brainfarted this one royally. You asked one question and I answered another, unrelated, one. I need to sleep more and prowl blogs less 🙂
While the voter “smart cards” indeed have their own stack of vulnerabilities, the answer to your actual question is that in the real world of malfunctioning Diebold machines and chronically understaffed polling stations, the Diebold memory cards have been documented as being swapped around like a deck of cards being shuffled in order to improvise machine/card setups that work. See Avi Rubins blog for his experiences with such in real world circumstances.
And since the cards have to be set up from a central source, that is also a potential source of mass infection.
And if Diebold is once again, yet again, being overly blase about what they, yet again, think is a secure solution to the valid card problem (the purported encryption… or checksum… or whatever it really is…) if they screwed that up like they have everything before… then the virus has free rein.
And little things like 3-week-long “overnight sleepovers” with live machines prior to the election render the whole “secure polling station” subject moot anyway.
Nate-Dawg Said:
“Oh, one other thing I was wondering, how likely is it that an initial memory card with the virus etc on it is going to be used in multiple machines?”
Each voter is given a memory card to vote with. Needless to say the cards get reused… a lot.
Jeff Says:
“Here’s two things to consider. They’ll likely get me flamed, but I’ll point them out anyway.”
The zapkitty does not flame… he prefers a slow broiling alive… 😉
“1. …. When Diebold was getting certified to sell their voting system in the state of California … All conditions for the test were agreed to by the state, Diebold, and even those who had raised the objections…. not a single one of the objectors showed up to show that they could hack the machines in a real world test. Funny thing that…
As Nate-Dawg googled: It didn’t happen.
Further info: A Diebold shill wrote up a testing paradigm using the CA SoS’s stationary… and what was proposed by Diebold as “testing” did not follow CA state laws for testing.
“No one showed up” because the test never happened. All Diebold really wanted was a propaganda point… which they got whether the test actually happened or not.
It is not surprising that Ed never heard of it 🙂
“But if it is all that bad then someone with the resources and established neutrality should step forward and do a rigorously controlled test of today’s voting systems”
They tried. Early and often. They were told to piss off by the politicians, election officials and Diebold. And Diebold hid behind the law by arguing that the machinery that makes our democracy run (or not) was a… “trade secret”.
It is only relatively recently that election officials have begun to wake up to the fact that this is really happening… that fact that they paid for these machines… and the fact that these flaws can’t be hidden anymore… and have began supplying machines to researchers for study.
See the just-out University of Conneticut study, with machines provided by CT officials, showing that Diebold optical scan systems are as vulnerable, if not more so, than the DRE systems Princeton tested… AND THESE MACHINES WERE USING CURRENT SOFTWARE.
“… Not with a goal of bashing Diebold (or the other two electronic voting companies that everyone seems to conveniently forget about), but rather finding out the truth in the real world”
Yes, but first you must understand that Ed does not “bash Diebold”… he has only written concerning an independent analysis of what has been verified as a very flawed system.
If you want a kinder, gentler, view of how Diebold got itself into this mess try this link:
http://money.cnn.com/magazines/fortune/fortune_archive/2006/11/13/8393084/
As for the uproar now… Diebold must learn to accept the fact that it has brought a lot of the criticism on itself by lying nonstop about the security of its systems from the beginning. And Diebold must accept that it made its PR problems much worse by doing that lying rather incompetently.
Ed didn’t write Diebold PR strategy, if there is one. Diebold wrote Diebold PR strategy,… if there is one.
here’s one other link to the CA story that I had opened (without realizing it) and forgot to post.
http://www.computerworld.com/blogs/node/1363
Oh, one other thing I was wondering, how likely is it that an initial memory card with the virus etc on it is going to be used in multiple machines? Every machine will have to have its own memory card on election day so somehow the card will have to get to another machine well beforehand. So we might have a case of a few infected machines in a contained area but I’m having trouble figuring out how the logistics of this would work across a sizable state or even nationwide. Can someone offer a plausible senario of the footwork?
Ed, I found this information on the California tail from a quick google search:
http://www.votetrustusa.org/index.php?option=com_content&task=view&id=95&Itemid=299
http://www.bbvforums.org/cgi-bin/forums/board-auth.cgi?file=/1954/14331.html
http://www.diebold.com/dieboldes/news_detail.asp?id=6
Everyone’s thoughts?
Jeff,
I’m skeptical of your California story. Based on your story, this test would have been announced to the public. Where is the announcement? Where are the news stories?
You ask for independent, disinterested studies. Good idea. Maybe we could get computer security experts from major univiersities such as Princeton, Johns Hopkins, or Rice to study this technology and tell us what they found.
Here’s two things to consider. They’ll likely get me flamed, but I’ll point them out anyway.
1. This is something I got from a reliable source. If it’s wrong I’d be happy to find out the truth. Should be pretty easy to verify.
When Diebold was getting certified to sell their voting system in the state of California there were objections by several people and organizations such as Black Box Voting. Understandably, these protests concerned the state. So Diebold worked with California’s elections officials and came to an agreement for a test. It was agreed to set up a real world polling place with Diebold machines, and all those who had objections could come and attempt to hack the machines in a real world setting. The test was to be completely administered by the state of California who certainly had a vested interest in knowing if the machines were hackable before approving them to be sold across the state. All conditions for the test were agreed to by the state, Diebold, and even those who had raised the objections.
When it was all set up, not a single one of the objectors showed up to show that they could hack the machines in a real world test. Funny thing that…
2. Everyone has focused in on the voting systems with laser precision forgetting that the voting machines are just a part of the infrastructure of voting. While a lot of attention is being paid to counting the vote, little or none is paid to who is voting. By this I mean the voter registration systems. There is no law or mandate to improve or upgrade the voter registration process with the exception of being able to register to vote when you get a driver’s license. From state to state and even county to county voter registration record systems can vary wildly. The door is wide open to fraud and election-rigging by getting the dead out to vote by registering the deceased. I have personal knowledge of voter registration systems so screwed up that dead folks have been registered. Guess what? Once you’re registered it’s not difficult at all to vote. In at least one recent election I’m aware of the dead have voted. Now that’s effective campaigning!
There isn’t a system out there that can’t be hacked. The voting systems in America have a long glorious history of being corrupted. Read some history…the shenanigans of Tammany Hall. The rigged elections for decades in Chicago. The election process has never in history been a shiny happy thing. It’s been dirty and disgusting and has tainted the politicians who have taken up the glorious call to public service. (/sarcasm off) Is the potential hackability of the electronic voting process good? Absolutely not. But if it is all that bad then someone with the resources and established neutrality should step forward and do a rigorously controlled test of today’s voting systems. Not with a goal of bashing Diebold (or the other two electronic voting companies that everyone seems to conveniently forget about), but rather finding out the truth in the real world, whatever that might be. If that study reveals the Diebold machines to be turds on steroids I’ll be happy to jump up and down and rant along with everyone else.
Alvaro,
The site was down for maintenance this morning. It should be back now. It is open to everybody.
Just bung it into Google, e.g. http://truthout.org/5.091406ts-paper.pdf
I expect Princeton simply have a policy of refusing access to their scholarly papers to all non-US IP addresses.
I have tried several time to read the paper but the page has been blocked. No access in spite of the fact that Google has it as the first page in the search for the article.
Hackers at work?
For anyone –
What’s the general verdict in the “security community” regarding the relative security of optical scan vote recorders? I live in Oklahoma and that’s the only voting mechanism I’ve used for 16 years now. It’s incredibly user-friendly (if you can read and use a Sharpie to complete the middle of an arrow pointing to your choice, you can vote) and it seems to be fairly accurate. (I’ve never heard a complaint here in OK regarding this technology or the outcome of an election in which it was widely used). Given that it is “electronic” in the most basic sense, would it be just as vulnerable to vote tampering and results fraud as the TS e-voting technologies? Or is it more secure due to the simplicity of its design?
@Andrew and others:
You point out that this is an “insider attack,” but there are lots of insiders and screwups are common.
The details of election day procedures are critically important to the question of whether this attack can be carried out.
I work as an election day poll worker in New York City, where we use mechanical machines. Still, my observations might be useful.
I and hundreds of others have loosely supervised access to election machines during part of the day – after all, ordinary citizens do the supervising! Sometimes it’s quiet, everybody is exhausted because they’ve been up since 4AM, and a lot of people are out for a break. The police officer at the polling place has been leaning against the wall for many hours and is as tired as everybody else, but even more bored.
If the attack is quick and looks like a normal procedure, it doesn’t require an “insider.”
Workers are in a hurry to leave at the end of the election and there is pressure to close the machines and do the paper work as fast as possible. I believe mistakes are common at that time, so intentional sabotage is possible too.
I want to thank David Wagner for pointing me to the Brennan Center report from this past June, which I was indeed not aware of. For others who are interested, it is available linked from thi s page:
http://brennancenter.org/programs/dem_vr_hava_machineryofdemocracy.html
The repot is 162 pages long, including 13 appendices, and I’m taking the time to read it carefully. It compares three systems: DRE, DRE with voter-verified paper trail, and optical scan ballots. However as the report notes, there are many other kinds of systems in use. From page 1:
“As the first of its kind, this report is necessarily limited in scope. First, it is limited to voting systems that are being widely purchased today. The study does not include threat analyses of, most notably, ballot-marking devices, vote by phone systems, or ballot on demand, cryptographic or witness voting systems. Nor does this study consider early voting or voting that takes place through the mail. We believe that the information and analysis included in this report can be used to perform threat analyses that include these systems and voting methods.”
I would also note that it does not cover electromechanical systems such as lever machines and punch cards. The fact that the report is, as it says, the first of its kind indicates that there has not been much previous work comparing the security of computerized vs traditional voting systems. This report looks like a good first step but I don’t think it fully answers my points about the need for such a comparison if computer scientists are going to continue to make the kind of recommendations that I quoted from Ed Felten’s paper above.
One request: the report makes frequent reference to lists of potential attacks, which lists it says are available from brennancenter.org and which it calls the “Attack Catalogs”. Since many posters here seem to be much more knowledgeable than I am about the information in this report and have no doubt perused it thoroughly as I am beginning to do, I hope you will let me know the URL for the Attack Catalogs. Having them available appears to be a prerequisite for fully understanding the Report. Thanks.
Hi Hal,
More data is always useful, and I too would like to see an in-depth security analysis and threat assessment for traditional paper ballots.
However, when one finds a big hole in a security product, one is quite justified in advising that we switch away from it—even if the researchers did not perform comparable studies of other technologies.
While paper ballots have their own security risks, I think we can at least say with confidence that they aren’t this bad: someone tampering with a paper voting apparatus for one minute cannot cause an arbitrary distribution of votes to be cast at the end of the day; cannot cause the apparatus to know when it is being tested and behave properly; cannot cause the apparatus to destroy evidence of its own tampering and revert to normal behavior.
I’d say some of Bush’s men do want to either de-legitimize the whole process, or at least simply rig it.
You’ve got to love names like “AccuVote” being used on such a hole-riddled POS. I’d guess even odds that the current marketing people at Diebold end up running the Propaganda Ministry under Emperor George Bush III a few years down the road.
Washington Post Article, Sept. 17, 2006
http://www.washingtonpost.com/wp-dyn/content/article/2006/09/16/AR2006091600885.html
—————————————————–
“An overhaul in how states and localities record votes and administer elections since the Florida recount battle six years ago has created conditions that could trigger a repeat — this time on a national scale — of last week’s Election Day debacle in the Maryland suburbs, election experts said.
In the Nov. 7 election, more than 80 percent of voters will use electronic voting machines, and a third of all precincts this year are using the technology for the first time. The changes are part of a national wave, prompted by the federal Help America Vote Act of 2002 and numerous revisions of state laws, that led to the replacement of outdated voting machines with computer-based electronic machines, along with centralized databases of registered voters and other steps to refine the administration of elections.”
Hal (aka as Diebold shill) Says:
September 14th, 2006 at 2:53 pm
I’m talking specifically about comments like this one, from the conclusion of the report:
“Public officials who had planned to rely on Diebold DREs for the November 2006 elections face a dilemma. The changes needed to conduct secure elections with the AccuVote-TS cannot plausibly be implemented by November. One option is to switch to a backup election technology such as precinct-count paper ballots.â€
Well the large scale fraud, initiated weeks before the actually balloting, has no analog in the world of Paper ballots, which, although not perfect, are subject to inspection (i.e., open the ballot box) on the day of the election and then to security and observation procedures to ensure that the ballot boxes are not stuffed. But this is all rudimentary stuff. Hal is obviously one of those paid corporate shills, making a fake ‘controversy’ similar to the controversy that the paid by the big oil think-tanks created regarding global warming.
But we really should think a little deeper, and analyze why those in power want to implement non-transparent, failure-prone election technology.
The technology is so poorly conceived and executed that I have to wonder the following: Are those in power in USA deliberately trying to de-legitimatize the election process?
There isn’t really that much to add to the other replies to Hal, and I’ve been helping my sister with her computer… but…
David Wagner did say:
I would invite Hal to review the literature more thoroughly before jumping to conclusions about the basis for the recommendations that computer scientists are making.
That’s why I tossed the (relatively:)) polite warning shot across his bows concerning shills . He’d basically posted the exact same commentary twice in a row without giving any indication that he had read anything here since… even the responses to his first effort.
This time he did seem to make an effort, tho 🙂
And now back to Hal…
Hal really did say:
“I’m talking specifically about comments like this one, from the conclusion of the report:
‘Public officials who had planned to rely on Diebold DREs for the November 2006 elections face a dilemma. The changes needed to conduct secure elections with the AccuVote-TS cannot plausibly be implemented by November. One option is to switch to a backup election technology such as precinct-count paper ballots.’
“Clearly they would not recommend switching to paper ballots unless they thought they were more secure than the Diebold voting machines.”
They mentioned one previously used workable option as an alternative to a horrendously broken new system… Diebolds.
Understand where they are coming from: The Diebold system at this time has been shown to be vastly , again vastly, more insecure than any previous voting system in that not only can it be subverted, but that one person has the potential of subverting the votes of myriad other voters without getting caught.
Diebold alone is not an option in time for the 2006 elections…. for fair and secure elections at least.
” But where is the security analysis to justify this recommendation? It’s completely absent.”
No, it’s not.
As was pointed out by others: it’s in the common literature concerning e-voting of the “security community” you aspire to be a part of.
Felten and company have referenced this literature before concerning this issue and obviously did not feel the need to repeat it for this paper.
Perhaps their paper would have been a slightly better one if they had referenced such, but it’s not as if they are making these assertions in a vacuum.
“http://avi-rubin.blogspot.com/2006/09/my-day-at-polls-maryland-primary-06.html
“… The lax physical security Rubin observed would no doubt apply just as well to traditional paper ballots.”
But again: paper ballots, however mishandled, do not have the same potential for calamity as the Diebold system does.
Diebold’s lax approach to ballot security acts as the ultimate force multiplier for voter fraud.
Everything that one bad apple could do to undermine an traditional voting election is amplified by Diebold’s e-voting screwups.
It takes numbers of perpetrators to throw off a traditional vote method.
So the numbers of bad apples that could throw a traditional vote method are greatly reduced by Diebolds machines… or the amount of subversion that can be done by the same number of bad actors is greatly multiplied.
Why do you refuse to face the fact that, at this time, Diebold’s machines are a great leap forward in voter fraud potential over traditional systems? It’s not like that fact is going to go away if you continue to harp on the flaws of traditional voting systems loudly enough.
“This IMO is the real lesson of Rubin’s observations, and I am baffled how reluctant the security community is to accept this reality. Why don’t our experts apply their skills to analyzing the security of punch card voting, or traditional New York mechanical tabulating machines, or the ever-increasing vote by mail systems?”
And again: as was pointed out above: they have.
Didn’t you get the “security community” official memos?
Come to think of it… I haven’t seen you at the “security community” town meetings before, either… 😉
“A related area is the blind faith shown by security experts in ‘voter verified’ paper trails.”
“That means acquiring expertise on alternative technologies before recommending that one be pursued at the expense of another. So far I’ve seen little evidence that our community is following this course.”
And as was pointed out elsewhere: this means you have not actually read up on the issues you are posting about.
From your ignorance of the common literature on the subject it would seem that the “security community” is somewhat lax in its membership requirements 🙂
Hal calls for comparative security analysis of different voting technologies, not just paperless DREs. But Hal appears to be unaware that a great deal of comparative analysis has already been done.
For instance, go read the Brennan Center report, which provides a basis for comparing voting systems that provide voter-verified paper records vs voting systems that do not. The conclusion from the Brennan Center analysis is clear: without voter-verified paper records, a single malicious insider may be able to steal many votes, potentially switching the outcome of a major election, potentially without detection. With voter-verified paper records, it is possible to build a voting system that resists single-person large-scale frauds of this sort. The Brennan Center analysis is one of the best examples of security analysis of many kinds of systems, but there are other examples as well, as those who have studied this issue know.
Bottom line: There is already a great deal of evidence and analysis to back up the recommendations that computer scientists are making. Just because you are not personally familiar with the prior work and existing analyses, doesn’t mean that they don’t exist. I would invite Hal to review the literature more thoroughly before jumping to conclusions about the basis for the recommendations that computer scientists are making.
Your study sounds interesting and reliable. I was wondering about the new electronic voting myself. It seems that when technology is involved things may initially be easier, but the problems that can come from a crash or attack could be absolutely detrimental.
Continuing on Andrew’s theme…
If Diebold says: “A virus was introduced to a machine that is never attached to a network”, then why do the point out that is uses “Secure Socket [sic] Layer (SSL) data encryption for transmitted results…”?
Seems like they contradicted themselves in trying to bash the great work of Ari, Alex, and Ed!
The Princeton researchers say: Your voting machine is vulnerable to serious attacks. With physical access, it is easy to install malicious software.
Diebold says: But the latest version uses security technologies X, Y, and Z!
Diebold *doesn’t* say: The latest version is not vulernable to the attacks you describe. (Because it probably is.)
Diebold says: You wrote a virus for our machines, but the machines aren’t networked.
Diebold *doesn’t* say: The virus you wrote couldn’t spread in the way you described. (Because it probably could.)
(The virus described spread via memory cards, not via a non-existant network. The mention of networking is a total red herring.)
Diebold says: You ignored normal security procedures and physical controls.
Diebold *doesn’t* say: Normal security procedures and physical controls rule out this kind of attack. (Beacuase they probably don’t.)
(Memory cards are used in the normal operation of the machine and malicious software could be loaded during routine usage, no tampering with tape/screws necessary. In any case, the problem of detecting tampering is explicitly addressed in the study.)
Here’s the Diebold respone:
http://www.diebold.com/dieboldes/pdf/princetonstatement.pdf
They say the tested machine had outdated software, but they never state that the current version is not vulnerable to the same kind of attacks. Funny though that one could almost read into their statement an admission that the old version is indeed vulnerable. Diebold admits to having shipped vulnerable software?
The talk of physical controls–tape, screws, etc–really misses the point that this is primarily an insider attack. Insiders *will* be putting cards into the machines. Given that access, what can they do?
And the implication that networking is a prerequisite for the spread of a virus? Where were these guys back in the sneakernet days when viruses proliferated on floppy disks?
This is really a case of corporate incompetence. It is an unfolding Dilbert comic comic strip story. Felten’s research can help lead to the design of an effective reasonably secure electronic voting system. All that is needed now is a competent company.
@Hal,
You are right when you say that it’s possible to tamper with the traditional paper ballot, election registers, etc. etc. It has been done.
However, large scale fraud with paper ballots requires a big organisation. Stuffing millions of paper ballots in ballot boxes requires thousands of hands. Making a back-door in voting computer software requires one rogue computer programmer for the same effect.
They say that two people can keep a secret when one of them is dead… it’s near impossible to keep the army needed for ballot stuffing silent. The single rogue programmer could discretely offer his services to one of the candidates and the public will never know.
What’s to stop the politicians or the government from attacking or rigging these machines themselves to allow their preferred candidate to win no matter what?
The real votes would not matter in that case, and the voters would have no way of knowing about the rigging.
I don’t trust these machines for a minute.
I’m talking specifically about comments like this one, from the conclusion of the report:
“Public officials who had planned to rely on Diebold DREs for the November 2006 elections face a dilemma. The changes needed to conduct secure elections with the AccuVote-TS cannot plausibly be implemented by November. One option is to switch to a backup election technology such as precinct-count paper ballots.”
Clearly they would not recommend switching to paper ballots unless they thought they were more secure than the Diebold voting machines. But where is the security analysis to justify this recommendation? It’s completely absent.
On a related note, several people will have seen Avi Ruben’s blog entry about his experiences Tuesday working at a Maryland polling station:
http://avi-rubin.blogspot.com/2006/09/my-day-at-polls-maryland-primary-06.html
A couple of things to note. First, they had a lot of problems, but for the most part the kinds of problems they faced are orthogonal to the analysis by Ed Felten and his co-authors. People in polling stations face real-world problems: broken equipment, failed security procedures, general sloppiness. Someone walks in asking for voting cards, and they were just going to give them to the guy. Rubin tried to make them stop and check his credentials, but eventually they did hand over the cards based on a phone call, and it’s not clear that a real check was ever done. Tamper resistant tape is not inspected. In general, security is extremely lax.
So should we conclude from this that electronic balloting is even worse than we thought? I don’t think that is appropriate. Rather, we should be reminded that voting in general is an imprecise process, fraught with error and sloppiness. The lax physical security Rubin observed would no doubt apply just as well to traditional paper ballots. Tamper resistant seals are not really secure. People will have access to the ballots when they shouldn’t. In general, ballots are not handled as carefully as they would be in an ideal environment.
This IMO is the real lesson of Rubin’s observations, and I am baffled how reluctant the security community is to accept this reality. Why don’t our experts apply their skills to analyzing the security of punch card voting, or traditional New York mechanical tabulating machines, or the ever-increasing vote by mail systems?
A related area is the blind faith shown by security experts in “voter verified” paper trails. Rubin links to commentary by David Wagner supporting this design, and Ed Felten’s paper favors it as well. Yet where are the scientific studies confirming that this measure will increase reliability of voting systems? Where are the statistics for how carefully voters do verify these slips of paper? Seemingly without any scientific evidence the security community has fastened onto this technology like a drowning man clutching a life preserver.
The trend in medicine these days is towards what they call “evidence based” treatment. No longer will doctors just prescribe what they used to, rather they are supposed to rely on scientific studies that show whether different treatments actually work. And surprise, it turns out that many traditional remedies don’t reduce days of disability or speed healing.
It is time for the security community to start acting like professionals instead of activists. Let’s see some evidence-based security for a change. That means comparative analysis, not just finding how many attacks exist against one technology. And it means analyzing how systems are actually used in the field, rather than assuming abstract and ideal properties. If security experts are going to rely on their professional credentials and make recommendations on that basis, they have a responsibility to follow the doctor’s oath and first, do no harm. That means acquiring expertise on alternative technologies before recommending that one be pursued at the expense of another. So far I’ve seen little evidence that our community is following this course.
Didn’t a recent discussion of the failures of touch-screen machines include a note that some states, at least, have a five-minute limit for how long a voter can stay in the booth? That should be plenty of time, especially for an insider or semi-insider who has a chance to practice beforehand.
Read the analysis with great interest. Of course, the DOS attack in Montgomery County, Maryland yesterday was far simpler: just forget to include the smart cards in the voting package. This may end up affecting the outcome of one congressional race.
And after reading the detailed analysis, the “drive-the-memory-cards-to-the-tabulator” process in Prince George’s County, Maryland (because the electronic accumulators weren’t working) is a bit scary, too. I suppose paper ballots are driven around, too; it’s just that it’s an awful lot harder to substitute large packages of paper than to subsitute small memory cards.
Once again I forget to switch tag styles when switching from forum commentary to blog commentary… 🙂
Hmmm… test…
Dear media company shill -er- I mean Diebold investor -er- I mean e-voting proponent:
Please give an illustration where one maliciously crafted paper ballot can tracelessly subvert millions of other properly filled out and cast paper ballots to the tune of whoever crafted the malicious ballot.
Hal hath wrote:
[i]At the same time it assumes, presenting no evidence whatsoever, that paper based voting systems are superior in security.[/i]
Again, Hal?
Are you saying that every discussion of e-voting be required to carry a disclaimer that non-electronic ballots aren’t perfect either?
The discussion concerns the extent of the harm possible through e-voting… which turns out to have a truly vast potential for subversion undreamed of by vote-fraud artists of the past.
The discussion at this time in this place is not about the potential problems with non-electronic voting.
Non-e ballots? The term “paper ballots” sounds like it’s being worked up as a buzzword to denigrate all non-computerized forms of voting.
(“paper trail”, of course, is properly used :))
Hmmm… strikethroughs.. by the way…
Hows the following boilerplate look in wordpress?
[i]Dear [s]media company shill[/s] -er- I mean [s]Diebold investor[/s] -er- I mean e-voting proponent:[/i]
[i]Please give an illustration where one maliciously crafted paper ballot can tracelessly subvert millions of other properly filled out and cast paper ballots to the tune of whoever crafted the malicious ballot.[/i]
I might be using that one a bit 🙂
This is an excellent analysis and provides helpful information and guidance for how this technology can be improved. At the same time it assumes, presenting no evidence whatsoever, that paper based voting systems are superior in security. This is the same one-sidedness in presentation which I complained about a few days ago.
Damn good work. Certainly glad you got access to the Diebold machines. Maybe you can find a couple ES&S ones, though it probably doesn’t matter that much since Bob and Todd are brothers.
Congratulations on doing your part of the work! I read a report about your gee whiz, Connecticut Yankee project on Daily Kos. You all are to be comended.
Always a nice read. One comment though, why are the posts here so short? It would be interesting if there were more, ah, meat to read and enjoy?
My district (In the City of Saint Louis, Missouri) had both the electronic and the punch card voting machines, and voters could pick which type of machine to use. How common is that?
The physical layout of the room, which was in a Church basement, had columns, etc., that partially obscured the judges view of the machine. I do not think in my ward do something in less than one minute would be necessarily a problem, but the fact that we are even discusssing this indicates there’s a big problem.
I really worry about a disputed election, in which one group can make a claim of being cheated, that can not be completely checked out.
There is a huge accident just waiting to happen.
I had the “pleasure” of using one of these Diebold thingies to vote yesterday, in Maryland. The polling station had no curtain, only a 3-sided metal divider about 18″ high. My station was angled away from the judges, but other stations in the room were directly facing the judges (and the waiting area) so that a voter would have only their own body to protect the privacy of their vote.
I have not used touch-screen voting machines, so I wouldn’t know: how much privacy do voters usually get when using the machine?
If the machine is behind a curtain like other voting apparatus, this under-one-minute vulnerability means that even voters can launch attacks.