October 9, 2024

Refuting Diebold's Response

Diebold issued a response to our e-voting report. While we feel our paper already addresses all the issues they raise, here is a point by point rebuttal. Diebold’s statement is in italics, our response in normal type.

Three people from the Center for Information Technology Policy and Department of Computer Science at Princeton University today released a study of a Diebold Election Systems AccuVote-TS unit they received from an undisclosed source. The unit has security software that was two generations old, and to our knowledge is not used anywhere in the country.

We studied the most recent software version available to us. The version we studied has been used in national elections, and Diebold claimed at the time that it was perfectly secure and could not possibly be subject to the kinds of malicious code injection attacks that our paper and video demonstrate. In short, Diebold made the same kinds of claims about this version – claims that turned out to be wrong – that they are now making about their more recent versions.

Normal security procedures were ignored. Numbered security tape, 18 enclosure screws and numbered security tags were destroyed or missing so that the researchers could get inside the unit.

This is incorrect. Far from ignoring Diebold’s “normal security procedures”, we made them a main focus of our study.

The tape and seals are discussed in our paper (e.g., in Section 5.2), where we explain why they are not impediments to the attacks we describe. The main attack does not require removal of any screws. Contrary to Diebold’s implication here, our paper accounts for these measures and explains why they do not prevent the attacks we describe. Indeed, Diebold does not claim that these measures would prevent any of our attacks.

A virus was introduced to a machine that is never attached to a network.

This is irrelevant. Our paper describes how the virus propagates (see Sections 2.2.2 and 4.3) via memory cards, without requiring any network.

By any standard – academic or common sense – the study is unrealistic and inaccurate.

This is little more than name-calling.

For an academic evaluation, ask our academic colleagues. We’d be happy to provide a long list of names.

We demonstrated these problems on our video, and again in live demos on Fox News and CNN. Common sense says to believe your eyes, not unsubstantiated claims that a technology is secure.

The current generation of AccuVote-TS software – software that is used today on AccuVote-TS units in the United States – features the most advanced security features, including Advanced Encryption Standard 128 bit data encryption, Digitally Signed memory card data, Secure Socket Layer (SSL) data encryption for transmitted results, dynamic passwords, and more.

As above, Diebold does not assert that any of these measures would prevent the attacks described in our paper. Nor do we see any reason why they would.

These touch screen voting stations are stand-alone units that are never networked together and contain their own individual digitally signed memory cards.

As discussed above, the lack of networking is irrelevant. We never claim the machines are networked, and we explain in our paper (e.g. Sections 2.2.2 and 4.3) how the virus propagates using memory cards, without requiring a network.

Again, Diebold does not claim that these measures would prevent the attacks described in our paper.

In addition to this extensive security, the report all but ignores physical security and election procedures. Every local jurisdiction secures its voting machines – every voting machine, not just electronic machines. Electronic machines are secured with security tape and numbered security seals that would reveal any sign of tampering.

Our paper discusses physical security, election procedures, security tape, and numbered security seals. See, for example, Sections 3.3 and 5.2 of our paper. These sections and others explain why these measures do not prevent the attacks we describe. And once again, Diebold does not assert that they would.

Diebold strongly disagrees with the conclusion of the Princeton report. Secure voting equipment, proper procedures and adequate testing assure an accurate voting process that has been confirmed through numerous, stringent accuracy tests and third party security analysis.

Every voter in every local jurisdiction that uses the AccuVote-Ts should feel secure knowing that their vote will count on Election Day.

Secure voting equipment and adequate testing would assure accurate voting – if we had them. To our knowledge, every independent third party analysis of the AccuVote-TS has found serious problems, including the Hopkins/Rice report, the SAIC report, the RABA report, the Compuware report, and now our report. Diebold ignores all of these results, and still tries to prevent third-party studies of its system.

If Diebold really believes its latest systems are secure, it should allow third parties like us to evaluate them.

Comments

  1. thanks a bunch for doing this work

  2. Brother Bill says

    As a software developer, a voting machine is not rocket science. Just as Las Vegas requires the source code for every gambling machine, and has stiff penalties for fraud, an honest voting machine would be a single purpose computer that is hard-wired to gather ballots and display the result. It must be open source to demonstrate its simplicity and security. As a simple machine, it would take a configuration file (in XML or other text language) describing the posts and choices, and simply tabulate them.

    It would require a voter-verified paper ballot, and not be capable of switching votes. It would maintain a low level audit trail of each check, so that a “recount” could be performed. It could support multiple precincts, but would be pre-programmed, with just a configuration file. This could fit in a 64KB ROM. It should record each vote on a paper ballot, as well as a CD-ROM. By having burned in code, and a simple configuration file, no hacker could break in.

    As in Las Vegas, the manufacturer would be responsible for ensuring that the ROM matched that of the approved ROM. There would be random checks to ensure that the ROM has not been replaced or tampered with.

    Voting machines can be designed to steal elections, or be designed to be honest and secure.

  3. An Early Voter says

    I would like to know if diebold election machines are accurate for the early voting and november election in november 4,2008? …Or are they subject to error and how do we tell if our vote is really being totaled correctly on this so called “new diebold machine” with the paper trail in view on the side ….to see who you actually voted for…and even after viewing the paper within the machine on the side.. …will the vote still be counted accurately and correctly for this November 4, 2008 election?

    An Early Voter

  4. Die Diebold says

    Time to draft that universal letter to the local municipalities, and demanding the removal of Diebold machines.
    Have you seen “Hacking Democracy”?
    There are plenty of municipalities who, even in spite of this evidence, are still moving forward with Diebold.
    Wake up!
    It’s not that hard…
    Google your city in this format: “City of xxx” where xxx is the city.
    email the ‘contact us’ portion – almost every city will have a way to be contacted via online means.
    Begin a dialog with a simple question:
    What is the means for counting election votes – are Diebold machines used?

    It takes voices of many to speak the voice of one! Do your part!

    Tell me you work for Diebold and sleep at night, and I’ll make sure your next sleep is haunted by the blood of innocent Iraq and Afghan citizens and their motherless children – thanks for the ride Bush Admin…

    • An Early Voter says

      Sad to say….they are using the Diebold machines in Rock Island , Illinois for the early voters……with the viewed paper trail on the side of the machine which is suppose to let you know how and who you voted for……I do not know how accurate the count will be for they say they will not be able to count the votes until the end of the election on november 4, 2008. The memory cards that they are using to cast your vote is being used from one computer to the next computer. I pray that there is no virus on the memory cards and Hopefully our Vote is being counted accuratedly and correctly. God Be with Us.

      An Early Voter.

  5. Ok try this. You are the one placing the Digitally Signed memory card into the machine…but first you put your virus card in, dump the virus, then install the digitally signed card? These cards are small {they fit in your camera!} and a little sleight of hand and poof! A Quarter out of your Ear! I mean an Ace of Spades in your poker hand! I mean an Election in your Pocket! Magicians do it all the time. It takes seconds to dump a file and who would know?

  6. My democratic rights as Spanish citizen are sabotaged or frustrated. If it is true that a developed democracy exists, as the coexistence among cultures my case is not that. Since they have to attack me a group to leave a cashier and to stab my head. Then the monarchies the vividores interested in making suffer.

  7. Max ´ntropy says

    What is stopping munocopalities andcounties from sequestering one of their Diebold voting machines and subjecting it to a controlled test such as yours? Let them see for themselves how accurate the tallies are by favoring Democratic and independent candidates and checking the results.

  8. People are the flaw in the system. As long as we have people voting we will have some type of vote fraud.

  9. Papa Smurf says

    I think we should just dig up some old IBM punch card machines and have voters punch their votes in. Feed em through a reader and whammo, results. You can’t argue with a hole poked in a card. Unless you’re in florida I guess. Or maybe the card could have the candidates printed on it real simply, and then you stick it in, cast your vote, it spits the card back out, you check it, and then put it through another machine. Just something that does it with a hard copy from the get go. Getting a paper receipt doesn’t prove anything. It’s not like it shows up on your monthly statement. If I go out to a bar and put $30 on my card, and I get a receipt and sign it, at least I have a statement that shows how much I spent. What about identity theft? Ballot boxes were stuffed back in the day with votes from people that were dead. What’s stopping that from happening now? Let’s not be myopic on one little issue of a voting machine. Besides how much does one voting machine cost anyway? How much do they pay people to count votes manually? Is there REALLLY any benefit? Why use a machine at all why not just have the candidates get on stage and sing and dance and have america call a 1-900-USA-VOTE number to vote for who they liked best. We could even get the american idol people up there to tell them how much they all suck. And if it goes like it is now, Ron Paul’s performance would be on during the commercial break.

    piff

  10. The iVotronic Touch Screen can be hacked as well
    http://blog.wired.com/27bstroke6/2007/12/report-magnet-a.html

  11. That’s how Bullshit won the election.

  12. Captain Canuck says

    We Canadians count our votes the old fashioned way, with paper ballots and public scrutiny of the voting. And we still get the results the same night, with little or no fraud. Because we all know how to mark an “X” and most of us can add numbers together. What’s your excuse, USA?

  13. Hey Angel997 – why don’t you correct your case of rectal-cranial inversion before making such stupid statements? At least the ATM gives YOU (that’s not an acronym) a slip of paper VERYFYING YOUR TRANSACTION. This slip of paper is typically known as a transaction receipt. On it (if you ever bother yourself to read it, that is) you will find that not only does it display the ammount you entered, but it also provides a relatively accurate running balance. Uncashed checks and the like would be the only reason it would not be an accurate running balance 100% of the time.

    If voting machines were equivalent to ATM’s, you would be asked for a PIN number when voting. I’ve never been asked for a PIN number while voting. At least with an ATM, I provide two pieces of a puzzle for the transaction to complete – I provide something I have (a card) and something I know (a PIN number). That’s one more step than Diebold uses with the simplicity of “insert this card and vote.”

    You’re comparing apples and oranges.

    I hope your eyes see the light of day again soon, because the stench where your head currently is must be unbearable… A little tip for you – place your feet on your shoulders and push your feet down really hard. Maybe that will free your head from its current dark and smelly location.

  14. In the pursuit of a “perfect” solution, we lose sight of the purpose. More accuracy is better than less. If you don’t want to progress to a “better” solution, then we should still be standing in bank teller lines to withdraw cash instead of using ATM machines or on line banking. Any system can be critiqued and hacked but I would rather place my trust in technology than chad counting bureaucrats. And why is it that the outcome is only questioned when one side wins?

  15. Elaine Williams says

    As most will recall, the “Help America Vote Act” was conceived and passed in haste, after the Florida chad fiasco. The chad business was an abomination, but the quick fix legislation brought us the Diebold machines, among others. How a company that manufactures ATM machines can insist with a straight face, that they can’t provide a paper record, is beyond me. This careful and scholarly study should be required reading for every voter!

    Hats off to the Princeton Engineers who took on this very important work.

  16. FairVoterInColorado says

    How many man-hours does it take to count the ballots? Now compare that to the number of man-hours spent by voters waiting in line due to insufficient electronic voting equipment or insufficient electronic pollbook capacity? [Denver, Colorado reported 2 hour waits all day — reportedly due to lack of server capacity for the electronic pollbook. And while polls “closed” at 7 PM, throughout Colorado, those already in line were permitted to stay until the lines subsided. The last voter in Douglas County, Colorado is reported by the local media to have cast their vote at 1:30 AM — over six hours in line — reportedly due to an insufficient quantity of equipment.]

  17. I live in Ventura County, California. I voted at the polling place. I did not have a machine to “touch”. I had a black ball point pen and two large double sided cardstock sheets. The method was to use the pen to connect the arrow aside my choice. Once complete, I tore the tabs from the sheet ends and inserted the sheets one at a time into a rather large refuse can looking thing that indicated on a red diode counter that it accepted my ballot sheet by going up one digit. It was a locked box as well.

    A friend in Orange County, California went to the poll. That county combined three polling places into one. Presumably due to having the wonderful computer voting machines. My friend waited willingly for 90 minutes to vote. There were 8 machines, but one was not in service due to its printer being broken.

    My time to vote? 10 minutes.

    Their time to vote? 115 minutes.

    Of course this is subjective because my polling place was not combined, but the point is the pen and paper method was so simple and involved no ‘chads’ ‘ink stamps’ or expensive machines with security issues and failures.

    Goes to prove, the more complicated something gets, the easier it is to break.

  18. the_zapkitty says

    You do a lot of handwaving over of complex issues, and somehow I doubt your security experience is all that extensinsive

    But for Ed’s sake I’ll try to be succinct 🙂

    In other words

    “You’ve literally given us billions of dollars for insecure, unreliable machines that just don’t work right… and we then lied to you about what could and couldn’t be done with those machines… so please let us charge you billions more in upkeep for fixing the mistakes we made in the first place.”

    Paper would be more secure, a hell of a lot faster*, and vastly cheaper.

    *Faster when you consider the hours-long waits for machines that won’t start and the days of waiting after the elections when the machine results are suspect and forensics begin.

    That succinct? Succinct check!

  19. Darren Merritt says

    I’m interested in these security issues and have studied computers.

    Trying to look at it from a security standpoint, nothing is 100% secure but you set up lines of defense and detection strategies if those lines are broken.

    One line of defense is to block access to the memory card reader. Presumably you stop somewhere short of heavy steel plate and key access to it then relies on the security of the keys. One could improve that if it was deemed necessary. It looked necessary in the machine depicted.

    If people do manage to access the card reader, by whatever means, you would like to then detect it, either before, during or after the access, authorized or not. A broken bit of security tape is still considered one of the best strategies there.

    Once people get past all that, and gain access to the card reader, I would have thought it a very trivial matter to block the installation of software from it. The installation of software could require undoing all the screws and security tape.

    The software itself can have intrusion detection, prevention and monitoring. Clearly that’s a bit of a black art in itself. One would imagine a machine running a custom built linux with well-managed code.

    You could argue for the code to be declared open source, but keeping the details locked away does provide a legitimate level of security. While I like the fully open strategy, and hopefully we can get there, I think something that drastic sounds a little counter-intuitive in the short term, depending on what security experts say. Keeping the software under lock and key is a legitimate security strategy, except that it makes people nervous.

    I don’t know what controls are in place, but presumably you need machines to adhere to a set of evolving security standards and someone testing checking to make sure machines meet those standards. The standards should be designed to avoid the problems identified on the video. Personally, I always imagined the best strategy would be for machines to send the data encrypted all the way down the line with no local access to it, but many would imagine that as being less secure. A lot of this is perception as well.

    I’m not the least bit surprised that ways to improve voting machine lines of security are found as we move in that direction. I would be shocked if some weaknesses weren’t found.

    1. The key access to the card reader seemed a little weak in those models, and
    2. A memory card reader programmed to execute code when the machine booted,

    Those issues seemed a little silly and lets hope those issues have been fixed. I would be shocked if they weren’t by now, especially in light of, if not because of, this report.

    I would only suggest that people not use a couple of identified weaknesses to suggest the entire strategy is flawed. Security doesn’t work that way in anything. If it did, you could describe security arrangements for everything in our lives is inherently flawed, even the paper voting system. You identify weaknesses and evolve appropriately to the circumstances. I’m sure banks did that with their ATM security and continue to do so. They certainly master a way for people to enter data to a machine without being able to tamper with it.

  20. 2nd reply to chris:
    as stated above, we in Austria have the same paper ballot system as Germany and again. you can ALWAYS recheck and recount the votes if something is questionable. A thing that can NOT be done with the electronic voting system you have. Yeah, you can recount the numbers given on the printout.. but the problem with faking starts at the machine .. As for the numbers. I do not think it would make a lot of difference. between the US, Germany or Austria. All our polling offices which host 4-10 ppl (2 officials from the state and 3-8 representatives of the parties depending on the district). Depending on the district, they have around 1-5k voters and need an average of 2 hours to count their votes.
    btw from the last report I saw there where about 65 mio ppl allowed to vote in Germany and about 6 mio in Austria

  21. REPLY TO: Chris

    Well, you are right. Having enough people to count is quite easy since it is an honorary appointment to help in the elections. You get a small allowance but there are enough people who take pride in supporting the elections.

  22. First time voter says

    Actually, reading all this and seeing the HBO program, I have a suggestion to the Election Officials…

    Please change the labels “I Voted” to “My Vote was Counted Correctly!”

    Btw, I voted using an absentee ballot … and hope it is counted correctly

  23. REPLY TO: xformer

    How many people do they have counting the votes, and better yet, how many people vote. It can take you an hour to tally 10,000 votes if you have enough people or an hour to count 500 votes if you only have one

  24. Thanks for the great work. Thanks to Diebold for showing that they really don’t have the slightest idea what you are talking about.

    Just one remark: We here in Germany use paper ballots which are counted by hand with representatives of each party among the government workers. There is a rumor that this would take several days to count.

    Not so. The polling stations close at 6 pm and we have 99% of the results by 11 pm and all of them a few hours later.

    There is absolutely no need for voting machines. Paper ballots are easier to handle, faster and much more secure than voting machines.

  25. I hate it when I misspell my name :S

    BTW, go vote!!!

  26. With all of the problems with window, the most used OS in the USA, it is hard to believe that any electronic system would be secure…
    I believe that the solution to the problem is open source code. Open source code tends to be the most secure in the world because everyone goes over it looking for security holes and most of the people that find a hole fix it. Just look at Linux, Linux is one of the most secure operating systems I know of, and it is an open source OS. If only Microsoft and the voting companies would take this approach

  27. Ken (Sept 20) IS ABSOLUTELY RIGHT! WHAT IS THE BIG HURRY FOR

    RESULTS THAT THE NATION LEAVES THE VOTING IN THE HANDS OF

    DIEBOLD OR HACKERS?

    Back to paper ballots and hand counting.

    Bob M.

  28. the_zapkitty says

    But then again Diebold apparently hasn’t changed that particular mode of operation… ever.

    It seems that he State of Maryland orderdd up a study of Diebold voting machines by SAIC in 2003.

    The report delivered to the state was 38 pages long.

    The original SAIC study was almost 200 pages long.

    What happened to the report?

    It seems that the Secretary Of State of Maryland gave Diebold permission to censor the report as they saw fit… “to protect their proprietary trade secrets…”

    Guess what happened?

    But that left-leaning hotbed of e-voting investigation, bradblog.com, has come up with a copy of the original, unredacted, SAIC report… and has made it available for your perusal as 5 pdfs.

    http://www.bradblog.com/

    For your convenience all 5 pdfs of the report and the censored version of the report have been bundled here for your convenience…

    http://74.52.141.18/~zapkitty/SAIC_Diebold_Maryland_090203.tar.gz

    (Seems my republicofnekoslovakia.net domain hasn’t circulated through the dns servers yet)

    In terms of the fox guarding the henhouse, it’s a remarkable read.

    Diebold doesn’t stop lying about its voting machines because it has never been forced to stop lying about its voting machines by the Secretary of States who bought the machines.

  29. Even beyond Steve’s point, Diebold was already using encryption in the system we studied. But they used encryption poorly, so that it provided little or no security benefit. For example, they encrypted the stored ballots, but stored the encryption key on the voting machine where malicious software could easily get it. They locked the door but hid the key under the doormat — and then they bragged about how fancy the lock was.

  30. A number of people have asked, “Why is the Princeton team so skeptical of Diebold’s claims that its new encryption features make these attacks impossible?” It’s a reasonable question. Everyone knows that adding encryption is one way to make a system more secure, so how could adding encryption not help?

    The problem is that encryption is not some magic bullet. Merely adding encryption doesn’t somehow, automatically, make a system more secure. Encryption (like any security measure) must be applied appropriately, and the implementation must be reasonably free from bugs.

    It’s like locks: suppose your house gets burglarized, and your family complains, and you say, “We can’t get burglarized again, because I put a lock on the door now.” But the lock on the door doesn’t do much good if the windows are all still open.

    And encryption is no different. Suppose that some sensitive data is encrypted, but the decryption key is located someplace where an attacker can find it. If so, the system is still insecure. (Analogy: some people leave a house key under their front doormat, and many burglars know this.)

    Or: suppose that the encryption we’re talking about is designed to “protect” a precinct’s election results as they’re transmitted to a central tabulating point. And suppose that the encryption is deployed correctly; there’s no way to break it. But suppose that it’s possible for an attacker to take some fake results, encrypt them using the same scheme, and transmit them to the central tabulating point. The central tabulating point would (obviously) know how to undo the encryption, so if it had no precaution against forged results, it might go ahead tabulate them along with the rest. In that case, the encryption wouldn’t have helped at all. (And, in the world of cryptography, it’s quite possible to have an encryption scheme where anyone can encrypt a message, but only the designated recipient can decrypt it. Another analogy: it’s like a “drop safe” where any employee at a convenience store can drop money into the safe, but only the manager or the armored car company can open the safe to take the money out.)

    In fact, one way (one more way) to notice that Diebold still isn’t taking security seriously enough is precisely the fact that they’re crowing about encryption so loudly — because the important problems here don’t need encryption, they need *authentication*. Authentication isn’t necessarily a harder problem than encryption, but it’s a very different problem. If you’ve got an authentication problem — such as proving that votes are authentic and came from the precinct they’re supposed to, or proving that the person installing new code on a voting machine is authorized to — adding encryption probably doesn’t do much of anything to solve the real problem.

  31. the_zapkitty says

    Crosbie Fitch Said:

    Here’s something hot off the press for comparison:

    “Because of a centralist mental block on the part of designers, most authentication systems (even in 2006!) only attempt to authenticate the human client. It is extremely rare that any attempt is made to enable the human to authenticate the machine.”

    So an average person, say one named “melissa G.”, is told by people melissa trusts that the magic words “computer” and “encryption” are in use… and thus melissa does not chance to look beyond the magic words to the basic logic governing the use of those concepts?…

    Hey… our elections are being phished 🙂

  32. Here’s something hot off the press for comparison:
    http://news.bbc.co.uk/1/hi/england/southern_counties/6109632.stm

    Because of a centralist mental block on the part of designers, most authentication systems (even in 2006!) only attempt to authenticate the human client. It is extremely rare that any attempt is made to enable the human to authenticate the machine. (cf Phishing).

    I have said quite a few times in the past that chip & pin egregiously fails in this respect. The user is never taught to question the card reader nor given any clue as to how to check that it’s bonafide. They surrender their card and decrypt details in a few seconds to a black box that could very easily be that of the perpetrators – as it was in the case above.

    So if even banks have flaws that plebs like me can spot, it is not beyond the bounds of credibility for at least me to entertain the idea that voting machines may have a few blind spots…

  33. the_zapkitty says

    Steve Says:

    I recently heard that about 40% of the voting machines are made by a
    company owned by Hugo Chevez…Is this correct?

    No… but that media soundbite does seem a gift from heaven to Diebold shills as they try and divert attention from their employers’ fatally flawed products.

    “And who owns the DieBold Co. ?

    Isn’t that the brother of the person who runs Sequoia Voting Systems.. the company with Venezeulan involvement?

    Give it up… 🙂

    Sequoia is taking their turn over the barrel for badly flawed e-voting systems… but that does not excuse Diebold’s nonstop lying to the American people.

  34. I recently heard that about 40% of the voting machines are made by a
    company owned by Hugo Chevez…Is this correct? And who owns the
    DieBold Co. ?

  35. the_zapkitty says

    melissa G. Said:

    “Ed,”

    I’m not Ed, but I play him on TV sometimes… not 🙂

    “I didn’t see any discussion about this latest encryption feature in your paper. The key code that the jurisdiction enters into the data base for every election is put on the touchscreens, memory cards, voter access cards and encoders by the jurisdiction, not Diebold. In fact Diebold doesn’t know what it is.”

    And you still have not addressed the issue of what kind of encryption this is supposed to be… not to mention the more relevant questions of how Diebold is supposed to have applied it and how Diebold actually applied it.

    2 points…

    Point 1:

    As Ed said, you are waving the word “encryption” around as if it were a magic wand that somehow solves everything. You have not offered any clues as to how this purported encryption is supposed to have been implemented.

    (I say “purported” because Diebold has a nad habit of exaggerating when it comes to their voting machine security.)

    You do understand, do you not, that many commonly available forms of encryption can be broken… or simply bypassed by using convenient holes left by careless implementation.

    And Diebold’s actual e-voting security record is one solid mass of careless implementation 🙂

    Point 2:

    “None of these devices will do anything for you unless all of the codes on them match. It seems pretty effective to me.”

    As I said before, this type of encryption cannot be considered a shield if the trusted encrypted materials are available to the bad guys, but have not been vetted by computer security types.

    And the bad guys will have had unfettered access to two parts of this purported “trusted encryption”” chain, the memory cards and the voting machines, for weeks come election day.

    And that’s not even counting access possibilities offered by careless oversight (or even the occasional bad apple) in the electoral oversight organization itself.

    (Despite Diebold’s fantasies, bad registrars, overseers, clerks, workers etc etc happen. A simple fact.)

    “There needs to be a balance between the narrow focus on the security of election equipment by academics and on the practical usability of election equipment by voters and poll workers in the field. “

    But there has been no imbalance.

    Elections are power. Pure power. Raw, unadulterated power. And some people cannot leave such power alone.

    And they wil go to great lengths and spend vast amounts of money to get that power.

    And, in addition, some people will commit crimes to get such power.

    And e-voting machines are as vulnerable to effort, money, and crime as any other balloting method used in the past….

    BUT

    Never before in history has one single subverted balloting instrument been able to turn the tide of a nationwide election regardless of how close or how far apart the candidate vote totals actually are.

    And all this… all this is over just one hack described by one group… the Princeton team.

    There are others.

    “It would be much more constructive to try to bridge that gap rather than describe unlikely hacking scenarios.”

    However unlikely you may think it, the reality is very different from the “It’s immpossible” cries of Diebold PR flacks. 🙂

    But about your last line: offers to review the setup were made… and were violently rejected by Diebold and election officials.

    And I mean violently in terms of ordinances passed and lawsuits threatened.

  36. melissa G. says

    Ed,
    I didn’t see any discussion about this latest encryption feature in your paper. The key code that the jurisdiction enters into the data base for every election is put on the touchscreens, memory cards, voter access cards and encoders by the jurisdiction, not Diebold. In fact Diebold doesn’t know what it is. None of these devices will do anything for you unless all of the codes on them match. It seems pretty effective to me. However, one of the drawbacks of it is that if the code is missing from any of the voter access cards, they won’t function on election day and then voters can’t vote. There needs to be a balance between the narrow focus on the security of election equipment by academics and on the practical usability of election equipment by voters and poll workers in the field. It would be much more constructive to try to bridge that gap rather than describe unlikely hacking scenarios.

  37. I just tried to send Diebold my thoughts on how poorly their system is designed and got the following. Looks like they can’t even keep the feedback form on their website running. What a joke!

    HTTP 500.100 – Internal server error: ASP error.
    Internet Information Services

    ——————————————————————————–

    Technical Information (for support personnel)

    Error Type:
    CDO.Message.1 (0x80040213)
    The transport failed to connect to the server.
    /dieboldes/contact_emailform_confirm.asp, line 35

    Browser Type:
    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1)

    Page:
    POST 402 bytes to /dieboldes/contact_emailform_confirm.asp

    POST Data:
    name=Mark+Honer&company=Self&email=&phone=408-xxx-xxx&message=Your+rebuttals+to+the+HBO+and+other+analysis+of+your+systems+are+a+joke.++You+point+out+technicalities+and+never+addres . . .

    Time:
    Friday, November 03, 2006, 11:20:54 PM

    More information:

    Click on Microsoft Support for a links to articles about this error.
    Go to Microsoft Product Support Services and perform a title search for the words HTTP and 500.
    Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled Web Site Administration, and About Custom Error Messages.
    In the IIS Software Development Kit (SDK) or at the MSDN Online Library, search for topics titled Debugging ASP Scripts, Debugging Components, and Debugging ISAPI Extensions and Filters.

  38. Melissa,

    Your description sounds like marketing-speak. Could you be more specific about how the feature actually works? For example: you talk about cards that are encrypted. But cards can’t be encrypted, only data can be encrypted.

    Our paper talks about some of Diebold’s encryption features, and why they don’t prevent the attacks we describe. Are you talking about different features? And if so, how do the differences prevent the attacks we describe?

  39. the_zapkitty says

    Melissa G. Says:

    “Diebold has developed a security key feature… a memory card that doesn’t have this encryption code…
    won’t work. … a supervisor card or voter access card that is not encrypted… won’t work.”

    And as Ed pointed out above this statement means nothing in the context of preventing a hack.

    It’s a pretty soundbite for Diebold. Diebold keeps saying this “encryption” mantra over and over and over again and yet never ever explains how it is supposed to stop a hack.

    To forestall your next reply: 10,000 unsupervised Diebold machines were sent home with election workers in CA, Diebold machines loaded with memory cards and with those cards primed for next weeks election… this happened two weeks ago.

    (I kept saying three weeks upthread. My error. The machines will have been out in the world unsupervised for three weeks come election day next week.)

    …weeks….

    Unless Diebold can provide substantial proof otherwise then the encryption cannot, in itself, be regarded as a defense… if the hackers have ready unsupervised access to trusted encrypted cards.

    And Diebold does not ever provide substantial proof of its security claims.

    They have, however, been caught out just flat lying about security several times… actually, many times… in reality… they can’t seem to stop lying zaabout their machines security.

    (Copius, easily verified documentation of this fact available upon request 🙂 )

    This nonstop lying does not help to make a case with people who deal with the real world aspects of computers and are just trying to get the simple facts.

    Do you have the ability to give simple, factual data regarding this encryption and how it is supposed to work?

    If so then I, myself, would be happy to listen… and I think Ed would be overjoyed.

    If not, then that particular hack must stand as something that’s doable.

    But if your response should be the usual Diebold response of no evidence presented amid cries of “trade secret”… well, that would be your choice.

  40. Melissa G. says

    Diebold has developed a security key feature that allows jurisdictions to create their own encryption code which is intalled on all memory cards, supervisor cards, voter access cards and the machine itself and is changed by the jurisdiction for every election. When you insert a memory card that doesn’t have this encryption code into the machine, it won’t work. If someone trys to use a supervisor card or voter access card that is not encrypted, it won’t work. Your hack test was evidently done on a machine that didn’t have this security feature.

  41. Ohio Secretary of State Ken Blackwell, who is now the republican gubernatorial candidate, had invested in Diebold before awarding them the contract to supply electronic voting machines to Ohio precincts. This made the local news only briefly last year when he first announced his intention to run for governor, and I have never heard another word about it. His defense? He claimed that he was not aware that he had invested in Diebold, but rather that his financial advisor manages his money without his input.

    The circumstances around the 2004 election in Ohio warrant some very strong consideration. This study gives credence to what has all too often been dismissed as conspiry theory and sour grapes. Thanks so much for your work!

  42. the_zapkitty says

    Ozymandias Says:

    “Thanks, Ed, but my question is now: why would it have an exposed port? Doesn’t that now mean it’s potentially network enabled?”

    I’m not Ed, but wouldn’t that depend on how much of the Windows CE base functions are enabled? So far it seems that Diebold threw in the standard “everything and the kitchen sink” Windows install and then plopped their code on top of it.

    And Windows CE enables all possible network hardware drivers by default in that lovable “please infect me immediately!” Windows way.

    And Ed has noted elsewhere that the Diebold software has its own network interface installed… despite Diebold’s nonstop lies to the contrary.

  43. Ozymandias says

    Thanks, Ed, but my question is now: why would it have an exposed port? Doesn’t that now mean it’s potentially network enabled?

  44. Ozymandias,

    The machine has an exposed infrared (IrDA) port. This is normally disabled, but an attacker could reenable it, allowing infrared communication with the machine from a distance. Or an attacker could modify the hardware. I don’t think the machines get detailed hardware inspections.

  45. Ozymandias says

    Ed- Not being an engineer or having time to read your entire paper, I wonder if there might be another way to hack the machines. Has the hardware itself been certified? Though not a conspiracy type, I immediately conceived a scenario in which a signal receiver hidden in the hardware could receive instructions from anyone near the machine- the “Garage Door Hack”. Anyone within or near the polling place could infect the entire bank of machines with no detectable intrusion. I imagine a receiver could look just like a diode or resistor or whatever, and the sender could be oblivious of their part in it. Is the hardware inspected to this level?

  46. Jason,

    I recommend that you read our paper and respond to what we actually said, rather than what somebody told you we said.

    For example: You seem to think that we say an attack could only happen on election day. On the contrary, a virus would mostly likely be inserted between elections when the machines are relatively unguarded.

    You ask whether we are aware of election procedures. These procedures are summarized in Section 3.1 of our paper, and we suggest improvements to them in Section 5. All of our analysis is done in light of real election procedures.

    Your assertion that memory cards are never outside of the voting machines is false in most places.

    Your assertion that a valid supervisor card is needed to install anything on a memory card is false. (And supervisor cards are easily forged anyway.)

    I could go on, but my point should be clear by now. If you want to point to anything we actually said in our paper that you think is false, you’re welcome to do so.

  47. I really love that discussion.
    The United States, self proclaimed founder of democracy and holder of the one and only
    truth and the never ending election stories.
    There you have Mechanical lever machines not working properly and thus votes being illegible, there are voters that can not register for voting in time because of some obscure registers no one knows about, and then there’s the e-machines no one can control after the election.
    But of course, you have a president that did not get the majorities of votes in his first election, so no one really wonders if democracy really is the US’s system of choice.
    Most of Europe’s countries have a paper ballot system, and the results are there 3-4 hours after the last election office closes, so the time factor is one very lame reason for the e-machine. The paper votes are counted and checked by a group of ppl representing each party, they are sealed and stored afterwards and can be recounted upon request up to 5 years after election. Ah, and by the way, we have a direct voting system, so every voice counts. Don’t get me wrong, I had my history lessons. I understand the historical reasons for the system used in the states.. and back then it was a really great system. But today everyone has the opportunity to get information and thus make up his own mind of whom to vote without giving my voice to another person to do what he thinks best for me..
    I would never use an e-machine, but not because I do not trust machines (I’m in the IT business myself) but because its so hard (not to say impossible) to check and recheck the data.

  48. the_zapkitty says

    For some unidentifiable reason jason Said:

    “okay, i understand that the older population…”

    Try not to embarass yourself more than you already have.

    … ooops… too late.

    … let’s snip the ad homeinem non sequiturs that read like a newbie attempt at a usenet troll….

    … let’s snip the somewhat addled non sequitur of a history leeson with its concluding ad hominem….

    “So now to the e-machines. Yes they can be hacked. But there are alot of things that would have to go perfectly rright for the chance for someone to get their hands on a memory card or a machine that will actually be used in the election. Even if they could corrupt a card or machine before the election, both get wiped clean and re-installed before they are packed for the election, so that plan would not work.”

    Oh… something like… say for instance… like a certain Registrar of Voters in California breaking state and federal laws by letting 10,00 Diebold voting machines go home with election workers for an “overnight sleepover”…. 10,000 Diebold voting machines already loaded with memory cards primed for next weeks election… 10,000 Diebold voting machines going home for an unsupervised “overnight sleepover” that has lasted for three weeks already

    … that the kind of chance you mean?…

    “Another flaw, in the demonstration yall said “if a criminal is allowed a few minutes alone with a machine”, how would they be able to break into the machine on election day? How would they go about removing hardware, and rebooting the machines without being noticed? Once you pull that off in a real life environment, then i might listen.”

    You ever pay attention to the accurate, detailed descriptions published by many impartial observers of the chaos that occurs when badly understaffed polling stations try to deal with new technologies they have not been properly trained for that suddenly glitch, crash, switch votes, or just stop working for no discernable reason… while the voters are piling up in lines that stretch for blocks?

    No? Strange, that. But since you apparently live in a world where such things never happen the rest of your questions are pretty much irrelevant as the actual reality observed in a multitude of polling stations nationwide seems to conflict with your worldview.

  49. okay, i understand that the older population in this country would be afraid of the ‘new’ electronic machines, but when somone who is younger and has grown up w/ this gets all up in paranoid, i get just plain anoyed.

    I will start out saying that, frankly, i know yall are from Princeton and all, but, as my bro worded it, yall are nieve.

    Lets look at the last to mediums we have used for elections. The infamous punch card. All one needed to do to cancel any ballot was know which numbers to punch on the cards, and then there would be a vote for each canidate and it would be canceled, ANY election official could do it, ballots were HAND COUNTED, then after they arrived at the board, they were fed into a COMPUTERIZED tally machine BY HAND. If this system does not have room for human intervention, i really would like to have some of what your smoking…

    The system before that, hand writen ballots, i’m not even going to start on this…

    So now to the e-machines. Yes they can be hacked. But there are alot of things that would have to go perfectly right for the chance for someone to get their hands on a memory card or a machine that will actually be used in the election. Even if they could corrupt a card or machine before the election, both get wiped clean and re-installed before they are packed for the election, so that plan would not work.

    Another flaw, in the demonstration yall said “if a criminal is allowed a few minutes alone with a machine”, how would they be able to break into the machine on election day? How would they go about removing hardware, and rebooting the machines without being noticed? Once you pull that off in a real life environment, then i might listen.

    Have you even reviewed the “election procedures” that Deibold was refering to before you completely ignored them? (and you say they were dancing around your questions?) In order for any, ANY thing to be done with the machine there has to be a D & R there to insure fairness and a valid supervisor card to install anything on the new memory card.
    The memory cards on locked inside the machine before the polls open, and is not removed until the polls have closed. They are signed by the workers and put in a bag that is then locked & signed by the workers. This bag is taken to the office where the lock is removed by a group of officials, and is then placed in a machine to tally the votes stored. There are many different checks and balances in the whole process.

    I am speaking from experience, I have worked for my local Board of Elections for 8 years. I was also involved in the test of another e-machine. I have worked expensively with the setup and testing of these machines.

    If you can actually pull this off with 12+ pollworkers watching you (along with countless voters), then i will give you more credit, until then, you have my pity.

  50. A wanderer says

    To contain any inherent value, a word must be communicated;
    let the word on this spread as wildfire, for the majority must be assured that their say is listened to, and respected, in any enlightened society’s government: Democratic, Republican or Other –
    we have to live together on this world of ours, let our consensus count!

    (Caveat: The Government needs People; People can Govern Themselves.)

  51. Eric Edgerton says

    Thank you “the_zapkitty” I did not know about Diebolds’ history in misleading the public. That helps to explain the broad language in their rebuttal.

  52. You have done an excellent job of outlining and exposing the problem. Now it would make sense, and you would serve your country best, if you would use your skills to offer a solution.

  53. As for Canada- our big elections (federal, provincial) are much simpler- there is only one position to vote for, the local Member of Parliament or member of Provincial Legislature, so each person just does one ballot. It really does work to count them by hand.

    Local elections (school board, city /town councils, regional districts) have more ballots at the same time. They are usually done with paper ballots, where the voter fills in a circle to mark his/her choice. These paper ballots are then fed into a machine that counts them by reading the dots, and the ballot goes upside down into a plastic bin under the counter. If the count isn’t trusted for some reason, they can be counted again by machine, or by hand even, over and over.

    Each candidate can nominate an observer of each ballot box to make sure no-one stuffs it. The ballot box stays in sight, and it’s impossible to defraud.

    Really simple, cheap, and trusted.

    I understand now why Mr. Bush is so sure that the election will go his way. I thought it was denial, but his handlers can deliver !

  54. Votes for Democrats are registering for Republicans

    From the Miami Herald

    . . . .Several South Florida voters say the choices they touched on the electronic screens were not the ones that appeared on the review screen — the final voting step.

    Election officials say they aren’t aware of any serious voting issues. But in Broward County, for example, they don’t know how widespread the machine problems are because there’s no process for poll workers to quickly report minor issues and no central database of machine problems.

    Debra A. Reed voted with her boss on Wednesday at African-American Research Library and Cultural Center near Fort Lauderdale. Her vote went smoothly, but boss Gary Rudolf called her over to look at what was happening on his machine. He touched the screen for gubernatorial candidate Jim Davis, a Democrat, but the review screen repeatedly registered the Republican, Charlie Crist. . . .

    See the full story at http://www.miami.com/

  55. the_zapkitty says

    Eric Edgerton Says:

    “I mean nothing malicious by these questions; I’m simply looking for clarification. Diebold says the software you used in your study is 2 years old;… … How do you address Diebolds claims that the current memory cards are individually signed and usable only in their specific machines?”

    Valid questions, but the problem with that approach is assuming that it would actually make a difference.

    In the past it has not made a difference.

    For it to make a difference you would have to assume that Diebold is telling the truth, that they understand what they are saying, and that they have actually made substantive changes.

    All three assumptions have been proven to be baseless in the past… several times. And Diebold refuses to let their machines be inspected by the people who paid for them so we can only find out for sure the hard way… as we have learned the hard way with Diebold again and again and again.

    Understand that the Diebold source code was placed on the net accidentally years ago… Diebold was made painfully aware of that fact… and yet the vulnerabilities that the Princeton team hacked went uncorrected all that time.

    Diebold has a proven habit of proclaiming “All is secure everything is fixed, keep giving us money…” … then it has been proven not to be secure, that nothing was fixed, or that things were fixed incorrectly.

    So Diebold is on record as lying about their voting machines, often, and of grandiously overstating the security of their voting machines… equally often.

    And now Diebold is waving pretty soundbites of “improved security” in the air… soundbites that may well have absolutely nothing to do with what may (or may not) be happening in their machines.

    They are supposed to have implemented the encryption you mention, but without outside review there is no way of knowing that they did it right this time.

    But we aren’t allowed to have the machines be independently tested so we can be sure.

    Diebold only lets its machines be tested by certain selected ITA’s… the so-called “Independent Testing Authorities”… “so-called” because these are companies that actually have Diebold as clients and are paid by Diebold.

    The ITA’s that reviewed the version of the Diebold software that was hacked by the Princeton team certified that software as as secure for use in actual elections. And it was an ITA that somehow let the source code of more recent Diebold software loose in Maryland.

    Diebold is trying to “run on their record”… and in turn they wind up yammering nonstop in attempts to cover up the fact that their record is verifiably and demonstrably piss-poor.

    And the whole point of the Princeton exercise, which Diebold desperately hopes you will overlook, is that it wasn’t any particular hack or hacks that was the shocker… it was the glaringly obvious conclusion that these machines were not designed with any security in mind.

    The states bought Diebold. They thought they were buying ATM-class technology. What they got were kludged-together PC’s with touchscreens that had the software security of a Windows PC and the physical security of an office file cabinet.

    THAT is the point.

    And if Diebold machines can’t be garanteed to be “electronically secure”, and they can’t, how about the real-life physical security in elections that Diebold harps on when pressed about their electronic failings?

    Well… it’s turning out that some of these “inherently unhackable” and “vigilantly guarded” Diebold machines in Tennessee have had some very strange software running on them… not via “conspiracy theorists” but via court documents:
    http://www.votetrustusa.org/index.php?option=com_content&task=view&id=1935&Itemid=113

    Meanwhilem thousands of Diebold machines in California have been left effectively unguarded in public hands for a three week long “sleepover”…

    So Diebolds “refutation”, when sifted carefully for verifiable facts, fails.

    And it fails miserably.

  56. Eric Edgerton says

    I mean nothing malicious by these questions; I’m simply looking for clarification. Diebold says the software you used in your study is 2 years old; regardless of whether or not it was the most recent technology available to YOU, is it the same used in the currently used machines? How do you address Diebolds claims that the current memory cards are individually signed and usable only in their specific machines?

  57. If someone were to intentionally introduce such a virus to electronic voting machines that would change the names of the candidates to names from American history, such as George Washington and Benedict Arnold, not only would it do the country an incredible service, it would foster so much material in the world of comedy that such a thing should be attempted on the basis of reaping the entertainment value alone!

    -Would this foster an era of Electoral-Terrorism?

  58. Mr. Anderson says

    ****************************
    PRINCETON SHOULD RELEASE THE CODE TO THE PUBLIC DOMAIN. THAT WAY, EVERY CANDIDATE CAN CHEATING ENSURING A FAIR ELECTION.
    ****************************

  59. the_zapkitty says

    wow… this time lou spammed a whole web page to the commentary including irrelevant links…. perhaps just to try to drown out the horrible truth detailed above lou’s sprawl? 🙂

    Lou Bawled:

    “Finally……a viable alternative to the Diebold system! Let’s keep directing all of our attention to Diebold and ignore the activities of the other vendors…”

    Who says they are being ignored? For all you know copies of their respective machines may have already fallen into the paws of… the Evil Princeton Alumni Conspiracy.

    Too bad I never qualified for Princeton… the Somewhat Evil Ivy Tech Alumni Conspiracy just doesn’t have the same ring 😉

  60. Finally……a viable alternative to the Diebold system! Let’s keep directing all of our attention to Diebold and ignore the activities of the other vendors…Sequoia, ES&S, Hart, et al…..who collectively have a much larger customer base than Diebold. If you think the Accuvote-TSx is technologically “weak” start to examine some of the competitive systems. The TSx may be the Cadillac of the industry??
    At least Diebold is a public company that is required to disclose certain “confidential” data. The other companies are closely & privately held companies that operate “under the radar” and love all the attention that the media and academia is directing at Diebold. In the meantime these market savvy vendors continue to secure lucrative contracts and expand their customer base while Diebold continues to be the whipping boy for the industry.
    Sometime (in the not too distant future) the Diebold shareholders will request that the Board get out of this volatile and not too profitable business and concentrate on what they do best…..banking industry!
    Lou Taylor

    U.S. Investigates Voting Machines’ Venezuela Ties

    By TIM GOLDEN
    Published: October 29, 2006
    The federal government is investigating the takeover last year of a leading American manufacturer of electronic voting systems by a small software company that has been linked to the leftist Venezuelan government of President Hugo Chávez.

    Skip to next paragraph

    Tim Boyle/Getty Images
    A touch-screen machine by Sequoia Voting Systems was used this month during early balloting in Chicago.

    Politics Blog
    News, updates and insights on the midterm elections, the race for 2008 and everything in-between.
    Go to Election Guide
    More Politics News
    The inquiry is focusing on the Venezuelan owners of the software company, the Smartmatic Corporation, and is trying to determine whether the government in Caracas has any control or influence over the firm’s operations, government officials and others familiar with the investigation said.

    The inquiry on the eve of the midterm elections is being conducted by the Committee on Foreign Investment in the United States, or Cfius, the same panel of 12 government agencies that reviewed the abortive attempt by a company in Dubai to take over operations at six American ports earlier this year.

    The committee’s formal inquiry into Smartmatic and its subsidiary, Sequoia Voting Systems of Oakland, Calif., was first reported Saturday in The Miami Herald.

    Officials of both Smartmatic and the Venezuelan government strongly denied yesterday that President Chávez’s administration, which has been bitterly at odds with Washington, has any role in Smartmatic.

    “The government of Venezuela doesn’t have anything to do with the company aside from contracting it for our electoral process,” the Venezuelan ambassador in Washington, Bernardo Alvarez, said last night.

    Smartmatic was a little-known firm with no experience in voting technology before it was chosen by the Venezuelan authorities to replace the country’s elections machinery ahead of a contentious referendum that confirmed Mr. Chávez as president in August 2004.

    Seven months before that voting contract was awarded, a Venezuelan government financing agency invested more than $200,000 into a smaller technology company, owned by some of the same people as Smartmatic, that joined with Smartmatic as a minor partner in the bid.

    In return, the government agency was given a 28 percent stake in the smaller company and a seat on its board, which was occupied by a senior government official who had previously advised Mr. Chávez on elections technology. But Venezuelan officials later insisted that the money was merely a small-business loan and that it was repaid before the referendum.

    With a windfall of some $120 million from its first three contracts with Venezuela, Smartmatic then bought the much larger and more established Sequoia Voting Systems, which now has voting equipment installed in 17 states and the District of Columbia.

    Since its takeover by Smartmatic in March 2005, Sequoia has worked aggressively to market its voting machines in Latin America and other developing countries. “The goal is to create the world’s leader in electronic voting solutions,” said Mitch Stoller, a company spokesman.

    But the role of the young Venezuelan engineers who founded Smartmatic has become less visible in public documents as the company has been restructured into an elaborate web of offshore companies and foreign trusts.

    “The government should know who owns our voting machines; that is a national security concern,” said Representative Carolyn B. Maloney, Democrat of New York, who asked the Bush administration in May to review the Sequoia takeover.

    “There seems to have been an obvious effort to obscure the ownership of the company,” Ms. Maloney said of Smartmatic in a telephone interview yesterday. “The Cfius process, if it is moving forward, can determine that.”

    The concern over Smartmatic’s purchase of Sequoia comes amid rising unease about the security of touch-screen voting machines and other electronic elections systems.

    Government officials familiar with the Smartmatic inquiry said they doubted that even if the Chávez government was some kind of secret partner in the company, it would try to influence elections in the United States. But some of them speculated that the purchase of Sequoia could help Smartmatic sell its products in Latin America and other developing countries, where safeguards against fraud are weaker.

    A spokeswoman for the Treasury Department, which oversees the foreign investment committee, said she could not comment on whether the panel was conducting a formal investigation.

    “Cfius has been in contact with the company,” said the spokeswoman, Brookly McLaughlin, citing discussions that were first disclosed in July. “It is important that the process is conducted in a professional and nonpolitical manner.”

    The committee has wide authority to review foreign investments in the United States that might have national security implications. In practice, though, it has focused mainly on foreign acquisitions of defense companies and other investments in traditional security realms.

    Since the political furor over the Dubai ports deal, members of Congress from both parties have sought to widen the purview of such reviews to incorporate other emerging national security concerns.

    In late July, the House and the Senate overwhelmingly approved legislation to expand the committee’s scope, give a greater role to the office of the director of national intelligence and strengthen Congressional oversight of the review process.

    But the Bush administration opposed major changes, and Congressional leaders did not act to reconcile the two bills before Congress adjourned.

    Foreigners seeking to buy American companies in areas like defense manufacturing typically seek the committee’s review themselves before going ahead with a purchase. Legal experts said it would be highly unusual for the panel to investigate a transaction like the Sequoia takeover, and even more unusual for the panel to try to nullify the transaction so long after it was completed.

    It is unclear, moreover, what the government would need to uncover about the Sequoia sale to take such an action.

    The investment committee’s review typically involves an initial 30-day examination of any transactions that might pose a threat to national security, including a collective assessment from the intelligence community. Should concerns remain, one of the agencies involved can request an additional and more rigorous 45-day investigation.

    In the case of the ports deal, the transaction was approved by the investment committee. But the Dubai company later abandoned the deal, agreeing to sell out to an American company after a barrage of criticism by legislators from both parties who said the administration had not adequately reviewed the deal or informed Congress about its implications.

    The concerns about possible ties between the owners of Smartmatic and the Chávez government have been well known to United States foreign-policy officials since before the 2004 recall election in which Mr. Chávez, a strong ally of President Fidel Castro of Cuba, won by an official margin of nearly 20 percent.

    Opposition leaders asserted that the balloting had been rigged. But a statistical analysis of the distribution of the vote by American experts in electronic voting security showed that the result did not fit the pattern of irregularities that the opposition had claimed.

    At the same time, the official audit of the vote by the Venezuelan election authorities was badly flawed, one of the American experts said. “They did it all wrong,” one of the authors of the study, Avi Rubin, a professor of computer science at Johns Hopkins University, said in an interview.

    Opposition members of Venezuela’s electoral council had also protested that they were excluded from the bidding process in which Smartmatic and a smaller company, the Bizta Corporation, were selected to replace a $120 million system that had been built by Election Systems and Software of Omaha.

    Smartmatic was then a fledgling technology start-up. Its registered address was the Boca Raton, Fla., home of the father of one of the two young Venezuelan engineers who were its principal officers, Antonio Mugica and Alfredo Anzola, and it had a one-room office with a single secretary.

    The company claimed to have only two going ventures, small contracts for secure communications software that a Smartmatic spokesman said had a total value of about $2 million.

    At that point, Bizta amounted to even less. Company documents, first reported in 2004 by The Herald, showed the firm to be virtually dormant until it received the $200,000 investment from a fund controlled by the Venezuelan Finance Ministry, which took a 28 percent stake in return.

    Weeks before Bizta and Smartmatic won the referendum contract, the government also placed a senior official of the Science Ministry, Omar Montilla, on Bizta’s board, alongside Mr. Mugica and Mr. Anzola. Mr. Montilla, The Herald reported, had acted as an adviser to Mr. Chávez on elections technology.

    More recent corporate documents show that before and after Smartmatic’s purchase of Sequoia from a British-owned firm, the company was reorganized in an array of holding companies based in Delaware (Smartmatic International), the Netherlands (Smartmatic International Holding, B.V.), and Curaçao (Smartmatic International Group, N.V.). The firm’s ownership was further shielded in two Curaçao trusts.

    Mr. Stoller, the Smartmatic spokesman, said that the reorganization was done simply to help expand the company’s international operations, and that it had not tried to hide its ownership, which he said was more than 75 percent in the hands of Mr. Mugica and his family.

    “No foreign government or entity, including Venezuela, has ever held any stake in Smartmatic,” Mr. Stoller said. “Smartmatic has always been a privately held company, and despite that, we’ve been fully transparent about the ownership of the corporation.”

    Mr. Stoller emphasized that Bizta was a separate company and said the shares the Venezuelan government received in it were “the guarantee for a loan.”

    Mr. Stoller also described concerns about the security of Sequoia’s electronic systems as unfounded, given their certification by federal and state election agencies.

    But after a municipal primary election in Chicago in March, Sequoia voting machines were blamed for a series of delays and irregularities. Smartmatic’s new president, Jack A. Blaine, acknowledged in a public hearing that Smartmatic workers had been flown up from Venezuela to help with the vote.

    Some problems with the election were later blamed on a software component, which transmits the voting results to a central computer, that was developed in Venezuela.

    Simon Romero contributed reporting from Caracas, Venezuela.

    =

  61. the_zapkitty says

    Sean Cleary Says:

    “The only way that these machines will be shown to be bad is if it is obvious that they are bad.”

    Yes, and they are doing a good job of that all on their own… and have been displaying their faults from the very beginning.

    The only problem was that the people entrusted to protect us from such things were the very people who spent all their time screaming as loud and as long as they could that it was “all in your paranoid imaginations” etc etc etc etc etc etc etc etc….

    “So if an entire election votes for a write in candidate, or better a fictional one, then the election will look fraudulent.”

    Highly illegal (multiple felonies) and a bad idea anyway. See:

    http://www.freedom-to-tinker.com/?p=1071

    The solution is to vote and verify… and ‘verify’ don’t mean “taking the damned machines word for it.”

    How to verfify when the election officials insist on hiding the very workings of our democracy from us in the name of “trade secrets”?

    Is this the answer? : Why, in so short a space of time, did exit polls go from being “too reliable… East Coast exit polls are influencing the elections on the West Coast!”

    to

    “What the exit polls tell us now has no relation to who the machines said won.”

    The media, savior of democracy?… only if someone kicks them in the ass hard enough often enough.

  62. Sean Cleary says

    The only way that these machines will be shown to be bad is if it is obvious that they are bad. So if an entire election votes for a write in candidate, or better a fictional one, then the election will look fraudulent. We need a fraud like this where the real candidates are not voted for to expose the danger.
    Generally the fraud seems to need a precint worker to do it.
    Like: “I’m from Geek squad, I want to volenteer”
    But it is likely against some law to advocate the above*, and I certainally would not do it, If caught everybody will suggest that you acted inapproprately and disavow your actions.

    Sean
    * especially as the constitution has been so weakened that 1st admendment rights are in question.

  63. the_zapkitty says

    Funny how all these election officials, try to talk of their perfect, infallible election routines while court documents say that such “perfected routines” are decidedly lacking in real life…

    http://www.votetrustusa.org/index.php?option=com_content&task=view&id=1935&Itemid=113

    Of course low voter turnout could not possibly be the fault of the piss-poor performance of their duty by these said same election officials, could it?

    The alternative is Absentee Ballots!… oh… wait… those are counted by the same tabulating software as counts the polling station ballots, right? The same invulnerable, never hackable, never networked, never subverted tabulating software.. right?

    Still and always, peple should vote.

    I’ve heard some say that they would rather play the lottery rather than chance casting a ballot, but my response to them has been that playing the lottery costs money while voting is free and, just like the lottery, if they don’t play they can’t win.

    Free… oh… wait… the “voter ID” laws that mean that voting is no longer free, even though there is absolutely no evidence of the supposed “widespread voter fraud” that the ID’s were purportely going to stop…

    (… unless, that is, you count certain efforts on California to register everybody and their cat as a Republican no matter what they may have said to the contrary.)

    … the election officials blather all this nonstop while hand-waving away any logical objections so vigorously that they should, by rights, take flight and float around the press conference while bloviating thusly…. and yet their arguments are apparently so weak that they feel forced to return to the same “Evil Princeton Alumni Conspiracy” themes as the media industries?

    Ed, what is the symbol of the Evil Princeton Alumni?… perhaps a monkey wrench… 🙂

    Vote. And if it doesn’t seem to make a difference then take the trouble to find out why. Ignore the wacked-out conspracy theorists who are their own worst enemies in PR… maybe your particular cause simply lost.

    But don’t ignore the simple fact that election fraud is and has been a reality in American history… and that the evidence of this simple fact is as close as certain inmates in your local state penitentiaries. Wherever you may live.

    And, given that simple fact, remember that e-voting as currently instituted is more subject to such… “problems”… and by its nature amplifies the effects of such… “problems”… than any method used previously in American history.

    Vote, but don’t take anyones word, or any machines word, that you have voted.

    Vote… but verify.

    And, BTW, as a blind person, let me tell you that the “SENSE OF EMPOWERMENT!” puportedly given by the e-voting machines to… carefully selected… individuals who are supposed to represent my disability… that “sense of empowerment” doesn’t mean a damn thing if the heart of the “enabling” medium is something as easily corrupted as a Diebold tabulator.

    But still and always, despite all the BS thrown my way, I’ll vote… with my sister and her camera by my side this time 🙂

  64. Lyndon Johnson stole his first election to Congress — literally. His deputies stole at least one entire ballot box; he would likely have lost the election had that box been counted. Paper ballots aren’t the solution; transnparency and security (and honor, maybe?) are what’s needed.

  65. I didn’t spend a lot of time thinking about this, so perhaps I’ve missed something obvious. Why not take advantage of the best of both DRE and paper. Use the terminal to cast and tally votes, then print out the results on a paper card. The voter can look at and verify his votes and if satisfied with it, carry it to another counting/holding machine/box. Like is done with the optical type ballots. You get the convienience/speed of DRE and the paper trail of hardcopy and if counters are used at both, a double check right away. Sorry if this has been suggested already, I just could’t get through all the replies in one sitting.

  66. “It’s not the voting that’s democracy, it’s the counting.”
    – Tom Stoppard

  67. With regard to the internal printer, Diebold could design their machine so that the printer output is viewable through a clear window. Of course this only shows a voter what printed, not what was recorded digitally.

  68. Another cause for concern that I saw in the video was the use of the access cards. From the looks of it, it is just an ASIC chip akin to that of what Dish Network/DirecTV use for their signal integrity. The access cards for Dish are compromised and can be programmed to receive free TV very easily. DirecTV’s current P4 and P5 cards are currently not accessible, but their previous generation cards were. It wouldn’t be hard to hack that access card and change it into a “Supervisor” card if they were using sub-standard encryption technology.

    All of this is still academic so long as the “get out the vote” drives at all the local cemetaries are so successful and the courts in Georgia claim it’s un-constitutional to require picture ID. Then again here in Oregon we give drivers licenses to illegal aliens like it’s going out of style so picture ID isn’t all that dependable either.

    We’re doomed.

  69. In response to a comment about releasing the malicious code to the public domain…

    The paper states why the malicious code was witheld. And I think that makes perfect sense to everyone. However, if you gave a timetable, i.e. ‘We will release this code in 2 years.’ it would put considerable pressure on Diebold and Congress. You would not be guilty of handing the election to criminals due to the advanced warning you gave. That puts the ball in their court. Diebold can fix the machines and the process. Or Congress can act. Or, if there’s no problems, as they claim, you can release the code and see what happens – resting in their claim of security. I think a timetable would make people sufficiently nervous to deal with the issue.

    ‘As of next election, there will be a proven virus in circulation that can steal votes.’
    Does that make you nervous?

  70. Richard Minner says

    When I was a kid and we wanted to decide who would go first at something we used a simple procedure with a coin. I would go in the next room, flip the coin, and return with a printed report of whether it came up heads or tails. None of my friends seemed to mind, because I would never cheat and they knew that.

    Thanks for the study. Incredible situation.

  71. When voting fails at the ballot box, we must have no choice but to use the ammo box.
    Thank goodness for our second amendment!
    “MOLON LABE”

  72. Canadian Elections: It’s important to remember that Canadian elections are far simpler affairs than their American counterparts. As someone once generalized, “Canadians appoint people to the positions Americans elect, and Canadians elect people to the positions Americans appoint”. In federal elections, one is issued a single ballot from which to choose a single candidate from the names one is presented with, and for that reason tabulation is a simple matter. Furthermore, because of the small scale of the enterprise, every political party is also permitted to have a scrutineer present during the counting of the ballots, and the whole process is very open and transparent.

    However, in the United States, they elect everyone from president to dog catcher, and although I’ve not participated in an American election, I imagine ballots to look something like phone books. You’ve got your ballot for President, Senate, Congress, Sheriff, Judge, County Comissioner, School Board, Trustee, etc., etc., and so on.

    Clearly the broad scope of elections is such that the Canadian system would not translate well to the American environment. On the other hand, to see what the American voting system has devolved to only makes me shudder.

  73. Thank you for responding so quickly; I appreciate it. I would like to offer rebuttals to your resposnes.

    First, the privacy screens on ALL the Diebold machines I have ever worked with cover the access panel. The pannel CANNOT be accessed without the screen being detached and swung to the right.

    Yes, I said the machines are left unattended overnight. Howerver, I also said that they were secured to a cart with a cable, and that each machine has a numbered seal on it…meaning that if one of the machines had been tampered with it would be immediately evident. As it was, all the seals applied by the Board of Elections were intact.

    As to the memory cards being shared, if you mean that returning the cards to a the election board after the polls close is “sharing” them, then yes, they are shared. However, they are NOT shared during the elections, the time during which you purport the virus replication could occur.

    The memory cards are in the machines when we recieve them, and there is numbered tamper tape placed across the access door of each machine so that if anyone DOES attempt to tamper with the card it is immediately eveident. Part of our chain-of-posession procedure is the recording of the outer case tage and inner tamper tape serial numbers. Plus, when we do closeout at the end of the day we remove the original tamper tape and adhere it to the back of the report, then remove the memory card and place a new strip of tamper tape across the access panel, recording its number so that the BOE knows nothing happened to the machine from the time the polls closed until they recieved it.

    Furthermore ,we check the tapes every hour to ensure their integrity.

    With regard to why some people – such as myself – suspect the process is partisan is because our Governor, Robert L. Ehrlich Jr., is a Princeton graduate and pushed for the Diebold machines after he was elected – yet now that his re-election is dependent upon the same machines he suddenly doesn’t trust them and is encouraging people to vote absentee.

    As to your final point, I am sure that the cards are left unattaended in between elections – to think otherwise is naive. But, being a logical person (mainfram programming plus web/pc prorgramming for 23 years) I also suspect that they are secured in a locked or otherwise restricted area – meaning anyone who had access to them would be fairly easily identified.

    And yes, I assert that on election day the cards are not left in the custody of one person for even one minute EXCEPT after they have been placed in a heavy canvas pouch which is then locked – and only the BOE has the key to unlock it. Anne Arundel County policy mandates that the closing out of each machine, and delivery of the memory cards to the Board of Elections, be done by the chief judges of both major parties TOGETHER.

    Best regards,

    Mike Calo

  74. Mike C,

    Some quick responses to your questions.

    (1) The privacy screens might be a barrier to attacks by voters on Election Day — though I know of another county that is building special devices to clip on to the privacy panels so that they cover the memory-card door, which implies that the door isn’t normally covered in their setup. But what about access at other times. You admit that the machines are left unattended the night before the election.

    Your assumption that machines with bad seals are not used is contradicted by Avi Rubin’s experience in the recent Maryland election. At the precinct where he is a judge, they found some machines didn’t have the right seals. They called the Board of Elections, who told them to use the machines anyway. The ESI study of the May election Cuyahoga County, Ohio found the same thing: though official doctrine was not to use machines with seal problems, in practice more than 15% of precincts had seal problems and the usual response was to use the machines anyway.

    (2) As explained in our paper, what matters is whether memory cards are moved from machine to machine. My understanding of Maryland procedure is that the memory cards come from the Board of Elections before the election and are returned there afterward. Whether you, in the precinct, share cards between machines doesn’t matter. What matters is whether cards are ever shared — and we know that they are.

    (3) The party who gave us the machine asked not to be identified, and we are respecting that request. We know the machine is legitimate. Diebold representatives have seen the machine and read our paper, and they have not disputed the machine’s legitimacy. Our paper is scrupulously nonpartisan, as is everything we have said. I’m still mystified as to why some people want to make accurate vote-counting a partisan issue.

    Regarding your final point, our experiments did simulate real conditions — the attacks require only that one machine or one memory card be left unattended, or in the custody of a single person, for more than one minute. Are you really asserting that this never happens, not even between elections?

  75. I was a chief election judge for the past primary election (October 12) in Anne Arundel County, Maryland as well as a book/check-in judge for six elections prior to that, and I have several coments/questions.

    First, I note that you claim to have picked the lock to the side panel in less than 10 seconds – yet you fail to mention how you gained access to the side panel. As anyone who has ever used one of these machines to vote knows, there are two plastic privacy “screens” that loudly snap into place on either side of the machine – the right-hand one covering the access panel to the memory card. To access the card one would have to unsnap the wall, remove the security tag (NOT an easy task in itself in Anne Arundel County), and THEN pick the lock. It is extremely unlikely that all of these events could come to pass without being noticed.

    Further, we do not have “sleepovers”, so no one has the opportunity to disassemble the machine to access the motherboard. The voting machines are delivered to the polling place the night before the election and are secured to a cart with a vinyl-covered cable that passes through the handles of each voting unit.

    In addition each voting unit has a seal on the outer case, the serial number of which is recorded in our paperwork; if we come across a seal whose number does not match our log we call the election board immediately and that machine is not used until it is checked by a technician.

    Second, our machines do not call in to anything or anyone, they are not networked in the polling place, and we do not use an acuulator machine into which the memory cards of the other voting machines are inserted. Even if one were able to perform the three time-consuming tasks described above, the virus would have no way to spread from the infected machine.

    Third, why the secrecy about the party from whom the tested unit was obtained – unless it was a political entity with an interest in destroying public confidence in the viability of the machines, thereby affecting the election to their favor?

    In that you have failed to disclose the source of your machine and the fact that your “experiments” apperently failed to simulate real-life scenarios – that is, you did not perform any of your subversive activities in a setting where election judges are watching the voters and the machines, making the possibility of accesding the side panel and memmory card less likely – I find little of value in your conclusions.

  76. This is scary. I sent in my early paper ballot today.

  77. Cathal Toomey says

    It is terrible that somebody can tamper with electronic voting machines so easily.
    It is a problem that requires urgent attention.
    Cathal Toomey from Ireland

  78. Neo,

    SOX is short for Sarbanes-Oxley, a post-Enron law intended to strengthen financial reporting by public companies, but criticized for being overly burdensome. See Wikipedia for more information on Sarbanes-Oxley.

  79. anon, circumvention of a TPM is only a violation of the DMCA if done in order to infringe copyright contrary to the TPM protected license.

  80. SOX?

  81. Look at the diebold truck with a bush/cheney sticker on it at my blog.

  82. David Locke says

    Why are we worried about security? We are supposed to be worried about accuracy.

    When Enron crashed, the congress passed SOX as an intention. But, Enron was an inside job, not an outside hack. So SOX is something else entirely.

    Dibold can do whatever they want with their voting machines, and they will never engender TRUST. Trust is earned, not asserted, not validated by security claims. It is Dibold we don’t trust. Go paper, stay paper. Paper is trusted.

  83. Democracy favours the mob.
    The mob is easily led by demagogues.
    It takes a mob to defeat a mob.
    Where is the mob, our saviour?
    China?

    Take a leaf out of Hari Seldon’s book. The west has jumped the shark.

  84. We have the Diabold machines that count actual ballots here in Allegan County, Michigan. They were installed new after the 2004 election saw these machines steal Florida. We recently had a recount on the Primary Election in August, and in violation of state election law, our Republican county clerk would not allow us to view the actual ballots. They did the recount using another machine from Diabold. We are preparing a Writ of Mandamus to require them to follow the law and allow us to view the ballots. See video on blackboxvoting.org.

  85. the_zapkitty says

    Rich Said:

    “Why is it that these electronic voting machines cannot produce a receipt, even compressed into a hash code for a true paper trail. “.

    Because building in such a thing using reliable printers designed for such a load would have cut into Diebolds profit margin, and they have lobbied very strongly to avoid that wherever they can.

  86. the_zapkitty says

    Andrew Said:

    “I think it is able to inject attack code to any computer using the method you mentioned , but the problem is, onbody will allow you to “hack the mother board” or doing Input rather than the touch pad.”

    This, and the rest of your comment, show that you have not understood the reports on the vulnerability of the Diebold machines.

    The short answer is: Yes, you can.

    And as was noted elsewhere: the security surrounding the machines has been purely lip-service and literally nonexistent.

    Now there are a few last-minute court-ordered efforts underway that involve expensive constant surveillance for the machines… but want to bet that they still miss the point?

    “In my inexperienced opinion, it may be better to use ROM to store record, as the record can not be modified after the vote is made. (that may cause other secutiry problem, too lol)”

    “Write once” memory is perfectly possible. How loudly will the vendors scream about their profit margins if forced to implement it? By the examples they have set to this date: loudly indeed.

    “Do I want to use the Diebold machine? Surely N, but I have no choice.”

    Vote absentee! …

    … of course your absentee ballot will be counted electronically by networked machines running software created by the same vendor that sold your state the e-voting machines.

    “When e-vote expert asked for testing the diebold machine, I have come with an idea, Why don’t e-vote expert forms a group and make a better system for us? Academic professions should convince us.”

    First they have to find out if the current technology even permits secure, reliable e-voting. They are working on that.

    http://accurate-voting.org/

  87. the_zapkitty says

    Lou Taylor Said:

    “Just a couple of thoughts relative to the aforementioned Diebold matter….this is a situation that exists with every certified/approved touch screen voting system utilized in the US. ES&S, Sequoia Voting Systems and Hart Intercivic all manufacture voting equipment with similar design functionality and features. It is not unique to Diebold!”

    Who said it was? Diebold was just unlucky enough to be first up 🙂

    “Rather than bashing the vendor why don’t the appropriate election governing boards at the Federal and State level mandate that the system architecture in all DRE machines be designed to prevent these potential problems?”

    Because, in practical terms, the vendors were given a free hand to write their own specs… and often didn’t adhere to even the loose rules that were handed out.

    (See the variety of court cases coming up for vendors violating the rules)

    The manner in which e-voting regulation was implemented was not our government’s most shining hour… and 2000 and HAVA made things worse.

    “All of the voting equipment (touch screen or optical scan) used throughout the country must meet or exceed federal voting system standards before it can be sold.”

    Or not. See above.

    “If the standards and/or certification process is lacking then our legislators (Rep & Dem) need to adopt tougher regulations.”

    Yep… but if many of the legislators, electoral overseers, and vendors are busy yammering in lockstep chorus that “everything’s ok, we didn’t screw up to the tune of billions of dollars, ignore all the evidence that says otherwise, any contrary opinions are just paranoid left-wing terrorist blogger geeks…” it makes it kind of hard to get a word in edgewise. Not impossible, of course…

    “Regarding the Diebold “owner” (Diebold is a public company) promising to deliver the votes for Bush…..he was terminated! Diebold inherited a weak product line, some questionable personnel and some real political challenges when they acquired Global Elections in ‘2002. Virtually all of the management team that came over from Global is no longer employed by Diebold.”

    But Diebold bought the company and Diebold bought the technology and Diebold continued the development and Diebold sold the resulting bill of goods.

    The e-voting machines are Diebold machines built by Diebold, promoted by Diebold, sold by Diebold, and serviced by Diebold.

    The profit from them went to Diebold.

    “Obviously Diebold has the capacity and ability to design the best “mousetrap” in the marketplace as exemplified in their ATM product design and manufacturing.”

    Really? Ever had a virus run rampant through your ATMs, Diebold?

    “However, no election vendor was given the luxury of time to develop a quality election product after the Florida punch card debacle of ‘2000. Every vendor rushed through an R&D program in order to satisfy the federal Help America Vote Act (HAVA) and brought a product line to market before it was sufficiently tested.”

    Perhaps… but the “Vaccumvotes” er “Accuvotes” were out out there and “certified” before 2000. Diebold knew exactly what they were buying. Diebold knew exactly what product line they were supporting… and Diebold dived in with a will.

    “Fortunately, the federal (EAC) and state election authorities have required that some, if not all, of these products be refined or retrofitted to incorporate the necessary safeguards. It’s a slow & tedious process that requires too many meetings and involving too many “experts” that can’t come to an agreement on what constitutes a secure system.”

    Assuming they aren’t shouted down by the vendors… and their money. Millions spent by the vendors in lobbying has been difficult to match by just calmly stating the plain facts involving computer security.

    “I’m sure they’ll finally get it figured out once the respective pool of experts get some federal grant money.”

    Hmmm? This attack on the researchers assumes several “facts” with regards to the researchers that are definitely not in evidence.

    “In the interim don’t punish the vendors, demand more from the decision makers & legislators who adopt the policies and procedures!”

    Wasn’t it Diebold who launched an all-out campaign of disinformation when the problems first started coming to light?

    Yes, it was Diebold.

    Wasn’t it Diebold who spent millions of dollars lobbying and buying off certain consumer interest groups when it became obvious the problems could not be solved without totally revamping the Accuvote architecture?

    Yes, it was Diebold.

    Isn’t it Diebold who even now stalls, obfuscates and delays rather than fixing the damn problems?

    Yes, it is Diebold.

    “The real concern (in my opinion) are issues pertaining to accurate voter registration, absentee voting procedures and pollworker training. If collusion exists in a voting system not even paper ballot voting is secure, as was fairly evident in the 1960’s before punch card voting was introduced.”

    Yep, these are serious issues indeed… in addition to the e-voting problems.

    “Why don’t you propose that every election vendor submit their product for inspection and testing. I doubt that you’ll get many volunteers!”

    Such requests have been made by researchers to all e-voting machine vendors from the beginning.

    The vendor response: to buy regulation that forbade such testing from being required… by equating the democratic process with “trade secrets”…

    “It’s too volatile of a business/industry…..too many poltics. That’s why there are only a handful of vendors. I’ll bet you that had Diebold known the volatility and public scrutiny of this business they would have never acquired Global Elections in ‘2002.”

    “The election revenue for Diebold constitutes only 10% of their total corporate revenues. I sincerely doubt that it has been worth the headaches & hassles.”

    “Lou Taylor
    (retired election printer) “

    Wishful thinking. The fact of Diebolds nonstop lobbying says different.

  88. Why is it that these electronic voting machines cannot produce a receipt, even compressed into a hash code for a true paper trail. The receipts themselves wouldn’t have to be any bigger than your average ATM/cash machine receipt and would prove Diebolds good faith in assuring us, the voting public, that the system is secure. Anyone, or any district, who feels they were erroneously represented could re-tally receipts.

  89. I think it is able to inject attack code to any computer using the method you mentioned , but the problem is, onbody will allow you to “hack the mother board” or doing Input rather than the touch pad.

    Absolutly, I am doubted with any kind of technologies used in voting; if they are secure. There is no such a system that can resist any attack, But I am afraid that the real “sysem problem” of diebold is rather than your point. Anyway, I think you are right, physical security is a very big problem, even if a “perfect” system is existe.

    Who can change the flashmemory of mother board? May be engineers, etc.

    Will Dieold verify every pieces of code in every machine after they god installed? may be not.

    In my inexperienced opinion, it may be better to use ROM to store record, as the record can not be modified after the vote is made. (that may cause other secutiry problem, too lol)

    Do I want to use the Diebold machine? Surely N, but I have no choice.

    When e-vote expert asked for testing the diebold machine, I have come with an idea, Why don’t e-vote expert forms a group and make a better system for us? Academic professions should convince us.

  90. Lou Taylor says

    Just a couple of thoughts relative to the aforementioned Diebold matter….this is a situation that exists with every certified/approved touch screen voting system utilized in the US. ES&S, Sequoia Voting Systems and Hart Intercivic all manufacture voting equipment with similar design functionality and features. It is not unique to Diebold! Rather than bashing the vendor why don’t the appropriate election governing boards at the Federal and State level mandate that the system architecture in all DRE machines be designed to prevent these potential problems?
    All of the voting equipment (touch screen or optical scan) used throughout the country must meet or exceed federal voting system standards before it can be sold. If the standards and/or certification process is lacking then our legislators (Rep & Dem) need to adopt tougher regulations.
    Regarding the Diebold “owner” (Diebold is a public company) promising to deliver the votes for Bush…..he was terminated! Diebold inherited a weak product line, some questionable personnel and some real political challenges when they acquired Global Elections in ‘2002. Virtually all of the management team that came over from Global is no longer employed by Diebold. Obviously Diebold has the capacity and ability to design the best “mousetrap” in the marketplace as exemplified in their ATM product design and manufacturing. However, no election vendor was given the luxury of time to develop a quality election product after the Florida punch card debacle of ‘2000. Every vendor rushed through an R&D program in order to satisfy the federal Help America Vote Act (HAVA) and brought a product line to market before it was sufficiently tested.
    Fortunately, the federal (EAC) and state election authorities have required that some, if not all, of these products be refined or retrofitted to incorporate the necessary safeguards. It’s a slow & tedious process that requires too many meetings and involving too many “experts” that can’t come to an agreement on what constitutes a secure system. I’m sure they’ll finally get it figured out once the respective pool of experts get some federal grant money. In the interim don’t punish the vendors, demand more from the decision makers & legislators who adopt the policies and procedures!
    The real concern (in my opinion) are issues pertaining to accurate voter registration, absentee voting procedures and pollworker training. If collusion exists in a voting system not even paper ballot voting is secure, as was fairly evident in the 1960’s before punch card voting was introduced.
    Why don’t you propose that every election vendor submit their product for inspection and testing. I doubt that you’ll get many volunteers! It’s too volatile of a business/industry…..too many poltics. That’s why there are only a handful of vendors. I’ll bet you that had Diebold known the volatility and public scrutiny of this business they would have never acquired Global Elections in ‘2002. The election revenue for Diebold constitutes only 10% of their total corporate revenues. I sincerely doubt that it has been worth the headaches & hassles.
    Lou Taylor
    (retired election printer)

  91. I should add that I am likewise disappointed by Diebold’s response to “Analysis of an Electronic Voting System” by Kohno et al.

  92. Wow, I’m surprised by Diebold’s “propaganda” response. I know that intellectually nonsensical profiteering seems to be accepted in much of the USA’s commercial domain, but it is accepted in areas such as croutons, laundry detergent, and political lobbying inside companies, and not in areas where one can be held legally accountable for one’s statements. I hope this Diebold company is held legally accountable for its statements, and I hope third party audits of voting machines continue, as this is a serious matter and not just some “commercial profiteering” babble; this is the foundation of our democracy. – Connelly Barnes @ cs.princeton

  93. 4. The chairman and CEO of Diebold is a major Bush campaign organizer and donor who wrote in 2003 that he was “committed to helping Ohio deliver its electoral votes to the president next year.” I present the President, brought to you by Diebold. (check out conspiricyplanet.com for more good stuff) And as for primary elections- there are House seats in “secure” Republican Districts where the Democratic challenger is fresh from the CIA. Heads they win, tales you lose.

  94. Doesn’t surprise me; I’ve seen a voter printout from our local board of elections. It shows ‘votes’ seven months before an election. What surprises me is that I have offerred to numerous medias and attorneys, and none are interested. The only person who was is no longer working for the t.v. station that made the inquiry.

  95. I had initially thought that absentee voting was a solution. But Diebold stills controls the counting. They have absentee ballot scanners that just supposedly dump the absentee results to the master database that maintains the tallies as I understand it. One solution I see is to have “open voting” where everybody knows how everybody else voted.

    Now, let’s see do I want to vote for the crusty moldy cheese or the rotten egg?

  96. Your group is truly doing truly patriotic research.
    Bravo.

  97. the_zapkitty says

    “Mark G. Radke, director for marketing at Diebold, said that the AccuVote machines were certified by state election officials…”

    These being state election officials like the Colorado staff worker who admitted in court that he did not have any computer security credentials, and merely “checked that the machines included security documentation”… and then certified the Diebold machines as “secure”.

    “… and that no academic researcher would be permitted to test an AccuVote supplied by the company.”

    And there you have it. Once again Diebold says “Go to hell, America.” loud and clear.

  98. Richard Gadsden says

    Problems with absentee voting:

    1. Can you apply for your absentee ballot to be sent to an alternate address (eg the hotel where you’re on holiday?) – if so, someone else can forge the application and have hundreds of ballot papers sent to their house (or a drop-point).

    2. How secure is the USPS – can someone follow the postie around and steal the ballot papers?

    3. There is no way to be certain that the ballot was cast by the named person and not someone else living in the same place. This is particularly an issue in some patriarchal communities (ie husbands using their wives’ votes) and in shared-mailbox HMOs (eg student housemates).

    4. If you follow the postie, can you intimidate people into handing over their ballot paper or into voting the way you want?

    The classic example of absentee-ballot (postal vote) fraud is Birmingham

    The main campaigning blog on this is stolen votes: http://www.stolenvotes.org.uk/

  99. Typo: “demostrated”

    [It’s fixed now. Thanks. — Ed]

  100. the DRE machines allow the visually impaired voters to cast their votes in secret (using an audio ballot) without the need for assistance from a person who, of necessity, learns how the voter intends to vote.

    Why not have a machine that visually-impaired or illiterate people (or anyone who wants to take the time to use it) can use which will print out an optical-scan ballot which may then be counted in the normal fashion for optical-scan ballots?

  101. What did you expect them to say?

  102. The processing power and hardware needs for building a voting machine are not expensive or hard to use. Basically all of the needed free software for making one of these machines exists, there are well established methods of building hardened boxes that many amateurs do at home.

    So my question is, why aren’t there more people working on this themselves? Just because we have a government doesn’t mean we have to sit around and wait for them to do things, let’s do this ourselves!

    And in the end, I’ll bet such grassroots machines, will be far more secure and far cheaper.

  103. The Princeton team is to be commended for its thorough and well-written report. As a concerned voter, I thank you! I am a motion picture director and am somewhat familiar with the security and encryption measures that have been successfully deployed in recent years in the delivery of so-called digital cinema to theatres. In reading your paper and learning of the unbelievable lack of security inherent in Diebold electronic voting machines and their software, I couldn’t help but wonder if the electronic voting industry wouldn’t benefit from the level of care, for instance, that has gone into the design of keys and the physical security for Dolby Laboratories’ Digital Cinema Processor? It’s a sad comment that our society’s vested financial interest in protecting intellectual property appears to exceed its interest in protecting the integrity of its voting system. Perhaps Dolby Laboratories should start building electronic voting machines.

  104. Above there was mention of providing voters a paper receipt. Not only is vote-buying a concern, but also vote extortion, when workers have to report to management or union officials. Or batterers insist that their partners vote a certain way. And what constitutes vote-buying? Is it acceptable for a restaurant to give free appetizers for people who vote for Candidate Brown. Delivering a receipt directly to voters essentially violates the secrecy of the ballot. It would actually undermine an important pillar of our voting process in order to help halt a theoretical threat to it that arises from the introduction of the DRE technology.

    Besides, I’m not sure what added measure of protection a voter receipt gives us if there’s a VVPT that doesn’t leave the polling place.

    The secrecy of the ballot concern is actually one of the big reasons why the DRE machines got the nod under HAVA. Unlike the cheaper (by almost half), equally accurate, and “as secure as any other” optical scanning systems, the DRE machines allow the visually impaired voters to cast their votes in secret (using an audio ballot) without the need for assistance from a person who, of necessity, learns how the voter intends to vote.

    Of course, if those secret votes are compromised and stolen, I’m not sure why it would be so important to maintain their secrecy. But that was a large — and rarely discussed — motivating factor in spending as much as $2 billion more on DRE machines. Yeah, yeah, I know it’s all about political cronyism and all that…but there are actual policy reasons that slanted in favor of the DREs.

  105. John Gebhardt Did Say:

    “Seems to me that a good short-term fix would be to use the existing printers to print out a paper result for each vote cast in 2 copies. One goes to the voter, and one stays in the polling place. A barcode would be very helpful in case a recount is needed.”

    That also enables easy vote-buying; someone can use their receipt to prove to someone which way they voted.

    There’s a reason VVPT machines show the printout behind a pane of glass, but keep it locked inside the machine.

  106. Absentee ballots present one major problem: vote-buying.

    I don’t see an easy way to prevent someone proving what way they voted without the existing system of having designated polling sites with observers at each.

    Making polling sites more accessible, and maybe paying for peoples’ transport there and declaring any polling day a holiday (so that you can take the whole day off work with impunity, and there’s no school — some highschoolers and most college and university students are eligible to vote), would be better. Subsidized day-long free bus use in every area is a possibility. Making these days holidays with free bus use would also make it stand out more in the public mind, get people into a celebratory spirit, and get people out of their usual routines and out of the house and into the community. The potential benefits are frankly enormous, and not just to the voting process and outcome itself.

    Oh, and let prisoners vote. (Those that’re old enough.) It can’t hurt (what will they do, vote in the Legalize Murder Party? Maybe the Marijuana Party, but that’s because you’ve put so many pot users in the slammer to begin with, and maybe they, like, have a point, y’know?) and denying them the vote may distort elections (maybe they’re more likely to vote dem, like lower-class people; denying them the vote may therefore stack things in favor of republicans). And maybe being able (and encouraged!) to participate in at least one civic type of activity will help rehabilitate some of them.

  107. the_zapkitty says

    George Said:

    “Most of the criticisms of Oregon’s system apply equally well to most states’ absentee ballot system… and absentee ballots have decided many elections.”

    Criticisms? Which ones in particular are you referring to?

    As has been stated here repeatedly by various parties: no balloting system currently in use is without problems.

    But are the terrors of absentee balloting so awful that we should trust Diebold instead… insecurities, deceptions, evasions, and all ? 😉

  108. Oregon (where I live) does, indeed, use 100% vote-by-mail, though a person can go to an election office to vote, marking the ballot there and handing it in. Most of the criticisms of Oregon’s system apply equally well to most states’ absentee ballot system–and absentee ballots have decided many elections. One result is very high turnout, among the highest in the US. In 2004, over 86% of registered voters, 70+% of eligible voters, actually voted. The overall US figures were 73% & 60%, a very high turnout nationwide.

  109. the_zapkitty says

    George Martin Did Rant Thusly:

    “Since Diebold makes about half of the ATMs in the US and the voting machines use the same security measures (for the most part)”

    No, it has been documented that the Diebold vote machines are horribly insecure and do not even come within a light year of matching the security of Diebold ATM’s.

    Indeed, it’s been a cause of wonder as to why Diebold turned out something so shoddy and insecure as their voting machines when Diebold is known for security.

    A cause of wonder, and unfortunately a cause of suspicion.

    The real reason, of course, was Diebold’s greed in trying to snatch as much of the billions of dollars in HAVA funding, funding provided to states to upgrade their systems, as quickly as it possibly could.

    Afterwards Diebold’s amply illustrated “go to hell” attitude towards the voters who paid for the resultant buggy, insecure systems ain’t helping.

    “then a simple measure should be to hack an ATM machine. I will gladly supply an account. Clean me out.”

    You realize, of course, that this is a complete non sequitur?

    “Prove that you can actually beat the encryption/security measures on a machine that hasn’t been floating around the “academic” realm for three years or so.”

    Princeton didn’t release Diebold’s code on the internet. Diebold released Diebold’s code on the internet. Ever-so-secure Diebold did that.

    “It won’t happen…it can’t happen.”

    Then Diebold should not be so terrified of allowing third-party inspection of its machines… should it?

    “Why wasn’t these same “techniques” used in the recent primary contests?”

    That’s the reason for the uproar, you fool. Because due to Diebold’s multiple screwups and evasions afterwards we can’t be sure that it didn’t happen.

    “Should’ve been a simple thing to hack the machine while a confederate with a video camera documented the “hack”.

    The people who would have done this with a live election would have had no interest in anyone documenting them.

    “Put up with a current generation device or shut up once and for all.”

    Then tell your bosses at Diebold to stop lying, to stop evading, to stop living in denial and to cough up a “current generation” machine for third-party inspection. Or better yet, ask your bosses to supply a replacement machine for any balloting district that volunteers an actual deployed“current generation” machine for third-party inspection.

  110. the_zapkitty says

    John Gebhardt Did Say:

    “Seems to me that a good short-term fix would be to use the existing printers to print out a paper result for each vote cast in 2 copies. One goes to the voter, and one stays in the polling place. A barcode would be very helpful in case a recount is needed.”

    Hmmm… Essentially turning the machine into an improvised paper-trail evote machine? Proper thought, yes, trying to make use of available materials 🙂

    But the printer setup is designed to be sealed away while the machine is in operation, and is not designed to dispense continuously to the public at large. Could the printer remain open while balloting was in process? And what additional security holes would leaving the printer cover off open?

    And who will stand by the voter to insure that the paper that comes out of the printer is correctly distributed and handled?

    Also, given the cheapness of Diebold’s other components in the machine… is there any guarantee that the printer could even take that level of use without glitching itself to death?

  111. George Martin says

    Since Diebold makes about half of the ATMs in the US and the voting machines use the same security measures (for the most part) then a simple measure should be to hack an ATM machine. I will gladly supply an account. Clean me out. Prove that you can actually beat the encryption/security measures on a machine that hasn’t been floating around the “academic” realm for three years or so. It won’t happen…it can’t happen. Why wasn’t these same “techniques” used in the recent primary contests? Should’ve been a simple thing to hack the machine while a confederate with a video camera documented the “hack”. Put up with a current generation device or shut up once and for all.

  112. John Gebhardt says

    It is unclear from reading the various responses, whether Diebold’s digital signatures on their memory cards would prevent the malicious software from being injected into the machines. This is a big question that Diebold should answer in a complete and professional manner

    The big problem is that Diebold will not disclose their security strategy and techniques except in the most general terms. If they did, the security community would could take a crack at them and the result would/could be a bullet-proof system.

    Seems to me that a good short-term fix would be to use the existing printers to print out a paper result for each vote cast in 2 copies. One goes to the voter, and one stays in the polling place. A barcose would be very helpful in case a recount is needed.

    The paper would have to be replenshed more often, but at least each vote would be recorded on paper in a form the voter could verify, and the precinct’s copy could be used in a recount, making it pretty foolish to try and hack the machines.

  113. the_zapkitty says

    Note to those Diebold shills living in a corporate-mandated fairyland.

    Yes, older election techniques have had troubles, but look up “Maryland” “Election” and “Debacle”. And that’s just the latest edition of the Diebold follies.

    Diebold has had severe problems in getting its “perfect” election solution to work right… and then Diebold proceeds to lie nonstop about said solution.

    And this is with people one would assume were doing their best to make the Diebold system work properly.

    Now add to that the very real and verifiable potentials for deliberate misuse as documented by the Princeton team, mix in Diebold’s nonstop lying, deception and evasion regarding those potentials, and you lay the groundwork for a truly monstrous perversion of the electoral process.

    Which would lead to the grimly humorous scenario of senior citizens not only being unable to vote properly because of Diebold’s screwups, instead of the old-fashioned punch card screwups, but of them then realizing that their entire effort would have been wasted anyway… because someone injected malicious code into the software.

  114. There are already problems with the election process. As a precinct worker, I have seen at least one ballot be made meaningless at every election I have worked for in the past ten years, even without e-voting.

    Voters have neglected to check their ballot after it has been marked, and placed in the ballot box, with every available technology, chad punch spikes, and ink marking devices.
    The precinct workers don’t know about it until the polls are closed, when the ballots are being checked not for votes, but just to count the number of ballots to make sure that figure matches the number of voters according to the roster.

    There is no way to go back and see if the voter intended to submit a blank ballot, perhaps sending some sort of “signal” that they are objecting to the election. At the precinct level, we see the reality of secret ballot one-man one-vote, and how fragile that can be. I know for sure that sometimes the elderly infirm voters have complained that the spikes didn’t work right, and that they have become confused by the rubber stamp that has replaced the spikes (altho they look superficially the same), and they thought something was wrong.

    Once recently, a voter slipped her ballot into the voting machine when it was folded, and the precinct inspector (the boss of the other precinct workers) didn’t realize the machine was jammed until a few other voters had used the same voting machine, so at least a few votes didn’t get counted properly. That’s only a few in my precinct, but multiply that by every precinct, and that’s a significant chunk of the voting population.

    It’s hard to believe that this is happening here and now. It feels like speculative fiction.
    It’s awesome that researchers at a respected university have gone to the trouble to try to save and restore election integrity.

  115. Forgive someone commenting from England on US Election processes but we’ll probably follow where you lead …

    Aren’t you making the mistaken assumption that Diebold want the machines to be secure? They want the voters to be deceived about this – but maybe it is useful to Diebold and other parties if the machines are easy to hack …

  116. Why anyone is surprised with the findings of Diebold’s electronic voting machines is what amazes me! After all at a political fund raising event for current President George Bush, the president/owner of Diebold stated he guaranteed the election for Bush……

    Several years ago it was pointed out that Diebold’s system had over 400+ errors that prohibited accurate votes from being counted! Duh????

  117. Geeks United and Elect Geek Politicians who can actually understand what they are writing laws about.

  118. I’m quite sure CNN or Fox would love to see you and your assistants try to hack some other Diebold machine at random that would be used in the upcoming election (not one specially prepared by them).

    Anyone who lived during the 3.5″ floppy era remembered they were the first way viruses were spread – via sneakernet!. Even if you encrypted all the data on the floppy, the boot sector could still install the virus.

    And I don’t know of any way to show it up except to do something obvious like a 3rd party candidate getting 95% of the vote in the upcoming election.

  119. Sandie: I am quite serious, please read the first entry in this FAQ:

    http://www.elections.ca/content.asp?section=faq&document=faqelec&lang=e&textonly=false#elecmedia

  120. You’ve got to hit them in the pocketbook.

    My suggestion is here.

    Jim H.

  121. Posible solution: Simply triple check!

    From one side you could have a “choosing box” where you choose your candidate, once you’ve chosen, the ballot is stored in that machine, and it BOTH prints your vote (indicating your vote and the machine from which it was cast) and record it on the voting card. Then you go with this card to a SECOND machine (the “Hub” Ballot box machine) in which all of the votes for a number of choosing boxes is stored, and here you can recheck your vote, consolidating it (the time per voter in this machine would be very low because you would only need to confirm your ballot.

    Finally you deposit the voting paper given by the first machine on a third box, (from which some % should be manually verified to match in BOTH tipes of machines). The sum of all choosing machines should match perfectly by number of votes per candidate and per machine with the information on the Hub machine.

    In this way ALL the votes would finally be on paper if any trouble appears with the checking of the machines, and the probability of hacking all of the choosing machines involved in order to have a perfect match between all of them and the final ballot box machine is much much lower.

    Is my process too complicated?

  122. About the digital signing of memory cards:

    6 years ago when we broke SDMI, one of the components was a digital signature of compact discs—to identify factory originals, under the assumption that all CD burners would refuse to propogate the signature.

    The signature track was whopping huge in size, but only encoded a 16-bit signature (!!) which didn’t even seem to be uniformly distributed. We found hash collisions in SDMI’s own sample data of 100 signatures.

    That was more properly a checksum, since the phrase “digital signature” carries some connotation of security, or difficulty of forgery. As far as we could tell, it was unreliable as a digital signature.

    The message is: trust these things only when the software people actually tells you what they are doing. Are they signing code and firmware updates? Using what signature algorithm, what hash? It is customary for these things to be disclosed in security products that people trust.

  123. Rob Adams said:

    >I’m not sure if this is known on the latest generation of the machines, but it seems to me if they’re requiring that the code updates that it automatically installs from the card be digitally signed, then this _would_ defeat the attack described in the paper.

    Such an attack need not replace true votes with fraudulent counts (plus a valid signature), but could also be used simply to invalidate the results of individual machines. Say, in a precinct which heavily favors your opponent. With enough machines invalidated, chaos ensues. This seems more likely as a scenario because each precinct knows (independent of the machines) how many voters came through, so a machine with a record of 4000 votes for Mr. X is obviously invalid when the entire precinct only had 720 voters show up that day … so the vote forger would need to shift votes from Mr. Y to Mr. X while staying fairly close to the real vote total that was on that machine (but need not be exact, since not every voter votes in every race), but without seeing that number boforehand.

    Keep up the great work, Ed.

  124. the_zapkitty says

    Overseer Said:

    “If someone was desperate enough to want to swing a vote in someones favour, they could. Knowing the right people and having a large enough Bank balance can get you almost anything.”

    True for sufficiently large values of “right people” and “bank balance” but that’s American politics, right?

    “In a way paper voting is just as suseptable to errors as electronics when you think about it.’

    But we’re not talking about errors here (except in regards to Diebold’s engineering errors)
    we’re talking about an insecure setup that allows one voter to screw with the votes of many… a system that Diebold insisted long and loudly was “perfect”.

    “Perhaps a better method is needed for the future of voting…”

    Yes, but even the current fiasco can be improved with some effort… and some research… and some expenditure… on Diebold’s part… with some external oversight…

    “mind probe voting perhaps? :)”

    Forcing the evolution of a better voting machine… with Diebold paying… 🙂

  125. Im all for the good old fashioned Paper voting system. But lets admit it. If someone was desperate enough to want to swing a vote in someones favour, they could. Knowing the right people and having a large enough Bank balance can get you almost anything. In a way paper voting is just as suseptable to errors as electronics when you think about it. Perhaps a better method is needed for the future of voting… mind probe voting perhaps? 🙂

  126. A woman on another website came up with this idea, which is along the lines of John J’s idea:

    “I can think of a solution to the voting machines debacle. It can be done too. If the voting machines are already rigged and they can be hacked as easily as it seems, then I hope someone comes along with the bright idea of making the machines come up with such an impossible win (say they show that Ghengis Khan wins by 99% of the votes) that the elections will have to be held again, only with paper ballots. It’ll be proven once and for all that they are RIGGED AND RIGGABLE!”

  127. Note: I was incorrect above, the MAC encryption on the TSx appears to cover almost all data stored on the memory card.

  128. RE the note about paper voting in Canada:

    Surely, you jest. It’s extremely difficult to get enough pollworkers as it is–and those people spend 15+ hours now (an hour early to set up, 7a to 8 p polling, an hour to take down [paperwork too], plus taking vote stuff to the central location–county courthouse here).

    I firmly agree we need to fix this electronic voting problem, but I think paper printouts would be better. Or allow several days to count paper.

    Meanwhile, I vote early on paper.

  129. Also, on the TSx (the newer model), the digital signing was only of election data…

  130. the_zapkitty says

    Now how long will it be before someone claims that they are “digital signatures just like the ones used by UN nuclear inspection teams!”

  131. Rob,

    Based on documents we have seen, we believe that Diebold’s claimed “digital signature” is not really a digital signature, in the sense that a cryptographer would use that term. To be effective, a “digital signature” would have to (a) really be a digital signature, (b) cover the correct data, and (c) be checked at the right time. Based on the documents, we believe that at least one, and possibly more, of these criteria are not met by Diebold’s current design.

  132. I’m not sure if this is known on the latest generation of the machines, but it seems to me if they’re requiring that the code updates that it automatically installs from the card be digitally signed, then this _would_ defeat the attack described in the paper.

    Do they sign only the data from the election, or are the code updates also digitally signed? If this is being done, how does the attack get around the signature check?

  133. the_zapkitty says

    Brian Jones Said:

    “So, Diebold says that the machines are never networked, but that they employ SSL?”

    And Ed Felten Then Said:

    “The machine can dial up to the central election office to download the ballot before an election or to upload the results afterward. SSL would be used over those dialup connections.”


    … … …
    … … … …
    … So Diebold doesn’t understand what “network” means…

    And the machines issuing ballots and taking the results are…?

  134. My virus will kill the ballot download process and create use it’s own instead. My ballot will look like this:

    ———————————————
    o Democratic Candidate
    o Candidate of the Democratic Party
    o Libertarian Candidate
    o other Democrat _______
    ———————————————-

  135. In the security world when a vendor fails to cooperate with whitehats identifying vulnerabilities in their software, pretty much the only choice is to force them to deal with their problems by making them as public and exploitable as possible. I hope you’ve considered releasing the injectable software to the public and making the coming election as insecure as possible.

  136. Brian,

    The machine can dial up to the central election office to download the ballot before an election or to upload the results afterward. SSL would be used over those dialup connections.

  137. What we really need is a person to win the election that is truely detestable to all parties (say, Saddam or bin Laden). That way, we will have both the minority party and the majority party working on election reform!

  138. > “If Diebold really believes its latest systems are secure, it should allow third parties like us to evaluate them.”

    If you’ve contacted them requesting the opportunity to do this, have they responded? If so, could you print the exchange in a blog post and link to it from this one?

  139. So, Diebold says that the machines are never networked, but that they employ SSL?

    Ed, can you tell us what SSL is used for on these machines?

  140. Diebold’s response convinced me (long before I read your reply to it) that they don’t even understand what the security issues are.

  141. Personally, I’m worried about political parties using these “features” in order to “win” an election. I’m not even convinced that it wasn’t intended to be the way it is (insecure). Of course, I always lean towards conspiracy theories when given the opportunity. What? Bush won a third term? How the hell did that happen? Oh… Diebold….

  142. Canada also uses paper ballots, which are counted by the polling officers from Elections Canada, the federal, non-partisan body responsible for holding elections. Tabulation is performed at the polling place, and is completed within hours of the poll closing. There is no reason why this system could not be used in the United States; efficiency is not a real issue as the manpower necessary to staff the polling places is the same manpower used to count the votes. Indeed, the decentralization necessary to efficiently count the votes is a excellent deterrant to large scale vote tampering, as no one person has access to ballots from more than one small precinct.

  143. I agree with the “absentee ballot” protest. I plan to use one this year!
    – Precision Blogger

  144. Germany uses paper ballots, which are counted by representatives of each party among the government workers; it takes a couple of day, which no one minds. My German friends are praying that we may soon return to a real democracy, the kind we helped them achieve after WWII.

    And bless you Princeton guys for having done this work and putting it out there.

  145. Who do you want to win?

    The totalitarians or the terrorists?

    Vote wisely.

  146. Apparently, nobody at Diebold has been using computers long enough to remember the days when viruses spread by floppies.

  147. The solution is for every voter to request an absentee ballot. I believe Oregon uses mail in ballots exclusively. While this may not be possible for 100% of voters, wouldn’t it work for +90%?

  148. This comment on reddit deserves to be addressed:

    “Digitally Signed memory card data”

    “As above, Diebold does not assert that any of these measures would prevent the attacks described in our paper. Nor do we see any reason why they would. ”

    while I don’t claim it couldn’t be cracked, if the machine requires that a memory card be signed with a Diebold private key, that would seem to answer the question of why their modified memory card hack would be a lot harder than the description in the original paper in which they simply loaded their own code.

  149. Yes, I see they’re really concerned about security; enough for the marketing department to throw out buzzwords and acronyms in an attempt to fool those who think computers are magic. And they’re arrogant enough to think this bullshit will work on _professionals that know far more than they do_.

    That in itself is reason to reject any use of their product.

  150. Thank you for doing this important work.

    Do you plan to put the virus code in the public domain?

  151. In the mcLibel case the trial was a huge win for the anti mcDonalds movement. In court they will have to prove their claims. This could backfire big time for Diebold.
    Sue them!

  152. When I voted last week in Maryland, I was confronted by one of these machines. When I asked the election official at the polling place if it was possible to do a paper verified hand-recount, I was told that there was a printout, but it was sealed within the machine. I asked if it was possible for me to verify that my vote was recorded appropriately (or even recorded at all), I was told that it was not possible.

    Why do we need instant feedback and results on election day? Why not use printed paper ballots on which we use an ink pen to mark our choice and publicly monitored hand counting — even if it takes a few days to get results?

    Any “voting machine” that uses closed technology with no way to indendendently verify machine settings or compare results with the voter’s intention is a fraud. The voter is unable to verify that the machine actually recorded their ballot as they voted, or even if their vote was recorded at all!

  153. Ed: I know this sounds far-fetched, but I don’t think it would be a bad idea to talk to a lawyer about possible libel claims against Diebold. They have used factual misrepresentations to support a public statement about your professional inadequacy. Perhaps Princeton’s in-house counsel could provide an opinion and/or a referral.

  154. Diebold, for the best election results the highest bidder can buy!

    Surely, the foundation of democracy is in its honest, free, open, transparent, independent and verifiable elections. Diebold machines, clearly, cannot provide these and indeed, the very use of these machines hinders the accuracy and honesty and open-ness of elections, and the democracy upon which these are supposed to stand.

    Elections must be clear and open and beyond reproach. They should be honest and accurate and seen to be so. For if The USA is going to lecture and then launch wars in pursuit of democracy elsewhere, surely their own elections MUST be unquesationably honest and accurate.

    This creates BIG questions and so long as these questions are there, the whole of the democratic election of the government MUST remain in doubt.

    The USA is not a democracy and nobody can indpendently verify that GW Bush was ever democratically elected.

  155. Sounds like Diebold uses the minibar keys for more than just their voting machine locks.