Those damned Californians.....

RightIsWrong

Diamond Member
Apr 29, 2005
5,649
0
0
I really like their efforts in trying to verify the validity of their elections. I really like the fact that even though the companies tried to stonewall the process....the truth came out in the end.

I sure hope that the Bush admin is taking notice....no matter how much you try to stall, the truth will always come out eventually.

Linkage

Hackers hired to evaluate the security of e-voting machines used in California found serious flaws that could allow for vote tampering in all three systems studied.

The defects included the ability to overwrite firmware, install malicious applications, forge voter cards and gain access to the inside of voting machines by unfastening screws that were supposed to be inaccessible. The defects were found in machines provided by Sequoia Voting Systems, Hart Intercivic and Diebold Elections Systems.

The team was unable to test equipment sold by Election Systems & Software because the vendor dragged its feet in cooperating with the review, which is authorized under California law.

The e-voting machine assessment was part of a "top-to-bottom" review that Secretary of State Debra Bowen undertook earlier this year into all ballot machines used in the state, whether or not they are computerized. Several "red teams" were given access to the source code and user manuals of e-voting machines and directed to hack them if possible.

"The red teams demonstrated that the security mechanisms provided for all systems analyzed were inadequate to ensure accuracy and integrity of the election results and of the systems that provide those results," wrote Matt Bishop, the study's principal investigator and a professor at the University of California at Davis.

He said the teams probably could have uncovered additional vulnerabilities had they not encountered significant delays in obtaining information and tools from the three vendors involved. Many documents didn't arrive until July 13, just seven days before the five-week study was concluded. Other software was never delivered at all.

"Despite these problems, the red team testing was successful, in that it provided results that are reproducible and speak to the vulnerability of all three systems tested," Bishop wrote.

Among the findings of the study:

* Testers were able to overwrite firmware in the Sequoia's Edge/Insight/400-C, in the GEMS system sold by Diebold and in Hart's System 6.2.1.
* They were also able to bypass physical locks in Sequoia's Edge system by unfastening screws.
* Testers were able to penetrate Diebold's GEMS server system by exploiting Windows as it was delivered and installed by the vendor. That allowed them to make security changes, including the installation of a wireless device, that were never recorded by audit logs.
* Testers found an undisclosed account in the Hart software that an attacker could exploit to gain unauthorized access to the election management database.

All three companies challenged the review, arguing that the laboratory environment under which it was conducted was unrealistic.

"This was not a security risk evaluation but an unrealistic worst case scenario evaluation limited to malicious tests, studies and analysis performed in a laboratory environment by computer security experts with unfettered access to the machines and software over several weeks," Sequoia argued in a press release. "This is not a real-world scenario and does not reflect the diligence, hard work and dedication to the stewardship of our nation's democracy that our customers - and all election officials - carry out every day in their very important jobs of conducting elections in California and throughout the United States."

"We believe the process would have been enhanced had the testing team included an experienced election official," Sequoia said in written comments directed to Bowen. "Unfortunately, since no one on the testing team had experience in security procedures and protocols used in California, your team was deprived of having someone with hands-on experience running an election."

I love the excuses by the companies....but, but, but, we weren't there to tell them which areas to not attempt to break into. :(
 

LongTimePCUser

Senior member
Jul 1, 2000
472
0
76
All of this was known 4 years ago. Reported in Computerworld.

Diebold code source code was located in the internet using a Google search.
Reviewer's looked at the code and reported that it was low quality, slopply code that would be very vulnerable to security attacks.

Recent Computerworld article on leaked Diebold code.

Diebold's concept of computer security is so weak that their own source code was posted on insufficiently proteced web servers that were visible on the public internet.
 

techs

Lifer
Sep 26, 2000
28,559
4
0
Originally posted by: 1prophet
Were these companies low bidders?
HAHAHAHAH! Low bidders? On a government contract thats at least 3 times what it should cost.

 

1prophet

Diamond Member
Aug 17, 2005
5,313
534
126
Originally posted by: techs
Originally posted by: 1prophet
Were these companies low bidders?
HAHAHAHAH! Low bidders? On a government contract thats at least 3 times what it should cost.

How did you determine the cost and that it is 3 times what it should be?
 

EagleKeeper

Discussion Club Moderator<br>Elite Member
Staff member
Oct 30, 2000
42,589
5
0
Give the ahckers all the tools needed and uninterupted access, they should be able to break in.


The entity responsible for the voting machines should received sealed units fro mthe factory and set them up according to factory specs.


Put the equipment in locked rooms with the attackers only able to get in via communication or power lines, then a different story would occur.

Then if the hackers get in, it is the fault of the manufacturer. Otherwise it is the fault of the people that montior the machines.
 

1EZduzit

Lifer
Feb 4, 2002
11,833
1
0
Originally posted by: Common Courtesy
Give the ahckers all the tools needed and uninterupted access, they should be able to break in.


The entity responsible for the voting machines should received sealed units fro mthe factory and set them up according to factory specs.


Put the equipment in locked rooms with the attackers only able to get in via communication or power lines, then a different story would occur.

Then if the hackers get in, it is the fault of the manufacturer. Otherwise it is the fault of the people that montior the machines.

you forgot:

Have a paper trail
 

piasabird

Lifer
Feb 6, 2002
17,168
60
91
Attaching a wireless device might be kind of useful if you want to submit some fake votes. Actually being able to have access to the results might enable the companies to make improvements in their systems and firmware. In reality there are no systems that are impregnable. We use a system in Illinois in my precinct that we have been using for over 5 years that reads the paper ballot after you blacken the circles with a pencil. However, my biggest complaint is that the person can not verify that the results were read. So the voter has no chance to even know if his vote was counted. This is much the case with any paper voting system. I would have liked to see an electronic system that saves my voting and can retrieve my results and actually check to make sure I did not vote for two people and give me a chance to make corrections. You should be able to vote, then be offerred to review the results, then store the results and give you the voting key so you can look it up and inspect the results after they are stored.

We used some kind of online testing system at the DMV in Illinois where you can take the driving test on a computer and it tells you which questions you got wrong at the end. I am sure someone could actually hack that system as well.

You know if you can update firmware you can sabotage a system months before an election. Then no one would know there was ever anything wrong. My big thing is that how do you verify any results from these electronic voting systems and still keep a vote anonymous? If everyone was given a random key that was printed out on their receipt or they could write it down, then maybe they could have the option of having the people verify their own vote after the fact. I would even like to be able to have some printed results that I can read.

This is what I would like to see in a system.
1. Voter votes and at the end is given a receipt with a number or code that represents their vote.
2. They go to the verification booth and print out their paper copy.
3. They have to initial the paper copy and drop it in the locked box.
4. Paper copy can be used to verify their vote later if a system failure occurs.
5. If the voter wishes they can revote their vote and also know if their original voting was marked invalid and have a chance to correct it and then to recertify.
 

RightIsWrong

Diamond Member
Apr 29, 2005
5,649
0
0
Originally posted by: Common Courtesy
Give the ahckers all the tools needed and uninterupted access, they should be able to break in.


The entity responsible for the voting machines should received sealed units fro mthe factory and set them up according to factory specs.


Put the equipment in locked rooms with the attackers only able to get in via communication or power lines, then a different story would occur.

Then if the hackers get in, it is the fault of the manufacturer. Otherwise it is the fault of the people that montior the machines.

Your argument doesn't make any logical sense. You dismiss the fact that anyone who votes needs physical access to the machines that isn't monitored to ensure the privacy of their vote. And I am sure that hackers that have been able to get into the banks, the FBI and CIA systems could crack just about anything that Diebold or any other company is going to put out there with enough motivation.

Your dream scenario is just that....a dream.
 

IGBT

Lifer
Jul 16, 2001
17,962
140
106
Originally posted by: LongTimePCUser
All of this was known 4 years ago. Reported in Computerworld.

Diebold code source code was located in the internet using a Google search.
Reviewer's looked at the code and reported that it was low quality, slopply code that would be very vulnerable to security attacks.

Recent Computerworld article on leaked Diebold code.

Diebold's concept of computer security is so weak that their own source code was posted on insufficiently proteced web servers that were visible on the public internet.


..is this by accident or design??

 

imported_Shivetya

Platinum Member
Jul 7, 2005
2,978
1
0
Originally posted by: RightIsWrong
I really like their efforts in trying to verify the validity of their elections. I really like the fact that even though the companies tried to stonewall the process....the truth came out in the end.

I sure hope that the Bush admin is taking notice....no matter how much you try to stall, the truth will always come out eventually.:(

you do realize that electronic voting was implemented by many Democratic leaning areas without any influence of Bush. In fact many selected Diebold using the same flawed logic.

Take off your tin foil hat before posting, we already have enough.
 

RightIsWrong

Diamond Member
Apr 29, 2005
5,649
0
0
Originally posted by: Shivetya
Originally posted by: RightIsWrong
I really like their efforts in trying to verify the validity of their elections. I really like the fact that even though the companies tried to stonewall the process....the truth came out in the end.

I sure hope that the Bush admin is taking notice....no matter how much you try to stall, the truth will always come out eventually.:(

you do realize that electronic voting was implemented by many Democratic leaning areas without any influence of Bush. In fact many selected Diebold using the same flawed logic.

Take off your tin foil hat before posting, we already have enough.

You do realize that I made no mention of Bush or even the GOP implementing them, right?

My comment about Bush was a comparison to his administration and the e-voting machine companies not a declaration that he was responsible for them (e-voting machines) being put in place.

They didn't want to offer up the machines or coding requesting because they knew they would come out looking bad. They waited until the very end in some cases per the article before complying. My reference to Bush was in regards to him and his administration claiming everything is a matter of national security and/or executive privilege instead of giving up requested documents and/or testimony (See...a compare and contrast statement).

As I originally stated.....the truth will eventually come to light and the more that you stonewall, the worse that it looks on you.
 

maddogchen

Diamond Member
Feb 17, 2004
8,903
2
76
It doesn't raise much alarms for me. they were given 5 weeks to hack into these systems. If the article said they found a way to hack into the system and change the voting in under a few minutes and then was able to go to an actual voting booth and replicate the hack without getting caught, then I'll be worried.

if you're worried about the government hacking in and changing your vote, I'm sure if they wanted to they can do it much more easily and don't have to hack probably.
 

Fern

Elite Member
Sep 30, 2003
26,907
173
106
I'd MUCH rather we stuck with paper ballots. I don't care if some 'tards down in South FL have problems or not. To jepordize the validity and trustworthiness of the entire national voting for a few idiots is bad policy.

Fern
 

Hacp

Lifer
Jun 8, 2005
13,923
2
81
Originally posted by: maddogchen
It doesn't raise much alarms for me. they were given 5 weeks to hack into these systems. If the article said they found a way to hack into the system and change the voting in under a few minutes and then was able to go to an actual voting booth and replicate the hack without getting caught, then I'll be worried.

if you're worried about the government hacking in and changing your vote, I'm sure if they wanted to they can do it much more easily and don't have to hack probably.


In theory, you could hire a bunch of hackers, hijack one of the machines a few weeks before the vote, learn how to hack in there, and then do it on election day.
 

Fern

Elite Member
Sep 30, 2003
26,907
173
106
Originally posted by: piasabird
What makes you think your paper ballot will be counted any better than an electronic one?

I like the paper trail and the ability confirm via recount the results.

If a machine screws up and records a vote wrong, no amount of recounts can correct it, IMO.

Fern