I’m not a computer geek so I don’t know what to make of this story, but it sure sounds bad:
SACRAMENTO, CALIFORNIA — “This may be the worst security flaw we have seen in touch screen voting machines,” says Open Voting Foundation president, Alan Dechert. Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.
“Diebold has made the testing and certification process practically irrelevant,” according to Dechert. “If you have access to these machines and you want to rig an election, anything is possible with the Diebold TS — and it could be done without leaving a trace. All you need is a screwdriver.” This model does not produce a voter verified paper trail so there is no way to check if the voter’s choices are accurately reflected in the tabulation.
Open Voting Foundation is releasing 22 high-resolution close up pictures of the system. This picture, in particular, shows a “BOOT AREA CONFIGURATION” chart painted on the system board.
The most serious issue is the ability to choose between “EPROM” and “FLASH” boot configurations. Both of these memory sources are present. All of the switches in question (JP2, JP3, JP8, SW2 and SW4) are physically present on the board. It is clear that this system can ship with live boot profiles in two locations, and switching back and forth could change literally everything regarding how the machine works and counts votes. This could be done before or after the so-called “Logic And Accuracy Tests”.
A third possible profile could be field-added in minutes and selected in the “external flash” memory location, the interface for which is present on the motherboard.
This is not a minor variation from the previously documented attack point on the newer Diebold TSx. To its credit, the TSx can only contain one boot profile at a time. Diebold has ensured that it is extremely difficult to confirm what code is in a TSx (or TS) at any one time but it is at least theoretically possible to do so. But in the TS, a completely legal and certified set of files can be instantly overridden and illegal uncertified code be made dominant in the system, and then this situation can be reversed leaving the legal code dominant again in a matter of minutes.
“These findings underscore the need for open testing and certification. There is no way such a security vulnerability should be allowed. These systems should be recalled.”
More is explained in DocGonzo’s diary at Daily Kos.
Geeks know that this insecurity means anyone can use a common keychain “thumbdrive” to start the machine, run any software they want to mess with its data, and walk away without leaving a trace. The thumbdrive can include big complex software to juggle voting data according to formulas that make the changes hard to detect. Those thumbdrives can be networked, even over mobile phones, to run districtwide or nationwide “tweaks” that don’t raise eyebrows too much when compared with overall voting patterns, exit polls, other evidence of the actual public will.
A bad guy can walk up to a machine after the votes are collected, reboot it from their keychain, cheat the election results, shut down and walk away in a few minutes. It might even be possible to start in a few seconds, shut down any displays, walk away while the cheat software works, then just return a few minutes later to unplug and get away.
As they say in the vernacular “Holy Hard Drive, Batman!” Looks like a big smoking gun to me. What say you more computer literate types?
than idiotic design, IMNSHO.
Santa Clara County does not use Diebold — we have Sequoia Systems machines which do produce a verifiable paper trail. What’s Diebold’s excuse?
Diebold’s excuse is they wanted to be able to easily change the system files for “upgrades.”
Having worked in software development for years, I can tell you that’s a bad strategy. In the case of election machines, they should be selling something that is already fully tested and bug free. Bug free IS attainable, but few companies even try to reach that. They simply don’t care, and feel there’s an acceptable risk. Diebold is obviously in this latter category, and figures if what they sell doesn’t work, they’ll implement a “fix” later. That’s lousy business, and a horrific scenario for vote counting.
And it does leave the door wide open for fraud. If you have been following the Clint Curtis story, he was asked to write a program that would be undetectable, compiled, to alter votes in real election scenarios. (He thought he was writing something to prove it could be done, not to actually DO it. He later blew the whistle on his employers for this, but it remains to be seen if anyone will be prosecuted.)
I don’t want to hear a single argument in favor of this technology. There aren’t any to outweigh the inherent dangers.
It’s not important whether fraud has been committed. It’s important whether fraud could be committed, undetectably. It can. Therefore we should not wait for evidence of fraud, but should throw out the machines altogether.
I’d say something more but I’m sworn to secrecy. Suffice it to say that a new movie soon to be released has the potential to raise this issue in a big way. Unfortunately, the cut I saw wasn’t “soup yet”….
Diebold’s excuse is that they don’t want to leave a paper trail. What possible rational explanation could there be to not produce a verifiable paper record of the vote? Not a one….unless you don’t want a record. This is one of the ways Bush won in Ohio in 2004. The head of Diebold is a committed Bushite and Republican financial supporter who publicly stated that he would do anything to get Bush elected. Including fraudulent voting machines, I suspect.
You’d think paper trails would be a no brainer. But if you’re trying to steal elections, paper trails are the one thing you can’t tolerate. Bear that in mind as you read these quotes:
Senator Trent Lott:
Los Angeles County Registrar (from Texas) Conny McCormack:
And unnamed election officials:
It appears many of our elected and appointed (like Conny) officials are either:
A. Too stupid to understand how a vote can be stolen electronically,
B. Too lazy to want to do an accurate count,
C. So cynical as to think our vote doesn’t matter, or
D. Out to steal elections and don’t want to get caught.
I really can’t think of any other reasons. None of them are good. The ILLUSION of democracy is to these people preferable to the ACTUALITY of it.
In Mexico, the people are shutting down businesses in protest. We should be prepared to do the same!!
Senator John Ensign, a Nevada Republican:
Then why the hell even use them as that statement can imply that electronic voting will always be insecure?
Dodd also had a point about people with disabilities being denied the ability to check their ballot due to visual problems. However, it was a weak one, but it is necessary to address the issue despite the fact that issues that affect people with disabilities are never taken seriously.
See why I dislike being told to wait until after 2008? Been hearing the same thing for decades and nothing ever changes.
In addition you would need the piece of software that would actually change the vote totals, and it would have to be loaded onto external flash memory (I haven’t spent enough time looking at their pictures yet to see what interface they’re using, if it’s USB or what).
Writing that piece of software would require some pretty intimate knowledge of how the machines work. Not just anyone could do it. You’d probably have to either be a diebold employee, or have access to some of their documentation that is no doubt kept ‘secret’.
Also, this is an exaggeration:
The bad guy would have to, in order:
Possible? For sure. But, I would also point out that this ‘feature’ of the machine could have a completely legitimate purpose, which would be in-house testing and/or on-site support. It would allow the Diebold programmers to test new code using code on external flash memory instead of having to install it on the machine. It would also allow them to run debugging code on a machine if it were having problems.
The Open Voting Foundation article claims that the biggest problem is not the switch from flash to external flash, but from flash to EPROM. I didn’t focus on that because I don’t consider that as likely. Here is why:
If the software to change the results were included in the machine itself, it could quite easily be found. All you’d have to do is run a test run and tally some votes, open the machine, switch a switch and change 3 jumpers, then boot it up and see if the totals still matched the original tally. If it didn’t, THAT would indeed be a smoking gun.
So I think it is more likely that if there was fraud, it would be by running code on external flash.
Point taken, but what we’ve done is hand over control of vote counting to individuals who have no business with any of this. Maybe there could be a better system or maybe electronic voting is just too inherently flawed to ever be acceptable. The current technology, as opposed to pencil and paper or purely mechanical systems, appears to be capable of allowing commission of the perfect votefraud crime.
I think some enterprising geek needs to bring a diebold machine to the next hearing (hopefully in a Dem Congress), conduct a straw poll with it, and demonstrate to the digital illiterates who “represent” us how their votes just don’t add up.
Well, he didn’t say that any bad guy could do it, did he? Or are you assuming that Diebold personnel assisting election workers (as I’ve heard is often the case) are always ‘the good guys’?
I am not ‘assuming’ anything. I am merely pointing out what someone would need to do from a technical standpoint, and it requires more than walking up to a machine, plugging in a flash drive and rebooting as the original author claims. Therefore, what he said is an exaggeration.
Okay, so I’m extremely proud of knowing how to do links with html, and that’s about the extent of my computer expertise. But this story and the comments tell me two things:
I don’t know whether this proves that election fraud has happened. But it sounds like it proves that it could happen, which is just as worrisome.
Election fraud has always existed, and even been rampant. Which proves the case that it needs to be made harder and lower level. What we seem to have done with electronic voting is given the bad guys the code to the alarm so they can commit the perfect crime on a much larger scale than was ever possible before.
I think we need serious reconsidering about whether vote machines can ever be secure, and if so the government, not the vendors, needs to set the parameters. What we’re doing now is getting Charlie Manson to train our dog to protect us from home invasions. Not too bright.
Call me an optimistic techno-geek, but I think they could be made secure. However, several things need to happen first that have heretofore not happened:
Is such a system immune to abuse? No. No system is, and we can’t make it so. We can only make it as abuse-resistant as possible. I sympathize greatly with those who think all of our elections should be done with paper ballots, and nothing but; however, I can’t help but think that there is a way to do verifiable machine voting and we just haven’t had the will to implement it yet. Abolishing machine-assisted voting for all time because the current system is flawed seems to me like throwing the baby out with the bathwater.
The only technical solution I could get behind, as a former programmer, is the Open Voting Consortium’s plan for open source voting code, used on regular machines – nothing proprietary or secret. And even then, you’ll still want a vigorous audit protocol to ensure errors can be caught.
When a feature like this exists – and yes, it’s a feature not a bug – you have to realize it’s there for a reason. And a reason that might be offered, that the flash boot option is there for making it easier to test new versions of the boot software, would only be valid for in-house testing equipment. To keep that option alive in equipment that is released to the market must only mean one thing; you’re prepared to use it during live elections.
It’s not for the voting populace to prove that the feature has been invoked during live elections. It’s for the election administration to prove it hasn’t. As long as they can’t prove that – and they won’t be able to prove that as long as the feature is there to be used – you have to draw the conclusion that the feature is used during live elections.