How to rig an election, the Diebold way, with live video

[winmutt]

http://www.ddj.com/dept/security/193000399

Quote:

They Said it Couldn't be Done: Diebold Voting-Machine Hack Announced at SD Best Practices
John Jainschigg
In his Wednesday evening keynote address on Security at SD Best Practices, Boston, Cigital's Gary McGraw discussed a paper and shared clips from a video demo released today by Edward Felten, Ari Feldman, and Alex Halderman of the Princeton Center for Information Technology Policy, titled: Security Analysis of the Diebold AccuVote-TS Voting Machine. The paper details a simple method whereby the Princeton team was able to compromise the physical security of a Diebold voting machine, infecting it with a virus that could change voting results and spread by memory-card to other machines of the same type.

The Diebold machine -- a tablet computer-based tabletop device -- saves program and vote information on standard Flash cards whose slots are secured by a locked metal cover. The video asserted that keys fitting these locks are easily duplicable, and that -- even lacking a key -- a member of Felten's team could routinely pick the locks in less than ten seconds; or gain access to the Flash card by removing six screws from the bottom of the machine and lifting its upper shroud away completely. Once access to the Flash card is gained, the card can be briefly removed, a virus-bearing card inserted, and power cycled -- loading the malicious code into memory. The original card is then re-inserted, exposing it to infection by the virus and making its contents vulnerable to change by viral code. Felten's team was, they assert, able to develop viral code that could "steal votes undetectably, modifying all records, logs and counters to be consistent with the fraudulent vote count it creates." And they were able to embed this functionality in viral envelopes that could propagate from machine to machine during normal pre- and post-election activities (e.g., periodic collection, backup and summary of vote-counts). By compromising just one machine, therefore, an attacker could conceiveably alter results for an entire electoral district, or in some situations, in even more far-reaching ways.

The Princeton team performed its study independently, using a machine obtained from a private party. In his executive summary to the paper, Felten notes that the current work extends and confirms assertions first made by Kohno, Stubblefield, Rubin (all of John's Hopkins) and Wallach (of Rice University) in their well-known 2003 paper Analysis of an Electronic Voting System, which concluded that Diebold machines failed to provide even the most minimal security standards applicable in other contexts (e.g., banking), and asserted that closed-source approaches to building such a device were intrinsically flawed. One of the leaders of that team, Dr. Aviel Rubin, just released a book on this subject, titled: Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting.

Here is the video.
http://www.youtube.com/watch?v=OJOyz7_sk8I

[cmac2012]

No that can't be. Republicans operate Diebold. This is the greatest country on earth. We're honest here.

[Mistress]

ahhh, Diebold takes me back to my banking days....thanks for the memory.

[Brian Carlton]

Quote:

Originally Posted by cmac2012

No that can't be. Republicans operate Diebold. This is the greatest country on earth. We're honest here.

I agree. All republicans in the current administration are honest folks who have the best interests of the electorate in mind. That's why the electorate continues to support them.

[TheDon]

Quote:

Originally Posted by Brian Carlton

I agree. All republicans in the current administration are honest folks who have the best interests of the electorate in mind. That's why the electorate continues to support them.

-dies laughing- sorry i had to

[Botnst]

Which committee in the RNC is responsible for selecting, buying, installing and programming voting machines in all of the states, counties, and cities?

[Brian Carlton]

Quote:

Originally Posted by Botnst

Which committee in the RNC is responsible for selecting, buying, installing and programming voting machines in all of the states, counties, and cities?

That would be the executive director of political operations........he's the one responsible.

[Botnst]

Quote:

Originally Posted by Brian Carlton

That would be the executive director of political operations........he's the one responsible.

This will come as a shocker to our various clerks of court and Secy of State, who think it is their job. Democrats, all. Are they also part of this coup plot?

Bot

[Brian Carlton]

Quote:

Originally Posted by Botnst

This will come as a shocker to our various clerks of court and Secy of State, who think it is their job.
Bot

No, they'd be mistaken..........it's the RNC's job to oversee those machines. I thought you would have known that..........

[Honus]

Quote:

Originally Posted by Botnst

This will come as a shocker to our various clerks of court and Secy of State, who think it is their job. Democrats, all. Are they also part of this coup plot?

Bot

Clerks in this part of the world tend to be Republicans. Not that it has anything to do with voting machines, but I thought I should correct the record on that.

[mgburg]

Just like the phrase, "If you're too stupid to get out of Jury Duty, do I want you as one of 12 jurists in a murder trial?" - I would like to be sure I have someone, smart enough, running this country that can figure out how to "outsmart" a stupid machine!!!

What's the problem here?

#1.) You make a machine...
#2.) You have someone (anyone) try to "break" the machine...
#3.) You fix the first "breakage" and...
#4.) You have someone else try to "break" the machine, again...
#5.) You fix the next "breakage" and...
#6.) Repeat Steps #4 & #5 until...
#7.) You can't find someone to break it...
#8.) T H E N . .
#9.) Unlike Bill Gates/Microsoft, you then market it..."Bill & MS ALWAYS put this step between #1 & #2 ... you end up doing #3 - #7 yourself!"

Do you guys want Bill Gates handling our elections? GEEZ! We'd never know who, or what, got elected...we'd be "re-booting" crashed boxes 'til the next election cycle and the lost data? And you think DIEBOLD has issues?

Life's too short to be worried about some test that was, probably, shot a year and half ago and the "fixes" have already been done...BTW, has anyone checked as to the date of video, when and where it was performed and, more importantly, have the issues been corrected?

The machine that was tested...(the Princeton team's independent study machine, that was obtained from a private party) - did ANYONE check the date of the study, source of the machine, whether it was a prototype or on-line production sample unit, a "beta" machine, or even the report itself, in that it was an "in-house, for our eyes-only" type of report, to be used in the above mentioned style of testing-breaking-fixing scenario that I outlined above?

If you don't know the basics of what the reports is about, the foundation of any arguement is baseless...just as, if the foundation of house is unknown, how do you know whether the house is a "house of cards" or a real castle?

Let's see if someone, out there, can find the real story - ala the "Valerie Pflame" thread we just got done grinding through here for ... how many pages/weeks?

ENJOY THE WEEKEND AND REMEMBER...DRIVE CAREFULLY OUT THERE...'CAUSE YOU KNOW NO ONE ELSE DOES!

[Botnst]

Quote:

Originally Posted by dculkin

Clerks in this part of the world tend to be Republicans. Not that it has anything to do with voting machines, but I thought I should correct the record on that.

Around here they're mostly Democrats who have the major (bureaucratic) role in the voting process. At the state-wide level we have we had an elections commissioner jailed for demanding and receiving kickbacks from .... election machine companies. Most of our currently jailed crop of elected officials are Democrats. I don't know about other states. In Louisiana it isn't because Democrats are more crooked, it is because they vastly out-number republicans, IMO. If the Repos get majority status they'll have their piggy faces in the trough. I hope we have a Fed Prosecutor as tough on political crime and as competent as the guy we have now. He's another one of the good guys. And no, I don't know what party he is in.

Here's the Jefferson Parish C of C's responsibility as relates to elections. It is pretty typical.

Responsibilities

The clerk of court is the Parish's chief elections officer. He qualifies candidates for office in all municipal, parish, and state legislative elections. The Secretary of State qualifies candidates for statewide, congressional, state appellate and supreme court elections, and public service commission elections.

The clerk's elections department conducts all training seminars for commissioners and commissioners-in-charge and sends all notices to supporting elections officials. These notices inform the appropriate officials of the crucial information concerning the election. The department also addresses any problems that may arise on election day.

After the polls close, and during days immediately following an election, the department tabulates totals, checks voting machine counts against the election night print-outs and prepares the payroll for the election workers.

[Larry Delor]

If there is anybody left who honestly thinks that politicians are honest, I have some land I'd like to sell you.

[Matt L]

Quote:

Originally Posted by mgburg

What's the problem here?

#1.) You make a machine...
#2.) You have someone (anyone) try to "break" the machine...
#3.) You fix the first "breakage" and...
#4.) You have someone else try to "break" the machine, again...
#5.) You fix the next "breakage" and...
#6.) Repeat Steps #4 & #5 until...
#7.) You can't find someone to break it...
#8.) T H E N . .
#9.) Unlike Bill Gates/Microsoft, you then market it..."Bill & MS ALWAYS put this step between #1 & #2 ... you end up doing #3 - #7 yourself!"

Let me guess: You're not a software developer.

[mgburg]

Quote:

Originally Posted by Matt L

Let me guess: You're not a software developer.

Nope! Didn't pretend that I did!

But, it seems that between MAC and MS, MS has more problems getting it right, before marketing, than MAC does...

Someone does #4 - #5 better than the other...