[E-voting] Diebold voting machines vulnerability

Justin Mason jm at jmason.org
Thu Sep 2 23:44:07 IST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Adrian Colley writes:
> On Wed, Sep 01, 2004 at 09:16:15AM +0100, Casey, Dermot (GE Consumer Finance) wrote:
> > Diebold voting machines vulnerability
> > *Cory Doctorow*: Diebold's voting machines have a stunning security defect:
> [...]
> >     By entering a 2-digit code in a hidden location, a second set of
> >     votes is created. This set of votes can be changed, so that it no
> >     longer matches the correct votes. The voting system will then read
> >     the totals from the bogus vote set. It takes only seconds to change
> >     the votes, and to date not a single location in the U.S. has
> >     implemented security measures to fully mitigate the risks.
> 
> Incredible.  From http://www.blackboxvoting.org/?q=node/view/77 :
> 
> > Jeffrey Dean, according to his own admissions, is subject to blackmail
> > as well as financial pressure over his restitution obligation. Police
> > records from his embezzlement arrest, which involved "sophisticated"
> > manipulation of computer accounting records, report that Dean claimed
> > he was embezzling in order to pay blackmail over a fight he was
> > involved in, in which a person died.
> >
> > So now we have someone who's admitted that he's been blackmailed over
> > killing someone, who pleaded guilty to 23 counts of embezzlement, who
> > is given the position of senior programmer over the GEMS central
> > tabulator system that counts approximately 50 percent of the votes in
> > the election, in 30 states, both paper ballot and touch screen.
> >
> > And just after he is hired, multiple sets of books appear in GEMS,
> > which can be decoupled, so that they don't need to match, by typing in
> > a secret 2-digit code in a specific location.
> 
> I'm a bit dubious about this, because it sounds too blatant.  But it
> warrants investigation, even if it turns out to be disinformation
> designed to make Ms Harris look like a conspiracy theorist.  I wonder
> what this "2-digit code" is supposed to be?  The story is singularly
> vague on that point.

I've been wondering about this too... the presentation is too keen to jump
to conclusions in my opinion, but I don't know enough about MS Access.

More commentary at Eric Rescorla's weblog btw --
<http://www.rtfm.com/movabletype/archives/2004_09.html#001074>.

I think the connection between Dean's hiring, and this back door (it's a
back door, not a bug), is too paranoid.  In my opinion, if such a blatant
hole was added by him for nefarious purposes and so soon after his hiring,
there'd be a spate of resignations from disgusted workmates who wouldn't
want to stick around for that kind of dodginess.

What other possible reasons are there for decoupling the real vote data
from what is tabulated?   Would it be useful for QA?  (and I mean useful
in a practical way, not useful as in it could conceivably be used for that
purpose.)

EKR has a very good point in the weblog entry above btw.  'I expect voting
software to have problems--it's software, and software has bugs. But if
we're going to claim that it's safe then the people writing and operating
it [jm: the election officials] need to be alert to those problems and
responsive when they're disclosed. That doesn't seem to be the case here.'
Well said -- a fundamental issue with all voting machine rollouts so far,
as far as I can see.

- --j.

> This snippet is especially interesting for us:
> 
> > Microsoft Access encourages those who create audit logs to use
> > auto-numbering, so that every logged entry has an uneditable log
> > number.  Then, if one deletes audit entries, a gap in the numbering
> > sequence will appear.  However, we found that this feature was
> > disabled, allowing us to write in our own log numbers.  We were able
> > to add and delete from the audit without leaving a trace.
> 
> because Nathean complained about a lack of autonumbered keys in the
> Powervote IES.  Of course, an attacker could simply delete and restore
> (most of) the contents of the audit log without leaving gaps.
> 
>  --Adrian.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFBN6I3QTcbUG5Y7woRAtPNAJ9W77uL7kCnmha5MBjZIliPF5IqPgCeMEw4
zeyp7pw/Dy8ZYq1/rCXVi8k=
=2kyc
-----END PGP SIGNATURE-----
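
The audit-log point quoted in the message above, as an added example that is not part of the original thread: a gap check catches a deletion only while log numbers are uneditable, and renumbering hides it. The hash chain is a technique the thread does not mention; the function names and log entries are hypothetical, and the sealed chain is assumed to be stored outside the editable database.

```python
import hashlib

# Constructed sample audit log (not real GEMS data).
LOG = [
    {"id": 1, "event": "open election"},
    {"id": 2, "event": "upload precinct 12"},
    {"id": 3, "event": "edit totals precinct 12"},
    {"id": 4, "event": "close election"},
]

def find_gaps(entries):
    """Missing log numbers between the lowest and highest id present."""
    ids = {e["id"] for e in entries}
    if not ids:
        return []
    return [n for n in range(min(ids), max(ids) + 1) if n not in ids]

def seal(entries):
    """Hash chain: each link covers the previous link plus the current entry."""
    links, prev = [], b"\x00" * 32
    for e in entries:
        prev = hashlib.sha256(prev + f"{e['id']}|{e['event']}".encode()).digest()
        links.append(prev.hex())
    return links

def first_mismatch(entries, sealed):
    """Index of the first entry that disagrees with the sealed chain, else None."""
    current = seal(entries)
    for i, link in enumerate(current):
        if i >= len(sealed) or link != sealed[i]:
            return i
    return len(current) if len(current) < len(sealed) else None

SEALED = seal(LOG)  # assumed to be stored where a database editor cannot reach

# Entry 3 deleted while log numbers are uneditable: the gap shows.
deleted = [e for e in LOG if e["id"] != 3]
# Entry 3 deleted and the rest renumbered, as writable log numbers allow.
renumbered = [{"id": i, "event": e["event"]} for i, e in enumerate(deleted, 1)]

if __name__ == "__main__":
    print("gaps after delete:  ", find_gaps(deleted))
    print("gaps after renumber:", find_gaps(renumbered))
    print("chain mismatch at:  ", first_mismatch(renumbered, SEALED))
```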



