Democratic Underground Latest Greatest Lobby Journals Search Options Help Login

Just found this... Not sure if it is a Dupe or not....

Printer-friendly format Printer-friendly format
Printer-friendly format Email this thread to a friend
Printer-friendly format Bookmark this thread
This topic is archived.
Home » Discuss » The DU Lounge Donate to DU
NamVetsWeeLass Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Nov-14-04 03:44 AM
Original message
Just found this... Not sure if it is a Dupe or not....

God Save us From Journalists | Main | Five Things to Make You Smile
September 23, 2004
Diebold Machines Easily Changed
by Kevin
This does not make me feel confidant:

The trick was uncovered by Herbert Thompson, director of security technology at Security Innovation and a teacher of computer security at the Florida Institute of Technology. Thompson has authored several nonfiction books on computer security and co-authored a new novel about hacking electronic voting systems called The Mezonic Agenda: Hacking the Presidency.

After Harris met Thompson at the Defcon hacker conference this year, she asked him to examine the GEMS program. He found he could write a five-line script in the Notepad text editor that would change the vote summaries in GEMS without changing the raw precinct data. The auditing log in GEMS wouldn't record the change because it only tracks changes that occur within GEMS, not changes that occur on the computer outside of GEMS.

After writing the script, Thompson saved it as a Visual Basic file (.vbs) and double-clicked it to execute it.

The command happens in the background where no one can see it. To verify that the changes occurred, Thompson could write another script to display the vote data in a message box after the change. Once the scripts finished their work, they would go into the Recycle Bin, where Thompson could delete them.

When Harris demonstrated the vulnerability to officials in California, she opened the GEMS program to show that the votes changed as the script commanded them to.

Frankly, based on the bits of code and the discussion around the system, I am surprised it took this long to find this kind of vulnerability. These systems are simply not secure in any meaningful way. They are poorly designed and poorly coded, and should not inspire confidence. Diebold claims that there are procedures in place to prevent that kind of manipulation, and that no one has ever broken the law. Seriously:

But speaking generally on the vulnerabilities Harris mentions, Diebold spokesman David Bear said by phone that no one would risk manipulating votes in an election because it's against the law and carries a heavy penalty. He also said that election "policies and procedures dictate that no (single) person has access or is in control of a (voting) system," so it would be impossible for anyone to change votes on a machine without others noticing it. And even if someone managed to change the votes, auditing procedures would detect it.

The problem, of course, is that people do break the law, and procedures are not always followed:

Jefferson, the Lawrence Livermore computer scientist, agreed that election procedures usually indicate that there should not be one person operating the counting software. He also agreed with Bear that officials could catch discrepancies in vote totals if they went back and manually added up the results from every individual polling place and compared the totals with the tallies in the summary report. But Jefferson said that election officials and poll workers don't always follow procedures. In the California March primary, he pointed out, several counties refused to follow procedures that were requested by the secretary of state's office and others failed to follow procedures that are mandated under California election law.

Now, there is always the matter of access. But it is common for Diebold employees to assist poll workers with the machines, and poll workers themselves have access to the machines. I cannot stress how simple this change would be, and how easily it could affect the vote. There are simply no real safeguards for preventing people with access to the machines from changing the results of the elections, and no real ability to tell that it has been done. It is simply inconceivable to me that these machines would be allowed anywhere near an election. Their design and implementation -- speaking as someone who codes and designs for a living -- is incredibly poor. I am literally struggling to find words to convey just how awful this design really is. "Inexcusable" and "bug-stupid" just don't do it justice. I cannot believe anyone approved this design -- literally, cannot believe that anyone with a day's worth of experience or an ounce of common sense thought this was an appropriate design. If these machines were toasters, they would not only set your house on fire the first time they were used, they would set your neighbors' houses on fire and disable all the phones so that no one could call the fire department.

Steve Gilliard is constantly pounding on the fact that no one needs to mess with the voting machines because voter intimidation tactics work so well. He is partly correct -- it is already obvious that voter suppression is beginning to stir. But voter suppression is hard, dirty work that leaves finger prints and trails of evidence. The kind of manipulation that is possible with these machines is almost undetectable. In a close election with poor polling models -- such as this one -- there will be very few outside clues to point fraud. If I wanted to steal an election, and I had a choice, I would prefer fixing these Diebold machines to trying to keep people away from the polls. It is quicker, more reliable, and less likely to be discovered.

Steve is right that the old-fashioned methods work well. But we cannot afford to ignore the more modern, high-tech fraud now possible. This vulnerability is a perfect example of the potential for fraud waiting at polling places all over the country.

| Other weblogs commenting on this post
I really love the 'nobody would do it because it's against the law' defense; apparently all those prisons are just figments of our imagination!

Posted by: Garnet on September 23, 2004 02:21 PM
Yeah, those "prisons of the mind", they're everywhere...

I think the Repubs are covering all their bases, too. In which state were they encouraging their own to vote absentee? Ohio, maybe? I think the idea is that, if there's a giant mess, THEY'LL have paper trails to prove how they voted -- "your side got no paper trail, well cry me a river, get over it, you lost...!"

Posted by: Jeff on September 24, 2004 11:52 AM
Post a comment
Printer Friendly | Permalink |  | Top
UL_Approved Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Nov-14-04 04:25 AM
Response to Original message
1. A VBS script?
For a script of that short of a code to be able to alter the results would require that NO encryption was performed upon the election summary data. With the ability to produce a phony summary, the actual ballots may also be stored as unencrypted data. This is EXTREMELY dangerous for sensitive data. With a network connection and access to Windows networking facilities (NetBIOS) or a VNC client, one could read, download, alter, and upload defrauded result. This is even worse than the hard-coded cypher key in the software. You could literally reduce the "secure" election results to a Microsoft Office file.
Printer Friendly | Permalink |  | Top
Droopy Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Nov-14-04 04:34 AM
Response to Original message
2. I haven't seen this before
It needs to be posted in a more serious forum than the lounge, though.
Printer Friendly | Permalink |  | Top
NamVetsWeeLass Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Nov-14-04 04:45 AM
Response to Original message
3. Mods Please move to a "more serious place"
Droopy, where should it be?
Printer Friendly | Permalink |  | Top
Droopy Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Nov-14-04 04:57 AM
Response to Reply #3
5. General discussion
You're likely to get more views there.
Printer Friendly | Permalink |  | Top
NamVetsWeeLass Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Nov-14-04 04:54 AM
Response to Original message
4. here is the link I followed.
Printer Friendly | Permalink |  | Top
DU AdBot (1000+ posts) Click to send private message to this author Click to view 
this author's profile Click to add 
this author to your buddy list Click to add 
this author to your Ignore list Sat Jan 20th 2018, 03:22 AM
Response to Original message
Advertisements [?]

Home » Discuss » The DU Lounge Donate to DU

Powered by DCForum+ Version 1.1 Copyright 1997-2002
Software has been extensively modified by the DU administrators

Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

Home  |  Discussion Forums  |  Journals |  Store  |  Donate

About DU  |  Contact Us  |  Privacy Policy

Got a message for Democratic Underground? Click here to send us a message.

© 2001 - 2011 Democratic Underground, LLC