Vales419

Hello all,

I don't usually post too much, unless I feel its really important but I need to tell everyone to watch a documentary that was premeried on HBO this evening. Its called Hacking Democracy.

Below are two links, which you can visit for more information about the film.

First is the HBO's website: http://www.hbo.com/docs/programs/hac...acy/index.html

Second, is the main contributor to the film and really what the documentary is about:
http://blackboxvoting.org/

I HIGHLY recommend every one watching this documentary, if you have HBO of course.

I was very impressed by the film, FACTUAL research and testing of this so called "secured" voting talling machines. It makes me wonder about the Presidential election in 2000 and 2004 and wondering how the upcoming election will turn out this coming Tuesday.

V.

__________________
"Here's ten bucks, bring me the head of Barry Manilow" --Dr. Denis Leary

Xell101

I feel like a sucker for voting. I also feel like George Bush lost both times, and I doubt that this will recieve appropriate attention attention unless in '08 Captain Picard and Captain Kirk come in a dead heat.

newtx

I am really surprised this documentary acually made it to TV. Very interesting. Makes you wonder about the whole vote counting process.

balderdash111

Watched it last night (yay Tivo!), and here is my sense...

I thought it was a little heavy handed in tone and its treatment of the subject. Michael Moore-ish, if you will. The woman crying over the revelation that they could hack the system using the memory cards was a bit much, I thought. You could tell that there was another side to the story which really wasn't getting any air time.

Factually, here is what they proved: the Diebold systems are hackable, even though Diebold says they aren't.

This does not shock me in the slightest. No system is completely secure, and any software developer and/or security specialist knows it. Diebold's problem is that they are keeping all the code secret, so nobody can examine the systems for security.

On the one hand, I can't say I blame them. It is a competitive industry, and their code is their "crown jewels." The last thing they want to do is lift up their skirts so their competitors can rip off their ideas.

On the other hand, to borrow Bruce Schneier's phrase, "security through obscurity" is a bad idea. That is, if the security of the system depends on only the right people knowing how it works, the entire system collapses once other people know the secrets. When Diebold slipped up by making their code available on an FTP site, they lost the obscurity and therefore lost the security.

I am not a security expert, but from what I understand the more you expose a system to the public for security review, the MORE secure it becomes. It is counterintuitive, but there you go.

So, in short, I am not suprised the Diebold system is hackable, and I am not surprised Diebold doesn't want to open up the code to examination by the public. If they did open up the code, it would be more secure, but Diebold would be revealing its secrets to its competitors. Tough spot for them.

---------

But here's an important thing they did NOT prove in the documentary: that anyone actually has tampered with an election by hacking the machines.

From what I understand, Diebold's argument is that while people have been able to show vulnerabilities in the system in test conditions, they would be very difficult to exploit in practice. On the cards, for example, someone would need to get a card, get it to a computer with a card reader to reprogram it, then surreptisiously put it into a machine - all during the hubbub of an election. Maybe an insider could get away with it, but the documentary never showed whether there are internal checks and chains of custody that would make that possible.

Did they ever explain the negative votes thing? Seems like they made a lot of ominous fuss over it, but never gave an answer as to whether it was a deliberate attempt to fudge an election or some sort of weird software flaw. (Self editing - I'm not saying if it's a software flaw it's ok, but it's definitely not as bad as a conspiracy)

They also never pursued the issue of discrepancies between the original print-outs of vote tallies and the summary reports they received a few weeks later. Was there some innocent explanation that they decided not to include? Was there any indication that the certified results were not what was used in the election?

-----------

I guess my point is that the documentary showed sloppiness on the part of some election officials, that they give too much faith to the voting machines, and that Diebold has not been open and honest in discussing security issues.

It did not show that the systems have been used to actually rig an election, and it seems like proper practices by election officials could do a great deal to ensure that they aren't used to do so.

__________________
A little silliness now and then is cherished by the wisest men. -- Willy Wonka

ratbastid

That's their defense, but IMO it's a crock.

What "ideas" are we talking about here? Take input and save it? A first-week CS student can do that. It's recently been revealed that they're not even using encryption on the memory cards.

They're refusing to show their source not because of trade secrets but because they're embarrassed at the security swiss cheese they've deployed. And, if you're conspiracy-minded, because they want to keep the backdoors secret so they can continue guaranteeing elections for the candidate of their choice.

balderdash111

Well, as someone who works a great deal with lawyers at software companies, I have to tell you that keeping the code secret is a paramount concern for all of them, even if the code itself is not all that complicated. It's a reflex. I am sure there is more to the code than taking input and saving it, but I don't know how much more, and that is no doubt what Diebold doesn't want to show to competitors.

I suspect that one of Diebold's motives is security - they don't want to open up the code to allow people to figure out how to hack it. Security through obscurity, as I mentioned above.

If you think about it, they have a number of pressures:

1) The sales guys know that nobody will buy a system that the engineers will say is hackable. They need to sell a product, so they say it is secure.

2) Engineers know that there must be holes they didn't think of, and they know that releasing it to the public will allow the bad guys to find the holes. So, they keep the code secret.

3) Lawyers don't want to reveal trade secrets and propietary methods to the public, so they can preserve their ability to sue if someone rips off their ideas. So, they keep the code secret, too.

4) Auditing firms (like engineers) know that there must be security holes in the systems, and that they will never be able to identify all of them. So, they refuse to certify systems as secure for fear of taking on liability when/if a flaw is disclosed.

Ultimately, what is needed is an open source software system, created by engineers, computer scientists, election officials and security experts. It will take a while, they will need to be paid, and they will need to be public about what they are doing and open the system up to public review, but ultimately I think it could work.

__________________
A little silliness now and then is cherished by the wisest men. -- Willy Wonka

Xell101

The thing is that the security is woefully inadequate for something as serious as voting.