Is Having A Hacker Break Into Diebold Machines A Bad Idea?

from the seems-like-it dept

We're seeing a ton of stories about how California has hired a hacker to try to break into a randomly selected (previously used in an election) Diebold e-voting machine. Diebold, of course, has a long and troubling history concerning its e-voting machines, which have no way to create a backup paper trail. However, while many of those who are against these types of e-voting machines are happy about this week's hack-a-thon, it actually sets a very bad precedent. Opening up the machine to a single hacker puts the burden of proof on the hacker, rather than on the company. The company making the voting machines needs to prove that they're safe and that there's a way to recover from any problem. By handing it off to a single hacker, suddenly the assumption is that the e-voting machines are safe unless the hacker breaks into them. So, should he not find a particular security hole, the company will start promoting that as proof that the machines are secure, when all it really means is that this one particular hacker was unable to find a vulnerability.


Reader Comments

  • Sv, 28 Nov 2005 @ 3:19am

    or..

    Let's hope he's a good hacker and finds so many holes as to make Sony's rootkit story look good.

  • Alaric, 28 Nov 2005 @ 6:06am

    Those Hackers might save Democracy

    The company has absolutely no incentive whatsoever to secure its own machines.

    The only way those machines will ever be made safe is if outside hackers prove them unsafe and then an independent body upgrades them.

    Black box voting is a very bad idea and it essentially puts Diebold and ESS (the other e-voting company) in control of democracy. No company or person should have that kind of power.

    Here is a question for you: How much would it cost to alter an election? Would it be $1 million, $10 million, $50 million, probably not too much. How much would a corporation, special interest or foreign power pay to put their people in control of this country?

  • Precision Blogger, 28 Nov 2005 @ 6:14am

    What's at stake?

    Obviously it would be better if Diebold held regular hacking contests, offering a reward for hacking into their regular machines. But if it's understood that this is a lose/lose situation for Diebold - that is, failure to hack in proves nothing - then I'd say it's okay.

    The quoted story indicates that the hackers have the edge here. They already broke into one Diebold machine, and they are attacking another machine that has not been "hardened" against their anticipated attack.
    - precision blogger http://precision-blogging.blogspot.com

  • Anonymous Coward, 28 Nov 2005 @ 7:36am

    No Subject Given

    Hack the Planet!
    I'm so tired of hearing about this. It really isn't all that hard to create a paper backup. The problem is that A, you would have to monitor your paper consumption and be sure to replace it in time, and B, corruption of the people guarding these machines who "forgot to replace the paper" and either really did, or just flat out stole the paper version. What you are looking at is a government sponsored (did I really say that?) politically unbiased 3rd party to be put in charge of these machines.

    All in all this is really more trouble than it is really worth. The party that wins will be victorious, and the losing factions will cry foul. I have seen this too many times since I turned 18 whether it be local, county, state, regional, or national election.

    I hope that swiss cheese has less holes than these machines.

    • Garfiode, 28 Nov 2005 @ 9:33am

      Re: No Subject Given

      Even with a paper trail it is still possible that your vote will not be recorded correctly even on the paper trail. This is because who says that they are going to really print what you voted for on that paper trail, if it is even there at the end of the day.

  • subversion is the key, 28 Nov 2005 @ 7:43am

    No Subject Given

    Who is to say that said hacker didn't find a 'hole' and simply did not report it? It would most likely benefit any hacker to have free run of 'legally' attempting to hack a machine, and find any weakness, and not report it but sell information about how to hack it at the most opportune time.
    If they are going to open things up to malicious activities, they must be willing to think malicious themselves. This type of thing lends itself to the old adage, "If you want to catch a crook, you need to think/become the crook."
    One would think that all prior events would teach us that whatever is built can also be destroyed. Nothing is impervious. Someone will always build a better mousetrap, and someone will always find a way to get the cheese without setting off the trap.

  • theStorminMormon, 28 Nov 2005 @ 7:48am

    it's a good thing

    People who understand the basics of security and hacking already realize how full of holes the Diebold system is. So from our standpoint, it doesn't matter if a hacker is hired to attack a particular machine or not.

    But I think that the public in general does not have the default "unproven security = bad security", they instead assume "big corporation = legitimate corporation = good security". So, since the public in general already either doesn't care or assumes the Diebold security is "good enough" then there's really nothing to lose by having someone try to hack in. At least, not very much to lose.

    But if the hack succeeds, then we're going to have front-page level news - and that's a lot to gain.

    It would be better to have multiple hackers try, or even open it up to public efforts (which would also demonstrate how a lot of people could possibly bring down the system even when one hacker can't). Those efforts should be advocated. But having one hacker (I'm assuming with decent creds) try is better than nothing.

    -stormin

    • Sissy Pants, 28 Nov 2005 @ 8:07am

      Foolish

      Like elections haven't been bought before... If you have enough money you can get elected... anyone heard of George W. Bush?

  • Mike S., 28 Nov 2005 @ 8:16am

    Take a step back...

    We're debating the wrong thing. We're debating whether or not it's ok to do black-box hacking on a closed-source, proprietary system that will help determine who our elected leaders are.
    The real question, and the ONLY one we should debate whenever the topic of these systems comes up, is WHY ON EARTH would we allow a closed source system (famously code reviewed by a whopping 3 government coders) to be responsible for our elections.
    There are several open source solutions on the net that could/should be used, and I guarantee that if the gov't ever decided to use one, the tech community would give that code the best review ever given to code. It would become the most robust, maintained, maintainable, and solid code we have ever seen. On a par with Windows, one might say!! (sorry. tension breaker -- had to be done)
    Alas, we sit around and debate whether or not having one hacker try to overrun a buffer is a good thing.
    -Mike S.

    • Mike, 28 Nov 2005 @ 9:06am

      Re: Take a step back...

      Yes, we should take a step back, and yes we should be looking for open solutions. However, the PROBLEM is that right now everyone's looking at this hack attempt as if it's going to prove that the Diebold machines are unsafe. THAT's the problem. It's dangerous to set things up where we're using the hackers to prove the wrong thing. If the hacker fails, then these machines are going to be labeled SAFE -- and your dream of open source voting goes to hell. So, let's focus on what's happening now, and try to make it clear why it's a bad idea. Then you can discuss better solutions so that this issue would never come up in the first place.

      • Mike S., 28 Nov 2005 @ 10:40am

        Re: Take a step back...

        @Mike:

        I agree that this hack attempt is bound for failure.

        My problem is that by attacking their testing mechanism instead of the whole concept of proprietary, closed-source voting machines, this red-herring argument becomes effective.

        Clearly, placing one hacker in front of a black box and saying 'GO' is just a publicity stunt. It's our responsibility as concerned citizens to recognize that and bring the argument back to the meat. Closed source voting is BAD.

        The answer is not to address the hacker or any other means that Diebold will use for testing, but to concentrate on the real issue.

        -Mike S.

        • Mike, 28 Nov 2005 @ 11:29am

          Re: Take a step back...

          Mike S.,

          I think we're saying the same thing. :) My point is that this hack attempt takes away from the real issue, and therefore it's bad. I think you're saying the same thing, but are calling me out for bringing it up in the first place.

  • salametti, 28 Nov 2005 @ 9:09am

    lol

    That's funny....you think if someone figured out how to gain access to Diebold system....that 1st of all they would tell the govt and 2nd chances are they are going to get more protections and money if they sold the info to another company....

  • jryan, 28 Nov 2005 @ 9:48am

    agreed

    I wonder if the lone hacker realizes this?

  • Kaizoman, 28 Nov 2005 @ 10:58am

    Fact of the Matter

    You can rack this one up to the government doing something stupid again. Yet, it touches at an enormous problem surrounding the Digital Millennium Act (I think that is the name) and the Patriot Act. This 'hacker' that the company has hired is in a very precarious position. If he successfully commits a 'hack', even if gainfully employed to do so, the very company could call up the FBI and under the DMA could have him charged federally for committing the act.
    Cisco did this to one of their own employees just a little while ago, where they contracted a network analyst to break their security and when he did they fired him and had him charged under the DMA and the Patriot Act for violating their 'rights'.

    • FireMonkey, 28 Nov 2005 @ 12:33pm

      Re: Fact of the Matter

      No, Cisco did not charge anybody with DMA violations for hacking their routers... They threw a fit because the guy that found the flaw went public with it at Black Hat in Vegas last year. First, the flaw was documented in the Black Hat handout booklets, then he gave a presentation detailing the flaw(s), complete with PowerPoint presentation. Cisco pulled the info from the handouts (hard copy and CDs). Cisco then instructed him to not give the details in the presentation. He did it anyway. He got fired and harassed by the FBI. He did not (to my knowledge) get arrested, but there were a ton of rumors to the contrary.

  • Anarchy_Creator, 28 Nov 2005 @ 12:37pm

    Ever Hear Of Open Source?

    1. What they oughtta do (since voting is done by, and for the people anyhow) is allow the open source community to code the OS/program that the voting machines run on.
    2. Let whoever wants to try to hack it for a small, but worthwhile reward (be it money or fame).
    3. Upon successfully hacking it give step by step instructions as to how they hacked it to the open source team so they can patch the hole.
    4. Repeat steps 2-3 until no more holes are presently found.
    5. Then implement the new procedure as the standard.

    As for the paper trail...
