Sony's Rootkit Still Causing Problems For Users

Diebold Brushes Off Yet Another Damning Security Report

from the accountability? dept

Wed, Sep 13th 2006 11:15pm — Mike Masnick

Just a day after Avi Rubin discussed many of the real world problems of some Diebold e-voting machines in action, Ed Felten has come out with his quite damning independent review of the machines -- noting just how problematic the security is and how easy it was to upload malicious programs (including a virus that could spread dangerous software from machine to machine). This is hardly the first time we've seen such a report, but it seems like each report is progressively worse. By this point, you'd have to have lived in a hole to believe e-voting machines are secure. Diebold, in typical fashion, has responded not by admitting to any problems, but by attacking Felten's report -- claiming that his test (done on a machine acquired just a few months ago) was based on older software. Still, given the sheer number of reports of security problems with Diebold machines over the years, it's quite difficult to believe that between a couple months ago and now, they've solved all the security issues. In fact, given Rubin's report from yesterday -- it sounds like their "security measures" are so weak as to be a joke. What's most amazing of all is that Diebold continues to act defiantly about this, despite overwhelming proof that their machines have tremendous fundamental problems. Given the importance of secure and accurate elections, Diebold's continued denial of problems and attitude that there's no problem at all should concern just about everyone. Yet, it seems like they're being used almost everywhere.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

47 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

just one guy, 14 Sep 2006 @ 12:31am

Two months to fix the bugs...
it's quite difficult to believe that between a couple months ago and now, they've solved all the security issues

Mike, I don't think that yours is the real point here. You (as we) still have no clue of whether they in fact have solved or not the bugs of their software. I think the reason to dismiss Diebold's response should be more based on reflections such as:
- How many copies of the "old" bug-ridden software have been installed on machines used in past elections?
- How therefore can we be sure that those elections were fair?
- How did you dare at the time be so confident that no problems existed?
- How many of those machines are still around and will be used in further elections?
- Given the abysmal results of their internal quality control unit in the past, what have they done internally to make sure not only that their past bugs were solved, but that no more bugs have been introduced, and that their released software is now safe?
I think that the real issue here is that Diebold keeps on considering election software as just any desktop applications, and behave accordingly as if disclosure of trade secrets to competition were the only relevant issue.

Their change of attitude is more important than their bug fix: election software is a mission critical software that MUST be independently validated before it is allowed to run and control the most fundamental aspect of modern democracies, such as the vote.
[ link to this | view in chronology ]
Anonymous Coward, 14 Sep 2006 @ 12:52am

This is the only way the Republicans will win in November. Diebold - bought and paid for by the GOP.
[ link to this | view in chronology ]
- yangyang (profile), 14 Sep 2006 @ 2:40am
  
  Re:
  I am British and only recently discovered what GOP means. I am surprised anyone still uses this term. I cannot see anything GRAND about the Republicans.
  [ link to this | view in chronology ]
  - Bubba Nicholson (profile), 14 Sep 2006 @ 5:53am
    
    GOP moniker
    Grand Old Party (GOP) derives from Grand Army of the Patomic (River--runs through the capital district between Virginia & Maryland). It reminds or reminded everyone that it was once perfectly legal to shoot republicans in more than half the country (1861-1872). Shooting republicans was even encouraged and facilitated by state and local governments back then.
    [ link to this | view in chronology ]
    - Chuck Norris' Enemy (deceased), 14 Sep 2006 @ 7:47am
      
      Re: GOP moniker
      Back then weren't the Nationalists more like the current Republicans and the Republicans more like the current Democrats.
      Regardless, Democrats and Republicans are essentially the same. Right in the middle with little skewing to the left or right. Overall they all approve of what is being voted in as law. They are all owned by Big Business and agree that laws passed should benefit corporations who in turn fund these clowns' election campaigns.
      [ link to this | view in chronology ]
    - Charles, 14 Sep 2006 @ 11:57am
      
      Re: GOP moniker
      What? I've never heard about this. Does anyone have any idea whether or not this is true? If so, anyone know where I can read more about this?
      [ link to this | view in chronology ]
      - Charles, 14 Sep 2006 @ 11:57am
        
        Re: Re: GOP moniker
        Sorry, was referring to:
        
        Grand Old Party (GOP) derives from Grand Army of the Patomic (River--runs through the capital district between Virginia & Maryland). It reminds or reminded everyone that it was once perfectly legal to shoot republicans in more than half the country (1861-1872). Shooting republicans was even encouraged and facilitated by state and local governments back then.
        [ link to this | view in chronology ]
    - Anonymous Coward, 15 Sep 2006 @ 6:11am
      
      Re: GOP moniker
      POTOMAC not "Patomic".. They don't even sound remotely alike if you "sound it out"
      [ link to this | view in chronology ]
  - Anonymous Coward, 14 Sep 2006 @ 9:58am
    
    Re: Re:
    Dude, get your teeth fixed and shut up.
    [ link to this | view in chronology ]
- yangyang (profile), 14 Sep 2006 @ 2:47am
  
  Re:
  As an afterthought, maybe there IS something grand about them. They have found countless grand ways of screwing up the USA.
  This, of course, from the perspective of someone desperately trying not to hate this nation.
  [ link to this | view in chronology ]
  - Mike S., 14 Sep 2006 @ 3:30am
    
    Re: Re:
    This, of course, from the perspective of someone desperately trying not to hate this nation.
    
    Don't hate the nation, hate the people. We are run by idiots because idiots elect them (I'm counting Dems here too -- not to discriminate). The nation itself is fantastic.
    [ link to this | view in chronology ]
    - Craig J., 14 Sep 2006 @ 6:20pm
      
      Re: Re: Re:
      The people did not elect Bush in either 2000 or 2004. The Republicans have got election stealing down to a science, literally. Also, the corporate-run media (run by the same corporations which run our govt) will not bring the diebold issue into the mainstream public consciousness because - guess what? The same people who own our government own the media!!! The majority of the american people are not stupid enough to elect someone like Bush. But they're stupid enough to think the american mainstream news (CNN or Fox) is trustworthy.
      [ link to this | view in chronology ]
- Anonymous Coward, 14 Sep 2006 @ 9:58am
  
  Re:
  Yeah, it just must amaze you that so many people voted for Bush. If you are going to buy an election shouldn't you win it by a large margin?
  
  Instead of proving to me that somenone could screw with the machines, prove to me someone did. On top of that, I don't even care if the machines are faulty as long as the party of my choice wins. You dumb ass socialist should go to Europe and live there.
  [ link to this | view in chronology ]
  - ebrke, 15 Sep 2006 @ 7:50am
    
    Re: Re:
    Oh, you don't care if the machines are faulty as long as the party of your choice wins? Wake up, some day it WON'T be the party of your choice that wins, it will be the other guys, once they figure out how to hack the system better. It's partisans like you who are ruining this country.
    [ link to this | view in chronology ]
yadda yadda, 14 Sep 2006 @ 2:57am

This story really needs some serious mainstream media attention and a public buzz before this next round of elections if there's anything to be done about this.

Voting is one of the most important exercises in a democracy.. but unfortunately, the people behind the Diebold corporation, as well as most politicians, don't seem to care if the elections could be rigged by these dud e-voting machines.
[ link to this | view in chronology ]
William, 14 Sep 2006 @ 4:30am

A little perspective
I used to prepare the old lever type voting machines for our local elections and talk about insecure! All I had to do while I was in the back of the machine is turn the counting wheel to start say at 1000 instead of 0 and this took no technical training or electronic hacking. At least the new electronic machines take technological savvy to pull off a fraud. The old machines could be rigged by a monkey. I just think a lot of this is fear of technology which always happens with anything new. I am in no way letting Diebold off the hook here. They should tighten up the security on these boxes but it always has been easy to pull off an election fraud.
[ link to this | view in chronology ]
- ebrke, 14 Sep 2006 @ 6:24am
  
  Re: A little perspective
  I'm sorry--I can't buy fear of technology. Many of the people who are most critical of the software are people like Ed Felton who are deeply involved in and invested in responsible software and computer development. They don't fear technology--on the contrary, they are on the cutting edge.
  [ link to this | view in chronology ]
- jsnbase, 14 Sep 2006 @ 7:53am
  
  Re: A little perspective
  The difference between your machines and these is that we didn't have to fight the manufacturer of those machines tooth and nail to provide a verifiable paper record of votes. Fraud becomes pretty obvious then. Also, what you're describing would simply create a miscount in the number of votes, yes? The fear here is that the machines can be programmed to misrecord votes.
  [ link to this | view in chronology ]
  - Anonymous Coward, 14 Sep 2006 @ 8:02am
    
    Re: Re: A little perspective
    I used an electronic machine the past two elections, didn't pay attention to the brand. Both times the machine printed a hardcopy of how I voted. The "goodbye" screen instructed me to review the hardcopy and report any discrepancies to the attendants.
    [ link to this | view in chronology ]
Ed, 14 Sep 2006 @ 5:11am

Look who is the "oversight"
In almost every jurisdiction using these Diebold machines, the people who selected them and defend them are overwhelmingly Republican. There is a concerted effort to KEEP the Diebold machines just as they are, and I think there is a nefarious reason for that. Sure, call me paranoid, but I've seen far too much "monkey business" over the last several years to think such a scenario is now far fetched. It is not in the GOP's interest to allow much of an investigation into these machines.
[ link to this | view in chronology ]
- Anonymous Coward, 14 Sep 2006 @ 7:49am
  
  Re: Look who is the "oversight"
  And the reason the Dems don't want them is because, as William put it, a monkey can rig the current machines. No, the electronic machines are not perfect, but it is harder to commit voter fraud with them than any of the old manual systems.
  [ link to this | view in chronology ]
  - Greg, 14 Sep 2006 @ 10:01am
    
    Re: Re: Look who is the "oversight"
    "No, the electronic machines are not perfect, but it is harder to commit voter fraud with them than any of the old manual systems."
    
    Really? With the old machines you would need a person at each and every location to rig the machine. With the new ones, you just need to put out a software update, or get access through the network.
    
    You are way off the mark.
    [ link to this | view in chronology ]
The Original Just Me, 14 Sep 2006 @ 6:05am

The problem isn't with Repub or Dem...
It is with the incumbents.

People who've been in Congress for so long they aren't even connected to people any longer.

Let's vote them all out and start with a fresh new batch in November. Term limits would be a good idea too.
[ link to this | view in chronology ]
- Brad Eleven, 14 Sep 2006 @ 6:33am
  
  Re: The problem isn't with Repub or Dem...
  I concur. FLIP THAT CONGRESS!!
  [ link to this | view in chronology ]
- Anonymous Coward, 14 Sep 2006 @ 7:23am
  
  Re: The problem isn't with Repub or Dem...
  It is with the incumbents.
  
  People who've been in Congress for so long they aren't even connected to people any longer.
  
  Let's vote them all out and start with a fresh new batch in November. Term limits would be a good idea too.
  
  That's the whole point. It doesn't matter how many people "vote them out". Those in control of the voting machines have a vested interest in making sure the results come out a certain way. The will of the people will never see the light of day. Does anyone really think Bush won in 2004? I mean seriously speaking?
  
  He's already proved that he doesn't bel;ive laws apply to him, so it it too much of a stretch to consider the voting might have been rigged. Actually, there is a lot of much stronger evidence out there to suggest it was. Of course, kinda difficult to prove now that there's no paper trail. Again, this is not by accident.
  [ link to this | view in chronology ]
- Granny, 15 Sep 2006 @ 7:43am
  
  Re: The problem isn't with Repub or Dem...
  Amen! I'm voting for anyone 'new' in this election, from local elections all the way up.
  Once they've been in too long, they get just as corrupted as the old guys.
  We definitely need the Big Guys to have term limits. No one can stay objective who has made a living perfecting his career as a politician.
  [ link to this | view in chronology ]
Overcast, 14 Sep 2006 @ 6:20am

Some of you people are so blindly polarized it's not even funny. Try using your brain sometime instead of the same old, tired worn out republican bashing. You really think the Democrats are so wonderful? You're narrow minded indeed...
[ link to this | view in chronology ]
- Anonymous Coward, 14 Sep 2006 @ 7:26am
  
  Re:
  Some of you people are so blindly polarized it's not even funny. Try using your brain sometime instead of the same old, tired worn out republican bashing. You really think the Democrats are so wonderful? You're narrow minded indeed...
  
  To the contrary, dear Overcast. Those of us who are most polarized are the only ones paying attention. But you are right - it is not funny. It's fucking sick. Believe me, you think republican bashing is tired and worn out? Believe me, it hasn't even started yet.
  [ link to this | view in chronology ]
  - Overcast, 14 Sep 2006 @ 8:00am
    
    Re: Re:
    To the contrary, dear Overcast. Those of us who are most polarized are the only ones paying attention. But you are right - it is not funny. It's fucking sick. Believe me, you think republican bashing is tired and worn out? Believe me, it hasn't even started yet.
    
    Yeah, the bashing's worn out - I don't even listen to it anymore, it's just brainless drivel.
    
    And no, I pay quite a lot of attention that's why I'm not a mindless polarized partizan drone who can't think for hisself.
    
    But go on, Bash bush like the rest of the 'enlightened' ones. I'll just laugh and continue to agree with Einstien when he said there's no limit to human stupidity..
    
    But go one now... go join your fellow Bush bashers for a latte. Maybe you can stroke your own ego a bit more. Bush bashing's so cool!!
    [ link to this | view in chronology ]
    - Sanguine Dream, 14 Sep 2006 @ 8:31am
      
      Re: Re: Re:
      Instead of just discussing opinions like mature people everyone is too busy caught in "cleverly" insulting anyone that doesn't agree with them. Too damn busy trying to accuse the other side of bandwgoning. More concerned with getting the last and best word than just trying to help the other side understand where you are coming from and vice versa. Flamebaiting then running to the moral highground to make yourself feel better when they attack back.
      [ link to this | view in chronology ]
Nilt, 14 Sep 2006 @ 6:37am

Expected this response
Having read the actual report in full, I expected Diebold to come up with exactly this remark. On page 2 of the report it states:
The machine we obtained came loaded with version 4.3.15 of the Diebold BallotStation software that runs the machine during an election.1 This version was deployed in 2002 and certified by the National Association of State Election Directors (NASED) [11]. While some of the problems we identify in this report may have been remedied in subsequent software releases (current versions are in the 4.6 series), others are architectural in nature and cannot easily be repaired by software changes. In any case, subsequent versions of the software should be assumed insecure until fully independent examination proves otherwise.

The real issue at hand, which Diebold refuses to accept responsibility for, is that their previous claim of the software being secure has now been shown to be absolutely false. Why should we now, absent any proof whatsoever, accept that the new version is any different? Hopefully this study will get some attention and we'll see some change.
[ link to this | view in chronology ]
- Anonymous Coward, 14 Sep 2006 @ 7:54am
  
  Re: Expected this response
  Have any flaws ever been found at or before an election? If someone finds a bug 4 years after the fact, then I would trust the results of that previous election. The only time I will worry is if someone finds a way to hack the system before the election.
  [ link to this | view in chronology ]
- Sue Simmons, 28 Sep 2006 @ 8:16am
  
  Re: Expected this response
  As a chickasaw citizen, I ran for legislator and lost by 46 votes. I knew going into the election that the machines can be programed with a memory card and with a virus. My votes are to be locked for 3 years. It would take a court order to unseal the ballots. To get the order through our government would be close to impossible.
  A hand count of the votes may prove the machines were right or wrong.
  Another legislator that lost by 18 votes asked for a hand recount and was denied.
  In my opinion our elections are no better than 3rd world countries.
  [ link to this | view in chronology ]
Luna, 14 Sep 2006 @ 6:40am

Alternatives to Diebold...
How about in counties where the Diebolds have taken up residence, concerned voters opt to vote via absentee ballot? That would ensure that there is at least some kind of paper trail... I know that is what I would do if those dratted machines came to my town!
[ link to this | view in chronology ]
Anonymous Coward, 14 Sep 2006 @ 6:43am

I think people should take the new malicous software that was demonstrated today and distribute it to as many tech savy groups and individuals in the US as possible. Then come November when people who were not on the ballot have 100% of the votes someone will wake up and do something. Or the media will just spin it as a "terrorist attack" or the Republicans will blame the dems and vice versa.
[ link to this | view in chronology ]
Sanguine Dream, 14 Sep 2006 @ 7:03am

All it's gonna take...
is some major politician to lose a major election (governor or something). I bet something will be dont then.
[ link to this | view in chronology ]
i4c, 14 Sep 2006 @ 7:33am

they are all going to hell anyway
these are the corrupt scumbags who messed with the voting machines to put monkey boy bush in office in the first place
[ link to this | view in chronology ]
Anonymous Coward, 14 Sep 2006 @ 7:44am

Every report I have heard of a security flaw is based on the tester having their own machine to work on at will. If an attacker has physical access to a network, the network is not secure either.

Show me just one case where there has been a real world exploit of any of an electronic voting machine.
[ link to this | view in chronology ]
Anonymous Coward, 14 Sep 2006 @ 7:59am

I'd like to point out that the e-voting thing has really been pushed forward by democrats.....convinced that the '04 elections were "stolen" from them by hanging chads and what-not. That whole thing was pretty ridiculous excercise overall, but that's what led us to this point.

Why is it when republicans lose by a slim margin and there's some voting irregularity (and there's always SOMETHING) they're mostly willing to let it go, but the reverse is not true? Really it was prefferable before, cuz if something weird happened, you could point to it, hold it in your hand. Now, you might never even realize, and the effects could be much more pronounced.
[ link to this | view in chronology ]
photon11111, 14 Sep 2006 @ 8:18am

I sounds as if most are missing the meat of what has been said. Putting down on political parties has nothing to do with the problem.
[ link to this | view in chronology ]
cycle003, 14 Sep 2006 @ 9:06am

Real world exploits?--How would we know?
Show me just one case where there has been a real world exploit of any of an electronic voting machine.
One of the major problems with the lack of security and accountability of electronic voting machines is that we may never know if tampering occurred. People such as this Anonymous Coward (#21) allow companies like Diebold to continue pushing the "security through obscurity" scam. For the most part, advocates for secure voting machines are not doing so out of some political agenda, but statements made by Diebold executives guaranteeing certain election results certainly provoke partisan mudslinging. We only ask that the system has accountability, which a thorough paper backup system should offer. Elections will always be subject to tampering, but every reasonable effort should me made to secure fair elections.

Finally, Republican-bashing does nothing to help the cause of securing voting equipment. In fact, the name-calling-blame-game only weakens the credibility of those who truly want to see fair elections.
[ link to this | view in chronology ]
Anonymous Coward, 14 Sep 2006 @ 9:24am

I'm not worried in Sanford, FL
When I went to vote in the primary election here a week or two ago, I'd thought some local retirement community or AARP group had been contracted to operate the polling locations. Unless the hack was done by people voting and not the people operating the place, I somehow seriously doubt they'd manage to pull off anything at all. :)

Not to mention, for whatever reason, there were 4 men sitting at a desk off to the side who did nothing but watch the 2 - 3 people voting like hawks. Out of sheer boredom or what, I don't know.

My main concern: Low turnout. Wtf does it matter if voting is 98% fair or 99% of the time fair if turnout is as abysmal, and getting worse, like it is? At 20, I was the youngest person there, except for some grandkids a couple grandparents brought with them. Again, the people voting were like the AARP members who didnt pull the short stick and have to work the polls themselves.
[ link to this | view in chronology ]
- Anonymous Coward, 14 Sep 2006 @ 10:10am
  
  Re: I'm not worried in Sanford, FL
  I am ok with only 3 people voting as long as one of them votes the way I do. I don't see why more people voting is better. As long as the proper decisions are made the number of people making that decision is unimportant.
  [ link to this | view in chronology ]
Lay Person, 14 Sep 2006 @ 11:04am

Silly Rubin...
Silly Rubin, security is for kids!

Do you really think anyone wants security?

If the voting machines are slippery regarding security then that's just the way they ordered them.

See, George and his henchmen can slip another one of themselves into office with a customizable voting machine. Without it, they don't have a hell of a chance.
[ link to this | view in chronology ]
leo, 14 Sep 2006 @ 12:24pm

rigging the old machines was easy
It may have been easy to rig the old machines but there was at least a papper trail to inspect election results, with the new machines we lose even that.

Personally i think we should just get it over with, elect an army of killer robots to reign over us carfully watching our every organic move through the cold steele eyes.

alos, their eyes shoot lasers cuz lasers are neat!
[ link to this | view in chronology ]
- William, 15 Sep 2006 @ 8:14am
  
  Re: rigging the old machines was easy
  Actually, there was no paper trail with the old lever type. The lever simply incremented the counting wheel by 1 and the poll workers read the wheel counts in the back of each machine at the end of the night.
  [ link to this | view in chronology ]
Barry K. Byers Sr, 24 Nov 2006 @ 11:58am

election misconduct
It certainly appears that Our Great Nation will be tainted by corruption in and at the highest levels of Our Government...I wish to file formal complaint as a tribal member and would like a response as soon as possible from Our Governor concerning the new election proposal and the reconciliation of past vote assimilation by those same methods as well as a recount by hand to verify accurate counting measures have justified the elections of current leaders within the Chickasaw Nation.
[ link to this | view in chronology ]