Diebold Source Code Leaked Again -- Is That Such A Bad Thing?

from the should-be-secure-either-way,-right? dept

Mon, Oct 23rd 2006 1:39am — Mike Masnick

The e-voting mess continues to get messier, as the FBI is looking into the possible theft (and leak) of Diebold's e-voting source code. Various articles on this are pointing out how problematic this is, as the source code could help someone discover a vulnerability and cause problems in next month's elections. Of course, to be totally honest, it doesn't seem like it takes all that much work to find security vulnerabilities in Diebold e-voting machines these days with or without the source code. At the same time, it also sounds like this particular source code is a bit old. More importantly, though, if Diebold is really so confident that their e-voting machines are safe (as silly as that may sound), shouldn't they be comfortable with the machines' security even if the source code is public?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

18 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Mike F.M, 23 Oct 2006 @ 2:51am

Well...
...to be honest their security can't get much worse so this leak shouldn't threaten them too much.

It's more how the person got the source code that I would be worried with. If they managed to get that, what else can they get hold of?

(First)
[ link to this | view in thread ]
Daniel (profile), 23 Oct 2006 @ 4:25am

Possibly the best theing to happen to them.
Leaking Diebold's source code could possibly be the best thing to happen to them. With the code out in the open, its problems can get hashed out and its leaks can get plugged. This is obviously MUCH better than leaving them there and hoping no one will catch on. Security through obscurity is just another way of saying "we've got easter eggs - come and find 'em!"
[ link to this | view in thread ]
John B, 23 Oct 2006 @ 4:28am

diebold security
If Robin Williams wins the write-in vote for president, (although considering probable republican/democratic candidates, this may not be a bad thing) we will know how the source code from diebold was used, and how easy it is for an election to be stolen with these so-called "secure" voting machines.
[ link to this | view in thread ]
CuppaJo, 23 Oct 2006 @ 4:32am

Collusion
The relationship between that company and the GOP suggests that your vote will be pwned by the very people who keep the sources locked.
[ link to this | view in thread ]
Sanguine Dream, 23 Oct 2006 @ 5:35am

The sad thing is...
If something goes wrong Diebold will just spin it to make it look like the thief that stole the code is the sole reason for any and all future security issues. I think the theif wanted to prove just how vulnerable their e-voting is but all he/she did was become a scapegoat.
[ link to this | view in thread ]
thecaptain, 23 Oct 2006 @ 5:35am

Frankly,
From what I'm hearing they NEED a little help with vulnerabilities.

The ONLY way I could trust voting machines is if the source code is available. It doesn't have to be open source or free or whatever (ie: available to EVERYONE). But I'd like it available to a LARGE number of people...in other words, too many for a cover up...AND I'd like some sort of process wherein people could verify and certify that the code being shown is the code being run.

If we can't look at it...then there's a chance (and the way Diebold has been acting I'm almost CONVINCED its happening) that the company can "sell" elections to the highest bidder.
[ link to this | view in thread ]
Jamie, 23 Oct 2006 @ 6:24am

Re: Collusion
Haven’t seen a whole lot of collusion here. In this case we are talking about Maryland, a stanch Democrat state. The election officials in MD, who keep spouting the company propaganda that the machines are safe, are Democrats. So to be fair, Diebold seems to have convinced people in both parties.
[ link to this | view in thread ]
Celes, 23 Oct 2006 @ 6:39am

Re: Re: Collusion
And Governor Ehrlich (Republican) is encouraging people to vote via absentee ballot because of the problems we've been experiencing here.

Of course, in Maryland, the vast majority of our politicians usually form opinions just to fight against the other party, not because of what they're fighting for. We're seeing some *weird* races this year...
[ link to this | view in thread ]
PCs, 23 Oct 2006 @ 9:10am

Security
I wonder if anybody noticed this:

Small could not gain access to the GEMS software because the material on two of the disks was protected by a password.

Radke, the Diebold spokesman, said the versions of Ballot Station released since the version identified on the disks have many new security features. The Diebold statement said "it would take years for a knowledgeable scientist" to break the encryption used on the software apparently contained on the disks delivered to Kagan. But Rubin said "the data and files were not encrypted" on the Ballot Station disk he reviewed.

Interesting.
[ link to this | view in thread ]
Anonymous Coward, 23 Oct 2006 @ 9:16am

Re: diebold security
Robin Williams? I'd push for a massive write-in campaign for Chuck Norris.
[ link to this | view in thread ]
Orny, 23 Oct 2006 @ 11:50am

Good scam
Hmmm, they could take money from both sides trying to buy the win, and just let the elections play out (or pick a side). One side would be happy, the other side would be ticked, but what could they do? Go public and say they got cheated trying to buy the election?
[ link to this | view in thread ]
Randy, 23 Oct 2006 @ 12:38pm

Coincidence??? What Movie?
Fact? Fiction? It is just a movie after all... If this happens again, with all that we have been shown over the last two presidential elections (did our votes count then?), then it is but our own fault. What can we do about it? JUST VOTE! and if they try to steal another elction, we can just go to thier offices and carry them out and do it again and again till we get back the democracy that was conceptualized many years ago. We have allowed too much media to control our efforts and our reason. Success is the best revenge from those who want to take your freedom. enJOY you life and let the rest go... BUT DO VOTE! it is your right!!! namaste
[ link to this | view in thread ]
David, 23 Oct 2006 @ 12:53pm

I concur...
I'd vote for Robin Williams for president...
[ link to this | view in thread ]
Cheesy One, 23 Oct 2006 @ 1:26pm

Yeah...I'd rather not know
I prefer not to know how my vote is counted. I'm much more comfortable just knowing that a black box is counting it the right way than worrying if enough geeks have reviewed it to make sure it's error free and honest. I mean what good has this whole open-source thing done anyway? Look at all the problems the *nix systems have.

Just tell me it works and I'll be happy. DO NOT prove it to me!
[ link to this | view in thread ]
Santa, 23 Oct 2006 @ 2:43pm

It's sad to see how slow the US has been to solve
There are third world countries that have 100% electronic voting systems in place for years...without glitches...without any doubts cast on the results. It seems there are people interested in keeping the voting system in chaos in the US. And considering the outcome of the last two elections....it's clear why.....
[ link to this | view in thread ]
DigitalBomb, 23 Oct 2006 @ 4:45pm

I'm a Network Security Administrator. I would never use e-voting and I think any state that would allow it doesn't actually value the voter. Of course the value of our votes is greatly shown with incidents like the Florida count where these people were actually looking at ballots and going "well, it looks like this person poked this hole...but it's not all the way through, so I think he meant to poke this one." Also, take into account our flawed electoral college voting. What a great way to show that this country does not care one lick about what the people want - the Electoral College.

Anyone who has taken ten minutes of an internet security course could tell you that information passing through a network is never 100% safe. Why should we allow a system that isn't 100% safe to be entrusted to the integrity of our votes? The answer is that we should not.

That's what raises my eyebrow as a Security guru and a voter. Now, as a Programmer, anyone who isn't comfortable with their "secure" program's source code being public is someone who does not have a secure program and they know it. If this program's source code was leaked, let us be thankful. Hopefully, some teenage kid hyped up on Starbucks double-shot espressos and Twizzlers will stay up until three in the morning until he finally works out every single security issue. I'd be willing to bet more money than I have that he'd produce something more secure than Diebold's beta testers and top programmers ever will given their uncomfort about the source code being public. Public code shows that you have no flaws whatsoever, because if you did, someone would find it and send you a nice email about it. Most "hackers" will actually tell you how to fix things you missed.

So why do systems like e-voting come around? Laziness. It's that simple. What is wrong with just getting off our butts and going to register and actually stand in line to cast a vote?
[ link to this | view in thread ]
Eugenian, 23 Oct 2006 @ 6:40pm

a better system
Oregon's voting system -- in which everyone votes by mail/absentee ballot, with nonpartisan human elections workers checking each ballot signature against the registrant's signature on file -- is the least-worst voting system I've ever seen. (I've lived in NY, Wisconsin, Michigan, Washington and Oregon, and I've covered many elections as a reporter, witnessing the vote counting, as as a law student/volunteer voting rights observer.) It still relies on optical scanners to count the votes, but the scanners are centrally located in each county's elections office, and there is a provision for hand re-counts. Other states would be wise to adopt this system (and I believe Washington, which has long made it easy but optional to vote by mail, will go all-mail in the near future). We need to take the electronic networking element out of elections and minimize the potential for people to tamper with voting machines at polling places. An added benefit: Vote-By-Mail produces a much higher "turnout" than vote-in-person. Oregon has the highest voter turnout in the nation.
[ link to this | view in thread ]
Steve Savage, 26 Oct 2006 @ 1:50pm

Frankly....
I have ZERO worries about hackers taking down our e-voting systems.

My only real worry is poll workers who palm the memory card and substitute another one, or an insider conspiracy to steal an election. Thats very likely to happen.

Hackers have more ethics and probably would just substitute "Saddam Hussein" for George Bush in the election results central computer just to prove their point.
[ link to this | view in thread ]