HBO's "Hacking Democracy," a documentary that purports to show that "the top-secret computerized systems counting the votes in America's public elections are not only fallible, but also vulnerable to undetectable hacking, from local school board contests to the presidential race" premiered last night. I haven't had the chance to watch it yet, but I hope to in the next few days. Votelaw's Ed Still says "It's a thrill a minute -- well, maybe every few minutes."
According to this report (also via Votelaw), Diebold claims that the documentary is inaccurate and asked HBO to pull it from the air. See, for instance, here and here. HBO stands by the accuracy of the program. Given that Diebold's pre-broadcast complaints appear to have been based upon their "understanding" of the program's content -- rather than viewing the program itself -- I will be curious to see what, if any, post-airing response Diebold produces. (Diebold's releases on this and related issues are available here.)
Like Glenn Reynolds, I don't see what's so wrong about paper ballots, and if "Hacking Democracy" lives up to the hype, I expect I will hold ever more strongly to this view.
...and without a network connection, how do you get the malware into the first machine to begin with? Anyone with manual access doesn't need to mess around with malware spread by cards - they can just put it in directly.
In other words, J. Random Hacker won't be able to take advantage of that vulnerability, since the initial infection isn't through a network vector.
See Ken Thompson's Turing Lecture.
Executive summary : don't hire people like me to write compilers.
The same vulnerability extends to assembler and to microcode.
paper is simpler, more reliable, and more secure, with a built in audit trail. the fact that you can't idiot proof any voting method, is merely an indication that idiots shouldn't vote.
sorry for the capitalization i'm in a prague internet cafe and the shift key doesn't work. i'll somehow manage to get by.
ACORN has shown over the last two election cycles that votes can be stolen the old fashioned way.
I'm not sure how that is supposed to have been proven, given that it has been mostly impossible to determine the actual errors in tabulation on the newer systems -- and electronic systems have actually been caught in the act of subtle vote-flipping when they altered votes in the only part of an election that could be double-checked: the absentee ballots.
Votes can still be stolen the old fashioned way, but the new machines make it a heck of a lot easier for someone with the right connections.
See Felten's latest with election workers using personal laptops, brought from home to do the vote counting.
I don't know about other polling places, but in my small city of 35,000 souls we have about 14 precincts (2 per ward) and there is rarely a line of more than a few people for any of the bottlenecks: checking in, using any of the many open carrels, and placing the marked ballot into the scanning machine. I assume the ballots are preserved inside the scanning machine. Write-ins aren't individually counted when they don't matter, but they are tallied (eg "Ward 5 Precinct 2, 4 write-ins").
This isn't high-speed data processing!
The ink doesn't even have to be MICR. With scanners distributed to each polling place, a throughput of one per minute wouldn't slow things down, though that slow a turnaround would delay voters who watch the machine suck in their ballots before leaving.
The point is that a bad guy who gets access to one machine can insert a virus that can spread itself to other machines, including machines that the bad guy doesn't have access to. All it takes is physical access to one machine for one minute to insert a virus. See the technical paper and video at http://itpolicy.princeton.edu/voting
Obviously you had to have read the comment you were replying to, but it sure doesn't sound like you understood it. The bad guy puts the malware on a memory card, inserts it in machine A...
"Directly" meaning pushing in the bytes, one by one, with their fingers or something? In this context, "directly" only means "not by means of a network connection", i.e. having something on a memory card one physically inserts into a machine is "directly" in computer terms.
I have the same problem with the old mechanical lever-action machines as the new ATM-style machines. You flip a few levers, then move a handle, hearing a satisfying "crunch" as the curtain opens.
But who really knows if anything happened in the machine? Who knows if the votes were tallied for your chosen candidates? Only whoever was adjusting it earlier; that means he/she/it better be both trustworthy and competent.
Re Remarks on lever-machines. The setup and proofing is done under the watchful eyes of representatives from all parties, then the machine is sealed. How does one alter the mechanics of the sealed machine?
I mean, it strikes me as equally likely that a Democrat would hack the system to help his candidate, as a Republican to do the same. The conspiracy-theory folks talk about Diebold "delivering" Ohio, but I can't figure out why Republicans aren't equally worried about Democrats "delivering" New Jersey or Pennsylvania or whatever.
If I were an anti-electronic-voting Democrat, I'd hack into a system with an "obvious" hack, giving the Democrat a 1,000,000 to 0 victory on an electronic system in a close race. (The point being not to swing the election by subtle shifting, but to point out the flaws.)
Suddenly, Republicans would become up in arms over the lack of a "paper trail" and there would be unanimity. Until then, this will remain a partisan issue solely as a result of historical accident.
Our touch-screen machines for disabled voters also have a paper trail: a register tape that the voter sees before pressing the final "okay". So again, there's a detailed audit trail on the tape (which is inside a sealed case) that has to match the info on the memory card. Of course, I don't see how a blind person can check the register tape.
Now, Sequoia (Oakland, CA), the manufacturer of these machines, has been accused of being owned by a parent company that is majority controlled by Hugo Chavez, but the facts of the case are only that another subsidiary of the parent sold voting equipment to Venezuela in 2002. And I just heard a report that reaching around behind the touchscreen machine and pressing something will allow you to vote more than once. But the machine beeps; so with a pollworker standing there, watching you reach around the machine and listening to the beeps, how many extra votes are you really going to be able to register? So all-in-all the paper trail seems to severely reduce the number of problems you can have.
My question is why doesn't every secretary of state refuse to certify any machine that doesn't involve a paper trail?
In other words, J. Random Hacker won't be able to take advantage of that vulnerability, since the initial infection isn't through a network vector.
So the following Drudge Report is no cause for alarm, huh?
You don't have to if the machine is too complex for the observers to understand completely.
Let's get cracking.
Both are sound ideas, IMO.
What does Washington think about that? Would that be the holiday that we were supposed to get 8.5 months prior to the election, or the one that would be coming up in 3.5 months?
Would closing the schools (like we used to in NYC) and the government offices make that much difference? I for one don't want to give up a 3-day weekend which falls out during a school vacation week (do you think the schools that now have a February vacation, because they used to have Lincoln's Birthday and Washington's Birthday, would not have February vacation during election years?) just so I get a whole day off from work mid-week to spend half an hour voting.
Besides, for those who care, Election Day is a day of obligation. I'm not sure what I'd do for the other extra 7.5 hours off on the first Tuesday after a Monday on quadrennial years, but I'd have to be around.
(As for moving days, my city had an override to allow a tax increase to build a new school. Unlike every other election, this one was held on a Saturday and at a central location, to inconvenience the old child-less voters, and convenience the soccer Moms and Dads who were more likely to vote in favor.)
The 90% of private sector employees who don't get Washington's observed birthday off anyway weep at the thought of you having one of your holidays moved from February to November.
I imagine the people who do get a holiday for Washington's birthday tend to vote Democratic. I'm not sure if having the day off would boost or suppress turnout. Any thoughts?
Electronics and paper can be complementary. The electronic trail discourages tampering with the paper trail, and the paper trail discourages tampering with the electronic trail.
As far as I can tell from the article you cited about the "smart cards," that's a different issue. "Smart cards" are used on normal voting. It's been shown they're vulnerable to fraud -- Avi Rubin pointed out that they lacked cryptographic verification, at least at the time of his study in 2003. But they can't change the programming of the machine.
The cards which Felten was talking about are memory cards which are used for loading software into the machine. They're supposed to be kept under high security and not used in the actual voting process. They can be used to reprogram the machine to do anything.
The issue which you mention is a real problem, but a different one.
A cynic would say your question answers itself.
First, I don't accept your assertion that the smart cards can't change the programming of the election machines. At a minimum, the machines are reading memory on the smart cards that is designed to be re-written to insert the proper Ballot Definition File for each voter. As a result, there is the potential for something as basic as a buffer overrun stack smashing attack when a manipulated BDF is read. Without having access to the actual AccuVote software in use, I can't say with any certainty whether this or similar attacks are possible, but having data available to be manipulated outside of the supposed-to-be secure system is not a good thing and does represent at least a potential attack vector to introduce viruses or other malware.
Second, the lack of physical security over the smart cards simply illustrates the basic fact that, contrary to what Diebold marketing would have us believe, the lack of a network connection in no way guarantees the integrity of the software and the vote. There are potentially numerous attack vectors through inadequately secured trusted components, and Felten has concretely demonstrated the actual existence of some of these.
GO TEAM!
http://ignatiev4chancellor.blogspot.com
Doesn't it make more sense to simply fix the problems with these machines that offer so many advantages? It seems many concerns could be eliminated by requiring a verifiable paper trail. Run that through an optical scanner, if need be.
Is it that low? (10% observed)? I can't think of any job I've held (all private sector, but selling to military, to other businesses, to government, to finance, internal research, etc.) where that wasn't a holiday. I've rarely had Patriot's Day (Massachusetts holiday) or Columbus Day; Day-after-Thanksgiving is about 50-50.
I hadn't heard of "marksense" before now, but that sounds like what I had in mind.
Sorry for not getting back to you sooner. My computer was tied up doing some work. Sure, most folks don't understand the guts of the gear & lever machines, but they also don't understand the circuit boards in the modern machines. In both cases you observe the input and output, and if they agree you call it good.
I realize that no election boards want to use the gear & lever machines anymore, so there must be a reason. The district I voted in for many years did use them, but after the 2000 fiasco, when money became available to upgrade voting systems, they wanted to dump them, saying they couldn't get spare parts. While no doubt true, if there was a demand, there would be parts.
What you say sounds sensible. However ... in August 2003 Walden O'Dell, Diebold's CEO literally wrote he was
To put things in context, this was in a letter inviting wealthy Ohio residents to a GOP fundraiser. In all likelihood Mr. O'Dell simply failed to spot the irony of his unfortunate choice of wording. Nevertheless, we have a written commitment of Diebold's CEO to deliver Ohio to Mr. Bush. To the best of my knowledge Diebold (and the other DRE manufacturers) have yet to go on record with regard to New Jersey and Pennsylvania.
I have spent 20 years programming and I wouldn't trust a Voting Machine if you paid me to. I believe they should ALL be destroyed at once.
The Market and paper ballot counted by an optical scan machine is the only way to go. The machine can be tested with a known batch of ballots to insure it's working correctly. The Ballots are always there for a manual recount. SAFE and SANE.
The ballots have serial numbers, for instance, and one can keep track of what serial numbers were shipped to each precinct. If a precinct's box has serial numbers from across town, it's a red flag.
Visual examination of the marking on the sheet can determine if a large number were printed by machine, or all scrawled out by the same person in the same way. I know that I can't draw a neat, straight line from one arrow to the next with the black optical-scan marker - I have to make a certain number of strokes and that makes a visual alteration. If you were bent on falsifying a peck of votes, you'd have to devise different strip-writing scrawls to do it.
This isn't rocket science. Heck, it isn't even nearly as complicated as an ATM. If we can make machines that we trust with our money, that are ubiquitous, that are auditable, and that (with rare exception) are not hackable, we can surely design a machine capable of.. um, counting accurately.
How do you tell with votes...
With machine counting of ballots, there was no way to do this, because all counting was in Downey, at Los Angeles County's big data processing center. "So," he says to me with a grin, "when government employees are doing all the tabulating of votes on an initiative that will put some of them out of work by cutting property taxes, how much do you trust them to get the right answers?"
Actually, the "voter-verifiable" part of the VVPT handles this. Voters are asked to look at the printout and double-check it for errors before the printout goes into the locked box. That the human-readable part matches the machine-readable part can be verified by random audits or via a manual recount.
Paper ballots work fine in Canada, or Britain, or Israel, because there is only one ballot position to be tallied. If the U.S. is to use paper ballots, we have to change what's on the ballot.
SVS is a wholly owned subsidiary of Smartmatic, which is based in Venezuela. Smartmatic has very close ties to high officials in the Chavez government. Its ownership is private and obscure, concealed through a shell company in Curacao, but admitted to be at least partly Venezuelan.
It was founded by two 26-year-old engineers in 2000. In 2004, the Chavista-controlled National Election Council awarded Smartmatic a $100M contract to provide electronic voting machines for Venezuela. The software for these machines was provided by Bizta, another small, new Venezuelan firm which at the time was 28% owned by a Venezuelan government investment fund.
The Smartmatic/Bizta machines were used in Venezuela's presidential recall election of 2004. In that vote, three different exit polls showed 60% for Yes; the official result was 60% for No. No one could prove fraud, but there was no general audit of the vote, and all the machines and the paper receipts were taken into army custody and locked away.
A few months ago, a big hooraw was raised because a company based in a friendly Arab country was going to buy several container terminals at U.S. ports. There seems to be far less concern that a company deeply enmeshed with a hostile government, and suspected of complicity in a massive vote fraud, will be administering elections all over the U.S.