September 14, 2006 1:42 PM PDT

E-voting machines again under fire

Concerns about electronic voting machines, whose reliability has been heavily criticized in recent years, resurfaced this week in a recently published Princeton University study.

Released on Wednesday, the Princeton research paper, "Security Analysis of the Diebold AccuVote-TS Voting Machine," says that the e-voting machine, produced by Diebold Election Systems, was vulnerable to malicious attacks and potential voter fraud.

The Princeton report (click here for PDF) comes amid renewed debate over e-voting as the November elections near and onging legal action by the Electronic Frontier Foundation (EFF), which advocates stricter supervision of e-voting systems.

The EFF on Wednesday filed a brief with the U.S. Circuit Court of Appeals, asking the court to reject a request to dismiss an EFF lawsuit against the Ohio secretary of state and governor. The suit alleges the defendants abdicated their responsibilities to ensure Ohio residents had a right to vote. Some e-voting machines in Ohio had malfunctioned during the 2004 election, in some cases causing votes cast for one candidate to go to the opposition.

"Ohio's procedures, like many used elsewhere across the country, simply don't do enough to protect voters from the serious vulnerabilities in the current generation of electronic voting equipment," Matt Zimmerman, EFF staff attorney, said in a statement.

Authorities in some states have grown increasingly uncomfortable with e-voting security measures. California, for example, found last year it could not certify Diebold's electronic voting systems results without adding federal review.

Princeton's research found the AccuVote-TS, as well as a newer version of the machine, the TSx, are expected to be used in 357 counties, representing nearly 10 percent of registered voters.

"Analysis of the machine...shows that it is vulnerable to extremely serious attacks," the report states. "An attacker who gets physical access to a machine or its removable memory card for as little as a minute could install malicious code."

From there, the virus could allegedly steal votes without detection and modify all records, logs and counters so the machine's tabulations would be consistent with the bogus votes it creates, according to the report.

The malicious attack could also spread to other e-voting machines, creating a voting machine virus, the report states. It suggested the machine's software and hardware be updated and strict election procedures be implemented.

But a Diebold executive disagreed and said that the e-voting machine used for the research project has security software that is two generations old.

"By any standard--academic or common sense--the study is unrealistic and inaccurate," Dave Byrd, Diebold Election Systems president, said in a statement.

He noted the unit used in the research allegedly did not have normal security procedures followed. The unit's numbered security tape, 18 enclosure screws and number security tags were allegedly destroyed or missing to allow researchers to get inside the machine.

The latest version of the AccuVote TS software includes 128-bit data encryption, digitally signed memory card data, secure socket layer (SSL) data encryption for transmitting results and dynamic passwords.

"Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day," Byrd said.

See more CNET content tagged:
e-voting, Diebold Inc., Diebold Election Systems, e-vote, Ohio

10 comments

Join the conversation!
Add your comment
Diebold Video
Here's a video that explains it all for the layperson to understand:

<a class="jive-link-external" href="http://www.youtube.com/watch?v=HvwnJqLLgK8" target="_newWindow">http://www.youtube.com/watch?v=HvwnJqLLgK8</a>
Posted by scotty321--2008 (17 comments )
Reply Link Flag
Old versions
"But a Diebold executive disagreed and said that the e-voting
machine used for the research project has security software that
is two generations old."

But the real question is, what version was on the Diebold
systems used in the last presidential election? More than likely,
two -- or more -- versions previous to the current. Meaning
that the votes cast in 2004 *may* have been altered using a
method similar to what Princeton discovered.

Dave
Posted by davemartinatx (16 comments )
Reply Link Flag
Oh well!
Oh well, just what chicken george and his cohorts need, to rig the mid term elections and eliminate the bugbear of the corporate bribeable autocratic sitting politicians from losing in the very dangerous free and uncontrolled elections!
Posted by heystoopid (691 comments )
Reply Link Flag
Lying Diebold Rep
I've looked at the report as well as a video of their findings. All
that's needed is access to the memory card which is simple
through use of one of thousdands of keys or very simple lock
pick.

The paper tape, screws and other items implied as being factors
are *not*.

Dawn Kawamoto, as a responsible reporter, should point this
out.

Perhaps the revised software makes a difference, but if the
Diebold rep is misrepresenting the other factors, I have no
reason to believe him on this.
Posted by gideonblaze (2 comments )
Reply Link Flag
Response to Diebold Response to Princeton
Computer Scientist Doug Jones responds to Diebold:
<a class="jive-link-external" href="http://utahcountvotes.org/Diebold-Princeton-response-DougJones.php" target="_newWindow">http://utahcountvotes.org/Diebold-Princeton-response-DougJones.php</a>

My Response to Diebold:
<a class="jive-link-external" href="http://utahcountvotes.org/Diebold-Princeton-response.php" target="_newWindow">http://utahcountvotes.org/Diebold-Princeton-response.php</a>

Princeton Study of Diebold Voting Machines:
<a class="jive-link-external" href="http://itpolicy.princeton.edu/voting/" target="_newWindow">http://itpolicy.princeton.edu/voting/</a>

-------------------------------------------------------------------

Diebold Election Systems Response to the Princeton University AccuVote-TS Analysis

<a class="jive-link-external" href="http://releases.usnewswire.com/GetRelease.asp?id=72390" target="_newWindow">http://releases.usnewswire.com/GetRelease.asp?id=72390</a>
Diebold's Contact Info: Mark Radke of Diebold Election Systems, 330-490-6633

---------------------------------------------------------------------

MY Response to Diebold's Response to Princeton's Examination of Diebold Voting Machines

Subtitle: Doubletalk, Bosh, and Mumbo Jumbo

by Kathy Dopp


Diebold says:

"The unit [that Princeton studied] has security software that was two generations old, and to our knowledge, is not used anywhere in the country."

Yet:

In March, 2005 the same severe Diebold security problems were discovered in Emery County, Utah by BlackBoxVoting and Bruce Funk that had been originally discovered in the late 1990's and in early 2003 by RABA Technologies in MD and by others previously. (See <a class="jive-link-external" href="http://www.blackboxvoting.org/BBVtsxstudy.pdf" target="_newWindow">http://www.blackboxvoting.org/BBVtsxstudy.pdf</a>)

Diebold advertised dozens of non-existant office locations in the white pages in dozens of states, and originally delivered a mixture of used, rejected voting machines to Utah for the price of new ones. (See <a class="jive-link-external" href="http://UtahCountVotes.org" target="_newWindow">http://UtahCountVotes.org</a>)

Why should we believe Diebold now? Diebold could prove its claims are true by allowing independent thorough examination of its voting system. (Not by The Election Center - an Association of Election Officials and Voting Machine Vendors favored by Maryland's Election Director, Linda Lamone because it includes the same election insiders who pushed through unauditable paperless, fundamentally flawed, hackable voting systems despite public and expert opposition).

The Princeton team noted that Diebold's hardware also needs to be fixed.


Diebold says:

"Normal security procedures were ignored. Numbered security tape, 18 enclosure screws and numbered security tags were destroyed or missing so that the researchers could get inside the unit."

Yet:

Diebold voting machines do not use available common-sense security measures and did not even remove the development tools from its operating system, making its system less secure than an electronic toy.

Insiders are always the biggest threat to any voting system. Insiders include all Diebold staff and election officials and workers.

The Princeton team demonstrated that election stealing software can be inserted without ignoring any security procedures, by simply accessing a memory card prior to an election. Princeton even showed that a savy voter could possibly buy cards and vote multiple times.

To anyone observing an election, election rigging would look exactly like a normal election. (See the Princeton film <a class="jive-link-external" href="http://itpolicy.princeton.edu/voting/" target="_newWindow">http://itpolicy.princeton.edu/voting/</a>)

Diebold says:

"A virus was introduced to a machine that is never attached to a network."

Yet:

The Princeton team did not network the machines and the virus can be transferred from one machine to another on a memory card, such as whenever the software is updated or when an election supervisor installs the election definition files, or if someone like a poll worker has one minute's access to the machine.


Diebold says:

"The current generation AccuVote-TS software - software that is used today on AccuVote-TS units in the United States - has the most advanced security features, including Advanced Encryption Standard 128 bit data encryption, Digitally Signed memory card data, Secure Socket Layer (SSL) data encryption for transmitted results, dynamic passwords, and more."

Yet:

Edward Felten, director of the Center for Information Technology Policy and professor of computer science at Princeton, claimed that the new safeguards still don't ensure security. "Just because they use a digital signature, just because they use encryption, that's a check-box approach that doesn't pass muster in any security analysis," he said. Felten also noted that encryption doesn't prevent an attack of the kind used in the study because the encryption key is present in the machine.

"The malicious software has the full run of the computer. It has access to everything."


Diebold says:

"In addition to this extensive security, the report all but ignores physical security and election procedures. Every local jurisdiction secures its voting machines - every voting machine, not just electronic machines. Electronic machines are secured with security tape and numbered security seals that would reveal any sign of tampering."

Yet:

Malicious software can be most easily installed during the normal course of storing, maintaining, updating, or conducting elections without raising any suspicion. It is virtually impossible to secure these machines using the security procedures in use today in election jurisdictions.

BlackBoxVoting, Princeton, and Avi Rubin, among others, have shown that Diebold's "security tape" is easy to tamper with, without leaving any noticeable evidence. New security tape is also available for purchase. Third, The security tape can be avoided altogether by removing a few screws. (See Avi Rubin's "day as a poll worker" <a class="jive-link-external" href="http://avi-rubin.blogspot.com/2006/09/my-day-at-polls-maryland-primary-06.html" target="_newWindow">http://avi-rubin.blogspot.com/2006/09/my-day-at-polls-maryland-primary-06.html</a>)

Diebold says:

"Secure voting equipment, proper procedures and adequate testing assure an accurate voting process that has been confirmed through numerous, stringent accuracy tests and third party security analysis."

Yet:

Only persons uneducated in computer science would buy that logic. Diebold deliberately avoided having its modified operating system software federally tested. No amount of testing would assure a tamper-free election, as Princeton explained in its movie clip and is further explained in this testimony before the US Congress by DAVID WAGNER, PH.D. COMPUTER SCIENCE DIVISION UNIVERSITY OF CALIFORNIA, BERKELEY, SEPTEMBER 11, 2006 in Question #1 of Responses to "Questions for the Record Submitted by Chairman Ehlers and Chairman Boehlert..."
<a class="jive-link-external" href="http://www.votetrustusa.org/pdfs/qfr-house06.pdf" target="_newWindow">http://www.votetrustusa.org/pdfs/qfr-house06.pdf</a>

Diebold says:

"Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day."

Yet:

To secure the accuracy of election results we must audit - manually count - voter verifiable paper ballot records associated with sufficient vote counts to give a 99% probability of detecting any outcome-altering vote miscount.

Banks, businesses, and churches are subjected to independent audits. Election outcomes determine who controls budgets in the millions to trillions of dollars, yet are not sufficiently audited in any state.

-------------------------

Kathy Dopp
<a class="jive-link-external" href="http://electionarchive.org" target="_newWindow">http://electionarchive.org</a>
The National Election Data Archive
Dedicated to accurately counting elections.

The National Election Data Archive will soon be publicly releasing a new mathematical method of calculating vote count audit amounts that will ensure election outcomes are accurate.
Posted by sunshinekathy (3 comments )
Reply Link Flag
Non Refutable Authentication
Until Non-refutable authentication can be made available... E-Voting is hogwash.

But even if E-Voiting is hogwash. Non-E-Voting is even more hogwash.

If irrefutable E-authentication CAN be performed... at least it will prevent corpses and illegals from voting!!!

Until then, we have to choose the lesser of two evils. However in this case... is E-Voting REALLY the lesser???

Walter
Posted by wbenton (522 comments )
Reply Link Flag
It was a long time coming.
I appreciate CNET's coverage of the Princeton proof. Computer
savvy people have long doubted the veracity of vote counts from
these sloppily designed machines and their even more sloppily
designed software.

It is gratifying that the broken and crooked voting system
thousands of regular Americans have been sounding the alarm
about for years now is finally becoming accepted fact.

Friends, we have been had, and very badly.

Those close "wins" by George W. Bush in 2004 never happened.
They were fiction. Much of Florida and Ohio used the same
voting machines in question in elections which have long been
contested. Finally the evidence is coming into focus to more
Americans.

Does anyone now doubt how much different America would be
now if the rightfully elected man had taken office in 2004? His
fishy appointment in 2000 was bad enough... but the very voting
machines his party (Bob Ney [R-OH] and Diebold) foisted on the
country in 2001 and 02 are clearly involved in phony vote counts
which delivered Ohio and Florida into crooked GOP hands in
2004.

Maybe we are beginning to see the beginning of the end of the
nightmare... as the pretenders to our presidency continue to
unravel both within due to their own massive incompetence, and
now from without, due to the deligence and thankless hard work
of thousands of good dedicated Americans who would not let
this story die.

Thank you CNET for running this story to a computer literate
audience. It was a long time coming.
Posted by bbuc (12 comments )
Reply Link Flag
It was a long time coming.
I appreciate CNET's coverage of the Princeton proof. Computer
savvy people have long doubted the veracity of vote counts from
these sloppily designed machines and their even more sloppily
designed software.

We can certainly have touch screen machines... but we need
voter verified paper ballots as a backup. Vote counts from the
current systems can NOT be recounted in any real sense.

It is gratifying that the broken and crooked voting system
thousands of regular Americans have been sounding the alarm
about for years now is finally becoming accepted fact.

Friends, we have been had, and very badly.

Those close "wins" by George W. Bush in 2004 never happened.
They were fiction. Much of Florida and Ohio used the same
voting machines in question in elections which have long been
contested. Finally the evidence is coming into focus to more
Americans.

Does anyone now doubt how much different America would be
now if the rightfully elected man had taken office in 2004? His
fishy appointment in 2000 was bad enough... but the very voting
machines his party (Bob Ney [R-OH] and Diebold) foisted on the
country in 2001 and 02 are clearly involved in phony vote counts
which delivered Ohio and Florida into crooked GOP hands in
2004.

Maybe we are beginning to see the beginning of the end of the
nightmare... as the pretenders to our presidency continue to
unravel both within due to their own massive incompetence, and
now from without, due to the deligence and thankless hard work
of thousands of good dedicated Americans who would not let
this story die.

Thank you CNET for running this story to a computer literate
audience. It was a long time coming.
Posted by bbuc (12 comments )
Reply Link Flag
Look who was elected president.
I never doubted for a minute that electronic voting machines could easily be tampered with.
Posted by 2Late4us (1 comment )
Reply Link Flag
pay attention e-voting is least of our problems
I find it hard to read this crap. Earth to internet blogers, better wake up before the lights go out. Is anyone paying attention to what just happened, does any one know what this means. Nancy the San Fran rice a ronnie may be talikg lets be friends now, only becouse she has not assumed controll of the house yet. The dems dont want to give the republicans any reason to be upset and possibly pass any new laws to help protect us against the kill America nuts from the middle east. They do not want to appear to be weak on nation security. Let me make it plain and simple for you. My bet is within 90 days funding will be cut for Irac, and our troops will be pulled out. Next Iran will take over Irac, and in another 90 days if it takes that long. All the wackos flocking to Irac to kill Americans will be flocking to America. We will have Muslim terrorist blowing themselves and Americans up in all major and many smaller cities. They want have to kill many, just set off a few bombs. That will be all it takes to distroy our economy, and send the people to the hills fearing for their lives. We my not be winning fas enough in Irac, but what we are doing helps keep them from trying to come over hear.Not to mention, they will our weakness as a victory, and proof we do not have what it takes to win this war at all cost. The dems think we can all get together and talk things. These people want one and only one thing, and thats to distroy the U.S. and Isreal. You think the war is bad now just wait and see, it you are not one of the many killed in the first big wave of killing crazies that will be coming over our boarder like Mexicans to the spring crop picking season. Well I guess we can just kiss our ***** and wat of life goodbye.......................
Posted by cleveland harris (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.