Diebold Gets Less Bold

|

E-voting manufacturer Diebold has a serious PR problem. I wrote about the company a little while back in less than glowing terms, and Paul Krugman's most recent column will probably guarantee that he's never invited to CEO Walden O'Dell's place for dinner. Maybe it'll help—a little— that they've apparently decided to back off an attempt to harass critics with lawsuits.

NEXT: International Intrigue

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. All journalism about things you know well is just nonsense. When I looked into this, and thought about it, it fell apart completely. The DB itself has no password, but there is no reason why the entire system it is located on cannot be secured. Diebold does offer the abliity to print out receipts, but the people running the elections are choosing not to do so. It is the municipalities using the system which must be responsible for its security.

    There is nothing inherently secure or insecure about the Diebold system (or any computer system) which makes them more or less fraud proof than paper ballots. The procedures surrounding their use are far far more important to security.

    For example, if my bank kept its servers located in an open office where anyone could carry them off, gave average users the ability to copy files out of them, etc., I wouldn’t think much of its security either.

  2. There is nothing inherently secure or insecure about the Diebold system

    It is inherently insecure to put unencrypted data into a database product without a password, and provide an unencrypted audit trail without a password, especially when the product’s entire line is plagued by security inadequacies and the stigma of being a default hacker. It is dishonesty to advertise such a system as “secure”.

    The DB itself has no password, but there is no reason why the entire system it is located on cannot be secured.

    There’s no reason to put your money in a safe if there’s a lock on your door?

  3. JDM – according to accounts I’ve read, Diebold’s system has no log recording access to the database. This means that if someone with access to the system goes in and tampers with the vote counts, there is no record that anyone did anything.

    This is a must-have requirement for any system that is a likely target of fraud and is supported automatically by any heavy-duty database (Oracle, SQL Server, etc.). Using MS Access for this is a sure sign of incompetence.

  4. It is dishonesty to advertise such a system as “secure”.

    Have they done that? To the extent to which they have said that you can simply drop their software into any insecure network, or provided bad consulting on how to secure it, they are guilty, but this simpy analysis by the media based on random technical facts – there is no password on the DB, a clueless academic couldn’t understand why a number in the code was being divided by one (from another story) – is foolish.

    “There’s no reason to put your money in a safe if there’s a lock on your door?”

    If there are infinite doors you can put in front of your money, you are not limited by any one particular door not being used. Again, real security at, say, a bank involves actual vaults or secured rooms with a real locks and keys. A bank computer system could be composed of monkeys writing everything down on scraps of paper, and would be essentially as secure as the custom secure OSs they run if you trust who’s allowed in with the monkeys, and who watches the people going in with the monkeys, etc.

  5. Included in the memos that Diebold has issue with, and attempted to supress via the orignial lawsuits is a quote from the CEO ‘looking foward to personaly handing GW a win in OHIO’.

    This alone is enough for alarm….

  6. Anonymous,

    It runs on WinNT, which is capable of logging access to files. They probably aren’t doing that, but the point is that any system can be defrauded. Even if it was, you need to trust the people reading the logs to you. The physical arrangement of security, and trust of the system’s operators are more important than these few details of the system that the press is focusing on.

  7. JDM, every computer scientest who has had an opportunity to look at Diebolds voting system has openly said that it on its face, and in its workings is an insecure system. MIT has had a score of thier finest who were happy to go on record denouncing Diebolds machines.

    I would like to see your credentials and your whitepaper writeups on YOUR experiance reverse engineering of the Diebold voting machines.

    Oh whats that you say, youve never actually looked at or worked with one??? Ahhh…. yes, your expert
    BS is just that, BS.

  8. there is no password on the DB, a clueless academic couldn’t understand why a number in the code was being divided by one

    Two completely different issues. The former is a serious design flaw…you DO NOT put sensitive data in unprotected sources, ever, for any reason, in any half-baked architecture your mind might dream up, regardless of what kind of assumptions you have about the surrounding security. There are not “infinite” doors available; infinity does not exist for computers.

    The latter (n/1) is probably a cast semantic.

  9. Methinks perhaps that Diebolder has hit the nail on the head. When the head of the company is that plain about his actual agenda all the talk of whether the system is possibly secure or not is irrelevant. Can you say ?backdoor?? If you think these guys are above stealing an election you haven?t been paying attention. The ONE thing we should have learned from the last election is that election commissions routinely disregard thousands of votes for technical reasons without a qualm. So much for the will of the people.

    To those of you who will say that we are a republic rather than a democracy all I can say is that only a fascist could imagine that whoever the most people vote for is unimportant.

  10. Can you say ?backdoor??

    Back door? Hell, the way the system is designed, you can walk right in the front door. They need to put up a test system and offer a large reward for the person who breaks into it. Otherwise, we all as voters have no reason to trust Diebold. As it stands now, I will not ever vote with Diebold equipment.

  11. Pretty damn sad that people hold “voting” to be such an imporant part of their lies.

    Statism lives!

  12. “Two completely different issues.”

    They are the same issue. Both are insipid anecdotes used by journalists to demonstrate the supposed insecurity of Diebold’s system. The coverage of this thing is absurdly poor. System security can not be determined by pointless anecdotes. The system as used is without a doubt insecure, but there is an evil corporation angle to this that is really mindless propaganda. The blame needs to be placed with the municipalities responsible for running the thing. Diebold could deliver a system with access logs, passwords wherever you want them, secret decoder rings, etc., which could be fraudulently, or more likely, incompetantly used.

    I could buy coverage that emphasized the actual importance of whole process security rather than this crap we are getting. If you want secure computer voting, someone needs to come up with a process which is secure enough to reassure the voters, but the most important part of that sytem is always always always (always) trust in the people running it.

    I guarantee you that I could come up with a process using Diebold’s software that was as secure as needed. I also guarantee that I can come up with a process using MIT approved software that is insecure. Further, you wouldn’t be able to trust either if the operators were crooked.

    Anon,

    I’m sure that given the opportunity I could come up with a whitepaper demonstrating the insecurity of the Diebold system too. That’s neither here nor there, since I’m not saying that the system as used is as secure as it could be. Reporting that there was no password on the database, and pretending that it’s an important point, or proof of the incompetence of Diebold is stupid.

  13. JDM’s argument seems to be that it’s the users’s responsibility to secure the network so that the holes in Diebolds software are not exposed. Apparently it is not Diebold’s responsibility to build a secure product. Real users are probably less forgiving.

    “It runs on WinNT, which is capable of logging access to files.”

    Exactly what has this to do with securing the database ? I doubt that even one in 10 million DBA’s would go about it this way.

  14. System security can not be determined by pointless anecdotes. The system as used is without a doubt insecure, but there is an evil corporation angle to this that is really mindless propaganda.

    You’re right, system security is determined by architecture, and proven by testing. It does not matter your personal opinion on these anecdotes, if it is true that the access database is unprotected by a password, and the log isn’t as secure if not more secure than the application, then the architecture is sorely lacking. If this product ever passed in front of an actual QA person, they’d be obliged to piss on the design spec.

  15. Statism lives (for lack of even an alias to address),

    Voting isn?t important? It?s just what gives us a say in government ?By the people, for the people, and of the people?. What country do you live in?

    FYI, the government intrudes in my daily life very little. I like that a lot. Voting is my only hope of keeping it that way.

    RSM, in the interest of full disclosure- do you happen to work for Diebold?

    And my understanding was that Diebold officials were the ones to decide not to turn the on the printers in Georgia, the election officials didn’t make the decision. My question is WHY? It seems that it would have been a good way to check the veracity of the system.

  16. “JDM’s argument seems to be that it’s the users’s responsibility to secure the network so that the holes in Diebolds software are not exposed. Apparently it is not Diebold’s responsibility to build a secure product. Real users are probably less forgiving.”

    Sigh. My argument is that it NECESSARY for the users to build a secure voting system, whichever route they choose to go. In any working system there is a huge amount of responsiblity on the system’s adminstrators to make sure it is secure. This is a simple irrefutable fact. As I already said, if Diebold is going around saying that they have a system that can be dropped onto random networks, or helping set up systems which are, in their entirety, insecure, we ought to be hearing about that. Whether or not there is a password on a DB in one component of the system tells us absolutely nothing. My problem here is that the coverage tells us nothing about the actual system security situation. It is merely axe grinding against the evil corporations.

    Here’s a nice quote from Krugman:
    “The software was in a folder titled “rob-Georgia.zip.”

    Thank you for the enlightening information. This is blatent fear mongering, as is the out of context quote someone posted above.

    At some point the system spits out a number, and someone tells you what it is. If they lie, who cares what went into getting the number to them. Please feel free to miss my point, rather than thinking about things.

  17. “You’re right, system security is determined by architecture, and proven by testing.”

    Not true. System security is determined by its operation.

    “the architecture is sorely lacking.”

    There is not nearly enough information to determine that. The DB in question is a temporary database used to store the numbers for counting on a desktop application. The desktop app is a small component of the overall system. There is no information anywhere that says whether or not it is the only store for the vote numbers. I’m guessing that it is not. I imagine that anyone can fire up the application and run a count of the numbers. If someone tampers with that particular count it tells us nothing about whether or not the main repository for the votes is secure. Perhaps it isn’t, but there is no information in the news reports to tell anyone one way or the other.

    “Exactly what has this to do with securing the database ? I doubt that even one in 10 million DBA’s would go about it this way.”

    As do I, but there is no reason to think that because there is one Access DB in the larger system that the whole thing is insecure.

    At some point the data passes out of the realm where computers have anything to do with their security. If that happens while they are still in the system, it’s fine as long as they are safer further in.

  18. Electronic voting can never be fraud-proofed, even if you have open source code, because the source you need no longer exists. That’s the complete history of the compilers used. Even the source code of the compiler won’t help, for the same reason – it too is compiled. The compiler does not have to do what the source code says. The classic reference is Ken Thompson’s Turing lecture http://www.acm.org/classics/sep95/

    Nothing has to be invented. Everything exists, and all it takes is sufficient motivation to engage in voting fraud, which I think will not be lacking.

    A non-software audit trail will always be necessary. And it’s not as if people would be unable to count votes these days, by the way. A couple thousand in a precinct, save the records, phone it in. It works fine. Fraud can happen but it’s hard to make it widespread.

  19. from the article:

    the Microsoft Access database used by the Diebold system to collect and calculate votes was not protected by a password.

    If Diebold actually advertised a system like this as being secure, using a Microsoft product and not even protected with a password, then they deserved what they got. Don’t design a secure computer system unless you know something about computer system security.

  20. Yowza . . . I use Access all the time. Wouldn’t trust it as far as I could levitate it.

  21. Access? What a bunch of hacks. “Trusted Computing,” is the holy grail of course, but you aren’t even trying if you are using Access (based on FoxPro). What’s wrong with Oracle or Sybase? Oh, it’s hard.

    :-

  22. Why are we pissed at Diebold?

    Sure they sound incompetent, but let’s not forget that it was morons in the various state governments that bought this crappy technology. That’s the real problem.

    But seriously, why the hell do you need a relational database to count votes? What’s wrong with a simple ASCII text file? Some programmers are so lame. They’re holding a hammer, and everything looks like a nail…

  23. A bunch of incompetent suits make a ham-fisted attempt to suppress bad publicity, and are surprised to get a hundred times more bad publicity as a result. Who knew?

  24. So what ? The argument is not over whether there exists an adamantine, hyper-secure, unbreakable system. It’s over how software A compares to software B, functionally & otherwise. It appears that those who evaluated diebold’s software (i’m talking about the MIT folks here not Krugman so please don’t pummel that strawman) felt that there were better alternatives.

  25. Here is part of the SAIC report for the state of Maryland on the Diebold machine:

    http://www.dbm.maryland.gov/DBM_Search/Technology/toc_Voting_System_Report/votingSystemReportAppB.pdf

    Seems Prof. Rubin wasn’t too clear on what he was looking at.

  26. It doesn’t matter whether you write a secure system. Compilers can have worms put in them, to put it in terms people can relate to. It’s undetectable in the same way that good cryptography is unbreakable: not in this universe.

    Motive is not lacking here, so it will happen.

  27. I was remarking that you can’t use electronic voting at all because all the motive you’d need, and all the ability you’d need, to commit undetected fraud then both exist. The method is described in Thompson’s paper, link far above. The diebold system may or may not have ordinary flaws but it doesn’t matter.

Please to post comments

Comments are closed.