

Can we dare call it stolen, yet?
March 5, 2009 12:10 PM

Diebold accidentally releases GEMS software with "Steal Election" button intact.
posted by FatherDagon (90 comments total) 17 users marked this as a favorite

 
.
posted by Freen at 12:12 PM on March 5, 2009 [2 favorites]


Basic user interface design ignored.
"The system provides no warning to the operator that clicking on the [clear] button will result in permanent deletion of records in the log, nor does it require the operator to confirm the action before executing it."
posted by ericb at 12:13 PM on March 5, 2009 [3 favorites]


As awful as I think Diebold's general approach to election machines is and as stupid as this particular problem is, it's not fair to call it a "Steal Election" button. It's a "Clear" button that erases audit logs, and it's not unreasonable to assume it was added in good faith as a way to reset a voting machine. It's dumb that the button doesn't have a confirmation, and it's stupid and wrong that the button is in shipping production versions of the software.

But it's not a "steal election" button. It is a "Diebold is incompetent" button. They should never get contracts for voting machines.
posted by Nelson at 12:14 PM on March 5, 2009 [8 favorites]


Well, it's a button that can only be used for malice or stupidity.
posted by mek at 12:16 PM on March 5, 2009


Surely this......
posted by Pendragon at 12:17 PM on March 5, 2009


Nelson; there is no reason to reset a voting machine.
posted by odinsdream at 12:18 PM on March 5, 2009 [4 favorites]


I mean, no legitimate reason, of course.
posted by odinsdream at 12:18 PM on March 5, 2009


We should give Diebold a few billion of the bailout package dollars to create a "delete 'toxic' asset" button for Wall Street.
posted by webhund at 12:19 PM on March 5, 2009 [1 favorite]


Is there any evidence that this has actually been used to "steal" an election? If anything, I'd think the inclusion of a "clear" button makes it less likely that any election has been stolen using electronic voting machines - clearly if these were being abused by partisan operatives, diebold would have removed it immediately. The fact that it's taken so long for anyone to notice just indicates that no one was using it, except for the occasional honest mistake. That the process of certifying these machines for elections has only now realized the error indicates that the system (eventually) works and there is no need for election reform.

Wow, I always wondered what it would feel like to try to defend electronic voting. My head feels... funny.
posted by logicpunk at 12:22 PM on March 5, 2009


Of course there's reasons to reset a voting machine. Like you're a developer and you're working on it, then need to start over in a clean slate. Or you're selling a tested, used machine in a new market and need to ship it clean. Or a zillion other reasons.

There's no reason to reset a voting machine that's been deployed. It's a terrible, incompetent mistake to ship a machine to an end user that is resettable. But it's not evidence of election stealing.
posted by Nelson at 12:23 PM on March 5, 2009 [1 favorite]


Even if the button was added in good faith, it can still be USED as a Steal Election button by a user. The SoS of Ohio (random example) can just click it and *poof* now the state goes to Bush and there's no way to track that.

I encourage anyone with a strong stomach for WTF to look into how these machines work. SPOILER: It's a Microsoft Access program.
posted by DU at 12:24 PM on March 5, 2009 [1 favorite]


I would like this option for my ATM, please. That last withdrawal? Didn't really happen.
posted by malocchio at 12:24 PM on March 5, 2009 [9 favorites]


SURPRISE!!!!!!

/isn't really surprised
posted by BitterOldPunk at 12:25 PM on March 5, 2009 [1 favorite]


Is there any evidence that this has actually been used to "steal" an election?

Is there any evidence that the evidence-erasing button was used to steal an election?
posted by empath at 12:28 PM on March 5, 2009 [44 favorites]


In most (well designed) security auditing systems, the first log entry after clearing the logs is "log cleared @ date". So you don't know what was erased, but you do know that someone erased it.

But yeah... bad Diebold. How long till this appears on The Daily WTF?
posted by sbutler at 12:29 PM on March 5, 2009
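
The behaviour sbutler describes above (a cleared log whose first entry records the clearing), together with the confirmation step the quoted report says was missing, as an added Python example; it is not from the thread or from GEMS, and it goes a step further by hash-chaining entries so that removal bypassing the clear function also shows. The `AuditLog` class, the event names and the sample entries are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the very first entry on a fresh log


def _digest(prev_hash, body):
    """Hash an entry's content together with the hash of the entry before it."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.entries = []
        self._head = GENESIS  # hash of the newest entry; deliberately survives clear()

    def append(self, operator, event, detail=None):
        body = {"ts": self._clock(), "operator": operator,
                "event": event, "detail": detail or {}}
        entry = dict(body, prev=self._head, hash=_digest(self._head, body))
        self.entries.append(entry)
        self._head = entry["hash"]
        return entry

    def clear(self, operator, confirm=False):
        """Erase entries, but only on explicit confirmation, and leave a marker."""
        if not confirm:
            raise PermissionError("clearing the audit log requires confirmation")
        detail = {"erased_entries": len(self.entries), "last_hash": self._head}
        self.entries = []
        # The marker chains to the last erased entry, so an archived copy of the
        # old log can later be matched against it.
        return self.append(operator, "LOG_CLEARED", detail)


def verify(entries):
    """Return a list of findings; an empty list means the chain is intact."""
    findings = []
    prev_hash = None
    for i, e in enumerate(entries):
        body = {k: e[k] for k in ("ts", "operator", "event", "detail")}
        if _digest(e["prev"], body) != e["hash"]:
            findings.append(f"entry {i}: content does not match its hash")
        if i == 0:
            if e["prev"] != GENESIS and e["event"] != "LOG_CLEARED":
                findings.append("entry 0: earlier entries removed without a LOG_CLEARED marker")
        elif e["prev"] != prev_hash:
            findings.append(f"entry {i}: chain broken, entries removed or reordered")
        prev_hash = e["hash"]
    return findings


def sample_log():
    """Constructed sample events; names and timestamps are made up."""
    ticks = iter(f"2009-03-05T12:{m:02d}:00Z" for m in range(60))
    log = AuditLog(clock=lambda: next(ticks))
    log.append("system", "SERVICE_START")
    log.append("operator1", "RESULTS_UPLOADED", {"precinct": 7})
    log.append("system", "SERVICE_STOP")
    return log


if __name__ == "__main__":
    log = sample_log()
    marker = log.clear("operator1", confirm=True)
    print(marker["event"], marker["detail"]["erased_entries"], verify(log.entries))
    silent = sample_log().entries[1:]  # first entry dropped behind the log's back
    print(verify(silent))
```

Removal of the newest entries is not visible from the chain alone; detecting that needs the latest hash kept somewhere outside the machine.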


Perhaps the Obama glow still hasn't worn off, but I'm with Nelson for the "incredibly incompetent" explanation, as opposed to the "diabolical conspiracy" (diebold-ic? HA!) explanation. One will never go broke betting on human stupidity.

Plus, really, remind me what their incentive is for helping republicans? Kind of a toxic brand right now. Be warned, I will relentlessly mock any convoluted conspiracy theories with references to the Illuminati and Lizard People.
posted by ScotchRox at 12:30 PM on March 5, 2009 [1 favorite]


Problem is, if they ban "Steal Election" buttons, only criminals will have "Steal Election" buttons.
posted by weapons-grade pandemonium at 12:30 PM on March 5, 2009 [4 favorites]


Also, a completely missing log is quite an obvious indicator of a problem rather than, say, the selectively erased records.
posted by patricio at 12:32 PM on March 5, 2009


"But it's not evidence of election stealing."

Uh, yes, exactly. No evidence.
posted by Smedleyman at 12:32 PM on March 5, 2009 [3 favorites]


They changed their name from Diebold to Premier Election Solutions. Just doing my part here to make sure their new name gets properly slandered, as it so well deserves.

It is an inexcusable obscenity to use closed source election software. There is no legitimate reason. Period. As far as I am concerned, if they are closed source in any part of their system, from bios to drivers to kernel to database to interface, this is a potential source or avenue for fraud. They get paid for the deployment of the machines, not for the licensing of software, so there is no revenue incentive for failing to use a 100% open source system.

With electronic voting, elections could be straightforward to run, cheap to count and verify, and be verified under severe scrutiny, but for some reason we have adopted an electronic system that is much harder to trust and verify, and for all I know it may even cost more to use.
posted by idiopath at 12:33 PM on March 5, 2009 [10 favorites]


Sufficiently incompetent actions cannot be distinguished from conspiracy.

And no, I will reiterate that there is no reason to be able to reset a voting machine. It should require physical disassembly and the replacement of some part with a clean part. This would be a significant technical challenge, which is a good thing.
posted by odinsdream at 12:34 PM on March 5, 2009 [1 favorite]


Pretty much every other country on the planet that isn't run by despots does a better job with their elections than the USA.
posted by chunking express at 12:35 PM on March 5, 2009 [5 favorites]


logicpunk - how are you so sure "diebold would have removed [the clear button] immediately" upon proof of abuse by partisan operatives? While old news, Walden O'Dell, chief executive of Diebold Inc., told Republicans in a 2003 fund-raising letter that he was "committed to helping Ohio deliver its electoral votes to the president next year." Even though O'Dell left Diebold in 2005, there's a lot more ugliness to Premier Election Solutions (formerly Diebold Election Systems, Inc.)
posted by filthy light thief at 12:35 PM on March 5, 2009 [1 favorite]


I encourage anyone with a strong stomach for WTF to look into how these machines work. SPOILER: It's a Microsoft Access program.

Oh thank god. I was worried they were using Excel.
posted by peeedro at 12:38 PM on March 5, 2009 [5 favorites]


Isn't this kind of like placing an automatic "car goes boom" lever right behind your turn signal? I mean, what could be the possible fucking point of this?
posted by Navelgazer at 12:39 PM on March 5, 2009 [1 favorite]


how are you so sure "diebold would have removed [the clear button] immediately"

sorry - I was trying for parody of how someone would go about defending diebold. I don't actually believe anything good of them.
posted by logicpunk at 12:40 PM on March 5, 2009


So basically we're left with a choice between "Diebold is evil" and "Diebold is stupid". Considering the results are the same that's no choice at all.
posted by tommasz at 12:41 PM on March 5, 2009 [5 favorites]


This isn't a "Steal Election" button. It's more of a "Burgle Referendum" button.
posted by Damn That Television at 12:42 PM on March 5, 2009 [3 favorites]


For just a moment, I'm going to go with the most charitable possible read of this and assume that this wasn't included for any malicious reasons, that despite their knowledge of the fact that it could be accidentally pressed, they left it in anyway.

And the thing is, even if this best-case-scenario is, in fact, the gospel truth, this should still be sufficient reason to pull their contract and ensure that they never are included in the voting machine process;

The inclusion of the button violated the federal voting-system standards under which the Premier/Diebold system qualified to be used in elections

They were given a specific set of rules to follow, which they didn't comply with. They should be fired.

Now, if it comes out that this wasn't an act of complete incompetence, well, that's when the indictments for fraud and treason should start popping up.
posted by quin at 12:44 PM on March 5, 2009 [13 favorites]


Sufficiently incompetent actions cannot be distinguished from conspiracy.

Only for those who really want to believe that the conspiracy is real. The rest of us realize that even entities identified as bad actors make stupid mistakes.

On the other hand, the OP makes his motives perfectly clear with his editorializing.
posted by DWRoelands at 12:45 PM on March 5, 2009


Sufficiently incompetent actions cannot be distinguished from conspiracy.

Um, what? They sure can. Conspiracies are intentional, and when one does something intentionally, there is generally a motive. I don't see how a company like Diebold would profit from stealing elections to a degree that would justify the risk of getting caught.

I absolutely think that electronic voting machines are a bad idea, poorly executed. Without a doubt. But what we're seeing here is stupidity. To a near criminal degree, to be sure, but still just stupidity.
posted by ScotchRox at 12:46 PM on March 5, 2009 [3 favorites]


Fumbling for his recline button, Frank unwittingly instigates a disaster.
posted by EarBucket at 12:52 PM on March 5, 2009 [5 favorites]


Sufficiently incompetent actions cannot be distinguished from conspiracy.

If you're evil, make people think that you're stupid. If you're stupid, make people think that you're evil.
posted by Navelgazer at 12:52 PM on March 5, 2009 [2 favorites]


I know nothing. But:

there is no reason to reset a voting machine.

Wouldn't that depend on how much information the audit log generates, and the memory and storage of the machines? I mean, if you don't clear the log files, won't they eventually (or not so eventually) consume all memory or storage on the machine or otherwise crash it?
posted by ROU_Xenophobe at 12:58 PM on March 5, 2009 [1 favorite]


Only for those who really want to believe that the conspiracy is real. The rest of us realize that even entities identified as bad actors make stupid mistakes.

Only those who don't want to believe the conspiracy make excuses for it. Or something.
posted by drmanhattan at 1:00 PM on March 5, 2009


I know a number of Republicans that have stopped wearing their Steele election buttons lately.
posted by 0x029a at 1:03 PM on March 5, 2009


ROU_Xenophobe:

We are talking about a voting machine. If it has insufficient room in storage to accurately log the process of an election, then it is broken, and unfit to do the job for which it was purchased or leased.

Part of any reasonable specification for a voting system would be detailed and reliable logs of events that alter the data stored on the device, as comprehensive as is feasible.

They paid for a voting machine and got something else, a toy dressed up as a voting machine, perhaps.
posted by idiopath at 1:05 PM on March 5, 2009 [1 favorite]


"Sufficiently incompetent actions cannot be distinguished from conspiracy."

Oswald? He was doing a rifle drill routine when the gun went off. Three times. From different angles (What. It ricocheted). Plus the lizard people and the Illuminati. But that's just weird coincidence. I mean, Illuminati agents were gonna kill him with lizard people assassins. But then Oswald screwed the whole thing up completely by accident. True story.

"I don't see how a company like Diebold would profit from stealing elections to a degree that would justify the risk of getting caught."

Totally. That's why people don't rob banks.

Y'know, it doesn't really matter whether it's stupid or whether there's evidence or not of a stolen election. If you have the mechanisms in place to eliminate evidence that right there is a conspiracy. And even if it's not illegal - I sure like, y'know, accountability in my government.

Or what, we're supposed to trust these bozos just because there's no evidence of their committing a crime? Do you people hire child care from street solicitations or what?
"Oh, c'mon honey, there's no evidence Charley Short Eyes isn't a perfectly reputable day care center. Why would a man in a van lie? Just because he looks creepy, doesn't mean he is."

This is the mechanism by which we determine our leadership, not a horse race. It should be like Caesar's wife - above suspicion, above even the appearance of impropriety.
posted by Smedleyman at 1:06 PM on March 5, 2009 [9 favorites]


Just to account for the IDRTFA factor - from the piece: "...include a button that allows someone to delete audit logs from the system.
Auditing logs are required under the federal voting-system guidelines, which are used to test and qualify voting systems for use in elections. The logs record changes and other events that occur on voting systems to ensure the integrity of elections and help determine what occurred in a system when something goes wrong."

Law required auditing logs. Button deletes auditing logs. Company told button bad. Company put button on anyway. Other problems with the software include not recording when someone deletes auditing logs. Also, when auditing logs deleted - election officials are not notified.

...you gotta be a delusional paranoid here to spot a pattern?
posted by Smedleyman at 1:15 PM on March 5, 2009


Hey, I just added an item on my "Things to do if I get terminal cancer" list, right under "purchase a Punisher t-shirt and high-powered rifle."
posted by Optimus Chyme at 1:17 PM on March 5, 2009 [2 favorites]


I just got the phone call that I am not coming in to work today because I am laid off, so I may be venting some misplaced rage here, but this shit has me foaming at the mouth. There is no excuse to be using a system this incompetently designed. Whoever vouched for this voting machine, and whoever designed it, are both criminally negligent, at the very least. When you commission a piece of software for a specific task you are supposed to verify that it meets the standards set forth for that task. Have any of you ever tried to get unemployment benefits or food stamps? I am flabbergasted that they hold me to a higher standard in my foodstamp application (worst case - I get free food I don't deserve) than these fucks for a voting machine system (I won't even get into worst case scenarios here).
posted by idiopath at 1:24 PM on March 5, 2009 [7 favorites]


Oh I don't know about all this. I honestly don't believe this is some "Steal Election" button. What in the world would Diebold have to gain from this? Unless the company is run by Loki, I see no reason for Diebold to intentionally cause electoral pandemonium.

No, this is just shitty design.
posted by Holy foxy moxie batman! at 1:26 PM on March 5, 2009


Who says there would be pandemonium? In fact, with a handy button that - hey! - hides the evidence that records might have been changed, there would be no pandemonium, since no one would know that anything had happened.

What in the world would Diebold have to gain from this?

Gosh, I can't imagine what a major corporation would have to gain by currying favor with a major political party. Just can't think of anything.
posted by rtha at 1:33 PM on March 5, 2009 [1 favorite]


No, this is just shitty design.

I vote (heh) for this. Spectacularly shitty design. Shitty design that should cost them any future work.

I just can't imagine that, if they wanted to sneak in a way to steal elections, they'd put it in plain sight, right next to "Print" and "Save As."
posted by brundlefly at 1:33 PM on March 5, 2009


What in the world would Diebold have to gain from this?

Gosh, I can't imagine what a major corporation would have to gain by currying favor with a major political party. Just can't think of anything.



It can be used for both sides is my point.
posted by Holy foxy moxie batman! at 1:34 PM on March 5, 2009


So, erm, just to clarify: The theory is that Diebold is counting on election officials in Democratic counties to accidentally push the "Clear" button on a massive scale?
posted by FuManchu at 1:36 PM on March 5, 2009 [2 favorites]


Law required auditing logs. Button deletes auditing logs. Company told button bad. Company put button on anyway. Other problems with the software include not recording when someone deletes auditing logs. Also, when auditing logs deleted - election officials are not notified.

I'll agree that there's no reason whatsoever for this "feature" (as it's currently implemented) to be present on software which has to meet the guidelines you referenced. I think we're all in agreement there. There might, though, be good reasons to include it if it's properly developed and vetted first - Nelson's example of resetting and reselling a voting machine, for one. And there are definitely benefits to including it in development, testing, and other internal-use-only versions of their software.

I'm certainly no fan of Diebold, but this particular case just sounds like rank incompetence to me.
posted by xbonesgt at 1:37 PM on March 5, 2009 [1 favorite]


Who says there would be pandemonium? In fact, with a handy button that - hey! - hides the evidence that records might have been changed, there would be no pandemonium, since no one would know that anything had happened.


Except, as pointed out above, the logs are required by law in some states. It's not clear what the effect of deleting the log would be - perhaps nothing but it's entirely possible that a missing log would invalidate all the votes.
posted by patricio at 1:47 PM on March 5, 2009


FuManchu: Every election has observers from both parties. Each county has a particular political profile. If some counties had less votes than they ought, the outcome of an election could be very easily swayed.

Each political party, then, has a significant incentive to push the delete button in counties that are unlikely to go in the direction they'd like.

Dig?
posted by Freen at 1:50 PM on March 5, 2009


Also: only diebold knows that this is a complete deletion of all records, and hence, only those friendly with diebold will delete with reckless abandon.
posted by Freen at 1:50 PM on March 5, 2009


If you have the mechanisms in place to eliminate evidence that right there is a conspiracy.

I don't have to explain the definition of a conspiracy here, do I? Cuz that ain't it. All I'm arguing for here is using precise language. Never said anything about "trusting these bozos," or advocating for these machines or anything resembling that. And for the record, yes, I do think a corporation like this would make a more measured decision than some yahoo who robs banks "cuz that's where the money is."

It's just that I'm tired of these Bush conspiracy theories, because they obfuscate the real problems. Like, these Diebold idiots almost certainly got this fat government contract because of their connections and despite their incompetence. Which is messed up and corrupt and basically taken for granted as the way things work.

That doesn't mean that if Bush said "hey could you put a button in so I can steal elections" Diebold would say "SURE!" and risk losing said fat government contract and probably going to jail.

The childcare metaphor is actually somewhat apt. I wouldn't entrust my kids to a daycare center that lets toddlers play in unsafe / unsanitary conditions, nor would I entrust them to a daycare center that is actually a front for satanic child molestation rituals. Neither should be in the daycare business. But one of these is a hell of a lot more serious, and therefore requires a hell of a lot more proof before I'll believe it.
posted by ScotchRox at 2:07 PM on March 5, 2009 [1 favorite]


"Look, guys, my party was in power for eight years. We plunged the country into war and debt. We've ruined our reputation for years and, because of our gross incompetence and negligence, it seems like a whole generation of voters despises us. We've been reduced to petty infighting about who the 'real leader' of the party is. Currently, we're all being forced to kow-tow to a radio host. In the long run, the Bush presidency was, perhaps, more damaging to us than to the Democrats. Could you please, at long last, stop whining about us stealing the election?"

~My Republican coworker, up on being shown this article.
posted by Joey Michaels at 2:13 PM on March 5, 2009 [2 favorites]


Or "upon," if you insist on proper spelling
posted by Joey Michaels at 2:14 PM on March 5, 2009


It's possible to steal an election by casting doubt on the results. Say someone deletes the data on a voting machine in a heavily Democratic precinct. The observers notice the missing records. Both sides acknowledge that some votes weren't counted. So what happens then? In a close election with Republicans in control of the state house I'm pretty sure that the Republicans would have a chance of getting their win despite the obvious fraud. If you doubt that, just think back to Florida in 2000 or Ohio in 2004.
posted by rdr at 2:18 PM on March 5, 2009


aha! i *knew* Obama stole the election!
posted by UbuRoivas at 2:21 PM on March 5, 2009


This button clears audit history. Is there any mechanism for deleting/swapping actual votes that this button would be useful to conceal?
posted by cj_ at 2:24 PM on March 5, 2009


You know, I've always thought that conspiracy nuts and conspiracy-theory movies are really harmful to themselves. That is, if I were an intelligent, rational conspiracy nut (hopefully that's not an oxymoron) then I'd try my best to suppress conspiracy-theory sounding literature for the sake of sounding insane.

What I mean is -- I find myself very very suspicious of this vote-rigging situation. At the same time, inside my head I'm thinking "Aw, c'mon, this is so far fetched it's in the realm of movie shit". I'm rejecting a plausible theory because 1) conspiracies don't happen that often, or at least we don't know about them and 2) conspiracies are so fictionalized, placed in the realm of sci-fi pulpy thrillers. I connect the implausibility of fiction to a theory and reject it, not through a rational deduction but based on its probability as well as a general 'impression' of improbability. It's ultimately irrational, you know?

There's a germ of irrationality (at least in my thought processes) that claims to be rational, says "that's too far fetched, no way." I mean, all these conspiracy nuts and movies lower the signal-to-noise ratio -- so whenever a theory comes along I'm gonna say "well, the chances are, the probability is that this is just background noise." These conspiracies then don't get rejected on the basis of whether they're true or false according to rational tools of examination. They get rejected on the basis of their similarity to plots in fiction and things that crackpots say. I mean, if the crazy dude on the street passes you and says "it's 9:45pm!" you'd probably doubt him and check your watch or something.

And this is what I suspect goes through most people's heads who say "it's just incompetence" in this thread.

So. From the viewpoint of someone who really wants to know whether these conspiracy theories are true or not, the logical conclusion is to remove the non-rational aspects that end up being part of conspiracy theories.

Starting tomorrow, I will utilize my family inheritance for the sake of this goal. $3 billion will be poured into the creation of an anti-conspiracy-nut and anti-conspiracy-theory organization. Our organization will be in charge of systematically eliminating all conspiracy nuts, utilizing economic tactics and social blackmail to bankrupt and buy out tabloids like Weekly World News, The Enquirer, to take down websites such as Timecube, silence the Princess Diana conspiracies, the JFK assassination, Roswell, Area 51, the moon landings, and other theories. By 2019, the world will be free of the 'crazies', and conspiracy theories will be free to be legitimately and rationally debated alongside other theories. The stigma attached to conspiracy theory will be gone. In short, there will be a pro-conspiracy-theory anti-conspiracy-nut conspiracy. *rimshot*
posted by suedehead at 2:36 PM on March 5, 2009 [1 favorite]


We are talking about a voting machine. If it has insufficient room in storage to accurately log the process of an election, then it is broken, and unfit to do the job for which it was purchased or leased.

Well, obviously, but you'd still need to clear the log files between elections, or after every so many elections, wouldn't you?

I must be missing something, because it sounds to me like people are saying that the machines should be incapable of deleting log files, ever.
posted by ROU_Xenophobe at 2:38 PM on March 5, 2009 [2 favorites]


it sounds to me like people are saying that the machines should be incapable of deleting log files, ever.

You know what would be even better? If the log file were in simple, easily readable, easily verifiable, easily archivable format. What would this super-format be? What has such magical powers?

Paper.
posted by Nelson at 2:46 PM on March 5, 2009 [3 favorites]


cj_ it's not about swapping votes. It's about disenfranchising counties that have a particular political bent in a way that the vote totals for a given state are more preferential to one party than another.

Swapping is crude and hard. Disappearing a large number of votes in a highly democratic county can be the difference between winning and losing a national election, and most definitely a state.
posted by Freen at 2:48 PM on March 5, 2009


“I'm certainly no fan of Diebold, but this particular case just sounds like rank incompetence to me.”

You run a red light, you can get a ticket. Doesn’t much matter whether you meant to run it or you screwed up and didn’t see it. If you have a history of running red lights, and you tell me this time it was an accident, I'm going to doubt it. But either way - the deeds have been done.

“yes, I do think a corporation like this would make a more measured decision than some yahoo who robs banks "cuz that's where the money is.”

Yeah, they’re full of rational decision making with respect for the law. Long history of it.

“It's just that I'm tired of these Bush conspiracy theories, because they obfuscate the real problems.”

Like the Bush conspiracy facts? Of torture and whatnot? Hey, I’ll torture people, but rigging an election – whoa, way out of line.

There’s ample evidence of Diebold being committed to helping deliver votes to members of the GOP.
Like, the CEO of Diebold saying “I am committed to helping Ohio deliver its electoral votes to the president next year” in writing.

Perhaps I fail to address your definition of ‘conspiracy’ but for me – means, motive (y’know, a blatant statement to the effect) and opportunity are enough to establish that maybe something shifty took place and we should look into it with a critical eye. Innocent until proven guilty is for the courts, not for investigation.
So absent mitigating evidence to the contrary, yeah I think it merits looking into as a piece of a whole rather than an aberration.

But I’m not letting the Dems walk on that. Badnarik was ready to scrap in Ohio and Kerry and everyone else took a walk. Why, I don't know. I won't argue the why though.
Most comments here are variations of “I’m ignorant of….” Nothing wrong with not knowing something, but it’s not a good basis for an argument. It's enough that it is, isn't it?
posted by Smedleyman at 2:52 PM on March 5, 2009 [1 favorite]


This button clears audit history. Is there any mechanism for deleting/swapping actual votes that this button would be useful to conceal?

The entirety of the structure of both GEMS and the physical machine itself seem to be designed to delete or swap votes.

"I was shocked by how severe the problems were," he continued. "What's even scarier is that the researchers were looking at certified systems that have been already used in an election."
---
The access panel door on a Diebold AccuVote-TS voting machine – the door that protects the memory card that stores the votes, and is the main barrier to the injection of a virus – can be opened with a standard key that is widely available on the Internet.
---
Diebold claimed their audit log "can't be altered by any human."...Baxter is a chimpanzee, not a human, but alter the audit log he did, in a project for Black Box Voting. He used a real Cobb County, Georgia vote file and the GEMS central tabulator program from Diebold Election Systems. (This is back in '05)
---
The supervisor of elections in Tallahassee tested voting machines several times over the last several months, and on Monday, his workers were able to hack into a voting machine and change the outcome. He said that same thing might have happened in Volusia County in 2000.
---

I mean, hell, that ol' One Arm Bandit only has one tumbler out of three that even spins, and that one only ever comes up lemon, but calling it a FIX? That's crazy talk.
posted by FatherDagon at 2:56 PM on March 5, 2009 [3 favorites]


Man, I *hate* Diebold. I sincerely believe that at an executive level they were doing things to skew elections towards republicans.

But, as a computer programmer and manager of other computer programmers, I can only say this is just rank bad programming. Stupidity, bad design, bad management and inadequate auditing, but no way purposeful. It's just not the way you would do it if you wanted to do it on purpose. It's not even the way you would do it if you wanted a way to do it but you wanted it to look like an accident if people looked at it.

It looks like someone took their stock visual basic form for managing messages. Maybe some copy of a copy of the one that comes as a template, and dropped it in there.

It's a sign of just how f'ing terrible the programming style is. Which by the way has nothing to do with it being VisualBasic/Access/Logo whatever. (For the record, I haven't worked with a VisualStudio language since early college) - But, there is nothing wrong with them. You could build a nicely secure open system with one. Also, you can build something that sorta works, but really sucks in all sorts of interesting ways, very quickly.

So, really, this is not quite a plate of beans, since it's real (as in really stupid) - But, the conspiracy angle. Not so much.
posted by PissOnYourParade at 3:14 PM on March 5, 2009


Oh - Also..

If I did want to skew and steal elections, one way I might do it is to assign really, really incompetent programmers to design the security layer.

If you guys are looking for a conspiracy angle, that's a much stronger vein.
posted by PissOnYourParade at 3:16 PM on March 5, 2009


Swapping is crude and hard. Disappearing a large number of votes in a highly democratic county can be the difference between winning and losing a national election, and most definitely a state.
Yeah I get that, but that's not what this button does. It clears the audit log file, not erase votes. Is there also a big "erase votes" button in the UI too? That would seem to merit more concern. I'm not saying there isn't (nothing would surprise me at this point), but I haven't heard of such a thing.

The example screenshots show the service startup/shutdown logs, which is not that important. Not that this makes violating Federal regulations OK, but people seem to be conflating this with the ability to wipe out actual votes -- something not supported by TFA nor the 14 page PDF which has a whole section on the shortcomings of the audit log. Just trying to keep things in perspective here.

FatherDagon - Well, hacking into the machine is a whole other kettle of fish. Having a button to erase the audit logs is moot once you have low level access. Presumably anything you did directly to the database wouldn't be logged there in the first place. Agreed that these things need to be locked down to at least the standards banks expect of ATM machines.
posted by cj_ at 3:23 PM on March 5, 2009 [2 favorites]


And yeah, as a programmer myself, I am absolutely certain this was not intentional. This is just not how you would go about it. It's just shit code.
posted by cj_ at 3:29 PM on March 5, 2009 [1 favorite]


"Each political party, then, has a significant incentive to push the delete button in counties that are unlikely to go in the direction they'd like."

No, these are the LOGS that are deleted, not the votes.
posted by lupus_yonderboy at 3:48 PM on March 5, 2009 [1 favorite]


The case against electronic voting machines is already clear, and has been clear since they appeared. It's unanswerable. Whether they interfere with, or permit interference with, free and fair elections is irrelevant. What the machines mean is that the election cannot be seen to be free and fair. If elections cannot be seen to be free and fair, they cannot be wholly free and fair. Revelations like this are just additional kilos piled onto the megatonnage of that argument.
posted by WPW at 4:32 PM on March 5, 2009


This software really shouldn't have bugs like this in it. I used to work for a guy who had worked on military contracts but was leading us on embedded code for consumer electronics. He said you could be cheap, fast or predictable.

His mil stuff was predictable because there were penalties for coming in late so they'd make sure they bid enough time even if that meant some resources weren't 100% used at every moment during development.

We were supposed to be fast and only kind of cheap (because buying parts for 1st month's production often costs more than 1 year of development), so if we needed a faster computer or better logic analyzer we often got it. The managers constantly combed the schedule looking for changes to the critical path & opportunities for "parallelism" (breaking unnecessary dependencies)

Voting machines are not low-margin devices. They are not tamagotchi, so there should be plenty of funds (and time: these things were not rushed) for testing compliance with standards. Just like with military and medical gear where lives are at stake and ATMs (oh yeah...) where the bank's money is at stake, the testing procedures can NOT be shortcut.

I thought the opportunity had been blown, but it seems these machines are so bad as to be uncertified by some states and there's a new WPA, so maybe we can get some university-developed GNU/Linux touchscreens now? Security audits by Ed Felten? System-on-Chip by Texas Instruments, Freescale or Intel.
posted by morganw at 4:48 PM on March 5, 2009


Open source e-voting with...
- dual paper trail
- - internal receipt stored in the machine stamped with hash of time of vote + machine serial
- - external receipt given to voter stamped with hash of time of vote + machine serial
- logging
- - log each boot
- - log each access-door open
- - log each media removal/insertion
- - log each vote
- - log each log clear, persistent across log clears (at capacity, this becomes n-item ring buffer)
- - log each vote clear, persistent across log clears (at capacity, this becomes n-item ring buffer)
- access
- - strong pwd required by precinct captain before each election
- - access-door open or media removal/insertion causes alarm unless capt. pwd entered beforehand
- - logs and vote totals cannot be cleared on election day or for 90 days afterward


I'm sure that others can think of other important design elements (write-only remote redundant logging through a local, wired, encrypted network might be nice).
posted by jock@law at 5:08 PM on March 5, 2009


Those saying this only deletes the logs and doesn't change actual votes, well, yes, but we already knew that votes were easily alterable or removable. There have been plenty of links supplied to that effect already here. It seems that the need to refuse to believe "crazy conspiracy theories" is completely obscuring the evidence here. This is criminal, and of the utmost significance.
posted by kaspen at 5:20 PM on March 5, 2009


- - external receipt given to voter stamped with hash of time of vote + machine serial

Absolutely not. Being unable to usefully sell your vote hinges on being utterly unable to prove to anyone how you voted.*

"Open-source" e-voting is really fucking simple.

(1) Use machine to print human-readable ballot.
(2) Count ballots, probably with OCR but the ballots are there to be hand-counted for any close race.

Which isn't really e-voting, I know. There are real uses for electronic voting machines, but there's no really good reason to combine the ballot generation with the counting. Doing so just means buying a little more equipment.

*I'm not sure how realistic this is, as you could video yourself voting with your cell phone if there's enough privacy. Mine has a picture of the little lever ticked over Obama.
posted by ROU_Xenophobe at 5:26 PM on March 5, 2009 [1 favorite]


"Deleting a log is something that you would only do in de-commissioning a system you're no longer using or perhaps in a testing scenario.."

So, big fucking deal. Nice beatup.
posted by mattoxic at 6:17 PM on March 5, 2009


"what we're seeing here is stupidity. to a near criminal degree, to be sure, but still just stupidity."

That's also what a lot of people said about Bush and his administration. I don't believe it.

The biggest pile of money and the most powerful positions in the world are at stake. I have to assume the worst.
posted by krinklyfig at 6:23 PM on March 5, 2009


"I'm sure that others can think of other important design elements"

Pen and paper on ballots counted by election volunteers. Canada still does it like this.

Make it a bubble ballot using optical scan to count, if necessary. Anything more complex is asking for trouble. This doesn't have to be done with the fastest technology, or the latest whatnots. This just has to be done well, with integrity, transparency and accountability. It's still possible to rig a paper ballot election, but with the right level of participation, transparency and accountability, it's much harder to get away with it except on the smallest scale.

Electronic voting systems produced by a single or a few vendors with closed source software make large scale fraud trivial. Open sourcing the software only solves the transparency problem if you're a software developer versed in that language. It has to be transparent to everyone.
posted by krinklyfig at 6:28 PM on March 5, 2009 [2 favorites]


(at capacity, this becomes n-item ring buffer)
No: at capacity, you take out the append-only memory module (do they still manufacture PROMs?), store it in the county archives, and put in a new blank one.
Being unable to usefully sell your vote hinges on being utterly unable to prove to anyone how you voted
This is a pretty big stumbling block for secure voting: being able to prove, even to yourself, that your vote was counted, can usually be leveraged into being able to prove to the mob boss / factory boss / abusive spouse how you voted. If you decline to so prove, they simply assume the worst and kill/fire/beat you. The Rivest Three-Ballot system is an attempt to deal with this problem; it's not perfect but it's a start.

Unfortunately, lots of areas have pretty much given up on protecting against coercion. The entire state of Oregon and most of Washington, for example, are vote-by-mail now. Absentee ballot votes are really easy to coerce. (I assume that this is why you used to have to prove a need before being able to vote absentee.)
posted by hattifattener at 7:01 PM on March 5, 2009 [1 favorite]


You don't need fancy voting machines. You just need to copy how we do things in Canada. Exactly. I think I say this in every thread on this topic. Elections Canada is the best thing ever.
posted by chunking express at 7:43 PM on March 5, 2009 [2 favorites]


If you feel we absolutely need to design a system where it's not possible to prove how you voted, please do one of the following:

-- outlaw absentee ballots
-- outlaw cameras, scanners, and human eyeballs

TYVMIA
posted by jock@law at 8:01 PM on March 5, 2009


Could you please, at long last, stop whining about us stealing the election?

This playbook seems eerily familiar.

1. Deny
2. Deny
3. Ridicule critics
4. Deny
5. Block investigations
6. Deny
7. "Oh of course we did but that's ancient history. Get over it."
posted by rokusan at 8:15 PM on March 5, 2009 [5 favorites]


Elections Canada is the best thing ever.

I hear you.

Except if the USA had a similar model, the neocons would have spent the last twelve years appointing, promoting and squeezing as many operatives as possible into the "non-partisan" body in order to ensure that their impartiality was, you know, the kind they wanted in future.

That is, if they could pry out all the embedded Scientologists.
posted by rokusan at 8:17 PM on March 5, 2009


You don't need fancy voting machines. You just need to copy how we do things in Canada.

The first step of doing so would have to be to cease electing every currently elected state and federal office except US Representative and the lower chamber of state legislatures, which I put it to you would be a tad unpopular.
posted by ROU_Xenophobe at 9:49 PM on March 5, 2009


> Well, obviously, but you'd still need to clear the log files between elections, or after every so many elections, wouldn't you?

No. The way to do this is to make a removable log storage device that is periodically replaced. The logs should be stored on a WORM device that only permits append and read operations on the log files. Put the device in a tamper-evident enclosure and give each device some unique marking (like -say- a serial number) that the election officials note in their logs.

If we're going to do electronic voting, we have to do it correctly. There's no excuse for incompetence or inadequate funding.
posted by simoncion at 1:46 AM on March 6, 2009 [1 favorite]
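
The append-and-read-only log described in the comment above, approximated in software as an added example (not code from the thread or from any voting system). A hash chain stands in for the WORM device, and the head hash plays the role of the serial number that officials note outside the machine; the class and function names are hypothetical and the events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start-of-chain value


def _digest(prev_hash, seq, event):
    """Hash a record together with the hash of the record before it."""
    body = json.dumps({"prev": prev_hash, "seq": seq, "event": event},
                      sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


class AppendOnlyLog:
    """Offers append and read only; deliberately has no clear or delete."""

    def __init__(self):
        self._records = []

    def append(self, event):
        prev = self._records[-1]["hash"] if self._records else GENESIS
        seq = len(self._records)
        self._records.append({"seq": seq, "event": event, "prev": prev,
                              "hash": _digest(prev, seq, event)})
        # The caller records this head hash (and the count) outside the
        # machine, e.g. in the election officials' own paper log.
        return self._records[-1]["hash"]

    def records(self):
        return [dict(r) for r in self._records]  # copies, not the originals


def verify(records, witnessed_head, witnessed_count):
    """Return a list of problems; an empty list means the log is intact."""
    problems = []
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            problems.append(f"record {i}: sequence gap")
        if rec["prev"] != prev:
            problems.append(f"record {i}: broken link to previous record")
        if rec["hash"] != _digest(rec["prev"], rec["seq"], rec["event"]):
            problems.append(f"record {i}: content altered")
        prev = rec["hash"]
    if len(records) != witnessed_count:
        problems.append(
            f"record count {len(records)} != witnessed {witnessed_count}")
    if prev != witnessed_head:
        problems.append("head hash does not match witnessed value")
    return problems


if __name__ == "__main__":
    log = AppendOnlyLog()
    head = None
    # Constructed events, taken from the kinds of entries listed upthread.
    for event in ["boot", "access-door open", "media insertion", "vote"]:
        head = log.append(event)
    print("intact: ", verify(log.records(), head, 4))
    print("cleared:", verify([], head, 4))
```

A cleared or truncated log fails both the count and the head-hash check, and a log rebuilt from scratch with the same number of entries still fails the head-hash check, as long as the witnessed values are kept somewhere the machine's operator cannot rewrite.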


This button clears audit history. Is there any mechanism for deleting/swapping actual votes that this button would be useful to conceal?

Diebold voting machines are basically Windows tablets. All you need is the program to alter the votes on a USB drive.
posted by Pope Guilty at 1:51 AM on March 6, 2009


To be fair, it's not like state senates do anything whatsoever.
posted by mek at 2:53 AM on March 6, 2009 [1 favorite]


apologies for the length, this is from the actual report commissioned by the state of California.

The CIBER report on its evaluation of software and documentation pursuant to the 2002 federal standards is unusually brief (16 pages) given the complexity of the required evaluations. None of CIBER's reports on this system discuss in sufficient detail the methodologies, tests, or results that were obtained, and thus do not permit a reader to formulate an informed opinion on the degree to which the Diebold voting system met or exceeded the minimum federal standards for qualification.

*Security Policy Differences. Pursuant to the federal standards, Diebold submitted to CIBER a set of voting system security policies that it would mandate for localities purchasing the Diebold system. A comparative analysis shows that the security policies Diebold filed with CIBER were considerably more stringent and extensive than those it ultimately documented in Diebold's product manuals. These sharp differences raise the question of whether California counties are provided with adequate information to implement the security conditions under which the Diebold system was tested and approved.

*Configuration Audit. An audit comparing the California-certified configuration of the Diebold voting system with the configured system the vendor provided for the TTBR disclosed numerous differences. A number of these configuration discrepancies involve an uncertified component, and unapproved and largely disabled security settings, raising serious questions about the voting system's accuracy, security, and reliability.

*Security: The vendor documentation misses opportunities to assist election officials who are striving to achieve secure elections. The vendor recommends certain security-oriented practices without an explanation of possible vulnerabilities. This approach tends to minimize serious security risks and sidestep mitigation strategies.


...

The GEMS software application is the “election management system” component. It is used in election preparation to create and configure ballots (both electronic and paper ballots), and programs memory cards for use in Diebold voting devices. Post-election, the main GEMS computer or “server” receives voting data from memory cards, tabulates, and then reports election results. GEMS sends or “uploads” configuration data for the AV-OS and AV-TSx units onto memory cards, which then store voting data from ballots cast in the election. These memory cards are then returned to the election offices for vote tallying after the polls close.
At the close of the election and after the memory cards are returned to the county offices, the voting data must be uploaded from the memory cards into the GEMS system for tabulation. This uploading typically occurs via networked devices of the type in which the voting data was stored. The TSx touchscreen memory cards are read by TSx devices linked to the GEMS PC by Ethernet. The memory cards from precinct-based optical scanners (AV-OS) must be inserted into the same type of scanner that recorded the voting data but this scanning unit is connected to the GEMS server. GEMS then deposits the vote data into its election database that was configured by county election employees prior to Election Day.

...

The federal standards under which the Diebold voting systems were evaluated accord a pivotal role to Independent Testing Authorities’ (ITA) evaluations. At the time that the Diebold systems under review here received California certification (February 17, 2006), the ITA laboratory reports formed the primary basis for the “qualification” determinations made by the National Association of State Election Directors (NASED). The Diebold system was reviewed and qualified by NASED under the technical standards found in the 2002 Voting System Standards (VSS) and not the newer 2005 VSSG. The 2002 VSS is comprised of two volumes which specify performance standards and also the testing and examinations required for VS qualification. At the time the Diebold systems were reviewed for federal qualification, the ITAs exercised an almost unique role and set of powers over voting systems used in this country. Given that the VS vendors have typically asserted proprietary rights and access restrictions over the source code, documentation resources, and election databases, and because State governments have generally deferred to the ITA examination regime, virtually no entities and examiners other than the ITAs have had the opportunity to evaluate the accuracy, security, and other attributes of the voting systems either for compliance with the governing standards or according to independent criteria. The ITA report is expected to reveal in extensive detail the integral parts, component operations, the scope of testing with all test results, and overall systemic functioning of the VS submitted for review. To complete these extensive evaluations, under the 2002 VSS vendors were required to submit their voting system source code, documentation, and hardware to the ITA.

...

The exclusive discussion in the TDP of the platform security specifications of Windows NT 4.0 seems out of place with the repeated assertions in the TDP that GEMS was designed for Windows XP, the fact that the Server Administrator's Guide and other documentation describes installing GEMS on Windows 2000 Server, and the fact that the GEMS server provided to the TTBR study was running Windows 2000 Server.

One troubling finding based on a comparison of the TDP and the customer documentation supplied by Diebold is that the security policy presented in the Diebold customer documentation differed significantly with the mandatory client security policy that Diebold submitted to the ITA. See Section 6.1 for an extensive discussion of this issue.

Uncertified Components and Configurations
As discussed below, we find that certain Diebold VS configurations that are widely used in California counties may not have been federally qualified or State certified. For the affected counties, integration of uncertified VS components among certified components may render the voting system as a whole uncertified for use in California.

4.3.1.1 JResult Client
As part of its GEMS product, Diebold distributes a Java-based application program called JResult Client. JResult Client is used for periodically generating visually-appealing updated reports of election results for public display and for posting on the Web as tabulation proceeds on election night. JResult Client is pre-installed on GEMS servers prior to delivery to customers.

It can also be installed and used on Windows-based PCs other than the GEMS server.
We believe that the presence of JResult Client on GEMS servers in California raises a number of very serious concerns about the integrity of the GEMS servers deployed in California, as well as their legal status. As illustrated below, there is no evidence in any documentation we have reviewed that JResult Client has been submitted, with the required documentation and source code, for testing by an ITA. There is no evidence that it has qualified under federal standards, been submitted for certification in California or been certified for use in California. The California certification of GEMS 1.18.24 was granted with the condition that "[n]o additional software developed by the Vendor other than that specifically listed in this certificate shall be installed on a computer running GEMS version 1.18.24."

These facts raise substantial doubt as to the certification status of any GEMS server in use in California that includes JResult Client. As such, it is possible that GEMS servers in use throughout California are used in an uncertified configuration. JResult Client is installed on and can be run on the GEMS server machine, a separate Windows workstation, or both. As its documentation, configuration and persistent interaction with GEMS make clear, JResult Client is a GEMS component and not a COTS item. JResult Client is a Diebold developed application, written and deployed to facilitate election management activities on the GEMS server. The documentation specifies that a Diebold technician or an election administrator shall install JResult Client as a “component” of the GEMS product via the GEMS install wizard.
...

GEMS and was present, in compiled form, on the GEMS server provided by Diebold to CIBER and the GEMS server provided by Diebold for the TTBR study. This server, Diebold representatives assured us, was configured in the same manner as the other GEMS servers sold to California election jurisdictions. A directory listing included in Addendum 5 to the CIBER testing report for GEMS 1.18.22 indicates that the compiled JResult Client application files were present on the GEMS server submitted for ITA testing. This is the only reference to JResult Client contained in the CIBER report. It is not clear why CIBER did not flag this software in its report or seek more information about JResult Client from Diebold prior to recommending qualification of the system. Neither the source code nor the system design for JResult Client appear to have been reviewed by CIBER and were likely not submitted by Diebold for CIBER's review. The CIBER report lists programming languages employed in the source code they reviewed, and Java appears nowhere on this list. The GEMS TDP includes no description of the JResult Client design or testing and includes no coding standards for Java programming. While the non-certification of JResult Client in California, by itself, compromises the integrity of elections in California jurisdictions using GEMS, we discovered several specific issues with JResult Client that we believe make its presence and use on election equipment in California cause for very serious concern. The first issue is that the GEMS documentation describes an approved use case in which JResult Client, running on the GEMS server, posts election results to an FTP server connected to the Internet. The establishment of such a link, however indirect, between the GEMS server and the Internet should be thoroughly examined as a matter of election security. 
The second issue of great concern is that JResult Client and the GEMS Results Server interact with a common resource on the GEMS machine, or on a networked machine.

An examination should be done into potential concurrency problems that could cause the processes to collide and threaten the stability of the GEMS server during election tabulation. Also of concern is the specific JResult Client configuration as installed on GEMS servers. Both the file listing in the CIBER report addendum mentioned above, and our own configuration audit of the GEMS server provided to the TTBR reveal that the GEMS installation script copies both individual Java class files (bytecode files) and a JAR file containing the class files to the JResult Client installation directory on the GEMS server. This is not only a configuration management problem, but a potential vector for an attack. An attacker with access to the GEMS server could, for example, copy modified class files to the GEMS server in place of the original files. These potentially malicious class files could be executed in place of the code in the JAR file by making a small change to the CLASSPATH environment variable or to a batch file that invokes the JResult Client program. This malicious code may evade detection because anyone verifying the signature on the JAR file would find that it has not been modified and conclude that the JResult Client application in use on the GEMS server has not been modified. The fact that this configuration defect was not noticed or not reported by CIBER is also cause for concern about the thoroughness of their testing of GEMS.

posted by Challahtronix at 6:34 AM on March 6, 2009
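
A configuration check for the defect the quoted report describes, as an added example (not code from the report or from Diebold): it compares loose `.class` files in an install directory with the entries inside the JAR and reports whether the directory precedes the JAR on the classpath, which a JAR signature check alone would not reveal. The file names, class names and function names are hypothetical, and the sample directory is constructed.

```python
import hashlib
import os
import tempfile
import zipfile


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def audit_install_dir(install_dir, jar_name, classpath):
    """Compare loose .class files in install_dir against the JAR's entries.

    Returns (findings, dir_shadows_jar). A JVM searches classpath entries in
    order, so a directory listed before the JAR supplies its own copy of any
    class that both contain.
    """
    jar_path = os.path.join(install_dir, jar_name)
    with zipfile.ZipFile(jar_path) as jar:
        in_jar = {n: _sha256(jar.read(n))
                  for n in jar.namelist() if n.endswith(".class")}

    findings = []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            if not name.endswith(".class"):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, install_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                loose = _sha256(fh.read())
            if rel not in in_jar:
                status = "loose-only"
            elif loose != in_jar[rel]:
                status = "differs-from-jar"
            else:
                status = "duplicate-of-jar"
            findings.append((rel, status))

    entries = [os.path.normpath(e) for e in classpath.split(os.pathsep) if e]
    d, j = os.path.normpath(install_dir), os.path.normpath(jar_path)
    dir_shadows_jar = d in entries and (
        j not in entries or entries.index(d) < entries.index(j))
    return sorted(findings), dir_shadows_jar


def build_sample(install_dir, jar_name="jresult.jar"):
    """Constructed layout: a JAR plus loose copies, one of them changed."""
    classes = {"jresult/Main.class": b"constructed-bytes-main",
               "jresult/Report.class": b"constructed-bytes-report"}
    with zipfile.ZipFile(os.path.join(install_dir, jar_name), "w") as jar:
        for name, data in classes.items():
            jar.writestr(name, data)
    os.makedirs(os.path.join(install_dir, "jresult"))
    for name, data in classes.items():
        if name.endswith("Report.class"):
            data += b"-changed"  # simulates a loose file that drifted
        with open(os.path.join(install_dir, *name.split("/")), "wb") as fh:
            fh.write(data)
    return jar_name


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_sample(tmp)
        cp = os.pathsep.join([tmp, os.path.join(tmp, jar)])
        print(audit_install_dir(tmp, jar, cp))
```

Any `differs-from-jar` or `loose-only` finding combined with `dir_shadows_jar` being true means the code that runs is not the code whose signature was checked.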


Seconding the Scantron option mentioned above. People know how to use them, they're quickly machine readable. And if we are going to have electronic machines, I really don't see why they need to be based on PC hardware and running consumer OSes. Or why it even has a USB port. Let the government commission a dedicated appliance that only knows how to do one thing: count and log votes. Better yet, make them dumb terminals that connect to a voting data center administered by an appropriate fruit salad of acronym agencies and crawling with observers. The voter can get a stub with a hash on it identifying the transaction that carried their vote, and the election can be "played back" later if necessary.

I just don't get the current model. At this point, a cheap standardized appliance would even be cheaper than using dumbed down PCs.

It's not actually that hard to come up with a system that works (better.) This isn't a conspiracy, it's a typical pork barrel boondoggle that long ago threw the integrity of its goal to the wind for the promise of profit. Diebold/PES kowtows to Republicans as much out of financial as ideological fealty. We taxpayers didn't get something evil, so much as we got something broken and useless.

Mark my words, we will end up throwing all this Diebold junk away and starting over.
posted by snuffleupagus at 6:41 AM on March 6, 2009


The first step of doing so would have to be to cease electing every currently elected state and federal office except US Representative and the lower chamber of state legislatures, which I put it to you would be a tad unpopular.

I still don't see how it would fail to work in the US. I mean, yes, you'd need to add all your lost dog catchers and cafeteria ladies to the ballots, but a centralised non-partisan body in charge of all elections seems like a good idea.
posted by chunking express at 7:35 AM on March 6, 2009


This button clears audit history. Is there any mechanism for deleting/swapping actual votes that this button would be useful to conceal?

BECAUSE OF THE BUTTON... THERE IS NO WAY TO KNOW.
posted by odinsdream at 10:45 AM on March 6, 2009


Agreed that these things need to be locked down to at least the standards banks expect of ATM machines.

If only Diebold had access to the resource and development of companies that develop ATMs.
posted by odinsdream at 10:57 AM on March 6, 2009 [2 favorites]


Voting Machines Elect One Of Their Own As President
posted by joannemerriam at 8:33 PM on March 6, 2009


This thread has been archived and is closed to new comments