back to article Surprise: Ohio's e-voting machines riddled with critical security flaws

Electronic voting machines used in Ohio contain critical security failures that could jeopardize the integrity of state elections, according to a study commissioned by Secretary of State Jennifer Brunner. The report found that the machines were susceptible to numerous hacks, many that required little sophistication on the part …

COMMENTS

This topic is closed for new posts.
  1. Tam Lin

    Ohio is riddled with crooked politicians.

    More to the point, there has never been a single documented case of a honest election in Florida or southern Ohio in the last eight years.

  2. Joe Stalin
    Alert

    Has she been to Scotland?

    The last elections to the Scottish Parliment were done with ballot paper scans, and we ended up with umpteen thousand vote being discounted. Mind that was caused by having two votes on one paper and another vote on a second paper and no-one bothering to explain the procedure. I know that the Americans vote for everything for Presidents to dog catchers (they got the wrong way round the last time), so how many seperate elections will be decided on november? And whats the chance for a screw up? Maybe if they screw up the might get the actual real winner this time.

  3. Anonymous Coward
    Alien

    Re: Ohio is riddled with crooked politicians.

    Hey now! I know we have a few honest ones around here, somewhere .. How about John Glenn (oh wait, he retired), or maybe former Cincinnati Mayor Jerry Springer (wait, maybe not the best example of Ohio politicians). I've actually met former Senator Mike Dewine, and he struck me as an honest person, though he was defeated in a reelection bid last year (maybe he was too honest).

    Alien icon, since they're probably involved, somehow.

  4. Anonymous Coward
    Flame

    Just because they're horribly insecure....

    ...doesn't mean that we'll not soon be swamped by zealots, so enthralled with blinky lights, as to say that "electronic voting is the only way the future can be" and will pooh-pooh any talk of using traditional paper and clockwork voting processes.

  5. Morely Dotes
    Black Helicopters

    Ah, the Bart Simpson defense

    "It is important to note that there has not been a single documented case of a successful attack against an electronic voting system, in Ohio or anywhere in the United States," an executive for Premier said in response to the report. "Even as we continue to strengthen the security features of our voting systems, that reality should not be lost in the discussion."

    Or, as Bart Simpson so succinctly puts it, "I didn't do it! Nobody saw me do it! You can't prove anything!"

    The real question now is not "are the elections crooked," but rhater, "did Republicans utilize these security holes independently, or did they hire the DRE makes to steal the elections for them?"

    Does anyone else suspect that the real reason the software is closed-source is not to protect trade secrets, but to protect crooked DRE makers and politicians?

  6. Anonymous Coward
    Anonymous Coward

    At Anonymous Coward

    Coming from Ohio, as I assume you are too, I agree that Ohio has several crooked politicians (anybody remember James Traficant?) However, I don't believe Mike Dewine was the great person he wanted people to believe. The simple fact that the man never seemed to appear in the news except on election years told me that his family values platform was nothing more than a front-end for a campaign to convince moderate conservatives to avoid the democrats in the last mid-term elections. I did have the opportunity to meet (and have my picture taken with) Senator Sherrod Brown (who was elected over Dewine in 2006). I can't vouch for him personally since I've only met him once; however, just in seeing his active presence in the Senate I believe he has a great political career in his future. As for Jerry Springer, he's not originally from Ohio (or the US, for that matter) and his previous attempts to enter the political scene just seem to be overshadowed by his TV show. I don't even know if I would've voted for him.

    Oh well, cold weather and corrupt politics aside, what's there to complain about Ohio?

  7. Alan Donaly
    Happy

    Cheating was done before

    without electronic voting some of the Mayoral elections in Chicago come to mind even the dead vote for Mayor Daily I think was the joke at the time.

  8. Brian Miller

    The vote monitoring is incompetent anyways

    The last time I voted with touch-screen machines, I found that I would touch on one candidate and the vote would go to another candidate, and I would have to touch on a blank part of the screen for my vote to be registered properly. The person monitoring the polls asked me about my voting experience, and asked the stupidest questions, like if the votes mysteriously changed at the very end. I don't think that the electoral staff have any clue about how the votes can be hacked. At least my county has gone to mail-in ballots instead of polls.

    (And if the election is decided by screwed-up ballots cast by senile or illiterate voters, then chuck *both* candidates and start fresh!)

  9. Duncan Hothersall
    Heart

    @ Joe Stalin

    Given that you seem to be aware that the problems with the Scottish elections were nothing whatsoever to do with the machines that counted the paper ballots, I wonder why you brought it up? If anything, the Scottish elections demonstrate that if we could guarantee secure and verifiable (i.e. open source) electronic voting systems, then many people would benefit from being led through the voting procedure, rather than getting presented with two sheets of paper with misleading names on them and some slightly unclear instructions.

  10. Alex
    Jobs Horns

    Being from Ohio, this is not surprising

    This is just another story in a long legacy of J. Kenneth Blackwell, the former Secretary of State for Ohio. When he realized that the state was swinging from his party (he is a Republican), he did everything he could to stop the shift.

    He forced an old law (which wasn't enforced in over 130 years) that all voter registrations had to be on a certain paper, which his office didn't even have.

    He moved machines away from Democratic districts to add lines and added machines to Republican districts. Some rural areas, with districts of less than 1000 people and generally lean Republican, had just as many machines as more densely populated urban areas, which have about 6000 people and usually lean Democrat.

    He tried to call for an end in provisional balloting, which is more common in urban areas rather than rural.

    There was more than one Republican leaning district that had more votes cast than people living in the district, and he didn't bother investigating the anomaly.

    He tried to run for governor of Ohio, and failed miserably, losing by a ratio of 8:5 (or 1.6:1).

    The voting machines have been suspect for 7 years, so this is nothing new.

  11. Anonymous Coward
    Anonymous Coward

    meh..

    Doesn't matter what the voting medium is, someone will figure out a way screw it up...

  12. Callenby

    Wanna see a really flawed e-voting machine?

    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

    Now here is a hucked e-voting machine!! Satirical as it is, it's not far fetched.

    http://www.capitalpoliticking.com/vote%203b.ppt

  13. Anonymous Coward
    Coat

    @Morely Dotes

    "Does anyone else suspect that the real reason the software is closed-source is not to protect trade secrets, but to protect crooked DRE makers and politicians?"

    I agree, they probably put a copyright notice in like that one guy put in that virus. Can't remember names, can't be arsed to look it up.

  14. Steve Welsh
    Coat

    Voting - electronic or otherwise...

    As they say in Ireland "Vote early, vote often"

  15. heystoopid
    Paris Hilton

    Ah !

    Ah , that explains much as to why the voting was so far out from the exit poll counts back in 2004 in many places with these "D.......... Crap" machines !

  16. Andy Worth

    Well

    It's easy not to have a "single documented case" of a successful attack if said documents "disappear".

  17. Steve

    Aren't they missing the point?

    "It is important to note that there has not been a single documented case of a successful attack against an electronic voting system, in Ohio or anywhere in the United States,"

    Surely that's because a documented attempt at election fraud is, by defnition, an unsuccessful attack.

    What really worries me about this is all the electronic voting machines that they can no longer be used in the US are bound to be sold on to us - probably using the 1:1 $/£ exchange rate that they seem to use when exporting to us.

    Still, it's not really going to affect me - I've given up on voting until they add a "none of the above" box to the ballot.

  18. Anonymous Coward
    Anonymous Coward

    Let's hear it for North Canton, Ohio

    Funny that the critical study was conducted in Diebold's home state, Ohio. Diebold is the parent of Premier Election Solutions, so the report can't have made happy reading in North Canton.

  19. Anonymous Coward
    Anonymous Coward

    Single documented case...

    Well you'd only actually have a "documented case" in the first place if you'd actually *discovered* that the election had been rigged...

    It's not really worth tampering with the vote in the first place, if it's likely to be discovered and called void!

  20. John Browne

    What about lotto machines

    You tick the boxes on a piece of paper, It gets put in the machine and it spits out the receipt with the numbers on it and then registers your play and numbers centrally. And you can see that the machine read your intentions correctly.

    It's simple and everybody trusts it.

    And more to the point on big jackpot days each individual lotto machine will process more requests in an hour than a voting machine will process in an election.

    Of course the most important thing of all is that it will allow you to do a "quickpick"

  21. regadpellagru

    business case of e-voting machines

    Someone will have, one day, to explain that the sole reason of going from a proper and transparent manual voting system to an e-voting system is in fact concealment.

    Why else pay 7 kE per system + maintenance ? Gain of time ? Rubbish, it's been proved to take longer. Automatic results ? Why care, since it's all benevolent time (at least in France), there's no shortage of people to do it, and it anyway only happens once or twice per year. Faster results ? What's the problem with waiting one night more on top of the usually 5 years between the same elections ?

    Final question, left to the readers, why concealing the voting process ?

  22. BoldMan

    @regadpellagru

    Totally agree.

    What is so broken about hand counting? It works and its difficult to "hack" without leaving evidence. Oh but then the 24 hour running news will have to wait a few more hours before issuing a result as opposed to making up their own minds within 5 minutes of the poles closing and announcing that result.

    Why are people unable to wait for a short time while votes are counted? Is it that difficult to wait?

  23. Brett Brennan
    Pirate

    I've said it before and I'll say it again...

    ...the only companies MISSING from the list that build eVoting machines are the gambling machine vendors - these are the only machines that have a proven track record of being very difficult (but not impossible) to hack. I know they submitted designs; they just never made the short list.

    The bottom line: when there are huge financial rewards hanging in the balance, there will always be some attempt to "guide" the outcome of a vote. It's a very American Tradition to attempt to "fix" elections, dating back to our founding Fathers. American election law is filled with rules designed to prevent hundreds of types of fraud, ranging from the requirement to close pubs and liquor stores during polling hours to more esoteric rules on randomizing the order of candidates and issues on the ballot to prevent the first in the list from getting too many votes.

    And finally, the whole issue of DRE machines and a printed record is nothing more than another good dose of FUD. Or, as Lyndon Johnson put it "I don't really care if he (his opponent for the Senate in Texas) is a pig fucker - I just want him DENYING it."

  24. PolicyWatcher

    A bad case of sloped shoulders?

    "No matter what type of voting system is used, conducting elections requires the involvement of well-trained election officials and poll workers," ES&S said in a statement. "All play an important role in the integrity and security of elections. Elements of this report appear to ignore that important reality."

    In other words, the same "technical holes are irrelevant, they are prevented from becoming exploits by the administrative procedures" rubbish that the NIST explicitly discounted and discredited in its report last year.

  25. James Anderson
    Alert

    People have an innate understanding of tin boxes and sealing wax

    ".. well trained election workers and poll workers ..." ahha they have a $500 per seat training coarse they want every election official to go on.

    In most cases there are not " election workers " but volanteers who give up several hours of there time for the common good. You cannot restrict applications to thos wha are "ACME RNG votong machine certified" and you cannot reasonbly for a resonable amount of money send them all on a "Certification" coarse to whatever snakeoil sales company sold you the re-boxed PCs running Windows 2000 ( which mostof them are.).

    On the other hand a piece of paper, a pencil, a booth with a curtain, a tin box sealed with string and sealing wax. Most people with no previous experience could walk into a manual voting setup and know what to do. What is more most people don't need a computer science degree to recognise when something is wrong with this setup.

    Bruce Schnier had an intersting blog on this where he put a market value on a vote. Not having actual bribery figures to hand he resoned that as the various parties spent approx; $1,000,000,000 to lure 111,000,000 voters an average vote is worth at least $10 dollars. But votes are not average and over half the campaign money was focused on five "swing states" with just 5,000,000 voters i.e. $100 dollers per vote.

    Given that campaining is a very uncertain way to get votes, a guarenteed "I can fix the machine" vote must be worth at least $200 dollars to an unprincipled polititian or his supporters. I think a hacker could reasonably charge $200,000 to swing a thousand votes at a chosen station. A lot more than the average e-bay hack or phishing scam and by all accounts a lot easier.

  26. Ed

    documented cases?

    When you're talking about a device that includes no logs that could report anomalies that could indicate a security breach, it's really difficult to have a documented case.

    When you have a device that records its data on a memory chip, and that data is just the sum for each of the various candidates, and there's either no checksum, or an obvious one (such as a simple sum of the numbers), it's really hard to detect a fake chip, substituted for a real one.

    When you have closed-source software running on the machine, and it leaves no paper trail, it's really difficult to document when it's not doing what it's supposed to be doing. Note that testing before the election doesn't necessarily find the problems, because the hardware could contain a clock chip with its own power supply, and the software could change its behavior based on the date.

    Having a paper trail on a mostly electronic machine doesn't necessarily do that much, because unsophisticated voters are known to not pay attention to things like that. (Personally, I feel that if you don't care enough about your vote to make sure it tallied the way you wanted it to tally, you shouldn't be voting - but that's just me.) Since there are districts where the vast majority of voters are unsophisticated voters, it could be possible to put machines running slightly different software there - or even to have a GPS unit in the machines, so the software can know what precinct they're in, so they know whether to work correctly or not.

    I really like the idea of having the electronic portion of the system simply be a witness to the voting, but it cannot be done via camera. First, the person's hand could block the way, and second, if we're supposed to be anonymous, we can't have a record which might include a person's face or other distinguishing characteristic (for example, a unique ring or hand tattoo). If you have the ballot slid into a device with sensors around each of the holes, to detect which circle the voter punched, you can monitor the vote completely without having any compromise of the desired anonymity.

    As far as the *need* for electronic voting machines... I concur, we don't need them. There are many ways in which the e-voting machines are neat, but the dangers they pose are too great. I especially feel this is true, because most of the attention has been placed on three states: Florida, Ohio, and California. California is in there only because they said no in a big way. What other states are using these machines, and who's to say that their votes weren't also compromised?

  27. Fraggle
    Boffin

    E-voting trade secrets?!!!

    "Does anyone else suspect that the real reason the software is closed-source is not to protect trade secrets..."

    How *could* it be to protect trade secrets? What exactly is so secret about a program to count key/screenpresses? Someone somewhere needs to issue a challenge to the public to build a secure open-source e-voting machine.

    The only non-trivial part of this is the secure storage/retrieval of the data, which is stupid to leave in proprietary hands anyway. The trivial parts (the counting and the screen interface) could be done by just about any code monkey, and be done better than it currently is.

  28. we are all ignorant

    Never been CAUGHT

    Just because we never heard about an 'attack' doesn't mean it hasn't actually happened...first this 7 year old video....

    http://www.youtube.com/watch?v=DzBI33kOiKc

    and this 4 year old article.....

    http://www.theinquirer.net/gb/inquirer/news/2003/07/09/us-election-fraud-scandal-looms

    I love the people who say "I didn't see anything....It never happened!" lol

  29. Larry Adams
    Coat

    @ Steve Welsh

    Seems to me that the motto "Vote Early, Vote Often" was used for Chicago under the first Mayor Daly.

This topic is closed for new posts.