Hackers show up flaws in e-voting

[padraig]

DUTCH hackers who last week breached the security of electronic-voting machines say they can detect which way a person has voted from 25 metres away.Using a receiver the hackers say they can pick up “accidental” radio transmissions from the machines that provide a unique fingerprint for each candidate.

Matthijs Schippers, from Nedap, the Dutch manufacturer of the machines, has confirmed that emissions from the machines can be picked up but wasn’t convinced they could tell which way a person voted. Timesonline

 

[Johnny]

DUTCH hackers who last week breached the security of electronic-voting machines say they can detect which way a person has voted from 25 metres away.Using a receiver the hackers say they can pick up “accidental” radio transmissions from the machines that provide a unique fingerprint for each candidate.

Matthijs Schippers, from Nedap, the Dutch manufacturer of the machines, has confirmed that emissions from the machines can be picked up but wasn’t convinced they could tell which way a person voted. Timesonline

Our noble Minister for the Environment has rubbished this, however, and claims all is well with these machines. :roll:

 

[ryano]

This is already being discussed here.

 

[rockofcashel]

The Irish government ...

spends 60 million plus on machines no-one asked for, then showed people how to break into them.

Incompetence on a monumental scale.

 

[padraig]

from the same report:

It has now emerged that the contract for the purchase of the bulk of the voting machines was signed just 24 hours after Fianna Fail rushed through a vote in favour of the scheme at a joint Oireachtas committee.

 

[FutureTaoiseach]

Have read it. I think the fears here are exaggerated. First of all, there is no suggestion that you can change the outcome in a machine without being able to physically open it up. Part of the problem from the news seems to be that all machines use an identical key. The solution is to ensure a unique key for each machine, or even a safe-style lock. I am more concerned with the risk of counting-errors. I am pretty sure this will eventually be adequately addressed, paving the way for us to introduce GE's with E-voting. However, I think for the moment this issue has gotten too much bad press in this country and should be wound up until a more fool-proof system can be developed. We trust electronics with most aspects of our lives already e.g. online-banking, online-shopping, chip-and-pin devices in retail-outlets. It seems a logical progression then in a 21st century context that the next step be e-voting.

The Irish government ...

spends 60 million plus on machines no-one asked for, then showed people how to break into them.

Incompetence on a monumental scale.

Monumental is OTT when you consider the annual budget of €50 billion. :roll:

 

[ryano]

We trust electronics with most aspects of our lives already e.g. online-banking, online-shopping, chip-and-pin devices in retail-outlets. It seems a logical progression then in a 21st century context that the next step be e-voting.

I can't let that red herring pass without comment: in all of the examples of "trusting electronics" you provide, the user has the opportunity to verify that the computer's record of the transaction matches his or her own. This is not available in e-voting, unless a voter-verifiable audit trail (VVAT) is provided.

 

[lostexpectation]

but look at crappiness(tm) of the machines, shows you the quality of the companies, and there lack of thought on every aspect.

 

[FutureTaoiseach]

We trust electronics with most aspects of our lives already e.g. online-banking, online-shopping, chip-and-pin devices in retail-outlets. It seems a logical progression then in a 21st century context that the next step be e-voting.

I can't let that red herring pass without comment: in all of the examples of "trusting electronics" you provide, the user has the opportunity to verify that the computer's record of the transaction matches his or her own. This is not available in e-voting, unless a voter-verifiable audit trail (VVAT) is provided.

Well then VVAT should also be incorporated in a new system but in principle E-voting is a logical progression into the 21st century.

 

[ryano]

Well then VVAT should also be incorporated in a new system but in principle E-voting is a logical progression into the 21st century.

Glad you agree with the need for VVAT. Now, any chance you could convince the Minister?

 

[SPN]

Have read it. I think the fears here are exaggerated.

They aren't exaggerated. Ask anyone in the IT Business. Ask the Irish Computer Society. Ask the Association for Computing Machinery.

First of all, there is no suggestion that you can change the outcome in a machine without being able to physically open it up.

The issue is that you can change a machine without the change being detected.

Part of the problem from the news seems to be that all machines use an identical key. The solution is to ensure a unique key for each machine, or even a safe-style lock.

The issue is that the Vendor has such a lax approach to security. If they were that stupid in relation to the physical lock, what other short cuts did they take?

I am more concerned with the risk of counting-errors.

So is the CEV.

I am pretty sure this will eventually be adequately addressed, paving the way for us to introduce GE's with E-voting.

Wouldn't it have been much smarter to address these problems BEFORE we bought the machines. We knew what the problems were, but we ploughed ahead with placing the purchase order anyway.

Why? (other than the €27 million difference in price between the Dutch price and the Irish price which was trousered by somebody)

However, I think for the moment this issue has gotten too much bad press in this country and should be wound up until a more fool-proof system can be developed.

We have a more fool-proof system. We've been using it for decades. The CEV did an analysis and on every important measure paper came out as being more appropriate to the task at hand than a computer.

We trust electronics with most aspects of our lives already e.g. online-banking, online-shopping, chip-and-pin devices in retail-outlets.

What Ryano said.

It seems a logical progression then in a 21st century context that the next step be e-voting.

No it doesn't.

[quote:2wvxai68]The Irish government ...
spends 60 million plus on machines no-one asked for, then showed people how to break into them.

Incompetence on a monumental scale.

Monumental is OTT when you consider the annual budget of €50 billion. :roll:[/quote:2wvxai68]
Monumental is placing the order AFTER you have been told it doesn't work by IT experts.

Monumental is changing the contract so that you still have to pay for the machines even if they don't work ( at a time when you KNOW they don't work).

Monumental is not getting legal advice on the content of the new contract before you sign it.

Monumental is paying €4,500 per machine instead of the list price of €833.

Monumental is when you change the Electoral Law to fit the vagaries of the system, instead of changing the system to meet our Electoral Law.

Monumental is when you realise how many extra Teachers, Doctors, Nurses and Gardai (not to mention Local Authority Planners!) could have been hired with this wasted money.

 

[jmcc]

Have read it. I think the fears here are exaggerated.

And you base this on your expertise in systems insecurity? Forgive me if I don't agree with you.

First of all, there is no suggestion that you can change the outcome in a machine without being able to physically open it up.

Not yet. But I don't think that anyone has examined that possibility yet. It may well be possible to interfere with the counting process remotely.

These machines are not fit for the purpose. The Irish government should get its money back.

Regards...jmcc

 

[EvotingMachine0197]

Have read it. I think the fears here are exaggerated. First of all, there is no suggestion that you can change the outcome in a machine without being able to physically open it up. Part of the problem from the news seems to be that all machines use an identical key. The solution is to ensure a unique key for each machine, or even a safe-style lock. I am more concerned with the risk of counting-errors. I am pretty sure this will eventually be adequately addressed, paving the way for us to introduce GE's with E-voting. However, I think for the moment this issue has gotten too much bad press in this country and should be wound up until a more fool-proof system can be developed. We trust electronics with most aspects of our lives already e.g. online-banking, online-shopping, chip-and-pin devices in retail-outlets. It seems a logical progression then in a 21st century context that the next step be e-voting.

There are overtures and undertones of Dick Roache coming through here. The fact is that the system has no security designed in to any of its hardware or software components, which makes it unusably flawed.(and thats apart from the absence of VVAT) I voted on one of these things in 2002, and have regretted it ever since. Never again.

Monumental is OTT when you consider the annual budget of €50 billion. :roll:

Why do you guys compare everything to the 50 Billion..to make it look insignificant is my guess. 60 Million is monumental when compared with the price of a heart and lung machine for a childrens hospital. Give me a break FT.

 

[Q-Tours]

More reasons, if any were needed, to remain the laughing stock of Europe with our stupid old pencils:

Salon: Diebold voting machines can be hacked by remote control

The new findings of the Vulnerability Assessment Team echo long-ignored concerns about e-voting vulnerabilities issued by other computer scientists and security experts, the U.S. Computer Emergency Readiness Team (an arm of the Department of Homeland Security), and even a long-ignored presentation by a CIA official given to the U.S. Election Assistance Commission.

 

[Thac0man]

Surely e-voting is dead? Those who wanted to make money off it made machines which failed the test of trust. People want to see ballot papers. And even if that process is clumsey and verbose, it is still preferable to flawed evoting machines. The very fact traditional voting is verbose and clumsey makes serious gerrymandering harder to do, and attempts at it easier to detect.

We simply cannot put our faith in a system that runs through a meduim which is vulnerable to new types and avenues of attack. Our democracy is simply to precsious to put at the mercy of suspician and paranoia. Any suprise result where evoting is involved could immediatly be subject dispute and claims of hacking fraud. The process is immediatly tainted.

This latest claim has to finally put a nail in evoting as an issue. Governments can cut corners on costs, but not at the expense of trust in the democratic process.

 

[shiel]

The e-voting saga does more serious damage to the reputation of the previous government than just wasting money on dodgy machines.

The fact that it could not be verified that the votes counted were the votes cast was an obvious flaw from the word go.

The people who were taunting anyone who raised questions refused to countenance remedying that flaw by providing a facility for voter verified paper backup which could be used to independently check the result in the event of a complaint.

Not alone that but they refused to include verification in the terms of reference of the investigation committee that they were forced to set up.

The motto was arrogance will get you everywhere and integrity is for losers.

It is alleged by statisticians that George Bush would not have been elected a second time but for e-voting machines being tampered with in Ohio.

This allegation was made when exit polls were compared to actual results for areas in which non-verifiable e-voting machines were used and the results compared with areas in which the conventional voting methodology was used.

The e-voting saga had a much more serious lesson for how we conduct our elections than is realised.