Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
United States Government Politics

U.S. Voting Software Hashes Made Public 16

fibonacci2000 writes "From the NIST website: 'This effort is a first step in being able to trace software from the vendor through the accreditation process to the states and other purchasers of voting systems. Now election authorities have a reference database to compare with the digital signatures of software provided to them by vendors.'"
This discussion has been archived. No new comments can be posted.

U.S. Voting Software Hashes Made Public

Comments Filter:
  • by commodoresloat ( 172735 ) on Tuesday October 26, 2004 @07:04PM (#10637038)
    And I, for one, welcome our new democratically elected overlords!
  • As a general computer geek, I don't trust anything that dosen't have a paper trail. You can kill a computer hardrive and do funky things to code in such a mallicous fashion as to say or do anything you want. If there isn't a carbon trail, it isn't secure.
    • "As a general computer geek, I don't trust anything that dosen't have a paper trail. You can kill a computer hardrive and do funky things to code in such a mallicous fashion as to say or do anything you want. If there isn't a carbon trail, it isn't secure."

      Yeah if it was done with a paper trail people couldn't forge votes receipts or vote for dead people or....oh wait.

      • Except that with paper ballots there is a paper trail. With that you can find out that voter's dead, or the reg is fictitious.

        However, with Diebold you can simply go in and manipulate totals directly. No physical evidence. Much easier to steal an election, in a currently uncontested way. Of course, the aftermath of this election will probably involve a couple orders of magnitude more attorneys and jurisdictions than in 2000, so it remains to be seen whether an election stolen by computer will go unchal
  • by Stochio ( 801005 ) on Tuesday October 26, 2004 @07:15PM (#10637136)
    If you look through the file [nist.gov] it has references to java files, pascal files, C++ files, and perl files. I don't get it. I understand that in this document just the hashes are listed to source code - but does this also imply that the source code is being distributed?
    On an additional note, I see references to jpg, gif,and bmp files. I must be interpreting this files incorrectly. Why else would source code of 4+ high-level languages and 3+ image formats be in the same project?
  • Look people before everyone gets pissed off at me for writing some of the software for these machines let me just tell you I didn't really intend it to be like this. It was originally just some DMV model I wrote in CompSci 212. How it got into the voting system I'm required by NDA to not disclose, but let me just say it was worth the full ride into grad school.
  • by Richard M. Nixon ( 697603 ) on Tuesday October 26, 2004 @07:47PM (#10637393) Homepage Journal
    Now election authorities have a reference database to compare with the digital signatures of software provided to them by vendors. However, only digital signatures of the same versions of software voluntarily provided by voting software vendors are available on the web site. Election authorities having other versions, or versions which have been altered for authorized reasons, will be unable to use this web site for a digital signature comparison.

    I'm not sure but I think what this means is that their software can be used to verify that the software that the vendor has sold them is indeed the software that is installed on the machine.

    For example, that DIEBOLD AccuVote-OS CC 2.0.12 AE is installed on a machine.

    If this is true, then it only confirms that you have the software you think you have on the system. It does not mean that said software will tally an accurate vote. (Having competent software is a different question entirely of what software you have installed on a system.)

    Also....

    This data may only be used with software that has not yet been installed on a voting machine. With limited exception, once software is installed on a voting machine, it is incapable of generating a digital signature.

    I'm not sure I understand why it couldn't be verified afterwards.

    Can someone explain this?

    At the very least couldn't you wipe the voting machines harddrive and do a re-install?
  • by schmaltz ( 70977 ) on Tuesday October 26, 2004 @08:33PM (#10637681)
    If I compute the hash an already vulnerable voting machine program, or its server component, what does it matter? It was ready to tamper with when it left Diebold, and with the same hash it'll still be vulnerable.

    This is a red herring. The voting software's already open to tampering, so a hash is meaningless.
  • by j0nb0y ( 107699 ) <`jonboy300' `at' `yahoo.com'> on Tuesday October 26, 2004 @08:34PM (#10637691) Homepage
    wtf? You would think that security would be a foremost concern for a voting machine, but diebold has shown from the beginning that security is an afterthought for them. Cryptographic hashes of the software should have been available *from the very beginning*. Even *Microsoft* signs their code nowadays. But for Diebold, the cryptographic hashes, that are standard in most of the software industry, are an afterthought. Here's the hashes a week before the election! See, aren't we secure? What a joke...

    Diebold's executives should go to jail for pulling this scam on the government. Those in the government who went along for the ride should be severely punished.

    We have enough vote fraud in this country *without* Diebold. The last thing we need are unverifiable voting machines.
    • The last thing we need are unverifiable voting machines.

      Supposedly these Diebold machines print out paper ballots on the fly. If so, my biggest remaining issue is: does the voter get to see said paper ballot before it's shuttled away to the inside of the machine for storage?
    • Turns out that the paper trail is not printed out on the fly. The only thing captured on the fly is an "image" of the voter's ballot. What other kind of data is stored I do not know.

      From the Diebold web site:

      When a voter casts their ballot using the Diebold touch screen system, the ballot selections are immediately encrypted and stored in multiple locations within the voting station. When stored, the order of cast ballots is scrambled to further insure ballot anonymity. The image of each and every bal

  • by timothy ( 36799 ) on Tuesday October 26, 2004 @10:52PM (#10638599) Journal
    This does one necessary thing, which is provide a way to prove (near enough) that the software being used is the software that the voting software company provided, that no one hijacked the delivery truck carrying the voting machine and swapped in one favorable to candidate X. (Or W, or K.)

    What it specifically does *not* do is do anything to prove the actual security, accuracy of the included software when running as intended, or that it can't be used *other* than as intended, in a 99-extra-lives "cheat mode." While incrementing by one a pretty small number of piles several thousand times doesn't sound like a computationally tough job, Bev Harris [blackboxvoting.com] and others have shown the numerous and substantial flaws that current systems have; I'm aware of only one state (Nevada) that will be requiring a paper trail for its electronic voting machines in case of a dispute over the electronic returns.

    Hashes? Great! Put them on the outside of the envelope containing every scrap of the sourcecode in machine-readable form, along with documentation that you have completed the publically available test suite, please, and take a seat in the lobby. The taxpayers will get around to you in your turn.*

    timothy

    *Oh, if it were that simple ;)

  • The software hashes YOU!!!

A person with one watch knows what time it is; a person with two watches is never sure. Proverb

Working...