Doug Reilly's Weblog

Embedded Reporting of the Information Age...

Monkey Hacks Diebold Voting Machine...

This really is technology related, even though it is also about the election and politics.  Fox News reports on a video showing a monkey hacking a Diebold vote tabulating machine.

OK, so the monkey has to actually get to the vote tabulating machine, but inside the article has somewhat more disturbing news about the GEMS program that handles the tabulation of votes:

GEMS requires users to enter a password to access the vote totals, but Harris showed that the totals can also be opened -- and altered -- with Access, without ever running GEMS.

If you are familiar with Access and how it is used and misused, then you know that the developer of this system did not even use the incredibly hackable Access security on this application.  While there are password crackers aplenty for Access user security (a Google search for "Jet Security Crack" shows about 83,000 results), Diebold did not even use that!  They rely on the application security only, ignoring even the most basic of security offered by the database system they are using. 

A Maryland Election official is also quoted:

But Maryland election officials agreed with Bear that no hacking can happen unless the hacker is physically at the computer.

This sort of thinking makes my head explode!  Of course you need to have access to the machine.  And no one in the Board of Elections has any possible interest in the outcome of an election, right?  And all Board of Election workers are aware of the need to watch these machines, right?  Yea, right.  Anyone besides me want to pick up a copy of the .NET Developer's Guide to Security by Keith Brown and mail it to the software development group at Diebold?  I am reading it now, and there is an execellent section on Defense in Depth, as well as Countermeasures that would hopefully bring the developers to their senses.  Is there any Diebold software developer out there that can defend deploying an election database without at least using all the security tools provided by the database system?  How about defending use of Access rather than MSDE or some other more secure database?  

I have long opposed licensing for Software Developers, however, I think that situations like this, where the scary bad programmers we often have living in the next cubicle are actually the ones controlling the election, perhaps the time has come, at least for elections, clinical applications and other government threatening or life threatening systems.

 

Posted: Sep 25 2004, 11:56 AM by douglas.reilly | with 8 comment(s)
Filed under:

Comments

Monkey lover said:

Person(s) with physical access to machine able to manipulate it, news at 11... And this is different from every other machine on the planet how? If we don’t get why this is an inevitable headline how is the general public ever going to grasp it. They don’t lock up those ATMs just because there is money inside.

I'm not trying to defend Diebold here, but what is the point in your suggestion of using the known bad security integrated into Access? That's just security through obscurity which is one step up from pointless, if they had I'm guessing you'd be deriding them for that. And pray tell, how is MSDE/SQL more secure then Access on a machine you have physical access to?

There are a lot of potential solutions to the voting problem floating around out there, but none that I have seen are as simple as "duh, use MSDE."
# September 25, 2004 2:59 PM

Scott Allen said:

I've seen Diebold billboards in Maryland now. It makes me nervous that they have to put a marketing push behind the machines...
# September 25, 2004 3:14 PM

Douglas Reilly said:

Monkey Lover,

My point is not that physical security is not important. Of course it is. But it should be only one element of security. Yes, of course I would not feel a great deal more comfortable if they used Access/Jet security, but at least they would have used what the platform provided. In this case, they used nothing, and so did not even discourage the curious.

Just as important, the system allows folks with no authentication to modify results, and leave no trace that they have modified results.

The point is that there are many components that make a secure system, and clearly Diebold cannot cause Boards of Elections to use common sense as to physical access to machines. That said, they can make it a great deal more difficult to actually change results if someone with bad intent does get physical access to the machine. This is just common sense. I do healthcare applications all the time, and I would never rely JUST on physical security of the box.
# September 25, 2004 3:21 PM

matthew said:

actually it was a chimp. And chimps are quite a bit more intelligent than monkeys.
# September 25, 2004 4:53 PM

Douglas Reilly said:

OK. I feel lots better now<g>.
# September 25, 2004 4:54 PM

Eric Newton said:

actually i tend not to rely so much on physical security (you can SEE somebody sitting on a box), but I tend to guard the network access a lot more closely.

Obviously that access database was probably shared on a "everyone r/w" share, and so forth.

I'm just astonished that companies like DIEBOLD that supposedly are "security experts" (they do make a lot of ATMs right?) could even think about putting out such a poorly secured application.

But then, they probably contracted it out, and the actual job ended up coming from india or something, where they care more about mindless completion of coding instead of fully understanding the situation.

Thats the difference between quality Software Engineers (which incidentally I'd like to see some kind of licensing too) and weekend hackers that download C# express and suddenly they're experts on web application developement.
# September 28, 2004 2:11 PM

Eric Newton said:

actually i tend not to rely so much on physical security (you can SEE somebody sitting on a box), but I tend to guard the network access a lot more closely.

Obviously that access database was probably shared on a "everyone r/w" share, and so forth.

I'm just astonished that companies like DIEBOLD that supposedly are "security experts" (they do make a lot of ATMs right?) could even think about putting out such a poorly secured application.

But then, they probably contracted it out, and the actual job ended up coming from india or something, where they care more about mindless completion of coding instead of fully understanding the situation.

Thats the difference between quality Software Engineers (which incidentally I'd like to see some kind of licensing too) and weekend hackers that download C# express and suddenly they're experts on web application developement.
# September 28, 2004 2:16 PM

TrackBack said:

/. Discussion of Electronic Voting
# November 1, 2004 9:38 AM
Leave a Comment

(required) 

(required) 

(optional)

(required)