Sunday, February 26, 2006

Watch Votergate



LA Times: Integrity of E-Balloting System Still in Doubt
...[T]here's no excuse for exposing the integrity of our election system to computer hackers. Yet that's what California Secretary of State Bruce McPherson may have done last week by approving electronic voting machines from Diebold Election Systems for use in California elections through the end of this year. (...)

As the last two presidential elections demonstrate, ballot results are of profound interest to everybody — including determined hackers with partisan agendas. Therefore, it's proper to demand of the high-tech machines replacing the paper ballots and punch cards of yore that they be technologically bulletproof. The Diebold systems certified by McPherson — an optical scanner that reads hand-marked ballots and a touch screen that totes up votes directly — fall well short of that standard.

How do we know this? It's the conclusion of a panel of computer security experts McPherson commissioned specifically to study Diebold's software. Three days after they issued their report Feb. 14, McPherson gave Diebold thumbs up, noting that the panel regarded the software problems it found as "manageable" and had said the risks could be "mitigated" if election officials took care.

But the experts were plainly troubled by flaws in Diebold's systems. The panel, which included David Jefferson of Lawrence Livermore National Laboratory and David Wagner of Berkeley, observed that the removable memory cards used by Diebold were vulnerable to undetectable acts of tampering.

The panel found 16 software bugs that could cede "complete control" of the system to hackers who might then "change vote totals, modify reports, change the names of candidates, change the races being voted on," and even crash the machines, bringing an election to a halt. Hackers wouldn't need to know passwords or cryptographic keys, or have access to any other part of the system, to do their dirty work. Voters, candidates and election monitors wouldn't necessarily know they'd been rooked.

The bugs lead some computer professionals to believe that Diebold's software designers never treated security as a high priority. "It's like they were making a mechanical device, and never heard of computer security," says David Dill, an expert in electronic voting at Stanford University who wasn't on the panel.

The bugs pale next to another discovery by the panel. This is the presence of a cryptographic key written into the source code, or basic software, of every Diebold touch-screen machine in the country. The researchers called this blunder tantamount to "a bank using the same PIN code for every ATM card they issued; if this PIN code ever became known, the exposure could be tremendous."

Here's the punch line: The Diebold key became known in 2003, when it was published by researchers at Johns Hopkins and Rice universities. It can be found today via a Google search. What's worse, the key was first identified in 1997 by a University of Iowa researcher, who promptly warned the manufacturer of the flaw, apparently to no avail.

Diebold contended in 2003 that the Hopkins-Rice researchers had examined "an older version" of its code, suggesting that the flaw had been removed. But that doesn't explain why the same defect was found this year by the Berkeley panel, which wrote that it was hard-pressed "to imagine any justification" for continuing to use a cryptographic key that had been publicly compromised
...(more)

(related posts)
AP: Group Claims 2004 Election Was Flawed
PA News Takes a Look At Voting Machines
Wash Post: Election Hackers ♥ Diebold
More Evidence of a Stolen Election
Evidence of Ohio 2004 Vote Miscount
Again, Al Gore Won in 2000
Ohio Rep. Bob Ney, Abramoff, and Election Fraud
Counting on Diebold
NYT: The Business of Voting
Fla Ch2 News Video: Voting Machines Hacked?
Powerful Government Accountability Office report confirms key 2004 stolen election findings
Did you know? 20 Amazing Facts About Voting in the USA

|

Links to this post:

Create a Link

<< Home