Aug. 3, 2007

Even More Trouble For E-Voting Firms: Source Code Review Finds All Sorts Of Scary Vulnerabilities

from the doesn't-look-good dept

This has not been a good week for e-voting companies. First came the report out of California that independent security experts had found security problems on every machine they tested, followed quickly by security experts finding problems with other machines in Florida. This should come as no surprise. It seems that every time a security expert gets a chance to check out these machines, they find problems. What was odd, though, about Monday's announcement out of California was that the state had only released some of the reports. It left out the source code review. However, late Thursday, the source code reports were finally released and things don't look much better. Apparently all of the e-voting machines are vulnerable to malicious attacks that could "affect election outcomes." The report also points out: "An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine. The damage could be extensive -- malicious code could spread to every voting machine in polling places and to county election servers." This, of course, is what others have been saying for years, and which Diebold always brushes off. Ed Felten has gone through the reports and is amazed to find that all of the e-voting machines seem to have very similar security problems -- and that many problems that Diebold had insisted it fixed in 2003 were still present. Remember how Diebold had used the master password "1111" in their machines? Now their machines use hard-coded passwords like "diebold" and (I kid you not) "12345678." At some point, isn't it time for Diebold (and the other e-voting machine makers) to stand up and admit that their machines aren't secure and, in fact, were never secure? At the very least, the company owes the world a huge apology -- but somehow, given its past behavior whenever its machines are shown to be insecure, that seems unlikely to happen.

One of several comments:

Voting Machines by J.M. Skillman on Aug 3rd, 2007 @ 9:03pm

Can someone please explain to me why a machine is needed to record and/or count ballots? It seems a perfect example of using technology where it is not needed. Coloured paper, cardboard boxes and pencils marking an X next to a name or Yes/No question. That's how it works in Canada and we always have the results the same night. Results are phoned into a central spot and everything is finalized officially within a couple of days.
Every party has scrutineers at every polling station who supervise the counting and everywhere, two or more people are watching each other to make sure there's no funny business. Every position or proposition uses a different colour of paper, which go into different boxes that are supervised by two little old ladies or students who are picking up a couple of extra bucks for working that day and a couple of evenings previously for 'training'. How can any machine beat that idiot-proof, low-tech, inexpensive, extremely simple system?
While personally I think the overall system of party-based democracy has lots of problems, the one thing I don't doubt is that the vote totals reported are legitimate and represent the intention of those who have chosen to vote. If I had to trust a machine, I would be extremely leery of trusting the results...
