Please excuse the length of this one, but I think it’s a good one…
One of the news lists that I am subscribed to by a friend (i.e. he mails me all the good stuff from it) is the one at http://www.fipr.org/ which discusses privacy issues of pretty much all types (although with a technology focus).
I’m primarily interested in this list because of Claire’s work on location aware technology (which people can describe as a bit "big brother"), but occasionally it turns up gems on other subjects, like the one below.
Prof. David Dill is a leader in challenging the new voting machines that are being proposed. Not that he’s against the idea in principle, just that he feels (and so do I) that these things aren’t inherently secure, and that a mixture of big business and Government will sweep the security issues under the carpet to ensure a timely launch… Anyone with any experience of major IT projects will know what that’s like.
Anyway, this is from Prof. David Dill’s “verifiable voting” newsletter, which you can read and subscribe to at: http://www.verifiedvoting.org/article_text.asp?articleid=65
From: David L. Dill
Sent: 24 July 2003 07:22
Since I entered the fray in January, I’ve been constantly challenged to
“prove that DREs can be hacked.” My answer was usually something like
“It is very hard to find out enough details about these systems to
determine what security flaws they have. However, we know it is
practically impossible to stop tampering by insiders.
Furthermore, any system that has not been designed and thoroughly
scrutinized by top-flight computer security professionals is
guaranteed to have major security holes.”
I believe this to be obvious to anyone with a casual acquaintance with
computer security (such as me).
Now I can “prove that the machines can be hacked” by citing the
following paper which just appeared on the web. Computer security
researchers at Johns Hopkins and Rice Universities have inspected the
Diebold code that appeared on a web site in New Zealand a few weeks ago.
The report appears at: http://avirubin.com/vote.pdf
My understanding is that this analysis took about a week. Very serious
security blunders were discovered in a matter of hours. While I still
believe that insider attacks are still the hardest to stop and
potentially the most damaging, it is now clear that there are serious
security holes that can be exploited by election workers and even
voters. Unlike insider tampering, most of these problems could have
been easily avoided had competent computer security people been involved
in the system design and implementation.
For example, it appears that it is easy to make counterfeit “voter
cards,” which can be used to vote as often as you like. One can easily
make a fake “administrator” card. Hackers could rearrange the candidate
order on the ballot so that votes are credited to the wrong candidates.
We’ve been told by voting machine vendors, regulators, and election
officials that “hacking” DREs is almost impossible because the machines
are designed carefully, use cryptography, and have proprietary software;
that there are stringent Federal regulations; that Independent Testing
Authorities (ITAs) scrutinize every line of code; that states have
exhaustive certification processes; and localities do extensive Logic
and Accuracy Tests.
It’s just not true. That was obvious before the report, but now it
should be undeniable.
There is no reason to believe that Diebold’s system is less secure than
other vendors. Their code just happened to be available. All the other
vendors are implementing the same inadequate
security requirements and satisfying the same inadequate reviews.
There is also no reason to assume that the worst problems have been
found. The authors felt that it was important to get the information
out quickly. Additional weeks or months of review might reveal even
I hope this settles the debate on DRE security. They’re not secure.
There needs to be an independent audit trail.