posted 07-29-2003 11:45 PM            

Voting machine fails inspection

By Robert Lemos
Staff Writer, CNET News.com
July 24, 2003, 5:25 PM PT
http://news.com.com/2100-1009_3-5054088.html?tag=prntfr

University researchers delivered a serious blow to the current crop of electronic voting systems in an analysis of one such system's source code in which they concluded that a voter could cast unlimited ballots without detection.

Using an earlier version of the source code that powers machines manufactured by Diebold Election Systems, the security experts--three from Johns Hopkins University and a colleague from Rice University--performed an audit and found NUMEROUS SECURITY HOLES.

"Our analysis shows that this voting system is far below even the most MINIMAL security standards applicable in other contexts," said the researchers in a paper published Wednesday on the Internet, concluding that "as a society, we must carefully consider the risks inherent in electronic voting, as it places our very democracy AT RISK."

The criticisms echo a fundamental issue that many security researchers have raised with most current systems: There is no way to verify that a vote was correctly recorded and no permanent record is kept.

The issues also come as direct recording electronic (DRE) voting systems are taking off. In the 2002 election, 19.6 percent of the electorate could have cast an electronic vote, up from 7.9 percent in 1996, according to Election Data Services.

Diebold, the parent company of the election systems maker, assailed the researchers for using code that was out of date and never actually used in an election. Moreover, the company took issue with the report's focus on only the software and not the other security measures that the company uses.

"While respecting the report, we reserve judgment on the researcher's fundamental conclusions," the company said in a statement. "Our election systems products and services undergo a series of certification processes, which are conducted by federal, state and local officials, including logic and accuracy testing, and represent a sequence of security layers."

The researchers were only able to see the source code to Diebold's system because the company accidentally left the file on an Internet server in January. Manufacturers typically require that security experts sign a nondisclosure agreement before auditing the code.

Several issues became evident when the code was audited, said Avi Rubin, an associate professor of computer science at Johns Hopkins University and one of the authors of the paper.

For one, the manufacturer chose Windows CE as the operating system--a bad choice from a security standard, Rubin said. "Windows has a long history of new releases of patch just about every week," he said. "You can't run voting machines on Windows."

Moreover, the smart cards used by the system to limit a voter to a single vote could be duplicated. By bringing a stack of valid cards to the voting booth, a person could cast several votes.

Rubin warned that other systems are likely to have similar problems and of a similar magnitude.

Yet, not everyone is worried.

David Heller, the project manager for Maryland's voting system implementation, adopted a wait-and-see attitude. The state announced Monday that it had signed a $55.6 million deal with Diebold for the company to provide Maryland's voting systems.

"We are going to analyze the report and make intelligent decisions," he said. "We have been using the systems now for a year and a half. We've had great success in dealing with them."

Heller explained that the aspects of the system not analyzed by the researchers do make a difference. On election day for example, human election workers would count the number of votes cast at each terminal and retain receipts that would tie people to a specific machine (but not to their actual vote). If the voting machine's tally doesn't match the operator's count, then the votes on that machine would be thrown out and those voters allowed to recast their ballots.

"If there is a failure or a compromise of one unit, we know who voted on that unit," Heller said. "We don't know how they voted, but we know who voted."

Still, the researchers argued that the software needs to be secure to prevent abuse of the election process.

Tadayoshi Kohno, a researcher at Information Security Institute at Johns Hopkins University and an author of the paper, said the secrecy that surrounds the creation and certification of electronic voting machines almost ensures that the systems will not be programmed securely.

posted 07-30-2003 09:11 PM            

Machines at risk for fraud, hacking

http://www.denverpost.com/Stories/0,1413,36%7E53%7E1540873,00.html

Article Published: Wednesday, July 30, 2003 - 12:00:00

By Susan Greene, Denver Post Staff Writer
Dangling chads, nothing.

Florida's voting snafus during the 2000 presidential election pale in comparison to the vulnerabilities of high-tech voting machines counties throughout the nation are scrambling to buy in compliance with a new federal law, several top computer scientists are warning.

"What we know is that the machines can't be trusted. It's an unlocked bank vault ..., a disaster waiting to happen," said David Dill, a Stanford University computer science professor who has prompted more than 110 fellow scientists to sign a petition calling for more accountability in voting technology.

The researchers fear that problems with software systems will result in hacking and voter fraud, allowing people to cast extra votes and poll workers to alter ballots undetected.

Others dismiss such warnings as paranoid conspiracy theories.
Christophers Dodge World

"It's fear-mongering by a few people who want to go back to the 19th century-way of voting," Adams County Clerk and Recorder Carol Snyder said.

Techies and election bureaucrats are facing off in Denver this week at the annual meeting of the International Association of Clerks, Recorders, Election Officials and Treasurers, where voting security is a popular topic of discussion.

The scientists have convened a separate, side conference in hopes of convincing those who control the purse strings in local governments to hold off buying billions of dollars in computerized voting equipment until the federal government sets clear and tough standards to ensure their security.

In Colorado, Secretary of State Donetta Davidson's office is heeding their advice by asking Washington for a two-year extension to the 2004 deadline set out in the federal Help America Vote Act (HAVA).

"There's a sense of urgency about complying with the federal mandate. But we're urging counties not to rush into buying expensive equipment before it's proven in the interest of voter integrity," said spokeswoman Lisa Doran.

In response to Florida's 2000 voting debacle, Congress in 2002 passed the voting act to replace archaic punch-card election systems and generally improve voter accessibility nationwide.

Five Colorado counties - Boulder, Jefferson, Mesa, Montrose and Pitkin - are replacing punch-card systems such as those in Florida that made hanging and dangling chads (not fully punched holes in paper ballots) the subject of national headlines.

Statewide, all 64 counties are required to install at least one electronic voting machine in every precinct by 2004. That's at least 3,000 machines that must be purchased within the next several months, unless the feds grant Davidson's request for an extension.

"There's such a rush ... to buy this stuff, but people don't have their acts together," said Dill, who calls HAVA a "collection of back-room deals" that doesn't address real security issues. He derides the law for not requiring paper receipts that ensure voters their ballots are counted exactly as they're cast.

"Why are we putting our democracy on computers that aren't ready to go?" added Rebecca Mercuri, a computer science professor at Bryn Mawr College and an expert on electronic voting.

Meantime, the federal money promised the Centennial State for such expenses has dwindled from $52 million to $35 million. Of that, Davidson's office has received only $7.2 million. The feds also have taken much longer than expected setting technical standards to guide states and counties in purchasing machines that cost thousands of dollars a pop.

"The funds aren't there. The standards aren't there," Doran said. "We've advised counties not to buy machinery that there's no standards for."

Though controversy over those standards has been brewing for years, it heated up last week with news that the software that runs many computerized voting machines has serious flaws that would allow voters to cast extra votes and poll workers to tamper with ballots undetected.

A team at Johns Hopkins University's Information Security Institute examined software from the Ohio-based Diebold Election Systems, which has about 33,000 voting machines in use throughout the nation. The software could be manipulated and the outcome changed by anyone with $100 worth of computer equipment, researchers said.

According to Diebold executives, most Colorado counties use that company's optical-scan units, which help tally paper ballots. Those units are not the subject of controversy. Instead, one of the company's other machines, the AcuVoteTS touch-screen machine, is at issue in the Hopkins study. Diebold executives say there are about 120 AcuVoteTS units in Colorado - including more than 100 in El Paso County, 10 in Weld County and six in Broomfield.

Diebold Election Systems President Tom Swidarski defended his technology Tuesday as the safest, "most advanced out there." He dismissed the Hopkins study as a "homework assignment" by a bunch of graduate students aimed as a "misguided," personal attack" on his company.

Swidarski called computer science election watchdogs such as those gathered in Denver this week "fringe organizations" "without much real practical knowledge of the election process."

Others agree that scientists warnings are overblown.

"I have security in my office. It's not like I let any Tom, Dick and Harry into my alarmed, camera-ed and locked server room," said Snyder, who uses 220 Diebold optical scanners for elections in Adams County.

Doran added that there have been no reports of tampering or defrauding computerized election systems in Colorado.

"Nobody has brought any evidence to us so we're not considering it a problem," she said.

Executives with voting technology companies are hawking their wares at this week's conference at Denver's Adam's Mark Hotel, each plugging their product as the safest from tampering and fraud and booking as many private lunches and dinners with election officials as they could.

"Now there's a big hubbub that the emperor has no clothes," said Jim Adler, chief executive of VoteHere, a voting software company. "The danger here is that Americans don't need another excuse not to vote."

Watchdogs grumbled about the aggressive sales techniques and close ties between voting machine companies and the officials they're trying to woo. In Colorado, for example, the executive director of the Denver Election Commission resigned in 1998 to work for Sequoia Pacific Voting Equipment, Inc., a company that received $6.6 million in contracts from his own department.