Computer Voting Is Open to Easy Fraud, Experts Say

posted by admin on Thursday July 24, @07:38AM

http://www.nytimes.com

By JOHN SCHWARTZ

The software that runs many high-tech voting machines contains serious flaws that would allow voters to cast extra votes and permit poll workers to alter ballots without being detected, computer security researchers said yesterday.

"We found some stunning, stunning flaws," said Aviel D. Rubin, technical director of the Information Security Institute at Johns Hopkins University, who led a team that examined the software from Diebold Election Systems, which has about 33,000 voting machines operating in the United States.

Advertisement

The systems, in which voters are given computer-chip-bearing smart cards to operate the machines, could be tricked by anyone with $100 worth of computer equipment, said Adam Stubblefield, a co-author of the paper.

"With what we found, practically anyone in the country — from a teenager on up — could produce these smart cards that could allow someone to vote as many times as they like," Mr. Stubblefield said.

The software was initially obtained by critics of electronic voting, who discovered it on a Diebold Internet site in January. This is the first review of the software by recognized computer security experts.

A spokesman for Diebold, Joe Richardson, said the company could not comment in detail until it had seen the full report. He said that the software on the site was "about a year old" and that "if there were problems with it, the code could have been rectified or changed" since then. The company, he said, puts its software through rigorous testing.

"We're constantly improving it so the technology we have 10 years from now will be better than what we have today," Mr. Richardson said. "We're always open to anything that can improve our systems."

Another co-author of the paper, Tadayoshi Kohno, said it was unlikely that the company had plugged all of the holes they discovered.

"There is no easy fix," Mr. Kohno said.

more...
http://www.nytimes.com

MSNBC.com: E-voting flaws risk ballot fraud

http://www.msnbc.com

July 24 — Some versions of electronic voting software could allow for ballot fraud on a massive scale, computer security researchers reported Thursday. The claim was based on their analysis of computer code that was purportedly taken from one of the country’s top suppliers of voting equipment. Based on the report, one election examiner is calling for the decertification of any systems containing the software flaws.

< snip>

“Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts,” the researchers reported. Among the issues highlighted were “unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes,” they said.

< snip>

- Analysis of an Electronic Voting System

- Black Box Voting

- What do the Geeks think?

The real scoop on Diebold

25th July, 2003 by Fintan Dunne, GuluFuture.com

On 24th July, 2003 an important story broke. Johns Hopkins University researchers found that electronic voting machines are full of security flaws which can allow fraudulent election results. A scandal indeed.

But like many reported 'scandals' this is a pseudo-investigation. In truth, the news was two weeks old. Alternative media site Scoop.co.nz first broke the unabridged full story, by Bev Harris --back in early July, 2003.

The Johns Hopkins team only decided to commence their investigation precisely when the Scoop story hit the Internet. Now, in double-quick time they are in print in the New York Times (followed by Yahoo News and MSNBC) with what the NYT called "the first review of the software by recognized computer security experts." Author of the Scoop articles, Bev Harris, although a world leader in this field, is sadly unrecognized --by the NYT at least. So the NYT coyly ignores the explosive content of her prior Scoop story.

Why? Note this remark by Aviel Rubin, of Johns Hopkins University, who led the team which examined Diebold software used in voting machines across the USA. When asked to comment on allegations by Bev Allen that the Diebold software may have been designed to facilitate fraud, Rubin described the claim as "ludicrous."

Rubin could dismiss the allegation of deliberately fraudulent design in Diebold software, because his team never examined the Diebold software in question. They only looked at security flaws in the touchscreen terminals and smart cards used by voters. It's true, these are deeply flawed, but not criminally flawed.

The jaw-dropping revelations in the Scoop story did not relate to the touchscreens, but the Diebold software running on the servers which collate the results from many individual touchscreens. It is here that the smoking gun was found.

Incredibly, this software keeps not one, but two Microsoft Access data tables of voting results. It's like a business keeping two sets of account books. The two tables are notionally identical copies of the votes collated from all polling stations. The software uses the first table for on-demand reports which might uncover alteration of the data --such as spot checks of results from individual polling stations.

And here's where it got scary. The second of the two tables is the one used to determine the election result. But the second table can be hacked and altered to produce fake election totals without affecting spot check reports derived from the first table. These will still check out.

The election officials using menu-driven Diebold software are never aware there are two underlying data tables.

Finally, alterations to the second table can be accomplished by dialing into the Diebold server across the Internet through a maintenance port. Whew!

Is this software designed with criminal intent? Consider this: If the IRS called to a business and found two sets of books -one used for IRS spot checks and a second, alterable set used to make IRS returns, do you think they might be a little bit annoyed?

Yet even though the Johns Hopkins team sourced their data from Scoop and surely knew of the full implications of Bev Harris's discoveries, by only looking at touchscreen stations in their investigation, they can with straight faces dismiss the deliberate intent allegations as "ludicrous."

The real Diebold story may have been so hot, that some in US media and academia have co-opted the controversy and have masked it's full scope. It's not the first time this tactic has been used. For the straight dope on Diebold, go to the people who got the scoop!

<  IraqGate UK- David Kelly had MI6 Infos | 911 Report Is Now Available  >