A particularly interesting article in ComputerWorld:
Q&A: E-voting systems hacker sees 'particularly bad' security issues
In this article Herbert Thompson, director of research at Wilmington, Mass.-based Security
Innovation, talks about e-voting security.
Can you tell us about some of your e-voting machine hacking activities?
On Tuesday, Dec. 13, we conducted a hack of the Diebold AccuVote optical scan device. I wrote a
five-line script in Visual Basic that would allow you to go into the central tabulator and change
any vote total you wanted, leaving no logs.
Five lines of Visual Basic is incredible. The fact that you can upload VB programs on the
memory card and have them executed means that not only are the e-voting machines insecure from a
software standpoint but that they can never be secure because the security is based upon external
controls and is not a feature of the software or of the machine. The entire idea that you could
write a secure software program that accepts modified VB code at runtime is truly a Brownie
moment.
An article in Sunday's Washington Post further details the hacking of Diebold machines:
Sancho's most recent demonstration was last month. Harri Hursti, a computer security expert
from Finland, manipulated the "memory card" that records the votes of ballots run through an
optical scanning machine
...Sancho and seven other people held a referendum. The question on the ballot:
"Can the votes of this Diebold system be hacked using the memory card?"
Two people marked yes on their ballots, and six no. The optical scan machine read the ballots,
and the data were transmitted to a final tabulator. The result? Seven yes, one no.
"Was it possible for a disgruntled employee to do this and not have the elections
administrator find out?" Sancho asked. "The answer was yes."
In the ComputerWorld article, Thompson sidesteps the political issue to drive home his
point that this is really bad software:
Is e-voting security a political issue?
I'm strictly an independent person donating my time. It's not political. Bad software is the
issue. I'm a software security guy. I see a lot of bad software. All software has security
vulnerability -- this is just particularly bad.
The best part of reading both articles is the Diebold response. In both cases, rather than
providing any substantive response, Diebold attacks Leon County Supervisor of Elections Ion
Sancho for conducting the tests.
From ComputerWorld:
Diebold Responds
Diebold has publicly denounced the Leon County tests as being invalid. In fact, the vendor
contended that Leon County Elections Supervisor Ion Sancho's decision to sponsor the hacking
attempts were potential violations of licensing agreements and intellectual property rights. In a
letter to Sancho on June 8, Diebold said Sancho had committed a "very foolish and irresponsible
act."
From the Washington Post:
Diebold and some officials have criticized Sancho's experiments and said his conclusions about
the vulnerability of electronic voting systems are unfounded.
This is a response truly worthy of (or perhaps even written by) george w. bush/karl rove.
Note to Diebold: Sancho is doing his job, you are not!
In the end, some may believe that stories of vote manipulation in past elections are
conspiracy theories not worth pursuing. In test after test, though, it has been demonstrated that
vote manipulation is easily possible. Continuing to believe that vote manipulation will not
happen is wishful thinking, not reasoning.