Security Of E-Voting Systems Seriously Questioned

Information Week ^ | July 26, 2003 | By George V. Hulme

[TaxRelief]

Three computer researchers from the Information Security Institute at Johns Hopkins University, with help from a computer scientist at Rice University, say they've uncovered vulnerabilities in the software purportedly used by Diebold Election Systems. As a result, one person can cast multiple votes, elections can be delayed, the anonymity of voters can be breached, and cast votes can be modified or even deleted, the researchers say.

However, the code analyzed by the researchers could be up to a year old. The code included modifications through 2002, the researchers said in a statement. The code they analyzed was discovered on a publicly accessible Diebold Web site in January. A spokesperson for Diebold Election systems was not immediately available for comment on the findings.

According to information from Diebold's Web site, more than 32,000 Diebold voting systems were used in general elections in November 2002. Earlier this week, the company said it had closed a $56.6 million contract with Maryland for 11,000 Diebold touch-screen voting systems.

Avi Rubin, technical director of the Information Security Institute, said in a statement that a 15-year-old computer enthusiast could make counterfeit smart cards that the system would accept as legitimate.

"A few months ago we didn't know what was going on inside these machines because no one would tell us," says David Dill, a computer science professor at Stanford University. Dill says he hopes the research will shed light on potential security problems with electronic voting. "There are election officials that just don't want to hear about the potential security problems. They won't listen."

[TaxRelief]

"There are election officials that just don't want to hear about the potential security problems. They won't listen."

Perhaps, because they already know a good hacker?

---

Anyway, here is a link to an AP article containing Diebold's response or if you want more info on this situation.

[swilhelm73]

Election fraud is a serious problem in America. Making voter fraud easier will only make the problem worse.

What benefit do we get from this kind of system that is worth that?

And why do I have a sinking suspicion that it is a bunch of hacking savvy lib election officials that are pushing this?

After how tough the voting fraud proved to be in St Louis and Florida I'm sure they are looking for an easier route...I mean, think about it, the Dems almost got caught with their stolen voting machine in Florida...this would be so much easier!!!

[Jay D. Dyson]

Is this where Golden Eagle shows up and preaches the mantra of "security through obscurity" and evangelizes us all about how great Micro$loth is?

Guh. Anyway, I know a number of the most outspoken critics of the security of these electronic ballot systems. The folks to whom I refer (Rubin, Schneier, and Mercuri) have _forgotten_ more than most self-described "experts" will ever _know_ when it comes to what's absolutely essential for voting system security.

But, as always, hubris champions serious review in many government circles.

It was bad enough that the dead were being forced to vote Democrat. Now, thanks to the inherent insecurities of the electronic voting systems going into play, ALL OF US can be just as readily drafted to support the next Democrat.

Comforting thought? Hardly...

-Jay

[Djarum]

The code should be public. With paper we can at least see the system and its potential flaws.

[.cnI redruM]

"I love myself. My online vote SHOULD count about 500 times." - Howard Dean

[forewarning]

"A few months ago we didn't know what was going on inside these machines because no one would tell us"

Here, at least, demand open source!

[johnboy]

"I mean, think about it, the Dems almost got caught with their stolen voting machine in Florida"

actually, they WERE caught. just nothing was done about it.

[exDemMom]

The only way I could accept e-voting is if, after doing the touch-screen thing, the machine spit out a card that would be clearly marked with my choices, and I handed that card to the elections officials for tabulation. Any system where the vote count is stored electronically is inherently untrustworthy.

In my county, we vote by physically punching holes in a card. While the pre-scored cards used in Florida were problematic ("Gee, I swear that Gore chad fell out all by itself when I picked up the card to count it"), I don't think plain unscored cards are a problem.

[backhoe]

-The Vote Fraud Archives--

[TaxRelief]

The only way I could accept e-voting is if, after doing the touch-screen thing, the machine spit out a card that would be clearly marked with my choices, and I handed that card to the elections officials for tabulation.

Excellent idea. Now how do we get it implemented?

I wonder, too, if we have some sort of right to refuse to vote electronically and to demand a paper ballot.

[Maria S]

See how easy it will be for you-know-who to get herself elected?

[exDemMom]

Excellent idea. Now how do we get it implemented?

If I knew that, I'd be living in a nicer house and driving a Jaguar right now with the proceeds from selling my fraud-resistant voting machine.

[Goldwater Girl]

For what it's worth, Diebold could not get their election system certified in Florida. We identified them as lousy 2 years ago. None in use here- but Georgia uses them statewide, Maryland, Kansas and parts of California also.

The touch screen with a print out isn't ready for prime time yet- each machine has to have its own printer (no sharing permitted)- problematic paper jams, ink running out etc. They are working on making it more dependable and cost effective, but it will be a while. Like you, I would prefer a more tangible ballot.