Friday, November 03, 2006

America's media reports how easy it is to HACK computerized voting.. mere HOURS before election 2006!

America's electronic voting debacle is an international EMBARRASSMENT foisted on America by Republicans, and Republican owned voting-machine companies, with more than a little complicity from "major media" and even the "opposition party" Democrats.

As this lengthy MSNBC report explains, details of THESE SECURITY FLAWS and "looming voting nightmares" WERE KNOWN TO EXPERTS back in 2004.

HOW could VOTING, the process AT THE VERY CORE of America's democracy, be SUCH A CHAOTIC NIGHTMARE, with practically DOZENS of computer security experts now providing detailed analysis and tests that DEMONSTRATE how easy it is to HACK THE VOTE?

answer- America's voting process is a nightmare MESS (reminding us, in fact, of the administration of the Iraq occupation)**BECAUSE REPUBLICANS in LEADERSHIP, POWER POSITIONS WANT IT THAT WAY.

**note: for a textbook example of how gross corruption appears to be a DESIRED part of the Iraq war /US occupation, this article by the New York Times details how the Bush administration has secretively "fired" the INSPECTOR GENERAL from the job of oversight of Iraq war contracts, spending, and operations. The Bush-Cheney-Rumsfeld administration's scorn for, not just Iraqis, not just American voters, BUT EVEN AMERICA's TROOPS serving in Iraq - is now clearly criminal and pathological.
http://www.nytimes.com/2006/11/03/world/middleeast/03reconstruct.html

===============================================

<< He showed how easy it would be for someone with access to the hardware that counts votes to launch Microsoft Access, edit the table containing the totals, clean up any traces of his vote-rigging and close the program.

He showed how easy it would be for someone with access to the hardware that counts votes to launch Microsoft Access, edit the table containing the totals, clean up any traces of his vote-rigging and close the program.

When a state official suggested removing Microsoft Access from the machine to foil hackers, Thompson showed how to do the same thing with a five-line program written on Microsoft’s basic text-editing program, Notepad. >>


E-voting grows, concerns remain
by Bob Sullivan
Friday, November 3 2006
http://redtape.msnbc.com/2006/11/post.html


Dr. Herbert H. Thompson was ready to hack democracy, but he had to wait an extra two hours.

Thompson was sitting outside the California Secretary of State’s Office, ready to demonstrate that electronic voting machines could be fooled into miscounting ballots, but there was a glitch. A “60 Minutes” camera crew was on site and eager to film the demonstration, but state officials balked at the melodrama and refused to allow the crew in. The meeting was almost canceled.

After some tense negotiations, Thompson and a group of electronic voting detractors were allowed inside – sans the cameras.

That didn’t make the meeting any less dramatic. Over the next hour, Thompson, an adjunct professor at the Florida Institute of Technology and author of four books on computer security, virtually undressed California’s new voting tabulation machines.

He showed how easy it would be for someone with access to the hardware that counts votes to launch Microsoft Access, edit the table containing the totals, clean up any traces of his vote-rigging and close the program.

When a state official suggested removing Microsoft Access from the machine to foil hackers, Thompson showed how to do the same thing with a five-line program written on Microsoft’s basic text-editing program, Notepad.

Open Notepad, hack democracy. It is that easy, Thompson said.

That was Aug. 18, 2004. Thompson, who also works as a computer security consultant, has been highlighting e-voting problems ever since. It’s a big part of the HBO documentary “Hacking Democracy” which premiered Thursday night. But despite his road show, and similar demonstrations of other flaws by computer security experts, little has changed since 2004, other than this: Next Tuesday, one third of the country will face new voting equipment – the largest such change in voting procedures in our nation’s history, according to the Washington D.C.-based Election Data Services.

The machines are fragile, and security flaws are rampant, Thompson maintains. The recent Robin Williams movie “Man of the Year,” where a computer bug leads to the incorrect election of a candidate for president, is not far-fetched, he said.

“It's just remarkable, it just doesn’t seem like progress has been made in the face of a continual barrage against these systems,” Thompson said. “Here we are in 2006 but we have the same kinds of problems we had in 2004, problems that are pretty obvious to anyone in the security space.”

Diebold spokesman David Bear bristles at the idea that electronic machines aren’t safe.

“It’s important to separate fact from fiction,” he said. “The technology has been successfully used for 15-20 years. Touch screens are more accurate than other forms of voting.”

He also says the company has been responsive to many suggestions from security experts, such as the ability to protect computers with better password schemes.

And not all outside election experts are critical of the new system. A recent study released by the Massachusetts Institute of Technology says more votes were lost using old voting machines, such as punch cards, than with electronic voting machines.




Dr. Herbert H. Thompson talks with MSNBC's Lester Holt about the flaws in electronic voting machines. Click to watch


Other computer security experts aren’t convinced. Many believe the country rushed headlong into the digital voting age without addressing major security issues because a lot of money was at stake. After the hanging chad debacle of 2000, Congress passed the Help America Vote Act (HAVA), and offered $4 billion to states so they could buy the latest voting technology.

All parties agree the legislation was well-intentioned, but the stick to that carrot was a deadline, which has arrived. States that wanted the money had to spend it by this year, for this federal election.

Like a mystery novel
The e-voting saga has taken many twists and turns, and at times has the flavor of a spy novel.

Earlier this month, computer disks containing the secret source code to Diebold Election Systems voting machines were anonymously dropped off Deep Throat-style at the Washington Post.

Last week, partial Venezuelan ownership of voting machine vendor Sequoia Voting Systems became an issue, as the Miami Herald reported that the U.S. Committee on Foreign Investment was investigating the possibility of a link between Sequoia and Venezuelan President Hugo Chavez, a fierce critic of the Bush administration. Sequoia denies any involvement by the Venezuelans government.

A small army of bloggers and independent researchers chronicle every electronic vote misstep at sites like BlackBoxVoting.org and BradBlog.

Even off the Web, the machines have been accused of fomenting chaos. Primary electronic voting headaches in Maryland led Gov. Robert Ehrlich, who is running for re-election, to withdraw his support for the systems and urge residents to vote with paper absentee ballots instead. After his comments, requests for absentee ballots jumped threefold.

The e-voting controversy has garnered much mass media attention. In addition to the HBO documentary, news outlets around the country have aired investigations into the machines. And Diebold was named Keith Olberman’s ‘Worst Person in the World” this week for asking HBO not to air its e-voting documentary.

How are consumers to know?
While voters are awash in critiques of the systems, they are hardly in a position to evaluate their safety or accuracy – no more than fliers are in a position to judge the airworthiness of an airplane. For that, they must rely on the public sparring match between software vendors and security experts.

On one side are the geekiest of geeks, computer security experts who can sound paranoid, and at times are guilty of conjuring up the unlikeliest of disasters to make their points. On the other side are technology vendors led by Diebold (the ATM maker), Sequoia and Election Systems & Software. They at times sound condescending (Just trust us) or dismissive (these attack scenarios presume election officials are corrupt, and they’re not).

The two sides tend to duke it out using inexact metaphors, which don’t help. Vendors say the machines are capable of printing out a “zero-vote” sheet at the beginning of the day to, showing vote totals start at zero, comparing that to officials looking into an empty ballot box at poll opening. Critics say that converting punch-cards systems to touch screens is hard on aging poll workers, like asking coal miners to suddenly work at a nuclear power plant.

The controversy matters. According to The New York Times, votes in about half of the 45 most competitive congressional races will be cast on paperless machines. Some states have anticipated that problem, and now legally require electronic machines to be outfitted with a printer that produces a paper receipt. But those receipts have their own issues, including the fact that they may unintentionally make it easy for an observer to determine who voted for which candidate. The receipts are sometimes stored in order, so a poll watcher could identify the 14th voter at a machine by looking at the 14th receipt, thereby destroying the fundamental anonymity of the ballot box.

Avi Rubin, a professor at Johns Hopkins University and author of the new book “Brave New Ballot,” was the first outside security expert to analyze Diebold computer source code. It was left on an Internet site by accident, and discovered in 2003 by e-voting critic and activist Bev Harris of Black Box Voting.

Rubin said the program appears amateurish and sloppy. Experienced programmers can look at a programmer’s code and tell if it’s professional by examining its style – how clear the commented internal documentation is, for example – just as an English professor can quickly judge the writing level of students.

Geeks and politics: A strange marriage
Rubin, who as an election judge in Maryland witnessed problems with September’s primary voting, thinks the relentless march towards electronic democracy is purely a function of money and timing.

“A lot of states locked themselves into this, and now they are finding out (the machines) are not as secure and reliable as vendors said they were, but there isn't an alternative to them. They are backed into a corner,” he said. “Election officials who spent hundreds of millions will lose a lot of faith if they admit it’s a mistake.”

The political arena is a strange one for computer security geeks. Thompson makes his living as chief security strategist of a consulting firm Security Innovation. There, he spends much of his time fighting denial from clients who can’t believe their million-dollar technology is so fragile. When he describes the process, it sounds strangely similar to psychiatrist Elizabeth Kulber-Ross detailing the five stages of acceptance in her book “On Death and Dying.”

"When you realize you have a risk, you can practice risk avoidance or risk mitigation,” Thompson said, indicating that companies can quit using the faulty software or add a process that makes it safer. Then, there’s the third option: Do nothing. He calls is “Risk acceptance.” That’s what election officials around the country have decided to do, he said, despite all the warnings.

There are many different types of electronic voting machines, but all systems must have two basic components: a machine that collects votes and one that tabulates votes. Voters only see the collector – in decades past, a lever machine, or even an empty box. Next week, about 60 percent of voters will see a touch screen device or an optical scanner that accepts paper ballots marked up SAT-style.

But the real mathematics happen in the tabulator. Votes collected by individual machines must be centrally tabulated, generally by a computer housed at county offices. In many precincts, couriers will hand carry memory cards similar to laptop PC cards from polling places to country offices. Some counties allow transmission of the data via modem.

Hackers can attack either collectors or tabulators -- or they can attack the transmission of data between them.

Hacking possibilities demonstrated
Earlier this year, Princeton University Professor Edward Felten and his graduate students attacked collectors. They found a method for injecting a computer virus onto voting collection machines in as little as 60 seconds by picking the lock that guards a removable memory card, and swapping the card with an infected card.

Last year, Finnish researcher Harri Hursti also demonstrated he could change the vote calculations on a machine by swapping memory cards.

Those attacks required physical access to a voting machine, but Thompson doesn’t believe proximity is necessary. He’s focused his attention on attacking he tabulator machines, some of which are at least temporarily connected to the Internet, he said. Such machines often run Microsoft Windows and require regular installation of security patches. Downloading such patches would open a pathway for a long-distance attack, he said.

Diebold’s Bear dismissed the vote hacking demonstrations as “magic tricks”

“These are things that could not be done except in the sanitary environment of a laboratory,” he said. “...They are not representative of a real election environment. These what-if scenarios are all based on complete and unfettered access to system, working around pass codes and (with) unlimited amount of time.”

He said Diebold appreciates the public discourse on voting hardware and software, but accused detractors of engaging in scare tactics.

“When the dialog turns to rhetoric, it only serves to confuse and frighten voters,” he said.

For the most part, electronic voting critics have focused their attention on the flaws of paperless touch-screen machine, known in the industry as DREs, for Direct Recording Electronic. Users can have a strange, unsatisfying feeling after voting on a DRE. With no paper to touch or no lever to pull, voters can be left wondering if anything happened when their ballot was cast.

But Thompson’s worries are even broader. In studying vote-counting machines, he’s exposed weaknesses even on hand-marked ballots that are fed into optical scanners, which had been considered safer by many than touch-screen machines. Even optical-scan votes must eventually be added in a central tabulation machine. There are multiple ways someone with access to the machine could alter the results, he said.

Poll workers aren’t tech pros
Thompson’s biggest concern isn’t hardware or software; it’s people. Elections officials are rarely professional IT security experts.

“I’m giving you something that does magical things," Thompson said. “That’s all you know.”

Computer security experts stay up late nights working and reworking policies that are at the heart of a security system, such as, “Only managers can have remote modem access to servers.” But in the voting world, such policies are often unwritten, or non-existent, Thompson said.

For example, there have numerous examples of notorious “sleepovers,” where election officials allow poll workers to take voting machines home with them for a night or two before the election to ease the burden of distribution on Election Day. Any one of them could commit the kinds of election fraud Thompson describes, and so could anyone who knows the machines are in their homes for the night.

Of course, no election is perfect. Recent history proves that vote counts can be markedly imperfect. Some argue that electronic voting, while still fighting its own unique set of kinks, is still a grand step forward for U.S. voters. Thompson doesn’t think so.

In the past, he said, someone who wanted to rig results of an old-fashioned lever machine had to work very hard and recruit multiple assistants to create large tabulation errors. Technology voting allows a single person to do the work of a small army.

“If someone wanted to affect the results of an entire county, I could potentially do so fairly easily as single individual,” he said.

There is no telling how electronic balloting will fare on Tuesday. There might be obvious glitches, such as lost memory cards or power outages that lose votes. But these glitches don’t concern Avi Rubin. He’s much more worried about the glitches that no one will ever see. As Thompson has demonstrated, someone could retabulate votes, erase their tracks, and no one would ever know. Because of this, when asked if an election had already been hacked in America, Rubin said he couldn’t answer the question.

“The answer to that is I don't know, and it will always be I don't know,” said Rubin, who advocates a permanent return to paper ballots.

Thompson is not so severe. But he’s wondering why electronic voting has been rolled out so quickly with little public dialogue about its safety. Sure, he’s enjoying a bit of notoriety this week, as he did in November 2004. But he’s concerned that interest in hacking of democracy will quickly fade again. As a computer scientist, he knows a week of attention is no way to solve a computer security issue.

“What we need is sustained attention to the problem,” he said. “But I’m worried that now people are just desensitized to it.”

For more information on your state’s voting technology, see a detailed state-by-state map compiled by Computerworld.

No comments: