backtop


Print 76 comment(s) - last by iNGEN.. on Aug 4 at 12:51 PM

Criticizing the criticisms in an ongoing e-voting saga

Representatives from three voting machine companies expressed their criticisms against a California state-sponsored “top-to-bottom review” that found “very real” vulnerabilities in their products.

The study was lead by UC Davis professor Matt Bishop, who discussed the study at a hearing held by Secretary of State Debra Bowen, whose office is currently deciding whether or not to allow the machines’ use during the Feb. 5 presidential primary.

Under a contract with UC Davis and Bowen’s office, Bishop’s study examined machines from Diebold Election Systems, Hart Intercivic, and Sequoia Voting Systems. The conclusions, partially released last week, included findings that the voting systems posed difficulties for voters with disabilities and were vulnerable to intrusion. "It may be that all of [the vulnerabilities] can be protected against. It may be that some cannot,” said Bishop.  According to Secretary Bowen, a fourth company, Election Systems & Software, was also to be included in the review but was omitted because it was late in providing needed information to her office.

According to state law, Bowen has until Friday to set the rules for the upcoming primary election.  "I intend to go through a methodical process to determine what to do next," she said.

Sequoia Systems, in a statement released Monday on their web site, called the study’s findings “implausible,” objecting to the fact that the study was conducted in a closed lab environment over a period of weeks as opposed to a true election environment or in accordance with ISO criteria. “None of the attacks described … are capable of success,” said Sequoia sales executive Steven Bennett to a panel of officials from the Secretary of State’s office.

Diebold and Sequoia further pointed out that the study evaluated outdated versions of the voting machines and their software. “While it cannot be guaranteed that all of the extremely improbable vulnerabilities identified are prevented by subsequent product development and updates, many are specifically addressed,” said Sequoia. However, Sequoia acknowledged that it is working to insure that the “few system vulnerabilities” found could not be used to tamper with election results.

“Voting system reliability is something we're always working at improving … security is never finished,” said Sequoia spokeswoman Michelle Schafer.

Hart Intercivic also objected to the study’s laboratory environment, stressing it was not a considerable substitute for real-world “people, processes, procedures, policies, and technology” and, in the company’s official statement, suggested that a better study might “define a realistic threat that faces all layers of security in an election.”

Even members of the security community have questioned the study’s approach: “While the goals of this effort were laudable, our organization is concerned about its execution,” writes Jim March of watchdog group Black Box Voting, to Secretary Bowen. “Your agency's review only partially examines the risks of inside manipulation with these systems. Procedural remedies can be circumvented by those with some level of inside access. In fact, we would contend that the most high risk scenario of all is that of inside manipulation, and we would also contend that the systems used in California cannot be secured from inside tampering.”

Since their inception, voting machines in the US have received a bad rap amidst a storm of negative press, mishaps, and concern about their ability to be tampered with:

In September 2006, Princeton researchers were able to hack Diebold’s AccuVote-TS machine, going so far as to write a computer virus that spread between other Diebold machines. Later, voting machines from Sequoia were also found to have similar vulnerabilities. “You can’t detect it,” explained Princeton Professor Andrew Appel.

In the same month, a team of untrained 54-year-old women from Black Box Voting, using 4 minutes’ worth of time and $12 in tools, were able to circumvent tamper-proof seals on a Diebold vote scanner, and were able to replace the device’s memory card.

Also in September 2006, a consulting firm working for Ohio’s Cuyahoga County -- which includes Cleveland -- found huge discrepancies between the electronic and paper records kept by Diebold voting machines. Ohio was a key swing state for the tight 2004 presidential election, and its electoral votes help decide the result.

Earlier that year in August, Diebold voting machines botched the Alaska preliminaries in several precincts as they failed to connect to their dial-up servers to upload vote results, slowing the election considerably. Officials had to hand-count votes and manually upload the totals to the central server.

In December 2005, a Diebold whistleblower under the name of “Dieb-throat,” who was once a “staunch supporter of electronic voting’s potential” gave a scathing interview to The Raw Story accusing Diebold of mismanagement and burying known backdoors in their own products, including one that made the Department of Homeland Security’s National Cyber Alert System for the first week of September 2004.

In 2004, Black Box Voting released a video demonstrating that a chimp, given an hour of training, was able to hack a Diebold voting machine. “What you saw was a staged production ... analogous to a magic show,” said Diebold spokesman David Bear, in response.

These findings, as well as others both negative and positive, culminated in a March 2007 warning from the US Government Audit Office as it testified before the Subcommittee on Financial Services and General Government: “[E-voting] security and reliability concerns are legitimate and thus merit the combined and focused attention of federal, state, and local authorities responsible for election administration.”



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Do it the same way as banks.
By theapparition on 8/1/2007 7:57:02 AM , Rating: 2
There are millions of ATM machines. Billions of transactions happen per day without incident, and where there is money, it is not for lack of trying. I don't understand the problem.

Design a system that collects votes electronically, but also prints out a receipt for the voter (and keeps an internal printed receipt, think cash registers with the double paper rolls). Best of both worlds. It would be pretty hard to forge copy transfer paper.

Going back to the botched elections of the past, people have the right to vote, but they have the responsibility to know how to vote. That also include those who do not take the time to know the candidates platforms, and instead vote on party affilitation. Those who miss closing times, get turned away for improper ID, or are just too damn stupid to check next to their candiates name get no sympathy from me.

I also think that news agencies should refrain from posting results or "exit polls" until the entire country has voted, but that is another issue.




RE: Do it the same way as banks.
By Duraz0rz on 8/1/2007 8:49:59 AM , Rating: 2
IIRC this is how it was done with the voting machines I used in Ohio. I'm sure there's an electronic tally in there, as well as a paper sheet that prints your results behind a clear plastic cover.

What they seem to be worried about is security around the electronic storage device for the machines. I do agree that there should be a central server that receives voting information immediately after someone confirms their vote, but imagine the infrastructure involved with that. Each voting precinct would need a voting server. Those servers would need to hook up to one for each township, then city, then county, etc etc etc.


RE: Do it the same way as banks.
By Master Kenobi (blog) on 8/1/2007 9:14:12 AM , Rating: 2
Not really. We did something similiar to this with the Y2K project, we had one central server down in Washington DC (In the building that now headquarters the Homeland Security Agency) with a backup server in California. Everything was piped into the server immediately so we could see if anything went wrong. Having the voting machines maintain a constant encrypted VPN connection to the server cluster and then tallying them at the central location would be childs play. The server could track where it came in from and tally it accordingly. As a backup you could have them continue to print the paper hard copies into a sealed box.

Not difficult.


RE: Do it the same way as banks.
By omnicronx on 8/1/2007 9:18:37 AM , Rating: 2
Not difficult sure, but remember whatever can be made, can be hacked. Theres a lot of venerabilities in no matter what system is picked, especially with a big state like california, where it would be much harder to verify wrongdoings. And although VPN and many other system are secure for ATM etc etc.. none of these things can manipulate who becomes the next president. Just a weee bit more at stake here thats all im saying ;)


RE: Do it the same way as banks.
By Flunk on 8/1/2007 9:52:44 AM , Rating: 2
But not doing it like that is completely stupid. If the votes are stored at each precinct you have thousands of possible hack points.


RE: Do it the same way as banks.
By rtrski on 8/1/2007 9:36:44 AM , Rating: 2
Maybe that's the key. You should be payed for your vote...not by a given candidate as in the alleged vote-purchasing that happens at homeless shelters at every election, but by the government, for doing your civic duty. Like jury pay, but enough to make it a real incentive not to avoid it.

One vote, you get $100 or something. It comes out of your tax return, so the net monetary equation is zero in terms of budgets (obviously neglecting costs of implementing the system, but can they really be different than the costs involved now?)

I bet more people would vote, AND more people would be incentivized to be prepared to vote correctly to get their $100. And if you don't get to get your $100 because someone else hacked 'your' vote, you'd raise a stink too.

Let the flames begin... ;)


By omnicronx on 8/1/2007 9:44:02 AM , Rating: 2
while i do not see how this would help protect anything, it is a damn good idea to get people to vote.
but then again, republicans bank on people not voting every election ;) Most gun-ho republicans are the first to the ballot boxes, at least here in a Canada.


RE: Do it the same way as banks.
By rcc on 8/1/2007 12:04:28 PM , Rating: 2
If they won't do it be cause they want to, need to, or consider it their duty to, I sure don't want them voting because they are getting paid to. By choosing to vote, or not, they are getting pretty much what they deserve.

Even if you get them to the polls, they aren't going to research the candidates or issues, at all.


By theapparition on 8/1/2007 12:46:29 PM , Rating: 2
quote:
Even if you get them to the polls, they aren't going to research the candidates or issues, at all.

Yep, I'd rather have 1,000 people who are knowledgeable about the candidates vote, than 1,000,000 people who don't have a clue.

In retrospect, sounds a lot like the electoral college!


RE: Do it the same way as banks.
By Ringold on 8/3/2007 3:56:31 AM , Rating: 2
quote:
Let the flames begin... ;)


Let me take a step further! And before I do, allow me to credit Robert Heinlein for the following idea.

Lets throw out this universal suffrage crap. Even my 12 year old niece knows there's a lot of idiots out there that shouldn't be handed the right to vote on a silver platter.

Lets chop American's up in to two categories. Legal residents, and Citizens. Citizens can vote, and receive access to the full array of government services, while others do not. One becomes a citizen only be public service, be it volunteering for military duty, extensive community service or some other route where time and effort are sacrificed in the name of the country.

This right could be bestowed individually, so one isn't born a Citizen and one can't through marriage become a Citizen. Once citizenship is attained, it's for life.

Asides from a college degree, it would also be the new sole method of entry to the United States; volunteering for our military, learning English, and then being granted the title.

No more uncaring voters. And through virtue of having spent time either defending the community or serving it (auto-citizenship, perhaps, for firefighters, police, etc), voters would also have a more.. broad view of society from which to base their votes.

Oh, and if some guy in another country wants to volunteer to serve in our Army so that his family can have a better life and doesn't mind, say, a slightly longer than normal contract compared to residents, then that'd be okay by me too, just the kind of people we need.

I don't believe it'd necessarily be any sort of divergence from the intentions of the framers of the constitution, either. Suffrage was FAR from universal then.. I'd even say they might like the idea.

Somebody can flame me, don't really care. It'll never get implemented. :)


RE: Do it the same way as banks.
By rtrski on 8/3/2007 1:15:15 PM , Rating: 2
Yeah, I've always liked that idea myself. Frankly I was throwing out the whole pay for votes incentivizing idea as a lark. I was expecting far more flames than I got.

I'm with you - I don't want unmotivated, unintelligent voters voting. They'll always vote for short-term comfort at best, or at the worst based solely on surface aesthetics.


RE: Do it the same way as banks.
By iNGEN on 8/4/2007 12:51:51 PM , Rating: 2
Remember that line from Starship Troopers about the difference between a resident and a citizen? That was actually an adaptation from a 1801 comment made by then President Thomas Jefferson that the difference between a resident and a citizen is that a citizen makes the individual liberty of each and every one of his countrymen his personal responsibility.

If you are willing to modify your comment to say that citizenship is not granted, but instead that citizenship is intrinsic; displayed or recognized through some form of civil service your idea has my support!


RE: Do it the same way as banks.
By KristopherKubicki (blog) on 8/2/2007 3:06:47 AM , Rating: 2
quote:
There are millions of ATM machines. Billions of transactions happen per day without incident, and where there is money, it is not for lack of trying. I don't understand the problem.

I think the scary thing you'll find is that ATMs are made by the same companies. Maybe that says something for existing ATMs.


By TomCorelis on 8/2/2007 2:37:41 PM , Rating: 2
Voting machines are a whole new set of challenges compared to ATMs. Most of the polling places around where I live are run out of peoples' garage or the local elementary school. Quick to set up, quick to take down; there on voting day and gone the next. I bet if Diebold et al could design voting machins like they design ATMs we'd already have successful implementations, but they can't. Voting machines need to be extremely portable, almost disposable in their role. Short of making them a dumb terminal (which is its own can of worms) I think it's very hard to make a system that is both resistant to tampering but easily set up and configured by the polling volunteers.

What I'm trying to say is that I am not surprised that it's taking this long. Frankly, I don't know what's so hard on the data end, but locking down the machines is tricky.


"We shipped it on Saturday. Then on Sunday, we rested." -- Steve Jobs on the iPad launch

Related Articles













botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki