This story appeared on Network World at

http://www.networkworld.com/columnists/2008/010808bradner.html

Election (including security) madness

The continuing saga of poorly designed voting machines

'Net Insider By Scott Bradner , Network World , 01/08/2008

'Tis the season for being drowned in political commentary and ads. It's been a very long season indeed, and it's not over yet by a long shot.

Along with the surfeit of political commentators and more-than-daily polls (each of which comes up with a different truth) there has been an undercurrent of mistrust when it comes to the voting mechanisms many people use. The worry is that the voting machines themselves could have a deciding impact on the election in some cases.

I suppose some of you might wonder why I should take the time to write about this topic again, because so little has changed in the four years I've been commenting on it. While there may be no fundamental change that can be seen, there have been enough changes in degree that I guess it's time to revisit the mess.

There has been a minor change in official attitudes about the suitability of the current generation of electronic voting systems.

While too often local election officials seem to turn a blind eye to any problems -- perhaps preferring pilfered elections to any admission of a mistake -- state- and federal-level officials now are worrying more frequently about making sure that people's votes are accurately counted. For example, the secretaries of state in Colorado and California have decertified all of their current batch of electronic voting machines because of worries about hackability, accuracy and reliability. The state of Ohio undertook an extensive (and expensive) review of electronic voting machines and found serious problems with them. Similar issues were found by a study undertaken by the state of California.

Both reports, along with a number of others, show that the companies building these systems apparently are incapable of learning anything about security. If someone wanted to do a case study in how to not build security into a computer-based system, he or she would have plenty of real-world examples in the electronic-voting-machine industry.

In addition to many technology-related issues related to what seems to be an extraordinarily poor understanding of standard, basic, computer-security practices (for example, the use of virus checkers), many problems have been found with these companies' understanding of common-sense organizational or physical-security practices. For example, one manufacturer decided to put a lock on all its machines -- I guess to prevent unauthorized people from accessing the physical system -- but then negated the value of doing so by using the same key in all its devices and publishing a picture of the key on its Web site.

The election bombardment of attack ads and clueless commentary is quite depressing, but equally depressing is the vision of technology vendors adamantly ignoring years of many people detailing the security issues with their products. I hope this is mostly an isolated case, and other types of vendors actually listen to comments on security issues and try to fix problems.

Disclaimer: Harvard is in the business of learning. From what I can see, these vendors would not make good students, but the university has expressed no opinion on their inability to learn, so the above is my observation.