title:

Election (including security) madness

By: Scott Bradner

'Tiz the season for being drowned in political commentary and ads. It's been a very long season indeed and it's not over yet (by a long shot). But along with the surfeit of political commentators and more than daily polls (each of which comes up with a different truth) there has been an undercurrent of mistrust when it comes to the voting mechanisms used by many people. The worry is that the voting machines themselves could have a deciding impact on the election in some cases.

I suppose some of you might wonder why I should take the time to write about this topic again since so little has changed in the 4 years I've been commenting on it. (See "'Go-Away,' he explained" - http://www.sobco.com/nww/2003/bradner-2003-08-04.html, "Lessons from the e-voting mess" - http://www.sobco.com/nww/2004/bradner-2004-05-10.html and "Vote fraud: a business opportunity?" http://www.networkworld.com/columnists/2006/110606bradner.html) While there may be no fundamental change that can be seen, there has been enough changes in degree that I guess it's time to revisit the mess.

There has been a minor change in official attitudes about the suitability of the current generation of electronic voting systems. While too often local election officials seem to turn a blind eye to any problems, (see "SC officials plan to use voting machines banned by other states" - http://www.charlotte.com/205/story/434711.html) perhaps preferring pilfered elections to any admission of a mistake, state- and federal-level officials are now more frequently worrying about making sure that people's votes are accurately counted. For example, in both Colorado and California the secretary of state has decertified all of the current batch of electronic voting machines because of worries about hackability, accuracy and reliability. Ohio undertook an extensive (and expensive) review of electronic voting machines and found serious problems with them. (See "EVEREST: Evaluation and Validation of Election-Related Equipment, Standards and Testing" http://www.sos.state.oh.us/sos/info/EVEREST/14-AcademicFinalEVERESTReport.pdf) Similar issues were found by a similar study undertaken by the state of California (see "Overview of Red Team reports" - http://www.sos.ca.gov/elections/voting_systems/ttbr/red_overview.pdf

Both of these reports, along with a number of others show that apparently the companies building these systems are incapable of learning anything about security. If someone wanted to do a case study in how to not build security into a computer-based system they would have plenty of real world examples in the electronic voting machine industry. In addition to many technology-related issues to do with what seems to be an extraordinarily poor understanding of standard basic computer security practices (e.g., the use of virus checkers) many problems have been found with these companies understanding of common sense organizational or physical security practices. For example, one manufacturer decided to put a lock on all their machines, I guess to prevent unauthorized people from accessing the physical system, but then negated any value of doing so by using the same key in all of their devices and publishing a picture of the key on their website. (See Diebold Voting Machine Key Copied from Photo at Company's own Online Store!" - http://www.bradblog.com/?p=4066.)

The election bombardment of attack ads and clueless commentary is quite depressing but equally depressing is the vision of technology vendors adamantly ignoring years of many people detailing the security issues with their products. I hope this is mostly an isolated case and other types of vendors actually listen to comments on security issues and try to fix problems.

disclaimer: Harvard is in the business of learning, from what I can see these vendors would not make good students but the university has expressed no opinion on their inability to learn so the above is my observation.