www.verifiedvoting.org
....Now I can "prove that the machines can be hacked" by citing the following paper which just appeared on the web. Computer security researchers at Johns Hopkins and Rice Universities have inspected the Diebold code that appeared on a web site in New Zealand a few weeks ago. The report appears at:
http://avirubin.com/vote.pdf
My understanding is that this analysis took about a week. Very serious security blunders were discovered in a matter of hours. While I still believe that insider attacks are still the hardest to stop and potentially the most damaging, it is now clear that there are serious security holes that can be exploited by election workers and even voters. Unlike insider tampering, most of these problems could have been easily avoided had competent computer security people been involved in the system design and implementation.
For example, it appears that it is easy to make counterfeit "voter cards," which can be used to vote as often as you like. One can easily make a fake "administrator" card. Hackers could rearrange the candidate order on the ballot so that votes are credited to the wrong candidates.
We've been told by voting machine vendors, regulators, and election officials that "hacking" DREs is almost impossible because the machines are designed carefully, use cryptography, and have proprietary software; that there are stringent Federal regulations; that Independent Testing Authorities (ITAs) scrutinize every line of code; that states have exhaustive certification processes; and localities do extensive Logic and Accuracy Tests.
It's just not true. That was obvious before the report, but now it should be undeniable.
There is no reason to believe that Diebold's system is less secure than other vendors'. Their code just happened to be available. All the other vendors are implementing the same inadequate security requirements and satisfying the same inadequate reviews.
There is also no reason to assume that the worst problems have been found. The authors felt that it was important to get the information out quickly. Additional weeks or months of review might reveal even worse problems.
I hope this settles the debate on DRE security. They're not secure. There needs to be an independent audit trail.
DIEBOLD SCOOP
http://www.scoop.co.nz/mason/stories/HL0307/S00065.htm
At worst, what is described is a security hole, not actual wrong-doing or election fixing. At best, it is harmless.
The technical discussion appears to me to be sound (although some readers will know more about this than I do). However, the implications are unclear to me.
The discussion is about the process of adding up vote counts at a central office. For example, a county has many precincts. Vote totals for each candidate are calculated at the precincts and sent in to the main office, where they are tallied, along with absentee votes, to get vote totals for the county. From the discussion, it seems clear that a malicious user could modify vote totals.
How bad is an insecure tally system? It depends on what election procedures are in place. In California, the parties get precinct data before the election is certified and analyze it to death (I just talked to the guy who does this for the Democratic party). They feel confident that they would catch any problems in the tally system. This illustrates the advantage of having an independent audit trail: the vote totals can be reconstructed from the original precinct data, independently of whatever happens in the central office.
On the other hand, I have also heard that candidates do NOT have access to timely precinct totals in some parts of the country, and cannot compute their own vote totals. If this is true, it is a very bad situation because tally systems probably have lots of other holes.
What does this have to do with voter-verifiable audit trails? It is independent, but illustrates some points: For a system to be trustworthy, you have to have meaningful audit trails, and you have to use them. If similar problems were found in the DRE software (for example, if someone could modify the recorded votes in the DRE), it would be a fatal flaw, because there is no independent audit trail.
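The cross-check described above, where vote totals are reconstructed from precinct data independently of the central office, can be sketched as follows. This is an added example, not part of the original commentary or of any vendor's system; the function name, finding labels, precinct IDs and vote counts are all constructed for illustration.

```python
from collections import Counter

def reconcile(precinct_reports, absentee, central_totals, expected_precincts):
    """Rebuild county totals from precinct-level reports obtained independently
    of the central office and list every disagreement with the published tally."""
    findings = []
    by_precinct = {}
    for precinct, totals in precinct_reports:
        if precinct not in expected_precincts:
            findings.append(("unknown_precinct", precinct))
        elif precinct in by_precinct:
            findings.append(("duplicate_report", precinct))  # first report is kept
        else:
            by_precinct[precinct] = totals
    for precinct in sorted(set(expected_precincts) - set(by_precinct)):
        findings.append(("missing_precinct", precinct))

    # Independent recomputation: absentee votes plus one report per precinct.
    recomputed = Counter(absentee)
    for totals in by_precinct.values():
        recomputed.update(totals)

    for cand in sorted(set(recomputed) | set(central_totals)):
        ours, theirs = recomputed.get(cand, 0), central_totals.get(cand, 0)
        if ours != theirs:
            findings.append(("total_mismatch", cand, ours, theirs))
    # Same number of ballots overall but different per-candidate totals means
    # votes were moved between candidates rather than added or dropped.
    mismatch = any(f[0] == "total_mismatch" for f in findings)
    if mismatch and sum(recomputed.values()) == sum(central_totals.values()):
        findings.append(("votes_shifted_between_candidates",))
    return dict(recomputed), findings

# Constructed sample data (not real election results).
EXPECTED = {"P-01", "P-02", "P-03"}
PRECINCTS = [
    ("P-01", {"Candidate A": 310, "Candidate B": 290}),
    ("P-02", {"Candidate A": 120, "Candidate B": 205}),
    ("P-03", {"Candidate A": 400, "Candidate B": 150}),
]
ABSENTEE = {"Candidate A": 45, "Candidate B": 60}
# Central tally as published: 50 votes differ from what the precincts reported.
CENTRAL = {"Candidate A": 825, "Candidate B": 755}

if __name__ == "__main__":
    totals, findings = reconcile(PRECINCTS, ABSENTEE, CENTRAL, EXPECTED)
    print(totals)
    for finding in findings:
        print(finding)
```

The check is only as good as the independence of its inputs: the precinct reports must reach the auditor by a path that does not pass through the central tally system.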
I'd like to hear from people who know how things really work whether candidates have timely access to trustworthy precinct data.