Who Is This?

Frank, a forty-something software engineer in Southern California.

October 14, 2003

Civil Rights

How to destroy a democracy.

Here's one way: Subvert or co-opt the mechanism used for voting. Of course, it's much easier if the mechanism is already insecure and if you can actually manufacture it yourself then you're home free.

Do you think I'm joking? If you do (or even if you don't), read the article "All the President's votes?" at the Independent. When you finish, you certainly will not be laughing. At this point, any person who seriously thinks that electronic voting is a good idea is a fool. As a very experienced software engineer, I know well how insecure so-called "operating systems" like Windows 98 are, and although the article claims that Windows 2000 "has numerous safeguards to keep out intruders," it is not really that much more secure than Windows 98, particularly in its default configuration. There is a document that defines security for computer systems, known as the "Orange Book" but officially named the Department of Defense Trusted Computer System Evaluation Criteria. Per that reference, Windows NT (which includes Windows 2000) is rated at C2, "controlled access protection." One would think that a system used for voting should be rated at B1 at least, and preferably at B2.

One attribute of all the ratings defined by the Orange Book, the attribute that allows one to select the rating in the first place, is that of being auditable. One must audit a system, typically using a preestablished set of criteria, to determine whether it is secure. In the case of the systems used in Georgia and elsewhere, the systems provided by all three manufacturers (Diebold, Sequoia and Election Systems and Software) not only are not audited, they are protected under "trade secret" agreements which make it a felony to inspect them. One might suspect that this could be an attempt at "security through obscurity," except for the fact that, first, "security through obscurity" doesn't work, second, that all three of these companies have contributed heavily to the Republican Party and, third, that systems from all three of these companies have been involved in elections with results that were at least questionable.

As further proof of how insecure these devices are: after Diebold posted an emergency bug fix, along with the entire election software package, to a public FTP site,

Roxanne Jekot, a computer programmer with 20 years' experience, and an occasional teacher at Lanier Technical College northeast of Atlanta, did a line-by-line review and found "enough to stand your hair on end".

"There were security holes all over it," she says, "from the most basic display of the ballot on the screen all the way through the operating system." Also embedded in the software were the comments of the programmers working on it. One described what he and his colleagues had just done as "a gross hack". Elsewhere was the remark: "This doesn't really work." "Not a confidence builder, would you say?" Ms Jekot says. "They were operating in panic mode, cobbling together something that would work for the moment, knowing that at some point they would have to go back to figure out how to make it work more permanently." She found some of the code downright suspect - for example, an overtly meaningless instruction to divide the number of write-in votes by 1. Mostly, though, she was struck by the shoddiness of much of the programming. "I really expected to have some difficulty reviewing the source code because it would be at a higher level than I am accustomed to," she says. "In fact, a lot of this stuff looked like the homework my first-year students might have turned in."

I can easily imagine a reason for that divide-by-one instruction: If you know what you're doing, it is possible, even trivial, to modify that apparent "1" to some other number, on the running system. This would divide the number of write-in votes by whatever number the person making the illicit modification wanted.

And that is just the most obvious potential hack. There are lots more.
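To make the divide-by-one point concrete from the auditing side, here is an added illustration (constructed for this post, not Diebold's code or anything from the Independent article): a tally routine whose write-in count is divided by a runtime-modifiable constant, beside an independent recount from the raw ballot records. The ballot data, the candidate indices and the function names are all assumptions; the point is that only the independent recount reveals when the "1" is no longer 1.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not election-software code: models the "divide
 * write-ins by 1" instruction and shows why an independent recount from
 * the raw ballot records is the control that catches a tampered divisor. */

#define NUM_CANDIDATES 3   /* indices 0..2 are named candidates (assumed) */
#define WRITE_IN       3   /* index 3 is the write-in choice (assumed) */

/* A stored ballot record: one choice per ballot. */
struct ballot { int choice; };

/* The suspect constant: a divisor that lives in writable memory. */
int write_in_divisor = 1;

/* The "official" tally routine, including the meaningless divide-by-one. */
void tally(const struct ballot *b, int n, int counts[NUM_CANDIDATES + 1]) {
    memset(counts, 0, sizeof(int) * (NUM_CANDIDATES + 1));
    for (int i = 0; i < n; i++)
        counts[b[i].choice]++;
    counts[WRITE_IN] = counts[WRITE_IN] / write_in_divisor;  /* the "/ 1" */
}

/* Independent audit: recount straight from the ballot records and compare
 * with the reported tally. Returns 1 if every total agrees, 0 otherwise. */
int audit(const struct ballot *b, int n, const int reported[NUM_CANDIDATES + 1]) {
    int recount[NUM_CANDIDATES + 1] = {0};
    for (int i = 0; i < n; i++)
        recount[b[i].choice]++;
    for (int c = 0; c <= NUM_CANDIDATES; c++)
        if (recount[c] != reported[c]) return 0;
    return 1;
}

/* Constructed ballots: 2 for candidate 0, 1 for 1, 1 for 2, 4 write-ins. */
const struct ballot SAMPLE[] = {{0},{3},{1},{3},{0},{3},{2},{3}};
const int SAMPLE_N = sizeof(SAMPLE) / sizeof(SAMPLE[0]);

/* Tallies with the given divisor and reports whether the audit passes. */
int tally_passes_audit(int divisor) {
    int counts[NUM_CANDIDATES + 1];
    write_in_divisor = divisor;
    tally(SAMPLE, SAMPLE_N, counts);
    return audit(SAMPLE, SAMPLE_N, counts);
}

int main(void) {
    printf("divisor 1: audit %s\n", tally_passes_audit(1) ? "passes" : "FAILS");
    printf("divisor 2: audit %s\n", tally_passes_audit(2) ? "passes" : "FAILS");
    return 0;
}
```

The reported tally looks plausible under either divisor; nothing in the tally output itself flags the change, which is exactly why the recount has to come from records the tally code does not control.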

Diebold had no specific comment on Ms Jekot's interpretations, offering only a blanket caution about the complexity of election systems "often not well understood by individuals with little real-world experience".

So some people with "real-world experience" examined their software:

a group of researchers from the Information Security Institute at Johns Hopkins University in Baltimore discovered what they called "stunning flaws". These included putting the password in the source code, a basic security no-no; manipulating the voter smart-card function so one person could cast more than one vote; and other loopholes that could theoretically allow voters' ballot choices to be altered without their knowledge, either on the spot or by remote access.

Diebold's response?

the Johns Hopkins report was riddled with false assumptions, inadequate information and "a multitude of false conclusions".

Of course, others have made similar findings, or even worse. Diebold now claims that they have upgraded their encryption and password handling on their Maryland machines. Of course, we can't verify that claim, due to the trade-secret agreements, and even if it were true, it leaves out all the other states where Diebold equipment is installed.

Politicians aren't software engineers and I don't expect them to understand the ins and outs of system security. I do, however, expect them to believe software engineers who do understand this stuff. Unfortunately, they have, for the most part, been fed a pack of lies by people at companies like Diebold. These companies have an obvious conflict of interest, given that they have political interests in the outcome of elections and they provide the mechanisms by which the government conducts those elections. Further, they have managed to hide the evidence of their malice and dishonesty behind draconian "trade secret" agreements that forbid anyone from auditing their devices.

As long as that is the case, electronic voting in the United States is a fraud. Do not trust it, do not use it and demand that your government remove it or avoid it in the first place.

Update: Billmon has a somewhat different perspective on the same story in "Getting Out the Vote."

Posted by Frank at October 14, 2003 11:06 PM
