1 February 2004
O. writes:
Here is the actual analysis report as submitted to the Maryland legislature, "Trusted Agent Report Diebold AccuVote-TS Voting System", by RABA Technologies:
http://www.raba.com/text/press/TA_Report_AccuVote.pdf (25 pp., 167KB)
New York Times, January 31, 2004
Editorial
Concerned citizens have been warning that new electronic voting technology being rolled out nationwide can be used to steal elections. Now there is proof. When the State of Maryland hired a computer security firm to test its new machines, these paid hackers had little trouble casting multiple votes and taking over the machines' vote-recording mechanisms. The Maryland study shows convincingly that more security is needed for electronic voting, starting with voter-verified paper trails.
When Maryland decided to buy 16,000 AccuVote-TS voting machines, there was considerable opposition. Critics charged that the new touch-screen machines, which do not create a paper record of votes cast, were vulnerable to vote theft. The state commissioned a staged attack on the machines, in which computer-security experts would try to foil the safeguards and interfere with an election.
They were disturbingly successful. It was an "easy matter," they reported, to reprogram the access cards used by voters and vote multiple times. They were able to attach a keyboard to a voting terminal and change its vote count. And by exploiting a software flaw and using a modem, they were able to change votes from a remote location.
Critics of new voting technology are often accused of being alarmist, but this state-sponsored study contains vulnerabilities that seem almost too bad to be true. Maryland's 16,000 machines all have identical locks on two sensitive mechanisms, which can be opened by any one of 32,000 keys. The security team had no trouble making duplicates of the keys at local hardware stores, although that proved unnecessary since one team member picked the lock in "approximately 10 seconds."
Diebold, the machines' manufacturer, rushed to issue a self-congratulatory press release with the headline "Maryland Security Study Validates Diebold Election Systems Equipment for March Primary." The study's authors were shocked to see their findings spun so positively. Their report said that if flaws they identified were fixed, the machines could be used in Maryland's March 2 primary. But in the long run, they said, an extensive overhaul of the machines and at least a limited paper trail are necessary.
The Maryland study confirms concerns about electronic voting that are rapidly accumulating from actual elections. In Boone County, Ind., last fall, in a particularly colorful example of unreliability, an electronic system initially recorded more than 144,000 votes in an election with fewer than 19,000 registered voters, County Clerk Lisa Garofolo said. Given the growing body of evidence, it is clear that electronic voting machines cannot be trusted until more safeguards are in place.
New York Times, January 30, 2004
By JOHN SCHWARTZ
Electronic voting machines from Diebold Inc. have computer security and physical security problems that might allow corrupt insiders or determined outsiders to disrupt or even steal an election, according to a report presented yesterday to Maryland state legislators.
But authors of the report — which described the first official effort to hack Diebold voting systems under election conditions — were careful to say the machines, if not hacked, count votes correctly. And they said the vulnerabilities the exercise found could be addressed in a preliminary way in time for the state's primaries in March.
"I don't want to beat people up," said Michael Wertheimer, a security expert for RABA Technologies in Columbia, Md., who oversaw the exercise. "I want to get an election that people can feel good about."
Further steps could be taken to ensure a safe general election in November, the report concluded. But ultimately, it said, Diebold election software had to be rewritten to meet industry security standards and limited use of paper receipts to verify votes would be needed.
A spokesman for Diebold, which is based in North Canton, Ohio, emphasized the report's positive elements. "There is nothing that has not been, or can't be, mitigated" before the election, David Bear, the spokesman, said.
In a statement, Bob Urosevich, president of the Diebold election-systems unit, said that this report and another by the Science Applications International Corporation "confirm the accuracy and security of Maryland's voting procedures and our voting systems as they exist today."
Maryland has spent more than $55 million for the machines. Georgia has chosen Diebold for elections statewide, and major counties in California and Ohio, among other states, have picked the machines.
The report's authors said they had expected a higher degree of security. "We were genuinely surprised at the basic level of the exploits" that allowed tampering, said Mr. Wertheimer, a former security expert for the National Security Agency.
The report supports the findings of a study released in July, by academic security experts at Johns Hopkins and Rice universities, that found Diebold software lacked the level of security needed to safeguard elections. Diebold stated that the code used by the researchers, which had been taken from a company Internet site and circulated online, was outdated. A subsequent report by Science Applications International found some similar problems.
Aviel D. Rubin, who led the Johns Hopkins effort, said, "If our report was unable to convince Maryland that the Diebold machines were vulnerable, then surely this work will set them straight."
The latest study found that some problems identified in the Hopkins study had not been corrected, and discussed other issues it found equally troubling.
Security experts found that the touch-screen voting machines all used the same key to two locks that protect them from tampering. With handheld computers and a little sleight of hand, they also found, the touch screens could be reprogrammed to make a vote for one candidate count for another, or results could be fouled so that a precinct's vote could not be used.
Communications between the terminals and the larger server computers that tabulate results from many precincts do not require that machines on either end of the line prove they are legitimate, which could let someone grab information that could be used to falsify whole precincts' worth of votes.
The group also found that the server computers did not have the latest protection against the security holes in the Microsoft operating systems, and were vulnerable to hacker attacks that would allow an outsider to change software.
[This is a longer version of the report above.]
New York Times, January 29, 2004
By JOHN SCHWARTZ
Electronic voting machines made by Diebold Inc. that are widely used in several states have such poor computer security and physical security that an election could be disrupted or even stolen by corrupt insiders or determined outsiders, according to a new report presented today to Maryland state legislators.
Authors of the report — the first hands-on attempt to hack Diebold voting machine systems under conditions found during an election — were careful to say that the machines, if not hacked, count votes correctly, and that issues discovered in the "red team" exercise could be addressed in a preliminary way in time for the state's primaries in March.
"I don't want to beat people up," said Michael Wertheimer, the security expert who ran the attack team for RABA Technologies, a consulting firm in Columbia, Md. "I want to get an election that people can feel good about in March."
Further steps could be taken to ensure a safe general election in November, the report concludes. But ultimately, the report says, Diebold election software has to be rewritten to meet industry security standards and called for limited use of paper receipts to help verify voting.
A representative of Diebold said the issues raised by the new report had already been addressed by the company. "There is nothing that has not been or can't be mitigated" before the election, said David Bear, a spokesman for the company.
In a statement released today, Bob Urosevich, president of Diebold Election Systems, said this report and another by the Science Applications International Corporation "confirm the accuracy and security of Maryland's voting procedures and our voting systems as they exist today."
Mr. Urosevich added: "With that said, in our continued spirit of innovation and industry leadership, there will always be room for improvement and refinement. This is especially true in assuring the utmost security in elections."
Maryland has bought more than $55 million worth of the machines. Georgia has chosen Diebold machines for elections statewide, and they have been chosen by populous counties in California and Ohio, among other states.
The authors of the report said that they had expected a higher degree of security in the design of the machines. "We were genuinely surprised at the basic level of the exploits" that allowed tampering, said Mr. Wertheimer, a former security expert for the National Security Agency.
William A. Arbaugh, an assistant professor of computer science at the University of Maryland and a member of the Red Team exercise, said, "I can say with confidence that nobody looked at the system with an eye to security who understands security."
The new report vindicates a controversial report that found Diebold software lacked the level of security necessary to safeguard the election process or even to meet the standard practices of the computing industry, and it underscores the results of two subsequent studies. Last July, an analysis of voting machine software by academic security experts at Johns Hopkins and Rice Universities found serious security problems. At the time, Diebold stated that the code used by the researchers, which had been taken from a company Internet site and circulated online, was outdated.
In response, Maryland hired the Science Applications International Corporation to review the Johns Hopkins report and to do a quick risk analysis. The company confirmed that many of the security vulnerabilities discovered in the earlier study did constitute serious problems, but said they could be corrected. An unrelated report for Ohio that was released December found serious security flaws in voting systems produced by all four major makers of electronic voting machines and offered suggestions for reducing risk.
In December, Diebold announced in response to the Ohio report that the problems discovered in Ohio had been "successfully resolved" thanks to its efforts to address issues raised in Maryland reports. The company also said it had created a new "executive-level position dedicated to meeting compliance and certification requirements" to address the issues going forward.
The latest study found that some issues discovered last July in the Johns Hopkins study had not, in fact, been corrected, and that other issues that had not been discovered in other studies were equally troubling. The report can be found at www.raba.com.
In the security exercise, members of the attack team said they were surprised to find that the touch-screen machines used by voters all used the same physical key to the two locks that protect their innards from tampering. With hand-held computers and a little sleight of hand, they found, the touch screens could be reprogrammed to make a vote for one candidate count for an opponent, or results could be fouled so that a precinct's tally could not be used.
In addition, they said, communications between the terminals and the larger server computers that tally results from many precincts do not require that machines on either end of the line prove that they are legitimate, an omission that could allow someone to grab information that could be used to falsify whole precincts worth of votes.
And the server computers do not have the latest protection against the security holes in the Microsoft operating systems, and they are vulnerable to hacker attacks that would allow an outsider to change software, the group found.
The authors of the report also said smart cards that are shipped with the system for voters and supervisors to use during elections have standard passwords that are easily guessed. That problem was cited in the original Johns Hopkins report, and it could allow anyone with a hand-held card reader and small computer to get the access of an election official. The company said that it has provided the capability for election officials change those passwords and increase security, though it still ships the products with the easily broken password.
Mr. Wertheimer said the application of security was inconsistent, with encryption applied in some places without the accompanying technology of authentication to ensure that the machines that are communicating with each other are the ones that are supposed to be communicating and that an interloper has not jumped in. "It's like washing your face and drying it with a dirty towel," he said.
Though individual members of the attack team said that they found the original Johns Hopkins study, which called for the state to abandon the machines, to be alarmist in tone and written in the kind of sound-bite language to grab the attention of the news media, Mr. Arbaugh said this team's results "vindicate" the work of the leader of that effort, Aviel D. Rubin, who goes by Avi, and showed that Diebold did not do enough after the report to fix the problems that he identified.
"Avi told them the door was wide open and unlocked," Mr. Arbaugh said. "They closed the door, but they didn't lock it," he said.
Mr. Rubin said he had not yet seen the study, but had been informed of its results. "If our report was unable to convince Maryland that the Diebold machines were vulnerable, then surely this work will set them straight," he said.
There is much more to be done, Mr. Arbaugh said. Working on the exercise for just a week to prepare for the one-day attack, he said, "we got the tip of the iceberg."
He added, "It seemed everywhere we scratched, there was something that's pretty troubling."
The panel recommended that election officials take several steps to improve security, including placing tamper-proof tape on vulnerable parts of voting machines and installing software that will alert officials to any changes to the machine.
If those steps are taken, Mr. Arbaugh said, "the assurance of this election will be comparable to that of past elections."
"The problem is, people who know elections know there's a lot of play in them already," he said. "We can do better, and we should. It's just going to be a long process."
Linda H. Lamone, the administrator of the Maryland State Board of elections, said that the group had produced "a very good report," and that the state would take its recommendations seriously.
Still, she noted that tampering with voting equipment is a felony. "I'm not sure how many people would be willing to get a felony conviction and risk going to jail over an election," she said. Citing the problem of easily opened locks on the machines, she said an attempt to unlock a machine "would be very unlikely to succeed, because it would have to occur in a public place."
New York Times, January 23, 2004
EDITORIAL DESK
By PAUL KRUGMAN
The disputed election of 2000 left a lasting scar on the nation's psyche. A recent Zogby poll found that even in red states, which voted for George W. Bush, 32 percent of the public believes that the election was stolen. In blue states, the fraction is 44 percent.
Now imagine this: in November the candidate trailing in the polls wins an upset victory -- but all of the districts where he does much better than expected use touch-screen voting machines. Meanwhile, leaked internal e-mail from the companies that make these machines suggests widespread error, and possibly fraud. What would this do to the nation?
Unfortunately, this story is completely plausible. (In fact, you can tell a similar story about some of the results in the 2002 midterm elections, especially in Georgia.) Fortune magazine rightly declared paperless voting the worst technology of 2003, but it's not just a bad technology -- it's a threat to the republic.
First of all, the technology has simply failed in several recent elections. In a special election in Broward County, Fla., 134 voters were disenfranchised because the electronic voting machines showed no votes, and there was no way to determine those voters' intent. (The election was decided by only 12 votes.) In Fairfax County, Va., electronic machines crashed repeatedly and balked at registering votes. In the 2002 primary, machines in several Florida districts reported no votes for governor.
And how many failures weren't caught? Internal e-mail from Diebold, the most prominent maker of electronic voting machines (though not those in the Florida and Virginia debacles), reveals that programmers were frantic over the system's unreliability. One reads, ''I have been waiting for someone to give me an explanation as to why Precinct 216 gave Al Gore a minus 16022 when it was uploaded.'' Another reads, ''For a demonstration I suggest you fake it.''
Computer experts say that software at Diebold and other manufacturers is full of security flaws, which would easily allow an insider to rig an election. But the people at voting machine companies wouldn't do that, would they? Let's ask Jeffrey Dean, a programmer who was senior vice president of a voting machine company, Global Election Systems, before Diebold acquired it in 2002. Bev Harris, author of ''Black Box Voting'' (www.blackboxvoting.com), told The A.P. that Mr. Dean, before taking that job, spent time in a Washington correctional facility for stealing money and tampering with computer files.
Questionable programmers aside, even a cursory look at the behavior of the major voting machine companies reveals systematic flouting of the rules intended to ensure voting security. Software was modified without government oversight; machine components were replaced without being rechecked. And here's the crucial point: even if there are strong reasons to suspect that electronic machines miscounted votes, nothing can be done about it. There is no paper trail; there is nothing to recount.
So what should be done? Representative Rush Holt has introduced a bill calling for each machine to produce a paper record that the voter verifies. The paper record would then be secured for any future audit. The bill requires that such verified voting be ready in time for the 2004 election -- and that districts that can't meet the deadline use paper ballots instead. And it also requires surprise audits in each state.
I can't see any possible objection to this bill. Ignore the inevitable charges of ''conspiracy theory.'' (Although some conspiracies are real: as yesterday's Boston Globe reports, ''Republican staff members of the U.S. Senate Judiciary Committee infiltrated opposition computer files for a year, monitoring secret strategy memos and periodically passing on copies to the media.'') To support verified voting, you don't personally have to believe that voting machine manufacturers have tampered or will tamper with elections. How can anyone object to measures that will place the vote above suspicion?
What about the expense? Let's put it this way: we're spending at least $150 billion to promote democracy in Iraq. That's about $1,500 for each vote cast in the 2000 election. How can we balk at spending a small fraction of that sum to secure the credibility of democracy at home?