Wednesday, December 21, 2005

The Illusion of Democracy 

Bad news first: a North Carolina judge has cleared the way for the State Board of Elections to purchase Diebold voting machines, rejecting a challenge from the EFF:
The Electronic Frontier Foundation contended that the board and its experts who picked the vendors didn't examine some software that belongs to third parties such as Microsoft Corp. . . .

That's not good enough, said Matthew Zimmerman, a foundation attorney who filed a complaint on behalf of Winston-Salem voting reform activist Joyce McCloy. The law requires vendors to provide all software, third-party or not, Zimmerman told Rand in Wake County court . . . .

McCloy and others contend that the state hasn't worked to ensure another voting machine mistake doesn't occur like the one last year in Carteret County, when more than 4,400 electronic ballots were lost.
Good news second: in California, the Secretary of State has ordered independent testing for all Diebold machines (including, presumably, the optical-scan ballot-counters that were recently hacked in Florida):
Diebold Election Systems relies on its own, nonstandard software language, known as AccuBasic, to program local election details into virtually all of its voting machines, using memory cards or PC cards. Voting-system experts say the practice appears to violate federal voting system standards, and independent computer experts have been using Diebold's own code to hack vote totals on its machines.

Tuesday, California Secretary of State Bruce McPherson cited "unresolved significant security concerns" in ordering Diebold to submit the software on its memory cards and PC cards to a designated testing lab for review.
The mention of memory-card software is significant because, as Techdirt explains,
First, the memory card used in the machine doesn't encrypt the vote counts at all -- making it much easier for someone to access them and change them using an ordinary card reader. Second, and more importantly, the logic to check whether or not the card is zeroed out at the beginning of an election is on the card itself, rather than on the machine. In other words, all anyone has to do is hack the card to tell the machine that the initial results are zeroed out -- even if they're not. As for states where they inspect the code being used, they're inspecting the code on the machines, but not on the card.
States such as . . . North Carolina, perhaps?

Scary news third: Even if state election boards wise up and heave all their Diebold equipment into the dumpster, there's no reason to believe that machines from other vendors will be any more secure:
Election officials in Florida's Leon County, where the test occurred, promptly announced plans to drop Diebold machines in favor of optical-scan machines made by Election Systems & Software, or ES&S. But Hugh Thompson, an adjunct computer science professor at the Florida Institute of Technology who helped devise last week's test, believes other systems could also be vulnerable.

"Looking at these systems doesn't send off signals that ... if we just get rid of Diebold and go to another vendor we'll be safe," Thompson said. "We know the Diebold machines are vulnerable. As for ES&S, we don't know that they're bad but we don't know that they're (good) either" . . . .

Thompson said in a real race between candidates someone could pre-load 50 votes for Candidate A and minus 50 votes for Candidate B, for example. Candidate B would need to receive 100 votes before equaling Candidate A's level at the start of the race. The total number of votes on the machine would equal the number of voters, so election officials wouldn't become suspicious.

"It's self-destroying evidence," he said. "Once ... the machine gets past zero and starts counting forward for Candidate B, there's no record that at one point there were negative votes for Candidate B."

Thompson said a second vulnerability in the cards makes it easy to program the voting machine so that it thinks the card is blank at the start of the race. This is important because before voting begins on Election Day, poll workers print a report of vote totals from each machine to show voters that the machines contain no votes . . . .

David Jefferson, a computer scientist at Lawrence Livermore National Laboratory and chair of California's Voting Systems Technical Assessment and Advisory Board, said that programming software on a removable memory card raises grave concerns.

"The instant anyone with security sensibility hears this, red flags and clanging alarms happen," Jefferson said. "Because this software that is inserted from the memory module is not part of the code base that goes through the qualification process, so it's code that escapes federal scrutiny."
Infuriating news fourth: Wondering about Diebold's response to the Florida hacking debacle? It was so crass, so flip, so full of pusillanimous mendacity that we thought the company rep who said it should be working for George W. Bush. Then we remembered --oh yeah, he already is:
[T]he test was not about Diebold's electronic touchscreen systems -- which have been the focus of most of the controversy over the past few years. Instead, the hack was of a Diebold scanner -- which is used on the more traditional paper ballots. A Diebold representative used this fact to joke about the hack: "Now we're not trusting paper. Somebody could also steal the pencil and then you couldn't mark the ballot."

Of course, if you have even the slightest respect for the integrity of our voting system, the results of the test and Diebold's response should scare you silly. It raises serious questions about why we would ever trust any Diebold machine without also hand counting a paper trail.
Oh -- have we mentioned H.R. 550 lately?

| | Technorati Links | to Del.icio.us