More on the Risks of Computerized Voting Fraud

Last night on the Daily Show, they had a story about a hacker who was able to change results on a computerized voting system. It only took him 5 minutes to break into the system. Here is more on the topic:

Excerpt from:
http://slate.msn.com/id/2086455

"A report released last week by the Information Security Institute at Johns Hopkins University says the touch-screen machines are Swiss cheese—full of holes—for hackers. "Common voters, without any insider privileges, can cast unlimited votes without being detected," the report claims. It's based on an analysis of the software source code for voting machines made by Diebold Election Systems, a division of a company that makes automated teller machines. Someone at Diebold accidentally placed the code on a publicly accessible Internet server in January, resulting in its dissemination around the Net.

...That's probably why report sounds like it's lunging for the emergency brake. "Our analysis shows that this voting system is far below even the most minimal security standards," it thunders on page one. The report claims the code is riddled with "unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats" ... before spelling out a scenario in which a middling hacker steals the vote by stamping out fake voter smartcards using a $100 desktop printer."

Excerpt from:
http://www.blackboxvoting.com/

In January 2003, voting activist Bev Harris was .. searching the Internet for an electronic voting machine manual, when she made a startling discovery.

Clicking on a link for a file transfer protocol site belonging to voting machine maker Diebold Election Systems, Harris found about 40,000 unprotected computer files. They included source code for Diebold's AccuVote touch-screen voting machine, program files for its Global Election Management System tabulation software, a Texas voter-registration list with voters' names and addresses, and what appeared to be live vote data from 57 precincts in a 2002 California primary election.

"There was a lot of stuff that shouldn't have been there," Harris said.

The California file was time-stamped 3:31 p.m. on Election Day, indicating that Diebold might have obtained the data during voting. But polling precincts aren't supposed to release votes until after polls close at 8 p.m. So Harris began to wonder if it were possible for the company to extract votes during an election and change them without anyone knowing.

A look at the Diebold tabulation program provided a possible answer. Harris discovered that she could enter the vote database using Microsoft Access -- a standard program often bundled with Microsoft Office -- and change votes without leaving a trace. Diebold hadn't password-protected the file or secured the audit log, so anyone with access to the tabulation program during an election -- Diebold employees, election staff or even hackers if the county server were connected to a phone line -- could change votes and alter the log to erase the evidence.
"It was getting scarier and scarier," Harris said. "I was thinking we have an immense problem here that's much bigger than me."

Other articles:
http://www.wired.com/news/privacy/0,1848,59925,00.html

http://www.cnn.com/2003/ALLPOLITICS/10/30/elec04.election.worries/