Saturday, December 15, 2007

Machine Error

The New York Times reports this evening on the vulnerablity of electronic voting machines.
All five voting systems used in Ohio, a state whose electoral votes narrowly swung two elections toward President Bush, have critical flaws that could undermine the integrity of the 2008 general election, a report commissioned by the state’s top elections official has found.

“It was worse than I anticipated,” the official, Secretary of State Jennifer Brunner, said of the report. “I had hoped that perhaps one system would test superior to the others.”

At polling stations, teams working on the study were able to pick locks to access memory cards and use hand-held devices to plug false vote counts into machines. At boards of election, they were able to introduce malignant software into servers.
[...]


The study released Friday found that voting machines and central servers made by Elections Systems and Software; Premier Election Solutions, formerly Diebold; and Hart InterCivic; were easily corrupted.
Why did I bold Election Systems and Software? Well, they happen to make the iVotronic touchscreen machines we use here in Centre County I give you their response to the report.
Ken Fields, a spokesman for Election Systems and Software, said his company strongly disagreed with some of the report’s findings. “We can also tell you that our 35 years in the field of elections has demonstrated that Election Systems and Software voting technology is accurate, reliable and secure,” he said.
I wonder which parts he disagreed with? Here's more about the study.
The $1.9 million federally financed study assembled corporate and academic teams to conduct parallel assessments. A bipartisan group of 12 election board directors and deputy directors acted as advisers.

The academic team, made up of faculty members and students from Cleveland State University, Pennsylvania State, the University of California, Santa Barbara, and the University of Pennsylvania, said systemic change was needed. “All of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election,” the team wrote.
Maybe we could get those Penn State faculty to sit down with our county commissioners and explain their findings.

In the mean time here's more on what the report found out with respect ot ES&S.
I[,Matt Blaze,] led the University of Pennsylvania-based team, which examined the ES&S source code. This was particularly interesting, because, unlike Hart and Premier, the ES&S source code hadn't previously been studied by the academic security community, although ES&S products are used by voters in 43 US states and elsewhere around the world. The study represented a rather unique opportunity to contribute to our understanding of e-voting security in practice, both inside and outside Ohio.

My group -- Adam Aviv, Pavol Cerny, Sandy Clark, Eric Cronin, Gaurav Shah, and Micah Sherr -- worked full-time with the source code and sample voting machines in a secure room on the Penn campus, trying to find ways to defeat security mechanisms under various kinds of real-world conditions. (Our confidentiality agreement prevented us from saying anything about the project until today, which is why we may have seemed especially unsociable for the last few months.)

As our report describes, we largely succeeded at finding exploitable vulnerabilities that could affect the integrity of elections that use this equipment.

The report is long and detailed, and speaks for itself far better than I can here. A brief statement from Patrick McDaniel and me can be found (PDF format) here. Our full 334 page report can be downloaded (11MB, PDF format) from the Ohio Secretary of State's web site at http://www.sos.state.oh.us/sos/info/EVEREST/14-AcademicFinalEVERESTReport.pdf .
And if the nuts-and-bolts, or should that be motherboards-and-codes, interest you, here are the parts of the report that pertain to the ES&S machines.

Let's take care of this problem in Centre County before the next election so that we may all have confidence in the integrity of the electoral process.






Technorati Tags: , , , ,

Powered by ScribeFire.

No comments: