Security flaws in Diebold Software, and sudden Republican election winners
"A quiet revolution is taking place in US politics. By the time it's over, the integrity of elections will be in the unchallenged, unscrutinised control of a few large — and pro-Republican — corporations."
Something very odd happened in the mid-term elections in Georgia last November. On the eve of the vote, opinion polls showed Roy Barnes, the incumbent Democratic governor, leading by between nine and 11 points. In a somewhat closer, keenly watched Senate race, polls indicated that Max Cleland, the popular Democrat up for re-election, was ahead by two to five points against his Republican challenger, Saxby Chambliss.
Those figures were more or less what political experts would have expected in a state with a long tradition of electing Democrats to statewide office. But then the results came in, and all of Georgia appeared to have been turned upside down. Barnes lost the governorship to the Republican, Sonny Perdue, 46 per cent to 51 per cent, a swing of as much as 16 percentage points from the last opinion polls. Cleland lost to Chambliss 46 per cent to 53, a last-minute swing of 9 to 12 points.
Shortly after the election, a Diebold technician called Rob Behler came forward and reported that, when the machines were about to be shipped to Georgia polling stations in the summer of 2002, they performed so erratically that their software had to be amended with a last-minute "patch". Instead of being transmitted via disk — a potentially time-consuming process, especially since its author was in Canada, not Georgia — the patch was posted, along with the entire election software package, on an open-access FTP (file transfer protocol) site on the internet.
That, according to computer experts, was a violation of the most basic of security precautions, opening all sorts of possibilities for the introduction of rogue or malicious code. At the same time, however, it gave campaigners a golden opportunity to circumvent Diebold's own secrecy demands and see exactly how the system worked. Roxanne Jekot, a computer programmer with 20 years' experience, and an occasional teacher at Lanier Technical College northeast of Atlanta, did a line-by-line review and found "enough to stand your hair on end".
"There were security holes all over it," she says, "from the most basic display of the ballot on the screen all the way through the operating system." Although the programme was designed to be run on the Windows 2000 NT operating system, which has numerous safeguards to keep out intruders, Ms Jekot found it worked just fine on the much less secure Windows 98; the 2000 NT security features were, as she put it, "nullified".
Also embedded in the software were the comments of the programmers working on it. One described what he and his colleagues had just done as "a gross hack". Elsewhere was the remark: "This doesn't really work." "Not a confidence builder, would you say?" Ms Jekot says. "They were operating in panic mode, cobbling together something that would work for the moment, knowing that at some point they would have to go back to figure out how to make it work more permanently." She found some of the code downright suspect — for example, an overtly meaningless instruction to divide the number of write-in votes by 1. "From a logical standpoint there is absolutely no reason to do that," she says. "It raises an immediate red flag."
Mostly, though, she was struck by the shoddiness of much of the programming. "I really expected to have some difficulty reviewing the source code because it would be at a higher level than I am accustomed to," she says. "In fact, a lot of this stuff looked like the homework my first-year students might have turned in." Diebold had no specific comment on Ms Jekot's interpretations, offering only a blanket caution about the complexity of election systems "often not well understood by individuals with little real-world experience".
But Ms Jekot was not the only one to examine the Diebold software and find it lacking. In July, a group of researchers from the Information Security Institute at Johns Hopkins University in Baltimore discovered what they called "stunning flaws". These included putting the password in the source code, a basic security no-no; manipulating the voter smart-card function so one person could cast more than one vote; and other loopholes that could theoretically allow voters' ballot choices to be altered without their knowledge, either on the spot or by remote access.
The full article is found here