Power User: Are we gambling on democracy?

John McCormick

Participants in the SummerCon 2004 hacker conference last month in Pittsburgh heard an electronic-voting panel discuss the past year's e-voting failures, such as not encrypting vote data and not sealing the machines to prevent tampering.

As a panelist, I pointed out that the state officials who accepted their share of $3.9 billion from the 2002 Help America Vote Act have a vested interest in the e-voting machines they chose. Nor can they back out if they've already discarded their old equipment.

California's March 2 primary election was disrupted when e-voting machines wouldn't boot. The secretary of state decertified all touch-screen machines, and a judge upheld the decision, which will probably be appealed.

Meanwhile, Johns Hopkins University computer scientist Aviel Rubin's analysis of Diebold Inc. AccuVote-TS systems brought on an e-voting controversy in Maryland. See www.blackboxvoting.org.

A risk assessment prepared for the Maryland Budget and Management Department confirmed many of Rubin's findings about the e-voting source code. It found that the procedural controls did not meet the state's security standards.

Some panelists said they were uneasy that Republican fundraiser Walden O'Dell, CEO of Diebold Inc. of North Canton, Ohio, promised last year to deliver Ohio for the president's re-election. Newsweek magazine last month said Diebold has now banned political activity by executives, but that Ohio has reconsidered use of e-voting machines anyhow.

In another controversy, Florida officials in 11 counties certified e-voting machines with software bugs that could make it impossible to recount manually.

On the SummerCon e-voting panel with me was a Pittsburgh poll supervisor who oversees what he called an 'old codger' process where simple counting mistakes by retiree poll workers are common. He supported e-voting as a change for the better.

Clearly, it doesn't take a hacker genius to foul up elections. Defective hardware or software is enough to make results questionable in crucial precincts. A security expert on the panel said electronic poker and slot machines are much more secure than the current e-voting machines.
As a Pennsylvania resident, I'm glad I can trust a local one-armed bandit, even if I can't trust e-voting systems.

Also at SummerCon, FBI special agent Tom Grasso talked about his realization last year that e-mail spam seriously threatens agencies as well as citizens. Spam clogs servers and is the vehicle for the most popular con games preying on the elderly, the innocent and the naive.

Good advice

It was refreshing to see the FBI take official notice of this threat at last. For years I've advised GCN readers to use spam bucket e-mail addresses, shun HTML e-mails, never open downloads from strangers and never use Microsoft Outlook.

Grasso is FBI liaison to the CERT Coordination Center and a founder of the National Cyber-Forensics and Training Alliance, at www.ncfta.net. He said the alliance last year hosted a meeting of security firms and arranged to collect information about spam-originating servers.

NCFTA learned that most spam comes by way of hijacked systems, either network servers or home computers with always-on connections. The group says a substantial number of the hijacked computers and networks are owned by federal agencies, especially by the military.

That's a bit like learning the local fire chief is an arsonist, which actually happened in a town near me.

No one believes government workers are actually sending out the spam themselves; the servers are just so poorly protected that they're easy to hijack.

I suspect that is not the fault of network administrators but rather of lack of resources and failure by management to enforce good security practices.

John McCormick is a free-lance writer and computer consultant. E-mail him at powerusr@yahoo.com.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above