Something's rotten in the state of Denmark

Wednesday, November 17, 2004

How to hack the vote

Chuck Herrin, a self-identified Republican and Professional IT Auditor, quickly points out on his website, Hack the Vote, that the electronic voting systems are not worthy of our trust. Hit that link, and start reading about how easy it is to manipulate a Diebold system.

Once you're done with that, the FAQ is a must-read.

Q: How'd you get involved with this? Aren't you a Republican?

A: I get asked this a lot, and it really shows how focused our country is on partisan politics.  I am a voter, first and foremost.  That being said, yes, I am a Republican and have been since being sent to Republican Indoctrination Camp at age 2. That's where we are taught supply-side economics and the values of mutually assured destruction. :-)

I got involved with this because I have been against the adoption of these voting systems for years. It's a dumb-ass idea to implement them this way - our votes are too important. I wouldn't trust my Bank with computer systems this insecure; Hell, I wouldn't keep recipes on a system this insecure. When I saw all of the documentation regarding Diebold and their heavy partisan leanings, and then when the results came flooding in with a clear Bush victory when I seriously expected Kerry to win, I put two and two together. I am, by trade, a professional White-Hat Hacker, so I know how easily "secure" systems can be breached, especially by insiders. Roughly 80% of all computer crimes are perpetrated by insiders, so that's always the best place to look first.


Are you shivering yet? How about now:
I personally don't have conclusive evidence that voter fraud was perpetrated, but I can tell you as an Information Security professional that it would have been very, very easy to do. If I had to choose between someone conspiring with exit poll workers nationwide or someone changing values in an Access Database as the cause of the difference between the poll numbers and the "actual" results, I'll go with the easier, more effective option every time. Why choose the hard way when it's more trouble and you're less likely to succeed? Again, I'm staying clear of making specific allegations - I'll leave that to the activists who are gathering data - but I would be much more surprised if the election weren't hacked than to find out that it was.

Okay, pour yourself some coffee. Now read this explanation of why the individual touchscreen machines probably weren't the number one target, if there was one.
With all of the hype about the touch screen terminals, you'd think they'd be a likely target.  When you look through Hacker eyes, though, that's the best reason to avoid them.  Here's what I think:

I feel that it is unlikely that these individual touch screen machines would be targeted. At greater risk than the individual touch screens are the Central Voting Tabulation computers, which compile the results from many other systems, such as touch screens and optically scanned cards. From a hacker’s standpoint, there are a couple of reasons why these central computers are better targets:

a. It is extremely labor intensive to compromise a large number of systems, and the chance of failure or being detected increases every time an attack is attempted. Also, the controversy surrounding the touch screen terminals ensures that their results will be closely watched, and this theory has been borne out in recent days.
 
b. If one were to compromise the individual terminals, they would only be able to influence a few hundred to maybe a couple of thousand votes. These factors create a very poor risk/reward ratio, which is a key factor in determining which systems it makes sense to attack.
 
c. On the other hand, the Central Vote Tabulation systems are a very inviting target – by simply compromising one Windows desktop, you could potentially influence tens or hundreds of thousands of votes, with only one attack to execute and only one attack to erase your tracks after. This makes for an extremely attractive target, particularly when one realizes that by compromising these machines you can affect the votes that people cast not only by the new touch screen systems, but also voters using traditional methods, such as optical scanning systems, since the tallies from all of these systems are brought together for Centralized Tabulation. This further helps an attacker stay under the radar and avoid detection, since scrutiny will not be as focused on the older systems, even though the vote data is still very much at risk since it is all brought together at a few critical points.


There is much, much more. While some of it starts to border on the Parallax View level of conspiracies, it's also important, in the face of dismissals of "Internet rumors," that we focus on the fact that these systems are so insecure, and that, regardless of whether or not any hacking did occur, the fact that it would be this possible -- this easy -- for a system to have been hacked has to be corrected for all future elections. For democracy's sake.

Thousands of websites and computer systems of banks and software companies get hacked into all the time. Why wouldn't hackers attempt the same thing with an election?