[ISN] Who Hacked the Voting System? The Teacher

From: InfoSec News (isn@private)
Date: Tue May 04 2004 - 04:20:45 PDT


    http://www.nytimes.com/2004/05/03/technology/03vote.html
    
    By JOHN SCHWARTZ
    Published: May 3, 2004
    
    BALTIMORE, April 29 - The fix was in, and it was devilishly hard to
    detect. Software within electronic voting machines had been corrupted
    with malicious code squirreled away in images on the touch screen.  
    When activated with a specific series of voting choices, the rogue
    program would tip the results of a precinct toward a certain
    candidate. Then the program would disappear without a trace.
    
    Luckily, the setting was not an election but a classroom exercise; the
    conspirators were students of Aviel D. Rubin, a professor at Johns
    Hopkins University. It might seem unusual to teach computer security
    through hacking, but a lot of what Professor Rubin does is unusual. He
    has become the face of a growing revolt against high-technology voting
    systems. His critiques have earned him a measure of fame, the enmity
    of the companies and their supporters among election officials, and
    laurels: in April, the Electronic Frontier Foundation gave him its
    Pioneer Award, one of the highest honors among the geekerati.
    
    The push has had an effect on a maker of electronic voting machines,
    Diebold Inc., as well. California has banned the use of more than
    14,000 electronic voting machines made by Diebold in the November
    election because of security and reliability concerns. Also, the
    company has warned that sales of election systems this year are
    slowing.
    
    In April, the company said its first-quarter earnings rose 13 percent
    compared with the same quarter a year earlier. It also reported $29.2
    million in revenue on nearly $500 million in sales in the latest
    period. But it lowered expectations for election systems sales for
    this year to a range of $80 million to $95 million from $100 million
    in sales a year earlier.
    
    Professor Rubin took center stage in the national voting scene last
    July, when he published the first in-depth security analysis of
    Diebold's touch-screen voting software. The software had been pulled
    off an unprotected Diebold Internet site by Bev Harris, a
    publicist-turned-muckraker who posted the software and other documents
    she found as part of her campaign against what she calls "black box
    voting."
    
    Professor Rubin and his colleagues at Hopkins and Rice University in
    Houston subjected the 49,000 lines of code to a deep review over a
    two-week period. Their report painted a grim picture: "Our analysis
    shows that this voting system is far below even the most minimal
    security standards applicable in other contexts," they wrote. "We
    conclude that, as a society, we must carefully consider the risks
    inherent in electronic voting, as it places our very democracy at
    risk."
    
    That shot across the bow was met with outrage from the industry and
    from election officials who had spent tens of millions of dollars on
    Diebold machines. Mr. Rubin was denounced as irresponsible and
    uninformed.
    
    "I think when he's talking about computers, he's very good and knows
    what he's doing," said Britain J. Williams, a professor emeritus of
    computer science at Kennesaw State University in Georgia, and a
    consultant on voting systems. "When he's talking about elections, he
    doesn't know what he's talking about."
    
    Typically, Professor Rubin decided to confront the issue of whether he
    had experience with elections by taking part in one. During the March
    presidential primary, he signed up to become an election judge and
    found himself sitting all day at a precinct in a church at
    Lutherville, Md., helping voters use the same Diebold touch-screen
    machines that he had criticized so roundly. He then went home and
    wrote a full account and posted it to the Internet.
    
    Over the day, he wrote, "I started realizing that some of the attacks
    described in our initial paper were actually quite unrealistic, at
    least in a precinct with judges who worked as hard as ours did and who
    were as vigilant. At the same time, I found that I had underestimated
    some of the threats before."
    
    Ultimately, he said, "I continue to believe that the Diebold voting
    machines represent a huge threat to our democracy."
    
    When asked to comment on Professor Rubin's work, the company issued a
    statement that did not mention him by name. "Our collective goal
    should always be to provide voters with the assurance that their vote
    is important, voting systems are accurate and their individual vote
    counts," the company said.
    
    While the debate has largely been constructive, Diebold said: "A key
    consideration in this dialogue, though, should be that the debate be
    positive and productive. We must not frighten voters or inadvertently
    provide any type of disincentive to voting, because at that point the
    dialogue itself begins to disenfranchise voters - the very thing this
    beneficial discussion is trying to prevent."
    
    Professor Rubin is not the first person to take on the risks of
    high-tech voting.
    
    Since Professor Rubin's paper came out last year, other reports have
    broadened and deepened his conclusions.
    
    But Professor Rubin is in a class by himself, said David Jefferson, a
    computer scientist at Lawrence Livermore National Laboratory in
    California, who calls him "the most important figure in the United
    States in articulating the security problems with electronic and
    Internet voting."
    
    The only damage Professor Rubin has sustained along the way is largely
    self-inflicted. Last August, he resigned from an unpaid technical
    advisory position for a voting company, VoteHere Inc., and turned in
    stock options that he had received but never redeemed.
    
    Professor Rubin, 36, a child of two college professors, seems too
    soft-spoken to be a firebrand. But his quiet exterior conceals a
    deeply competitive streak: he has played soccer as a blood sport for
    most of his life, breaking both wrists and ankles repeatedly over the
    years. He still plays twice a week, he says, but now it is "a more
    social game, without slide tackles."
    
    Born in Kansas, he grew up in Birmingham, Ala., Haifa, Israel, and
    Nashville, and got his computer science training at the University of
    Michigan, where he earned bachelor's, master's and Ph.D. degrees by
    1994. In late 2002, he became the technical director of the
    Information Security Institute here at Hopkins.
    
    Because of his passionate advocacy for his views, many people expect
    Professor Rubin to be something of a "smart aleck" in person, said
    Gerald Masson, the head of the institute. Instead, he said, "He comes
    across as someone who sincerely believes that what he's doing is
    right, and he has the technological depth to support it."
    
    
    