[ISN] Can You Hack the Vote?

From: InfoSec News (isn@private)
Date: Fri Aug 06 2004 - 05:17:29 PDT


http://www.pcworld.com/news/article/0,aid,117261,00.asp

Tom Spring
PC World
August 05, 2004

Electronic voting systems have drawn fire from courts, lawmakers, and
citizens groups--and now they're under attack by hackers.

It's an organized assault, too. E-voting technology expert Rebecca
Mercuri, a Harvard research fellow who has been outspoken in her
opposition to such systems, has issued a "Hack the Vote" challenge,
trying to illustrate what she calls their unreliability and
vulnerability.

She unveiled the so-called Mercuri Challenge at the recent Black Hat
Briefings and Defcon 12 security conferences.


Preelection Action Urged

Mercuri suggests electronic voting machines be hacked during their
preelection testing, so officials will abandon them before an actual
election.

"People in the election community say this technology is bulletproof,"  
Mercuri says. "It's not." She especially opposes use of electronic
voting technology in its current state, which does not allow for a
verifiable backup.

"I'm not asking anyone to break any laws, we just want the opportunity
to hack e-voting systems to prove that it can or cannot be done," she
says.

Mercuri says the likeliest e-voting fraud would involve unauthorized
remote access to voting machines, when a hacker manipulates results;  
or backdoor access to voting systems by workers with approved access
but their own agenda. She described her concerns at a Defcon keynote
address, "Hack the Vote."

As part of her challenge, Mercuri is calling on e-voting system
vendors VoteHere and Advanced Voting Solutions to supply any
challengers "full specifications" of their voting system for review.  
The first person to undetectably change vote tallies can claim $10,000
from a separate challenge.


Who's Got the Cash?

That $10,000 is being offered by noted e-voting proponent and Carnegie
Mellon University computer scientist Michael Shamos. His $10,000 bet,
the Direct-Recording Electronic (DRE) Hacking Challenge contends no
one can hack undetectably into a DRE voting machine.

"It is impossible to tamper with e-voting systems without being
detected," he said in a telephone interview countering Mercuri's
claims. Shamos says no one has ever taken him up on the challenge
because, as he puts it, "the fundamental system is unhackable."

Shamos recently added another twist to his challenge. Takers must fork
over $5000 to be held in escrow for Shamos. If the contestant fails to
undetectably tamper with the e-voting results, Shamos keeps the $5000.

Both Shamos and Mercuri acknowledge they are using the same vehicle
while on opposite sides of the e-vote debate. Mercuri says her public
challenge is meant to draw attention to Shamos's DRE Hacking
Challenge.

However, a growing number of e-voting naysayers agree with much of
what Mercuri claims. For example, in April California banned the use
of touch-screen voting machines in a handful of counties until it
could be proven the systems are secure and bug-free.


Rebuttals, Responses

Tom Mereckis, head of marketing for VoteHere, says he is "puzzled" by
Mercuri's challenge because VoteHere makes full specifications of its
voting systems available to anyone.

"Our full source code and cryptography specs have already been
published," Mereckis says. "We did answer Mercuri's challenge last
month on our Web site."

Conversely, the president of Advanced Voting Solutions says he has no
intention of ever releasing the proprietary workings of its voting
systems.

"We aren't interested in participating in a hacking carnival
sideshow," Howard Van Pelt says. For the same reasons that American
Airlines and Bank of America do not make the full specifications of
their systems available to the public, Advanced Voting Solutions
doesn't either, he adds.

Mercuri says VoteHere forces anyone who wants to test its system sign
a restrictive licensing agreement that makes it a felony to examine
its systems and share that data with the public. "That's not what we
consider open and available," Mercuri says.

"There is nothing in the licensing agreement that you can't find bugs
and talk about them," VoteHere's Mereckis says.

Prospective contestants seemed ambivalent about the e-voting hacking
challenge.

"Sounds like a good way to land in prison," said one Defcon attendee
who preferred not to give his name. Other attendees said hackers are
always interested in a challenge--with $10,000 riding on it or not.



_________________________________________
Help InfoSec News with a donation: http://www.c4i.org/donation.html



This archive was generated by hypermail 2.1.3 : Fri Aug 06 2004 - 06:39:32 PDT