Saturday, November 11, 2006

Perhaps It Is Accurate (For Really Large Values Of Zero)

Another e-voting machine issue:
Randy Wooten figured he'd get at least one vote in his bid for mayor of this town of 80 people even if it was just his own.

He didn't. Now he has to decide whether to file a formal protest.

I don't think these things are ready for prime time. And I'm not sure they will ever be ready as long as they rely on the PNATTMBTC* school of security.

There have been reports of the software being updated by technicians without any notification to the election board. A group in Norway has managed to break into a machine in less than 30 seconds. There is no third-party auditing of these devices. This last is important because there have been some cases reported of the machines locking up (did it take my votes?) and pre-selecting candidates.

The first two are easily solved: the first through well-implemented procedures by the election boards that use these devices, the second by updating and hardening the housing these systems use. But the last one will only happen with government regulation, I fear. Security professionals (myself included) have long held that a security system that relies on obscurity is as bad as no security at all (not always; there are cases where obscurity is a definite asset, but this is not one of them). Diebold has claimed that its source code is proprietary and contains trade secrets, so no one gets to look at it. This is bad for any groups or governments that use their system, and they are pretty much the only major player.

Granted, the article I linked to didn't actually come out and say it was a Diebold machine, but it's fairly likely it was.

With a combination of Nondisclosure Agreements and the use of reputable code-auditing firms, this should be a non-issue. For some reason Diebold will not do it. So far all auditing and quality-control remains in house. This is a bad idea. It is very difficult to catch subtle mistakes that you yourself made.

I know of at least one open source project that is trying to get off the ground, but a lot of times these projects wither away due to lack of interest, lack of funds and lack of developers. I can only hope that's not the case here.

As much as I am against the "regulate everything and let God sort it out" mindset that seems to pervade the US government, I think in this particular case it is earnestly needed.

* - Pay No Attention To The Man Behind The Curtain