[IP] E-Vote Software Leaked Online (I love the security by secrecy statement djf)
E-Vote Software Leaked Online
By Kim Zetter
Story location:
http://www.wired.com/news/privacy/0,1848,61014,00.html
05:00 PM Oct. 29, 2003 PT
Software used by an electronic voting system manufactured by Sequoia Voting
Systems has been left unprotected on a publicly available server, raising
concerns about the possibility of vote tampering in future elections.
The software, made available at ftp.jaguar.net, is stored on an FTP server
owned by Jaguar Computer Systems, a firm that provides election support to
a California county. The software is used for placing ballots on voting
kiosks and for storing and tabulating results for the Sequoia AVC Edge
touch-screen system.
The files on the server also revealed that the Sequoia system relies
heavily on Microsoft software components, a fact the company often has been
coy about discussing since Microsoft software is a frequent target of hackers.
Jaguar, based in Riverside, California, left the data unencrypted and
unprotected. The FTP server allowed anyone to access it anonymously.
Once a visitor gained access to the server, a small note stated that the
server was meant for employees and clients of Jaguar. However, the
company's own website directed visitors to the FTP server and noted that
"our '/PUB' directory is stuffed with many of the files that we use." The
website has since been changed by Jaguar.
Sequoia's AVC Edge voting machines were used in California's Riverside
County for the 2000 presidential election and for last month's California
gubernatorial recall election. The system also has been used in counties in
Florida and Washington state.
It's the second time this year that voting machine code has been leaked on
the Internet.
In January, source code for the AccuVote-TS system made by Diebold Election
Systems was found on an unprotected FTP server belonging to the company.
Researchers at Johns Hopkins and Rice universities who read the Diebold
code found numerous security flaws in the system and published a
report (PDF) <http://avirubin.com/vote.pdf> that prompted the state of
Maryland to conduct its own audit of the software.
A key difference between the Diebold and Sequoia leaks has to do with the
type of code used. The Diebold code was source code, a raw form of code
that contains programmer notes and comments and allows anyone to quickly
see how a system works.
The Sequoia code is binary code, which is already compiled with the
comments and other information stripped away. It's working code, which
means that the program must be reverse-engineered, or taken apart, in order
to understand how it works. This is not hard to do, but it takes more time
than working with source code. The Johns Hopkins researchers were able to
write their report on the Diebold code in two weeks. The Sequoia code would
take at least two months, the researchers said.
But even binary code reveals a lot of information about a program, said Avi
Rubin, one of the Johns Hopkins researchers who wrote the report on the
Diebold system.
"With binary code you can create most of the program and analyze it," he
said. "All the information about what the program does is there. Maybe 60
percent of what you can get from the source code you can also get from the
binary."
On its website, Sequoia makes a point of
stating <http://www.sequoiavote.com/article.php?id=50>
that its system is much more secure than the Diebold system, since it
doesn't rely on Microsoft software. The website reads: "While Diebold
relies on a Microsoft operating system that is well known and understood by
computer hackers, Sequoia's AVC Edge runs on a proprietary operating system
that is designed solely for the conduct of elections."
In fact, the system uses WinEDS, or Election Database System for Windows.
WinEDS runs on top of the Microsoft Windows operating system. According to
Sequoia <http://www.sequoiavote.com/bAVCEdge.php>, "WinEDS is used to
administer all phases of the election cycle, create electronic ballots for
the AVC Edge, and tally early voting, as well as official election and
absentee votes."
The system also appears to use MDAC 2.1, or Microsoft Data Access
Components, which was found in the WinEDS folder on the server. MDAC is
code used to send information between a database and a program. According
to the computer programmer who discovered the FTP server containing the
Sequoia code, version 2.1 was found to be insecure. He said Microsoft
currently distributes an upgraded version 2.8, which has been available
since August, but the version on the Jaguar site doesn't include a patch to
fix the security problems.
Also, because MDAC is off-the-shelf software, it's not subject to the same
certification processes and audit that are standard for proprietary voting
software.
Neumann, the security expert, said, "This means that anyone could install a
Trojan horse in the MDAC that won't show up in the source code." Jaguar
employees, Sequoia employees or state election officials could insert code
that wouldn't be detectable in a certification review of the code or in
security testing of the system, he said.
Neumann said this points to the necessity for using only voting machines
that provide a voter-verifiable paper trail.
"The idea of looking at source code to find problems is inherently
unsatisfactory," he said. "You need to use a machine with accountability
and an audit trail."
The source who discovered the unprotected server containing the Sequoia
system code said the files include Visual Basic script, which is uncompiled
script that can be changed very quickly and easily.
"You can swap out a file and plant a Trojan horse in this," he said.
"There's also SQL code in there that sets up a database. The SQL gives you
details about the database that you can use to alter the contents of the
database."
The companies making electronic voting systems long have said that their
systems are proprietary and their code needs to remain secret in order for
the systems to be secure.
Cindy Cohn, an attorney at the Electronic Frontier Foundation, said
information gained from the discovery of the Diebold and Sequoia codes
indicates the exact opposite.
"Our society and our democracy is better served by open voting systems,"
she said. "The way to create a more secure system is to open the source
code and to have as many people as possible try to break into the system
and figure out all the holes. The clearest way to have an insecure system
is to lock it up and show it to only a few people."
Cohn said her organization is trying to convince election officials and
companies to make their systems more secure. "That doesn't seem to be
happening," she added. "So I have a lot of admiration for these people who
are taking it upon themselves to try to figure out whether these machines
are secure. I think we are all better off because of researchers who are
taking the time to say the emperor doesn't have any clothes."
Rubin said the focus shouldn't be on keeping systems secret but on creating
systems that are more secure so they can't be easily exploited or rigged
for fraud.
"This argument that everything needs to be kept secret is not viable
because the stuff does get out whether companies intend it or not," he
said. "Now two out of the three top companies have leaked their system.
"Scientists are being made to feel afraid to look at these things which in
the end will be bad for our society. Why shouldn't everyone want scientists
to look? If there's any feeling that there may actually be danger to our
elections, how can we not be encouraging researchers to look at our
systems?" Rubin said.