Hacking experts: High-tech voting flawed

Kevin Rademacher

Friday, July 30, 2004 | 11:07 a.m.

Since a national firestorm over hanging chads plunged the 2000 U.S. presidential election into chaos, efforts have been afoot to upgrade election equipment.

Punch cards are falling by the wayside in favor of high-tech touchscreen machines.

But researchers at a national hackers' conference in Las Vegas said Thursday that technological upgrades still pose significant concerns over the accuracy of election results.

Rebecca Mercuri is president of Philadelphia-based Notable Software Inc. and a researcher on the subject of electronic voting systems. She told a crowd at the Black Hat Briefings computer security conference in Las Vegas that the performance of electronic systems in the recent gubernatorial recall in California indicate that such systems have significant flaws.

In the California recall election, Mercuri said that the "residual vote" rate -- the number of votes beyond the 100 percent total of yes or no votes, due to spoiled or unmarked ballots -- for the election was surprisingly high given the use of some of the newest technology in that election.

The question for or against the recall produced a 4.6 percent residual vote rate and the candidate selection portion produced a 6.6 percent residual vote rate.

"This is very fishy," Mercuri said. "What's actually going on here, we don't know."

More troubling, she said is that California does not require that its counties even report the number of over or under votes.

"This type of crap is going to show up in November," she said.

"You must challenge the data," Mercuri encouraged the crowd.

Fellow researcher Bev Harris also pointed out that nationwide interviews with election officials show that many of the computerized voting systems are largely untested and unsecure.

"I've been called an alarmist, but I am the person out on the front lines talking to election officials," Harris said. "We found software that hasn't been tested followed by inadequate procedures."

Chief Deputy Secretary of State Renee Parker said she doesn't think there will be a problem in Nevada.

Nevada purchased its machines from Sequoia Voting System and not from Diebold, the company that supplied the machines in California. Diebold's software has, in the past, been posted on the Internet. State officials said they found Sequoia's system to be secure.

Parker said the machines were tested by the electronic experts at the State Gaming Control Board that examine programs of slot machines before they are allowed in casinos.

Parker said Clark County Registrar Larry Lomax has run these machines for a number of years without problems.

And, Nevada officials said, the machines are not tied into a network. Each one has a cartridge that is plugged into a central tabulation unit, which is not tied into a network.

"We're confident," said Parker. "There is no network to hack into. Each machine stands alone."

Secretary of State Dean Heller said the security of the machines have been upgraded by adding the paper trail. He said these hackers, who like to be called forensic security specialists, support Nevada. He said they feel Nevada is the most secure by adding the paper trial unit.

Harris noted problems in other parts of the country. She said one Southern U.S. county monitored during an election had no records of who had access to the central tabulator, which compiles all of the precinct results.

"This is what I mean by procedures that are inadequate," Harris said, pointing to an Arkansas county that reported a 115 percent voter turnout.

As a possible solution to what Mercuri and Harris described as a looming disaster, they recommended that the officials turn to accounting professionals to work with computer technicians to spot possible problems.

"The accounting profession is used to looking for fraud," Harris said. "(Election officials need) to use checks and balances because it makes it harder to cheat."

Participants in the crowd of hackers -- decidedly wary of the press -- said election officials should have been bracing for possible problems. They said the general public typically is unaware of the risks posed by the broadening use of technology.

"People outside don't realize it at all," said one New York hacker who refused to give his name.

The Black Hat conference is touted as a digital self-defense conference, bringing together so-called underground hackers as well as corporate and government systems experts.

Other topics for the day included sessions on masking e-mail origination and identifying holes in intrusion defense systems.

One session also outlined the role of "cyberwarfare" in the Middle Eastern power struggle. The presentation said that hacking in an effort to deface or cripple government or corporate Web sites is an increasingly popular tactic.

A recent study showed that more than 20 percent of the Web attacks are done in the name of patriotism or other political reasons, said Peter Feaver, a Duke University professor.

Black Hat was attended by about 1,800 people, about half of those attendees are expected to remain in Las Vegas over the weekend for the less formal and more "underground" Defcon convention.

archive