How Can You Stop the Machine that Runs Upon Itself?


antigen2002
12-16-2002, 12:17 AM
If you think about it, the very system demands corruption (I'm referring to the current American government). Politicians can't succeed if they don't lie. And no one can really see the hidden deals with corporations, so why not make some extra money for next election's campaign? And what else besides politics can these people do? The point I'm trying to make is not just that these people will do anything they can to get re-elected, but they MUST get re-elected. Power unchecked results in abuse, so what is to stop a congressman/congresswoman from making a deal, however illegal, that no one will ever know about? Also, I believe that it is wrong to have a group of people whose only job is to make more laws (thus necessitating more and more laws despite lack of need), but that is beyond the issue.

daniel
10-14-2003, 06:42 AM
oops - the 2002 midterm elections may have been stolen, and nobody cared enough to investigate.


http://news.independent.co.uk/low_res/story.jsp?story=453116&host=3&dir=70

Fears of more US electoral chaos after flaws are discovered in ballot computers

By Andrew Gumbel in Los Angeles

14 October 2003

Is democracy under threat in America? Special investigation

Next year's US presidential election may be compromised by new voting machines that computer scientists believe are unreliable, poorly programmed and prone to tampering.

An investigation published in today's Independent reveals tens of thousands of touch screen voting machines may be less reliable than the old punchcards, which famously stalled the presidential election in Florida in 2000, leaving the whole election open to international ridicule.

The machines are said to offer no independent verification of individual voting choices, making recounts impossible, and the software is shielded from public scrutiny by trade secrecy agreements.

The shortcomings have appeared in two academic studies and have prompted calls for urgent oversight legislation. They have also cast doubt on the accuracy of last November's mid-term election results, especially in Georgia, the first state to switch to touch screen voting.

David Dill, a computer science professor at Stanford University, said: "These machines do not allow the voters to check that their votes are accurately and permanently recorded. No one can prove that the machines are trustworthy."

The three leading voting machine manufacturers are substantial Republican campaign donors, and one of their chief executives, Walden O'Dell of Diebold, in Ohio, wrote a letter to Republican supporters saying he was "committed to helping Ohio deliver its electoral votes to the President next year". That raised serious concerns of bias. "The rush towards computerisation is very dubious," Rebecca Mercuri, a research fellow at Harvard University, said. "It takes away the checks and balances of a democratic society."

In Georgia, citizens were alarmed at apparent anomalies in the election results for governor and one of the state's two Senate seats. Both offices were won by Republicans in last-minute voting swings away from Democrats.

Causes for alarm included a serious malfunction in the voting software, discovered after the machines were packaged for shipment, which had to be repaired with a programming "patch", and the fact that the patch showed up on an open-access internet page. Hundreds of security flaws were identified in subsequent follow-up studies. There were also several election day glitches, including the loss of 67 voting memory cards in the Democrat stronghold of central Atlanta.


http://www.wired.com/news/print/0,1294,60563,00.html

Did E-Vote Firm Patch Election? By Kim Zetter

Story location: http://www.wired.com/news/politics/0,1283,60563,00.html
02:00 AM Oct. 13, 2003 PT
Diebold Election Systems has had a tumultuous year, and it doesn't look like it's getting any better.
Last January the electronic voting machine maker faced public embarrassment when voting activists revealed the company's insecure FTP server was making its software source code available for everyone to see.

Then researchers and auditors who examined code for the company's touch-screen voting system released two separate reports stating that the software was full of serious security flaws.
Now a former worker in Diebold's Georgia warehouse says the company installed patches on its machines before the state's 2002 gubernatorial election that were never certified by independent testing authorities or cleared with Georgia election officials.
If the charges are true, Diebold could be in violation of federal and state election-certification rules. The charges also raise questions about the integrity of the Georgia election results and any other election that uses patched Diebold systems that have not been re-certified.
According to Rob Behler, an engineer hired as a contractor to work in Diebold's Georgia warehouse last year, the Diebold systems had major functioning problems.
Behler said 25 to 30 percent of the machines in one shipment to the warehouse either crashed upon booting or had problems with their real-time clocks, causing the systems to register the date inaccurately then boot improperly or freeze up altogether.
"They did not meet what I would deem standard operation," he said.
Behler said Diebold provided warehouse workers with at least three patches to apply to the systems before state officials began logic and accuracy testing on them. Behler said one patch was applied to machines when he came to the warehouse in June, a second patch was applied in July and a third in August after he left the warehouse.
Behler first informed Bev Harris, owner of the BlackBox Voting site, of the situation. Harris has spent a year investigating problems with electronic voting systems, and is the author of a forthcoming book on the technology. She said the practice of patching systems after they've been certified opens the possibility for anyone -- from Diebold employees to local election officials -- to install malicious code on a machine that could alter election results and then delete itself to avoid detection.
According to Harris, this scenario is particularly worrisome in light of what happened in the Georgia gubernatorial race, which ended in a major upset that defied all polls and put a Republican in the governor's seat for the first time in more than 130 years.
Republican candidate Sonny Perdue managed to unseat Democratic incumbent Roy Barnes with only 51 percent of the vote. It was the first time an incumbent governor had not won his second term since Georgia law allowed back-to-back terms in 1978.
Pundits have attributed the upset to dissatisfaction with the incumbent for altering a Confederate symbol on the state flag and to effective stumping by President George W. Bush on behalf of Perdue.
Harris acknowledged no proof exists that anyone rigged the election systems, but she said, "We'll never know exactly what happened in Georgia because there's no paper trail to verify the votes."
Harris and other voting activists around the country are calling for states and certifying authorities to open the election process and electronic voting systems to public scrutiny to ensure public confidence in elections.
Officials in Georgia's secretary of state's office did not respond to repeated calls for comment.
Behler was hired by Automated Business Systems and Services, a large contracting agency, to work in Diebold's Georgia warehouse from mid-June to mid-July 2002, five months before the gubernatorial election.
He was in charge of assembling about 20,000 machines for the election, testing them and shipping them to 159 counties. But, he said, the work was complicated by misbehaving machines that presented few clues to their problems.
"It's hard to track down a problem when you go out to your car and the first time it starts, the next time the headlights don't work, the next time you start it the brakes are out, and the next time you start it the door falls off," Behler said. "That's really the way they were."
Behler said Diebold programmers posted patches to a file-transfer-protocol site for him and his colleagues to apply to the machines.
Diebold did not respond to repeated calls for comment, but in an interview with Salon a few weeks ago, company spokesman Joseph Richardson denied the company applied any patches to the Georgia machines.
"We have analyzed that situation and have no indication of that happening at all," he said.
Rebecca Mercuri, a computer science professor and research fellow at Harvard University's Kennedy School of Government who is an expert on voting machines, says an unregulated change to voting software would raise big concerns for her.
"Having any change to the operating system allows someone to slip in anything to the code. If (a patch) was not run through the inspection process, then there could be a violation of the Georgia state law," she said.
Indeed, Georgia law requires that companies that make changes to fix defective systems after they are certified must let state officials know about the changes and provide test documentation showing that changes do not do anything to the system other than fix the defect.
Before machines are used in an election, state election boards conduct logic and accuracy tests on them with a mock election to make sure the machines perform properly. Academics at Kennesaw State University, led by professor emeritus Brit Williams, have a contract with the state to perform this testing.
But Behler said Diebold instructed him and his colleagues to fix problems with the machines before Kennesaw State would see them.
"If they started erring in mass quantities, Kennesaw State's going to raise a red flag, the secretary of state's going to raise a red flag and Diebold wouldn't get paid," Behler said.
He said the machines were patched not only in the Diebold warehouse, but also in county warehouses after they were shipped from Diebold.
At one point, Behler said he went to a warehouse in DeKalb County with "a high-level Diebold executive" to examine systems that were freezing up. Behler patched 1,387 machines but said, "We were still running upwards of 20 to 25 percent errors."
Diebold programmers contacted him and his colleagues and told them the patch was incorrect and they'd have to load a new one.
"JS equipment is what we were calling it at the time," said Behler. "Junk shit. Everyone in the warehouse was familiar with the term, to say the least."
Behler said the patches he applied were never certified. No third party, other than the Diebold engineers who created the patches, knew what was in the patches. And once machines were patched, they did not undergo re-certification.
When he told Kennesaw professor Williams in July that the machines were being patched, Behler said Williams told him: "Do whatever you need to do now, but you won't be touching the machines once we start our systems-testing on them."
Diebold officials, including company president Bob Urosevich, were angered that he had talked to Williams, according to Behler.
"I literally got called on the carpet and ... told that I was not to speak a word to any of the Kennesaw State people," Behler said.
Behler said as far as he knows, election officials in the Georgia secretary of state's office were never told about the patches.
"That's the last thing Diebold wanted," said Behler. "They made that very clear.... I sat around tables where (Diebold people) discussed whether they were going to tell them the truth, the half-truth or a complete lie.
"I understand if a company has information that they need to keep under tight lip. But when you sit around discussing lying to a client in order to make sure you're getting paid ... it's an ethics issue."
Williams of Kennesaw State University denies Behler ever mentioned patches to him and said, to his knowledge, no uncertified patches were applied to the machines. He said he would be very concerned if this happened.
"If they were changing the configuration of the machine, that would certainly be a concern because that would violate the certification," he said.
Williams does acknowledge, however, that a month and a half before the November election, he worked with Diebold to apply a patch to the Windows CE operating system. The voting machines run on version 3.0 of Windows CE, he said, and they patched it to correct problems they were having with the system.
But he said this patch was passed by Wyle Laboratories, the independent testing authority that originally certified the machines.
"We asked (Wyle) to take a quick look at it, but we didn't have time to do a full qualification on it. This was a month and a half before the election. To go through the full ITA qualification and state certification takes about six months. We asked them to look at it from the point of view of whether or not it would have any impact at all on the main line of the voting software."
As for other patches, Williams said, "We have no idea what Diebold or anybody else does when they go in their warehouse and shut that door."
Williams said they compare the system when it comes out of the Diebold warehouse to make sure it's the same software version that was certified by the ITAs. But he acknowledges that this does not include reading the source code.
He added, however, "We have absolutely no reason to believe that Diebold did anything in that warehouse that we're unaware of."
As for Behler, Williams said he's a disgruntled employee who was fired from the project by Diebold and Automated Business Systems and Services. ABSS, however, said this isn't true.
Initially, Terrence Thomas, ABSS vice president for the southwest region, told Wired News that Behler was dismissed for "lack of performance." But when pressed to elaborate, Thomas consulted Behler's employee file, which he said he had previously not read, and admitted there was no indication that Behler was fired or that anyone at Diebold or ABSS had been disappointed with his performance.
"He was released because his part of the project was completed," Thomas said. He repeated that it wasn't a performance issue. "Officially in my files, there's nothing to indicate that," he said.
James Rellinger, another contractor who worked in the Diebold warehouse until November, confirms that both Diebold and ABSS seemed happy with Behler's work.
Rellinger said workers were surprised when they learned Behler had been replaced and hinted that internal politics were likely the cause. Behler was replaced by a friend of an ABSS project manager, who was later hired as a full-time employee of Diebold.
Behler denies he's a disgruntled employee, saying he is going out on a limb by revealing information that could cost him future work.
"I have seven children to support," he said. "This is not the kind of thing I would say if it wasn't the truth."

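An added example, not part of the thread or the quoted articles: the Wired piece notes that the pre-election comparison checks for "the same software version that was certified", and the sketch below shows why a self-reported version label says nothing about a patched image while a hash manifest recorded at certification does. All file names, contents and the version string are constructed for illustration and are not taken from any real voting system.

```python
import hashlib

VERSION_TAG = b"VERSION="
APP_PATH = "app/ballot_station.bin"  # hypothetical application image path

def manifest(files):
    """Map each path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def version_label(files, app_path):
    """Return the version string the application image reports about itself."""
    data = files.get(app_path, b"")
    start = data.find(VERSION_TAG)
    if start < 0:
        return None
    start += len(VERSION_TAG)
    end = data.find(b";", start)
    if end < 0:
        end = len(data)
    return data[start:end].decode("ascii", "replace")

def audit(certified_manifest, certified_version, installed_files, app_path):
    """Compare an installed image against the manifest recorded at certification."""
    installed = manifest(installed_files)
    changed = sorted(p for p in certified_manifest
                     if p in installed and installed[p] != certified_manifest[p])
    added = sorted(p for p in installed if p not in certified_manifest)
    missing = sorted(p for p in certified_manifest if p not in installed)
    return {
        # What a label-only check sees.
        "version_matches": version_label(installed_files, app_path) == certified_version,
        # What a content check sees.
        "changed": changed,
        "added": added,
        "missing": missing,
        "clean": not (changed or added or missing),
    }

# Constructed sample images (bytes stand in for real binaries).
CERTIFIED_FILES = {
    APP_PATH: b"VERSION=1.0.0-example;count_votes_v1",
    "os/kernel.bin": b"kernel-build-A",
    "config/election.ini": b"precinct=demo",
}
INSTALLED_FILES = {
    # Same version label, different bytes: a patch applied after certification.
    APP_PATH: b"VERSION=1.0.0-example;count_votes_v1+clockfix",
    "os/kernel.bin": b"kernel-build-A",
    "config/election.ini": b"precinct=demo",
    "patches/clock_fix.bin": b"uncertified-patch",
}

if __name__ == "__main__":
    report = audit(manifest(CERTIFIED_FILES), "1.0.0-example", INSTALLED_FILES, APP_PATH)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check is only as trustworthy as the place the certified manifest is stored and the tool that reads the installed files, so both need to sit outside the control of whoever applies patches.
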
daniel
01-29-2004, 11:43 AM
January 29, 2004

Security Poor in Electronic Voting Machines, Study Warns
By JOHN SCHWARTZ

Electronic voting machines made by Diebold Inc. that are widely used in several states have such poor computer security and physical security that an election could be disrupted or even stolen by corrupt insiders or determined outsiders, according to a new report presented today to Maryland state legislators.

Authors of the report — the first hands-on attempt to hack Diebold voting machine systems under conditions found during an election — were careful to say that the machines, if not hacked, count votes correctly, and that issues discovered in the "red team" exercise could be addressed in a preliminary way in time for the state's primaries in March.

"I don't want to beat people up," said Michael Wertheimer, the security expert who ran the attack team for RABA Technologies, a consulting firm in Columbia, Md. "I want to get an election that people can feel good about in March."

Further steps could be taken to ensure a safe general election in November, the report concludes. But ultimately, the report says, Diebold election software has to be rewritten to meet industry security standards and called for limited use of paper receipts to help verify voting.

A representative of Diebold said the issues raised by the new report had already been addressed by the company. "There is nothing that has not been or can't be mitigated" before the election, said David Bear, a spokesman for the company.

In a statement released today, Bob Urosevich, president of Diebold Election Systems, said this report and another by the Science Applications International Corporation "confirm the accuracy and security of Maryland's voting procedures and our voting systems as they exist today."

Mr. Urosevich added: "With that said, in our continued spirit of innovation and industry leadership, there will always be room for improvement and refinement. This is especially true in assuring the utmost security in elections."

Maryland has bought more than $55 million worth of the machines. Georgia has chosen Diebold machines for elections statewide, and they have been chosen by populous counties in California and Ohio, among other states.

The authors of the report said that they had expected a higher degree of security in the design of the machines. "We were genuinely surprised at the basic level of the exploits" that allowed tampering, said Mr. Wertheimer, a former security expert for the National Security Agency.

William A. Arbaugh, an assistant professor of computer science at the University of Maryland and a member of the Red Team exercise, said, "I can say with confidence that nobody looked at the system with an eye to security who understands security."

The new report vindicates a controversial report that found Diebold software lacked the level of security necessary to safeguard the election process or even to meet the standard practices of the computing industry, and it underscores the results of two subsequent studies. Last July, an analysis of voting machine software by academic security experts at Johns Hopkins and Rice Universities found serious security problems. At the time, Diebold stated that the code used by the researchers, which had been taken from a company Internet site and circulated online, was outdated.

In response, Maryland hired the Science Applications International Corporation to review the Johns Hopkins report and to do a quick risk analysis. The company confirmed that many of the security vulnerabilities discovered in the earlier study did constitute serious problems, but said they could be corrected. An unrelated report for Ohio that was released in December found serious security flaws in voting systems produced by all four major makers of electronic voting machines and offered suggestions for reducing risk.

In December, Diebold announced in response to the Ohio report that the problems discovered in Ohio had been "successfully resolved" thanks to its efforts to address issues raised in Maryland reports. The company also said it had created a new "executive-level position dedicated to meeting compliance and certification requirements" to address the issues going forward.

The latest study found that some issues discovered last July in the Johns Hopkins study had not, in fact, been corrected, and that other issues that had not been discovered in other studies were equally troubling. The report can be found at www.raba.com (http://www.raba.com).

In the security exercise, members of the attack team said they were surprised to find that the touch-screen machines used by voters all used the same physical key to the two locks that protect their innards from tampering. With hand-held computers and a little sleight of hand, they found, the touch screens could be reprogrammed to make a vote for one candidate count for an opponent, or results could be fouled so that a precinct's tally could not be used.

In addition, they said, communications between the terminals and the larger server computers that tally results from many precincts do not require that machines on either end of the line prove that they are legitimate, an omission that could allow someone to grab information that could be used to falsify whole precincts worth of votes.

And the server computers do not have the latest protection against the security holes in the Microsoft operating systems, and they are vulnerable to hacker attacks that would allow an outsider to change software, the group found.

The authors of the report also said smart cards that are shipped with the system for voters and supervisors to use during elections have standard passwords that are easily guessed. That problem was cited in the original Johns Hopkins report, and it could allow anyone with a hand-held card reader and small computer to get the access of an election official. The company said that it has provided the capability for election officials to change those passwords and increase security, though it still ships the products with the easily broken password.

Mr. Wertheimer said the application of security was inconsistent, with encryption applied in some places without the accompanying technology of authentication to ensure that the machines that are communicating with each other are the ones that are supposed to be communicating and that an interloper has not jumped in. "It's like washing your face and drying it with a dirty towel," he said.

Though individual members of the attack team said that they found the original Johns Hopkins study, which called for the state to abandon the machines, to be alarmist in tone and written in the kind of sound-bite language to grab the attention of the news media, Mr. Arbaugh said this team's results "vindicate" the work of the leader of that effort, Aviel D. Rubin, who goes by Avi, and showed that Diebold did not do enough after the report to fix the problems that he identified.

"Avi told them the door was wide open and unlocked," Mr. Arbaugh said. "They closed the door, but they didn't lock it," he said.

Mr. Rubin said he had not yet seen the study, but had been informed of its results. "If our report was unable to convince Maryland that the Diebold machines were vulnerable, then surely this work will set them straight," he said.

There is much more to be done, Mr. Arbaugh said. Working on the exercise for just a week to prepare for the one-day attack, he said, "we got the tip of the iceberg."

He added, "It seemed everywhere we scratched, there was something that's pretty troubling."

The panel recommended that election officials take several steps to improve security, including placing tamper-proof tape on vulnerable parts of voting machines and installing software that will alert officials to any changes to the machine.

If those steps are taken, Mr. Arbaugh said, "the assurance of this election will be comparable to that of past elections."

"The problem is, people who know elections know there's a lot of play in them already," he said. "We can do better, and we should. It's just going to be a long process."

Linda H. Lamone, the administrator of the Maryland State Board of Elections, said that the group had produced "a very good report," and that the state would take its recommendations seriously.

Still, she noted that tampering with voting equipment is a felony. "I'm not sure how many people would be willing to get a felony conviction and risk going to jail over an election," she said. Citing the problem of easily opened locks on the machines, she said an attempt to unlock a machine "would be very unlikely to succeed, because it would have to occur in a public place."
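
An added example, not part of the thread or the quoted article: the report's finding that terminals and tally servers exchange data without either side proving it is legitimate is the gap that message authentication closes. The sketch shows one direction only (terminal to server) using an HMAC tag with a per-terminal key and a message counter; the terminal IDs, keys, message layout and class name are all constructed for illustration.

```python
import hashlib
import hmac
import json

def sign_tally(terminal_id, key, counter, tally):
    """Terminal side: serialize the tally and attach an HMAC-SHA256 tag."""
    body = json.dumps(
        {"terminal": terminal_id, "counter": counter, "tally": tally},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class TallyServer:
    """Server side: accept a tally only from a known terminal with a valid, fresh tag."""

    def __init__(self, terminal_keys):
        self.keys = dict(terminal_keys)   # one secret per terminal, never a shared default
        self.last_counter = {}            # highest counter accepted per terminal

    def accept(self, message):
        try:
            fields = json.loads(message["body"])
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed"
        if not isinstance(fields, dict):
            return "rejected: malformed"
        terminal = fields.get("terminal")
        key = self.keys.get(terminal)
        if key is None:
            return "rejected: unknown terminal"
        expected = hmac.new(key, message["body"], hashlib.sha256).hexdigest()
        # Constant-time comparison; the body is trusted only after this passes.
        if not hmac.compare_digest(expected, str(message.get("tag", ""))):
            return "rejected: bad tag"
        counter = fields.get("counter")
        if not isinstance(counter, int) or counter <= self.last_counter.get(terminal, 0):
            return "rejected: replay"
        self.last_counter[terminal] = counter
        return "accepted"

# Constructed keys for the demo; real keys would be random and provisioned per device.
DEMO_KEYS = {"T-001": b"constructed-demo-key-001", "T-002": b"constructed-demo-key-002"}

if __name__ == "__main__":
    server = TallyServer(DEMO_KEYS)
    good = sign_tally("T-001", DEMO_KEYS["T-001"], 1, {"A": 120, "B": 95})
    altered = {"body": good["body"].replace(b"120", b"20"), "tag": good["tag"]}
    print(server.accept(altered))   # tag no longer matches the body
    print(server.accept(good))      # genuine message
    print(server.accept(good))      # same message sent a second time
```

Shipping every terminal with the same key would undo this in the same way the article describes for the smart-card passwords, which is why the keys are per terminal.
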