D_Raay
09-13-2004, 02:30 PM
http://www.jhu.edu/~jhumag/0204web/vote.html
Now this is a long article but definitely worth the read. Some excerpts:
"There are more checks and balances on ATMs than on voting machines," says Barbara Simmons,"which is pretty apalling."
One of the first things they had noticed was a single line:
#define DESKEY ((des_key*) "F2654hd4"
It was from a section of the code that told the terminal how to secure, through encryption, the count of the day's vote on that machine. The code used an encryption protocol called DES, and "F2654hd4," to the astonishment of Stubblefield and Kohno, was the key to the encryption — the combination to the lock on the vault, so to speak. The two graduate students knew that if the DES encryption key had been written into a line of the machine's code, the key had to be the same on every Diebold terminal. Says Stubblefield, "That's the canonical example of how not to do [security]. It's as if there were one password for all the computers at Hopkins."
In the AccuVote software examined by the analysts, the ballot definition, which tells the terminal to display the proper listing of candidates for each office, was not protected and could be modified by anyone who gained access to the data file. Before being recorded on a storage device, the vote records in each machine were encrypted, as already noted, but by an outmoded encryption method (DES) that's been proven to be crackable.
Right after the SAIC report was released, Ehrlich authorized the Maryland Board of Elections to proceed with purchase of the Diebold machines. The governor's decision baffles Rubin. "I can't help but wonder how the state of Maryland could possibly go ahead with this."
Now this is a long article but definitely worth the read. Some excerpts:
"There are more checks and balances on ATMs than on voting machines," says Barbara Simmons,"which is pretty apalling."
One of the first things they had noticed was a single line:
#define DESKEY ((des_key*) "F2654hd4"
It was from a section of the code that told the terminal how to secure, through encryption, the count of the day's vote on that machine. The code used an encryption protocol called DES, and "F2654hd4," to the astonishment of Stubblefield and Kohno, was the key to the encryption — the combination to the lock on the vault, so to speak. The two graduate students knew that if the DES encryption key had been written into a line of the machine's code, the key had to be the same on every Diebold terminal. Says Stubblefield, "That's the canonical example of how not to do [security]. It's as if there were one password for all the computers at Hopkins."
In the AccuVote software examined by the analysts, the ballot definition, which tells the terminal to display the proper listing of candidates for each office, was not protected and could be modified by anyone who gained access to the data file. Before being recorded on a storage device, the vote records in each machine were encrypted, as already noted, but by an outmoded encryption method (DES) that's been proven to be crackable.
Right after the SAIC report was released, Ehrlich authorized the Maryland Board of Elections to proceed with purchase of the Diebold machines. The governor's decision baffles Rubin. "I can't help but wonder how the state of Maryland could possibly go ahead with this."