Saturday, January 27, 2007

Technofascism II - Hacking Democracy

You have to see the HBO documentary “Hacking Democracy”.

It is riveting. I did not realize that more than 80% of US elections are already carried out using electronic voting machines. I did not realize that the tabulation program is basically a simple database program running on a Windows workstation - with files that I can access right out of “My Programs”. I did not realize there is no effective security event log.

I did not realize that election staffers are taking these machines home with them (thank you NPR, for ruining my day yesterday). Most of all, I did not realize until watching this show that these things are *so* badly designed: i.e. so easy to break into and hack. The lock on the back of those voting machines isn’t remotely tamper-proof - or sealed.

Building on the previous solid work of Johns Hopkins and Princeton, the Hacking Democracy program employs Harry Hursti, the former CEO of F-Secure, a very well-respected security company based in Finland. In the program, Harry claims to find an executable hidden on the AccuVote memory card. The manufacturer denies this could have happened. I, for one, am pretty sure that if Harry says he found an executable, he found one.

What Harry does with the memory card in the next sequence is worth watching the program for by itself - as is the tearful reaction of one well-meaning official.

Folks, this is what happens when trust is placed exclusively in one organization. Cliche alert: Absolute power corrupts absolutely. Software can always be hacked, and if there are not excellent controls, and dire consequences, it *will* be hacked. Without an audit trail, and without sophisticated and open monitoring systems, democracy in America is indeed going to become compromised beyond recognition, and may eventually be destroyed (see my last post on this below for the Episode Four version of this post).

The annoying thing about this is that the fix is so easy - simply audit the code, plug in the printers, and monitor every single input to the device - every keystroke or on-screen input into the system (including logging the screen coordinates during interaction: if hackers can do this during your online banking transaction, and they can, it should be easy enough to plug this technology in here).

The question is, does anyone, other than Bill Richardson and a resourceful Erin Brockovich-like grandmother in California, care enough about the coming demise of democracy to fix it?
