Tuesday, September 13, 2005
Hacking the Vote: Easy Like Sunday Morning
http://www.chuckherrin.com/hackthevotedemo.htm
Chuck Herrin, a certified ethical hacker, shows that anyone with enough knowledge of Windows and Microsoft Access (i.e. your mom, or your mom's mom) could quickly, easily, and silently modify election results to any outcome they wish.
In short, our modern, technological voting system is comically bad. I read about these systems before the 2000 election in Wired Magazine (I'm not linking to them because they're not link-worthy). Being Wired Magazine, I took it with a grain of salt. I read the articles, I talked about it to some people, and wrote a few letters.
In 2001, the CEO of Diebold promised then-President G.W. Bush that thanks to his systems, Ohio would be going red. It was in a speech he made to a crowd of Republicans. He had no idea the media was there.
Ohio happened to be THE crucial deciding state this year. Evidence, alluded to in this article (and which I haven't really followed up on), shows that many "blue counties" had their vote split reversed -- the majority went Republican, when historically they always went Democrat.
So why hasn't the media thrown up the red flag? Screamed bloody murder and outrage?
Well, we all know that until the weather machine that I'm developing in WV got out of control and totaled America's primary source of Girls Gone Wild porno tapes, the media was not the fourth estate it claimed to be. Hard-hitting questions weren't as important as stories like "Scientists find that chocolate is good for you."
And, let's face it, we're all naive. We don't think something this shadowy or inherently evil could happen. It reeks of conspiracy theory, up there to be speculated about like those mysterious phone calls on Sept. 11th, telling all the Arabs not to fly that day. It's so ridiculous, every rational fiber of your being tells you to dismiss it. It's a bankrupt idea like intelligent design, to be mocked openly in front of everyone.
But seriously, Microsoft Access is a toy. It's good for small projects, like taking care of your DVD library, and maybe middle school level programming projects. As a database backend, it falls flat on its face; even MySQL performs database functionality better than Access does, backend-wise.
What I'm trying to say is that Access is not the sign of a professional. If someone told me they were going to store my medical records in an Access backend, I'd probably contact a malpractice lawyer on the spot (that whole HIPAA thing, you know). If someone told me they were going to store my blog posts in an Access database, I'd still be so furiously pissed off at them that I'd probably punch them in the face. Even if it was a free service, I'd still punch them in the face.
And voting is important. Even the people who don't do it recognize that in some way, they are cheating themselves and the system. Disenfranchisement is a highly sensitive issue, but I'd say every registered voter views their vote as sacred as their medical record. Which means it should have similar access controls to prevent theft, tampering, or even accidental (or malicious) modification. Out of all the engineers in Ohio chugging away on this system, someone should've recognized that Americans view their electoral system as something in need of securing. Not one of those engineers ever thought to bring up to management the fact that an Access backend is, well, insecure and negligent?

