Feeds

Diebold voting systems critically flawed

'It is like the nuclear bomb for e-voting systems'

SANS - Survey on application security programs

When Bruce Funk called in BlackBoxVoting to look at some strange memory issues with Diebold voting systems in Utah, finding the "nuclear bomb" of e-voting security was not on his agenda.

As the auditor and clerk for Emery County, a large rural bite out of the middle of Utah, Funk had noticed that the county's voting machines - provided by Diebold - were having various maintenance issues. Because Utah had adopted a requirement for a verified voter paper audit trail - essentially a printout of a person's vote - Funk needed the printers to work flawlessly. However, they frequently jammed. Moreover, electrical cords had pulled out from the machines with components attached. Those issues made Funk believe the machines may not have been new, but refurbished.

A Diebold technician told the county auditor early this year that any components with problems would have to be replaced. Funk decided to do a manual check of the systems to find any other issues and discovered that the machines had a variety of different file sizes on backup memory. Uncertain why that should be and wanting an independent opinion, he contacted the e-voting muckraking group BlackBoxVoting to come and look at one of the systems, he said.

In March, BlackBoxVoting flew in Harri Hursti, a Finnish voting-machine security expert with whom the group had frequently collaborated. Funk remembers that he was surprised by what Hursti could do with only poll-worker-level access to the machine.

"He was able to - from the keyboard that appears on the machine - create a macro that doesn't even show up that you created it, go and pickup a program through the modem, and run it," Funk said during an interview with SecurityFocus from his home in Clawson, Utah. "I was thinking that this was not right."

As Hursti got more familiar with the machine, he and members of BlackBoxVoting, who were videotaping the process, became more concerned, Funk said.

"It became so serious, that my concern about memory was minor," he said. "They told me that the information that they'd found had to go to certain federal agencies and certain things had to be done before the issues were made public."

Officials in Utah apparently were not concerned with the security of the systems, but with what they considered a breach in authorization. State officials and representatives of Diebold told Funk that he had cost the county more than $40,000 in damages because Diebold technicians would have to return to the county and recertify the systems, according to transcripts of the public parts of an April meeting in Emery County published by BlackBoxVoting.

"The reason that we’re here today is because Mr. Funk, on his own, has gone outside that system and compromised the integrity of not only Emery County’s elections, but also the State of Utah and any other jurisdiction of the United States that is using this equipment, simply because he wouldn’t call and ask these questions that these people and the Lieutenant Governor’s staff know the answers to," said Utah's State elections director, Michael Cragun, according to the transcript. "It seems to me it’s inappropriate to be in this meeting now answering these questions he should have asked before he compromised the integrity of this system."

The officials asked for Funk's resignation, which he gave verbally at the meeting.

"They basically said that they have people that want to have you removed," Funk said. "This whole weight fell on me and I said, 'I'm so tired, just let me out.'"

By the next morning, he decided to fight the process, but he was informed that a verbal agreement to resign was enough, he said. Calls to both Diebold and the office of the governor of Utah by SecurityFocus were not returned.

Meanwhile, Funk maintains that he did what the county's voters elected him to do: Look out for their interests in a fair election process.

"Basically, (Utah officials) tried to portray BlackBoxVoting as some radical organization, and they portrayed me as a renegade villain," he said. "They don't want this to come out, but it needs to come out at a national level."

Combat fraud and increase customer satisfaction

More from The Register

next story
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
APPLE FAILS to ditch class action suit over ebook PRICE-FIX fiasco
Do not pass go, do cough (up to) $840m in damages
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.