Feeds

Diebold voting systems critically flawed

'It is like the nuclear bomb for e-voting systems'

Choosing a cloud hosting partner with confidence

When Bruce Funk called in BlackBoxVoting to look at some strange memory issues with Diebold voting systems in Utah, finding the "nuclear bomb" of e-voting security was not on his agenda.

As the auditor and clerk for Emery County, a large rural bite out of the middle of Utah, Funk had noticed that the county's voting machines - provided by Diebold - were having various maintenance issues. Because Utah had adopted a requirement for a verified voter paper audit trail - essentially a printout of a person's vote - Funk needed the printers to work flawlessly. However, they frequently jammed. Moreover, electrical cords had pulled out from the machines with components attached. Those issues made Funk believe the machines may not have been new, but refurbished.

A Diebold technician told the county auditor early this year that any components with problems would have to be replaced. Funk decided to do a manual check of the systems to find any other issues and discovered that the machines had a variety of different file sizes on backup memory. Uncertain why that should be and wanting an independent opinion, he contacted the e-voting muckraking group BlackBoxVoting to come and look at one of the systems, he said.

In March, BlackBoxVoting flew in Harri Hursti, a Finnish voting-machine security expert with whom the group had frequently collaborated. Funk remembers that he was surprised by what Hursti could do with only poll-worker-level access to the machine.

"He was able to - from the keyboard that appears on the machine - create a macro that doesn't even show up that you created it, go and pickup a program through the modem, and run it," Funk said during an interview with SecurityFocus from his home in Clawson, Utah. "I was thinking that this was not right."

As Hursti got more familiar with the machine, he and members of BlackBoxVoting, who were videotaping the process, became more concerned, Funk said.

"It became so serious, that my concern about memory was minor," he said. "They told me that the information that they'd found had to go to certain federal agencies and certain things had to be done before the issues were made public."

Officials in Utah apparently were not concerned with the security of the systems, but with what they considered a breach in authorization. State officials and representatives of Diebold told Funk that he had cost the county more than $40,000 in damages because Diebold technicians would have to return to the county and recertify the systems, according to transcripts of the public parts of an April meeting in Emery County published by BlackBoxVoting.

"The reason that we’re here today is because Mr. Funk, on his own, has gone outside that system and compromised the integrity of not only Emery County’s elections, but also the State of Utah and any other jurisdiction of the United States that is using this equipment, simply because he wouldn’t call and ask these questions that these people and the Lieutenant Governor’s staff know the answers to," said Utah's State elections director, Michael Cragun, according to the transcript. "It seems to me it’s inappropriate to be in this meeting now answering these questions he should have asked before he compromised the integrity of this system."

The officials asked for Funk's resignation, which he gave verbally at the meeting.

"They basically said that they have people that want to have you removed," Funk said. "This whole weight fell on me and I said, 'I'm so tired, just let me out.'"

By the next morning, he decided to fight the process, but he was informed that a verbal agreement to resign was enough, he said. Calls to both Diebold and the office of the governor of Utah by SecurityFocus were not returned.

Meanwhile, Funk maintains that he did what the county's voters elected him to do: Look out for their interests in a fair election process.

"Basically, (Utah officials) tried to portray BlackBoxVoting as some radical organization, and they portrayed me as a renegade villain," he said. "They don't want this to come out, but it needs to come out at a national level."

Intelligent flash storage arrays

More from The Register

next story
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.