ES&S Voting Machine Reviewed: Security Is Lacking

from the you-expected-otherwise? dept

ES&S is already involved in a lawsuit for providing uncertified software to California e-voting machines, but things keep getting worse for the company. Beyond all the other problems it's had with buggy machines and a defiant attitude towards anyone who questions the company, California has finally produced the independent security team review of the ES&S machines used in California and it's not pretty. You may recall that all of the other e-voting machines were reviewed by independent researchers four months ago. ES&S, however, wasn't included in that review because the company stubbornly refused to hand over its source code until well after the deadline, meaning that the review had to wait. However, the results are pretty similar to the other machines. The machine was clearly not built with security in mind, as both the software and the physical security were found to be lacking and easily violated in ways that would not leave much of a trace. At this point, none of this should be even remotely surprising. What still is surprising is why none of these firms will even admit that their approaches to date have fallen well short of what was necessary -- while committing to building new machines that actually have real security and accountability built in.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    bob, Dec 4th, 2007 @ 4:03pm

    never atribute to malice what can be explained by incompatance, however at this point incompatance is getting harder and harder to believe

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Anonymous Coward, Dec 4th, 2007 @ 5:11pm

    Re:

    "Never attribute to malice that which can be explained by incompetence."

    Fixed. Perfect thing to quote in regards to these 'voting machines.'

    I'm honestly surprised the government (state or better yet, Federal) doesn't treat these like they do military hardware. Send out an RFP (request for proposal) with specific needs and do a competitive bid.

    Should the winning bid fail to meet the needs (such as being able to be compromised as easily as these POSes) move on to the next bidder.

    Then once they get a working model, STANDARDIZE IT and use it until a flaw is found.

    Won't happen, but it'd be nice.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    The spell checker, Dec 4th, 2007 @ 5:13pm

    Re:

    Main Entry:in-com-pe-tence
    Function:noun
    Date:1663

    : the state or fact of being incompetent

    Or in this case, the state of desperately needing a spell checker in the comments area

     

    reply to this | link to this | view in thread ]

  4.  
    icon
    ECA (profile), Dec 4th, 2007 @ 5:55pm

    Hmmm

    Any old programmers here? Want to start a company..

    What would it take to HIT the BIOS and lock down ALL ports.
    USE a BASIC input device, like a Numeric pad ONLY.
    And make the Whole program in GW basic.. Or just use DOS, and HTML..
    WHAt is so hard about LOCKING down ports, and NOT installing DRIVERS for those ports...UNLESS you want to USE WINDOWS, there SHOULDNT be a problem.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Sal, Dec 4th, 2007 @ 7:24pm

    I'm no expert programmer, but how hard is it to make a program using 5 buttons at the most. I thought the point of e-voting is an accurate count, not a complex global network with special features.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Rich Kulawiec, Dec 5th, 2007 @ 7:19am

    Technology is the wrong answer

    And I say that as a long-time technologist.

    Part of the reason that it's the wrong answer is that the wrong question is being asked -- or perhaps another way to put that is that the wrong requirements are being articulated. Consider, for example: what is the functional requirement for the time lag between end-of-voting and result reporting?

    I submit that the answer to that question ranges somewhere from "days" to "weeks", as in most countries there is a considerable lag between when an election's winner is determined and when that winner assumes office. There is thus no functional requirement for real-time reporting of results. (Yes, I'm aware that the media would like this, but elections are not run for the benefit of media. It is vitally important to get the numbers right; it is of no importance at all to get them quickly.)

    This line of reasoning (and others similar to it) lead me to the conclusion that very simple voting systems (e.g., pencil and paper) will meet all functional requirements. In addition, such systems are well-understood -- in part due to long experience in the field -- and numerous anti-fraud techniques are known for them.

    The answer isn't to "fix" these hopelessly-broken voting machines; the answer is to dispense with them entirely.

    (Let me anticipate a possible counter-argument about the tedium of having tens of millions of ballots repeatedly hand-counted over a period of (say) a few weeks: don't you think that democracy's worth that minor delay and trifling inconvenience?)

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Trevlac, Dec 5th, 2007 @ 11:36am

    Re: Hmmm

    When you capitalize whole words to put emphasis on them like this it MAKES me WANT to SMASH your FACE in WITH a HAMMER. Because I can hear your repetitive cadence in my head -- and it is maddening. As to what you said, you're all over the place with computer terms. Try to consolidate your argument or at least explain each method of intrusion.

    As far as the voting machines go, why are we even allowing this to continue?

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This