Electronic Voting Done By Idiots

"If Virginia Elections Weren't Hacked, It's Only Because No One Tried"
I have talked about electronic voting before (lots of older posts on Twitter and Facebook), and here is a story that hits too close to home.

"[E]arlier this week, Virginia decided to decertify a bunch of electronic voting machines after noting that the security on them was abysmal."

Turns out that all the spiffy electronic voting boxes we have been using in Virginia for years were abysmally bad, from using weak default and hard-coded passwords to completely skipping anything like basic security practices.

"If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded."

An incompetent first-year CS student could have designed a better system, so the only conclusion I can make is that either the company that wrote the software did not care at all about producing a decent product, or they were deliberately trying to write bad code.

The database is a very obsolete version of Microsoft Access ... there are no controls on changing the database

I would not even allow code I wrote to be delivered to production with the kinds of mistakes mentioned in the report, from not locking out default services to allowing uncertified USB devices to connect to the hardware.

What actually scares me more is the attitude displayed by Richard Herrington, secretary of the Fairfax City Electoral Board:

Herrington voted against decertifying the machines on the grounds that all machines have problems.

Yes, Mr Herrington, all software does have problems and bugs. However, even basic testing and trivial security uncovered these issues. And no competent program department should have ever certified these machines.

But more importantly, when dealing with something as critical as voting, we should demand far more than "eh, it's not all that bad...". I would not trust the company that produced those machines with my money, and we should demand at least as good code for voting as we demand from our banks.
