"If Virginia Elections Weren't Hacked, It's Only Because No One Tried"
I have talked about electronic voting before (lots of older posts on twitter and Facebook) and here is a story that hits too close-to-home.
"[E]arlier this week, Virginia decided to decertify a bunch of electronic voting machines after noting that the security on them was abysmal."
Turns out that all the spiffy electronic voting boxes we have been using in Virginia for years were abysmally bad. From using weak default and hard coded passwords to completely skipping anything like basic security practices.
An incompetent first year CS student could have designed a better system so the only conclusion I can make is that either the company that wrote the software did not care at all about producing a decent product, or they were deliberately trying to write bad code.
I would not even allow code I wrote to be delivered to production with the kinds of mistakes mentioned in the report. From not locking out default services to allowing uncertified USB devices to connect to the hardware.
What actually scares me more is the attitude displayed by Richard Herrington, secretary of the Fairfax City Electoral Board
Herrington voted against decertifying the machines on the grounds that all machines have problems.
Yes, Mr Herrington, all software does have problems and bugs. However, even basic testing and trivial security uncovered these issues. And no competent program department should have ever certified these machines.
But more importantly, when dealing with something as critical as voting, we should demand far more than "eh, it's not all that bad...". I would not trust the company that produced those machines with my money and we should demand at least as good code for voting as we demand from our banks.