Computerworld - Herbert Thompson, director of research at Wilmington, Mass.-based Security Innovation Inc., is a co-author of several books, including How to Break Software Security (Addison Wesley, 2003). He volunteered last May and again last month in Leon County, Fla., to hack an optical scan system made by Diebold Elections Systems Inc., after county officials voiced fears about the system's accuracy and security. Thompson recently discussed the result of the test hacks in an interview with Computerworld.
Herbert Thompson, director of research at Security Innovation Inc.
[Finnish security specialist] Harri Hursti [who also took part in the hacking exercise] changed the contents of a memory card used in the optical scan device and preloaded it. If you can get access to the memory card, you can change its logic and have it do whatever you want. That hack was like prestuffing a ballot box to handicap one candidate by giving them negative votes and giving another positive ones.
Do you think e-voting security has become a political issue? I'm strictly an independent person donating my time. It's not political. Bad software is the issue. I'm a software security guy. I see a lot of bad software. All software has security vulnerability -- this is just particularly bad. As an election official, you have to be wary when touching a tabulator or a memory card; it has to be treated like a box of live ballots.
How do you respond to Diebold's claims that the hacks were unfair? I would love to do a demonstration where Diebold participates. There are certainly other voting companies that make tabulation software as well as optical scan gear, and we're seeing the same vulnerabilities as we've seen in Diebold's systems, which raises a broader question. That's about whether the verification and validation processes these machines go through are woefully inadequate or not. The e-voting companies aren't volunteering their systems for independent audits and analysis.
Is the security in e-voting up to the standards that business executives would demand in their applications?No way. Definitely not. Five years ago, yes, but in the current climate, no. These guys are betting their critical business processes on software. They need to consider who might do harm to that system. This level of rigor isn't applied to e-voting systems.
What should be done? There should be much more severe security-testing requirements. The key is you need to raise awareness that these vulnerabilities do exist and can be exploited, and you need a way of measuring security.
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
