New article: E-Voting: It's Security, Stupid

[David Farber <dave () farber net>]

Begin forwarded message:

From: Stu Burton <stuburtonnyc () hotmail com>
Date: August 24, 2004 9:44:11 AM EDT
To: gnu () eff org, farber () eff org
Cc: lessig () eff org, pam () eff org
Subject: New article: E-Voting: It's Security, Stupid

August 23, 2004

from: http://www.eweek.com/article2/0,1759,1637546,00.asp

E-Voting: It's Security, Stupid

August 23, 2004
By Ben Rothke


Last month, Harris Miller, president of the Information Technology 
Association of America, reportedly stated that the open-source movement 
is using the issue of e-voting security to wage a "religious war" that 
pits open-source software against proprietary software. The only thing 
more absurd would be for Miller to blame the woes of e-voting on a vast 
right-wing conspiracy. As a citizen and voter, Miller should applaud, 
not disparage, the whistle-blowers who have demonstrated the security 
flaws of e-voting systems.

Leading security professionals say they are against e-voting because of 
its intrinsic security weaknesses. Indeed, if e-voting were a drug, the 
FDA would never let it out of the lab.

Miller also stated that a recent ITAA survey showed that 77 percent of 
registered voters are unconcerned about the security of e-voting 
systems. Such a figure demonstrates how little those polled know about 
information security. Could any of that 77 percent find insecure code 
in the voting software or explain, for example, how blind signature 
voting systems are supposed to work? Democracy is magnificent, but the 
optimism of 77 percent of the populace cannot make insecure and buggy 
code workable. If the 77 percent truly understood the many security 
problems, their enthusiasm for e-voting would be quickly extinguished.



In fact, e-voting creates the largest and most unique set of challenges 
to information security today—greater than the security challenges of 
e-commerce or electronic tax filing systems. When the ITAA points a 
finger at the open-source movement, it is only in a futile attempt to 
deflect criticism of the inherent security flaws of e-voting systems.

Paper voting is not without its problems, as the presidential election 
in 2000 made clear. What traditional voting systems offer, however, are 
audit trails. Although far from perfect, paper audit trails are the 
best we have. While fraudulent repeat voting has long been a problem, 
the most fraudulent votes a single person could place in a single day 
might be 20. Move that election online, and there's theoretically no 
limit to the number of hacked votes that could be placed.


Electronic audit trails, if implemented effectively, could provide an 
ideal solution. The only problem is that there are no vendors that are 
developing auditability levels that would permit secure e-voting.

Secure e-voting is not beyond our reach. It could be developed, but it 
might amount to the application equivalent of the Manhattan Project. 
Until such a commitment is made, e-voting is one technology that we 
would be well-advised to do without.

Ben Rothke, CISSP, is a New York-based security consultant with 
ThruPoint Inc. McGraw-Hill has just published his book, "Computer 
Security: 20 Things Every Employee Should Know." Rothke can be reached 
at brothke () thrupoint net.

_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from McAfee® 
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963


-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/