Security Or Death
If you haven't seen HBO's "Hacking Democracy" on-demand, you must. If you still don't think data security is a really big deal, this should finally push you over the edge.
If you work for Diebold, I'm sorry, but you gotta find another gig. What a batch of executive dirtbags.
Let me tell you something more horrific than the fact that last year my good friends at Marriott lost my personal data and two weeks later the Boston Globe not only lost my information, they printed it in hard copy and distributed it across the great state of Massachusetts apparently.
Democracy itself is being decimated, one hacked bit at a time.
Like many of you, I am smashed in the head with so many sensory inputs daily that I can’t possibly comprehend the magnitude of most events. I live in an ADD haze where the fact that thousands of people die every day in wars around the globe and mass genocide still occurs gets the same non-attention as the cute little puppy left homeless after a local fire, or who won the football game. I think about security and data and privacy and ethics as isolated elements, as singular events designed at the hands of some poor slob or evildoer with a small-minded mission, like stealing my money. Then I stumbled upon an HBO documentary (On-Demand, which may be the greatest invention ever) called “Hacking Democracy”. It had an intriguing title, so play I did.
This may sound like some political rambling for a few minutes, but bear with me. It may also sound like a lot of hippy, tree-hugging, spread the wealth, save the unborn gay whales for the lord rhetoric, but again, stay with me. I’m as capitalistic and conservative as a centrist can be. As a matter of fact, I’m a Republican living in Massachusetts, which makes me the political equivalent of a Panda – odd, interesting to look at, the brunt of many debates, and not very threatening since we all know neither of us is going to aggressively attack anyone.
The basis of democracy is that everyone gets the right (and duty, in my opinion) to vote. One person, one vote. You don’t like how things are going; you have the right to cast your ballot and try to change it. Granted, most Americans complain and yet don’t vote, but they could if they wanted to. We can even vote for complete nitwits, as it is our right. Silly idealistic me has grown up believing this fundamental principle, and believing that all other things I hold dear about the democratic process and all its warts are based upon this one basic principle. It never dawned on me that of course someone would hijack the process.
Sure, we know that a person could make a “mistake” counting votes. We know that sometimes things get lost – but only at a small, local level, right? I mean please, if there are lots of votes to count, we use computers. Counting things is what computers do, isn’t it? Haven’t we been able to use a computer to tabulate basic math functions since, well, the invention of computers? Wasn’t the first computing machine an automated abacus? Of all the problems yet to solve with computers, counting isn’t one of them. We did that already.
Or so I thought. A vote counting computer is the gizmo you either vote directly on if it is a touch screen, or you have your ballot placed into and read, if it’s an optical character recognition type. Either way, all that baby has to do is add up how many checked box 1 and how many checked box 2. That’s it. My 12-year-old could program it.
Because we like to believe in higher level constructs like truth and justice, we (sorry if I’m associating you with me, there is a chance I’m the only one who was dumb enough to live this way, but it makes me feel better to act as a class) sort of just assumed that A: the voting tabulators, a.k.a. dumbed down calculators (requiring approximately 4% of the functionality of a .69 cent device available in 99% of all electronic products everywhere in the world) could add, and B: the integrity of those machines – i.e. the security of those machines, would be ironclad. Sure, some could be compromised locally, but the checks and balances associated with such a simple process would have to be impossible to overcome, right?
Bam!! Smashed in the mouth with reality. I’m not that smart, but here’s how I would have assumed such devices might operate:
The magic voting tabulator would have a hardened O.S. that was entirely self-contained. It would not accept any field changes, ever. Since all it has to do is add, the program would have been locked down since about 1972. Of course there would be independent auditors who validate the machine code, create tests to run, and certify the integrity of the machines - who work for the people, by the people. Once the box is “enabled” i.e. ready to accept votes when the polls open, any physical activity would trigger a tampering fault, and the system would shut down. All the data that had been read thus far would have already been pushed out to the next level tabulator (with no data being kept on the collection device itself) over a mega-encrypted proprietary link. There would be no bi-directional communication allowed – one way only – out.
I’m fairly confident I could start a company and deliver the above specified devices without leaving my home, and be able to make a tidy profit selling said devices for roughly $200 each. I’m also confident that if my 12-year-old couldn’t program it, there’s some other neighborhood kid who can. I’d let the guys who keep the nuke codes be the ones who are in charge of verifying the integrity of the system – or maybe even better – the guys who keep the Oscar winners a secret. Make it a federal crime with the penalty of death for tampering with the voting process. I’d vote for that.
Apparently I’ve been drinking the wrong Kool-Aid again. HBO uncovered the ugly truth behind the uglier process. Actually, a grandmother in Seattle did, and brought HBO along for the ride. The story is scarier than Hostel and all 3 Saw movies combined.
This nice Seattle lady, Bev Harris, wondered why her district went from the old fill in the oval ballots to touch screens. She didn’t like the answers, so she started snooping around on the internet. During her homework she stumbled upon an FTP site from voting machine market leader Diebold (I think their full legal name may be Die Boldly Lying To Your Face, Inc.). The FTP site contained all the source code for the voting machines. Up until that time, the world was told that source on such devices was double secret, uber-Russian security, CIA stuff. It was completely secure, impenetrable, and bullet proof. It was B.S.
She took the source to a few security gurus, who were able to hack the code and make it do whatever they wanted in about 10 seconds. They could make it output any result they wanted, regardless of the input. The Diebold machines used a removable disk that kept the tabulated data. That disk and all the others were then physically removed and inserted into the aggregation machine, which added up all the sub-votes, declaring a winner. While the company bold-faced lied to everyone and anyone – insisting the system was impenetrable, Bev and one honest guy who ran a voting district in Florida and smelled a rat, proved that they could put a hacked executable on these disks and upload the hack no problem – and it only took one machine to screw an entire election.
The CEO of Diebold was the cheesiest, smarmiest liar I’ve ever seen. A used car salesman’s bookie’s drug dealer has more ethical integrity. The company spokesman/stooge was a “marketing director”, which means there was no way any VP type was going to put their name on this Titanic debacle. The poor bastard reminded me of Tariq Aziz and Lee Anne McBride combined. (Tariq was Saddam’s spin master during the first Gulf War, and I loved how this guy could say things like “we are depleting the enemy of their critical armaments and are assured of victory within hours”, even though the entire world watched non-stop bombing from space while occasionally some guy in the desert threw a goat turd in the air. Lee Anne is Dick Cheney’s spin master – who told us about the unfortunate accident where Dick shot his pal in the head with a shotgun on a very dangerous quail hunting trip. She almost made me forget that these “hunting ranches” aren’t exactly the wild jungle – really it’s more like a rich guy’s back yard that has these birds with one wing duct taped behind its back, tethered to a 50 foot rope, tossed in the air by an employee who first yells “look over here guys, I think I hear one about to take off”. I’m pretty sure Dick doesn’t eat what he kills, but I digress.)
He, and the CEO, lied to everyone from Congress to me. They did so without any consideration of the facts that stared them in the face. They actually said that Mrs. Harris stole the source code. It was an awesome display of ethical de-volution combined with outright ineptitude. At least Bernie Ebbers and Ken Lay were smart dirt balls. These guys are buffoons.
So it was completely and absolutely proven that the Diebold voting machines had security flaws you could sail an ocean liner through. (For the record, there are two other companies that make this stuff, but I can’t remember their names, and they weren’t implicated as dirt bags in this documentary.) It was also exposed that they charge HUGE money for these easily hackable calculators. One district paid $20,000,000 for a bunch of the bad boxes – after being given irrefutable evidence that the machines have these security issues, the company flagrantly lied right to the committee making the decision, and the whole thing was captured on tape for all to see. Absurdity at its finest.
We are, after all, the country that elected Marion Barry back to office even after he was videotaped smoking crack with a hooker. Democracy in action. The program spent a lot of time showing how Republicans were benefiting from the scam, but the security issue affects all parties and peoples. They did do a nice job of showing how one district in Florida had their machines so wonderfully hacked that not only did Mr. Bush kick butt vs. Mr. Gore, but Mr. Gore actually received negative 16,000 votes. True story. In order to make sure the number of votes cast equaled the number of voters who voted, the security dudes created a sample executable that uploaded into the voting machine and for every vote it added 5 votes for Mr. Bush, and subtracted 4 votes for Mr. Gore, netting 1 vote. If 1000 people voted there would be a result of 1000 votes cast for Mr. Bush, zero for Mr. Gore.
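Totals manipulated the way this paragraph describes still add up to the number of voters, so a turnout reconciliation on its own passes. The Python sketch below is an added example, not part of the original post or any vendor's code; it shows which independent checks catch such totals, and the function names, candidate labels and figures are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    check: str   # which audit check raised it
    detail: str  # human-readable explanation


def audit_precinct(reported, turnout, hand_count=None):
    """Audit one precinct's machine-reported totals.

    reported   -- dict: candidate -> total reported by the tabulator
    turnout    -- voters signed in at the poll book
    hand_count -- optional dict: candidate -> manual count of paper ballots
    """
    findings = []
    total = sum(reported.values())
    # Check 1: the reconciliation that sum-preserving tampering is built to pass.
    if total != turnout:
        findings.append(Finding("turnout", f"sum {total} != turnout {turnout}"))
    # Check 2: every single total must lie in 0..turnout.
    for name, votes in reported.items():
        if votes < 0 or votes > turnout:
            findings.append(Finding("range", f"{name}: {votes} outside 0..{turnout}"))
    # Check 3: compare with a count the machine's software never touched.
    if hand_count is not None:
        for name in sorted(set(reported) | set(hand_count)):
            machine, paper = reported.get(name, 0), hand_count.get(name, 0)
            if machine != paper:
                findings.append(
                    Finding("hand_count", f"{name}: machine {machine}, paper {paper}"))
    return findings


def checks_failed(findings):
    """Sorted, de-duplicated names of the checks that raised findings."""
    return sorted({f.check for f in findings})


# Constructed sample data (not figures from the documentary).
TURNOUT = 1000
NEGATIVE = {"Candidate A": 1400, "Candidate B": -400}   # sums to turnout
PLAUSIBLE = {"Candidate A": 700, "Candidate B": 300}    # sums to turnout, in range
PAPER = {"Candidate A": 450, "Candidate B": 550}        # manual count of ballots

if __name__ == "__main__":
    for label, totals in (("negative", NEGATIVE), ("plausible", PLAUSIBLE)):
        for f in audit_precinct(totals, TURNOUT, PAPER):
            print(label, f.check, f.detail)
```

Only the comparison against paper ballots flags the second data set, which is why an audit trail independent of the tabulator matters more than any arithmetic check on its output.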
So, I’m sorry about the political, do-gooder rant, but I warned you. Security matters and we aren’t doing enough about it. It’s not about technology alone – it’s about policy and process. John Kerry knew that in New Mexico, overwhelmingly Democratic districts reporting overwhelmingly Democratic outcomes in the exit polling were reporting Republican victories. He knew – and he did nothing. Worse, by conceding the race under the auspices of saving the belief in the system, there was no legal way to launch an official inquiry. There were people ready to go.
As long as people are willing to tolerate security botches they will occur. As long as greed or power or lunacy is accepted as a reason for leaving a back door open for the ethically challenged, they shall enter. As long as our system rewards dirt bags by allowing them to build junk and sell it for a ton, they will. Am I really to believe that IBM couldn’t build these things? I don’t even want to think about the ATMs these guys make. Stealing my ID sucks, stealing Democracy violates every principle I thought I had.



Diebold has a response to the HBO show on their web site. Diebold claims their machines were not even in use in New Mexico during the 2004 Presidential election. Either the lies keep coming or the HBO show contains errors.
Posted by: Kurt | December 05, 2006 at 02:30 PM