It is important to recognize that the election process is a long and arduous one in which Election Day is just one highly visible manifestation. The integrity of our elections depends on almost every step along the way. That obviously includes the actual casting of ballots and the creation, evaluation, certification, testing, and maintenance of voting equipment. But it also includes the registration of voters; identification, authentication, and challenging of voters; creation of the actual appearance of ballots and setting up the voting machines; distribution and handling of ballot and polling-place information, absentee ballots, and especially provisional ballots; processing of ballots; tabulation and collection of results; and proper assurance that voters' ballots are treated with adequate respect for privacy -- along with oversight of each of the steps in the entire process. Historically, many past elections have encountered serious anomalies. (See my Illustrative Risks document, http://www.csl.sri.com/neumann/illustrative.html and click on Election Problems; that summary of RISKS cases will eventually be upgraded to include the most relevant of a large number of reported November 2004 anomalies.) Yesterday's election reminds us once again that each of the steps in the overall election process represents various potential weak links with respect to security, system integrity, accountability, recountability, privacy -- and, indeed, the democratic process. For example, some exit polls differed rather substantially from the actual results in some states. However, in the absence of meaningful audit trails, it is impossible to determine definitively whether this was the result of a lack of integrity and accuracy in the exit polls or in the election systems themselves; a voter's intent remains unknown in the absence of voter-verified audit trails when using unauditable machines. On the other hand, having to believe in exit polls to evaluate whether the unauditable electronic machines were accurate and noncompromised is also a ludicrous proposition. When everything comes down to one state -- in it did again this year -- we are left with unanswered and indeed unanswerable questions about the integrity of the unauditable all-electronic machines in Ohio. Among other vendors, Diebold is known for numerous transgressions. We have previously noted here that in California in 2002, the software that was used by Diebold in 17 counties was not the software that had been certified; the actual versions in use were different. In Georgia in 2002, Diebold's had unmonitored dedicated lines into computer systems during the election process (in case it was necessary to fix (!) problems). (This is also true of other vendors, and is apparently used to download software upgrades and offload results.) In Ohio in 2003, Diebold's CEO Wally O'Dell wrote to would-be contributors that he is "committed to helping Ohio deliver its electoral votes to the President next year." Overall, the use of unauditable machines is of particular concern when it is impossible to determine the presence of bad software, human error, and intentional fraud -- unless the anomalies are totally egregious, as in the case in Boone County, Indiana, of 144,000 votes being recorded when only 5,352 people had voted (RISKS-23.03) or where -16,022 votes were reported in Volusia County, Florida (RISKS-22,93,94). Of course, other voting machine companies are also involved in many other irregularities, so Diebold is not the only source of problems. Returning to the notion that the voting problem is a total-system problem, here are a few more issues. * The federal election standards are inherently incomplete and extremely weak. This is true of the 2002 standards that replaced the 1990 standards, although most of the current systems were evaluated against the even weaker old standards. * The evaluation process is normally secret, and funded by the voting machine purveyors themselves -- some of whose employees have felony conviction records or otherwise questionable backgrounds. * Many state election officials are overtly partisan, some also serving in party positions (as in Ohio). * The National Institute of Standards and Technology is supposed to be involved in setting standards, but its funding is grossly inadequate for this task. * The U.S. Election Assistance Commission has also been seriously shortchanged in its funding. * Legislation cannot reflect all of the possible things that can go wrong, but it is absolutely essential that nonpartisan actions and guidelines be as carefully and proactively constructed as possible. * In the 2004 national election, it is already clear that numerous irregularities have occurred leading up to and during the election (including a variety of what might be called "dirty tricks"), some of which even appear to have been illegal. For example, numerous efforts to disenfranchise or harass legitimate new voters were reported in various states. Further complicating the need for a level playing field, there were many reports of long lines -- with some voters having to wait two hours or four hours to vote, and even a few who had to wait for 9.5 hours! The fact that some voters persevered despite such discouraging circumstances is truly amazing. * There were also reports from New Orleans that all of the Sequoia machines throughout the city had failed (for example, could not be booted up), and that there were inadequate paper backups. * Training of precinct workers is also a significant problem under confusing conditions, as was misinformation and a lack of standards regarding provisional ballots mandated by the Help America Vote Act. * The Election Incident Reporting System (https://voteprotect.org) is currently showing 29007 reported incidents (many of which were relatively minor, but the total of which suggests some real problems), with Pennsylvania, Florida, California, New York, and Ohio leading the pack in that order. And I feel as if I have only scraped a little off the top of the iceberg. Correcting all of these and other problems is not an easy task, and requires objective approaches. But the primary lesson from this election -- irrespective of the eventual outcome -- is that we still urgently need meaningful election reforms. It is not too early to do this for the future.
U.S. voters across the country reported some 1,100 problems with e-voting machines, bearing out scientists' concerns that touchscreen machines are prone to tampering and unreliable unless they're equipped to print out paper records for recounts. Some problems were blamed on factors as mundane as power outages and incompetent poll workers, but there were a number of voters in six states -- especially Democrats in Florida -- who said that although they voted for John Kerry, when the computer asked them to verify their choice, it indicated that they had voted for President Bush. One voter in Clearwater reported that it took her about 10 tries and a quick touchscreen clean-up with a wet-wipe towel before she could successfully select Kerry. A spokesperson for Sequoia Voting Systems said the machines' monitors may need to be recalibrated periodically to ensure the touchscreen is sensitive enough to record users' votes. [AP/CNN.com 3 Nov 2004; NewsScan Daily, 3 Nov 2004] http://www.cnn.com/2004/TECH/11/03/electronic.voting.ap/index.html
In the election of 2 Nov 2004, San Francisco's district supervisor election used ranked-choice voting for the first time. It went just fine on Tuesday during the election. Preliminary results showed candidates in three districts had won by a majority (so no reranking is needed), whereas the other four seats remained to be determined by the preferential ballot counting process. However, the computer processing broke down completely on Wednesday afternoon when election workers began to merge the first, second, and third choices into the program that is supposed to sequentially eliminate low-vote candidates and redistribute voters' second and third choices accordingly. However, no San Francisco ballots were lost, because each ballot has a paper trail. The software is provided by ES&S (Election Systems and Software, in Omaha). This system has undergone federal and state testing, as well as pre-election testing in which everything seemed to work perfectly. [No surprise to RISKS readers there.] The results of four contested supervisors' races are expected to be delayed up to two weeks. [Source: Suzanne Herel, *San Francisco Chronicle*, 4 Nov 2004, front page continued on A7; PGN-ed]
Brussels has been "blamed" for bringing winter a week early to parts of the country. About 2,000 clocks on public buildings and railway stations across the UK have gone back an hour seven days too soon. An EU directive dictating clocks should change on the last Sunday of October has been blamed by clock makers. Traditionally, clocks changed on the fourth Sunday of October and most were pre-programmed to do so. There are five Sundays in October this year. [...] [Source: BBC News]
Today's cnn.com (http://www.cnn.com/2004/US/10/19/terror.nrc/index.html) has a story on floor plans, chemical lists, and other "sensitive" data on licensed nuclear facilities in the U.S. being made available through the Nuclear Regulatory Commission's web site. The article discusses what types of information are available, and how it may be useful to terrorists planning attacks against such facilities, or raids to obtain radioactive material. Interestingly enough, little is said about why the information was up in the first place. The reason is likely regulations requiring disclosure of hazardous substances and publication of floor plans for use in fire/rescue training and other safety-related regulations. While most of us can agree that security through obscurity is a dead end, the article's author seems mildly outraged and disbelieving that such information would ever be publicly available. However, it's nice to know that some people who are discussing physical security understand the failures of security through obscurity: Money quote: "It [the Web site] may help a little, but if someone's determined to do this, it won't help them much. If someone wanted to find this out, they can," said David Albright of the Institute for Science and International Security. "If secrecy is your only security, then you don't have it. Because everybody that has a brain knows that physics departments use radioactive sources ... and it's not that hard to find where they are," he said. It's always a delicate balance, when you have to weigh government secrecy against the public right to know what's going on in their government. In my mind, it's better to err on the side of public knowledge, while implementing true security measures. The alternative is to try to hide everything and then have to explain to a few thousand people why their loved ones died in an attack that could have been prevented by a security policy driven by the assumption that the enemy can find out whatever they need. The latter takes more work, but it's more honest and more reliable. David W. Brunberg, Engineering Supervisor, The F.B. Leopold Company, Inc.
http://news.yahoo.com/news?tmpl=story&u=/ap/20041025/ap_on_bi_ge/battle_ready_robot http://news.yahoo.com/news?tmpl=story &u=/ap/20041025/ap_on_bi_ge/battle_ready_robot No consideration appears to be given here by the John Deere corporation (engaged enthusiastically in beating plowshares into high-tech swords) that battlefield robots may represent the existing hazards of land mines to children and others...raised to a power. Dazzled by the glitter of the hardware and the apparent perfection of the software in the showroom, we seem to systematically forget what happens to old systems of this nature. The unusable laptop, that boots up to a Blue Screen of Death and is too expensive to repair, becomes closet clutter as does the desktop outdated by the next big thing. But what happens to military hardware, as is evident from the known problem of unexploded ordnance (still a problem in northern France, almost a century after the First World War), is much more serious. It becomes an attractive nuisance for children growing up in former battlegrounds. A partially functional, unmanned and unaccounted for battlefield robot will attract children, but since it is logically impossible to program these pernicious things with Asimov's First Law (see below), its partially corrupted software (corrupted by low power and environmental stress causing memory losses, for example) may well interpret the random actions of children as a threat...especially when the children play "war", as children tend to do in real war zones. Boom...and, as usual, nobody is responsible: the great good John Deere corporation has moved on. It is logically impossible to program these things with Asimov's First Law, which was never to harm a human being. That's because their whole purpose is to harm human beings. Software people make mistakes, called bugs, all the time. Perhaps this inures them to not admitting what may be The Grand Fallacy of software. This is that one is not morally accountable for all phenomena of the software system one has fabricated, including "unexpected" phenomena. Of course, an early lesson, learned and taught by hero computer scientist Dijkstra, was that one was indeed responsible for outlier conditions. We have been told that cruise missiles are pinpoint accurate even though they have destroyed innocent lives. The destruction is explained away as unusual combinations of circumstances or operators who in the heat of battle misprogram the final parameters. Trivially, there is no boundary between field modification of parameters, whether of a cruise missile on board a naval vessel or behind the lines. More important, it can be concluded that the seriousness of a final result (a child's life destroyed) when considered as a number makes the final ratio of our "input" to the magnitude of the crime something which has to be taken into account. Of course, for this reason, many software and hardware engineers simply avoid defense work. But one hopes that the military types write all their own goddamn software all the way down so that Open Source coders are not indirectly responsible. There is some fantasy that if we put enough steps between our actions and a final result, the amplitude of the moral signal, the level of our guilt, is attenuated and not amplified into a cry to heaven. But September 11 may have brought home to many Americans that other people do not feel the same way. Other people, if we implement battlefield robotics and after the battle they are running amuck, will ask us why we constructed such cowardly and unnecessary devices.
Computer makers say that their technical support lines are lit up by consumers frustrated over sluggish performance and increasingly they're tracing the problems back to one culprit: spyware. Companies are concerned about the cost of the calls, but they're even more worried that that customers will wrongly blame them for performance deficiencies. Russ Cooper, senior scientist with TruSecure Corp., says now that spyware has become epidemic, it's time for Microsoft and other technology companies to launch a public education campaign along the lines of the old "Only *you* can prevent forest fires" concept. The industry's incentive is pure survival, says Cooper. Microsoft officials blame rogue software for up to a third of applications crashes on Windows XP computers and AOL estimates that just three such programs together cause about 300,000 Internet disconnections per day. Forrester Research analyst Jonathan Penn says spyware-related customer support can cost $15 to $45 per phone call, but it's worth it. "Security is a component of loyalty. People, they want all these various services, but they expect security to come with it." [AP, 31 Oct 2004; NewsScan Daily, 1 Nov 2004] <http://apnews.excite.com/article/20041031/D862JARG0.html>
Swedish hospital forces users to change their officially registered name! According to an article in "Computer Sweden" (29 oct 2004) the users at karolinska university hospital have adopted a rigorous naming-scheme, that uses *only* a person's name with spelling and order as existing in official population register. Bad, you think? Well it is even worse; many people has several given names, among which most persons pick one and use it for everyday life. But this hospital's administrators refuse to use the chosen name, instead insisting on using the first given name + surename as e-mail address. Reason? "It's about making sure it's the right person logging in and it's also important with law and order." For those unhappy souls not recognizing their names, the IT department has ready-made forms for changing the official population register (which costs money in sweden, something the unhappy souls is not reimbursed for). The article does not mention that some persons still has to use other combinations, there is two cases where the "dream-scheme" does not work (not even in sweden): (1) for the duplicates (or do they refuse employment for these??) (2) for the persons christened to names containing non-ascii characters. Orwell, you are way behind !
The web pages of two candidates from the Finnish National Coalition Party were hacked last Thursday, just three days before the Finnish municipal elections. The pages were a part of a public service provided by Finnish Broadcasting Company YLE. The candidates were supposed to type in their answers along with opinions for predefined multiple-choice questions. In turn, the citizens could compare the candidates' answers against their own preferences. The service has grown to be quite popular during the latest Finnish elections - at least I found my candidate by using the service! According to YLE's project manager Erkki Vihtonen, somebody had gotten hold of the party's passwords and used a PC in a public library to log in and type in bogus answers for two candidates who hadn't completed the questionnaire. The material was distinctively racist and sexist. The webmasters were finally notified on the eve of the election by a tip from the public and bogus answers were removed. The police is currently investigating the suspected crime. The service contained information about 16,000 candidates and it was visited 250,000 times before the election. No information about hits to the bogus pages was released. According to Mr. Vihtonen, they have "7,000 suspects". For the record: the two candidates - one in Helsinki, the other in Kemi - didn't win. Link to the original news story, dated 2004-10-27 (only in Finnish): http://www.helsinginsanomat.fi/tuoreet/artikkeli/1076154360595 Erka.Koivunen@iki.fi +358-50-5066317 http://iki.fi/Erka.Koivunen/
PGN's comment on a couple of proposals to stage Internet-election hacking contests -- [I continue to be amazed that folks persist on focusing only on the risks of penetrations by outsiders. Insiders are by far the greatest concern here. PGN] -- is well-taken as it applies to all software that's involved in ballot counting, but Internet voting is a nonstarter for reasons that are more fundamental. The problem is that Internet voting compromises the secret ballot's secrecy. Although it's often assumed that ballot secrecy is a matter of individual privacy, it's more than that. Ballot secrecy benefits not only the individual voter whose ballot is secret, but all other citizens, who can be sure that their fellow citizens can't be bribed or coerced into voting contrary to their true preferences. The voter is alone in the voting booth, and takes away nothing that she could use to prove how she voted. Now picture a voter casting his ballot, via the Internet, from the comfort and convenience of his home or office. How do we know that his employer, or a party official with pockets full of cash, is not watching over his shoulder? It's true that absentee ballots have already opened this door a crack, but that's no reason to throw it open wide. Hamilton Richards, Senior Lecturer, Dept. of Computer Sciences, UT Austin [... not to mention that you have to trust everything along the way. PGN]
Credit-card thieves find sneaky way to beat fraud checks http://www.msnbc.msn.com/id/6297815/ It's a harmless-looking part of every a Web site retailer's checkout page. The form filled out by customers ordering products almost always has a second line -- sometimes it's used for apartment numbers or other information; it's usually left blank. But that innocuous-looking second line could become a big headache for Internet merchants soon, says one fraud expert. Credit card criminals have figured out a simple way to use that second line to foil the most basic anti-fraud measures online merchants use. [...] Designed long ago, most address verification systems only check numerical values at the beginning of the address and zip code fields in the billing address form. Letters, such as street names and cities, are ignored. That means if the legitimate address is 123 Elmwood Street, and a criminal enters "123 XXTRTWW," the fraud software will return a "yes" value, indicating the address is valid. [...] This is of course not a "glitch", it's people specifying, designing, coding, approving, and *continuing to use* a system in which "letters, such as street names and cities, are ignored". And then being all shook up when something bad happens. Gabriel Goldberg, Computers and Publishing, Inc., 6580 Bermuda Green Court, Alexandria, VA 22312-3103 http://www.cpcug.org/user/gabe 1-703-941-1657
Mike Hogsett wrote about a flat-screen TV in Corvallis, Oregon, that inadvertently summoned a search-and-rescue operation. I just heard a similar story about the Civil Air Patrol in New York. Evidently they get repeated calls which can be traced to a United Parcel Service depot in the Bronx. Now, it turns out that a company that makes Emergency Locator Transmitters is serviced out of that UPS depot, and these ELTs are often returned via UPS for repair. But sometimes the boxes get dropped, at which point the supposedly malfunctioning ELT inside senses the high-G impact of a "crash" and starts to transmit. And then there's the story (perhaps an urban legend) about people mailing supposedly-defective electronic toll tokens back to the issuing highway authority, and being billed for the tollbooths the mail truck passed through...
About a week ago i stopped by a local bank to cash a check and their windows computers where all down. they had no way to determine if the account had sufficient funds to cash the check. when i asked how often the system went down, they replied "once or twice a day" for 10-20 minutes. They have a computer system that spends 10-40 minutes of every workday taking a siesta! Apparently they knew the owner of the account that i was cashing the check from, and determined that he never writes bad checks so it should be OK to give me the money and sort it out later. hhmmm... might there be a risk of someone trying to cash a bad check during a hectic time? related link - Is Microsoft Licensing Forcing Banks to Break The Law? http://www.cioupdate.com/article.php/10493_1485861
I have the same problem with Fidelity Investments. Their official website is at http://www.fidelity.com. Yet in spite of having the problem pointed out to them they continue to send email that directs the recipient to various pages at m0.net, such as http://fidelity2.m0.net/m/s.asp?HB16244124889X4152973X503473 The domain 'm0.net' is owned by Digital Impact in San Mateo. There is no way on the face of it to know that this is legitimate. For some reason they don't think it's a problem. The risk, of course, is that users won't be able to recognize a phishing attempt by the URL.
Please report problems with the web pages to the maintainer