H/T to Yahoo! Tech for the story. As usual, the problem is government. In particular, after the "Hanging Chad" election in 2000, the congress passed the Help America Vote Act of 2002. Among other things, the Act banned punched-card and mechanical-lever voting machines. This led to the inevitable gold rush to suck up that gubmint money by producing voting machines. And just as the War on Some Drugs money has always been spent so wisely; like the Quadro Tracker, the $1000 empty box with a 'diving rod' on it, so was spent the Help America Vote money. As I've said before, the Fed.Gov dribbles money like a toddler dripping turds out of its Pampers, and this always attracts companies ready to suck up the gubmint droppings.
Outside of Virginia, only a few counties in Pennsylvania and Mississippi adopted Winvote (from the now-defunct Frisco, Tex.-based Advanced Voting Systems). But Winvote terminals had much in common with other electronic voting machines of that time: They were built to win government contracts. And they were based on general-purpose Windows platforms that made them needlessly complex and vulnerable to exploits.Winvote fulfilled its purpose, to suck up money, and quite possibly delivered the least secure systems ever.
Switching to Epstein's summary for a moment:Jeremy Epstein, a security scientist with SRI International, has spent years investigating the weaknesses of these and other electronic voting systems. But even he didn’t know how bad Winvote terminals were until this past April.
That’s when the Virginia Information Technologies Agency condemned the security of these machines and banned them from the commonwealth. Their only remaining use was, literally, as a lesson to others.
If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.How bad was it? How about the shiny key to lock the machine? Epstein reports “All the keys are the same for every Winvote that’s ever been made, because that way it’s easier,”
As the saying goes, security wasn't an afterthought; it was never thought of at all.• Winvote’s machine runs a version of Windows XP that hasn’t had patches installed since 2004 — four years before AVS deservedly went out of business.• Its wireless network is “safeguarded” with insecure WEP encryption — and the password is abcde. (and that was unchangeable)• The Windows admin password is (no, I’m not making this up) admin. (and that seemed unchangeable as well)• Windows file-sharing is left on.• The machine tracks votes using an obsolete version of Microsoft Access, in which the unencrypted database file is “protected” with a five-character password that a security tool cracked in seconds. (That password — shoup — apparently refers to a voting-machine company with a history of criminal indictments.)• The system doesn’t log changes to that file.• You can’t turn off the WiFi; if you remove the wireless card, the device won’t boot.
It's hard to say just what the worst part of this situation is, but possibly it's (as mentioned a few paragraphs ago), "if an election was hacked any time in the past, we will never know." Possibly the worst part is that this might not be unique to Winvote machines at all. In fact, Diebold wasn't much better.
Technology moves quickly, as I don't have to tell you. Governments don't - they're the second slowest institutions to change in the world. We've got to get smarter about electronic voting machines. The county I'm in has you enter votes on a sheet of paper and tallies them optically, the way standardized tests are graded. Those are only "hacker proof" if they're off a network and handled carefully. But, just as they say the hackers are winning attacks on the financial institutions because there's so much money at stake, the amount of money and power at stake here dwarfs anything in the banks.