[E-voting] E-Vote Software Leaked Online

Catherine Ansbro cansbro at eircom.net
Sat Nov 26 14:56:00 GMT 2005


from BBV 
http://www.bbvforums.org/cgi-bin/forums/show.cgi?tpc=73&post=14360#POST14360
Are any of the various software systems mentioned in this article 
relevant to Ireland?
Catherine
* * *

The article linked above by Arnold has been removed from the Web by 
WiredNews. Here is the missing article:

link to archived version 
<http://web.archive.org/web/20031127044406/http://www.wired.com/news/privacy/01848%2C61014%2C00.html> 


E-Vote Software Leaked Online
By Kim Zetter
05:00 PM Oct. 29, 2003 PT

Software used by an electronic voting system manufactured by Sequoia 
Voting Systems has been left unprotected on a publicly available server, 
raising concerns about the possibility of vote tampering in future 
elections.

The software, made available at ftp.jaguar.net <ftp://ftp.jaguar.net>, 
is stored on an FTP server owned by Jaguar Computer Systems, a firm that 
provides election support to a California county. The software is used 
for placing ballots on voting kiosks and for storing and tabulating 
results for the Sequoia AVC Edge touch-screen system.

The security breach means that anyone with a minimal amount of technical 
knowledge could see how the code works and potentially exploit it. 
According to a computer programmer who discovered the unprotected 
server, the files also contain Visual Basic script and code for voting 
system databases that could allow someone to learn how to rig voting 
results. The programmer spoke on condition of anonymity.

Jaguar blocked public access to the FTP site late Wednesday. 
Representatives from Jaguar did not return calls for comment.

Sequoia said it was disturbed that the proprietary code had been 
accessed in an "inappropriate manner," and went on to blast Jaguar in an 
e-mail to Wired News about the security gaffe.

"While this breach of security is grossly negligent on the part of the 
county's contractor, the code that was retrieved is used to accumulate 
unofficial results on election night and does not compromise the 
integrity of the official electronic ballots themselves," wrote Sequoia 
spokesman Alfie Charles.

Peter Neumann, lead computer scientist at the Stanford Research 
Institute, said the exposed code could allow someone to plant a Trojan 
Horse in the system's compiler -- the program that translates the code 
for use by the computer -- that would be undetectable to anyone reading 
the code.

The files on the server also revealed that the Sequoia system relies 
heavily on Microsoft software components, a fact the company often has 
been coy about discussing since Microsoft software is a frequent target 
of hackers.

Jaguar, based in Riverside, California, left the data unencrypted and 
unprotected. The FTP server allowed anyone to access it anonymously.

Once a visitor gained access to the server, a small note stated that the 
server was meant for employees and clients of Jaguar. However, the 
company's own website directed visitors to the FTP server and noted that 
"our '/PUB' directory is stuffed with many of the files that we use." 
The website has since been changed by Jaguar.

Sequoia's AVC Edge voting machines were used in California's Riverside 
County for the 2000 presidential election and for last month's 
California gubernatorial recall election. The system also has been used 
in counties in Florida and Washington state.

It's the second time this year that voting machine code has been leaked 
on the Internet.

In January, source code for the AccuVote-TS system made by Diebold 
Election Systems was found on an unprotected FTP server belonging to the 
company.

Researchers at Johns Hopkins and Rice universities who read the Diebold 
code found numerous security flaws in the system and published a report 
(PDF) that prompted the state of Maryland to conduct its own audit of 
the software.

A key difference between the Diebold and Sequoia leaks has to do with 
the type of code found. The Diebold code that researchers evaluated was 
source code, a raw form of code that contains programmer notes and 
comments and allows anyone to quickly see how a system works.

The Sequoia code on the Jaguar site is binary code, which is already 
compiled into a program with the comments and other information stripped 
away. It's working code, which means that the program must be 
reverse-engineered, or taken apart, in order to understand how it works. 
This is not hard to do, but it takes more time than working with source 
code. The Johns Hopkins researchers were able to write their report on 
the Diebold code in two weeks. The Sequoia code would take at least two 
months, the researchers said.

But even binary code reveals a lot of information about a program, said 
Avi Rubin, one of the Johns Hopkins researchers who wrote the report on 
the Diebold system.

"With binary code you can create most of the program and analyze it," he 
said. "All the information about what the program does is there. Maybe 
60 percent of what you can get from the source code you can also get 
from the binary."

On its website, Sequoia makes a point of stating that its system is much 
more secure than the Diebold system, since it doesn't rely on Microsoft 
software. The website reads: "While Diebold relies on a Microsoft 
operating system that is well known and understood by computer hackers, 
Sequoia's AVC Edge runs on a proprietary operating system that is 
designed solely for the conduct of elections."

In fact, the system uses WinEDS, or Election Database System for 
Windows. WinEDS runs on top of the Microsoft Windows operating system. 
According to Sequoia, "WinEDS is used to administer all phases of the 
election cycle, create electronic ballots for the AVC Edge, and tally 
early voting, as well as official election and absentee votes."

The system also appears to use MDAC 2.1, or Microsoft Data Access 
Components, which was found in the WinEDS folder on the server. MDAC is 
code used to send information between a database and a program. 
According to the computer programmer who discovered the FTP server 
containing the Sequoia code, version 2.1 was found to be insecure. He 
said Microsoft currently distributes an upgraded version 2.8, which has 
been available since August, but the version on the Jaguar site doesn't 
include a patch to fix the security problems.

Also, because MDAC is off-the-shelf software, it's not subject to the 
same certification processes and audit that are standard for proprietary 
voting software.

Neumann, the security expert, said, "This means that anyone could 
install a Trojan Horse in the MDAC that won't show up in the source 
code." Jaguar employees, Sequoia employees or state election officials 
could insert code that wouldn't be detectable in a certification review 
of the code or in security testing of the system, he said.

Neumann said this points to the necessity for using only voting machines 
that provide a voter-verifiable paper trail.

"The idea of looking at source code to find problems is inherently 
unsatisfactory," he said. "You need to use a machine with accountability 
and an audit trail."

The source who discovered the unprotected server containing the Sequoia 
system code said the files include Visual Basic script, which is 
uncompiled script that can be changed very quickly and easily.

"You can swap out a file and plant a Trojan Horse in this," he said. 
"There's also SQL code in there that sets up a database. The SQL gives 
you details about the database that you can use to alter the contents of 
the database."

The companies making electronic voting systems long have said that their 
systems are proprietary and their code needs to remain secret in order 
for the systems to be secure.

Cindy Cohn, an attorney at the Electronic Frontier Foundation, said 
information gained from the discovery of the Diebold and Sequoia codes 
indicates the exact opposite.

"Our society and our democracy is better served by open voting systems," 
she said. "The way to create a more secure system is to open the source 
code and to have as many people as possible try to break into the system 
and figure out all the holes. The clearest way to have an insecure 
system is to lock it up and show it to only a few people."

Cohn said her organization is trying to convince election officials and 
companies to make their systems more secure. "That doesn't seem to be 
happening," she added. "So I have a lot of admiration for these people 
who are taking it upon themselves to try to figure out whether these 
machines are secure. I think we are all better off because of 
researchers who are taking the time to say the emperor doesn't have any 
clothes."

Rubin said the focus shouldn't be on keeping systems secret but on 
creating systems that are more secure so they can't be easily exploited 
or rigged for fraud.

"This argument that everything needs to be kept secret is not viable 
because the stuff does get out whether companies intend it or not," he 
said. "Now two out of the three top companies have leaked their system.

"Scientists are being made to feel afraid to look at these things, which 
in the end will be bad for our society. Why shouldn't everyone want 
scientists to look? If there's any feeling that there may actually be 
danger to our elections, how can we not be encouraging researchers to 
look at our systems?" Rubin said.



