Silicon Investor (SI) -- The First Internet Community

STOCKTALK

We've detected that you're using an ad content blocking browser plug-in or feature. Ads provide a critical source of revenue to the continued operation of Silicon Investor. We ask that you disable ad blocking while on Silicon Investor in the best interests of our community. If you are not using an ad blocker but are still receiving this message, make sure your browser's tracking protection is set to the 'standard' level.

Politics : Stockman Scott's Political Debate Porch -- Ignore unavailable to you. Want to Upgrade?

To: lurqer who wrote (35968)	1/22/2004 1:41:18 PM
From: lurqer	Respond to of 89467

Panel members find security flaws in Internet voting system 'A dedicated and experienced hacker could subvert the election rather easily,' said one expert A federally funded Internet-based voting system scheduled for use in the 2004 primary and general elections has several unresolvable security vulnerabilities that leave it open to widespread vote tampering and privacy breaches. That is the opinion of four members of a 10-person peer review group assigned to identify potential flaws in the Secure Electronic Registration and Voting Experiment (SERVE) system being built for the U.S. Department of Defense's Federal Voting Assistance Program (FVAP). The system is being developed as part of a government initiative to make it easier for U.S. armed force personnel, the Merchant Marines and overseas civilians to vote. The SERVE system is expected to be used by absentee voters from 50 counties in seven states and is designed to handle up to 100,000 votes. According to the panel members, who publicly aired their concerns yesterday, the risks are so serious that it is recommending that further development of SERVE be immediately shut down and not attempted again until "both the Internet and the world's home computer infrastructure have been fundamentally redesigned." The problems lie in the inherent insecurities associated with Internet and PC-based systems, said David Wagner, an associate professor at the University of California, Berkeley, and one of the security experts assigned to review the prototype SERVE system. These include viruses and worms, denial-of-service attacks and Web-site spoofing, Wagner said. An attack on the main SERVE system or any of the PCs being used by voters, using any of these methods, could seriously compromise the results, Wagner said. "SERVE is susceptible to large-scale election fraud that could be launched from outside the reach of U.S. law and go completely undetected," he said. For instance, it would be relatively easy for malicious hackers to insert spoofed Web pages that appear to belong to the SERVE system but are actually designed to alter votes or prevent them from being cast. A voter using a PC infected with a virus or worm could easily jeopardize the integrity of the system, Wagner said. And the particularly dangerous part is that such hacks could be carried out without ever being detected. I think that a dedicated and experienced hacker could subvert the election rather easily," said Avi Rubin, a professor at Johns Hopkins University and one of the security experts that reviewed SERVE. "I don't think that Internet-based voting such as SERVE can be made secure enough for use until we can develop computer systems that are not vulnerable to viruses and Trojan horses, and until we can develop an Internet that is resistant to denial-of-service attacks." The full report is available online at servesecurityreport.org. The two other members of the team that analyzed SERVE are David Jefferson, from the Lawrence Livermore National Laboratory, and Barbara Simons, an independent technology policy consultant. The group was formed by the FVAP. Glen Flood, a spokesman for the SERVE project, said that while the input from the four-member panel is "welcome," it represents only a minority view. Six other members of the original 10-member panel assigned to study SERVE haven't raised any security objections, he said. "This group is really only a small faction of the peer review group," Flood said. He added that security is an issue that SERVE project members have been paying close attention to ever since Congress funded the project two years ago. "We have high confidence in the security of the system," he said. "The only 100% way we can avoid some of the security issues [raised by the four panel members] is to not do this. And that is not something we will do," he said. SERVE's Web site claims the online voting system "uses the latest security technology available" to protect voter information and ballot integrity. Similarly, SERVE uses "a variety of strategies" to deal with denial-of-service attacks, the site claims without offering specifics. The site also notes that every ballot cast is encrypted, and only the local election official in the voter's jurisdiction has the power to decrypt that vote. Voters using the system will be issued digital signatures for identifying and authenticating themselves on SERVE, the Web site said. The SERVE reports comes at a time when concerns are already high about the security of electronic voting in general. Recent security reviews of direct recording electronic (DRE) machines from several major vendors, including Diebold Inc. and Sequoia Voting Systems Inc., have unearthed several critical flaws. computerworld.com lurqer