29.03.2013 Views

How to Steal an Election by Hacking the Vote - repo.zenk-securit...

How to Steal an Election by Hacking the Vote - repo.zenk-securit...

How to Steal an Election by Hacking the Vote - repo.zenk-securit...

SHOW MORE
SHOW LESS

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

http://arstechnica.com/articles/culture/evoting.ars<br />

<strong>How</strong> <strong>to</strong> steal <strong>an</strong> election <strong>by</strong> hacking <strong>the</strong> vote<br />

By Jon S<strong>to</strong>kes<br />

What if I <strong>to</strong>ld you that it would take only one person—one highly motivated, but only<br />

moderately skilled bad apple, with ei<strong>the</strong>r authorized or unauthorized access <strong>to</strong> <strong>the</strong><br />

right comp<strong>an</strong>y's internal computer network—<strong>to</strong> steal a statewide election? You might<br />

think I was crazy, or alarmist, or just talking about something that's only a remote,<br />

highly <strong>the</strong>oretical possibility. You also probably would think I was being really over<strong>the</strong>-<strong>to</strong>p<br />

if I <strong>to</strong>ld you that, without sweeping <strong>an</strong>d very costly ch<strong>an</strong>ges <strong>to</strong> <strong>the</strong> Americ<strong>an</strong><br />

elec<strong>to</strong>ral process, this scenario is almost certain <strong>to</strong> play out at some point in <strong>the</strong><br />

future in some county or state in America, <strong>an</strong>d that after it happens not only will we<br />

not have a clue as <strong>to</strong> what has taken place, but if we do get suspicious <strong>the</strong>re will be<br />

no way <strong>to</strong> prove <strong>an</strong>ything. You certainly wouldn't w<strong>an</strong>t <strong>to</strong> believe me, <strong>an</strong>d I don't<br />

blame you.<br />

So what if I <strong>to</strong>ld you that one highly motivated <strong>an</strong>d moderately skilled bad apple<br />

could cause hundreds of millions of dollars in damage <strong>to</strong> America's private sec<strong>to</strong>r <strong>by</strong><br />

unleashing a Windows virus from <strong>the</strong> safety of his parents' basement, <strong>an</strong>d that m<strong>an</strong>y<br />

of <strong>the</strong> victims in <strong>the</strong> attack would never know that <strong>the</strong>y'd been compromised? Before<br />

<strong>the</strong> rise of <strong>the</strong> Internet, this scenario also might've been considered alarmist folly <strong>by</strong><br />

most, but now we know that it's all <strong>to</strong>o real.<br />

Th<strong>an</strong>ks <strong>to</strong> <strong>the</strong> recent <strong>an</strong>d rapid adoption of direct-recording electronic (DRE) voting<br />

machines in states <strong>an</strong>d counties across America, <strong>the</strong> two scenarios that I just<br />

outlined have now become siblings (perhaps even fraternal twins) in <strong>the</strong> same large,<br />

unhappy family of information <strong>securit</strong>y (infosec) challenges. Our national election<br />

infrastructure is now largely <strong>an</strong> information technology infrastructure, so <strong>the</strong> problem<br />

of keeping our elections free of vote fraud is now <strong>an</strong> information <strong>securit</strong>y problem. If<br />

you've been keeping track of <strong>the</strong> news in <strong>the</strong> past few years, with its weekly lit<strong>an</strong>y of<br />

high-profile breaches in public- <strong>an</strong>d private-sec<strong>to</strong>r networks, <strong>the</strong>n you know how well<br />

we're (not) doing on <strong>the</strong> infosec front.<br />

Over <strong>the</strong> course of almost eight years of <strong>repo</strong>rting for Ars Technica, I've followed <strong>the</strong><br />

merging of <strong>the</strong> areas of election <strong>securit</strong>y <strong>an</strong>d information <strong>securit</strong>y, a merging that<br />

was accelerated much <strong>to</strong>o rapidly in <strong>the</strong> wake of <strong>the</strong> 2000 presidential election. In all<br />

this time, I've yet <strong>to</strong> find a good way <strong>to</strong> convey <strong>to</strong> <strong>the</strong> non-technical public how well<br />

<strong>an</strong>d truly screwed up we presently are, six years after <strong>the</strong> Florida recount. So now<br />

it's time <strong>to</strong> hit <strong>the</strong> p<strong>an</strong>ic but<strong>to</strong>n: In this article, I'm going <strong>to</strong> show you how <strong>to</strong><br />

steal <strong>an</strong> election.<br />

Now, I won't be giving you <strong>the</strong> kind of "push this, pull here" instructions for cracking<br />

specific machines that you c<strong>an</strong> find scattered all over <strong>the</strong> Internet, in alarmingly<br />

lengthy PDF <strong>repo</strong>rts that detail vulnerability after vulnerability <strong>an</strong>d exploit after<br />

exploit. (See <strong>the</strong> bibliography at <strong>the</strong> end of this article for that kind of information.)<br />

And I certainly won't be linking <strong>to</strong> <strong>an</strong>y of <strong>the</strong> leaked Diebold source code, which is<br />

available in various corners of <strong>the</strong> online world. What I'll show you instead is a road<br />

map <strong>to</strong> <strong>the</strong> brave new world of electronic election m<strong>an</strong>ipulation, with just enough<br />

nuts-<strong>an</strong>d-bolts detail <strong>to</strong> help you underst<strong>an</strong>d why things work <strong>the</strong> way <strong>the</strong>y do.<br />

Copyright © 1998-2006 Ars Technica, LLC<br />

2

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!