Thursday, October 05, 2006

Election Computers

Wij vertrouwen stemcomputers niet have analysed the election computers that are used in the Netherlands and found that they have a huge number of security flaws. Their great publication is a very detailed description of all the shortcomings they have found up to now; it shows some possible attacks they have implemented and describes a few more that are now known to be feasible.

Those machines are basically an overpriced version of the Amiga 500, with less RAM and without the nice sound and video capabilities -- in a huge box. There is not a single feature built in to try to counter vote forgery; it's really just a plain 68k computer without any cryptographic or trusted-computing capability.

Those voting machines are very similar to the computers that are used in some regions of Germany. Of course they have been thoroughly examined; in Germany (where I live) by the PTB, which is responsible for maintaining precise clocks (a task it does very, very well) or for providing standard weights so that scales at the grocery store measure the correct amount of vegetables you buy. I'm sure our election computers are really precise in this regard.

It's noteworthy that the German BSI (the authority for security in information processing, who really are knowledgeable about computer and IT security) has not been ordered to evaluate those computers (who said bribery?)! And of course the report on the test done by the PTB is confidential, so as not to compromise the valuable 1980s technology trade secrets of the supplier. What a joke.

In the Netherlands they have been checked by the authority responsible for the safety of cars or electrical installations in buildings. No one will ever get an electric shock or be injured by a hard edge on those machines -- correct counting obviously was of no concern to the testers.

The computer magazine c't recently had an article about that e-voting mess in general (issue 16/06, page 54), and after reading a few reports about how that works in the USA I honestly was not really surprised about what the Dutch hackers had found out. Maybe that's also why I quickly got distracted from studying the NEDAP hardware to find this little gem:

A JavaScript emulator of HD44780 LCD displays!
