Reports have been circulating since earlier this week that California’s Secretary of State, Bruce McPherson, has asked Harri Hursti (from Finland) to try to “hack” a randomly selected Diebold voting machine. I first started hearing of this earlier this week, and at that time could not find any confirmation of this request. But this morning the story started to circulate on the newswires, and through a variety of news outlets. For example, here is the Associated Press story, as provided online by MercuryNews.com. There is a longer version of the story provided by the San Francisco Chronicle. I could not find any confirmation of this request on McPherson’s website, nor any official statement or elaboration of this test.
Thus, at this time, details of the test are a bit sketchy. The wire reports indicate that one Diebold precinct voting device, from one of the California counties using these voting machines, will be selected randomly for the test. But exactly what methodology the “hack” will involve is not known; whether it will focus primarily on technology or procedures (or perhaps both) is not known; nor is it clear what information will be provided to the public about this “hack” once it is completed (for example, will we know how many attacks are attempted, what types of attacks they are, and about the outcome of each attack?). It is unclear from the available information whether the vendor will be involved in the “hack” (other than the report that the vendor was not allowed to pick the exact voting device that will be used in the test); also unclear is the extent of election official (state or local) involvement in the “hack”. It is also not clear whether the same type of “hack” will be initiated for other voting devices, either those now certified for use in California or those pending certification.
In any case, perhaps more about this “hack” will be revealed in next week’s “Voting System Testing Summit 2005”, sponsored by McPherson’s office. That might be a good opportunity to hear more discussion about the role of “hacks” (also known as “red team” or “tiger team” attacks), as part of a broader process of assessing the overall operational security of a voting technology. I’ll be attending this conference, and I am moderating a session on “Security/Paper Trails/Accountability”. Panelists on our Tuesday afternoon session include Kim Alexander, Henry Brady, David Dill, Avi Rubin, and Michael Shamos. We have been asked to address five different questions:
- Evaluating security — how to do it best
- Recovery process/contingency plans
- Source code — how much should be reviewed? By whom?
- Standards for AVVPAT
- For what purpose should AVVPATs be used?
It will be an interesting discussion, and I’ll do my best to try to summarize this session, as well as the entire conference, next week.