Fwd: NYTimes.com Article: Who Hacked the Voting System? The Teacher

From: Arthur Keller <arthur_at_kellers_dot_org>
Date: Mon May 03 2004 - 16:05:46 CDT

--- begin forwarded text

Who Hacked the Voting System? The Teacher

May 3, 2004

BALTIMORE, April 29 - The fix was in, and it was devilishly
hard to detect. Software within electronic voting machines
had been corrupted with malicious code squirreled away in
images on the touch screen. When activated with a specific
series of voting choices, the rogue program would tip the
results of a precinct toward a certain candidate. Then the
program would disappear without a trace.

Luckily, the setting was not an election but a classroom
exercise; the conspirators were students of Aviel D. Rubin,
a professor at Johns Hopkins University. It might seem
unusual to teach computer security through hacking, but a
lot of what Professor Rubin does is unusual. He has become
the face of a growing revolt against high-technology voting
systems. His critiques have earned him a measure of fame,
the enmity of the companies and their supporters among
election officials, and laurels: in April, the Electronic
Frontier Foundation gave him its Pioneer Award, one of the
highest honors among the geekerati.

The push has had an effect on a maker of electronic voting
machines, Diebold Inc., as well. California has banned the
use of more than 14,000 electronic voting machines made by
Diebold in the November election because of security and
reliability concerns. Also, the company has warned that
sales of election systems this year are slowing.

In April, the company said its first-quarter earnings rose
13 percent compared with the same quarter a year earlier.
It also reported $29.2 million in revenue on nearly $500
million in sales in the latest period. But it lowered
expectations for election systems sales for this year to a
range of $80 million to $95 million from $100 million in
sales a year earlier.

Professor Rubin took center stage in the national voting
scene last July, when he published the first in-depth
security analysis of Diebold's touch-screen voting
software. The software had been pulled off an unprotected
Diebold Internet site by Bev Harris, a
publicist-turned-muckraker who posted the software and
other documents she found as part of her campaign against
what she calls "black box voting."

Professor Rubin and his colleagues at Hopkins and Rice
University in Houston subjected the 49,000 lines of code to
a deep review over a two-week period. Their report painted
a grim picture: "Our analysis shows that this voting system
is far below even the most minimal security standards
applicable in other contexts," they wrote. "We conclude
that, as a society, we must carefully consider the risks
inherent in electronic voting, as it places our very
democracy at risk."

That shot across the bow was met with outrage from the
industry and from election officials who had spent tens of
millions of dollars on Diebold machines. Mr. Rubin was
denounced as irresponsible and uninformed.

"I think when he's talking about computers, he's very good
and knows what he's doing," said Britain J. Williams, a
professor emeritus of computer science at Kennesaw State
University in Georgia, and a consultant on voting systems.
"When he's talking about elections, he doesn't know what
he's talking about."

Typically, Professor Rubin decided to confront the issue of
whether he had experience with elections by taking part in
one. During the March presidential primary, he signed up to
become an election judge and found himself sitting all day
at a precinct in a church at Lutherville, Md., helping
voters use the same Diebold touch-screen machines that he
had criticized so roundly. He then went home and wrote a
full account and posted it to the Internet.

Over the day, he wrote, "I started realizing that some of
the attacks described in our initial paper were actually
quite unrealistic, at least in a precinct with judges who
worked as hard as ours did and who were as vigilant. At the
same time, I found that I had underestimated some of the
threats before."

Ultimately, he said, "I continue to believe that the
Diebold voting machines represent a huge threat to our

When asked to comment on Professor Rubin's work, the
company issued a statement that did not mention him by
name. "Our collective goal should always be to provide
voters with the assurance that their vote is important,
voting systems are accurate and their individual vote
counts," the company said.

While the debate has largely been constructive, Diebold
said: "A key consideration in this dialogue, though, should
be that the debate be positive and productive. We must not
frighten voters or inadvertently provide any type of
disincentive to voting, because at that point the dialogue
itself begins to disenfranchise voters - the very thing
this beneficial discussion is trying to prevent."

Professor Rubin is not the first person to take on the
risks of high-tech voting.

Since Professor Rubin's paper came out last year, other
reports have broadened and deepened his conclusions.

But Professor Rubin is in a class by himself, said David
Jefferson, a computer scientists at Lawrence Livermore
National Laboratory in California, who calls him "the most
important figure in the United States in articulating the
security problems with electronic and Internet voting."

The only damage Professor Rubin has sustained along the way
is largely self-inflicted. Last August, he resigned from an
unpaid technical advisory position for a voting company,
VoteHere Inc., and turned in stock options that he had
received but never redeemed.

Professor Rubin, 36, a child of two college professors,
seems too soft-spoken to be a firebrand. But his quiet
exterior conceals a deeply competitive streak: he has
played soccer as a blood sport for most of his life,
breaking both wrists and ankles repeatedly over the years.
He still plays twice a week, he says, but now it is "a more
social game, without slide tackles."

Born in Kansas, he grew up in Birmingham, Ala., Haifa,
Israel, and Nashville, and got his computer science
training at the University of Michigan, where he earned
bachelor's, master's and Ph.D. degrees by 1994. In late
2002, he became the technical director of the Information
Security Institute here at Hopkins.

Because of his passionate advocacy for his views, many
people expect Professor Rubin to be something of a "smart
aleck" in person, said Gerald Masson, the head of the
institute. Instead, he said, "He comes across as someone
who sincerely believes that what he's doing is right, and
he has the technological depth to support it."



Get Home Delivery of The New York Times Newspaper. Imagine
reading The New York Times any time & anywhere you like!
Leisurely catch up on events & expand your horizons. Enjoy
now for 50% off Home Delivery! Click here:


For information on advertising in e-mail newsletters
or other creative advertising opportunities with The
New York Times on the Web, please contact
onlinesales@nytimes.com or visit our online media
kit at http://www.nytimes.com/adinfo

For general information about NYTimes.com, write to

Copyright 2004 The New York Times Company

--- end forwarded text

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Mon May 31 23:17:05 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:15 CDT