It’s doubly hard to understand why stores are still using and installing WEP, when a newer, better alternative, WPA, is available. Cost and inconvenience seem to be the main reasons retailers don’t upgrade and protect their customers. The expression “penny wise and pound foolish” comes immediately to mind.
Breaching security in two stores in Florida gave the thieves free access to 2,400 more stores across the country, Canada, and the U.K. Once the thieves were inside the network, they were able to meander undetected from store database to store database bagging, in this case, nearly 100 million credit card numbers. The haul also included social security numbers, dates of birth, driver’s license numbers, PIN numbers, military IDs, and even answers to those special security questions like, “What’s your mother’s maiden name?” Anyone who has ever applied for a credit card knows that’s all you need to be good to go.
Fully armed with all the pertinent information, imposters can make fraudulent purchases and entire identities can be stolen, recreated, and assumed. The purloined data is dispersed around the globe via internet auctions where four full identities can go for as little as $25. Take a moment to marvel at the size of this security breach – it takes your breath away. There are millions of complete and factual identities floating around, ready and available. So much for homeland security.
To recap
Let’s isolate and examine the key elements of this story. We’ve got:
• Computers and databases;The prescription: more and more upgrades to keep up with the hackers. One of the parties – in this case, the credit card companies, is capitalizing on the crisis to make money. And the customer is left holding the bag.
• Insufficient security;
• A wireless network;
• A subsequent security breach;
• Billions of dollars lost and millions of customers at risk of identity theft and fraudulent purchases.
Let’s recast this story with a different set of players and see if it sounds at all familiar. Substitute computerized voting or EVM (electronic voting machines) for store computers. Then add in the laughable and primitive security provisions that have been condemned in every independent study and hack conducted over the last five years.
Wireless network
Last year, investigative reporter Pokey Anderson explored the wireless capabilities of our election systems and made disturbing discoveries. Advanced Voting Solutions, for instance, brags about its ability to program and change data on as many as 1,000 voting machines simultaneously without even being in the same room. How? Remotely, via the wireless network. And how is this technology protected? With WEP – the same substandard, oft-hacked software that contributed to the notorious TJX debacle. Anderson quotes Dr. Avi Rubin, computer science professor at Johns Hopkins,
There are tools on the Internet to break WEP in seconds. We were the first to do it when I was at AT&T. I think that as bad as some of the voting machines are in terms of security, having wireless capability is a total disaster. I can’t think of a worse idea.
Even universally banning the technology would be impossible to enforce. The 2006 Brennan Center Report that identifies well over 100 potential threats to our elections puts banning wireless capability as #3. The document states,
Wireless components should not be permitted on any voting machines… Banning the use of wireless components (even when that involves disabling them), rather than requiring removal of these components, still leaves voting systems unnecessarily insecure. Among other reasons, a software attack program could be designed to re-activate any disabling of the wireless component.
In the very same way that access to the database of two stores allowed the TJX thieves access to 2,400 stores, so access to one computerized voting machine can allow access to thousands of others, even if they are not connected to one another. Over two years ago, computer security expert Bruce Schneier, wrote in "What's wrong with electronic voting machines?"
A software problem, whether accidental or intentional, can affect many thousands of machines and skew the results of an entire election…This has nothing to do with whether the voting machines are hooked up to the internet on election day…The threat is that the computer code could be modified while it is being developed and tested, either by one of the programmers or a hacker who gains access to the voting-machine company's network. It's much easier to surreptitiously modify a software system than a hardware system, and it's much easier to make these modifications undetectable.
Security breach
Let’s visit Cook County, Illinois, where I live, to see how easily these computerized systems can be hacked. In late October 2006, Bob Wilson and his colleagues at the Illinois Ballot Integrity Project conducted a friendly hack into the Cook County Online Voter Registration Database. They had notified the Chicago Board of Election Commissioners several weeks before about the disturbing security breach they had discovered, but nothing had been done to address the problem. Apparently, at least 1.5 million Cook County residents had all their most personal information exposed for six years – names, addresses, and social security numbers – a veritable gold mine for identity thieves. Another unnerving feature of the breach is that registration information could have been downloaded and edited, making election day a potential nightmare.
Cost
The result of those compromised voting computers is broken elections with results we can neither observe nor verify. Votes are routinely lost, flipped, or miscounted. Here are a few choice examples.
• The Gahanna I-B ward in Franklin County, Ohio 2004 where less than 700 voters magically yielded more than 4,000 votes,Whatever your party affiliation, few can argue that our nation’s direction would have been quite a bit different under either Al Gore or John Kerry. The ramifications of stolen elections are huge.
• The Alaska 2004 Presidential race where there were 100,000 more votes than voters,
• The Volusia County computers that, in 2000, suddenly and temporarily erased 16,000 votes, allowing Florida to move into the Bush column and affecting the national race.
Benefiting from the crisis
Critical reports and voting machine hacks have been piling up for years. Nevertheless, billions of federal tax dollars have gone into an electronic voting system plagued by major problems and a total lack of accountability or responsiveness on the part of the vendors. Vendors have extorted huge sums for maintenance and service, far exceeding their original estimates, according to Maryland’s former Governor, Republican Bob Ehrlich. Even when voters and municipalities decide to dump their DREs, the vendors are in place to sell them millions of dollars worth of optical scan machines and other “updated” election technology. Continuing to entrust our elections to this sleazy group of fraudsters is truly a question of national security and importance.
There are some scary king-size wrinkles when we use this inherently flawed, problem-ridden system. Here are two examples.
New York
New York is the last state to comply with HAVA – the Help America Vote Act of 2002. The Department of Justice is threatening to take over New York’s elections in order to make them buy the very EVM systems that have consistently failed so abysmally across the country. None of those machines pass New York’s more stringent standards and trying out a new system right before a presidential election is clearly a recipe for disaster. Forcing New York to adopt machines that fail their own high standards also means federalizing our elections and subverting states’ rights.
Andi Novick, of Northeast Citizens for Responsible Media, has written a number of good articles on this that you can find here. She makes the case simply and eloquently.
We need to keep writing in favor of elections the people can see and verify and understand with their own eyes. Would you accept a guy who takes all your votes, goes in a back room, comes out later and announces who won? Would you just trust him? Then resist these computers in New York.
California
In California, the word is in, and the last domino has fallen. All of the computerized voting machine systems tested in Secretary of State Bowen’s Top To Bottom Review (distilled here) failed miserably. ES&S, used in L.A. County, refused to submit the source code and therefore was not part of the tests. They finally did so and the reports concluded that they have also flunked, putting L.A. County voters at risk. This is very bad news because Bowen is considering running the February primary using these vulnerable machines, which could play a critical role in the upcoming 2008 election.
In “Testers for CA Secretary of State Finds LA County's ES&S E-Voting System Vulnerable to Hacking, Fraud and Manipulation,” Brad “BradBlog” Friedman writes,
Los Angeles County itself, a reliably Democratic-leaning county over all, carries an enormous number of votes for the state. It's the largest such county in the nation, larger even than two-thirds of the states in the country. Tampering with the vote tabulation in that one county alone, could easily change enough votes to see the Electoral College initiative passed successfully across the state.The perfect storm of a compromised voting system and a democracy-thieving amendment could result in a historical shift even further toward a permanent one-party system. Is it a coincidence that two states are under attack are both large and Democratic? Demographics and Bush’s legacy do not bode well for Republicans. Under normal circumstances, 2008 would be as close to a sure thing as politics ever is.
Surely there are democracy-loving Republicans who eschew winning at all costs and want our political system to be as healthy as possible. It’s time for you to speak up! Democracy must have dissent, debate, discussion and accurate, observable elections to thrive.
(Note: You can view every article as one long page if you sign up as an Advocate Member, or higher).