Voting Machines Based On WinCE Found To Be Security Risks

This just isn't Microsoft's week.

Yet another security problem with one of Microsoft's products has reared its head. This time the problem is with Windows CE, Microsoft's earlier version of its PDA OS. It seems that the OS was used in an electronic voting system whose source code was inadvertently left where Internet surfers could find it. A team of security gurus scrutinized the code and deemed it lacking adequate security. From the C|Net News article, Voting Machine Fails Inspection:

Using an earlier version of the source code that powers machines manufactured by Diebold Election Systems, the security experts--three from Johns Hopkins University and a colleague from Rice University--performed an audit and found numerous security holes.

"Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts," said the researchers in a paper published Wednesday on the Internet, concluding that "as a society, we must carefully consider the risks inherent in electronic voting, as it places our very democracy at risk."

The criticisms echo a fundamental issue that many security researchers have raised with most current systems: there is no way to verify that a vote was correctly recorded and no permanent record is kept.

The issues also come as direct recording electronic (DRE) voting systems are taking off. In the 2002 election, 19.6 percent of the electorate could have cast an electronic vote, up from 7.9 percent in 1996, according to Election Data Services.


Several issues became evident when the code was audited, said Avi Rubin, an associate professor of computer science at Johns Hopkins University and one of the authors of the paper.

For one, the manufacturer chose Windows CE as the operating system--a bad choice from a security standard, Rubin said. "Windows has a long history of new releases of patch just about every week," he said. "You can't run voting machines on Windows."

Read the entire article at C|Net.