[ISN] Firm invites experts to punch holes in ballot software

[InfoSec News]

http://zdnet.com.com/2100-1105_2-5186016.html

By Robert Lemos 
CNET News.com
April 6, 2004

VoteHere, a maker of security software for voting machines, published 
the source code for its product online in hopes of garnering 
additional analysis of its method for verifying the integrity of 
electronic votes. 

The company, which has patented its VHTi technology, wants comments, 
not competition, so it released the code and several documents to its 
Web site under a license that restricts use of the code to analysis 
for a period of 60 days. 

"We pride ourselves on being good students of cryptography," said Jim 
Adler, founder and CEO of the Bellevue, Wash.-based company. "We know 
there is no security through obscurity, so we want to be open." 

Revealing encryption algorithms for peer review is a standard practice 
in encryption circles and allows experts to poke holes in other 
people's technology. VoteHere hopes the additional scrutiny will prove 
that its technology is sound, Adler said. 

The company's software is designed to let voters verify that their 
ballots were properly handled. It assigns random identification 
numbers to ballots and candidates. After people vote, they get a 
receipt that shows which candidates they chose--listed as numbers, not 
names. Voters can then use the Internet and their ballot 
identification number to check that their votes were correctly 
counted. 

"It doesn't protect the system from compromise, but it detects when 
compromises happen," Adler said. "We are the barking dogs: If anything 
touches the ballots, it can be detected." 

The move comes as questions arise about the security of electronic and 
Internet voting. 

Though few problems with electronic voting machines arose on March 1, 
Super Tuesday, many problems have cropped up during other elections. 

Some states, Michigan among them, are going full bore to ballots cast 
on the Internet, despite some computer scientists' concerns that the 
Net is not secure enough to prevent election tampering. About 28 
percent of Michigan voters cast their ballot online in February during 
that state's Democratic caucus. In the same month, the Department of 
Defense backed away from plans to conduct a trial that could have let 
the 6 million Americans abroad cast their vote online. 

VoteHere has had its own security issues to deal with as well. In 
December, the company called in the FBI to investigate a breach in the 
company's network. Adler said the investigation was ongoing and 
stressed that VoteHere's plans to release source code had been in the 
works since last summer.