See below the text (in English) from Bruce Schneier's blog about a "low-tech" fraud on electronic voting machines in Kentucky, USA, between 2002 and 2006.
The voting machine used in this fraud (ES&S iVotronic) has a series of security holes that could be used in high-tech fraud involving modification of the software, but what was surprising in this Kentucky case is that an elementary vulnerability was exploited, one that had not been noticed in any previous technical analysis and that allowed a simple fraud: the election office officials did not instruct voters about the second confirmation of the vote after the VOTE button was pressed. Some voters left the booth before confirming, allowing the poll workers to cancel and tamper with the vote!!! As was to be expected, those who first discovered the ambiguity of the confirmation screen, instead of reporting it, decided to exploit it for fraud...

This case bears a certain similarity to the printed-vote tests in Brazil, also in 2002, when the TSE did not instruct voters about the second CONFIRMA key that had to be pressed at the end of voting. Many voters failed to confirm their vote and left. However, in this Brazilian case, the lack of instruction to voters about the confirmation screen was deliberate and intentional, because the TSE technicians wanted to cause problems with the printed vote so that they could later condemn it (in which they succeeded).

Regards,
Eng. Amilcar Brunazo Filho - Santos, SP
www.votoseguro.org
-----------------
I KNOW WHO I VOTED FOR, SO DO THEY, BUT ONLY THEY KNOW WHO RECEIVED MY VOTE
_______________________________________________

http://www.schneier.com/blog/archives/2009/03/election_fraud.html

Schneier on Security
A blog covering security and security technology.

March 24, 2009

Election Fraud in Kentucky

I think this is the first documented case of election fraud in the U.S.
using electronic voting machines (there have been lots of documented cases of errors and voting problems, but this one involves actual maliciousness):

> Five Clay County officials, including the circuit court judge, the county clerk, and election officers were arrested Thursday after they were indicted on federal charges accusing them of using corrupt tactics to obtain political power and personal gain.
>
> The 10-count indictment, unsealed Thursday, accused the defendants of a conspiracy from March 2002 until November 2006 that violated the Racketeering Influenced and Corrupt Organizations Act (RICO). RICO is a federal statute that prosecutors use to combat organized crime. The defendants were also indicted for extortion, mail fraud, obstruction of justice, conspiracy to injure voters' rights and conspiracy to commit voter fraud.
>
> According to the indictment, these alleged criminal actions affected the outcome of federal, local, and state primary and general elections in 2002, 2004, and 2006.

From BradBlog:

> Clay County uses the horrible ES&S iVotronic system for all of its votes at the polling place. The iVotronic is a touch-screen Direct Recording Electronic (DRE) device, offering no evidence, of any kind, that any vote has ever been recorded as per the voter's intent. If the allegations are correct here, there would likely have been no way to discover, via post-election examination of machines or election results, that votes had been manipulated on these machines.
>
> ES&S is the largest distributor of voting systems in America and its iVotronic system --- which is well-documented to have lost and flipped votes on many occasions --- is likely the most widely-used DRE system in the nation. It's currently in use in some 419 jurisdictions in 18 states including Arkansas, Colorado, Florida, Indiana, Kansas, Kentucky, Missouri, Mississippi, North Carolina, New Jersey, Ohio, Pennsylvania, South Carolina, Tennessee, Texas, Virginia, Wisconsin, and West Virginia.

ArsTechnica has more, and here's the actual indictment; BradBlog has excerpts.

The fraud itself is very low-tech, and didn't make use of any of the documented vulnerabilities in the ES&S iVotronic machines; it was basic social engineering. Matt Blaze explains:

> The iVotronic is a popular Direct Recording Electronic (DRE) voting machine. It displays the ballot on a computer screen and records voters' choices in internal memory. Voting officials and machine manufacturers cite the user interface as a major selling point for DRE machines -- it's already familiar to voters used to navigating touchscreen ATMs, computerized gas pumps, and so on, and thus should avoid problems like the infamous "butterfly ballot". Voters interact with the iVotronic primarily by touching the display screen itself. But there's an important exception: above the display is an illuminated red button labeled "VOTE" (see photo at right). Pressing the VOTE button is supposed to be the final step of a voter's session; it adds their selections to their candidates' totals and resets the machine for the next voter.
>
> The Kentucky officials are accused of taking advantage of a somewhat confusing aspect of the way the iVotronic interface was implemented. In particular, the behavior (as described in the indictment) of the version of the iVotronic used in Clay County apparently differs a bit from the behavior described in ES&S's standard instruction sheet for voters [pdf - see page 2]. A flash-based iVotronic demo available from ES&S here shows the same procedure, with the VOTE button as the last step. But evidently there's another version of the iVotronic interface in which pressing the VOTE button is only the second to last step. In those machines, pressing VOTE invokes an extra "confirmation" screen. The vote is only actually finalized after a "confirm vote" box is touched on that screen.
> (A different flash demo that shows this behavior with the version of the iVotronic equipped with a printer is available from ES&S here).
>
> So the iVotronic VOTE button doesn't necessarily work the way a voter who read the standard instructions might expect it to. The indictment describes a conspiracy to exploit this ambiguity in the iVotronic user interface by having pollworkers systematically (and incorrectly) tell voters that pressing the VOTE button is the last step. When a misled voter would leave the machine with the extra "confirm vote" screen still displayed, a pollworker would quietly "correct" the not-yet-finalized ballot before casting it.
>
> It's a pretty elegant attack, exploiting little more than a poorly designed, ambiguous user interface, printed instructions that conflict with actual machine behavior, and public unfamiliarity with equipment that most citizens use at most once or twice each year. And once done, it leaves behind little forensic evidence to expose the deed.

Read the rest of Blaze's post for some good analysis on the attack and what it says about iVotronic. He led the team that analyzed the security of that very machine:

> We found numerous exploitable security weaknesses in these machines, many of which would make it easy for a corrupt voter, pollworker, or election official to tamper with election results (see our report for details).
>
> [...]
>
> On the one hand, we might be comforted by the relatively "low tech" nature of the attack -- no software modifications, altered electronic records, or buffer overflow exploits were involved, even though the machines are, in fact, quite vulnerable to such things. But a close examination of the timeline in the indictment suggests that even these "simple" user interface exploits might well portend more technically sophisticated attacks sooner, rather than later.
>
> Count 9 of the Kentucky indictment alleges that the Clay County officials first discovered and conspired to exploit the iVotronic "confirm screen" ambiguity around June 2004. But Kentucky didn't get iVotronics until at the earliest late 2003; according to the state's 2003 HAVA Compliance Plan [pdf], no Kentucky county used the machines as of mid-2003. That means that the officials involved in the conspiracy managed to discover and work out the operational details of the attack soon after first getting the machines, and were able to use it to alter votes in the next election.
>
> [...]
>
> But that's not the worst news in this story. Even more unsettling is the fact that none of the published security analyses of the iVotronic -- including the one we did at Penn -- had noticed the user interface weakness. The first people to have discovered this flaw, it seems, didn't publish or report it. Instead, they kept it to themselves and used it to steal votes.
