-------- Original Message --------
Subject: Re: [Politech] First-hand report of problems with "secure" e-voting
Date: Tue, 02 Mar 2004 17:49:14 -0500
From: Patrick Saunders <saunders48@private>
To: Declan McCullagh <declan@private>

Declan,

As someone who served 12 years on an Ohio board of Elections, one that just voted to go with the Diebold DRE machine, after I had expressed my reservations with the DRE system. The method of storage for those machines in GA is unconscionable, since they are supposed to be under the supervision of the Elections board until Election Day, not dispatched days ahead of the election to sit unguarded.

I have the same reservations about the "security" of this system. My main reservation is that local boards will no longer control the election process, but will be reliant on outside computer people to operate, maintain and upgrade the software used in this system.

-------- Original Message --------
Subject: why e-voting??
Date: Tue, 02 Mar 2004 16:23:59 -0800
To: declan@private
References: <20040302122030.A16112@private>

Usual request to remove my email address in the event this is reposted. Thanks.

Perhaps someone can explain to a Canadian why the apparent US fascination with voting machines. We run solid elections in Canada using pieces of paper, pencils and tested procedures. The costs are not extreme. We can recount and evaluate ballots. Personally, I cannot imagine a system in which no hard copies of ballots exist.

If I remember correctly, our last federal election, from start to finish, took less time than your disaster with Florida's voting machines. And the answer, more machine-based voting! Why?

This is not intended to be a rhetorical question. I really would like someone to explain why Americans embrace voting machines. A defence, anyone?

Robert Neville
Burnaby, British Columbia

-------- Original Message --------
Subject: Re: [Politech] An election judge replies to Politech over secure e-voting
Date: Tue, 2 Mar 2004 13:03:27 -0500
From: Art Amolsch <aamolsch@private>
To: Declan McCullagh <declan@private>
References: <20040302122030.A16112@private>

Can there be a simpler method of rigging an election than tampering with a plastic seal in certain precincts that historically vote overwhelmingly for one party or another? If those machines go offline, how many votes will be "stolen" because people couldn't use the machines?

------------
A Texas elections judge wrote:
"I reckon that repairing a broken plastic seal is beyond the abilities of most meddlers."

-------- Original Message --------
Subject: for Politech: e-voting threat models: what election officials don't get
Date: Tue, 2 Mar 2004 17:02:29 -0500
From: Richard W. DeVaul <rich@private>
To: Declan McCullagh <declan@private>
CC: Richard W. DeVaul <rich@private>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, Declan.

I'm responding to the anonymous election judge whose comments you recently posted to Politech. He was responding to a student's concern regarding the physical security of some electronic voting machines. I am far less worried about the physical security of individual voting machines than I am about the security of the voting technology providers, such as Diebold.

This election judge apparently regards paperless e-voting machines as simply another type of election technology, which should be compared with other options based on error rates, accessibility, cost, etc. This is inappropriate because (1) the e-voting machines are computerized black boxes running proprietary hardware and software, and as such can't be externally verified, and (2) many of these voting machines don't produce a paper audit trail, and as such can't meaningfully be audited.

The electronic aspect and lack of paper trail makes this technology fundamentally different from paper-based voting technology (which provides a clear audit trail) and mechanical voting machines, whose physical operation can be verified with reasonable assurance.

To those who say that e-voting systems are tested and verified in advance, I assure you as a software and hardware engineer that it is trivial to make a voting system that will pass any test of fairness you want, except on voting day. And without a paper audit trail, you will never catch the fix.

Since the technology is a black box we cannot audit, the security and integrity of the system ultimately rests on the source of the technology. If we could trust the source of the technology and trust the physical and network security of the voting machines, perhaps we could trust the system in the absence of a paper-ballot audit.

So, can we trust the providers of our election technology? Even assuming the best of intentions (which I do not assume) the answer is no. The problem is that software systems are complex and difficult to audit under the best of circumstances. A stringent review process is necessary to assure that code does only what it is supposed to do, and few organizations are capable of it, let alone attempt it. Due to the nature of software development, bugs, security flaws, and "unintended features" are all but certain.

All it takes is a single code flaw, malicious insider or external security breach at the technology provider to compromise the integrity or security of an _entire_ election. Fixing a paper-ballot election is time-consuming, expensive, and difficult, and the resources required scale up with the size of the election. Fixing an electronic election, even one on a national scale, by comparison is trivial.

The use of paperless e-voting technology as it exists today means we are trusting our elections to corporate quality assurance and security processes that we can't audit (though we know in Diebold's case that their network security is less than stellar). And as with any system we can't meaningfully audit, we can't trust it.

There are a myriad of ways in which otherwise functional, well-intentioned computer technology can be a security nightmare, and e-voting is subject to all of them. Bruce Schneier's "Secrets and Lies: Digital Security in a Networked World" should be required reading for everyone involved in the e-voting debate.

Cheers,

Rich

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.6 <http://mailcrypt.sourceforge.net/>

iD8DBQFARQRfcEzhTv/Qc9oRAhWWAKDjJU7yQwANbpkeTm2O/6GDQTUz+ACePu/7
ZugyPoDqKpZG7rglKDvrmDo=
=KCIu
-----END PGP SIGNATURE-----

-------- Original Message --------
Subject: Re: [Politech] An election judge replies to Politech over secure e-voting
Date: Tue, 02 Mar 2004 13:34:43 -0500
From: Tracy <tracy@private>
To: Declan McCullagh <declan@private>

At 13:20 3/2/2004, Declan McCullagh wrote:
>The "zip tie" tags are seals with unique serial numbers that are checked and
>verified during set-up; any sign of tampering and that particular machine
>isn't used. I reckon that repairing a broken plastic seal is beyond the
>abilities of most meddlers.

If these zip-tie tags are the same as others commonly used in the computer industry (and elsewhere), they are very easy to open and close again without any sign of evident tampering. I would hope that something as sensitive as voting equipment would be sealed with something a bit more secure.

Granted that the machines are not set up and directly abusable in their crated state, but if someone who really wants to tamper has access to the software load (and various versions of the software load for Diebold machines have been available on the net at various times), they could modify the software load, open the zip-tie (using nothing more complicated than a paper-clip, if it's a standard zip-tie), modify the software on the voting machine, then reseal it. When it is put into operation, whatever changes were made to the software load would then become effective. For instance, the software could be patched to randomly take votes for one party and assign them to the other - such a patch could make this change without it being detectable in the logs.

There are many aspects to security, and no matter how good the software security is, if the physical security isn't up to the same level, the system is inherently insecure.

Just some thoughts...

-------- Original Message --------
Subject: Re: [Politech] An election judge replies to Politech over secure e-voting
Date: Tue, 02 Mar 2004 11:04:29 -0700
From: Cameron Miller
To: Declan McCullagh <declan@private>
CC: politech@private
References: <20040302122030.A16112@private>

Hi Declan,

Please remove my email address if you use this.

Cesar,

One problem I perceive with tallying error rates: the electronic voting machines provide no way for voters to determine if errors were made. I agree with the need for voter verifiable paper trails and I would like to see new systems thoroughly tested for many iterations of a few thousand small local elections, not on a national level for our nation's highest office.

- cameron miller
- UNIX systems administrator

-------- Original Message --------
Subject: RE: [Politech] An election judge replies to Politech over secure
Date: Tue, 2 Mar 2004 22:41:16 -0500
From: Tom Cross <tom@private>
To: declan@private

Declan,

Mr. Benavides ought to be careful about accepting computer security analysis from a political organization.

> Here is a link to a recent position paper on voting systems in Georgia that
> addresses electronic voting security issues in that state in more detail:
> http://www.commoncause.org/states/georgia/evs.htm

This paper states:

> We share the concern that modem transmission of totals from the precinct back to the
> county location represent a potential compromise point, but in Georgia those modem
> transmissions, if done at all, only provide an unofficial tally....
> Encryption of the modem transmission is one of four changes now being incorporated into
> the Georgia voting systems for the 2004 elections.

That's nice. How is the encryption implemented? How are you dealing with key management? Most companies get this stuff wrong the first time, but you're giving them the benefit of the doubt.

The fact that this modem connection is used to provide an unofficial tally is of little solace given that, from what I've read, the memory card with the official tally is plugged into the machine when it places the phone call. If I can force your computer to call mine, instead of the central tallying place (ask your operator about remote call forwarding), I can negotiate the PPP session with it, exploit a vulnerability in its OS, and then modify the contents of the memory card. I can then also call the central polling place, pretend to be your polling location, and upload the same fake results to it.

> The four modifications are the recommended system changes cited in the SAIC report
> for the state of Maryland.

I applaud the State of Maryland for having the foresight to go through with such an audit. However, even the parts of that report that were redacted showed that the most basic security practices weren't being followed. The computer that performed the official tally was connected to the internet, and ballot files were being distributed to polling places via FTP! Getting an audit is a good first step for them, but it's the sort of thing that you do before putting a new system in production, not after.

Computer Security is not just about technology, it's about policies and practices. Obviously Georgia has a different set of policies and practices than Maryland. In fact, from what I've heard they are better. Why not submit Georgia's electronic voting system to a similar audit instead of relying on the results of an audit of someone else's system?

Mr. Benavides is correct when he points out that activists opposed to electronic voting systems aren't really weighing the problems with these systems next to the present status quo. On the other hand, I think what gets the security community so riled up is that elections administrators have fought against even the most basic sort of security process that we'd apply in another context, such as e-commerce or HIPAA compliance. While Georgia has agreed to encrypt their dial-up session, this change has only occurred as the result of widespread political uproar. This fact does not inspire confidence.

Tom Cross

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
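Tom Cross's message above asks how the precinct-to-county transmission is authenticated and how keys are managed, and describes two failure modes a bare encrypted link does nothing about: a precinct machine being steered to the wrong endpoint, and an impersonator uploading forged results as if they were a polling place. The following is an added illustration, not code from Georgia's system, Diebold, or anyone on this thread, of the minimum a defender would expect on such a link: a per-precinct key provisioned offline by the board, a single-use challenge from the county tabulator so uploads cannot be replayed, direction-labelled HMAC-SHA256 tags so each side can authenticate the other, and a reject-with-reason audit log. The precinct identifiers, totals and keys are constructed sample values; the election identifier is a label, not a real contest.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: one election, two precincts, per-precinct keys that the
# county board would provision offline. None of this is any real jurisdiction's configuration.
ELECTION_ID = "election-2004-03-example"
PRECINCT_KEYS = {
    "precinct-101": b"constructed-key-101-do-not-use-in-prod",
    "precinct-102": b"constructed-key-102-do-not-use-in-prod",
}


def canonical(obj):
    """Deterministic JSON encoding so both sides MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def mac(key, direction, data):
    """HMAC-SHA256 with a direction label, so a tag made by one side can't be replayed as the other's."""
    return hmac.new(key, direction + b"\x00" + data, hashlib.sha256).hexdigest()


class CentralTabulator:
    """County side: issues single-use challenges and checks every upload before recording it."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.pending = {}   # precinct_id -> nonce still awaiting a response
        self.accepted = {}  # precinct_id -> totals that passed every check
        self.log = []       # audit trail of rejections (precinct_id, reason)

    def challenge(self, precinct_id):
        nonce = secrets.token_hex(16)
        self.pending[precinct_id] = nonce
        return {"nonce": nonce, "tag": mac(self.keys[precinct_id], b"central->precinct", nonce.encode())}

    def receive(self, upload):
        body, tag = upload.get("body", {}), upload.get("tag", "")
        pid = body.get("precinct_id")
        key = self.keys.get(pid)
        if key is None:
            return self._reject(pid, "unknown precinct")
        # Constant-time compare of a tag over the whole body: ids, nonce and totals together.
        if not hmac.compare_digest(mac(key, b"precinct->central", canonical(body)), tag):
            return self._reject(pid, "bad tag: wrong key or body altered after signing")
        if body.get("election_id") != ELECTION_ID:
            return self._reject(pid, "wrong election")
        if self.pending.get(pid) != body.get("nonce"):
            return self._reject(pid, "nonce not outstanding: replay or unsolicited upload")
        del self.pending[pid]                      # the nonce is single-use
        self.accepted[pid] = dict(body["totals"])  # copy, so later mutation of the upload can't touch it
        return True

    def _reject(self, pid, reason):
        self.log.append((pid, reason))
        return False


class PrecinctMachine:
    """Precinct side: answers only a challenge it can authenticate, and binds its totals to that nonce."""

    def __init__(self, precinct_id, key, totals):
        self.precinct_id, self.key, self.totals = precinct_id, key, totals

    def respond(self, chal):
        expected = mac(self.key, b"central->precinct", chal["nonce"].encode())
        if not hmac.compare_digest(expected, chal["tag"]):
            raise ValueError("challenge did not come from the central site; refusing to upload")
        body = {"election_id": ELECTION_ID, "precinct_id": self.precinct_id,
                "nonce": chal["nonce"], "totals": dict(self.totals)}
        return {"body": body, "tag": mac(self.key, b"precinct->central", canonical(body))}


def run_scenarios():
    """One honest exchange, then the failure modes the thread worries about."""
    central = CentralTabulator(PRECINCT_KEYS)
    honest = PrecinctMachine("precinct-101", PRECINCT_KEYS["precinct-101"], {"A": 412, "B": 388})
    results = {}

    # 1. Honest exchange: challenge -> signed response -> accepted.
    upload = honest.respond(central.challenge("precinct-101"))
    results["honest"] = central.receive(upload)

    # 2. Same upload sent again: the nonce was consumed, so it is rejected.
    results["replay"] = central.receive(upload)

    # 3. Impersonator claiming to be precinct-102 without its key (sees the nonce on the wire).
    chal = central.challenge("precinct-102")
    body = {"election_id": ELECTION_ID, "precinct_id": "precinct-102",
            "nonce": chal["nonce"], "totals": {"A": 0, "B": 999}}
    results["impersonator"] = central.receive(
        {"body": body, "tag": mac(b"guessed-key", b"precinct->central", canonical(body))})

    # 4. Totals altered after the precinct signed them: the tag no longer matches.
    upload = honest.respond(central.challenge("precinct-101"))
    upload["body"]["totals"]["B"] += 100
    results["tampered"] = central.receive(upload)

    # 5. The precinct refuses a challenge it cannot authenticate (wrong endpoint).
    try:
        honest.respond({"nonce": "deadbeef", "tag": "not-a-real-tag"})
        results["bogus_challenge_refused"] = False
    except ValueError:
        results["bogus_challenge_refused"] = True

    results["rejections"] = [reason for _, reason in central.log]
    results["accepted"] = central.accepted
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Two limits worth noting, both already implicit in the thread. Authenticating the link answers the "pretend to be your polling location" and replay concerns, but it does not help if the precinct machine itself has been compromised before it dials out, which is the scenario Tom raises about the memory card; that needs host integrity, not transport security. And none of this is stronger than the key-management practice behind it: the per-precinct keys here are the whole root of trust, which is exactly why the question "how are you dealing with key management?" is the right one to ask first.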
This archive was generated by hypermail 2b30 : Tue Mar 02 2004 - 22:00:32 PST