[Politech] Replies over electronic voting machines, Diebold, and security

From: Declan McCullagh (declan@private)
Date: Tue Mar 02 2004 - 21:05:51 PST


    -------- Original Message --------
    Subject: Re: [Politech] First-hand report of problems with "secure"  e-voting
    Date: Tue, 02 Mar 2004 17:49:14 -0500
    From: Patrick Saunders <saunders48@private>
    To: Declan McCullagh <declan@private>
    
    Declan,
    I served 12 years on an Ohio Board of Elections, one that just voted to go
    with the Diebold DRE machine after I had expressed my reservations about
    the DRE system. The method of storage for those machines in GA is
    unconscionable, since they are supposed to be under the supervision of the
    Elections board until Election Day, not dispatched days ahead of the
    election to sit unguarded.
    
    I have the same reservations about the "security" of this system. My main
    reservation is that local boards will no longer control the election
    process, but will be reliant on outside computer people to operate,
    maintain and upgrade the software used in this system.
    
    
    
    
    
    -------- Original Message --------
    Subject: why e-voting??
    Date: Tue, 02 Mar 2004 16:23:59 -0800
    To: declan@private
    References: <20040302122030.A16112@private>
    
    Usual request to remove my email address in the event this is reposted.
    Thanks.
    
    Perhaps someone can explain to a Canadian why the apparent US
    fascination with voting machines.  We run solid elections in Canada
    using pieces of paper, pencils and tested procedures.  The cost is
    not extreme.  We can recount and evaluate ballots.  Personally, I
    cannot imagine a system in which no hard copies of ballots exist.  If I
    remember correctly, our last federal election, from start to finish,
    took less time than your disaster with Florida's voting machines.  And
    the answer, more machine-based voting! Why?
    
    This is not intended to be a rhetorical question.  I really would like
    someone to explain why Americans embrace voting machines. A defence,
    anyone?
    
    Robert Neville
    Burnaby, British Columbia
    
    
    
    
    
    
    -------- Original Message --------
    Subject: Re: [Politech] An election judge replies to Politech over secure e-voting
    Date: Tue, 2 Mar 2004 13:03:27 -0500
    From: Art Amolsch <aamolsch@private>
    To: Declan McCullagh <declan@private>
    References: <20040302122030.A16112@private>
    
    Can there be a simpler method of rigging an election
    than tampering with a plastic seal in certain precincts
    that historically vote overwhelmingly for one party
    or another? If those machines go offline, how many
    votes will be "stolen" because people couldn't use
    the machines?
    ------------
    A Texas elections judge wrote:
    
    "I reckon that repairing a broken plastic seal is beyond the
    abilities of most meddlers."
    
    
    
    
    
    -------- Original Message --------
    Subject: for Politech: e-voting threat models: what election officials don't get
    Date: Tue, 2 Mar 2004 17:02:29 -0500
    From: Richard W. DeVaul <rich@private>
    To: Declan McCullagh <declan@private>
    CC: Richard W. DeVaul <rich@private>
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hello, Declan.
    
    I'm responding to the anonymous election judge whose comments you
    recently posted to Politech.  He was responding to a student's concern
    regarding the physical security of some electronic voting machines.
    
    I am far less worried about the physical security of individual voting
    machines than I am about the security of the voting technology
    providers, such as Diebold.
    
    This election judge apparently regards paperless e-voting machines as
    simply another type of election technology, which should be compared
    with other options based on error rates, accessibility, cost, etc.
    This is inappropriate because (1) the e-voting machines are
    computerized black-boxes running proprietary hardware and software,
    and as such can't be externally verified, and (2) many of these voting
    machines don't produce a paper audit trail, and as such can't
    meaningfully be audited.
    
    The electronic aspect and lack of paper trail makes this technology
    fundamentally different from paper-based voting technology (which
    provides a clear audit trail) and mechanical voting machines, whose
    physical operation can be verified with reasonable assurance.
    
    To those who say that e-voting systems are tested and verified in
    advance, I assure you as a software and hardware engineer that it is
    trivial to make a voting system that will pass any test of fairness
    you want, except on voting day.  And without a paper audit trail, you
    will never catch the fix.
    
    Since the technology is a black box we cannot audit, the security and
    integrity of the system ultimately rests on the source of the
    technology. If we could trust the source of the technology and trust
    the physical and network security of the voting machines, perhaps we
    could trust the system in the absence of a paper-ballot audit.
    
    So, can we trust the providers of our election technology?  Even
    assuming the best of intentions (which I do not assume) the answer is
    no. The problem is that software systems are complex and difficult to
    audit under the best of circumstances.  A stringent review process is
    necessary to assure that code does only what it is supposed to do, and
    few organizations are capable of it, let alone attempt it.  Due to the
    nature of software development, bugs, security flaws, and "unintended
    features" are all but certain.
    
    All it takes is a single code flaw, malicious insider or external
    security breach at the technology provider to compromise the integrity
    or security of an _entire_ election.
    
    Fixing a paper-ballot election is time-consuming, expensive, and
    difficult, and the resources required scale up with the size of the
    election.  Fixing an electronic election, even one on a national
    scale, by comparison is trivial.
    
    The use of paperless e-voting technology as it exists today means we
    are trusting our elections to corporate quality assurance and security
    processes that we can't audit (though we know in Diebold's case that
    their network security is less than stellar).  And as with any system
    we can't meaningfully audit, we can't trust it.
    
    There are a myriad of ways in which otherwise functional,
    well-intentioned computer technology can be a security nightmare, and
    e-voting is subject to all of them.  Bruce Schneier's "Secrets and
    Lies: Digital Security in a Networked World" should be required
    reading for everyone involved in the e-voting debate.
    
    	Cheers,
    	Rich
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Processed by Mailcrypt 3.5.6 <http://mailcrypt.sourceforge.net/>
    
    iD8DBQFARQRfcEzhTv/Qc9oRAhWWAKDjJU7yQwANbpkeTm2O/6GDQTUz+ACePu/7
    ZugyPoDqKpZG7rglKDvrmDo=
    =KCIu
    -----END PGP SIGNATURE-----
    
    
    
    
    
    -------- Original Message --------
    Subject: Re: [Politech] An election judge replies to Politech over  secure e-voting
    Date: Tue, 02 Mar 2004 13:34:43 -0500
    From: Tracy <tracy@private>
    To: Declan McCullagh <declan@private>
    
    At 13:20 3/2/2004, Declan McCullagh wrote:
     >The "zip tie" tags are seals with unique serial numbers that are checked and
     >verified during set-up; any sign of tampering and that particular machine
     >isn't used.  I reckon that repairing a broken plastic seal is beyond the
     >abilities of most meddlers.
    
    If these zip-tie tags are the same as others commonly used in the computer
    industry (and elsewhere), they are very easy to open and close again
    without any sign of evident tampering. I would hope that something as
    sensitive as voting equipment would be sealed with something a bit more
    secure.
    
    Granted that the machines are not set up and directly abusable in their
    crated state, but if someone who really wants to tamper has access to the
    software load (and various versions of the software load for Diebold
    machines have been available on the net at various times), they could
    modify the software load, open the zip-tie (using nothing more complicated
    than a paper-clip, if it's a standard zip-tie), modify the software on the
    voting machine, then reseal it. When it is put into operation, whatever
    changes were made to the software load would then become effective. For
    instance, the software could be patched to randomly take votes for one
    party and assign them to the other - such a patch could make this change
    without it being detectable in the logs.
    
    There are many aspects to security, and no matter how good the software
    security is, if the physical security isn't up to the same level, the
    system is inherently insecure.
    
    Just some thoughts...
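
    The scenario above, a software load altered in the crate and the seal
    replaced, is exactly what a software-integrity check at set-up is meant to
    catch. The following is an added example, not code from the original post
    or from any voting-machine vendor: the file names, contents and the
    board-held key are constructed placeholders, and the design (a SHA-256
    manifest authenticated with an HMAC under a key the board keeps off the
    machine) is an assumption about how such a check could be done, not a
    description of any deployed system.

```python
"""Integrity check of a voting machine's software load against a
board-held manifest.  Added example, not code from the original post
or from any vendor; file names, keys and contents are constructed."""
import hashlib
import hmac
import json

# Constructed: what the election board recorded when the certified
# software load was installed.  Real digests would be taken from the
# certified image; these bytes are placeholders.
CERTIFIED_LOAD = {
    "ballot_station.bin": b"certified ballot station build 4.x (placeholder)",
    "tally.dll": b"certified tally module (placeholder)",
}

# Hypothetical key held by the board and never stored on the machine,
# so whoever rewrites the on-machine manifest cannot re-authenticate it.
BOARD_KEY = b"board-manifest-key-placeholder"


def build_manifest(files, key):
    """Record the SHA-256 of every file and MAC the whole manifest."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}


def verify_load(files, manifest, key):
    """Return (ok, findings).  Check the manifest's MAC first, then every
    file's digest; missing or unexpected files are findings too."""
    findings = []
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False, ["manifest MAC invalid: manifest itself was altered"]
    for name, digest in manifest["digests"].items():
        if name not in files:
            findings.append(f"missing file: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            findings.append(f"digest mismatch: {name}")
    for name in files:
        if name not in manifest["digests"]:
            findings.append(f"unexpected file: {name}")
    return not findings, findings


def demo():
    """Run the check over a pristine load, a patched load, and a patched
    load whose on-machine manifest was rewritten without the board's key."""
    manifest = build_manifest(CERTIFIED_LOAD, BOARD_KEY)
    results = {}
    results["pristine"] = verify_load(CERTIFIED_LOAD, manifest, BOARD_KEY)
    # Constructed tamper case: the tally module was replaced in the crate.
    patched = dict(CERTIFIED_LOAD,
                   **{"tally.dll": b"patched tally module (placeholder)"})
    results["patched"] = verify_load(patched, manifest, BOARD_KEY)
    # Constructed: the manifest was regenerated to match the patched file,
    # but under a key that is not the board's.
    forged = build_manifest(patched, b"wrong-key")
    results["forged_manifest"] = verify_load(patched, forged, BOARD_KEY)
    return results


if __name__ == "__main__":
    for case, (ok, findings) in demo().items():
        print(f"{case}: {'OK' if ok else 'FAIL'} {findings}")
```

    The check only means something if the code doing the verifying is itself
    trusted, for instance run from board-held media rather than from the
    machine under test; a machine whose software was already replaced can
    report whatever digests it likes. That limit is why the physical-security
    point in the message above stands even when an integrity check is in
    place.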
    
    
    
    -------- Original Message --------
    Subject: Re: [Politech] An election judge replies to Politech over secure e-voting
    Date: Tue, 02 Mar 2004 11:04:29 -0700
    From: Cameron Miller
    To: Declan McCullagh <declan@private>
    CC: politech@private
    References: <20040302122030.A16112@private>
    
    Hi Declan,
    
    Please remove my email address if you use this.
    
    Cesar,
    
    One problem I perceive with tallying error rates is that the electronic
    voting machines provide no way for voters to determine if errors were
    made.  I agree with the need for voter verifiable paper trails and I would
    like to see new systems thoroughly tested for many iterations of a few
    thousand small local elections, not on a national level for our nation's
    highest office.
    
    - cameron miller
    - UNIX systems administrator
    
    
    
    
    
    
    -------- Original Message --------
    Subject: RE: [Politech] An election judge replies to Politech over secure
    Date: Tue, 2 Mar 2004 22:41:16 -0500
    From: Tom Cross <tom@private>
    To: declan@private
    
    Declan,
    
    	Mr. Benavides ought to be careful about accepting computer security
    analysis from a political organization.
    
     > Here is a link to a recent position paper on voting systems in
     > Georgia that addresses electronic voting security issues in that state
     > in more detail:
     > http://www.commoncause.org/states/georgia/evs.htm
    
    This paper states:
    
     > We share the concern that modem transmission of totals from the
     > precinct back to the county location represent a potential compromise
     > point, but in Georgia those modem transmissions, if done at all, only
     > provide an unofficial tally....
     > Encryption of the modem transmission is one of four changes now being
     > incorporated into the Georgia voting systems for the 2004 elections.
    
    That's nice. How is the encryption implemented? How are you dealing with
    key management? Most companies get this stuff wrong the first time, but
    you're giving them the benefit of the doubt.
    
    The fact that this modem connection is used to provide an unofficial
    tally is of little solace given that, from what I've read, the memory
    card with the official tally is plugged into the machine when it places
    the phone call. If I can force your computer to call mine, instead of
    the central tallying place (ask your operator about remote call
    forwarding), I can negotiate the PPP session with it, exploit a
    vulnerability in its OS, and then modify the contents of the memory
    card. I can then also call the central polling place, pretend to be
    your polling location, and upload the same fake results to it.
    
     > The four modifications are the recommended system changes cited in
     > the SAIC report for the state of Maryland.
    
    I applaud the State of Maryland for having the foresight to go through
    with such an audit. However, even the parts of that report that were
    redacted showed that the most basic security practices weren't being
    followed. The computer that performed the official tally was connected
    to the internet, and ballot files were being distributed to polling
    places via FTP! Getting an audit is a good first step for them, but it's
    the sort of thing that you do before putting a new system in
    production, not after.
    
    Computer Security is not just about technology, it's about policies and
    practices. Obviously Georgia has a different set of policies and
    practices than Maryland. In fact, from what I've heard they are better.
    Why not submit Georgia's electronic voting system to a similar audit
    instead of relying on the results of an audit of someone else's system?
    
    Mr. Benavides is correct when he points out that activists opposed to
    electronic voting systems aren't really weighing the problems with
    these systems next to the present status quo. On the other hand, I
    think what gets the security community so riled up is that elections
    administrators have fought against even the most basic sort of security
    process that we'd apply in another context, such as e-commerce or HIPAA
    compliance. While Georgia has agreed to encrypt their dial-up session,
    this change has only occurred as the result of widespread political
    uproar. This fact does not inspire confidence.
    
    Tom Cross
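
    The questions above ("How is the encryption implemented? How are you
    dealing with key management?") are the right ones, because what protects a
    tally upload against a spoofed or redirected call is not confidentiality
    but authentication and replay protection. The following is an added
    example, not code from the original post, from Georgia's system or from any
    vendor: it assumes one HMAC key per precinct, provisioned by the board on
    sealed media before election day, and a fresh nonce per upload so that a
    recorded message cannot be played back. Precinct ids, keys, the election
    id and the tallies are all constructed placeholders.

```python
"""Authenticated, replay-resistant upload of a precinct tally.  Added
example, not code from the original post, from Georgia's system or
from any vendor; keys, precinct ids and tallies are constructed."""
import hashlib
import hmac
import json
import secrets

ELECTION_ID = "2004-primary-placeholder"

# Hypothetical: one key per precinct, handed over on sealed media by the
# election board before election day and retired afterwards.  Nothing
# but the messages themselves ever travels over the modem.
PRECINCT_KEYS = {
    "precinct-101": b"key-for-precinct-101-placeholder",
    "precinct-102": b"key-for-precinct-102-placeholder",
}


def canonical(payload):
    """Deterministic serialization so sender and receiver MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_upload(precinct_id, tally, key, nonce=None):
    """Precinct side: bind the tally to the election, the precinct and a
    fresh nonce, then MAC the whole payload under the precinct's key."""
    payload = {
        "election": ELECTION_ID,
        "precinct": precinct_id,
        "nonce": nonce or secrets.token_hex(16),
        "tally": tally,
    }
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


class CentralTally:
    """County side: accept an upload only if its MAC verifies under the
    claimed precinct's key and its nonce has not been seen before."""

    def __init__(self, keys):
        self.keys = keys
        self.seen_nonces = set()
        self.accepted = {}
        self.rejections = []

    def receive(self, message):
        payload, mac = message["payload"], message["mac"]
        precinct = payload.get("precinct")
        key = self.keys.get(precinct)
        if key is None:
            return self._reject(precinct, "unknown precinct")
        expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return self._reject(precinct, "bad MAC")
        if payload.get("election") != ELECTION_ID:
            return self._reject(precinct, "wrong election")
        if payload["nonce"] in self.seen_nonces:
            return self._reject(precinct, "replayed upload")
        self.seen_nonces.add(payload["nonce"])
        self.accepted[precinct] = payload["tally"]
        return "accepted"

    def _reject(self, precinct, reason):
        self.rejections.append((precinct, reason))
        return f"rejected: {reason}"


def demo():
    """Genuine upload, the same upload replayed, an upload from a caller
    without the precinct key, and a genuine upload altered in transit."""
    central = CentralTally(PRECINCT_KEYS)
    outcomes = {}
    genuine = build_upload("precinct-101", {"A": 412, "B": 388},
                           PRECINCT_KEYS["precinct-101"])
    outcomes["genuine"] = central.receive(genuine)
    outcomes["replay"] = central.receive(genuine)  # same message sent twice
    # Constructed: a caller claiming to be precinct-102 without its key.
    spoofed = build_upload("precinct-102", {"A": 900, "B": 12}, b"guessed-key")
    outcomes["spoofed"] = central.receive(spoofed)
    # Constructed: a genuine message whose tally was changed after MACing.
    altered = build_upload("precinct-102", {"A": 300, "B": 310},
                           PRECINCT_KEYS["precinct-102"])
    altered["payload"]["tally"]["A"] = 600
    outcomes["altered"] = central.receive(altered)
    return outcomes, central.accepted


if __name__ == "__main__":
    outcomes, accepted = demo()
    for case, result in outcomes.items():
        print(f"{case}: {result}")
    print("accepted tallies:", accepted)
```

    With per-precinct keys, a redirected call yields a connection but not an
    accepted upload, and a recorded upload cannot be resubmitted. The message
    layer says nothing about the other half of the concern raised above, the
    exposure of the machine itself while it is dialled in, and it moves the
    hard problem to exactly where the message points: generating, delivering
    and retiring those keys.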
    
    _______________________________________________
    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)
    


