Politech mailing list archives

Replies over electronic voting machines, Diebold, and security


From: Declan McCullagh <declan () well com>
Date: Wed, 03 Mar 2004 00:05:51 -0500


-------- Original Message --------
Subject: Re: [Politech] First-hand report of problems with "secure"  e-voting
Date: Tue, 02 Mar 2004 17:49:14 -0500
From: Patrick Saunders <saunders48 () accnorwalk com>
To: Declan McCullagh <declan () well com>

Declan,
As someone who served 12 years on an Ohio Board of Elections, one that just
voted to go with the Diebold DRE machine after I had expressed my
reservations about the DRE system, I find the method of storage for those
machines in GA unconscionable, since they are supposed to be under the
supervision of the Elections board until Election Day, not dispatched days
ahead of the election to sit unguarded.

I have the same reservations about the "security" of this system. My main
reservation is that local boards will no longer control the election
process, but will be reliant on outside computer people to operate,
maintain and upgrade the software used in this system.





-------- Original Message --------
Subject: why e-voting??
Date: Tue, 02 Mar 2004 16:23:59 -0800
To: declan () well com
References: <20040302122030.A16112 () baltwash com>

Usual request to remove my email address in the event this is reposted.
Thanks.

Perhaps someone can explain to a Canadian why the apparent US
fascination with voting machines.  We run solid elections in Canada
using pieces of paper, pencils and tested procedures.  The cost is
not extreme.  We can recount and evaluate ballots.  Personally, I
cannot imagine a system in which no hard copies of ballots exist.  If I
remember correctly, our last federal election, from start to finish,
took less time than your disaster with Florida's voting machines.  And
the answer, more machine-based voting! Why?

This is not intended to be a rhetorical question.  I really would like
someone to explain why Americans embrace voting machines. A defence,
anyone?

Robert Neville
Burnaby, British Columbia






-------- Original Message --------
Subject: Re: [Politech] An election judge replies to Politech over secure e-voting
Date: Tue, 2 Mar 2004 13:03:27 -0500
From: Art Amolsch <aamolsch () shentel net>
To: Declan McCullagh <declan () well com>
References: <20040302122030.A16112 () baltwash com>

Can there be a simpler method of rigging an election
than tampering with a plastic seal in certain precincts
that historically vote overwhelmingly for one party
or another? If those machines go offline, how many
votes will be "stolen" because people couldn't use
the machines?
------------
A Texas elections judge wrote:

"I reckon that repairing a broken plastic seal is beyond the
abilities of most meddlers."





-------- Original Message --------
Subject: for Politech: e-voting threat models: what election officials don't get
Date: Tue, 2 Mar 2004 17:02:29 -0500
From: Richard W. DeVaul <rich () devaul org>
To: Declan McCullagh <declan () well com>
CC: Richard W. DeVaul <rich () devaul org>

Hello, Declan.

I'm responding to the anonymous election judge whose comments you
recently posted to Politech.  He was responding to a student's concern
regarding the physical security of some electronic voting machines.

I am far less worried about the physical security of individual voting
machines than I am about the security of the voting technology
providers, such as Diebold.

This election judge apparently regards paperless e-voting machines as
simply another type of election technology, which should be compared
with other options based on error rates, accessibility, cost, etc.
This is inappropriate because (1) the e-voting machines are
computerized black boxes running proprietary hardware and software,
and as such can't be externally verified, and (2) many of these voting
machines don't produce a paper audit trail, and as such can't
meaningfully be audited.

The electronic aspect and lack of paper trail makes this technology
fundamentally different from paper-based voting technology (which
provides a clear audit trail) and mechanical voting machines, whose
physical operation can be verified with reasonable assurance.

To those who say that e-voting systems are tested and verified in
advance, I assure you as a software and hardware engineer that it is
trivial to make a voting system that will pass any test of fairness
you want, except on voting day.  And without a paper audit trail, you
will never catch the fix.

Since the technology is a black box we cannot audit, the security and
integrity of the system ultimately rests on the source of the
technology. If we could trust the source of the technology and trust
the physical and network security of the voting machines, perhaps we
could trust the system in the absence of a paper-ballot audit.

So, can we trust the providers of our election technology?  Even
assuming the best of intentions (which I do not assume) the answer is
no. The problem is that software systems are complex and difficult to
audit under the best of circumstances.  A stringent review process is
necessary to assure that code does only what it is supposed to do, and
few organizations are capable of it, let alone attempt it.  Due to the
nature of software development, bugs, security flaws, and "unintended
features" are all but certain.

All it takes is a single code flaw, malicious insider or external
security breach at the technology provider to compromise the integrity
or security of an _entire_ election.

Fixing a paper-ballot election is time-consuming, expensive, and
difficult, and the resources required scale up with the size of the
election.  Fixing an electronic election, even one on a national
scale, by comparison is trivial.

The use of paperless e-voting technology as it exists today means we
are trusting our elections to corporate quality assurance and security
processes that we can't audit (though we know in Diebold's case that
their network security is less than stellar).  And as with any system
we can't meaningfully audit, we can't trust it.

There are a myriad of ways in which otherwise functional,
well-intentioned computer technology can be a security nightmare, and
e-voting is subject to all of them.  Bruce Schneier's "Secrets and
Lies: Digital Security in a Networked World" should be required
reading for everyone involved in the e-voting debate.

        Cheers,
        Rich






-------- Original Message --------
Subject: Re: [Politech] An election judge replies to Politech over  secure e-voting
Date: Tue, 02 Mar 2004 13:34:43 -0500
From: Tracy <tracy () arisiasoft com>
To: Declan McCullagh <declan () well com>

At 13:20 3/2/2004, Declan McCullagh wrote:
>The "zip tie" tags are seals with unique serial numbers that are checked and
>verified during set-up; any sign of tampering and that particular machine
>isn't used.  I reckon that repairing a broken plastic seal is beyond the
>abilities of most meddlers.

If these zip-tie tags are the same as others commonly used in the computer
industry (and elsewhere), they are very easy to open and close again
without any sign of evident tampering. I would hope that something as
sensitive as voting equipment would be sealed with something a bit more
secure.

Granted that the machines are not set up and directly abusable in their
crated state, but if someone who really wants to tamper has access to the
software load (and various versions of the software load for Diebold
machines have been available on the net at various times), they could
modify the software load, open the zip-tie (using nothing more complicated
than a paper-clip, if it's a standard zip-tie), modify the software on the
voting machine, then reseal it. When it is put into operation, whatever
changes were made to the software load would then become effective. For
instance, the software could be patched to randomly take votes for one
party and assign them to the other - such a patch could make this change
without it being detectable in the logs.

There are many aspects to security, and no matter how good the software
security is, if the physical security isn't up to the same level, the
system is inherently insecure.

Just some thoughts...



-------- Original Message --------
Subject: Re: [Politech] An election judge replies to Politech over secure e-voting
Date: Tue, 02 Mar 2004 11:04:29 -0700
From: Cameron Miller
To: Declan McCullagh <declan () well com>
CC: politech () politechbot com
References: <20040302122030.A16112 () baltwash com>

Hi Declan,

Please remove my email address if you use this.

Cesar,

One problem I perceive with tallying error rates is that the electronic voting
machines provide no way for voters to determine if errors were made.  I
agree with the need for voter-verifiable paper trails and I would like
to see new systems thoroughly tested for many iterations of a few
thousand small local elections, not on a national level for our nation's
highest office.

- cameron miller
- UNIX systems administrator






-------- Original Message --------
Subject: RE: [Politech] An election judge replies to Politech over secure
Date: Tue, 2 Mar 2004 22:41:16 -0500
From: Tom Cross <tom () memestreams net>
To: declan () well com

Declan,

        Mr. Benavides ought to be careful about accepting computer security
analysis from a political organization.

> Here is a link to a recent position paper on voting systems in Georgia that
> addresses electronic voting security issues in that state in more detail:
> http://www.commoncause.org/states/georgia/evs.htm

This paper states:

> We share the concern that modem transmission of totals from the precinct back to the
> county location represent a potential compromise point, but in Georgia those modem
> transmissions, if done at all, only provide an unofficial tally....
> Encryption of the modem transmission is one of four changes now being incorporated into
> the Georgia voting systems for the 2004 elections.

That's nice. How is the encryption implemented? How are you dealing with
key management? Most companies get this stuff wrong the first time, but
you're giving them the benefit of the doubt.

The fact that this modem connection is used to provide an unofficial
tally is of little solace given that, from what I've read, the memory
card with the official tally is plugged into the machine when it places
the phone call. If I can force your computer to call mine, instead of
the central tallying place (ask your operator about remote call
forwarding), I can negotiate the PPP session with it, exploit a
vulnerability in its OS, and then modify the contents of the memory
card. I can then also call the central polling place, pretend to be
your polling location, and upload the same fake results to it.

> The four modifications are the recommended system changes cited in the SAIC report
> for the state of Maryland.

I applaud the State of Maryland for having the foresight to go through
with such an audit. However, even the parts of that report that were
redacted showed that the most basic security practices weren't being
followed. The computer that performed the official tally was connected
to the internet, and ballot files were being distributed to polling
places via FTP! Getting an audit is a good first step for them, but it's
the sort of thing that you do before putting a new system in
production, not after.

Computer security is not just about technology, it's about policies and
practices. Obviously Georgia has a different set of policies and
practices than Maryland. In fact, from what I've heard they are better.
Why not submit Georgia's electronic voting system to a similar audit
instead of relying on the results of an audit of someone else's system?

Mr. Benavides is correct when he points out that activists opposed to
electronic voting systems aren't really weighing the problems with
these systems next to the present status quo. On the other hand, I
think what gets the security community so riled up is that elections
administrators have fought against even the most basic sort of security
process that we'd apply in another context, such as e-commerce or HIPAA
compliance. While Georgia has agreed to encrypt their dial-up session,
this change has only occurred as the result of widespread political
uproar. This fact does not inspire confidence.

Tom Cross

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)