Schneier on Security
A blog covering security and security technology.
« NSA Creating Massive Phone-Call Database |
| Thief Disguises Himself as Security Guard »
May 11, 2006
Major Vulnerability Found in Diebold Election Machines
This is a big deal:
Elections officials in several states are scrambling to understand and limit the risk from a "dangerous" security hole found in Diebold Election Systems Inc.'s ATM-like touch-screen voting machines.
The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide.
Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways.
"This one is worse than any of the others I've seen. It's more fundamental," said Douglas Jones, a University of Iowa computer scientist and veteran voting-system examiner for the state of Iowa.
"In the other ones, we've been arguing about the security of the locks on the front door," Jones said. "Now we find that there's no back door. This is the kind of thing where if the states don't get out in front of the hackers, there's a real threat."
This newspaper is withholding some details of the vulnerability at the request of several elections officials and scientists, partly because exploiting it is so simple and the tools for doing so are widely available.
Scientists said Diebold appeared to have opened the hole by making it as easy as possible to upgrade the software inside its machines. The result, said Iowa's Jones, is a violation of federal voting system rules.
"All of us who have heard the technical details of this are really shocked. It defies reason that anyone who works with security would tolerate this design," he said.
The immediate solution to this problem isn't a patch. What that article refers to is election officials ensuring that they are running the "trusted" build of the software done at the federal labs and stored at the NSRL, just in case someone installed something bad in the meantime.
This article compares the security of electronic voting machines with the security of electronic slot machines. (My essay on the security of elections and voting machines.)
EDITED TO ADD (5/11): The redacted report is available.
Posted on May 11, 2006 at 1:08 PM
• 92 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Meanwhile, election machines are not held to any baseline computer security standards. These machines do crypto; where is the FIPS 140-2 certification? Arguably, they do computer security; where's the Common Criteria certification? These machines are not subject to any rigorous scrutiny, and it's criminal. The Powers That Be do not want these machines scrutinized, and are satisfied with Diebold's "Trust us" assertions.
I say no, you must earn our trust.
Is it really all that hard to design an electronic voting machine? Diebold is the most visible problem manufacturer for various reasons, but there are numerous others that have been picked out as having issues, too.
Bruce, you covered a few voting mechanisms in Applied Cryptography, IIRC, as well as articles where you've touched on some aspects of ideal electronic voting systems . Have you written anything on designing, or how you might design, a secure voting system as a whole?
As an election inspector in the upcoming primaries, can you help clue me in on how to verify the trusted build come Tuesday morning? Perhaps they'll go over this in training but I'd like to go in as informed as possible.
It's simple, take one of those special screwdrivers that most people do not have in their toolbox but can be bought at the hardware store. Remove the back panel and look around for a little card slot like you find in digital cameras. Take out the SD Memory card and make a copy of it with a card reader and a laptop.
Once you have copied the software onto your laptop you can take your time within your own four walls and analyse the copiled code. If you then so desire, make changes to the compiled code or generatre your own and go back to the voting machine at the next opportunity and reverse the process described above.
So what's the problem?
Here's one technology that really needs a permanent "off" button.
Really, except for setting the time initially, there's no need to send data to a voting machine. Have it preprogrammed to zero the counters just before voting day and you're done. Now, since you can easily create a modular, battery-powered clock that attaches internally, you can set the time before sealing the machine with tamper-evident tape. All manner of code analysis won't help unless there's a flaw in the voter interface.
Now you set up your voting machines to, if necessary, blindly broadcast their tallies to a number of scattered servers, and Bob's your uncle.
A child could secure a voting machine, once the issues were explained; I don't know how Diebold could have fubbed it so badly except on purpose. I am, however, reminded of a principle I learned when I was young: people will only think you've done something wrong if you admit to it or if the proof is too obvious to ignore.
Now here's a use for the sort of code signing and "Trusted Computing" ideas that only seem to come up in reference to making sure people can't copy the latest overpriced/overproduced video game, movie or album. Diebold has several options they could use here to ensure that only the official build is installed and running.
1. Checksum or hash the image file that is distributed, and have the machine require the operator to confirm that the fingerprint of the loaded image matches what was distributed each time the machine is started. (Potentially allows for human error or a clever social engineering scenario)
2. Only allow the machine to load and run an image digitally signed by Diebold using a public/private keypair. (Could be cracked, but not without major effort and a lot of time spent analyzing a machine on the hacker's part, much like "modchips" for Xbox or PS2).
Instead, it sounds like the machines will load up any image that someone decides to give it (assuming it runs on the hardware etc).
I am a foreign student in the US. I can't understand _why_ this country needs electronic voting machines, while paper ballots are cheap, efficient and extremely hard to manipulate. In the recent elections in Hungary, the ballot closed at 19.00, then the election committees started counting, and preliminary results were available by 10 pm. Experience shows that people can count a couple thousand votes in just a few hours, and when the results are disputed, they just recount.
What is so attractive about electronic voting machines?
"It is difficult to get a man to understand something when his salary depends upon his not understanding it."--Upton Sinclair
Because it is way to funnel money from gov'ts to private companies...As well once you have a private, non-accountable entity owning the means to voting, you can make, say, certain "adjustments".
So I suppose we'll be hearing from the "independent" institutes who have been certifying the quality of voting machines and their software, announcing that they're ceasing business as of today and refunding all the money paid to them by manufacturers and by state governments?
Someday, probably in some other country, the US experience with electronic voting machines will be cited as a classic example of what happens when you break every single rule for developing secure systems and rely instead on security by obscurity.
But voting machines are only used to elect the government of the whole country, not half as important as the entertainment industry.
Technology because they can. Any Third World country can implement a paper ballot. Technology makes you feel so like you're getting value for your tax dollar. Here in the UK we're experimenting with postal votes because no one can be arsed to go to a polling station any more. No chance of fraud there, then.
That Americans are too impatient and lazy to do things right is one explaintation (both of electronic voting machines and of why we don't have people count the paper).
There is, of course more to it--the USA has a population of about 299 million while Hungary has a population of about 10 million (at least according to the CIA factbook--take that with as large a grain of salt as you please), as well as the fact that the USA has a population that is both more dense and more sparse (at the same time, in different places) and a much larger land area. This makes handcounting impractical in many places--which then influences the practices in less populated areas, etc.
This "USA is too bit" argument is a bit strange. If you have more people to vote, you also have more people to volunteer to count. There are nice scalable algorithms for doing it in parallel. E.g. everybody counts, then you add up the counts from the individual people. India managed to have paper ballots for ages. They don't even have the high literacy rate which helps get many volunteers.
I was trying to make the point that when you COMBINE laziness, impatience, and disinterest with the other factors you will likely get mechanization. Many local districts still count ballots by hand for local elections--because they care about those, and because federal election rules (designed around big cities with histories of electoral fraud) don't prevent them from doing the count by hand, alone, in a small, quiet, closed room.
I guess I was hoping too much that somebody would think about what I said and then think for a second about their neighbors before jumping on me and attempting to claim some sort of useless technical victory.
Oh, and by the way, the whole area thing does matter, as the impatient people out there want to hear immediately from tens of thousands of electoral districts what the results of the election are without having to contact each and every district (my information search about Hungary came up with far fewer electoral districts than that) individually.
Also, it is worth noting that with the electoral apathy common here in the USA (add to that the problems low-income workers have just actually getting out of work long enough to vote) it is very difficult just to get enough volunteers to staff a minimallist voting center much less actually count everything (which must happen after the election for the whole annonymity thing to work out) by hand.
I'm also told that there is much less electoral apathy in most of India than there is here-perhaps helping to speed the counting of ballots.
But hell, I could be completely full of sh*t--after all I did have to look this stuff up to build my argument.
I'm probably missing some important technical point, but if one was creating from scratch an electronic voting system to be used in a polling station I would have a central server and the voting stations around the room would be thin clients. The whole thing running on a secure, encrypted private CAT5 network and each voter receiving a paper receit with a second and third copy burnt directly to write-once media on the server.
Guess what, you can buy such a set up from a number of vendors (Sun, IBM, HP etc) standard product lists.
So why does Diebold have to build special super sekret hardware?
It's common knowledge that Diebold's president is a staunch Republican. Combine that with our fascination for anything computer-related, and you have a recipe for disaster.
Don't listen to the folks here who have limited knowledge of the US - voting is not uniform across the country. Here in NH we use paper ballots, there's a law requiring all voting systems to have a paper trail, and our votes are counted typically within an hour. It's probably just the same as it is in Hungary.
There's just less pork in this state than some others.
This is why the Republicans are not worried about the polls.
I'm no expert myself, but one argument against the "central server" architecture is that then local officials cannot verify the local count. This is something they _can_ do, as many times as necessary, with paper ballots. Other arguments could include throughput, failover, cost, etc.
Of course, you could have some sort of tiered architecture. It seems that would just make the tradeoff between local verification and global security roughly configurable, which doesn't really solve either requirement.
I'm from NH (prior to moving further north for my current job) and while it is true that you still do fill out a paper ballot there, they are not usually counted by hand. I think that we'd both agree that if it weren't for impatient folk wanting the answer yesterday (when voting only started five minutes ago) that nobody would be able to build a case for the electronic ballot scanners in use throughout much of the state. Those scanners have a lot more to do with outsiders wanting things quickly (and not wanting to put some effort into getting those things done) than anything else (guess what, that's the federal election law part of things).
If somehow I need to spend a couple of hours to spell things out for each and every damned case then please let me know!
No wonder nobody attempts to fix the broken systems in the USA--you can't just say that it is broken because of x,y, and z shared in common by all people, because that isn't specific enough!
@Jarrod -"Is it really all that hard to design an electronic voting machine?"
As I think that the comparison with Video Lottery Terminals (i.e. slots run by a state) is reasonably good, I'd say "moderately" (having worked in the latter industry). You do need some knowledge of the possible tools your attackers can use, and you need to be able to design defenses against them; of course, you also need to assume that some of your attackers will be its present designers, and gaurd against that. You need "perfect" accuracy, even under the conditions which most industries ignore (deliberate tampering with, say, the power input). You need graceful failure, and you need to be able to shut them off in the event of a systemic failure.
Most VLT terminals by companies just entering the buisness are very much like Diebold's machines - easily cracked/hackable/attacked, in a large number of ways. The difference is that the states (in the case of gambling) hire a company or have an agency to find these problems before they're on the floor, and reject them until they are fixed. This at least dramatically reduces the number of successful attacks that occur on the floor.
Frankly, with the costs of doing electronic machines, I side with those in favor of paper ballots.
There actually are legitimate points in favor of some sort of electronic voting.
- Paper ballots are difficult for elderly and disabled people to use, and cannot prevent people from voting in a way which invalidates their ballot. (For example, voting for too many candidates in an "M out of N" ballot.)
- Many states have very complicated rules which make paper ballots difficult to print and to count. In some states, there's actually a different ballot at each individual polling place, for the election of judges and such.
- Paper ballots are *not* hard to manipulate. The average age of poll workers in the U.S. is 72. Paper ballots are easy to steal or misplace, and unless they're the optical-scan type, they have to be counted by rooms full of people who are difficult to supervise and who likely have a partisan interest in skewing the outcome. Everyone seems to ignore this point, but it's important; it's the reason mechanical voting machines were originally introduced decades ago. When lots of people handle completed ballots, fraud becomes much, much easier.
Let me address the points in favor of electronic voting:
1. Old People
There is not problem in using an electronic screen as an INTERFACE, but why use them to record AND tabulate?
2. Complicated State Laws and Paper ballots
The best way for a state to address this is to standardize the paper ballot and the machine used to count them. Our votes should be recorded on paper. How votes get on the paper and how the votes are counted once on the paper can be left up to the needs of the district.
3. Paper ballots are manipulatable
First, with standardized paper ballots that are filled out by machines, we can use a machine to count them. With proper configuration management, we can minimize tampering to an acceptable level. It is much easier to manipulate the outcome of an election if the official ballots are logically stored.
I agree with your points. The question is if the costs of electronic voting machines outweigh the benefits in comparison to some other form of voting. I think that designing a security system for hand-counting ballots is simpler than designing a secure voting machine by several orders of magnitude. The problem isn't really electronic voting machines versus any other form of voting, it's that at least some (and likely most) of the electronic voting machines are not designed to be part of a secure system, whereas the others (in large part) are.
From the report:
"Three-layer architecture, 3 security problems
Each can stand alone or combine for 3-layer offense in depth"
Offense in Depth. Classic.
@Quindar: As far as the fraud possibilities with paper ballots - of course they exist, but (from a UK perspective):
1. Rooms full of people are not necessarily that difficult to supervise. We assume that the vast majority of those involved in the count have a genuine interest in getting the right result rather than committing fraud -so if you saw the person next to you miscounting, you might very well raise the alarm (or not, which is a risk!)
2. The count is public - the candidates or their agents can watch the progress of the count; if they believe something is being miscounted they can actually trigger an investigation.
3. The ballots constitute a tangible physical collection (in some ways, we're better at defending physical things than electronic ones) While this means that anyone can understand how the system could be defrauded, this simplicity also makes it much easier to defend. If ordinary poll workers understand exactly what's involved in validating, issuing and counting bits of paper, they're much less likely to fall victim to social engineering, and will be much more effective at defending the system.
4. Finally, there are obviously possible errors that can arise - but the original ballots still exist - as long as your physical security (and the ballot procedures) protect against the introduction of extra papers, you can recount as many times as you like. Electronic systems (to my mind) don't offer that protection.
Speed - concur with what others have said - the UK is (essentially) all-paper and has a population of 60m - typically the result of a general election is absolutely clear within 6-9 hours of the close of poll.
@Jess Austin (my own comment)
It's possible I misunderstood Geoff's reasons for preferring a secure network implementation of a thin-client-with-central-server architecture. I assumed that he was counting on greater security from this setup, but there's no prima facie case for that. If you can't trust the poll workers or their supervisors, what's to stop them from keeping access to the terminals to themselves, and holding a fake poll in another room? I guess I don't really see any advantage in a thin-client architecture.
After reading the report, any agency/company that examined these machines and had the slightest knowledge of terminal security should have failed them. It looks like you don't even have to open them up to find multiple reasons to fail them.
The solution is to stop voting. Period.
Hungary is NOT a third world country.
Diebold has long since lost all of its credibility. Trash all of their already trashy hardware!
I've been watching the Black Box Voting site for a while, and it's interesting just how much Diebold are trying to cover up.
Previous tests have been made into the voting data and how it's stored. By the looks of things, there's an integer overflow possible in the way that the votes are tallied. This allows the ballots to be stuffed in such a way that the pre-voting "zero tally" reports look normal.
All of this was done on a single memory card, without modifying the voting software in any way.
This test was done on a live voting machine. After the test, Diebold said that the machine was compromised, its warranty void, and that it'd have to be sent back to be re-initialized.
With companies like Diebold in control of the voting process, it really makes me glad I live half-way across the world.
One other major advantage of paper balloting is that a security vulnerability in your paper balloting process does not readily scale into a class break.
If you're stealing ballots, you have to move piles of paper. If you're stuffing boxes, you have to physically cram paper into boxes, etc. All of those can be detected, which increases the risk of the attempt.
Electronic voting, however, can be manipulated in a much larger scale by fewer people (who may, admittedly, need more or different access). However, one dude reflashing a ROM requires a limited amount of time with physical access to a machine. This one guy can manipulate the entire results of several machines in different locations, if planned correctly.
This has a much greater impact that "misplacing" a box or two of ballots or perhaps "adding" an extra box to a tally for a voting location.
@McGavin, Fred Page
I'm not arguing against the use of paper, I'm arguing against the use of *only* paper. Perhaps it's naive of me, but I still think that it'd be easier to design a sufficiently secure electronic system, once, than to secure 100 million pieces of paper every four years. Of course you still need the verifiable ballot in order to trust it (for spot checks and the like), but the system gains reliability from the fact that you're not running *all* of the paper through the *entire* process *every* time.
A proprietary system will have flaws because it's supposed to. The whole point of going digital is to put on a pretty show for the public so they can feel like they participated, and then to make the totals come out right to get the desired results.
It is the totals that decide the elections, not the votes.
If Diebold machines were to be replaced by an open source system, that would still not address the problem of getting the totals to accurately reflect the voting. If a million voting machines all work perfectly, but the transferred totals get gimmicked, then the election is still fixed.
"It's not the people who vote that counts; it's the people who count the votes."
- Josef Stalin.
I'm currently working on a secure system, and it is NOT easy to make sure that you are protected against any/all forms of attack (especially since you have to protect yourself against all the attacks you know of and the ones you haven't thought of yet). The only truly "safe" computer (from a hacking standpoint) is one that isn't on a network. But that doesn't protect you from errors (or "intentionals") in the design or coding of the software, and these can be extremely hard to track down (even with very thorough testing procedures). I'm wondering (because I haven't done any research, being a lazy, impatient US citizen :->) if there is any kind of open source movement for "all" electronic voting systems (with a paper trail, of course)?
This is actually very old news in some regards.
Black Box Voting (http://www.blackboxvoting.org/) is devoted to the issues in general and
covers a lot of the investigation that went on years ago highlighting the vulnerability of the system to various attacks. This particular attack looks like it belongs to the class of attacks identified back in 2004 by Hurti.
When the vote is close (essentially an equilibrium condition in a two party system) stealing the election doesn't require massive fraud. A nice little tip in one direction in a few key places will do nicely.
Unfortunately, by the nature of the phenomena, recognition of a tipping point is usually done in retrospect. The relevant question isn't really "can it be done" (the answer is obvious...), but has it been done, and has it been done to the extent that outcomes have been altered?
People here do not seem to understand the nature of politics. Electronic voting machines are boondoggles. They are not supposed to work - they are supposed to get your money - that is all. Open source voting isn't any better either, since someone will still have to make the machines. The open source lobby may be just as effective as Diebold. I trust neither one, and neither should anyone else.
Voting is theft. Period.
If you wanted people to be able to quickly change votes then this would be considered a feature, not a bug.
You are right on the money.
Speaking of an exchange of money, and the related liability, at what point does flocking a weak/broken machine billed as secure enough for voting constitute negligence or fraud?
This is an interesting article and comment thread - Right now in Arizona we are attempting to keep the state from wasting its money on these lousy touchscreens, since we currently have only optical scan systems.
For those of you who have said that writing this system "is an easy thing to do", think on the following requirements which make auditing a tad more difficult:
1) Voter verification of vote cast and yet
2) Anonymity and secrecy of vote cast. that is, unlike an atm, it is illegal for the system to be used to trace the transaction (vote) back to the user in a sequential fashion, or for the user to be able to take a receipt which documents what vote was cast.
3) Voting device must be accessible for input yet physically secure from intrusion(like an atm)
4) yet unlike an atm it must be light and luggable - not a permanent installation.
5)Must be fairly inexpensive.
6)Must be able to be set up by barely trained, temporary personnel in an insecure location.
Our group, auditaz is preparing a succinct summary for local politicians of the recently revealed Diebold TSx vulnerabilites mentioned in the paper Bruce S links to. If anyone reading this is a computer security professional who would like to help (um probono) please drop an email to firstname.lastname@example.org
Oh, and this story wasn't widely reported, but I thought it might add some nice flavor to the discussion here. Apologies for the long post:
"Gov. Arnold Schwarzenegger showed up to his Brentwood neighborhood polling station today [Nov 08, 2005] to cast his ballot in the special election — and was told he had already voted."
The CA governor's lawyer (Tom Hiltachk) reportedly said:
"I have no reason to believe anything nefarious occurred."
Not clear if he was referring to Diebold's business practices or the intent of the person who breached the system. If it's the latter, than is he really be saying that from a legal perspective there is no need for alarm if someone "breached [Diebold] protocol and was playing around in advance of the election"?
To put this in proper perspective, the CA state government was in process of a blanket ban on electronic voting machines at the end of 2004 and had actually decertified Diebold. They even started a lawsuit against the company.
But then something odd happened and the state settled with Diebold for $2.6 million (note that at least one county had spent over $11 million on Diebold equipment in 2004). The Attorney General also dropped a criminal investigation.
Diebold contracts were then somehow renewed in 2005 even though the systems were found to fail election tests:
So, you have to wonder when the Governor himself is violated by the system what does he do about it? Naturally he has his Secretary of State Bruce McPherson look into the matter. And, surprise, Bruce "certified Diebold on Feb. 17  after receiving a state-conducted analysis that found Diebold's election system had 'a number of security vulnerabilities,' but concluded that 'they are all easily fixable' and 'manageable.'"
Manageable? Isn't that what Davis called the Oracle system after they routed him a $25K campaign contribution? Diebold must have naked pictures of someone in Sacramento. In lieu of that, here's McPherson on video:
I say these machines are like the exploding Pintos of voting. The Firestone ATX of your town hall. Why any sensible politician would allow them anywhere near his/her voters is beyond me. In other words, and as they say in the story cited above,
Live Free or Diebold
I think the mentioned issue is not a bug, it's nice an interesting "feature" of the voting machines designed for the benefit of politicians ;-)
Here's a form letter to send CA senators:
"we write to you to urge you in the strongest possible terms to issue subpoenas to individuals involved in the election voting machine industry and certification insiders, forcing them to report actual workings of the voting machines to the election committee"
There is also an action list and phone numbers to call...
I remember reading about an Australian engineer involved with designing that countries electronic voting machines. When asked why it included a paper trail, he simply said "Why should anyone trust me?"
Diebold seems to be a little less candid.
You don't even have to think this hard on the issue.
When you use the voting machine, you can hide the fact that you have a powerful electromagnet in your coat. You can even make it more powerful by putting a series of batteries in the coat. It can wipe the whole thing in seconds. Since these things store votes in them for a few hours before they are uploaded to a central source, you could potentially wipe out several hours of poll data.
Say you want to throw the elections in favor of Dems or Repubs. You could, using the Internet, identify buddies willing to do this in geographic areas where your opponent party typically relies on votes. If mobilized enough, you could throw an entire election your way until the FBI catches you.
Say, and for something really low tech, a cup of water or oil can short the system and a really sharp pin can damage the touch screen for certain buttons and/or fry the electronics underneath. In fact, the best bet is probably a really sharp pin because it's easily concealable, leaves the thing looking operable just long enough for you to walk out the door, and permits you to damage the touchscreen buttons used for the opposing candidate.
This is unfortunate. Look, I'm all for a better system, and I'm not an anarchist, but the USA Gov needs to get real here and think up a solution that gets a lot of public review before it is implemented.
Regarding the comparisons between US elections and elections in other countries, I think few people realize the disparity in the number of elected offices between the US and most other countries.
In most democracies, federal, provincial, and municipal elections are held at different times. Also, there are only a few elected offices at each level of government -- in Canada, you vote for only one person at the federal level, one at the provincial level, and maybe two at the municipal level (mayor and councilman). To the best of my knowledge, that's typical of many European countries as well.
In many US jurisdictions, federal, state and local elections are held all at once. And at the state and municipal level, the number of elected offices is often much higher -- at the state level, not only governors and legislative representatives, but judges, attorneys general, comptrollers, and other offices. At the local level, it's common to elect not just the mayor and councilman, but the sheriff or police chief, the school board, and other offices.
So a typical ballot in Canada or most any European country might have at most two or three offices, and it's an easy matter for the counters and the scrutineers (people appointed by the candidates to watch the counting and make certain that it is fair) to tally the votes on a ballot in a couple of seconds; it's easy for a small number of people to manually count all the ballots at a polling station in a few hours.
In contrast, a typical American ballot might have well over a dozen offices to vote for, and tallying the votes on a single ballot could take a manual counter the better part of a minute; for a small number of people to tally all the votes at an urban polling station in a single evening is often impossible. So in many US jurisdictions, some kind of automatic vote counting machine is a necessity.
And because mismarked ballots can slow down the process of automatic counting, there's a temptation to automate the collection of votes, as well as the counting of them. Hence America's fascination with voting machines, which make a mismarked or incomplete ballots impossible, and which speed up the counting process even more, because there's no need to feed bits of paper into a reader.
IMO, There's nothing wrong with automated vote counting (although you obviously want to use a technology that is reliable and error free). There is something deeply wrong with automatic vote collecting, because once you do away with those bits of paper, you've made it much easier to rig an election without anyone noticing.
In a country like India where there are millions of voting population, hundreds of constituencies and many a contesters, the electronic voting machine adoption has brought a welcome change.
This is relatively secure system as of now than the traditional paper based ballots, as the paper based ballots are relatively more vulnerable in this part of the world.
Also I feel there is no networking of the Electronic voting machines in the polling booth stations and they are centrally pooled during counting, bringing down the risk of exploits at the polling booth level. Risk of physical level compromises exists though.
This has enabled a great improvement in the counting process and time taken for declaration of results.
However it is not known on how long it will take to get to answering the question of Efficiency vs. security?
Now you know how THIS president came to power the second time. Or what makes you sure the vulnerability wasn't already in use?
Time to send some over-inquisitive security experts to Guantanamo, so that such information leaks can't happen again. Goodbye, Bruce.
> The result, said Iowa's Jones, is a violation of federal voting system rules.
Assuming for a moment that Jones is correct, and that a court agrees with him, what liability (if any) does this open Diebold up to?
Is there civil liability in that they've failed to satisfy their contract with their customers? Is there criminal liability in that they've (perhaps negligently) violated or contributed to violations of one or more Federal election laws? Furthermore, are the States themselves in breach of Federal law or even the Constitution if they knowingly (or negligently) use unfit equipment?
Or are Diebold able to just shrug their shoulders and say THIS VOTING MACHINE IS PROVIDED 'AS IS' AND WITHOUT WARRANTY OF ANY KIND INCLUDING FITNESS FOR PURPOSE?
Is the cost of having an electronic machine print out a human and machine readable ballot (which is then put in a box to cast the vote) prohibitive? It seems like that would give all the advantages of an electronic interface, with the same time-tested security of a paper-ballot. There would be reasonable speed, since the printed result would be machine-readable.
I love the analogy of application, O/S and boot loader, culminating in :
"If the attacker can replace the boot loader, trying to change the paper instructions or the man reading them does not work. The supreme entity will always have the power to replace the man with his own favorite, or perhaps he just modifies the man’s eyes and ears: Every time the man sees yellow, the supreme being makes him think he is seeing brown. The supreme entity can give the man two heads and a secret magic word to trigger switching the heads."
If a prof from Iowa can suggest viable ways to rig the vote, imagine what the insiders did.
And so the evidence mounts that the 2004 election was one of the most corrupt US elections in history. Not to suggest that "President Kerry" would have been better--it was rigged from the start, so to speak.
@RvnPhnx: I don't think that American people are lazy. My impression is that they are hard-working and industrious.
What matters is not the total population of the country, it's the number of people per voting circle, because that's the number of votes they have to count. Larger countries have more voting circles, but I don't see why they would have to have more people per voting circle.
I don't see why population density would matter: as long as people put their votes into the ballot box, they are there to count.
When the votes are counted, the the voting circle just tells the number of votes to some central voting authority (eg using secure communications). So the system is fast. Especially considering that it is less susceptible to an attack, so there is very little chance of witnessing the usual farce about recounting votes a zillion times.
"Perhaps it's naive of me, but I still think that it'd be easier to design a sufficiently secure electronic system, once, than to secure 100 million pieces of paper every four years."
I agree that it's possible to create an electronic system that's as secure, or perhaps more secure than a paper system. I disagree that the costs of such an electronic system would be less than a paper system - as a minor example, I'd want a backup power system for the entire voting system, so that an attack on power would be unlikely to affect voting, votes, or vote-counting. I also think that the mechanisms that led up to purchasing systems like Diebolds' won't lead to a singificantly better electronic voting system in a reasonable period of time.
Jeeze why dont you just go back to paper ballots
if they had these in my country, i wouldn't know whether to insert my voting ballot in the slot or hit the fucking monster with my large mallet.
so what do they put in the drinking water over there that makes americans different?
interesting that no one has mentioned voting in Oregon ("the Canada of California" - Colbert). It's all done by mail, with ballots sent out several weeks in advance to each registered voter, who takes his or her time in completing it, then returns it in 2 envelopes with a signature - either by mail or to a dropbox - by election day. Counters (I think using optical scanners) have much more time to do their counting, although they do not announce the current count in advance of "poll closing." They've done various spot checks for fraud, and found almost none. Election results are rarely surprising, such as to make one suspect fraud. I have to say that vote-by-mail is one of the things I miss most about Oregon. (Of course, these are the same folks who tried the borrow-a-public-yellow-bike-and-leave-it-somewhere-for-the-next-person-needing-it: not once but twice.)
Secure electronic vote counts should be easy:
1) Everybody gets a printout so that they can verify theri vote.
2) The printouts are then put into ballot boxes in the same way as in any paper-based election
3) After every election there is a recount of votes by checking the (completely unambiguous) printout in a certain percentage of electoral districts polling stations. The polling stations are only determined AFTER the end of the election.
4) If printouts and electronic tally don't match, there have to be more recounts, with the printouts determining the end result.
This way, cheating should be next to impossible, with incentives for everyone to play by the rules.
Perhaps they should subcontract the Gaming Commision and the "slot machine industry" to make the voting machines. As an industry it appears that they have the in house skills and support infrastructure all ready in place and it should not be hard for them to make a voting machine that would meet mandated specs.
That's pretty much what they did with Diebold, as ATMs are mostly secure (at least to my knowledge). Not exactly sure what the difference here is, some would say conspiracy, other would say less accountability, and I haven't heard any other explanations.
I live in Canada and like clock work every four and some years I take my voters registration card and walk up to the local school gymnasium. I stand in a typicaly very short line to give my card to a volunteer who checks my card against the official list, at that point I am given a ballot and pointed to a desk with a privacy curtain on it. I open my ballot choose the party I am interested in, seal my ballot and then deposit it in a container that is sitting on a desk in front of the staff running that particular polling station.
It usualy takes me longer to get to the polling station than it does to vote and typicaly the "PAPER" ballots are counted and reported within 3 hours of closing. The Federal Vote will usualy be known by early morning (2 am), and I have always known whom our next government was by the time I woke up the next morning.
This is a totaly paper based system with a lot of volunteers involved.
Population wise we are a much smaller country and we have a very different voting system than the USA. (read simpler) Electoral Canada has a huge advantage over the USA in that it is the only agency that is involved in Federal Voting. One authority nation wide with one well tested means of voting to field nation wide gives us a paper based system that is fast and accurate.
Contrasts this to the USA in which every State has it's own voting authority and runs the ballot taking how ever it chooses too.
Paper based systems can work well, how they are implemented seems to be one of the key factors.
Diebold obviously doesn't take security in voting machines serious enough. You can't focus on things like making the software easy and fast to update and expect to wind up with a secure machine. The executives need to hire some real talent to secure their machines. Doesn't this make you question how well your PIN number is secured when you use a Diebold ATM??? What does this vulnerability involve anyways? Opening a usb panel on the front of the machine and inserting your thumb drive? The software then runs an autorun file? From the decriptions it sounds almost that easy. Updating software should require a code or encrypted key from two separate people.
I don't believe the people who say there's a conspiracy to have these flaws in electronic voting machines. It's just bad workmanship by the software/hardware engineers.... who may have too much corporate pressure and not enough resources to do a good job.
Also, voting accuracy doesn't garuntee the best man wins - rarely is the best person for the job even in the race.
A comparison of the US and Hungarian vote tallying system isn't that useful for a number of reasons. When the current Hungarian voting system was developed in 1989 everyone knew that the actual counting method had to be visibly and obviously transparent, given that for 40 years candidates typically got a reported 99% of the vote. Truly despised individuals (Sandar Gaspar, I think was an example) would get a shockingly low, 97% of the vote.
Although the actual counting of the votes have to be very obviously transparent in Hungary, getting from counts to actual seats in Parliament is another matter. I am willing to be that not 1 in 100 people in Hungary fully understand that part. (In 1990, I wrote a little program to make those calculations and estimated after the first round what was needed in second round results for a party to get a certain number of seats. But since then, I've forgotten the details.)
Diebold is garbage. Their ATMs have a nice feature that allows you to dump core via telnet, presenting you with the last several transactions including account numbers and what-not.
"interesting that no one has mentioned voting in Oregon ("the Canada of California" - Colbert). It's all done by mail, with ballots sent out several weeks in advance to each registered voter, who takes his or her time in completing it, then returns it in 2 envelopes with a signature - either by mail or to a dropbox - by election day. Counters (I think using optical scanners) have much more time to do their counting, although they do not announce the current count in advance of "poll closing." They've done various spot checks for fraud, and found almost none. Election results are rarely surprising, such as to make one suspect fraud. I have to say that vote-by-mail is one of the things I miss most about Oregon. (Of course, these are the same folks who tried the borrow-a-public-yellow-bike-and-leave-it-somewhere-for-the-next-person-needing-it: not once but twice.)"
The UK trialed postal-only votes in some areas not that long ago. It resulted in at least one outbreak of organised fraud by the candidates - http://news.bbc.co.uk/1/hi/england/west_midlands/...
Besides, postal voting lacks one nice property of traditional voting - with postal votes, the voter can prove who they're voting for to a third party. That means that people can be paid/forced to vote for a specific party.
As a software engineer, I have been apalled at the lack of rigorous process in this whole electronic voting farce.
I routinely work on systems that process large amounts of data and perform complicated operations on said data. When asked to rearchitect some component of the system, there is a time-honored process that I follow. You first construct a set of tests that flex the portions of the system you're interested in. Next, you run those tests using the "old" software, and save the output as gold-standard results. Next, you run the tests on the "new" software and save that output as the "new" results. Finally, you spend the next few months figuring out why the two sets of output don't look the same, fix some things, and then repeat the whole process three more times until things match up.
As it applies to voting, I would have expected at least three voting cycles of parallel electronic/paper ballots. The fact that an immediate (zero-overlap) cutover prevailed only indicates to me that someone wanted to rig the results.
No engineer serious about accuracy would have allowed this to happen.
Interesting thoughts, but how many multiple choice tests are graded with how many answers in how much time in the US? I don't see the efficiency argument having any value at all, especially when it's held up against the value of fairness.
While we in the United States agonize over touch screens and paper trails, India managed to quietly hold an all-electronic vote. In May, 380 million Indians cast their votes on more than 1 million machines. It was the world’s largest experiment in electronic voting to date and, while far from perfect, is widely considered a success. How can an impoverished nation like India, where cows roam the streets of the capital and most people’s idea of high-tech is a flush toilet, succeed where we have not?
American machines, by contrast, may be vulnerable to wholesale fraud. Our machines are far more complicated and expensive—$3,000 versus $200 for an Indian machine. The U.S. voting machines are loaded with Windows operating systems, encryption, touch screens, backup servers, voice-guidance systems, modems, PCMCIA storage cards, etc. They have millions of lines of code; the Indian machines hardly any at all.
Just another argument for the US/Hungary voting "conflict". ;-)
Don't forget that the whole EU has to vote every few years! In 2004 the population of the EU states was 380 million. In 2007 it will be 480 million. Most of the EU states don't use any voting machines but they don't have any problems to report the results a few hours after the ballot closed.
It is simply NOT a problem of the number of votes to get early and correct results.
Interesting stuff about the Diebold machines, but hardly surprising considering the many allegations of "irregularities" linked to their use.
I guess I don't see why vulnerability details are being withheld for any reason--let anyone and everyone hack into these things and it will eventually point out how useless (and subject to possible fraud) they really are..."light on dark corners" and all that....
Who says that just the touch screens can be hacked?
Sure, paper ballots and optical scanners are hard to hack, but what about the central tabulators?
This is just the tip of the iceburg.
I think that electronic voting suffers from a similar social issue to many military projects. There are only a limited number of really good analysts and programmers in the country. Most of them don't want to work for either military contractors, or for operations like Deibold. So you get an electronic voting system designed and implemented by the passengers from the B-Ark.
David Chaum has an interesting design for an electronic voting system that provides an voter-verifiable paper receipt while also maintaining confidentiality. The receipt can be validated by a third party without exposing the content of the individual's vote. The receipt can also be used by the individual to verify that their individual vote was counted. I suppose that there is still some room for mischief farther upstream in the process, but it takes a lot of the mischief potential away from individual precincts, counties, and possibly even states. This is important when you have, say, a state governor who is the brother of one of the Presidential candidates, or a CEO of a voting machine company who is also a major fundraiser for one of the political parties and promises to "deliver the state" in which he lives.
Read about it here:
voting machines MUST produce a paper audit record at the time the vote is cast that the voter can visually inspect.
The electronic count can be used as an unofficial tally while a machine that counts the paper record (a la old fashion punch cards) can produce the official tally.
It would be some REAL clever hacking that produced a paper audit record that says "1 vote for Kerry" but was tallied by the counters as "1 vote for Bush".
>>> dqueue says:
> The Powers That Be do not want these
> machines scrutinized, and are satisfied
> with Diebold's "Trust us" assertions.
"Trust Us". That seems to be the guiding theme of the Bush administration.
"Trust us to wiretap without a FISA warrant", "Trust us to do pen traces on the entire US without FISA warrent", "Trust us, there are WMD in Iraq"...
A close second would be "When the president does it that means that it is not illegal".
--"That's pretty much what they did with Diebold, as ATMs are mostly secure"
Nope. They're just after a different problem that's much more tractable, since it can easily support extensive auditing features. The problem they don't encounter with ATMs that does exist with EVMs is anonymity. As long as we run on the secret ballot system, this provides them with all sorts of new challenges, as they can't individually track every transaction. Which is how they run ATMs, still get loads stolen from, but can keep down to levels banks consider acceptable and have a chance at uncovering/recovering fraud.
--"voting machines MUST produce a paper audit record at the time the vote is cast that the voter can visually inspect."
This is the key point. The problem I have with all these EVM companies is how much they resist it. The fix is very simple: stick a printer on and print out the ballot, which goes in the box. That all three major vendors are so adamantly against this set-up tells me a lot about their motives.
Oh, and I was going to add one more thing. We can cover the whole instant gratification bit quite easily by simply using the electronic tally for early results. Not as an official number, but for the news guys. Then when the hand-count is done we've got our official tally.
Computerized voting using $3,000 general-purpose machines running a general-purpose operating system is bullshit.
Computerized tabulation using machines designed specifically for the task is okay though.
Connect a line on paper ballots with a black marker and have an optical scanner tabulate the votes.
All election officials that waste money on expensive "computer voting" garbage need to either be forced to pay the cost of the machines, or beaten.
Here's a little Voting machine hack I tried a week ago, using nothing but the normal user interface.
Tuesday was voting day. I live in a small town and as the only thing on the
ballot was "School Board" and "City Council", the turnout was small. In my
voting precinct the total at the end of the day was in the low 200's. Several
people who know me were working the poll, so I got feedback within an hour of
Not too long ago, the town switched to "Touch Screen" electronic voting. As
many of you know, this is often referred to as "black box" voting and is an
ongoing political and technical debate.
When I went in to vote, one of the screens said "Select up to 3" and
displayed a list of candidates for "School Board", and a "write-in" section.
I voted for one of the school board candidates then on a lark, decided to try
the write-in function, I'd never used that before so I entered my own name.
Sure enough, it accepted it and I finished and left for work.
During the drive to work I got to wondering; does the software check for
duplicate write-ins from the same voter? Unfortunately I'd already voted so
couldn't test it, ... or could I?
I got home an hour before the polls closed and asked my newly registered
voter Son if he'd voted. He said he had not and didn't intend to do so.
Normally I'd then provide the standard lecture on voting and making your
voice heard, but this was too good an opportunity. I explained the hack I
wanted to try and my son rushed out with a grin to see if he could write my
name in all three times. Fifteen minutes later he was back to announce that
the machine took it.
Three hours later, I got the poll results:
I received 4 Votes!
I'd tell the town about the problem, but I'm afraid they will simply acuse me of "evil".
What kind of voting machine were they using in your district? Do you have the make/model? This flaw seems pretty serious. It would be possible for you and a small group of your best friends to triple the write-in vote for a candidate and win an election. I wonder if the machine not only does not check for duplicate write-ins, but if it does not check if the write-in is not the same as a normal listed candidate?!
Sorry, I don't remember the machine's used other than they were NOT "Diebold".
I was told by one of the election officials that they discard write-ins for listed candidates. This implies that the machine does not check but they procedurally handle it. This begs another issue, because nowhere is this made clear to the voter.
I apologize in advance for the long post, but since I work in this industry, I think my comments may be able to provide some context.
Interesting test. I work for a company that builds a ballot marking device geared toward voters with accessibility needs. This will be an interesting test to add to our suite.
Your post should be required reading for Americans and non-Americans who can't understand why we can't "just go back to paper." The US is a federation of independent states, and election law is clearly the province of the states. Federal election laws simply provide boundaries for certain aspects (such as the 2002 HAVA law), but not the entire process.
Some states allow straight-party-voting (SPV). Some don't. Some allow SPV based on government level (i.e. Republican SPV at the federal level, Democratic SPV at the state level, and Libertarian SPV at the local level, all on the same ballot). They want to track SPV selections to measure party-loyalty versus candidate-loyalty, so there's a difference between voting Republican SPV and coincidentally choosing all Republican candidates.
Some allow for closed primaries (your ballot is determined by your party affiliation), some provide open primaries (where you select the primary ballot as you walk in the door). Some provide secret open primaries, where you get ballots for all parties in the primary, and choose the one you want to cast in the voting booth! Some states will allow for "closed cross-party primary voting" in which you're allowed to vote for candidates in a primary *other* than your registered party if, and only if, there is no representation in that contest within your own party (which means that the primary is effectively, for that contest, the general election).
How about cross-party endorsement? In NY, for example, you may have the same person's name appear under several different parties. If it's a "vote for N of M" (where N > 1), you should block votes for John Smith - Republican if you've already selected John Smith - Libertarian. How often do you think that would be accurately caught by a hand-counter?
What about ballot rotation? Many jurisdictions specify that certain precincts display candidates for a contest in A, B, C order and the adjoining precinct is B, C, A order, to address the reality of "first candidate preference." If the ballots were counted at the jurisdiction level (instead of at the precinct), you've got a nightmare to deal with. Even worse, it's possible in some communities for a given precinct to not have just one or two ballot styles, but dozens, depending on how geographically large the local jurisdiction is.
NY requires what is called a "full face" ballot, where you must be able to see all contests and candidates on the same page, at one glance. This is a problem for DRE's, as they may be forced to use a 30" LCD (mounted vertically) to show everything on one page.
You hit on several issues very well, but fully understanding why we can't just "go back to paper ballots nation-wide" requires examining election laws all over the place. You think the individual states are going to allow the federal people to just step in and change the way they do things? (Given the way some places have resisted HAVA...)
As for people who suggest that companies don't think about security issues... just because of issues at *some* companies doesn't mean they're all that way. Are they as well-versed in security as they should be? No! However, one of the common calls we see in this industry all the time is for "open source" voting software. The suggestion is that this, in and of itself, will address most of the security issues.
My experience parallels that of Gary McGraw (author of "Building Secure Software") when he says that bugs (buffer overflows and the like) and flaws (design errors like making it easy to modify/upload the object code in the machine) are the biggest source of security issues in most applications.
Accordingly, you can find flaws with a good analysis of the design, but only a source code review (manual or automatic) will reveal most of the bugs. The problem is, it takes a very experienced software engineer to do an effective security-oriented source code review, and therefore the "many eyes" component of open-source solutions doesn't necessarily make those apps more secure (with regard to security bugs) than closed source apps.
Personally, I'm in favor of electronic ballot marking (addresses accessibility and consistency of marking issues), with manual counting where plausible, and optically scanned ballots where absolutely necessary. Ballot marking becomes a matter of validating that the system is an "electronic pencil," and accurately marks the paper.
There are still issues, but anyone who thinks that there haven't been issues with paper and levers, isn't a very creative thinker. The difference (and not a trivial one, to be certain) is that electronic voting systems have the potential to propogate errors on a different scale. However, this suggests the need for non-monolithic systems, and government-mandated diversity between marking the ballot and counting it.
I'm afraid that the existing vendors have lost so much credibility that only by playing them against each other, using a well-defined paper interface, will we ever get the kind of reliability we need. Will the current vendors like it? Nope. Will they do it? If they have to. Can they do it? Definitely.
Should have clarified that last paragraph.
What I think should happen is validation of ballot marking systems (BMS's) and Ballot Counting Systems (BCS's). Vendors would be certfied for those separately, and states might be prohibited from using the same vendor for both. For example, get your BMS from Diebold, and your BCS from ES&S, or BMS from ES&S and the BCS from Diebold.
Unless there's collusion (such as was suggested, but not proven, with the situation in Leon County Florida), you should have a more robust system. At the very least, errors in one system would be less likely to have positive feedback into errors in the other. Putting a well-defined (and secure) paper interface in the middle becomes, IMHO, a viable solution.
> I'm wondering (because I haven't done any research, being a lazy, impatient US citizen :->) if there is any kind of open source movement for "all" electronic voting systems (with a paper trail, of course)?
There are commercial voting machines running on FOSS, as well as FOSS-through-and-through projects. (Sorry, don't have bookmarks handy. My nation's not moving away from paper ballots anytime soon. ;-)
> my son rushed out with a grin to see if he could write my name in all three times. Fifteen minutes later he was back to announce that the machine took it.
This is called "cumulation", and perfectly legal in some elections on this planet. Did you doublecheck that it is *not* in your place?
> why we can't "just go back to paper." The US is a federation of independent states, and election law is clearly the province of the states.
And the states, most of them still larger than some democratic *nations* elsewhere in the world, can't implement their *one* system with paper ballots because ... ?
Because there are (say) two dozen offices to be filled and the (!) ballot gets too complicated for fast verification and tallying? Split the non-connected elections into *different* (color and size coded) ballots, then. Presto, presidential election tallying completely independent of any dispute over the Sheriff-to-be.
(And no, I don't think that the government *should* have the umpteen sub-votes of someone's vote available as *cross-referenced* data unless they have a truly *stellar* reason for that.)
not a single president has ever been elected ,they are selected by the illuminati.
First off, I'm an American, and I think that most Americans are very lazy--if they aren't getting paid for the most part nothing is getting done.
Voting falls victim to this pattern of activity in that very few people are then available to count votes relative to the general popluation and relative to the size of the pool of elegible voters. We here are also trained (due to our shared history) to be suspicious of people whom are really motivated to count votes by hand--in the past many such individuals (though small in number overall) have turned out to have no scruples which would prevent them from forcing their agenda on others. On top of this, our country has designed safeguards into our voting system that while preventing fraud increase the actual task load of counting by hand. Add to this the impatience of the people and you have a situation in which counting by hand just doesn't make sense for anything larger than a local (say school district, for example) election.
There is an additional factor in all of this as well--a machine will typically just spit out a (paper) ballot with red marks on it to indicate which votes it couldn't figure out how to count. People don't do this; they make assumptions--assumptions are something that any good voting system is designed to prevent. This is part of why hand counts are so expensive and so onery in the USA--the large number of checks and balances leads to a labor load that is insupportable for non-extraordinary circumstances.
Frankly, if you wanted to have hand counts of votes in the USA (in big elections) you'd need to have something set up similar to the jury summons process. That way it becomes a cumpulsory requirement to show a good reason why you SHOULDN'T help counting the votes (if you don't want to do it)--instead of just taking any warm body that doesn't seem to have an obvious partisan agenda.
In a fall 2003 fundraising letter sent to Republicans, from Diebold CEO Walden O'Dell:
"I am committed to helping Ohio deliver its electoral votes to the president."
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.