Schneier on Security

The only people who have the power to fix the problems have the problems to thank for putting them into power. Fixing means their political suicide; keeping the system broken means their political survival.

It's simple and straightforward.

I work in the industry, and it's personally troubling to me how many of the jurisdictions share the exact same attitude as that expressed by Diebold (and others). "There have always been cases of fraud and voting irregularities," is the most common thing I've heard, which completely ignores that with computers involved, the scale of problems can go up astronomically.

FWIW, I have developed the rep within my company of being the "security weenie," because I've insisted that we take extra precautions to protect both the vote, and our company's reputation. One of the roadblocks that I've encountered is the lack of knowledgeable manpower available to each of the states. The Secretary of State in your average state does not have a highly technical IT staff, particularly within the Elections management area. They are good people, and all seem quite dedicated to fair and honest elections, but they are not accustomed to working in a mode where they might be considered a security threat themselves.

In my case, I want to prove to the customer that our processes and practices are such that any action I might take that was inappropriate would be clearly visible to them, and I am constantly begging them to supervise me for just that reason. This seems surprising to many of these folks, almost as much as the suggestion that someone should be supervising or reviewing their work (more so than peer review).

Ultimately, there needs to be, not just an overhaul of the way DRE's, optical scans, and other technologies are used, but a complete rethinking of how each state can restore credibility to the entire process. As many others have pointed out, more exposure of the process is always a good thing, and if we can make it transparent enough, perhaps the American voter will have a bit more faith.

@roy: almost all government positions involve (job) suicide as a reward for success. Thats why the british still have a guy standing at Dover with binoculars looking for Napoleon, and a guy standing next to him with binoculars looking for Hitler.

One problem with the study is that while it looks at each class of voting machine, it does not specifically say which attacks may work against a given machine. In my jursidiction (Travis County (Austin), Texas), we use the Hart eSlate machines, without a paper trail. The County Clerk here is steadfastly opposed to including a paper trail, saying that it will cause more problems than it is worth, and that her machines are just fine without it, thank you.

And, of course, since changing course might involve spending more money, the Commissioners' Court here is loathe to do anything as well.

I guess until we have an election demonstrably stolen by these devices, we are stuck with them...

Again, the question is externalities, the price for failure of the machines is born by the voters for the losing party, who are by definition not empowered to do anything about it.

It amazes me that Diebold can build a rock-solid well audited ATM machine which rarely malfunctions, and yet can't do the same, or even employ the same technologies, in their voting machines. They just aren't motivated. Maybe NIST can generate a standard.

"It is difficult to get a man to understand something when his salary depends upon his not understanding it."
-- Upton Sinclair

@IndustryInsider writes that state election officials appear surprised at
the expectation that election-related programs and activities ought to be
subject to rigorous security procedures and audits.

The odd thing is, these same officials are generally quite diligent when it
comes to the management of funds. State money is carefully tracked, and if
some state employee improperly makes makes off with even petty cash, in the
natural order of things this will be discovered because of the accounting
procedures designed to prevent it.

Perhaps we ought to somehow place monetary value on votes. If each
accurately-counted and authenticated vote were worth $10 to the state
(say), and the *loss* of such a vote cost the state real money, and the
genration of fake votes were regarded as legally equivalent to currency
forgery, then perhaps state officials might undergo the gestalt switch that
would allow them to regard the election system as worthy of high-grade security.

"It amazes me that Diebold can build a rock-solid well audited ATM machine which rarely malfunctions, and yet can't do the same, or even employ the same technologies, in their voting machines."

Dave: Is that a bald assertion or from personal knowledge? I have a guy sitting next to me, who used to work on ATMs for a living who would disagree with you. Granted, his information is 10 years old...

They're talking about this on NPR right now. The "we don't need to change anything" voice was mostly arguing that voter confidence is high, ergo everything is just fine.

This pretty much took my voter confidence out behind the barn and shot it, but then I read this blog.... Maybe others out there would be impressed by a 10 ton vault door they never close or lock.

Lawrence Norden of the Brennan Center was on Diane Rehm's radio show on WAMU (Washington, D.C.) this morning to discuss the report, along with Avi Rubin and a few other guests. An audio stream will be available later today from this URL:

http://www.wamu.org/programs/dr/06/07/...

@David: Great Quote from Sinclair

Thank you for your work on this Bruce. With all the focus we, as a nation, are putting on securing ourselves from terrorist attacks, we are ignoring several key areas where our nation's core values are being challenged. The consolidation of power in the Executive branch (possibly upsetting the "checks and balance" system which was the true genius decision of America's founders), the movement of legal enforcement from state level to federal level, and paperless electronic voting are among the biggest issues the nation is largely ignoring.

I often feel powerless to influence the course our nation is taking, but I am comforted to see someone of your stature working on this issue.

Quotes like the one you included, "This report is based on speculation rather than an examination of the record. To date, voting systems have not been successfully attacked in a live election," show the ignorance of those currently involved in developing and deploying these electronic systems. Ignoring the ease with which elections could be manipulated, hacking the election would be the crown jewel in any hacker's list of achievements. I always remind myself of the greatest hack of all time from none other than Ken Thompson: http://www.acm.org/classics/sep95/

In fact, we should credit whomever titled the Washington Post article:

" A Single Person Could Swing an Election "

In retrospect the summary on the Brennan report should have opened with a much simpler and clearer statement. Something like:

" With current voting systems, a single person in the wrong place could change votes and swing an election. We cannot be certain that past elections have not been corrupted. We can do better. "

While not offering nearly as many syllables per word, the meaning is clearer. :)

In my perfect world, I would have the same audit rules for voting machines as are used for slot machines in Nevada. Severe audit procedures and inspection with actual legal authority. Of course it will never happen. This is a game that is rigged to favor the house.

if these recommendations were implemented, people like the former ceo of diebold would be robbed of their ability to keep promises to deliver states, e.g., ohio, to the candidate of their choice. that's almost like disenfranchisement.

Why invent a time machine to go back and change the past, when you can hack a vote and change the future?

(And this is assuming that the source code is "impartial").

But we have nothing to worry, right? I mean, no American would stoop to stealing another person's vote, right? Pah! Rubbish! We're better than that.

C'mon folks...wake up. Smell the toast...that's your vote too.

Bruce, keep up the good work with this project, and imbue your peers with the importance of their mission.

There are few things more sacred in this land that a single vote.

I am just sorry we cant stick with the punched-card system we had for the last (40?) years. Cheap (nevermind already paid for). Reliable. Effective. Easy to use. Portable. The only real posibility for fraud at the precinct is putting out false labels, which could be easily countered by publishing the official ones in the newspaper ahead of time.

The system was as verifiable as anything can be. And recounts involve the exact same media as "firstcounts".

But you cant use a pencil if a wordprocessor would be almost as good and only cost 7,000x more, so I guess thats progress.

@Brett

"I guess until we have an election demonstrably stolen by these devices, we are stuck with them..."

How would we know an election was stolen?

Well, if somebody hacked the system and made Bugs Bunny sweep 10,000% of the vote -- 100 times the number of registered voters -- that would cinch it. But as long only registered candidates appeared in the results and the figures weren't too far out of whack, nobody could prove there was any funny business.

P.S. Am I the only one who knows who Donald Segretti was? Imagine his ilk loose in the computer age. Think of hacking experts turning script kiddies loose with re-electioneering software.

There is already very clear evidence of massive fraud in electronic vote counting. Exit poll results in both 2000 and 2004 are significantly different than official election results. The difference is highly pronounced in key states such as Flordia and Ohio. This is as close to a smoking gun as one can get with non-auditable DREs.

See http://center.grad.upenn.edu/center/get.cgi?...

Furthermore, the biggest problem with electronic voting equipment isn't the technology but rather with conflicts of interest. Several equipment providers have very close ties to the Republican party and also to Christian reconstructionist (pro-theocracy) groups that have a dubious committment to democracy. Anyone who doesn't spare at least a thought to questioning the impartiality of Diebold equipment after the Diebold CEO's famous statement that he was 'committed to helping Ohio deliver its electoral votes to the President' really needs their head examined.

Has anyone given any thoughts to the legalities in case fraud is detected after the event. What happens? Is the election annulled and the nation declared leaderless.

There are probalby some tricky problems here.

I hope all people who plan to commit any kind of fraud admit it up front on nationwide TV. Dont suppose you could be putting politically oriented spion on something? Nope, he has to have meant he was going to steal the election, good thing you guys are smart enough to have seen through his non-subterfuge. Good catch. Put your tinfoil hat back on.

@get-a-life:

The evidence of vote manipulation in 2000 and 2004 is incontravertable to anyone who can read and isn't part of the cool-aid chugging 30 percent. The only one here peddling partisan bullshit is you.

>> Tom Jefferson - Dem-Rep
>> Johnny Adams - Federalists

Nice 8)

This whole story has me completely confused. I know it is a big political issue in the US and I just don't get it. In Canada, All the ballots are pencil on paper and they are counted by hand. We get the results in about the same time as the US does. There are sometimes judicial recounts, but they seldom move very many counts. Why have ANY kind of machine?

Vote fraud and election manipulation is rarely confined to one technique or method.

In the past elections (2000,2004) the attacks on the voting process ranged from Jerrymandering (the Texas violation found in the recent Supreme Court decision) to registration barriers (wrong paper weight of registration in Ohio) to Secretary of State manipulation of voter lists:( Ohio, Minnesota, Florida), to fradulent registrars that throw away opponents registrations:( New Mexico, Ohio), to intimidation of voters (Minnesota Indian reservations) to depriving voters of means of voting (shortages of machines or ballots at precinct voting stations) to manipulation of absentee ballots (fixing incomplete ballots or throwing away opponent ballots) to changing precinct locations to confuse voters, to not counting provisional ballots (very few were cast in Minnesota vs hundreds of thousands cast and not counted in Ohio, New Mexico, Florida.) And then having the vote on a Tuesday, a work day when people are not able to take time to vote between 7am and early evening when child care, work and family obligations are at a peak. Add some attacks of your own here.

Finally there is manipulation of voter count using the electronic scanner and DRE. The manipulation of elections is not just one set of attacks against electronic voting but is an attack on voting at all levels in the entire voting process spanning a much greater interval of time than just the day of the vote.

So to continue....

Vote manipulation is easier when participation is smaller. A smaller set of manipulations must happen in the smaller participation set to affect the outcome.

Since the 1960s voting rights and 1970's when voter ages were lowered to 18 and same day registration and motor-voter registrations were implemented in a few states there has been no movement to widen participation in elections. Instead, barriers to registration and HAVA have created methods to supress turnout.

Audits as mentioned in the report are fine, but when only white rich men can vote what will the audited result be?

Universal registration and a work holiday with daycare to vote would change the affects of attempted manipulation by increasing the set of voters and making manipulation more difficult.

Johnny Quest> And then having the vote on a Tuesday, a work day when people are not able...

While there are disadvantages, having the vote on a weekday has the advantage of maintaining a religious agnosticism in the voting process. Doing it on Saturday or Sunday would have people going to the polls fresh out of temple or church service; that might create its own bias in that officiators at those respective services would find it tempting to advise their constituents how to vote.

@bruce

that study is badly flawed. it says in "attacking a voting computer with VVPAT" (page 65) that the fraudsters might get away with it because voters might believe they pressed the wrong button:

" ... believe
she had accidentally pressed the wrong candidate the first time. In any
event, it might make her less likely to tell anyone that the machine made a
mistake."

this ignores the obvious case, that the voting machine shows "Adams" on
paper and "Jefferson" on the display at the same time making it easy to prove the manipulation to an election official. after this happened once, the machine is out of business and goes straight to the FBI, the fraudsters can be prosecuted quickly.