Schneier on Security
A blog covering security and security technology.
« The Onion on TSA's Liquid Ban |
| New Voting Protocol »
October 2, 2006
Voting Software and Secrecy
Here's a quote from an elections official in Los Angeles:
"The software developed for InkaVote is proprietary software. All the software developed by vendors is proprietary. I think it's odd that some people don't want it to be proprietary. If you give people the open source code, they would have the directions on how to hack into it. We think the proprietary nature of the software is good for security."
It's funny, really. What she should be saying is something like: "I think it's odd that everyone who has any expertise in computer security doesn't want the software to be proprietary. Speaking as someone who knows nothing about computer security, I think that secrecy is an asset." That's a more realistic quote.
As I've said many times, secrecy is not the same as security. And in many cases, secrecy hurts security.
Posted on October 2, 2006 at 7:10 AM
• 35 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I have developed a proprietary formula that will keep Conny McCormack looking beautiful forever. I find it odd that she would not want to buy any from me. I really can't understand why she would prefer to buy from a reputable medical supplier who has their products tested in a peer reviewed manner. But if I make my formula known people would be able to tamper with it.
"We think the proprietary nature of the software is good for security."
So, how do we get these officials to read Mr. Schneiers blog?
"So, how do we get these officials to read Mr. Schneiers blog?"
Gah, if that worked, schools' professed purpose of making people less stupid would also work.
How's Schiller's quote go? "Against stupidity, the gods themselves contend in vain."
Yeah, that sounds about right...
People who are sure of their opinions don't go out looking for ways to shatter their world view. How would you go about getting the people here to read flat earth and alchemy blogs?
There's no point in trying to educate these people. They are producing a product for profit. Reviewing security is a cost that detracts from profit. It doesn't make any business sense for them to worry about what people like us think of them.
The real target for information is the public. Everyone doesn't need to be a security expert, they just need to defer the decision to someone who knows more about the topic than they do.
Every time someone asks me about electronic voting machines, I ask them what problem do they think is being solved? The biggest benefit I see from the kinds of machines being produced today is that someone can manipulate the counts. Sure, this isn't a benefit to the voting public, but it could be a benefit to some of the people who want to have these machines installed.
Not everyone agrees that these voting machines have no significant benefits and have serious risks, but they do agree that someone should be evaluating these risks. Politicians aren't afraid of spending someone else's money on independent security reviews if that makes them look good in the eyes of their constituents. I just don't think we've reached a critical mass of people who care about the topic to even bring it up.
Ignorance is bliss. Especially in this era where faith-based life has extended beyond religion. Why learn and think and educate when one can just blindly believe? Besides, if she doesn't have to think about it, then nobody can hold her accountable when the darned things get hacked, right? ;)
"And it's a paper ballot voting system so recounting is pretty easy."
I personally haven't looked at this voting system, but if this statement is accurate and the machines just produce paper ballots, then at least it is a step in the right direction.
The following text from the Vishnu Purana is thousands of years old:
"In the Kali Yuga, there will be numerous rulers vying with each
other. They will have no character. Violence, falsehood and
wickedness will be the order of the day. Piety and good nature
will dwindle slowly... Passion and lust will be the only
attraction between the sexes. Women will be the objects of
sensual pleasure. Dishonest will be the bottom line of
subsistence. Learned people will be ridiculed and put to shame;
the word of the wealthy person will be the only law."
Especially the bit about "learned people will be ridiculed and put
to shame", describes this time we live in so aptly.
M Sherwood, the problems that need to be solved are: access for the various disabled, improved auditability, reduced human or machine counting error, improved speed for both the voting process and counting process, reduced cost of running an election, and greater difficulty in corrupting the vote. In theory, an electronic voting system can accomplish all of these. As executed in practice, they do not.
I find the best current technology compromise to be the optical paper reading systems, but these have problems for the disabled and cost issues because every ballot requires a special printing run. It is also surprising how many people use their own (wrong color or type) writing implement no matter how many markers are kept in the ballot booths.
The following text from the Vishnu Purana is thousands of years old:
Especially the bit about "learned people will be ridiculed and put
to shame", describes this time we live in so aptly.
To me, it suggests that things back then were much the same as now, and that human nature hasn't changed to any noticable degree in the intervening few thousand years - so it would be better to say that your quote aptly describes the eternally venal and corrupt nature of people in general.
If I were a government buyer considering bids for a voting machine, I'd take a few minutes to educate myself. I'd say Conny McCormack probably knows exactly how silly that statement sounds to anyone who has even the slightest knowledge of software and security.
I think it's impossible for this e-voting industry to be secure- there's too many rich and power forces that would stand to gain by it being crooked. I'll bet that if a vendor came out with the perfect machine and had it's code withstand the fire of public scrutiny, they would not win any government bids. The people in power stand to gain too much by getting machines that are easily compromised.
The Vishnu Purana quote puts me in mind of another optimistic little ditty: "The best lack all conviction, while the worst/Are full of passionate intensity".
If voting software is secret, your votes are tallied by unaccountable strangers.
Maybe somebody can come up with a catchy phrase along these lines.
I took the liberty of dropping the county recorder's office an E-mail.
"If voting software is secret, then only secrets can vote" doesn't have the right ring, does it? ;-)
I much prefer "What's wrong with a nation where electronic slot machines have to use code escrow, but electronic voting machines do not?"
It isn't catchy, but I think it sums up the problem: the State of Nevada requires that all code in use on slot machines be filed with (and reviewed by) the State Gaming Commission. But no one gets to review the code on voting machines. It's simply nuts.
So if the software is proprietary, how did you certify it?
"Here, install this program. It's safe."
The only improvement these machines make is secrecy for the blind.
Human error? Add more eyes.
Machine error? Take away the machines.
Speed? How long does it take to count paper ballots, with volunteers --- there are countries that can pull it off in less than four hours.
Again, in theory (not just practice) electronic machines cannot improve over paper ballots. They are inherently less transparent and error prone. This "in practice" BS has to end.
NO to electronic voting. The only use of these machines is to the bottom line, and to cheats.
If this is a paper-ballot system, it *may* be OK, but not necessarily.
I had the opportunity to participate in a hands-on demonstration of a direct-entry voting machine in my local district. As per proposed state requirements, it had a "paper-trail". Of sorts...
It printed a record of your votes, got voter verification that the printed record was correct, and dropped the printed record into a lock-box. All nice and handy.
Except that if the voter rejected the printed record, the ballot was still dropped into the same lock-box and the *replacement* ballot was marked as being a replacement. Luckily, there was a ID code (apparantly randomized, I didn't get a chance to verify) printed on each ballot, so you could pair up (by hand) replacement ballots with originals.
Oh, and the voter could request ballots printed in either standard print or large print for verification purposes -- which lead to two different sized printed ballots in the drop box.
From an ease-of-recount perspective, it was clearly (to me) a big PITA.
The sad part was that of the two direct-recording machines we saw, it had the better paper-trail system (the other printed a paper-trail, but displayed it to the voter through a small window that didn't allow the voter to read the whole thing).
We should, instead, be focusing on what technology is apropriate for each segment of the voting process.
Decentralized computers, data lines and such are GREAT for validating if a person is a registered voter, valid in that location, with adequate identification, etc.
The same with allowing a voter to check that s/he is correctly registered PRIOR to voting day.
Speed the process of validating/identifying the voters. Everyone who wants to vote should be allowed the opportunity or informed of any restrictions and how to appeal them.
But first, a paper trail to ensure that the votes cast are correctly counted. And low tech is the best way to do that.
"speaking as someone with no knowledge of computer security, I feel more secure if actual specialists can't audit the code"
Everyone is assuming that the purpose of the software is to ensure fair elections. That's a dangerous assumption -- do you know what specs the voting software was written to?
The reason that Casino accept the inspection rules on slot machines is that they understand that if the meme of 'Slot Machines cheat you' gets out, they'll lose a great deal of income. They want slot machines to be fair, and be perceived as fair, because they make money with them. The user wants it to be fair, or they have no chance of payoff. Interests align.
Users want voting to be fair, so that they can have a say in government. Do elected officials have that same interest?
This is why you will never see an open source voting system implemented. They will go back to punch cards first.
Never mind the complete uselessness of a source audit, if you don't have mechanisms in place to audit the hardware and ensure that the audited software compiles correctly, and that object runs on the audited hardware.
There are way too many way to break that audit chain, if someone has access and the will -- and there is ample access and will out there.
Given this, the only correct electronic voting scheme is none. Period. It cannot be secured unless you can align the interests of elected officials and voters on the subject of fair elections.
Of course, the official is superficially correct. At least I'd bet that if the InkaVote software were immediately made available to the public, that there would be many exploitable bugs readily apparent. After all, OpenSource is only safer AFTER individuals have had a chance to find and FIX the bugs.
I'm sure that's not what she meant, but given the very near planning horizon of most political animals, it would actually be hard for her to think about in some other way even if she were well schooled in security and software design.
The problem as it stands is that there is NO OpenSource balloting software currently available for use.
> optical paper reading systems, but these have
> problems for the disabled and cost issues because
> every ballot requires a special printing run
I'm sorry, I don't buy the cost argument. Download the ballot PDF form the county/city/whatever web site, fill it in electronically if you wish (PDF forms), print on your home inkjet. Use a 20-point header and footer that reads USE BLACK INK ONLY on every page to remind those filling in by hand not to use their kids' bright pink magic markers.
How costly is that? Depending on where you live, the fuel you burn to go to the polling station might cost more than the ink/toner.
Machines may be necessary to help voters who are visually impaired and need a tactile/audio interface. A Braille or touch-tone front end to the same PDF back end doesn't seem like rocket science.
Are the OCR vendors (or the OCR detractors) in the biz claiming that their scanners can't handle black inkjet/laser printouts?
I only said it was a step in the right direction. If we are stuck with these silly machines, at least we can verify that in a recount our vote is correct. That's way better than the current Diebold machines they have all over in my state (I'm in Maryland, where the voting machine problems are all over the front page currently). I keep voting, even though I'm pretty certain my vote is essentially worthless until they get rid of those machines.
My personal feeling matches Erik V. Olson's, in that the only people served by the voting machines are the politicians. It throws a huge question mark on any election. Whoever loses simply claims the election was rigged, and then sues over it. Obviously the biggest variable in an election is the voters themselves, so this is a convenient way to remove that variable. The election then turns into a legal battle, and whoever has the better lawyers wins. While I hope I'm just being paranoid, there is enough precedent to be worried (Al Gore actually did this in the 2000 election, but luckily the judge ruled he had no authority over the election committee).
I dont know what all the fuss is about, she seems eminently qualified to make informed assessments and decisions on security as it relates to open or closed source software:
From Davi's second link:
Penn State University (Journalism);
Virginia Polytechnic University (Political Science), B.A.;
University of Miami (Politics and Public Affairs), M.A.;
Emory University (Political Science) Ph.D. studies (ABD)
("political science" - still trying to get my head around that obvious contradiction in terms ...)
More background on McCormack and voting in LA, from 2005:
"Due to a problem with Electronic Voting Machines in Los Angeles County, Gov. Arnold Schwarzenegger was told he had already voted when he showed up at the polls today to cast his ballot in the Special Election that he himself declared for California today!
He was told he'd have to use a provisional ballot, but unlike most American voters, he was eventually allowed to use a regular ballot anyway.
Los Angeles County Registrar, Conny McCormack (a huge fan of Diebold machines, and a very good friend of their sales rep here in Southern California) is trying to mitigate the damage…big time…Though she admits that someone 'breached protocol in advance of the election'"
Based on her comments about the absolute need for "secrecy" my guess is she intends to silence anyone who finds flaws or criticizes the system, rather than properly fix the system.
How ironic that she worked on the Russian electronic balloting system from 94-95. I found numerous references to election fraud and misgivings there as well.
Perhaps this is the same/similar electronic election system she is now promoting in LA:
"Immediately after the presidential election this March , Communist Party officials tried to present evidence of serious ballot box fraud in nine regions, Dunlop said, but they were ignored. [...] Among the election irregularities reported were cases of computer tallies that did not come close to matching precinct tallies and the closed-precinct voting of 80 to 90 percent of Russia's military personnel. 'Moscow sent 580,000 ballots to Chechnya for 460,000 voters, including 100,000 military personnel,' he said."
at the intersection of administrative control over an important election and naked self-interest, stupidity and corruption become indistinguishable.
Basic security through obscurity i hate it more and more every time i see it
Best OCR: eyes from a local jury or reps of all political parties. As is done in democratic countries.
Exactly. Appropriate technology for the problem. Checking registered voters? Secure e-database may be better than paper lists. Checking votes? pencil, paper, eyes.
@ Rob Mayfield
You know, being a PoliSci grad myself many years ago, I have to agree with your assessment. She apparently has no credentials on which to base her position on software security. If anything, she appears to be using a mastery of politics to undermine security. Hard to tell motives, but the consequences are clear.
That being said, I found a fascinating interview with McCormack that reveals even more disturbing comments.
Kudos to the Los Angeles City Beat for putting this online:
"[Question:] Isn’t proper certification of election software an issue?
[Answer:] We have been using and patching software in L.A. County for over 30 years. Whenever changes are made, an incredible amount of testing is done – literally thousands of checks. Now, there have been infractions by all vendors, including in L.A. County. We have not been dotting every “i��? and crossing every “t��? to certify all the software. But it would be the biggest irony, to me, to have someone say that because we hadn’t done it by such-and-such a date we couldn’t do it."
Can you say clueless? Can there be any greater clear and present danger to democracy than an elections official who says "vendors make mistakes, software is buggy, so get over it"? The question was about certification for an election system today, mind you, not just any bug on any software in the past 30 years.
Imagine if other branches of government were run this way. Rockets would explode ("launch first, fix the guidance software later"). Trains would derail. Space shuttles would *never* land. NASA might even say, "hey, trains derail so why would you expect us to land the shuttle?" Things would be "certified" safe even if the vendor promised to only fix vulnerabilities some time in the future.
Delaying a fix on SimCity or a vacation tracking system is one thing, but knowingly allowing an insecure electronic voting system to be used in a real election should be a felony offense. And the onus/cost should be on the elections officials to prove it secure. If they are to be trusted, do not let them transfer the liability/accountability for fraud.
More examples on my blog:
"We think the proprietary nature of the software
is good for security."
Yeah, that certainly works well for Microsoft Windows...
Disclosing the source code might be a step in the right direction, but it's not enough to solve the big problems. It turns out that it's pretty hard to find subtle bugs in source code, even source code you wrote yourself. People trying very hard, spending lots of resources, still have security vulnerabilities pop up in their products. Most of those people don't have an unauditable process to hack, or one that people are demonstrably willing to spend millions of dollars to influence.
Here's a voting system that uses crypto to accomplish its goals:
By using Bruce Schneier's system for distributed secure logging, it might be possible to create a log of voting records that many people can verify, and that would be difficult to tamper with post-facto. Volunteers of all stripes (who can afford a computer) could join in a hash lattice of the voting results.
I went to an InkavotePlus demo just the other day. I was impressed with its ability to discern where there were problems with overvoting and no votes on a specific ballot. One of my chief concerns as a voter is ratcheting down the number of discarded votes for each election.
However, I did not know at the time that the state of California (though not for this election) intends to use it as vote counter as well.
At least there is a paper record that everyone can use to verify election results.
Inkavote is an optical scan system. The Inkavote plus system, the in-the-poll electronic system that voters see on election day, inspects voted ballots for overvotes and non-voted ballots. That's all it does. A seperate Inkavote plus feature allows the visually impaired to vote using an audio ballot.
The Inkavote plus system has unused capabilities such as undervote notification (a voter misses a race), and the capability of actually counting ballots. It would do so only as a back up (it has never been necessary 07/07). Mail absentee ballots and election day ballots cast in LA county elections are counted centrally on the RRCC's computer in Norwalk. This is official count of ballots. The MTS programming for the central computer is a fragile 30 year old system created internally by LA county's computer department, ISD. A new central count system is envisioned to replace it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.