Schneier on Security
A blog covering security and security technology.
« Conversation with Kip Hawley, TSA Administrator (Part 5) |
| Podcast Interview with Me »
August 3, 2007
More on the California Voting Machine Review
This is a follow-on to this post. What's new is that the source code reviews are now available.
I haven't had the chance to review the reports. Matt Blaze has a good summary on his blog:
We found significant, deeply-rooted security weaknesses in all three vendors' software. Our newly-released source code analyses address many of the supposed shortcomings of the red team studies, which have been (quite unfairly, I think) criticized as being "unrealistic". It should now be clear that the red teams were successful not because they somehow "cheated," but rather because the built-in security mechanisms they were up against simply don't work properly. Reliably protecting these systems under operational conditions will likely be very hard.
I just read Matt Bishop's description of the miserable schedule and support that the California Secretary of State's office gave to the voting-machine review effort:
The major problem with this study is time. Although the study did not start until mid-June, the end date was set at July 20, and the Secretary of States said that under no circumstandes would it be extended.
The second problem was lack of information. In particular, various documents did not become available until July 13, too late to be of any value to the red teams, and the red teams did not have several security-related documents. Furthr, some software that would have materially helped the study was never made available.
Matt Blaze, who led the team that reviewed the Sequoia code, had similar things to say:
Reviewing that much code in less than two months was, to say the least, a huge undertaking. We spent our first week (while we were waiting for the code to arrive) setting up infrastructure, including a Trac Wiki on the internal network that proved invaluable for keeping everyone up to speed as we dug deeper and deeper into the system. By the end of the project, we were literally working around the clock.
It seems that we have a new problem to worry about: the Secretary of State has no clue how to get a decent security review done. Perversely, it was good luck that the voting machines tested were so horribly bad that the reviewers found vulnerabilities despite a ridiculous schedule -- one month simply isn't reasonable -- and egregious foot-dragging by vendors in providing needed materials.
Next time, we might not be so lucky. If one vendor sees he can avoid embarrassment by stalling delivery of his most vulnerable source code for four weeks, we might end up with the Secretary of State declaring that the system survived vigorous testing and therefore is secure. Given that refusing cooperation incurred no penalty in this series of tests, we can expect vendors to work that angle more energetically in the future.
The Secretary of State's own web page gives top billing to the need "to restore the public's confidence in the integrity of the electoral process," while the actual security of the machines is relegated to second place.
We need real security evaluations, not feel-good fake tests. I wish this were more the former than the latter.
EDITED TO ADD (8/4): California Secretary of State Bowen's certification decisions are online.
She has totally decertified the ES&S Inkavote Plus system, used in L.A. County, because of ES&S noncompliance with the Top to Bottom Review. The Diebold and Sequoia systems have been decertified and conditionally recertified. The same was done with one Hart Intercivic system (system 6.2.1). (Certification of the Hart system 6.1 was voluntarily withdrawn.)
To those who thought she was staging this review as security theater, this seems like evidence to the contrary. She wants to do the right thing, but has no idea how to conduct a security review.
EDITED TO ADD (8/4): The Diebold software is pretty bad.
EDITED TO ADD (8/5): Ed Felten comments:
It is interesting (at least to me as a computer security guy) to see how often the three companies made similar mistakes. They misuse cryptography in the same ways: using fixed unchangeable keys, using ciphers in ECB mode, using a cyclic redundancy code for data integrity, and so on. Their central tabulators use poorly protected database software. Their code suffers from buffer overflows, integer overflow errors, and format string vulnerabilities. They store votes in a way that compromises the secret ballot.
And Avi Rubin comments:
As I read the three new reports, I could not help but marvel at the fact that so many places in the US are using these machines. When it comes to perscription medications, we perform extensive tests before drugs hit the market. When it comes to aviation, planes are held to standards and tested before people fly on them. But, it seems that the voting machines we are using are even more poorly designed and poorly implemented than I had realized.
He's right, of course.
Posted on August 3, 2007 at 12:55 PM
• 37 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"It seems that we have a new problem to worry about: the Secretary of State has no clue how to get a decent security review done."
I think you are crediting him with incompetence when it was actually done with malice; he doesnt want a thorough review because he doesnt want to have to spend the money to fix the problems.
Facing schedule and profitability pressures, it is fairly common today to cobble together existing code from various sources into a delivery, thereby incorporating a variety of previously unrelated bugs and vulnerabilities, and, worse, having no security integrity, so that bug fixes may be undone by unrelated code, creating emergent vulnerabilities.
It would be interesting to trace the parentage of the Sequoia code to see if any parts were lifted from elsewhere.
Just how difficult is it to build a box that can count?
We would be better off putting pebbles in jars than trust any of these hairbrained schemes.
The paper based human counting system has many faults, but it's good enough. It has the huge advantage of being cheap and the requirement that people have to actually turn up to vote makes systematic and automated fraud difficult (though not impossible.)
Very often, good enough, is sufficient. That last 10% is always going to be expensive to cover and you never get value for money.
The secretary of state, Debra Bowen, ran on a platform of electoral security, and has the support of a number of security experts.
The schedule emerged because the legislature moved up the California primary to February, and the law requires a six month warning if the secretary wants to raise security issues with the county elections officials, or decertify any systems.
> law requires a six month warning
???? So if they find a massive vulnerability, or an actual breach, the week before an election they just what, cover it up? Throw up their hands and use the machines anyway?
"the law requires a six month warning if the secretary wants to ... decertify any systems."
That six month deadline is today - I take that to mean that if the machines aren't decertified in the next couple of hours, then they'll be in use on 5 Feb.
So, any would-be election tamperers will have half a year to study the reports, reproduce the results, and get their election-fixing software firmly entrenched. Hurrah! The long-held dream of a Zoroastrian theocracy in America may finally come true!
- Throw up their hands and use the machines anyway?
Apparently, that is the case. I think the secretary can challenge results, but local officials have the choice of the system to use.
The big scandal is the local officials: they are screaming that the systems are not the problem, and that the tests were not fair. They claim their procedures would prevent the machines from being hacked.
Which we know is a joke.
Basically, the county guys made bad purchase decisions because the previous secretary of state said the machines were OK. He was appointed by Arnold.
"Deep rooted weakness" .. wow .. you can make this same statement about any sizable project. I am sure if there was a "real" problem these guys will be jumping all over tv and internet .. instead they come up with this lame dame story.
What's the story here .. that a secretary of state doesn't know how to schedule a software review ?
I wonder what's becoming of this site, it's become a fixture for conspiracy seekers and anti-establishment fear mongers and BS keeps serving them coolaid.
So, let's try a thought experiment. Suppose that instead of significant, deeply-rooted security weaknesses, these researchers had found real problems. In such a case, how should they have phrased their conclusions so as to convince you that the problems they had found were indeed real?
The NSA should be given the task of developing secure voting machine standards, just as they have standards for other aspects of computer security.
I'm not a lawyer and I don't play one on TV.
> Secretary of State has no clue how to get a decent security review done.
My cursory reading of the CA voting code agrees with what Bill said:
> The schedule emerged because the legislature moved up the
> California primary to February, and the law requires a six month
> warning if the secretary wants to raise security issues with the county
> elections officials, or decertify any systems.
> Throw up their hands and use the machines anyway?
Yeah, what Bill said again. They use the machines.
The CA voting code is here:
The SoS's job is to count the votes, and organize contested elections:
Really, the only recourse available to the SoS is to instigate civil proceedings:
So, Debra can only say, "These suck, you ought not to use them," the local officials get to decide whether or not to use them. And if they do use them anyway, her choices are, (a) do nothing, or (b) instigate a civil action, or I guess (c) refuse to certify the results.
But (c) is (so far, anyway) not well defined.
I haven't read enough of the CA code to know what the implications of the SoS refusing to certify an election are.
Yes, I verified that Bill is correct:
> 19201. (a) No voting system, in whole or in part, shall be used
> unless it has received the approval of the Secretary of State prior
> to any election at which it is to be first used.
> (b) No jurisdiction may purchase or contract for a voting system,
> in whole or in part, unless it has received the approval of the
> Secretary of State.
In other words, now that the machines have been used, the SoS can't say, "You can't use these any more" - it's up to the local officials.
> 19208. If the report states that the voting system can be used, it
> shall be deemed approved by the Secretary of State and machines or
> devices of its kind may be adopted for use at elections.
There is NO ability to revoke approval, as near as I can tell (again, disclaimer: not a lawyer).
Yes, this is a major problem. But it looks like, if the SoS declares the machines unfit, she can't do much to enforce it.
Ah, wait, I/Bill was wrong:
19222. The Secretary of State shall review voting systems
periodically to determine if they are defective, obsolete, or
otherwise unacceptable. The Secretary of State has the right to
withdraw his or her approval previously granted under this chapter of
any voting system or part of a voting system should it be defective
or prove unacceptable after such review. Six months' notice shall be
given before withdrawing approval unless the Secretary of State for
good cause shown makes a determination that a shorter notice period
is necessary. Any withdrawal by the Secretary of State of his or
her previous approval of a voting system or part of a voting system
shall not be effective as to any election conducted within six months
of that withdrawal.
So, yes, she can decertify the machines, which means that they couldn't be used.
Real problems will be listed as :
1. This thing fails in the following scenarious .....
2. This thing can be compromised this way ....
This thing about "deep rooted" .. is in the same category as "international experts" and "really sound" and "totally useless"
Other than making nasty comments on everyone else's integrity and capability, these reports don't tell anything useful.
Thought experiments are with thoughts .. there is nothing here ..
Did you actually read the reports or blog posts you''re talking about?
The reports consist of several hundred pages of the form "this thing fails in the following scenarios" and "this thing can be compromised this way...". That seems to add up to "deeply rooted" by any definition.
Also, where do they make any nasty comments on anyone's integrity? I've not finished reading them, but I haven't gotten to that part yet.
I assume you're just trolling, but there are so many crazies willing to apologize for these supremely awful voting machines, I may be wrong.
IANL...but the way I would interpret 19222 above:
1) The CA SoS can simply declare the machine unacceptable / obsolete / etc and give the Counties 6 months to replace them.
If the primary is less then 6 months away, the Counties could still use the machines.
2) "Good Cause" is for emergency situations -- such as when 2 days before the election they find out there's been a systemic hack actually taken place on the machines, and she orders the Counties to use paper ballots.
> The paper based human counting
>system has many faults, but it's good
>enough. It has the huge advantage of
Counting ballots by hand is *not* cheap, and moreover requires having the available, trustworthy labor to do it.
The larger the ballot, the longer it takes. A simple budget referendum that's "yes / no" would be hard pressed to count more then 1,200 or so ballots / hour, and that requires at least 5 people -- a person who reads the ballot, a person who confirms the person reading, a person who tallies, a person who confirms the tally is accurately recorded, and a supervisor/judge (although he could have multiple groups he's counting).
Now I figured it was 1,200 ballots/hour for a single question yes/no referendum.
Now let's take a more typical election with a dozen positons being voted on, most of which have 2 and some of which may have 4, 5, or 6 candidates on the ballot.
You're probably talking more like 180 ballots/hour for a full count (don't forget, most "recounts" are only conducted for a single position, they're not counting by hand every position).
Your labor costs, direct and indirect, are at least $50/hour for that 5 person crew -- so you're talking $3.60/ballot to count them.
Mechanical voting machine elections run about $3,000. I don't think you'd see much of a drop in that cost with other automated systems, like optical scanned paper ballots.
With 2,500 votes cast in my town the November, 2006 elections. That's under $1 per vote.
Move to a hand counted system, you're talking adding around $9,000 to the cost of the election, or over $4/ballot cast.
Perhaps more importantly, it saves something like 70 man hours of time to count them. Either you need to double up on the number of poll workers to record them "live time" or you're looking at a day or two later before you have a final count.
My town, like most, has difficulty recruiting poll workers. Now you're asking to recruit twice as many, or have them work for 2 or 3 days instead.
It makes it a perfect place to apply technology to save time and money.
You just need the technology to be reliable and verifiable -- like optical scanner systems.
So what most of the people here who support these machines are saying is that the machines might be expensive, and let people steal the election, then use the power they get to cover it up and ensure that next time it is done the same flawed way, but that paying a bunch of people to sit and count the votes correctly takes too long, and costs money.
Sorry, but governments spend billions of dollars on whims and fancies and nice dinners, whilst voting themselves pay rises. Spending a few million on a custom built and well working voting machine, *for which they only have to promise to buy the winner of the contest* really isn't hard. The military and others have been doing it for a hundred or more years. It's called a tender.
A number of states have election security issues arising from electronic voting. Having ready online access to a state's legal code is helpful for assessing the current state of affairs, so I'm glad that Californians have that access. Some states, Georgia among them, direct official state web site visitors, when the option for the state code is selected, to a gateway controlled by LexisNexis. The gateway has no information as to how a visitor without a business or academic registration might register and get a password.
"You just need the technology to be reliable and verifiable -- like optical scanner systems."
@Matt from CT
As the recent, Florida-sponsored, July 27, 2007 SAIT "Software Review and Security Analysis of the Diebold Voting Machine Software" noted on p.3, opscan systems are not without flaws:
"As an example of the issues that remain, flaws in Optical Scan software enable a type of vote manipulation if an adversary can introduce an unofficial memory card into an active terminal before the voting (or early voting) period (e.g., during 'sleepover'). Such a card can be preprogrammed to alter the correspondance between physical bubbles on the scanned paper ballots and the candidates with which they are associated. Specifically, it can be used to essentially swap the electronically tabulated votes for two candidates, reroute all of a candidate's to a different candidate, or tabulate votes for several candidates of choice toward another chosen candidate. We implememented this attack in the laboratory. The attack succeeds despite new protection mechanisms apparently designed to protect against similarly-documented attacks in previous studies."
Deploying a system with a capability for an independently auditable ballot is just an initial requirement.
The results from theoretically software-independent (SI) election system must actually be independently tallied--or at least independently audited--before the system should actually be considered SI.
In the past, I've proposed fully-redundant counting subsystems. Others pointed out unresolved problems with that particular proposal in assuring receipt-free properties. But, on the whole, fully-redundant counting subsystems seem affordable.
At the very, absolute least, actually auditing the results from the vote tally is essential: An opscan system by itself is not sufficient.
"[California Secretary of State Debra Bowen] wants to do the right thing, but has no idea how to conduct a security review."
Fwiw, on March 22, 2007 the California Secretary of State's office made its "Draft Criteria for Top-to-Bottom Voting Machine Review" available for public comments.
The deadline for public comments was Mar 30, 2007. Obviously, that deadline has long since passed. But what were your comments on the draft criteria?
In your opinion, how should this review have been conducted?
The draft was published March 22, 2007 and the deadline on March 30, 2007, that are only six workdays. Was the fact of the publication made widely public, was it in at least some news or was the link at the website the only way to know it?
A press release ist worth nothing if noone publishes it except yourself on your website.
> In your opinion, how should this review have been conducted?
Not how but when: before any line of code had been written and before any screw had been turned. Then regularily while the work is in progress and when it is finished and when it is used.
The design must be done formaly and be able to be proved mathematically (I would propose a formal language for that purpose. The logic is not very complicated and straightforward, even something simple like ISO-Z would be sufficient). At least where possible because it's in most cases very difficult to find a provable correct compiler/interpreter for your programming language of choice. COTS hardware is also difficult to dissect and building hardware yourself is expensive.
I find it very irritating that people here are actually discussing the security of voting machines, though the whole idea should be critized.
The point about democratic elections is that they should work without trust as a prerequisite. It should be possible that, although two parties cheat on each other whenever possible, the overall result can still be trusted, as manipulation can only effect small fractions of the result (the system fails sensibly). Think about glass containers for the votes, that everybody can observe (using his/her own understanding of the laws of physics) that no manipulation is taking place!
Only the full confidence that the result can be trusted established the necessary legitimation for the politian voted into office.
The need to "ceritify voting machines" by "independent experts" already shows that there is some perlimary trust needed. Such a system is wrong.
I find it very interesting that we are telling other nations how they should run elections, and actually go there to observe honest elections, yet we seem unable to do the same in our own country. Perhaps we also need independent international observers?
I just wanted to thank Pat Cahalan for taking the extra minutes to review the actual articles on the topic and commenting, instead of adding more knee-jerk opinions. The vitriol should be aimed at the state workers and companies that insist nothing is wrong, these machines are fine. Bowen should be praised and supported here for such an aggressive stance towards getting the problem addressed; if we had put people like her in office at the beginning when these things were first showing up, we might actually have seen real security reviews from the very start, and not emergency reviews and hot-patches.
"- Throw up their hands and use the machines anyway?
Apparently, that is the case. I think the secretary can challenge results, but local officials have the choice of the system to use."
Challenging the results is useless, see the history from FL, 2000 Presidential election.
Selective malfunctions were used to skew results by invalidating ballots from demographically biased precincts. (Here's how: hanging chad result from failure to properly clean and maintain machines, if you make sure that happens where demographics indicate you want an undervote but not where demographics favor your candidate, you skew the results.) Challenges went all the way to the Supreme Court and the modified results were upheld.
Local officials in those same precincts now defend their present electronic voting systems. Wonder why?
@RC: "The NSA should be given the task of developing secure voting machine standards, just as they have standards for other aspects of computer security."
Fast forward a few decades.... "Gee, isn't it funny how only the Presidential candidates who promise increased funding for the NSA manage to get elected."
I don't think anyone posted...per an NPR news clip I heard over the weekend, the California Secretary of State has decertified the machines and they WILL NOT be used for the Primary.
>At the very, absolute least, actually
>auditing the results from the vote tally
>is essential: An opscan system by itself
>is not sufficient.
Absolutely. An audit only requires a small fraction of the counting a manual count requires, and it can take several forms.
>I find it very irritating that people here
>are actually discussing the security of
>voting machines, though the whole
>idea should be critized.
You could drop the whole security word.
In the end, we're talking about Accuracy. In most elections, it doesn't matter since the margin of victory is greater then the margin of error.
My state has long had procedures in place when elections are so close to require an automatic recount, and when there is a wider margin of victory but still close enough the losing candidate has the right to demand a recount.
Mechanical machines can be shown to be accurate by a mechanic. He can show all the sprockets and levers.
Media that is marked primary by the voter (like optical scan ballots or punch cards) can be trusted to accurately reflect their intent.
The problem with voting machines which the primary means is electronic to mark the ballot is verifying the accuracy -- you must expect knowing our society most voters will not take the time to verify the paper "receipt." Once an audit discrepancy is detected, which do you trust to be accurate? The machine that recorded the vote directly, or the same machine that produced the receipt that doesn't match the vote?
>Selective malfunctions were used to
>skew results by invalidating ballots from
>demographically biased precincts
Most of these allegations of poor procedures are strongly associated with areas of a heritage of corrupt Democratic machine politics. In an area controlled, traditionally, by Democrats it really didn't affect the outcome of Citywide / Statewide / National power. What it did affect was internal Party politics of one Democrat against another.
These local pockets of corrupt political culture has become more obvious due to recent closeness of major races, and that the corruption has spread to Republicans -- specifically, Republicans in areas that formerly had Democratic machines designed to suppress the black vote. The corruption spread when the white fled the Democratic party in the south.
It's nothing new -- just remember the famous slogan of Democratic Chicago Mayor Richard Daley -- "Vote Early and Vote Often!" and such practices of the dead voting and people voting in multiple precints were endemic in certain Democrat machine controlled urban cities through out the nation and rural areas of the South for all of the 20th century.
Bruce: to be fair, the schedule wasn't entirely the Secretary of State's discretion. In order to decertify machines for the February primary, the Secretary of State had to announce her decision no later than yesterday; in order to give her time to respond to the review, the review had to be finished no later than a week ago.
Yeah, it could have been started earlier; but she was sworn in in January and started the process in March --- I'm not sure how much faster it's reasonable to have expected her to get things done.
Bob: I think you are accusing someone of malice without knowing anything about them. California's Secretary of State is a *she*, and she specifically campaigned for the office on this issue.
Bill: the local officials are generally speaking computer illiterate, and are not to be trusted with this decision. (I'm a poll worker, and a software engineer; the poll worker training I received claimed, among other things, that the Hart machines weren't computers).
Christoph: arguably you are correct that this should have been done before any code was written. But given that a previous SecState had approved the machines, that was no longer an option.
Aphrael is right; Bowen only won election in November '06.
As a member of the legislature she led a well-regarded review of e-voting systems problems last summer...
I'm going to have to agree with abacus on this one; I don't think the investigation was rushed because Bowen doesn't know how to run an audit, I think it was rushed because it had to be finished in the allotted time to have any effect on the '08 election.
> You could drop the whole security word.
>In the end, we're talking about Accuracy. In most
>elections, it doesn't matter since the margin of
>victory is greater then the margin of error.
I disagree. The point is indeed security. We consider the leverage of a villain. If we have manual voting, then the leverage is much smaller when compared to a villain who manages to manipulate a voting machine.
Also, even if "we engineers" are able to build a really safe voting system: The problem that the average John Doe cannot verify the voting procedure opens up a whole new world for conspiracy theories and erodes the legitimation of the politicians. This is poison for democracies, where the minority has to accept that they are governed by the party that got the majority.
"California Secretary of State Debra Bowen up and decided Friday that those severely vulnerable Diebold, Hart, and Sequoia voting terminals would still be cleared for takeoff, provided the companies in question supply their machines with updated firmware, disabled access to unused ports, kill the wireless connections, and so on."
OQ: that's inaccurate. The full text of her decision is available on her website, but what it boils down to is this --- HAVA requires that blind and disabled voters be allowed to vote unaided. A *single* machine is allowed in each polling place to accomodate these voters.
She's between a rock and a hard place on that; if she doesn't allow these machines to be used for disabled access, then California is in violation of federal law, and the Justice Dept can step in.
People interested in this topic should check out today's forum (a local npr call in show), which featured her and various county elections officials discussing the decision. An mp3 will eventually be available here.
@Matt from CT, "@Anonymous
>Selective malfunctions were used to
>skew results by invalidating ballots from
>demographically biased precincts
Most of these allegations of poor procedures are strongly associated with areas of a heritage of corrupt Democratic machine politics. In an area controlled, traditionally, by Democrats it really didn't affect the outcome of Citywide / Statewide / National power. What it did affect was internal Party politics of one Democrat against another."
Um, Matt, hanging chad gave W the white house win in 2000. That's certainly affecting national power, and something no side on any internal Democratic party politics would want to see.
So I think you're blowing smoke. W's brother, the governor of Florida, and his cronies stole that election, no two ways about it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.