Schneier on Security
A blog covering security and security technology.
August 15, 2008
XKCD on Voting Machine Security
This comment is absolutely correct.
Posted on August 15, 2008 at 12:55 PM
I hear Diebold also blames the US Presidential election results in 2000 on the voters.
I must be a flaming idiot because I don't get it.
Is AV *bad* to have installed?
Or is it just that this is not the problem that needs solving?
Or that AV has absolutely nothing to do with the problems the systems had?
Or something else entirely?
By the way, McAfee is the same AV they put on ATMs along with Sygate personal firewalls (as of about 7 months ago when I last worked with them).
Yes, installing random, unaudited, untrustworthy third-party software on what is supposed to be a highly secure system is generally a bad idea. At best it may cause malfunctions, at worst it can provide a door for an adversary to compromise the system.
Supposedly they partner with McAfee and certify their AV.
It is the only AV they will support on their ATMs. If you install anything else, every problem is then your fault.
Same for Sygate firewall.
They needed "something" and went with McAfee. But I doubt they have source code access or anything.
I suppose a voting system should never be in a situation where it would be possible to try to infect it with a virus (not on a network, no external connections publicly accessible, no way to get to the underlying OS through the interface, etc).
But I guess it isn't really that way.
The computers involved in voting and counting votes shouldn't have anything else on them.
Computers are cheap, for something that important the cost of a dedicated machine is trivial.
Anything on that machine could influence the vote counting, AV software is a perfect example since by design it manipulates other programs running on the machine.
Since all the software on the machine should be fixed. No one should be surfing the web, downloading random shareware programs, etc, etc there's no need for AV software.
Adding it just opens another attack vector. Now McAfee can manipulate election results with a simple virus program update.
What a wonderful analogy. Thanks!
Funny. I saw this comic and thought, "I should send this to Bruce".
Also, sam, you are right on!
"Supposedly they partner with McAfee and certify their AV. "
I see. The emperor approves of his tailors before proclaiming their new invisible suit for him a masterpiece of fashion?
Certified is a word that begs the concept of governance and transparency.
Did you hear what happened to the "No. 1 tester of voting machine software" in America?
"Ciber Inc. of Greenwood Village, Colo., was told to stop testing machines after a federal assessor found the company had failed to follow proper procedures and could not show that it had conducted all the required tests, said Donetta Davidson, who heads the U.S. Election Assistance Commission."
Not just McAfee themselves, but anyone with even basic computer skills. McAfee AV had a series of well-known system-level vulnerabilities recently (prob around the time Diebold installed them) and a dedicated scanner soon appeared.
Don't the voting machines run linux as their OS? Or am I missing something? Antivirus software lol.
Yeah, I get it.
I worked with Diebold and ATMs for six years, so that is what I think of when I think of their systems.
Voting systems are at a different level of importance than ATMs.
ATM issues cause problems for individuals and perhaps some banks, but a problem with voting machines causes problems for the entire country and undermines one of our Constitutional rights.
In my humble and lay opinion, it goes even further than that. It's not just that the machine shouldn't be used to do things like download shareware applications or even surf the intertubes, they shouldn't have internet access in the first place. Or, to be more clear, the internet shouldn't have access to any part of this electronic voting system.
But then again, if we start talking about what should or shouldn't be done regarding an electronic voting system, we'd have a long list of things to talk about which would be almost entirely incongruous with the reality of the Diebold/Premier system.
Uh, there's a pretty simple difference between voting machines and ATMs.
ATMs have to be a part of a live international network.
Voting machines really shouldn't be exposed to other computers at any point between setting up a trusted configuration and dumping results.
(If you connect your voting machines to a network, Cylons can hack your elections!)
What I'd like to know is why a machine running Windows (or any other full-scale OS) is required for this purpose.
It seems to me that any high-school student's graphing calculator has more than enough power to load a list of elections and referenda, produce a prompt for the voter, store the votes and later transfer to another device (whether via direct, physical connection or secured network).
Why don't we build minimalistic machines? Simple, low-power, low-cost processors, a bit of RAM and flash memory. Code the entire system from the ground up; it's not like these things have to be complicated with rainbows and animations. Anybody who took an undergraduate course in operating systems should be able to navigate the basic requirements; throw in an expert coder instead and you can have a trim system for less money than something that is running Windows (etc.), and probably a damn sight more secure since there wouldn't be any room for holes (no network stack, no program loader, no flexible UI, none of the things that make a PC versatile, since this has ONE function).
Furthermore, this kind of small code would be more easily verified by outsiders, and less likely to contain anything worth keeping as a corporate secret, so *more likely* to be allowed to be verified.
I guess I just don't get it.
"It's not just that the machine shouldn't be used to do things like download shareware applications or even surf the intertubes, they shouldn't have internet access in the first place."
Exactly. I don't remember the Diebold machines having connectivity. Is this new?
Or, is it running AV software in case somebody inserts removable media with a virus on it? In that case, it's a little more understandable.
On the contrary - you do get it. There are oodles of hardened real-time industrial-strength operating systems that could be used for an application like this. I think the only reason Diebold didn't use one is laziness. It is a lot easier to find Windows programmers than people with real embedded programming experience.
Jason, it's crap design to use a desktop PC operating system on either a voting machine or an ATM. If you are installing desktop PC security software on something that shouldn't be running desktop PC software, you're doing something very wrong.
I think you mean maximizing return on investment?
They have re-purposed insecure ATM systems running "embedded" Windows XP because they could increase revenue to an existing product.
The fallacy is that voting systems are on a closed network. Remember that Diebold argued the same fallacy in 2003 when they revealed their ATMs were being infected by viruses.
"Diebold does not know how the worm got on to the closed financial network."
They also could not explain why their customers did not apply known high-risk security patches in a timely fashion...
If you want an example of how this plays out in the elections market, the official in Los Angeles (Conny McCormack) actually argued that flaws in elections software were acceptable because they could be found in the future.
"We have not been dotting every 'i' and crossing every 't' to certify all the software. But it would be the biggest irony, to me, to have someone say that because we hadn't done it by such-and-such a date we couldn't do it."
Incidentally, she also just happens to be a close personal friend of the Diebold sales representative. Now are you scared?
Contrary to her statement a lack of proper certification is exactly what has been documented in the US, as mentioned in my earlier post above.
How about now?
Antivirus is CYA (Cover Your Ass) security. If the voting machines are attacked through malicious software, Diebold can claim that they did everything possible to prevent a software attack. The analogy presented in the cartoon, if you haven't figured it out already, can be explained by: "Antivirus software is as safe as wearing a condom, but why are you having sex with your students?"
"You are doing it wrong!"
You should not be able to install antivirus on a voting machine. It shouldn't be that type of machine; it should be something that counts and then prints what it just counted on a paper backup. You don't need a bulky commercial OS for that. It shouldn't even be connected to a network. At the end of the day it gives the results and the precinct reports what it says. If there is a problem, everyone sits down and counts paper ballots like we always have.
You state that "ATM issues cause problems for individuals and perhaps some banks, but a problem with voting machines causes problems for the entire country and undermines one of our Constitutional rights."
I'd argue that a problem with voting machines could cause problems for the entire world, never mind your constitutional rights ;)
From what I've read, the problem with the McAfee AV software is actually on what they're calling "tabulation servers."
"Premier issued a product advisory to its users instructing them to disable antivirus software on vote tabulation servers when uploading votes from memory cards."
What I get from this is that there are (at least) two different machines that Diebold/Premier peddle: the voting machines themselves, and these tabulation servers. Information from the voting machines is stored on "memory cards" and uploaded to the tabulation server to be compiled in with results from other machines.
So what they're saying is that the tabulation servers, which handle data from multiple voting machines (tens? hundreds?), have this AV software installed for some reason, whether it's because they have active internet connections or because they're afraid of removable media containing virii.
In any case, it's enough to make a rational and intelligent person want to throw themselves out a window.
What most people miss when comparing voting machines to ATM's is that voting machines control far more access to money than ATM's do.
Preventing electoral fraud is really quite simple, even if you want to give voters an electronic interface:
1. Voters are presented with a screen where they select from among clearly labeled candidates, with an option to write in a name if that is part of their electoral system.
2. The vote is then registered electronically, by whatever means, and a piece of paper is printed with the person’s choice of candidate, ideally in large bold letters.
3. For an election involving multiple choices, each is likewise spelled out clearly. For instance, “I vote NO on Proposition X (flags for orphans).”
4. The voter then checks the slip to make sure it is correct, before dropping it in a ballot box.
5. These are treated in the standard fashion: locked, tracked, and observed before counting.
6. The votes are tallied electronically, with a decent proportion (say, 20%) automatically verified by hand.
7. If there is any serious discrepancy between the paper and electronic votes, all the paper ballots should be counted. Likewise, if there is a court ordered recount on the basis of other allegations of electoral irregularity.
A more elaborate system, which helps ensure your vote is counted:
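Steps 6 and 7 of the procedure above, as an added example that is not part of the original comment: an electronic tally, a 20% hand check of paper slips against the machine record, and escalation to a full paper count when the sample disagrees. The ballot records, the 1% discrepancy threshold and the "dropped vote" defect are all constructed assumptions.

```python
"""Paper-vs-electronic audit simulation (added example, not the post's own code)."""
import random
from collections import Counter


def make_ballots(n_a, n_b, drop_every=0):
    """Constructed ballots: each has the voter-verified paper choice and what
    the machine recorded. If drop_every > 0, every drop_every-th ballot is
    silently lost from the electronic record (a dropped-vote style defect)."""
    ballots = [{"paper": "A", "electronic": "A"} for _ in range(n_a)]
    ballots += [{"paper": "B", "electronic": "B"} for _ in range(n_b)]
    if drop_every:
        for i in range(drop_every - 1, len(ballots), drop_every):
            ballots[i]["electronic"] = "(dropped)"
    return ballots


def electronic_tally(ballots):
    """Step 6, first half: count what the machines recorded."""
    return Counter(b["electronic"] for b in ballots)


def hand_audit(ballots, fraction=0.20, seed=0):
    """Step 6, second half: hand-check a random sample of paper slips against
    the electronic record for the same ballot. Returns (sample size, mismatches)."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    sample = rng.sample(ballots, max(1, int(len(ballots) * fraction)))
    mismatches = sum(1 for b in sample if b["paper"] != b["electronic"])
    return len(sample), mismatches


def decide(ballots, fraction=0.20, max_mismatch_rate=0.01, seed=0):
    """Step 7: if the audited sample disagrees with the machines beyond the
    assumed threshold, the paper ballots decide; otherwise accept the
    electronic result. Returns a dict describing the outcome."""
    audited, mismatches = hand_audit(ballots, fraction, seed)
    outcome = {"audited": audited, "mismatches": mismatches}
    if mismatches / audited > max_mismatch_rate:
        outcome["action"] = "full_paper_count"
        outcome["result"] = dict(Counter(b["paper"] for b in ballots))
    else:
        outcome["action"] = "accept_electronic"
        outcome["result"] = dict(electronic_tally(ballots))
    return outcome


if __name__ == "__main__":
    print("clean run:", decide(make_ballots(520, 480)))
    print("buggy run:", decide(make_ballots(520, 480, drop_every=25)))
```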
"Diebold can claim that they did everything possible to prevent a software attack."
I can see it now. "Yes, Senator, we construct our blast-resistant nuclear fallout shelters out of secret airtight materials, using our proprietary airtight processes, and, just in case it rains, we include complimentary buckets, the best buckets money can buy."
The only reason to have antivirus software is that you expect that random external files will be introduced to the system on a repeated basis, and you want to check each one for problems. But a properly designed voting machine isn't going to be off surfing the net, with a user clicking randomly on this and that.
Antivirus software implements a blacklist: exclude known bad guys and permit anything else. For a voting machine, you'd want to reverse that and implement a whitelist: only known files should be on the system and every unneeded service should be disabled.
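The whitelist approach described in this comment, as an added example that is not from the original post: a manifest of every file that belongs on a fixed-function machine, and a check that flags anything unknown, modified or missing. The directory layout and file contents are constructed in a temporary directory so the script runs offline.

```python
"""Allowlist integrity check for a fixed-function system (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record every file under root with its hash: this is the allowlist,
    taken once from the certified image."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree to the manifest. Unlike a blacklist scanner,
    anything not on the list is flagged, whether or not any signature
    database knows about it."""
    current = build_manifest(root)
    return {
        "unknown": sorted(set(current) - set(manifest)),
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(
            p for p in set(current) & set(manifest) if current[p] != manifest[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter the tree in the
    three ways an allowlist catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ballot").write_bytes(b"\x7fELF trusted ballot app")
        (root / "etc").mkdir()
        (root / "etc" / "layout.cfg").write_text("races=3\n")
        manifest = build_manifest(root)

        (root / "bin" / "ballot").write_bytes(b"\x7fELF patched")  # modified
        (root / "bin" / "helper.exe").write_bytes(b"MZ unknown")   # unknown
        (root / "etc" / "layout.cfg").unlink()                     # missing
        return verify(root, manifest)


if __name__ == "__main__":
    print(demo())
```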
There's been a lot of very good comments in the form "If you wanted to build a hack-proof voting system".
This of course makes a very large assumption: That the people driving the design decisions have in fact been tasked with delivering a product that ensures that neither side can steal an election.
Just sayin', ya know? Now where's my tin foil?
In most states, voting systems are flat banned from having any network connections outside of the voting system itself.
The AV software in question was on the central tabulator, which runs either Win2k or WinXP. The actual database of votes is held in, I swear to God, Microsoft Access. Sigh.
Anyways. They have to connect the voting system parts to each other (at least long enough to download ballot layouts to the terminals and upload results), but not to any other system, let alone the Internets.
So the analogy is apt: they need AV software like a teacher needs condoms.
Excellent analogy, understandable to non-experts. Impressive.
XKCD has alt text for every cartoon. Nobody has mentioned it yet, so I thought I'd point out that today's alt text is "And that's *another* crypto conference I've been kicked out of. C'mon, it's a great analogy!"
Worthy of expulsion?
First off, I agree that the vote tabulation machines shouldn't be running a stock OS like windows. They should be running some kind of opensource embedded style OS.
But in a counter argument to all those "they shouldn't be downloading stuff from the net" arguments, that's not the only source of virus to worry about here. What about all those vote machine memory cards that will be plugged in? What if just one of those cards was somehow tampered with and infected? This is all hypothetical, and whatever virus it's infected with would likely not be one a stock anti-virus software would recognize, so it's probably a moot point anyway.
If the memory cards were not secured, and have been tampered with, the integrity of the election has already been compromised. You've already lost.
Is this a case of building a 'good' product, or building something so cheap that any 'better' solution seems prohibitively expensive?
Was the contract for the voting machines given to the lowest bidder?
I think you underestimate the complexity. At the very least I imagine there are various accessibility requirements for sight-impaired people, for example. So it makes sense to reuse existing software for some of these things. That said, there is no excuse to not audit what goes into the machine and to expose unneeded functionality that could compromise the system.
I question the need for software of any kind on a voting machine. Honestly the most difficult task a modern electronic voting machine does is render nice-looking fonts, and that (and everything else a voting machine ever needs to do) can be done in fixed-function custom hardware.
I think the best practice for electronic voting machines should be to rigorously exclude microprocessors and even things like non-volatile memory and FPGAs.
I would guess neither, since I would not think that these machines are cheap. My guess would rather be a flawed or corrupt bidding process. Smooth talking and some gifts probably sealed the deal.
What the heck were they connecting a voting machine to that it even needed AV??
No machine should need AV software, it doesn't work when you really need it and it gives the user permission to be lazy and therefore a false sense of security. I can't tell you how many times I've heard someone say "I'm curious about this and it's not dangerous because I'm running an AV." Doh. I haven't run an AV on my home PC in over 10 years and I've never had a virus.
After ten years of benevolent activity helping to configure, maintain and debug personal computers, I don't recall a single time an infected machine didn't have antivirus software installed.
100% of those machines had AV software running. Unfortunately, as soon as this software is installed, complete nonsense behaviour starts, as a mystical sense of an absolute shield prevails (a.k.a. "divine protection").
So, in a voting machine, I don't expect a better use. A fire-and-forget security issue.
By the way, this COULD be the weak link to hack those machines, because they rely on obfuscation (AV companies do not publish source code).
Voting machines typically run WinCE, the election management software is a standard Windows PC. The antivirus software is really best practice on Windows.
Memory card viruses have been demonstrated, see California's top-to-bottom review by the California secretary of state. Unfortunately, commercial virus software is unlikely to catch it.
Current voting machines have so many real flaws, there's simply no need to make stuff up about their lack of security—it's already quite well documented.
@ Confused - you aren't. Diebold is yet another corporate case of bean-counters overruling the engineers and designers.
@ Wally - "easier to find Windows programmers" - much cheaper, too. Why roll-your-own or reinvent the wheel on such trivial things as ATM and voting machines where security should be paramount?
@ Davi - if my memory serves me, I read that Diebold used to use a version of AT&T UNIX on its ATMs. Guess Windows Embedded was cheaper and prettier when they needed to "improve" the product line.
@ Pip & n - "RING-RING-RING - We have a winner!" ATM's and voting machines should be running proprietary OSes on proprietary hardware. Only the source code for the voting application should be public domain, inspectable, and truly independently verifiable. (NOT OpenSource - we don't want a Wikipedia scenario with developers kludging the code for fun and profit.) It's a disgrace that banks have cheaped out on systems to allow WinPCs as interfaces to BigIron, or even worse allowed WinServers to replace the BigIron.
@ King - you're delusional or a liar - any machine connected to a public network will be exposed to a worm or virus at some point and will become a target for infection. Plus, you couldn't possibly know your PC wasn't infected without running some sort of AV software. Really, you expect us to believe that perhaps you can decode and track Assembly or binary in real-time to observe the actions and interactions of all the software running on your machine? Right....
Folks, the biggest thing on this is not security through obscurity, but accessibility. BigIron isn't my favorite flavor, but the access model was right: limit who touches the data with the right hardware and software, and lock it up six ways from Sunday. Windows expands on the DOS mentality - extensibility by anyone for any reason - take a long look at the benefits and costs that's brought us.
The reason that AV software = 'You are doing it wrong' is that, for a voting system, any opportunity for it to connect to (or be connected to) anything untrustworthy means there is an operational or design failure. These aren't phones or internet terminals. These are the fundamental building blocks upon which democracy depends.
There should be no opportunity and no chance that untrusted code could execute on a voting machine. Just like there should be no way that a teacher should need a condom when interacting with his or her students.
Confused: One thing you forgot to consider is that while one concern is that a hacker attempt to change results on purpose, another concern is that a programmer will accidentally introduce a bug which will _accidentally_ change the results.
Which clearly isn't to say that Windows was a good choice, but an undergrad OS student may be able to write an OS which works most of the time, but they are quite likely to not consider all the edge cases (like race conditions, etc.) and write code with bugs.
The system either needs to run on software you REALLY trust to be bug free -- which I'd argue probably doesn't exist -- or you need to design the entire system to be so simple that you can be confident the whole system is correct. The Indian system might possibly approach that level of simplicity, but I suspect that such a system should really involve paper and counting (at least to audit.)
While the Swiss use quantum crypto in voting to exchange keys securely, the U.S. has some of the most hackable voting machines/tabulators in the world. What's going on?
@FloridaBadger: Sorry, I'm neither delusional nor a liar, though you can believe whatever you like. A machine, even if connected to a public network (and, back to the original point, why would a voting machine be!?) is only exposed to malware if the user does something stupid or doesn't run a firewall. Because AV isn't perfect, running one won't tell you in every case even if you have been exposed anyway. I track all my outgoing traffic, so yes, I can characterize my traffic and I know none of it is virus-like. I trust that more than any AV.
There is no point having a firewall if there is no access to the Internet.
The only things that should physically connect to the voting machine are the power supply and backup and the devices that configure the machine, verify integrity, and copy totals.
There should not be a port to upgrade the OS or the software, as this would open the door to rootkits and other malware. Upgrades should require the physical removal and replacement of hard components.
Thus, no need of a firewall.
I was addressing an off-topic rant against my original post when I mentioned the firewall. Of course, voting machines should need neither a firewall nor any AV because they shouldn't be connected to any network that would require it, of course.
@Confused: You're right, the most complicated OS this needs would be something along the lines of MikBug.
Have a college assembly language class write touchscreen, keyboard, handicapped and flash memory card I/O (need an encrypted memory input capability to get the latest candidate info as well as vote storage output for tallying) and storage routines and RFC it before implementing.
The hardware should not have any network access. If for some unforeseeable reason it should need remote communications, it should use dial-up directly to the server, manually entered by a human and logged to the vote paper log. It should use a memory card that is physically carried by humans to the tallying machine and print the official tally on paper where the voter can confirm it. It should also set off an audible alarm whenever a memory card is inserted or removed.
There should be automatic audits. There should also be manual recounts - but when the vote is overwhelming, not when it's close.
I ran into the same philosophy back in 1985 when IBM PCs were fairly new. I worked at a place that made a proprietary computer which was used in spirometry machines (breathing and lung function testing). It worked very well. But the marketers said to be competitive we had to have IBM PCs running them instead of our own machines [all I can guess about the logic behind this is that the admin staff at the customer hospitals needed to go up into the pulmonary labs and interrupt $3500/hr of profit-making spirometry tests in order to do word processing or spreadsheets or something].
So we took the keyboard off our machine, put it in a small box, called it an "interface", hooked it via cable to the PC, wrote a pass-through program for the PC (very similar to a browser today) and voilà - now your $35,000 spirometry lab machine can also run Flight Simulator in addition to pulmonary testing for only $4000 more than the stand-alone box. In today's world the equivalent would be running it under Windows.
"...the marketers said to be competitive we had to have IBM PCs..."
Sad but true.
Here's another good example I wrote about after a recent FDA ruling:
Try to sell most Americans high fructose corn syrup, carbonated water and flavor they will look at you funny...but if you say "coke" their pocket-book will mysteriously open.
Note that Coke changed two things in 1985, one was the marketing of their flagship product and the other was the sweetener they used.
A backlash forced them to move away from the new marketing. However, the contents remained changed forever in America. Other countries still have natural sweeteners instead of chemical byproducts used in America.
"Pretending that soda made with high fructose corn syrup is ‘all natural,’ is just plain old deception," said CSPI executive director Michael F. Jacobson. "High fructose corn syrup isn’t something you could cook up from a bushel of corn in your kitchen, unless you happen to be equipped with centrifuges, hydroclones, ion-exchange columns, and buckets of enzymes."
Think of it just like when Diebold put Microsoft Windows in the electronic voting machines -- it is not natural.
I recall the Sony root kit story, where the anti-virus s/w folks were approached by Sony to make sure their back doors into users' computers were not detected, and they complied.
Think of it this way ala XKCD:
Imagine you're at a Parent-Teacher conference, and the teacher reassures you that he always wears a condom while teaching, the same day that the newspapers break a front page story saying that *all* the major condom-makers admit to sticking pins through their product before shipping them.
"Doh. I haven't run an AV on my home PC in over 10 years and I've never had a virus."
Then how do you know you never had a virus? Maybe you've got one right now?
Latest News (Washington Post):
Ohio Voting Machines Contained Programming Error That Dropped Votes
"The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is the root of the problem has been part of the software for 10 years, said Chris Riggall, a spokesman for Premier Election Solutions, formerly known as Diebold."
(Warning: off-topic a bit)
I suggest that the greatest threat to the integrity of elections is the temptation to make voting more convenient, via "remote" voting (absentee ballot or remote electronic voting schemes). The threat is not fraudulent voting (i.e., "identity theft" of some sort), but vote selling. It is the inability of people to prove how they vote (in the privacy--and sobriety--of the voting booth) that impedes their ability to sell their vote for, say, another bottle of wine or an extra-large pizza. Or to be peer-pressured effectively into voting "correctly."
"The threat is not fraudulent voting (i.e., "identity theft" of some sort), but vote selling."
Not in the UK; it was found that in some places the local councils had no checks in place to ensure voter names matched homes.
After one particular election an official investigation (by the Police) showed that some houses had had 50 ballot papers sent to them.
"Or to be peer-pressured effectively into voting "correctly."
Again in the UK (supposed) party officials came around to peoples homes and either filled the ballot in for the occupier or took them away "to stop them getting lost in the post".
Further, after a number of people complained they had not received their voter cards, it was found that in a number of Asian areas the head of the household had got postal ballot papers for the family and filled them in and returned them.
So the abuses are wider in scope than you think.
"Doh. I haven't run an AV on my home PC in over 10 years and I've never had a virus."
Then how do you know you never had a virus? Maybe you've got one right now?
To be precise I'd say: "I haven't run an on-access AV on my home PC in over 10 years and I've never had a virus, even when checking from a boot CD"
So I have installed a scanner to check the blacklist, just for you, but I don't use the machine crippling POS that you call an AV.
ie: we've done a pregnancy test; you get it now?
It's true for condoms too; ie there are better methods we can use instead.