Schneier on Security
A blog covering security and security technology.
« Coast Guard Solicits Hollywood to Help with Movie Plot Threats |
| Smart Profiling from the DHS »
May 22, 2006
Diebold Doesn't Get It
This quote sums up nicely why Diebold should not be trusted to secure election machines:
David Bear, a spokesman for Diebold Election Systems, said the potential risk existed because the company's technicians had intentionally built the machines in such a way that election officials would be able to update their systems in years ahead.
"For there to be a problem here, you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software," he said. "I don't believe these evil elections people exist."
If you can't get the threat model right, you can't hope to secure the system.
Posted on May 22, 2006 at 3:22 PM
• 54 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Truth is stranger than fiction.
Let's just hope this is a case of an ignorant spokesman, and not an actual reflection of the company.
Tell him to type in "election fraud" "conviction" into his favorite search engine.
For some reason, the image of a very young child comes in to my head, closing his eyes and thinking nobody can see him because he can't see them.
"If we can't see the attackers, they can't see our vulnerabilities"
I figured that one of the reasons that Diebold bought Global Election Systems was because adding the Diebold name would imbibe them with more trust. At least among the tech community, it seems the effect has been precisely the opposite, increasing distrust of Diebold.
Re: "Let's just hope this is a case of an ignorant spokesman, and not an actual reflection of the company"
Aviel Rubin, a professor of computer science at Johns Hopkins University, did the first in-depth analysis of the security flaws in the source code for Diebold touch-screen machines in 2003. After studying the latest problem, he said: "I almost had a heart attack. The implications of this are pretty astounding."
I guess that in the perfect world Diebold is living in, there are no "evil officials" and Diebold is the prime example of a responsible company.
Seriously, can we ban the use of these things now?
This guy has obviously never been to Chicago :^)
Ah, c'mon. What did you expect him to say? "Whoops?"
Seriously, can we ban the use of these things now?
hah. not likely, as long as the prevailing public opinion continues to be
Let's just hope this is a case of an ignorant spokesman, and not an actual reflection of the company
It should be intuitively obvious to the casual observer that any vendor that has to make this kind of handwaving appeal to authority in order to defend itself from allegations of fraud has no business marketing voting machines in a democratic society. If Diebold were the company they want us to believe they are, they would understand that there is no substitute - none - for public scrutiny of election procedures and public auditing of election machine source code; they would understand that an honest broker has nothing whatsoever to fear from exposure to the light of day.
A company worthy of the public trust would understand why the public is perfectly justified in mistrusting a voting machine vendor - any voting machine vendor - who will not place their source code in the public domain.
Oh, come on, now. You're taking out all of the fun of Chicago politics! :)
In the real world, perfect security is impossible -- you have to pick and choose between movie plot threats and legitimate ones. There are simply so many systems and so many ways these systems interact it's impossible to make it perfectly secure, and still allow people to live their lives peacefully. In the electronic world, it's different. You're no longer dealing with radical terrorists, you're (often) dealing with highly intellegent, mentally endurant, highly motivated people with the time and energy to do whatever it takes to get whatever they want done.
You cannot say "no one is willing to do that" in electronic security. There is always someone willing "to do that", and hoping that person exists doesn't change the fact that they do. Whatever the flaw, someone will have the motivation and knowhow to exploit it. The only question is whether or not luck is on your side and they fail to do so.
Real life security threats aren't the same as electronic ones, in the sense of protection against "minor" (or not so minor) flaws. In real life, perfect security is not possible, in electronics, it's all but manditory. If you make a mistake, someone will exploit it. Geeks have a different attack stragety than terrorsts, and you have to model your defenses to reflect that.
And when the flaw is as widely known and recognized as this one is, it only makes matters worse.
And to top it off, it's not even like this type of exploit hasn't been used before. No one's willing to do it? They already have.
I have to go now. California elections are about to take place, and I need to vote for Governor, etc. And I can't help but notice that there are no punch-through holes this time, just SAT-like ovals...
Maybe we should compare the gain of election fraud with that of bank fraud through ATM machines; Diebold makes those too.
With ATM fraud you'ld be able to extract several thousands of dollars per ATM per day. A large scale operation could divert a fraction of the GNP of a country. Successfull election fraud brings a group of political candidates of your choosing in office, allowing you to divert a significant proportion of the tax income into your pockets (with tax breaks).
The gains of election fraud are interesting enough to consider them on par with bank and other financial frauds... What are the risks of being caught? Your elected government has no incentive to investigate your fraud, where the banks have all incentives to investigate fraud.
of course we exist. what a moron!
Diebold's ATM machines provide much better security than their voting machines do. In particular, they produce paper records of transactions, and they are built like safes.
Diebold also makes ATMs. Is anybody getting real nervous?
"Diebold's ATM machines provide much better security than their voting machines do. In particular, they produce paper records of transactions, and they are built like safes."
That's part of Diebold's problem. Building a automated financial transaction machine is not similar to building an electronic voting machine -- except for the cool touchscreen thing.
Maybe it's Schneier who doesn't get it. He's assuming Diebold, through its spokesperson, is engaging in a rational debate on the matter. Perhaps what Diebold wants is simply to keep selling its machines, secure or otherwise. Their agenda is PR, not science.
On that scenario Diebold won't enter a rational, evidence-based debate; because doing so would "legitimise" doubts about their product. Instead they'll employ misdirection: "security of our machines is only an issue if the election officials are dishonest". Let me guess who decides/recommends which machines to buy....
The differance between ATM's and elections machines (and why the former is so much more secure than the latter) is that it's easier to prove that someone stole your money.
Your post reminds me of something in one of Bruce's books. Some bug in Netscape that they had figured would take such and such amount of time and computing power to exploit and wasn't worth fixing. Sure enough some university students with no lives figured out how to exploit it.
Who would have an interest in falsifying the results of an election?
Evil elections people.
But the other implication is that, since Diebold says there are no evil elections people, then there can't have been any elections that were falsified.
It's a goofy statement no matter which way you play it.
A long long time ago, a wise man wrote "Security is a process, not a product" and he said "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology".
Security in electronic election is a matter of process, not product or technology.
Chris Walsh -
You took the words out of my mouth. Whoever doesn't believe in election tampering hasn't so much as heard of Chicago.
Of course we burned the ballots after counting them! It's a tradition! What?
"Maybe it's Schneier who doesn't get it"
He gets it only too well. Of course Diebold is pitching its products at exactly the market of "evil" politicians who are the ones that will buy the product in the end.
Interesting is, that experts in the form of consultants, technicians, scientist who know what is best for the common good do not have a voice because it is the same "evil" politicians who ultimately control the press.
Hence Bruce's blog. He at least tries to counterbalance the propaganda.
"election officials would be able to update their systems in years ahead"
Sounds like children of the future will wonder what it was like to vote, before election officials "updated their systems" to determine who would win an election.
"I don't believe these evil elections people exist"
If you win, you must not be evil, right?
@Joe Buck: "Diebold's ATM machines provide much better security than their voting machines do. In particular, they produce paper records of transactions, and they are built like safes."
When we're talking about electronic security, the physical (safe) doesn't really matter.
What are the paper records worth? If you , say, find a hack to let any Diebold ATM spill out all of its money (no matter if the money is charged to some account or not) - will the customers (banks) be relieved to have a paper log? "Wehre's the money? Oh, yeah - here it says "all gone". Phew" ;)
But whats getting all that money vs. getting president ;)
I wonder if Diebold lock their doors at night...
There's a very simple and cost-effective solution to the problem of election fraud: abolish the elections. Just don't elect anyone.
Sounds insane? Think again.
Elections are nothing more than a classical security theatre - pretending that the danger of a government can be mitigated by the ritual of choice. The history teaches that even the worst dictators can be lawfully elected.
The real problem with democratic process is that it always boils down to some group of people forcing its will by violence or credible treats of violence onto people who did nothing wrong to the members of that group.
It does not matter if you're electing between two criminals - no matter what your choice is, you're mugged. It follows that the integrity of the mechanics of choice is totally irrelevant to your protection.
The real problem is that Diebold is used to making their customers (banks) happy., and they're not used to looking out for the interests of the users of their ATMs. So now they're trying to make their customers (election officials/party in government) happy, not to make the users (voters) happy. The two are subtly, but importantly different.
McGavin said, "Building a automated financial transaction machine is not similar to building an electronic voting machine -- except for the cool touchscreen thing."
I think ATM machines often have terrible user interfaces **because the ATM machines are designed to protect the bank's assets, not the user's interests**. For example, there was an ATM (in a Microsoft cafeteria of all places) that would not shut down and say "out of cash" when it had no money in it. Instead it would report "amount requested too large" at the end of the transaction instead of giving me money. Only after several wasted minutes, trying to withdraw successively smaller amounts, did I realize what the problem with the machine was. The bank didn't care that the ATM had wasted my time -- there was no risk of their money being stolen. So as far as they are concerned the interface was perfect. The ATM makers had made the rational decision of ignoring my wishes, and focusing on their paying customer.
**But election machines need to protect the user's vote, NOT the interests of whatever party or government official orders the machines.** So in a sense Dibold is exactly the WRONG choice of a company, because they have no experience making the user's experience safe and easy; only experience making their customer's experience safe and easy. So it should come as no surprise that they're trying to do what they know -- making their customers happy, not their user's happy. Note what the Diebold spokesperson said, the problem existed because they made it _easy for their customers_ (the election officials who bought the machine) to do something _at the expense of the users' security_.
Making matters worse, Diebold has a very good track record with banks. And since the issue of customer vr users is a tad subtle, they seem like exactly the right people to make the machines at first blush. Even if you changed from Diebold to Triton, or IBM the same problem would exist. The problem isn't just with Diebold, it's with the process of selecting the the machines to buy. Asking for bids on voting-macines gives
And while we're discussing interface, I think it's a mistake to say the interface of an ATM machine is similar to that of a voting machine. ATM machines verify you, then let you select if the machine should dispense 0 and 25 $20 bills. Voting machines do not verify you, and they let you select one or none of a variable number of candidates (who the voter may never have heard of before, but nonetheless need to be clearly identified), for a variable number of races. Choosing one item out of a long list of names is essentially what the an MP3 player's interface does (choose 1 song to play). So Sony, Apple, or Rio would seem to have better qualifications for making an election machine then Dibold.
Not only do we exist; we have a union. Dont worry about your dues, well take those out of that offshore account you're hiding...
@anonymous: Actually, yes the paper records will be used to try to get the money bank. The bank will find the account number of the person who supposedly took out the money, dock his account, and then it will be up to the victim/customer to write letters and file lawsuits to prove he didnt take it (an impossibility - proving a negative) to get it back.
I used to develop ATM software - one time I installed a bank with hardware DES encryption. THey had a 16-char hex key. I accidentally memorized it through repeptition during the development process. When the bank VP found out, he went nuts "You could steal all the money". I was young and stupid enough then to point out that knowing the key was trivial; since I wrote the code I could have coded it to just dump all the money out the presenter when I put my card in and not print anything anywhere. It didnt seem to make him feel any better.
"If you can't get the threat model right, you can't hope to secure the system."
It seems to me that most everyone here is getting the threat model wrong. Here's the threat I am worried about:
1) CEO of a company equipped to make voting machines feels highly motivated to help a particular political party gain/keep power.
2) That company starts making voting machines.
3) The voting machines this company makes are closed-source, have no verification, and are demonstrably insecure.
4) Employees of the company screw with the machines to commit virtually untraceable voter fraud.
5) In order to keep their machines on the market and maintain plausible deniability, the company makes press statements denying the alleged threats, but do so in ways that show unexpected naievety.
We already KNOW that steps 1 - 3 have happend here. And we know they are doing step 5, even if we don't know their motivation. Assuming step 4 didn't happen is about as naive as you are accusing them of being.
@Kne: step 1 is superfluous. I'm only worried about steps 2-4 and dont care WHY. Employees doing it because they have been bribed instead of coerced by the boss does not make it better.
This is just a distraction.
The REAL PROBLEM is not the touch screens.
It's the central tabulators at the precinct level. Hack into those (why do they need dial in access?) and you can change the election results at will - no trace!
Optical scan paper ballots fixes the vote capture problem (with traceability & reliability). But it's irrelevant if the count gets modified after the fact.
(as long as the people making the ballots are trustworthy - don't look at any connections here; move along - nothing to see here)
It's the SYSTEM, stupid. How do the votes get captured AND counted after they leave the polling place?
We no longer live in a democratic republic. It's OVER.
I am reminded of the complex controls the Catholic Church has in place for the election of a Pope, about which Bruce wrote some time ago. Here's a bunch of guys who are in positions of great trust, who are nonetheless required to vote according to a system which has been specifically designed NOT to assume that they are honest at all. Of course, this system is probably more expensive than having each cardinal mail in a postcard.
I think the expense of designing a proper system is part of the issue with Diebold. Municipalities do not know what requirements the system should have, security-wise, so the firms responding to RFPs compete on price and you get junk.
@"karl rove": That issue has ALWAYS been there. We are now bitching at an additional layer of vulnerability that has been added at the last minute and great expense(apologies to monty python); with (ironically) the ostensible purpose of making the system MORE secure. Its a lot easier to secure 1 mainframe per county than it is 243 voting machines + 1 mainframe per county .
As Abraham Lincoln said: "The ballot is stronger than the bullet..."
But take people's belief in the former away...
Anyone from Diebold get it now? Of courese not. Diebold is a busniess. They are focused on sales, not on results. They will market based on claims of "easier, cheaper, faster" but not on "accountability, security, reliability" until their hand is forced.
The laws of the Nation need to change to reflect the requirement of a verifiable paper trail. Only then will the manufacturer feel the need to meet this demand.
There are some procedural defenses against central tabulator attacks. Here's what we do in Wake County, NC:
The results tape from the polling place's tabulator is posted, at the polling place, after the polls close. People could go around collecting them, and compare those results to the precinct-by-precinct official results reported after the election is certified. There will usually be minor discrepancies from provisional and absentee ballots, but this would catch major discrepancies.
Diebold's only interest in its ATM business is pleasing its customers, the banks, but since banks want to please their customers as well, the banks' customers are Diebold's customers as well. The banks are a filter between the ATM users and Diebold, but at some level banks are expressing at least a portion of the preferences of ATM users.
The bigger motivator for Diebold when it comes to ATM security is the prospect of getting sued for negligence over faulty security in their machines. Were their machines to contain a vulnerability that was exploited in a significant way, you'd have 1) ATM users calling attention to it right away, and 2) the banks and ATM users would sue them out of existence.
The same isn't true with voting machines. Voters aren't going to know if their votes have been compromised, so it's much less likely that voting fraud is uncovered/revealed. But even if it is, the damages they'd likely have to pay wouldn't approach those in a civil suit brought by banks & ATM users, particularly if the Diebold's owner and employees have made the appropriate campaign contributions.
What I can't understand is why the appropriate state committees aren't convening non-partisan task forces of experts, leaving out the politicians, and allowing the experts to vett and approve potential voting machines. In a democracy, you'd think that integrity of the voting results would be the highest goal, and allowing technical experts to be the arbiters on the technical issues is the only thing that's likely to guarantee that integrity.
I was a little worried feeding my ATM card in a Diebold made ATM at the mall last weekend.
Thankfully, I only lost $8 out of checking, but my savings went up $2.84, so it's not too bad.
But who appoints the state committees? :P
Nice comments. Just one correction:
"Making matters worse, Diebold has a very good track record with banks."
I'm not even sure about that.
Historically, Diebold had an excellent record in making safes and vaults. When the computer era came around, they decided to diversify into electronic devices kept in safes, and they never seem to have really mastered the security concepts involved; so far to date, Diebold ATMs are the only brand that were taken out by an internet worm epidemic (yes, they were running network connected windoze on a cash machine!)
Put this guy in an airplane controlled by software designed and written in the same manner as his voting machines. Invite him to take a six-hour cross-country flight in the airplane that is announced in the newspapers. No evil people will bother him, I'm sure.
It's not the people who vote that count, it's the people who count the votes.
What if they want to die bold in Diebold? ;-)
You are just too paranoidic, you don't need voting machine fraud to finger voting results. In your country you can be elected with money already. ;-)
I just have an image in my head... talk to the spokesman. Hold up one hand and tell him this is his elections people (evil and not). while he's look at that hand, hit him real hard with the other (slap, punch.. your choice). Then say, "that's the hired 18 year old voter with an agenda to manipulate the vote." Get it?
How is this different than say 5 guys, in a smoke-filled room of course, 10,000 paper ballots, pencils and a few hours to spare???
Diebold only make the machines, before the company responsible closed it was cds systems
and poll count.
I should come clean with you, I don't know that much about ATMs. I could well be wrong about that. You did remind me of these pictures of crashed Dieblold ATMs:
Good points, I believe the reason there isn't a congressional committee investigating this is because it isn't big news. I can't remember the last time a flaw in a voting machine made it on the TV news. People like us are on the lookout for these stories, but they fly below the radar for most people. Also, it's a surprisingly complex issue. It seems easy at first to make a voting machine, but the devil is in the details. So it probably just takes more time then they have. Congressmen aren't experts on everything, if they haven't been told about it, I don't see why we would expect them to know about complex and unpopular issues. Always blame incompetence before malice and all that.
One problem here is that there is little or no financial incetive to invent the "perfect" voting system. By definition, its details are open to review. That means all the cool inventions are free to all the competitors. In fact, it would take the efforts of sizeable standards committe type of organization to create and verify the protocols.
On the other hand, plenty of financial incentive to pretend to create the perfect system and keep its imperfections secret as much as possible.
Even without nefarious intent to corrupt an actual election, there is plenty of motivaiton to make a product that only pretends to be secure vs one that actually is secure.
Maybe we need an open source Gnu-Vote or modElect or something.
Maybe a voting machine/software/protocol contest might be interesting? Give a prize for the design that withstands the most attacks during mock elections. Give prizes for successful attacks. See who can prevail.
Maybe the NSA can help?
More Diebold idiocy from Techdirt http://techdirt.com/articles/20070123/...
Diebold Shows Anyone How To Break Into Their E-Voting Machines
...Halderman was a part of the team that showed that Diebold's locks on their e-voting machines used a default key that was common to many hotel minibars and could be found easily in many places. However, the researchers who noted this were still careful never to show the actual key, preferring not to help anyone who seriously intended on breaking into the machines. Diebold, on the other hand, isn't so careful. The company, that has continually played down reports of security flaws is apparently selling the very key you need to break into their boxes on their online site... with a picture of the key....
You know, what I just don’t understand is how busy everyone seems to be covering Diebold ass.
Look at it this way, if you will. People obsucate the exact shape of the key so that others can’t copy it. People redact file names that allow corruption of the voting record, etc. Why?
Wouldn’t be much better if everyone knew what the keys were exactly? If everyone knew what the file names are that would allow vote manipulation?
Geeks get the technology, but the rest of the world gets it when they have a key in their hand that opens the ballot box and they see that everyone around them has one too.
Set Diebold's keys free.
It was widely reported in the legitimate press (yes, and Fox News too even) that Diebold employees went around the night before the last major election in 2004 in Ohio and modified the software on their machines. These modifications were of course not supposed to happen and there was no information later about what was done to them. So the risk isn't just from election officials, but from one party or the other (in this case the Republican party) somehow enlisting the assistance of Diebold to do who knows what. We know what can be done though- the software is easily modified (as demonstrated many places including UC Davis recently for the State of California) to register totals during election day that are creatively skewed. This was also shown on a TV news show about a year ago. Evidence of problems with Diebold equipment are rampant. However I think Diebold does get it- they just like to deny everything. It always amazes me that us Americans will somehow think we can't correct a problem if the person doing wrong just stonewalls. What's the matter with us?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.