Schneier on Security
A blog covering security and security technology.
« Insider Identity Theft |
| Perceived Risk vs. Actual Risk »
November 2, 2006
How to Steal an Election
Good article. (Here is the full article in pdf.)
EDITED TO ADD (11/2): Here are some additional resources. "E-Voting: State by State," a guide to e-voting vendors, and a review of HBO's "Hacking Democracy" documentary. Also, a debate from The Wall Street Journal on electronic voting, and an Ars Technica article on current-year problems with electronic voting.
EDITED TO ADD (11/2): Another review of the documentary.
EDITED TO ADD (11/3): And two items from The Brad Blog.
Posted on November 2, 2006 at 2:26 PM
• 35 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
There's a fun commentary on this issue, made by Scott Adams (Dilbert's creator):
"[...] there’s a 100% chance that the voting machines will get hacked and all future elections will be rigged. But that doesn’t mean we’ll get a worse government. It probably means that the choice of the next American president will be taken out of the hands of deep-pocket, autofellating, corporate shitbags and put it into the hands of some teenager in Finland. How is that not an improvement?
Statistically speaking, any hacker who is skilled enough to rig the elections will also be smart enough to select politicians that believe in . . . oh, let’s say for example, science. Compare that to the current method where big money interests buy political ads that confuse snake-dancing simpletons until they vote for the guy who scares them the least."
...fun, but at the same time a little thoughtful :)
Voting. It's an IT problem.
I can't help remembering the old joke about Bill Gates being shown Hell by the Devil, where it's all luxury and pretty chicks, so Bill chooses Hell. Then he finds out it's, uh, Hell, to which the Devil say "Bill, that was the demo".
These election officials bought the demo, but what they got was Hell.
@ Anonymous at November 2, 2006 05:42 PM
Color me cynical, but hackable, unauditable voting machines wouldn't be Hell-ish at all for some election officials.
Statistically speaking, any hacker who is skilled enough to rig the elections will also be smart enough to select politicians that believe in...
paying him lot's of money. Not sure that this will mean a net improvement.
But perhaps a sober reflection on the shallowness of democracy as it's practised now will reduce the ardor to export it to the rest of the world by force.
There's a saying to the effect of "there is no city wall so high that money cannot breach" (mangled quote, sorry).
Those same corporate types who essentially decide elections now, even if they don't understand the system, can hire more than enough tech-savvy teenagers to outweigh the Finnish hackers. Think about it: how many techie types are so shallow that they would sell out their democracy for a shiny car, fiber to the home, and a lifetime supply of any computer hardware they wanted? Yeah, I agree that's a depressing thought...
It may seem that electronic voting democratizes corruption by lowering the price tag of our government. That's not really the case, though. Yes, everyone can do it, but only some can afford to pay others to do it professionally.
Perhaps the most stunning recent revelation is that **all** Sequoia Voting System's touch screen voting machines have a yellow button in back that allows you to switch to manual mode and vote as many times as you like. No that's real security.
I can't believe how many millions we've wasted on criminally negligent voting systems.
WTF is this?
"I know that people tend to place (misguided) faith in paper records. There's no doubt they're comforting, although they shouldn't be."
So far, paper has been our best record. Seriously.
"The ATM argument is easily dispensed with. You go to the machine and withdraw $300, which is immediately subtracted from your bank balance. You get a receipt that says you withdrew $300, but the machine only gives you $200. What do you do now?"
Simple, you take that receipt and the $200 into the bank and have them check their records.
Without the receipt, you wouldn't even have a record to show that anything happened to your account.
So your paper trail example contradicts your stated position. Without the paper trail, it is MORE difficult to demonstrate that there was a problem.
And, by that same token, it is EASIER to demonstrate that there was NOT a problem with the system.
All printed receipts ...
total the same as all electronic calculations ...
which match the cash on hand.
The lesson is "get a printed receipt".
This is getting boring! Elections are stolen by stuffing voter lists with dead or inexistant people and similar old-fashioned, time-tested techniques.
This unsound, unhinged fascination with voting machines is a symptom of BDS and an urban legend. You know, the Black Helicopters flown by Hallicheneyrovebushchimpidiotgenius.
It is 21st century Luddism.
Look at the Wash. State gubernatorial election for a primer on how elections are stolen. Or look at what is happening with the voter lists in this election cycle, i.e. Missouri, New Mexico.
>> This is getting boring! Elections are stolen by stuffing voter lists with dead or inexistant people and similar old-fashioned, time-tested techniques.
>> This unsound, unhinged fascination with voting machines is a symptom of BDS and an urban legend. You know, the Black Helicopters flown by Hallicheneyrovebushchimpidiotgenius.
You Republican nitwits should stick to time-and-tested techniques such as buying and corrupting major corporations. Trying to false-flag is simply outside your expertise.
I know Diebold techs. They're quietly pissed. But they have families to feed.
I just watched the HBO Hack the vote, and can someone tell me why is there a EXE file on the memory card?
According to the Black Box Report, "...the executable program on the memory card controls the optical scan report and the user
> This is getting boring! Elections are stolen by stuffing voter lists with dead or inexistant people and similar old-fashioned, time-tested techniques.
Those techniques have been discovered, corrected, and prosecuted via the audit trails of paper-based systems. Thanks for proving our point.
Doesn't the Bush administration fear that "terrorists" might rig the election?
Can't wait to see a Mullah in the White House ;-)
Well, thinking about it seriously, wouldn't people actually notice if you stole an election? There's all the polling, and stuff, which is usually not far wrong. So what's the point of stealing an election and getting caught out? If you don't mind getting caught, there's far more effective ways to rig elections than stupid electronic voting machines. If you can't stand getting caught, then there'll be an orange revolution. No revolution, No deserve Democracy.
This get's back to Bruce's point in the books about detention coming from consequences rather then prevention
Last Sunday, we brazilian selected our next president (Luiz Inacio Lula da Silva, re-elected). As you know, our 100% e-voting system is made by Diebold (Procomp).
IBOPE, one of our biggest opinion research company predictions was 60-40 (+- 2%) and the results... Oh 60,9%...
Two important things:
1. Auditing of the whole process
2. Anomaly detection
I think that the point you're referring to is that that professor believes that write-once memory is (a lot) better than paper. My opinion is that in either case, I'd need to see the system to make any final judgement, but for write-once memory to work well, we need vastly better auditing procedures.
"that professor believes that write-once memory is (a lot) better than paper"
There's a fundamental problem with (electronic) memory, which is that voters can't see electrons.
Write-once memory (potentially) ensures that the vote that is originally recorded isn't subsequently changed, but nobody knows whether what is originally recorded genuinely represents the voter's vote. The voter doesn't know what is recorded on the memory, and nobody who later audits the memory knows how the voter voted.
With a paper audit trail, the voter can check that what is recorded is what they really meant, and audits can check that the election result reflects what is recorded.
Personally, I'd call that a big win for paper. (Assuming such audits are routinely performed, of course...)
@zoobab "Voting machines in Holland has been hacked"
And the Minister responsible for organizing the elections has taken those machines out of circulation. This means that f.i. in Amsterdam where these particluar machines were to be used the voting will now be done on paper with marks made by red pencil.
Other brands of voting computers will now also be scrutinized by TNO-Brightsight -an independent trust organization in the Netherlands which has performed security evaluations for over three decades- to see what sort of vote rigging could be done with them.
This is IMHO the correct response of the Government. These voting computers were built in the 1980-ies with 1980-ies technology and knowledge. Now we have to re-examine these computers and, if neccesary, replace them with newer, saver computers or, as I would like to see, revert to paper and pencil.
--"Well, thinking about it seriously, wouldn't people actually notice if you stole an election?"
Quite probably. There's definite signs of it happening in 2004, for instance. The problem is proving it. With these DRE systems there's no auditability, hence no way to actually prove even whether or not what happened, well, happened.
There's several known hacks already that provide ways to undetectably alter the results. One system is vulnerable to a virus (and yes, it spreads itself) on the memory cards used to record votes. Some of these systems use bog-standard Access databases to store the results, and anyone with access to it can simple open the database and alter the results, with no real auditing.
So it's not so much that people won't notice, it's just that the people who do notice won't be able to do anything about it.
I do not understand why the debate seems to be about weather we should or should not use computers vise paper. Anyone who has been following the arguments for both sides (and honestly considering them) would conclude with a hybrid type answer.
Having paper to audit in addition to electronic record only adds to the ability to detect anomalies, and it also adds to the dificulty of tampering, as it requires covering your tracks in 2 places as opposed to one.
Why can't we use this as a model to go 'Open Source' with the process? A government funded organization which makes the hardware and software and publishes the code and hardware specs? Invite all hackers to 'do their worst' and pay a finders fee for exposing flaws. Hell, bring the best ones on the payroll......
I guess that would eliminate the big business profit from this... Nevermind, I think that I just answered my own question.
Being software, any transaction that you do in which you say you don't need/want a paper receipt is one that's ripe for small tweaks that likely will go unnoticed. Asking for a receipt keeps the programmers more honest, just like asking for the paper receipt helps ensure employees aren't stealing from the till.
"...how many techie types are so shallow that they would sell out their democracy for a shiny car" etc
Fewer than you think. Politicians have this view of the world (i.e., "everyone is as ethically crippled as I am") but it's just not true. In this case, as in many, volunteer white hats would triumph.
But to take the debate back a bit...
Why are we even discussing electronic voting? By all available metrics, the irregularities in the 2004 election indicate widespread, targeted, intentional vote tampering. In a younger (less apathetic) democracy, we would have been rioting in the streets the day after the 2004 election. Instead, we let Tom Brokaw tell us that exit polls are worthless, thus discarding the only truly objective means of evaluating election results. Nice.
Other than thwarting vote selling, the greatest asset of a voting system is its transparency. Translating my vote into bits and repeatedly mangling those bits is upsetting to me. After all, you wouldn't want the guts of our voting system to be administered in French, and run by those narrow-shouldered Frenchies, would you?
Back to paper. E-voting can suck wind.
" . . . wouldn't people actually notice if you stole an election?"
Under very close elections, you could easily swing just a few votes and still be within the margin of error of any exit polls. Keep in mind that under the American electoral college system, you can pick which states are expected to be close and possibly swing the overall election from there.
I'd also like to note how despicable it is that vote fraud is now a partisan issue in the US. In a healthy democracy, all sides would put aside any differences to build a good voting system.
Well, thinking about it seriously, wouldn't people actually notice if you stole an election? There's all the polling, and stuff, which is usually not far wrong.
Been paying attention? IIRC, the exit polls were suspiciously out in the last 2 US presidential elections, and the news media just assumed the exit polls were wrong. Last time, some of them even "corrected" their pages with the exit poll results once the official results came out in order to get the right result.
Well, yes, I was paying attention. I visit USA regularly. If that doesn't make the streets get filled with protests - like Eastern European countries with similar shady voting practices - why do the people deserve the right to have a say?
bye bye democracy.
Not that Australia is greatly better. the election system is much better, so the fraud and deceit happen elsewhere
I think I said this before on this blog and it echos many voices commenting on this blog. A paper trail allowing each voter to individually verify his/her vote online or per telephone ist the only solution.
The banking system works because everyone spends some time every month looking at his bank or credit card statement to make sure that no unauthorized transaction have sneaked in.
The same needs to happen with elections. Each person needs to care and make sure that his vote counts, just as much as he/she cares that his/her money is still in the bank.
What was so wrong with pen and paper that 'technology' had to be introduced into the voting process?
Now that the elections are over. Does anyone have any stories about stolen elections or was this only apply to one party? I guess was we file this under "preceived risk vs. actual risk".
Oh and be the way in Riverside county (At least in the city of Murrieta) California the voting machines had a master record with a paper audit that can be verified by the voter before a final commitment. Now they need to have the machine make a copy of the record to the actual voter with a matching id number to the master record.
Yeah, it's funny how all those stories about the Diebold machines are non-existent today.
I guess the right results came in.
Hey, Schneier how about a comment. Or you too busy partying 'cause your buddies won???
>Does anyone have any stories about stolen elections or was this only apply to one party?
>Hey, Schneier how about a comment. Or you too busy partying 'cause your buddies won???
WOW, the silence is deafening.
"Yeah, it's funny how all those stories about the Diebold machines are non-existent today. I guess the right results came in. Hey, Schneier how about a comment. Or you too busy partying 'cause your buddies won???"
I'm too busy writing. There will be four posts about voting machines and election security tomorrow.
"WOW, the silence is deafening."
That's the impatience.
"Statistically speaking, any hacker who is skilled enough to rig the elections will also be smart enough to select politicians that believe in . . . oh, let’s say for example, science."
Of course there is the universal belief in money, which puts the services of hackers at the beck and call of anyone with deep enough pockets, as the last two presidential elections have demonstrated.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.