On the Insecurity of ES&S Voting Machines’ Hash Code

Andrew Appel and Susan Greenhalgh have a blog post on the insecurity of ES&S’s software authentication system:

It turns out that ES&S has bugs in their hash-code checker: if the “reference hashcode” is completely missing, then it’ll say “yes, boss, everything is fine” instead of reporting an error. It’s simultaneously shocking and unsurprising that ES&S’s hashcode checker could contain such a blunder and that it would go unnoticed by the U.S. Election Assistance Commission’s federal certification process. It’s unsurprising because testing naturally tends to focus on “does the system work right when used as intended?” Using the system in unintended ways (which is what hackers would do) is not something anyone will notice.

Also:

Another gem in Mr. Mechler’s report is in Section 7.1, in which he reveals that acceptance testing of voting systems is done by the vendor, not by the customer. Acceptance testing is the process by which a customer checks a delivered product to make sure it satisfies requirements. To have the vendor do acceptance testing pretty much defeats the purpose.
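The failure mode in the first excerpt, as an added illustration (this is not ES&S's code and not from the Appel/Greenhalgh post): a checker that treats a missing reference hash as a pass, beside a fail-closed version that refuses to verify without a well-formed reference. File names and the sample image are constructed.

```python
"""Fail-open vs fail-closed software hash verification (added example, not vendor code)."""
import hashlib
import hmac
import tempfile
from pathlib import Path


class VerificationError(Exception):
    """Raised when verification cannot be completed, so callers never mistake it for a pass."""


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_fail_open(installed: Path, reference: Path) -> bool:
    """Mirrors the blunder described above: no reference hash means 'everything is fine'."""
    if not reference.exists():
        return True  # BUG: absence of evidence is reported as a successful check
    return sha256_of(installed) == reference.read_text().strip()


def check_fail_closed(installed: Path, reference: Path) -> bool:
    """Hardened: a missing or malformed reference is an error, never a pass."""
    if not reference.exists():
        raise VerificationError(f"reference hash {reference.name} is missing")
    expected = reference.read_text().strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise VerificationError(f"reference hash {reference.name} is malformed")
    # constant-time comparison; the mismatch path returns False rather than raising
    return hmac.compare_digest(sha256_of(installed), expected)


def demo() -> dict:
    """Constructed sample: one fake image, a correct, a wrong, and an absent reference hash."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        image = root / "firmware.bin"
        image.write_bytes(b"constructed sample image v1")
        good = root / "good.sha256"
        good.write_text(sha256_of(image) + "\n")
        bad = root / "bad.sha256"
        bad.write_text("0" * 64)
        missing = root / "missing.sha256"  # deliberately never created
        results = {
            "open_good": check_fail_open(image, good),
            "open_bad": check_fail_open(image, bad),
            "open_missing": check_fail_open(image, missing),  # True: the blunder
            "closed_good": check_fail_closed(image, good),
            "closed_bad": check_fail_closed(image, bad),
        }
        try:
            check_fail_closed(image, missing)
            results["closed_missing"] = "passed"
        except VerificationError:
            results["closed_missing"] = "error"
        return results


if __name__ == "__main__":
    print(demo())
```

An acceptance test written by the customer would include the "reference file absent" case explicitly; the fail-open checker passes it, which is exactly the outcome the excerpt says went unnoticed.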

Posted on March 16, 2021 at 6:36 AM • 27 Comments

Comments

PeterV March 16, 2021 7:13 AM

> To have the vendor do acceptance testing pretty much defeats the purpose.

We all know now how that worked out for the 737 Max and the 787.

Wannabe Techguy March 16, 2021 7:38 AM

And yet there was this headline 11/10/20:
“2020 Was a Secure Election”.

Winter March 16, 2021 7:58 AM

@Wannabe
““2020 Was a Secure Election”.”

I could totally have broken into your house and robbed you blind in 2020. So, do you now want to prosecute me for the fact that I have been able to break into your house?

But Democrats have warned against using voting machines for years. It is the Republicans who love them; maybe their insecurity has a role in that preference. It has been observed for a long time that Republicans have been able to beat exit polls in all precincts where voting machines were used, but never where they were not used.

Since the introduction of touchscreen voting, anomalous congressional election results have been increasing. In 2000 and 2002, Senate and House contests and state legislative races in North Carolina, Nebraska, Alabama, Minnesota, Colorado, and elsewhere produced dramatic and puzzling upsets, always at the expense of Democrats who were substantially ahead in the polls. All of Georgia’s voters used Diebold touchscreen machines in 2002, and Georgia’s incumbent Democratic governor and incumbent Democratic senator, who were both well ahead in the polls just before the election, lost in amazing double-digit voting shifts.

In some counties in Texas, Virginia, and Ohio, voters who pressed the Democrat’s name found that the GOP candidate was chosen. It never happened the other way. No one reported choosing a Republican and ending up with the Democrat. In Comal County, Texas, three GOP candidates won the touchscreen contest by exactly 18,181 votes apiece, a near statistical impossibility.

http://www.michaelparenti.org/stolenelections.html

QnJ1Y2U March 16, 2021 8:00 AM

@Wannabe Techguy

Yes, 2020 was a secure election.

I knew as soon as I saw the post that somebody would leap in with a take like yours. The existence of a vulnerability is not proof that anyone took advantage of it; that would be like saying that locks being pickable is proof that your house was broken into.

There’s always room for improvement in any system, but all of the audits and recounts and evidence lead to one simple conclusion:

2020 was, indeed, a secure election.

Winter March 16, 2021 8:10 AM

For those in the USA, here you can see how those backward Europeans handle voting. In the Netherlands, they still use paper ballots and hand counting only!

Netherlands eases rules for mail-in ballots as election continues

The Dutch government on Tuesday said that it would adjust rules for accepting mail-in ballots in an ongoing national election, after reports people had made a minor mistake in the procedure.

The election, in which Prime Minister Mark Rutte’s conservative VVD Party is expected to gain enough support to secure a fourth term, is running for three days, March 15-17, to allow social distancing room at polling stations.

https://www.reuters.com/article/us-netherlands-election-idUSKBN2B80XX

Btw, polling stations are within walking distance and are also found in railway-stations etc. for easy voting during a commute. Waiting times used to be in the minutes, but not sure how this will be in COVID time.

OneAnonEngineer March 16, 2021 8:43 AM

After reading many such articles on the vulnerabilities of voting systems, it seems to me that we can’t come up with a fool-proof technological method for a secure voting system. Even paper ballots can be manipulated. Reminds me of:

There’s no such thing as a fool-proof system. That idea fails to take into account the creativity of fools — Frank Abagnale

Name withheld March 16, 2021 8:49 AM

So long as we leave it up to tech vendors to self assess their products we deserve all of the hacking that occurs. The honor system doesn’t work for Doctors, Lawyers or vaccines either.

Personally I don’t trust tech that involves suitcases or thumb drives, but what do I know.

wiredog March 16, 2021 9:03 AM

“Using the system in unintended ways (which is what hackers would do)”
That’s also what good software testers do.

Scott March 16, 2021 9:13 AM

@Wannabe Techguy (apt name in hindsight) says – “2020 Was a Secure Election”

You seem to be confusing the existence of a vulnerability (a given), the disclosure of a vulnerability (almost always a given … eventually) with an exploit. Or, by all means, feel free to do what Bruce did and post some sources, in your case, those sources would highlight the voting fraud that actually occurred.

Yes, we need to constantly tighten up security around voting. Yes, these machines are FAAAARRR from perfect. No, the election was not stolen. Your guy lost. Waah!

Clauclauclaudia March 16, 2021 10:01 AM

It seems to me there’s a difference between “no bad actors committed wholesale fraud” and “the election was secure”.

I could go for “the election was sufficiently secure”.

MarkH March 16, 2021 12:38 PM

@2020 U.S. Election Skeptics:

Probably people have varying ideas as to what “secure” means in this context.

A logical — if foolish — definition would be that

secure = impossibility of illegal votes

In other words, if even one of the 150,000,000+ votes was illegal, the election would be proved “insecure” by this definition.

A practical (and democratic) standard is

secure = infeasible to change election outcome by illegal votes

It seems to me that when Bruce wrote about the security of election, he clearly referred to a system of safeguards which (a) impose high costs and risks on those who would commit election fraud, and (b) will detect such election tampering with probability very close to 100%.

To prevent all illegal voting is an impossible standard, and pretending that we’re going to do this impossible thing is very bad for democracy.

It’s sufficient to make illegal voting risky to would-be election thieves, and to detect illegal voting when it exceeds a very low threshold, providing opportunities to (a) impose prison terms on the perpetrators, and (b) correct the vote tallies before election certification.

Denton Scratch March 16, 2021 1:17 PM

A few years ago, I had £100,000 worth of building work done. The law requires that work be done to a certain standard, which is to be certified by a Chartered Surveyor.

These surveyors used to be employed by the local authority.

It seems that nowadays, it is the norm for the builder to appoint this surveyor; her fees just get added to your works bill by the builder. Local authority surveyors apparently no longer exist.

Who? March 16, 2021 1:58 PM

Shouldn’t the National Security Agency and other technology-oriented government agencies collaborate in things like this certification process instead of hoarding vulnerabilities?

I am not an expert in U.S. government issues, but a weak voting infrastructure looks like a serious national security threat to me.

Andy F March 16, 2021 2:47 PM

In my experience in the telecomms world acceptance testing is normally performed by the vendor according to a test script agreed with the customer. Sometimes the test script is provided by the customer but in most cases it is created by the vendor to exercise the essential functionality as specified in the contract. The customer normally sends witnesses to monitor test execution.

The reason for this is that the customer generally has limited technical resources and finds it easier to simply add another deliverable to the contract rather than set up the test environment and scripts themselves.

There are other test phases in most projects like unit testing, integration testing and stability testing which are also performed and witnessed prior to the final acceptance.

Aaron March 16, 2021 3:52 PM

From the article:
They may encounter a problem, though: the ES&S sales contract specifies that ES&S must perform the acceptance testing, or they will void your warranty (see clause 7b).

This language in a government contract flies in the face of every government contract I’ve seen while working in the defense industry for over 20 years. Within the systems and agencies I’ve worked with, and as a provider of services, software, etc. we are required to allow government representatives (employees) and secondary contractors (not associated with our company) with technical expertise to review the testing methods we have created to meet the contract guidelines, modify the test cases to clarify their intended goal in accordance with contractual obligations and to provide direct witness of tests on a non-interference basis.

We legally can’t self validate our product, let alone tell the government it would void the warranty if they tested it themselves.

SpaceLifeForm March 16, 2021 4:56 PM

@ ALL

Long story short: ESS is a fascist op.

The receipts are out there.

When you keep hearing ‘Voter Fraud’, that is the mis-direction from ‘Election Fraud’.

jones March 16, 2021 6:32 PM

ES&S has lots of problems — just like their competitors.

In 2019, for example, AP reported that new ES&S machines were running Windows 7 months before that OS reached its end-of-life (Windows 10 was released in 2015).

There’s an excellent documentary called “Hacking Democracy” about the founder of blackboxvoting.org, which documents how difficult it is to get meaningful information about these election systems.

The proprietary source code is not even made available to election officials.

The documentary is about Diebold, which was renamed to Premier Election Solutions, now owned by Dominion.

David March 17, 2021 4:51 AM

“testing naturally tends to focus on “does the system work right when used as intended?” ”
Many years ago when I was working as an app developer, one of my systems analysts used to include as part of his application testing routine.
Certainly not part of using it as intended, and some of the developers used to cry “foul”, but it’s amazing how often it generated unexpected results.

Ergo Sum March 17, 2021 6:51 AM

“2020 Was a Secure Election”

hxxps://www.youtube.com/watch?v=DZFyJT0tw6U

The 2020 elections are over, certified and as such, move on. There’s no reason to argue about its validity.

Where the discussion should center instead is making the voting machine’s source code publicly available well before actual voting day. That should include the central tabulating machines as well. Once the source code has been approved by independent entities, generate a hash value for the program and check the voting machine’s compliance to this value prior/during/after voting.

Adding a paper trail, a printout of the voter’s choice that is collected, will provide verification that the voting machine has not been tampered with and also allows recounting the votes.

PS: As much as I know about systems, programs, etc., these seem reasonable efforts for election security…

Winter March 17, 2021 6:58 AM

@Ergo Sum
“The 2020 elections are over, certified and as such, move on. There’s no reason to argue about its validity.”

Oh there is a reason.

This supposed “fraud” is used as an excuse to prevent black voters, and other Democrat constituencies, from ever voting again.

As is mentioned above, the only secure elections are those where no one votes. So, just preventing people from voting for the Democrats will make the elections secure for the Republicans.

SpaceLifeForm March 18, 2021 6:03 PM

@ Ergo Sum, Winter, name.withheld.for.obvious.reasons

The Security is not there via a Computer and some hash. Not possible.

Turtle got re-elected via approx 10% vote flipping. That is ESS in Kentucky.

The only way to trust vote is via auditable paper, counted by multiple groups.

The ‘FIX’ was to throw Trump to the curb, but keep the GOP Senate. Because they are all blackmailed cult members and Putin puppets.

https://www.dcreport.org/2020/12/19/mitch-mcconnells-re-election-the-numbers-dont-add-up/

trsm.mckay March 19, 2021 4:04 PM

It is good that so many people in the US are now paying attention to election security. It is bad that so many of those people are chasing phantom problems instead of the real security issues.

I have tried to inform friends and family of the easy way to see if an “election fraud” method is a real problem: do they describe the existing security measures and how they are overcome? It is not like no one tried to cheat in an election before this one, or that our country never tried to prevent election fraud in the past.

The election conspiracy theories remind me of that saying about designing a cryptographic algorithm; it is easy to come up with a method of defrauding an election that you yourself can’t mitigate against. But if they can’t even describe the current security mitigations they would need to overcome, then the chances of their scheme actually working are pretty poor.

The rare flipside is the occasional semi-knowledgeable person who comes up with the elaborate mission-impossible style movie plot to commit election fraud. Too often those people just don’t understand risk/reward. Like voter impersonation fraud, and people who argue why we have to make our ID checks even more foolproof. How many votes can you change by voter impersonation fraud, per person? How many times can you vote as different people before someone gets suspicious? Ok, even if you have people wearing disguises, and rotating around to different polling places, and making sure only to impersonate registered voters that didn’t plan to vote; how many votes per hour per collaborator can you add to the total? Particularly if you are in one of those favored locations where it takes many hours just to cast one vote? These are not real world attacks that any election fraud mastermind would bother pursuing.

MarkH March 19, 2021 5:44 PM

@trsm.mckay:

Your observations are full of good sense.

Millions of people seem to have made a mighty leap from something that seemed to them less solid than they feel comfortable with (for example, they don’t trust signature matching — especially when the people checking signatures have a certain complexion) to the conclusion that the election outcome was changed by illegal activity.

What I’ve never yet seen is a practical means by which election tallies could be altered enough to make the difference, without high probability of detection … and prison time.

SpaceLifeForm March 20, 2021 8:05 PM

@ MarkH

What I’ve never yet seen is a practical means by which election tallies could be altered enough to make the difference, without high probability of detection

Read my link above.

Unless all ballots are paper, and hand counted by multiple independent groups, you really cannot trust it.

Ten percent works well if no one checks.

Less than 5 percent works too.

MarkH March 22, 2021 5:11 AM

@SpaceLifeForm:

It’s my nature to be suspicious of operators like McConnell, and of election practices in slave states. Even so, I must apply rational scrutiny to the claims or insinuations from the linked article, just as I do to their MAGA counterparts.

The dcreport article lists surprises and contradictions, some of which certainly arouse my suspicion. It then proceeds to dark suggestions concerning “algorithms”.

Now, I hate hate hate that there are still DRE machines used in U.S. elections, and it’s typical of benighted Kentucky to be such a bastion of this inexcusable tech. In the affected counties, the power of auditing is effectively curtailed.

Still, here are a few questions:

• precisely what forms of tampering are implicated?

• did political operatives reverse engineer and modify the machines?

• or, did they hire technical experts to do so for them?

• or, did they bribe somebody at ES&S?

• what are the means by which someone not in the conspiracy might have detected — or even now still detect — the tampering?

• what are the means by which the tampering needed to be applied to each affected machine?

• what security/integrity safeguards would need to be defeated in order to accomplish the tampering?

• how many persons needed to be witting in the conspiracy?

• what would be the risks to the participants, if their malfeasance were exposed?

• how confident could the conspirators be, that no one of them would have an eruption of conscience or fear that could result in the unmasking of all of them?

• given the dcreport claims about anomalies, did Democratic persons or organizations in Kentucky make corresponding formal challenges to election results? if not, why not?

================

My observations about changing the election outcome were made with the presidential election in mind; as common sense would suggest, smaller elections are generally more vulnerable to illegal interventions.

In fact, U.S. criminal cases concerning election tampering seem to be mostly for city-wide elections (mayor races, e.g.).

Until I see specific and knowledgeable answers to the questions I posed above — and probably several other questions we could easily think of — then where is the “practical means by which election tallies could be altered enough to make the difference?”

================

The writer at dcreports made a potentially useful contribution by calling attention to suspicious patterns in Kentucky.

But actual reportage means doing the detective work: was there a criminal conspiracy? The anomalies don’t prove that.

If there was, the perpetrators must have left some evidence … they always do. People would need to do the hard work of tracking it down.
