February 28, 2017

Archives for July 2007

California Study: Voting Machines Vulnerable; Worse to Come?

A major study of three e-voting systems, commissioned by the California Secretary of State’s office, reported Friday that all three had multiple serious vulnerabilities.

The study examined systems from Diebold, Hart InterCivic, and Sequoia; each system included a touch-screen machine, an optical-scan machine, and the associated backend control and tabulation machine. Each system was studied by three teams: a “red team” did a hands-on study of the machines, a “source code team” examined the software source code for the system, and a “documentation team” examined documents associated with the system and its certification. (An additional team studied the accessibility of the three systems – an important topic but beyond the scope of this post.)

(I did not participate in the study. An early press release from the state listed me as a participant but that was premature. I ultimately had to withdraw before the study began, due to a scheduling issue.)

So far only the red team (and accessibility) reports have been released, which makes one wonder what is in the remaining reports. Here are the reports so far:

The bottom-line paragraph from the red team overview says this (section 6.4):

The red teams demonstrated that the security mechanisms provided for all systems analyzed were inadequate to ensure accuracy and integrity of the election results and of the systems that provide those results.

The red teams all reported having inadequate time to fully plumb the systems’ vulnerabilities (section 4.0):

The short time allocated to this study has several implications. The key one is that the results presented in this study should be seen as a “lower bound”; all team members felt that they lacked sufficient time to conduct a thorough examination, and consequently may have missed other serious vulnerabilities. In particular, Abbott’s team [which studied the Diebold and Hart systems] reported that it believed it was close to finding several other problems, but stopped in order to prepare and deliver the required reports on time. These unexplored avenues are presented in the reports, so that others may pursue them. Vigna’s and Kemmerer’s team [which studied the Sequoia system] also reported that they were confident further testing would reveal additional security issues.

Despite the limited time, the teams found ways to breach the physical security of all three systems using only “ordinary objects” (presumably paper clips, coins, pencil erasers, and the like); they found ways to modify or overwrite the basic control software in all three voting machines; and they were able to penetrate the backend tabulator system and manipulate election records.

The source code and documentation studies have not yet been released. To my knowledge, the state has not given a reason for the delay in releasing these reports.

The California Secretary of State reportedly has until Friday to decide whether to allow these systems to be used in the state’s February 2008 primary election.

[UPDATE: A public hearing on the study is being webcast live at 10:00 AM Pacific today.]

DRM for Chargers: Possibly Good for Users

Apple has filed a patent application on a technology for tethering rechargeable devices (like iPods) to particular chargers. The idea is that the device will only allow its batteries to be recharged if it is connected to an authorized charger.

Whether this is good for consumers depends on how a device comes to be authorized. If “authorized” just means “sold or licensed by Apple” then consumers won’t benefit – the only effect will be to give Apple control of the aftermarket for replacement chargers.

But if the iPod’s owner decides which chargers are authorized, then this might be a useful anti-theft measure – there’s little point in stealing an iPod if you won’t be able to recharge it.

How might this work? One possibility is that when the device is plugged in to a charger it hasn’t seen before, it makes a noise and prompts the user to enter a password on the iPod’s screen. If the correct password is entered, the device will allow itself to be recharged by that charger in the future. The device will become associated with a group of chargers over time.

Another possibility, mentioned in the patent, is that there could be a central registry of stolen iPods. When you synched your iPod with your computer, the computer would get a digitally signed statement from the registry, saying that your iPod was not listed as stolen. The computer would pass that signed statement on to the iPod. If the iPod went too long without seeing such a statement, it would demand that the user do a synch, or enter a password, before it would allow itself to be recharged.

How can we tell whether a DRM scheme like this is good for users. One sure-fire test is whether the user has the option of turning the scheme off. You don’t want a thief to be able to disable the scheme on a stolen iPod, but it’s safe to let the user disable the anti-theft feature the first time she syncs her new iPod, or later by entering a password.

We don’t know yet whether Apple will do this. But reading the patent, it looks to me like Apple has thought carefully about the legitimate anti-theft uses of this technology. That’s a good sign.

Why No Phoneless iPhone?

I know the iPhone is like so last week, but I want to ask one more question about it: why does Apple insist on users registering for an AT&T account? Officially at least, you have to agree to a two-year contract with AT&T cellular before you can activate your iPhone, even if you will never use it as a phone. (There are ways around this, but Apple seems to wish they didn’t exist.) Which is a shame, because the iPhone is a pretty nice WiFi-enabled portable computer that (to me at least) is less attractive because it’s tied to a two-year AT&T contract.

Of course AT&T is giving Apple a cut of its revenue from the contract. According to rumor, the cut is $3 per month for each user, or $11 per month for users who switch to AT&T from other carriers. Given that about half of iPhone customers switch from other carriers, that’s an average of $7 per month per user, or about $170 total over two years.

But that $170 doesn’t answer the question, because Apple could still sell a phoneless iPhone for, say, $800 while the AT&T iPhone costs $600. If you think Apple still comes out behind at $800, then feel free to pick a larger number. There must be some price point at which Apple is happy to sell a phoneless iPhone, right?

I can see only two reasons why it might be rational for Apple to refuse to offer such a product. It can’t be difficult technically – all they have to do is change the activation procedure so that it doesn’t require the user to sign up for an AT&T contract. But there are two possible reasons.

The first is that the market for a phoneless iPhone is too small, at the price point that they would have to offer. If hardly anyone would buy the device at $800, then it might not be worth the trouble to create another option in the product line. This seems unlikely.

The other reason – the only other possible reason, as far as I can tell – is that the mere existence of a phoneless iPhone makes the original iPhone much less attractive to customers, and that this effect is big enough to offset the extra revenue Apple could get by charging an even bigger premium for the phoneless version.

Why might this be? Maybe Apple thinks the iPhone will look less attractive if the value of the contract lock-in (and hence the cost of lock-in to the customer) is made obvious. Or maybe Apple wants to differentiate the iPhone from other phone handsets by making it the only handset that isn’t obviously subsidized by a carrier. Or maybe Apple is keeping a space in its product line open for a future product introduction. Apple and Steve Jobs are clever enough about these things that there must be some good reason.