November 16, 2024

Vendor misinformation in the e-voting world

Last week, I testified before the Texas House Committee on Elections (you can read my testimony).  I’ve done this many times before, but I figured this time would be different.  This time, I was armed with the research from the California “Top to Bottom” reports and the Ohio EVEREST reports.  I was part of the Hart InterCivic source code team for California’s analysis.  I knew the problems.  I was prepared to discuss them at length.

Wow, was I disappointed.  Here’s a quote from Peter Lichtenheld, speaking on behalf of Hart InterCivic:

Security reviews of the Hart system as tested in California, Colorado, and Ohio were conducted by people who were given unfettered access to code, equipment, tools and time and they had no threat model.  While this may provide some information about system architecture in a way that casts light on questions of security, it should not be mistaken for a realistic approximation of what happens in an election environment.  In a realistic election environment, the technology is enhanced by elections professionals and procedures, and those professionals safeguard equipment and passwords, and physical barriers are there to inhibit tampering.  Additionally, jurisdiction ballot count, audit, and reconciliation processes safeguard against voter fraud.

You can find the whole hearing online (via RealAudio streaming), where you will hear the Diebold/Premier representative, as well as David Beirne, the director of their trade organization, saying essentially the same thing.  Since this seems to be the voting system vendors’ party line, let’s spend some time analyzing it.

Did our work cast light on questions of security? Our work found a wide variety of flaws, most notably the possibility of “viral” attacks, where a single corrupted voting machine could spread that corruption, as part of regular processes and procedures, to every other voting system.  In effect, one attacker, corrupting one machine, could arrange for every voting system in the county to be corrupt in the subsequent election.  That’s a big deal.

At this point, the scientific evidence is in, it’s overwhelming, and it’s indisputable.  The current generation of DRE voting systems have a wide variety of dangerous security flaws.  There’s simply no justification for the vendors to be making excuses or otherwise downplaying the clear scientific consensus on the quality of their products.

Were we given unfettered access? The big difference between what we had and what an attacker might have is that we had some (but not nearly all) source code to the system.  An attacker who arranged for some equipment to “fall off the back of a truck” would be able to extract all of the software, in binary form, and then would need to go through a tedious process of reverse engineering before reaching parity with the access we had. The lack of source code has demonstrably failed to do much to slow down attackers who find holes in other commercial software products.  Debugging and decompilation tools are really quite sophisticated these days.  All this means is that an attacker would need additional time to do the same work that we did.

Did we have a threat model? Absolutely!  See chapter three of our report, conveniently titled “Threat Model.”  The different teams working on the top to bottom report collaborated together to draft this chapter. It talks about attackers’ goals, levels of access, and different variations on how sophisticated an attacker might be.  It is hard to accept that the vendors can get away with claiming that the reports did not have a threat model, when a simple check of the table of contents of the reports disproves their claim.

Was our work a “realistic approximation” of what happens in a real election? When the vendors call our work “unrealistic”, they usually mean one of two things:

  1. Real attackers couldn’t discover these vulnerabilities
  2. The attackers can’t be exploited in the real world.

Both of these arguments are wrong. In real elections, individual voting machines are not terribly well safeguarded.  In a studio where I take swing dance lessons, I found a rack of eSlates two weeks after the election in which they were used.  They were in their normal cases.  There were no security seals.  (I didn’t touch them, but I did have a very good look around.) That’s more than sufficient access for an attacker wanting to tamper with a voting machine.  Likewise, Ed Felten has a series of Tinker posts about unguarded voting machines in Princeton.

Can an attacker learn enough about these machines to construct the attacks we described in our report? This sort of thing would need to be done in private, where a team of smart attackers could carefully reverse engineer the machine and piece together the attack.  I’ll estimate that it would take a group of four talented people, working full time, two to three months of effort to do it.  Once.  After that, you’ve got your evil attack software, ready to go, with only minutes of effort to boot a single eSlate, install the malicious software patch, and then it’s off to the races.  The attack would only need to be installed on a single eSlate per county in order to spread to every other eSlate.  The election professionals and procedures would be helpless to prevent it.  (Hart has a “hash code testing” mechanism that’s meant to determine if an eSlate is running authentic software, but it’s trivial to defeat.  See issues 9 through 12 in our report.)

What about auditing, reconciliation, “logic and accuracy” testing, and other related procedures? Again, all easily defeated by a sophisticated attacker.  Generally speaking, there are several different kinds of tests that DRE systems support.  “Self-tests” are trivial for malicious software to detect, allowing the malicious software to either disable and fake the test results, or simply behave correctly.  Most “logic and accuracy” tests boil down to casting a handful of votes for each candidate and then doing a tally.  Malicious software might simply behave correctly until more than a handful of votes have been received.  Likewise, malicious software might just look at the clock and behave correctly unless it’s the proper election day.  Parallel testing is about pulling machines out of service and casting what appears to be completely normal votes on them while the real election is ongoing.  This may or may not detect malicious software, but nobody in Texas does parallel testing.  Auditing and reconciliation are all about comparing different records of the same event.  If you’ve got a voter-verified paper audit trail (VVPAT) attachment to a DRE, then you could compare it with the electronic records.  Texas has not yet certified any VVPAT printers, so those won’t help here.  (The VVPAT printers sold by current DRE vendors have other problems, but that’s a topic for another day.) The “redundant” memories in the DREs are all that you’ve got left to audit or reconcile.  Our work shows how this redundancy is unhelpful against security threats; malicious code will simply modify all of the copies in synchrony.

Later, the Hart representative remarked:

The Hart system is the only system approved as-is for the November 2007 general election after the top to bottom review in California.

This line of argument depends on the fact that most of Hart’s customers will never bother to read our actual report.  As it turns out, this was largely true in the initial rules from the CA Secretary of State, but you need to read the current rules, which were released several months later.  The new rules, in light of the viral threat against Hart systems, requires the back-end system (“SERVO”) to be rebooted after each and every eSlate is connected to it.  That’s hardly “as-is”.  If you have thousands of eSlates, properly managing an election with them will be exceptionally painful.  If you only have one eSlate per precinct, as California required for the other vendors, with most votes cast on optical-scanned paper ballots, you would have a much more manageable election.

What’s it all mean? Unsurprisingly, the vendors and their trade organization are spinning the results of these studies, as best they can, in an attempt to downplay their significance.  Hopefully, legislators and election administrators are smart enough to grasp the vendors’ behavior for what it actually is and take appropriate steps to bolster our election integrity.

Until then, the bottom line is that many jurisdictions in Texas and elsewhere in the country will be using e-voting equipment this November with known security vulnerabilities, and the procedures and controls they are using will not be sufficient to either prevent or detect sophisticated attacks on their e-voting equipment. While there are procedures with the capability to detect many of these attacks (e.g., post-election auditing of voter-verified paper records), Texas has not certified such equipment for use in the state.  Texas’s DREs are simply vulnerable to and undefended against attacks.

CORRECTION: In the comments, Tom points out that Travis County (Austin) does perform parallel tests.  Other Texas counties don’t.  This means that some classes of malicious machine behavior could potentially be discovered in Travis County.

Comments

  1. Personally I favor just throwing the violating party out of office for an election cycle

    That creates a new mechanism of fraud: convincingly frame the OTHER PARTY for fraud. And the harder you make either type of fraud, the easier the other becomes.

    Oops.

    But our current system … is expressly designed to reward corruption.

    But of course it is. That won’t change until the end of the Second Civil War, or maybe it’ll be called the Second American Revolution.

    As for who from outside would hack, how about foreign powers? If one Presidential candidate promises to get tough on Iran and the other doesn’t, the current mullah has a reason to strongly prefer one of the candidates. Similar incentives may exist for various secret services and world leaders depending on the candidates’ stances on various foreign-policy issues. Even, sometimes, domestic issues — domestic policies that favor more consumer spending might be desirable to China, for example, and to other exporters for whom the US is a major foreign market.

  2. I was not suggesting a general admin loophole, only the ability to set the machine’s &#@! clock. 😛

    • It talks about attackers’ goals, levels of access, and different variations on how sophisticated an attacker might be. It is hard to accept that the vendors can get away with claiming that the reports did not have a threat model, when a simple check of the table of contents of the reports disproves their claim.

  3. Ken Whitley says

    I’m confused. I thought it was clear from the beginning that corrupt election officials, not outside hackers, were the primary threats that electronic voting needs to guard against.

    If this is going to simply be ignored, with a “you have to trust us, you have no choice” from the local party hacks, then it really doesn’t much matter how secure, or accurate, or easy-to-use, or even real, the voting machines are. You may as well use computerized dice. And ignore them.

    spuzd – If the system is any good it’s going to detect you screwing with its clock(s) – no matter WHAT you set it to – and have a cow. Since it knows it can’t be trusted after that, I wouldn’t think it would ALLOW vote-counting. What it should do is just sit there saying “I was hacked via port X at Y time, and my clock was modified” until it is discarded and destroyed. Yes, I said discarded and destroyed. You can invalidate votes by destroying machines, but then you have/get to vote again. And you can’t change, conceal, or multiply them.

    The whole thing that makes a voting machine trustworthy is that it DOESN’T have an “admin” loophole. None. Along with open, secure software, you use open, secure hardware. Everyone knows you have to bust the chip open and x-ray the innards to get the key, and that only gets you one machine. And you can’t put it back in service.

    But – I think there is a way to verify votes, if you don’t insist on accounting accuracy, though that could be provided by a slower, more thorough audit. But you can simply post, in public, all the votes as they happen. Cluster them just large enough that individual voters can’t be identified, but small enough that voting district’s members CAN recognize whether their district is voting funny. Whether missing, too small or large, or voting radically unlike expected, it is visible, and if it is widespread, then it is widely visible.

    And as the subtotals and totals are made up, widespread visibility also keeps the numbers honest without any security experts, insiders, or technology. If an election is extremely close, the individual, public, visible count of paper ballots in piles settles things.

    A different point we haven’t settled is how to deal with documented voter fraud. Personally I favor just throwing the violating party out of office for an election cycle – it’s the only way to motivate the parties to keep their members honest. And it’s another reason to abandon the two-party system for something more representative and more democratic. Less ideal but workable is a new election. But our current system of just ignoring it unless someone sues, and then passing laws making it more difficult to sue, just doesn’t cut it. It is expressly designed to reward corruption.

    In general, it makes more sense to design the system to be secure against the many real problems that we know for certain we have now, than to fantasize about some sort of hacker that doesn’t exist yet, and may not ever exist.

    After all, who but the two major parties stands to benefit by altering votes? With the two-party system in place, voting for third parties often has a spoiler effect, so it’s unlikely any third parties will attempt it unless they’re already likely to win, which would draw too much media attention. True outsiders see little meaningful difference between the parties, so would have no motivation to hack in favor of one or the other, any more than they currently have motivation to vote. Initiatives and referenda are usually single-issue, well, issues – and don’t have an ongoing political machine to hack for them. Who BUT supporters of one or the other major party have any motivation to alter election results? And why hack from outside when insider access is so easily and so often granted?

  4. Eh? It can be tested by conducting a “ring 0 attack”. A computer system cannot tell the difference between simulation and reality, even in principle, if the simulation is of perfect fidelity, which with the limited “senses” a computer system possesses should not be difficult to achieve.

    So, you set the machine’s clock ahead to election day and then simulate an election, with a realistic number and distribution of votes (e.g. based on current opinion poll results), and see whether it miscounts them in a systematic way.

    Worst case, a hack requires the machine be in a network with a hacked tabulator and other hacked DREs or something — test the whole system at once in the manner described. The attack won’t look for strange forward clock jumps, in all likelihood, because the machine will ordinarily have sat idle for weeks or months between elections and then been turned on again, and the clock will have jumped ahead anyway, so it has no way of knowing that it’s not *real* election day, even based on the clock jumping forwards.

    The only really tricky possibility is if a clever attacker rigged the attack to “arm” only after the clock jumped *backwards*, but you can jump the clock backwards a random number of times and an attacker can’t guess how many times the machine should wait before switching from “act normal” to “rig the election” mode; they might test more times and the machine will get caught red-handed misbehaving, or they might test fewer and the machine will act normal during the real election.

    Of course, between any such testing being completed and the election itself the machines would have to be under lock and key. Preferably with armed guards. Preferably some supplied by each major party.

  5. The main problem with any voting machines is that hardware has become way to powerful to be able to verify them.

    Even if you had a fault free voting software on the machines combined with a cryptographically strong authentication procedure for the software being used, you would still need to verify that the hardware is doing what it is supposed to do. And that is not trivial with the ability to have multiple megabytes of embedded data inside the processor, essentially enabling an attacker to put the attack software inside the processor itself.

    Even though creating your own hack version of a processor should be out of reach to most people attempting fraud, flash programmed devices would already be extremely difficult to verify, even if you ensure maximum entropy of the entire flash memory.

    Unfortunately software is non-linear, so it is impossible use tests to verify correct functionality (or the absence of manipulation). I guess the only solution to this problem is to do random statistical sampling using a separate vote counting method.

  6. Because they want to control the outcomes of elections. Duh.

    See above.

  7. Why would anyone want to install a voting system known to be insecure, and to role it out across the whole country?

    Sheesh!

  8. It’s already too late.

    “…let Facts be submitted to a candid world.

    * He has refused his Assent to Laws, the most wholesome and necessary for the public good.
    * He has forbidden his Governors to pass Laws of immediate and pressing importance, unless suspended in their operation till his Assent should be obtained; and when so suspended, he has utterly neglected to attend to them.
    * He has endeavoured to prevent the population of these States; for that purpose obstructing the Laws for Naturalization of Foreigners; refusing to pass others to encourage their migrations hither, and raising the conditions of new Appropriations of Lands.
    * He has obstructed the Administration of Justice, by refusing his Assent to Laws for establishing Judiciary powers.
    * He has erected a multitude of New Offices, and sent hither swarms of Officers to harrass our people, and eat out their substance.
    * He has affected to render the Military independent of and superior to the Civil power.
    * He has combined with others to subject us to a jurisdiction foreign to our constitution, and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:
    o For depriving us in many cases, of the benefits of Trial by Jury
    o For transporting us beyond Seas to be tried for pretended offences
    o For abolishing the free System of English Laws in a neighbouring Province, establishing therein an Arbitrary government, and enlarging its Boundaries so as to render it at once an example and fit instrument for introducing the same absolute rule into these Colonies
    o For taking away our Charters, abolishing our most valuable Laws, and altering fundamentally the Forms of our Governments”

    – Excerpt charges against King George from the Declaration of Independence

    Time to depose King George Bush II and restore democracy to America.

  9. DRE’S AND OPSCANS

    We ALL need to see THE AMAZING TRUTH ABOUT OUR STOLEN ELECTIONS.

    IF you will cast your votes with touch-screen machines, watch this documentary.
    IF your votes will be counted with opscan machines, don’t miss part 4.
    IF your elections officials have not yet sued Diebold for fraud, watch the tail end of
    Part 7- Trojan horse executable code is forbidden by election rules.

    Hacking Democracy:

    Part 1: http://www.youtube.com/watch?v=GzPXer7946E&feature=related

    Part 2: http://www.youtube.com/watch?v=Eopnvw7mh_8&feature=related

    Part 3: http://www.youtube.com/watch?v=lxGSXYUkplA&feature=related

    Part 4: http://www.youtube.com/watch?v=JJ9UuXF1hkA&feature=related

    Part 5: http://www.youtube.com/watch?v=ht7fqoGUfS0&feature=related

    Part 6: http://www.youtube.com/watch?v=-3zp80H3pN0&feature=related

    Part 7: http://www.youtube.com/watch?v=0VoEVvR60Sg&feature=related

    Part 8: http://www.youtube.com/watch?v=iSvhnXtogQ4&feature=related

    Part 9: http://www.youtube.com/watch?v=J36Jfkxd1vA&feature=related

    OUTRAGED?!

    Copy and send this missive to everyone on your list of friends and associates.
    Ask them to call their representatives and demand the removal of ALL electronics from our elections. Demand PAPER BALLOTS HAND-COUNTED AT THE POLLS!!!! Nothing else will do! NO disappearing of the ballots during transfer or during counting. We demand citizen oversight at every step- from the time you MARK your ballot to the moment it is counted and reported. Otherwise, kiss your freedoms good-bye.

  10. You can find the whole hearing online (via RealAudio streaming)

    Retch!

  11. Valerie, the League of Women Voters has since 2001 been the foremost “independent” organization lobbying for universal adoption of touch-screen DRE voting equipment by the states. I sincerely wish you luck with your quest to enlighten them, but suggest that you not expect much immediate progress. I hope you can prove me wrong.

  12. Valerie Lane says

    I just received from a local Board member of the League of Women Voters, a copy of Professor Wallach’s “quote” as written by reporter Laylan Copelin in the July 3, 2008 American Statesman report on e-voting in Texas. I was distressed and frankly appalled by what I read.

    Since I knew of Professor Wallach’s work on the CA Top-To-Bottom Review I thought the quote presented a very misleading picture of how difficult it would be to rig an election.

    I therefore came to this site to see if Professor Wallach had suddenly lost his mind. I am pleased to discover that the reporter failed to clearly and comprehensively quote Professor Wallach. This is one more case of failure by the media to properly inform the public of the election security crisis we now face. The question of whether this “elegant spin” is by chance or by design will not likely be answered. One more point for the Vendors. I will direct members of the League of Women Voters to this site with the hope that they will read professor Wallach’s COMPLETE STATEMENT and learn the truth.

  13. JLGraham says

    My impression is that a legitimate virtue of electronic voting machines lies in their user interface. The few I have seen seem more user friendly than ubiquitous automatic teller bank machines and they may (?) have the potential to more faithfully record a voter’s preference in aggregate than some previous methods. The weakness of relying on these machines to then document the results on an election should be self-evident given the variety and frequency of successful attacks on “secure” computer systems.

    The strengths of both electronic and paper-based systems could be combined if the touch screen interface was used to prepare a printed or punched paper ballot that could be machine tabulated OR, when necessary, counted by hand. I don’t mean printing a receipt. The voter would hold the actual ballot in his or her hand before submission. The electronic interface would only aid in preparing a stray-mark-free, hanging-chad-free physical ballot that could be verified as correct by casual visual inspection. Possibly previously purchased voting machines could be so converted.

  14. It is hardly surprising that the vendors are describing the world from their own point of view. The well established legal methodology to stretch any person’s point of view is called “cross examination”. Thus, when Diebold says, “no Threat Model”, you have a cross examination question asking, “did you read Chapter 3 of this report?”

    Only systems that are a military grade security, (ie trusted systems with mandatory access controls and tamper proof audit trails)

    This is not sufficient. The security might be perfect and yet that is still not sufficient because justice must be SEEN to be done. In other words, the system must be something that any citizen can understand and easily check for themselves. Plus there must be large numbers of scrutineers in the process, otherwise the resulting system cannot be trusted and will not engender confidence. So far, only paper ballots fulfill this requirement for simplicity and transparency.

    And don’t give me that “too expensive and doesn’t scale” crap.

    Both Canada and Australia spend more per-vote than does the USA (and much more per-head of population, given that so many Americans don’t bother voting). However, you have to ask what is Democracy worth? How much does a stolen election cost the nation? Given that there is a historical trend of non-democratic nations also slaughtering their own citizens, my conclusion is that Democracy keeps me alive so I don’t have a problem spending a few extra dollars.

  15. supercat says

    The problem with military-grade security equipment is that it is designed so that its users can’t know how it works. While you are correct that, in the case of the military, all important aspects of the design and implementation are overseen by people the user should trust, that approach is only workable if there is an overlap between the set of people trusted by the supplier not to leak secrets of the design, and the set of people trusted by the user not to withhold information about design features that would compromise the user’s interests. That’s an achievable situation in the military, where higher-level officers may be trusted with details of a machine’s implementation and lower-level personnel are required to trust superior officers. The situation with voting equipment isn’t really comparable.

    Further, secure systems must be stored securely, with strict chain-of-custody procedures involving only trusted personnel. Is it realistic to require that every voting machine must always be kept clearly in view of representatives of all interested parties, and that any machine for which the chain of custody is at all compromised must be taken out of service until such time as someone authorized to examine its inner workings has done so?

    The beauty of a transparent system is that if it is properly constructed, the chain of custody before an election doesn’t really matter; if the system is sufficiently transparent, the chain of custody after the election wouldn’t matter much either.

    As a rough analogy, consider two ballot box designs for paper ballots. The first design contains three pieces. The first piece is made of plexiglass, and forms five sides of a box, but with rounded corners and edges. It has various projections for attaching the second piece. The second piece is the top of the box; it’s rectangular, but has a hole in which is permanently mounted a rectangular tube. At least eight in the first piece fit into the second; affixing padlocks to any two opposite projections will prevent the box from being opened. The third piece is made of opaque cloth, and surrounds the entire box except for the tube. Like the second, it may be secured using multiple padlocks.

    Given such a box design, I wouldn’t have to worry particularly much about whether the maker was trustworthy, or whether the box’s chain of custody throughout its existence was beyond question. A fairly straightforward inspection of the box would reveal that there were no hidden compartments or methods of unauthorized access.

    Now imagine the BallotMaster 3000. It has a slot on top for ballots to go in, and a pushbutton mechanism which, when the proper codes are entered, will cause all the ballots to emerge from a larger slot at the bottom. Before the election, all interested representatives may enter a code; after the election, they must all enter it again. The box provides an override code (in case a representative forgets his code), but the display will indicate how many times the box was opened in such fashion, and which codes were missing. Imagine further that not only is the box constructed of opaque material, but it is deliberately designed so that it’s impossible (supposedly) to get inside without breaking it.

    If the BallotMaster 3000 were implemented properly, it could offer good security. Why, though, should anyone who hadn’t supervised its design and construction, trust that it isn’t “rigged”? No matter how brilliantly designed all the tamper-proofing features would be if implemented to spec, the opaque nature of the design makes it impossible to confirm that the implementation matches the specifications.

    IMHO, no matter how much security one might try to add to the BallotMaster 3000, there’s no way it could be made as trustworthy as the plexiglass box.

  16. any opinion on “freeforall.tv/” documentary that is free online for July 4th in which Ed Felton is mentioned?
    http://www.freeforall.tv/

    my state (SC) uses ES&S machines and is run by Republicans who don’t want to hear about my concerns. the Democrats tried to bring up a vote for a paper trail for these machines and NOTHING happened.

    thanks

  17. Paper.

    Hand-counted.

    And don’t give me that “too expensive and doesn’t scale” crap. Canada conducts its federal elections that way, and it has the population of California, a vastly larger physical land area, and probably a smaller budget for such things. If Canada can do it that way, each separate State can, and if each separate state can, the US as a whole can.

  18. Supercat: I don’t disagree with anything you say, in principle. However, when you say “most users of the equipment will have to accept on faith that such procedures were followed” there is a problem. Just as representatives of all interested parties can verify the final tabulation, they can also be present at the configuration of the machines in the first place. This should not be done by vendors, but the central authority running the voting/election process.

    Trusted systems work on the premise that you don’t have 100% trust in your users, and they can be set up and even managed centrally without having to place any “trust” in anyone.

    What would you prefer, a transparent system where you could inspect, to find out if an e-voting mahine has been compromised, or a box that could not be compromised in the first place ?

    The integrity aspect of all audit trails can confirm all authorized set-up procedures were followed correctly and can verify that the results are accurate as well, which is really the bottom line.

    If it would please you better, we have ways to convert your open source box into such trusted systems. Perhaps that is the way to go. Transparency of code married to military grade policy enforcement. 🙂

  19. supercat says

    Rob Lewis: Actually, I disagree with that premise. Military security equipment is designed to be opaque; it thus requires that the users of the equipment trust those who supply it. There are procedures in place to prevent covert tampering of equipment, but most users of the equipment will have to accept on faith that such procedures were followed in its construction, acquisition, and delivery.

    Voting equipment should take the opposite approach–it needs to be as transparent as possible, save only for the information which is required to be concealed (i.e. how individual voters voted). The greater the transparency, the less need for other forms of security. For example, if the vote-recording media are write-protected at close of polls, representatives of all interested parties are allowed to read it immediately, and said representatives exchange digital signatures of the data they read, it would be impossible for anyone to alter the votes later without raising some red flags.

    Of course, that poses the question of what should happen if red flags are raised. In the case of the state of Washington, the answer seems to be “So long as the Democrat wins, ignore any problems”. If the appearance of more ballots than voters–in a quantity exceeding the margin of victory–isn’t sufficient to throw out an election, it’s unclear what would be.

  20. “but nobody in Texas does parallel testing”

    Travis County does parallel testing for all elections. That statement is incorrect

  21. Only systems that are a military grade security, (ie trusted systems with mandatory access controls and tamper proof audit trails) will ever be able to stand up to the scrutiny that would be required to deem them acceptable for such an important function.

  22. supercat says

    I would favor an open-source hardware/software design. A few key aspects:

    -1- Machines should be constructed so that they cannot write to the media containing code or ballot parameters.

    -2- It should be possible for representatives of all interested parties to read out the contents of all media used for the election, both immediately before the polls open and immediately after they close; the media should be physically write-protected at that time.

    -3- The machines should be constructed so as to allow X-ray inspection; chips should be used that are simple and big enough to allow X-ray confirmation of what they are. Not all machines would be X-rayed, but a random sampling would be. If any ‘weird’ machine is found, that would be a basis for further investigation.

    I don’t think any of those requirements should be hard to implement, but I can’t think of any way to make a trustworthy system that doesn’t do so.

  23. Leroy Clark says

    Isn’t it time for a movement for Open Source e voting software and hardware? If anything should be open source this is it.

  24. And paper ballots are better?

    Yes.

    * Paper is inexpensive.
    * Paper ballots do not require power. (Eliminating a whole class of DoS attacks).
    * Paper is insensitive to electro-static discharge (ESD).
    * Paper has good storage life.
    * Ink marks made on paper ballots are persistent.
    * Ink on paper, although lacking in tamper-resistance, can be relatively tamper-evident.
    * Ink on paper is voter-verifiable (for most voters).
    * Paper ballots are software-independent (SI).

  25. Nice post Dan.

    I’m sorry to hear that your frustration with Those Who Should Listen continues.

    Here in Ireland, there essentially continues to be no public discussion about the use of computers in voting, and our most recent (notorious) referendum used good ‘ol paper and pencil, much to our ex-Prime Minister’s chagrin, I suppose… 🙂

    Joe

  26. Sadly, in Finland, DREs will now also be piloted in municipal elections. The Finnish system (based on Scytl products integrated by TietoEnator) was audited by University of Turku, and the audit report found many glaring issues not unlike those that have been found in the US.

    Interestingly, like in Texas, this does not seem to stop the use of the systems but they will be taken into use with known vulnerabilities.

    • The big difference between what we had and what an attacker might have is that we had some (but not nearly all) source code to the system. An attacker who arranged for some equipment to “fall off the back of a truck” would be able to extract all of the software, in binary form, and then would need to go through a tedious process of reverse engineering before reaching parity with the access we had.

  27. Fred Brehm says

    Did Peter Lichtenheld describe the threat model that the voting machine companies use?

    From studying the software can you hypothesize a model that the software protects against?

    From his statement it seems that the software itself doesn’t need protections from threats because “elections professionals and procedures, and those professionals safeguard equipment and passwords, and physical barriers are there to inhibit tampering.” That’s the way to pass the buck!

  28. Did you dare suggest that an attacker might be an agent of an incumbent government and thus have ample support and unfettered access at the appropriate times?

    I suspect that the nuanced meaning of ‘attack’, in conveying the idea of an external threat, conditions a blind spot to the need for security against ‘friends of the state’.