Diebold issued a response to our e-voting report. While we feel our paper already addresses all the issues they raise, here is a point by point rebuttal. Diebold's statement is in italics, our response in normal type.
Three people from the Center for Information Technology Policy and Department of Computer Science at Princeton University today released a study of a Diebold Election Systems AccuVote-TS unit they received from an undisclosed source. The unit has security software that was two generations old, and to our knowledge is not used anywhere in the country.
We studied the most recent software version available to us. The version we studied has been used in national elections, and Diebold claimed at the time that it was perfectly secure and could not possibly be subject to the kinds of malicious code injection attacks that our paper and video demonstrate. In short, Diebold made the same kinds of claims about this version – claims that turned out to be wrong – that they are now making about their more recent versions.
Normal security procedures were ignored. Numbered security tape, 18 enclosure screws and numbered security tags were destroyed or missing so that the researchers could get inside the unit.
This is incorrect. Far from ignoring Diebold's "normal security procedures", we made them a main focus of our study.
The tape and seals are discussed in our paper (e.g., in Section 5.2), where we explain why they are not impediments to the attacks we describe. The main attack does not require removal of any screws. Contrary to Diebold's implication here, our paper accounts for these measures and explains why they do not prevent the attacks we describe. Indeed, Diebold does not claim that these measures would prevent any of our attacks.
A virus was introduced to a machine that is never attached to a network.
This is irrelevant. Our paper describes how the virus propagates (see Sections 2.2.2 and 4.3) via memory cards, without requiring any network.
By any standard – academic or common sense – the study is unrealistic and inaccurate.
This is little more than name-calling.
For an academic evaluation, ask our academic colleagues. We'd be happy to provide a long list of names.
We demonstrated these problems on our video, and again in live demos on Fox News and CNN. Common sense says to believe your eyes, not unsubstantiated claims that a technology is secure.
The current generation of AccuVote-TS software – software that is used today on AccuVote-TS units in the United States – features the most advanced security features, including Advanced Encryption Standard 128 bit data encryption, Digitally Signed memory card data, Secure Socket Layer (SSL) data encryption for transmitted results, dynamic passwords, and more.
As above, Diebold does not assert that any of these measures would prevent the attacks described in our paper. Nor do we see any reason why they would.
These touch screen voting stations are stand-alone units that are never networked together and contain their own individual digitally signed memory cards.
As discussed above, the lack of networking is irrelevant. We never claim the machines are networked, and we explain in our paper (e.g. Sections 2.2.2 and 4.3) how the virus propagates using memory cards, without requiring a network.
Again, Diebold does not claim that these measures would prevent the attacks described in our paper.
In addition to this extensive security, the report all but ignores physical security and election procedures. Every local jurisdiction secures its voting machines – every voting machine, not just electronic machines. Electronic machines are secured with security tape and numbered security seals that would reveal any sign of tampering.
Our paper discusses physical security, election procedures, security tape, and numbered security seals. See, for example, Sections 3.3 and 5.2 of our paper. These sections and others explain why these measures do not prevent the attacks we describe. And once again, Diebold does not assert that they would.
Diebold strongly disagrees with the conclusion of the Princeton report. Secure voting equipment, proper procedures and adequate testing assure an accurate voting process that has been confirmed through numerous, stringent accuracy tests and third party security analysis.
Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day.
Secure voting equipment and adequate testing would assure accurate voting – if we had them. To our knowledge, every independent third party analysis of the AccuVote-TS has found serious problems, including the Hopkins/Rice report, the SAIC report, the RABA report, the Compuware report, and now our report. Diebold ignores all of these results, and still tries to prevent third-party studies of its system.
If Diebold really believes its latest systems are secure, it should allow third parties like us to evaluate them.

Sounds like Diebold uses the minibar keys for more than just their voting machine locks.
Diebold, for the best election results the highest bidder can buy!
Surely, the foundation of democracy is in its honest, free, open, transparent, independent and verifiable elections. Diebold machines, clearly, cannot provide these and indeed, the very use of these machines hinders the accuracy and honesty and openness of elections, and the democracy upon which these are supposed to stand.
Elections must be clear and open and beyond reproach. They should be honest and accurate and seen to be so. For if the USA is going to lecture and then launch wars in pursuit of democracy elsewhere, surely their own elections MUST be unquestionably honest and accurate.
This creates BIG questions and so long as these questions are there, the whole of the democratic election of the government MUST remain in doubt.
The USA is not a democracy and nobody can independently verify that GW Bush was ever democratically elected.
Ed: I know this sounds far-fetched, but I don't think it would be a bad idea to talk to a lawyer about possible libel claims against Diebold. They have used factual misrepresentations to support a public statement about your professional inadequacy. Perhaps Princeton's in-house counsel could provide an opinion and/or a referral.
When I voted last week in Maryland, I was confronted by one of these machines. When I asked the election official at the polling place if it was possible to do a paper verified hand-recount, I was told that there was a printout, but it was sealed within the machine. I asked if it was possible for me to verify that my vote was recorded appropriately (or even recorded at all), I was told that it was not possible.
Why do we need instant feedback and results on election day? Why not use printed paper ballots on which we use an ink pen to mark our choice and publicly monitored hand counting -- even if it takes a few days to get results?
Any "voting machine" that uses closed technology with no way to independently verify machine settings or compare results with the voter's intention is a fraud. The voter is unable to verify that the machine actually recorded their ballot as they voted, or even if their vote was recorded at all!
In the mcLibel case the trial was a huge win for the anti mcDonalds movement. In court they will have to prove their claims. This could backfire big time for Diebold.
Sue them!
Thank you for doing this important work.
Do you plan to put the virus code in the public domain?
Yes, I see they're really concerned about security; enough for the marketing department to throw out buzzwords and acronyms in an attempt to fool those who think computers are magic. And they're arrogant enough to think this bullshit will work on _professionals that know far more than they do_.
That in itself is reason to reject any use of their product.
This comment on reddit deserves to be addressed:
"Digitally Signed memory card data"
"As above, Diebold does not assert that any of these measures would prevent the attacks described in our paper. Nor do we see any reason why they would. "
while I don't claim it couldn't be cracked, if the machine requires that a memory card be signed with a Diebold private key, that would seem to answer the question of why their modified memory card hack would be a lot harder than the description in the original paper in which they simply loaded their own code.
The solution is for every voter to request an absentee ballot. I believe Oregon uses mail in ballots exclusively. While this may not be possible for 100% of voters, wouldn't it work for +90%?
Apparently, nobody at Diebold has been using computers long enough to remember the days when viruses spread by floppies.
Who do you want to win?
The totalitarians or the terrorists?
Vote wisely.
Germany uses paper ballots, which are counted by representatives of each party among the government workers; it takes a couple of days, which no one minds. My German friends are praying that we may soon return to a real democracy, the kind we helped them achieve after WWII.
And bless you Princeton guys for having done this work and putting it out there.
I agree with the "absentee ballot" protest. I plan to use one this year!
- Precision Blogger
Canada also uses paper ballots, which are counted by the polling officers from Elections Canada, the federal, non-partisan body responsible for holding elections. Tabulation is performed at the polling place, and is completed within hours of the poll closing. There is no reason why this system could not be used in the United States; efficiency is not a real issue as the manpower necessary to staff the polling places is the same manpower used to count the votes. Indeed, the decentralization necessary to efficiently count the votes is an excellent deterrent to large scale vote tampering, as no one person has access to ballots from more than one small precinct.
[...] Recently, Diebold responded to the report in a PDF, and said, basically that the machines they tested were old and had outdated software, that the machines would not be tied to a network to spread the virus and called the report unrealistic and inaccurate, essentially attacking the reviewers trying to deflect the criticism. Well, Ed Felten posted their response to Diebold. We studied the most recent software version available to us. The version we studied has been used in national elections, and Diebold claimed at the time that it was perfectly secure and could not possibly be subject to the kinds of malicious code injection attacks that our paper and video demonstrate. In short, Diebold made the same kinds of claims about this version — claims that turned out to be wrong — that they are now making about their more recent versions. [...]
Personally, I'm worried about political parties using these "features" in order to "win" an election. I'm not even convinced that it wasn't intended to be the way it is (insecure). Of course, I always lean towards conspiracy theories when given the opportunity. What? Bush won a third term? How the hell did that happen? Oh... Diebold....
Diebold's response convinced me (long before I read your reply to it) that they don't even understand what the security issues are.
So, Diebold says that the machines are never networked, but that they employ SSL?
Ed, can you tell us what SSL is used for on these machines?
> "If Diebold really believes its latest systems are secure, it should allow third parties like us to evaluate them."
If you've contacted them requesting the opportunity to do this, have they responded? If so, could you print the exchange in a blog post and link to it from this one?
What we really need is a person to win the election that is truly detestable to all parties (say, Saddam or bin Laden). That way, we will have both the minority party and the majority party working on election reform!
Brian,
The machine can dial up to the central election office to download the ballot before an election or to upload the results afterward. SSL would be used over those dialup connections.
In the security world when a vendor fails to cooperate with whitehats identifying vulnerabilities in their software, pretty much the only choice is to force them to deal with their problems by making them as public and exploitable as possible. I hope you've considered releasing the injectable software to the public and making the coming election as insecure as possible.
My virus will kill the ballot download process and use its own instead. My ballot will look like this:
---------------------------------------------
o Democratic Candidate
o Candidate of the Democratic Party
o Libertarian Candidate
o other Democrat _______
----------------------------------------------
Brian Jones Said:
"So, Diebold says that the machines are never networked, but that they employ SSL?"
And Ed Felten Then Said:
"The machine can dial up to the central election office to download the ballot before an election or to upload the results afterward. SSL would be used over those dialup connections."
...
... ... ...
... ... ... ...
... So Diebold doesn't understand what "network" means...
And the machines issuing ballots and taking the results are...?
I'm not sure if this is known on the latest generation of the machines, but it seems to me if they're requiring that the code updates that it automatically installs from the card be digitally signed, then this _would_ defeat the attack described in the paper.
Do they sign only the data from the election, or are the code updates also digitally signed? If this is being done, how does the attack get around the signature check?
Rob,
Based on documents we have seen, we believe that Diebold's claimed "digital signature" is not really a digital signature, in the sense that a cryptographer would use that term. To be effective, a "digital signature" would have to (a) really be a digital signature, (b) cover the correct data, and (c) be checked at the right time. Based on the documents, we believe that at least one, and possibly more, of these criteria are not met by Diebold's current design.
Now how long will it be before someone claims that they are "digital signatures just like the ones used by UN nuclear inspection teams!"
Also, on the TSx (the newer model), the digital signing was only of election data...
RE the note about paper voting in Canada:
Surely, you jest. It's extremely difficult to get enough pollworkers as it is--and those people spend 15+ hours now (an hour early to set up, 7a to 8 p polling, an hour to take down [paperwork too], plus taking vote stuff to the central location--county courthouse here).
I firmly agree we need to fix this electronic voting problem, but I think paper printouts would be better. Or allow several days to count paper.
Meanwhile, I vote early on paper.
skitch: Don't worry, the coming election will be as insecure as possible anyway. The people in charge of that don't need Ed Felten's help to do so, and wouldn't trust him anyway.
Note: I was incorrect above, the MAC encryption on the TSx appears to cover almost all data stored on the memory card.
[...] Diebold does not allow third-party evaluation of their systems. [...]
A woman on another website came up with this idea, which is along the lines of John J's idea:
"I can think of a solution to the voting machines debacle. It can be done too. If the voting machines are already rigged and they can be hacked as easily as it seems, then I hope someone comes along with the bright idea of making the machines come up with such an impossible win (say they show that Ghengis Khan wins by 99% of the votes) that the elections will have to be held again, only with paper ballots. It’ll be proven once and for all that they are RIGGED AND RIGGABLE!"
I'm all for the good old fashioned paper voting system. But let's admit it. If someone was desperate enough to want to swing a vote in someone's favour, they could. Knowing the right people and having a large enough bank balance can get you almost anything. In a way paper voting is just as susceptible to errors as electronics when you think about it. Perhaps a better method is needed for the future of voting... mind probe voting perhaps? :)
Overseer Said:
"If someone was desperate enough to want to swing a vote in someone's favour, they could. Knowing the right people and having a large enough bank balance can get you almost anything."
True for sufficiently large values of "right people" and "bank balance" but that's American politics, right?
"In a way paper voting is just as susceptible to errors as electronics when you think about it."
But we're not talking about errors here (except in regards to Diebold's engineering errors)
we're talking about an insecure setup that allows one voter to screw with the votes of many... a system that Diebold insisted long and loudly was "perfect".
"Perhaps a better method is needed for the future of voting…"
Yes, but even the current fiasco can be improved with some effort… and some research… and some expenditure… on Diebold’s part... with some external oversight...
"mind probe voting perhaps? :)"
Forcing the evolution of a better voting machine... with Diebold paying… :)
Rob Adams said:
>I’m not sure if this is known on the latest generation of the machines, but it seems to me if they’re requiring that the code updates that it automatically installs from the card be digitally signed, then this _would_ defeat the attack described in the paper.
Such an attack need not replace true votes with fraudulent counts (plus a valid signature), but could also be used simply to invalidate the results of individual machines. Say, in a precinct which heavily favors your opponent. With enough machines invalidated, chaos ensues. This seems more likely as a scenario because each precinct knows (independent of the machines) how many voters came through, so a machine with a record of 4000 votes for Mr. X is obviously invalid when the entire precinct only had 720 voters show up that day ... so the vote forger would need to shift votes from Mr. Y to Mr. X while staying fairly close to the real vote total that was on that machine (but need not be exact, since not every voter votes in every race), but without seeing that number beforehand.
Keep up the great work, Ed.
About the digital signing of memory cards:
6 years ago when we broke SDMI, one of the components was a digital signature of compact discs---to identify factory originals, under the assumption that all CD burners would refuse to propagate the signature.
The signature track was whopping huge in size, but only encoded a 16-bit signature (!!) which didn't even seem to be uniformly distributed. We found hash collisions in SDMI's own sample data of 100 signatures.
That was more properly a checksum, since the phrase "digital signature" carries some connotation of security, or difficulty of forgery. As far as we could tell, it was unreliable as a digital signature.
The message is: trust these things only when the software people actually tells you what they are doing. Are they signing code and firmware updates? Using what signature algorithm, what hash? It is customary for these things to be disclosed in security products that people trust.
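The two comments above (Felten's three criteria for a useful signature check, and the SDMI "signature" that was really a 16-bit checksum) can be made concrete with a toy memory-card verifier. This is an added example, not code from the post, from Diebold or from SDMI; the card layout, field names, key and messages are constructed, and HMAC stands in for a signature only because the Python standard library has no public-key signing (the coverage and timing lessons are the same for a real signature).

```python
import hashlib
import hmac
import struct
import zlib

# Constructed demo secret. For a true digital signature the machine would hold only a
# PUBLIC verification key; the signing key would never be on the card or the machine.
VERIFY_KEY = b"constructed-demo-key-not-real"


def build_card(code: bytes, election: bytes, tag_fn) -> dict:
    """A toy memory card: code the machine will load, the election data, and a tag."""
    return {"code": code, "election": election, "tag": tag_fn(code, election)}


def verify(card: dict, tag_fn) -> bool:
    """Recompute the tag over the card contents and compare in constant time."""
    return hmac.compare_digest(tag_fn(card["code"], card["election"]), card["tag"])


# (a) Not really a signature: a 16-bit checksum (SDMI-sized) that anyone can recompute,
#     so a changed card carrying a freshly computed checksum is indistinguishable.
def checksum_tag(code: bytes, election: bytes) -> bytes:
    return struct.pack(">H", zlib.crc32(code + election) & 0xFFFF)


# (b) Coverage: a keyed tag over the election data alone says nothing about the code.
def mac_election_only(code: bytes, election: bytes) -> bytes:
    return hmac.new(VERIFY_KEY, election, hashlib.sha256).digest()


def mac_all(code: bytes, election: bytes) -> bytes:
    msg = struct.pack(">I", len(code)) + code + election  # length-prefixed to avoid ambiguity
    return hmac.new(VERIFY_KEY, msg, hashlib.sha256).digest()


# (c) Timing: a toy machine that either trusts a check made at insertion or re-checks
#     immediately before it loads code from the card.
class Machine:
    def __init__(self, check_at_use: bool):
        self.check_at_use = check_at_use
        self.card = None
        self.ok_at_insert = False

    def insert(self, card: dict) -> None:
        self.card = card
        self.ok_at_insert = verify(card, mac_all)

    def load_code(self) -> str:
        ok = verify(self.card, mac_all) if self.check_at_use else self.ok_at_insert
        return "loaded" if ok else "rejected"


def demo() -> dict:
    code = b"application image (constructed)"
    election = b"ballot definition (constructed)"
    other_code = b"some other image (constructed)"
    results = {}

    # (a) A card with different code and a recomputed checksum still "verifies".
    card = build_card(other_code, election, checksum_tag)
    results["checksum_recomputed_passes"] = verify(card, checksum_tag)

    # (b) Election-only tag: same election data, different code, same tag -> passes.
    genuine = build_card(code, election, mac_election_only)
    results["election_only_ignores_code"] = verify(dict(genuine, code=other_code), mac_election_only)
    genuine_all = build_card(code, election, mac_all)
    results["full_coverage_genuine"] = verify(genuine_all, mac_all)
    results["full_coverage_detects_code_change"] = verify(dict(genuine_all, code=other_code), mac_all)

    # (c) Same full-coverage card, but its contents change between the check and the use.
    for name, at_use in (("check_at_insert", False), ("check_at_use", True)):
        m = Machine(check_at_use=at_use)
        m.insert(genuine_all)
        m.card = dict(genuine_all, code=other_code)  # altered after the insertion-time check
        results[name] = m.load_code()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the variant that covers both code and election data, and is checked right before the code is used, rejects the altered card; that is the sense in which the disclosure the comment asks for (what is signed, with what, and when it is checked) matters.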
Possible solution: Simply triple check!
From one side you could have a "choosing box" where you choose your candidate; once you've chosen, the ballot is stored in that machine, and it BOTH prints your vote (indicating your vote and the machine from which it was cast) and records it on the voting card. Then you go with this card to a SECOND machine (the "Hub" ballot box machine) in which all of the votes for a number of choosing boxes are stored, and here you can recheck your vote, consolidating it (the time per voter in this machine would be very low because you would only need to confirm your ballot).
Finally you deposit the voting paper given by the first machine in a third box (from which some % should be manually verified to match in BOTH types of machines). The sum of all choosing machines should match perfectly by number of votes per candidate and per machine with the information on the Hub machine.
In this way ALL the votes would finally be on paper if any trouble appears with the checking of the machines, and the probability of hacking all of the choosing machines involved in order to have a perfect match between all of them and the final ballot box machine is much much lower.
Is my process too complicated?
You've got to hit them in the pocketbook.
My suggestion is here.
Jim H.
Sandie: I am quite serious, please read the first entry in this FAQ:
http://www.elections.ca/content.asp?section=faq&document=faqelec&lang=e&...
I'm quite sure CNN or Fox would love to see you and your assistants try to hack some other Diebold machine at random that would be used in the upcoming election (not one specially prepared by them).
Anyone who lived during the 3.5" floppy era remembers they were the first way viruses were spread - via sneakernet! Even if you encrypted all the data on the floppy, the boot sector could still install the virus.
And I don't know of any way to show it up except to do something obvious like a 3rd party candidate getting 95% of the vote in the upcoming election.
Geeks United and Elect Geek Politicians who can actually understand what they are writing laws about.
Why anyone is surprised with the findings of Diebold's electronic voting machines is what amazes me! After all at a political fund raising event for current President George Bush, the president/owner of Diebold stated he guaranteed the election for Bush......
Several years ago it was pointed out that Diebold's system had over 400+ errors that prohibited accurate votes from being counted! Duh????
[...] Felten dissected Byrd’s claims on his Freedom to Tinker blog. Most notably, Felten indicated several times that the measures extolled by Byrd would not stop the attacks the researchers were able to accomplish. [...]
Forgive someone commenting from England on US Election processes but we'll probably follow where you lead ...
Aren't you making the mistaken assumption that Diebold want the machines to be secure? They want the voters to be deceived about this - but maybe it is useful to Diebold and other parties if the machines are easy to hack ...
There are already problems with the election process. As a precinct worker, I have seen at least one ballot be made meaningless at every election I have worked for in the past ten years, even without e-voting.
Voters have neglected to check their ballot after it has been marked, and placed in the ballot box, with every available technology, chad punch spikes, and ink marking devices.
The precinct workers don't know about it until the polls are closed, when the ballots are being checked not for votes, but just to count the number of ballots to make sure that figure matches the number of voters according to the roster.
There is no way to go back and see if the voter intended to submit a blank ballot, perhaps sending some sort of "signal" that they are objecting to the election. At the precinct level, we see the reality of secret ballot one-man one-vote, and how fragile that can be. I know for sure that sometimes the elderly infirm voters have complained that the spikes didn't work right, and that they have become confused by the rubber stamp that has replaced the spikes (although they look superficially the same), and they thought something was wrong.
Once recently, a voter slipped her ballot into the voting machine when it was folded, and the precinct inspector (the boss of the other precinct workers) didn't realize the machine was jammed until a few other voters had used the same voting machine, so at least a few votes didn't get counted properly. That's only a few in my precinct, but multiply that by every precinct, and that's a significant chunk of the voting population.
It's hard to believe that this is happening here and now. It feels like speculative fiction.
It's awesome that researchers at a respected university have gone to the trouble to try to save and restore election integrity.
Note to those Diebold shills living in a corporate-mandated fairyland.
Yes, older election techniques have had troubles, but look up "Maryland" "Election" and "Debacle". And that's just the latest edition of the Diebold follies.
Diebold has had severe problems in getting its "perfect" election solution to work right... and then Diebold proceeds to lie nonstop about said solution.
And this is with people one would assume were doing their best to make the Diebold system work properly.
Now add to that the very real and verifiable potentials for deliberate misuse as documented by the Princeton team, mix in Diebold's nonstop lying, deception and evasion regarding those potentials, and you lay the groundwork for a truly monstrous perversion of the electoral process.
Which would lead to the grimly humorous scenario of senior citizens not only being unable to vote properly because of Diebold's screwups, instead of the old-fashioned punch card screwups, but of them then realizing that their entire effort would have been wasted anyway... because someone injected malicious code into the software.
It is unclear from reading the various responses whether Diebold's digital signatures on their memory cards would prevent the malicious software from being injected into the machines. This is a big question that Diebold should answer in a complete and professional manner.
The big problem is that Diebold will not disclose their security strategy and techniques except in the most general terms. If they did, the security community could take a crack at them and the result would/could be a bullet-proof system.
Seems to me that a good short-term fix would be to use the existing printers to print out a paper result for each vote cast in 2 copies. One goes to the voter, and one stays in the polling place. A barcode would be very helpful in case a recount is needed.
The paper would have to be replenished more often, but at least each vote would be recorded on paper in a form the voter could verify, and the precinct's copy could be used in a recount, making it pretty foolish to try and hack the machines.