December 22, 2024

Archives for 2004

Diebold Fails Yet Another Security Evaluation

A group of ex-NSA security experts, hired by the state of Maryland to evaluate the state’s Diebold electronic voting systems, found the systems riddled with basic security flaws. This confirmed two previous studies, one led by Johns Hopkins researchers and one by SAIC. Here are some excerpts from John Schwartz’s New York Times story:

Electronic voting machines made by Diebold Inc. that are widely used in several states have such poor computer security and physical security that an election could be disrupted or even stolen by corrupt insiders or determined outsiders, according to a new report presented today to Maryland state legislators.

The authors of the report said that they had expected a higher degree of security in the design of the machines. “We were genuinely surprised at the basic level of the exploits” that allowed tampering, said Mr. Wertheimer, a former security expert for the National Security Agency.

William A. Arbaugh, an assistant professor of computer science at the University of Maryland and a member of the Red Team exercise, said, “I can say with confidence that nobody looked at the system with an eye to security who understands security.”

Read the second (on-line) page of the NYT story for a litany of problems the team found. In short, they could easily corrupt individual voting machines so that they counted votes for the wrong candidate or not at all; they could introduce false vote counts for whole precincts into the central vote-tallying server; or they could use well-known hostile exploits to seize control of the servers remotely.

Diebold’s response?

In a statement released today, Bob Urosevich, president of Diebold Election Systems, said this report and another by the Science Applications International Corporation “confirm the accuracy and security of Maryland’s voting procedures and our voting systems as they exist today.”

Mr. Urosevich added: “With that said, in our continued spirit of innovation and industry leadership, there will always be room for improvement and refinement. This is especially true in assuring the utmost security in elections.”

University of Maryland professor Bill Arbaugh, one of the study participants and a genuine security expert, gets the last word: “It seemed everywhere we scratched, there was something that’s pretty troubling.”

Dean's Smart-Card Speech

Declan McCullagh at CNet news.com criticizes a speech given by Howard Dean about two years ago, in which Dean called for aggressive adoption of smartcard-based state driver’s licenses and smartcard readers. Declan highlights the privacy-endangering aspects of the smartcard agenda, and paints Dean as a hypocrite for pushing that agenda while positioning himself as pro-privacy.

Larry Lessig (among others) argues that Declan mischaracterized Dean’s speech, and urges people to read the text of Dean’s speech. Others have compared this incident to Declan’s infamous role in manufacturing the “Al Gore claims to have invented the Internet” meme back in 2000.

There is certainly a disconnect between the tone of Declan’s article and that of Dean’s speech. Reading the speech, we see Dean genuflecting properly, and at length, to the importance of privacy. We don’t hear about that in Declan’s article.

But Declan’s omissions aren’t the whole story. The first half of Declan’s piece quotes extensively from Dean’s speech, and it portrays accurately the technical proposal that Dean was endorsing. Declan’s reaction to that technical agenda is not unreasonable. For example, a National Academy study report on national ID technologies took a position closer to Declan’s than to Dean’s.

The fact is that there is a deep disconnect between the different sections of Dean’s speech. It’s hard to reconcile the privacy-is-paramount part of the speech with the smartcards-everywhere part. At least, it’s hard to reconcile them if you really understand the technology. Dean makes a compelling argument that computer security is important, and he makes an equally compelling argument in favor of preserving privacy. But how can we have both? Enter the smartcard as deus ex machina. It sounds good, but unfortunately it’s not a technically sound argument.

Now, nobody expects state governors to understand technology well enough to spot the technical flaws in Dean’s speech. Probably, nobody advising Dean at the time had the knowledge to notice the problem. That’s not good; but it hardly makes Dean unique.

At bottom, what we have here is a mistake by Dean, in deciding to give a speech recommending specific technical steps whose consequences he didn’t fully understand. That’s not good. But on the scale of campaign gaffes, this one seems pretty minor.

[Disclaimer: My longstanding policy is to avoid partisan politics on this blog. I’m commenting on this issue because of my expertise in computer security, and not to make a political point or to urge anyone to vote for or against Dean.]

Was the Senate File Pilfering Criminal?

Some people have argued that the Senate file pilfering could not have violated the law, because the files were reportedly on a shared network drive that was not password-protected. (See, for instance, Jack Shafer’s Slate article.) Assuming those facts, were the accesses unlawful?

Here’s the relevant wording from the Computer Fraud and Abuse Act (18 U.S.C. 1030):

Whoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any department or agency of the United States … shall be punished as provided in subsection (c) …

[T]he term ”exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

To my non-lawyer’s eye, this looks like a judgment call. It seems not to matter that the files were on a shared server or that the staffers may have been entitled to access other files on that server.

The key issue is whether the staffers were “entitled to” access the particular files in question. And this issue, to me at least, doesn’t look clear-cut. The fact that it was easy to access the files isn’t dispositive – “entitled to access” is not the same as “able to access”. (An “able to access” exception would render the provision vacuous – a violation would require someone to access information that they are unable to access.)

The lack of password protection cuts in favor of an entitlement to access, if failure to protect the files is taken to indicate a decision not to protect them, or at least an indifference to whether they were protected. But if the perpetrators knew that the failure to use password protection was a mistake, that would cut against entitlement. The rules and practices of the Senate seem relevant too, but I don’t know much about them.

The bottom line is that unsupported claims that the accesses were obviously lawful, or obviously unlawful, should be taken with a large grain of salt. I’d love to hear the opinion of a lawyer experienced with the CFAA.

(Disclaimer: This post is only about whether the accesses were lawful. Even if lawful, they appear unethical.)

Senate File Pilfering "Extensive"

Charlie Savage reports in today’s Boston Globe:

Republican staff members of the US Senate Judiciary Commitee infiltrated opposition computer files for a year, monitoring secret strategy memos and periodically passing on copies to the media, Senate officials told The Globe.

From the spring of 2002 until at least April 2003, members of the GOP committee staff exploited a computer glitch that allowed them to access restricted Democratic communications without a password. Trolling through hundreds of memos, they were able to read talking points and accounts of private meetings discussing which judicial nominees Democrats would fight – and with what tactics.

We already knew there were unauthorized accesses; the news here is that they were much more extensive than had previously been revealed, and that the results of the snooping were leaked to the media on several occasions.

Committee Chairman Orrin Hatch (a Republican) has strongly condemned the accesses, saying that he is “mortified that this improper, unethical and simply unacceptable breach of confidential files may have occurred on my watch.”

The accesses were possible because of a technician’s error, according to the Globe story:

A technician hired by the new judiciary chairman, Patrick Leahy, Democrat of Vermont, apparently made a mistake [in 2001] that allowed anyone to access newly created accounts on a Judiciary Committee server shared by both parties – even though the accounts were supposed to restrict access only to those with the right password.

An investigation is ongoing. It sounds like the investigators have a pretty good idea who the culprits are. Based on Sen. Hatch’s statement, it’s pretty clear that people will be fired. Criminal charges seem likely as well.

UPDATE (Friday, January 23): Today’s New York Times runs a surprisingly flat story by Neil A. Lewis. The story seems to buy the accused staffer’s lame rationalization of the accesses, and it treats the investigation, rather than the improper acts being investigated, as the main news. The headline even refers, euphemistically, to files that “went astray”. How much of this is sour grapes at being beaten to this story by the Globe?

Report Critical of Internet Voting

Four respected computer scientists, members of a government-commissioned study panel, have published a report critical of SERVE, a proposed system to let overseas military people vote in elections via a website. (Links: the report itself; John Schwartz story at N.Y. Times; Dan Keating story at Washington Post.) The report’s authors are David Jefferson, Avi Rubin, Barbara Simons, and David Wagner. The problem is not in the design of the voting technology itself, but in the simple fact that it is built on ordinary PCs and the Internet, leaving it open to all of the standard security attacks that ordinary systems face:

The real barrier to success is not a lack of vision, skill, resources, or dedication; it is the fact that, given the current Internet and PC security technology, and the goal of a secure, all-electronic remote voting system, the [program] has taken on an essentially impossible task. There really is no good way to build such a voting system without a radical change in overall architecture of the Internet and the PC, or some unforeseen security breakthrough.

SERVE advocates have two reponses. The first is simple stonewalling (for example, saying “We have addressed all of those problems”, which is just false). I’ll ignore the stonewalling. The second response, which does have some force, says that SERVE is worth pursuing as an experiment. An experiment would have some value in understanding user-interface issues relating to e-voting; and the security risk would be acceptable as long as the experiment was small.

The authors of the report disagree, because they worry that the “experiment” would not be an experiment at all but just the first phase of deployment of a manifestly insecure system. If an experiment is done, and no fraud occurs – or at least no fraud is detected – this might be taken as showing that the system is secure, which it clearly is not.

This reminds me of an analogy used by the physicist Richard Feynman to criticize NASA’s safety culture after the Challenger space shuttle accident. (Feynman served on the Challenger commission, and famously demonstrated the brittleness of the rubber O-ring material by dunking it in his glass of ice water during a hearing.) Feynman likened NASA to a man playing Russian Roulette. The man spins the cylinder, puts the gun to his head, and pulls the trigger. Click; he survives. “Aha!” the man says, “This must be safe.”

UPDATE (Saturday, January 24): The Washington Post site has a chat with Avi Rubin, one of the report’s authors.

UPDATE (Thursday, February 6): The DoD has decided not to use SERVE in the November 2004 elections.