May 6, 2016

Search Results for: voting


Internet Voting? Really?

Recently I gave a TEDx talk—I spoke at the local Princeton University TEDx event.  My topic was voting: America’s voting systems in the 19th and 20th century, and should we vote using the Internet?  You can see the talk here:


Internet Voting? Really?



Internet Voting, Utah GOP Primary Election

Utah’s Republican presidential primary was conducted today by Internet.  If you have your voter-registration PIN, or even if you don’t, visit and you will learn something about Internet voting!


VW = Voting Wulnerability

On Friday, the US Environmental Protection Agency (EPA) “accused the German automaker of using software to detect when the car is undergoing its periodic state emissions testing. Only during such tests are the cars’ full emissions control systems turned on. During normal driving situations, the controls are turned off, allowing the cars to spew as much as 40 times as much pollution as allowed under the Clean Air Act, the E.P.A. said.”  (NY Times coverage) The motivation for the “defeat device” was improved performance, although I haven’t seen whether “performance” in this case means faster acceleration or better fuel mileage.

So what does this have to do with voting?

For as long as I’ve been involved in voting (about a decade), technologists have expressed concerns about “logic and accuracy” (L&A) testing, which is the technique used by election officials to ensure that voting machines are working properly prior to election day.  In some states, such tests are written into law; in others, they are common practice.  But as is well understood by computer scientists (and doubtless scientists in other fields), testing can prove presence of flaws, but not their absence.

In particular, computer scientists have noted that clever (that is, malicious) software in a voting machine could behave “correctly” when it detects that L&A testing is occurring, and revert to its improper behavior when L&A testing is complete.  Such software could be introduced anywhere along the supply chain – by the vendor of the voting system, by someone in an elections office, or by an intruder who installs malware in voting systems without the knowledge of the vendor or elections office.  It really doesn’t matter who installs it – just that the capability is possible.

It’s not all that hard to write software that detects whether a given use is for L&A or a real election.  L&A testing frequently follows patterns, such as its use on dates other than the first Tuesday in November, or by patterns such as three Democratic votes, followed by two Republican votes, followed by one write-in vote, followed by closing the election.  And the malicious software doesn’t need to decide a priori if a given series of votes is L&A or a real election – it can make the decision when the election is closed down, and erase any evidence of the real votes.

Such concerns have generally been dismissed in the debate about voting system security.  But with all-electronic voting systems, especially Direct Recording Electronic (DRE) machines (such as the touch-screen machines common in many states), this threat has always been present.

And now, we have evidence “in the wild” that the threat can occur.  In this case, the vendor (Volkswagen) deliberately introduced software that detected whether it was in test mode or operational mode, and adjusted behavior accordingly.  Since the VW software had to prospectively make the decision whether to behave in test mode as the car engine is operating, this is far more difficult than a voting system, where the decision can be made retrospectively when the election is closed.

In the case of voting, the best solution today is optical scanned paper ballots.  That way, we have “ground truth” (the paper ballots) to compare to the reported totals.

The bottom line: it’s far too easy for software to detect its own usage, and change behavior accordingly.  When the result is increased pollution or a tampered election, we can’t take the risk.

Postscript: A colleague pointed out that malware has for years behaved differently when it “senses” that it’s being monitored, which is largely a similar behavior. In the VW and voting cases, though, the software isn’t trying to prevent being detected directly; it’s changing the behavior of the systems when it detects that it’s being monitored.


Decertifying the worst voting machine in the US

On Apr 14 2015, the Virginia State Board of Elections immediately decertified use of the AVS WinVote touchscreen Direct Recording Electronic (DRE) voting machine. This seems pretty minor, but it received a tremendous amount of pushback from some local election officials. In this post, I’ll explain how we got to that point, and what the problems were.

As one of my colleagues taught me, BLUF – Bottom Line Up Front. If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.
[Read more…]


Wall Street software failure and a relationship to voting

An article in The Register explains what happened in the Aug 1 2012 Wall Street glitch that cost Knight Capital $440M, resulted in a $12M fine, nearly bankrupted Knight Capital (and forced them to merge with someone else). In short, there were 8 servers that handled trades; 7 of them were correctly upgraded with new software, but the 8th was not. A particular type of transaction triggered the updated code, which worked properly on the upgraded servers. On the non-upgraded server, the transaction triggered an obsolete piece of software, which behaved altogether differently. The result was large numbers of incorrect “buy” transactions.

The bottom line is that the cause of the failure was a lack of careful procedures in how the software was deployed, coupled with a poor design choice that allowed a new feature to reuse a previously used obsolete option, which meant that the trigger (instead of being ignored or causing an error) caused an unanticipated result.

So what does this have to do with voting? [Read more…]


Internet Voting Snafu at USRowing

USRowing, the governing body for the sport of rowing in the U.S., recently announced the discovery of likely fraud in one of its leadership elections.

Further investigation into this region’s voting resulted in the determination that fraudulent ballots were cast in the Mid-Atlantic election that directly affected the outcome of the Mid-Atlantic Regional Director of the Board of Directors election only. Those responsible for the fraudulent ballots have not yet been identified.

[Read more…]


Internet Voting Security: Wishful Thinking Doesn’t Make It True

[The following is a post written at my invitation by Professor Duncan Buell from the University of South Carolina. Curiously, the poll Professor Buell mentions below is no longer listed in the list of past & present polls on the Courier-Journal site, but is available if you kept the link.]

On Thursday, March 21, in the midst of Kentucky’s deliberation over allowing votes to be cast over the Internet, the daily poll of the Louisville Courier-Journal asked the readers, “Should overseas military personnel be allowed to vote via the Internet?” This happened the day before their editorial rightly argued against Internet voting at this time.

One of the multiple choice answers was “Yes, it can be made just as secure as any balloting system.” This brings up the old adage, “we are all entitled to our own opinions, but we are not entitled to our own facts.” The simple fact is that Internet voting is possible – but it is definitely NOT as secure as some other balloting systems. This is not a matter of opinion, but a matter of fact. Votes cast over the Internet are easily subject to corruption in a number of different ways.

To illustrate this point, two colleagues, both former students, wrote simple software scripts that allowed us to vote multiple times in the paper’s opinion poll. We could have done this with repeated mouse clicks on the website, but the scripts allowed us to do it automatically, and by night’s end we had voted 60,000 times. The poll vendor’s website claims that it blocks repeated voting, but that claim is clearly not entirely true. We did not break in to change the totals. We did not breach the security of the Courier-Journal’s computers. We simply used programs instead of mouse clicks to vote on the poll website itself.
[Read more…]


How much does a botnet cost, and the impact on internet voting

A brief article on how much botnets cost to rent (more detail here) shows differing prices depending on whether you want US machines, European machines, etc. Interestingly, the highest prices go to botnets composed of US machines, presumably because the owners of those machines have more purchasing power and hence stealing credentials from those machines is more valuable. Even so, the value of each machine is quite low – $1000 for 10,000 infected US machines vs. $200 for 10,000 random machines around the world. [Reminds me of my youth where stamp collectors could get packets of random canceled stamps at different prices for “world” vs. specific countries – and most of the stuff in the world packets was trash.]

So what does this have to do with voting? Well, at $1000 for 10,000 infected American machines, the cost is $0.10/machine, and less as the quantity goes up. If I can “buy” (i.e., steal) votes in an internet voting scheme for $0.10 each, that’s far cheaper than any form of advertising. In a hard-fought election I’ll get a dozen fliers for each candidate on the ballot, each of which probably costs close to $1 when considering printing, postage, etc. So stealing votes is arguably 100 times cheaper (assuming that a large fraction of the populace were to vote by internet), even when considering the cost of developing the software that runs in the botnet.

Granted, not every machine in a botnet would be used for voting, even under the assumption that everyone voted by internet. But even if only 10% of them are, the cost per vote is still very “reasonable” under this scenario.

And as John Sebes responded in an earlier draft of this posting:

“You compared digital vote stealing costs to the costs of mere persuasion. What about the costs of analog vote stealing? It’s all anecdotal of course but I do hear that the going rate is about $35 from an absentee vote fraudster to a voter willing to sell a pre-signed absentee ballot kit. Even if the bad guys have to spend 100 of those dimes to get a 1-in-a-hundred machine that’s used for i-voting, that $10 is pretty good because $10 is cheaper than $35 and it saves the trouble of paying the gatherers who are at risk for a felony.”


Oral arguments in NJ voting-machines lawsuit appeal

The appellate hearing (oral argument) of the New Jersey voting-machines lawsuit (Gusciora v. Christie) has been rescheduled to March 5, 2013 in Trenton, NJ.

To learn what this is all about, and why you should attend, click here.

To recheck the location, time of day, and date of the hearing before you go down to Trenton, check this very post for updates.

Note new time!

Time:  10:00 a.m. 11:30 a.m., March 5, 2013  (but arrive significantly earlier, because it takes some time to get through security).

Place:  8th Floor, N. Wing, Hughes Justice Complex, Trenton, NJ.   Specifically,  Part E: Judges Messano, Ostrer and Lihotz.

Transportation:  If anyone from the Princeton area is interested in carpooling, send me mail.