July 25, 2016


More California E-Voting Reports Released; More Bad News

Yesterday the California Secretary of State released the reports of three source code study teams that analyzed the source code of e-voting systems from Diebold, Hart InterCivic, and Sequoia.

All three reports found many serious vulnerabilities. It seems likely that computer viruses could be constructed that could infect any of the three systems, spread between voting machines, and steal votes on the infected machines. All three systems use central tabulators (machines at election headquarters that accumulate ballots and report election results) that can be penetrated without great effort.

It’s hard to convey the magnitude of the problems in a short blog post. You really have to read through the reports – the shortest one is 78 pages – to appreciate the sheer volume and diversity of severe vulnerabilities.

It is interesting (at least to me as a computer security guy) to see how often the three companies made similar mistakes. They misuse cryptography in the same ways: using fixed unchangeable keys, using ciphers in ECB mode, using a cyclic redundancy code for data integrity, and so on. Their central tabulators use poorly protected database software. Their code suffers from buffer overflows, integer overflow errors, and format string vulnerabilities. They store votes in a way that compromises the secret ballot.
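As an added illustration (not code from the reports or from any vendor) of two of the misuses just listed, a CRC used for integrity and fixed keys, this Python sketch seals a constructed tally record with an unkeyed CRC32 and with an HMAC and shows which one an altered record survives; the record layout and the keys are assumptions made for the example.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample tally record; not a real vendor format.
SAMPLE_RECORD = {"precinct": "0042", "contest": "Mayor", "alice": 812, "bob": 797}


def encode(record: dict) -> bytes:
    """Canonical byte form of a record (sort_keys makes it deterministic)."""
    return json.dumps(record, sort_keys=True).encode()


def crc_seal(record: dict) -> bytes:
    """The unkeyed 'integrity' tag the reports criticise: a CRC32 of the data."""
    return zlib.crc32(encode(record)).to_bytes(4, "big")


def crc_verify(record: dict, tag: bytes) -> bool:
    return crc_seal(record) == tag


def hmac_seal(record: dict, key: bytes) -> bytes:
    """Keyed tag: HMAC-SHA256 under a key the verifying side holds."""
    return hmac.new(key, encode(record), hashlib.sha256).digest()


def hmac_verify(record: dict, tag: bytes, key: bytes) -> bool:
    # compare_digest keeps the comparison time independent of where tags differ.
    return hmac.compare_digest(hmac_seal(record, key), tag)


def altered_copy(record: dict) -> dict:
    """Model of a record changed on the storage medium: the two counts swapped."""
    changed = dict(record)
    changed["alice"], changed["bob"] = record["bob"], record["alice"]
    return changed


def demo() -> dict:
    """Return which (record, tag) pairs each scheme accepts."""
    per_election_key = b"constructed key, known only to the canvass side"
    leaked_fixed_key = per_election_key  # models a key hard-coded into every machine
    crc_tag = crc_seal(SAMPLE_RECORD)
    mac_tag = hmac_seal(SAMPLE_RECORD, per_election_key)
    altered = altered_copy(SAMPLE_RECORD)
    return {
        "crc_ok_original": crc_verify(SAMPLE_RECORD, crc_tag),
        # Whoever can rewrite the medium can recompute the CRC, since no secret
        # is involved, so a changed record plus a fresh CRC verifies. A CRC only
        # detects accidental corruption, never deliberate change.
        "crc_ok_altered_resealed": crc_verify(altered, crc_seal(altered)),
        "hmac_ok_original": hmac_verify(SAMPLE_RECORD, mac_tag, per_election_key),
        # The old tag no longer matches the changed record, and a new one cannot
        # be computed without the key: the change is detected.
        "hmac_ok_altered_old_tag": hmac_verify(altered, mac_tag, per_election_key),
        # ...unless the key is fixed and shared by every machine, in which case
        # reading it out of one unit lets a valid tag be produced for any record.
        # This is the 'fixed unchangeable keys' misuse: the HMAC is only as good
        # as the key's secrecy and rotation.
        "hmac_ok_altered_with_fixed_key": hmac_verify(
            altered, hmac_seal(altered, leaked_fixed_key), per_election_key),
    }
```

Replacing the CRC with a MAC only helps when the key is per-election, kept off the machines' writable storage, and not the same in every unit, which is exactly the condition the fixed-key finding says the vendors failed to meet.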

Some of these are problems that the vendors claimed to have fixed years ago. For example, Diebold claimed (p. 11) in 2003 that its use of hard-coded passwords was “resolved in subsequent versions of the software”. Yet the current version still uses at least two hard-coded passwords – one is “diebold” (report, p. 46) and another is the eight-byte sequence 1,2,3,4,5,6,7,8 (report, p. 45).

Similarly, Diebold in 2003 ridiculed (p. 6) the idea that their software could suffer from buffer overflows: “Unlike a Web server or other Internet enabled applications, the code is not vulnerable to most ‘buffer overflow attacks’ to which the authors [Kohno et al.] refer. This form of attack is almost entirely inapplicable to our application. In the limited number of cases in which it would apply, we have taken the steps necessary to ensure correctness.” Yet the California source code study found several buffer overflow vulnerabilities in Diebold’s systems (e.g., issues 5.1.6, 5.2.3 (“multiple buffer overflows”), and 5.2.18 in the report).

As far as I can tell, major news outlets haven’t taken much notice of these reports. That in itself may be the most eloquent commentary on the state of e-voting: reports of huge security holes in e-voting systems are barely even newsworthy any more.

Comments

  1. So the take-away message here is that no commercial entity has been able to come close to producing an electronic voting system which approaches the levels of security, integrity, and confidentiality that are required of an effective electronic voting system.

    Would it work to create an open-source project to develop the hardware and software for an electronic voting system? This would allow any member of the public to review and audit the hardware and software at any time. Such a project would have to totally forgo “security through obscurity”, but would it gain more than it lost? I would venture so, but perhaps others could offer better insight.

  2. Rob Adams says:

    In their response to these studies, Diebold cited the paper trail as the ultimate defense against all these serious software and hardware issues. And this is after they, among others, fought tooth and nail against paper trails calling them unnecessary. Now they seem to think that because there’s a paper trail (which isn’t ever compared against the electronic record except in the event of a manual recount) that the actual security of the machines doesn’t matter.

    I’m not sure if they’re just that incompetent or if they’re being intentionally obtuse. Either way I sure wish this company didn’t have the US democracy by the balls.

  3. Arlene Montemarano says:

    Electronics have no place in the sacrosanct ritual of voting. Period.

    The average voting citizen cannot see what the electronic devices are doing, and if the average non-techie cannot see counting and recording activities with his own eyes, then it is not transparent enough a process for voting……. which IS ANONYMOUS.

    We must always remember that. Because voting is anonymous, we can never follow our votes, as we can with other business transactions.

    Get the electronics and the vendors out of our voting systems.

  4. Lawrence D'Oliveiro says:

    Other countries have succeeded in building trustworthy e-voting systems. This article cites the Australians as a good example.

  5. I think the lack of reporting on this issue is more an indictment of today’s extremely shallow news media rather than a commentary on perpetually poor integrity in the voting process. There’s not a whole lot of air time or print space left over after all the crap about drug-addicted pop tarts, sports scandals, etc.

  6. Paper and pencil is the only way to go. Just mark an X. So it takes an extra hour to count the votes; at least it’s fair.

  7. Because the use of technology requires the use of experts, technology is not appropriate for elections. Using experts requires We the People to trust those hired by the politicians whose very seats of power are being determined. Trust has no place when power is counting its own votes.

    Elections belong to the people. We must observe the vote count. Hand count paper ballots (HCPB) at the precinct on election night before all who wish to observe. This is the most secure, most accurate and least expensive system. Democracy deserves and demands HCPBs.

    In running parallel elections in Columbus, OH, we’ve counted and audited at an average rate of 2 votes per minute. Other official and parallel elections that hand count paper ballots have an even faster count rate: 4-6 votes per minute. (Our team, admittedly, had worked since 6 AM at the Nov. 06 election, so were pretty damn tired by 8 pm when the vote count started.) With a fresh team of counters, speed and accuracy is enhanced.

    The continued use of these scientifically discredited computerized voting systems constitutes an Act of War against the people of a democracy. Elections are a matter of life and death, since lives are at stake when politicians vote to fund an illegal war, vote to maintain a below poverty minimum wage, vote to refuse Americans health care (requiring those who can afford it to pay for it).

    Software driven devices (SDDs) have no place in elections – it’s time we cured our elections of SDDs and prevent the further spread of this disease.

    Without observable vote counts, we have no basis for confidence in reported results… our elections are a sham. HCPBs will begin to restore a basis for confidence and are what advocates of democracy demand.

  8. Quick typo correction: “You really have read through the reports ” should probably be “You really have to read through the reports”.

  9. Does anyone find it odd that these machines have such easily identifiable short-falls? It’s almost as if they’re designed to be rigged…

    This is what happens when you pay low wages to a wanna-be programmer out of a state college who thinks he/she’s bad because she read java out of a “for dummies” book and think he/she knows a thing about computer software…

    But again, not to be a conspiracy theorist, but it seems like they want the elections to be fixed in a certain way by allowing such glaring holes in their systems…

  10. I would gladly wait 2-3 days for the results of a manual process that had integrity. But our insatiable appetite for instant results has placed us here. And the news media is equally culpable. As an example, 4 people died in the past 10 days in the dual news helicopter crash. They were tracking a fairly boring police chase … so we could see the results NOW. It couldn’t wait.

    It’s an optimization problem. Do you solve for maximum speed? Or maximum integrity? I liked Iraq getting folks to color their fingers blue as an indication they voted … to prevent fraudulent multiple votes. But we don’t want to get OUR HANDS dirty.

  11. Java for Dummies? They’re pretty not using Java. If they were, they wouldn’t have buffer overrun vulnerabilities. :P

  12. The big problem is that the neocons are light years ahead of everyone else with their scheming. This Diebold voting is old hat to them now. Surely they have plenty up their sleeves, including plans to corrupt a paper trail, if/when it is implemented. The dems, indies and moderates need to unite and counter the neos AHEAD of their scheming, which is unlikely. Sorry…

  13. Ned Ulbricht says:

    […] in the sacrosanct ritual of voting.

    Arlene Montemarano,

    Do you want a sacrosanct ritual?

    Or do you want an election system engineered to assure integrity, confidentiality, availability, and auditability?

    Because the use of technology requires the use of experts, technology is not appropriate for elections.

    Rady Ananda,

    Perhaps you would prefer an election ritual conducted by candlelight?

    Both of you–while you raise some good points–you’re showing a technophobic bias. Now if either of you have profoundly religious objections to polluting the temple of democracy, then I’ll back off and just leave you to your conscientious objections.

    But if you’re interested in assuring accuracy and transparency in one of our society’s critical pieces of infrastructure, then I’d ask you to rethink your positions slightly.

    I’m not defending the currently deployed electronic voting systems. In fact, I’ve called them engineering malpractice. That’s an extremely harsh judgement.

    But part of the reason that I’ve called these existing systems engineering malpractice is that I know that we can design critical systems with safeguards and intentional redundancy. I’m confident that we can also design them so that it’s possible to explain and demonstrate their security and accuracy to the average voter.

    Your calls for hand-counting seem misplaced to me. You’re simply proposing a replacement of an unacceptable system with a barely-tolerable system. Instead, we need a system–at an acceptable cost–which delivers independently tallied results, so that those results can be compared and any discrepancies resolved. We need a system that–to the extent possible–does not have any single points of failure. Hand-counting needs to be an option for every ballot, but should not be the sole option for all ballots.

    Maybe you people just want to hang all the experts–you don’t trust them–and you say they’re all cheating you. If so, you’re not asking for accurate, transparent elections–you’re just asking to be entertained with a lynching. I want no part of that.

    I want an election system from an America that engineered man’s voyage to the moon–six times.

  14. supercat says:

    I am bewildered at the failure to protect fundamental vulnerabilities, even when solutions are not difficult.

    Problem #1: If a machine has a writable code store, it’s possible for illegitimate code to perform just about any function, and then later overwrite itself with a copy of the legitimate code thus leaving little or no trace of its existence.

    Solution #1: Require that machines be constructed to only run code from flash or OTP cartridges which cannot be altered while they are inside the machine, and whose contents can be inspected without running any code stored thereon.

    Problem #2: Machines with built-in locks are subject to key compromise.

    Solution #2: Rather than having locks built into the machines, construct them with places to attach padlocks, such that all padlocks must be removed for access. Each interested party then supplies its own lock. No party need entrust any other party with its keys.

    Problem #3: Vote storage media could be altered after the election.

    Solution #3: Construct the vote storage media with a highly visible write-protect mechanism. After the election, election judges confirm that the mechanisms are engaged as soon as the media are removed from the machines; members of each party then use their own media readers to copy the election results, and supply each other with digital signatures thereof.

    I don’t see any need for particularly fancy equipment. Something like an 8032 should be just fine. Somewhat higher end processors might allow for prettier graphics, but maintaining code/data separation might be a little more tricky.

  15. … see how often the three companies made similar mistakes. They misuse cryptography in the same ways: using fixed unchangeable keys, using ciphers in ECB mode, using a cyclic redundancy code for data integrity, and so on. Their central tabulators use poorly protected database software. Their code suffers from buffer overflows, integer overflow errors, and format string vulnerabilities.

    Diebold have a long history in the banking industry, including ATMs handling large volumes of cash every day. The only scenarios that make sense are: either Diebold ATMs are just as weak; or for some reason (careless/cost/deliberate) Diebold’s voting division operates completely differently to their banking division. I find the first scenario the most plausible…

    Perhaps you would prefer an election ritual conducted by candlelight?

    Both of you–while you raise some good points–you’re showing a technophobic bias. Now if either of you have profoundly religious objections to polluting the temple of democracy, then I’ll back off and just leave you to your conscientious objections.

    If in doubt, call it a religion. For even more religion-bashing fun, how about posting up a cartoon of the Prophet?

    Better than poking fun might be to understand how democracy works and what makes it work. One of the key components of any democracy is the people voting. If you ignore that part of the system then you might be designing a voting machine but you are not building a democracy. Justice must be done AND justice must be seen to be done. Every voter must go home understanding how their vote fits into the overall process and they must be able to take part in the process too (as a vote counter for example).

    Maybe you people just want to hang all the experts–you don’t trust them–and you say they’re all cheating you. If so, you’re not asking for accurate, transparent elections–you’re just asking to be entertained with a lynching. I want no part of that.

    I want an election system from an America that engineered man’s voyage to the moon–six times.

    One important lesson that no university teaches is training technologists to let go of the “gee wizz” principle. As I eat a bowl of cereal I can see a dozen technological designs that have stood unchanged for over a thousand years to the present day — including the ceramic bowl and the eating of cereal. There’s nothing wrong with these designs, they do their job, they don’t need replacing just because they are old.

    No one wants to lynch the experts. All we want to do is slap their wrist every time they reach out to meddle with something with no better justification than “oh I want to replace it with something more modern”. If you want to fly to the moon then you can’t do that with Iron Age technology so there is justification for using something better. I have not yet seen any single valid justification for electronic voting. Not one.

    Your calls for hand-counting seem misplaced to me. You’re simply proposing a replacement of an unacceptable system with a barely-tolerable system.

    On what basis is paper voting barely-tolerable? Yes it is labour intensive — that’s a feature, a very good feature. Yes it is a bit slow to announce a result — that is well within the design criteria and faster readout doesn’t actually improve the results. Paper voting is fully verifiable and recountable.

  16. Bradley Peters says:

    I think the preceding comment from supercat highlights the most fundamental aspect of e-voting systems. In systems that I’m familiar with that use paper voting technology, the primary guarantor of security isn’t the type of padlock on the ballot box but allowing each candidate to appoint scrutineers at each place where votes are counted.

    When the votes are counted by human eyes, the interested parties are allowed to supply their own set of eyes to watch over things. In other words, I don’t think the problem with the e-voting machines is that a machine counts the votes, it’s that only one machine (or one type of machine) counts the votes. The role of the human ballot counter is now handled by the voting machines, but where are the machines representing the scrutineers?

  17. Ned Ulbricht says:

    Your calls for hand-counting seem misplaced to me. You’re simply proposing a replacement of an unacceptable system with a barely-tolerable system.

    On what basis is paper voting barely-tolerable? Yes it is labour intensive — that’s a feature, a very good feature.

    Tel,

    First, please note carefully that I objected to hand-counting. There’s a big difference between paper ballots and hand-counting.

    Second, a labor-intensive process might be a feature for you in Australia. Here in the U.S. it’s a definite problem. In the last presidential election year, at the end of October 2004, USAToday reported about a half a million shortfall in pollworkers. On November 1, The New York Times similarly reported that “[r]oughly 1.4 million people have been trained to serve as poll workers” across America, but that about 2 million were needed. And the Associated Press ran a story.

    After that presidential election, the EAC, in chapter 12, stated:

    Nationally, jurisdictions reported an average of 7.9 poll workers per polling place and 5.7 poll workers per precinct. Jurisdictions reported that 5.8 percent of polling places and 4.0 percent of precincts did not have the minimum number of required poll workers. In all, 5,252 precincts or polling places of the 113,749 reported polling places or 174,252 reported precincts were said to have inadequate staffing.

    Also see table 12 from the EAC survey.

    For reference, there were about 122 million ballots cast in that U.S. presidential election.

    For some unequal comparison, in Canada’s 2004 general election, from a population of about 30 million (roughly comparable to California), there were about 22.5 million eligible voters, and about 13.6 million actual votes cast. According to Elections Canada, besides a relatively small permanent and term staff (well under a thousand), they hire about 170,000 citizens to run the election across 58,000 polling divisions for 308 districts. The 2004 general election directly cost $CA 212.4 million or $CA 9.45 per eligible voter. In US dollars, using a June 2004 average exchange rate from the Bank of Canada, that’s roughly $US 160 million or around $US 7 per eligible voter.

    U.S. general election ballots, though, tend to contain quite a few more races than I believe Canadian ballots do.

    A labor-intensive vote tally is not a feature in the U.S.

  18. How much is an accurate election worth to the US? Apparently not enough to hire more poll workers and pay them more so you get more people choosing to do so. What would it cost to do a hand-counted vote? A couple of billion? Every four years. The US currently spends half a TRILLION dollars ANNUALLY on defense.

    Considering that fair and accountable elections are the first line of defense against tyranny developing within, as grave a threat to the people as any foreign enemy, I don’t think a billion or so more defense dollars per year spent on honest elections in addition to the 500 spent on Iraq is too much to ask.

  19. Call me callous, but I say opscan is the perfect answer. The main problem with paper ballots is that people can mark them in ambiguous or incorrect ways. In high school, if we marked an opscan form with an incomplete bubble, or marked two bubbles, or otherwise messed up the test form, we’d get the question wrong. In other words, to get through high school without failing your tests, you need to be able to do a simple opscan form. And the way I see it, if you can’t get yourself through high school, I don’t want your vote to count, because you’re too stupid to have an opinion. Just the way I feel about the situation…

  20. ConcernedScientist says:

    I’m speaking now as a computer scientist who has worked in the field since about 1977, who has done – and continues to do – both hardware and software design of systems large and small. My credentials include doing research at U.C. Berkeley’s ERL and working for Langley in Virginia, among many purely commercial activities. I have designed and built major systems which connect large organizations using modern encryption technologies and my work has undergone line-by-line source code analysis for use in the most secure governmental systems.

    There are no all-digital solutions to voting that are also secure. Period. Anyone with sufficient background will agree, though, granted, much of the public, and legislators, regulators and governmental executives are woefully uneducated. This is the real danger; the push for and acceptance of All-Digital Voting is championed and embraced by the undereducated and the corrupt, and no one else.

    Just as food for thought; unlike financial transactions, and given our American system of the Secret Vote, voting transactions have no external verifiability. Therefore, there is absolutely no means by which they can be reliably collected and managed in an all electronic system. A key problem here is the desire to have the vote be completely secret. We _could_ provide a secure system that would let people verify their own votes after the election – secret to all but the original voter – but that would violate the secret ballot principle because it would permit a voter to share what their vote was and prove it. My father would say that this could lead to vote buying.

    It should be pointed out, however, that we can prove – or could prove – the election thefts of the last few years by doing what we do regarding questionable voting elsewhere in the world; exit polling. You see, it has long since been proven that exit polling, which asks people what they did do rather than what they will do, is very much more reliable than pre-election polls and can statistically prove fraud. We have overturned elections in other parts of the world where the exit polling showed a discrepancy beyond a scientifically agreeable margin of error. My father worked hard to perform this same analysis over our last two presidential elections and found that most of the extant data belongs to media corporations who refuse to provide it for analysis. I think we should change this. I have two proposals; either publicly fund exit polling and/or make the _raw_ data from ALL exit polling public property after some relatively short period after which it has lost its newsworthiness to the organization that paid for its collection…

    Happy Voting – let’s just hope it counts next time…

    R

  21. Byron Thomas says:

    I notice that on the Sequoia website they have a reply to the original red team report, in which they say something along the lines of:

    “The security review was not conducted according to a formal procedure, and did not follow Common Criteria, IEC, etc… Since the attacks did not consider the whole system but only the technological aspects, the results do not say anything about the real system security”
    [NOTE: completely paraphrased from memory as I can’t get onto the site now to quote them]

    As a Common Criteria evaluator, and having read the Sequoia reports, I certainly agree that the technology wasn’t evaluated in the context of an election system and that a CC evaluation would have done so. However:

    1) There wasn’t time / money available to conduct such a study, and the reviewers clearly stated this

    and

    2) Let’s just stand back a second here: the source code review tells us that malicious software can be introduced with physical access to any voting machine / any cartridge to configure a voting machine. Where in my terminology, “voting machine” covers opscan machines, DRE machines, batch opscan machines in the electoral offices. Any physical security procedure to control all of these elements would require huge numbers of people, and it only takes one of them to be malicious to subvert (at least a part of) the system security.

    Sequoia are delusional if they think an election system using this technology would get through a CC evaluation to a reasonable level of assurance. Unless the security target stated nothing about protecting integrity and confidentiality of ballots.

  22. The security target probably stated something about the democrats not winning the election.

  23. Media attention comes from a publicity strategy. Where are the short youtube videos showing how easy it is to break these security flaws? Was there a press conference to discuss the results? What are the most troubling scenarios and how plausible do they sound?

    I think the media has been moderately open to these stories, but they are lazy. Let’s get an accurate but digestible version of this travesty out there!

  24. As I said before, the citizen/voters are part of the machine. If they aren’t interested in Democracy then that would be your problem right there. Similarly, a working Democracy requires suitable money allocated to:

    education of citizens — how democracy works and the details of particular poll-worker jobs.
    paying poll-workers and election officials.
    providing results information to the public.
    documenting the behaviour of each government so that people can see what they voted for.

    Given that the major difficulty facing US Democracy is voter apathy and disenfranchisement… how is adding more machines and more electronics going to fix that?

    The last (2004) general election in Australia cost $118 million for a country of 20 million people, that’s about $6 per citizen (approx 5 USD). Voting is compulsory but not everyone is eligible and some people never register. Total enrollment for the 2004 election was 13 million of which 95% actually voted. That’s $10 per voter (approx 8.60 USD). Looks pretty close to Canada.

    I would regard the cost per citizen as the key indicator (since every citizen benefits from a Democratic nation), and it is easier to calculate. Also, every citizen is subject to tax, whether they vote or not. Given that history has measured Democratic countries as the least likely to massacre their own people (and such massacres have been the norm rather than the exception), I would say that my $6 is excellent value… buying a new latch for the front gate costs more and is far less effective.

  25. That $6 didn’t help the Jews much when the Weimar Republic held an election in 1933… :P

  26. doug rosbury says:

    To those in government worried about hacking into their voting systems, I strongly recommend “Returnil”, a program to create a virtual partition in computer memory using RAM instead of the hard drive. It is an advanced method of computer security that works to eliminate criminal hacking. Look it up folks. (IT WORKS) (!!!!!!)—Doug Rosbury

  27. doug rosbury says:

    This is a good thing for everyone who is disgusted with hackers.—Doug Rosbury

  28. Returnil is somewhat “hack proof” only because it isn’t widely used yet. Wait till you put it in one of these machines.

  29. Gary Young says:

    1,2,3,4,5,6,7,8

    That’s the same combination I have on my luggage!

  30. New Voter says:

    Don’t be confused. A state measure is a proposition and vice versa. Typical jargon confusion. The media overwhelm you with information about propositions and the ballot calls it a state measure. Priceless.