Damning Report On Sequoia E-Voting Machine Security

TechDirt notes the publication of the New Jersey voting machine study, the attempted suppression of which we have been discussing for a while now. The paper that the Princeton and Lehigh University researchers are releasing, as permitted by the Court, is "the same as the Court's redacted version, but with a few introductory paragraphs about the court case, Gusciora v. Corzine." What's new is the release of a 90-minute evidentiary video — the researchers have asked the court for permission to release a shorter version that hits the high points, as the high-res video is about 1 GB in size. See TechDirt's article for the report's executive summary listing eight ways the AVC Advantage 9.00 voting machine can be subverted.
  • by entgod ( 998805 ) on Tuesday October 21, 2008 @06:36PM (#25461131)
    They could, in addition to printing the paper ballots, count the votes. That way it would be possible for people to see the votes being cast in almost real-time. I would like it. Of course, the official count would be done by hand.
  • Elections of 2010 (Score:3, Interesting)

    by TubeSteak ( 669689 ) on Tuesday October 21, 2008 @06:38PM (#25461153) Journal

    My first thought was "what's the point of publishing this now?"

    Everyone (yes, even the clueless people in charge) knows that electronic voting machines are SNAFU, they just didn't have the time/money to do anything about it this election cycle.

    2010 should be much different.
    Hopefully they'll take the next 2 years to do some criminal investigations into all the substituting and patching of firmwares while they're at it.

  • Re:So what? (Score:2, Interesting)

    by entgod ( 998805 ) on Tuesday October 21, 2008 @06:41PM (#25461201)
    That's quite a lot of FUD with not much to back it up with. True, IMNAA (I am not an American) but I'm inclined to think that those who are can have some influence on the next president of the USA or whatever they are voting over.

    True, the significance of one vote is not much when there are many voters but it's pretty obvious how the amount of power one vote wields goes up when the amount of voters goes down.
  • by PaleCommander ( 1358747 ) on Tuesday October 21, 2008 @06:47PM (#25461265)
    Public outcry, inquiry, and (in some cases) mockery are well and good, and hopefully lead to policy change. However, when it comes time to vote, what's an individual voter to do when faced by an electronic voting machine at the polls? Boycotting doesn't seem like the right course of action here.
  • by corsec67 ( 627446 ) on Tuesday October 21, 2008 @06:50PM (#25461315) Homepage Journal

    On a side note - how hard can this stuff be? It's not like they aren't making a fortune from these things - it's seeming like they are barely able to break even so they have to hire "below the barrel" talent...

    Making a machine that counts or tallies votes shouldn't be very hard, and should be a first year programming assignment.

    Making that whole system *secure*, otoh, is almost impossible, especially when it is something as large and distributed as a national voting system. If a company could actually make a completely secure voting system, they could also have a good DRM system. (Yeah, I did say "good DRM system", which shows how possible I think that is)

    From Ken Thompson's essay Reflections on Trusting Trust [bell-labs.com], he says it isn't enough to check the source code, you also have to check the compiler, the output from that compiler, and I would add, in the context of a voting system, everything that is or could be in the system/network.

  • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday October 21, 2008 @07:37PM (#25461819) Journal
    There are three problems with that analogy: Centralization vs. distribution, steady load vs. bursty load, and willingness to pay.

    Things like financial recordkeeping and stock trading are relatively steady, constant, loads that can be handled in a fairly small number of highly centralized locations, for which people are willing to pay a great deal of money.

    Voting is a highly bursty and uneven load, spread across tens of thousands of sites and systems, for which people don't seem willing to spend all that much.

    It is definitely true that voting machines can be made secure in theory (and we know that they could be made far more secure than they are: not only are the current models not good enough, they aren't even as good as current generation consoles); but the analogy between voting systems and financial systems is weak and misleading. More accurate might be an analogy between voting machines and point of sale systems. Unfortunately, those are plagued by card skimmers and similar, despite the fact that they have the advantage of it being possible to calculate the "correct" outcome. It is fairly easy to detect and rectify fraudulent transactions just by looking at financial records. You can't do the same with votes.
  • Re:Don't look (Score:1, Interesting)

    by cayenne8 ( 626475 ) on Tuesday October 21, 2008 @07:53PM (#25461997) Homepage Journal
    "Don't read the report about voting machines. It contains spoilers about who wins next month."

    Hell, why bother with rigging the voting machines...it seems this year a simpler method has been found, with Acorn registering everyone they can, dead, undead, fictional or alive.

    The old, tried and true way of "Vote Early, and Vote Often" seems to be the method du jour this year.

    :)

  • by MyMistake ( 620068 ) on Tuesday October 21, 2008 @08:01PM (#25462075)
    I'm a "technofetishist" and so are many of my friends. We all think voting should be paper. It's a hell of a lot easier to fix the hanging chad bug than to build, debug, and secure a system like that.
    I've heard people cite the ATM network when they talk about big, distributed hardware/software systems that anybody can access, and it works pretty well. It's a false equivalence though. You get a paper statement at the end of every month (or online, immediately) which provides the paper trail. If my account gets hacked, I don't get the wrong president. And you have Visa, Wells Fargo, Bank of America, Chase, etc... all with a vested interest in it working properly. Compare that to the Democratic and Republican parties' eternal war and they look like best friends forever.
    eVoting? No thanks.
  • I disagree. (Score:2, Interesting)

    by FrameRotBlues ( 1082971 ) <framerotblues@@@gmail...com> on Tuesday October 21, 2008 @08:14PM (#25462199) Homepage Journal
    Personally, I disagree. You seemed rushed in reply, but I don't think I would qualify those devices as "tools." A tool is a single-purpose object designed to solve or repair a problem, and can be checked for operating performance against a known standard. By that definition, that's all a voting machine should be, although I'm not sure I'd ever refer to a voting machine as a "tool." Then again, perhaps some election workers would argue that it solves the problem of hand-counting all those votes.

    A government is a purely human construct. It's all about social structure and where you fit into it. It's all about trusting or not trusting the other people around you.

    Yes, the United States government is by the people, for the people; in many ways it is a hierarchy, but specifically for representation, security, and the enabling of rights as outlined in our charter documents. I don't believe it is meant to be a nanny-state, wherein we place all our trust in the government. The Forefathers recognized our need to prevent the nanny-state from occurring, and wrote the 2nd Amendment. I will never give the government, nor anyone around me, either 100% or 0% of my trust. Everyone involved in my life, including Joe Schmoe on the street whom I've never met, receives a certain percentage of my trust. If they befriend me or I determine their goals and past performances are worthy of my support, their trust level goes up. If they stab me in the back or are otherwise dishonorable, their trust level goes down. Very few people can ever receive 100% of my trust. I judge machines and contraptions the same way - based on previous performance. The government, just like the public in general, can never earn 100% of my trust, because it's impossible to personally know all of those people. At the same time, they can never earn 0% of my trust, because I realize that there are people who are in it specifically for the good of the general public, whether I know them or not.

    I think trust is one of those fallible human emotions, like love. They are similar in many ways, but I don't think they're synonymous. I once had an ex who told me that 100% love means 100% trust, and that each was a requirement of the other. I couldn't really explain it then, and I can't really explain it now, but even though I loved her with all my heart, I never could fully trust her.

  • by waferbuster ( 580266 ) on Tuesday October 21, 2008 @08:52PM (#25462565)
    You forgot the most important part that appears on lottery machines (and by association should appear on voting machines): "Any malfunction voids play results."
  • Hmm (Score:4, Interesting)

    by ShooterNeo ( 555040 ) on Tuesday October 21, 2008 @11:12PM (#25463897)

    An electronic voting machine should be simple. Why the f- are they even using an operating system at all? Wouldn't a stripped-down-to-the-bone OS do the job? How about using DOS?

    (before you laugh or say to use free software, the reason I say DOS is there is ZERO chance someone 20 years ago inserted code that would corrupt a voting machine)

    Also, with DOS you could easily verify the md5 of the OS image.

    I say use DOS, and write the vote counting program in terminal graphics mode, with those colored ASCII characters for a GUI. A SIMPLE GUI. The feature count on this program should be limited to the crucial things only.

    And NO network access. The only way to count votes should be to physically gather all the flash memory cartridges in one place. Each cartridge would have a ONE TIME PAD encryption lock. There would be a central "vote counting" terminal that would be the only machine in the county with the other copy of the one time pad used.

  • Why so backwards? (Score:5, Interesting)

    by lord_sarpedon ( 917201 ) on Tuesday October 21, 2008 @11:36PM (#25464103)

    Funny I think that people are so cautious to trust computers here, but they're fine for everything else. Just make it open. We can gain some advantages.

    -Immediately before voting, you are handed a number. How we generate these numbers is up for debate. Perhaps they are centrally generated and serial. Perhaps a hash of name + DOB + other stuff. Each choice here opens different doors.

    -Barcode equivalent to said number must be scanned at the machine. Number must also be entered on an onscreen key pad.

    - Number + voting choices + timestamp + voting machine id are stored in a central database. Immediately. Nothing local.

    -You get a receipt with your Number + voting choices + timestamp + machine ID. It also has this other handy value on there. A digital signature, created by said central authority with its private key. The public key is well known long in advance.

    -After the election, the entire result set is made available for download. Yeah, a recount is a big fucking deal. We have these neat machines that are good at math. The bigger deal here is that if you check the database after you voted and the entry for your number doesn't match, you scream bloody murder. If you don't trust the machine, any party can verify the central authority's signature.

    -But in addition to 'any' party, it is critical to have a non-networked verification appliance, which does nothing but verify the central signature for you before you physically leave. If you scream bloody murder at this point, we can consider the plain-text part of the receipt trusted. You obviously couldn't have faked the entire receipt while being watched by everyone. More on this soon.

    Nice huh? Let's recap some advantages here:
    -You can verify that your vote was counted and correctly
    -You can't determine who voted for whom, except yourself.
    -The receipt actually means something

    Let's elaborate on that third point.
    There are several means of lying to you, which can't easily be solved without adding machines into the mix

    -What if the receipt says you voted for X but the machine recorded you as voting for Y? This is as good as pressing the wrong button. The signatures will both be valid. But if the plain-text portion shows the wrong candidate, you'll notice and scream. If the plain-text portion doesn't match the central signature (the one most directly relevant to proper recording) you will catch this at the non-networked verifier. The receipt can still be trusted having not left the polling place, so you will be allowed to vote on another machine, as meanwhile the machine you previously used is marked for a serious investigation...

    -What if the central authority records whatever it wants but produces a normal signature? The receipt will be considered entirely valid and endorsed. People will notice quickly as they check the database from home. You have a paper trail that can be trusted. What if the signature is bogus? People notice before they leave the polling place.

    Up to this point? Criminal negligence bordering on treason. Open source needs to step up.
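The receipt scheme described in the post above, as an added example that is not the poster's own code: the central authority signs the canonical receipt string (number + choices + timestamp + machine ID) and stores it, a non-networked appliance checks only that the printed plaintext matches the printed signature, and the voter's check from home compares the published entry with the kept receipt. Ed25519 and the field separator are assumed choices; the post only names a private/public key pair.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"strings"
)

// Receipt carries the fields the post lists plus the central authority's signature.
type Receipt struct {
	Number, Choices, Timestamp, MachineID string
	Sig                                    []byte
}

// Plaintext is the canonical byte string that is signed and stored centrally; the
// verifier must rebuild exactly these bytes, so field order and separator are fixed.
func (r Receipt) Plaintext() []byte {
	return []byte(strings.Join([]string{r.Number, r.Choices, r.Timestamp, r.MachineID}, "|"))
}

// CentralAuthority owns the signing key and the central database keyed by voter
// number. Ed25519 is an assumed choice; the post only names a private/public key pair.
type CentralAuthority struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	DB   map[string]Receipt
}

func NewCentralAuthority() (*CentralAuthority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CentralAuthority{priv: priv, Pub: pub, DB: map[string]Receipt{}}, nil
}

// Record stores the vote immediately (nothing local) and returns the signed receipt.
func (ca *CentralAuthority) Record(number, choices, ts, machine string) Receipt {
	r := Receipt{Number: number, Choices: choices, Timestamp: ts, MachineID: machine}
	r.Sig = ed25519.Sign(ca.priv, r.Plaintext())
	ca.DB[number] = r
	return r
}

// AlterStoredVote models the dishonest-authority case from the post: the entry is
// rewritten and re-signed with the genuine key, so only the voter's receipt exposes it.
func (ca *CentralAuthority) AlterStoredVote(number, choices string) {
	r := ca.DB[number]
	r.Choices = choices
	r.Sig = ed25519.Sign(ca.priv, r.Plaintext())
	ca.DB[number] = r
}

// VerifyAtPollingPlace is the non-networked appliance: public key only, no database.
func VerifyAtPollingPlace(pub ed25519.PublicKey, r Receipt) bool {
	return ed25519.Verify(pub, r.Plaintext(), r.Sig)
}

// CheckFromHome compares the published entry for the voter's number with the receipt
// the voter kept. It returns "ok", "missing", "bad-signature" or "mismatch".
func CheckFromHome(published map[string]Receipt, pub ed25519.PublicKey, r Receipt) string {
	entry, ok := published[r.Number]
	switch {
	case !ok:
		return "missing"
	case !ed25519.Verify(pub, entry.Plaintext(), entry.Sig):
		return "bad-signature"
	case !bytes.Equal(entry.Plaintext(), r.Plaintext()):
		return "mismatch"
	}
	return "ok"
}
```

A machine that prints a different candidate than the authority signed fails at the polling-place verifier; an authority that rewrites and re-signs its own entry passes the signature check and is only caught by the plaintext comparison against the receipt.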

  • by ComputerSlicer23 ( 516509 ) on Tuesday October 21, 2008 @11:55PM (#25464249)

    I've done work for ES&S at a couple of different points, and can point out several things. First, the reports are mostly accurate (there are a few points which I'd disagree with, but there are a number of legitimate concerns in there). Second, no system is secure without physical security, and a number of the attacks ultimately come down to the state needing to ensure that these machines are treated as such. States are very lax about this, and that is a serious problem (personally I think precinct counters should be there to validate the ballot for the voter and give feedback/warnings or errors, and all tabulation should be done via high speed central scanners. The tabulation of the precinct counters might be kept as checks against voter fraud during ballot transport). Physical security is the single most important aspect of any voting system, with enough physical access any security system can be beaten (see every DRM or anti-cheat system for gaming). Unless it's fairly far into the videos, the video stuff is actually about the Sequoia not about ES&S systems. The PDF report linked to does include several chapters about the ES&S systems (all of part II).

    Most of those that are dealing with the M100 and the M650 should be dealt with with the next generation of hardware/software for the newer paper scanner products (don't want to comment on the others as I didn't work on or with any of those). Not sure what ES&S's view is, but my personal view is that all DRE machines should be shipped to the nearest blackhole for permanent storage.

    There is also some help in addressing some of the concerns about the review of proprietary software. Other than the Java compiler and the cryptography pieces (which are required to have FIPS compliance that most OSS products lack due to expense), all of the software is Open Source and is compiled during the system builds. I believe only one or two libraries aren't compiled from scratch on the machine (the commercial crypto tools, and the Sun JDK). I wouldn't be shocked to find out that OpenJDK is compiled on some future release. Every tool and/or line of source used to build the system has an MD5SUM, and a SHA1SUM along with the external site the software was retrieved from. Other than the crypto and the Java tools, all of the tools are built from source (a LiveCD distro with a minimal dev environment to build GCC, glibc, make, perl and a couple of other tools are bootstrapped into a chroot). It is fairly straightforward to walk into a secure room with a blank PC with no software on it and end up with 99% of the software that ends up on the M100 replacement product. Two embedded compilers require Windows and are built separately.

    Another issue is that resolving issues quickly on election day is internally an important quality to the company. There are some security aspects that would be a disaster if the slightest thing goes wrong. With a deployment that large, by a mostly volunteer group, there are always significant mistakes and "proper" security would get in the way. The inability to do field firmware upgrades, because somebody in the state failed to upgrade the hardware before it shipped would be a disaster. It happens in every election despite all the procedures and guidelines. So part of the "only one key" thing falls into this category.

    Finally, the most serious problem with all of the software is that no programmer in their right mind can deal with the various rules and obligations for VVSG compliance. I'd spend a day writing, unit testing, and writing "normal" documentation. Followed by at least a day or two of writing all of the required documentation, none of this included the stuff we had tools to auto-generate. I had to write the code first and document afterwards because it was hard to be concise and see all of the related code at a time when it was fully documented.

    They require the generation of inane and superfluous documentation, and are bureaucratic and dogmatic about enforcing the rule co

  • by enos ( 627034 ) on Wednesday October 22, 2008 @01:42AM (#25464829)

    You're right, the ES&S system was for a different study. The one presented is Sequoia. That's what I get for posting tired ;)

    Thank you for the post, it's great to hear about how the companies are run. Don't take the rest personally, it's a reply to you but addressed to your (former) bosses:

    Though most of the difficulties you talk about are things faced by any large project. File management and documentation? Please. All projects have to handle this. Apparently the Sequoia system is also a hodgepodge of many languages, I think they said around 10. That's a lot and makes debugging and audits more difficult while introducing more potential holes. I don't know if the ES&S system is that bad, too.

    Hell no the firmware shouldn't be upgradeable in the field. That's another way for undetected tampering to get in. If you're fixing things up right until the last minute, the damn thing isn't ready for prime time. Use the paper ballots for that election. The firmware should only be upgradeable under public supervision.

    And what good are the checksums if they're not checked? I don't see why the firmware can't do a checksum of the entire system before each voter comes in. Heck, use a TPM chip, they've been common on consumer machines for the last 2 years. That will give you a chain of trust and help you detect tampering. Anything on the machine should be signed by both the manufacturer and the state.
    But heck, with hard-coded keys and 16-bit hash functions, it's clear that the security is not only on the back burner, it's implemented by idiots. And I mean that term. Idiots.

    As for the screwy state by state laws, yeah, so what. All of that is in the user interface, and can be abstracted pretty easily. Sure it will take time to implement each thing, but not that long. It should have NO effect on security. Heck, get some people who write tax software to do it. The tax code is complicated as hell and they're managing to slog through it.

    Sure, it's not just voteCount++, but it's not that difficult that the utter shit that these companies put out is the best that can be done. Hire some competent people for pete's sake. And listen to them!

    Stalin said it best: "It's not who votes that counts, but who counts the votes."

  • by rtb61 ( 674572 ) on Wednesday October 22, 2008 @02:57AM (#25465127) Homepage

    You obviously have no idea how a regulated manual system works when the government is corrupt and already using force to sustain its rule. In a manual system, there are volunteers from all parties attending the ballot process, including sealing of empty ballot boxes, handing out of the ballots, monitoring the filling of the ballot boxes, unsealing and emptying of the ballot boxes, and counting of the ballots. Normally the voting and ballot counting occur at the same location, avoiding ballot box transport problems.

    In addition to the volunteers from all parties doing all the work, there are paid officials who supervise and monitor the activities of the volunteers. In a lot of countries the election takes place on a Saturday, to ensure easy access for volunteers as well as, of course, for voters, and enabling the use of the numerous school halls available around most countries for the voting and vote counting process.

    So cheating is enormously difficult and only really happens in regional areas, where the volunteers are all from one party and the election official is also corrupt, catch is only one or a handful of polling booths out of thousands is corrupted and, in reality only has negligible impact upon the election as a whole (and the risk is huge and the penalties severe).

    With electronic voting machines and electronic vote counting machines of paper ballots, all with secret unverifiable code, as well as unverifiable electronic chips (how many are removed from their plastic housing and microscopically scanned and analysed), the whole election can be rigged and the electorate has absolutely no means by which to verify the validity of the electronic election process and even with receipts of electronic votes, the winning party will simply deny the chain of legal possession of those receipts to verify their authenticity. Only a fool would think that stuffing one election box at one polling booth, would compare with hacking the voting machines, the transfer of the output of the vote counting machines to the data analysis location and of course the data output of the analysis device.

    Elections are all about people governing other people, so people should be fully involved in the control of and verification of every part of the process. The election is the single most fundamental part of any democracy and every step should be taken to ensure its safety and validity, from voter registration to the final vote tally.

  • Re:LOL (Score:5, Interesting)

    by TheLink ( 130905 ) on Wednesday October 22, 2008 @03:23AM (#25465231) Journal
    "... I am getting upset over the fairness of a system that will only let me choose between two criminals for who should be the leader."

    Aren't there more than two candidates? Can't you vote for the others instead?

    Apparently in the past election 60+ million voted for X and 59+ million voted for Y.

    But 80+ million didn't bother to even show up.

    Think X and Y might notice if the 80+ million voted for Z?

    I bet X and Y might also notice even if the 80+ million walked up to the voting booths and voted "none of the above" and thus "spoilt" their vote.

    At least the foreign media would be reminding them of it e.g. "Mr President, how can you say you have support of the people?".
  • by radarsat1 ( 786772 ) on Wednesday October 22, 2008 @08:03AM (#25466417) Homepage

    To me the messed up thing in all this e-Voting stuff is that the counties are using e-Voting machines that are shown to be hackable... implying that they are using the machines without fully testing them. That is, they have decided on the machines (presumably after a convincing marketing presentation), and only *after* using them, have people come along and said, hey, these aren't safe.

    In usual situations, a system would be tested for hacking *before* being deployed. Until such time as it can be independently declared safe, the old, trusted system would remain in place. This rule applies to every major server in the world, why does it not apply to something as fundamental as VOTING?

    We shouldn't just be mad about hackable eVoting machines, we shouldn't just be mad at the companies that make them, we should be mad about bad decisions being made by those in power to use these machines without properly testing them.

    (By "we" of course I mean people who actually have to use e-Voting machines.. myself, I'm from a place that banned them [slashdot.org], thankfully.)
