
    Electronic VotingDown for the Count-.ppt


Electronic Voting: Down for the Count?
Charles P Riedesel
University of Nebraska, Lincoln
Computer Science & Engineering

Where I am coming from
- Mathematician: “fair” elections are impossible
- Computer scientist/engineer: designing errorless/unhackable computer hardware and software is impossible
- Politician: fooling the people all the time is impossible

Where am I coming from?
- I teach computer organization
- By the end of freshman year my students can design the circuitry of a functional computer.
- I know how to hide an “Easter Egg” in hardware that is virtually impossible to find.
- Counterfeit chips are already a problem
- An Easter Egg is a surprise that can be uncovered by very particular actions, a “Cryptic Knock”
- Example: Microsoft Excel 97 had a hidden flight simulator, activated by keying at a special cell
- Cryptic knocks can be used to wake up trojan horses!

Where am I coming from?
- I have taught operating systems and compiler construction at the jr/sr/grad level.
- With this knowledge we can replace and/or modify COTS (Commercial Off The Shelf) software to do things totally unexpected by unknowing programmers.

Where am I coming from?
- I have gone through a lot of the technical reports about voting systems hardware and software, and can make sense of and comment on most of it.
- My colleagues who are more expert at communication networks and software engineering aspects can absorb it all.

Today's Agenda
- The role of elections in our democracy
- Makings of an election
- Rise and fall of the DRE
- Other players, organizations, documents
- Recommendations

The Role of Elections in Our Democracy
- Inherent mathematical flaws of elections
- An election is only a snapshot of those voting
- Weighted voting
- One person, one vote?
- Legitimacy based on trust
- Principles for a good election

Inherent Mathematical Flaws of Elections
- Winning is not transitive
- Three-way race with Alice, Bob and Calvin based on three equally important issues of abortion, taxes, and war.
- Voters prefer Alice, then Bob, then Calvin on abortion.
- Voters prefer Bob, then Calvin, then Alice on taxes.
- Voters prefer Calvin, then Alice, then Bob on war.
- In two-way races Alice beats Bob, Bob beats Calvin, and Calvin beats Alice!

An Election is only a Snapshot
- Elections are held on one day (usually)
- Polls demonstrate dynamics of a race
- Sensitive to late-breaking news, charges
- New information after the election
- Election really valid for 2, 4, or 6 years?

Weighted Voting
- What if Alice beats Bob, but it is only because 51% mildly prefer Alice, but 49% detest Alice and adore Bob? Overall, Bob is better liked!
- What if Calvin beats Don 55% to 45%? Instead of winner takes all, put both in office and weigh their single vote 55-45 on all issues!

One Person, One Vote?
- You are smart, well versed on issues.
- The idiot with an IQ of 40 on your right really has no idea what is going on.
- The blow-hard on your left is caught up in some single-issue thing.
- Should your vote really count the same as either of theirs?

Legitimacy Based on Trust
- Numerous flaws in elections
- Possibility of mathematically invalid results
- Can anyone find a better way?
- What level of imperfection can we tolerate?
- Essential that winners and losers alike buy in to the system and accept results

Principles for a Good Election
- Vote storage mechanisms should be
  - Simple
  - Reliable
  - Durable (for the votes)
  - Tamper-evident
  - History-independent
  - Subliminal-free
  - Cost effective

Principles for a Good Election
- Voters need to know their vote is
  - Accurately recorded
  - Counted in the total
  - Anonymous: no way to track back who voted how
  - Private: no possible evidence to show anyone how he/she voted

Makings of an Election
- Voting system machinery
  - GEMS
  - Electronic Voting Machines: DRE, DRE with VVPT, PCOS
- Process of an election
- Regulatory actors
  - HAVA
  - NIST, TGDC, EAC, STS
  - ITAs: Ciber, Wyle Labs, SysTest Labs
  - NASED
  - FEC

Voting System Machinery
- GEMS: General Election Management System, the computer and software that takes in and processes the results from all the voting machines
- DRE: Direct Recording Electronic voting machine, votes recorded in software
- DRE with VVPT: Voter Verifiable Paper Trail, votes also recorded on paper
- PCOS: Precinct Center Optical Scan, scans and records vote upon being cast

Process of an Election
- Election Definition: define races, candidates, districts, precincts
- Configure Voting Equipment, Print Ballots: geography makes each precinct different
- Pre-Election Test: verify that everything is ready
- Election Day: open polls, vote, close polls
- Canvassing: compute and publish totals, archive results
(Copied from a slide by Douglas Jones)

Regulatory Actors
- HAVA: Help America Vote Act, 2002
  - Get rid of hanging chad
  - Eliminate mechanical voting machines
  - Central count for absentee ballots only
  - Promote accessibility for disabled voters
  - Fund new machines
  - Set up new agencies

Regulatory Actors
- NIST: National Institute of Standards & Technology, technical advisor to
- TGDC: Technical Guidelines Development Committee, advisory board to (note: Nebraska Secretary Of State John A. Gale is a member of TGDC!)
- EAC: U.S. Elections Assistance Commission, handful of presidential appointees
- STS: Security and Transparency Subcommittee of TGDC, “Requiring Software Independence in VVSG 2007” recommendation to TGDC 11/2006

Regulatory Actors
- ITAs: Independent Testing Authorities
  - Ciber: employs standard methodologies for evaluating correctness and quality of software; Jan 2007 in trouble for not following quality control procedures and lack of documentation
  - Wyle Labs: reviews source code, does hardware testing and functional testing of voting machines
  - SysTest: quality assurance, software test engineering, verification & validation

Regulatory Actors
- NASED (National Organization of State Election Directors) under the Election Center to which the ITAs report, part of the old FEC (Federal Election Commission)

Rise and Fall of the DRE
- The Direct Recording Electronic machine
- Hopkins Report
- SAIC Report
- Compuware Report
- Raba Report
- VSTAAB Report
- Hursti II Report
- Princeton Report
- Nedap Report

Rise and Fall of the DRE
- Major makers of DREs are
  - Sequoia
  - Diebold
  - ES&S
- Policy of “Security through Obscurity”
- Fundamental Challenge: electronic votes can evaporate with NO remaining evidence, unlike paper ballots
- Not a transparent process

Rise and Fall of the DRE
- Categories of Possible Attacks
  - Corrupt software inserted prior to election day
  - Wireless or other remote control attacks
  - Attacks on tally servers
  - Miscalibration of machines
  - Shutting off voting machine features
  - Denial-of-service attacks
  - Corrupt poll workers' actions
  - Attacks on ballots or VVPT
(thanks to Brennan Center for Justice)

Rise and Fall of the DRE
- Challenges for the Attacker
  - Overcome vendor motivation
  - Finding an insertion opportunity
  - Obtaining technical knowledge
  - Obtaining election knowledge
  - Changing votes
  - Eluding inspection
  - Eluding testing and detection
  - Avoiding detection after polls close
(thanks to Brennan Center for Justice)

Rise and Fall of the DRE
- Hopkins Report
- Bev Harris discovered an ftp site for Diebold that contained the software for its DRE, the AccuVote-TS. She took it to Aviel Rubin of Stanford.
- “Analysis of an Electronic Voting System” by Aviel Rubin, et al., 7/23/2003
- Based just on code analysis, discovered numerous potential security problems and lax software engineering standards.

Rise and Fall of the DRE
- SAIC (Science Applications International Corporation) Report for Maryland State Board of Elections
- “Risk Assessment Report: Diebold AccuVote-TS Voting System and Processes”, 9/2/2003

- Only 40 page redacted version (Diebold's agreement let them do it) ever released until nearly 200 page full version leaked 11/2006 by whistleblower
- Risk assessment responding to Hopkins Report, resolves many problems and hides others

Rise and Fall of the DRE
- Compuware (Corp.) Report
- “Direct Recording Electronic (DRE) Technical Security Assessment Report”, for the Ohio Secretary of State, 11/21/2003
- Security assessment and validation of four voting machines, including Diebold's AccuVote-TS
- About 275 pages with test scenarios, results, and any identified risks with risk level (of which there are a number)
- Limited to the voting machine, not policies and processes

Rise and Fall of the DRE
- RABA (Technologies) Report for the state of Maryland
- “Trusted Agent Report: Diebold AccuVote-TS Voting System”, January 20, 2004
- Security experts reviewed the Diebold system, the SAIC report, and formed “Red Team” exercise to probe actual system setup
- Successfully hacked it and the GEMS server in multiple ways
- “Considerable” risks found, but with recommendations can be mitigated well enough for the primary
- More needed for general election - ultimately need paper receipts

Rise and Fall of the DRE
- VSTAAB (California's Voting System Technical Assessment and Advisory Board) Report
- “Security Analysis of the Diebold AccuBasic Interpreter”, 2/14/2006
- 3 computer scientists from U of California analyzed AccuBasic, a proprietary, interpreted language used in a couple machines including the AV-TSx touchscreen, because no ITA testing was done
- Problems (many easily correctable) found

Rise and Fall of the DRE
- Hursti II Report, a Black Box Voting Project by Harri Hursti
- “Diebold TSx Evaluation SECURITY ALERT: May 11, 2006: Critical Security Issues with Diebold TSx”, at invitation of a Utah county
- Firmware is easy to change
- PCMCIA virus threat

Rise and Fall of the DRE
- Princeton Report
- “Security Analysis of the Diebold AccuVote-TS Voting Machine” by several authors at Princeton University, Sept 13, 2006
- Obtained one of the DRE machines, demonstrated Hursti's proposed virus, and created a demo virus that attacks an election
- Problems in common with desktop PCs
- Diebold response is that polling place procedures provide adequate protection

Rise and Fall of the DRE
- Nedap(/Groenendaal) Report
- “Nedap/Groenendaal ES3B Voting Computer: a Security Analysis”, 10/6/2006
- Used extensively in Netherlands and nearby
- Authors show how anyone can quickly gain complete and virtually undetectable control over election results
- Radio emanations up to several meters away can be used to tell who votes what
- Sold in US by Liberty Voting Solutions

Rise and Fall of the DRE
- TGDC report by STS to NIST calls for Software Independence, basically ruling out paperless DREs
- By the end of November 2006, NIST concludes that paperless DREs are not acceptable
- At the beginning of December 2006, the EAC rejects 6-6 recommendation to only certify DREs that use “independent audit technology” (namely paper). Cost was a factor.

Other Players, Organizations, Documents
- Douglas Jones
- Aviel Rubin
- Bev Harris - Black Box Voting
- Rebecca Mercuri
- Eugene Spafford
- William Pitt - Truthout
- David Dill - Verified Voting Foundation
- Linda Malone - President of NASED
- Barbara Simons - USACM
- The Brennan Center for Justice
- IEEE, ACM

Douglas Jones
- University of Iowa at Iowa City
- Department of Computer Science
- Gives many talks, lay and technical
- Inspiration for parts of this presentation
- See “Voting Security: A Technical Perspective”, presented at U of S. Car. Cybersecurity Symposium, 10/27/2005

Aviel Rubin
- Johns Hopkins University
- Election Judge
- Author of “Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting”
- Analyzed source code at the discovered Diebold ftp site

Bev Harris
- Seattle grandmother and writer
- Stumbled on the Diebold ftp site, 2002
- Founded Black Box Voting
- Voracious investigator

Rebecca Mercuri
- Founder of Notable Software and Knowledge Concepts
- Promotes mechanism with printout to be voter verified which is protected behind glass before being dropped into box

Eugene Spafford
- Chair of USACM (US Public Policy Committee of the ACM)
- Endorsed Nov. 2006 STS report advocating paper trails

William Pitt
- Managing editor of Truth Out

David Dill
- Founder of Verified Voting Foundation
- Stanford University
- Endorses voter verifiable audit trail

Linda Malone
- President of NASED
- Administrator of Maryland's State Board of Elections
- In unaired Oct 2006 interview responds to questions about critical Diebold report with “I think you are in fantasy land”

Barbara Simons
- Formerly at IBM
- Former ACM chair
- USACM member
- Gives statements and testimony
- Upcoming 2007 book with Doug Jones

The Brennan Center for Justice
- New York University
- 2006 report on security problems of 3 most common electronic systems

IEEE and ACM
- Association for Computing Machinery
- Institute of Electrical and Electronics Engineers
- Professional organizations representing computer sciences and engineering
- ACM Policy Statement: all systems should have
  - Careful engineering
  - Strong safeguards
  - Rigorous testing of design and operation

Recommendations
- Keep things in perspective
- Restore and maintain trust
- Regulate, fund, and train
- Decentralize and diversify
- Establish reasonable processes
- Implement an assessment cycle

Recommendations
- Keep Things in Perspective
  - There are many factors that influence an election. Some we accept without question as legitimate, some are ignored, some are presented as terrible threats.
  - How much do we spend to eliminate one threat, no matter how small and unlikely?

Recommendations
- Restore and Maintain Trust
  - Pay attention and respond respectfully
  - Educate yourself and others
  - Openly take reasonable steps
  - Stay calm
  - Act quickly and decisively when appropriate
  - Question authority at the same time as you respect authority
  - Keep everything as transparent as possible

Recommendations
- Regulate, Fund, and Train
  - There is no human or technological perfect system
  - Regulate all aspects of the election cycle
  - Provide adequate funding for all aspects of the election cycle including certification, acquisition, verification, and development of hardware and software
  - Poll workers are generally low paid and unskilled, yet the system depends on them!

Recommendations
- Decentralize and Diversify
  - Attacks (accidental and malicious) are most effective when implemented system-wide. Think of virus threat if all computers were the same or all cattle had the same DNA, thus the same vulnerabilities!
  - Promote competition in the industry
  - One size doesn't fit all: consider costs, demographics, and accessibility
  - Don't fund a pie-in-the-sky perfect solution
  - Limited use of DREs may be acceptable

Recommendations
- Establish Reasonable Processes
  - People need to know what to do in case of all kinds of events.
  - Secure systems depend on the people implementing and using them following proper protocols.
  - Development and certification are loaded with details that are easily overlooked.

Recommendations
- Implement an Assessment Cycle
  - The poll workers and others closest to an election should participate in evaluating the processes, looking for both good and bad features, and providing feedback that will be used (not sit on a shelf!) to improve the system. They see things the experts miss.
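The non-transitive result on the "Inherent Mathematical Flaws of Elections" slide can be checked mechanically. The following is an added example, not part of the original presentation; it assumes each of the three equally important issues behaves as one equal-sized bloc of voters, and the function names are illustrative. It tallies every head-to-head contest, looks for a candidate who beats all others, and reports a majority cycle when none exists, for any set of ranked blocs rather than only the slide's case.

```python
from itertools import combinations

# Constructed input: one equal-weight bloc per issue from the slide,
# each ranking the candidates from most to least preferred.
BLOCS = [
    (1, ["Alice", "Bob", "Calvin"]),   # abortion
    (1, ["Bob", "Calvin", "Alice"]),   # taxes
    (1, ["Calvin", "Alice", "Bob"]),   # war
]

def pairwise_wins(blocs):
    """Map (winner, loser) -> margin for each head-to-head contest with a strict majority."""
    wins = {}
    for a, b in combinations(sorted(blocs[0][1]), 2):
        a_votes = sum(w for w, rank in blocs if rank.index(a) < rank.index(b))
        b_votes = sum(w for w, rank in blocs if rank.index(b) < rank.index(a))
        if a_votes > b_votes:
            wins[(a, b)] = a_votes - b_votes
        elif b_votes > a_votes:
            wins[(b, a)] = b_votes - a_votes
    return wins

def condorcet_winner(blocs):
    """Candidate who beats every rival head-to-head, or None if there is none."""
    candidates = sorted(blocs[0][1])
    wins = pairwise_wins(blocs)
    for c in candidates:
        if all((c, other) in wins for other in candidates if other != c):
            return c
    return None

def majority_cycle(blocs):
    """Return one cycle [x, y, ..., x] where each candidate beats the next, or None."""
    beats = {}
    for winner, loser in pairwise_wins(blocs):
        beats.setdefault(winner, []).append(loser)

    def walk(path):
        for nxt in beats.get(path[-1], []):
            if nxt == path[0]:
                return path + [nxt]
            if nxt not in path:
                found = walk(path + [nxt])
                if found:
                    return found
        return None

    for start in sorted(beats):
        cycle = walk([start])
        if cycle:
            return cycle
    return None

if __name__ == "__main__":
    print(pairwise_wins(BLOCS), condorcet_winner(BLOCS), majority_cycle(BLOCS))
```
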

