Slashdot Mirror
Damning Report On Sequoia E-Voting Machine Security
TechDirt notes the publication of the New Jersey voting machine study, the attempted suppression of which we have been discussing for a while now. The paper that the Princeton and Lehigh University researchers are releasing, as permitted by the Court, is "the same as the Court's redacted version, but with a few introductory paragraphs about the court case, Gusciora v. Corzine." What's new is the release of a 90-minute evidentiary video — the researchers have asked the court for permission to release a shorter version that hits the high points, as the high-res video is about 1 GB in size. See TechDirt's article for the report's executive summary listing eight ways the AVC Advantage 9.00 voting machine can be subverted.
Don't read the report about voting machines. It contains spoilers about who wins next month.
My reading comprehension must have failed a saving throw. I can't understand the summery.
"We provide this voting booth for entertainment purposes only. Use of this machine does not constitute the actual act of voting for a bill or candidate. The State of [INSERT_STATE_NAME_HERE] and the United States Federal Government are not liable for any damages that may arise through the use of this entertainment apparatus."
That ought to do it.
An oxymoron.
The only thing a e-voting machine should be used for is printing a paper ballot.
Count the paper ballots.
Anything else means you have to trust the voting machine, or the people who verified the voting machine.
(You have to make sure that there are no hidden things in any of the chips, the software, any memory card that comes into contact with the machine, the network that the machine is connected to, etc. Seriously, who can possibly think that a E-voting machine with a Sprint data card in it is secure?)
If I have nothing to hide, don't search me
could be made 100% secure, foolproof, etc., it should still not be used
simply because of the PERCEPTION of what happens to your vote in electronic voting
it is a black box. your votes go in, sausage comes out. meanwhile, a piece of paper has no secrets. it stays in a box, it can retallied. it can be messed with and falsified and burned, sure. but not with such ease and not in so many quick secret and immensely powerful ways electrons or magnetic marks on a disk can be messed with
all nations should use paper ballots, doesn't matter how rich they are. joe schmoe needs to touch and feel and smell his vote. voting machines and electronic voting represents a black box system, and therefore represents too much fundamental distrust. distrust undermines the legitimacy of democratically elected governments in the eyes of the people
it is not good enough that joe schmoe vote in absolute security and privacy and integrity. joe schmoe must also BELIEVE that. but in an irreducibly black box system, distrust is inescapable
electronic voting is the greates threat to democracy, ever. no ideological system or intolerant set of beliefs can undermine faith in democracy more than a method of tallying votes that the technofetishist loves, but the general populace views with suspicion
you don't need to say "gee whiz" when you vote
we need to end electronic voting, in the name of strengthening democracy
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
You have a very good point here - why are these things even doing all the "tallying" on there own? Wasn't the overall MAIN issue was the validity of "hanging chads" and the like - why in the hell can't we have a simple machine with all the same bells and whistles that simply punches the damn things for us?!?!
On a side note - how hard can this stuff be? It's not like they aren't making a fortune from these things - it's seeming like they are barely able to break even so they have to hire "below the barrel" talent...
http://coblitz.codeen.org/citp.princeton.edu/voting/advantage/advantage-insecurities-redacted.pdf
They could, in addition to printing the paper ballots, count the votes. That way it would be possible for people to see the votes being cast in almost real-time. I would like it. Of course, the official count would be done by hand.
My first thought was "what's the point of publishing this now?"
Everyone (yes, even the clueless people in charge) knows that electronic voting machines are SNAFU, they just didn't have the time/money to do anything about it this election cycle.
2010 should be much different.
Hopefully they'll take the next 2 years to do some criminal investigations into all the substituting and patching of firmwares while they're at it.
[Fuck Beta]
o0t!
That's quite a lot of fud with not much to back it up with. True, IMNAA (I am not an american) but I'm inclined to think that those who are can have some influence on the next president of the USA or whatever they are voting over.
True, the significance of one vote is not much when there are many voters but it's pretty obvious how the ammount of power one vote wields goes up when the amount of voters goes down.
Is very simple, and in fact I used it Today! - The Paper Ballot. I marked my choices, and turned it in. Voters in NJ should demand paper ballots, issue solved (sort of).
Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
Public outcry, inquiry, and (in some cases) mockery are well and good, and hopefully lead to policy change. However, when it comes time to vote, what's an individual voter to do when faced by an electronic voting machine at the polls? Boycotting doesn't seem like the right course of action here.
actually, i was referring to a scratch and sniff voting system
"hmmm... obama"
scrathscrathscratch
"yay! smells like jesus and cupcakes! ok, now... mccain"
scrathscrathscratch
"uggh. smells like depends and denture cream"
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
California ordered a review of all the machines used in the state last year. They would give access to university security labs to one manufacturer's machines at a secure location. I mean the machines were held in cages over night and there was controlled access for only the researchers, etc.
They were asked to evaluate the machines.
UC Santa Barbara did ES&S, and their analysis is here.
They also have a short video on the subject, here it is on youtube
In short, all the machines were utter crap. The "seals" can by bypassed by bending some plastic. The locks can be bypassed with a screwdriver. Plus the software is susceptible to viruses, and they managed to make the machine vote for whoever they wanted. Even though all the machines have the VVPT (voter-verified paper trail).
boldly going forward, 'cause we can't find reverse
Simple paper ballot. Allow observers from all interested (political) parties to monitor the voting station and the count.
Presto, solves verification of the internals of the not so obvious "voting machines". Voting machines aren't truly verificable.
Making a machine that counts or tallies votes shouldn't be very hard, and should be a first year programming assignment.
Making that whole system *secure*, otoh, is almost impossible, especially when it is something as large and distributed as a national voting system. If a company could actually make a completely secure voting system, they could also have a good DRM system. (Yeah, I did say "good DRM system", which shows how possible I think that is)
From Ken Thompson's essay Reflections on Trusting Trust, he says it isn't enough to check the source code, you also have to check the compiler, the output from that compiler, and I would add, in the context of a voting system, everything that is or could be in the system/network.
If I have nothing to hide, don't search me
It's just as reliable as the computers, network, memory and hard drives you used to keep your bank records and run the stock market. I don't see anyone complain about those....
TOP DSLR Cameras Reviews of the top DSLRs
Check the map.
You are being MICROattacked, from various angles, in a SOFT manner.
Because those are different cases.
The user isn't going to hack his own computer to get his credit card number. Hope that persons computer doesn't have a virus or key logger.
That insurance company or hospital hopefully will have physical security protecting their machines. That doesn't always work, surely you have seen the articles about x million peoples data lost from (company of the week).
Securing E-voting is really like DRM: you want to distribute a device to potential hackers, and keep it secure from those hackers.
If I have nothing to hide, don't search me
You know, if I didn't know any better, I'd say that this was the same company as Diebold.
Oh, wait, it is ...
-- Tigger warning: This post may contain tiggers! --
Because the people with *physical* access aren't (usually) the people trying to hack the systems.
If I have nothing to hide, don't search me
***E-voting done well is far superior to paper voting done well. The costs are far less, it's more convenient, and more environmentally friendly*** Sounds like utter and complete hogwash to me. E-voting is a complicated solution to an simple problem. The US uses all sorts of moderately complex and expensive mechanical voting aids that invariably lead to complaints of fraud, malfeasance, or failure to register votes (because they are busted). Canada uses paper ballots and counts them in a few hours. The paper ballot system is not broken. We should quit trying to fix it until we get a LOT smarter.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
My state uses optically read paper ballots. I think it's the best of both. It can be machine read, but the paper ballot is still there to double check or recount. Is it really that hard to fill in a bubble with a #2 pencil?
people can use computers, television, and the car, but they don't have to trust them. in fact, they don't. the tv has the biased media on it. the computer spies on them with cookies. the car is always breaking down. sure, they still use thes tools, but that's not a question of trust going on with these things in the same way it is going on with their voting system. you do not have the same relationship you have with your tools that oyu have with your social environment
a government is a purely human construct. its all about social structure and where you fit into it. its all about trusting or not trusting the other people around you. its a completely different dynamic. and a sliver of doubt about how the social hierarchy around you works can only grow if you are dealing with a black box voting system
what i'm saying is that your allegories are unsound
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Why doesn't the US revert to paper ballots? We just held a federal election in Canada, and things worked just fine with a good old fashioned pencil and a small paper ballot (well, actually more like thin card). It took us a matter of hours to successfully decide the fate of the country for the next X years without the need for millions of dollars worth of mysterious electronic machinery.
Making that whole system *secure*, otoh, is almost impossible,
Making a human and machine readable, voter verified, printout is far from impossible in fact it's simple. Safely getting Paper ballots from the voting locations to a central polling place is simple. Counting the human and machine verifiable ballots with a high degree of accuracy is simple.
Now making a e-voting system that is obtuse and vague enough that elections can be skewed with a good sot at deniablity and a complete lack of papaer trail? That's difficult.
There have been dozen of high security, low cost/technology, handicapped accessible solutions proposed here on Slashdot. It is quiet obvious that a secure voting system isn't the actual priority, when these systems are purchased. It stands to logic that there is instead a different priority. I have to wonder what that priority would be, that doesn't qualify as treason.
We are all just people.
Absolutely. Would you trust your credit card number to SSL if you knew there were hundreds, maybe thousands of professional hackers trying to sniff it?
You mean there aren't?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
There are three problems with that analogy: Centralization vs. distribution, steady load vs. bursty load, and willingness to pay.
Things like financial recordkeeping and stock trading are relatively steady, constant, loads that can be handled in a fairly small number of highly centralized locations, for which people are willing to pay a great deal of money.
Voting is a highly bursty and uneven load, spread across tens of thousands of sites and systems, for which people don't seem willing to spend all that much.
It is definitely true that voting machines can be made secure in theory(and we know that they could be made far more secure than the are: not only are the current models not good enough, they aren't even as good as current generation consoles); but the analogy between voting systems and financial systems is weak and misleading. More accurate might be an analogy between voting machines and point of sale systems. Unfortunately, those are plagued by card skimmers and similar, despite the fact that they have the advantage of it being possible to calculate the "correct" outcome. It is fairly easy to detect and rectify fraudulent transactions just by looking at financial records. You can't do the same with votes.
Yeah, right! NO ONE can cheat in an election with paper ballots! The concept of a corrupt government did not exist before the invention of electronic voting.
*BULLSHIT*
Reading TFA: This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this ``hack'' takes just 7 minutes to perform.
Do you want to make a bet? Let's see how many paper ballots I can stuff in 7 minutes, given the same level of physical access one needs to change a chip in a computer. This means I can open a box, right? It doesn't matter if the box is electronic or not, it should have a padlock. If I can open the box, with no one noticing, it doesn't matter if the content is electronic or paper.
The intrinsic safety of electronic voting comes from the agility in counting. Counting a paper ballot box takes much longer than it takes to fill that box with a totally different set of votes. By the time you have counted, recounted, and counted again those paper votes, they could have been substituted a dozen times.
"That's quite a lot of fud with not much to back it up with."
damn lameness filter, the 9 megabyte pdf is not FUD, it was a court ordered analysis of the voter system used in new jersey. http://coblitz.codeen.org/citp.princeton.edu/voting/advantage/advantage-insecurities-redacted.pdf
NOTE REGARDING REDACTIONS. As paragraph 1.1 and Appendix L explain, this research was conducted pursuant to a Court Order by the Hon. Linda Feinberg of the New Jersey Superior Court. Sequoia Voting Systems filed a motion alleging that certain parts of this report contain protected trade secrets. Plaintiffs dispute Sequoia's contentions. Judge Feinberg has expressed her intention to preserve Plaintiffs' objections until the time of the hearing when she will rule on the merits of Sequoia's claims of trade secret. We are confident that the Court will then permit release of the full, unredacted report. In the interim, the Court encouraged us to release the report with redactions. Paragraphs 19.8, 19.9, 21.3, and 21.5, as well as Appendices B-G, are redacted in this release.
https://www.gnu.org/philosophy/free-sw.html
you do realize that most e-voting machines run windows right?
The base OS in these machines is fscked from the beginning, there is no way to secure them completely.
If they used Open BSD, stripped of all unnecessary components compiled from scratch from at least two different compilers to double check all the out puts and inputs then you have a reasonable base to start with. DRM on all software pieces is also needed. at the very least a hash system to approve updates unless they occur 10 days before and 10 days after the election day. During that time no updates should be allowed. while it doesn't prevent tampering, it does limit options and things can be double checked so anomalies can be seen easier.
i thought once I was found, but it was only a dream.
a government is a purely human construct. its all about social structure and where you fit into it. its all about trusting or not trusting the other people around you.
Yes, the United States government is by the people, for the people; in many ways it is a hierarchy, but specifically for representation, security, and the enabling of rights as outlined in our charter documents. I don't believe it is meant to be a nanny-state, wherein we place all our trust in the government. The Forefathers recognized our need to prevent the nanny-state from occurring, and wrote the 2nd Amendment. I will never give the government, nor anyone around me, either 100% or 0% of my trust. Everyone involved in my life, including Joe Schmoe on the street whom I've never met, receives a certain percentage of my trust. If they befriend me or I determine their goals and past performances are worthy of my support, their trust level goes up. If they stab me in the back or are otherwise dishonorable, their trust level goes down. Very few people can ever receive 100% of my trust. I judge machines and contraptions the same way - based on previous performance. The government, just like the public in general, can never earn 100% of my trust, because it's impossible to personally know all of those people. At the same time, they can never earn 0% of my trust, because I realize that there are people who are in it specifically for the good of the general public, whether I know them or not.
I think trust is one of those fallible human emotions, like love. They are similar in many ways, but I don't think they're synonymous. I once had an ex who told me that 100% love means 100% trust, and that each was a requirement of the other. I couldn't really explain it then, and I can't really explain it now, but even though I loved her with all my heart, I never could fully trust her.
Pretty much 20 minutes into the video, it describes how a poll worker can simulate activating the machine so that everybody in the room believes it is active, and the voter will notice nothing suspicious, yet the vote cast is not counted. The activation chirp is played, and the correct light display when the voter picks the candidate, and even says "vote counted thanks you", when in reality, no vote has been cast. Unbelievable. It's obvious that a malicious poll worker could absolutely use this to his or her advantage and deny people votes.
Nonsense. The vast majority of computer security experts agree that electronic voting machines are the safest, most secure way to conduct an election, and that they are virtually immune to tampering or forging of votes.*
*results of a poll of 1000 experts conducted using Diebold voting machines. 93 of 1000 said electronic voting was not secure, 1237 out of 1000 said that it was.
electronic voting in any democracy is wrong.
It's what I said. You aren't arguing about it. You have made up your mind and are on a religious rant against the antichrist, I mean, e-vote. You aren't making coherent thoughts. You are arguing one point one time, and one the other. "No one can trust it" "OK, Brasil trusts it, but the entire country is wrong to do so." You'll change your statements to mold to whatever counter-arguments someone comes up with. Pick a fact, and I'll prove it wrong, but I can't prove your religion of anti-e-vote to be wrong. It's as irrational as any "real" religion (and no, that's not a stab at religions, they are, by definition, irrational, as in not rational/logical, in fact, the Bible says that one can't understand God, so logic/ration are out the window).
do you see the issues at work now?
Yeah, you are a nutjob.
do you think electornic voting is more or less exploitable than paper voting?
Less.
if you think it is less exloitable, you fail at logic
If you were capable of using proper punctuation and capitalization, then one might take you more seriously. However, that aside, take a system where you have paper ballots and holes to punch out. Would you find that more or less reliable than having a computer terminal for every vote and that computer printed out a human-readable "recipt" for every vote that the person takes and drops into the vote bucket with the hole-puncher? Well, there have been numerous cases of hole-punching being flawed (chads and such) and that's paper voting, and yet there isn't a single case I know of where human-readable printed ballots from an e-box were confusing to the counters. As such, an e-voting system is necessarily less ambiguous and less exploitable than the non-e-system I'm comparing it to.
If you disagree, then you fail at logic.
(see, both of us can make the "you disagree, you fail" assertions, did it work for me like you thought it would for you? No? Then stop being a three year old with the "agree with me or I'll tell you that you are stupid" game. I at least wait for you to say something stupid before proving it so)
Learn to love Alaska
You forgot the most important part that appears on lottery machines (and by association should appear on voting machines): "Any malfunction voids play results."
I'm an individual! Just like everyone else!
There is also the not-at-all-a-small-issue of anonymity. Your voting mechanism must ensure that a particular account number (i.e. a voter's identity) can be used at most one time per election. And you have to record what it was used for anonymously so that what was done with the account literally cannot be traced back to the account holder.
Most of the common credit card fraud-prevention schemes (such as date/time stamping every transaction) violate this. Not really a surprise, since the credit card system is designed to enforce accountability, the antithesis of anonymity (the whole purpose of anonymity is to avoid accountability).
Fundamentally, anonymity is about removing traceability information, and fraud prevention is about maintaining it. These are both core requirements, and they directly work against one another.
I know... it's not couth to reply to my own posting, but on reflection I had it wrong above. Or rather, I posted poor concepts. Just voiding play on a voting machine is very different from voiding play on a lottery machine.
The reason is that from the viewpoint of lottery, an individual player gets an individual result (win/lose). A voter is placing a vote which is aggregated with the corresponding inputs from other voters to determine the election winner (we'll ignore the electoral college as being overly pedantic).
The difference is that voters affiliations are not evenly distributed geographically. So, by voiding play on voting machines which are in areas with high concentrations of voters of one party, the aggregate can be skewed toward a desired outcome.
I'm an individual! Just like everyone else!
Making that whole system *secure*, otoh, is almost impossible, especially when it is something as large and distributed as a national voting system. If a company could actually make a completely secure voting system, they could also have a good DRM system. (Yeah, I did say "good DRM system", which shows how possible I think that is)
From Ken Thompson's essay Reflections on Trusting Trust, he says it isn't enough to check the source code, you also have to check the compiler, the output from that compiler, and I would add, in the context of a voting system, everything that is or could be in the system/network.
I would like to respectfully disagree here. Your comment can be too easily be summarized to "well, if you can't solve every possible flaw, you don't have a secure system, and so there's no point in trying, if they're all insecure anyway, any system is as bad as any other."
This belief is flawed. Even if you can't prove that there isn't any possible attack, it is nevertheless true that there are better systems and worse systems, and you don't want a worse system. Being able to check the source code-- and, better, having the source code open for anybody to look at-- is in fact a very good start. Yes, it is possible that there may be some hithertofore-unknown flaw in the compiler, and some extremely ingenious cracker might be able to find it and find a way to use it to manipulate voting results... but this is a billion times less likely than the case of some open port left accessable, or a deliberately open back door, that would be found by careful inspection of the source.
(You've misquoted Ken Thompson's conclusion, by the way. His actual conclusion was that you should never trust any program you didn't write yourself. Apparently he's never seen the programs I've written myself.)
http://www.geoffreylandis.com
Here you go, a torrent for the 1 gigabyte hi-res video:
advantage-insecurities-exhibit-hires.mp4.torrent
An electronic voting machine should be simple. Why the f- are they even using an operating system at all? Wouldn't a stripped down the bone OS do the job? How about using DOS?
(before you laugh or say to use free software, the reason I say DOS is there is ZERO chance someone 20 years ago inserted code that would corrupt a voting machine)
Also, with DOS you could easily verify the md5 of the OS image.
I say use DOS, and write the vote counting program in terminal graphics mode, with those colored ASCII characters for a GUI. A SIMPLE GUI. The feature count on this program should be limited to the crucial things only.
And NO network access. The only way to count votes should be to physically gather all the flash memory cartridges in one place. Each cartridge would have a ONE TIME PAD encryption lock. There would be a central "vote counting" terminal that would be the only machine in the county with the other copy of the one time pad used.
Funny I think that people are so cautious to trust computers here, but they're fine for everything else. Just make it open. We can gain some advantages.
-Immediately before voting, you are handed a number. How we generate these numbers is up for debate. Perhaps they are centrally generated and serial. Perhaps a hash of name + DOB + other stuff. Each choice here opens different doors.
-Barcode equivalent to said number must be scanned at the machine. Number must also be entered on an onscreen key pad.
- Number + voting choices + timestamp + voting machine id are stored in a central database. Immediately. Nothing local.
-You get a receipt with your Number + voting choices + timestamp + machine ID. It also has these other handy value on there. A digital signature, created by said central authority with its private key. The public key is well known long in advance.
-After the election, the entire result set is made available for download. Yeah, a recount is a big fucking deal. We have these neat machines that are good at math. The bigger deal here is that if you check the database after you voted and the entry for your number doesn't match, you scream bloody murder. If you don't trust the machine, any party can verify the central authority's signature.
-But in addition to 'any' party, it is critical to have a non-networked verification appliance, which does nothing but verify the central signature for you before you physically leave. If you scream bloody murder at this point, we can consider the plain-text part of the receipt trusted. You obviously couldn't have faked the entire receipt while being watched by everyone. More on this soon.
Nice huh? Let's recap some advantages here:
-You can verify that your vote was counted and correctly
-You can't determine who voted for whom, except yourself.
-The receipt actually means something
Let's elaborate on that third point.
There are several means of lying to you, which can't easily be solved without adding machines into the mix
-What if the receipt says you voted for X but the machine recorded you as voting for Y? This is as good as pressing the wrong button. The signatures will both be valid. But if the plain-text portion shows the wrong candidate, you'll notice and scream. If the plain-text portion doesn't match the the central signature (the one most directly relevant to proper recording) you will catch this at the non-networked verifier. The receipt can still be trusted having not left the polling place, so you will be allowed to vote on another machine, as meanwhile the machine you previously used is marked for a serious investigation...
-What if the central authority records whatever it wants but produces a normal signature? The receipt will be considered entirely valid and endorsed. People will notice quickly as they check the database from home. You have a paper trail that can be trusted. What if the signature is bogus? People notice before they leave the polling place.
Up to this point? Criminal negligence bordering on treason. Open source needs to step up.
"Strangers have the best candy" -Me
Suppose we had such a situation as you suggest and thousands of reviewers pawed over the code making it "as good as it gets". How do you verify the code that was reviewed is the code that is running?
"if they're all insecure anyway, any system is as bad as any other."
It is true that all voting systems are open to fraud, however rigging a paper election is orders of magnitude more difficult than rigging an electronic election simply because of the number of people needed to implement the "hack".
With all due respect, people who believe electronic voting can be made "better than" or even "as good as" traditional paper voting have no idea how the counting of traditional paper ballots is conducted.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Or perhaps just use a micro and run an embedded application rather than running a pre-emptive multitasking operating system. It doesn't need to do much.
To me the messed up thing in all this e-Voting stuff is that the counties are using e-Voting machines that are shown to be hackable... implying that they are using the machines without fully testing them. That is, they have decided on the machines (presumably after a convincing marketing presentation), and only *after* using them, have people come along and said, hey, these aren't safe.
In usual situations, a system would be tested for hacking *before* being deployed. Until such time as it can be independently declared safe, the old, trusted system would remain in place. This rule applies to every major server in the world, why does it not apply to something as fundamental as VOTING?
We shouldn't just be mad about hackable eVoting machines, we shouldn't just be mad at the companies that make them, we should be mad about bad decisions being made by those in power to use these machines without properly testing them.
(By "we" of course I mean people who actually have to use e-Voting machines.. myself, I'm from a place that banned them, thankfully.)
Suppose we had such a situation as you suggest and thousands of reviewers pawed over the code making it "as good as it gets". How do you verify the code that was reviewed is the code that is running?
If the code that's reviewed is not the same as the code that's running, this is in itself evidence of fraud. You don't need to look for a back door in this case; you don't need to even know what the code that's running does, you have already shown fraud.
http://www.geoffreylandis.com