Damning Report On Sequoia E-Voting Machine Security
TechDirt notes the publication of the New Jersey voting machine study, the attempted suppression of which we have been discussing for a while now. The paper that the Princeton and Lehigh University researchers are releasing, as permitted by the Court, is "the same as the Court's redacted version, but with a few introductory paragraphs about the court case, Gusciora v. Corzine." What's new is the release of a 90-minute evidentiary video — the researchers have asked the court for permission to release a shorter version that hits the high points, as the high-res video is about 1 GB in size. See TechDirt's article for the report's executive summary listing eight ways the AVC Advantage 9.00 voting machine can be subverted.
Don't read the report about voting machines. It contains spoilers about who wins next month.
"We provide this voting booth for entertainment purposes only. Use of this machine does not constitute the actual act of voting for a bill or candidate. The State of [INSERT_STATE_NAME_HERE] and the United States Federal Government are not liable for any damages that may arise through the use of this entertainment apparatus."
That ought to do it.
An oxymoron.
The only thing an e-voting machine should be used for is printing a paper ballot.
Count the paper ballots.
Anything else means you have to trust the voting machine, or the people who verified the voting machine.
(You have to make sure that there are no hidden things in any of the chips, the software, any memory card that comes into contact with the machine, the network that the machine is connected to, etc. Seriously, who can possibly think that an E-voting machine with a Sprint data card in it is secure?)
If I have nothing to hide, don't search me
could be made 100% secure, foolproof, etc., it should still not be used
simply because of the PERCEPTION of what happens to your vote in electronic voting
it is a black box. your votes go in, sausage comes out. meanwhile, a piece of paper has no secrets. it stays in a box, it can be retallied. it can be messed with and falsified and burned, sure. but not with such ease and not in so many quick secret and immensely powerful ways electrons or magnetic marks on a disk can be messed with
all nations should use paper ballots, doesn't matter how rich they are. joe schmoe needs to touch and feel and smell his vote. voting machines and electronic voting represents a black box system, and therefore represents too much fundamental distrust. distrust undermines the legitimacy of democratically elected governments in the eyes of the people
it is not good enough that joe schmoe vote in absolute security and privacy and integrity. joe schmoe must also BELIEVE that. but in an irreducibly black box system, distrust is inescapable
electronic voting is the greatest threat to democracy, ever. no ideological system or intolerant set of beliefs can undermine faith in democracy more than a method of tallying votes that the technofetishist loves, but the general populace views with suspicion
you don't need to say "gee whiz" when you vote
we need to end electronic voting, in the name of strengthening democracy
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
http://coblitz.codeen.org/citp.princeton.edu/voting/advantage/advantage-insecurities-redacted.pdf
They could, in addition to printing the paper ballots, count the votes. That way it would be possible for people to see the votes being cast in almost real-time. I would like it. Of course, the official count would be done by hand.
Is very simple, and in fact I used it Today! - The Paper Ballot. I marked my choices, and turned it in. Voters in NJ should demand paper ballots, issue solved (sort of).
Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
actually, i was referring to a scratch and sniff voting system
"hmmm... obama"
scrathscrathscratch
"yay! smells like jesus and cupcakes! ok, now... mccain"
scrathscrathscratch
"uggh. smells like depends and denture cream"
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
California ordered a review of all the machines used in the state last year. They would give access to university security labs to one manufacturer's machines at a secure location. I mean the machines were held in cages over night and there was controlled access for only the researchers, etc.
They were asked to evaluate the machines.
UC Santa Barbara did ES&S, and their analysis is here.
They also have a short video on the subject, here it is on youtube
In short, all the machines were utter crap. The "seals" can be bypassed by bending some plastic. The locks can be bypassed with a screwdriver. Plus the software is susceptible to viruses, and they managed to make the machine vote for whoever they wanted. Even though all the machines have the VVPT (voter-verified paper trail).
boldly going forward, 'cause we can't find reverse
The thing is, I don't think that everyone DOES know. I sincerely HOPE that they don't know, because no one is COMPLETELY OUTRAGED about it, and seriously, I think this should be a "people in the streets with torches and pitchforks" kind of issue. There simply seems to be zero public interest in this (and by "public" I of course mean the non-Slash-reading public) and it boggles the mind that some public figure hasn't jumped on this and made it a platform.
Simple paper ballot. Allow observers from all interested (political) parties to monitor the voting station and the count.
Presto, solves verification of the internals of the not so obvious "voting machines". Voting machines aren't truly verifiable.
Making a machine that counts or tallies votes shouldn't be very hard, and should be a first year programming assignment.
Making that whole system *secure*, otoh, is almost impossible, especially when it is something as large and distributed as a national voting system. If a company could actually make a completely secure voting system, they could also have a good DRM system. (Yeah, I did say "good DRM system", which shows how possible I think that is)
From Ken Thompson's essay Reflections on Trusting Trust, he says it isn't enough to check the source code, you also have to check the compiler, the output from that compiler, and I would add, in the context of a voting system, everything that is or could be in the system/network.
If I have nothing to hide, don't search me
Check the map.
You are being MICROattacked, from various angles, in a SOFT manner.
It's nice here in the summery. In the wintery it rains all the time.
None of them can see the clouds; The polished wings don't care.
Because those are different cases.
The user isn't going to hack his own computer to get his credit card number. Hope that person's computer doesn't have a virus or key logger.
That insurance company or hospital hopefully will have physical security protecting their machines. That doesn't always work, surely you have seen the articles about x million people's data lost from (company of the week).
Securing E-voting is really like DRM: you want to distribute a device to potential hackers, and keep it secure from those hackers.
If I have nothing to hide, don't search me
***E-voting done well is far superior to paper voting done well. The costs are far less, it's more convenient, and more environmentally friendly*** Sounds like utter and complete hogwash to me. E-voting is a complicated solution to a simple problem. The US uses all sorts of moderately complex and expensive mechanical voting aids that invariably lead to complaints of fraud, malfeasance, or failure to register votes (because they are busted). Canada uses paper ballots and counts them in a few hours. The paper ballot system is not broken. We should quit trying to fix it until we get a LOT smarter.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
My state uses optically read paper ballots. I think it's the best of both. It can be machine read, but the paper ballot is still there to double check or recount. Is it really that hard to fill in a bubble with a #2 pencil?
Why doesn't the US revert to paper ballots? We just held a federal election in Canada, and things worked just fine with a good old fashioned pencil and a small paper ballot (well, actually more like thin card). It took us a matter of hours to successfully decide the fate of the country for the next X years without the need for millions of dollars worth of mysterious electronic machinery.
Absolutely. Would you trust your credit card number to SSL if you knew there were hundreds, maybe thousands of professional hackers trying to sniff it?
You mean there aren't?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
"That's quite a lot of fud with not much to back it up with."
damn lameness filter, the 9 megabyte pdf is not FUD, it was a court ordered analysis of the voter system used in new jersey. http://coblitz.codeen.org/citp.princeton.edu/voting/advantage/advantage-insecurities-redacted.pdf
NOTE REGARDING REDACTIONS. As paragraph 1.1 and Appendix L explain, this research was conducted pursuant to a Court Order by the Hon. Linda Feinberg of the New Jersey Superior Court. Sequoia Voting Systems filed a motion alleging that certain parts of this report contain protected trade secrets. Plaintiffs dispute Sequoia's contentions. Judge Feinberg has expressed her intention to preserve Plaintiffs' objections until the time of the hearing when she will rule on the merits of Sequoia's claims of trade secret. We are confident that the Court will then permit release of the full, unredacted report. In the interim, the Court encouraged us to release the report with redactions. Paragraphs 19.8, 19.9, 21.3, and 21.5, as well as Appendices B-G, are redacted in this release.
https://www.gnu.org/philosophy/free-sw.html
Let's change your bet a little bit. The 7 minutes are 2 days before the election. You get private time with the ballot box, I get private time with the voting machine.
What can you do to the ballot box that wouldn't be noticeable 2 days later and still affect the vote?
I was an election judge for Boulder County in 2004. Part of my duties as the head election judge for the precinct was to make sure that there was nothing in the ballot box and seal it. From that time until I handed the box to the county officials, it was not left in the presence of any single person, so nobody would have 7 minutes during the election day.
You can't stuff the ballot box 2 days before the election with nobody being able to notice.
**THAT** is what they are complaining about. The machines were left in publicly accessible areas for days before the election. Replace one of the chips with that 7 minutes, and it would take a very detailed examination to notice the problem.
If I have nothing to hide, don't search me
Pretty much 20 minutes into the video, it describes how a poll worker can simulate activating the machine so that everybody in the room believes it is active, and the voter will notice nothing suspicious, yet the vote cast is not counted. The activation chirp is played, and the correct light display when the voter picks the candidate, and even says "vote counted thanks you", when in reality, no vote has been cast. Unbelievable. It's obvious that a malicious poll worker could absolutely use this to his or her advantage and deny people votes.
Nonsense. The vast majority of computer security experts agree that electronic voting machines are the safest, most secure way to conduct an election, and that they are virtually immune to tampering or forging of votes.*
*results of a poll of 1000 experts conducted using Diebold voting machines. 93 of 1000 said electronic voting was not secure, 1237 out of 1000 said that it was.
There is also the not-at-all-a-small-issue of anonymity. Your voting mechanism must ensure that a particular account number (i.e. a voter's identity) can be used at most one time per election. And you have to record what it was used for anonymously so that what was done with the account literally cannot be traced back to the account holder.
Most of the common credit card fraud-prevention schemes (such as date/time stamping every transaction) violate this. Not really a surprise, since the credit card system is designed to enforce accountability, the antithesis of anonymity (the whole purpose of anonymity is to avoid accountability).
Fundamentally, anonymity is about removing traceability information, and fraud prevention is about maintaining it. These are both core requirements, and they directly work against one another.
And I was an election judge for Itatiaia, in Brazil, in 1998. I had more or less the same duties as you had. It was an electronic box.
I inserted a flash card with the software, including the operating system, which was given to me by an officer of the electoral court minutes before the election started.
If you can corrupt a representative of the judge who is responsible for declaring if the vote is correct, does it matter if the box is electronic or paper?
You are ready to swear for the honesty of those county officials, yet you don't trust the people who handled the electronic box before the election?
That's *WRONG*, no matter if the ballots were paper or electronic. No part of an electoral process should be left unattended at any time at all.
To sum up, you have absolute trust in the paper voting system, because you have absolute trust in the way the paper ballot was handled *AFTER* the election, but you mistrust the electronic vote because you mistrust the way the electronic box is handled *BEFORE* the election.
For me, both systems can be corrupted, but the electronic system is better because, given the same level of precaution before and after the election, the electronic system gives faster results. To cheat, you need physical access to the system, so the quickest system is safer.
Funny I think that people are so cautious to trust computers here, but they're fine for everything else. Just make it open. We can gain some advantages.
-Immediately before voting, you are handed a number. How we generate these numbers is up for debate. Perhaps they are centrally generated and serial. Perhaps a hash of name + DOB + other stuff. Each choice here opens different doors.
-Barcode equivalent to said number must be scanned at the machine. Number must also be entered on an onscreen key pad.
- Number + voting choices + timestamp + voting machine id are stored in a central database. Immediately. Nothing local.
-You get a receipt with your Number + voting choices + timestamp + machine ID. It also has these other handy value on there. A digital signature, created by said central authority with its private key. The public key is well known long in advance.
-After the election, the entire result set is made available for download. Yeah, a recount is a big fucking deal. We have these neat machines that are good at math. The bigger deal here is that if you check the database after you voted and the entry for your number doesn't match, you scream bloody murder. If you don't trust the machine, any party can verify the central authority's signature.
-But in addition to 'any' party, it is critical to have a non-networked verification appliance, which does nothing but verify the central signature for you before you physically leave. If you scream bloody murder at this point, we can consider the plain-text part of the receipt trusted. You obviously couldn't have faked the entire receipt while being watched by everyone. More on this soon.
Nice huh? Let's recap some advantages here:
-You can verify that your vote was counted and correctly
-You can't determine who voted for whom, except yourself.
-The receipt actually means something
Let's elaborate on that third point.
There are several means of lying to you, which can't easily be solved without adding machines into the mix
-What if the receipt says you voted for X but the machine recorded you as voting for Y? This is as good as pressing the wrong button. The signatures will both be valid. But if the plain-text portion shows the wrong candidate, you'll notice and scream. If the plain-text portion doesn't match the central signature (the one most directly relevant to proper recording) you will catch this at the non-networked verifier. The receipt can still be trusted having not left the polling place, so you will be allowed to vote on another machine, as meanwhile the machine you previously used is marked for a serious investigation...
-What if the central authority records whatever it wants but produces a normal signature? The receipt will be considered entirely valid and endorsed. People will notice quickly as they check the database from home. You have a paper trail that can be trusted. What if the signature is bogus? People notice before they leave the polling place.
Up to this point? Criminal negligence bordering on treason. Open source needs to step up.
"Strangers have the best candy" -Me
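The two receipt checks described in the comment above (the non-networked verifier and the later database lookup), as an added example that is not code from the thread or from any voting system. It assumes a toy textbook-RSA key standing in for the central authority's signature scheme, and the field names, receipt values and function names are constructed for illustration.

```python
import hashlib

# Toy textbook RSA (constructed key, unpadded and far too small for real use).
# It only stands in for the central authority's key pair from the comment.
P, Q = 2**127 - 1, 2**89 - 1           # two known Mersenne primes
N, E = P * Q, 65537                    # public key, published in advance
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, held by the authority

FIELDS = ("number", "choices", "timestamp", "machine")

def encode(record):
    """Plain-text portion of a receipt or database row."""
    return "|".join(str(record[f]) for f in FIELDS)

def digest(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N

def authority_sign(record):
    """The authority signs exactly the record it stored."""
    return pow(digest(encode(record)), D, N)

def offline_verify(receipt, signature):
    """Non-networked appliance: does the printed text match the signature?"""
    return pow(signature, E, N) == digest(encode(receipt))

def home_check(receipt, database):
    """After the election: does the published row match the receipt?"""
    return database.get(receipt["number"]) == encode(receipt)

def run_scenarios():
    receipt = {"number": 4711, "choices": "X",
               "timestamp": "2008-11-04T09:15", "machine": "M-12"}
    altered = dict(receipt, choices="Y")   # what a dishonest party records
    honest_db = {4711: encode(receipt)}
    bad_db = {4711: encode(altered)}
    return {
        "honest": (offline_verify(receipt, authority_sign(receipt)),
                   home_check(receipt, honest_db)),
        # Machine prints X but submits Y; the authority signs and stores Y.
        "machine_lies": (offline_verify(receipt, authority_sign(altered)),
                         home_check(receipt, bad_db)),
        # Authority signs the X receipt but stores Y.
        "authority_lies": (offline_verify(receipt, authority_sign(receipt)),
                           home_check(receipt, bad_db)),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

Each result is a pair (offline verifier passes, database lookup passes): the lying machine fails at the polling place, while the lying authority passes there and is only caught by the database lookup.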