Slashdot Mirror


Voting Machine Attacks Proven To Be Practical

An anonymous reader writes "Every time a bunch of academics show vulnerabilities in electronic voting machines, critics complain that the attacks aren't realistic, that attackers won't have access to source code, or design documents, or be able to manipulate the hardware, etc. So this time a bunch of computer scientists from UCSD, Michigan, and Princeton offered a rebuttal. They completely own the AVC Advantage using no access to source code or design documents (PDF), and deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine. Moreover, they came up with some cool tricks to do this on a machine protected against traditional code injection attacks (the AVC processor will only execute instructions from ROM). The research was presented at this week's USENIX EVT."

14 of 225 comments

  1. If they own it, what's the problem? by A. B3ttik · · Score: 4, Funny

    They completely own the AVC Advantage using no access to source code or design documents

    What do Source Code and Design Documents have to do with purchasing something?

    1. Re:If they own it, what's the problem? by Anonymous Coward · · Score: 5, Insightful

      The problem is our elections are supposed to be transparent by law.
      The problem is our elections are supposed to have public oversight.
      The problem is a private company can not provide public oversight.
      The problem is electronic vote tabulation devices use invisible signals which no human (especially a poll watcher) can see.
      The problem is China or North Korea could decide our elections and we wouldn't know.
      The problem is there is no electronic vote tabulation device (or electronic vote registration poll book device) which can be validated with public oversight.
      The problem is without public oversight, no election can be validated.
      The problem is if our elections can not be validated, we can not hold our representatives responsible.
      The problem is if our representatives can not be held responsible, they tend to ignore the rule of law.
      The problem is if our representatives ignore the rule of law, they tend to ignore protecting the US Constitution against all enemies.
      The problem is when the US Constitution is ignored, we no longer live in a Constitutional Republic.
      The problem is when we no longer live in a Constitutional Republic, we slip into fascism.
      The problem is we have slipped into fascism.
      The problem is ignorance is no longer an excuse for corruption.

    2. Re:If they own it, what's the problem? by A. B3ttik · · Score: 5, Funny

      That seems to have gone right over your head.

      The irony here is palpable.

    3. Re:If they own it, what's the problem? by Chris Mattern · · Score: 4, Insightful

      And stop paying them, you shouldn't be in government for a salary.

      Bad, *bad*, BAD idea. If you can't be in government for a salary, then you're in it for the bribes. Not that paying a decent salary renders a politician immune to corruption, but at least he doesn't have to be on the take simply to put food on the table.

  2. Still not fair. by MartinSchou · · Score: 5, Funny

    What these "intellectuals" and "researchers" have to keep in mind, is that in reality, no one would ever dream of committing election fraud.

    We all live in a utopia, where everyone has equal say, no one would ever coerce others and there's a kitten on every lap. That's why there are no such things as secret ballots. In every voting booth there will be three heavily armed guards who will watch you vote to ensure that you won't be doing anything you shouldn't do.

    Have a cotton candy, drink your beer and turn on the TV. The shiny shiny is on again, you like that. You have always liked that.

    </sarcasm>

    1. Re:Still not fair. by InsaneProcessor · · Score: 5, Insightful

      I work in the computer industry and do not trust any electronic voting system. The more complex a system (any physical system) the more susceptible it is to attack. Give me good old paper ballots any day.

      --

      Atheism is a religion like not collecting stamps is a hobby.

  3. If we were meant to vote, we'd get candidates by David Gerard · · Score: 4, Funny

    Americans today committed egregious acts of democracy to elect the next failed administration and the next failed Congress.

    In a fabulous upset, almost no-one could bring themselves to vote directly for either of the official candidates, instead opting for a write-in vote. Popular write-ins included "the black guy", "the old guy", "McCain from 2000" and "Tina Fey." The seventeen votes for "The Invisible Man" were tallied for Joe Biden. Several tons of Liquid Paper needed to be scraped off voting machines.

    The winning candidate turned out to be Noneof Theabove, 46, of Dogshit, Nebraska. Apart from the Presidency, Mr Theabove won 72% of Congressional seats and all Senate seats up for election this year.

    Mr Theabove's policies include drinking, shouting abuse at the television and inchoate existential despair. "He completely embodies the national mood," said Nate Silver of FiveThirtyEight.com, just before applying for a new job flipping burgers.

    A majority of US soldiers in Afghanistan stated the place was "just fine, really" and they were learning to speak Pashto rather than returning. Canada looked south and snickered, though not very much as they still had Stephen Harper to cope with. The Kingdom of Mexico stated its "regret" today that it has had to close its borders to American refugees.

    --
    http://rocknerd.co.uk

  4. Things like this will never change by Bandman · · Score: 5, Insightful

    Electronic bits do not have the quality of being static. Electronic votes can be changed without obvious physical evidence, and as long as they're purely electronic, it will always be like that.

    Even an optical disk is more static than electronic bits that live in a database.

    People need to demand paper ballots until electronic voting machines are all enhanced with built-in paper trails.

  5. Old News by megamerican · · Score: 4, Informative

    Or people can listen to a whistleblower who programmed voting machines that easily allowed fraud without a trace.

    --
    If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place -Eric Schmidt

  6. Why doesn't Public Key crypto figure in to this? by Abalamahalamatandra · · Score: 4, Interesting

    Here's what I'm trying to understand.

    We have this great thing called Public Key Crypto and the PKI to go along with it.

    If you presume a custom processor that will only execute code signed by an election commission, that would be a first step - the system won't run anything that hasn't been specifically approved for installation on the machine. There would be no more "last minute fixes" as we've seen in the past, where code was installed without being vetted by an election authority.

    For that matter, require the software developers to store their code on a state or federal election repository, and only sign code that's been compiled on those systems, from that repository. Require that anyone who makes changes sign them with their private key and state the reason for the change.

    For the results, take each ballot, strip off the identifying information, and encrypt it to the election commission, and sign it with a pre-deployed per-machine private key that's known. It would of course also be important to have a reliable time source for the device, to include that in the result file.

    I would even envision that this would be a good purpose for a federal election agency - hosting the code for all certified voting systems, and being the "root of trust" that signs certificates for the state election commissions, which can then sign local and county commissions, which can then issue keys to individual election machines.

    Some patches to an open-source OS, say Linux, a PKI infrastructure (along with some HSM modules to store keys) and a processor with an integrated crypto engine and TPM module would take care of all of this.

    Banks do this kind of stuff all the time - what's so hard about it?
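
The signing hierarchy proposed in the comment above, sketched as an added example (not part of the original post and not code from any real voting system): a root key vouches for a state key, which vouches for a county key, which vouches for a machine key that signs the result file. The use of Ed25519 from the Go standard library, the simplified `Cert` format, and the constructed machine name and tallies are assumptions; ballot encryption is left out.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cert binds a name to a public key, signed by the level above (hypothetical format, not X.509).
type Cert struct {
	Name string
	Pub  ed25519.PublicKey
	Sig  []byte
}

// tbs is the byte string an issuer signs; Issue signs it for a subordinate's key.
func tbs(name string, pub ed25519.PublicKey) []byte { return append([]byte(name+"\x00"), pub...) }
func Issue(issuer ed25519.PrivateKey, name string, pub ed25519.PublicKey) Cert {
	return Cert{name, pub, ed25519.Sign(issuer, tbs(name, pub))}
}

// VerifyResult walks the chain down from the root key, then checks the machine's signature.
func VerifyResult(trusted ed25519.PublicKey, chain []Cert, result, sig []byte) bool {
	for _, c := range chain { // trusted starts as the root key
		if len(c.Pub) != ed25519.PublicKeySize || !ed25519.Verify(trusted, tbs(c.Name, c.Pub), c.Sig) {
			return false
		}
		trusted = c.Pub // this key is now vouched for
	}
	return len(chain) > 0 && ed25519.Verify(trusted, result, sig)
}

// Demo checks a genuine result, one altered after signing, and one from an unenrolled key.
func Demo() (ok, tampered, rogue bool) {
	rootPub, signer, _ := ed25519.GenerateKey(nil)
	var chain []Cert
	for _, name := range []string{"state", "county", "machine-0042"} {
		pub, priv, _ := ed25519.GenerateKey(nil)
		chain = append(chain, Issue(signer, name, pub))
		signer = priv // each level signs the next
	}
	result := []byte("machine=0042 A=312 B=298") // constructed sample
	ok = VerifyResult(rootPub, chain, result, ed25519.Sign(signer, result))
	tampered = VerifyResult(rootPub, chain, []byte("machine=0042 A=298 B=312"), ed25519.Sign(signer, result))
	roguePub, roguePriv, _ := ed25519.GenerateKey(nil) // key no commission enrolled
	fake := []Cert{chain[0], chain[1], Issue(roguePriv, "machine-0042", roguePub)}
	rogue = VerifyResult(rootPub, fake, result, ed25519.Sign(roguePriv, result))
	return
}

func main() { fmt.Println(Demo()) }
```

A valid signature shows which enrolled key signed the result file, not that the machine holding that key counted the votes honestly.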

  7. Re:.PDF text by Anonymous Coward · · Score: 4, Informative

    Here it is without the IDIOTIC carriage returns. Yes, you are an IDIOT, guido-cock.

    Abstract
    A secure voting machine design must withstand new attacks devised throughout its multi-decade service lifetime. In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage, whose design dates back to the early 80s. The AVC Advantage was designed with promising security features: its software is stored entirely in read-only memory and the hardware refuses to execute instructions fetched from RAM. Nevertheless, we demonstrate that an attacker can induce the AVC Advantage to misbehave in arbitrary ways--including changing the outcome of an election--by means of a memory cartridge containing a specially-formatted payload. Our attack makes essential use of a recently-invented exploitation technique called return-oriented programming, adapted here to the Z80 processor. In return-oriented programming, short snippets of benign code already present in the system are combined to yield malicious behavior. Our results demonstrate the relevance of recent ideas from systems security to voting machine research, and vice versa. We had no access either to source code or documentation beyond that available on Sequoia's web site. We have created a complete vote-stealing demonstration exploit and verified that it works correctly on the actual hardware.

    1 Introduction
    A secure voting machine design must withstand not only the attacks known when it is created but also those invented through the design's service lifetime. Because the development, certification, and procurement cycle for voting machines is unusually slow, the service lifetime can be twenty or thirty years. It is unrealistic to hope that any design, however good, will remain secure for so long. In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage. The hardware design of the AVC Advantage dates back to the early 80s; recent variants, whose hardware differs mainly in featuring a daughterboard enabling audio voting for the blind [3], are still used in New Jersey, Louisiana, and elsewhere. We study the 5.00D version (which does not include the daughterboard) in machines decommissioned by Buncombe County, North Carolina, and purchased by Andrew Appel through a government auction site [2]. [Figure: The AVC Advantage voting machine we studied.] The AVC Advantage appears, in some respects, to offer better security features than many of the other direct-recording electronic (DRE) voting machines that have been studied in recent years. The hardware and software were custom-designed and are specialized for use in a DRE. The entire machine firmware (for version 5.00D) fits on three 64kB EPROMs. The interface to voters lacks the touchscreen and memory card reader common in more recent designs. The software appears to contain fewer memory errors, such as buffer overflows, than some competing systems. Most interestingly, the AVC Advantage motherboard contains circuitry disallowing instruction fetches from RAM, making the AVC Advantage a true Harvard-architecture machine. Nevertheless, we demonstrate that the AVC Advantage can be induced to undertake arbitrary, attacker-chosen behavior by means of a memory cartridge containing a specially-formatted payload.
    An attacker who has access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another whose visible behavior is nearly indistinguishable from the legitimate program but that adds, removes, or changes votes as the attacker wishes. Unlike those attacks described in the (contemporaneous, independent) study by Appel et al. [3, 4] that allow arbitrary computation to be induced, our attack does not require replacing the system ROMs or processor and does not rely on the presence of the daughterboard added in later revisions. Our attack makes essential use of return-oriented programming

  8. Re:Not a Bug by Anonymous Coward · · Score: 5, Informative

    From TFA:

    "The attacker does not need to remove any tamper-evident seals; in particular, he does not need to remove the circuit-board cover."

    (CAPTCHA: counted)

  9. Re:Not a Bug by HTH NE1 · · Score: 5, Insightful

    The only problem with this is that you aren't going to get a few "private minutes" with the machine

    Surely that depends on the standards of voting privacy in your district, like whether you get a three-sided screen block or a complete booth with ceiling-to-floor curtains.

    And an election can be thwarted by leaving evidence of tampering in a district you want to disenfranchise.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?

  10. Hasn't worked all the time by zogger · · Score: 5, Insightful

    Here's a several trillion bucks and counting glaring example about how most reps and senators give not crap one what their constituents want: Public opposition including phone calls, faxes, emails, snail mails and buttonholing was running well over 90% against the casino bankers bailouts. Yet it passed, both under the shrub admin and continues today under the yomama admin. People just wanted normal bankruptcy to occur, let the real free markets sort out those ludicrous collateralized debt obligations and hedged derivatives bets and all those other pseudo financial "products" and other forms of mass leechery from the real working folks. People said in huge numbers "No, we don't need to offer millionaires and billionaires welfare when they bet wrong, they should eat their own megacapitalist dogfood..we'll deal with whatever happens, but don't subsidise those people". But nope, the US public got put on the hook to bail them out.

    GM and Chrysler, again, decades of getting it wrong in the auto industry, all the chance in the world for management, unions and investors to get it right..nope, they kept screwing up. People really didn't want to bail them out, again in huge numbers, just let them go bankrupt like normal, but, the quasi bailout happened anyway, and now we have some precedent that the executive branch can just seize corporations and run them. Seems like we fought a big fat war over that economic and governmental "blend" two generations ago, we were against that back then, and actually hung some of the high level proponents after that war. Now, it is *policy*, despite most folks being against it.

    Look at the dumb wars..I sincerely doubt there is even close to a majority opinion anymore to continue these wars....but they still go on.

    The bottom line is "government" doesn't give a rat's ass what "the people" want, they just go ahead and do whatever they want to do, or what they have been bribed and blackmailed into doing.. I can't give you an exact date when it happened, but voting and "representative democracy" has been broken on many levels for a long, long time now.

    Now I still vote, inertia mostly and all, but I think it stopped having much meaning at the larger scales. Local elections I think your vote can make a little difference, at state and above levels though, you have your choice of the globalist screw the middle class party that subsidizes a.b and c over there at your expense, or the globalist screw the middle class party, who subsidizes x,y and z over thataway, again at your expense.

    I *wish* it was different, really, I sincerely do, but not seeing it. Until such a time as the two corrupt major parties are abandoned or outlawed for major racketeering, just not seeing things getting any better. Just way too corrupt, for way too long now, it is just "business as usual", and neither party has any incentive to eliminate themselves or the other party, because they are equally corrupt, so they just are never going to go there.

    My big hope, really..I hope the USA does a USSR and just dissolves as a bad idea, past prime, with no bloody revolutions. I want some real honest choice. If a regional bloc or state wants joe government to run all aspects of their lives, cradle to grave, and stay taxed at 90% with a herd of commissars overseeing them all the time...swell, let them try that, see how it works. If another wants just about no government at all, private everything, no rules except ferengi "profit at all costs!", fine, let them try that and see what happens.

    Somewhere, some state or group of previous states will go "gee..ya know..the original Constitution and bill of rights actually seems well thought out..wonder what will happen if we really, REALLY follow those guidelines and not just lie about it all the time??". THAT place I *will* move to, even if I have to fight every step of the way there.