Slashdot Mirror


DC Internet Voting Trial Attacked 2 Different Ways

mtrachtenberg writes "University of Michigan Professor J. Alex Halderman and his team actually had two completely separate successful attacks on Washington, DC's internet voting experiment. The second path in was revealed by Halderman during testimony before the District of Columbia's Board of Elections and Ethics on Friday. Apparently, a router's master password had been left at the default setting, enabling Halderman to access the system by a completely different method than SQL injection. He presented photographs of a video stream from the voting offices. In addition, he found a file that had apparently been left on the test system contained the PINs of the 900+ voters who would have used the system in November. Others on the panel joined Halderman in pointing out that it was not just this specific implementation of internet voting that was insecure, but the entire concept of using today's internet for voting at all. When a DC official asked why internet voting could not be made secure when top government secrets were secure on the internet, Halderman responded that a big part of keeping government secrets secret was not allowing them to be stored on internet-connected computers. When a DC official asked the panel whether public key infrastructure couldn't allow secure internet voting, a panel member pointed out that the inventor of public key cryptography, MIT professor Ronald Rivest, was a signatory to the letter that had been sent to DC, urging officials there not to proceed with internet voting. Clips from the testimony are available on YouTube." Update: 10/09 19:24 GMT by T : Reader Cwix points out two newspaper stories noting these hearings: one in the Washington Post, the other at the Chicago Tribune. Thanks!

32 of 123 comments

  1. Please use internet voting by Anonymous Coward · · Score: 5, Informative

    to mod me up to +5 informative, to show it does work perfectly!

    1. Re:Please use internet voting by Miseph · · Score: 2, Insightful

      Question: if we use internet voting, will that impede voter intimidation, ballot stuffing, creative counting or any of the other traditional methods of rigging elections proudly used in this country since the 18th century? Because if so, I've been informed it doesn't matter what I vote, and if not then I've been informed it still doesn't.

      --
      Try not to take me more seriously than I take myself.
    2. Re:Please use internet voting by flimflammer · · Score: 2, Funny

      Why are people wasting mod points to mod these trolls?

  2. Facts don't matter by webnut77 · · Score: 2, Insightful

    When a DC official asked the panel whether public key infrastructure couldn't allow secure internet voting, a panel member pointed out that the inventor of public key cryptography, MIT professor Ronald Rivest, was a signatory to the letter that had been sent to DC, urging officials there not to proceed with internet voting.

    Just another example of our government ignoring the facts in favor of doing whatever they want.

    1. Re:Facts don't matter by Xaositecte · · Score: 4, Interesting

      What I've never understood;

      Many of the companies famous for building voting machines also built their reputations building ATMs and such.

      ATMs are, to the best of my knowledge, tremendously secure, even when you have physical access to the machine. Basically, when people's money is on the line, they do not fuck around at all.

      Why then are they making voting machines less secure than ATMs? The expertise clearly exists to do it properly, the only explanation I can see is intentional sabotage of the voting process.

    2. Re:Facts don't matter by _Sharp'r_ · · Score: 5, Insightful

      Why then are they making voting machines less secure than ATMs?

      You clearly don't understand enough about ATMs if you think they are more secure than voting machines.

      Most ATMs are just barely secure enough to keep the cash from walking away as long as someone can keep a physical eye on the machine (something somewhat inhibited for voting machines by private voting requirements). ATMs generally do a decent job of recording and reporting transactions to a remote server so that when money invariably is stolen (physically or electronically) it can eventually be taken from the correct legally accountable bank account.

      A variety of ATMs suffer from default passwords that aren't changed, physical cabinet keys that aren't unique, eavesdropping attacks in the form of card skimmers and cameras, unencrypted transmissions, insecure operating systems, administrative backdoors, etc...

      ATMs and voting machines suffer from what are essentially illusions of security that rely on no one smart enough to bypass them having the real desire and resources to do so. When voting machines determine how real power in large amounts is distributed (say, in national elections), they can't hope to stand up to what's at stake unless they are simple enough to be essentially transparent in function to the public.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    3. Re:Facts don't matter by vadim_t · · Score: 3, Interesting

      IMO, things that work in the ATM's favour:

      1. There's strict accounting of whose account is being accessed.
      2. If you're going to hack an ATM, you have to have physical access to it.
      3. If you manage to steal money from an ATM, it'll be obvious. They just have to compare the amount of money there was inside with how much there should have been.

      This doesn't hold with voting machines. The voter doesn't have an account, so detecting something was manipulated is much harder. Also, the money is at the physical ATM. If you're hacking it remotely, then you're not where the money is, and if you're hacking it in person then you can be quite certain you were filmed by a camera. Also there's a lot of money in it, so the bank has a lot of incentives to try to catch you if you manage to steal some.

    4. Re:Facts don't matter by AJWM · · Score: 2, Informative

      When user votes, for his vote a checksum is created using one-way algo (digest) which is formed from:
          Session ID, Voter name, Vote result, a unique key given only to voter and known only by voter and govt, date.

      Now crack that one ;)

      It doesn't need to be cracked, it's already broken; that unique key known to the govt breaks voter anonymity.

      --
      -- Alastair
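AJWM's objection above, worked through as an added example that is not part of the original thread: whoever holds the per-voter keys can recompute the quoted "checksum" for every voter and every candidate and so tie each stored digest back to a name and a choice. SHA-256, the `|` separator, the field order, the assumption that session ID and date are stored beside the digest, and all names, keys and function names are constructed for illustration.

```python
import hashlib
from itertools import product

# Constructed sample data: the roll the authority holds (voter name -> per-voter key).
VOTER_ROLL = {
    "Alice Example": "k-7f3a91c2",
    "Bob Example": "k-02be44d0",
    "Carol Example": "k-d1909a6e",
}
CANDIDATES = ["Candidate A", "Candidate B"]
ELECTION_DATE = "2010-11-02"  # constructed value


def receipt(session_id, voter_name, choice, voter_key, date):
    """One-way digest over the five fields the quoted scheme lists.

    The hash function and field encoding are assumptions; the comment
    being illustrated does not specify them.
    """
    fields = (session_id, voter_name, choice, voter_key, date)
    return hashlib.sha256("|".join(fields).encode("utf-8")).hexdigest()


def cast_sample_ballots():
    """Build constructed ballots; return (true choices, records the server keeps)."""
    choices = {
        "Alice Example": "Candidate B",
        "Bob Example": "Candidate A",
        "Carol Example": "Candidate B",
    }
    stored = []
    for n, (name, choice) in enumerate(sorted(choices.items())):
        session_id = f"sess-{n:04d}"
        digest = receipt(session_id, name, choice, VOTER_ROLL[name], ELECTION_DATE)
        # Assumption: the server stores session ID and date next to the digest,
        # but not the voter's name or choice.
        stored.append((session_id, ELECTION_DATE, digest))
    return choices, stored


def link_receipts(stored, roll, candidates):
    """Try every (voter, candidate) pair against each stored digest.

    Cost is len(roll) * len(candidates) hashes per record, which is trivial
    for any real electorate. Returns {voter name: recovered choice}.
    """
    linked = {}
    for session_id, date, digest in stored:
        for (name, key), choice in product(roll.items(), candidates):
            if receipt(session_id, name, choice, key, date) == digest:
                linked[name] = choice
                break
    return linked


if __name__ == "__main__":
    truth, stored = cast_sample_ballots()
    # The key holder recovers every voter's choice from "anonymous" digests.
    print(link_receipts(stored, VOTER_ROLL, CANDIDATES))
    # Someone who knows the names but not the keys recovers nothing.
    print(link_receipts(stored, {n: "wrong-key" for n in VOTER_ROLL}, CANDIDATES))
```

The one-way property of the digest protects the inputs only from parties who cannot enumerate them; the key holder can, because the candidate list is tiny and the roll is known.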
    5. Re:Facts don't matter by Sique · · Score: 4, Insightful

      Electronic voting still can't solve a simple thing:

      To make each vote proven unique and untrackable at the same time.

      With paper it's easy. Each piece of paper is unique by virtue of being a real object. Electronic votes are data, and data is limitlessly copyable, so the only way to warrant a piece of data is unique is giving it a unique ID, at which moment it becomes trackable.

      --
      .sig: Sique *sigh*
    6. Re:Facts don't matter by Joce640k · · Score: 3, Insightful

      We're talking about internet voting, not voting machines. ie. People voting from their botnet-ridden home PCs.

      What's to stop a party from releasing a virus which triggers once on election day then deletes itself from disk? Such a virus could subvert the entire process, regardless of public keys, SSL, whatever.

      --
      No sig today...
    7. Re:Facts don't matter by DavidTC · · Score: 3, Insightful

      And while paper ballots are not trackable at the vote level, you can physically keep track of them and know where they are at all times. You can sit there and watch the box, you can watch people add and remove things to the box. You can see the 'vote container' without actually seeing the votes, and know that no one can actually change the votes without adding or replacing or removing them from the container, which you could see.

      There's no way to do that with electronic voting. The votes can be tampered with without detection, because you're handing the entire ballot box to people every time they vote, whereupon they take it into the booth with them and do whatever to it.

      Moreover, the people voting can't actually see their vote to start with.

      It's just insecure in so many ways, the entire concept is insecure. It's a lot like DRM, in fact...the fact they currently get broken by stupid security issues is sorta masking the fact the entire idea is stupid and unworkable.

      Electronic voting, incidentally, is a form of DRM. Except it's DRM where the programmers and system designers have motive to break it also, stopped only by a third party that doesn't understand any of this. So yeah.

      To quote Douglas Adams, 'their fundamental design flaws are completely hidden by their superficial design flaws.' The problem isn't any specific security flaws discovered at any specific time, the problem is the idea of non-physical voting, period, full stop, because all the methods we have to stop fraud are via paying attention to physical objects.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  3. Inventor? by Anonymous Coward · · Score: 5, Informative

    > the inventor of public key cryptography, MIT professor Ronald Rivest,

    Rivest is a brilliant, very accomplished man, and was one of the inventors of one of the earliest and best-known public-key cryptosystems. But it's misleading to refer to him as "the" inventor of public-key cryptography in general. He co-invented RSA with Shamir and Adleman (several years after Cocks came up with it and kept it secret). But the concept of public-key cryptography was described before RSA, by such luminaries as Diffie, Hellman, and Merkle. He is certainly one of the pioneers of public-key crypto, and deserves acclaim for that, but is not "the" inventor of the concept.

    Incidentally, much of Rivest's recent work is in the area of electronic voting (how to make it simultaneously accurate/auditable, privacy-preserving, and usable by non-technical people)--so he's not just speaking as a luminary in the field, but as someone who has studied this specific problem.

  4. Actual article by Cwix · · Score: 4, Informative
    --
    You are entitled to your own opinions, not your own facts.
  5. Corrections to post text by EvilSporkMan · · Score: 4, Informative

    It was a terminal server, not a router, and the previously-published attack was shell injection, not SQL injection.

    --
    -insert a witty something-
  6. A solution to a problem that doesn't exist by Anonymous Coward · · Score: 2, Insightful

    Electronic voting always seemed to me like a solution looking for a problem.

    What, exactly, is it about paper ballots that makes electronic voting systems seem like such a better idea? Obviously it's easier to rig elections with electronic systems, which is a good reason to like electronic voting if you're a scumbag. Aside from that, what reasons are there to replace a tried and true system that everybody already likes and prefers?

    1. Re:A solution to a problem that doesn't exist by NiteMair · · Score: 4, Insightful

      Obviously it's easier to rig elections with electronic systems, which is a good reason to like electronic voting if you're a scumbag.

      I think you answered your own question there...

    2. Re:A solution to a problem that doesn't exist by jd · · Score: 3, Insightful

      Obviously it's easier to rig elections with electronic systems

      Extraordinary claims require extraordinary proofs.

      Let us say you have an electronic ballot system, where the voter's registration card has a public encryption key. The ballot is then encrypted using that key. The corresponding private key is in a central computer, with no record linking it to the public key (thus preserving anonymity). This allows the central computer to verify that any one encryption key is used once and only once (one person cannot cast more than one vote), and that no vote that is counted comes from a person without a valid encryption key (so all votes are from people). Let us also say that observers and election officials are supplied with cryptographic hashes of the unencrypted ballots at the time of the vote being cast. The total number of votes tallied at the end must equal the total number of cryptographic hashes if no fraud was perpetrated. Since the hash will uniquely identify the cast vote (without identifying what any individual voted), stolen votes (votes injected into the system by an attacker) would be readily identifiable as they would not match a hash. Fraudulent votes could then be eliminated and replaced with the real ones in a semi-automated recount.

      We now have three things that cannot be tested with any paper ballot and one corrective action that cannot be achieved by paper ballot.

      If you want to show that it is easier to rig an electronic election, find a way you could rig the above system that would be easier than an election official substituting a real ballot box with a pre-stuffed one (something that actually happened in the 2000 election) or that would be easier than an election official "losing" thousands of votes behind office furnishings (something that actually happened in the 2004 election).

      The above system is not perfect, but show me that it isn't better. It may be that paper ballots are better, but that doesn't mean it is "obvious". Oh, and as for dodgy software (as happened with Diebold), let's say the election system used a CC EAL7 (Orange Book A1) rated platform, that the software AND submitted proof was open to independent scrutiny, that all networking was encrypted and run over a virtual circuit (so it can't be tampered with and can't be DDoSed) and that both NIST scrutiny and independent scrutiny had certified the systems as secure, politically agnostic, reliable, fault-tolerant and robust.

      Again, these are all criteria you can look for in an electronic system, but not a single one of them applies to a manual system. The current system is run by party stooges, for a start. That automatically creates means, motive and opportunity for electoral fraud. Independent international observers have tried to monitor US elections but were blocked from doing so, so independent scrutiny is impossible. Reliability is obviously false, given that electoral fraud has happened on a fairly substantial scale in the past (hence the interest by international observers).

      Now, if you meant "the proposed electronic system is open to fraud", then I'd agree with you. It's the generic that I'm not happy with, as it's possible to show that there's examples of superior electronic systems even if they're not ones that would likely be deployed in practice.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:A solution to a problem that doesn't exist by AJWM · · Score: 2, Informative

      Programs aren't open source and are not available to scrutinize.

      Yes and no. The EAC (Election Assistance Commission, formerly the Federal Elections Commission) has a very fat book full of regulations and specifications to which voting systems should be certified. (Technically certification is voluntary, in practice many states and counties will only approve certified systems for purchase.) The testing and certification is done by independent Voting System Testing Laboratories (VSTLs). Testing covers everything from hardware (security of locking mechanisms and seals, resistance to ESD and power glitches, etc) to software (line-by-line inspection of source code, independent builds of the source using independently acquired or verified compilers, etc) to running simulated elections and verifying counts, etc. A lot of the validation data for certified systems is available on the EAC web site.

      Not that any of this is 100% foolproof, the standards don't cover everything conceivable.

      (I worked for a VSTL mostly doing source code review, also security analysis of the system design, both as documented and checking that implementation matched documentation. I rejected a lot of code, although much of that was for commenting that wasn't up to standard rather than potential security holes -- although there was a lot of failing to check for null pointers. If the logic really looked squirrelly, but met coding standards, I had to okay the code but could write up a test case to check it out during system testing. The code itself of course was all under NDA and security in the labs was pretty tight -- although not quite as tight as for the game testing lab next door.)

      --
      -- Alastair
    4. Re:A solution to a problem that doesn't exist by feenberg · · Score: 2, Insightful

      Maybe sweeps are in November because that is when the elections are? Anyway the problem with electronic voting is not only that it is hard to do right, but also that it is impossible to show the average voter that it has been done right. With paper ballots and each party having a representative at the polling place and at the counting, voters are willing to believe the count is accurate. The offer to examine the source code is less convincing. Saying that the source code has been examined by someone paid for by the company that wrote the code is nothing at all.

  7. Color Me Paranoid by Cylix · · Score: 2, Interesting

    It seems like the entire ordeal was designed to fail.

    These were all fairly common attack vectors and not nearly as lavish as the PS3 stack smash. (Seriously, who thinks of that attack vector). Even basic precautions and awareness of current threat models would have enabled them to harden their system from these things. To add insult to injury the left over data on the host and default passwords to expose it.

    I wholly agree that internet voting is fucking scary, but it seems like this test setup was created just to make the idea shine.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    1. Re:Color Me Paranoid by Sir_Lewk · · Score: 2, Interesting

      Sufficiently advanced incompetence is indistinguishable from malice.

      And really, why does it matter which one it was? In either case these people shouldn't be in the positions they are.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  8. Re:They Should Handle it Like Reality Shows by istartedi · · Score: 4, Funny

    In the long run, the number of votes cast would tend to be based on prevailing interest rates. If the winner's salary + bribes is $1 million, and the prevailing rate of interest is 2%, then spending $50 million would only get you prevailing interest. You should spend less, because there are risks to being an office holder, and you might also lose.

    Ultimately, an options market should be built around the candidates, and we should dispense with voting and simply sell shares in each candidate. Instead of pork, they could just pay dividends.

    Of course, on the way to this perfection there might be some problems with candidate derivatives being sold over the counter, and banks over-leveraging on a particular candidate that nobody thought would lose or get sick and die.

    Nevertheless, we should proceed. I'll get in touch with the Grand Negis shortly...

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  9. Votes simply don't matter... by blahplusplus · · Score: 2, Insightful

    ... I don't understand why people are so up and up about the voting system given that

    1) The vast majority of the public is too stupid to make any kind of sound decision about many issues
    2) Most candidates can only get anywhere by money
    3) You can never get rid of or mitigate the influence of money on politics since corporations are what makes the world go round.
    4) Until there is something of a mass movement/revolt so that the power of corporations are reined in, voting is irrelevant.

    1. Re:Votes simply don't matter... by copponex · · Score: 4, Insightful

      Yeah. Fuck democracy. It's not like keeping the voting system accessible by the public has any meaning. What's the difference between North Korea and America? Why, just a little cuisine and weather, right?

      1) The vast majority of the public is too stupid to make any kind of sound decision about many issues

      Go fuck yourself. Seriously.

      2) Most candidates can only get anywhere by money

      Martin Luther King? Desmond Tutu? Gandhi? There have been many political leaders, who didn't necessarily enter politics, who were able to force the state to change because the truth was no longer concealable. You cannot govern a population that does not want to be governed by you. Their desire to hold on to their positions of power is both a blessing and a curse. Even in communist China popular will has given way to reforms because the ruling party didn't want to be overthrown. There are some examples of states supported by outside powers, or in power because that state is under threat from other states, but especially in the developed Western world, the citizens of a nation determine their destiny.

      3) You can never get rid of or mitigate the influence of money on politics since corporations are what makes the world go round.

      Bullshit. People are what make the world go around. Do you really think life would stop tomorrow if AT&T and Exxon didn't exist? Civilization existed for thousands of years before the corporation. They are a human invention, not some magical organization that's any better or worse than any other hierarchy. But keep swallowing that line like an obedient intellectual prostitute.

      4) Until there is something of a mass movement/revolt so that the power of corporations are reined in, voting is irrelevant.

      Bullshit. Countries around the world have voted to kick corporations out. Unfortunately, when they do, the United States often assassinates their leader or overthrows their democratic government through coups or terror campaigns. If you are an American citizen, you are one of the most powerful people on earth, because you have a vote that can change the way the world operates. But you've accepted the reality they sold to you, not out of struggle or just giving up because you don't have the strength to continue fighting, but because accepting that belief enables you to act immorally and pretend that it doesn't matter. You're nothing more than a sell out.

      Democracy is a device that ensures we shall be governed no better than we deserve. -George Bernard Shaw

    2. Re:Votes simply don't matter... by Mikkeles · · Score: 3, Informative

      'I don't understand why people are so up and up about the voting system...'

      Because letting a bad system become worse is not a good way to improve it.

      --
      Great minds think alike; fools seldom differ.
    3. Re:Votes simply don't matter... by circletimessquare · · Score: 3, Interesting

      1) The vast majority of the public is too stupid to make any kind of sound decision about many issues

      the people do not deserve to be told they are stupid. according to who? according to someone who is angry that the "smartest" agenda is not being implemented? on what basis is your agenda better and smarter? in china, they think as you do: the average man is too dumb to determine his own destiny. in other words, your thinking is the essence of anti-democratic fascism: "the common man can not think for himself, i must think for him". this is how every despot, dictator, and authoritarian system thinks: like you

      2) Most candidates can only get anywhere by money

      yes, and this is why we need to improve democracy, not make it even more flawed with internet voting

      3) You can never get rid of or mitigate the influence of money on politics since corporations are what makes the world go round.

      money is an influence. it's not ALL the influence. unless you are a hopelessly negative cynic. in which case, butt out: us who are trying to make a positive difference don't need to be told our fight for what is good is hopeless. we know it isn't hopeless, and we also know you believe that out of a personality defect you have, rather than any better knowledge of reality. what you have is called "learned helplessness". it is a psychological flaw that defines a downward trajectory to YOUR life, not my life, and not our reality

      4) Until there is something of a mass movement/revolt so that the power of corporations are reined in, voting is irrelevant.

      so you want a bloody revolution. after which, who knows who will be in power (no one controls a revolution). it could (it will) be a lot worse than the system we have now

      how about we use the issue you and i care about: get money out of our government, to vote for **gasp** candidates who want money out of government? what an amazing fucking concept. as opposed to your mindless cynicism that believes in things WORSE than what we currently have

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  10. The Rivest bit reminded me of Annie Hall by hey! · · Score: 3, Funny

    In Annie Hall, Woody Allen is stuck in line behind an obnoxious guy pontificating about the work of media critic and scholar Marshall McLuhan

    MAN: Now, Marshall McLuhan--

    WOODY ALLEN: You don't know anything about Marshall McLuhan's work--

    MAN: Really? Really? I happen to teach a class at Columbia called TV, Media and Culture, so I think that my insights into Mr. McLuhan, well, have a great deal of validity.

    WOODY ALLEN: Oh, do you?

    MAN: Yeah.

    WOODY ALLEN: Oh, that's funny, because I happen to have Mr. McLuhan right here. Come over here for a second?

    [Allen pulls McLuhan out from behind a group of bystanders]

    MAN: Oh--

    WOODY ALLEN: Tell him.

    MARSHALL McLUHAN: -- I heard, I heard what you were saying. You, you know nothing of my work. How you ever got to teach a course in anything is totally amazing.

    WOODY ALLEN: Boy, if life were only like this.

    Evidently, sometimes it is.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  11. There's an even bigger problem: selling votes by YA_Python_dev · · Score: 4, Interesting

    There's an even bigger problem: selling votes.

    If I'm allowed to vote at home criminals can use threats and/or bribes to convince me to vote in their presence so they can be sure that I voted exactly how they wanted.

    That's why the vote must always be strictly secret and voters must always have plausible deniability about their choices. E.g. in most modern democracies voters are prohibited from taking photos inside the voting booth for exactly this reason: so anyone else cannot be sure of their votes, and threats and bribes to influence elections become much less effective.

    --
    There's a hidden treasure in Python 3.x: __prepare__()
    1. Re:There's an even bigger problem: selling votes by makomk · · Score: 2, Informative

      What's to prevent someone from paying you to vote a certain way, by having you fill out the ballot, giving it to them, and if you have followed their instructions, they pay you and they put the ballot in the envelope and mail it for you?

      Not a lot, which is why the availability of absentee ballots has often been strictly regulated and monitored. A few years ago, the UK tried an experiment in some areas in which all voting was by mail and there were no ballot boxes. There were some fairly impressive issues with fraud - people from the Labour party were going door-to-door, collecting people's blank ballots and filling them in.

  12. Too bad you're clueless. by copponex · · Score: 3, Informative

    A democracy means there is a vote to either directly approve laws (direct democracy) or to elect representatives to do the same (representative democracy). Republic literally means ruled by the public, not by a monarch or a non-elected supreme rule. America is a representative democracy that limits government power with a constitution, but since that constitution can be changed by democratic action, you cannot say that it isn't a democracy. We could do away with the constitution in another constitutional convention and replace it with another if we so chose.

    Just because you read Atlas Shrugged yesterday doesn't mean shit to anyone else. Crawl back over the Drudge Report, where you can eat up the talking points regurgitation with the rest of the libertarian zombies.

  13. That's the biggest problem you can think of...? by Joce640k · · Score: 2, Interesting

    What about all those "botnets" you see in the news?

    Strength of cryptographic algorithms, etc., is completely irrelevant when people vote by visiting a web page using their home PC.

    --
    No sig today...
  14. Re:You had me until "stooges" by DavidTC · · Score: 2, Informative

    If it could, this would be known well in advance, since it's trivial to compare the proof with the code to see if they differ, and trivial to inspect a proof to see if the code could do that.

    Really? You can somehow walk up to a computer and know the code on it is the same code that other people inspected?

    That is...implausible to say the least.

    This is because, of course, security certifications don't protect against the people installing the software. At all. Not a single one of them is even slightly designed to let users verify things administrators have done.

    Seriously, you sound so knowledgeable, but somehow you think there's a way to walk up and verify that computers have had the software installed on them that you think they've had installed on them, and nothing else. That is so cute.

    No, nobody can tamper with it, that's why I've stipulated so much bloody security. Machines that are input-only (where the voter registration office adds users) have mandatory access control, as do the voting machines themselves (by definition, since that is part of what A1 means). The counting system is essentially output only from the user's perspective and therefore has no user account to crack. Input over the network would be via IPSec-utilized certificates with both client and server validating each other. Since the server has a pre-programmed list of acceptable voting machines, additional machines cannot be added in.

    And, of course, nowhere in the list is there any way, nor can there be any way, to stop someone from sitting down at one of the machines and using a dozen of public keys to vote. (Which, as I pointed out, anyone working in a vote registration office can get.)

    Because that is not, in any sense, 'tampering' with the machine.

    Now, you'll probably assert they'd have to each vote individually, limiting their effect to a couple of dozen votes before they'd obviously be caught, because of the magical software you're sure will be there.

    I will point out that, in no circumstances, would any TCSEC requirement restrict doing thousands of perfectly valid inputs in a few seconds, although obviously that could be an additional requirement of the system. TCSEC systems verify input. Ten thousand votes with public keys attached are correct input.

    I will also point out that A1 security ranking is, um, impossible without physical security...and they get tested after being installed. You can't stick a computer in a box, pull it out six months later, and claim it's A1 security, unless you had someone watching the box at all times.

    And note you've added at least two other computers to each polling site. And each voting computer needs some way to read the public key, so you've added a barcode reader, at least, to them.

    To actually install A1-level security computers, you would spend millions of dollars per site.

    Which makes the whole thing rather idiotic to start with, as we could never afford it, on top of the problem that A1 security is not designed to protect against a) programmer/administrative tampering (Which is what we're fucking talking about when we talk about tampering...we're not assuming voters figure it out.), and b) there's a rather obvious hole in the system of assigning public keys, so people can have entirely, utterly, completely 'valid' inputs that rig an election.

    Here are the three specific security issues I've pointed out, that do not exist under paper voting. Please explain how your system catches them:

    a) The person who loads the software onto a machine alters it before doing so.
    b) Someone in the voter registration office adds extra voters to the rolls, and takes their public keys, and they and others vote multiple times when they enter the booth. (This actually is fixable.)
    c) b, but with one poll worker also helping them. Perhaps by, when setting up the computers, they simply set one up in another room, so someone can

    --
    If corporations are people, aren't stockholders guilty of slavery?