Posted on 10/23/2006 7:18:25 PM PDT by wouldntbprudent
What will happen in November? Are electronic voting machines secure? One need not believe in a vast plot to rig the elections to take those questions seriously and to be pessimistic about the answers.
When Princeton researchers announced in September that the Diebold Accuvote TS voting machine software was vulnerable to tampering, it was the first time that independent computer scientists had confirmed the weaknesses long suspected in techie circles. A few days later, in a minute-and-a-half segment on Fox News, Professor Edward Felten demonstrated just how easy it would be to steal an election (to which the blonde and tanned anchors responded with the canned surprise you'd expect from a demonstration of a new food processor).
(Excerpt) Read more at cbsnews.com ...
No system is secure without physical control over the equipment, in the form of watchful eyes and chain-of-custody throughout all the relevant processes.
It's not the lock on the machine that matters, it's the person(s) charged with keeping eyes on the machine.
Given that the machine will be alone in the voting booth with the voters, there's no way for people to keep an eye on it. Hence the need for locks.
One might argue that allowing people private access not only to their own ballot, but the device that stores all the others, is a bad idea. I'd be inclined to agree. In optical-scan systems or even manual paper-ballot systems, voters mark their ballots within a private booth but then insert them into the ballot box in view of the poll watchers.
Still, having a machine which is well secured with locks that can only be opened by trusted people, and which is within earshot of poll watchers, is probably adequate. Someone with the proper low-security key may be able to tamper with a voting machine silently. Someone without a key isn't going to be able to force a well-designed locking system without being heard.
What booth? The machines just sit there in a row, and there's a shade around the screen so others can't see it. What's wrong with that?
It really just doesn't matter that the votes are tabulated electronically or mechanically. The security processes are ultimately going to be the same or similar, and ~all~ systems can be gamed if somebody has the time, the money and the inclination.
The Daleys in Chicago were rigging elections long before they had electric ~light~ in the polling places, let alone electric voting machines. :-)
It's pretty easy, at least if one isn't concerned about people using advanced forensic techniques on the machines in question. If one is only concerned about removing all trace from a file-level view, it's really easy. The fake software, upon installing itself, renames the old version. Then, when the fake software is run for the last time, it deletes itself from the disk/flash (still running in RAM) and then renames the old version back to its proper name.
If one is worried about people doing sector-level analysis, things are a bit tougher. For best stealth, one should identify some highly-compressible files in the original installation. Compress them, and put the malware in the space that's freed up. The last time the malware is run, it should uncompress those files and put them back where they belong.
Why do you regard these techniques as some impossible magic? The techniques have been common in bootloader design for a long time.
Horse. Barn door.
If in a particular election, some machines are found to have been compromised and the number of voters who used those machines exceeds the difference between the vote tallies the top two candidates received elsewhere, how can the election be salvaged?
Of course, at least in Washington State, such a thing wouldn't matter so long as the Democrats win. But not all states have such attitudes.
BTW, why use WINCE? I've designed graphical systems on 'bare metal' that would be entirely adequate for use in a vote entry device. Such a system can be constructed to account for every byte of RAM or flash usage. Can the same be said for WINCE?
They have boxes and boxes of voter registration cards that are fraudulent. One person signed three different voter registration cards with three different addresses but all in the same handwriting.
You specify that your technique would not stand up to forensic examination; why do you assume that if a voting machine election was contested, the FBI, FEC, or state police forensic computer lab would not get involved? Especially if the wrong party got elected.
I think it highly unlikely that the Princeton magicware could do all it is spec'd to do and remain undetectable to a forensic investigation.
Now, how does the magicware know it is being run for the last time?
I offered two methods. The first technique is easier to understand, and gives the general principle, but would probably be uncovered with forensic examination. The second technique (compress part of the original code so that the altered code takes up the same amount of space as the original) would be more difficult, if not for all practical purposes impossible, to uncover via forensic means.
In particular, if someone used the latter approach, all sectors of data on the storage media would contain the same data as they would without the hack, except for those parts which the hacker explicitly changed (such as the vote counts). The sectors may not get written in the same order as they would in a legitimate election scenario, so if the inner workings of the media allow one to ascertain the order in which data were written, it may be possible to tell that something fishy was going on. Even that sort of analysis, however, could be complicated if someone knew how the storage media worked.
Insider knowledge would probably be required to produce phony software that could withstand the tougher levels of forensic analysis. On the other hand, good election systems should be immune to even insider attacks provided there is at least one honest person monitoring them.
A good election system should be unhackable, even by someone with full insider knowledge, if there is even one honest person monitoring things. I see no good reason why an election system should be constructed that does not satisfy that criterion.
If code was changed on one storage system, comparison with a verified system would reveal discrepancies. A forensic lab would have a good chance at discovering tampering, especially if they hashed all the memory entries and compared sigs from the hashing.
The problem is that after the election the code in the machine would be exactly as it should be. To thwart forensic analysis one needs to know what types of 'residue' are left by writing to the attached storage media, but unless the systems use hardware that's designed to prevent undetectable rewrites (and I've seen no indication that Diebold has attempted to use such) an attacker could make his software undetectable after the fact.
Perhaps you don't view insider attacks as a real threat, but I see no reason to discount them. Slot machines go to great lengths to prevent insider attacks, and elections can be worth more than a few jackpot payouts.
Actually, what's best is to provide hardware that can prove (1) the contents of the media containing all code and election parameters can be write-protected; (2) such media can be read after being write-protected, but before the election, by members of both parties, without actually having to execute code on the medium; (3) during the election, anyone can see that the correct media are being used; (4) after the election, the media can be re-read by both parties and confirmed to be unaltered.
It's trivial to design hardware meeting those requirements. Something like an 80C32 may be a tiny bit underpowered if one wants a nice fancy graphical display (using a processor-based display would add its own issues) but if all the unit has to do is show some canned messages it shouldn't be too hard.
So, for the main unit, include a controllerless LCD, an 80C32 or ROMless equivalent, some buttons, a printer, a couple of edge connectors, and a few glue logic chips (74HC138, 74HC00, etc.). Each plug-in cartridge would simply contain a 128Kx8 flash memory chip, a small glue chip (probably 74C00), two resistors, and a bypass cap, with a multi-segmented card edge such that certain pins could be physically protected against access by a removable block. The housing would be constructed of transparent material to allow visual inspection, and would be protected against tampering by seals of all interested parties.
The code storage cartridge would have the /WE pin blocked off (pulled high by internal resistor) and sealed after the code was loaded. It would remain blocked off and sealed until after it was adequately inspected post-election.
The ballot storage cartridge would have one of its data pins blocked off (and pulled to another pin's state) in such fashion as to allow byte-write operations to take place (writing 7 bits of useful data) but not allow any sort of erase operations to take place. The glue-logic chip would be used to prevent the use of funny voltage levels to get around that restriction. I don't remember off-hand the exact operation sequences required for writing vs. erasing, but I think this would be doable even with something like a 74HC00.
I could design the whole thing in less than a month. Entirely open code, since there's really not much to it. To get around CPU horsepower limitations, I'd simply keep candidate names as bitmaps and arrange the display code to simply show different bitmaps (stored in non-writable flash) on different parts of the screen. The 80C32 can't run code from anything but the external ROM, so there'd be no danger of someone inserting a fake cartridge, powering the machine up, having the code copy itself to ROM, and then putting in the real cartridge (whose code would not actually be used).
I could do this thing in less than a month. Not a whole lot of bells and whistles, but much more immune to insider tampering than anything Diebold has proposed.
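As an added illustration of the ballot-cartridge idea in the posts above (byte writes permitted, erase physically blocked), here is a small Python model; it is not code from the thread or from any voting-system vendor. It assumes flash semantics (programming can only clear bits from 1 to 0, and only an erase restores 1s), an assumed 16-byte record layout with a truncated SHA-256 check, and constructed candidate names. The 7-bit data-pin trick from the post is not modelled; the erase path is simply disabled. The point it shows: with erase blocked, an insider who can still program bytes cannot turn one stored ballot into another without the record failing its check, whereas with erase available the whole cartridge can be rewritten without trace.

```python
import hashlib

DATA_LEN = 12      # assumed record layout: 12 data bytes + 4 check bytes
CHECK_LEN = 4
RECORD_LEN = DATA_LEN + CHECK_LEN
ERASED = 0xFF      # flash cells read all-ones after erase


class BallotFlash:
    """Byte-programmable flash; the erase path is disabled unless erase_enabled (the post's sealed pin)."""

    def __init__(self, n_records=64, erase_enabled=False):
        self.cells = bytearray([ERASED]) * (n_records * RECORD_LEN)
        self.erase_enabled = erase_enabled

    def program(self, addr, data):
        # Programming can only clear bits (1 -> 0); a 1 written over a 0 has no effect,
        # so nothing already stored can ever be "un-written" by programming alone.
        for i, b in enumerate(data):
            self.cells[addr + i] &= b

    def erase(self):
        if not self.erase_enabled:
            raise PermissionError("chip erase blocked by the sealed pin")
        for i in range(len(self.cells)):
            self.cells[i] = ERASED

    def read(self, addr, n):
        return bytes(self.cells[addr:addr + n])


def erase_is_blocked(flash):
    """True if the cartridge refuses an erase (the intended post-seal state)."""
    try:
        flash.erase()
    except PermissionError:
        return True
    return False


def record_check(data):
    # Assumed integrity check: first 4 bytes of SHA-256 over the padded data field.
    return hashlib.sha256(data).digest()[:CHECK_LEN]


def cast_ballot(flash, candidate):
    """Append one ballot record into the first still-erased slot; returns its address."""
    data = candidate.encode("ascii")
    if not data or len(data) > DATA_LEN:
        raise ValueError("bad candidate id")
    data = data.ljust(DATA_LEN, b"\x00")
    record = data + record_check(data)
    for addr in range(0, len(flash.cells), RECORD_LEN):
        if flash.read(addr, RECORD_LEN) == bytes([ERASED]) * RECORD_LEN:
            flash.program(addr, record)
            return addr
    raise MemoryError("cartridge full")


def read_records(flash):
    """Return (name, valid) for every programmed slot, stopping at the first erased slot."""
    out = []
    for addr in range(0, len(flash.cells), RECORD_LEN):
        rec = flash.read(addr, RECORD_LEN)
        if rec == bytes([ERASED]) * RECORD_LEN:
            break
        data, check = rec[:DATA_LEN], rec[DATA_LEN:]
        name = data.rstrip(b"\x00").decode("ascii", "replace")
        out.append((name, check == record_check(data)))
    return out


def tally(flash):
    """Count only records whose check still verifies; report the number that fail."""
    counts, bad = {}, 0
    for name, ok in read_records(flash):
        if ok:
            counts[name] = counts.get(name, 0) + 1
        else:
            bad += 1
    return counts, bad


def attempt_rewrite(flash, addr, candidate):
    """An insider with program access but no erase overwrites an existing slot.
    Returns True only if the slot still verifies afterwards (tampering undetected)."""
    data = candidate.encode("ascii").ljust(DATA_LEN, b"\x00")
    flash.program(addr, data + record_check(data))
    return read_records(flash)[addr // RECORD_LEN][1]


def demo(erase_enabled):
    """Same insider, two cartridges: one with erase blocked, one without."""
    flash = BallotFlash(erase_enabled=erase_enabled)
    for c in ("ALICE", "BOB", "ALICE"):          # constructed ballots
        cast_ballot(flash, c)
    if erase_is_blocked(flash):
        attempt_rewrite(flash, RECORD_LEN, "ALICE")  # try to flip slot 1, BOB -> ALICE
    else:
        for c in ("BOB", "BOB", "BOB"):          # erase succeeded: re-cast at will
            cast_ballot(flash, c)
    return tally(flash)


if __name__ == "__main__":
    print("erase blocked:", demo(False))   # flipped slot fails its check and is flagged
    print("erase allowed:", demo(True))    # rewritten cartridge verifies cleanly
```

With erase blocked, the rewrite of "BOB" to "ALICE" lands as the bitwise AND of the two records ("@L@..." in the data field), whose check no longer verifies, so the tally flags one bad record instead of silently moving the vote. With erase allowed, the same insider produces a clean three-for-BOB cartridge that no after-the-fact hash check would distinguish from a legitimate one, which is the point made earlier in the thread about code that is "exactly as it should be" after the election.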
Also, with paper ballots, how can one tamper with those if there is even one honest person who monitors the ballot box continuously until such time as he puts an effective tamper-resistant lock on it, and if all occasions when the box is unlocked in future are likewise monitored by at least one honest person?
To be sure, some places put in rules to prevent honest people from monitoring their election conduct, but that's a problem with the rules, not the balloting medium.
Yeah, but there's not really much original there. And given a choice between fancy color touchscreens and simple cheap monochrome LCDs, which are politicians who don't have to spend their own money going to prefer? If seals are inadequate to prevent ballot tampering by unauthorized people, the solution should be pretty easy. Construct a box with locking bars such that it cannot be opened while a padlock is attached to any of several spots. Give a trustworthy person a good padlock for which no untrusted people have the key. If the box and lock are good, then no matter how many locks are installed by untrustworthy people, one trustworthy person will ensure election integrity.
Bingo. There does need to be a hardcopy audit trail. Centuries of double-entry bookkeeping have proven that.