Posted on 11/04/2006 2:21:06 PM PST by calcowgirl
Days before the election, state officials have learned that California's most widely used electronic voting machines feature a button in back that can allow someone to vote multiple times.
Several computer scientists said Wednesday that the vulnerability found in all touch-screen machines sold by Oakland-based Sequoia Voting Systems was not especially great because using the yellow button for vote fraud would require reaching far behind the voting machine twice and triggering two beeps.
"If the machine beeps loudly and someone has their arms wrapped around the machine, the poll workers are going to become suspicious," said David Wagner, a computer security and voting system expert at the University of California, Berkeley.
"It's kind of hard for me to see how this could be used very widely," he said. "It's retail fraud, so it's onesies and twosies and can only affect very close races."
A former poll worker in Tehama County tried alerting state elections officials to the vulnerability about a month ago and said he was told the problem did not seem significant. Ron Watt then obtained poll worker-training documents through a public records request and brought them to the attention last Friday of the state's chief voting systems tester.
On Monday, state elections officials issued a caution to the more than one-third of California counties that use Sequoia equipment, including Santa Clara County, where the touch screens are the primary voting system, and Alameda County, which relies on almost 1,000 machines as a secondary voting system intended for disabled voters. State elections officials reminded the counties to keep a close eye on the machines and post warnings that tampering with election equipment is a crime.
"All counties confirmed that they had implemented security measures, and they were aware of it," said Susan Lapsley, assistant secretary of state for elections.
Some counties were backing the machines up against walls; others were roping off the rear of the machines, state officials said.
"You can't do it surreptitiously," said Guy Ashley, spokesman for the Alameda County Registrar of Voters. "You have to know what you're doing.
"We train our poll workers to keep their eyes peeled, stay on the lookout for stuff like this. We think that will suffice."
Recognition of a potential new security problem that requires no knowledge of special passwords or access to the inner workings of a voting machine revives questions about the effectiveness of state and national evaluations of voting systems.
Twice earlier this year, computer experts and critics of electronic voting have discovered profound vulnerabilities in Diebold touch screens that allow someone with a few minutes of access to a machine to alter or replace its core software and load votes into it undetected.
Debate about the security and reliability of electronic voting has been central to the race for secretary of state, and Sequoia's yellow button became instant fodder Tuesday night in back-to-back radio interviews with Republican appointee Bruce McPherson and his Democratic challenger, state Sen. Debra Bowen, now neck-and-neck in the polls.
McPherson has said California's certification of voting systems is the nation's toughest and most stringent and he has certified several electronic voting systems for the November elections, including the Diebold and Sequoia touch screens.
Bowen has pointed to numerous findings of security problems by computer scientists and argued that electronic voting systems are not mature enough to be trusted in elections.
"And just this morning we learned that the Sequoia machine will allow a voter to vote multiple times if they do something very simple, which is to hold a button in the back down for three seconds," she said on a Los Angeles radio show Tuesday night, adding that McPherson's office "must have known" about the vulnerability for some time.
"No, that is not true," McPherson replied later in the same show. "That is not true. I think she is throwing a lot of fear and doubt out there, and it's unwarranted."
Sequoia's yellow button isn't a hack or flaw. The button has been a feature on Sequoia's mainline AVC Edge touch screens for years, designed as a backup for the typical method of voting on the machines.
In most counties, poll workers use a separate machine to activate a card that a voter inserts into the touch screen in order to retrieve the proper ballot. The yellow button is for counties that can't afford the separate machine or for cases when the card activator becomes inoperable, as happened to Diebold systems in March 2004 in Alameda and San Diego counties and last primary in Kern County.
Pressing, then holding the button for several seconds twice and answering a screen prompt sends the machine into a "manual activation" or "poll worker activation" mode. In that mode, someone can call up one ballot after another and vote them.
"You can literally vote continuously until you are physically restrained," said Watt, the former Tehama County poll worker who reported the problem to state elections officials.
Unlike the Diebold vulnerability, he said, using Sequoia's yellow button "takes no tools."
"In 18 seconds I can switch that to manual and start voting. In 30 seconds I can train you to do it," he said.
Watt and Bowen, the Democrat running for secretary of state, say the vulnerability should have been caught earlier, before the state approved the machine for use in elections.
"You shouldn't have a reset button on the outside of the machine," Bowen said. "Certainly when I'm secretary of state I'm going to want to know if there's a button that only requires physical access to the machine to vote multiple times. And unfortunately if someone does that, you're in a position where you don't know what votes to throw out."
Computer scientists say the manual mode can be rendered inoperable in the touch-screen software, but elections officials worry that it is too close to the election to attempt and may not be useful.
"It's a feature of the machine, it's one that's necessary from a couple of different perspectives but as long as people employ security measures that are already in place then it's mitigated," said Lapsley.
No system is totally foolproof.
Current systems do not even use code signing for the executables (allowing the software to be changed without notice to anyone, compare that to installing a driver on Windows) nor do they encrypt and protect the data that is transferred as well as the browser you are using right now when you pay for a pizza on the web.
Oh, why don't we implement code signing that you have mentioned, and here's other ways to protect the integrity of these systems from being compromised:
- You can treat them like nuclear weapon systems by having 'No Lone Zones' when not in use, and locked them in secure storage with 'Intrusion Detection Equipment' as safeguards.
- When in use or moving them out of storage, implement procedures and documentation for a chain-of-custody and provide security.
- Have coding and voting machine experts from all parties, impartial parties, go over ALL the software code line-by-line, to include hardwired code, before each elections so to be certified. Repeat this procedure before every election.
- After the code and machine is certified, use a MD-5 Hashed Message Authentication Code (HMAC) to ensure software tamper detection.
- Setup federal or state agencies to oversee computer voting machines.
- make new laws to punish machine voting fraud.
I doubt systematic safeguards are going to happen because it would take big buck to implement. And we don't need more bloated bureaucracies. So lets complain some more because it's not totally fool proof.
I have programmed computers professionally for 30 years. I have no faith in these machines. You will find that the faith in these machines is inversely proportional to the amount someone knows about computers, computer security and the validation of software.
And how many programming experts are there that have time and access to these machines that are willing hack them to swing elections? I think not so many.
Yes, lets go back to punching and marking illegal ballots to be stuffed in election boxes - why that's easy to do...
This is a case where "The enemy of my enemy is my friend." does not apply. Just because Dems suspect it should not make you reflexively support it.
I do not. What I do see from the otherside is that they make wild-eyed accusations without 1 iota of proof - ie Bev Harris and the DU'ers.
I'll read that article. do you have a link? :-)
I started programming on Zylog Z-80's. If humans have access to a "reset" button, and the only notification is a "beep"; it will be compromised. Period. Until there is a standardized platform, "features" and fraud will be rampant. I do not claim that older balloting was any more secure or fraud proof. Only that private companies will get to make the rules.
In the early 1980's I compromised the TACC-II cash controller where I worked simply by sequencing keystrokes. It opened the main depository. I notified the employer of the feature and received a $50.00 reward. 3 years later, the software was changed.
Unless it IS THE POLL WORKER DOING THE BEEPING!
or if a democrat you know votes, then BEEP BEEP!
Is this button a "hanging button" in any way, as in, "hanging chad"?
It is easy to postulate vast and expensive bureaucracies and dismiss criticism. That is a paper tiger argument. These are not nuclear weapons and the security model and attacks possible are entirely different.
The real issue is why even the most basic electronic safeguards have not been implemented.
Everyone knows that 'security by obscurity' is a recipe for failure. In a system where the hardware and software must be distributed to thousands of insecure locations, a closed system is only effective in preventing the discovery of vulnerabilities by the good guys.
The bad guys will just buy or steal the box and find the vulnerabilities that the company will deny exist until elections are swung by fraud.
For those that are not familiar with 'security by obscurity' that is why:
1) You can easily copy 'protected' DVDs.
2) Clipper failed.
3) The original WiFi encryption scheme (WEP) is completely broken.
Personally, I am not all that unhappy about the first two, but my data security and the security of our elections are different matters.
The difference between retail punch card fraud and electronic fraud should be obvious, but I will explain:
Punch card fraud is retail. One card, ten cards, maybe a hundred cards.
Electronic fraud can be wholesale, swinging hundreds or thousands of votes at a time and in fractions of a second (depending on the point of attack.)
Electronic voting fraud does not require expertise the point of attack, so only one programmer is needed.
Once one qualified programmer has created the hack, it is as easy to compromise a voting machine as it is for an amateur to copy a DVD with the software available today. With a hand-held card writer (similar to the hand held mag-stripe readers used in credit card fraud), even grandma can do it, if she has the inclination.
You might also update your buzz words. MD5 has been compromised in recent years. SHA1, Whirlpool or RIPEMD would be preferred for new designs.
It is true that the worst sorts of Democrats are using the issue to their advantage. It is, however, an issue of equal or greater importance to us as the likely victim.
I suspect they would prefer to complain about it and never have it fixed than see a real solution implemented. That allows them to direct attention away from their failures. I urge action to take that opportunity away from the scum.
From article: " In the 20-plus years that these machines have been used, in many counties all across the country, there has never been a verified case of tampering."
And after two more years, there still has never been a verified case of tampering.
That's a good track record.
It is pretty clear from reading John Lott's article that, while well intentioned, he is not writing of his own knowledge on the computer issues described. He was not particularly well advised (or did not convey the subtleties well.) It sounds like he read a brochure or talked to a company flack.
To be fair, many of the vulnerabilities that are well known now have been discovered since this article was published more than two years ago, but the use of PCMCIA cards with no protection whatever (not CDRs, which would only require slight of hand to substitute) in the Diebold systems was ignored.
Punch card fraud is retail. One card, ten cards, maybe a hundred cards.
Electronic fraud can be wholesale, swinging hundreds or thousands of votes at a time and in fractions of a second (depending on the point of attack.)
Electronic voting fraud does not require expertise the point of attack, so only one programmer is needed.
So death by a thousand cuts is more preferable? Yes, an undetected fraud to swing elections by electronic voting machines can be wholesale, but I'm sure the fraud risk is many magnitudes lower than paper ballot fraud.
So what's your solution to possible electronic voter fraud?
OK, I'll take your suggestion and update my buzzwords, and you may want to update yours too. SHA-1 may have been compromised by the same Chinese cryptographer...
"So what's your solution to possible electronic voter fraud?"
The first step is transparency in both hardware and software.
There is no room for trade secrets in any part of election processing. Patents are another thing, since they require full disclosure, they are not a problem.
This requires that every aspect of the processing must be open to inspection, not just by those approved by some authority, but by anyone.
I am not an open source zealot, but if there is any place for open source software and hardware, it is in the processing of elections where the result must be fair and, just as importantly, seen to be fair.
Once open, you can be assured that it will be attacked for free, but a reasonable bounty for provable attacks would not hurt to stimulate effort.
At some point, a judgment will have to be made that the system is secure enough for the next election. As you mentioned, no system is perfectly secure. It would be nice however, if the the electronic systems were more secure than the paper based ones, not just more incomprehensible to mere mortals.
Just as the manual procedures for handling votes must be established and public before the election and not subject to change the day of or the day after (as Democrats tried to do in Florida), the electronic voting procedures (software) must be established well before the date of the election.
This requires that the software be certified and the installation verifiable. To have more than minimal confidence, at least parts of the system must be implemented with physical security in mind, i.e. as a trusted platform.
It is clear that the existing proprietary systems can be easily gamed at various points in the process. It is not important whether they have actually been exploited or not. It is sufficient that it is known to be possible and practical. From that point, the result cannot be trusted because there is no electronic audit trail at the voting machine level.
Untrustworthy elections are corrosive to our democracy because they permit tampering to be rationalized by real or imagined tampering by opponents.
Although it would fall short of the ideal, if the resulting systems were only as well implemented, tested and reviewed as the software that drives web transactions at Amazon or in the FireFox browser, we would be far ahead of where we are today with the smoke and mirrors security of current voting systems.
After 2000, politicians responded with the quick, be-seen-to-be-doing-something fix. Shiny, expensive and ineffective technology was purchased to appease the uninitiated. We need to keep a blow torch to the behinds of the politicians to keep them moving in the direction of secure voting systems that are trustworthy.
BTW, as you point out, SHA1 has been compromised although the number of iterations is still on the scale that it would not be a threat today, it is one in the longer term and should be replaced with something, perhaps Tiger or Whirlpool or something not yet invented.
Specifically, "quis custodiet custodes?" ("who will guard the guards?" in Latin) What if the pollworkers themselves are the ones interested in performing vote fraud? The machine can make all the noise it wants.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.