ChuckHerrin.com

Computer Security Stuff
Since you asked......

Here are some responses to questions I've had recently.  Lemme know if you have others - I'll be glad to throw in my local_currency = $.02

"Optical Scanners are feasible - paper ballots aren't"

That, to me, is unnecessary compromise.  I totally disagree that integrity is "a factor" to be traded off for speed.  We did the studies, and found that hand-counted paper is the most accurate, with the least spoilage, and is also unquestionably the most open.  Optical scanning can be very accurate - no dispute - but (especially when the numbers are then fed into a PC) we are selling out our main priority, integrity, because our elections staff would rather not count by hand.  Some think optical scanning is an easier 'sale' to voters and legislators.  I guarantee if the voters of ANY state demanded hand-counted paper, they would get it.  To say that "the voters won't understand it" is to sell the voters short - do you understand it?  Are you a voter?  Are paper ballots more difficult to understand than, say, driving?  Or DREs that record votes for the wrong person?  THAT is hard to understand....

People will understand it if it's presented logically.  That's the beauty of paper ballots - not that complex.  It doesn't take a Norman Einstein to figure that out ;-)

Compromising when you don't have to only ensures that your opponents will get their way.  They aren't worried about being 'nice guys'.  By allowing a little whining to influence your decision, you are allowing people with other agendas to change your priorities.  Why don't others see that?

One brief point I have is about the priorities reflected by the different solutions. It all comes back to priorities for me and my constant attempts to keep things simple. I believe that the voters of NC will understand hand-counted paper when the basis for the decision is made clear. My priorities:

Integrity
Accuracy
Speed

in that order have led me to favor hand counted paper ballots based on their strengths and limitations. Add to that the fact that there is no tech support or expensive equipment involved, and we have what appears to me to be a superior solution.

Optically scanned ballots offer a solution that goes with the following priority set:

Speed
Accuracy
Integrity

Since hand-counting offers more integrity and resistance to fraud than optical scanning, the question then becomes "How much hand-counting do we need to boost the integrity to an acceptable level so we can still get most of the speed benefits of optical scanning?" 1%, 5%, 10%, etc? Since we intuitively understand that:

1) hand counting is more trustworthy, and is always treated as 'the final word', and
2) optically scanned ballots are subject to tampering and error more efficiently than paper,

we then have to wrap compensating controls (some percentage manual recount or 'spot check') around the process to compensate for the weaknesses introduced by scanning.

Accuracy is pretty much a wash between the two methods. 

I don't have a strong objection to supporting optical scanning, since it does provide a paper trail that we are sorely lacking. Better is better, after all.

But I do want all of us to go into this with a full awareness of the trade-offs we're making if the voters settle for less than hand-counted paper. I still feel that integrity is not 'A' factor, it is 'THE' factor, but it appears that not everyone feels that way. I'm not saying that they're wrong - No judging - I'm just saying I disagree.

We are necessarily choosing speed over integrity and fraud resistance, and then trying to mix integrity back in at 5% to get the best of both worlds.

This may be the easiest method to sell, but that doesn't make it the best. Not with my priorities. But your mileage may vary, we all have our own set of priorities, and this IS a democracy, right ;-)

Paper Ballots, Recounts and detection:

One other thing that may be preaching to the choir here, but you may be able to use in talking to others.

We all agree that in the event of doubt, we rely on hand-counted paper to settle the dispute. We implement these other systems to gain efficiency, based on faith that our detection mechanisms will work and trigger a count by hand in the event of shenanigans.

Look at Ohio - our detection mechanisms (audit logs, exit polls, 1-3% recount) didn't lead to a 100% hand recount in an environment where the shenanigans we DO know about led Congress to challenge the vote. The opponents' most effective weapon is the cry of "no documented evidence".

Our detection mechanisms are not part of the solution, they are actively part of the problem. If we use hand counted paper to give the final results, why not use hand counted paper to give the results, period, and save us all a lot of time? Everyone can trust hand counted paper when it's open.

Analogy: There's no reason to put in a great backup parachute and use something faulty as the main, even though the faulty main chute WILL get you your final results more quickly! Just use the good one from the beginning, and keep another good one in reserve.

Preaching to the choir, I know, but if it helps you in your talking points to others it's not wasted keystrokes.
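To put numbers on the "how much hand-counting do we need" question above and on the 1-3% recount mentioned in the Ohio example, here is an added calculation (my example, not from the original page or from any elections office). It assumes the spot check picks precincts uniformly at random and that a compromised precinct is recognized as such once it is hand-counted; the 1000-precinct / 10-compromised figures are constructed for illustration.

```python
from math import comb


def miss_probability(total_precincts, compromised, sampled):
    """Probability that a uniformly random sample of `sampled` precincts
    contains none of the `compromised` ones (hypergeometric, no replacement).
    All arguments are precinct counts; the figures used in __main__ below are
    constructed for illustration, not taken from any real election."""
    if sampled > total_precincts - compromised:
        return 0.0  # the sample cannot avoid every compromised precinct
    return comb(total_precincts - compromised, sampled) / comb(total_precincts, sampled)


def detection_probability(total_precincts, compromised, sampled):
    """Chance that the spot check lands on at least one compromised precinct."""
    return 1.0 - miss_probability(total_precincts, compromised, sampled)


def spot_check_table(total_precincts, compromised, percentages):
    """Detection chance for each 'recount x% of precincts' policy."""
    return {
        pct: detection_probability(total_precincts, compromised,
                                   round(total_precincts * pct / 100))
        for pct in percentages
    }


def sample_size_for_confidence(total_precincts, compromised, confidence):
    """Smallest random sample that catches `compromised` precincts with the
    requested confidence; the answer is the whole state if nothing smaller does."""
    for n in range(total_precincts + 1):
        if detection_probability(total_precincts, compromised, n) >= confidence:
            return n
    return total_precincts


if __name__ == "__main__":
    total, bad = 1000, 10  # constructed: 1000 precincts, 10 of them tampered with
    for pct, p in spot_check_table(total, bad, [1, 3, 5, 10]).items():
        print(f"{pct:>3}% recount: {p:.1%} chance of touching a compromised precinct")
    print("95% confidence needs a sample of",
          sample_size_for_confidence(total, bad, 0.95), "precincts")
```

With those constructed numbers a 1% recount touches a compromised precinct less than one time in ten, and a 95% chance of catching ten bad precincts out of a thousand takes a sample of roughly a quarter of the state, which is the quantitative version of the "use the good parachute from the beginning" argument.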

Hacking Optical Scan Machines:

I can think of a pretty simple way to do it - if it is known that the test run will be, say, 100 ballots, set the software to flip every x vote (5th, 10th, 100th) a certain way after the number exceeds 200 or 300 or 1000.  Vendors know the procedures, y'all.  There's nothing magical about optical scanners - it's just software, too.

This is similar to a gas pump exploit used by the Mafia in Texas a while back. They knew that the accuracy testing for gas pumps was performed by taking a container measuring exactly 8 gallons from station to station and filling it up to exactly 8 gallons, then checking the gauge. They set the pump software to be right for the first 8 gallons, then started padding the price for gas pumped above that. They only got caught when somebody driving an RV noticed that the numbers didn't add up to what they should have - sort of a "gas pump exit poll".

Computers out. There's a reason I keep saying "Hand Counted".
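The gas-pump story and the "flip every x-th vote after the test volume" scenario share one lesson for whoever designs the pre-election test: a test whose size and contents are known in advance proves nothing about behaviour past that size. The simulation below is an added example (mine, not any vendor's software or any real machine's behaviour) that models the tabulator exactly as the text describes it, with a constructed threshold of 300 ballots and every 10th vote flipped, and then compares a fixed 100-ballot logic-and-accuracy deck against an election-volume comparison with a hand count.

```python
from collections import Counter
import random


class ModelTabulator:
    """Constructed simulation, not any vendor's code: honest for the first
    `threshold` ballots, then every `every`-th ballot marked for `victim`
    is recorded for `beneficiary`. Exists only to evaluate test procedures."""

    def __init__(self, threshold=300, every=10, victim="A", beneficiary="B"):
        self.threshold = threshold
        self.every = every
        self.victim = victim
        self.beneficiary = beneficiary

    def count(self, ballots):
        totals = Counter()
        for position, choice in enumerate(ballots, start=1):
            recorded = choice
            if (position > self.threshold and position % self.every == 0
                    and choice == self.victim):
                recorded = self.beneficiary
            totals[recorded] += 1
        return totals


def hand_count(ballots):
    """The reference count: one human tally per ballot."""
    return Counter(ballots)


def discrepancy(tabulator, ballots):
    """Machine total minus hand total per candidate; all zeros means agreement."""
    machine, hand = tabulator.count(ballots), hand_count(ballots)
    return {c: machine[c] - hand[c] for c in set(machine) | set(hand)}


def passes_test(tabulator, ballots):
    """True when the machine and the hand count agree on every candidate."""
    return all(d == 0 for d in discrepancy(tabulator, ballots).values())


def make_deck(size, rng, share_a=0.55):
    """Constructed test deck with a realistic candidate mix."""
    return ["A" if rng.random() < share_a else "B" for _ in range(size)]


if __name__ == "__main__":
    rng = random.Random(1)
    tab = ModelTabulator()
    # The procedure the vendor knows about: a fixed, small deck.
    print("fixed 100-ballot L&A deck passes:", passes_test(tab, make_deck(100, rng)))
    # What a precinct actually sees, checked against a hand count.
    election_day = make_deck(1500, rng)
    print("election-volume discrepancy:", discrepancy(tab, election_day))
```

The fixed deck passes every time; the same machine fed an election-sized stack disagrees with the hand count by exactly the number of flipped ballots. The defensive takeaways are the ones the text already argues for: test at realistic volume with sizes the vendor cannot predict, and treat the hand count of real ballots, not the machine's self-report, as the final word.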

Thanks to my Representatives:

Dear Senators and other members of the committee,

Allow me to express my thanks for inviting me to speak on industry risk and auditing, as well as voting machine and tabulation security. I have to admit that my normal optimism was yielding and I was becoming somewhat cynical due to the seeming lack of interest by many of our elected officials, but the sincerity and thoughtful questions of everyone in attendance served to dramatically restore my faith in our state's leadership.

There were several questions regarding the will of the voters, and concerns that a return to paper would be seen as adopting "old" technology. I assure you, voters I have spoken to in all parties are only interested in using the APPROPRIATE technology, and paper ballots excel in every category of accuracy and integrity. You know my position, but I thought it may be helpful to attach some of the feedback I have received from other voters across NC. Some of these comments are from outside our state, and some are from Americans living overseas, but there is a constant theme that in public elections, trust is everything. I look forward to working with you in any way I can to restore that trust.

Again, I thank you for consulting the security and technology experts, and trust that you will continue to do the right thing!

On the Heroes at the EFF:

By the way - we should all thank Wendy Seltzer of the Electronic Frontier Foundation (wendy@NOSPAMeff.org) for her help in getting the lawyers at the General Assembly to allow us to bring this information to light. Thanks to her (and Justin, too - he contacted the EFF about the same time I did) we were able to convince them that we were on firm legal footing to do so.

I was shocked to hear that because of the proprietary nature of the software and questions over the term 'authorized user' that a computer security professional would not be able to demonstrate the software for elected officials of the state who had purchased the software for use, but this is where we have arrived.

I just sent the EFF $100, and will send them a LOT more in the future. For any of you who are not tapped out from the tsunami relief, Christmas, and life in general, the EFF is truly a great organization that needs our support. Thanks in advance for any support you can give - they really stepped up to the plate for us. I don't forget things like that, and I'm sure that you won't, either.

Hopefully we can all look forward to the day when our elections systems are of the people again and not a profit opportunity for someone's shareholders. We need legislation for that to take place, and as long as we keep communicating with our officials, we just might get it.

On the C|EH and the Media:

http://www.charlotte.com/mld/observer/news/local/10593014.htm

http://newsobserver.com/news/story/1994275p-8380342c.html

http://www.wral.com/news/4063351/detail.html

A couple of the news stories re: yesterday.

Computer scientists will notice that the articles mention the "Certified Ethical Hacker" certification, but not any of the ones that have weight in the industry. That's like saying, "This attorney, who studied chemistry in high school, said...." The C|EH is by FAR the easiest cert I list, but it's the "Hacker" word that gets attention.

No complaints - it's just funny. :-)

"77% of Americans Thought the 2004 Election Was Fair":

77%, huh?  That means 1/4 don't, and given the complete lack of media attention, that says something.  That brings to mind another interesting stat....

85% of poll respondents said that the Y2K issue was overblown, but did you know that wind-shear alert systems failed at airports in Tampa, Denver, Atlanta, Orlando, Chicago, and St Louis? Operators in a Japanese nuclear power plant were unable to determine the position of control rods, and workers in an Arkansas nuclear power plant were denied entry to areas using electronic doors due to malfunctioning radiation monitoring units.

Those of us on the front lines doing the testing probably made up that other 15% when we saw systems fail during date changeover tests. People make fun of it now, but the people with the biggest supply stockpiles were programmers.  One last tidbit:

During the Y2K change the DoD lost a US spy satellite system, and the US Deputy Secretary of Defense wrote that "It was a significant source of information in our national intelligence capabilities" and that some of that data was "lost forever". Had we been hit by a terror attack, I don't think people would say that was "overblown".

The Experts sure as Hell didn't think Y2K was overblown - we were busting our asses to fix it, and managed to pull it out.  It wasn't easy, and it cost Billions of dollars.  In fact, a Y2K bug was recently blamed for a voting machine failure in NC.

But polls don't lie about one thing - the majority of American people are ignorant about what really goes on.  100% of us would agree on that.  :-)

Open Source Voting:

Since my soapbox is still set firmly underneath my size 15 loafers, I thought I'd weigh in on one last thing before I hit the road home.

I think open source is a step forward in terms of security, but I don't think it's the solution for our voting problems. Here's why, in layman's terms (or close).

Open Source has a double-edged sword associated with it - widespread code review. The key to making open-source more secure is that vulnerabilities that are found are then reported and fixed in the next version or via a patch.

But what happens when the bugs *aren't* reported? I'm Joe Hacker, and I find the source code to comb through. I find a bug, let's say a remotely exploitable buffer overflow, but don't say anything about it. The code is reviewed and patched, and everyone feels great! The false sense of security sets in.

That bug that didn't get reported is known as a 0-day exploit, since the people managing the system have zero days to react to the vulnerability because they don't know about it. No patch is available.

How much do you think China, Iran, or Al-Qaeda would pay for a zero-day exploit for the US electoral system? The DNC? RNC? Enough for one little hacker to retire on, I'll guarantee it.

(Computer folks, bear with me - oversimplified, I know) Every patch that fixes a critical security flaw was at one time (potentially) a zero-day. The reason it got patched was because someone responsible reported it. I myself have been involved in reporting a couple, and know of dozens of default settings that are almost as bad as a full code exploit. But what happens when someone responsible doesn't find and report them?

Most elite Hackers try to keep a stash of 0-day exploits - they're like cash in the Hacker community. "I'll trade you 5 login accounts at Experian (to pull credit reports) for a Server 2003 0-day." That example's probably not accurate - exchange rates vary greatly depending on the people involved (spammers vs warez folks, for example).

But that's why I'm not receptive to running our voting system on ANY software! Bugs WILL be found - that's another guarantee from your Uncle Chuck. But getting every bug reported and fixed is another matter. Voluntarily turning in an exploit to such an important system would cost somebody a lot of power and money, and Hackers aren't interested in giving up power and money any more than politicians are.

Over a LONG period of time, Open Source software (like OpenBSD) DOES get more secure as more and more bugs are reported and fixed, then re-tested. But that is a LONG process - we are still seeing bugs in 20 and 30 year old code get discovered. Like Justin showed with his excellent airplane code example, it is extremely time and money intensive to get code secure. That holds true whether the code involved is open or closed source. They both can and will be exploited.

And before some DRE fucktard takes this as an endorsement of closed source - it's NOT!  Closed source is much, much worse!  Let's all remember that when Microsoft was asked about making their source code public during their antitrust trials, Bill Gates said that releasing the source code for Windows to public review would be a threat to national security! More testing means better code, so Open Source is undoubtedly better in that respect.

The problem is with ALL software - we just don't have the technology yet.  Sometimes the best tool is a hammer, and sometimes it's paper.  Sometimes the best security isn't a hashing algorithm - It's a big, heavy lock.

Anybody that tells you different is selling something.

Cryptography in Voting Machines:

I would say that the use of cryptography goes against the fundamental aspects of our system of voting, and here's what I mean:

1) it is illegal for votes to be tabulated in secret,
2) Nobody has the right to change my vote data, whether it's on a piece of paper or a string of 1s and 0s. Nobody.

Simple definition of cryptography for use in vote systems? How about:

Changing vote data to make it secret, then changing it again to count it.

We are supposed to 'trust' that the developer involved in writing the code uses an algorithm that 'changes it, but doesn't _change_ it', into a form that nobody can read, and then another instance of that or another algorithm changes it _back_ to what it was supposed to be the first time, where it is then counted. There are a thousand potential ways for a clever developer to abuse this, and like everything else inside a computer, it would be difficult to find if done correctly.

And how are we supposed to verify that? Trust is irrelevant - how can I see that my vote is what I wanted it to be when it's encrypted? What if my bar code just resolves to "yes" for every inquiry that is made to see if my vote was counted? That's 2 changes and one secret. How is that open and verifiable by the public?

I'm sure they're great cryptographers, and I respect that since that's a complex field. But they're solving the wrong problem.

Paper ballots, y'all.

Corporate Interests in Election Systems:

Anytime corporations are involved there will be a conflict of interest.  Corporations are obligated to deliver returns to their shareholders, and getting shareholder returns is a conflicting goal with designing open, secure systems. Microsoft is not successful because they write secure software - they are successful because they write software and get it to market!  They only started worrying about security when their customers started demanding it - any more testing than is required is just money out of shareholders' pockets!  And corporate "secrets" do NOT serve the public interest in voting - witness the way Diebold, ES&S, et al are hiding a public function behind the veil of "trade secret" and the problems that has caused. They have even designed their systems to defeat a random spot-check of precincts - I'll show you how on Friday.

The profit motive alone is a conflict of interest, but when you add the additional ability to influence elections and the power that goes with it, I'm sure that any number of (private?) corporations would even be willing to operate at a financial loss in order to run the election systems. They lose money now in exchange for political influence - it's called "lobbying".  I'm sure they would be able to make money other ways....remember how "profitable" Enron was?

When we put a computer in between me and my actual vote, that computer acts as my vote proxy since unlike a paper ballot, it has the ability to change my vote. There is no way that anyone knowledgeable would allow someone with a conflicting profit or power motive to act as their vote proxy and trust that everything will just be fine, especially when there's very little chance of fraud being detected.

Corporate goals and public goals conflict sometimes, which is why we don't just come out and do away with government and let businesses officially run the country. Officially, anyway ;-)

This conflict should prevent corporate interests from being able to design OR build the systems. Even when they would be allowed to just build the systems as contractors, there is a huge problem when it comes to verifying that there are no backdoors or secrets that were not intended by the designers, and we're back here where we started, except for now there's a false sense of security.

Even in a well-designed system the computers are tasked with conflicting objectives of anonymity and auditability/accountability. Computers as we know them just aren't well-suited for what we want to accomplish, since they are NOT easily open to independent review by voters.

One final little point (sorry for the length) - the other companies mentioned may not have a history of problems, but if they are given the voting contracts, they will. Computer example: when people started moving from Internet Explorer to Firefox, Firefox vulnerabilities suddenly started coming to light much more frequently. One reason for this is because it was now more of a target. One reason these systems have not had as many problems is because they are not the big players - if all of a sudden "Joe's Voting System" gets adopted, then that system is the target for anyone looking to "influence" an election.

This is a truth of computer science (and everything else) - which is the main reason that more viruses are written to infect Windows than any other platform. Linux viruses exist, but if you want to have maximum impact, you don't target a system with technical users and a 3% market share. There WILL be a way to exploit whatever computerized system is put in place - I guarantee it - and I also guarantee that it will be harder to detect than watching someone walking away with 10,000 pieces of paper tucked in their sweater.

Paper ballots, y'all.

The Oregon System:

(Note - since my original post I have received some helpful information from some folks in Oregon, and their info has helped clear up some things. Oregon does sound like it has a thought-out system, but I maintain that any system where someone does not have to show up and authenticate themselves before their vote is counted is more prone to abuse, regardless of barcodes and signature verification.  I do agree that one single statewide system can be made more secure than the hodgepodge cluster of vendor offal that NC has, and like the idea of receiving ballots beforehand.)

I will post more as I learn more.  They sound like they are doing the right thing, and have multiple controls, but at least one person other than the voter has unrestricted, unmonitored physical access to the ballots (the mailman).  Unrestricted, unmonitored physical access is something that's very difficult to design compensating controls for - period.

I have to say, theoretical exploits aside, the Oregon system is so much better than NC's that as I run through sample scenarios I feel like I'm criticizing a yacht from the inside of a kayak.


"Why is party affiliation listed at the top of everything?"

A friend asked me something the other day, and I don't have a good answer. She worked at a polling place and said that when people called asking for information or showed up in person, as soon as they pulled up the voter's name, their party affiliation was listed right up there with name, address, etc. This often led to the workers providing different information to the person asking the question based on their party affiliation.

Other than determining eligibility to vote in primaries, is there any good reason that this information needs to be prominently displayed, or displayed at all? On the surface, it sounds like it's just an invitation for abuse.

If election workers didn't know the party affiliation, nobody would throw out voter records, etc based on it (they probably still would based on race, etc, but they don't need to know party affiliation in order to register someone), and what party you're registered with doesn't affect who you can vote for, except for in a primary.

Any thoughts? Help me out here - this practice sounds kind of stupid.

Instant Runoff Voting (By Hand, of Course.  It CAN Be Done):

I think that IRV is a fabulous goal, long term. It stands to greatly reduce runoff costs and other problems once we have systems that can reliably handle it. The problem right now is that our electronic voting systems cannot reliably count straight races, and even the DRE manufacturers have said that they are not ready for IRV. Complicating things, IRV introduces a more confusing system in terms of auditability and security, since the ballots are more complex and normal indicators such as exit polls will not be able to easily reflect IRV results. Tracing back the will of the voter in the event of problems or fraud would be more difficult with IRV until a reliable procedure and design is in place, and any abuses are much less likely to be detected since the whole point of the IRV system is avoiding recounts. That's not to say that it can't be done, just that it is extremely important to get it right the first time, with proper design and certification.

Instant Runoff Voting is a great goal for us to work toward, but if we need to get a system in place for 2006 and 2008, IRV is not logistically viable. For IRV to work, we need systems that are trustworthy and reliable, and that takes more time and money than we have available before the next election.

An analogy I use for IRV is the flying car - definitely possible, and a great idea, but right now we won't get there by strapping a missile to a Yugo. Would it fly? Sure - but I don't think it's what we want to rely on for safe and reliable transportation.

I would be happy to work with you towards IRV as a long-term goal, as I think it has merit as a long-term solution when properly designed and tested.
(Note - NC Resident Mark Ortiz has a very promising idea for hand-counted IRV.  Looks great!)

Undervotes and Dixiecrats:

One of the big advantages people in favor of DREs keep trotting out is the great reduction in Undervotes. All of a sudden, 2+2 added up for me when I thought of the following:

1) Many people are dismissing some irregularities as the "Dixiecrat" phenomenon, which is a legit possibility for some voters, but not normally as many as this last election.

2) DREs are advertised to greatly reduce the number of undervotes. If there's a default selection made, I think I see why.

3) Many thousands of people have come forward and said that their voting machine had the President set as the default. That's like a paper ballot coming pre-filled out and then you having to erase what's already there and circle the other choice.

4) In NC (I don't know about other states), if you vote straight-ticket, you must also cast a SEPARATE vote for President. If you don't, no vote for President is recorded. Unless, of course, there is a default choice.

5) The results of a "Dixiecrat" and a straight-ticket Democratic vote would be identical - local elections voting Dem and Presidential votes going Republican.

In 2000, there were over 100,000 NC votes with no mark for President. See this article for a little more:
http://www.charlotte.com/mld/observer/news/local/10007894.htm?1c

If the default on all of these machines was set for Bush, 2 things theoretically happen:

A) Bush picks up potentially 100,000+ votes in NC alone, and
B) DRE advocates point to the "wonderful loss of undervotes" recorded by using their systems!

I never said these guys were dumb.....

Why Paper?:

<preamble deleted>...If I were an attacker or corrupt insider:

1) Release my source code for both my Linux OS and voting software, and wait for the entire opensource community to give me the green light,
2) Install my LKM, then run an MD5 hash to generate a known "good" system value, (other MD5 hacking is also possible, including creating matching hash values for different apps - see recent bugtraq posts, for the geeks among us)
3) Roll it out for use in the election, with the full faith and support of computer scientists, and when the election comes in 51-49, everyone who complains then will have an impossibly difficult time getting their voices heard. Any investigations would reveal that the software hasn't changed since certification, and the voting systems are still corrupted.

There are technical details I've omitted for brevity and clarity, but as anyone who has responded to a Hacked *nix box can attest, a well-done rootkit is nearly impossible to detect, even for experts. That's why we tell companies to reinstall from trusted media if you suspect you've been hacked - you can't always find the backdoors.

I love paper. :-)
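The "run a hash after installing the LKM and call it the known-good value" step is the part worth making concrete for the folks who have to respond to a hacked box: a baseline only proves anything if it was taken from media you trust, not from the machine you are suspicious of. The script below is an added example (mine, not Diebold's, not anyone's certification procedure) that builds a manifest from a trusted-media tree and verifies a deployed tree against it. SHA-256 is assumed here in place of the MD5 the text mentions, since MD5's collision problems are one more reason not to build a baseline on it; the file trees and contents are constructed, not real paths or real hashes.

```python
import hashlib


def build_manifest(files):
    """files: {path: bytes}. Returns {path: sha256 hex digest}.
    SHA-256 is an assumption of this example; the page itself talks about MD5."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify(manifest, deployed):
    """Compare a deployed tree ({path: bytes}) against a manifest and report the
    three kinds of difference a responder cares about."""
    current = build_manifest(deployed)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def is_clean(report):
    """True only when nothing was modified, removed, or added."""
    return not any(report.values())


# Constructed sample trees: the paths and contents are illustrative only.
TRUSTED_MEDIA = {
    "/boot/vmlinuz": b"kernel image v1",
    "/usr/bin/tabulate": b"vote tabulation binary",
    "/lib/modules/net.ko": b"network driver",
}
DEPLOYED_AFTER_TAMPERING = {
    "/boot/vmlinuz": b"kernel image v1",
    "/usr/bin/tabulate": b"vote tabulation binary",
    "/lib/modules/net.ko": b"network driver with extra hooks",   # altered module
    "/lib/modules/helper.ko": b"module that was never on the media",  # added module
}


if __name__ == "__main__":
    # Baseline taken from the already-deployed machine (the scenario in the text):
    # it matches itself, so every later check reports "unchanged since certification".
    print("self-baseline:", verify(build_manifest(DEPLOYED_AFTER_TAMPERING),
                                   DEPLOYED_AFTER_TAMPERING))
    # Baseline taken from trusted media: the differences become visible.
    print("trusted-media baseline:", verify(build_manifest(TRUSTED_MEDIA),
                                            DEPLOYED_AFTER_TAMPERING))
```

The first report is clean and the second lists the altered driver and the extra module, which is the whole difference between "the software hasn't changed since certification" and "the software matches what was certified". One caveat that fits the text's rootkit point: a verifier running on the compromised host can itself be lied to by a kernel module, so the comparison has to be run from trusted boot media, which is exactly why the advice is to reinstall from trusted media rather than trust anything the box reports about itself.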

Diebold's "Election Support Guide":

(Since the target audience was Canadians, I think the author's primary language may not be English, but maybe French.  This is from the 1.8 GB dump off Diebold's open server - they laid an ownership claim to it)

I wanted to show you all some really telling quotes from Diebold's "Election Support Guide", the full pdf is available at http://www.equalccw.com/ElectionSupportGuide.pdf . Jim Clark put together a good summary on his page already, so if you've seen it you can skip the rest of this message.

If it weren't so serious, it would be laugh-out-loud funny. Some of the best (?) quotes:

"3. General issues

As representative of Diebold on election day, you will be considered the paragon of knowledge and authority with respect to the jurisdiction's election, even though you may in fact be the least qualified person on site. In light of this, present yourself in as diplomatic, reassuring, and professional a manner as possible.

3.2. Communication

You will generally be considered to be a high-ranking election specialist and a paragon of knowledge and solutions, which may be disconcerting when things go wrong. Do not promote your ignorance - in case of doubt, call a designated contact who may be more knowledgeable than you.
Be aware of the fact that pollworkers are often quite aged, and that
technological issues that to you are utterly banal may be quite daunting to the pollworkers.

Offer the minimum amount of information necessary.

Do not to offer damaging opinions of our systems, even when their failings become obvious.(sic)

6.2. AccuFeed

The jurisdiction may be using the AccuFeed in order to process absentee ballots in batch mode. The AccuFeed is often sensitive to the orientation, size, and print quality of the ballot.. AccuFeed units tend to reflect varying behavior in terms of speed and quality of processing. Familiarize yourself with the functioning of the AccuFeed before the election if it will be used in the election. Do not offer information as to the AccuFeed's shortcomings to the jurisdiction, even where obvious."

(Jeez.  Ken Lay called from OJ's cell phone - they want their ethics back.)

Why India Gets Our IT Jobs:

Computing meets the KISS principle. Brilliant :-)

http://techaos.blogspot.com/2004/05/indian-evm-compared-with-diebold.html

2 of my favorite quotes:
"The Indian EVM is just plain circuit, with some assembly code. A few LEDs, and two Seven Segment LED displays. One EVM can list 16 candidates, but up to 4 EVMs can be Linked to accommodate 64 candidates. (In a country of a billion people its possible to have 64 candidates for one single constituency.)" --That's complex enough for us, and anyone ever try to hack assembly? Yeesh. And:

"Reading this article, some of you might remember that Cold war era joke, about NASA and its multi million dollar experiment with a pen that can write in micro gravity to solve the writing problems of astronauts, and the Russian solution of using a Pencil to solve the same problem." (Urban legend, but funny)

Unfortunately, that will never work in America because there is no money to be made.  Sorry - sounds great, but we have too much money involved - nope.  No way.  Sounds good, but you know it, too.  Stop.

An Exchange With a Fellow Computer Scientist, Which Pretty Much Sums Up My Whole Position: (My comments in blue on the original page; in this copy, his lines are the ones marked with > and mine are the unquoted paragraphs)

Not to be stubborn :-), but...

<being stubborn>

My key feelings on this boil down to some very simple declarative statements:

When systems are made complex, they are necessarily less secure. There are inevitably more points of failure, and corresponding controls added to correct these points of failure only add to the system's complexity. This is a tried and true maxim of Information Security - the modern KISS principle.

I do not accept that vote integrity is just a "factor" to be traded off with others. It is THE factor. There is no mention in the constitution about speedy vote counts being available to the press or elections being quick and easy on elections officials (not that I want them to go through any more than they have to); what is required is that every vote be counted fairly and treated equally.

Whenever computers are used, there will be doubts as to what is actually taking place inside the machine. Efficiency does not work to integrity's advantage, and in fact, the more people involved in the counting, the better. The ballot-chaining example could not be carried out without everyone involved being complicit and keeping quiet. The more eyes on it, the better.


> A simpler solution would be to require that any computer have no modem
> or onboard network card. This eliminates that problem at the vendor
> level and places no additional burden on the election officials.
> Again, require the vendors to eliminate all but one or two I/O ports,
> to allow something like an external CD drive and keyboard hookup in
> the event of a necessary diagnostic. The other half is to require the
> head of elections for that county/city to ensure that no voting
> equipment leaves their office without being "election-ready", and part
> of that checklist includes the tamper-resistant tape. Make them sign
> off on a pre-election-checklist. If they don't sign, they get in
> trouble. If they sign and a precinct judge or assistant notices it
> missing, they (the head honcho) get in trouble.

All of these controls can be eliminated by not having computers in the first place.


> Well, let's make sure that the officials do their job. There are
> reasonable and unreasonable demands on election officials. That they
> keep track of their own equipment is reasonable.

Agreed. It is easier to track stacks of paper than it is to track tamper-proof seals and I/O ports.


> They found that hand-counted paper ballots, optical scanners, and
> lever machines had statistically identical rates of error and
> undervote.
> http://www.hss.caltech.edu/%7Evoting/CalTech_MIT_Report_Version2.pdf
> If you look at Table 3 on page 11, you see that in 1996 and 2000,
> respectively, paper ballots had an error rate of 2.1% and 1.3%;
> optical scanners had an error rate of 1.5% and 1.2%, respectively.
> When the sample size and standard deviations are taken into account,
> the two alternatives are essentially indistinguishable. The last
> sentence of the conclusion reads:
> "...[w]e wish to call attention to the excellent performance of the
> optically scanned ballots, the best average performance of the newer
> methods, and especially to the older methods of voting -- lever
> machines and paper ballots."

Yup. And from the 4th paragraph:
"The central finding of this investigation is that manually counted paper ballots have the lowest average incidence of spoiled, uncounted, and unmarked ballots, followed closely by lever machines and optically scanned ballots."

We're in agreement that these three methods are best, and I don't think there's any question that pure hand-counted paper is the most resilient (no counting machines jamming, power outages, etc). I also have a sneaking suspicion that if anything BUT hand-counted paper is used that vendors will come sneaking back in with their "new and improved" systems, and we'll be right back here in a few years.


> As much as we dislike it, voting integrity /is/ a factor we have to
> take into consideration and that we will be trading off. The paper
> chain attack I mentioned in my last post could be negated by employing
> more observers, but at what cost? What's to stop someone from buying
> a surplus optical scan machine, printing out their own tally, and
> getting a forgery expert to "sign" the "real" end-of-day tallies that
> shows their candidate doing very well?

I know what will stop someone - hand counting with lots of eyes.

> What's to stop a crooked
> ballot printer from banging out an extra batch of valid paper ballots
> and distributing them to crooked precinct captains of their choice?
> We could potentially stop these attacks, but the cost might be
> prohibitive. At some point we have to say, "it's good enough."

When every citizen can verify their vote transparently, with NO question about what the counting machine did or what the computer did inside its case, that's when "it's good enough."

> I agree that we should never sacrifice integrity for speed, but we
> must realize that integrity is an axis where we have to decide what's
> acceptable risk.

Nothing is ever 100% secure, but when you have competing methods that are equally accurate, I'll choose the more transparent, simpler one every time.

> The count done during election day is taking place among a whole host
> of other events. Voters are coming in and out, officials step outside
> for a cigarette break, the press and observers are hopefully
> wallflowers, but in some cases wandering around, and you need to watch
> them to make sure they don't intimidate the voters and the like.
> Consider this: most of the time I'm careful with my driving, and
> working to avoid an accident. Other times -- like if I've got my
> cousin and her baby in the car -- I'm going to be /damn/ careful about
> my driving. The "free" recount will have fewer things going on at the
> same time, and you're only counting the paper trail, as opposed to
> producing it and counting it at the same time. While you might have
> kept a close eye out before, you're going to be extra careful during
> the recount and eliminate as many possible distractions and sources of
> error as possible.

The number of people around during a transparent hand count only serves to increase the difficulty of perpetrating fraud. I agree that a recount will be careful, but I don't think that means that the initial count should have less care taken.

> You say, "Well, the computer is in the center of
> the room with no network connection, and the videotape didn't show any
> unauthorized people going near it, but let's toss out its count and
> use only the paper records."

No, I say "There's a bunch of paper ballots in a locked plexiglass box. Let's divvy up and let EVERYBODY watch us count those. Computer? What computer?"

> Agreed. Which is why we need to have a comprehensive plan that
> examines all the stuff we've been bringing up: legal status of paper
> ballots, recount procedures, equipment distribution, software
> examination and verification, removing software from unnecessary
> places, etc, etc. If we can come up with a one-page executive summary
> of what we want that lays it all out in (no?) :-) uncertain terms, we can
> minimize our opponents' ability to sigh "what now?"

Agreed. And understand that I will fully support whatever decision the group comes up with. I also realize that paper ballots might seem like a step backwards for some, but when you're about to walk off a cliff, that's the only way to go. (I just made that up :-) )

My fear with this exercise is that if we demand anything BUT hand-counted paper ballots or insist on anything BUT hand-counted paper ballots, then computers will be used somewhere in the process. And once they're in, the same closed-door, secretive BS that got us here in the first place will resume, and every possible loophole regarding computer security and certification will be exploited to the detriment of the voters. We don't need to let Diebold and ES&S go back to the drawing board to come up with New, Improved vote tabulation systems - we need to keep them out altogether.

Open source is better, but that brings its own problems, like verifying that the code running is really the code that was examined, etc. I would expect these guys to release some Open Source code and get it certified, then load different code on the actual machines. They did that in California - 17 out of 17 precincts were running different versions of the code than what was certified. You know how easy it would be to sneak a little bit of malicious code in there - Open Source doesn't necessarily mean secure. With all of the Linux patches we have to keep track of, along with the "Sendmail bug of the week", we know there are still problems.

With arguments, like everything else, I prefer to Keep It Simple:

There are no loopholes to be exploited or "creatively interpreted" when you ask for hand-counted paper ballots. No shades of gray, no "trade secrets", no profit motive, no code-switching, no expensive certification process; just transparent, open, and (hopefully) honest elections that people can put their faith in.


> I think you're placing too much emphasis on GEMS; just because the
> current tabulation software is vulnerable and poorly-written doesn't
> mean that future tabulation software will be that bad.

True - it can ONLY get better. But it DOES mean that it will continue to be a target and a weak point.

> I agree that
> tabulators are a tempting target, but I take that to mean that we need
> to pay extra attention when creating system requirements for any
> tabulation method. Paper ballots are "hackable" from a distance, too,
> given corrupt election officials. For example
> Real total
> Candidate A: 972 votes
> Candidate B: 819 votes
> What election official phones in the SBOE for that county:
> Candidate A: 927 votes
> Candidate B: 891 votes

Again, that's human fraud. This is a constant problem regardless of the method used. The use of computers will not make this problem go away.

> True, but elections could start employing tried-and-true security
> methods, such as "allow known good" as opposed to "deny known bad."
> If I only accept e-mails from people I know, and those e-mails are
> signed with their public key, phishing isn't going to work, even if
> they forge the "From:" address.

All of these controls - whitelisting, PKI, digital signatures, etc. - are only necessary because the introduction of computer systems brought those vulnerabilities with it. There's no need for a digital signature if I watch you write something down and then you hand it to me. These controls are just not required in a simpler system. The best tried-and-true security method is to keep the system as simple as possible, and only change it to eliminate complexity, not increase it.

This isn't just a "how do we make electronic voting secure" problem. It's a "how do we make voting secure" problem. The electronic part doesn't need to be there at all if a manual method works better.


> Agreed. My point is that paper ballots do have their own set of
> problems that we need to take into account. As long as we can
> reconstruct the accurate count with a minimum of effort -- like we can
> do with optical scan machines -- we shouldn't be afraid to use new
> technology as long as there are tangible benefits that clearly
> outweigh the added risks.

You're right, but EVERY problem with paper ballots boils down to "Humans can abuse them". There are NEVER any problems with machines failing, or computer screens breaking, or memory card failures. You can drop and step on a paper ballot, and it still works fine. This "human" problem exists with every method, but the ease of abuse increases with the complexity and "opaqueness" of the method used. I agree with what you're saying about paper ballots and their problems, but the problems are not a failing of the ballots - they are failings of the people involved. Also, I am not convinced that super-fast tabulation IS a tangible benefit. To quote Edward W. Spannaus in his testimony to the Missouri House of Representatives:

"Impediments to vote fraud: Any use of computers opens the door to fraud. The speed and complexity of computers creates an inherently dangerous and fraud-prone situation, because, as we have noted, only a handful of people know how votes are being counted. Citizens can never have full confidence in any such system of vote counting.

By going back to a universal paper ballot, which is hand counted, we are creating additional impediments to fraud and tampering with results. If this requires more people to count the votes than is needed when using computers, all the better. The more people involved, the more obstacles we have created to carrying out vote fraud.

Transparency and voter confidence. The objection has been raised, that a total paper-ballot system would be a slow, inefficient system for counting votes. In our view, this is a great advantage. A slow, ponderous vote-counting system, where citizens can watch their votes being counted with complete transparency, is the best way not only to prevent vote fraud and election-rigging, but to establish public confidence in the integrity of the electoral process.

There is no requirement, Constitutional or otherwise, that vote totals must be made available instantaneously for the benefit of the news media or anyone else. There is, however, a Constitutional mandate that votes be counted fairly, and that all votes be treated equally.

A 100% paper-ballot system is the best means to ensure such an outcome."


I agree with that 100%.

Copyright 2005 Chuck Herrin.

All Rights Reserved, All Wrongs Avenged.