Electronic Voting Down for the Count? Charles P Riedesel University of Nebraska, Lincoln


Electronic Voting
Down for the Count?
Charles P Riedesel
University of Nebraska, Lincoln
Computer Science & Engineering
Where I am coming from
• Mathematician – “fair” elections are
impossible
• Computer scientist/engineer – designing
errorless/unhackable computer hardware
and software is impossible
• Politician – fooling the people all the time is
impossible
Where am I coming from?
• I teach computer organization – By the end of
freshman year my students can design the
circuitry of a functional computer. I know how to
hide an “Easter Egg” in hardware that is virtually
impossible to find.
– Counterfeit chips are already a problem
– An Easter Egg is a surprise that can be uncovered by
very particular actions, a “Cryptic Knock”
– Example: Microsoft Excel 97 had a hidden flight
simulator, activated by keying at a special cell
– Cryptic knocks can be used to wake up trojan horses!
Where am I coming from?
• I have taught operating systems and
compiler construction at the jr/sr/grad
level. With this knowledge we can replace
and/or modify COTS (Commercial Off The
Shelf) software to do things totally
unexpected by unknowing programmers.
Where am I coming from?
• I have gone through a lot of the technical
reports about voting systems hardware
and software, and can make sense of and
comment on most of it. My colleagues who
are more expert at communication
networks and software engineering
aspects can absorb it all.
Today’s Agenda
• The role of elections in our democracy
• Makings of an election
• Rise and fall of the DRE
• Other players, organizations, documents
• Recommendations
The Role of Elections in Our
Democracy
• Inherent mathematical flaws of elections
• An election is only a snapshot of those
voting
• Weighted voting
• One person, one vote?
• Legitimacy based on trust
• Principles for a good election
Inherent Mathematical Flaws of
Elections
• Winning is not transitive
– Three-way race with Alice, Bob and Calvin based on
three equally important issues of abortion, taxes, and
war.
– Voters prefer Alice, then Bob, then Calvin on abortion.
– Voters prefer Bob, then Calvin, then Alice on taxes.
– Voters prefer Calvin, then Alice, then Bob on war
– In two way races Alice beats Bob, Bob beats Calvin,
and Calvin beats Alice!
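The three-way race on the slide, worked through in code as an added example (not part of the original presentation): each of the three equally weighted issues is treated as one head-to-head vote, every two-way race is tallied, and the search for a candidate who beats all others comes up empty because the results form a cycle.

```python
from itertools import combinations

# Constructed from the slide: three equally weighted issues, each with a
# full ranking of the candidates. Each issue acts as one head-to-head vote.
ISSUE_RANKINGS = {
    "abortion": ["Alice", "Bob", "Calvin"],
    "taxes":    ["Bob", "Calvin", "Alice"],
    "war":      ["Calvin", "Alice", "Bob"],
}


def prefers(ranking, x, y):
    """True if candidate x is ranked above candidate y."""
    return ranking.index(x) < ranking.index(y)


def pairwise_winner(rankings, x, y):
    """Two-way race between x and y, one equally weighted vote per issue.
    Returns the winner, or None on a tie."""
    x_votes = sum(1 for r in rankings.values() if prefers(r, x, y))
    y_votes = len(rankings) - x_votes
    if x_votes == y_votes:
        return None
    return x if x_votes > y_votes else y


def pairwise_results(rankings):
    """Winner of every two-way race, keyed by the unordered pair."""
    candidates = next(iter(rankings.values()))
    results = {}
    for x, y in combinations(candidates, 2):
        winner = pairwise_winner(rankings, x, y)
        if winner is not None:
            results[frozenset((x, y))] = winner
    return results


def condorcet_winner(rankings):
    """Candidate who beats every other one head-to-head, or None when the
    two-way results form a cycle, which is the slide's non-transitive case."""
    candidates = next(iter(rankings.values()))
    results = pairwise_results(rankings)
    for c in candidates:
        if all(results.get(frozenset((c, o))) == c
               for o in candidates if o != c):
            return c
    return None


if __name__ == "__main__":
    for pair, winner in pairwise_results(ISSUE_RANKINGS).items():
        print(" vs ".join(sorted(pair)), "->", winner)
    print("Condorcet winner:", condorcet_winner(ISSUE_RANKINGS))
```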
An Election is only a Snapshot
• Elections are held on one day (usually)
• Polls demonstrate dynamics of a race
• Sensitive to late-breaking news, charges
• New information after the election
• Election really valid for 2, 4, or 6 years?
Weighted Voting
• What if Alice beats Bob, but it is only
because 51% mildly prefer Alice, but 49%
detest Alice and adore Bob? Overall, Bob
is better liked!
• What if Calvin beats Don 55% to 45%.
Instead of winner takes all, put both in
office and weigh their single vote 55-45 on
all issues!
One Person, One Vote?
• You are smart, well versed on issues.
• The idiot with an IQ of 40 on your right
really has no idea what is going on.
• The blow-hard on your left is caught up in
some single-issue thing.
• Should your vote really count the same as
either of theirs?
Legitimacy Based on Trust
• Numerous flaws in elections
• Possibility of mathematically invalid results
• Can anyone find a better way?
• What level of imperfection can we
tolerate?
• Essential that winners and losers alike buy
in to the system and accept results
Principles for a Good Election
• Vote storage mechanisms should be
– Simple
– Reliable
– Durable (for the votes)
– Tamper-evident
– History-independent
– Subliminal-free
– Cost effective
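An added example (not from the presentation) of what "history-independent" and "tamper-evident" mean for a vote store: a naive append-in-cast-order file preserves the order ballots arrived, which can be lined up against poll book sign-in order; a canonical (here: sorted) representation depends only on the set of ballots cast, and a published digest of it lets auditors detect later alteration. The ballots and race names are constructed, and sorting is the simplest history-independent representation, not the only one.

```python
import hashlib
import json

# Constructed sample ballots in the order they were cast at one precinct.
# No voter identity is stored, only the choices made.
BALLOTS_AS_CAST = [
    {"mayor": "Alice", "measure_1": "yes"},
    {"mayor": "Bob", "measure_1": "no"},
    {"mayor": "Alice", "measure_1": "no"},
    {"mayor": "Calvin", "measure_1": "yes"},
]


def canonical(ballot):
    """Stable one-line encoding of a single ballot."""
    return json.dumps(ballot, sort_keys=True)


def append_only_image(ballots):
    """Naive store: ballots written in the order cast. Anyone holding the
    poll book sign-in order can line the two up and recover who voted how."""
    return "\n".join(canonical(b) for b in ballots)


def history_independent_image(ballots):
    """Canonical store: the image depends only on the multiset of ballots,
    not on arrival order, so it carries no ordering evidence to correlate
    with sign-in records. Sorting is the simplest such representation."""
    return "\n".join(sorted(canonical(b) for b in ballots))


def seal(image):
    """Tamper-evidence: publish this digest at poll close; any later change
    to the stored image changes the digest."""
    return hashlib.sha256(image.encode("utf-8")).hexdigest()


def leaks_order(store, ballots):
    """True if the same ballots cast in a different order yield a different
    stored image, i.e. the store preserves history."""
    return store(ballots) != store(list(reversed(ballots)))


def tally(ballots, race):
    """Totals for one race; identical whichever store the ballots came from."""
    counts = {}
    for b in ballots:
        counts[b[race]] = counts.get(b[race], 0) + 1
    return counts
```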
Principles for a Good Election
• Voters need to know their vote is
– Accurately recorded
– Counted in the total
– Anonymous – no way to track back who voted
how
– Private – no possible evidence to show
anyone how he/she voted
Makings of an Election
• Voting system machinery
– GEMS
– Electronic Voting Machines
• DRE, DRE with VVPT, PCOS
• Process of an election
• Regulatory actors
– HAVA
– NIST, TGDC, EAC, STS
– ITA’s – Ciber, Wyle Labs, SysTest Labs
– NASED
– FEC
Voting System Machinery
• GEMS: General Election Management System –
the computer and software that takes in and
processes the results from all the voting
machines
• DRE: Direct Recording Electronic voting
machine – votes recorded in software
• DRE with VVPT: Voter Verifiable Paper Trail –
votes also recorded on paper
• PCOS: Precinct Center Optical Scan – scans
and records vote upon being cast
Process of an Election
• Election Definition – define races, candidates,
districts, precincts
• Configure Voting Equipment, Print Ballots –
geography makes each precinct different
• Pre-Election Test – Verify that everything is
ready
• Election Day – Open polls, vote, close polls
• Canvassing – Compute and publish totals,
archive results
– (Copied from a slide by Douglas Jones)
Regulatory Actors
• HAVA: Help America Vote Act, 2002,
– Get rid of hanging chad,
– Eliminate mechanical voting machines,
– Central count for absentee ballots only,
– Promote accessibility for disabled voters,
– Fund new machines,
– Set up new agencies
Regulatory Actors
• NIST: National Institute of Standards &
Technology – technical advisor to
• TGDC: Technical Guidelines Development
Committee – advisory board to
– (note: Nebraska Secretary Of State John A. Gale is a
member of TGDC!)
• EAC: U.S. Elections Assistance Commission –
handful of presidential appointees
• STS: Security and Transparency Subcommittee
of TGDC – “Requiring Software Independence in
VVSG 2007” recommendation to TGDC 11/2006
Regulatory Actors
• ITA’s: Independent Testing Authorities
– Ciber: employs standard methodologies for
evaluating correctness and quality of software
• Jan 2007 – in trouble for not following quality
control procedures and lack of documentation
– Wyle Labs: review source code, does
hardware testing and functional testing of
voting machines
– SysTest: quality assurance, software test
engineering, verification & validation
Regulatory Actors
• NASED (National Organization of State
Election Directors) under the
• Election Center to which the ITAs report,
part of the old
• FEC (Federal Election Commission)
Rise and Fall of the DRE
• The Direct Recording Electronic machine
• Hopkins Report
• SAIC Report
• Compuware Report
• Raba Report
• VSTAAB Report
• Hursti II Report
• Princeton Report
• Nedap Report
Rise and Fall of the DRE
• Major makers of DRE’s are
– Sequoia
– Diebold
– ES&S
• Policy of “Security through Obscurity”
• Fundamental Challenge – electronic votes
can evaporate with NO remaining
evidence, unlike paper ballots
• Not a transparent process
Rise and Fall of the DRE
• Categories of Possible Attacks
– Corrupt software inserted prior to election day
– Wireless or other remote control attacks
– Attacks on tally servers
– Miscalibration of machines
– Shutting off voting machine features
– Denial-of-service attacks
– Corrupt poll workers' actions
– Attacks on ballots or VVPT
• (thanks to Brennan Center for Justice)
Rise and Fall of the DRE
• Challenges for the Attacker
– Overcome vendor motivation
– Finding an insertion opportunity
– Obtaining technical knowledge
– Obtaining election knowledge
– Changing votes
– Eluding inspection
– Eluding testing and detection
– Avoiding detection after polls close
• (thanks to Brennan Center for Justice)
Rise and Fall of the DRE
• Hopkins Report – Bev Harris discovered
an ftp site for Diebold that contained the
software for its DRE, the AccuVote-TS.
She took it to Aviel Rubin of Stanford.
– “Analysis of an Electronic Voting System” by
Aviel Rubin et al., 7/23/2003
– Based just on code analysis discovered
numerous potential security problems and lax
software engineering standards.
Rise and Fall of the DRE
• SAIC (Science Applications International
Corporation) Report for Maryland State Board of
Elections
– “Risk Assessment Report: Diebold AccuVote-TS
Voting System and Processes”, 9/2/2003
– Only 40 page redacted version (Diebold’s agreement
let them do it) ever released until nearly 200 page full
version leaked 11/2006 by whistleblower
– Risk assessment responding to Hopkins Report,
resolves many problems and hides others
Rise and Fall of the DRE
• Compuware (Corp.) Report
– “Direct Recording Electronic (DRE) Technical Security
Assessment Report”, for the Ohio Secretary of State,
11/21/2003
– Security assessment and validation of four voting
machines, including Diebold’s AccuVote-TS
– About 275 pages with test scenarios, results, and each
identified risk with its risk level (there are a number of them)
– Limited to the voting machine, not policies and
processes
Rise and Fall of the DRE
• RABA (Technologies) Report for the state of
Maryland
– “Trusted Agent Report: Diebold AccuVote-TS Voting
System”, January 20, 2004
– Security experts review the Diebold system, the SAIC
report, and formed “Red Team” exercise to probe
actual system setup
– Successfully hacked it and the GEMS server in
multiple ways
– “Considerable” risks found, but with recommendations
can be mitigated well enough for the primary
– More needed for general election - ultimately need
paper receipts
Rise and Fall of the DRE
• VSTAAB (California’s Voting System
Technical Assessment and Advisory
Board) Report “Security Analysis of the
Diebold AccuBasic Interpreter”, 2/14/2006
– 3 computer scientists from U of California
analyzed AccuBasic, a proprietary, interpreted
language used in a couple machines including
the AV-TSx touchscreen because no ITA
testing was done
– Problems (many easily correctable) found
Rise and Fall of the DRE
• Hursti II Report, a Black Box Voting
Project by Harri Hursti, “Diebold TSx
Evaluation – SECURITY ALERT: May 11,
2006: Critical Security Issues with Diebold
TSx”, at invitation of a Utah county
– Firmware is easy to change
– PCMCIA virus threat
Rise and Fall of the DRE
• Princeton Report “Security Analysis of the
Diebold AccuVote-TS Voting Machine” by
several authors at Princeton University,
Sept 13, 2006
– Obtained one of the DRE machines,
demonstrated Hursti’s proposed virus, and
created a demo virus that attacks an election
– Problems in common with desktop PCs
– Diebold response is that polling place
procedures provide adequate protection
Rise and Fall of the DRE
• Nedap(/Groenendaal) Report –
“Nedap/Groenendaal ES3B Voting
Computer: a Security Analysis”, 10/6/2006
– Used extensively in Netherlands and nearby
– Authors show how anyone can quickly gain
complete and virtually undetectable control
over election results
– Radio emanations up to several meters away
can be used to tell who votes what
– Sold in US by Liberty Voting Solutions
Rise and Fall of the DRE
• TGDC report by STS to NIST calls for Software
Independence, basically ruling out paperless
DRE’s
• By the end of November 2006, NIST concludes
that paperless DRE’s are not acceptable
• At the beginning of December 2006, the EAC
rejects 6-6 recommendation to only certify
DRE’s that use “independent audit technology”
(namely paper). Cost was a factor.
Other Players, Organizations,
Documents
• Douglas Jones
• Aviel Rubin
• Bev Harris – Black Box Voting
• Rebecca Mercuri
• Eugene Spafford
• William Pitt – Truthout
• David Dill – Verified Voting Foundation
• Linda Malone – President of NASED
• Barbara Simons – USACM
• The Brennan Center for Justice
• IEEE, ACM
Douglas Jones
• University of Iowa at Iowa City
• Department of Computer Science
• Gives many talks, lay and technical
• Inspiration for parts of this presentation
– See “Voting Security: A Technical
Perspective”, presented at U of S. Car.
Cybersecurity Symposium, 10/27/2005
Aviel Rubin
• Johns Hopkins University
• Election Judge
• Author “Brave New Ballot: The Battle to
Safeguard Democracy in the Age of
Electronic Voting”
• Analyzed source code at the discovered
Diebold ftp site
Bev Harris
• Seattle grandmother and writer
• Stumbled on the Diebold ftp site, 2002
• Founded Black Box Voting
• Voracious investigator
Rebecca Mercuri
• Founder of Notable Software and
Knowledge Concepts
• Promotes mechanism with printout to be
voter verified which is protected behind
glass before being dropped into box
Eugene Spafford
• Chair of USACM (US Public Policy
Committee of the ACM)
• Endorsed Nov. 2006 STS report
advocating paper trails
William Pitt
• Managing editor of Truth Out
David Dill
• Founder of Verified Voting Foundation
• Stanford University
• Endorses voter verifiable audit trail
Linda Malone
• President of NASED
• Administrator of Maryland’s State Board of
Elections
• In unaired Oct 2006 interview responds to
questions about critical Diebold report with
“I think you are in fantasy land”
Barbara Simons
• Formerly at IBM
• Former ACM chair
• USACM member
• Gives statements and testimony
• Upcoming 2007 book with Doug Jones
The Brennan Center for Justice
• New York University
• 2006 report on security problems of 3
most common electronic systems
IEEE and ACM
• Association for Computing Machinery
• Institute of Electrical and Electronics Engineers
• Professional organizations representing
computer sciences and engineering
• ACM Policy Statement – all systems should
have
– Careful engineering
– Strong safeguards
– Rigorous testing of design and operation
Recommendations
• Keep things in perspective
• Restore and maintain trust
• Regulate, fund, and train
• Decentralize and diversify
• Establish reasonable processes
• Implement an assessment cycle
Recommendations
• Keep Things in Perspective – There are
many factors that influence an election.
Some we accept without question as
legitimate, some are ignored, some are
presented as terrible threats. How much
do we spend to eliminate one threat, no
matter how small and unlikely?
Recommendations
• Restore and Maintain Trust
– Pay attention and respond respectfully
– Educate yourself and others
– Openly take reasonable steps
– Stay calm
– Act quickly and decisively when appropriate
– Question authority at the same time as you
respect authority
– Keep everything as transparent as possible
Recommendations
• Regulate, Fund, and Train – There is no
perfect system, human or technological
– Regulate all aspects of the election cycle
– Provide adequate funding for all aspects of
the election cycle including certification,
acquisition, verification, and development of
hardware and software
– Poll workers are generally low paid and
unskilled, yet the system depends on them!
Recommendations
• Decentralize and Diversify – Attacks (accidental
and malicious) are most effective when
implemented system-wide. Think of virus threat
if all computers were the same or all cattle had
the same DNA – thus the same vulnerabilities!
– Promote competition in the industry
– One size doesn’t fit all – consider costs,
demographics, and accessibility
– Don’t fund a pie-in-the-sky perfect solution
– Limited use of DRE’s may be acceptable
Recommendations
• Establish Reasonable Processes – People
need to know what to do in case of all
kinds of events. Secure systems depend
on the people implementing and using
them following proper protocols.
Development and certification are loaded
with details that are easily overlooked.
Recommendations
• Implement an Assessment Cycle – The
poll workers and others closest to an
election should participate in evaluating
the processes, looking for both good and
bad features, and providing feedback that
will be used (not sit on a shelf!!!) to
improve the system. They see things the
experts miss.