From: jei at cc.hut.fi (Jei)
Subject: Rigged Electronic Voting Machines

Going to be a fun election?

  #define DESKEY ((des_key*)"F2654hd4")

http://www.jewishtimes.com/2435.stm

BALLOT BOXING

Joel N. Shurkin OCTOBER 29, 2004 -- Last month, U.S. Sen. Barbara A.
Mikulski decided to try one of Maryland's new voting machines in Takoma 
Park. It was a brand-new Diebold AccuVote-TS. The state of Maryland has 
just spent $55 million for the ATM-like electronic voting devices to be 
used in the upcoming presidential election.

The AccuVote, acting just as a demonstration, offered two choices: 
"yes" and "no." Sen. Mikulski pressed "no." The machine registered "yes."

The cackling sound you heard was Avi Rubin, technical director of the 
Information Security Institute at Johns Hopkins. But, as Dr. Rubin will 
openly confess, it really wasn't funny.

One-third of voters in the November election will be using electronic 
voting machines, simple-minded computers that record and report votes. Dr. 
Rubin and many computer scientists see nothing less than a threat to 
American democracy in these machines. They are easy to tamper with, he 
believes, and that makes it possible to rig elections. Indeed, there 
already are conspiracy theories flying around the Internet of a 
conservative plot to steal the presidential election. (A number of 
Conservative groups are equally unhappy about the instruments.) In many 
cases they are set up to prevent recounts in case of disputes.

Plots to the contrary, after what happened in Florida in 2000 -- and what
is happening in Florida now -- attention must be paid.

It was Dr. Rubin who first raised serious security issues with the 
electronic voting machines and who has taken the brunt of attacks from the 
voting machine industry. He instantly rose from an obscure Jewish computer 
scientist to a media star, and he's having a wonderful time.

"After my study broke, the public relations office had television crews 
lined up outside my office and for a five-week stretch, I was on national 
television every week," he said.

He is still quoted regularly in the national media on the debate over the 
machines as the election nears, and this spring he reached the apogee of 
contemporary culture, a brief appearance as a "Zen moment" on the "Daily 
Show with Jon Stewart" on cable. He was scheduled for "60 Minutes" this 
week.

Someone recognized him at the swimming pool at the Owings Mills Jewish 
Community Center as the guy on television, and even his plumber announced 
himself impressed.

How much effect his efforts have had in curbing the use of the electronic 
devices or in modifying how they are used is not clear. Several states, 
confronted with challenges to the integrity of their elections, have 
backed away from using them, several have changed the voting method to 
make them more secure and others -- most particularly Maryland -- became
defensive and refused to budge.

"His study had an enormous effect," said Barbara Simons, former president 
of the Association of Computing Machines (ACM), the computer scientists' 
professional organization. "Of course it didn't prevent Maryland from 
buying the stupid machines."

"What we're fighting about is democracy. If we lose confidence that our 
votes will be accurately counted, that's it," she said.

The voting machines are technically known as Direct Recording Electronic 
voting machines or DREs.

Dr. Rubin's adventure began last year almost by accident. Bev Harris, a 
writer in Renton, Wash., was researching a book on electronic voting in 
January 2003. While "googling" for background, she stumbled on a Web site 
that turned out to be an electronic archive of a company bought by Diebold 
Inc. The site was huge, containing hundreds of unprotected company files 
that could be downloaded by anyone who wanted them. One file hinted that 
Diebold had put code that was uncertified for elections in DREs headed for 
a Georgia election, which is illegal, so she downloaded it to see. The 
download took 40 hours and filled seven CDs.

She posted what she found on a Web site in New Zealand (geographic 
distance means nothing to these people) and someone told her that one file 
looked suspiciously like Diebold's source code, the programming that lies 
at the heart of the DREs.

Posting unprotected source codes for a commercial product on the Web is 
rare and considered unspeakably stupid in the computer world, so, word 
spread quickly, and a computer scientist at Stanford University told Dr. 
Rubin. Dr. Rubin, in turn called in Adam Stubblefield, a doctoral student 
at Hopkins, and Tadayoshi Kohno, a summer graduate student, telling them 
they needed to drop everything and come see what was on his computer. What 
they were looking at, they concluded, was a program compiled in 2000 and 
its April 2002 update, apparently posted so programmers could work on it. 
It was nothing less than the programming that made the voting machines 
voting machines.

The students pored over 49,609 lines of "code," computer language commands 
that look like hieroglyphics to anyone not trained as a programmer. One 
line blew them away. It means nothing to laymen, but it was enough to make 
Dr. Rubin's hair stand on end.

#define DESKEY ((des_key*)"F2654hd4")

All commercial programs have provisions to be encrypted, protected by 
secret code so that no one could read or change the contents without the 
encryption key. That is particularly true of programs that require 
transmission by telephone or wireless networks. The line that staggered 
the Hopkins team told them first, that the method used to encrypt the 
Diebold machines was a method called Digital Encryption Standard (DES), a 
code that was broken in 1997 and is no longer used by anyone to secure 
programs. F2654hd4 was the key to the encryption.

The programmers had done the equivalent of putting the family jewels in a 
safe, putting up a blinking neon sign reading "Jewels in Here!" and taping 
the lock's combination to the safe door. Moreover, because the key was in 
the source code, all Diebold machines responded to the same key. Unlock 
one, you can unlock them all.

That was only one of the problems Dr. Rubin's team found. The computer 
language used to write the program, C++, is never recommended for secure 
programs because hackers can -- and do -- attack it easily. There are other
programming languages far more secure that the Diebold programmers 
ignored, perhaps because they didn't know them well.

Additionally, all large computer programs, which can sometimes run into 
the hundreds of thousands of lines, are written by teams and therefore are 
extensively annotated. One programmer or a team puts in an instruction and 
then adds a note explaining why it was done that way. Other programmers 
can add comments or base what they do on the reasoning in the comments. 
Or, they can use the annotations to hunt for bugs when the program 
misbehaves.

Dr. Rubin said that when he worked for IBM one summer, there were three 
pages of notes for every line of code, and no line was added until 
committees of reviewers approved. Whole pages of the Diebold source code 
were without annotations or signs of review, something you don't see on 
professionally written programs, he said. Some of the annotations that 
existed even warned that the code contained unfixed bugs. Clearly, Dr. 
Rubin thought, Diebold was not using the top of the class at M.I.T. to 
write programs for its voting machines.

The code is so badly written, Dr. Rubin shows sections to audiences at
computer science conferences to get laughs.

Moreover, the Diebold program was written for computers using Windows, 
Microsoft's relatively unstable and notoriously insecure operating system, 
the target of choice for hackers everywhere. (Almost all the staff of 
Hopkins' security institute uses Apple Macintoshes, which are virus-free 
and far more difficult to tinker with.)

Oh, there is more. The method chosen by Diebold for voting required the 
voting officials to check the registration of each voter and then hand 
them a "smartcard," a credit card-like piece of plastic containing digital 
information that essentially turns the machine on. The machine reads the 
card and if the information is correct, permits the voter to cast his or 
her ballot.

The smartcards chosen for the Diebold DREs were not encrypted and could be 
forged by a 15-year-old in his bedroom at an equipment cost of about three 
weeks' allowance, Dr. Rubin said. Anyone with a phony card could vote more 
than once.

Dr. Rubin, the Hopkins students and a colleague from Rice University 
posted their findings on the Internet (later in an engineering journal) 
and then Dr. Rubin, who is not shy, called John Schwartz of The New York 
Times, at which point, all hell broke loose.

The reaction of the voting machine industry -- especially Diebold, one of
four voting machine manufacturers -- was furious. The first comment,
besides attacking Dr. Rubin and company, was to deny there were problems. 
When other studies showed the same things, the defense switched to 
admitting there were problems but they had been fixed.

Diebold says the programming in the machines it sells now -- including
those to be used in Maryland -- is not the same programming the Hopkins
study looked at. Since the programming also is proprietary and Diebold 
won't show any new versions to anyone, the claims must go unverified, 
which is a whole other problem.

Dr. Rubin does not believe the machines are fixable. Diebold says the 
smartcards now are encrypted.

"The problems were at different levels. Some are fixable, like they used 
broken encryption, but you can fix that -- put in good encryption. But
there was a very bad software engineering process that went into the 
machines. It was clear looking at the code. If you have a software package 
that is as bad, the answer is not to try to plug the holes and fix it 
because every time you do that, you introduce new bugs. I don't think you 
should try to evolve 45,000 lines of broken code into a system that's 
secure. You need to start over with a more talented and experienced team.

"I joked with my wife about wearing a bulletproof vest," Dr. Rubin said. 
"We lost them a lot of business and put their industry in turmoil."

Nonetheless, whatever is in those machines is what you will use in the 
November election and so will voters in 38 states.

He was not planning on such a public life.

He was born in Kansas where his parents, both academics, were graduate 
students. In something of a reversal of roles, his father became an 
English professor (specialty: English Jews in English literature) and his 
mother is a mechanical engineer, the type of person who writes computer 
programs in FORTRAN to create recipes for dinner.

In 1970, they made aliyah.

The Rubins taught in Israeli universities for six years. Then Israel was
inundated with refugees from the Soviet Union and the universities thought 
they were in more need than former Americans, so the Rubins lost tenure. 
They moved back to the United States in 1976. The family moved to Alabama 
where Dr. Rubin was in the first graduating class at the Birmingham Jewish 
day school. Dr. Rubin and his three siblings and parents (who now teach at 
Vanderbilt) often speak Hebrew when they are together.

He got his Ph.D. in computer science from the University of Michigan.

"When I got my Ph.D., my adviser said, you have a Ph.D., you're a computer 
scientist. Don't be too narrow. Now I've managed to become synonymous not 
only with computer security but a tiny little subfield of it," he said.

What he also got involved with was a battle between bureaucrats, including 
those who staked their careers on buying DREs, and academics. Both sides 
accuse the other of not knowing what they are talking about. Most of his 
colleagues in computer science, he said, support his position. Dr. Simons, 
now a co-chair of ACM's public policy committee, agreed.

Other computer security specialists, including the National Security 
Agency, testified in support of the Hopkins study.

Legislators, concerned with what the Hopkins study showed, asked the 
Department of Legislative Services to review the state's purchase of the 
Diebold machines and held hearings. First, they hired a firm called SAIC 
to study the situation, and then hired RABA Technologies, a Maryland 
consulting company to review both studies. SAIC said Dr. Rubin was correct 
in his assessment but didn't completely understand the Maryland voting 
system. RABA supported the Hopkins study in most of its accusations and 
found even more problems.

RABA's Michael A. Wertheimer and a team of company hackers broke into the 
Board of Elections computer, changed the results of a mock election and 
then backed out without leaving a trace.

"We did it in under five minutes," he told "The Daily Show."

Then there is what happens when the results are uploaded from the DREs to 
the state's computer.

"You're more secure buying a book from Amazon," he concluded.

He also found that the Maryland election officials had not upgraded
Windows with security patches from Microsoft and were, in fact, 15 
upgrades behind. Every time they tried to load a patch, Windows crashed.

Mr. Wertheimer finally suggested the machines be wrapped in 
tamper-resistant tape around the machines, something Linda Lamone, the 
state's election administrator, says can't be done in time and would look 
awful.

More important to Dr. Rubin, "RABA found the Hopkins report to be a 
thorough, independent review of the AccuVote source code and should be 
credited with raising valid issues that have resulted in considerable 
improvements," concluded RABA.

But the state hasn't done enough improvements to suit Dr. Rubin and his 
allies.

There are 150 million registered voters in America and a third will be 
using voting machines despite the fact the machines have never been tested 
in a mass scale. Anecdotally, there are reasons for concern.

New Mexico, a leader in electronic voting, went to Al Gore in 2000 by 366 
votes. In one county, 678 out of 2,300 votes cast went uncounted. The 
voting machines lost them.

Remember the hanging chads in Florida? They weren't the only problem the 
state has had with elections. Some areas used electronic machines, 
including Miami-Dade County. A study by the American Civil Liberties Union 
reported that in the Democratic gubernatorial primary in 2002, 8 percent 
of the votes cast in 31 Miami-Dade precincts was lost.

California bought the machines, decertified them and changed its mind. It 
is suing Diebold and once threatened criminal charges on grounds that the 
company made false claims about the machines. Ohio, one of the election's 
swing states, is only one of several that have pulled the plug on DREs, as 
has Missouri. The revelation that Diebold made political contributions to 
the Republican Party didn't make critics any happier, although Diebold's 
competitors are Democratic contributors.

Critics have been stunned by the reaction of Maryland officials, 
especially Ms. Lamone, the state's administrator, who apparently is now
fighting for her job. Officials have defended the machines with a passion 
that sometimes even exceeded the manufacturer's defense, claiming all the 
problems have been fixed. Ms. Lamone went to court to defend against a 
suit brought by a voter group to force the state to change its system and 
she won.

"Maryland is acting as though they are the ones selling the machines 
instead of buying them," Dr. Rubin said. "I think there is some face 
saving and some embarrassment. If you spend $55 million and someone says 
it was a bonehead purchase you might get defensive. Some jobs are on the 
line about this, I believe."

Del. Jon Cardin (D-11th) defends the state's decision. He is a member of 
the House Ways and Means Committee and participated in a summer 
investigation of the voting process in Maryland. He said that of the more 
than 100 suggestions made to improve the machines and the voting process 
"almost every single one was complied with by the State Board of 
Elections." Part of the problem with sorting through the issues is clear 
differences of opinion among the experts.

Mr. Cardin says that the rate of error in paper balloting is 7-9 percent, 
while the error rate with computers is minuscule. (A joint study by the 
California Institute of Technology and the Massachusetts Institute of 
Technology disagrees. Paper has the lowest error rate, the study said. 
Electronic machines were no better than punch cards. Mr. Cardin says he 
has not seen the study.)

Mr. Cardin also said breaking into the machines and changing votes would 
be very difficult and require great computer skills and technical 
knowledge and is hence very unlikely.

"I am [more] concerned that there is a contingent of people that have lost 
confidence in the voting system, not in the integrity of voting," he said.

There is a process that can mitigate some of the danger: a paper "trail." 
The DREs would be attached to printers and whenever a vote was cast, the 
printer would reproduce the vote on paper. The voter could then certify 
that, unlike the machine Sen. Mikulski played with, the DRE got it right. 
Also, if there were a need for a recount, there would be a paper record of 
the votes. By comparing numbers, it would even be possible to detect 
multiple votes or ballot stuffing.

Several states have implemented paper trails, and Nevada successfully held 
an election this summer with paper backup that everyone, including Dr. 
Rubin, thinks went well. "A paper trail keeps them honest -- if [the paper
ballots] are counted," Dr. Rubin said.

Nevada, however, wasn't using Diebold DREs and Diebold's machines aren't 
designed for use with printers. Printers also cost money, another reason 
for resistance by state officials.

Florida election officials (all Republicans), on the other hand, have 
barred paper trails and ruled against manual recounts in case a result is 
contested, a decision that was thrown out by a state court on Sept. 27. If 
the officials appeal and win, we would never know the true winner of 
another close Florida election.

"If we have an election that is really close like we did in 2000 and there 
are places in which the vote is disputed that were fully electronic, we 
won't have hanging chads to recount," Dr. Rubin said.

Another state without paper trails, of course, is Maryland, partly because 
it is using Diebold's devices, and partly because of the stubborn 
insistence by Ms. Lamone's office that paper trails are unnecessary.

Sen. Mikulski, meanwhile, has signed onto a bill in Congress that would 
make paper backup mandatory but not until 2006. Meanwhile, in many places 
where results could be very close, it may not be possible to do recounts 
and we may never know the outcome of the races. The ACM's Dr. Simons 
thinks the upcoming election may wind up in court again, and this time 
because of electronic voting. If there is cheating, it may go undetected, 
she said.

Dr. Rubin is keeping himself busy at Hopkins and as an expert witness in
computer security matters, a very lucrative trade. He also has a raucous 
family at home with three young kids, including 2-year-old twins. His 
eldest goes to Krieger Schechter Day School and Dr. Rubin is on the 
school's computer technology advisory committee. The family belongs to 
Chizuk Amuno.

Journalists and voting advocacy groups still regularly consult him. Dr.
Rubin points out that there actually is an almost foolproof voting method, 
hard to corrupt and capable of producing completely accurate counts: 
paper.

Paper can be used in two ways, he said. One is simply having people mark 
the ballots, put them in boxes for recounting later, the way it was done 
in the 18th century and as far as anyone knows, still the most exact way 
of running an election. Cheap too.

Another possibility, if people insist on 21st-century technology, would be 
to take the paper ballots, put them in optical scanners and let the 
scanners accumulate the votes. That might be faster than manual counting, 
is very accurate, and if there are problems, election officials can always 
go back and recount the paper ballots.

Stung a bit by the criticism that he -- an academic -- knew nothing about
voting procedures, Dr. Rubin volunteered to be an election judge in 
Baltimore County in the spring. His experience is that well-run voting 
places are of great help in protecting the integrity of the vote. He no 
longer worries about the smartcard problem in efficient polling places. 
With nine judges and five machines, it would have been easy to spot 
someone fooling around in the booth.

One flaw he found worse than he expected is the use in the Diebold plan of 
a "zero" machine, one of the DREs that would accumulate all the votes in 
the other computers for counting. "There is no need to attack all the 
machines," he said. All a hacker had to do was attack that one DRE, 
especially since that machine is the one that phones in results, making it 
vulnerable in multiple ways.

He still doesn't think DREs are a good thing, even with a paper trail. The 
only machines he prefers would be simple devices that act as 
intermediaries between the voter and a printer. He is not worried about 
people hacking the network between the voting machines and the state 
computer.

"The biggest concern I have is that someone would rig the machines," Dr. 
Rubin said. "This would be somebody at the manufacturer or somebody with 
physical access to the machines who could change the software. Traditional 
Internet-based hacking is not the issue."

If jurisdictions use paper trails to DREs, the same manufacturer should 
not make both the DREs and the printers, he said. That would reduce the 
chances of a conspiracy or at least broaden the conspiracy and make it 
more difficult to operate and easier to detect. He admits, however, that 
when he was a primary voting judge the people using the Diebold DREs loved 
them.

"They raved about them to us judges. The most common comment was 'that was 
so easy.' I can see why people take so much offense at the notion that the 
machines are completely insecure... I was curious that voters did not seem 
to question how their votes were recorded.

"I continue to believe that the Diebold voting machines represent a huge 
threat to our democracy. I fundamentally believe that we have thrown our 
trust in the outcome of our elections in the hands of a few companies who 
are in a position to control the final outcomes of our elections.

"The more e-voting is viewed as successful, the more it will be adopted," 
he said, "and the greater the risk when someone decides to actually 
exploit the weaknesses in these systems.

"I am not against technology. I drive a car, get on airplanes and ride 
elevators. However, if the code in any of these was as bad as Diebold's 
software, I wouldn't. I think that the real difference is the adversary 
model. If there were trillions of dollars worth of incentives for people 
to rig elevators so that they crashed, I would be advocating for only 
using stairs."
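
Added example, not part of the original post or article and not vendor code: a small source-review check that flags the pattern the quoted `#define DESKEY` line shows, a key embedded as a string literal so every build and every machine shares it. The sample source, the rule names, `admin_secret` and `des_encrypt` are constructed for illustration; only the `DESKEY` macro comes from the page.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int
    rule: str
    name: str


STRING_LIT = r'"(?:[^"\\\n]|\\.)*"'
SECRET_NAME = re.compile(r"key|secret|passw|token", re.I)
MACRO = re.compile(r"^\s*#\s*define\s+(\w+)\b(.*)$")
ASSIGN = re.compile(r"\b(\w+)\s*(?:\[\s*\d*\s*\])?\s*=\s*" + STRING_LIT)
KEY_CAST = re.compile(r"\(\s*(\w*key\w*)\s*\*\s*\)\s*" + STRING_LIT, re.I)
DES_USE = re.compile(r"\bdes_\w+", re.I)
COMMENT_OR_STRING = re.compile(r"//[^\n]*|/\*.*?\*/|" + STRING_LIT, re.S)

# Constructed sample: line 2 is the macro quoted in the article, the rest is
# hypothetical surrounding code used to exercise the rules.
SAMPLE_SOURCE = r'''#include "crypto.h"
#define DESKEY ((des_key*)"F2654hd4")
#define MAX_BALLOTS 4096
// #define OLDKEY "unused"  (commented out, must not be reported)
static const char *banner = "key: press any button";
static const unsigned char admin_secret[] = "constructed-value";
int store(rec *r) { return des_encrypt(r->buf, r->len, DESKEY); }
'''


def strip_comments(source: str) -> str:
    """Blank out C/C++ comments, keeping string literals and line numbers."""
    def repl(match: re.Match) -> str:
        text = match.group(0)
        if text.startswith('"'):
            return text                      # string literal: keep as is
        return re.sub(r"[^\n]", " ", text)   # comment: replace with spaces
    return COMMENT_OR_STRING.sub(repl, source)


def scan(source: str) -> list:
    """Return findings for literal key material and DES identifiers."""
    findings = []
    for no, line in enumerate(strip_comments(source).splitlines(), 1):
        macro = MACRO.match(line)
        if macro:
            # Macro whose name looks like a secret and whose body holds a literal.
            if SECRET_NAME.search(macro.group(1)) and re.search(STRING_LIT, macro.group(2)):
                findings.append(Finding(no, "secret-in-macro", macro.group(1)))
        else:
            # Variable whose name (not its contents) looks like a secret.
            for a in ASSIGN.finditer(line):
                if SECRET_NAME.search(a.group(1)):
                    findings.append(Finding(no, "secret-in-initializer", a.group(1)))
        # String literal cast straight to a key pointer type.
        for c in KEY_CAST.finditer(line):
            findings.append(Finding(no, "string-cast-to-key-type", c.group(1)))
        # Any des_* identifier: the cipher itself needs review, not just the key.
        for ident in sorted({d.lower() for d in DES_USE.findall(line)}):
            findings.append(Finding(no, "legacy-des-identifier", ident))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} ({f.name})")
```

A hit from this check means the key ships inside every copy of the binary; the remedy is per-device keys provisioned outside the source tree and a current cipher, not a different literal.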

