Analysis of Electronic Voting Systems by Johns Hopkins University.
This article has some good points to it. I too am frustrated by the poor coding and systems design by the niche companies that serve the elections communities.
However this analysis, like so many others, ignores the procedural and physical security measures that surround the voting systems.
I am glad that this author took the effort to learn some about the elections process as a polls judge. I would encourage all to observe the official logic testing and recount processes as well.
Smart Cards: If you have EVER gone to a polling place, you will note that it is required that you be a registered voter and listed on a voter index/roster. If you are not, you are required to vote a "Provisional" ballot in most jurisdictions. At this point, it wouldn't matter if the smart card was nothing more than a common unencrypted floppy disk. You didn't pass the first measure of physical control. Other than that, you would need inside knowledge of the unique identifiers on that smart card to activate anything on the voting system.
Casting multiple votes: In this scenario, again you would have to know the unique identifiers used in the election. This would be an inside job performed by a vendor or election official. Also, vote trends would detect an anomaly if a percentile difference for votes cast or ballots cast in a precinct deviated from the norm and would throw a red flag EVEN IF the total votes cast was not audited against signatures on the index of voters. This would be detectable by the public when presented on the precinct level votes report.
Accessing administrator and poll worker functionality: This is a procedural issue that should be addressed by the election official. PINs should be complex and changed each election where possible. This would also require access to an existing valid administrator card. This IS a poor security design, although other systems do not follow this model.
Election configurations and election data: Data storage manipulation requires unfettered access to the voting terminal. Again, proper physical security measures prevent this. Networking should never be used when it is connected to external systems such as the election official's LAN or Internet. Barring open network connections there is nothing to be faulted with network data uploads as long as all systems within the network are properly secured, updated and virus free.
Tampering with the system configuration: Unfettered access to the machine or data would be required to accomplish this. Vote trends and patterns would detect any manipulation of the votes cast.
Impersonating legitimate voting terminals: PLEASE GOD! Show me one election jurisdiction that is STUPID enough to upload results through the public internet! And yes, the voting device ID is verified by the backend server and may only be uploaded ONCE, thereby throwing a red flag when a duplicate is encountered.
Key management and other cryptographic issues with the vote and audit records: Encryption is not used on many of the voting terminals that I am familiar with. And yet the one company that goes the extra step is criticized because of it. If it were that big of an issue, all vendors would be required to implement it. Encryption does not matter unless you are able to get that data into the system.
Tampering with election results and linking voters with their votes: Again, show me someone who has intercepted a voting machine, cracked the encryption, rewrote the votes, re-encrypted the data, copied to all redundant media, with full cooperation of the multi-partisan poll site employees who would detect this when either opening the polling site or reconciling the votes cast to the voter index. These geeks have no clue, I could find plenty of fault in the CIA's systems if I had full access to them.
LINKING VOTERS WITH THEIR VOTES: Honestly, who really cares? Elections officials don't care who voted for whom. I don't care if you know who I voted for. People want to know if their vote counted, yet they want it secret. You can't have both. Also, linking voters with their votes would require the cooperation of all poll workers in the precinct. Not likely due to the mixed party panels.
Audit logs: Audit logs tell you that something went bad after the fact. Votes are in the system, untraceable to a voter and we can't get them out in an intelligent manner. Any seeding of votes into the system prior to e-day would be caught by a poll judge. Any during the day would require cooperation of a multi-partisan poll panel. Why, when, how would you alter these logs?
Attacking the start of an election: Yes, let's download the files over the Internet. Who does this?!?!?! Why don't we make up an outrageous situation that doesn't exist to garner public support for our position?
Software engineering: From this point on, these "Experts" get into detail that is beyond the concern of the public and more of a concern for anal retentive tech geeks. I could care less if it was spaghetti-code with goto, line labels, multiple return paths and general chaos. If it fulfills a purpose and can be implemented in a secure way, the code doesn't matter.
I encourage anyone out there to volunteer to observe and learn about the elections process. Testing is mandated to be publicly observable in all California jurisdictions. Ask, learn and understand. Or you may speculate, suppose, assume and call yourself an "Expert".
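The backend checks the post relies on (a results upload is accepted only from a known device ID and only once, and ballots cast are reconciled against signatures on the voter index) can be sketched as follows. This is an added example, not code from the post or from any voting system vendor; the class, device IDs, precinct names and counts are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Canvass:
    """Central-tally checks: known terminal, one upload each, ballots vs. roster."""
    registered: dict   # device_id -> precinct
    signatures: dict   # precinct -> signatures on the voter index
    accepted: dict = field(default_factory=dict)  # device_id -> ballots cast
    flags: list = field(default_factory=list)     # (reason, device_id) red flags

    def upload(self, device_id, ballots_cast):
        """Accept a terminal's results once; flag unknown or repeated device IDs."""
        if device_id not in self.registered:
            self.flags.append(("unknown_device", device_id))
            return False
        if device_id in self.accepted:
            self.flags.append(("duplicate_upload", device_id))
            return False
        self.accepted[device_id] = ballots_cast
        return True

    def reconcile(self):
        """Precincts where ballots cast differ from roster signatures."""
        totals = dict.fromkeys(self.signatures, 0)
        for device_id, ballots in self.accepted.items():
            totals[self.registered[device_id]] += ballots
        return {p: (totals[p], self.signatures[p])
                for p in totals if totals[p] != self.signatures[p]}

    def not_reported(self):
        """Registered terminals that have not uploaded yet."""
        return sorted(set(self.registered) - set(self.accepted))

def demo():
    # Constructed sample data: three terminals in two precincts.
    c = Canvass(registered={"T-001": "P1", "T-002": "P1", "T-003": "P2"},
                signatures={"P1": 410, "P2": 198})
    c.upload("T-001", 205)
    c.upload("T-002", 205)
    c.upload("T-003", 230)   # 32 more ballots than signatures in P2
    c.upload("T-003", 198)   # second upload from the same device ID
    c.upload("T-999", 50)    # device ID not registered for this election
    return c

if __name__ == "__main__":
    c = demo()
    print(c.flags, c.reconcile(), c.not_reported())
```

The rejected second upload leaves the first one in place, so the P2 discrepancy still surfaces in `reconcile()` and has to be resolved against the paper roster.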
1 Comments:
Again, this would require an insider to hack the binary/object code in the election software on over 1,000 machines (depending on the size of the jurisdiction). Most California counties have 4,000+ machines.
This hack would also have to pass the PUBLIC pre-election logic tests (which it would not). Ask your election official about when these tests are performed and witness for yourself. After these tests, the tested code should be placed in a secure repository (usually with the Secretary of State).
If the elections official has the ability to do so, they would also run an MD5 hash to check the binary code for anomalies against the Federal/State certified binaries.
By Veggivore, at 9:06 PM
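The hash check the comment above describes, comparing installed binaries with a certified set, looks like this in practice. It is an added example, not part of the original comment or any election official's tooling; the file names, the manifest format and the temporary directory standing in for a machine's install are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_file(path, chunk=1 << 16):
    """MD5 of a file, read in chunks (MD5 because the comment names it)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_install(root, certified):
    """Compare every file under root with a certified {relative_path: md5} manifest."""
    root = Path(root)
    found = {p.relative_to(root).as_posix(): md5_file(p)
             for p in root.rglob("*") if p.is_file()}
    return {
        # Same name as a certified file, different contents.
        "mismatch": sorted(n for n in found
                           if n in certified and found[n] != certified[n]),
        # Certified file that is absent from the machine.
        "missing": sorted(set(certified) - set(found)),
        # File on the machine that the certified set does not list.
        "unexpected": sorted(set(found) - set(certified)),
    }

def is_clean(report):
    """True only when all three lists are empty."""
    return not any(report.values())

def demo():
    # Constructed sample: a temp directory stands in for one machine's install.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ballot.bin").write_bytes(b"certified build")
        (root / "tally.bin").write_bytes(b"certified build")
        certified = {n: md5_file(root / n) for n in ("ballot.bin", "tally.bin")}
        certified["report.bin"] = "0" * 32   # placeholder hash, file not installed
        (root / "tally.bin").write_bytes(b"modified build")
        (root / "extra.dll").write_bytes(b"not in the certified set")
        return verify_install(root, certified)

if __name__ == "__main__":
    print(demo())
```

MD5 is not collision resistant, so where the certifying body publishes SHA-256 values, replace `hashlib.md5` with `hashlib.sha256`. The check is only as trustworthy as the manifest and the system that runs it, so both should come from outside the machine being verified.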