Yes
They are far from secure yet, and the temptation to tamper with the results comes from both inside and outside.
Security experts have warned that electronic voting systems are decades away from being secure, and to prove it a team from the University of Michigan successfully got the foul-mouthed, drunken Futurama robot Bender elected to head of a school board. In 2010 the Washington DC election board announced it had set up an e-voting …
[...] another tester told them the system was secure, but that they should lose the music on the sign-off screen, as it was rather annoying.
So this is what passes for a test? Seems to me that a "test" would require some number of annoying little details collectively referred to as "requirements", and any tester that can reasonably be called that would have immediately noticed that there was no requirement for the U of M fight song.
If this is how these systems are "tested" then there is no hope of ever securing them. (Of course, that would presume that the testers were actually competent, and not some other political hack's cousin or something....)
I want paper and a pencil!
Note the "testers" were mostly (if not all) Universities. I've yet to encounter any fresh University graduates (even PhDs) who didn't need on the job training on all aspects of professionalism, including how to write and analyze specifications, as well as how to scope out a project, etc.
Well, if the hacker who got into the system before you takes steps to secure it to prevent others hijacking their hard work, then it could easily be more secure against further attacks. Indeed, a quick read of the article suggests that other attacks were detected and blocked by Halderman.
This is why pen-testing alone is insufficient.
Yes, because a lot of the time what passes for testing is not testing, it is merely verification that something is working. Typically testing is entering 'correct' values into whatever is being tested and when it works it is considered tested.
Some people have no idea what testing on boundary conditions means.
The goal of a voting system should be to accurately record and report votes, not necessarily to "make voting easy". In fact, we'd be better off if we did something small to discourage idiots from voting. Such as having to pass a simple test (what are the three branches of the federal govt; who is the president; what is the basic legal document of the USA). Yes, I know tests were used in the past to discriminate racially; I think we should use them to screen out idiocy.
I'd be interested in any feedback about my web page http://www.billdietrich.me/Reason/ReasonVotingMachines.html Thanks.
Indeed, but in the UK at least, the (locked) boxes are taken from the polling booths straight to be counted. So, you'd have to break into them either in the polling booth, in the transporting vehicle or in the counting station. Any of which would be pretty obvious, since people (volunteers) are always around them.
I like our system, generally good physical security. Problems generally appear with the postal ballots.
That assumes you have all parties properly represented at the polling booth - a situation that all too frequently doesn't occur in the states. I work as a partisan observer at my local polling location during elections. I'm authorized to challenge voters whom I think are ringers, but that's it. They were actually quite surprised when I showed up. Seems my party hasn't had a rep there in forever (being as I represent the minority party and we'll never win an election in my precinct). Oddly enough, since they are assured of victory I've never seen my partisan counterpart either.
Having observed from the inside, the one thing of which I am certain is that the only thing keeping the election honest is that the people doing the work at the station are also trustworthy. I can't be there the whole time, so there's plenty of opportunity both before and after, that if one of those folks was properly equipped and intent on doing so, the election results could be altered.
A friend has parents who are both Salvation Army officers (pretty upstanding & reliable members of society, I think we'd all agree), and they have frequently (and for many years) been involved in the physical process as monitors at the polling stations. However they have *never* been invited to join in the teams that actually count the papers, and say that they have *no idea* who those people are...
If anyone knows how the counters are recruited, I'd be interested to hear.
(Personally I think all 'representative democracy' is like giving sheep the choice of which wolf they want to be eaten by... it doesn't really matter which one wins)
It is a while since I have been involved but in the UK the tellers are bank employees who are junior enough to want to earn a few extra quid. They are supervised by the returning officer (often the Mayor) and his staff of council employees.
Your friends sound like tellers who are unofficial volunteers from the political parties who sit outside the polling station and invite voters to identify themselves. The candidates' representatives use this information so that they can identify their probable supporters who appear not to have voted yet.
Each candidate is entitled to be present at the count and is allowed nominees to watch each table. It is open to the press but the public are not allowed in.
There is a more detailed description here http://www.helium.com/items/1798154-counting-the-votes-in-a-uk-election It took me at least ten seconds to find that so I guess you were not that interested to hear how it works.
WARNING: Anecdotal 'evidence'
I have a relative who was one of those polling station volunteers and apparently they have the means to re-seal the ballot box. At some point in the day they realised they'd neglected to stamp some of the ballot papers, rendering those votes invalid. They opened the ballot box, stamped the papers, and resealed the box with nobody else being any the wiser.
As with security in all systems, paper and pencil alone is not the answer. Paper and pencil alone are easily duplicated and easier for BOFPH to manipulate. Despite the hanging chads from a certain incompetent Democrat district in Florida, the old IBM punch systems are probably the most secure given proper maintenance of the systems, and a known secure system of first transporting tested and certified machines from the certification location to the voting place, and then transporting them from the voting place to the vote counting certification location. It also requires a known secure means of counting the ballots after they arrive at that location. Compromise any of those links and you're frelled. For purposes of this exercise, I have assumed horses are frictionless perfect spheres, I mean the voting process itself was not compromised via multiple voting techniques.
In short, only significant involvement of trustworthy people in the entire voting process assures proper elections. Which is frequently a hurdle too high for even the simplest systems.
I find it worrying that these kinds of things are still newsworthy. There is ample evidence of e-voting systems being ripe for abuse, together with real-life examples of exploitation, dating as far back as JW Bush's first election, that it smells like conspiracy. I hate to come across as the tinfoil-hat person, but these things just cannot have been missed by the people in charge. It must be at the very least considered gross negligence. Heads should have rolled a long time ago. It really looks like officials in charge of elections have been covering their ears and singing "lalalala I can't hear you" for the past decade. If _any_ other kind of tech vendor had attempted that kind of embezzlement, they would have been sued into oblivion faster than you can say "not fit for purpose". It seems that democracy really is the least concern for the people whose job is precisely to safeguard it. Which is where the reader should refer to the title of this post...
Good example! The "hanging chads" on the paper ballots in the 2000 Presidential elections dispute was *really* good "evidence of e-voting systems being ripe for abuse".
(How are those reading comprehension lessons going, by the way? You need to put a bit more effort into them, apparently.)
Incidentally, while you were wherever it was that you've been for the last few years, there have been any number of examples of high-profile and government organizations being "hacked". Had you been able to pay just a little more attention, you might have noticed this, and then drawn the inescapable inference that there seems to be no sector of government (or industry) that has the first clue about computer security, and that, consequently, your idea that e-voting systems are insecure, not because of incompetence, but because of some kind of devious plot, is pretty damn stupid. Which is what we would have to expect from you, right? After all, plus ça change, know what I mean?
And yet you are nevertheless correct: electronic voting systems *are* a really bad idea. (But then again, even a broken clock tells the correct time twice a day.)
So you just want to gloss over the e-voting systems that had a negative seed total against certain candidates and whose audit logs were thrown in a skip? Believe they were the shitty Diebolds that had totals stored as a count on a removable card so you could just "reset" the device and stick a count of -10000 against a candidate. You must have missed that investigation that was televised around the World.
What sort of keyboard do they have that takes decades to type anything besides "admin"? Write as many files as you want to the image directory, you're just going to annoy the server admin and they'll patch that up real quick. You might think "well if there are things as simple as shell injection and a default username/password, you have to wonder what else there is" and that's a valid point, but this particular team didn't prove anything except that they know the first rule of hacking: always try the default username/password. Presumably before any system goes live they have at least one person with at least some experience test it? They would easily find this vulnerability and change the password, but maybe I give the government too much credit.
The whole point is that security cannot ever be a huge pile of retrospective patches to a broken design, that's always a fatal error.
Security has to be well considered and designed in with a spec for both functionality and how that relates to security from the beginning of that project. You then test that the device meets that spec, and only that spec (i.e. unauthorized features are a security violation), and then you might have a secure device.
The fact is that the supplier of this technology thought this was a "production ready" device three weeks before an election, and external testing picked up all of these problems. Assuming internal testing missed all of these issues, and if they had missed all of these glaringly obvious problems then you have to then ask "what else did they miss"?
Good security requires the right mindset - these kind of bugs implies this supplier doesn't have it. And Ruby - really? You want a secure system which has to cope with "please tick the box" type answers, and you stick a huge unaudited third-party codebase in the middle of your system. Security needs KISASS (keep it simple AND small stupid) - minimal attack surface, and therefore minimal verification required.
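The "shell injection" the earlier comment mentions, as an added illustration in Ruby (the language the thread says the pilot used). This is not the pilot's code and says nothing about what the real vulnerable call looked like; `echo` stands in for whatever command the real system ran, and the filename is constructed. It shows the one habit that removes the whole bug class: never let attacker-controlled text reach a shell as part of a command string.

```ruby
require 'shellwords'

# Added example, not code from the DC pilot. The "filename" below is a
# constructed attacker-controlled value.

# Vulnerable form: the value is interpolated into a command string, so Ruby
# hands the whole line to /bin/sh and every shell metacharacter in `name`
# (; | & $() backticks ...) is interpreted.
def run_unsafe(name)
  `echo #{name}`
end

# Hardened form: argv array, no shell involved. `name` becomes exactly one
# argument to the program, metacharacters and all.
def run_safe(name)
  IO.popen(['echo', name], &:read)
end

# If a shell really cannot be avoided, quote each argument for it. This is
# weaker than the argv form (you depend on the escaping being complete).
def run_escaped(name)
  `echo #{Shellwords.escape(name)}`
end

# Defence in depth: validate before the value gets anywhere near a command.
# Allowlist, not denylist, and no leading '-' so the value cannot be parsed
# as an option by the program it is passed to.
SAFE_NAME = /\A[A-Za-z0-9_][A-Za-z0-9._-]{0,63}\z/
def safe_name?(name)
  SAFE_NAME.match?(name)
end

if __FILE__ == $0
  evil = 'ballot.pdf; echo INJECTED'
  puts "unsafe:  #{run_unsafe(evil).inspect}"   # second command ran
  puts "safe:    #{run_safe(evil).inspect}"     # literal string echoed back
  puts "escaped: #{run_escaped(evil).inspect}"  # literal string echoed back
  puts "valid?   #{safe_name?(evil)}"           # false
end
```

The argv form is the default choice; the escaping form is only for the case where an existing script genuinely needs a shell, and the allowlist check belongs at the input boundary regardless of which form is used.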
Well, the first and most obvious thing missed is the one skipped over by the author of the article: of all the voting areas in the entire USA, the most corrupt and most incompetent is the District of Columbia. It almost doesn't matter who is running, the fix is in long before the first ballot is cast. They just threw out the moderately competent Adrian Fenty for a machine politician who paid cash to another candidate so the other candidate could keep attacking Fenty without the machine guy getting obvious shit on his suit. Said other candidate is now in the pokey, but no charges filed against the sitting mayor.
The admin/admin was on a terminal server on the network.
Are you sure about all the default passwds on everything on your network?
Really sure? Including the printers, VOIP phones, the conference system, the security cameras, the fax machine.
Are you sure there are no manufacturer's update/service passwds you don't know about on any of them?
Yeah, there's this thing called a domain as well in the Windows world, there is similar functionality available for *nix systems, which involves using some kind of directory service as a central location for user accounts and passwords.
This normally means you don't have to update passwords on every box. That kind of thing would get very tiring on a network with thousands of users and machines.
You are justifying this?
If you find this understandable then would love to see your network.
As for the questions you ask - yes I'm damn sure. Everything is scanned/probed routinely and anything found like some odd back door is either disabled or if not possible the kit is thrown out and replaced. And even if a printer or a fax machine gets somehow pwned then all that can happen is maybe some paper waste at most...
I do this for my own micro enterprise cause it's my background but I'd expect an even higher level of checks for something like elections...
And if the printer has scanner functionality that can launch applications on demand on a target machine are you sure those apps run under a suitably secure set of credentials? If it does have hosted functionality are you sure it can't be subverted to run the 'wrong' app?
Did that printer keep a copy of your printed bank statement on a hard disk or flash memory buffer that could be downloaded? Especially if it's been 'thrown out'?
Are you sure that the manufacturer didn't build in their own credentials and hide them? Scanning for 'back doors' as you claim isn't enough to detect that, especially if the login is 'just another' user account.
Use technology that is easy enough for those that run the ballots to completely understand the system and to fully understand the implications. We know what properties an election should have. Somehow, no electronic system on the market today can fulfill them all. So the obvious solution is to stick with paper systems and have humans tally the results.
Sometimes, it is simply more important to have a system you can trust, that will work properly and can easily be audited, than to have the very latest in technology. Even cost is no argument: A system that looks costly to run but will reliably do so uneventfully, might suddenly look a lot cheaper than the fancy replacements full of projected savings bullshit that then cause endless squabbles, disputes, and dissatisfaction.
Here we have a hybrid system. You vote on paper, but they scan the votes (with the ballots then dropping into a sealed box). So you get the fast results of an e-voting system, but if the vote is close, or there is a dispute they open up the boxes and count them by hand.
Still have to watch for the old games like stuffing the ballot box, gaming the voters list and such but it beats e-voting hands down when it comes to trust.
For the last line I'd love to give you 10 up votes.
First line, not so much. Some of the most obvious fixes have never been challenged because the areas from which they have been run were too corrupt to prove otherwise. The most famous of which would be Nixon vs. Kennedy in which Cook county at the very last minute delivered just enough "previous unfound" ballots to hand the state to JFK. Of course, since that outcome is approved of by the LSM as opposed to the Bush vs Gore recount, you never hear about it.
You want a system that protects against wilful malice from those entrusted with overseeing the process?
I think that's a bit much to ask. I'd rather we trust the people entrusted with the process and have them show their trustworthiness (pulling "previously unfound" votes out of a hat doesn't count as "trustworthy"), rather than have a system that's effectively opaque to the same people running the show, making them vulnerable to meddling and tampering by third, fourth, fifth, and so on parties. It won't eradicate the incentive and the will, it will hopefully reduce the problem to something that's overseeable by humans so that they can reasonably be held accountable.
One thing that would help a lot would be to get rid of the ossified Electoral College in the US. This is used only to elect the US president. All other elections use straight popular vote. Nobody would be stupid enough to do such a thing for a governor or senator.
The most dangerous aspect of the EC is the winner-take-all properties of most states' election points. Therefore there are 45 opportunities to have a large block of points thrown by a small box of previously "lost ballots" in one or another state with close results. See also Ohio, Florida.
If it was a straight popular vote, an extra thousand votes cooked up here or there probably could not make a dent in 50M or 100M votes.
Two words for you: "audit trail".
Many electronic voting systems fail miserably in this regard, whereas boring old pen-and-paper elections do in fact leave a paper trail that can be inspected after the fact. Not perfect, sure. But significantly better.
Hi Ru, So what do you think of the result of Syria's referendum on a new constitution? Who would have predicted that 89% of Syrians would approve of the new constitution that would allow Assad to remain in office until 2028.
Does anyone want to make a prediction on how ex-KGB man Vladimir Putin will do in the Russian presidential election?
"do in fact leave a paper trail that can be inspected after the fact"
Which can *also* be tampered with.
I put it to you with proper attestation a digital audit trail can be *far* more secure and reliable than any paper one ever could be.
The issue with digital voting systems is that the companies involved are incompetent not that it is inherently worse.
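What a "digital audit trail with proper attestation" can look like, as an added example that is not part of the thread and not any vendor's design: a hash-chained, append-only ballot log in Ruby, with the tally recomputed from the records rather than read from a stored counter. The candidate names and votes are constructed. It shows two things the thread argues about: a changed record is detectable from the log alone, and a log rebuilt from scratch by whoever holds it is only caught if the final hash was committed somewhere outside the machine (printed at close of polls, signed, published) before anyone had a reason to touch it. The counter-seeding trick mentioned above ("-10000 against a candidate") has no foothold here because every total is a count of records.

```ruby
require 'digest'
require 'json'

# Added example, not from the original thread. Constructed data throughout.

GENESIS = '0' * 64

# Each entry commits to the previous entry's hash, its position and its
# content, so editing, dropping or inserting a record changes every hash
# after it.
def entry_hash(prev_hash, seq, choice)
  Digest::SHA256.hexdigest([prev_hash, seq.to_s, choice].join("\n"))
end

# Build the chain from a list of anonymous ballot choices.
def build_log(choices)
  prev = GENESIS
  choices.each_with_index.map do |choice, seq|
    prev = entry_hash(prev, seq, choice)
    { 'seq' => seq, 'choice' => choice, 'hash' => prev }
  end
end

# The value to attest out of band at close of polls.
def head(log)
  log.empty? ? GENESIS : log.last['hash']
end

# Walk the chain from genesis. Returns the index of the first entry that
# does not verify, or nil if the whole chain is intact.
def first_broken_entry(log)
  prev = GENESIS
  log.each_with_index do |entry, i|
    expected = entry_hash(prev, i, entry['choice'])
    return i if entry['seq'] != i || entry['hash'] != expected
    prev = expected
  end
  nil
end

# Totals are derived from the records every time; there is no stored
# counter to seed, so no total can be negative or exceed the ballot count.
def tally(log)
  log.each_with_object(Hash.new(0)) { |e, t| t[e['choice']] += 1 }
end

# Check a published result against the log and the attested head hash.
# Returns [ok, reason].
def verify_published(log, published, attested_head)
  return [false, 'chain broken'] unless first_broken_entry(log).nil?
  return [false, 'head does not match attested value'] unless head(log) == attested_head
  return [false, 'totals disagree'] unless tally(log) == published
  return [false, 'sum mismatch'] unless published.values.sum == log.length
  [true, 'ok']
end

if __FILE__ == $0
  log = build_log(%w[alice bob bender bender alice bender])
  attested = head(log)                     # imagine this printed and signed
  puts verify_published(log, tally(log), attested).inspect

  # Someone with write access edits one record in place.
  tampered = JSON.parse(JSON.dump(log))
  tampered[2]['choice'] = 'alice'
  puts "first broken entry: #{first_broken_entry(tampered).inspect}"

  # Someone rebuilds the whole log instead; only the attested head catches it.
  rebuilt = build_log(%w[alice bob alice bender alice bender])
  puts verify_published(rebuilt, tally(rebuilt), attested).inspect
end
```

The design point is that the chain on its own only proves internal consistency; the attestation the comment asks for is the head hash leaving the machine through a channel the machine's administrator cannot quietly rewrite, which is also what a paper receipt in a sealed box provides for a single ballot.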
An audit trail - I don't see why this can't be done with a (partial) computerized voting system. Yes I do know why - the people who set up the election systems fully intend to tamper with the results. Any voting system without some sort of double-checking, you might as well get out the yellow tape, because it's a crime scene. 2+2.
Money is handled through totally computerized systems, from the cashier to the bank to the CEOs paycheck, with audit trails and security that's solid enough to keep corporate losses to a minimum. Yes there are breakins, yes cashiers regularly have discrepancies in their dimes and shillings. But with someone's bottom line in jeopardy, there's plenty of effort put in to making it as secure as possible and keeping the mayhem to small amounts.
Now, the managers at retail locations understand the cash registers and understand all the ways they can be hacked and customers, or cashiers, can cheat. We don't have that at electronic voting sites. obviously. If we have to simplify the system down to make people understand it, so be it, that's why so many are still voting with paper. The security is more obvious with paper. I think a significant part is getting voting machines managed by people who can competently keep people from hacking in by wire or by air or by finger.
Hmmm...
Nope, that system didn't work so well in the Iowa caucuses, where you nominally have similarly oriented partisans working to select their nominee (that is, reduced inducement to corruption of the process). On the night of the election all the LSM outlets announced Romney was the winner. A week later it turned out to be Santorum because some of the trusted counters couldn't be arsed to turn in their paperwork.
“They found that the cameras installed to watch the voting systems weren't protected, and used them to work out when staff left for the day and so wouldn't spot server activity.”
Straight out of a Hollywood movie. Actually it sounds like that was a totally unnecessary flourish, but who could resist?
It doesn't matter how secure such a system is, but how easily you can check it. The usual pen and paper based system can easily be checked. You can detect tampering trivially without any special knowledge.
It can be understood by everybody and checked by everybody.
Plus it's cheap and gets results quickly.
So why even think about electronic elections?
First of all, I trust electronics more than I trust people. I don't know what happens to my paper vote after it gets placed in the magic box. I do know that some of these magic boxes are sometimes found after the election is over, containing a bunch of uncounted votes.
Secondly, by cutting costs (both on the counting side, as well as for me, the voter), maybe we can hold _more_ elections, letting me vote on issues rather than on some pretty face with a slick tongue.
Today I do not have to visit my local bank and fill up my wallet with cold cash. I use a credit card instead, and more importantly: I can pay bills using their Internet solution.
In my country of residence, I use the same electronic ID to access my bank as well as various state services (e.g. accessing the DMV records, paying my taxes or book an appointment with my doctor).
If there is a hole in that system, then my bank account would be empty now. Well, truth be told, it is nearly empty, but for different reasons not pertaining to security issues.
"First of all, I trust electronics more than I trust people."
If there was some way of designing, making and using electronics without using people, this would make sense. As it is, there isn't, so your choice is untrustworthy people with electronics, or untrustworthy people with bits of paper.
They could have made their study a little more interesting. I assume that since the code was released for public testing, that the code was unlikely to see further detailed inspection. I might have added a discreet bit of work that would sit there until election day, add Bender to the actual list of candidates, and allocate plenty of votes to him. Would make for interesting watching when they wanted to release the final tallies :)
I think you missed this part of the article:
>>"It was too good an opportunity to pass up," explained Professor Alex Halderman from the University of Michigan. "How often do you get the chance to hack a government network without the possibility of going to jail?"<<
But if you call the risk of going to jail 'a little more interesting', you are right.
"Financial attacks by hackers are relatively easy to detect – because at some point money has to leave the system. But if an election is hacked then we may never know, because it's a one-time action that typically isn't checked after the results have been announced and officials elected."
And herein, stated more succinctly than ever before, is the entire problem in a nutshell.
What's REALLY important in the world?
these e-voting systems would print out a copy of the person's vote for them to check and place in a ballot box so physical recounting is possible.
They don't do that?
It still wouldn't help with removing/changing candidate names from the ballot paper as in the article example though so, as above, old school pen & paper for me.
Easy enough to fix. Below the touch screen / set of buttons for voting, is a transparent plastic window. Behind this is a receipt printer, like those used in checkout tills. When you make your selection, this prints your choice, displaying it so that you can verify it. This then feeds the roll of paper into a sealed box, so the next voter cannot see your choice. The sealed box then contains an audit trail of every vote passed.
You are also right about anonymity in the UK. The voting card has a voter number on it, which is written on the counterfoil of the ballot paper. Anyone who has access to the list of voter numbers and names, and also the counterfoils, and the ballot papers can trace a vote back to its origin. This does require physical access to both the ballot paper, and the counterfoil, which I would imagine would be securely held, and presumably eventually securely disposed of.
"Easy enough to fix. Below the touch screen / set of buttons for voting, is a transparent plastic window. Behind this is a receipt printer, like those used in checkout tills. When you make your selection, this prints your choice, displaying it so that you can verify it. This then feeds the roll of paper into a sealed box, so the next voter cannot see your choice. The sealed box then contains an audit trail of every vote passed."
But this isn't possible for an online system.
To: Anonymous Coward
who wrote:
> Sorry, but it needs to be anonymous; I wouldn't want my vote to be traced back to me in the
> UK, never mind somewhere like Iran!
Sorry to burst your bubble.
It has been widely known for decades that The Establishment uses the _unique_ pinhole punched pattern at the top of every ballot paper to identify those who vote anti-establishment e.g. anarchist, communist etc.
It's been going on since long, long _before_ there was 'special branch' and long before the creation of the 'anti terrorist' smokescreen.
If you don't Know your history ....etc.
Technical details of the hack aside, the paper explained, "Why internet voting is hard," especially, "Tensions between ballot secrecy and integrity." Implementing both secrecy and integrity seems very difficult in any electronic system, but we've mastered both in a paper ballot.
I mean a real paper ballot, that uses "X" for an anonymous signature.
And I couldn't help but notice this little jab: "[...]despite the use of the term “commercial [off-the-shelf software],” includes most everyday open-source software."
In exchange I offer this little jab: "You can't blame Microsoft for this one."
Yep, and after he put in a competent Super, test scores started going up and even more surprisingly, getting students back from private schools, even some of the affluent white ones. First thing the new mayor did was fire the competent person. Fortunately for citizens in DC, the changes wrought meant he had to at least keep someone who would keep the process going forward instead of completely reversing like he was supposed to do to line the pockets of his union masters.
They need to do the same thing they do on Nevada state voting machines -- random inspections, any discrepancies found and the machine is shut down and investigated, background checks on all devs, board of inquiry for the public to use, and more. Nevada voting machines are more secure because of this, and because there's serious penalties for fuffing about with them.
It's reasonably easy to make a secure, verifiable e-voting system: print receipts, allow verification by the voter later, establish some standards and support multiple vendors. See my web page http://www.billdietrich.me/Reason/ReasonVotingMachines.html Thanks.