They are far from secure yet, and the temptation to tamper with the results comes from both inside and outside.
Security experts have warned that electronic voting systems are decades away from being secure, and to prove it a team from the University of Michigan successfully got the foul-mouthed, drunken Futurama robot Bender elected to head of a school board. In 2010 the Washington DC election board announced it had set up an e-voting …
[...] another tester told them the system was secure, but that they should lose the music on the sign-off screen, as it was rather annoying.
So this is what passes for a test? Seems to me that a "test" would require some number of annoying little details collectively referred to as "requirements", and any tester that can reasonably be called that would have immediately noticed that there was no requirement for the U of M fight song.
If this is how these systems are "tested" then there is no hope of ever securing them. (Of course, that would presume that the testers were actually competent, and not some other political hack's cousin or something....)
I want paper and a pencil!
Note the "testers" were mostly (if not all) Universities. I've yet to encounter any fresh University graduates (even PhDs) who didn't need on the job training on all aspects of professionalism, including how to write and analyze specifications, as well as how to scope out a project, etc.
Well, if the hacker who got into the system before you takes steps to secure it to prevent others hijacking their hard work, then it could easily be more secure against further attacks. Indeed, a quick read of the article suggests that other attacks were detected and blocked by Halderman.
This is why pen-testing alone is insufficient.
Yes, because a lot of the time what passes for testing is not testing, it is merely verification that something is working. Typically testing is entering 'correct' values into whatever is being tested and when it works it is considered tested.
Some people have no idea what testing on boundary conditions means.
But wouldn't running each voting location on an isolated network, handing in the results via encrypted USB key solve most of these issues?
Apart from the obvious, like changing the admin password :-S
Lords, reminds me of an episode of Archer!
But difficult for people to vote online - which is the whole point, getting people to vote without them having to get out of the chair and making the whole thing cheaper
Perhaps, but it doesn't protect you from the group with the most to gain from tampering ... those on the INSIDE
The goal of a voting system should be to accurately record and report votes, not necessarily to "make voting easy". In fact, we'd be better off if we did something small to discourage idiots from voting. Such as having to pass a simple test (what are the three branches of the federal govt; who is the president; what is the basic legal document of the USA). Yes, I know tests were used in the past to discriminate racially; I think we should use them to screen out idiocy.
I'd be interested in any feedback about my web page http://www.billdietrich.me/Reason/ReasonVotingMachines.html Thanks.
Though that utter retard-inbred-redneck-fuckwit son-of-a-bastard Bush Jr. getting a second term might have given someone a hint!
Bender would probably do a better job too.
If it doesn't involve a piece of paper and a pencil then I don't believe it is secure.
I've always wondered about the pencil bit, I know it's a stretch but couldn't it be tampered with by the application of an eraser?
OK, you'd have to be pretty desperate but I'd have thought a pen would be a more permanent mark?
Indeed, but in the UK at least, the (locked) boxes are taken from the polling booths straight to be counted. So, you'd have to break into them either in the polling booth, in the transporting vehicle or in the counting station. Any of which would be pretty obvious, since people (volunteers) are always around them.
I like our system, generally good physical security. Problems generally appear with the postal ballots.
In France, we do not even move the boxes: the ballots are counted in situ by volunteers (usually a subset of the voters of this polling office) with several parties' delegates frantically texting the count as it progresses...
Quite interesting to take part in actually :)
As with security in all systems, paper and pencil alone is not the answer. Paper and pencil alone are easily duplicated and easier for BOFPH to manipulate. Despite the hanging chads from a certain incompetent Democrat district in Florida, the old IBM punch systems are probably the most secure given proper maintenance of the systems, and a known secure system of first transporting tested and certified machines from the certification location to the voting place, and then transporting them from the voting place to the vote counting certification location. It also requires a known secure means of counting the ballots after they arrive at that location. Compromise any of those links and you're frelled. For purposes of this exercise, I have assumed horses are frictionless perfect spheres, I mean the voting process itself was not compromised via multiple voting techniques.
In short, only significant involvement of trustworthy people in the entire voting process assures proper elections. Which is frequently a hurdle too high for even the simplest systems.
A friend has parents who are both Salvation Army officers (pretty upstanding & reliable members of society, I think we'd all agree), and they have frequently (and for many years) been involved in the physical process as monitors at the polling stations. However they have *never* been invited to join in the teams that actually count the papers, and say that they have *no idea* who those people are...
If anyone knows how the counters are recruited, I'd be interested to hear.
(Personally I think all 'representative democracy' is like giving sheep the choice of which wolf they want to be eaten by... it doesn't really matter which one wins)
That assumes you have all parties properly represented at the polling booth - a situation that all too frequently doesn't occur in the states. I work as a partisan observer at my local polling location during elections. I'm authorized to challenge voters whom I think are ringers, but that's it. They were actually quite surprised when I showed up. Seems my party hasn't had a rep there in forever (being as I represent the minority party and we'll never win an election in my precinct). Oddly enough, since they are assured of victory I've never seen my partisan counterpart either.
Having observed from the inside, the one thing of which I am certain is that the only thing keeping the election honest is that the people doing the work at the station are also trustworthy. I can't be there the whole time, so there's plenty of opportunity both before and after, that if one of those folks was properly equipped and intent on doing so, the election results could be altered.
A few years ago they had bank clerks doing this as they are good at counting lots of bits of paper.
WARNING: Anecdotal 'evidence'
I have a relative who was one of those polling station volunteers and apparently they have the means to re-seal the ballot box. At some point in the day they realised they'd neglected to stamp some of the ballot papers, rendering those votes invalid. They opened the ballot box, stamped the papers, and resealed the box with nobody else being any the wiser.
It is a while since I have been involved but in the UK the tellers are bank employees who are junior enough to want to earn a few extra quid. They are supervised by the returning officer (often the Mayor) and his staff of council employees.
Your friends sound like tellers who are unofficial volunteers from the political parties who sit outside the polling station and invite voters to identify themselves. The candidates' representatives use this information so that they can identify their probable supporters who appear not to have voted yet.
Each candidate is entitled to be present at the count and is allowed nominees to watch each table. It is open to the press but the public are not allowed in.
There is a more detailed description here http://www.helium.com/items/1798154-counting-the-votes-in-a-uk-election It took me at least ten seconds to find that so I guess you were not that interested to hear how it works.
It is actually more difficult to completely remove all traces of a pencil mark than it is to remove all traces of ink. That's why pencils are used.
I find it worrying that these kinds of things are still newsworthy. There is ample evidence of e-voting systems being ripe for abuse, together with real-life examples of exploitation, dating as far back as JW Bush first election, that it smells like conspiracy. I hate to come across as the tinfoil-hat person, but these things just cannot have been missed by the people in charge. It must be at the very least considered gross negligence. Heads should have rolled a long time ago. It really looks like officials in charge of elections have been covering their ears and singing "lalalala I can't hear you" for the past decade. If _any_ other kind of tech vendor had attempted that kind of embezzlement, they would have been sued into oblivion faster than you can say "not fit for purpose". It seems that democracy really is the least concern for the people whose job is precisely to safeguard it. Which is where the reader should refer to the title of this post...
Good example! The "hanging chads" on the paper ballots in the 2000 Presidential elections dispute was *really* good "evidence of e-voting systems being ripe for abuse".
(How are those reading comprehension lessons going, by the way? You need to put a bit more effort into them, apparently.)
Incidentally, while you were wherever it was that you've been for the last few years, there have been any number of examples of high-profile and government organizations being "hacked". Had you been able to pay just a little more attention, you might have noticed this, and then drawn the inescapable inference that there seems to be no sector of government (or industry) that has the first clue about computer security, and that, consequently, your idea that e-voting systems are insecure, not because of incompetence, but because of some kind of devious plot, is pretty damn stupid. Which is what we would have to expect from you, right? After all, plus ca change, know what I mean?
And yet you are nevertheless correct: electronic voting systems *are* a really bad idea. (But then again, even a broken clock tells the correct time twice a day.)
So you just want to gloss over the e-voting systems that had a negative seed total against certain candidates and whose audit logs were thrown in a skip? Believe they were the shitty Diebolds that had totals stored as a count on a removable card so you could just "reset" the device and stick a count of -10000 against a candidate. You must have missed that investigation that was televised around the World.
Are bears Catholic? Does the pope...?
What sort of keyboard do they have that takes decades to type anything besides "admin"? Write as many files as you want to the image directory, you're just going to annoy the server admin and they'll patch that up real quick. You might think "well if there are things as simple as shell injection and a default username/password, you have to wonder what else there is" and that's a valid point, but this particular team didn't prove anything except that they know the first rule of hacking: always try the default username/password. Presumably before any system goes live they have at least one person with at least some experience test it? They would easily find this vulnerability and change the password, but maybe I give the government too much credit.
The whole point is that security cannot ever be a huge pile of retrospective patches to a broken design, that's always a fatal error.
Security has to be well considered and designed in with a spec for both functionality and how that relates to security from the beginning of that project. You then test that the device meets that spec, and only that spec (i.e. unauthorized features are a security violation), and then you might have a secure device.
The fact is that the supplier of this technology thought this was a "production ready" device three weeks before an election, and external testing picked up all of these problems. Assuming internal testing missed all of these issues, and if they had missed all of these glaringly obvious problems then you have to then ask "what else did they miss"?
Good security requires the right mindset - these kinds of bugs imply this supplier doesn't have it. And Ruby - really? You want a secure system which has to cope with "please tick the box" type answers, and you stick a huge unaudited third-party codebase in the middle of your system. Security needs KISASS (keep it simple AND small stupid) - minimal attack surface, and therefore minimal verification required.
Well, the first and most obvious thing missed is the one skipped over by the author of the article: of all the voting areas in the entire USA, the most corrupt and most incompetent is the District of Columbia. It almost doesn't matter who is running, the fix is in long before the first ballot is cast. They just threw out the moderately competent Adrian Fenty for a machine politician who paid cash to another candidate so the other candidate could keep attacking Fenty without the machine guy getting obvious shit on his suit. Said other candidate is now in the pokey, but no charges filed against the sitting mayor.
The technology and the means do exist. Who on earth invites hackers to hack a system but leaves admin/admin as user/pass? Is this for real? That's not a test, it's a joke. If that's the best they can manage then best they scrap all e-voting machines asap...
The admin/admin was on a terminal server on the network.
Are you sure about all the default passwds on everything on your network?
Really sure? Including the printers, VOIP phones, the conference system, the security cameras, the fax machine.
Are you sure there are no manufacturer's update/service passwds you don't know about on any of them?
Servers might be a good start on changing the default password - you'd hope most people had at least realised that.
Yeah, there's this thing called a domain as well in the Windows world, there is similar functionality available for *nix systems, which involves using some kind of directory service as a central location for user accounts and passwords.
This normally means you don't have to update passwords on every box. That kind of thing would get very tiring on a network with thousands of users and machines.
You are justifying this?
If you find this understandable then would love to see your network.
As for the questions you ask - yes I'm damn sure. Everything is scanned/probed routinely and anything found like some odd back door is either disabled or if not possible the kit is thrown out and replaced. And even if a printer or a fax machine gets somehow pwned then all that can happen is maybe some paper waste at most...
I do this for my own micro enterprise cause it's my background but I'd expect an even higher level of checks for something like elections...
And if the printer has scanner functionality that can launch applications on demand on a target machine are you sure those apps run under a suitably secure set of credentials? If it does have hosted functionality are you sure it can't be subverted to run the 'wrong' app?
Did that printer keep a copy of your printed bank statement in a hard disk or flash memory buffer that could be downloaded? Especially if it's been 'thrown out'?
Are you sure that the manufacturer didn't build in their own credentials and hide them? Scanning for 'back doors' as you claim isn't enough to detect that, especially if the login is 'just another' user account.
We should allow computers to count votes one day: the day they're certified as full citizens and given the franchise to vote.
Use technology that is easy enough for those that run the ballots to completely understand the system and to fully understand the implications. We know what properties an election should have. Somehow, no electronic system on the market today can fulfill them all. So the obvious solution is to stick with paper systems and have humans tally the results.
Sometimes, it is simply more important to have a system you can trust, that will work properly and can easily be audited, than to have the very latest in technology. Even cost is no argument: A system that looks costly to run but will reliably do so uneventfully, might suddenly look a lot cheaper than the fancy replacements full of projected savings bullshit that then cause endless squabbles, disputes, and dissatisfaction.
Here we have a hybrid system. You vote on paper, but they scan the votes (with the ballots then dropping into a sealed box). So you get the fast results of an e-voting system, but if the vote is close, or there is a dispute they open up the boxes and count them by hand.
Still have to watch for the old games like stuffing the ballot box, gaming the voters list and such but it beats e-voting hands down when it comes to trust.
Yeah because nobody ever tampered with a paper election.
Two words for you: "audit trail".
Many electronic voting systems fail miserably in this regard, whereas boring old pen-and-paper elections do in fact leave a paper trail that can be inspected after the fact. Not perfect, sure. But significantly better.
The trick then being to create results that are plausible but in your favour, so you don't trigger manual inspection.
But really what is the mad hurry to get the results out? Surely democracy is worth taking a couple of days over?
Nope, that system didn't work so well in the Iowa caucuses, where you nominally have similarly oriented partisans working to select their nominee (that is, reduced inducement to corruption of the process). On the night of the election all the LSM outlets announced Romney was the winner. A week later it turned out to be Santorum because some of the trusted counters couldn't be arsed to turn in their paperwork.
Perfection is not required. What is required is the system which is most easy for honest auditors to check. To date, his proposal has the best fit to the requirements.
And yes, I'm stuck using one of those new-fangled electronic devices when I vote.
For the last line I'd love to give you 10 up votes.
First line, not so much. Some of the most obvious fixes have never been challenged because the areas from which they have been run were too corrupt to prove otherwise. The most famous of which would be Nixon vs. Kennedy in which Cook county at the very last minute delivered just enough "previous unfound" ballots to hand the state to JFK. Of course, since that outcome is approved of by the LSM as opposed to the Bush vs Gore recount, you never hear about it.
You want a system that protects against wilful malice from those entrusted with overseeing the process?
I think that's a bit much to ask. I'd rather we trust the people entrusted with the process and have them show their trustworthiness (pulling "previously unfound" votes out of a hat doesn't count as "trustworthy"), rather than have a system that's effectively opaque to the same people running the show, making them vulnerable to meddling and tampering by third, fourth, fifth, and so on parties. It won't eradicate the incentive and the will, it will hopefully reduce the problem to something that's overseeable by humans so that they can reasonably be held accountable.
Hi Ru, So what do you think of the result of Syria's referendum on a new constitution? Who would have predicted that 89% of Syrians would approve of the new constitution that would allow Assad to remain in office until 2028.
Does anyone want to make a prediction on how ex-KGB man Vladimir Putin will do in the Russian presidential election?
"do in fact leave a paper trail that can be inspected after the fact"
Which can *also* be tampered with.
I put it to you with proper attestation a digital audit trail can be *far* more secure and reliable than any paper one ever could be.
The issue with digital voting systems is that the companies involved are incompetent not that it is inherently worse.
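Added example, not from the thread or from any voting-system vendor, of the "digital audit trail with proper attestation" argued for in the comment above and the paper-trail point raised a few comments earlier: a hash-chained tally ledger whose entries carry an HMAC, which an auditor replays while checking the invariants the thread touches on (zero seed totals at open, a closing report that matches the recorded ballots). The key, candidate names and ballots are constructed for the demonstration.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. A real deployment would keep the signing key in an
# HSM/TPM-backed store and hand auditors only the resulting MACs.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
GENESIS = "0" * 64


def _mac(key, body):
    """HMAC-SHA256 over a canonical JSON encoding of the entry body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, event):
    """Append an event, chaining it to the MAC of the previous entry."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": event}
    log.append({**body, "mac": _mac(key, body)})
    return log


def verify_log(log, key):
    """Return (True, totals) if chain, MACs and tally invariants hold,
    else (False, reason). Invariants: seed totals are zero, every ballot
    names a known candidate, the closing report equals the replayed count."""
    prev, totals = GENESIS, None
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, f"chain broken at entry {i}"
        body = {k: entry[k] for k in ("seq", "prev", "event")}
        if not hmac.compare_digest(_mac(key, body), entry["mac"]):
            return False, f"MAC mismatch at entry {i}"
        ev = entry["event"]
        if ev["type"] == "open":
            if any(v != 0 for v in ev["totals"].values()):
                return False, "non-zero seed totals at open"
            totals = dict(ev["totals"])
        elif ev["type"] == "ballot":
            if totals is None or ev["candidate"] not in totals:
                return False, f"unknown candidate at entry {i}"
            totals[ev["candidate"]] += 1
        elif ev["type"] == "close":
            if ev["totals"] != totals:
                return False, "closing report disagrees with replayed ballots"
        prev = entry["mac"]
    return True, totals


def build_sample_log():
    """Constructed sample: one precinct, three ballots, honest close."""
    log = append_entry([], DEMO_KEY, {"type": "open", "totals": {"A": 0, "B": 0}})
    for c in ("A", "B", "A"):
        append_entry(log, DEMO_KEY, {"type": "ballot", "candidate": c})
    return append_entry(log, DEMO_KEY, {"type": "close", "totals": {"A": 2, "B": 1}})


def tampered_copy(log):
    """Flip the second ballot after the fact, as an insider editing the file."""
    bad = copy.deepcopy(log)
    bad[2]["event"]["candidate"] = "A"
    return bad
```

`verify_log(build_sample_log(), DEMO_KEY)` replays cleanly, while the edited copy fails at the first entry whose MAC no longer matches, and a closing report that disagrees with the ballots is rejected even if every MAC is valid.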
An audit trail - I don't see why this can't be done with a (partial) computerized voting system. Yes I do know why - the people who set up the election systems fully intend to tamper with the results. Any voting system without some sort of double-checking, you might as well get out the yellow tape, because it's a crime scene. 2+2.
Money is handled through totally computerized systems, from the cashier to the bank to the CEO's paycheck, with audit trails and security that's solid enough to keep corporate losses to a minimum. Yes there are breakins, yes cashiers regularly have discrepancies in their dimes and shillings. But with someone's bottom line in jeopardy, there's plenty of effort put in to making it as secure as possible and keeping the mayhem to small amounts.
Now, the managers at retail locations understand the cash registers and understand all the ways they can be hacked and customers, or cashiers, can cheat. We don't have that at electronic voting sites, obviously. If we have to simplify the system down to make people understand it, so be it, that's why so many are still voting with paper. The security is more obvious with paper. I think a significant part is getting voting machines managed by people who can competently keep people from hacking in by wire or by air or by finger.