elections.ppt - UNL Computer Science _ Engineering

					   Electronic Voting
  Down for the Count?
      Charles P Riedesel
 University of Nebraska, Lincoln
Computer Science & Engineering
     Where I am coming from
• Mathematician – “fair” elections are
• Computer scientist/engineer – designing
  errorless/unhackable computer hardware
  and software is impossible
• Politician – fooling the people all the time is
     Where am I coming from?
• I teach computer organization – By the end of
  freshman year my students can design the
  circuitry of a functional computer. I know how to
  hide an “Easter Egg” in hardware that is virtually
  impossible to find.
  – Counterfeit chips are already a problem
  – An Easter Egg is a surprise that can be uncovered by
    very particular actions, a “Cryptic Knock”
  – Example: Microsoft Excel 97 had a hidden flight
    simulator, activated by keying at a special cell
  – Cryptic knocks can be used to wake up trojan horses!
    Where am I coming from?
• I have taught operating systems and
  compiler construction at the jr/sr/grad
  level. With this knowledge we can replace
  and/or modify COTS (Commercial Off The
  Shelf) software to do things totally
  unexpected by unknowing programmers.
    Where am I coming from?
• I have gone through a lot of the technical
  reports about voting systems hardware
  and software, and can make sense and
  comment on most of it. My colleagues who
  are more expert at communication
  networks and software engineering
  aspects can absorb it all.
            Today’s Agenda
•   The role of elections in our democracy
•   Makings of an election
•   Rise and fall of the DRE
•   Other players, organizations, documents
•   Recommendations
    The Role of Elections in Our Democracy
• Inherent mathematical flaws of elections
• An election is only a snapshot of those
• Weighted voting
• One person, one vote?
• Legitimacy based on trust
• Principles for a good election
   Inherent Mathematical Flaws of Elections
• Winning is not transitive
   – Three-way race with Alice, Bob and Calvin based on
     three equally important issues of abortion, taxes, and war
   – Voters prefer Alice, then Bob, then Calvin on abortion.
   – Voters prefer Bob, then Calvin, then Alice on taxes.
   – Voters prefer Calvin, then Alice, then Bob on war
   – In two way races Alice beats Bob, Bob beats Calvin,
     and Calvin beats Alice!
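The three-way race above, worked as an added example (not part of the original slides): each issue is treated as one equally weighted ranked ballot, head-to-head majorities are tallied, and the resulting cycle is detected. The function names and the data layout are assumptions made for illustration.

```python
from itertools import permutations

# Constructed profile taken from the slide: three equally weighted issues,
# each contributing one ranking (most preferred candidate first).
PROFILE = {
    "abortion": ["Alice", "Bob", "Calvin"],
    "taxes":    ["Bob", "Calvin", "Alice"],
    "war":      ["Calvin", "Alice", "Bob"],
}

def pairwise_wins(profile):
    """Return {(x, y): n}, the number of rankings that place x above y."""
    candidates = sorted(next(iter(profile.values())))
    wins = {(x, y): 0 for x, y in permutations(candidates, 2)}
    for ranking in profile.values():
        for i, x in enumerate(ranking):
            for y in ranking[i + 1:]:
                wins[(x, y)] += 1
    return wins

def beats(profile):
    """Set of (winner, loser) pairs decided by a strict majority."""
    wins = pairwise_wins(profile)
    return {(x, y) for (x, y), n in wins.items() if n > wins[(y, x)]}

def condorcet_winner(profile):
    """Candidate who wins every two-way race, or None if there is none."""
    b = beats(profile)
    candidates = next(iter(profile.values()))
    for c in candidates:
        if all((c, other) in b for other in candidates if other != c):
            return c
    return None

def majority_cycles(profile):
    """All three-candidate cycles x > y > z > x, each reported once."""
    b = beats(profile)
    candidates = sorted(next(iter(profile.values())))
    return [
        (x, y, z)
        for x, y, z in permutations(candidates, 3)
        if x == min(x, y, z) and {(x, y), (y, z), (z, x)} <= b
    ]

if __name__ == "__main__":
    print("two-way results:", sorted(beats(PROFILE)))
    print("Condorcet winner:", condorcet_winner(PROFILE))
    print("cycles:", majority_cycles(PROFILE))
```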
    An Election is only a Snapshot
•   Elections are held on one day (usually)
•   Polls demonstrate dynamics of a race
•   Sensitive to late-breaking news, charges
•   New information after the election
•   Election really valid for 2, 4, or 6 years?
           Weighted Voting
• What if Alice beats Bob, but it is only
  because 51% mildly prefer Alice, but 49%
  detest Alice and adore Bob? Overall, Bob
  is better liked!
• What if Calvin beats Don 55% to 45%.
  Instead of winner takes all, put both in
  office and weigh their single vote 55-45 on
  all issues!
     One Person, One Vote?
• You are smart, well versed on issues.
• The idiot with an IQ of 40 on your right
  really has no idea what is going on.
• The blow-hard on your left is caught up in
  some single-issue thing.
• Should your vote really count the same as
  either of theirs?
    Legitimacy Based on Trust
• Numerous flaws in elections
• Possibility of mathematically invalid results
• Can anyone find a better way?
• What level of imperfection can we
• Essential that winners and losers alike buy
  in to the system and accept results
 Principles for a Good Election
• Vote storage mechanisms should be
  – Simple
  – Reliable
  – Durable (for the votes)
  – Tamper-evident
  – History-independent
  – Subliminal-free
  – Cost effective
 Principles for a Good Election
• Voters need to know their vote is
  – Accurately recorded
  – Counted in the total
  – Anonymous – no way to track back who voted
  – Private – no possible evidence to show
    anyone how he/she voted
         Makings of an Election
• Voting system machinery
  – GEMS
  – Electronic Voting Machines
       • DRE, DRE with VVPT, PCOS
• Process of an election
• Regulatory actors
  –   HAVA
  –   ITA’s – Ciber, Wyle Labs, SysTest Labs
  –   NASED
  –   FEC
     Voting System Machinery
• GEMS: General Election Management System –
  the computer and software that takes in and
  processes the results from all the voting
• DRE: Direct Recording Electronic voting
  machine – votes recorded in software
• DRE with VVPT: Voter Verifiable Paper Trail –
  votes also recorded on paper
• PCOS: Precinct Center Optical Scan – scans
  and records vote upon being cast
        Process of an Election
• Election Definition – define races, candidates,
  districts, precincts
• Configure Voting Equipment, Print Ballots –
  geography makes each precinct different
• Pre-Election Test – Verify that everything is
• Election Day – Open polls, vote, close polls
• Canvassing – Compute and publish totals,
  archive results
  – (Copied from a slide by Douglas Jones)
          Regulatory Actors
• HAVA: Help America Vote Act, 2002,
  – Get rid of hanging chad,
  – Eliminate mechanical voting machines,
  – Central count for absentee ballots only,
  – Promote accessibility for disabled voters,
  – Fund new machines,
  – Set up new agencies
           Regulatory Actors
• NIST: National Institute of Standards &
  Technology – technical advisor to
• TGDC: Technical Guidelines Development
  Committee – advisory board to
  – (note: Nebraska Secretary Of State John A. Gale is a
    member of TGDC!)
• EAC: U.S. Elections Assistance Commission –
  handful of presidential appointees
• STS: Security and Transparency Subcommittee
  of TGDC – “Requiring Software Independence in
  VVSG 2007” recommendation to TGDC 11/2006
          Regulatory Actors
• ITA’s: Independent Testing Authorities
  – Ciber: employs standard methodologies for
    evaluating correctness and quality of software
    • Jan 2007 – in trouble for not following quality
      control procedures and lack of documentation
  – Wyle Labs: reviews source code, does
    hardware testing and functional testing of
    voting machines
  – SysTest: quality assurance, software test
    engineering, verification & validation
          Regulatory Actors
• NASED (National Organization of State
  Election Directors) under the
• Election Center to which the ITAs report,
  part of the old
• FEC (Federal Election Commission)
       Rise and Fall of the DRE
•   The Direct Recording Electronic machine
•   Hopkins Report
•   SAIC Report
•   Compuware Report
•   Raba Report
•   VSTAAB Report
•   Hursti II Report
•   Princeton Report
•   Nedap Report
     Rise and Fall of the DRE
• Major makers of DRE’s are
  – Sequoia
  – Diebold
  – ES&S
• Policy of “Security through Obscurity”
• Fundamental Challenge – electronic votes
  can evaporate with NO remaining
  evidence, unlike paper ballots
• Not a transparent process
       Rise and Fall of the DRE
• Categories of Possible Attacks
  –   Corrupt software inserted prior to election day
  –   Wireless or other remote control attacks
  –   Attacks on tally servers
  –   Miscalibration of machines
  –   Shutting off voting machine features
  –   Denial-of-service attacks
  –   Corrupt poll workers actions
  –   Attacks on ballots or VVPT
       • (thanks to Brennan Center for Justice)
       Rise and Fall of the DRE
• Challenges for the Attacker
  –   Overcome vendor motivation
  –   Finding an insertion opportunity
  –   Obtaining technical knowledge
  –   Obtaining election knowledge
  –   Changing votes
  –   Eluding inspection
  –   Eluding testing and detection
  –   Avoiding detection after polls close
       • (thanks to Brennan Center for Justice)
     Rise and Fall of the DRE
• Hopkins Report – Bev Harris discovered
  an ftp site for Diebold that contained the
  software for its DRE, the AccuVote-TS.
  She took it to Aviel Rubin of Stanford.
  – “Analysis of an Electronic Voting System” by
    Aviel Rubin, et al., 7/23/2003
  – Based just on code analysis discovered
    numerous potential security problems and lax
    software engineering standards.
     Rise and Fall of the DRE
• SAIC (Science Applications International
  Corporation) Report for Maryland State Board of
  – “Risk Assessment Report: Diebold AccuVote-TS
    Voting System and Processes”, 9/2/2003
  – Only a 40-page redacted version (Diebold’s agreement
    let them do it) was ever released, until the nearly 200-page
    full version was leaked 11/2006 by a whistleblower
  – Risk assessment responding to Hopkins Report,
    resolves many problems and hides others
     Rise and Fall of the DRE
• Compuware (Corp.) Report
  – “Direct Recording Electronic (DRE) Technical
    Security Assessment Report”, for the Ohio Secretary
    of State, 11/21/2003
  – Security assessment and validation of four voting
    machines, including Diebold’s AccuVote-TS
  – About 275 pages with test scenarios, results, and any
    identified risks with risk level (of which there are a number)
  – Limited to the voting machine, not policies and
     Rise and Fall of the DRE
• RABA (Technologies) Report for the state of
  – “Trusted Agent Report: Diebold AccuVote-TS Voting
    System”, January 20, 2004
  – Security experts reviewed the Diebold system and the SAIC
    report, and formed a “Red Team” exercise to probe the
    actual system setup
  – Successfully hacked it and the GEMS server in
    multiple ways
  – “Considerable” risks found, but with recommendations
    can be mitigated well enough for the primary
  – More needed for general election - ultimately need
    paper receipts
     Rise and Fall of the DRE
• VSTAAB (California’s Voting System
  Technical Assessment and Advisory
  Board) Report “Security Analysis of the
  Diebold AccuBasic Interpreter”, 2/14/2006
  – 3 computer scientists from U of California
    analyzed AccuBasic, a proprietary, interpreted
    language used in a couple machines including
    the AV-TSx touchscreen because no ITA
    testing was done
  – Problems (many easily correctable) found
     Rise and Fall of the DRE
• Hursti II Report, a Black Box Voting
  Project by Harri Hursti, “Diebold TSx
  Evaluation – SECURITY ALERT: May 11,
  2006: Critical Security Issues with Diebold
  TSx”, at the invitation of a Utah county
  – Firmware is easy to change
  – PCMCIA virus threat
     Rise and Fall of the DRE
• Princeton Report “Security Analysis of the
  Diebold AccuVote-TS Voting Machine” by
  several authors at Princeton University,
  Sept 13, 2006
  – Obtained one of the DRE machines,
    demonstrated Hursti’s proposed virus, and
    created a demo virus that attacks an election
  – Problems in common with desktop PCs
  – Diebold response is that polling place
    procedures provide adequate protection
     Rise and Fall of the DRE
• Nedap(/Groenendaal) Report –
  “Nedap/Groenendaal ES3B Voting
  Computer: a Security Analysis”, 10/6/2006
  – Used extensively in Netherlands and nearby
  – Authors show how anyone can quickly gain
    complete and virtually undetectable control
    over election results
  – Radio emanations up to several meters away
    can be used to tell who votes what
  – Sold in US by Liberty Voting Solutions
     Rise and Fall of the DRE
• TGDC report by STS to NIST calls for Software
  Independence, basically ruling out paperless
• By the end of November 2006, NIST concludes
  that paperless DRE’s are not acceptable
• At the beginning of December 2006, the EAC
  rejects 6-6 recommendation to only certify
  DRE’s that use “independent audit technology”
  (namely paper). Cost was a factor.
      Other Players, Organizations, Documents
•   Douglas Jones
•   Aviel Rubin
•   Bev Harris – Black Box Voting
•   Rebecca Mercuri
•   Eugene Spafford
•   William Pitt – Truthout
•   David Dill – Verified Voting Foundation
•   Linda Malone – President of NASED
•   Barbara Simons - USACM
•   The Brennan Center for Justice
               Douglas Jones
•   University of Iowa at Iowa City
•   Department of Computer Science
•   Gives many talks, lay and technical
•   Inspiration for parts of this presentation
    – See “Voting Security: A Technical
      Perspective”, presented at U of S. Car.
      Cybersecurity Symposium, 10/27/2005
              Aviel Rubin
• Johns Hopkins University
• Election Judge
• Author “Brave New Ballot: The Battle to
  Safeguard Democracy in the Age of
  Electronic Voting”
• Analyzed source code at the discovered
  Diebold ftp site
                 Bev Harris
•   Seattle grandmother and writer
•   Stumbled on the Diebold ftp site, 2002
•   Founded Black Box Voting
•   Voracious investigator
          Rebecca Mercuri
• Founder of Notable Software and
  Knowledge Concepts
• Promotes mechanism with printout to be
  voter verified which is protected behind
  glass before being dropped into box
         Eugene Spafford
• Chair of USACM (US Public Policy
  Committee of the ACM)
• Endorsed Nov. 2006 STS report
  advocating paper trails
              William Pitt
• Managing editor of Truthout
               David Dill
• Founder of Verified Voting Foundation
• Stanford University
• Endorses voter verifiable audit trail
             Linda Malone
• President of NASED
• Administrator of Maryland’s State Board of
• In unaired Oct 2006 interview responds to
  questions about critical Diebold report with
  “I think you are in fantasy land”
            Barbara Simons
•   Formerly at IBM
•   Former ACM chair
•   USACM member
•   Gives statements and testimony
•   Upcoming 2007 book with Doug Jones
The Brennan Center for Justice
• New York University
• 2006 report on security problems of 3
  most common electronic systems
               IEEE and ACM
• Association for Computing Machinery
• Institute of Electrical and Electronics Engineers
• Professional organizations representing
  computer sciences and engineering
• ACM Policy Statement – all systems should
   – Careful engineering
   – Strong safeguards
   – Rigorous testing of design and operation
•   Keep things in perspective
•   Restore and maintain trust
•   Regulate, fund, and train
•   Decentralize and diversify
•   Establish reasonable processes
•   Implement an assessment cycle
• Keep Things in Perspective – There are
  many factors that influence an election.
  Some we accept without question as
  legitimate, some are ignored, some are
  presented as terrible threats. How much
  do we spend to eliminate one threat, no
  matter how small and unlikely?
• Restore and Maintain Trust
  – Pay attention and respond respectfully
  – Educate yourself and others
  – Openly take reasonable steps
  – Stay calm
  – Act quickly and decisively when appropriate
  – Question authority at the same time as you
    respect authority
  – Keep everything as transparent as possible
• Regulate, Fund, and Train – There is no
  human or technological perfect system
  – Regulate all aspects of the election cycle
  – Provide adequate funding for all aspects of
    the election cycle including certification,
    acquisition, verification, and development of
    hardware and software
  – Poll workers are generally low paid and
    unskilled, yet the system depends on them!
• Decentralize and Diversify – Attacks (accidental
  and malicious) are most effective when
  implemented system-wide. Think of virus threat
  if all computers were the same or all cattle had
  the same DNA – thus the same vulnerabilities!
  – Promote competition in the industry
  – One size doesn’t fit all – consider costs,
    demographics, and accessibility
  – Don’t fund a pie-in-the-sky perfect solution
  – Limited use of DRE’s may be acceptable
• Establish Reasonable Processes – People
  need to know what to do in case of all
  kinds of events. Secure systems depend
  on the people implementing and using
  them following proper protocols.
  Development and certification are loaded
  with details that are easily overlooked.
• Implement an Assessment Cycle – The
  poll workers and others closest to an
  election should participate in evaluating
  the processes, looking for both good and
  bad features, and providing feedback that
  will be used (not sit on a shelf!!!) to
  improve the system. They see things the
  experts miss.
