July 30, 2008

EVT Slides

You can find my slides from EVT 2008 here.

Posted by ekr at 1:55 AM | Comments (0)

July 1, 2008

You go to elections with the voting system you have

After the California Top-to-Bottom Review, Alex Halderman, Hovav Shacham, David Wagner, and I got together and asked ourselves whether there was some way to make good use of the existing voting systems. The result was:
You Go to Elections with the Voting System You Have: Stop-Gap Mitigations for Deployed Voting Systems

J. Alex Halderman, Eric Rescorla, Hovav Shacham, David Wagner

In light of the systemic vulnerabilities uncovered by recent reviews of deployed e-voting systems, the surest way to secure the voting process would be to scrap the existing systems and design new ones. Unfortunately, engineering new systems will take years, and many jurisdictions are unlikely to be able to afford new equipment in the near future. In this paper we ask how jurisdictions can make the best use of the equipment they already own until they can replace it. Starting from current practice, we propose defenses that involve new but realistic procedures, modest changes to existing software, and no changes to existing hardware. Our techniques achieve greatly improved protection against outsider attacks: they provide containment of viral spread, improve the integrity of vote tabulation, and offer some detection of individual compromised devices. They do not provide security against insiders with access to election management systems, which appears to require significantly greater changes to the existing systems.

The paper will appear at EVT '08. (PDF.)

Posted by ekr at 8:32 PM | Comments (0)

April 4, 2008

On New Jersey and tamper seals

Ed Felten has another post up about the discrepancies in the Sequoia machines used in the New Jersey primary. At the moment, I don't have much to add to Ed's analysis of the situation (except to say that this sure looks like some corner case where some counter is being incremented where it shouldn't or not incremented where it should), but check out the image of the summary tape he posts:

Note the empty space where the number of the seal is supposed to be written down but isn't. That's not really good.

The background here is that there are lots of parts of the voting machine which (e.g., the ability to open the case or swap memory cards), if accessed by the wrong people, could lead to various forms of attacks. It's hard to build the system to guarantee that nobody could obtain access, and what's really needed is to limit access to authorized personnel, which is even harder. Instead, the systems are generally designed so that a tamper-evident seal can be placed in such a way that you need to breach the seal in an obvious way in order to obtain access. In practice it turns out that this isn't always true, both because the seal points aren't always placed correctly and because it's actually known to be possible to open a lot of seals without creating evidence (see the California TTBR reports for more on this). But that's the theory.

However, there are a lot of seals and they need to be broken and replaced pretty frequently (e.g., to insert and remove the memory cards before and after the election), and seals are available on the open market. So it's not enough just to have a seal; you need to be able to detect when the seal is replaced with another, similar seal. Unsurprisingly, this is done by having each seal carry its own serial number. Every time a seal is breached or placed you're supposed to record the seal number (that's what that space on the summary tape is for), and part of the job of verifying a seal is checking that the number is what it's supposed to be. If you don't record the seal numbers, then the system falls apart, since anyone who has access to any tamper seals at all can just break the seals, do whatever they want, and replace them with their own seals. And since a lot of the security of the current systems depends on the seals working (for instance, in many of the systems the seals cover access points which would allow complete subversion of the device; see the TTBR reports again), this is fairly serious.
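As an added illustration (not from the original post), here is a small checker for the seal-number bookkeeping just described: a custody log of place/break events with serial numbers, and an inspection that only passes when the seal physically present matches the last recorded placement. The log format, event names and serial numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SealEvent:
    action: str             # "place" or "break"
    serial: Optional[str]   # None models a serial left unrecorded (the blank on the tape)

def audit_log(log: List[SealEvent]) -> List[str]:
    """Walk the custody log and report every point where seal verification breaks down."""
    findings = []
    current = None          # serial of the seal believed to be on the machine right now
    for i, ev in enumerate(log):
        if ev.action == "place":
            if ev.serial is None:
                findings.append(f"event {i}: seal placed but number not recorded")
            current = ev.serial
        elif ev.action == "break":
            if current is None:
                findings.append(f"event {i}: seal broken but no recorded seal to check it against")
            elif ev.serial != current:
                # Whoever broke the seal should have checked its number first.
                findings.append(f"event {i}: broke seal {ev.serial}, expected {current}")
            current = None
        else:
            findings.append(f"event {i}: unknown action {ev.action!r}")
    return findings

def verify_seal(log: List[SealEvent], observed: str) -> str:
    """Inspection: the seal physically present must match the last recorded placement."""
    current = None
    for ev in log:
        current = ev.serial if ev.action == "place" else None
    if current is None:
        return "UNVERIFIABLE"   # blank record: any seal bought on the open market would pass
    return "OK" if observed == current else f"MISMATCH expected {current} found {observed}"

# Constructed sample logs (serial numbers are made up for the example)
GOOD_LOG = [SealEvent("place", "A1001"), SealEvent("break", "A1001"), SealEvent("place", "A1002")]
BLANK_LOG = [SealEvent("place", "A1001"), SealEvent("break", "A1001"), SealEvent("place", None)]
SWAP_LOG = [SealEvent("place", "A1001"), SealEvent("break", "Z9999"), SealEvent("place", "Z9998")]

if __name__ == "__main__":
    for name, log in [("good", GOOD_LOG), ("blank", BLANK_LOG), ("swap", SWAP_LOG)]:
        print(name, audit_log(log), verify_seal(log, "A1002"))
```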

Now, I don't know that much about the ES&S machines or the chain of custody procedures in NJ. It could easily be that NJ has some procedural control that renders this particular seal unimportant. But absent any further information, this seems like it might not be a particularly great practice.

Posted by ekr at 8:39 AM | Comments (1)

March 19, 2008

Discrepancies in Sequoia Advantage machines

Ed Felten reports on inconsistencies in the vote totals reported by Sequoia Advantage voting machines in New Jersey (Note: these machines are different from the touch screen machines we looked at in the California TTBR, so I don't have any inside information.) Anyway, the anomaly is that the number of votes for Democratic and Republican candidates doesn't match the number of times that the ballots were activated. If the number of votes were less than the number of ballots, you could explain that as an undervote, but in the results tape Ed shows, the Republican ballot was selected 60 times and there were 61 votes!

I haven't thought much about potential causes (Ed's commenters theorize) but my money is on simple bugs in the system rather than an attack. If you were an attacker and you had managed to take control of the machine, one of the first things you would want to do is make certain that the results were consistent. Moreover, since this is a primary and not a general election, an attacker wouldn't really benefit from moving votes from one party to another. Much easier (and harder to get caught) to move them from one candidate to another within a party.

Not that this should make you feel any better, since the most basic function of voting machines is to correctly count votes. It should also make you wonder about both Sequoia's testing and the testing done by the certification labs. We already know that it's insufficient from a security perspective, but (assuming the problem is in the system) this seems like something that should have been caught by the testing/SQA process.

Sequoia's explanation can be found here. Felten says it's inadequate and that he'll explain why tomorrow. Stay tuned.

Posted by ekr at 9:34 PM | Comments (0)

February 10, 2008

Vote-by-mail lag

Watching the election on Super Tuesday it was interesting to see the enormous gap between Clinton and Obama at the beginning of the night and watching it narrow as more results were counted. Given that these early returns showed high percentages for Edwards, who ended at 4.1%, I speculate that they reflected early vote-by-mail/absentee votes. This matches up with pundit predictions that the early votes (pre-Obama surge) would be substantially more for Clinton.

Oregon already conducts all their elections by mail and, according to Wikipedia, all but two of Washington state's counties are vote-by-mail. It's also a not uncommon reaction to concerns about the security of electronic voting systems (I'm not saying it's a good reaction). As we're seeing here, one interesting impact of vote-by-mail is that it significantly affects the election timeline in two ways:

This seems like a small change, but I'd expect it to really modify required electoral strategies. A last-minute attack ad is a lot less effective if people have already voted, and if there's no distinct election day, then it's hard to know when to time your ad buys/media events, etc. In general, it seems like a mass transition to vote-by-mail would greatly increase electoral inertia. Whether that's a good or bad thing depends on whether you're the frontrunner.

Obviously, this is pretty handwavy. If any EG readers know of some more formal analysis of this, please let me know.

Posted by ekr at 8:52 PM | Comments (2)

February 7, 2008

LA County's double-bubble

There's turning out to be a problem with LA County's optical scan voting system. This is an interaction between California's open primary and optical scan balloting. The backstory here is that California's Democratic and American Independent primaries allow voting by "decline-to-state" voters, but they need to fill in a bubble on the ballot to indicate which primary they want to vote in (sample ballot here).

LA County uses a system called InkaVote Plus, made by ES&S. This isn't one of the systems we worked on in the TTBR. What it is is a centrally counted optical scan with a local checker. The way that this works is that the voters vote on paper ballots which are then checked by a local checking machine, called the precinct ballot reader (PBR). If there is something wrong, it spits the ballot out with some sort of warning (it's hard to tell from the video how good the warnings are). If the ballot checks, it drops into the ballot box. At the end of the election, the ballots get shipped back to county central, where they're counted in central optical scanners.

The nice thing about this design is that it's fairly resistant to technical attacks on the computerized part of the system—all the authoritative counting is done in scanners where access can be restricted to state employees. But because there is checking at the polling place, in principle you can catch voter errors. What's interesting is that it apparently didn't catch them here. It's possible that there are areas that aren't using the ballot check feature, but more likely the PBRs are only programmed to detect overvotes, not undervotes, and this just looks like a particularly egregious undervote.
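To make the overvote-only point concrete, here is an added example (not LA County's software or any real InkaVote logic) that classifies each contest on a constructed ballot and compares a precinct reader policy that rejects only overvotes with one that also warns when the party bubble is blank. Contest names, limits and ballots are all constructed; the ballot carries no voter registration, matching the question raised below about how the scanner could know it.

```python
from typing import Dict, List

# Constructed ballot model: each contest maps to the voter's marked choices, and
# CONTEST_LIMITS gives the maximum number of selections allowed per contest.
PARTY_BUBBLE = "party_preference"   # the extra bubble decline-to-state voters must fill
CONTEST_LIMITS = {PARTY_BUBBLE: 1, "dem_president": 1, "state_measure_1": 1}

def classify(ballot: Dict[str, List[str]]) -> Dict[str, str]:
    """Label every contest on the ballot as 'ok', 'overvote' or 'undervote'."""
    result = {}
    for contest, limit in CONTEST_LIMITS.items():
        n = len(ballot.get(contest, []))
        result[contest] = "overvote" if n > limit else "undervote" if n < limit else "ok"
    return result

def pbr_overvote_only(ballot: Dict[str, List[str]]) -> str:
    """Policy the post suspects the PBR implements: spit out only overvoted ballots.
    An undervoted party bubble is indistinguishable from any other blank contest."""
    return "REJECT" if "overvote" in classify(ballot).values() else "ACCEPT"

def pbr_party_bubble_aware(ballot: Dict[str, List[str]]) -> str:
    """Stricter policy (hypothetical): also warn when a primary contest is marked but
    the party bubble is blank, the pattern that discards a decline-to-state voter's
    primary vote. Without registration data the warning also fires for registered
    Democrats, for whom the blank bubble is harmless."""
    labels = classify(ballot)
    if "overvote" in labels.values():
        return "REJECT"
    if labels["dem_president"] == "ok" and labels[PARTY_BUBBLE] == "undervote":
        return "WARN: party bubble blank"
    return "ACCEPT"

# Constructed ballots
DOUBLE_BUBBLE_MISS = {"dem_president": ["Candidate A"], "state_measure_1": ["yes"]}
OVERVOTED = {PARTY_BUBBLE: ["DEM"], "dem_president": ["Candidate A", "Candidate B"]}
COMPLETE = {PARTY_BUBBLE: ["DEM"], "dem_president": ["Candidate A"], "state_measure_1": ["no"]}

if __name__ == "__main__":
    for name, b in [("missed bubble", DOUBLE_BUBBLE_MISS), ("overvoted", OVERVOTED), ("complete", COMPLETE)]:
        print(name, pbr_overvote_only(b), pbr_party_bubble_aware(b))
```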

The thing that I don't quite get here is that reading the coverage it sounds like decline-to-states and Democrats (or AIs) get the same blank ballot, so how does the central scanner know whether you're a registered Democrat or not (registered Democrats don't need to fill in the bubble)? Do they go in a different bin, or is there some other mark that indicates that they are decline-to-state voters, or what?

UPDATE: Fixed link to sample ballot. Thanks to Steve Bellovin for pointing this out.

Posted by ekr at 9:46 PM | Comments (1)