stillcool (1000+ posts) | Tue Jan-29-08 11:43 AM | Original message
My Letter to the Secretary of State
Good Morning.

I recently contacted your office with questions about a standard audit, in response to a bill that has been presented by Rush Holt. H.R. 5036: Emergency Election Assistance for Secure Elections Act- the "EASY" bill to secure the November 2008 elections. This bill reimburses states that wish to implement measures to insure the accuracy of our votes.
http://holt.house.gov/HR_5036.shtml

I was surprised that the person I spoke to was not aware of the importance of standard audits, as they pertain to the Optical Scan voting systems used across our state. As a result of that phone call I am emailing information from a few of the many studies regarding the vulnerabilities in our voting systems. I would hope that those who get paid to conduct elections in this state would be knowledgeable of the problems inherent in our voting systems, and the simple measures recommended to secure our elections.

Thank you,

THE MACHINERY OF DEMOCRACY: PROTECTING ELECTIONS IN AN ELECTRONIC WORLD
THE BRENNAN CENTER TASK FORCE ON VOTING SYSTEM SECURITY
SUMMARY OF FINDINGS AND RECOMMENDATIONS
BRENNAN CENTER FOR JUSTICE AT NYU SCHOOL OF LAW
www.brennancenter.org

Three fundamental points emerge from our threat analysis:
■ All three voting systems have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state, and local elections.
■ The most troubling vulnerabilities of each system can be substantially remedied if proper countermeasures are implemented at the state and local level.
■ Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute successfully.

Voting System Vulnerabilities

After a review of more than 120 potential threats to voting systems, the Task Force reached the following crucial conclusions:

For all three types of voting systems:
■ When the goal is to change the outcome of a close statewide election, attacks that involve the insertion of Software Attack Programs or other corrupt software are the least difficult attacks.
■ Voting machines that have wireless components are significantly more vulnerable to a wide array of attacks. Currently, only two states, New York and Minnesota, ban wireless components on all voting machines.

For DREs without voter-verified paper trails:
■ DREs without voter-verified paper trails do not have available to them a powerful countermeasure to software attacks: post-election Automatic Routine Audits that compare paper records to electronic records.

For DREs w/ VVPT and PCOS:
■ The voter-verified paper record, by itself, is of questionable security value. The paper record has significant value only if an Automatic Routine Audit is performed (and well designed chain of custody and physical security procedures are followed). Of the 26 states that mandate voter-verified paper records, only 12 require regular audits.
■ Even if jurisdictions routinely conduct audits of voter-verified paper records, DREs w/ VVPT and PCOS are vulnerable to certain software attacks or errors. Jurisdictions that conduct audits of paper records should be aware of these potential problems.

Security Recommendations

There are a number of steps that jurisdictions can take to address the vulnerabilities identified in the threat analysis and thus to make their voting systems significantly more secure. Specifically, we recommend adoption of the following security measures:

1. Conduct Automatic Routine Audits comparing voter-verified paper records to the electronic record following every election. A voter-verified paper record accompanied by a solid Automatic Routine Audit of those records can go a long way toward making the least difficult attacks much more difficult.

-----------------

Fortunately, these steps are not particularly complicated or cumbersome. For the most part, they do not involve significant changes in system architecture. Unfortunately, few jurisdictions have implemented any of the recommended countermeasures.

*Please read more.
http://brennan.3cdn.net/a56eba8edf74e9e12e_r2m6b86s2.pdf

Security Analysis of the Diebold AccuBasic Interpreter
David Wagner, David Jefferson, Matt Bishop
Voting Systems Technology Assessment Advisory Board (VSTAAB)
with the assistance of: Chris Karlof, Naveen Sastry
University of California, Berkeley
February 14, 2006
http://www.votetrustusa.org/pdfs/California_Folder/DieboldReport.pdf

Page 13

Impact. The consequence of these vulnerabilities is that any person with unsupervised access to a memory card for sufficient time to modify it, or who is in a position to switch a malicious memory card for a good one, has the opportunity to completely compromise the integrity of the electronic tallies from the machine using that card.

Many of these vulnerabilities allow the attacker to seize control of the machine. In particular, they can be used to replace some of the software and the firmware on the machine with code of the attacker's choosing. At that point, the voting system is no longer running the code from the vendor, but is instead running illegitimate code from the attacker. Once the attacker can replace the running code of the machine, the attacker has full control over all operation of the machine. Some of the consequences of this kind of compromise could include:

The attack could manipulate the electronic tallies in any way desired. These manipulations could be performed at any point during the day. They could be performed selectively, based on knowledge about running tallies during the day. For instance, the attack code could wait until the end of the day, look at the electronic tallies accumulated so far, and choose to modify them only if they are not consistent with the attacker's desired outcome.

The attack could print fraudulent zero reports and summary reports to prevent detection.

The attack could modify the contents of the memory card in any way, including tampering with the electronic vote counts and electronic ballot images stored on the card.

The attack could erase all traces of the attack to prevent anyone from detecting the attack after the fact.

It is even conceivable that there is a way to exploit these vulnerabilities so that changes could persist from one election to another. In other words, these vulnerabilities mean that a procedural lapse in one election could potentially affect the integrity of a subsequent election. However, we would not be able to verify or refute this possibility without experimentation with real systems.

It is conceivable that the attack might be able to propagate from machine to machine, like a computer virus.

----------------------------------

In addition, most of the bugs we found could be used to crash the machine. This might disenfranchise voters or cause long lines. These bugs could be used to selectively trigger a crash only on some machines, in some geographic areas, or based on certain conditions, such as which candidate has received more votes. For instance, it would be possible to write a malicious AccuBasic script so that, when the operator prints a summary report at the end of the day, the script examines the vote counters and either crashes or continues operating normally according to which candidate is in the lead.

The impact on the paper ballots (AV-OS). It is important to note that even in the worst case, the paper ballots cast using an AV-OS remain trustworthy; in no case can any of these vulnerabilities be used to tamper with the paper ballots themselves.

*Please read more:
http://www.votetrustusa.org/pdfs/California_Folder/DieboldReport.pdf

Security Assessment of the Diebold Optical Scan Voting Terminal
A. Kiayias, L. Michel, A. Russell, A. A. Shvartsman
UConn VoTeR Center and Department of Computer Science and Engineering, University of Connecticut
{akiayias,ldm,acr,aas}@cse.uconn.edu
with the assistance of M. Korman, A. See, N. Shashidhar, D. Walluck
October 30, 2006

1 Introduction

The subject of this paper is the AccuVote Optical Scan voting terminal (AV-OS) manufactured by Diebold, Incorporated, Election Systems division.

Security Vulnerabilities
Page 5

We briefly describe the new vulnerabilities that were discovered during our evaluation process. A detailed presentation of these vulnerabilities is available in an extended version of the report that can be provided on a need-to-know basis.

The AV-OS leaks the memory card contents: The AV-OS terminal allows any operator to obtain a dump of its installed memory card contents without any authentication control. In particular, given access to an AV-OS machine one can obtain all the information that is stored in the memory card in a matter of seconds. In order to obtain this information, it is sufficient to use an off-the-shelf RS-232 serial cable (null modem cable) and a laptop. The AV-OS performs no authentication test to ensure that a trusted system is present on the other side while the dump is delivered in cleartext form. Moreover, the terminal does not prompt the operator for a password in order to produce such memory dump. It is easy to identify the election data when observing a memory dump; other sensitive information, including the password (PIN) and audit records associated with the memory card can also be reconstructed from the dump. Alternatively, the same dump can be obtained by using the built-in modem on the AV-OS to transmit the data to a remote PC.

The communication between AV-OS and GEMS is unauthenticated: During the initialization of a machine for election the GEMS system communicates with the AV-OS terminal to write the initial election setup to the memory card. No encryption or cryptographic authentication is performed during this transmission. The serial line protocol does use a cyclic redundancy check (CRC) mechanism for error control. While the CRC polynomial used is standard, the details of the protocol are undocumented by the manufacturer; as such, this is a de facto lightweight authentication mechanism. However, it is possible to reverse-engineer the whole protocol, including the CRC scheme formula (as we have done in our assessment). The lack of cryptographic authentication opens the possibility for an unauthorized attacker computer to impersonate the GEMS system to the terminal (this is one of the ingredients of our main election compromising attack in the next section).

Executable code within the AV-OS memory card: Each memory card contains executable code that is used for printing the reports. The code is written in a proprietary symbolic language. Such executable files are identified as .abo (AccuBasic Object) bytecode. The possibility to modify the code that prints the results opens the possibility to corrupt machines and coerce them into misinterpreting their counters. The presence of conditionals and arithmetic in the language enables bytecode “malware” to operate even conditionally on the state of the machine and thus appear to operate properly in some occasions

* Please read more-
http://www.votetrustusa.org/pdfs/Diebold%20Folder/uconn-report-os.pdf

PROTECTING ELECTIONS IN AN ELECTRONIC WORLD

Summary
• All three of the most commonly purchased electronic voting systems have significant security and reliability vulnerabilities.
• Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute.
• Millions of Americans with disabilities cannot vote independently and secretly on the voting machines in their precincts.
• The design of ballots and instructions has a large and demonstrable effect on loss of votes as a result of residual errors.
• The initial costs of a voting system are likely to be a small percentage of the total cost over its life-span.

All three of the most commonly purchased electronic voting systems have significant security and reliability vulnerabilities. These vulnerabilities pose a real danger to the integrity of national, state, and local elections. When the goal of an attack on voting systems is to change the outcome of a close statewide election, attacks that involve the insertion of corrupt software are the least difficult attacks. Voting machines that have wireless components are significantly more vulnerable to a wide array of attacks.

Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute. Of the 27 states that mandate voter-verified paper trails, only 13 require regular audits. Current federal guidelines for voting systems do not ban wireless components; only two states, New York and Minnesota, ban wireless components in voting machines. Only four states conduct parallel testing statewide.

After evaluating more than 120 possible attacks on voting systems for more than a year, the Brennan Center’s Task Force on Voting System Security recommends: (1) automatic routine audits of paper records; (2) parallel testing of voting machines; (3) banning of wireless components on all voting machines; (4) transparent and random selection procedures for parallel testing and audits; (5) decentralized programming and voting system administration; and (6) implementation of effective procedures for addressing evidence of fraud or error.

THE WORK OF THE BRENNAN CENTER

►Providing legal analysis and legislative counseling. The Brennan Center offers legal support to state officials interested in policy change. In conjunction with the California Secretary of State’s office, we held a seminar for the chief election offices in ten other states to explain our security findings and recommendations. We have worked with a number of legislators and policymakers on the federal, state, and local level to adopt legislation and regulations that will ensure that voter preferences are counted accurately. Since the release of our report on voting system security, Arizona, Utah and Wisconsin have announced they will audit voter verified paper records in this November’s elections.

►Working with local jurisdictions to increase the effectiveness of voting systems. The Brennan Center consults with county election officials to help them put measures in place to ensure the accuracy, accessibility, and security of their voting systems. Specifically, we have worked with Palm Beach County, Florida to develop a Parallel Testing regime for their paperless DREs this November. Pima County, Arizona (which includes Tucson) explicitly adopted a number of the Brennan Center’s security recommendations for this November’s elections. And the Cuyahoga County Election Review Panel, which was asked by Cuyahoga County, Ohio officials to review election and voting system practices, used the Brennan Center security report in developing new security recommendations for the county

Brennan Center for Justice at NYU School Of Law
161 Avenue of the Americas, 12th Floor • New York, NY 10013
212-998-6730 • www.brennancenter.org
http://www.federalelectionreform.com/pdf/Voting%20Systems%20Issue%20Brief.pdf
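[Added example, not part of the original post or of any of the reports it quotes.] The UConn excerpt quoted in the post above says a CRC is used for error control and that cryptographic authentication is absent. The Python sketch below shows that distinction from the receiver's side: a CRC trailer catches line noise but requires no secret, while an HMAC tag is only valid for the holder of a shared key. The record layout, the key and all function names are constructed for illustration; the real AV-OS/GEMS protocol is undocumented and is not modelled here.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed sample record and key (assumptions, not a real wire format).
SETUP = b"precinct=12;race=governor;candidates=A,B"
KEY = b"constructed-demo-key-provisioned-out-of-band"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def frame_crc(payload: bytes) -> bytes:
    """Append a CRC-32 trailer: error control only, no secret involved."""
    return payload + struct.pack(">I", zlib.crc32(payload))


def accept_crc(frame: bytes) -> bool:
    """Receiver check that only recomputes the public checksum."""
    payload, trailer = frame[:-4], frame[-4:]
    return struct.pack(">I", zlib.crc32(payload)) == trailer


def frame_mac(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag that depends on the shared key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def accept_mac(frame: bytes, key: bytes) -> bool:
    """Receiver check that requires the sender to have known the key."""
    if len(frame) < TAG_LEN:
        return False
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def compare_checks() -> dict:
    altered = SETUP.replace(b"A,B", b"B,A")   # record changed by a keyless sender
    noisy = bytearray(frame_crc(SETUP))
    noisy[3] ^= 0x01                          # single-bit transmission error
    genuine = frame_mac(SETUP, KEY)
    return {
        "crc_detects_line_noise": not accept_crc(bytes(noisy)),
        "crc_accepts_reframed_altered_record": accept_crc(frame_crc(altered)),
        "mac_accepts_genuine": accept_mac(genuine, KEY),
        "mac_rejects_altered_payload": not accept_mac(altered + genuine[-TAG_LEN:], KEY),
        "mac_rejects_wrong_key": not accept_mac(frame_mac(altered, b"guess"), KEY),
    }


if __name__ == "__main__":
    for name, result in compare_checks().items():
        print(f"{name}: {result}")
```

Every entry in the result is True: the CRC receiver accepts the altered record once its checksum is recomputed, and the HMAC receiver rejects it in both forms.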
canoeist52 (1000+ posts) | Tue Jan-29-08 11:52 AM | Response to Original message
1. What happens after the paper ballot
matters too. I watched a video of the New Hampshire recount showing boxes with loose covers and supposedly "sealed" with officially marked tape that could be pulled off without leaving a mark and reapplied. This is very important as well as machine irregularities.
stillcool (1000+ posts) | Tue Jan-29-08 12:00 PM | Response to Reply #1
2. That is also one of the recommendations
suggested in every one of these studies. I believe that those paid to conduct elections in my state are responsible for their own ignorance and their lack of action to secure my vote. When I know more about my voting system than the Secretary of State's office, something is very fucked up.