Ars Technica's Guide to Vote Hacking

[Lemur]

Ars posted a lovely, detailed meditation on what it would take for a determined individual (or small group) to swing votes using e-voting machines. From the article's conclusion:

• Bits and bytes are made to be manipulated; by turning votes into bits and bytes, we've made them orders of magnitude easier to manipulate during and after an election.
• By rushing to merge our nation's election infrastructure with our computing infrastructure, we have prematurely brought the fairly old and well-understood field of election security under the rubric of the new, rapidly evolving field of information security.
• In order to have confidence in the results of a paperless DRE-based election, you must first have confidence in the personnel and security practices at these institutions: the board of elections, the DRE vendor, and third-party software vendor whose product is used on the DRE.
• In the absence of the ability to conduct a meaningful audit, there is no discernable difference between DRE malfunction and deliberate tampering (either for the purpose of disenfranchisement or altering the vote record).

[Fragony]

There has been some discussion about that here, our voting machines weren't even protected

[Duke Malcolm]

Praises be that we in the old country stick with the tried and tested paper ballots...

[Lemur]

I'm surprised this is generating so little discussion. We're two weeks from a major vote in the U.S., and many of us will be using touchscreens. Key quote from the article:

In all this time, I've yet to find a good way to convey to the non-technical public how well and truly screwed up we presently are, six years after the Florida recount. So now it's time to hit the panic button: In this article, I'm going to show you how to steal an election.

[Vladimir]

So dead people don't vote using paper ballots? What are you saying, that the system has flaws? Oh Noes!

[drone]

The only way people are going to take this seriously is if the system is hacked to produce a completely ridiculous result. When Homer J. Simpson (Lib) wins the 2008 presidential election, all thoughts of paperless e-voting machines will be purged. Until then, the vast majority will not care, and I'm not so sure the main parties really want a secure, fair system.

[sharrukin]

So dead people don't vote using paper ballots? What are you saying, that the system has flaws? Oh Noes!

"the ability of an individual or a very small group to steal an entire election by making subtle changes in the right places."

"an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities — a voting-machine virus."

The problem is that stuffing ballots takes a lot of people to swing an election in a local setting and is not really feasible on a national scale. It leaves behind evidence that it happened as well. That evidence can be used to invalidate a crooked election. Electronic manipulation doesn't leave behind obvious evidence of what took place, only (sometimes) evidence that 'something' took place. Voting irregularities take place all the time, and finding the electronic footprint in that, and knowing it for what it is, would be very difficult. An election could be stolen and we would never know!

[Xiahou]

So dead people don't vote using paper ballots? What are you saying, that the system has flaws? Oh Noes!

Im kinda with you. I don't know what you people have been voting on, but I never got a "reciept" for any vote I've ever made and never saw any ballot. I used to vote on the old "green monster" voting machines where flick switches and then pull a lever and hope everything counted. Last time I voted, it was on a touchscreen- personally, I felt better about the touchscreen since I at least got a review page before I submitted my vote.

Sure, do everything you can to make electronic voting machines more secure- there's no reason not to. But when you factor in the dead vote, illegal alien votes and other fraudulent registrations/votes- it's tough to get excited. Might some corrupt official with the access to do so alter the vote? It's possible, but what stopped this theoretical official from doing so with the old voting machines as well?

[macsen rufus]

An election could be stolen and we would never know!

And even if you did know, would anything get done about it?

Thinking back to 2000... oh, sorry, getting confused... that wasn't stolen was it? It was bought and paid for, fair and square

[Vladimir]

The problem is that stuffing ballots takes a lot of people to swing an election in a local setting and is not really feasible on a national scale. It leaves behind evidence that it happened as well. That evidence can be used to invalidate a crooked election. Electronic manipulation doesn't leave behind obvious evidence of what took place, only (sometimes) evidence that 'something' took place. Voting irregularities take place all the time, and finding the electronic footprint in that, and knowing it for what it is, would be very difficult. An election could be stolen and we would never know!

I don't know what level of experience you have with computers but your analysis is flawed. You can just look at what privacy groups say in regards to data collection on purchases, phone calls, ATM transactions, etc. It is SO easy to track someone electronically.

Everything you do on a computer is tracked. The problem with tracking systems and computers is not with them but with the human responsible for them. I don't want to call the anti e-vote people Luddites but I think that they're primarily reacting out of ignorance (which breeds fear).

Proper security procedures and competent, trustworthy people are all you need to ensure the reliability of ANY voting process.

[Lemur]

Everything you do on a computer is tracked.

Untrue. I'm not even sure what article to link to on this point, since saying "everything is tracked" demonstrates a substantial misunderstanding of how networks and computers function.

I don't want to call the anti e-vote people Luddites but I think that they're primarily reacting out of ignorance (which breeds fear).

Ars Technica is not exactly a bastion of anti-technological fearmongering. If anything, the apathy on this issue has largely been from non-technical people. Most geeks have formed an opinion on e-voting, either pro or con.

[sharrukin]

I don't know what level of experience you have with computers but your analysis is flawed. You can just look at what privacy groups say in regards to data collection on purchases, phone calls, ATM transactions, etc. It is SO easy to track someone electronically.

Everything you do on a computer is tracked. The problem with tracking systems and computers is not with them but with the human responsible for them. I don't want to call the anti e-vote people Luddites but I think that they're primarily reacting out of ignorance (which breeds fear).

Proper security procedures and competent, trustworthy people are all you need to ensure the reliability of ANY voting process.

Do you know what a hacker is? Are you aware that there have been numerous hacker attacks in past years that have gone undetected?

http://lists.jammed.com/IWAR/1998/06/0003.html

"At Stanford's main campus, hackers have broken into the computer
system before using ``sniffers'' -- or networked computers with
special software -- and gone undetected for months."

These are not professionals, just young adult morons.

http://www.awprofessional.com/articl...&seqNum=6&rl=1

"It is possible to design a virus or worm program that spreads via software exploits that are not detected by intrusion-detection systems (for instance, zero-day exploits [18] ). Such a worm could spread very slowly and be very difficult to detect. It may have been tested in a well-stocked lab environment with a model of the target environment. It may include an "area-of-effect" restriction to keep it from spreading outside of a controlled boundary. And, finally, it may have a "land-mine timer" that causes it to be disabled after a certain amount of time—ensuring that it doesn't cause problems after the mission is over."

Point
http://www.rollingstone.com/news/sto...lection_stolen

Counterpoint
http://www.cleveland.com/readers/ind...900.xml&coll=2

My personal opinion tends towards not believing that it was stolen. But then, if it had been, how exactly would we know amidst all of this nonsense and sensationalism? A few percentage points is all it takes and if done electronically, it could easily be lost in the shuffle.

[Vladimir]

A few percentage points can also be done using paper ballots. And it takes a less than computer savy person to do that.

Yes I know what hacking is, and to quote you:

"an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities — a voting-machine virus."

We were talking about physical access, not some kid using his parents PC.

[sharrukin]

A few percentage points can also be done using paper ballots. And it takes a less than computer savy person to do that.

Yes I know what hacking is, and to quote you:

Quote:
"an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities — a voting-machine virus."

We were talking about physical access, not some kid using his parents PC.

The physical access method was only one of multiple attack vector mentioned!

And no, it takes a lot of non-computer savy individuals to steal an election on a medium scale, and the evidence is obvious, and traceable.

[Lemur]

I really don't understand why this discussion has broken down partisan lines. One would think that the pursuit of fair, accurate and representative elections would not be parsed as (yet another) left-right issue.

[BDC]

I really don't understand why this discussion has broken down partisan lines. One would think that the pursuit of fair, accurate and representative elections would not be parsed as (yet another) left-right issue.

It's America. Everything is partisan.

[sharrukin]

I really don't understand why this discussion has broken down partisan lines. One would think that the pursuit of fair, accurate and representative elections would not be parsed as (yet another) left-right issue.

Well, I am a right wing conservative. I am a Canadian as well, so I am not sure if that counts. Why would Democrats care more than Republicans in any case? Is this a legacy of that 'hanging chad' thing in Florida?

[drone]

We were talking about physical access, not some kid using his parents PC.

Not sure if you read the article, but when they say "physical access", they include the act of voting. The Diebold machines are not physically secure either, it's the combination that has some people worried. A hacker gets to the voting booth early, pretends to vote, but instead compromises the machine in such a way as to affect the voting on either that machine, or any machine that networks with the compromised machine. Since voting occurs in November, people will be wearing bulky coats in some places, plenty of ways to hide what you are doing while standing at the booth.

The fact that some people are so adamantly against a paper trail backup to e-voting machines makes me suspicious. Why not?

[Xiahou]

And no, it takes a lot of non-computer savy individuals to steal an election on a medium scale, and the evidence is obvious, and traceable.

And you're saying that it would only 1 person and be untraceable on e-voting machines? I think not.

And again, before someone decides to put words in my mouth- I think we should make voting machines as secure as possible, there's no reason not to. However, you have to recognize that you'll never have perfection... you sure didn't have it under the "old" systems. Sure, take whatever reasonable steps you can for security, but Im no more concerned (and in some ways less concerned) about my vote counting via an e-vote than traditional methods.

Untrue. I'm not even sure what article to link to on this point, since saying "everything is tracked" demonstrates a substantial misunderstanding of how networks and computers function.

You can log everything- the question is more about doing it and doing it accurately.

[Lemur]

In case anyone is unclear, Xiahou is a geek who has decided that he is unreservedly for touchscreen voting.

[Xiahou]

In case anyone is unclear, Xiahou is a geek who has decided that he is unreservedly for touchscreen voting.

And Lemur is a geek who is unreservedly against touchscreen voting.

[Lemur]

And Lemur is a geek who is unreservedly against touchscreen voting.

I don't see how you can arrive at that based on what I've posted. I'm all for electronic voting, assuming good practices are applied. Any computing environment requires safeguards. Especially when so many people have so many reasons for wanting to mess with the results.

In all seriousness, could you explain to me why you are 100% in favor of the current system of e-voting? I don't understand where your certainty is coming from ...

[Xiahou]

In all seriousness, could you explain to me why you are 100% in favor of the current system of e-voting? I don't understand where your certainty is coming from ...

I never said I was 100% in favor of the current system, so I was equally confused when you said so about me. I did say, personally, that I have more confidence in my vote being registered correctly under the touch screen system than I did under the previous "green monster" voting machines- which, to my knowledge, only counted tallies and had no "paper trail" either.

And as far as votes being registered correctly, I'd think touchscreen is also far better than punch-card paper ballots with their hanging chads, dimples, and butterfly ballots.

People who are opposed to voting machines seem to be under the impression there was no possible room for election fraud on that backend- that isnt the case. Clearly there's room for backend fraud on e-voting fraud, but I find the accusations that it can be done undetectably by a single hacker to be incredible. I'm not 100% certain e-voting is foolproof, but I wasnt certain that the previous myriad of methods were either.

[Lemur]

Well, it's good to see there's room for nuance in both our positions. I still believe that e-voting should be done with ATMs, but then I'm weird. (My reasoning being that people get serious about security and accountability when money's involved, so none of this hanky-panky would be tolerated.)

With any crime, the issue is not making it impossible, but rather making it inconvenient. After all, the only safe PC is one that is encased in lead, turned off, and buried in an undisclosed location. You can't make anything perfectly secure, and to ask for that is absurd.

On the other hand, it is possible to make a computerized system that is unreasonably insecure. Re-reading the Ars article, I rather suspect the latter.

[Spetulhu]

You can't make anything perfectly secure, and to ask for that is absurd.

On the other hand, it is possible to make a computerized system that is unreasonably insecure. Re-reading the Ars article, I rather suspect the latter.

If it's the Diebold machines, well, they're so easy to subvert that you'd suspect the GOP-supporting owner of the company designed them that way. If you were of the tinfoil-hat persuasion, that is.

http://www.bbvforums.org/cgi-bin/for...954/15595.html

[Lemur]

In other tinfoil hat news, the mistakes and miscounts involved in the e-voting machines always seem to skew in a particular direction ...

KFDM continues to get complaints from Jefferson County voters who say the electronic voting machines are not registering their votes correctly.

Friday night, KFDM reported about people who had cast straight Democratic ticket ballots, but the touch-screen machines indicated they had voted a straight Republican ticket.

Some of those voters including Lamar University professor, Dr. Bruce Drury, believe the problem is a programming error.

Saturday, KFDM spoke to another voter who says it's not just happening with straight ticket voting, he says it's happening on individual races as well, Jerry Stopher told us when he voted for a Democrat, the Republican's name was highlighted.

Stopher said, "There's something in these machines, in this equipment, that's showing Republican votes when you vote for Democrats, and I know Ms. Guidry's a nice lady, and she's working hard, but her theory that my fingernail was somehow over the Republican button is just unrealistic, my fingernail was not. The equipment is not working properly as far as I can tell."

Jefferson county clerk Carolyn Guidry says her office has checked the calibration of the machines and found no problems.

She says the electronic system is very sensitive.

Sensitive is an interesting choice of words. That story is from Texas. Meanwhile, in Florida, the true and proper home of contested elections:

Debra A. Reed voted with her boss on Wednesday at African-American Research Library and Cultural Center near Fort Lauderdale. Her vote went smoothly, but boss Gary Rudolf called her over to look at what was happening on his machine. He touched the screen for gubernatorial candidate Jim Davis, a Democrat, but the review screen repeatedly registered the Republican, Charlie Crist.

That's exactly the kind of problem that sends conspiracy theorists into high gear -- especially in South Florida, where a history of problems at the polls have made voters particularly skittish.

A poll worker then helped Rudolf, but it took three tries to get it right, Reed said.

"I'm shocked because I really want . . . to trust that the issues with irregularities with voting machines have been resolved,'' said Reed, a paralegal. "It worries me because the races are so close.''

[...]

Mauricio Raponi wanted to vote for Democrats across the board at the Lemon City Library in Miami on Thursday. But each time he hit the button next to the candidate, the Republican choice showed up. Raponi, 53, persevered until the machine worked. Then he alerted a poll worker.

[Lemur]

The Reg has picked up on this story that appears to be completely uninteresting to my fellow citizens:

Florida ballot terminals favor Republicans

Even when voters don't

By Thomas C Greene in Dublin
Published Tuesday 31st October 2006 13:15 GMT

Florida voters using electronic ballot machines are having persistent problems choosing Democrats in early elections, the Miami Herald reports.

The touch-screen gizmos seem strangely attracted to Republican candidates. One voter needed assistance from an election official, and even then, needed three tries to convince the machine that he wanted to vote for Democrat Jim Davis in the gubernatorial race, not his Republican opponent Charlie Crist.

Another voter who went Democrat across the board kept finding Republicans listed in the summary screen. He made repeated attempts until, finally, the machine registered his votes correctly, and he cast his ballot.

Yet another frustrated voter who complained of difficulties selecting a Democrat was told that the machine she was using had been troublesome. Poll workers fiddled with it for a bit, and then it seemed to work properly.

Apparently, this happens all the time. According to the Herald, "Broward County Supervisor of Elections spokeswoman Mary Cooney said it's not uncommon for screens on heavily used machines to slip out of sync, making votes register incorrectly. Poll workers are trained to recalibrate them on the spot - essentially, to realign the video screen with the electronics inside. The 15-step process is outlined in the poll-worker's manual."

Well that's a relief. Only we have to wonder, if the screens "slip out of sync," might other components do so as well? And why are poll workers permitted to fiddle with the machines?

Unfortunately, the article tells us little. It sounds as if the machines are of poor quality, but the paper neglects to mention the manufacturer(s) responsible for them. The elections supervisor's spokesperson seems altogether too comfortable with the notion that the machines are unreliable. 'They do that all the time?'

With early elections already underway, it looks as if Florida will again be in the headlines for the wrong reasons, as it so often is.

[Banquo's Ghost]

It probably doesn't soothe any worries, but we're having the same disaster/debate here in Ireland - though our politicians being what they are, we've screwed it up more royally than anyone dared hope.

El Reg again.

Spoiler Alert, click show to read: 

Irish e-voting emerges from the crypt
On government life support
By Thomas C Greene in Dublin
Published Tuesday 24th October 2006 13:35 GMT


After spending €52m on a computerised voting scheme that doesn't work reliably, and warehousing the kit at a cost of about €800,000 per year, the Irish government would like to revive the technology so that the country's reputation doesn't suffer.

Ireland will be embarrassed without computerised balloting, Taoiseach Bertie Ahern claimed during a Dáil session last week.

"We have to correct the software, which will cost €500,000 and try to move forward. Otherwise, this country will move into the 21st century being a laughing stock with our stupid old pencils," the Taoiseach explained.

(The Times Online quoted him as saying "stupid aul pencils", but we can assure readers that the Taoiseach does not, in fact, talk like animated Lucky Charms cereal pitchman Lucky the Leprechaun.)

According to government reports on the system's various flaws, the hardware is acceptable. The software, not so much.

Labour Party leader Pat Rabbitte was strident in his criticism of the whole scheme, and repeatedly suggested that there is no way forward. He was at a loss to suggest any positive step, however, and even declined to advocate scrapping the scheme once and for all - which makes sense, as it would remove from his use a fair bit of ammunition with which to ridicule the government. Which he does rather nicely.

Rabbitte had supported e-voting, although when confronted with this fact insisted that he'd supported "a working system". Which Ireland clearly does not have.

The fact is, the whole debate is academic. It makes no difference whether one uses electronic gadgets, paper ballots, or a combination. All that matters are the security protocols in effect. A strictly paper system can be quite secure if it's designed right. Similarly, an electronic system can be quite secure - again, if it's designed right.

The combination of electronic machines with a paper record has become an obsession among a number of "activists", but it, too, can only be useful if the design is secure. Still, it's the least desirable alternative because it introduces needless complexity, and tremendous uncertainty when results are in dispute. How do you know which record, the electronic or the paper, is valid? Either component can be attacked, can fail, or can simply be designed badly.

The Irish system is now so mistrusted that there is nothing anyone can do to fix it (including actually fixing it). Ahern is in a terrible position. His government squandered the €52m, and everything he says sounds like spin, even on those occasions when it isn't.

For example, when confronted by news that a voting machine had been compromised, Ahern noted that "the anti-electronic voting campaign group in the Netherlands physically hacked into a machine to demonstrate security flaws. If one hacked into a ballot box one could do that too".

It's a sensible observation, but it doesn't help. The public perception is that machines are easier to hack, and that it's easier to conceal the fact. Meanwhile, the opposition likes having the e-voting debacle to hang around Ahern's neck when it suits them.

At this point, the only sensible thing to do is start over. A well-designed paper system would be a perfectly good place to start. But if Ireland has got to have electronic voting to boost the government's self esteem, then fine.

For secure, trustworthy e-voting, one needs hardware validated by an independent (and competent) testing agency, and a system to ensure that only validated hardware is used (ie, no post-validation equipment changes of any sort, and fragile seals to indicate tampering visibly).

Next, one needs software validated by an independent testing agency, and a mechanism to ensure that only validated software can be installed. This would involve the compiler, all source code, libraries, encryption software, etc. It doesn't have to be open source, but the validating agency has got to have access to every single bit. It would then build all of the software and issue approved copies. This can be verified cryptographically, cheaply, and easily.

Of course, there must not be any mechanism for remote IP access or switched telephone access to the machines or the database. Leased lines only.

There also needs to be a validated auditing mechanism to show every instance of access to the machines and the database.

Finally, one needs redundancy in the database and in each machine, so that when one fails, its contents cannot be lost. And there must be a mechanism to ensure that when it fails, it will cease to function (ie, it will fail safe), with its contents up to that point preserved. That's basically it, although there are numerous details which The Register has covered at length previously, here and here.

It appears, however, that the government will make some improvements and try to call the system fixed. But patching isn't good enough; the system is not trusted and it needs to be re-worked with a comprehensive set of security and trustworthiness protocols. Otherwise, important weaknesses will undoubtedly be overlooked and the debate will go on, pretty much for eternity.

[IRONxMortlock]

As electronic voting machines become part of the election process in more and more countries I think it's vital that there are backups so that there can be a physical recount if needed.

Perhaps electronic voting machines which supply two receipts of your vote could be the answer? One goes into a box for the electoral officials and the voter keeps the other.

[BigTex]

As electronic voting machines become part of the election process in more and more countries I think it's vital that there are backups so that there can be a physical recount if needed.

Perhaps electronic voting machines which supply two receipts of your vote could be the answer? One goes into a box for the electoral officials and the voter keeps the other.

Indeed paper backups are neccesary. It's scary to think about how easily computers are manipulated, even these could be. Without any form of a backup poll manipulation could be impossible to detect, or worse never detected at all.