Welcome to my blog. Here, I will post items of interest to me most likely focusing on:
Sunday, August 31, 2008
ISE exploits MMORPGs
Researchers at my consulting company, ISE, discovered vulnerabilities in Age of Conan and Anarchy Online. The game producers were notified, and no details were released until the vulnerabilities were closed. It's instructive to see what was wrong and how such vulnerabilities can be avoided. The details are posted on our web site. A story appeared in today's Baltimore Sun.
Saturday, July 12, 2008
How an iPhone debut is like an election
I'm an iPhone junkie. I waited in line yesterday morning to get my iPhone, but I only had two hours, and after my time was up, I had made only minor progress, while the line grew pretty long behind me, so I abandoned my newfound iPhone junkie friends and left the Apple store (well, the line outside the Apple store) empty handed. Only later did I learn that the line was moving so slowly because of glitches in the system caused by so many simultaneous activations. John Markoff said it well in his NYT article today.
The setback was a classic example of the problems that can follow when complex systems have single points of failure. In this case, the company appeared to almost invite the problems by having both existing and new iPhone owners try to get through to its systems at the same time. 'There are certainly lessons in preparedness,' said Richard Doherty, a consumer electronics industry consultant who is president of the Envisioneering Group in Seaford, N.Y. He compared the day with Christmas morning, “the acid test for many years” for electronics companies because customers contact them in droves after opening presents and trying to get gadgets to work.
Of course, the Apple problems, as described in this article, are instructive when considering using electronic systems in elections. The debut of the Apple iPhone caused an unprecedented stress on their system on a single day, and there was no way for Apple to stress test their system in preparation for that day. I'm sure they performed many tests, and they clearly had plenty of notice to prepare for yesterday, and still, the system failed in unexpected ways when faced with the actual flash crowd of iPhone enthusiasts. That's not to say such a system will always fail. Sometimes it will work fine. But the takeaway from this is that a large, complex system, such as an election, running on a particular day, with no opportunity for a realistic to-scale test, may fail on election day in ways that cannot be predicted.
For this reason, it is important to keep systems as simple as possible, plan for contingencies, and assume the worst might happen. If it does not, there will have been no harm in having been prepared. But in the unfortunate circumstance where things do fail, as they did yesterday for Apple, we will all be better off for having been cautious.
Thursday, July 03, 2008
"Paper ballots" not "paper trails"
I've noted some confusion in discussions with reporters recently, and I have to assume that this confusion is somewhat widespread. The issue is whether or not a "paper trail" resolves the problems with electronic voting. The term "paper trail", in my opinion, is an unfortunate one. When I first got seriously involved in this issue in 2003, many of us advocated paper trails as a solution to paperless DREs. The thinking was that if every vote is recorded on a piece of paper and that paper was audited by the voter, then a correct tally could be produced by counting the papers. This could be used to audit the machines, or as the definitive ballots. In theory, this seems reasonable, but it doesn't work in practice, and the theory is a bit flawed as well.
As I describe this, keep in mind that the underlying premise is that the software-only DREs should not be trusted. Software often fails in unexpected and unexplainable ways, and in the case of national public elections, there is a threat that the software could have been rigged or modified, or just be plain old buggy. The bottom line is that elections are more trustworthy if we don't have to trust the software. So, given that premise, paper trails only provide some benefit if the papers are actually counted. Otherwise, the machines are just as vulnerable as ones that don't have paper trails. Unless there is a policy for checking the ballots, and unless voters actually inspect the paper trails, we might as well just use DREs because the paper trails are useless under those circumstances. In practice, things are actually worse. Vendors have developed paper trails that are unwieldy, difficult to count, printed with fading ink, and prone to failure and paper jams.
All of my experience with paper trails on DREs leads me to believe that instead of "paper trails" what we need are "paper ballots". In paper ballot systems, ballots are produced as in traditional elections, and these are the official ballots of record. By using touch screen ballot marking devices to create paper ballots (or even allowing people to mark them by hand), we avoid all of the problems of the paper trails. We end up with ballots that can be counted multiple ways, and which provide tangible evidence of the intent of each voter.
So, my advice is to abandon the term "paper trail", to abandon DREs with paper trails, and to start talking about paper ballots.
Tuesday, April 01, 2008
Adios iPhone
I was flying back from California last week, watching a video on my iPhone, and next to me was this guy who kept glancing at me and smirking. "Is that an iPhone?", he finally asked. I nodded. "Humph," he grunted and assumed an air of superiority. I was a bit taken aback so I asked him why he didn't like iPhones. "Oh," he said, "they're okay, I guess," and then he mumbled under his breath "if you are into that sort of thing." I couldn't just let that go, so I asked him if he had ever actually used an iPhone.
He looked around as if to see if anyone else was looking, and gave me a conspiratorial smile. "I've got something to show you," he said. And he proceeded to pull out a tiny gadget that looked like an earpiece for a phone. "Check out my device," he said. "It's an integrated PDA, phone, GPS and HD multimedia station." I asked him how he dialed the phone, and he said that it uses a built-in address book with voice recognition. You just say a name, and it looks it up in your address book and dials. What about names that aren't in the address book? He says that since the device is always online, it does a directory search over the Internet and tries to find a match that way. But, how do you know what number it found? There's no display! Before I understood what was going on, he removed a contact lens from his eye and asked me to put it in. I thought this was crazy. But, he had a liquid that he sprayed on it to clean it. Still skeptical, I popped it into my eye, and I was completely blown away. As if floating in air was a transparent view of a screen with a phone style interface. "Now," he said, "use your pupil to navigate the cursor, and crunch your jaw to click. Right side of the mouth for right click, left side for regular click, and bite your tongue to scroll." It took me a little practice, but I was soon able to move things around the screen with ease. I could see as if I was looking at a computer screen. It was like nothing I've ever seen before. And then he played a movie for me. Unbelievable resolution, and hi fidelity sound. The growing pain in my tongue was the only downside I could see to this device.
The "phone" had a full fledged PDA interface. It had video watching mode, an Internet browser, visual voicemail, and many other features that I had never even heard of. I asked my new friend where he got this, and he said that it is a prototype of a new product he invented that he is calling the EyePhone. He had a few glitches to work out, and then he was going to try to commercialize it. I volunteered on the spot to be a beta tester for him, and he agreed. I now have a room full of these test devices, and a year's supply of Hi Definition contact lenses. Needless to say, I am dumping my iPhone.
So, if you ever see me staring off into space with a blank look, it's not that I'm ignoring you; I'm probably just reading email or looking something up in my calendar, perhaps checking to see what happened on April 1.
Thursday, February 21, 2008
Lunar Eclipse
Last night, there was a lunar eclipse - the last one until December, 2010. Since it was very cold and had just snowed, instead of setting up my tripod outside like I should have, I took some pictures and hand held the camera. Still, they came out okay. If you want to see the pictures, click here. My daughter was pretty excited about it, and was even willing (eager!) to extricate herself from American Idol to look at it several times.
Saturday, February 02, 2008
An article about Internet voting
David Dill and Barbara Simons have written an excellent essay about some of the risks of Internet voting and a system that is being deployed for the Democratic primary. While the dangers of electronic voting with paperless DREs have been covered in great detail in this blog and in other places, the risks of voting on home computers over the Internet are significantly greater. It seems only fitting that Dill & Simons published this article on Groundhog Day. If you saw the Bill Murray movie where every day repeats as though for the first time, you'll appreciate the way Internet voting seems to appear again in every election in a similar fashion. Dill and Simons refer to Internet voting "experiments" as a whack-a-mole.
Thursday, January 24, 2008
My cool Mom
My Mom leads the Israeli dance group in Nashville, TN, where I grew up. They dance at Vanderbilt where she is Professor of Mechanical Engineering. They recently produced a short video about the group, which is narrated by my Mom who also stars in it with her dance group. Check it out.
Monday, January 21, 2008
ACCURATE annual report available
ACCURATE is A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections. We are funded by the National Science Foundation, and I am the center director. Our 2007 annual report is now available here. It highlights the Center's major accomplishments and activities in 2007. This coming election year promises to be our most interesting and productive, as members of ACCURATE engage in all aspects of the election, as well as in researching technologies for improving future elections.
Thursday, January 10, 2008
2008 Election Judge Training
I attended my Maryland election judge training session today. It was a 3-hour class for returning judges. There was really nothing new for me. I've already worked 4 elections using the Diebold Accuvote machines, and we will be using them again this year. I did, however, notice a change in the tone of the class.
Right up front, the instructor told us that the three most important factors for us to consider are "Security, Integrity, and Accuracy". These three things were stressed throughout the day. The instructor talked about the 20/20 segment where a hacker was able to change tallies on the machine (I think it was Harri Hursti), and told us of a new tamper tape that was placed on the corner of the machine where there is a screw for opening up the casing. As before, I had a good look at this tamper tape and determined that it would be extremely difficult to tell if the tape had been voided or not. I think these tamper tapes are emperor's clothes designed to make administrators feel good. One of the trainers referred to it as the "Lou Dobbs seal", in reference to Lou Dobbs' coverage of e-voting problems leading up to the 2006 election.
We spent more time training on the poll books than I had in previous elections. These are those machines that failed miserably in the 2006 primary. The instructor told us that the books would not work properly if they were turned on at the same time, so each poll book had to be turned on and enabled before the next one. I remember hearing this as one of the explanations of why so many stations failed in 2006. I hope that she is mistaken, and that the machines will still work even if powered up in arbitrary order. Otherwise, Maryland will have problems again in 2008, because I'm certain that not all judges will remember to follow these instructions. The poll books have a new feature this year that the instructor was very proud of. The chief judges can reverse a voter's check-in and reissue them a voter authority card. This feature is a bit scary, although I can see how it would be useful under certain circumstances. This is enabled via a 4 digit PIN that is supposed to be known only to the chief judges.
It struck me as ironic that we were required to fill out a survey about our experience as a judge, as well as an evaluation of our instructors. We were given the surveys on paper, with round ovals to fill in so that the survey and evaluation results could be optically scanned and tabulated. It struck me that the survey and evaluation of our election judge training was more auditable, secure, reliable and transparent than the machines that will be used in the actual election.
I hope that when I train for the 2010 election in Maryland, that we will be working on how to collect paper ballots, to avoid residual votes, and to work with precinct count scanners of paper ballots. If the state does not fund this change, then the measure to move to paper ballots that passed in the legislature last year and was signed by the governor will be thrown out.
Here are some pictures that I took at training today.
Friday, December 14, 2007
Ohio report is available
Ohio's secretary of state, Jennifer Brunner, has commissioned a study that appears to be on the same order as California's top to bottom review of their voting systems. There are several reports available on the SoS web site. The most remarkable report is that of the academic team who analyzed the ES&S, Premier Elections Solutions, and Hart InterCivic voting systems. The academic report, produced by some of the leading computer security experts such as Matt Blaze, Harri Hursti, and Giovanni Vigna, and led by Patrick McDaniel of Penn State, is available here, on the SoS web site.
Quoting from the executive summary:
"All of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election. While each system possessed unique limitations, they shared critical failures in design and implementation that lead to this conclusion:
- Insufficient Security - The systems uniformly failed to adequately address important threats against election data and processes. Central among these is a failure to adequately defend an election from insiders, to prevent virally infected software from compromising entire precincts and counties, and to ensure cast votes are appropriately protected and accurately counted.
- Improper Use or Implementation of Security Technology - A root cause of the failures present in the studied systems is the pervasive mis-application of security technology. Failure to follow standard and well-known practices for the use of cryptography, key and password management, and security hardware seriously undermine the protections provided. In several important cases, the misapplication of commonly accepted principles renders the security technology of no use whatsoever.
- Auditing - All of the systems exhibited a visible lack of trustworthy auditing capability. In all systems, the logs of election practices were commonly forgeable or erasable by the principals who they were intended to be monitoring. The impact of the lack of secure auditing is that it is difficult to know when an attack occurs, or to know how to isolate or recover from it when it is detected.
- Software Maintenance - The software maintenance practices of the studied systems are deeply flawed. This has led to fragile software in which exploitable crashes, lockups, and failures are common in normal use. Such software instability is likely to increase over time, and may lead to highly insecure and unreliable elections."
and later in the executive summary:
"The review teams were able to subvert every voting system we were provided in ways that would often lead to undetectable manipulation of election results. We were able to develop this knowledge within a few weeks. However, most of the problems that we found could have been identified with only limited access to voting equipment. Thus, it is safe to assume that motivated attackers will quickly identify – or already have – these and many other issues in these systems. Any argument that suggests that the attacker will somehow be less capable or knowledgeable than the reviewer teams, or that they will not be able to reverse engineer the systems to expose security flaws is not grounded in fact."
The report is an incredible read. This group, in only a couple of months, managed to completely subvert these systems and to expose them as woefully insecure and inadequate for the real world. Secretary Brunner, to her credit, has now recommended the elimination of DREs in polling places in her state. Now if only other states will follow her lead and that of Debra Bowen, SoS of California.
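The "Auditing" finding quoted above, that election logs were forgeable or erasable by the very principals they were supposed to monitor, is easiest to appreciate next to a log that is not. The following is an added example, written for this post and not code from the blog or from the Ohio review team: a minimal hash-chained, append-only event log in which every record commits to the hash of the one before it, and the final head hash is published outside the log (for instance read out and written on the poll-closing tape). With that published head in hand, anyone can detect a modified, deleted or truncated record. The event records and the function names are constructed for the example.

```python
"""Hash-chained, append-only audit log with external head commitment.

Added example; the event records below are constructed sample data, and
the API (append / verify / demo) is invented for this illustration.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # hash the first record chains to


def _hash_record(prev_hash: str, seq: int, event: dict) -> str:
    """Hash of (previous hash, sequence number, event) with canonical JSON."""
    payload = json.dumps(
        {"prev": prev_hash, "seq": seq, "event": event},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def append(log: list, event: dict) -> str:
    """Append an event; each record commits to the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    h = _hash_record(prev, seq, event)
    log.append({"seq": seq, "prev": prev, "event": event, "hash": h})
    return h


def verify(log: list, published_head: str) -> tuple:
    """Re-walk the chain and compare its head to the externally published one.

    Returns (ok, reason). A chain check alone cannot catch truncation of the
    tail, which is why the head must live somewhere the log's operators
    cannot rewrite.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, f"chain break at record {i} (record inserted or deleted)"
        if _hash_record(prev, i, rec["event"]) != rec["hash"]:
            return False, f"record {i} was modified"
        prev = rec["hash"]
    if prev != published_head:
        return False, "head mismatch: log truncated or rewritten"
    return True, "ok"


# Constructed sample events for one polling place (not real election data).
SAMPLE_EVENTS = [
    {"type": "polls_open", "unit": "DRE-07", "time": "07:00"},
    {"type": "ballot_cast", "unit": "DRE-07", "count": 1},
    {"type": "ballot_cast", "unit": "DRE-07", "count": 2},
    {"type": "admin_login", "unit": "DRE-07", "who": "chief_judge"},
    {"type": "polls_close", "unit": "DRE-07", "time": "20:00", "total": 2},
]


def build_sample_log() -> list:
    log = []
    for event in SAMPLE_EVENTS:
        append(log, event)
    return log


def demo() -> dict:
    """Show that the intact log verifies and each tampering is detected."""
    log = build_sample_log()
    published_head = log[-1]["hash"]  # recorded outside the machine at close
    results = {"intact": verify(log, published_head)[0]}

    # An insider edits a count in place.
    tampered = copy.deepcopy(log)
    tampered[2]["event"]["count"] = 999
    results["modified"] = verify(tampered, published_head)[0]

    # An insider erases the record of their own login.
    tampered = copy.deepcopy(log)
    del tampered[3]
    results["deleted"] = verify(tampered, published_head)[0]

    # The end of the log is dropped.
    tampered = copy.deepcopy(log)
    tampered.pop()
    results["truncated"] = verify(tampered, published_head)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is the last step of `verify`: chaining makes a log internally consistent, but an operator who controls the whole file can simply rebuild the chain after editing it. Detection only becomes independent of the operator once the head hash is committed somewhere they cannot change, which is the separation the report found missing.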