David Dill of Stanford, Verified Voting, and ACCURATE has written a terrific essay on the Holt Bill. I'm posting it here in its entirety:
IT'S TIME TO OUTLAW PAPERLESS ELECTRONIC VOTING IN THE U.S.
by
David L. Dill
VerifiedVoting.org
Four years ago, when I began publicly opposing paperless electronic voting, passing a Federal law to require voter-verified paper records (VVPRs) seemed an impossible dream. Rep. Rush Holt introduced such a bill in 2003, and another in 2005, but both bills languished in committee until the clock ran out.
The dream is now achievable, due in part to the unending stream of problems caused by paperless voting machines in recent years. HR 811, the third incarnation of the Holt bill, is a critical measure needed to protect the integrity of our elections, and it now has very good prospects of being enacted. It already has 210 co-sponsors in the House, where only 218 votes are required to pass it.
There are two provisions in HR 811 that are especially vital for restoring trust in American elections: a nationwide requirement for voter-verified paper records, and stringent random manual counts of those records, to make sure they agree with the announced vote totals. The requirements in the Holt bill are superior to those in almost every state of the country (there are now 22 states with significant amounts of paperless electronic voting, and only 13 states require random audits of VVPRs).
Success is not assured, however. The forces that have blocked previous bills are still active, especially vendors of current poorly performing equipment. Also, various concerns, reasonable and otherwise, have been raised about the bill by other parties.
Some groups insist on optical scan machines, which read and count hand-marked paper ballots, and are not supporting HR 811 because it still allows the use of touch-screen machines. However, under HR 811, those machines must be equipped with so-called voter-verifiable paper trails, which print a paper copy of the vote that can be reviewed by the voter before being cast. Most of the current generation of inferior paper-trail machines would not be allowed under HR 811, which requires the machines to preserve the privacy of voters and requires the VVPRs to be printed on high-quality paper. This will create a strong incentive for local jurisdictions to purchase optical scan equipment. Furthermore, HR 811 makes the paper records the official ballots of record in audits and recounts, and requires election officials to post a notice explaining to voters the need to verify their VVPRs.
I would personally prefer to see optical scan machines be used nationwide, if supplemented by equipment to allow voters with disabilities to vote privately. If groups objecting to HR 811 can cause such a bill to be introduced and line up the votes in Congress to get it passed, that bill will have my support. Meanwhile, those of us who have actually talked to Congressional staff have not seen any significant support for such a requirement. It seems that we have a choice between HR 811 or continuation of our current "Kafka-esque" paperless system (as a French politician recently described it).
Another small but noisy contingent is opposing HR 811, sometimes without revealing their true agenda, because they will be satisfied only with a nationwide system of hand-counted paper ballots. In theory, we could adopt hand-counting of all ballots. However, hand counting is rarely used now. It is politically unrealistic to believe that the overwhelming number of jurisdictions that have been using automated voting in various forms for 40 years or more are going to go back to hand counting. HR 811 does not prevent hand counting for those communities who want to do it, but it provides a realistic solution for the rest of us.
Some are troubled by the role of the Federal Elections Assistance Commission (EAC) under the bill. Like many others, I, too, lack confidence in the EAC as currently configured. But HR 811 gives only minimal responsibilities to the EAC. I can live with that if the other provisions of the bill are enacted.
Finally, election officials have expressed concern over whether the timeframe of HR 811 is feasible. On the one hand, I want passionately to avoid potential meltdowns in the 2008 general election, and I am not convinced that the possibility of simply purchasing optical scan equipment has been adequately considered by those jurisdictions currently using paperless electronic voting. On the other hand, it is obviously necessary to allow adequate time for implementation of the bill. Congress has heard all sides of this argument, and I am confident that they will strike the right balance. If the implementation date needs to be extended, I hope it will be done in a way to encourage earliest possible elimination of paperless electronic voting, so that the maximum number of voters will be protected in 2008.
HR 811 will no doubt change as it travels down the long, winding legislative road. With some luck, the bill will survive with the key provisions intact, and may even improve.
A good bill that becomes law is better than a great bill that doesn't.
HR 811 will start moving soon. Please ask your U.S. Representative to support it.
Thursday, April 26, 2007
Tuesday, April 10, 2007
Paper ballot bill passes Maryland House
I have not seen any press reports about it yet, but according to a source of mine, yesterday, the Maryland House passed an enhanced version of the bill that passed the Maryland Senate last week. The bill requires paper ballots with in-precinct optical scan counting. Some provisions were added addressing disability access. The implementation of audit is left to the board of elections. I have not seen the final bill yet, but if this is all true, then it is a positive step. Now we need some proper audit requirements and for the governor to sign this bill and Maryland will switch from having one of the worst voting systems in the country to having one of the best. The transition to optical scan will happen by the 2010 election. I think it's a shame not to do this by 2008, but on balance, I will take it, considering that without this bill, we'd probably continue using DREs for a long time.
Friday, April 06, 2007
More information on SB392
I have obtained a copy of Senate Bill 392 which I am told passed the Maryland Senate today. I read through it, and I have mixed feelings. On the one hand, it definitely requires paper ballots and optical scanners by 2010. While I would strongly prefer 2008, at this point, I will take a guarantee that we will have this technology by 2010. However, what troubles me is that the required manual random audit text has been removed from the original bill. While this new system will have audit capability, it is critical that audits be required and random. Hopefully, this can be fixed after the fact. For now, I still view this development as a minor victory.
Good news from Maryland
What a sudden turnaround. The Maryland Senate just passed a paper ballot bill. I have heard from several people (including a comment posted on my previous blog entry) and one reporter, but I have not yet tracked down the text of the new bill. What I hear is that it will require paper ballots with optical scan and accessible ballot marking of paper ballots for disabled voters. I also have it on pretty good authority that there will be an effort within the Maryland House to pass the exact same bill.
The Senate bill passed unanimously! This is absolutely thrilling news.
I will post more once I track down the actual bill that passed and have a chance to read it.
What a great day for Maryland.
Monday, April 02, 2007
Disappointment in Maryland
I'm away with my family in Tennessee for Passover, but I wanted to take a moment to go online and update my readers about Maryland. Unfortunately, once again the state senate did not pass legislation that would have provided for a paper ballot for every voter in the state. I'm not sure why this happened because there seemed to be a uniform support for this bill in the committee when I testified in the senate hearing a few weeks ago. This will set Maryland back in the quest for verifiable and auditable elections. A huge disappointment.
Sunday, April 01, 2007
See you in ten
I have decided to leave computer science and to leave civilization and to go live in the woods. I have been ignoring nature for too long, and I would rather hang out with trees and rivers than with computers. You will no longer be able to reach me by email or fax, but if you put a message in a bottle and drop it off in a mountain river stream, I might get it. Take care everyone. I will return in 10 years and blog about my experience.
Friday, March 23, 2007
Shmoocon
I gave the keynote address at the Shmoocon Conference in Washington DC this evening. I promised the audience that I would post my slides here on my blog. Click here to download them.
Tuesday, March 13, 2007
Encrypting hard drives from Seagate
This week, Seagate Technology made headlines with their announcement of a new encrypting hard drive. The idea is that the hard drive will automatically encrypt and decrypt data so that it will always be stored encrypted. That way if a laptop with this hard disk is lost or stolen, the data will not be accessible to an attacker. I performed a search on this story on Google News today and came up with over 250 articles covering this announcement.
I think that the drive is an appropriate choice for where to encrypt data, but the limitations of this approach should be addressed, and none of the news stories that I read mentioned the shortcomings of drive-level encryption. On the positive side, data in this scheme is encrypted on the fly so that users and applications do not need to participate in the encryption - it is entirely transparent. A raw hard drive physically extracted from a laptop provides no data to an attacker, assuming a proper encryption key is used. This provides protection for the data at rest, when nobody is using the computer, and no user is logged in.
However, an encrypted drive does not guarantee that attackers can never access the data on the disk. To function properly, the system must allow access to legitimate users. This access must be simple and transparent. My expectation is that the user login password will be used to derive the encryption keys that protect the data on the drive. But, regardless of the scheme used to obtain the key, when a user is active on the machine, the keys must be available to the hard drive so that data can be encrypted and decrypted in the course of normal use. At that time, the data is just as available to malicious code in the form of spyware, Trojan horses and viruses as it is to the legitimate user. If the system is designed well, then the keys will be erased whenever a user logs out. Another problem with login keys to encrypt the drives is that user-level keys are frequently susceptible to dictionary attacks.
I'm not certain, though, that user-level keying makes sense for a drive-level encryption scheme. Drives contain all kinds of data, including system data, and data from many different users. At the disk drive level, there is no notion of a user, just data blocks. So, it would be awkward to use login keys to encrypt the drive. How would system files be decrypted? In fact, all kinds of file system information, such as file permissions, are not supposed to be known at the disk drive level. So, my feeling is that there is not an intuitive key management scheme for the Seagate hard drives. I'd be curious to know what they are doing in that regard. Encryption is great, but without proper key management, its benefits are questionable.
I applaud Seagate for pushing the envelope and encrypting at the drive level. Such a move by the leading manufacturer of disks can only be good news for those concerned about security. But, I caution users not to blindly trust that their data is no longer susceptible to theft. As long as users can access their data, so can attackers, and the security of the data on a lost laptop is to a large extent dependent on what Seagate did for key management - a difficult problem that is often left unsolved.
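The post raises two questions about drive-level encryption: how a per-user login secret can unlock a drive that only sees data blocks, and when the key is present in memory (and therefore available to malware on the host). The model below is an added example, not Seagate's design, which the post itself says is unknown; it assumes the common self-encrypting-drive layout in which one random data-encryption key (DEK) covers the whole drive and each credential holds its own wrapped copy of that DEK. The class name, the PBKDF2 iteration count, the HMAC-based key wrap and the HMAC counter-mode block cipher are all stand-ins chosen so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

# Constructed parameters for this model (an assumption, not Seagate's design).
PBKDF2_ITERATIONS = 100_000   # cost of each password guess
KEY_LEN = 32                  # 256-bit data-encryption key (DEK)


class SelfEncryptingDriveModel:
    """Toy model of drive-level key management.

    One random DEK encrypts every block, so the drive needs no notion of
    users or files. Each credential (login password, pre-boot PIN, recovery
    secret) holds its own wrapped copy of the DEK. The plaintext DEK exists
    in drive memory only while unlocked; lock() discards it."""

    def __init__(self):
        self._slots = {}     # credential name -> (salt, wrapped DEK, tag)
        self._blocks = {}    # block index -> ciphertext (the platters)
        self._dek = None     # plaintext DEK, present only while unlocked

    @staticmethod
    def _derive(password, salt):
        # Slow, salted derivation: the iteration count is what keeps a
        # dictionary attack on a weak password from being instantaneous.
        okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                  PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
        return okm[:KEY_LEN], okm[KEY_LEN:]   # (wrap key, MAC key)

    def provision(self, name, password):
        """First-use step: generate the DEK, wrap it for one credential, lock."""
        self._dek = os.urandom(KEY_LEN)
        self.add_credential(name, password)
        self.lock()

    def add_credential(self, name, password):
        if self._dek is None:
            raise RuntimeError("drive is locked")
        salt = os.urandom(16)
        wrap_key, mac_key = self._derive(password, salt)
        # One-time pad plus HMAC stands in for a standard key wrap (AES-KW),
        # which the Python standard library does not provide.
        wrapped = bytes(a ^ b for a, b in zip(self._dek, wrap_key))
        tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
        self._slots[name] = (salt, wrapped, tag)

    def unlock(self, name, password):
        """Load the DEK into drive memory if the credential verifies."""
        if name not in self._slots:
            return False
        salt, wrapped, tag = self._slots[name]
        wrap_key, mac_key = self._derive(password, salt)
        expected = hmac.new(mac_key, salt + wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return False     # wrong password: no key material is exposed
        self._dek = bytes(a ^ b for a, b in zip(wrapped, wrap_key))
        return True

    def lock(self):
        self._dek = None     # after this, the host (and its malware) has nothing

    def is_unlocked(self):
        return self._dek is not None

    def change_password(self, name, old, new):
        """Re-wrap the same DEK; nothing on the platters is re-encrypted."""
        if not self.unlock(name, old):
            return False
        self.add_credential(name, new)
        return True

    def _keystream(self, index, length):
        # HMAC-SHA256 in counter mode over (block index, counter) stands in
        # for a sector-tweaked mode such as XTS-AES; like XTS it is
        # deterministic per block, so rewriting a block reuses the keystream.
        out, counter = b"", 0
        while len(out) < length:
            msg = index.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hmac.new(self._dek, msg, "sha256").digest()
            counter += 1
        return out[:length]

    def write_block(self, index, data):
        """Transparent encryption: the host hands over plaintext."""
        if self._dek is None:
            raise RuntimeError("drive is locked")
        ks = self._keystream(index, len(data))
        self._blocks[index] = bytes(a ^ b for a, b in zip(data, ks))

    def read_block(self, index):
        if self._dek is None:
            raise RuntimeError("drive is locked")
        ct = self._blocks[index]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(index, len(ct))))

    def raw_block(self, index):
        """What a forensic read of the extracted platter returns."""
        return self._blocks[index]
```

Two properties of this layout match the post's analysis: while the drive is unlocked, `read_block` serves plaintext to whoever asks, legitimate process or Trojan alike, so the protection is really for the drive at rest; and the only thing standing between a lost laptop and its data is the credential that wraps the DEK, which is why the derivation cost and the strength of that credential matter more than the cipher on the platters.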
Friday, March 09, 2007
The FSU report on the ES&S iVotronic used in Sarasota County
On February 23, a team of computer scientists based out of Florida State University put out an exceptional report analyzing the ES&S iVotronic 8.0.1.2 voting machine firmware. The reason that this particular machine was of interest is that it was used in the 13th Congressional race in Sarasota County last November. As many of you know, this is the machine that was responsible for approximately 18,000 undervotes in that race. The research team was chartered with the task of attempting to determine if anything related to that code could have caused the missing votes due to some bug in the software on the voting machine. Of course, they could only analyze the source code of software that was supposed to be on the machine. They did not have an opportunity to examine whether or not the binaries actually running on those machines corresponded to that source code, nor is such a determination possible today.
When I first heard about this study (and I was even approached about joining it), my first thought was that it is a silly idea to try to figure out what went wrong in Sarasota County by analyzing the source code. So many factors that have nothing to do with the source code could have contributed to the problem, and source code analysis cannot be used to find all problems that may have arisen in the software. There are all kinds of run time conditions such as, for example, race conditions and runtime bounds errors that could cause problems without the ability to be detected by source code analysis.
However, the team, which contains quite a few all stars, proved that even though a source code analysis is not likely to shed any light on what happened in this particular election, it is nonetheless an extremely valuable exercise. I wish more real voting systems were subjected to such careful scrutiny followed by a public report. I have not seen the confidential appendices in this report, but just from the table of contents, it is clear that some serious problems were found in this machine, and once again it boggles the mind that it was ever certified and used in elections. On page 37, section 7.1 begins as follows:
"We identified several buffer overflow vulnerabilities that in a worst case scenario may allow an attacker to take control of a voting machine by corrupting data on a PEB. These create the possibility of a virus that propagates by exploiting the buffer overflow vulnerability."
This is reminiscent of the vulnerability that the Princeton team exploited in the Diebold DRE. I would not suggest reading this report before bed, because it is quite scary. To me, the Princeton work, coupled with this FSU report should serve as wake-up calls to the elections community that these sorts of studies need to take place before voting systems are deployed, not after an election has proven problematic. Studies such as the FSU one should be done as part of the certification process. This report clearly uncovered problems that would have been show stoppers, and yet, relatively little attention has been paid to this.
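The defect class the report describes is firmware that copies a field from removable media into a fixed buffer on the strength of a length the media itself supplies. The parser below is an added example, not code from the FSU report or from ES&S, and the record layout, buffer size and sample images are constructed for illustration (the real PEB format is not published in the report). It shows the check that has to precede every copy: the declared length is validated against both the destination buffer and the bytes actually present, and an untrustworthy record is rejected rather than processed.

```python
import struct

# Constructed record layout for this example (not the iVotronic/PEB format).
HEADER = struct.Struct(">HB")   # 16-bit payload length, 8-bit record type
MAX_PAYLOAD = 64                # size of the fixed buffer the firmware copies into


class MalformedRecord(ValueError):
    """Raised instead of copying a field whose declared size cannot be trusted."""


def parse_records(image):
    """Parse length-prefixed records from a removable-media image.

    Every declared length is checked against the fixed destination buffer and
    against the bytes actually present before anything is copied; a parser
    that skips either check is the shape of bug the report describes."""
    records = []
    off = 0
    while off < len(image):
        if len(image) - off < HEADER.size:
            raise MalformedRecord("truncated header at offset %d" % off)
        length, rtype = HEADER.unpack_from(image, off)
        start = off + HEADER.size
        if length > MAX_PAYLOAD:
            raise MalformedRecord("record at offset %d declares %d bytes, "
                                  "buffer holds %d" % (off, length, MAX_PAYLOAD))
        if length > len(image) - start:
            raise MalformedRecord("record at offset %d declares %d bytes, "
                                  "only %d remain" % (off, length, len(image) - start))
        records.append((rtype, bytes(image[start:start + length])))
        off = start + length
    return records


def build_record(rtype, payload):
    """Encode one record; used only to construct the sample images below."""
    return HEADER.pack(len(payload), rtype) + payload


def is_well_formed(image):
    """True when every record on the image passes the bounds checks."""
    try:
        parse_records(image)
        return True
    except MalformedRecord:
        return False


# Constructed sample images.
GOOD_IMAGE = build_record(1, b"precinct-12") + build_record(2, b"\x00\x10\x00\x07")
# Second record claims 0xFFFF bytes, far beyond the 64-byte destination buffer.
OVERSIZED_IMAGE = build_record(1, b"precinct-12") + HEADER.pack(0xFFFF, 2) + b"\x00" * 8
# Single record claims 20 bytes but the media holds only 5.
TRUNCATED_IMAGE = HEADER.pack(20, 1) + b"short"
```

The same two checks apply whatever the language: in C firmware the `MAX_PAYLOAD` comparison is what keeps a `memcpy` inside its destination, and the remaining-bytes comparison is what keeps the read inside the source. A certification review can exercise exactly these cases, an oversized length and a truncated record, against the real firmware without knowing anything else about its format.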
American Idol - I demand a recount!
For this posting, I have to admit something that will probably lose me the respect of many, and yet I can't help it. Here goes... I am a closet American Idol fan. Every week, my wife and I go downstairs after the kids are in bed and we watch the most recently Tivo'ed episode of American Idol. We don't like the early rounds very much, which are mostly about watching the judges humiliate unfortunate people who don't realize they can't sing. But once the top 24 are chosen, we really enjoy the singing and the drama of who will be eliminated.
As someone who is consumed with voting and voting security, I have more than once wondered about the voting on the American Idol show. How easy would it be to rig the vote that is conducted over the phone? A friend of mine has some pretty good and convincing ideas for ways to tamper with the votes using computers and automated dialing tricks and even taking advantage of some weaknesses in the phone system. I'm not sure if the tricks he has suggested are legal, and I'm certain that most of the population wouldn't know how to do them. Although, it would only take one enterprising attacker to really mess with the votes. I'm convinced of that.
Last night, the unthinkable happened. Sabrina Sloan was eliminated and missed making the top 12. There are several reasons why I find it impossible to believe that the vote was fair. I had Sabrina pegged as #3 in the overall competition, after LaKisha Jones and Melinda Doolittle. Okay, you could argue that maybe Stephanie Edwards is up there with Sabrina. But, American Idol is also about popularity and looks. Sabrina is by far the most attractive of the candidates, and in my opinion she has that star quality to her. She is also an absolutely incredible singer. I'm not alone in my thinking. All three judges were completely stunned by this result. Furthermore, Sundance Head (who I don't think was that spectacular) lost out and Sanjaya Malakar advanced. Now Sanjaya seems like a nice kid, but he's totally out of his league on Idol, and Sundance can sing circles around him. Not only that, Sundance has real personality and charm, and is just the kind of person that goes far in this competition. He's better than at least 3 of the guys who advanced. Far better.
So, is it possible that the judges are wrong? They can be wrong, but I don't think they can be that wrong about these two singers that were cut. Considering that Haley Scarnato and Sanjaya Malakar made it to the elite 12 and Sabrina and Sundance did not, I have to figure there was some funny business with the vote. I don't know if it was because somebody hacked the phone lines, somebody read the results wrong, somebody was paid off, or any combination of the above. But there is no way on Earth that America voted this way this week.
Having a non-verifiable vote, like the one on American Idol can result in people like me being upset that we won't get to watch Sabrina Sloan sing any more on Idol. We can be upset that Chris Daughtry did not win last year when he was by far the best singer, as his album sales are demonstrating this year. But, that's about where it ends. Having non-verifiable voting in public elections, with the doubt that such election outcomes can have, is much more serious.