Tuesday, July 31, 2007

Debunking the "laboratory" defense

Yesterday, there was a hearing in California about the e-voting machines that were studied in the top-to-bottom review. I watched some of the proceedings that were broadcast on the web, and I read some of the press coverage, such as this article in the San Jose Mercury News. I'm struck (although not surprised) by the way the vendors attack the study results. As the top-to-bottom review concluded that the systems were highly vulnerable to all kinds of attacks, the vendors stand to lose business and revenue if the machines are decertified, so you would expect them to attack the study with everything they have.

Reading the news coverage of the hearing, it is clear that there is a common theme in the attacks on the study. Quoting the article:

Sequoia Voting Systems, which is used in Alameda, Santa Clara and Santa Cruz counties, called the review an "unrealistic, worst-case scenario" performed in a laboratory environment by computer security experts with unfettered access to the machines.

Several other people use the term "laboratory environment" in criticizing the study. I think these criticisms miss the point. Most, if not all, of the vulnerabilities identified in the studies are weaknesses that are well known in the security literature and that can be avoided with proper design and implementation. The source code reviews have not been published yet, so I cannot comment on what was found there, but looking at the red team reviews, I can say that we know how to design systems that avoid the problems that were found. So, regardless of whether these machines were broken in a laboratory or in a polling station, the fact is that vendors are not utilizing well-known security technology in designing their systems.

Rather than using technology provided by incompetent vendors who don't bother to hire real security experts to build voting systems, we should insist that these machines be scrapped. The debate should focus on whether or not the machines utilize the best available security, rather than on whether the proof that they are insecure was found in a lab or somewhere else. If the vendors focused as many resources on improving the security of their systems as they do on criticizing the studies, then they wouldn't have to point out that the studies were done in a laboratory, because studies that embarrass them would be less likely to exist.