Friday, December 14, 2007

Ohio report is available

Ohio's secretary of state, Jennifer Brunner, has commissioned a study that appears to be on the same order as California's top to bottom review of their voting systems. There are several reports available on the SoS web site. The most remarkable report is that of the academic team who analyzed the ES&S, Premier Elections Solutions, and Hart InterCivic voting systems. The academic report, produced by some of the leading computer security experts such as Matt Blaze, Harri Hursti, and Giovanni Vigna, and led by Patrick McDaniel of Penn State, is available here, on the SoS web site.

Quoting from the executive summary:

"All of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election. While each system possessed unique limitations, they shared critical failures in design and implementation that lead to this conclusion:


  • Insufficient Security - The systems uniformly failed to adequately address important threats against election data and processes. Central among these is a failure to adequately defend an election from insiders, to prevent virally infected software from compromising entire precincts and counties, and to ensure cast votes are appropriately protected and accurately counted.
  • Improper Use or Implementation of Security Technology - A root cause of the failures present in the studied systems is the pervasive mis-application of security technology. Failure to follow standard and well-known practices for the use of cryptography, key and password management, and security hardware seriously undermine the protections provided. In several important cases, the misapplication of commonly accepted principles renders the security technology of no use whatsoever.
  • Auditing - All of the systems exhibited a visible lack of trustworthy auditing capability. In all systems, the logs of election practices were commonly forgeable or erasable by the principals who they were intended to be monitoring. The impact of the lack of secure auditing is that it is difficult to know when an attack occurs, or to know how to isolate or recover from it when it is detected.
  • Software Maintenance - The software maintenance practices of the studied systems are deeply flawed. This has led to fragile software in which exploitable crashes, lockups, and failures are common in normal use. Such software instability is likely to increase over time, and may lead to highly insecure and unreliable elections."


and later in the executive summary:


    "The review teams were able to subvert every voting system we were provided in ways that would often lead to undetectable manipulation of election results. We were able to develop this knowledge within a few weeks. However, most of the problems that we found could have been identified with only limited access to voting equipment. Thus, it is safe to assume that motivated attackers will quickly identify – or already have – these and many other issues in these systems. Any argument that suggests that the attacker will somehow be less capable or knowledgeable than the reviewer teams, or that they will not be able to reverse engineer the systems to expose security flaws is not grounded in fact."


The report is an incredible read. This group, in only a couple of months, managed to completely subvert these systems and to expose them as woefully insecure and inadequate for the real world. Secretary Brunner, to her credit, has now recommended the elimination of DREs in polling places in her state. Now if only other states will follow her lead and that of Debra Bowen, SoS of California.