>Among the most common weaknesses the team found in nearly all of the systems was the ability to insert removable media - such as USB sticks

This is a huge hole - and one that is difficult to close. It's not a problem unless you exchange USB sticks with another system which has a virus. Who of us has not done this? Malware is actively using this technique to spread. Try putting this harmless but scary 3-line autorun.inf file on a USB stick.:

[AutoRun]
Open= cmd.exe /k color 4e && echo Gotcha!
shell\Open\command= cmd.exe /k for /l %%a in (1,1,9) do start cmd.exe /k
color %%ae ^&^& prompt Gotcha!

What no one ever looks into is the security of the actual county offices where the voting happens. LA County was crawling with high school kids who helped to count the vote. Also, many counties use unsecure computers to compile the results from all of the voting machines. It would be easier to remotely screw up the compile of votes. If a million votes go to Bugs Bunny then the vote is invalid. The scariest thing to a democracy is to invalidate the election. That is how dictators take over!

@Moike:
>>This is a huge hole - and one that is difficult to close.

Not really, but maybe it's just been made difficult to find out how to close. It involves disabling autorun-on-insert not just for CD-ROMs, but for all removable media.
http://www.pcdoctor-guide.com/wordpress/?page_id=1546

Now try your autorun.inf file again, and see what happens.

This is scary. Take a look at http://www.blackboxvoting.org/ and http://www.blackboxvoting.com to see what's going on with technical problems and political struggles to protect vote integrity.

So why aren't they consulting with Estonia, which initiated online voting last year? And why don't they get rid of Bill Gates' flawed OS?

NMAIF> So why aren't they consulting with Estonia, which initiated online voting last year?

Well, why don't they consult with security experts in the US? (The answer has something to do with a combination of greed and stupidity.)

As for online voting, it's a fundamentally flawed concept in a world overrun with botnets and keyloggers.

NMAIF> And why don't they get rid of Bill Gates' flawed OS?

Bill Gates's flawed OS is only a tiny fraction of the overall problem.

Why don't they weld the damn things shut. The Space Shuttle has, I think, five redundant computer systems ... but I doubt it has a soldering iron ... because like voting machines the Space Shuttle spends 99% of the time unused.

You could also disable the USB ports in BIOS, I think, and the CD-Rom while you were at it, couldn't you? But this would require a computer expert at each site, which is harder for a software company to come up with a solution for. What happens if someone tries to reboot the machine and enter BIOS then? You almost need an OS all its own for this type of application- some customized Linux Live-CD of some sort, with votes tallied to a central server in house with secure access from each client.

Couldn't these problems be avoided if existing systems, such as ATMs and computerized voting via "https" sites were used? Where the vote goes immediately to a central computer, rather than remaining in a standalone machine in a polling place? Oh, Diebold, etc, haven't made enough profit yet, so we have to go through iterations of inadequate software and hardware?

NMAIF> Couldn't these problems be avoided if existing systems, such as ATMs and computerized voting via "https" sites were used?

First of all, there are expectations of privacy which ATMs and home computers don't provide, and furthermore, existing voting systems are designed to make it difficult to sell one's votes, since one walks away from the poll with no proof of how one voted.

As far as https (i.e. SSL/TLS) and home computers in general goes: someone who can remotely control home computers (via botnet or trojan) could cause them to vote however he pleased, and the voters would be none the wiser. SSL doesn't protect the end system; it protects only the data in transit (and it doesn't even do that perfectly). If you control the end system, SSL doesn't matter.

"Not really, but maybe it's just been made difficult to find out how to close. It involves disabling autorun-on-insert not just for CD-ROMs, but for all removable media.
http://www.pcdoctor-guide.com/wordpress/?page_id=1546

Now try your autorun.inf file again, and see what happens."

NOPE - it still runs. I take it that you are still vulnerable to USB stick malware. The following is required:

Disabling the Shell Hardware Detection service will help protect the
affected system from attempts to exploit this vulnerability. To disable the
Shell Hardware Detection service, follow these steps:

1. Click Start, and then click Control Panel. Alternatively, point to
Settings, and then click Control Panel.

2. Double-click Administrative Tools.

3. Double-click Services.

4. Double-click Shell Hardware Detection service.

5. In the Startup type list, click Disabled.

6. Click Stop, and then click OK.

You can also stop and disable the Shell Hardware Detection service by using
the following command at the command prompt:

sc stop ShellHWDetection & sc config ShellHWDetection start= disabled

Impact of Workaround: If you disable the Shell Hardware Detection service,
you may not be able to utilize Fast User Switching capabilities. Therefore,
we recommend this workaround only on systems that do not require the use of
Fast User Switching.

Hummm, Election Fraud, Sound familiar? Florida,Ohio now it looks like California is going to join the mix. All I have to say is if George Bush gets written in to be the president, I moving to Mexico where the coruption is at least in public view. The biggest problem that is going on here is that we are reading about "how to fix an election". If people who are hackers would take their knowledge and use it for the betterment of the world instead of the detriment, just how great would the internet be? This is the real problem. Let's find a solution for that and see what happens.

It seems the old electromechanical voting machines I grew up with were more reliable.

Why not just eliminate any networking capability? Install, test, and seal the machines just before Election Day. Read out the results from each individual machine at the end of Election Day and tabulate them (with appropriate election judges present).

Perhaps instead of using a commercial OS make the machines a "one-trick pony".

This convinces me of the folly of spending all that money to get votes when all you need to do is get the right voting machines installed. Hmm, didn't that one already happen in the last election? The tragic thing is no one at all got nabbed for any wrong doing.

This is definitely leading us more to a "why bother" attitude from voters.

I love how Sequoia blasted the report b/c it was done by computer security experts. Duh, anybody that would actually try to hack a voting machine would have advanced computer security knowledge.

And putting the burden of protecting the machines on poll workers is nonsense. At my polling place for example, the workers can only see what's above my nose and below my knees. If diebold can ensure the physical security of their ATMs, they should be able to do it with their voting stations too.

1st big trick, use purpose built machines with physical and software security features like welding them shut, and putting tamper detection everywhere.

2nd PAPER BACKUP, which is voter verified.

Muddy> 1st big trick, use purpose built machines with physical and software security features like welding them shut, and putting tamper detection everywhere.

Tamper detection is useless unless there is a reasonable procedure for what happens when tampering is actually detected. For example, in Maryland, the Diebold systems were taped up with yellow tamper-evident tape the last election. But what happens to the votes on a machine if someone tampers with the tape? If such votes are invalidated, can a group sway an election by tampering with the machines at polls in heavily partisan areas? and would it be fair for an individual to be able to invalidate the votes of hundreds of others simply by picking at some tape? How, other than by the condition of the tape, do the poll workers know whether the *machine* has been tampered with, and what do they do in either case?

Muddy> 2nd PAPER BACKUP, which is voter verified.

As the reports document, even a VVPAT is vulnerable to a trojan attack if it is not designed correctly. One attack scenario is for a modified machine to print the voter's choices and allow the voter to verify them and complete the voting transaction, then to wait a minute or so for the voter to go away, and finally print VOID on the tape, which, with the particular system being attacked, voids the previously recorded vote.

"Diebold seized on that fact, saying that the presence of an experienced election official could help foil many of the attack scenarios outlined by the team."

Yeah, right. And who is that going to be? Karl's handpicked men?

Muddy,

Here's the thing: any computer can be programmed to print out one thing on paper but record something entirely different internally. There is no way to verify that your vote was cast as you intended, and then actually _counted_, unless you can SEE inside the machine.

What you really want is a PAPER BALLOT, not a 'receipt', 'record' or 'trail', because those are rarely _counted_ by election officials, who understandably do not want to have to do all that work.

They've blown their budgets on electronic computer systems that require secure, year-round air conditioned storage between elections ($$), upgrades and re-programming before every election ($$$) and paid computer technicians on call during early voting and on Election Day to troubleshoot problems ($$$). If you've ever had to leave the precinct without voting because you had to get work and the lines were too long due to a broken down machine, you know what that means. Frankly, paper, pen, and pollworkers are much cheaper.

Discrepancies only show up when comparing the flimsy paper 'trail' with the machine count, and that standard is ridiculously low (less than 2% of the 'trails' are counted, on average, anywhere).

Besides, you don't even have to bother with individual machines -- just tamper with the central tabulator. "Election Day conditions", as harped on by the elections officials and the vendors above, is truly a pathetic complaint about the Bowen report because there are literally hundreds of insiders who get unfettered access to these machines throughout. It takes only ONE PERSON with access about 60 seconds to load malicious software and set it all in motion. And you, the election officials, the counters, the observers, would not be able to SEE anything at all.

Trust, but verify. The elections officials have a difficult job, but democracy is too important to take shortcuts.

And we all have seen that once a candidate has been declared the winner by the media at the end of the night -- always before all the votes have actually been counted -- the challenger has an uphill battle just to get the votes counted. Judges don't like to get involved with elections unless there is proof of shenanigans, but a computer program can be designed (again, only one person needed) to do the task and then erase itself, leaving no trace.

What we need is a PAPER BALLOT, one that is actually counted. We can argue over _how_ to do the counting, but the only truly verifiable record of your vote is one you mark yourself, that you can actually SEE, that is then actually counted. If a computer optical scanner is used to count your vote, then your actual BALLOT is available to recount. In the event of a challenge, a paper BALLOT is obviously the legal ballot of record, not the invisible machine data.

BTW, the CA Sec. of State's report also noted that these systems were NOT accessible to blind and disabled voters, contrary to the vendors' sales pitch.

P.S. the article above points out that ES&S didn't turn over their product "in time" for the testing -- the truth is that they REFUSED to turn it over until Secretary Bowen threatened to take it out of escrow. They should be decertified in CA for that defiance alone, not to mention that the code they turned over is NOT the version they filed in escrow with the state.

It will be interesting to see whether Ms Brown decides to certify these faulty devices - although «faulty» is perhaps not the proper adjective, if one suspects, as I confess to doing, that these machines are expressly designed to be «hacked»....

Henri

@Moike:
>>NOPE - it still runs.

That's very strange, because it doesn't on my XP Pro SP2 box, *with* the Shell Hardware Detection service started. Now I'm curious why not, and whether or not that TweakUI checkbox actually works as advertised.

>>I take it that you are still vulnerable to USB stick malware.

If the box won't run autorun.inf files from a USB stick, then apparently not.

last I heard, you can hijack a pencil and a paper ballot, but the voter you're trying to elbow out can start a fistfight right there as you're trying to cheat.

my vote is for paper and pencils.

I have read or heard of a couple of incidences like this but I think it is strange that no one really questions the topic of anonymity. As a programmer myself, I know that it would be very tempting to store a time-stamp with every vote.
Ever since 9/11 we now have cameras everywhere. And, a lot of cameras in public buildings. Most of these systems record the time as they do the taping. How hard would it be to match your face with the time that you voted to the time on the video recorder? Then, we could tell how you voted.
Does the gov't prohibit time-stamps in an electronic voting system? Or any voting system for that matter? Or, do they prohibit gov't cameras in polling places?
...my two cents.

People you need to do your homework. 1. Electronic machines are here to stay because of the ADA laws. 2. Old systems were manipulated all the time - even lever machine scandals and arrests caused the Shoup family shame. 3. Internet is a no no - too many poor who don't understand computers. Even Ted Stevens does not know what the internet is. 4. Avante figured out VVPAT over 5 years ago. Paper is cut and drops in box. There is no chance for void to print. 5. California was early on in the DDE fraud systems. Their officials were outright bribed with high paying jobs before 2000 hit.

There are so many more issues to know. The computer security issue is a smokescreen! One match destroys a paper ballot box but no one at the Post was writing about that vulnerability 30 years ago...

I read these techno-comments with bemusement. I'm a chief election judge in Montgomery County (i.e., one of the two supervisory precinct workers). I'm positive none of the suggestions comes from anyone who's actually worked at a precinct for a primary, let alone a general election.

Why am I a chief judge? In part because I thought this wasn't a bad way to contribute to the electoral process; in part because I can distinguish a USB cable from a power cord.

Not to belittle the voting-machine problem, I have to say it's only a facet of a larger problem: the election process stands or falls as a result of people who are essentially volunteers.

Volunteers who work one day every two years.

Working an election in Maryland means a mandatory (albeit insufficient) 2 or 3 hour training session, 2 or 3 hours of set-up the day before the election, and at least a 15-hour shift on election day. (The polls open at 7 and close at 8, but you've got to be there at least an hour ahead of time, and you have to help close things down before you can leave.)

Check-in judges (who look up voters in the poll book) and voting unit judges (who assist you at the machines) get $145 in compensation.

Along with no small measure of grief, because so many voters seem to blame precinct workers for: lengthy ballots, murky referendum language, the ratio of voting machines to voters, the choice of machine rather than optical scan, et blooming cetera.

There were 238 precincts in Montgomery County for the 2006 general election, needing a minimum of 8 judges per precinct. So carrying off an electing requires something like 2,500 volunteers.

I am unintimidated by technology. I have a graduate degree and decades of experience working in corporate and technological environments -- but even with the current system, I've never gotten home from the precinct before 1 a.m. because of the reporting, recording, verifying, signing, securing of machines, delivery of the chips and voting machine printouts to the board of elections.

The head of the Baltimore County board of elections said in an interview that the average age of her precinct workers was "deceased."

I heartily invite any Marylanders participating in this discussion you folks who are so eager to fix the system to work the upcoming primary (Tuesday, Feb. 18 -- mark your calendar now). A fair number of the experienced precinct workers may have left for warmer climates, or may decide it's no longer worth the hassle.

I'm sure Virginia and the District have similar needs; I just don't know what they are. Just contact your local board of elections and put your highly-skilled self where your virtual mouth is.

(In the meantime, if you're still suspicious about electronic voting, request an absentee ballot. It comes on paper, and you don't have to wait in line.)

The complaints from Sequoia and Diebold really miss the point. When the contractors who have the root passwords and access to the machines can hack then machine easily and without a trace, this is exactly the problem. These are the very same companies who are guaranteeing the outcomes for candidates.

The complaints from Sequoia and Diebold really miss the point. When the contractors who have the root passwords and access to the machines can hack then machine easily and without a trace, this is exactly the problem. These are the very same companies who are guaranteeing the outcomes for candidates.

It is intriguing that billions can be spent exporting democracy when the system at home relies on volunteers.

Judge Dave> I'm positive none of the suggestions comes from anyone who's actually worked at a precinct for a primary, let alone a general election.

What suggestions are you referring to? Clearly not those of Avi Rubin, who has worked as an election judge in both a primary and a general election. In his most recent commentary on the California top-to-bottom review he wrote, "Rather than using technology provided by incompetent vendors who don't bother to hire real security experts to build voting systems, we should insist that these machines be scrapped."

Judge Dave> Just contact your local board of elections and put your highly-skilled self where your virtual mouth is.

What makes you think we haven't?

Interested readers should also take a look at the report from Florida State University on Diebold systems used there. Avi Rubin's writeup on that is posted here:

http://avi-rubin.blogspot.com/2007/07/florida-sait-report-highlights-more.html

A highlight:

"One of the weaknesses that our report in 2003 pointed out was that Diebold used a single, fixed encryption key for all encryption in the system. Diebold has moved from using DES to AES. However, the key management is just as bad as before, and possibly worse."

Well I have worked elections in California, NJ, Connecticut, NY, and NH. I have had to show election officials the difference between a CD and a power cord. I have had to show 30 yr old people who are the "county computer expert" how to format a CD. I see county workers who work out deals so that they can work 4 days a week and get paid for 5. I have seen the head of the largest county in the country kissing amorously a Diebold salesman. A few days later her husband was holding the hand of a Missouri official under the table so at least it is an "open" marriage. I have also worked with retired IBM workers as election judges who take their roles so seriously, they actually review election law with their people line by line and give tests.

There are some standards for the voting equipment. Congress can only dictate laws for congressional elections. All other elections are handled by the state. There are no standards for poll workers. They just do not want to scare away the volunteers.

I also know that Linda Lamone is crying because she did not get her cushy Diebold "sales" job because of the spotlight Avi Rubin put on her.

I also know at a NY state demo, my blank smart card when entered into a Diebold machine caused it to lock up.

Good luck voters!

Follow-up: the long-awaited source code review reports have finally been posted online here:

http://www.sos.ca.gov/elections/elections_vsr.htm

Avi Rubin's comment: "These reports are comprehensive and detailed and should mark the end of the use of these voting machines in public elections."

Unbelievable. What is the matter with people?

@Mark Odell: Who protects the system against the hacker who just goes in and turns that pseudo protection off? That's always the snag with Windoze boxes, innit? At the end of the day you can't protect anything - you can only chase the bad guys and never catch up or you can run and hide and get found out within the hour.

Rick - no computer is tamper proof. You just need tamper evident. Even with a paper ballot - a match can ruin an election.

We really should go to the real old fashioned voting booth. A traveling booth would go from town to town. People who were eligible to vote (read rich white folk) step in the booth and declare their vote out loud.

James> no computer is tamper proof. You just need tamper evident.

You need a lot more than tamper evidence. Tamper evidence alone is a vector for denial of service; just trigger the tamper-evident mechanism and chaos ensues, even though no actual tampering occurred.

If you read the reports and the commentary, you will see it stated repeatedly that these devices fail to employ well-known technical methods to protect the integrity of elections. The repeated claim by proponents of these devices is that procedural methods fill in the gaps, but even if that were true, why should we rely on a system that requires procedural controls to be followed perfectly every time, when technical controls built into the software and hardware could solve the same problems without risk of human failure?

Following up on yesterday's release of the source code review reports, Ed Felten's comment:

"As far as I can tell, major news outlets haven't taken much notice of these reports. That in itself may be the most eloquent commentary on the state of e-voting: reports of huge security holes in e-voting systems are barely even newsworthy any more."

Big news: California Secretary of State Debra Bowen has decertified all of the previously approved voting machines for the upcoming election:

http://www.sos.ca.gov/elections/elections_vsr.htm

Read that announcement more closely. She said that she gives them conditional reapproval. Typical California BS. She does not have the guts to make the vendors start over from scratch.

Antibozo - you really agree with me. All this talk about security is a smokescreen. If one wants to take over a country the first step is to prove to people that an election was fraud. Making something tamper proof is a false hope. It only takes a human making a transcription error - there have been a couple of times in California alone - and people think the wrong candidate was elected. Instead of making everything so secure, lets make everything transparent. Lets get rid of secrecy clause for elections and lay our votes out on the table...

James> Read that announcement more closely. She said that she gives them conditional reapproval. Typical California BS. She does not have the guts to make the vendors start over from scratch.

Read the announcement more carefully. The conditional reapproval establishes a litany of additional security measures and constraints. For example, only one Diebold system may be used per polling place. This means that all of the precincts will need to acquire or recommission alternative polling equipment, and in that case, given all the other constraints (complete reformat/reinstallation of all Diebold equipment, airgap operation of the GEMS system, etc.) it won't be worth a county's trouble to use any of it.

James> Antibozo - you really agree with me. All this talk about security is a smokescreen.

Uh, no it isn't. It may seem that way if you don't understand it, though.

James> Making something tamper proof is a false hope.

I never said anything about tamper proofing anything. I said that making things tamper evident alone is detrimental.

James> Instead of making everything so secure, lets make everything transparent.

On the contrary, we should make things transparent *and* secure.