Can voting machines be safe with good election procedures?

When security researchers show how to hack a voting machine, is it just a stunt that couldn't happen in the context of a real election?

Princeton researcher Dan Wallach talks about the difference between what his team did and what a real attacker would have to do. The bottom line is that a real attack would be a bit more work, but not prohibitively so.

His full article is at http://www.freedom-to-tinker.com/?p=1304. Excerpts below.

"Our work found a wide variety of flaws, most notably the possibility of "viral" attacks, where a single corrupted voting machine could spread that corruption, as part of regular processes and procedures, to every other voting system. "

"At this point, the scientific evidence is in, it's overwhelming, and it's indisputable.  The current generation of DRE voting systems have a wide variety of dangerous security flaws. "
"The big difference between what we had and what an attacker might have is that we had some (but not nearly all) source code to the system.  An attacker who arranged for some equipment to "fall off the back of a truck" would be able to extract all of the software, in binary form, and then would need to go through a tedious process of reverse engineering before reaching parity with the access we had."
"When the vendors call our work "unrealistic", they usually mean one of two things:

   1. Real attackers couldn't discover these vulnerabilities
   2. The attackers can't be exploited in the real world.

Both of these arguments are wrong. In real elections, individual voting machines are not terribly well safeguarded.  In a studio where I take swing dance lessons, I found a rack of eSlates two weeks after the election in which they were used.  They were in their normal cases.  There were no security seals.  (I didn't touch them, but I did have a very good look around.) That's more than sufficient access for an attacker wanting to tamper with a voting machine. "
"I'll estimate that it would take a group of four talented people, working full time, two to three months of effort to do it[develop an attack].  Once.  After that, you've got your evil attack software, ready to go, with only minutes of effort to boot a single eSlate, install the malicious software patch, and then it's off to the races.  The attack would only need to be installed on a single eSlate per county in order to spread to every other eSlate.  The election professionals and procedures would be helpless to prevent it.  "
"What about auditing, reconciliation, "logic and accuracy" testing, and other related procedures? Again, all easily defeated by a sophisticated attacker."

The only kind of testing he considers effective is to cross-check a sample of voter-verified printouts against the machine-recorded votes.

< On A New School Year, Or, The Sarah Palin Drinking Game | You should vote Republican if ... >
Display: Sort:
--accuracy" testing just plain old function testing.  It is NOT security testing.

I agree with his basic premise about voter-verified--I just wish he'd use the term "ballot."  A ballot has legal status as the real vote; "trails," "printouts" etc. do not.

Even aside from deliberate attacks, there is just plain old software bugginess to consider--no complex software is ever free of it.  With word processing programs and spreadsheets, though, millions of users report all of the ones that compromise functionality, so that while never bug-free, these programs eventually become robust and stable.

Voting machine software is used a couple of times a year by people who have no connection with the programmers who wrote it.  If a machine (say in Snohomish County) makes them vote for Rossi instead of Gregoire, the only people available to complain to may not be able to do anything about it.

Think about how badly cars would suck if nobody ever drove them except for a couple of times a year.

Before we even think of trying to get a national consortium to develop open source software, we need to make auditing mandatory.  In an analytical chemistry lab, all equipment from simple scales to quadrupole mass spectrometers is constantly audited.  For auditing purposes, a set of standard weights is far mor useful than only having a schematic of the scale.

by eridani on Sat Sep 06, 2008 at 09:27:49 PM PST

* 1 none 0 *

Malicious code can be inserted in a variety of locations, by a wide variety of people.

Progammers who create the tabulation source code, database code.  Technicians who write the updates before and during elections. A variety of insiders who have access to the machines and memory cards, and to the GEMS central tabulator.

It has been alleged by a computer expert who used to support McCain, Stephen Spoonamore, believes that the 2002 Georgia election was stolen by the head of Diebold who personally delivered memory card updates to several county jurisdictions.

These systems are a joke. Computers are good for many applications, but elections is not one of them.

If you  want a democracy, then it should be paper ballots, hand counts, citizen oversight.  Private corporations with control over counting and recording votes have no place in this process. Even publicly owned systems will end up in the control of election insiders.  They still lack transparency. So long as we use machines, the process lacks transparency and verifiabilty by We The People.

Spoonamore video.

by raincity calling on Tue Sep 09, 2008 at 05:50:58 PM PST

* 2 none 0 *

...how did King County manage to get the "X of Y ballots remaining" counts wrong on the ballot stubs? They've been printing the same ballots for a decade. Where were the observers? Where was the news coverage?

by m3047 on Tue Sep 09, 2008 at 11:29:30 PM PST

* 3 none 0 *

Whether you are talking about machines or people, the less often an operation is performed, the greater the likelihood of screwing something up.

by eridani on Sat Sep 13, 2008 at 11:41:14 PM PST

* 4 none 0 *

Display: Sort:
Skims $ Millions
from workers comp to attack Gregoire







Make a new account


Recommended Diaries

Washblog RSS Feeds

Political Contacts

Local Media

Coastal/Grays Harbor
Aberdeen Daily World
Chinook Observer
Montesano Vidette
Pacific County Press
Willapa Harbor Herald
KXRO 1320 AM

Olympic Peninsula
Peninsula Daily News
Bremerton Sun
Bremerton Chronicle
Gig Harbor Gateway
Port Orchard Independent
Port Townsend Leader
North Kitsap Herald
Squim Gazette
Central Kitsap Reporter
Business Examiner
KONP 1450 AM

Sound and Islands
Anacortes American
Bainbridge Review
Voice Of Bainbridge
San Juan Journal
The Islands' Sounder
Whidbey NewsTimes
South Whidbey Record
Stanwood/Camano News
Vashon Beachcomber
Voice Of Vashon
KLKI 1340 AM

North Puget Sound
Bellingham Herald
The Northern Light
Everett Herald
Skagit Valley Herald
Lynden Tribune
The Enterprise
Snohomish County Tribune
Snohomish County Business Journal
The Monroe Monitor
The Edmonds Beacon
KELA 1470 AM
KRKO 1380 AM

Central Puget Sound
King County Journal
Issaquah Press
Mukilteo Beacon
Voice of the Valley
Federal Way Mirror
Bothell/Kenmore Reporter
Kirkland courier
Mercer Island Reporter
Woodinville Weekly

Greater Seattle
Seattle PI
Seattle Times
UW Daily
The Stranger
Seattle Weekly
Capitol Hill Times
Madison Park Times
Seattle Journal of Commerce
NW Asian Weekly
West Seattle Herald
North Seattle Herald-Outlook
South Seattle Star
Magnolia News
Beacon Hill News
KOMO AM 1000
KEXP 90.3 FM
KUOW 94.9 FM
KVI 570 AM

South Puget Sound
The Columbian
Longview Daily News
Nisqually Valley News
Lewis County News
The Reflector
Eatonville Dispatch
Tacoma News Tribune
Tacoma Weekly
Puyallup Herald
Enumclaw Courier-Herald
The Olympian
KAOS 89.3 FM
KOWA FM 106.5
UPN 11

Ellensburg Daily Record
Levenworth Echo
Cle Elum Tribune
Snoqualmie Valley Record
Methow Valley News
Lake Chelan Mirror
Omak chronicle
The Newport Miner

The Spokesman-Review
KREM 2 TV Spokane
KXLY News 4 Spokane
KHQ 6 Spokane
KSPS Spokane
Othello Outlook
Cheney Free Press
Camas PostRecord
The South County sun
White Salmon Enterprise
Palouse Boomerang
Columbia Basin Herald
Grand Coulee Star
Walla Walla Union-Bulletin
Yakima Herald-Republic
KIMA 29 Yakima
KAPP TV 35 Yakima
KYVE Yakima
Wenatchee World
Tri-City Herald
TVEW TV 42 Tri-cities
KTNW Richland
KEPR 19 Pasco
Daily Sun News
Prosser Record-Bulletin
KTCR 1340 AM
KWSU Pullman
Moscow-Pullman Daily News