Researchers Crack Every Certified CA Voting Machine

ewhac writes "The San Francisco Chronicle is reporting that computer security researchers throughout the University of California system managed to crack the security on every voting machine they tested that has been approved for use in the state. The researchers are unwilling to say how vulnerable the machines are, as the tests were conducted in an environment highly advantageous to the testers. They had complete access to the devices' source code and unlimited time to try and crack the machines. No malicious code was found in any of the machines, but Matt Bishop, who led the team from UC Davis, was surprised by the weakness of the security measures employed. The tests were ordered by Secretary of State Debra Bowen, who has until Friday of next week to decide whether to decertify any of the machines for use in the upcoming Presidential primary election."

And the problem with paper was?

[seanadams.com (463190)]

So before, the only people who probably knew how to crack these would have been the people who designed them, plus whoever else had access to the source code, plus probably a whole bunch of administrators who would have access to the data files during the election.

Now, as if that's not bad enough, in addition to all of them we have a whole team of hackers who have proven that they know SPECIFICALLY how to do it. And by the way, they hacked both the voting machines themselves AND the back-end remote machines that do the tabulating.

And those facts are all public knowledge now!

So if these machines were merely "ridiculously" insecure to begin with, now they're just split wide open like a dvda. Yay democracy. What exactly does Ms Bowen need until next Friday to fucking think about?

And please, can we quit calling them "computer security researchers"? What's wrong with hackers? When did we start on the euphemism treadmill [wikipedia.org]?

Re:And the problem with paper was?

[Lockejaw (955650)]

And please, can we quit calling them "computer security researchers"? What's wrong with hackers? When did we start on the euphemism treadmill?

When the media decided that a "hacker" is someone who secretly breaks into your computer and fills it full of spam and child porn. So we needed a word for people who break into computers without being secretive about it and don't fill it with bad stuff.

Hacking???

[cluckshot (658931)]

Since I have on my computer the software for many of the major voting machine companies and I worked reviewing it for one of our big US States, (Not California) I might have a thing or two to say on the issue.

The first thing to understand is that the audits under the voluntary national standard for voting machine software do nothing about securing a ballot. The next thing to understand is that the public authorities don't want secure software on voting machines. -As politely as it can be said- Who in the hell do you think steals elections? --- Not the voters I can assure you! It is election officials. Next you have to understand that the purpose of modern voting machines isn't to prevent errors, it is to eliminate any evidence that they happened. Next you have to understand that some company or another wants to sell all the machines to run the election and that they don't want the election officials to be able to buy machines by another brand without having to go to the cost of ripping out the entire system by its roots and halting the whole world. In short they want to hold the political agents hostage to their company and make them pay through the nose on every election. How else does a scanner machine which might be worth $200 become a machine worth $30,000?

Now that we have identified the motives in play here and there may be a few more nasty habits around like companies wanting to control political events..... Lets get down to the brass tacks here! Any election system worth anything should have some of the following attributes and possibly some more.

(1) It must be machine independent. So that any device that fails can be easily replaced.

(2) It must be transparent in its software where anyone can see the code and see that it does what it says.

(3) It must be receipt based where it can be checked by additional 3rd party methods. Recounting must be possible and not just memory buffer checks.

(4) It should be isolated from external attack only reporting via network and protected from intrusion by device isolation. This means no USB drives and no standard internet connections etc.

(5) It must be custody of data prevented from having the political authorities being able to destroy the evidence of an election fraud.

Making elections report totals quickly accurately and with receipts and such is no problem. Technically this is very easy. I probably could write in a few days the structure and code it in a matter of months myself. I would get nowhere because the political leaders would find their methodology of stealing elections in great trouble. Unless the voters rise up and get really angry on this one, expect the development of a silent dictatorship in which you hold elections and keep on loosing to the powers that be. (Maybe it already is here????)

Mod Parent Up

[mad.frog (525085)]

This is a valid comment, but is modded into oblivion for some reason...

Fraud

[WindBourne (631190)]

Paper elections can and has been taken over. I am not so sure at this time if any in the USA are, but Texas, Florida, and Chicago had a LONG TIME well deserved voting fraud issues. That is why EVERY box has 2 or more ppl going over the vote, with each person coming from 1 of the 2 major parties (interestingly, they are not required to have a person from all parties that are running candidates, just from the major parties). The current elections since 2000 (probably before), have shown how easy it is for general election fraud. In particular, in Florida, the gov. was not allowing votes from anybody with the same name as criminals in high democrat counties only. In ohio, they had 3 ppl (democrats) certify an election by picking certain boxes, counting them before hand, and then using those for their "random" tests. They were suppose to pick a number of random boxes and check their results as well the count. They just did not feel like doing it.

There are VERY good reasons for going to computers. Sadly, not only has the computers obviously not been designed and built well, but the vetting process in nearly all states has left a LOT to be desired. In nearly all cases, the groups have been willing to accept systems that several major companies thrust on us. What fascinated me, and should have been of interest to all the groups, is that NONE of these major machines wanted back-up paper system added in. In ALL cases, it would be their paper (i.e. get to gouge), and of course, they would be required to have somebody around to handle things (at least at the county level). This would be a recurring revenue stream for them. And yet, they fought it esp. diebold. That should be making ALL of those groups nervous, and instead it takes a judge to be looking at this issue.

The computer systems ARE the right idea. The choice and implementation have been disasters. Welcome to Amerika.

Ooh, Shiney!

[pipingguy (566974)]

If voting is the core of a democracy then the transparency of the process MUST be paramount. Chuck out the whole concept of voting if average citizens have to understand and correctly interpret the latest whiz-bang technology.

Re:

[fl!ptop (902193)]

Chuck out the whole concept of voting if average citizens have to understand and correctly interpret the latest whiz-bang technology

i'm not sure the average citizens need to understand more than 'press here for candidate a', 'press here for candidate b' (obvious side-discussion regarding knowledge empowering voters to select better candidates avoided here), but those who make decisions about what procedures and machines are used to ensure the votes are tallied fairly have to consider it. poll workers ar

Re:Ooh, Shiney!

[rbarreira (836272)]

Winston Churchill has the solution:

The best argument against democracy is a five minute conversation with the average voter. -- Winston Churchill.

What's wrong with paper?

[fastest fascist (1086001)]

Considering how strong the push for voting machines is, you'd think there's something terribly wrong with paper ballots. What is it? To me, they seem to work fine, and knowing the system for counting the votes doesn't let you compromise the impartiality of the system. What benefit do these voting machines offer that justifies the risks?

Re:

[Baricom (763970)]

Paper is too slow.

That's no justification in the real world, but unfortunately that is a perfectly logical reason to move to electronic balloting for most people.

Re:What's wrong with paper?

[Elemenope (905108)]

The problem with paper is...it's slow. Don't get me wrong, I don't see that as a problem; I am of the school of thought that it is no disadvantage to take a week or so to count ballots by hand. However, the public has an expectation (cultivated as it has been by TV media, mostly) that elections are to be decided ASAP. I don't know how to ween folks off of such an expectation, esp. since there is a profit motive in minute-by-minute coverage. It is hard in the Internet age to get people to understand why everything can't be as fast as a Google search.

I'm not crazy about exit polls, either, though if done accurately enough (i.e. large enough sample sizes, unbiased methodology) should be able to provide a good indication of results quickly even with a paper ballot system.

I'm completely spitballing here, but I imagine that psychologically the image of a computer as the instrument of an election is more reassuring to people (who, by and large, use computers for many routine tasks) than paper, which conjures notions of impermanence and fragility and a history of "stuffed ballot boxes" and other shenanigans; while computers in reality may be more vulnerable to such shenanigans, they do not as easily lend to such an image, and so combined with their inner mysterious mechanics, they are more easily trusted. People, scarred by the disintegrating trustworthiness of their government, desperately want some part of the political process to place their faith in.

Re:

[fastest fascist (1086001)]

Hm, well, to do the old "over-here-they-do-it-better", over here ballots are counted manually, and the results after a nationwide vote are available withing a few hours of the closing of polls. While I live in a much smalled country than the USA is, I don't think the percentage of people who vote is any higher over there, and thus the amount of vote counters required per capita shouldn't be, either. If it takes weeks, hire more people, or perhaps people who can count, if that is the problem.

Re:

[fl!ptop (902193)]

What benefit do these voting machines offer that justifies the risks?

the push (in the u.s.) for electronic voting machines seems to have been made after the 2000 election recount fiasco. need i mention the words, "hanging chad?" i don't think you can have one of those with an electronic machine. besides, paper ballots are easy to invalidate. remember the pictures on the news of people holding them up to the light, and others handling stacks of paper ballots? one small wire shoved through a stack lik

Re:What's wrong with paper?

[TapeCutter (624760)]

"with a computer, there is no doubt, it's either a 0 or a 1." - Maybe I'm feeding a troll but here goes anyway...

Speaking as degree qualified programmer with 20yrs experience, I don't trust the machines and TFA clearly demonstrates why.

My number one reason for distrusting computerised systems is that they enable "wholesale fraud" with a single point attack, it might be "unlikely" but it is a technical possibility that the result of the whole election could be predetermined and the "race fix" can be implemented by one person sitting at a desk. Worse still it's a technical possibility that a "fix" can be done in such a way that it is undetectable after the fact.

Contrast that risk with old-fashioned paper and international observers. With that system the best a cheat can hope for is "retail fraud" - some stuffed boxes over here, the senator's hound dogs voting over there, ect. Fraud and corruption are a fact of life, nowhere on the planet can they be totally eliminated from such high stakes "games" as national elections.

The traditional paper system with it's well-known and thouroughly tested procedures minimizes the risk of a "fixed race" simply because of the fact that it is much more difficult and requires a hell of a lot more people to get away with "wholesale fraud". Speed is not a big issue since there are plenty of counters in the form of eager voulenteers from the various parties. And it's crucial to security that you pair off "opposing counters" since they also embody the imporatnt "checks and balances" of watching each other like hawks and arguing so loudly about something as mundane as "hanging chads" that even I remeber it and I live 10,000 miles away!

Paper ballots are even MORE insecure...

[hummassa (157160)]

Paper ballots are falsifiable. You can easily stuff/switch paper ballots. The security in an election process, electronic or otherwise, is in the process itself. If the machines are tested, and their state is always checked by parties' officials before the election begins, they are as safe as paper ballots that are sealed by said parties' officials -- with the advantage that you know the results quicker, with less opportunity to magic tricks. Of course it helps having more than one (or two) parties. Oh, and

Re:

[symbolic (11752)]

I heard it was something about some dude named Chad that liked hanging around during the election, making it difficult to determine what people were voting for. This guy's kind of strange, too- rumor has it that he occasionally gets pregnant from voting machines that malfunction. I'm guessing that the move to e-voting will give this guy a much-needed break.

Voting machines

[saibot834 (1061528)]

"Voting machines are the non-solution of a non-existing problem" (not my quote, I heard it somewhere).

The quote is completely right.
a) What is wrong with pen&paper voting?
b) Voting machines do not solve any problems: If we say for example a) was about the money: Voting machines cost all-in-all more money than pen&paper voting.

Not true!

[rbarreira (836272)]

That's not true! Voting machines are the solution to the existing problem of "how to make sure one is elected".

Link to SOS Site

[jellie (949898)]

I'm surprised there's no link to Secretary of State Debra Bowen's site that includes all the analyses, CVs/resumes, and all other documentation regarding the top-to-bottom review:
http://www.sos.ca.gov/elections/elections_vsr.htm [ca.gov]

The overview by Matt Bishop is actually quite an interesting read. In it, he says that they could have found more problems with the three systems, but they were limited by time:

The short time allocated to this study has several implications. The key one is that the results presented in this study should be seen as a "lower bound"; all team members felt that they lacked sufficient time to conduct a thorough examination, and consequently may have missed other serious vulnerabilities.

In addition, he also cites the lack of proper information from the vendors as another problem.

It should also be noted that a fourth vendor, Election Systems and Software (ES&S) missed the deadline for submitting their systems for the review. I'll be cynical and just assume that they decided to skip the initial review than to have a bunch of computer researchers hack their systems.

Security is tough.

[fishthegeek (943099)]

The only secure machine is one that is OFF. If it isn't off then I'm always going to bet on the hacker. IANAP, but I feel very sorry for the challenges that programmers face. They have to review and analyze code for bugs, flaws, and features, they have bosses that demand profit and features. Those 1337 boys only need to find one flaw, the programmers have to find and fix all of them. I'm not surprised at all that all of the machines were cracked, given a high enough profile, the right conditions, and a motivated h4x0r any system is vulnerable.

Move your ass guys

[rbarreira (836272)]

Hey, do something for your country and humanity, send letters to your representatives or whatever you can do to stop this electronic voting madness. Posting on slashdot won't do much.

How did the election Official get his job?

[chris_sawtell (10326)]

From the article:-

Letting the hackers have the source codes, operating manuals and unlimited access to the voting machines "is like giving a burglar the keys to your house,'' said Steve Weir, clerk-recorder of Contra Costa County and head of the state Association of Clerks and Election Officials.

This is simply not true! The analogue in the real world of locks and keys is that you have given a burgler the design blueprints of the lock. NOT the code combination or the key lever settimgs. The demonstrated ignorance of the said Steve Weir about secure computing begs the question "How did he get appointed to his positions?"

Re:

[martyb (196687)]

From the article:-

Letting the hackers have the source codes, operating manuals and unlimited access to the voting machines "is like giving a burglar the keys to your house,'' said Steve Weir, clerk-recorder of Contra Costa County and head of the state Association of Clerks and Election Officials.

This is simply not true! The analogue in the real world of locks and keys is that you have given a burgler the design blueprints of the lock. NOT the code combination or the key lever settimgs. The demonstrated ignorance of the said Steve Weir about secure computing begs the question "How did he get appointed to his positions?"

This is directly responded to in the Overview of Red Team Reports [ca.gov] in section 3.1 (page 5): (NB: emphasis added.)

Finally, no security should ever rely solely on secrecy of defensive mechanisms and countermeasures. [2] While not publishing details of security mechanisms is perfectly acceptable as one security mechanism, it is perhaps the one most easily breached, especially in this age of widespread information dissemination. Worse, it provides a false sense of security. Dumpster diving, corporate espionage, outright bribery, and other techniques can discover secrets that companies and organizations wish to keep hidden; indeed, in many cases, organizations are unaware of their own leaking of information. A perhaps classic example occurred when lawyers for the DVD Copyright Control Association sued to prevent the release of code that would decipher any DVD movie file. They filed a declaration containing the source code of the algorithm. One day later, they asked the court to seal the declaration from public view--but the declaration had been posted to several Internet web sites, including one that had over 21,000 downloads of the declaration! [9] More recently, Fox News reported that information posing "a direct threat to U.S. troops ... was posted carelessly to file servers by government agencies and contractors, accessible to anyone online" [8], and thefts of credit card numbers and identities are reported weekly and growing in number. Thus, the statement that attackers could not replicate what red team testers do, because the red team testers have access to information that other attackers would not have, profoundly underestimates the ability and the knowledge of attackers, and profoundly overestimates the infallibility of organizations and human nature.

[2] This is often called "security through obscurity".

Why even have electronic/computer voting?

[Skapare (16644)]

Paper ballots do have their problems. People don't always mark them consistently. Sometimes they mark one candidate then try to rub it out and mark another. The paper ballot was hard to read by electronic means and manual counting was too time consuming to get the quick results most people wanted.

Punch cards that people have to do the punching on don't always get punched right (remember the hanging chad problem). Sometimes people start to punch one hole, and realize they are in the wrong hole or change their mind real fast and try to punch another instead. Sometimes 2 or more holes are punched. Sometimes holes are punched partially. In most cases people could check, but they don't, or don't really know they should.

Computer voting was intended to eliminate these things. But that's its fundamental misguidance. Instead, it should be used to enhance them and correct the issues.

Voting station computers should do nothing more than assist a voter in creating a reliably readable paper ballot. The voting station should not be networked, and not even have any storage space. It would be an embedded machine booted from flash that is hardware wired to be unwritable, or booted from a CDROM or equivalent. It should boot very fast (embedded developers know how to do this and bring a minimal system and application up in a second). It should be rebooted between each voter.

The voting station would have a simple single sheet printer and an LCD flat screen with touch sensors. The voter would "touch" their votes and always have the ability to go back, or even jump around randomly to various offices/issues to vote on. Once done, the voter can press the "I am finally done" button to print the choices on paper.

What is printed on the paper is a combination of scannable text and bar codes with strong checksums (SHA1). The text shall be human readable (although in big elections some people might need optical reading assistance). Visually impaired people can ask for a poll worker to read back their ballot to them.

The next step is the paper ballot is taking to the reading station. The ballot is read in by another computer with a scanner. This computer scans the text and reduces it to a set of simple vote codes. These vote codes are checksummed and that is compared against the bar codes. If there is a mismatch, probably a scanner error took place, or the ballot was damaged or smudged. It flashes and beeps a warning the the ballot is not readable. This may require the voter to re-do another ballot (this one is marked as bad and the voter is given another sheet and front-of-line access to a voting station).

The scanner keeps tallies and may send results to a central office. Larger voting places may have more than one scanner and tallies will be done by a central computer. The paper ballot is then inserted UNFOLDED into a locked box.

The voter gets a receipt for having voted, but does NOT get a copy of what votes they made. If they want to remember their own votes, they must make their own notes themselves. The reason for this is that no voter should have any official statement of who they voted for to ensure no voter can "prove" to someone else who they voted for. This has been a long time standard to impede vote buying/selling, and should not change.

The computers that tally the votes could give nearly instant 100% results shortly after polls close. But that's not the end of it. Those results are not certified. The voting officials will, in the next few days, monitor the process if re-scanning all the paper ballots to ensure the results are consistent. If they are satisfied of this, then they certify the election results. If there are any issues, then the paper ballots can be manually checked.

This process is still paper based, and still just as auditable and recountable as any paper based system. It gains the avantages of consistency in the marking of ballots. Instead of being hand marked, they are "computer marked" (in a way that humans c

Re:

[sconeu (64226)]

I wouldn't.

If I *had* to, I'd have the computer be the means of *printing* a ballot only. It wouldn't tabulate.

It would then print a ballot that was both human and machine readable (OCR font anyone?).

That ballot would be placed in a box, and counted.