3-19-08 - Tightening the net: An indi...
   
Bev Harris, Board Administrator (username Admin), post #7749, registered 12-2004. Posted on Wednesday, March 19, 2008 - 2:02 pm:
Jim March, John Brakey and Michael Shelby have pulled a coup in Arizona. They have studied and reported on the presidential primary election in the largest county in that state, Maricopa, with 56% of the AZ vote. The report they've published sets new ground in how to monitor the security and sanity of an election.

THERE ARE THREE REASONS TO READ THIS REPORT:

1) Appendix A is a scathing indictment of the security and legality of the Sequoia product line. Taking advantage of material that wasn't available to California Secretary of State Debra Bowen's top-to-bottom review team, they've shown that Sequoia must now be considered the least secure and most illegal black box voting system in America - "dethroning" Diebold. Appendix A is a standalone section that can be read independently of the full report.

2) Also of national interest: this report forms a blueprint on how to do central tabulator observation missions, whether as a citizen or partisan representative. By carefully observing the hardware being used, asking pointed questions and digging through public records, they've shown that it's possible to pierce the veil of secrecy over election (mis?)conduct. Findings include the outsourcing of the entire mail-in vote process, including the use of a private company to print, mail out, -=receive=- and scan the ballot signatures ... all by a private company outside of the scope of public records access and proper accountability.

3) For any Arizona voter, the report is a must-read to see just how badly an election can be run in the 4th largest county in America! It's also a message of hope - they can't get away with running a system this sloppy without getting caught.

The barriers these three faced in producing this document were unbelievable. Arizona is one of the states where the rights of the citizenry to observe and control their own elections are not recognized by the government. Instead, you must be a political party election observer in order to observe.

Turned down as observers by the Maricopa Republican and Democratic parties after a slander campaign by the county elections department to both of those party chairs, March and Shelby were credentialed as observers by the Maricopa Libertarians...who by statute have observer rights. But since the Libertarian Party wasn't on the ballot, the county attempted to deny them credentials, which was reversed by a judge on election day in an emergency hearing called by attorney Michael Kielsky - the LP STATE party chair. Based on what's come out in this report, the nation owes a debt to the Arizona Libertarian Party.

FULL REPORT: http://www.bbvdocs.org/sequoia/Maricopa-County-Elections-Report.pdf (5,769 KB)

Maricopa County Elections: A Security Report for the Maricopa Libertarian, Republican and Democratic Parties
by Jim March, John Brakey and Michael Shelby

OVERVIEW AND EXECUTIVE BRIEFING

Attached find a 24 page document summarizing the state of election integrity and security issues in Maricopa County AZ on and around the Feb. 5th 2008 Presidential Preference primary election.

- Discrepancies in data reporting (between mail-in and precinct voting) have left confusion over results and data analysis. (See full report, Items 1, 1a and 1b, page 2)
- Issues regarding precinct access, pollworker staffing and long lines. (See full report, Item 2, page 2)
- Issues regarding operations, security and transparency at the central tabulator. (See full report, Item 3, page 3)
- Issues regarding networking and data interchange security. Numerous concerns and suggestions including obvious threats to the integrity of the process. (See full report, Item 4, page 3)
- Issues regarding overall system transparency and observation: an electronic voting system cannot be observed using only basic human eyeballs; rather, the observation process in existing law must be electronically revamped. (See full report, Item 5, page 6)
- The processing of mail-in votes has been outsourced. A conflict of interest arises: if a private company owns the mail-in vote handling process, and it goes wrong in any way, employees will be pressured to cover up. (See full report, Item 6, page 7)
- Operation of the Sequoia voting machines at election headquarters has been outsourced to Sequoia employees. There is another conflict of interest: Sequoia employees would be required by their employer to conceal glitches or evidence that the Sequoia system had been subverted. (See full report, Item 7, page 7)
- Disturbing pollworker reports. (See full report, Item 8, page 7)
- Physical access security: one of the doors has been left without an access record trail. (See full report, Item 9, page 8)
- Party access to the oversight process. (See full report, Item 10, page 8)
- Comments and conclusion. (See full report, page 9)
- Appendix A covers the legal and practical issues surrounding the Sequoia "BPS" and "Bridge Tool" software modules. They are uncertified; this section analyzes the legal conflict surrounding these materials. National importance. (See full report, page 11)
- Appendix B covers the process for permanent early vote list assignments. (See full report, page 28)

The report draws on several sources:

- Detailed study of the Sequoia voting systems by way of internal Sequoia documentation, the California Secretary of State's 2007 "top to bottom" security review of voting systems and conversations with a former Sequoia employee.
- Study of public records provided by Maricopa County under Arizona's FOIA-equivalent laws.
- On-site observations before, during and after the election.
- A review of the legalities surrounding the Federal voting system certification process and how it interacts with Arizona law (Appendix A2).

Assembling and viewing this material in total, a disturbing picture emerges of a department that is fighting transparency and observation at every level and by any means possible (legal or otherwise), a voting system vendor that is visibly cheating on their legal requirements (and security model) and a series of interlocking bureaucracies at the county, state and federal levels that together are supporting the unsupportable.

The report contains concrete examples of these problems and where possible suggests mitigations. By showing the interweaving issues between the levels of government, it forms a work that is valuable to anyone in America interested in fair, honest and transparent elections. We have run into a situation in this one (large) county that forms a microcosm of what's wrong with America's democratic process.

This isn't the report the authors set out to write. At first we thought we would be producing something specific to the Maricopa or at least Arizona electoral situation. That core purpose is still present and still useful. But readers are urged to look past the local, specific issues and pay attention to the broad strokes. We're all in trouble. We write this as a plea for help, as an effort to expose something tragically wrong.

NOTE: Appendix A covering Sequoia's legal situation is of national interest and sheds light on flaws not just in Sequoia's product line, but the entire electronic voting infrastructure via the federally-approved testing labs and Sequoia's apparent subversion of that process.

Appendix A
The Sequoia Voting System Installation in Maricopa: A Legal And Practical Analysis

Maricopa County is the largest client county Sequoia has, and is a fairly recent installation (mid-2006). There are a number of intersecting concerns related to the security and legality of this system. Public records access in the course of producing this report has left the authors in the best possible situation to comment. We will draw heavily from the security analysis published last year pursuant to the California Secretary of State's "top to bottom review" and legal analysis performed by Dr. Tom Ryan in Arizona. We will however be able to go past where these and other pioneers have left us.

Legal Background

Voting systems in Arizona are certified by the Arizona Secretary of State's office, with a limitation placed on her powers:

16-442.B. On completion of acquisition of machines or devices that comply with the Help America Vote Act of 2002 (P.L. 107-252), machines or devices used at any election for federal, state or county offices may only be certified for use in this state and may only be used in this state if they comply with the help America vote act of 2002 and if those machines or devices have been tested and approved by a laboratory that is accredited pursuant to the help America vote act of 2002.

The Help America Vote Act further codified an existing system of Federally approved test labs which are the sole people outside of the voting system vendors who are allowed to peer into how these machines work: taking them apart with screwdrivers and, more importantly, reviewing the "source code" behind their functionality. This lets the labs (in theory) check the products for accidental "glitches", various security flaws and, worse, deliberate "fraud logic".

In order to allow Maricopa County to do their own ballot preparation (electronic and paper ballot layouts), Sequoia sold the county a software module called "BPS", which includes a data-transfer program to load BPS information into the main Sequoia elections database called the "Bridge Tool". Sequoia, recently supported by Arizona Secretary of State Jan Brewer, is claiming that the BPS/Bridge software components don't need to be Federally certified per the Federal rulebook (2002 edition) covering the test process. The authors of this report think otherwise.

We believe Sequoia deliberately withheld BPS/Bridge code from outside review that is critical to the operation of the election, code that is central enough to the functionality of the system to subvert or corrupt the election process. Per the Federal rulebook, they required test lab review.

Further, our reading of 16-442.B as a limit on the AZ SecState's powers removes her discretion in this matter. Factually, the code either needs certification under the Federal 2002 rules or it doesn't. If it does, and per admissions already made it hasn't been, then due to the Federal rules making the entire voting system certified as a complete unit, the whole collection of Sequoia parts from the precinct terminals back is legally not a voting system. It's as fake as a Hong Kong Rolex.

The Federal Legalities

Per the Federal 2002 Voluntary Voting System Standards rulebook:

1.5.1 Voting System
A voting system is a combination of mechanical, electromechanical, or electronic equipment. It includes the software required to program, control, and support the equipment that is used to define ballots; to cast and count votes; to report and/or display election results; and to maintain and produce all audit trail information. A voting system may also include the transmission of results over telecommunication networks. [Emphasis added]

Sequoia's "BPS" product prepares the electronic and paper ballot layouts, formats them and inputs the data into the main database of votes (controlled by a certified program called "WinEDS"). Depending on which Sequoia document you look at, "BPS" stands for "Ballot Preparation Software", "Ballot Production System" or a couple of other variants. Sequoia's usual business model is to do ballot prep in-house as a service to client agencies; Maricopa is one of a very few who fought that idea and were offered BPS/Bridge as licensed products to do it themselves. It seems possible the Sequoia salespeople who sold them BPS didn't realize they were releasing a legally questionable product to outside scrutiny. Note that BPS/Bridge is active in the election process no matter who uses it at what office; the availability of BPS in the Maricopa elections office doesn't affect its legality either way. It does give us the opportunity to examine the situation.

...continued in full report...
   
Catherine Ansbro, Frequent Voting Rights Forum Participant (username Catherine_a), post #4791, registered 12-2004. Posted on Wednesday, March 19, 2008 - 4:32 pm:
What an outstanding report this is! March, Brakey & Shelby have done the American voting public a tremendous service. The clarity and structure of this report make it very readable. The 1880's examples were an excellent idea. It's good to know their investigation is continuing. . . Let's hope Maricopa County starts to clean up its act immediately by responding to the FOIA requests and releasing the records requested.
   
Jim March, Frequent Voting Rights Forum Participant (username Jimmarch), post #175, registered 5-2006. Posted on Wednesday, March 19, 2008 - 5:33 pm:
The latest: Maricopa has had word back from Sequoia that they (Sequoia) are disputing the release of the BPS/MDB data. They didn't say on what basis and Maricopa is waiting for details which they've promised to pass along. If Sequoia's claim is that there's program code in the BPS data files (MS-Access .MDB format), then they're saying program code from an uncertified source is being passed into the certified WinEDS process. And that's a really big deal.
   
Brant Lamb, Frequent Voting Rights Forum Participant (username Brantl), post #2019, registered 1-2005. Posted on Thursday, March 20, 2008 - 3:26 am:
I'd really like to know what the 'uncertified source' is, and why it would be allowed to pass data into the WinEDS process/system.
   
Bev Harris, Board Administrator (username Admin), post #7750, registered 12-2004. Posted on Thursday, March 20, 2008 - 6:41 am:
Regarding page 6, section 5, I'd like to mention that:

1. Many jurisdictions don't "get" that a video signal splitter taking feed directly from the computer screen is not the same thing as sticking a camera in the room. In Bullitt County Kentucky I saw an unacceptable blockage of citizen viewing when we were told to watch a tiny screen containing split-screen images from a few cameras. That is NOT the same thing as a video feed from the computer. We couldn't see anything on the computer screen and sometimes couldn't even see what the people in the room were doing.

2. The screen is only one thing observers should be able to view clearly. Other things include the activities of everyone in the room, and all the objects in the room. Extra disks, instruction manuals, portable memory, etc.

3. As the report points out, the activity around the central tabulator is just as relevant before and after the election is going on.

We need to avoid the temptation to deal with these issues by making elections more complicated. One of the flaws of the use of technology as it is currently implemented in elections is that it complexifies the process, making citizen controls unwieldy.
   
Michael T. Aupperle, Voting Rights Forum Participant (username Auplvo11), post #1, registered 1-2008. Posted on Thursday, March 20, 2008 - 12:02 pm:
In Nevada we use Sequoia machines and I have not been able to get any elected person to pay attention to the Sequoia problems. I asked the NV SOS at a League of Women Voters meeting to speak to the difference between the CA decertified machines and NV machines; he said a lot of words that did not address my question. He means well and is an honest, honorable person, but I think many of these elected leaders are just overwhelmed by the technology and do not understand the dangers here! I am overwhelmed with it, but NV over and under votes in 2004 is what raised the red flag for me. When I brought the news media's attention to it, an employee of the NV SOS just zeroed them out!!! It was before the election was certified. Do you know of anyone in NV who is trying to work on this problem I could hook up with?? Thanks, Mike
   
Mike LaBonte, Frequent Voting Rights Forum Participant (username Mike_labonte), post #229, registered 12-2005. Posted on Thursday, March 20, 2008 - 1:06 pm:
There is a common tactic these days, and it's not just about voting. Asked how opposite decisions are made regarding two seemingly similar situations, officials give a litany of factors that implicitly make the situations completely different. But how that should affect the outcome is rarely explained. You only need to enumerate some differences, regardless of whether they are relevant. In the Tobi/Twomey/Scanlan session on Political Chowder David Scanlan tried to distinguish between NH and CA when Arnie brought up the problems in CA, by pointing out that NH uses optically scanned paper ballots. Well, CA has more optical scan machines than NH does, and for a while many of them were decertified there.

Mike, can you get your own LWV more interested? Their newsletter only gives a glowing report from that meeting with Ross Miller. Maybe they would be open to a presentation from you at a future meeting to explain the issues in more detail. If the Las Vegas LWV won't be your ally, what are they there for?
   
Victoria Parks, Voting Rights Forum Participant (username Victoria_parks), post #1, registered 10-2007. Posted on Thursday, March 20, 2008 - 2:38 pm:
This message is for Michael T. Aupperle. Michael, you wanted to know who in NV might be interested in addressing problems with Sequoia. NV has not got any organized EI groups. Can I suggest you get in touch with Patricia Axelrod? paxelrod1675@yahoo.com. She has also expressed frustration that she feels somewhat alone in the great state of Nevada while election integrity is not even on the blackboard there yet.
   
Jim March, Frequent Voting Rights Forum Participant (username Jimmarch), post #176, registered 5-2006. Posted on Thursday, March 20, 2008 - 3:48 pm:
Quoting Brant: >>I'd really like to know what the 'uncertified source' is, and why it would be allowed to pass data into the WinEDS process/system.<<

The BPS "Ballot Preparation System" application (made by Sequoia) isn't certified. Sequoia is claiming that it doesn't need to be, with the AZ SecState backing that position. I think otherwise and I've laid that out in Appendix A in detail. But setting that aside, let's assume for a sec that BPS doesn't need cert. OK. If BPS is creating .MDB files that contain program code, and those MDB files are being pumped into the WinEDS database (with WinEDS being a certified product), then we have exactly that: BPS produces data files containing code, none of which is certified, and it then goes into the certified system. And that ain't kosher.
   
Mike LaBonte, Frequent Voting Rights Forum Participant (username Mike_labonte), post #230, registered 12-2005. Posted on Thursday, March 20, 2008 - 5:20 pm:
Before reading the report I assumed the justification for not requiring BPS certification would be that only the equipment and software actually running on election day would have to be certified. But Appendix A of the report gets past that quickly by quoting from the 2002 VVSG that the system "includes the software required to program...". Clearly Brewer and Hancock do not agree on whether BPS is part of the system, and Brewer lacks Hancock's closer look at the differences between the 2002 and 2005 VVSGs. One would think the EAC would have the last word, but so far it seems to be the other way around.

One thing not mentioned about the Sequoia data flow graphic is that it shows manual input from a computer into the BPS database, with no indication what software is used. That software would be BPS, right? There should be a rectangle above the BPS Database parallelogram for the BPS software. The manual input and ballot printing should connect to that, not to the database. The Voter Registration System cloud may be correct in connecting straight to the BPS database. Presumably "manual input straight into the BPS database" is attempting to indicate the point where the human interface to the system lies, consequently defining the boundary of "the system" that must be certified.

But I don't see any discussion of the key phrase from Brian Hancock that the "outputs of this program are inspected by election officials". My reading of this is that Hancock considers anything that is checked by a human to fall outside of the scope of the system that must be certified. Only software producing data that is not humanly verified ahead of an election would require certification. That makes sense to me, as long as the human has access to all data that controls the conduct of the vote counting, when checking.

It is stated in Appendix A that Sequoia normally handles ballot preparation themselves as a service. I did not notice any mention of the obvious, that if the Bridge and BPS software truly do require certification, then the system fails to comply whether Maricopa election officials or Sequoia employees are doing the programming.

Lastly, where does GEMS fall in this regard? Since GEMS is, I believe, roughly the equivalent of BPS + Bridge Tool, is it certified?
   
Jim March, Frequent Voting Rights Forum Participant (username Jimmarch), post #177, registered 5-2006. Posted on Thursday, March 20, 2008 - 7:17 pm:
First off, we know that in Maricopa for this election alone, the total size of the data coming out of the BPS process (in .MDB format) is 70.5 megs. If Hancock is saying that all 70.5 megs is hand-inspected by a hooman, he needs rehab for that nasty addiction to heroin cut with glue. Sigh.

Yes, GEMS includes the functionality of both WinEDS and BPS/Bridge, but all in one chunk that has (allegedly) been certified. It wasn't certified very WELL and the clowns who did so at Ciber have been tossed out of the whole process. But it was "certified", whatever that means. BPS/Bridge completely dodged even BAD certification.
   
Frank Henry, Voting Rights Forum Participant (username Fmhenry4netzerocom), post #1, registered 3-2008. Posted on Thursday, March 20, 2008 - 11:45 pm:
1. We need to look at 100% manual count of paper ballots at the end of election day at each precinct where voting machines are used.
2. We need to get rid of the provisional ballots.
3. Have an election day polling place registration process in place.
4. Include voter's intent in all manual counts.
5. After the "Official count" is released, recounts should be allowed to be requested by voters or candidates or parties or election officials. The recount consideration level should be up in the 2%, 3%, 4% level.
6. Get rid of the existing AZ post election voting machine verification process...It has unconstitutional issues that need resolution.

Hope this happens by November 2008. Thanks and Good Luck, Frank Henry 928-649-0249
   
Randell Jesup, Voting Rights Forum Participant (username Jesup), post #1, registered 3-2008. Posted on Friday, March 21, 2008 - 5:34 pm:
The report says: "Suggestion: CDs cannot be changed once initially burned – USB flash memory can. CD-ROMs should be used to transfer data from the central tabulator to the internet reporting computer to allow for continuity of the data to be retained. This practice would aid in later auditing or verifications of data continuity, security and authenticity. Each CD would be labeled as to date and time then filed securely."

This is incorrect. First, someone could just substitute a CD-RW (though you could verify that later). Second, if the CD data is written in one of the "changeable" formats, the original data can be there, but can be supplanted by newer copies. This would be visible with the right tools, but simple access wouldn't show it. Third, even a straight "closed" ISO burn could be (in some cases) very carefully modified by burning additional pits. Very tricky, requires expensive equipment, probably not fast, but in theory possible (kind of like adding a stroke to change an 'l' to a 't' (change "slake" to "stake") in handwriting).

Note also any machine with a CD-ROM, DVD or USB port can be booted off one of those (such as with Knoppix), allowing access to the hard drives with any tool they want, unless they're encrypted. (Also via network/PXE boot, if the BIOS supports it, which many do.)

Don't assume someone needs a special program to modify files. Notepad/WordPad/hex editors/etc. can allow simple modification of files even with no external access, no external tools, just knowledge of what to change. You have to make sure not only that those tools aren't on the system, but that there's no way to use such a tool. Extremely tough - it's just as tough as securing the actual voting machine from illicit access, but now you're on a computer. You'd have to pot the USB ports, not have a CD/DVD, lock (and put seals on) the case, etc.
   
Catherine Ansbro, Frequent Voting Rights Forum Participant (username Catherine_a), post #4804, registered 12-2004. Posted on Friday, March 21, 2008 - 7:15 pm:
Thanks, Randell, this is very useful detail. Most people have little awareness of how vulnerable these systems can be in the right hands.
   
Randell Jesup, Voting Rights Forum Participant (username Jesup), post #2, registered 3-2008. Posted on Friday, March 21, 2008 - 8:27 pm:
No problem. I was part of the RPI student ACM chapter which ran electronic voting for student government on the campus mainframe back in circa 1983.

CD-Rs aren't a bad idea in general (better than USB), but you need to avoid making invalid assumptions. USB drives are active devices. In theory (and this would be a pain to do in practice, but it is doable) you could make or modify a USB memory drive with a small processor to modify the data during the transfer. It could even show one set of data when plugged into one machine, and an entirely different set (or subtly different) when plugged into a different machine. Again not easy, but certainly technically doable.

If you want to protect data in transit, trying to protect the raw (in-the-clear) bits is inherently problematic. Not impossible, but very, very hard. Banks pretty much gave up on that decades ago. The trick is to instead make it useless to intercept or modify the bits in transit. That's the reason you can use credit cards over the internet, why ATMs can be put where someone could tap into the network lines connecting them to the bank, etc. You encrypt the information. Typically the issues with that are key management - if someone has the key, they could make use of the ability to intercept the data or replace it. Public key encryption helps - you can encrypt using the public key of the tally machine, and sign the encrypted data using a separate private key associated with the polling location/machine/etc.

This is a case where having realtime access is good; the two sides can negotiate a secure connection (TLS/HTTPS/etc.) without exposing any information on the keys involved - the only issue is that they need to authenticate each other if you're not using public-key encryption; this is typically done with certificates. Of course, having network access at all does open additional avenues of attack. An argument can be made, though, that armoring a system against attacks is safer than trying to protect a system from *ever* being connected to a network (unless you make sure they don't have any sort of network hardware).

Note: I'm talking about attacking the transmission process (physically and electronically) - protection of the machine against attack is a separate issue.
   
Catherine Ansbro, Frequent Voting Rights Forum Participant (username Catherine_a), post #4806, registered 12-2004. Posted on Saturday, March 22, 2008 - 5:49 am:
Randell, this is invaluable. Really. I'm going to try to synthesize key points that you've just explained, translated for my non-techie perspective, and please let me know if I've understood you correctly.

1. USB flash drives can easily have their data changed.

2. USB drives in the hands of a highly skilled and motivated person can be changed so that the data transmitted is different depending on the machine to which it is attached. (E.g., in an election scenario, the USB could show one set of data if connected to a local optical scanner, and could transfer a different set of data when connected to a central counting computer.)

3. CD-Rs can have their data changed (though not as easily as the simplest kind of changing data on a USB flash drive).

(If I've understood the above points correctly, Randell, can you please comment on whether the above are factual vulnerabilities or hypothetical? Have you--or someone you know/know of--actually done these things?)

4. Completely avoiding any chance of data transmission from any device is virtually impossible and banks have long ago given up trying to avoid this.

5. From what you know, the only (or best so far?) strategy used to get around the inherent vulnerability of data being transmitted or being accessed in an unauthorized way is to use some form of encryption.

6. Not all encryption is the same.

7. Better forms of encryption involve "keys" on either end of the process--sending and receiving--and if one of these keys is "private" it is more secure.

8. [My interpolation] The actual "privacy" of the "private" key depends completely on both the integrity and competence of the person/people with the "private" key and their approach to keeping this key secure. (E.g., if they write their key on a paper and put it in their desk drawer or store it on their computer which a motivated person might be able to access, it might not be so "private"--or if they share it with a trusted "deputy" or vendor tech who needs to do "emergency maintenance" it might not remain "private".)

9. These issues are completely separate and are in addition to issues and vulnerabilities relating to how data on the originating device can be impacted there, before it is ever transmitted. (E.g., if an optical scanner is running bogus code then the data could be tampered with before it is ever transmitted such as on a flash drive or CD-R.)

10. [Hypothetical scenario, based on the points you've made so far] If a USB drive could transmit different data depending on the device to which it is attached (point 2 above), could a USB flash drive also be used as a vehicle to transmit code that would change the software (or firmware?) of a device to which it is connected (such as a voting machine DRE or scanner)?

Thanks for any illumination on this.
   
Randell Jesup, Voting Rights Forum Participant (username Jesup), post #3, registered 3-2008. Posted on Saturday, March 22, 2008 - 2:31 pm:
1. USB drives can have their data changed easily. Yes, absolutely, inherently changeable at any point - in theory even 5 or 10 seconds plugged into a pocket-sized device can change it. If the data is "in the clear" on the drive, with no checks - you must guarantee the physical security of the USB drive at all times, just like it was a paper ballot. (This assumes the data on the USB is as sensitive as a ballot; in some cases it may be useful but not sensitive. For example, when it's used to transmit "quick" totals from precincts, but the actual official tally will be done directly from the machines later. The equivalent to someone phoning the totals in, but the paper record that's used in the official canvass is hand-carried under lock.) USB drives can also be swapped for identical-looking ones unless some non-tamperable marking is used.

2. USB drives could be made to actively modify the data. In theory yes; I've never seen it done, but I'm also certain that it could be done. You'd need in most cases to make physical hardware changes or wholesale hardware replacement to the innards. Not easy, hard to hide the physical modification in most cases. Again this shows the vulnerability to "in-the-clear" data.

3. CDRWs would be changeable inherently, but looking closely at them will tell you it's a CDRW drive. Casual inspection might not. CDRs are write-once, but they can be formatted so that you can "virtually" overwrite a file. The old data is still there, but is ignored automatically. Eventually this uses up all the space on a CDR. Also, regular modes, if not "closed" to additions, will allow more data to be added. This can be avoided by choosing modes to format them in properly, and making sure to "close" the disk to lock out further additions. Changing the data in an already-written sector of a CDR is very, very tough (though making it unreadable is easy). In theory it's possible by burning pits where there weren't any, but you also have to change the pits (bits) that have the error-checking codes so that they match, which SERIOUSLY reduces the chances of doing it successfully, and the odds of being able to change it to what you want. This is not an attack I'd worry about. Overall, the CDR approach is good - but remember that CDRs (and all records in transit) are vulnerable to loss or destruction.

4. Banks have given up on any form of data transmission. Not true - they've given up on "in-the-clear" data transmission. They have elaborate and well-vetted (by security experts) encryption schemes and cross-checks. They use data transmission over networks/phone lines/etc. that are secure because of encryption and authentication. They guarantee that no one can eavesdrop on the transactions, no one can inject transactions, and no one can modify transactions. I should note that they care more about some links than others, but even the links to ATMs are very secure.

5. Encryption is the way to go. YES. Or rather, signature and authentication. In many cases, you don't care about encryption (someone being able to see what you're sending); it can even be a good thing in some uses (allows external verification). Signature and authentication are closely linked to encryption and use similar methods. Signature is a way to verify that the data that was signed has not been modified since the person/machine with the signing key signed it. Authentication is a way to verify who the person you're communicating with is. Typically it uses something similar to "I encrypted this with something only you would know; if you can prove you decrypted it then I know it's really you." (In layman's terms - see http://en.wikipedia.org/wiki/Authentication)

6. Not all encryption is the same. Absolutely. Some forms require careful protection of a shared private key; any leak of that key compromises the whole system. Others allow a key to be partly public and partly private - anyone can send you data safely using your public key (only you can decrypt with the private), and you can sign anything with your private key to prove it was you who sent it (anyone can decrypt with the public key). (Greatly simplified; see Public-Key Encryption on Wikipedia/etc.)

7. Better forms of encryption use keys. All forms of encryption use keys; there are many different types. See the previous entry. In network protocols, the keys are often generated on-the-fly, after using authentication to verify who you're talking to.

8. Protection of private keys (used in public-key encryption, or for any other sort, or the "certificates" used in authentication) is very important. Note that keys are not directly like passwords; they're typically LONG binary blobs (like 2048 bits, which is 512 hex (base 16) characters (0-9 and A-F)). No one writes them down; they're stored in files. One advantage of public-key cryptography is that you can keep the private key much better controlled physically, and anyone can send you data securely using the "well-known" public key. Encryption doesn't remove the requirements to protect the devices generating or processing the data, though. It merely protects it in transit. It is merely a small (important) piece in the equation, and lets you focus on the security of the senders and receivers and not worry so much about the transit. Think of it this way: it's like an unbreakable, untamperable box for holding ballots or results. It doesn't guarantee anything about what gets put into the box, what's done after they come out of the box, and the box could be lost (though in the digital world, you could re-transmit it as needed).

9. This is separate from security of the devices. Absolutely correct.

10. Could a USB drive transmit code specially to a device attached to it? Yes, kind of. First the device would have to be willing to read the data off the drive and use it. For example, a device might check all installed flash drives for firmware updates in a specific file. I wouldn't be surprised at this, though it's poor security protocol for publicly accessible devices; you should have to do something that physically is tough or impossible to do, or some type of second-level authentication (password on console), etc. You do need some way to install updates, etc., and that's an inherent weak point you have to be careful about. Note that you don't generally need a fancy hacked-hardware USB drive to do this; any old USB drive will do if you have seconds or minutes alone with the device. A "hacked-hardware" USB only helps if you're being physically watched from the time the regular data is loaded until it's installed on the machine in question. And it's dangerous to trust physical watching of small devices with lots of important data on them. Ever see a magic show? The takeaway I was trying to point to was that there are lots of ways to tweak the data if it's not encrypted/signed/etc. before transit, and you can't count on checking the data on the USB drive before, during, or after transmission. This is all basic computer communication security theory. |
   
Catherine Ansbro Frequent Voting Rights Forum Participant Username: Catherine_a
Post Number: 4809 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Sunday, March 23, 2008 - 3:41 am: |
|
Thanks for the clarifications, Randall. Lots of food for thought there. How easy or difficult is it to create a CDR with a virtual CDR? It sounds like it would depend on how much used/unused space was on the original CDR. If there is enough space, is it hard to do? |
   
christine c reid Frequent Voting Rights Forum Participant Username: Ctwatcher
Post Number: 480 Registered: 12-2007
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Monday, March 24, 2008 - 5:37 am: |
|
This is an excellent, thoughtful report from citizens and there is an enormous amount to process and consider. I am just beginning to read and ponder what they've detailed. Fine work, all! THANK you for your commitment, energy, and quality of the report. Here is only one example, from the non-tech point of view: Apparently the whole process has been outsourced to a private corporation called Runbeck Election Services. Runbeck prints the ballots, mails them out, takes them back in, scans them and then passes them to the county elections office. We won't do a concerns set of bullet points because we believe this outsourcing of a critical elections process is a grave and critical concern that will clearly require more detailed and in-depth discussion. Both the practices and the perceptions of integrity of the elections processes must be assured to even the most casual observer in order to build confidence in elections. Point taken on outsourcing. If citizens discovered that proper controls were not in place, it would argue at a minimum for proper controls (among people not concerned about outsourcing) and demonstrate flaws in outsourcing procedures; at the max would be a case in point as to issues with outsourcing. It might be worth doing some FOIA'ing to look at the RFP for this outsourcing. What security and other parameters were included? I really want to understand more about segregation/separation of duties and incompatible duties from an auditor's standpoint, and what dual controls or other protections are in place in this outsourced vendor's processes. Once again, the layperson's cheat sheet on separation of duties from Wikipedia: With the concept of SoD, business critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function. 
http://en.wikipedia.org/wiki/Separation_of_duties They need to have a properly set up system to make sure the same person is not printing and accounting for total numbers printed or tracking incoming/receiving ballots as is reconciling the results, e.g., or the same person is not ordering printing as signing to receive them and reconciling ordered/printed/received/used/leftover. What are AZ's ballot reconciliation procedures on election night? What requirements does AZ have of the outsourced part of the election in terms of auditing their procedures/filing of reports? What is the chain of custody specified on the ballots and records sent back to the state? Is there an auditor/inspector general in Arizona that monitors the quality of work done at state vendors? If the same person did it, the system needs to be well set up so that there is oversight, audit trail, and so forth, I gather. I'm going to have to read more about this, but outsourcing without auditing that the outsourcer has proper controls would be a mistake. It's an area into which I don't yet have any insight, but the description of what this company does is, for me, enough to make a very clear and explicit review of how things work there mandatory, whether or not any actual wrongdoing occurred (and accepting for a moment its outsourced nature). What are AZ laws regarding FOIA and outsourcing companies? Must they be responsive to requests? Any areas/types of requests blacked out? Just wondering if citizens are in any way hindered in understanding the procedures used by this vendor. You don't even have to argue the outsourced nature to argue if the vendor is or is not doing a quality job consistent with good document handling/management practices. If the lack of good procedures could lead to a material difference in election results, it has to change. (Message edited by ctwatcher on March 24, 2008) |
   
Jenny L. Hurley Voting Rights Forum Participant Username: Bolivar
Post Number: 63 Registered: 12-2005
Best of Black Box?  Votes: 1 (A keeper?) | | Posted on Monday, March 24, 2008 - 7:31 am: |
|
I got this from the GAO this morning. B-316107, Election Assistance Commission--Availability of Funds for Purchase of Replacement Voting Equipment, March 19, 2008 http://www.gao.gov/decisions/appro/316107.htm Section 251 of the Help America Vote Act of 2002 (HAVA), 42 U.S.C. sect. 15401, authorizes the Election Assistance Commission (EAC) to provide payments to states for a variety of enumerated purposes, including procurement of HAVA-compliant voting systems to improve the administration of federal elections. HAVA leaves to the states what type of voting equipment the individual states should use, as long as the equipment complies with HAVA. At issue in this decision is whether under section 251 of HAVA a state may fund the replacement of HAVA-compliant voting systems, originally purchased with HAVA funds, with a different kind of HAVA-compliant voting system. We conclude that EAC's proposed policy to permit such expenses is within EAC's discretion in its exercise of statutory authority under HAVA. These decisions are now available from GAO's World Wide Web site in both HTML and PDF versions at the indicated URLs (.pdf extension for PDF version). They have also been sent to the U.S. Government Printing Office for addition to the Comptroller General Decisions GPO Access WAIS database. =========================================================== This list is produced by the Government Accountability Office to provide information about GAO Decisions. The home page for GAO is http://www.gao.gov |
   
Bruce O'Dell Voting Rights Forum Participant Username: Bruceodell
Post Number: 6 Registered: 7-2005
Best of Black Box?  Votes: 2 (A keeper?) | | Posted on Saturday, March 29, 2008 - 12:34 pm: |
|
The information provided by Randall Jesup about encryption is very good, but it overlooks an essential point. In information security - and especially in electronic financial transactions - we are concerned not just with confidentiality but also with integrity. Sure, encryption keeps people from (easily) eavesdropping on your transaction, and keeps them from altering it (easily) in transit. But in the special case of voting transactions, encryption provides absolutely no assurance of integrity; namely, the assurance that my vote was counted as cast. Digital signature technology can be used to "certify" a tampered vote as easily as an authentic one, and the voter would never know. I've worked for many years in information security in financial services and I've designed electronic transaction processing and audit systems, but the core issue is not a technical one. The reason why embezzlement is the exception and not the rule in electronic financial transactions is that strong and legal proof of identity is linked with the transaction, and the combination of identity and transaction is shared with multiple counterparties. If you transfer money from one bank to another, your identity, the sending bank's identity, and the receiving bank's identity are all linked to the transaction; all parties maintain - and reconcile - their independent records of the transaction, while laws and regulations governing electronic financial transaction disputes are mature. Precisely none of those conditions apply to voting. Voting is a private anonymous transaction whose accuracy can only be verified by the voter at the time the ballot is cast. When voting by computer, at some point a human gesture on a touchscreen or a mark on an op-scan ballot must be interpreted by program logic. That logic may or may not interpret my gesture or mark on paper as I intended.
All encryption and digital signature technology can do after that point is to vouch for the fraudulent or mistaken outcome of the vote counting program; and I as a voter can no longer challenge it, because there is no one who can legally keep a record of my identity and my vote for auditing purposes. Any scheme that enables me to satisfy myself as to how my ballot was counted after the fact can also be used to coerce or sell my vote. This limitation is inherent to the combination of private voting and computer technology, which is why computer automation is inappropriate for use in elections. The potential return on investment for insider software manipulation is so large, the scope of potential exploits so vast, and there is no meaningful run time audit capability. The voting equipment industry, their IT apologists, and their customers have had nothing to fall back on except to try to use quality assurance and testing as security measures. This is utterly misguided - and in fact, dangerously so. There's simply no reason to trust that the behavior of software certified or tested on one device at one point in time will match what someone assures you is the same software running on another device at another time. Financial services organizations can supplement quality assurance and testing with runtime and post-transaction auditing; voting systems can't. I'm not saying there is no reason to inspect the pitifully weak artifacts that Sequoia "internal controls" provide. Some exploits could well be detected by this type of forensic work. By all means, if there is a legal challenge that could be mounted based on review of the meaningless "security" mechanisms, go for it - and great work. But the fundamental issue is there are and always will be a host of exploits which would leave behind no trace in any of the existing, or any future voting system "internal control" mechanisms.
Be very careful that in the process of exposing flaws in Sequoia internal controls and "audit" logs, you do not find yourself appearing to endorse the world view where logic and accuracy testing, code inspection, and review of audit logs are actually regarded as meaningful security measures... instead of compelling reasons for the removal of computers from voting. |
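As an added example (not code from Randall, Bruce, or the Maricopa report), here is a small Python model of points 5, 6 and 8 in Randall's reply and of Bruce's objection above: a signature tag detects a change to the results file made in transit, but vouches just as readily for a count that was already wrong when it was signed. The key, precinct number and tallies are constructed values, and a shared-key HMAC stands in for the public-key signature the posts describe.

```python
import hashlib
import hmac
import json

# Constructed for this example: a shared secret held by the precinct device and
# the central tabulator (the "shared private key" model of point 6 in the post).
# A real deployment would generate it randomly and never hard-code it.
SHARED_KEY = b"example-shared-key-not-for-real-use"


def _canonical(tally: dict) -> bytes:
    """Serialize the tally the same way on both ends so the tag is reproducible."""
    return json.dumps(tally, sort_keys=True, separators=(",", ":")).encode()


def sign_tally(tally: dict, key: bytes = SHARED_KEY) -> dict:
    """Package a precinct tally with an HMAC-SHA256 tag over its canonical bytes."""
    body = _canonical(tally)
    return {"body": body.decode(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_tally(package: dict, key: bytes = SHARED_KEY):
    """Return the tally if the tag matches what the key reproduces, else None."""
    expected = hmac.new(key, package["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        return None  # rejected: body changed since signing, or wrong key
    return json.loads(package["body"])


def alter_body_in_transit(package: dict, delta: int = 100) -> dict:
    """Simulate the failure mode in point 1: the in-the-clear body is edited on
    the USB drive after signing, while the original tag is left in place."""
    altered = json.loads(package["body"])
    altered["candidate_a"] += delta
    return {"body": _canonical(altered).decode(), "tag": package["tag"]}


def demo() -> dict:
    """Run the three cases the thread discusses and report the outcome of each."""
    tally = {"precinct": "42", "candidate_a": 310, "candidate_b": 295}  # constructed
    package = sign_tally(tally)
    return {
        # Case 1: untouched package -> accepted.
        "unaltered_accepted": verify_tally(package) == tally,
        # Case 2: body changed after signing -> tag mismatch -> rejected.
        "in_transit_change_detected": verify_tally(alter_body_in_transit(package)) is None,
        # Case 3: the count was already wrong before signing (misread marks, or an
        # insider on the device). The tag vouches for the wrong numbers just as happily.
        "pre_signing_error_accepted": verify_tally(sign_tally({**tally, "candidate_a": 410})) is not None,
    }


if __name__ == "__main__":
    print(demo())
```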
   
Catherine Ansbro Frequent Voting Rights Forum Participant Username: Catherine_a
Post Number: 4846 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Saturday, March 29, 2008 - 2:31 pm: |
|
Randall did point out on a couple of occasions that encryption at best only addresses security during transmission, and that it has no value in ensuring integrity or accuracy either before or after transmission. I agree entirely with your viewpoint, Bruce. Thanks for emphasizing what encryption can and cannot do, and for elaborating with such clarity. I would stress that encryption makes public observation ultra-impossible. My interest in getting clarity about encryption and related security questions is because it is an issue that arises repeatedly here. It is helpful to have some of the important facts (claims, limitations, different kinds of vulnerabilities) spelled out from time to time as technology changes. Different technical experts always have more information to add. (E.g., it was news to me that a CD-R can have data added to it.) |
   
Bruce O'Dell Voting Rights Forum Participant Username: Bruceodell
Post Number: 7 Registered: | | |