Wednesday, August 08, 2007
What Have We Learned About Elections Lately?
CA Secretary of State Debra Bowen made a dramatic late-night announcement on Friday, August 3, presenting her certification decisions for the state's voting systems. Bowen completely decertified InkaVote, sold by ES&S and formerly used only in Los Angeles, because the source code was not submitted for review. All other equipment was decertified and then recertified with new conditions for use, based in part on the reports (posted lower on the same page as the link above) of Bowen's Red Teams of computer security experts (see my summaries of the Diebold and Hart Intercivic reports). Some of these conditions are vague or confusing, and I'll cover that in a bit.
What is clear to me is that the public is becoming more aware and more concerned about our election conditions. I have observed more people than ever having open discussions about Diebold, Bowen, and hand-counting paper ballots. More than a few people contacted me by e-mail in the past week to ask how to get involved. The increased interest in election integrity feels palpable to me.
Humboldt media coverage has been plentiful but mixed at best, and at times it has presented an alternate reality. On July 28, The Times-Standard gave us a headline of "Local election systems may be vulnerable to hackers" above a lede that makes clear local election systems ARE vulnerable to hackers. Today, a T-S headline read, "County election system fares well in review," despite the Red Team reports of numerous exploits found in our Diebold optical scanners.
Hank Sims had a little more on the ball in last week's Town Dandy column in the Journal: "...the hackers basically made mincemeat of the machines, demonstrating a variety of ways to skew the vote...The Red Team also verified that the optical scanning machines found at our precincts could be easily jimmied and rendered inoperative."
Having checked out the amazing calculator tool (.xls) I wrote about last week, Sims went on to address the feasibility of the Voter Confidence Committee's campaign for hand-counted paper ballots:
Berman's suggestion: Ditch the machines and go to a pure hand-count of all votes cast. Initial twiddling with the numbers suggests that it wouldn't be all that time-consuming or costly -- and wouldn't you rather wait a few days and spend a little more for a trustworthy count?
I have no objection to being called "obsessive" when the same article makes my case this well. The new issue of the Journal is out but not yet online. Sims again writes about elections, referring to Bowen's "weekend massacre." The problems this will cause Humboldt are "relatively minor," says Sims, contrasting with the newly machine-less LA. True that.
However, I believe Sims understates things when saying that shoring up security for the GEMS central tabulator will merely mean "our elections office will have to change up procedure a bit." I leave it to the reader to re-trace my many prior references to the dangers of GEMS. Here I shall only point to the words from another of the reports provided to Bowen in her Top To Bottom Review (TTBR). This is from the Executive Summary of the Source Code Review of the Diebold Voting System:
Vulnerability to malicious insiders
The Diebold system lacks adequate controls to ensure that county workers with access to the GEMS central election management system do not exceed their authority. Anyone with access to a county's GEMS server could tamper with ballot definitions or election results and could also introduce malicious software into the GEMS server itself or into the county's voting machines.
Although we present several previously unpublished vulnerabilities, many of the weaknesses that we describe were first identified in previous studies of the Diebold system (e.g., [26], [17], [18], [19], [33], [23], and [14]). Our report confirms that many of the most serious flaws that these studies uncovered have not been fixed in the versions of the software that we studied.
Since many of the vulnerabilities in the Diebold system result from deep architectural flaws, fixing individual defects piecemeal without addressing their underlying causes is unlikely to render the system secure. Systems that are architecturally unsound tend to exhibit "weakness-in-depth": even as known flaws in them are fixed, new ones tend to be discovered. In this sense, the Diebold software is fragile.
Due to these shortcomings, the security of elections conducted with the Diebold system depends almost entirely on the effectiveness of election procedures. Improvements to existing procedures may mitigate some threats in part, but others would be difficult, if not impossible, to remedy procedurally. Consequently, we conclude that the safest way to repair the Diebold system is to reengineer it so that it is secure by design.
It doesn't get any more devastating than that. All the preening of Humboldt Registrar of Voters Carolyn Crnich is plainly phony, and the media pandering to her is reprehensible. Sims gets a pass for his support of HCPB, but here is more bad journalism from the T-S ("E-voting order may have little impact here"), and without Rebecca S. Bender it seems the Eureka Reporter has gone mute on this subject, save a great letter to the editor submitted by VCC members Ruth Hoke and George Hurlburt.
What is happening is that Crnich and other Registrars throughout the state are in a highly defensive posture. Being forced to give up all their equipment would mean maximum uncertainty and the greatest amount of work. Instead, in fine CYA fashion, we see continued apologies for secret vote counting machines. You don't have to look all that closely to see the similarities in the rhetoric of Registrars and machine vendors such as Diebold. It is unconscionable that the results of Bowen's TTBR would make anyone more inclined to support "electronic voting machines." We're past the time of being surprised by such things, including the media's facilitation role. It is time we use these points against them. Ready for the first great example?
As Sims points out in his new column, Bowen has banned the use of modems for transmitting precinct results to the central tabulator. The VCC report addresses the risks of modems and obviously calls for their banishment, as they are unnecessary with hand-counting. The beauty of what Sims says:
"The machines will have to be physically delivered back to Elections HQ before the counting commences, which means that we will no longer have election night results."
Of course, one of the most common blusters we hear against HCPB is that it will take too long. We are now very close to having definitive proof that HCPB will be faster. The VCC continues to call upon Crnich to help us narrow down the range of estimates plugged into the calculator tool (.xls) for forecasting manpower needs and costs of hand-counting 100% of the paper ballots. And now, thanks to Sims, I believe we should hereby permanently lay to rest the canard of immediate election results being prioritized over accuracy.
Now, regarding Bowen's conditional certification of Diebold: the way she has this posted online, I'm unable to copy and paste text directly out of the document. So, here I'll just re-type brief references and encourage you to read the full document for yourself.
Page 2
"voting systems analyzed were inadequate to ensure accuracy and integrity of the election results...contain serious design flaws...which attackers could exploit to affect election outcomes...Diebold software contains vulnerabilities that could allow an attacker to install malicious software on voting machines and on the election management system, which could cause votes to be recorded incorrectly or to be miscounted, possibly altering election results...due to these shortcomings some threats would be difficult, if not impossible, to remedy with election procedures...with access only to the Windows operating system on the Diebold GEMS election management server supplied by Diebold and without requiring access to Diebold source code [Red Team members] were able to access the Diebold voting system server software and to corrupt the election management system database, which could result in manipulated voter totals or the inability to read election results, rendering an election impossible to complete electronically."
Page 3
"...without accessing Diebold source code, [Red Team members] gained access to the election management server to manipulate and corrupt the election management system database...some of these attacks could be carried out in a manner that is not subject to detection by audit, including review of the software logs."
[WDNC]: The next quote is from page four, and it strikes me as contradictory and dangerously hypocritical (sorry, Bowen).
Page 4
"...tampering with optical scan equipment...can be readily detected and corrected through hand counting of the optical scan paper ballots marked and directly verified by voters."
[WDNC]: First of all, this begs acceptance of the vulnerability. With various exploits described as difficult or impossible to detect, there is no justification for guaranteeing detection, let alone correction, with opscans. This puts an undue burden on the People whose rights are not being secured here, as a government is charged to do. Rules and regulations trying to promote public oversight must first clear the view with a more transparent method of counting votes.
Page 4
"...studies have shown that many voters do not review VVPAT [Voter Verified Paper Audit Trail] records and that test voters who do review VVPAT records do not detect many discrepancies that have been intentionally introduced..."
Page 5
"In order to provide accessible balloting to voters with disabilities in compliance with HAVA, jurisdictions may use no more than one AccuVote-TSx per polling place on Election Day."
[WDNC]: This refers to the touch screen models, not used in Humboldt. Registrars have been complaining about this and it is easy to understand why. They are either going to have massive logjams of voters all trying to vote on one machine where there used to be several or many, or they will urgently have to buy many new optical scanners, or they will have to resort to hand-counting.
Page 5
Requires "a 100% manual count of all votes cast on an AccuVote-TSx."
[WDNC]: This is astounding. Hand-counting 100% of the votes defeats the purpose of having the machine count them. My assumption is that Bowen is trying to discourage use of the touch screen machines, and so the hope would be for relatively few votes cast this way in need of being hand-counted.
Page 6
"Before any use in the February 5, 2008, Presidential primary election, jurisdictions must reinstall all software and firmware (including reformatting all hard disk drives and reinstalling the operating system where applicable) on all election management system servers and workstations, voting devices and hardware components of the voting system. Voting system application software must be reinstalled using the currently approved version obtained directly from the federal testing laboratory or the Secretary of State."
Page 7
"Within 30 days of the date of this document, the vendor must develop and submit to the Secretary of State for approval, a plan and procedures for timely identification of required security updates (e.g., operating system security patches, security software updates, etc), vendor testing of the updates, and secure distribution and application of vendor-approved security updates."
[WDNC]: Why should we have confidence in the machines in their newly approved form when the expectation is that more security flaws will be found? Avi Rubin makes a similar observation. This page also inexplicably allows for networking, though it does have the modem prohibition. It also makes reference to the two-person rule, which I believe goes back to the Feb. 2006 VSTAAB report, which recommends that optical scanners and memory cards never be in anyone's sole possession. This would seem to preclude sleepovers; however, page 9 seems to allow poll workers to take home machines prior to Election Day.
Page 8
"Upon request, members of the public must be permitted to observe and inspect, without physical contact, the integrity of all externally visible security seals used to secure voting equipment in a time and manner that does not interfere with the conduct of the election or the privacy of any voter."
[WDNC]: This looks great on paper, but we've seen Registrars plainly obstruct the access of citizens to their Democracy. This should carry a severe criminal penalty. Page 8 also requires posting of poll tapes, another apparent victory that in reality carries no weight. As the VCC learned last November, precinct poll tapes are useless when the County never provides, as a basis for comparison, raw precinct scanner data that has not been combined with absentee or other ballots not cast on the scanner in the precinct on Election Day.
Page 8
"Any post-election auditing requirements imposed as a condition of this certification shall be paid for by the vendor. Jurisdiction users are required to conduct the audits and the vendor is required to reimburse the jurisdiction."
[WDNC]: I'm getting near the end now. Just a few more stray notes, such as page 9 continuing the requirement (begun under McPherson?) that counties submit a post-election problem report to the SoS. Page 10 describes how to deal with machines whose security has been compromised, and also machines that have been rebooted or which have rebooted themselves. The bottom of page 11 and the top of page 12 is a bit troublesome. It attempts to put vendors on the hook for warrantying their equipment, but all it really does is say they have to stand by their word and repair equipment at their expense when they have been caught lying again. This is not nearly strict enough. Finally, page 12 expands the requirement for vendors to give the SoS a copy of the source code, in addition to placing a copy in escrow.
So, what have we learned about elections lately?
Permalink:
http://wedonotconsent.blogspot.com/2007/08/what-have-we-learned-about-elections.html
Labels: Carolyn Crnich, Debra Bowen, Diebold, Eureka Reporter, Eureka Times-Standard, hand-counting paper ballots, Hank Sims, The Journal, Voter Confidence Committee, VSTAAB
Friday, July 27, 2007
Bowen's Red Team Compromises Each Voting System Tested
The big announcements will be next Friday, August 3, when California Secretary of State Debra Bowen will reveal decisions on certifications for the various "election machines" used in CA. She is holding a public comment session in Sacramento on Monday, and today issued a press release called "Independent Computer Expert Teams Release Findings in Top-to-Bottom Voting System Review Ordered by Secretary of State Debra Bowen." On the Secretary's website, this page has links to the various reports within the overall review. There are separate reports on the testing of Sequoia, Hart Intercivic, and Diebold, which is the only one I've read so far because it applies here in Humboldt County. The headline of this blog post says it all. I think this report is going to be as important as such landmark documents as the Hursti Hacks and the Berkeley VSTAAB Report. Here are just a few assorted excerpts from the 17-page Diebold report:
page 10
Our study was constrained by the short time allowed. The vulnerabilities identified in this report should be regarded as a minimal set of vulnerabilities. (emphasis in original)
...
still page 10
The GEMS server is on a local area network (LAN) with other Diebold components, and this LAN is supposed to be isolated. However, even Diebold documentation reports that this requirement is not always met. Therefore, attacks via Ethernet against the GEMS server could reasonably be executed by personnel with physical access to the networking components (hubs/switches) in the isolated LAN or— if the Diebold LAN were intentionally or unintentionally connected to a public internet connection—by remote attackers.
a. Windows Vulnerabilities
The Red Team performed vulnerability scans against the GEMS server. The results identified multiple vulnerabilities; primarily, these vulnerabilities existed because the Windows 2000 server (configured by the Diebold technicians) was not properly patched [3]. After noting these vulnerabilities, the Red Team was able to download an exploit from a free public repository of well-known and documented exploits. This exploit gave the Red Team access of a Windows Administrator on the GEMS server.
[3] Even if the Red Team had been expected to make other system configuration changes in order to make the GEMS server consistent with Diebold configuration documents, it would have been highly unreasonable for Diebold to expect the Red Team to patch Windows 2000 Server.
Additionally, the Red Team noted that most standard Windows logging capabilities were either disabled or enabled in very limited states in the configuration provided by Diebold. This means that most malicious actions taken by attackers would not be traceable. More detail on the auditing configuration of this system is available in the report prepared by the 2007 TTBR Diebold Documentation Review Team.
Finally, the Red Team uncovered evidence that Diebold technicians created a remotely-accessible Windows account that, by default configuration (according to the Diebold documentation), can be accessed without the need to supply a password. There is evidence to suggest that this account is intended to be used by TSx units for dial-in access at the close of polls on Election Day, but the documentation for election officials never mentions this particular account by name. An attentive system administrator would notice the account. However, the responsibility should not be on election officials to discover remotely-accessible Windows accounts and act appropriately to ensure those accounts are not inappropriately accessed. Devices, as delivered to customers, should only have accounts that are well-documented and remote access that is necessary for the needs of the particular county. Undocumented remotely-accessible logins are contrary to generally-accepted security practices.
b. GEMS Databases
The Red Team used Windows Administrator access on the GEMS server to manipulate and corrupt GEMS databases. These actions could result in manipulated vote totals or in the inability to read previously-generated ballot definitions if no valid database backups were available (whether because the backups were not made or because the backups had also been corrupted). On election night, the inability to read results from the deployed TSx and AV-OS devices could render an election impossible to complete electronically. In this case, a hand count of paper ballots and VVPAT records would be the only option for deducing the intent of the voters who turned out on Election Day.
c. GEMS Audit Logs
The Red Team found methods for executing actions from within the GEMS server that could not be tracked by the GEMS audit logs, allowing malicious GEMS users to conceal actions they had taken while logged in. Additionally, the Red Team noted that one of the standard functions offered by GEMS is the ability for a GEMS administrative user to change the username of her account. This is a non-standard computing practice, and it could potentially be used by a rogue administrator to implicate another GEMS user (i.e. other elections personnel).
...
page 12
2. GEMS Server Networking Components
Using information gained from access obtained as the Windows Administrator user, the Red Team was able to guess the authentication credentials for the networking hardware supplied by Diebold, and gain root access on these devices. These root accesses would provide sufficient access for an attacker to manipulate every setting on the networking devices and on the server. Additionally, the Red Team was able to use this access on the GEMS server to install the drivers for a USB wireless dongle. This small device was then planted on the back of the server, ensuring remote access to the GEMS server even
3 Precinct Count AV-OS
The Red Team was able to verify the findings of some previous studies on the AV-OS unit; the impact of these was to alter vote totals in order to change the vote results on that machine.
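The GEMS audit log findings quoted above (actions that the log cannot track, and an administrator able to rename her own account and so implicate another user) come down to two design defects: entries are attributed by a mutable username, and nothing binds entries to each other or to a key the host administrator does not hold. The following is an added example, not code from the TTBR reports or from Diebold, of the kind of log that closes both gaps: entries are keyed by an immutable principal id, each entry's tag is an HMAC over its own fields plus the previous tag (a hash chain), and the key is assumed to be held off the tabulator host by the auditor. The scenario in `demo()` is constructed; `AuditLog`, the field names and the key are all assumptions made for illustration. It also addresses the page-3 point from the certification document that some attacks are "not subject to detection by audit, including review of the software logs."

```python
import hashlib
import hmac
import json


class AuditLog:
    """Append-only, hash-chained audit log keyed by immutable principal ids.

    tag_i = HMAC(key, canonical_json(fields_i) || tag_{i-1}); editing, removing
    or reordering any earlier entry therefore invalidates every later tag.
    The key is assumed to live off the tabulator host (with the auditor), so a
    host administrator can corrupt the log but cannot re-sign it.
    """

    GENESIS = "audit-log-genesis"

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []      # only ever appended to
        self.principals = {}   # pid -> current display name

    def _tag(self, fields: dict, prev_tag: str) -> str:
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, (canonical + prev_tag).encode(), hashlib.sha256).hexdigest()

    def _append(self, fields: dict) -> dict:
        prev_tag = self.entries[-1]["tag"] if self.entries else self.GENESIS
        fields = dict(fields, seq=len(self.entries))
        entry = dict(fields, tag=self._tag(fields, prev_tag))
        self.entries.append(entry)
        return entry

    def add_principal(self, pid: int, name: str) -> dict:
        self.principals[pid] = name
        return self._append({"pid": pid, "action": "create_user", "detail": name})

    def record(self, pid: int, action: str, detail: str) -> dict:
        return self._append({"pid": pid, "action": action, "detail": detail})

    def rename(self, pid: int, new_name: str) -> dict:
        # A rename is itself an audited event; earlier entries keep their pid,
        # so an administrator cannot re-label past actions as someone else's.
        old = self.principals[pid]
        self.principals[pid] = new_name
        return self._append({"pid": pid, "action": "rename_user", "detail": old + "->" + new_name})

    def attribution(self, seq: int) -> tuple:
        """(pid, name at the time of entry seq, current name), by replaying the log."""
        names = {}
        for e in self.entries[: seq + 1]:
            if e["action"] == "create_user":
                names[e["pid"]] = e["detail"]
            elif e["action"] == "rename_user":
                names[e["pid"]] = e["detail"].split("->", 1)[1]
        pid = self.entries[seq]["pid"]
        return pid, names[pid], self.principals[pid]

    def verify(self, expected_last_tag=None) -> tuple:
        """(ok, first_bad_seq). Pass the tag last exported off-host to also
        catch truncation, which an unanchored chain cannot detect."""
        prev_tag = self.GENESIS
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "tag"}
            if fields.get("seq") != i or not hmac.compare_digest(e["tag"], self._tag(fields, prev_tag)):
                return False, i
            prev_tag = e["tag"]
        if expected_last_tag is not None and not hmac.compare_digest(prev_tag, expected_last_tag):
            return False, len(self.entries)
        return True, None


def demo() -> dict:
    """Constructed scenario (not from the TTBR reports): an administrator deletes
    results, renames herself, and a host-level attacker then edits the log."""
    key = b"held-by-the-auditor-not-the-gems-host"   # assumption: off-host key
    log = AuditLog(key)
    log.add_principal(1, "alice")                   # seq 0
    log.add_principal(2, "bob")                     # seq 1
    log.record(1, "delete_results", "precinct 17")  # seq 2
    log.rename(1, "bob")                            # seq 3: try to blame bob
    checkpoint = log.entries[-1]["tag"]             # exported off-host here

    out = {"attribution": log.attribution(2),       # (1, 'alice', 'bob')
           "intact": log.verify(checkpoint)}        # (True, None)

    log.entries[2]["detail"] = "routine backup"     # edit the entry in place
    out["edited"] = log.verify(checkpoint)          # (False, 2)
    log.entries[2]["detail"] = "precinct 17"

    removed = log.entries.pop(2)                    # delete the entry outright
    out["removed"] = log.verify(checkpoint)         # (False, 2)
    log.entries.insert(2, removed)

    log.entries.pop()                               # truncate the tail
    out["truncated_chain_only"] = log.verify()               # (True, None)
    out["truncated_vs_checkpoint"] = log.verify(checkpoint)  # (False, 3)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The last two results are the caveat a practitioner should keep in mind: a chain on its own proves nothing about entries that were simply cut off the end, so the current tag has to be exported regularly to somewhere the host administrator cannot reach, and verification has to compare against that exported value. None of this stops someone with Windows Administrator on the server from corrupting the log; it only makes the corruption visible, which is the property the Red Team found absent.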
Everything about GEMS and the AV-OS applies to Humboldt County. There are a few items worth noting for the TSx touch screen machines used in other parts of the state.
page 12
4. TSx
a. TSx: Physical Security
The Red Team was able to violate the physical security of every aspect of the TSx unit, using only tools that could be found in a typical office. This guaranteed the access necessary to execute physical and electronic attacks.
b. TSx: Malware
The team verified previous findings regarding multiple avenues for overwriting system firmware and software as well as for the introduction of malware that would affect the current software. These avenues, when exploited, are a platform for altering vote totals to potentially change the outcome of an election. They could also be leveraged to violate voter privacy or enact a denial of service on affected devices.
Of potentially greater concern, the introduction of malware into a TSx unit could spread virally into the GEMS server via format string errors in the GEMS software as identified by the team. TSx units use PCMCIA cards to store and transport election definitions and vote totals. When those vote totals are communicated back to the GEMS server (either by physical transfer of the PCMCIA card into a TSx unit connected directly to the server’s LAN or over a dial-in connection), an exploited TSx could virally infect the GEMS server. Future TSx and AV-OS units connected to the GEMS server could likewise be infected as ballot definition files are transferred via serial or Ethernet connection.
...
page 14
g. TSx: PCMCIA card
The Red Team verified the results of other studies, which found that modifications to the contents of the PCMCIA card could affect the accuracy of vote totals.
...
page 17
VI. Conclusions
Although the Red Team did not have time to finish exploits for all of the vulnerabilities we discovered, nor to provide a complete evaluation of the Diebold GEMS 1.18.24/AccuVote system, we were able to discover attacks for the Diebold system that could compromise the accuracy, secrecy, and availability of the voting systems and their auditing mechanisms. That is, the Red Team has developed exploits that – absent procedural mitigation strategies – can alter vote totals, violate the privacy of individual voters, make systems unavailable, and delete audit trails.
Well there you have it. Really nothing too surprising if you've been paying attention at all in the past several years. What is Bowen going to do? It seems unlikely she will compel the entire state to hand-count paper ballots, yet where is there room to compromise with the continued use of these so-called "election machines"?
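Two of the TSx findings quoted above share a root cause: the PCMCIA card carries vote totals that GEMS simply trusts, so editing the card changes the count, and the card's contents reach GEMS code paths (the format string errors) before anything has checked that they are well-formed. The following is an added example, not code from the TTBR reports or from Diebold, showing the order of operations that avoids both: the tabulator verifies a per-device MAC over the raw card bytes first, rejects the card if the MAC or the election identifier does not match, and only then parses the contents against a strict grammar that never echoes a rejected field back into a message. The card format, field names, per-device key and `load_card` / `sign_card` functions are all assumptions made for this illustration; the sample cards in `demo()` are constructed.

```python
import hashlib
import hmac
import re


class CardError(ValueError):
    """Raised for any card the tabulator must not count."""


# Constructed card format (an assumption, not the Diebold format):
#   v1|election=<id>|device=<id>
#   <contest>,<candidate>,<votes>   (one or more rows)
#   mac=<hex HMAC-SHA256 over everything above>
_HEADER = re.compile(r"^v1\|election=([A-Za-z0-9-]{1,32})\|device=([A-Za-z0-9-]{1,32})$")
_ROW = re.compile(r"^(\d{1,4}),(\d{1,4}),(\d{1,7})$")
_MAC = re.compile(r"^mac=([0-9a-f]{64})$")


def sign_card(body: str, key: bytes) -> str:
    """Device side: append an HMAC over the exact body bytes."""
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + "\nmac=" + tag


def load_card(blob: str, key: bytes, expected_election: str) -> dict:
    """Tabulator side: authenticate first, then parse with a strict grammar.

    The MAC is checked over the raw bytes before any field is interpreted, so
    unauthenticated content never reaches a parser or a formatting routine.
    Returns {"election": id, "device": id, (contest, candidate): votes, ...}.
    """
    try:
        blob.encode("ascii")
    except UnicodeEncodeError:
        raise CardError("non-ASCII content")
    if len(blob) > 65536:
        raise CardError("card too large")
    body, sep, mac_line = blob.rpartition("\n")
    m = _MAC.match(mac_line)
    if not sep or not m:
        raise CardError("missing MAC line")
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(m.group(1), expected):
        raise CardError("MAC mismatch")

    lines = body.split("\n")
    h = _HEADER.match(lines[0])
    if not h:
        raise CardError("bad header")
    election, device = h.groups()
    if election != expected_election:          # a genuine card from another election
        raise CardError("card is for a different election")

    totals = {"election": election, "device": device}
    for n, line in enumerate(lines[1:], start=2):
        r = _ROW.match(line)
        if not r:
            # Report the line number only; echoing the rejected text into a
            # message is exactly how untrusted bytes end up in a format string.
            raise CardError(f"line {n}: malformed row")
        contest, cand, votes = (int(x) for x in r.groups())
        if (contest, cand) in totals:
            raise CardError(f"line {n}: duplicate contest/candidate")
        totals[(contest, cand)] = votes
    return totals


def try_load(blob: str, key: bytes, election: str) -> str:
    try:
        load_card(blob, key, election)
        return "accepted"
    except CardError as e:
        return str(e)


def demo() -> dict:
    """Constructed cards exercising the checks; not data from any real election."""
    key = b"per-device-key-provisioned-at-logic-and-accuracy-test"   # assumption
    body = "v1|election=2008-02-05-primary|device=TSX-0042\n1,1,120\n1,2,98\n2,1,200"
    card = sign_card(body, key)
    out = {"good": load_card(card, key, "2008-02-05-primary")[(1, 1)]}        # 120
    # Vote total altered on the card, the attack the Red Team verified
    out["edited"] = try_load(card.replace("1,1,120", "1,1,620"), key, "2008-02-05-primary")
    # Hostile content (format directives in a field) with a bogus MAC: rejected unparsed
    out["hostile"] = try_load("v1|election=x|device=%n%n%n\n1,1,1\nmac=" + "0" * 64, key, "x")
    # Hostile content validly signed by a compromised device: still stopped by the grammar
    out["signed_hostile"] = try_load(sign_card("v1|election=x|device=TSX-1\n1,1,%n", key), key, "x")
    # A genuine card replayed into a different election
    out["replay"] = try_load(card, key, "2008-06-03-primary")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The caveat is in the fourth case: the MAC key lives on the voting device, so a TSx that has itself been compromised can sign whatever totals it likes. The card check defends the totals in transit between precinct and tabulator and keeps malformed data out of GEMS; it says nothing about whether the machine counted honestly, which is why the paper record and a hand count remain the only check on the device itself.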
By the way, San Francisco is one place that may already be closer to hand-counting than most people realize. Guest blogger Jane Allen will have that story very shortly.
Permalink:
http://wedonotconsent.blogspot.com/2007/07/bowens-red-team-compromises-each-voting.html
Labels: Berkeley, Debra Bowen, Diebold, Hart Intercivic, Hursti, Red Team, Sequoia, VSTAAB