May 9th, 2008
An interesting post about an exploit in some forum software causing medical harm to epileptics. That got me thinking about social networks generally as a security domain. As with voting, you have to understand the security environment before you can determine the security requirements. Users of new social networks have a wild array of choices, from reasonably well authenticated and community policed sites like LinkedIn to much more pseudonymous arenas such as IRC and ICQ.
The Off the Record tool from http://www.cypherpunks.ca/otr/ is a recommended example of a security utility for social network users. It enables a private conversation with another party, enforced by cryptographic means. From their site, the utility offers:
- Encryption
  - No one else can read your instant messages.
- Authentication
  - You are assured the correspondent is who you think it is.
- Deniability
  - The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
- Perfect forward secrecy
  - If you lose control of your private keys, no previous conversation is compromised.
Finally, it’s licensed under the LGPL so it is free for use.
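The deniability property above can look contradictory, so here is a simplified model of it, added as an illustration and not taken from the OTR code or protocol specification. It assumes messages are authenticated with a shared-key MAC and that a MAC key is published once it is retired; the `Channel` class and the random key rotation are hypothetical stand-ins for the real key agreement.

```python
import hashlib
import hmac
import secrets

def make_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def check_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(make_tag(key, message), tag)

class Channel:
    """Hypothetical shared state of the two parties: the live MAC key and retired keys."""
    def __init__(self):
        self.current = secrets.token_bytes(32)
        self.published = []          # retired keys, disclosed in the clear

    def send(self, message: bytes):
        return message, make_tag(self.current, message)

    def receive(self, message: bytes, tag: bytes) -> bool:
        return check_tag(self.current, message, tag)   # only the live key counts

    def rotate(self):
        self.published.append(self.current)
        self.current = secrets.token_bytes(32)  # assumption: stands in for fresh key agreement

def run_conversation():
    ch = Channel()
    msg, tag = ch.send(b"lunch at noon?")      # constructed sample message
    results = {
        # During the conversation the receiver gets authenticity and integrity.
        "receiver_accepts": ch.receive(msg, tag),
        "modified_rejected": not ch.receive(b"lunch at nine?", tag),
    }
    ch.rotate()                                # conversation moves on, old key is published
    old_key = ch.published[0]
    forged = b"text the sender never wrote"
    forged_tag = make_tag(old_key, forged)     # any observer can now do this
    # A logged transcript proves nothing: forged text verifies under the old key...
    results["forgery_valid_under_old_key"] = check_tag(old_key, forged, forged_tag)
    # ...but it cannot be injected into the live conversation.
    results["forgery_rejected_live"] = not ch.receive(forged, forged_tag)
    return results

if __name__ == "__main__":
    print(run_conversation())
```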
May 8th, 2008
I am an amateur gardener in my not-so-copious spare time, and this year I am attempting to train wisteria and honeysuckle vines onto some cords I have strung around the garden. This involves going out to all of the vines several times a week and gently moving the new growth towards the cord you want them to grow on, as well as pruning growth that just isn’t headed in the right direction.
Meanwhile, at my day job, we are having trouble filling a slot because we lack people with the proper certifications - a direct consequence of management decisions to focus solely on revenue with little to no investment in useful training. Training a workforce is like training a vine - it’s an ongoing process, and it has to be maintained for the more senior employees / older vines just like the entry level / new shoots.
Also meanwhile, another client, a business with over a hundred thousand employees and as many additional contractors, is asking their workforce to get trained on regulatory compliance by having us sign up and watch webcasts. This kind of approach is done with the hope that the people who actually need to comply with the regulations get the information they need, but I’m not sure it’s more cost-effective than targeting the training at those that need it.
Since I’ve been thinking about usability problems, especially where they relate to security engineering, I can carry the metaphor a step further. Administrators, employees, and customers are all users, and a system of any complexity requires all of those users to have decent initial training (introduction to the system), ongoing training (in the form of easy-to-navigate, complete and comprehensive documentation), an approachable technical support mechanism, and a mechanism for entering trouble tickets and/or bug reports.
And, um, that’s like training vines. Blah, the metaphor slipped away.
April 30th, 2008
Monday’s Supreme Court ruling reminds us that exploiting vulnerabilities in voting equipment is not the only way to manipulate an election. To say nothing of Bush v Gore.
April 30th, 2008
The contents of the report are good. It’s missing discussion of security and public trust in equipment, but I believe they will address that in the next phase.
April 29th, 2008
Released just now while I was writing the “awaiting press release” post. I will read it now and post my thoughts.
The release in full after the jump.
April 26th, 2008
Speaking of machines that handle money, a commenter on Slashdot reminded me of a graphic comparing gaming machines to voting machines. From the intro:
It’s easier to rig an electronic voting machine than a Las Vegas slot machine, says University of Pennsylvania visiting professor Steve Freeman. That’s because Vegas slots are better monitored and regulated than America’s voting machines, Freeman writes in a book out in July that argues, among other things, that President Bush may owe his 2004 win to an unfair vote count. We’ll wait to read his book before making a judgment about that. But Freeman has assembled comparisons that suggest Americans protect their vices more than they guard their rights, according to data he presented at an October meeting of the American Statistical Association in Philadelphia.
Not going to hotlink their image, so click the link.
April 26th, 2008
Interesting article on the costs of voting machines. A spokesman for Premier Election Systems (formerly Diebold Election Systems) is quoted saying:
“An ATM is significantly a more expensive device than a voting terminal…” said Riggall. “Were you to develop something that was as robust as an ATM, both in terms of the physical engineering of it and all aspects, clearly that would be something that the average jurisdiction cannot afford.”
Glass Box Voting was founded on the premise that that statement is not true.
The article also reminds us of the fun fact that Diebold Accuvote-TS machines can be opened with a standard minibar key.
I do not agree with the premise of the headline that money for improving voting machines has all gone to Iraq - our government has the resources to fund multiple priorities, and the integrity of the voting process seems to me to be an important priority. I agree with Ed Felten:
“It all depends what you compare it to,” said Felten. “If you compare the amount of money we spend actually administering the election versus the amount that’s spent trying to convince people to vote this way or that way, it looks pretty small. If you compare it against the importance of getting the outcome right, it also looks relatively small. So, to me, it’s an investment that we should be willing to make.”
Hat tip to infodiva and Slashdot. Also want to remind new readers of an old post: The difference between an ATM and a voting machine. Edit - oops, meant to link to Voting as a security problem.
Posted in Diebold, electronic voting, news, security | No Comments »
April 25th, 2008
The folks at verifiedvoting.org have a useful page that shows what voting systems are in place across the country. You can drill down to the county level, learn exactly what equipment is in use, and learn contact information for elections administrators.
Thanks to Brad Friedman for the link.
April 22nd, 2008
Ars Technica reports on difficulties with voting machines being used in today’s primary elections. A primary complaint is the failure of U.S. Rep. Rush Holt’s proposal to fund conversion of machines to include a paper trail. It failed in the House last week. I’m not sure why a 2/3 vote was required for it, but it fell 39 votes short of that measure. Voting was on party lines.
I am not sure why integrity of voting machines is a partisan issue. Can someone explain that to me?
As a counterpoint, Professor Michael Shamos of Carnegie Mellon calls paper trails (aka Voter Verified Paper Audit Trail or VVPAT) a red herring in an interview published yesterday. I tend to agree with him that paper does not prevent fraud, but my position is that a cryptographically protected electronic audit trail generated on a device whose security can be demonstrated, along with a VVPAT, provides redundancy and the separation of duties that a well-secured system requires. The electronic records can be used to audit and cross check the paper records, while also providing fast results, flexible ballots, and other characteristics that have made DREs popular in recent years.
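One way to picture the electronic audit trail cross-checked against paper, as an added sketch that is not code from any voting system or vendor. It assumes a MAC-chained record log with a device-held key; the function names, record layout and sample ballots are all constructed for illustration, and ballot-order secrecy is not addressed.

```python
import hashlib
import hmac
import json
from collections import Counter

GENESIS = "00" * 32  # "previous MAC" value for the first record

def _mac(key, seq, choice, prev):
    body = json.dumps({"seq": seq, "choice": choice, "prev": prev}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def append_record(log, key, choice):
    """Append a vote record whose MAC also covers the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "choice": choice, "prev": prev,
                "mac": _mac(key, seq, choice, prev)})

def first_bad_record(log, key):
    """Return the index of the first record that fails verification, else None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _mac(key, i, rec["choice"], prev)
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(expected, rec["mac"])):
            return i
        prev = rec["mac"]
    return None

def cross_check(log, key, paper_tally):
    """Audit the electronic log, then compare its tally with the paper count."""
    electronic = Counter(rec["choice"] for rec in log)
    mismatches = {c: (electronic[c], paper_tally.get(c, 0))
                  for c in sorted(set(electronic) | set(paper_tally))
                  if electronic[c] != paper_tally.get(c, 0)}
    return {"first_bad_record": first_bad_record(log, key), "mismatches": mismatches}

# Constructed sample: three ballots and a hand count of the paper records.
KEY = b"constructed-demo-key"
LOG = []
for vote in ["A", "B", "A"]:
    append_record(LOG, KEY, vote)
PAPER = {"A": 2, "B": 1}

if __name__ == "__main__":
    print(cross_check(LOG, KEY, PAPER))       # intact log, tallies agree
    print(cross_check(LOG[:-1], KEY, PAPER))  # truncated log: chain verifies, paper disagrees
```

The truncated case is the redundancy argument in miniature: dropping the last record leaves a chain that still verifies, and only the independent paper count exposes the missing ballot.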
April 10th, 2008
A New Jersey state judge has subpoenaed county clerks in six NJ counties to turn over voting machines. Brief AP story here. Sequoia Voting Systems, the vendor, plans to fight the subpoena. The plaintiff in the case plans to have the machines tested by voting system researcher Ed Felten. Here is his summary of the discrepancies.
Sequoia is pushing back, claiming that their trade secrets will be violated, but they probably object in particular to the choice of Felten (see here for a little bit of the history between Sequoia and Felten).
Voting systems should be available for public scrutiny and testing. The argument that the secrecy is mandatory to protect the company’s intellectual property is a fallacy and a smokescreen - a good IP lawyer should be able to design terms by which the design is transparent for independent testing purposes but not permitted to be used for commercial development. Such terms would not meet the full definition of Open Source as defined by the Open Source Initiative, but they would still enable a much greater level of transparency and scrutiny than is currently permitted. Of course, that’s probably why the existing vendors resist such an approach - because their systems cannot stand up to the scrutiny.