In other news, Diebold admits their machines lose votes

August 22nd, 2008

Slashdot:

“Premier Election Solutions (a subsidiary of Diebold) has acknowledged a flaw that causes the systems to lose votes. It cannot be patched before the election and the machines are used in half of Ohio’s counties, but they are issuing guidelines for avoiding the problem that presumably contain a work-around. While Diebold initially blamed anti-virus software for the glitch, they have now discovered that the bug was their own fault for not recording votes to memory when the cards are uploaded in ‘certain circumstances’ — something their initial analysis missed. It would be nice to hope that Ohio poll workers would be tech-savvy enough to make this a non-issue, but they had poll worker shortages last year and might need tech-savvy people to volunteer.”

Open Source does not equal secure, chapter++

August 22nd, 2008

Some reminders of security holes in open source software:

Debian-Ubuntu Key Generation Flaw of 2006-2008

That was a huge flaw that went unnoticed and introduced serious vulnerabilities into countless systems.  The code was sitting there for everyone to see, but nobody looked there and understood what it meant for almost two years (don’t quote me on the timeline).

OpenSSL

OpenSSL is generally regarded as secure, but it has had to patch a number of security vulnerabilities over the years.  Note this case: this is code that has always been open, was developed by cryptographers, and (in the form of the OpenSSL FIPS Object Module) has been FIPS 140-2 validated.

DNS

Dan Kaminsky’s DNS flaw is a case of a protocol flaw.  Correct implementations of the protocol had a catastrophic security flaw: the only thing standing between a resolver and a forged answer was a 16-bit transaction ID (and, in many resolvers, a fixed source port), which an attacker can guess at speed.  I want to highlight that Kaminsky did an excellent job of responding to the bug when it was discovered. I recommend you read Kaminsky’s thoughts, written after the flaw had run its course.

Open Source does not equal secure, chapter 437

August 22nd, 2008

The Open Voting Consortium is a voting system vendor that promotes itself as a voting integrity advocacy group.  Their “About OVC” link states:

The Open Voting Consortium is a not-for-profit organization dedicated to the development, maintenance, and delivery of trustable and open voting systems for use in public elections.

OVC is actively seeking “members” (people to send them money) to fund the development and promotion of an open source voting system.  Their product is currently a software prototype. What catches my eye is the text at the end of their product brochure:

mail a check made payable to the Open Voting Consortium to

No, not that.  This text:

ALL MACHINES USE OPEN SOURCE SOFTWARE (Everyone can see how all machines are programmed.)

There are so many things wrong with that statement.  Believe me, I’ve worked in the area of information assurance for years, in cases where the inner details of the products are made fully available for inspection, and just being able to look is not the same as being convinced that what you see works properly or that it does not have any logic flaws that subvert its security objectives.

Their May 2008 Demo Disk (550 MB) is online, go download it, examine it, and decide whether it’s secure or not.  Think about what “secure” really means in this context.  I’m not talking about whether the evil vendor put malicious code in there to change your vote for Blueberries into a vote for Onions.  Instead consider the voting machine that very scrupulously records everything you say, but does nothing to protect the voting records at rest on the system.  Or a system that can’t tell if it’s got good or bad code running on it.

The assertion “everyone can see how all machines are programmed” bugs me.  Yes, I can download the code from online, but how do I know, when I come in to vote, that the code I reviewed online is what is running on the machine before me?  What testing has been done on the system and what were the results?

More importantly, is my grandmother going to learn Linux and Python in order to perform a code review, and check the BIOS version of the machine when they boot it on election day?  Even if I had a living grandmother, the idea would be ludicrous.  The right to look at the code does not equal the skills to look at the code.

Many voting integrity advocates call for voter verifiable paper trails as the solution to concerns about software security and quality, but printers and optical scanners are tools, not a panacea.  Remember that electoral fraud has been committed with paper for far longer than it has been possible to commit it with computers.

Okay, with all this in mind, please go read this interview with Alan Dechert of OVC and someone from the Okori Group.

Dechert said that the Open Voting Consortium system would allow for unique read-only discs to be burned for each machine within each precinct and ward. The local poll worker would load the bootable disc into a special computer and printer hybrid that is yet to be designed.

A lot of future tense, it’s worth noting.  But that’s not my point.

Dechert says his system is better because it doesn’t use fancy cryptography, it uses a simple chain of custody.

Chain of custody.  That means “the machines and all election data are handled by a series of people that we trust.”  If the assumption that all of those people are trustworthy turns out to be incorrect, all bets are unfortunately off.  Software can be replaced with malicious images, viruses that alter vote totals can be deployed on the system, and vote totals can be modified or (even easier) destroyed.

My friend at Punchscan flowcharted it thus:

Without a hardware platform as a secure platform, OVC’s model does not satisfy me as being sufficiently robust or secure to safely use in the administration of a major public election.  These are my gut feelings as a security consultant and dabbler in voting system security, but take them with a grain of salt since I am also a competitor.

Like I said - analyse it yourself, who knows what you might find.

Pattern Voting

June 19th, 2008

Go read Rick Carback’s article How Secret Is Your Secret Ballot?.

The Debian/Ubuntu key generation flaw

May 19th, 2008

It’s all in the news these days, the Debian distribution used a version of OpenSSL with a key generation flaw.

This bug raises an interesting can of worms that I’m still trying to figure out.

Debian/Ubuntu servers built since 2006 need to be rekeyed.  That is a nontrivial thing, and it is not going to happen in a lot of cases.  HTTPS and SSH impersonation is the first thing that leaps to mind if this vulnerability is exploited - those are very serious problems given how many systems are using those protocols for trusted path and authentication purposes.

Also, any servers relying on keys that were generated on vulnerable machines need to stop trusting those keys.  How many systems have good notes in place on where keys were generated?

It is worth noting that defense in depth works.  I have a couple of Ubuntu machines in this office right now that are probably vulnerable, but they are stored offline in a physically isolated location.  Once they are brought back online, patching the vulnerability will be the first order of business.  Fortunately Linux package management makes the patching process almost trivial, but it can (hypothetically) throw a system out of an evaluated configuration or a FIPS approved mode of operation, for example.  Nevertheless patching and rekeying is very much the correct action.
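The reason this bug is so bad, and the reason the question of “where was this key generated?” has a practical answer even without good notes, is that the broken generator had almost no entropy left. Debian’s patch removed the calls that mixed the seed buffer into OpenSSL’s RNG, so the only input that still varied between runs was the process ID, and each key type, size and architecture could produce at most 32767 distinct keys. The following is an added example, not code from this page, from Debian or from OpenSSL: it models that collapsed generator with a PID-keyed hash standing in for real key generation, precomputes the whole key space the way the Debian blacklist packages did, and uses that list to audit a constructed set of fingerprints. The `toy-openssl-rng` label, the 16-hex-character fingerprint and the sample fleet are all assumptions made for the demo.

```python
"""Toy model of the Debian OpenSSL bug and the blacklist check used to find its keys.

Added example, not code from the page or from Debian/OpenSSL. The real bug removed
the entropy inputs from OpenSSL's RNG, leaving the process ID as the only varying
input, so each (key type, key size, architecture) had at most 32767 possible keys.
Here the "key" is a SHA-256 digest derived from the PID, standing in for RSA/DSA
generation; the fingerprint is a truncated hash of that key material."""
import hashlib
import secrets

PID_MAX = 32768  # Linux pid_max at the time: PIDs 1..32767 are the whole key space


def broken_keygen(pid):
    """Model of the Debian-era generator: only the PID varies between runs."""
    return hashlib.sha256(b"toy-openssl-rng:" + pid.to_bytes(2, "big")).digest()


def good_keygen():
    """Model of a correctly seeded generator: fresh OS entropy every time."""
    return secrets.token_bytes(32)


def fingerprint(key_material):
    """Truncated hash of the key, playing the role of what ssh-keygen -l prints."""
    return hashlib.sha256(key_material).hexdigest()[:16]


def weak_fingerprint_blacklist():
    """Enumerate every key the broken generator can ever emit.

    This is the idea behind Debian's openssl-blacklist / ssh-vulnkey: because the
    key space is tiny, you do not need notes on where a key was generated; you
    precompute all of them and look each deployed key up."""
    return {fingerprint(broken_keygen(pid)) for pid in range(1, PID_MAX)}


def audit(fingerprints, blacklist):
    """Return the fingerprints that must be replaced (and distrusted everywhere)."""
    return [fp for fp in fingerprints if fp in blacklist]


def distinct_keys(n_attempts):
    """Generate n keys from the broken RNG under random PIDs; count distinct results."""
    seen = {broken_keygen(secrets.randbelow(PID_MAX - 1) + 1) for _ in range(n_attempts)}
    return len(seen)


def demo():
    # Constructed fleet: five hosts keyed on a patched box, three keyed during the
    # vulnerable window. In practice you would feed in `ssh-keygen -l` output or
    # the public halves of TLS certificates, and run the check on every host that
    # *trusts* a key as well as on the host that generated it.
    healthy = [fingerprint(good_keygen()) for _ in range(5)]
    exposed = [fingerprint(broken_keygen(pid)) for pid in (1234, 4321, 31337)]
    blacklist = weak_fingerprint_blacklist()
    return audit(healthy + exposed, blacklist), exposed


if __name__ == "__main__":
    flagged, exposed = demo()
    print(f"{len(flagged)} of 8 keys are on the blacklist: {flagged}")
    print(f"100000 key generations yielded only {distinct_keys(100000)} distinct keys")
```

The check is cheap precisely because the bug is catastrophic: a 32767-entry table is trivial to build and to ship, and scanning `authorized_keys`, `known_hosts` and certificate stores against it is how the affected keys were actually hunted down. A key that is not on the list still has to be regenerated if you know it came from a vulnerable box, since this model only catches keys whose whole randomness came from the PID.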

Security requirements in social networks

May 9th, 2008

An interesting post describes an exploit in some forum software that caused medical harm to epileptics. That got me thinking about social networks generally as a security domain. As with voting, you have to understand the security environment before you can determine the security requirements. Users of new social networks have a wild array of choices, from reasonably well authenticated and community policed sites like LinkedIn to much more pseudonymous arenas such as IRC and ICQ.

The Off the Record tool from http://www.cypherpunks.ca/otr/ is a recommended example of a security utility for social network users.  It enables a private conversation with another party, enforced by cryptographic means. From their site, the utility offers:

Encryption
No one else can read your instant messages.
Authentication
You are assured the correspondent is who you think it is.
Deniability
The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Perfect forward secrecy
If you lose control of your private keys, no previous conversation is compromised.

Finally, it’s licensed under the LGPL, so it is free to use.
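The deniability and forward secrecy items above are the two that surprise people, because they pull in opposite directions from what a signature gives you. What follows is an added example, not OTR’s own protocol or code: a toy message layer that shows the mechanics behind those two properties. Each round uses a fresh Diffie-Hellman exponent (the “ratchet”), messages are authenticated with an HMAC under a key both sides share, and once a MAC key is retired it is revealed, so anyone can forge a tag for an old message and a tag proves nothing to a third party. Assumptions: a 127-bit Mersenne prime stands in for OTR’s real 1536-bit group and is useless for actual security, a SHA-256 counter keystream stands in for AES-CTR, and the long-term identity keys and signed key exchange that give OTR its authentication property are left out entirely.

```python
"""Toy model of an OTR-style message layer: ephemeral DH per round, MAC-based
authentication, MAC-key revelation (deniability) and key erasure (forward secrecy).

Added example; not OTR's protocol or code. Assumptions: the 127-bit prime P is a
toy group (insecure), SHA-256 in counter mode stands in for AES-CTR, and the
signed long-term key exchange that authenticates the peers is omitted."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy prime (assumption), NOT a real DH group
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_keys(shared):
    raw = shared.to_bytes(16, "big")
    enc = hashlib.sha256(b"toy-otr-enc" + raw).digest()
    mac = hashlib.sha256(b"toy-otr-mac" + raw).digest()
    return enc, mac


def keystream(enc_key, length):
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def tag(mac_key, ct):
    return hmac.new(mac_key, ct, hashlib.sha256).digest()


def tag_valid(mac_key, ct, t):
    return hmac.compare_digest(tag(mac_key, ct), t)


def seal(enc_key, mac_key, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, len(plaintext))))
    return ct, tag(mac_key, ct)


def open_(enc_key, mac_key, ct, t):
    """Return the plaintext, or None if the tag does not verify under mac_key."""
    if not tag_valid(mac_key, ct, t):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, len(ct))))


class Peer:
    def __init__(self):
        self.priv = self.pub = None
        self.keys = None
        self.ratchet()

    def ratchet(self):
        # Fresh exponent; the old one is overwritten, so seizing this peer's state
        # later cannot reproduce earlier shared secrets.
        self.priv, self.pub = dh_keypair()
        self.keys = None

    def agree(self, peer_pub):
        self.keys = derive_keys(pow(peer_pub, self.priv, P))


def run_two_rounds(msg1, msg2):
    """Alice sends two messages to Bob, ratcheting between them.

    Returns (what Bob got in round 1, in round 2, what Bob's *current* keys recover
    from the round-1 ciphertext, the round-1 MAC key Alice reveals, round-1 ct)."""
    alice, bob = Peer(), Peer()
    alice.agree(bob.pub)
    bob.agree(alice.pub)
    ct1, t1 = seal(*alice.keys, msg1)
    got1 = open_(*bob.keys, ct1, t1)
    revealed_mac = alice.keys[1]  # OTR publishes MAC keys once they are retired
    alice.ratchet()
    bob.ratchet()
    alice.agree(bob.pub)
    bob.agree(alice.pub)
    ct2, t2 = seal(*alice.keys, msg2)
    got2 = open_(*bob.keys, ct2, t2)
    stale = open_(*bob.keys, ct1, t1)  # forward secrecy: current state yields nothing
    return got1, got2, stale, revealed_mac, ct1


def forge_after_the_fact(revealed_mac, ct):
    """A third party holding the revealed MAC key produces a tag that verifies,
    so a tag can never be evidence of who wrote a message."""
    return tag(revealed_mac, ct)
```

Run `run_two_rounds(b"...", b"...")` and note two things: the round-2 keys return `None` for the round-1 ciphertext, which is the forward secrecy claim in miniature (the exponent that would decrypt it no longer exists anywhere), and `forge_after_the_fact` yields a tag that `tag_valid` accepts, which is the deniability claim. During the round Bob still knows the message is genuine, because at that moment only he and Alice hold the MAC key; the guarantee is to the correspondent, not to a judge.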

On training vines and users

May 8th, 2008

I am an amateur gardener in my not-so-copious spare time, and this year I am attempting to train wisteria and honeysuckle vines onto some cords I have strung around the garden. This involves going out to all of the vines several times a week and gently moving the new growth towards the cord you want them to grow on, as well as pruning growth that just isn’t headed in the right direction.

Meanwhile, at my day job, we are having trouble filling a slot because we lack people with the proper certifications - a direct consequence of management decisions to focus solely on revenue with little to no investment in useful training. Training a workforce is like training a vine - it’s an ongoing process, and it has to be maintained for the more senior employees / older vines just like the entry level / new shoots.

Also meanwhile, another client - a business with over a hundred thousand employees and as many additional contractors, is asking their workforce to get trained on regulatory compliance, by having us sign up and watch webcasts. This kind of approach is done with the hope that the people who actually need to comply with the regulations get the information they need, but I’m not sure it’s more cost-effective than targeting the training at those that need it.

Since I’ve been thinking about usability problems, especially where it relates to security engineering, I can carry the metaphor a step further. Administrators, employees, and customers are all users, and a system of any complexity requires all of those users to have decent initial training (introduction to the system), ongoing training (in the form of easy to navigate, complete and comprehensive documentation), an approachable technical support mechanism, and a mechanism for entering trouble tickets and/or bug reports.

And, um, that’s like training vines. Blah, the metaphor slipped away.

Supreme Court allows Voter ID laws

April 30th, 2008

Monday’s Supreme Court ruling reminds us that exploiting vulnerabilities in voting equipment is not the only way to manipulate an election.   To say nothing of Bush v Gore.

Thoughts on AG’s report

April 30th, 2008

The contents of the report are good.  It’s missing discussion of security and public trust in equipment, but I believe they will address that in the next phase.

Maryland AG Voting Irregularities Report

April 29th, 2008

Released just now while I was writing the “awaiting press release” post. I will read it now and post my thoughts.

The release in full after the jump.
