Archive for March, 2008

The Security Mindset

Thursday, March 27th, 2008

Bruce Schneier had an excellent post on his blog this week about the security mindset. Existing voting machines are not secure because the basic engineering mindset does not include the sneaky, adversarial attitude required to design a secure system: the habit of asking how a system can fail, or be made to fail, before shipping it. From the post:

The lack of a security mindset explains a lot of bad security out there: voting machines, electronic payment cards, medical devices, ID cards, internet protocols. The designers are so busy making these systems work that they don’t stop to notice how they might fail or be made to fail, and then how those failures might be exploited. Teaching designers a security mindset will go a long way toward making future technological systems more secure.

Wired on Ohio voting machines

Thursday, March 27th, 2008

Wired’s 27b-6 column on the Ohio voting machine story.

Ohio seized voting machines in a criminal probe

Tuesday, March 18th, 2008

The article.

Why would you possibly build a voting machine on which auditing could be disabled?

Sequoia threatens security researcher

Tuesday, March 18th, 2008

Ed Felten received an email from Sequoia Voting Systems warning him not to participate in an upcoming New Jersey system test.

Sender: Smith, Ed [address redacted]@sequoiavote.com
To: felten@cs.princeton.edu, appel@princeton.edu
Subject: Sequoia Advantage voting machines from New Jersey
Date: Fri, Mar 14, 2008 at 6:16 PM

Dear Professors Felten and Appel:

As you have likely read in the news media, certain New Jersey election officials have stated that they plan to send to you one or more Sequoia Advantage voting machines for analysis. I want to make you aware that if the County does so, it violates their established Sequoia licensing Agreement for use of the voting system. Sequoia has also retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property.

Very truly yours,
Edwin Smith
VP, Compliance/Quality/Certification
Sequoia Voting Systems

The difference between an ATM and a voting machine

Tuesday, March 18th, 2008

I’ve said it before, but Techdirt says it nicely as well:

…banks have much stronger incentives to get things right than election officials. If a criminal succeeds in knocking off an ATM machine, the bank that owns that ATM machine stands to lose a lot of money.

The article was a response to a post last month on voting machines at the University of Chicago’s law school faculty blog.

Update: Greetings to any slashdot readers that might’ve followed my link, but sadly I aimed at the wrong post.  This is the article I meant.

On the other hand

Wednesday, March 12th, 2008

Let no one say Prime III isn’t patriotic:

Schneier vs. Brin on Transparency

Wednesday, March 12th, 2008

I referenced David Brin’s book The Transparent Society earlier, and finally published a link to Bruce Schneier’s writing on voting technology last night. They have recently had a back and forth on some very interesting topics.

In The Transparent Society, Brin observes that the powers of state and corporate surveillance are growing exponentially, and that citizens should be able to have similar levels of scrutiny into the practices of governments and companies. I don’t do his overall thesis justice; go buy the book to learn more.

Bruce Schneier

Bruce Schneier’s article, The Myth of the Transparent Society (also posted on his blog), points out that mutual transparency fails to protect citizens because of the power imbalance between individuals and institutions. The marginal value of each information transaction benefits the institutions more, because it can be correlated to their already huge information store.

Brin’s response builds on Schneier’s critique in an interesting way.

Bruce Schneier’s recent column on Wired.com pokes a short-sharp critique toward my 1997 book, The Transparent Society, and its argument that freedom is best served when all citizens have enough knowledge to hold each other reciprocally accountable.

Schneier, a noted commentator on internet security, begins by positing, almost as an axiom, that any civilization based upon general, reciprocal openness would be a major departure from our present social contract. Something “different than before.”

Alas, that premise is false right out the gate. For we already live in the openness experiment, and have for 200 years. It is called the Enlightenment — with “light” both a core word and a key concept in our turnabout from 4,000 years of feudalism. All of the great enlightenment arenas — markets, science and democracy — flourish in direct proportion to how much their players (consumers, scientists and voters) know, in order to make good decisions. To whatever extent these arenas get clogged by secrecy, they fail.

An interesting back and forth. I still need to find the time to blog more about transparency with relation to voting machines and voting administration.

Not particularly funny

Wednesday, March 12th, 2008

Found at Marco Ramilli’s blog.

Bruce Schneier on voting

Wednesday, March 12th, 2008

I have read Bruce Schneier’s blog for years; it’s an excellent source of information about cryptography and security. I appreciate his Snake Oil Alerts in particular, because they educate you on what to look out for. A common claim by vendors, for example, is that 2048-bit RSA keys are somehow “better” than 256-bit AES keys, which just isn’t the case: key lengths are only comparable within one algorithm. Factoring an RSA modulus is far cheaper than brute-forcing a key of the same length, so a 2048-bit RSA modulus is rated at roughly 112 bits of security (the NIST SP 800-57 equivalence), while a 256-bit AES key offers 256.

On the topic of voting, I would start with The Problem With Electronic Voting Machines.
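To make the key-length comparison above concrete, here is an added example (not from the original post) that estimates the security level of an RSA modulus from the asymptotic cost of the general number field sieve and sets it beside the brute-force cost of a symmetric key. The estimate drops the o(1) term of the GNFS running time, so it tracks, but does not exactly reproduce, NIST’s equivalence table; the 256-bit step size in the search is my own choice.

```python
import math

# Added example, not from the original post. Heuristic estimate of the bits
# of security of an RSA modulus, from the GNFS cost L_n[1/3, (64/9)^(1/3)]
# with the o(1) term dropped. NIST SP 800-57 rates 2048 -> 112 bits,
# 3072 -> 128 bits and 15360 -> 256 bits; this formula lands near those.

GNFS_CONSTANT = (64 / 9) ** (1 / 3)   # c in L_n[1/3, c] for the number field sieve


def rsa_security_bits(modulus_bits: int) -> float:
    """log2 of the estimated work to factor a modulus of the given size."""
    ln_n = modulus_bits * math.log(2)              # natural log of the modulus
    ln_work = GNFS_CONSTANT * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)                    # convert to bits


def symmetric_security_bits(key_bits: int) -> int:
    """Brute force over the key space is the best generic attack on a block
    cipher such as AES, so the security level equals the key length."""
    return key_bits


def rsa_size_for_security(target_bits: int, step: int = 256) -> int:
    """Smallest modulus size (in 'step'-bit increments, an assumption of this
    example) whose estimated security reaches target_bits."""
    size = 512
    while rsa_security_bits(size) < target_bits:
        size += step
    return size


def stronger(rsa_modulus_bits: int, aes_key_bits: int) -> str:
    """Name the stronger of the two keys by estimated security level."""
    rsa = rsa_security_bits(rsa_modulus_bits)
    aes = symmetric_security_bits(aes_key_bits)
    return "RSA" if rsa > aes else "AES"


if __name__ == "__main__":
    for bits in (1024, 2048, 3072, 4096, 15360):
        print(f"RSA-{bits:5d}: ~{rsa_security_bits(bits):5.1f} bits of security")
    for key in (128, 256):
        print(f"AES-{key}: {symmetric_security_bits(key)} bits; "
              f"needs RSA-{rsa_size_for_security(key)} to match")
    print("2048-bit RSA vs 256-bit AES, stronger is:", stronger(2048, 256))
```

The point the numbers make: the vendor’s “2048 is bigger than 256” comparison is meaningless across algorithms, and an RSA modulus has to grow to well over ten thousand bits before it matches a 256-bit AES key.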

Prime III

Wednesday, March 12th, 2008

Prime III is a system developed at Auburn U. The reviewer says:

At first sight the system appears really well designed. The voter may vote by touch screen and/or by voice in a very intuitive way. If the touch screen has been compromised, the voter uses the microphone to express her will. No one can understand what the voter is doing, because Prime III randomly links the candidates’ names with the number of BEEPs that the voter may use to cast the ballot. So, for example, if two voters at the same time want to vote for the same candidate, they will speak different sequences of BEEPs. Moreover, Prime III utilizes a dynamic imposter file organization which dynamically generates random signed ballot files into a complex folder system, where only one is the correct one. The real vote folder is determined by an input key set by the election administration official. The whole system runs on SELinux, which takes the log information if necessary.

I will need more information to determine how secure this really is. The Prime III page (click “visual examples”) says, “Each file, whether real or an imposter, is encrypted with Triple Data Encryption Standard (Triple-DES), Advanced Encryption Standard (AES) or other encryption algorithms. The encryption method used for the imposter files are pre-assigned and may vary from precinct to precinct.”

Use of encryption is dandy, but the above statement tells us nothing about how this encryption is achieved or what it actually protects. I need more information on their key management practices before I buy the claim that encryption does something in their system. It sounds like their system requires long-term symmetric keys, which must be retained for the whole time the system is operating, and whose compromise would have terrible consequences.

The randomized folder names strike me as security by obscurity, which is worthless against a determined attacker.

I wonder how the dummy votes are generated - if those are random, can the real votes be distinguished from the random ones by statistical analysis of the contents?
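One concrete form that question can take is a distinguisher that never decrypts anything. The following is an added example, not from the original post and not a description of Prime III’s actual design: it builds a hypothetical ballot store in which real ballots and imposter files are both randomly named and both encrypted, but with different block ciphers (AES for real ballots, Triple-DES for imposters, an assumption made here only because the Prime III page says the imposter files’ cipher is pre-assigned separately). The ciphertext bytes are stand-ins; only their length matters, because PKCS#7 padding rounds ciphertext up to the cipher’s block size. A `hardened` flag shows the fix: one cipher and a fixed-size record for every file.

```python
import random

# Added example, not Prime III's code. Hypothetical store of encrypted ballot
# files where real and imposter files differ in block cipher (assumption).
AES_BLOCK, TDES_BLOCK = 16, 8


def padded_len(plaintext_len: int, block: int) -> int:
    """Ciphertext length under PKCS#7 padding, which always adds 1..block bytes."""
    return (plaintext_len // block + 1) * block


def random_blob(rng: random.Random, length: int) -> bytes:
    """Stand-in for ciphertext (constructed data): only its length is used."""
    return bytes(rng.getrandbits(8) for _ in range(length))


def make_store(n_real: int, n_imposter: int, seed: int = 1,
               hardened: bool = False) -> dict:
    """Map random file name -> (label, ciphertext).

    Unhardened: variable-length ballot text, AES for real files, 3DES for
    imposters. Hardened: every file is a fixed 256-byte record under AES,
    so length carries no information about which files are real.
    """
    rng = random.Random(seed)
    store = {}
    for label, count, block in (("real", n_real, AES_BLOCK),
                                ("imposter", n_imposter, TDES_BLOCK)):
        for _ in range(count):
            name = "%032x" % rng.getrandbits(128)      # random folder/file name
            if hardened:
                length = padded_len(256, AES_BLOCK)
            else:
                length = padded_len(rng.randint(40, 200), block)
            store[name] = (label, random_blob(rng, length))
    return store


def classify(ciphertext: bytes) -> str:
    """A length of 8 mod 16 cannot come from a 16-byte-block cipher, so the
    file is provably not an AES file. Any other length is ambiguous."""
    return "imposter" if len(ciphertext) % AES_BLOCK == TDES_BLOCK else "unknown"


def evaluate(store: dict) -> dict:
    """Count how many files of each label the length test flags as imposters."""
    flagged = {"real": 0, "imposter": 0}
    for label, blob in store.values():
        if classify(blob) == "imposter":
            flagged[label] += 1
    return {"real_files_misflagged": flagged["real"],
            "imposters_identified": flagged["imposter"]}


if __name__ == "__main__":
    print("mixed ciphers:", evaluate(make_store(50, 450)))
    print("hardened:     ", evaluate(make_store(50, 450, hardened=True)))
```

With mixed ciphers, roughly half of the imposter files are identified with no false positives, and the remaining “unknown” set is already a much smaller haystack around the real ballots; with a single cipher and fixed-size records, the length test flags nothing. The same reasoning applies to any per-file metadata that differs between the two populations, such as creation timestamps.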

Their process of “voter verifiable video audit trails” as a way of achieving software independence is interesting. I hope their video logs are hard to alter (displaying the current time on the UI, so that it appears in the recording, would make replayed footage detectable, for instance).