Security in Digital Voting System

Data and Network Security Report

UWS

Madlena Pavlova B00251633

4/19/2016


Contents

Introduction ... 2

1. Brief overview of Security Mindset ... 2

2. Security Requirements ... 2

2.1. Ballot secrecy ... 3

2.2. Vote authentications ... 3

2.3. Enfranchisement ... 4

2.4. Availability ... 4

2.5. Tension in the system ... 4

3. Voting security procedure ... 5

3.1. Voting registration ... 5

3.1.1. Validating of data authentication ... 6

3.1.2. Tension between security and privacy ... 6

3.1.3. Commercial reuse of the data ... 7

3.1.4. Who can modify and change the data ... 8

3.1.5. Voter Authentication ... 10

3.2. Voting technologies ... 11

3.2.1. Optical scan ... 12

3.2.2. DRE ... 14

4. Security and privacy advancement and glitches - Trustworthy technology ... 15

5. Guarding Against Tampering ... 18

6. Recommendations for better useable security and privacy ... 23

7. References ... 24


Introduction

Voting is an essential feature of democracy, but electoral fraud is unfortunately as old as voting itself. Increasingly, however, the way we count our votes depends completely on computer systems. Those systems have to work correctly and securely, or the outcome of the election could be in jeopardy. Many jurisdictions do not have proper safeguards in place, which creates new opportunities for fraud.

The goal of this coursework is to provide a sound understanding of how computer security is critical to the election process in a broadly applicable sense, and of what we need to do to keep elections secure.

1. Brief overview of Security Mindset

The security mindset is about asking what could go wrong in a particular system and seeking out ways to make the system fail. This is the notion of the adversary: an intelligent force that wants to make the system misbehave and fail. Security, seen as an adversarial problem, is the core of the mindset. In fact, we analyze computer security as the study of how a system behaves in the presence of an adversary.

When we build a system we have to consider a few key points.

How to think as an attacker:

• Looking for the weakest links in the system.

• Identifying the assumptions that the security of the system depends on.

• Thinking outside the box, not constrained by the system designer's worldview.

Assessing the probability of an attack is a critical element, as there is a cost involved in any defense mechanism, and it influences the choice of countermeasures and defenses. These criteria can be technical and less technical (legal policy, threat of prosecution, cost vs. benefit analysis).

2. Security Requirements

Adopting the security mindset is a prerequisite before even starting to think about any secure system. After this, we can go ahead with the security requirements that a voting system needs to enforce in order to be considered secure.


These can be prioritized as:

• Integrity: the outcome of the election matches the actual voting.

• Voting intent: the vote is cast exactly as the voter intended.

• Votes are counted as cast.

There is room for error in both cases (technical and less technical requirements), which requires proper design so that we can avoid these pitfalls.

A well-designed election system has to comply with:

• Secrecy

• Authentication

• Enfranchisement and availability

• Tension in the system

• Cost effectiveness

• Accessibility

• Intelligibility (usability).

2.1. Ballot secrecy

Ballot secrecy means that no one can figure out how you voted. This protects not only privacy but also accuracy, because if it is easy to reveal to other people how you voted, it becomes easy to sell your vote for a particular candidate. A strong ballot secrecy mechanism also protects against coercion by a criminal who might come up to you and force you to vote in a certain way by demanding evidence of it.

2.2. Vote authentications

Voter authentication means that:

• Only authorized voters can take part (set by the law).

• A voter can only vote once (legal requirement).

Voting multiple times has been recorded numerous times in the past and is known as the most common form of cheating.


2.3. Enfranchisement

Enfranchisement is considered one of the hardest-earned civil rights and democratic values in many societies, as all authorized voters should have an opportunity to vote. We may think that this is a corollary of authentication, mentioned above, but discouraging people who are authorized to vote could be an equally powerful attack.

2.4. Availability

Problem:

Availability in an election system cannot be compromised, because Election Day is usually fixed and in many places there is no provision in the law to postpone Election Day or to run the voting machines again if they somehow lose the information they were supposed to have counted. An attack on availability will target the system's functionality, either by forcing officials to turn people away on Election Day because of access delays, or in other forms such as denial-of-service attacks using huge traffic to knock the service offline and prevent it from being available to real users.

Solution:

The system must be able to accept all votes on schedule (during Election Day) and produce results in a timely manner, but it is hard to meet this entire requirement, which explains why election security is very difficult to achieve.

2.5. Tension in the system

Problem:

Tension arises when two or more of the system's requirements contradict each other and create conflict.

Examples of common problems and tensions within the system could be:

• Tension between integrity and ballot secrecy

If, for instance, we decided to make the vote outcome publicly available and list the names, addresses and voting choices of the people in the local newspaper, we would achieve 100% integrity, but what could we say about ballot secrecy?


• Tension between voter authentication and enfranchisement

If we adopted a very high level of authentication, for example requesting a driving license, passport, fingerprint and birth certificate from anyone who enters the polling station, we would drive away a lot of people who are authorized to vote but who, because they do not have the required documentation, would decide not to vote. On the other hand, if we wanted to make the voting process easy by not asking for any form of identification, it would also make it very easy for unauthorized people to vote.

Solution:

These tensions still cannot be resolved completely and are often a political matter of where we want to be in the spectrum of possibilities, in addition to the election security context.

In addition to the security features discussed above, there are a few more requirements worth mentioning, because they are also considered of high importance to an election system.

1. Cost effectiveness, as the resources available to spend on the voting system are usually limited.

2. Accessibility, for physically disabled voters.

3. Convenience: how easy it is to reach the physical location of the voting system.

4. Intelligibility: if the system is too complicated, this can also affect voter behavior, whether to be active or to decide not to participate.

Solution: Election technology has been struggling to satisfy these various requirements at the same time because of the tension between them; there is no single way to balance them all, and there is no right answer for all the different societies.

3. Voting security procedure

3.1. Voting registration

The security of elections is not just about the security of computer hardware and software; it is also about the security of the procedures involved.

To illustrate what can go wrong, I am going to provide an example of a typical voting procedure in the US, and in particular Washington D.C. The process requires filling in an online registration form, which raised a number of security issues concerning the validation, security and privacy of the data.


3.1.1. Validating of data authentication

Problem:

1. One issue is matching the state database with the federal database, as this can be difficult and can lead to people being falsely rejected because of the format in which their personal information has been kept.

2. Another obstacle is that most states prohibit people who have been convicted of serious crimes from taking part in further elections, by creating a list and matching it against voter registration databases. This creates potential issues, as many people with the same name can end up on the prohibited list and would not know until they arrive on Election Day.

Solution: The database system has to have standardized data entry conventions in place, which will ensure data integrity and provide better data quality.

3.1.2. Tension between security and privacy

Figure 1. Tension between security and privacy

Problem:

Another kind of risk caused by the registration database is the tension between security and privacy. The information collected, such as name, address, signature, date of birth, telephone number, gender and ID number, stored in this massive database, raises the question of who can access this data. The big problem is that most of those fields are publicly available and can usually be obtained and purchased from the state website. In many states the voter registration list is also used to select people for jury duty, which creates a trade-off, because people who try to avoid jury duty will also avoid voter registration.

3.1.3. Commercial reuse of the data

Problem:

Another issue is that the voting database is available to parties, and they can use it for campaign purposes. One example is Obama's campaign "Is Your Neighbor a Democrat?", which encouraged volunteers to go out and campaign to registered Democrats. Commercial reuse of the data is another privacy issue, as companies can combine the voter's personal information for their business and marketing purposes, for example home mortgages, credit card debt, etc.

Figure 2. Commercial reuse of the data

Solution (3.1.2 and 3.1.3):

Restrict access to the publicly available information by introducing a security mechanism for validating each visitor. Another possibility is to increase the privacy of the data by limiting its availability, which will reduce the risk of unlawful use of the personal information.


3.1.4. Who can modify and change the data

Strong access control against malicious insiders or hackers is another big concern for the security of the voting database.

A big part of the security mindset is about ethics; therefore we need to get into the attacker's methods and techniques in order to understand how security can fail.

I would like to discuss a documented example of a voter registration system, Washington D.C. The system is designed to maintain the list of eligible voters and to keep records of the correct address to which the ballot should be sent.

The voter registration database in Washington State also provides an online application to let voters see and update their records.

Problem:

If we are a potential attacker and know the name of someone who lives in Washington State and want to target them, for example by having their ballot misdirected to another address so that they will not be able to vote, this scenario examines how strongly the system protects against this sort of attack.

In order to log into the Washington D.C. online registration system, we need the name and date of birth of the voter. If we do not know the person's date of birth but know their name, there is a way to figure this out.

Figure 3. Washington Election Voting home page


The date of birth is one of the fields collected during the voter registration process and is publicly available. By a simple search we can easily discover the voter registration record with the voter's date of birth and other relevant information (Figure 4). Having this in hand we can easily log on and access the voter registration home page (Figure 3).

Figure 4. Washington State Voter DB

Figure 5. Washington Election voting home page update

As the attacker's target is to misdirect the ballot, he will try to update the voter's address and will be asked for the driving license number, which also is not a piece of secret information and can be easily retrieved (Figure 6).


Figure 6. Driving License Washington DB

This kind of attack is pretty scary, especially in a state where voters participate in the election process entirely by mail, as we can imagine the consequences of a wide-scale attack where someone tried to automate this process and change the registration information of large numbers of voters right before the deadline for mailing out the ballots.

Solution: Clearly voter registration databases like this need stronger protections. One way that the state could protect against this would be to mail out a confirmation before changing an address, for example sending a card to both the old and the new address saying that the address has been modified in the database. Washington State has not implemented a protection like this, but it seems like a key part of the validation process in order to maintain the integrity of the registration system.

3.1.5. Voter Authentication

Assuming that we have an accurate voter registration database and we know who the proper voters are, the next procedural question is how we are going to authenticate those voters when they arrive at the polling place. In many countries there are national ID cards, driver's licenses issued by each state and passports issued by the federal government, but it is really a patchwork rather than one single standardized system.

Many US states require only a signature to verify that the voter is who they claim to be. The voter registration database is printed into a list at each polling place, and each voter who is eligible to vote at that polling station has a space on this list. Many states have now introduced computerized poll books that maintain a copy of the voter registration database in digital form. This can provide a lot of advantages, for instance it may be faster to find people's records, and it can also be used to allow voters to visit different polling stations. But this has also brought some security concerns, such as the data being manipulated or denial of service, which could interfere with polling and delay the election.

Problem:

Today, US states are considering implementing some kind of requirement for checking photo ID, but this turns out to have a number of issues between voter authentication, enfranchisement and illegal voting. One issue is that not everyone has an ID. About eight percent of the US population, which makes more than 21 million people (African-Americans, senior citizens etc.), would not be able to produce the required ID under these rules. For that reason, ID requirements have the potential to be imposed or opposed for political reasons, because the parties in power will fear that adding or removing these requirements would cause a political shift to their benefit or detriment.

Another problem with voter ID is that a quality fake ID is easy to get: it can be purchased online for relatively little money and is hard for ordinary poll workers to detect.

Solution: Possible higher-tech solutions to this voter authentication and enfranchisement trade-off, for countries like the US where not everyone has an ID, could take the form of adding other identifiers to the voter registration database, such as biometrics: a fingerprint scan or an iris scan. Even adding a photograph to the voter registration database could provide high-level authentication, but again this would violate voter privacy.

3.2. Voting technologies

Two kinds of voting technology were introduced in the last quarter of the twentieth century. One is DRE (direct-recording electronic) voting, which is voting on computer devices that directly add up and total the votes. The other is optical scan. Optical scan voting involves filling out a paper ballot and then having a computer read that ballot and produce the election totals.

DRE and optical scan voting systems fundamentally depend on computers, and especially on computers at the polling place.


3.2.1. Optical scan

The idea with optical scan was to replace the potentially malicious humans who were part of the counting process with an impartial automated machine. Most of these machines have a removable memory card. This has positive implications, as it can capture much more information from the ballot and be used to distinguish marks with greater accuracy; however, in order to go from a picture to knowledge, it has to be linked to computer algorithms implemented in software.

The biggest advantage is that the optical scan machine can look for problems with the ballot and helps cut down the number of over-votes, which is an important kind of usability feature, but there is also a chance of something going wrong.

The other benefit is that the optical scanning machine, along with the electronic records, also retains the physical paper ballot.

Problem:

One of the more prominent issues has to do with the way people interact with optical scan ballots, as not everyone follows the instructions exactly: some people use blue ink, some people mark an X instead of filling in the oval. This is a challenge for optical scan machines, because it is possible that the machines are not going to interpret every one of these marks as a valid vote. The different styles in which people fill out those little circles on an optical scan form could also be used to compromise voter privacy.

Potential issues with optical scan voting are:

• Accuracy of detector sensors

If the ballot changes its size on a humid or dry day, or if the ballot is inserted into the machine slightly crooked, it can affect the quality of the reading.

• Calibration

Sensors in the machines might respond slightly differently to the same intensity of light because of physical variations in the electronics.

Solution: In an election of any size it is almost certain that we are going to have some fraction of ballots whose votes are misread or lost because of problems like these. This is fundamentally a challenge to every voting system, as no voting system has yet been designed that will work on a very large scale with absolutely zero error.


Optical scan fraud case study

This case study is an example that demonstrates how a computer voting machine could be used to cheat.

The attack was conceived and demonstrated by the voting researcher Harri Hursti on an optical scan voting machine made by Diebold. Hursti's attack looked at what would happen if an attacker had access to the memory card that is used to hold an electronic copy of the results and is taken back to the central office for counting. We assume that the card is going to be very well protected after the voting process finishes, as an important part of election integrity.

But what if someone was able to get access to the card before all of those votes were cast? Hursti's attack works like this: before the election, he loads up the memory card with a number of votes (for example 10) for the candidate he wants to win, let's say Ben. At the end of the election, this number is going to be added to the total votes for Ben. The problem with this simple version of the attack is that it would be pretty easy to detect. All that the election officials would need to do is observe that the total number of votes in the machine is ten more than the number of people who used it, so it would be caught right away.

Problem:

Hursti realized that the voting machine's record of how many votes belong to each candidate performs arithmetic in a very similar way to a mechanical counter, and that if he programmed ten votes for the candidate he wanted to win and, say, 990 votes for the other candidate, then when real voters used the machine both numbers would increase.

Solution: Luckily, because these are optical scan ballots, there is a way to catch this kind of fraud, which is to actually look at the paper ballots in the ballot box.
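The case study above, simulated in Python: the poll-book check that catches the simple pre-load and the paper audit that catches the 10/990 variant. This is an added example, not code from the report or from any voting machine; it assumes that each candidate's counter rolls over at 1000 like a mechanical counter (MODULUS), which is what lets the 990-vote pre-load cancel the visible excess, and the candidate names and ballot set are constructed.

```python
"""Simulation of the memory-card pre-loading attack and the checks that catch it.

Added example, not code from the report or any real voting machine. Assumption:
each candidate's counter rolls over at MODULUS, like a mechanical counter.
"""

MODULUS = 1000  # assumed roll-over point of the per-candidate counter
CANDIDATES = ("Ben", "Alice")  # constructed names, as in the case study


class MemoryCardTally:
    """Per-candidate counters stored on the removable memory card."""

    def __init__(self, preload=None):
        # `preload` models what someone with access to the card before the
        # election could write into it; an honest card starts at zero.
        self.counts = {c: 0 for c in CANDIDATES}
        for candidate, n in (preload or {}).items():
            self.counts[candidate] = n % MODULUS

    def record(self, candidate):
        """Scan one ballot: the counter increments and wraps like an odometer."""
        self.counts[candidate] = (self.counts[candidate] + 1) % MODULUS

    def total(self):
        return sum(self.counts.values())


def run_election(ballots, preload=None):
    """Feed the paper ballots through a (possibly pre-loaded) card."""
    card = MemoryCardTally(preload)
    for ballot in ballots:
        card.record(ballot)
    return card


def voter_count_check(card, voters_signed_in):
    """Poll-book check: the card's total must equal the number of people who voted.

    Catches the naive +10 pre-load, but not the 10/990 variant, whose total
    still matches the number of voters."""
    return card.total() == voters_signed_in


def paper_audit_check(card, ballots):
    """Audit: hand-count the paper ballots from the box and compare per candidate.

    Catches both variants, which is why the paper trail matters."""
    hand_count = {c: 0 for c in CANDIDATES}
    for ballot in ballots:
        hand_count[ballot] += 1
    return hand_count == card.counts


# Constructed sample: 100 voters sign in, 40 vote for Ben and 60 for Alice.
SAMPLE_BALLOTS = ["Ben"] * 40 + ["Alice"] * 60

if __name__ == "__main__":
    scenarios = [("honest card", None),
                 ("naive preload", {"Ben": 10}),
                 ("Hursti preload", {"Ben": 10, "Alice": 990})]
    for label, preload in scenarios:
        card = run_election(SAMPLE_BALLOTS, preload)
        vc = "pass" if voter_count_check(card, 100) else "FAIL"
        pa = "pass" if paper_audit_check(card, SAMPLE_BALLOTS) else "FAIL"
        print(f"{label:15} counts={card.counts} voter-count={vc} paper-audit={pa}")
```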

With optical scan voting machines there were still some drawbacks from the point of view of election administration, such as printing and distributing the paper to the polling places. Because of these issues, the next generation of voting machines eliminated the paper ballot entirely. These are known as DRE voting machines.


3.2.2. DRE

DRE stands for direct-recording electronic. Inside the machine is an electronic, computer-controlled counter that maintains a record of each vote, but unlike an optical scan machine, in a DRE the only record of the vote is generally something stored in the computer's memory.

Figure 7. Diebold AccuVote TS

Figure 8. Voting card

Around the 1990s the touch-screen DRE Diebold AccuVote TS (Fig. 7) was introduced, which was for a while the most widely used DRE voting machine in the US. When voters come to the polling place they sign in, and election officials hand them a smart card with a chip in it as the authentication mechanism. When the voter inserts the card into the slot on the machine, their vote is recorded in the machine's memory. At the end of the election, authorized poll workers use a special kind of card, the supervisor card, to get access to a special screen with other features, including the ability to close the election and print out a paper tape with the results on it. The election officials remove the memory card with its record of the votes and send it with the tape to election headquarters, where another kind of machine with special software totals up the votes from every machine. Those totals are the basis for what is announced on election night as the results of the count.

Problem:

Several problems have been encountered with DREs. Writing software that does something as simple as counting up election results correctly turns out to be a really difficult task, a much more complicated problem than we might think. Machines (computers) are very good at following instructions, but they do not have any ability to exercise judgment, realize on their own that something is wrong and take a course of action in response.

Solution: The developer has to supply all the correct instructions to the machine; they have to anticipate the cases that can arise, test them and write instructions for handling all of them.

Voting turns out to be a very specialized area because of this tension between integrity and ballot secrecy. When things go wrong, when there is an error in the count or when there is an attack, it is often very hard to catch. Something could go wrong and we would not even know, because the counting process is supposed to happen in secret, and we cannot just go back to the voters and make sure each of their votes has been counted correctly. That kind of failure detection or correction mechanism is not something that is typically engineerable within the confines of a DRE.

4. Security and privacy advancement and glitches - Trustworthy technology

In a real situation we can have an enormous number of potential complications, where writing correct software that handles all of these cases in a sensible way is a problem at the very limits of human capability. We cannot simply expect that the developers who are writing software for a voting machine are going to get it right.

Writing software that is correct is hard, but writing software that is secure is even harder, because what an attacker does is look for situations that the developers and testers have not accounted for. Those situations are not just natural failures, but failures that have been forced on the machine by the attacker (security mindset: thinking as an attacker).


Problems:

Errors

These errors could be based on design flaws, where the machine is working the way the designers intended but fails to take into account certain major requirements, or there could be implementation glitches or bugs. All of this adds up to the potential for miscounting and causes reliability problems. There have been cases where voting machines have been tremendously unreliable and just have not been able to function within the demands of a polling place, because of errors in the software development process.

Vulnerabilities

The second category of problems is vulnerabilities, where an attacker could sabotage the hardware and manipulate the data if the data's integrity is not protected.

Hursti's attack on optical scan is an example of a data manipulation attack on vulnerabilities that can lead to privacy leaks.

Integrity

Finally, just knowing that the integrity of the system has been preserved is a very difficult challenge with voting machines. Even if the company that built the machine posts its software on the internet and says everyone can look at it, there is no way that we can know that the software asserted to be the voting machine software is actually the software running in the machine.

There have been many cases where software that has never been tested or certified by a government ends up being the software running in a machine on Election Day. That is just another opportunity for sabotage and error to be introduced and go undetected.

Some software in voting machines is COTS (commercial off-the-shelf) software, a software package developed by someone else and used for other purposes. This just provides a further opportunity for problems with integrity, because these packages have to be updated every time bugs and other glitches are discovered in them.


Figure 9. Trustworthy Technology

Solution: The next set of procedures is the actions that election organizations put in place to guard the voting system against tampering.

The first and foremost requirement is to provide assurance that no one added, removed or changed any of the ballot papers between the start of polling and the time that counting finished, as the period between polling and counting is the period of vulnerability of the ballot box that needs to be guarded. With the introduction of electronic voting machines this situation changed dramatically: with DREs, for example, it is not only necessary to safeguard them during polling and counting but also to safeguard the machine at all times, as even after the machine is no longer used for elections it could still have data on it that would reveal voters' secret ballots. It is really a lifetime of security, and one of the things that adds to the cost of DRE voting in a way that most people do not realize.

What safeguarding procedure is required for machines like this?

• We have to keep track of them in storage.

• We have to keep track of them on Election Day.

• We have to keep track of the removable memory cards, and so forth.

One aspect of a secure facility is cameras and a watchman. Another aspect is making sure that the machines are secured while they are being transported to polling places and when the memory cards are being removed and brought back for counting.

Maintaining physical security by observation is one kind of procedural safeguard that can be a big challenge, especially for bulky machines like DREs, as often those machines are going to be delivered in advance; many election authorities drop these machines off the day before the election.

Procedures like this, leaving the voting machines overnight, create a tremendous opportunity for fraud, because the machines are relatively easy to tamper with.

Another mechanism to safeguard the physical integrity of the machines against tampering is what is known as tamper-evident seals.

Tamper-evident seals come in different styles, for example a padlock, a little wire rope or a sticker. The question is how secure those seals are, as an attacker might try a few different ways to defeat them. One would be to remove the seal and replace it with a new one that looks just like the original. Another possibility would be to find a way to take the seal off and put the original one back on without leaving any evidence that it had ever been removed.

5. Guarding Against Tampering

Problems:

These turn out to be empirical questions:

1. How easy is it for the seals actually in use on the market to be replaced with fresh ones?

An experimental group that tried to defeat 244 different kinds of seals found that the average time to defeat one, for a single person working alone, was only 1.4 minutes, and the average cost to break a seal was only 62 cents. Most of the seals on the market perform extremely poorly, being badly designed with little security functionality, and the interesting fact was that 99% of the seals considered in this study were currently in use for nuclear safeguards. Attackers would almost certainly be able to defeat these seals in a minimal amount of time.

2. Another concern is what kind of defence is appropriate if a seal is found broken, and what the chance is of catching the tampering if someone tampered with a DRE and installed fraudulent software. Often, that fraudulent software could simply wipe itself and remove all traces of the fraud at the end of the election.

3. Another kind of attack is when someone breaks the seals but does not actually do any tampering. This low-cost, easy-to-carry-out attack could also create a denial of service.

Solution: Roger Johnston and his colleagues came up with the anti-evidence approach, in which a seal that has been tampered with produces a visual indicator that creates evidence of the event. A protocol based on hashes or MACs suits the nature of the anti-evidence approach, and perhaps someday seals based on an approach like this will be able to provide a stronger defence.
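A model of the anti-evidence idea built on a MAC, as an added example and not Johnston's design or the report's code: the seal holds a secret that is erased the moment it is opened, and the inspector detects tampering because the seal can no longer answer a challenge. The seal ids, secrets and the wipe-on-open switch are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed model of an anti-evidence seal. Nothing is "shown" on the seal
# itself; evidence of tampering is the seal's inability to prove, in a
# challenge-response check, that it still holds the secret enrolled with it.


class AntiEvidenceSeal:
    def __init__(self, seal_id, secret):
        self.seal_id = seal_id
        self._secret = secret

    def open_housing(self):
        # Hypothetical tamper switch: any opening wipes the secret irreversibly,
        # so putting the same seal back afterwards does not restore it.
        self._secret = None

    def respond(self, challenge):
        if self._secret is None:
            return bytes(32)  # a wiped seal has nothing to answer with
        msg = self.seal_id.encode() + challenge
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class SealRegister:
    """The inspector's record of each enrolled seal's secret, kept off the seal."""

    def __init__(self):
        self._secrets = {}

    def enroll(self):
        seal_id = "SEAL-%04d" % (len(self._secrets) + 1)
        secret = secrets.token_bytes(32)
        self._secrets[seal_id] = secret
        return AntiEvidenceSeal(seal_id, secret)

    def inspect(self, seal):
        """True only if the seal proves it still holds the enrolled secret."""
        known = self._secrets.get(seal.seal_id)
        if known is None:
            return False  # unknown id: not one of ours
        challenge = secrets.token_bytes(16)  # fresh every time, so replays fail
        msg = seal.seal_id.encode() + challenge
        expected = hmac.new(known, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, seal.respond(challenge))


def scenario_results():
    """The three cases from the text: intact, removed and reapplied, swapped."""
    register = SealRegister()
    intact = register.enroll()
    reapplied = register.enroll()
    reapplied.open_housing()  # same seal taken off and put back on
    genuine = register.enroll()
    lookalike = AntiEvidenceSeal(genuine.seal_id, secrets.token_bytes(32))
    return {
        "intact": register.inspect(intact),
        "reapplied": register.inspect(reapplied),
        "lookalike": register.inspect(lookalike),
    }
```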

5. Inside the voting black box

DRE voting machines are referred to as black box voting machines, because the recording of the votes is unobservable. Voting machine companies claim that their software is a trade secret, which is common practice in software development generally, but when it comes to voting there should not be anything fundamentally secret about the way our votes are cast and counted. The actual process of counting votes and announcing a total is something many people believe should be transparent to the public. There is a further objection to keeping the software in the voting machine secret, on security grounds: if a piece of software relies on being secret for its security and that software leaks out, there will never be any way to get that security back.

For many years Diebold, the maker of the AccuVote TS, was extremely secretive and would not allow anyone to do an independent security evaluation of its machines or the software running on them. Diebold even threatened election officials who proposed to have an independent security evaluation done.

Diebold case study

All of that started to change in 2003, when a voting activist named Bev Harris was Googling for documents about the Diebold machines and came across a file posted on a Diebold Internet server. The file happened to be a copy of the complete source code of the Diebold voting machine.


Figure 10. Analysis of an Election Voting System

This was the first time anyone independent was able to see what was inside the software, do a security analysis and talk to the public about the results. A team of scientists from the University of California, San Diego, Johns Hopkins University and Rice University looked at the software Bev Harris found and did a security analysis. This is the paper they published in 2003 (Fig. 10).

Problems:

They found a number of problems. One was with the way the software handled the voter access cards. It turned out that, using easily obtainable hardware and software you wrote yourself, a voter could make any number of these cards that would work in a normal election. This would allow a voter to cast as many votes as he wanted within the election booth.

Another problem this research group found had to do with the encryption used in the Diebold voting machines. Encryption is a means of scrambling data files so that they are impossible to read unless you have the encryption key for the file. A key is usually a very large randomly generated number that is used in the scrambling process, and the corresponding descrambling process that gets the data back requires the key. Without the key it is practically infeasible to recover the data. Diebold applied encryption to try to protect the integrity and ballot secrecy of the data stored on the voting machines' memory cards. It turned out that they applied encryption incorrectly in a variety of ways because of design errors. The most interesting of these errors, and the simplest, was that all of the voting machines used exactly the same encryption key. This is a terrible security practice, because if a criminal were able to get hold of one of those voting machines, say one stolen from a polling place or fallen off a truck, or if the criminal were an insider in one election district, then that criminal could take the key and apply it to break the encryption on all of the other Diebold voting machines in use nationwide. That key happened to be the string F2654hD4. That was the secret protecting the integrity of all of these machines, and once the code leaked via the Diebold website anyone could decrypt any of the data files from any of the machines.

Figure 11. Diebold Encryption

The next problem was a ballot secrecy problem, and it had to do with the way ballots were stored on the memory card. The machine made a record every time someone cast a vote, and the votes were stored in a file on the memory card. On the Diebold memory card the votes were stored in order. What this meant was that if someone observing at the polling place watched the order in which people went to the machine and cast their votes, and then had access to the memory card at the end, they could determine exactly how every one of those voters voted, which is a major weakness in ballot secrecy. Finally, the researchers looked at the software development practices.

They looked for evidence that the software engineering methodologies used to produce the software in the Diebold machine were not up to the exacting standards required of critical software. What they found when they looked into the code was a lot of evidence of poor engineering practice, which resulted in insecure and unreliable software. The easiest way to illustrate what is meant by that is to look at some of the comments found in the code: the notes programmers leave inside the source code so that they and others can more easily understand what is going on.


Figure 11. Poor developer notes

These notes are a reflection of the internal development chaos and evidence that the development practice was far from the level needed to produce critical infrastructure software. All of these problems painted a pretty grim picture of what was going on inside the Diebold DREs, but the company's reaction painted an even grimmer one. Diebold first denied the problems. Second, they claimed that the software studied was not something used in actual machines. Third, they personally attacked the researchers involved. And finally they said that if there were any problems, they had been fixed in the new version of the software. We might think that fixing these problems in a new version of the software would be an adequate response, but actually finding problems like this is evidence that something is rotten to the core.

Secure and reliable software is the product of a certain development practice, mentality and methodology, and finding problems like this so easily indicates that those development practices are broken. Every group that has had a look at the system has found even more severe problems with security and reliability. Here is an example of one of those problems. This is something that was not spotted in the Hopkins study but is an actual security bug in a Diebold voting machine, one that anyone with programming skills can spot easily.

Figure 12. Poor coding practice


6. Recommendations for better usable security and privacy

Solution: Every voting technology has had problems because it lacks strong defensive mechanisms. Many researchers believe that in order to have voting security we have to add paper as a form of defence. Paper can offer very important security advantages, especially when coupled with an electronic system, and it makes sense because computers are not always available, reliable and correct; any form of physical backup of the vote records can therefore serve as a disaster recovery strategy. Most researchers believe it is beneficial to combine paper records and electronic records into one redundant record.

The advantage of having those two records is that they have different security modes, which are hard to violate at once. With an old-fashioned paper record stored in a ballot box, we have the possibility of physical tampering and retail fraud. With digital records, where the data is stored on a memory card, we have the possibility of cyber-tampering or electronic tampering that would amount to wholesale fraud, as it requires only a very small conspiracy, perhaps just one person with brief access to the electronics. When we combine these records, however, and check that they agree by performing some kind of audit after the election, we create a very difficult situation for the criminals: they would need a large conspiracy to change the paper records to match the electronic records, and they would have to be sophisticated enough to cheat in both records in a way that agrees, or else we are going to notice a mismatch in the audit. By combining these low-tech and high-tech records, we can have something far more secure than either paper ballots or electronic records on their own. The problem is that in many places the audits to check that the paper records and electronic records agree are exceedingly rare, and only happen if there is a very large or very small margin of victory. For these reasons, most researchers in this field consider precinct-count optical scan with audits to be the gold standard of what today's technology can do to secure an election. But there is another way to combine paper and electronic records, a technology invented to try to overcome some of the objections to DRE voting machines.
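One way to carry out the post-election reconciliation described above, as an added example that is not from the report or from any election system: constructed per-precinct tallies are compared, and a mismatch appears wherever only one of the two records was altered. It also works out, going beyond the text, how likely a uniformly random sample of precincts is to land on a tampered one.

```python
from math import comb

# Constructed tallies: the electronic total was altered in P3 only, and the paper
# record was left untouched, which is the retail attack the report describes.
ELECTRONIC = {
    "P1": {"Alice": 412, "Bob": 388},
    "P2": {"Alice": 301, "Bob": 299},
    "P3": {"Alice": 550, "Bob": 250},  # altered electronic total
    "P4": {"Alice": 120, "Bob": 180},
}
PAPER = {
    "P1": {"Alice": 412, "Bob": 388},
    "P2": {"Alice": 301, "Bob": 299},
    "P3": {"Alice": 450, "Bob": 350},
    "P4": {"Alice": 120, "Bob": 180},
}


def reconcile(electronic, paper, sampled):
    """Return the sampled precincts whose paper and electronic totals disagree.
    Missing or extra candidates count as a mismatch, not just changed numbers."""
    mismatched = []
    for precinct in sampled:
        e, p = electronic[precinct], paper[precinct]
        if e.keys() != p.keys() or any(e[c] != p[c] for c in e):
            mismatched.append(precinct)
    return mismatched


def detection_probability(n_precincts, n_tampered, n_sampled):
    """Chance that a uniform random audit of n_sampled precincts hits at least one
    of n_tampered altered precincts: 1 - C(n - t, k) / C(n, k).
    Cheating in one precinct is caught with this probability; to stay hidden the
    attacker has to alter both records consistently, which is the large conspiracy
    the report says an audit forces on them."""
    if n_sampled > n_precincts or n_tampered > n_precincts:
        raise ValueError("sample and tampered counts cannot exceed precinct count")
    # comb(a, b) is 0 when b > a, so drawing more than the clean count gives 1.0.
    clean_draws = comb(n_precincts - n_tampered, n_sampled)
    return 1.0 - clean_draws / comb(n_precincts, n_sampled)
```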

The idea is pretty simple and it is called a Voter-Verifiable Paper Audit Trail (VVPAT): every time someone votes, the machine prints out a piece of paper with a record of that individual ballot.

The critical thing about a VVPAT is that it has to be something the voter can see and check at the time they cast their vote. A Voter-Verifiable Paper Audit Trail adds some kinds of protection, but there are still a number of pretty important criticisms.

First of all, since the VVPAT is completely controlled by the computer in the voting machine, if the software is dishonest it could print paper records that do not match the voter's intent. If the voter does not check that the records are what they expected, this creates an opportunity for the DRE to cheat and get away with it. Depending on the specifics of the VVPAT mechanism's design, the DRE might try to print extra ballots when no one is there interacting with it, or it might try to cancel and replace the voter's ballot after the voter walks away.

The second problem has to do with the most common way of implementing a VVPAT, which is to use a cash-register-tape style printer. This is economical but not particularly reliable or permanent: those records will fade if left out in the sun for too long, or at least become very hard to read. Some mechanisms even require the voter to open a door to look at the tape and see how their votes have been recorded.

The final problem with a cash-register style tape is similar to the problem with the Diebold memory cards: if the tape is not cut between each voter's vote, you have a record of all the votes in the order they were cast, which means that someone watching the polling place and seeing who goes up to that particular machine can later look at the tape and figure out each person's choices.

For these reasons and some others, most researchers prefer precinct-count optical scan and consider the VVPAT to be a flawed security enhancement, but it is still probably better than a purely paperless DRE.
