UWS
Security in Digital Voting System
Data and Network Security Report
Madlena Pavlova B00251633
4/19/2016
Contents
Introduction
1. Brief overview of Security Mindset
2. Security Requirements
2.1. Ballot secrecy
2.2. Vote authentication
2.3. Enfranchisement
2.4. Availability
2.5. Tension in the system
3. Voting security procedure
3.1. Voter registration
3.1.1. Validation of data authentication
3.1.2. Tension between security and privacy
3.1.3. Commercial reuse of the data
3.1.4. Who can modify and change the data
3.1.5. Voter Authentication
3.2. Voting technologies
3.2.1. Optical scan
3.2.2. DRE
4. Security and privacy advancement and glitches - Trustworthy technology
5. Guarding Against Tampering
6. Recommendations for better usable security and privacy
7. References
Introduction
Voting is an essential feature of democracy, but electoral fraud is unfortunately as old
as voting itself. Increasingly, however, the way we count our votes depends entirely on
computer systems. Those systems have to work correctly and securely, or the outcome
of the election could be in jeopardy. Many jurisdictions do not have proper safeguards
in place, which creates new opportunities for fraud.
The goal of this coursework is to provide a sound understanding of why computer
security is critical to the election process, in a broadly applicable sense, and of what
needs to be done to keep elections secure.
1. Brief overview of Security Mindset
The security mindset is about asking what could go wrong in a particular system and
seeking out ways to make the system fail. This is the notion of the adversary: an
intelligent force that wants to make the system misbehave and fail. Framing security in
terms of an adversarial problem is the core of the mindset; in fact, computer security can
be described as the study of how a system behaves in the presence of an adversary.
When we build a system we have to consider a few key points.
How to think as an attacker:
• Look for the weakest links in the system.
• Identify the assumptions that the security of the system depends on.
• Think outside the box, unconstrained by the system designer's worldview.
Assessing the probability of an attack is a critical element, as there is a cost involved in
any defensive mechanism, and that assessment influences the choice of
countermeasures and defenses. The criteria can be technical or less technical (legal
policy, threat of prosecution, cost versus benefit analysis).
2. Security Requirements
Adopting the security mindset is a prerequisite before we even start thinking about any
secure system. After this, we can go ahead with the security requirements that a voting
system needs to enforce in order to be considered secure.
These can be prioritized as:
• Integrity: the outcome of the election matches the actual voting.
• Voting intent: the vote is cast in exactly the way the voter intended.
• Votes are counted as cast.
There is room for error in both kinds of requirement (technical and less technical),
which calls for proper design so that these pitfalls can be avoided.
A well-designed election system has to comply with:
Secrecy
Authentication
Enfranchisement and availability
Tension in the system
Cost effectiveness
Accessibility
Intelligibility (usability).
2.1. Ballot secrecy
Ballot secrecy means that no one can determine how you voted. This protects not only
privacy but also accuracy, because if it were easy to reveal to other people how you
voted, it would be easy to sell your vote to a particular candidate. A strong ballot secrecy
mechanism also protects against coercion by a criminal who might come up to you,
force you to vote in a certain way and demand evidence that you did so.
2.2. Vote authentication
Vote authentication means that:
• Only authorized voters can take part (set out by the law).
• A voter can only vote once (legal requirement).
Voting multiple times has been recorded numerous times in the past and is known as
the most common form of cheating.
2.3. Enfranchisement
Enfranchisement is considered one of the hardest-earned civil rights and democratic
values in many societies: all authorized voters should have the opportunity to vote. We
may think that this is a corollary of authentication, mentioned above, but discouraging
people who are authorized to vote could be an equally powerful attack.
2.4. Availability
Problem:
Availability in an election system cannot be compromised, because Election Day is
usually fixed and in many places the law makes no provision to postpone Election
Day or to run the voting machines again if they somehow lose the information
they were supposed to have counted. An attack on availability will target the
system's functionality, either by forcing officials to turn people away on Election
Day because of access delays, or in another form such as a denial of service
attack that floods the service with traffic, knocks it offline and prevents it from
being available to legitimate users.
Solution:
The system must be able to accept all votes on schedule (during Election Day) and
produce results in a timely manner, but it is hard to meet this entire requirement, which
explains why election security is so difficult to achieve.
2.5. Tension in the system
Problem:
Tension arises when two or more of the system's requirements contradict each other
and create conflict.
Examples of common tensions within the system are:
• Tension between integrity and ballot secrecy
If, for instance, we decided to make the vote outcome publicly available and
list the names, addresses and voting choices of the people in the local
newspaper, we would achieve 100% integrity, but what could we say for ballot
secrecy?
• Tension between voter authentication and enfranchisement
If we adopted a very high level of authentication, for example requiring a
driving licence, passport, fingerprint and birth certificate from anyone who
enters the polling station, we would drive away a lot of people who are
authorized to vote but who would decide not to because they do not have the
required documentation. On the other hand, if we wanted to make the voting
process easy by not asking for any form of identification, it would also make it
very easy for people who are not authorized to vote to do so.
Solution:
These tensions still cannot be resolved completely, and where we want to sit in the
spectrum of possibilities is often a political matter that goes beyond the election security
context.
In addition to the security features discussed above, there are a few more requirements
worth mentioning because they are also considered of high importance to an election
system.
1. Cost effectiveness: the resources available to spend on the voting system are
usually limited.
2. Accessibility: for physically disabled voters.
3. Convenience: how easy it is to get to the physical location of the voting system.
4. Intelligibility: if the system is too complicated, this can also affect voter
behaviour, whether people take part or decide not to participate.
Solution: Election technology has struggled to satisfy these various requirements at the
same time because of the tension between them; there is no single way to balance them
all, and there is no one right answer for all the different societies.
3. Voting security procedure
3.1. Voter registration
The security of elections is not just about the security of computer hardware and
software; it is also about the security of the procedures involved.
To illustrate what can go wrong, I am going to use the example of a typical voting
procedure in the US, and in particular Washington D.C. The process requires filling in an
online registration form, which raises a number of security issues concerning the
validation, security and privacy of the data.
3.1.1. Validation of data authentication
Problem:
1. One issue is matching the state database against the federal database, which
can be difficult and can lead to people being falsely rejected because of the
format in which their personal information has been kept.
2. Another obstacle is that most states bar people who have been convicted of
serious crimes from further elections by creating a list and matching it against
the voter registration database. This creates potential problems, as many
people with the same name can end up on the prohibited list and would not
know until they arrive on Election Day.
Solution: The database system has to have standardized data entry conventions in
place, which will ensure data integrity and provide better data quality.
3.1.2. Tension between security and privacy
Figure 1. Tension between security and privacy
Problem:
Another kind of risk caused by the registration database is the tension between
security and privacy. The information collected, such as name, address, signature,
date of birth, telephone number, gender and ID number, stored in this massive
database, raises the question of who can access it. The big problem is that most of
those fields are publicly available and can usually be obtained and purchased from
the state website. In many states the voter registration list is also used to select
people for jury duty, which creates a trade-off because people who try to avoid jury
duty will also avoid voter registration.
3.1.3. Commercial reuse of the data
Problem:
Another issue is that the voter database is available to political parties, which can use
it for campaign purposes. One example is the Obama campaign's "Is Your Neighbor
a Democrat?", which encouraged volunteers to go out and campaign to registered
Democrats. Commercial reuse of the data is another privacy issue, as companies
can combine the voter's personal information for their business and marketing
purposes, for example home mortgages, credit card debt etc.
Figure 2. Commercial reuse of the data
Solution (3.1.2 and 3.1.3):
Restrict access to the publicly available information by introducing a security mechanism
that validates each visitor. Another possibility is to increase the privacy of the data by
limiting its availability, which will reduce the risk of unlawful use of personal information.
3.1.4. Who can modify and change the data
Strong access control against malicious insiders or hackers is another big concern for
the security of the voter database.
A big part of the security mindset is about ethics; therefore we need to get into the
attacker's methods and techniques in order to understand how security can fail.
I would like to discuss a documented example of a voter registration system, that of
Washington D.C. The system is designed to maintain the list of eligible voters and to
keep a record of the correct address to which the ballot should be sent.
The voter registration database in Washington State also provides an online application
that lets voters see and update their records.
Problem:
Suppose we are a potential attacker who knows the name of someone who lives in
Washington State and wants to target them, for example by having their ballot
misdirected to another address so that they will not be able to vote. This scenario
examines how strongly the system protects against this sort of attack.
In order to log into the Washington D.C. online registration system, we need the
name and date of birth of the voter. If we do not know the person's date of birth but
know their name, there is a way to figure it out.
Figure 3. Washington Election Voting home page
Date of birth is one of the fields collected during the voter registration process
and is publicly available. With a simple search we can easily discover the voter
registration record with the voter's date of birth and other relevant information
(Figure 4). With this in hand we can easily log on and access the voter registration
home page (Figure 3).
Figure 4. Washington State Voter DB
Figure 5. Washington Election voting home page update
As the attacker's aim is to misdirect the ballot, he will try to update the voter's
address and will be asked for the driving licence number, which is also not a piece
of secret information and can easily be retrieved (Figure 6).
Figure 6. Driving Licence Washington DB
This kind of attack is pretty scary, especially in a state where voters participate in the
election process entirely by mail, as we can imagine the consequences of a wide-scale
attack where someone automated this process and changed the registration information
of large numbers of voters right before the deadline for mailing out the ballots.
Solution: Clearly voter registration databases like this need stronger protections. One
way the state could protect against this would be to mail out a confirmation before
changing an address, for example sending a card to both the old and the new address
saying that the address has been modified in the database. Washington State has not
implemented a protection like this, but it seems like a key part of the validation process
needed to maintain the integrity of the registration system.
3.1.5. Voter Authentication
Assume that we have an accurate voter registration database and we know who the
proper voters are. The next procedural question is how we are going to authenticate
those voters when they arrive at the polling place. In many countries there is a national
ID card; there are also driver's licenses issued by each state and passports issued by
the Federal Government, but it is really a patchwork rather than one single standardized
system.
Many US states require only a signature to verify that the voter is who they claim to be.
The voter registration database is printed into a list at each polling place, and each voter
who is eligible to vote at that polling station has a space on this list. Many states have
now introduced computerized poll books that maintain a copy of the voter registration
database in digital form. This can provide a lot of advantages; for instance, it may be
faster to find people's records, and it can also be used to allow voters to visit different
polling stations. But this also brings some security concerns, such as the data being
manipulated or a denial of service, which could interfere with polling and delay the
election.
Problem:
Today, US states are considering implementing some kind of requirement to check
photo ID, but this turns out to raise a number of issues between voter authentication,
enfranchisement and illegal voting. One issue is that not everyone has an ID. About
eight percent of the US population, which makes more than 21 million people in the
US (African-Americans, senior citizens etc.), would not be able to produce the
required ID under these rules. For that reason, ID requirements have the potential
to be imposed or opposed for political reasons, because the parties in power will
fear that adding or removing these requirements would cause a political shift to
their benefit or detriment.
Another problem with voter ID is that getting a quality fake ID is easy: one can be
purchased online for relatively little money and is hard for ordinary poll workers to
detect.
Solution: A possible higher-tech solution to this trade-off between voter authentication
and enfranchisement, for countries like the US where not everyone has an ID, could be
to add other identifiers to the voter registration database, such as biometrics, a
fingerprint scan or an iris scan. Even adding a photograph to the voter registration
database could provide a high level of authentication, but again this would violate voter
privacy.
3.2. Voting technologies
Two kinds of voting technology were introduced in the last quarter of the twentieth
century. One is DRE (direct-recording electronic) voting, which is voting on computer
devices that directly add up and total the votes. The other is optical scan. Optical scan
voting involves filling out a paper ballot and then having a computer read that ballot and
produce the election totals.
DRE and optical scan voting systems fundamentally depend on computers, and
especially on computers at the polling place.
3.2.1. Optical scan
The idea of optical scan was to replace the potentially malicious humans who were part
of the counting process with an impartial automated machine. Most of these machines
have a removable memory card. This has positive implications, as the machine can
capture much more information from the ballot and use it to distinguish marks with
greater accuracy; however, in order to go from a picture to knowledge, it has to rely on
computer algorithms implemented in software.
The biggest advantage is that the optical scan machine can look for problems with the
ballot and helps cut down the number of over-votes, which is an important kind of
usability feature, but there is still a chance of something going wrong.
The other benefit is that, alongside the electronic records, the optical scan system also
retains the physical paper ballot.
Problem:
One of the more prominent issues has to do with the way people interact with
optical scan ballots, as not everyone follows the instructions exactly: some people
use blue ink, some people mark an X instead of filling in the oval. This is a
challenge for optical scan machines, because it is possible that the machines will
not interpret every one of these marks as a valid vote. The different styles in which
people fill out those little circles on an optical scan form could also be used to
compromise voter privacy.
Potential issues with optical scan voting are:
• Accuracy of detector sensors
If the ballot changes size on a humid or dry day, or if the ballot is inserted into
the machine slightly crooked, it can affect the quality of the reading by the
sensors.
• Calibration
Sensors in the machines might respond slightly differently to the same
intensity of light because of physical variations in the electronics.
Solution: In an election of any size it is almost certain that some fraction of the votes on
ballots will be misread or lost because of problems like these. This is fundamentally a
challenge for every voting system, as no voting system has yet been designed that works
on a very large scale with absolutely zero error.
Optical scan fraud case study
This case study is an example demonstrating how a computer voting machine could be
used to cheat.
The attack was conceived and demonstrated by the voting researcher Harri Hursti on an
optical scan voting machine made by Diebold. Hursti's attack looked at what would
happen if an attacker had access to the memory card that is used to hold an electronic
copy of the results and take it back to the central office for counting. We assume that
the card is going to be very well protected after the voting process finishes, as an
important part of election integrity.
But what if someone was able to get access to the card before all of those votes were
cast? Hursti's attack works like this: before the election, he loads up the memory card
with a number of votes (for example 10) for the candidate he wants to win, let's say Ben.
At the end of the election, this number is added to the total votes for Ben. The problem
with this simple version of the attack is that it would be pretty easy to detect. All the
election officials would need to do is observe that the total number of votes in the
machine is ten more than the number of people who used it, so it would be caught right
away.
Problem:
Hursti realized that the voting machine's record of how many votes belong to each
candidate performs arithmetic in a very similar way to a mechanical counter. If he
programmed ten votes for the candidate he wanted to win and, say, 990 votes for the
other candidate, then when real voters used the machine both numbers would increase;
just as a mechanical counter rolls over past its highest reading, the 990 behaves like
minus ten, so the total number of votes still matches the number of voters.
Solution: Luckily, because these are optical scan ballots, there is a way to catch this
kind of fraud: actually looking at the paper ballots in the ballot box.
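The pre-loaded counters and the two reconciliation checks discussed above, as an added simulation that is not the report's own code and not Hursti's actual demonstration. It assumes three-digit candidate counters that wrap around at 1000 like a mechanical counter, a two-candidate race (Ben and Alice), and a constructed set of 60 ballots.

```python
"""Simulation of the memory-card preload described in the case study and of the
checks that catch it. Added example; not the report's code and not Hursti's exploit.
Assumption: each candidate counter is a three-digit register that wraps at 1000,
the way a mechanical counter rolls over from 999 to 000."""

MODULUS = 1000  # assumed register size; the report does not state the real one
CANDIDATES = ("Ben", "Alice")

# Constructed sample: 60 real voters used the machine, 25 chose Ben, 35 chose Alice.
REAL_BALLOTS = ["Ben"] * 25 + ["Alice"] * 35
VOTERS_SIGNED_IN = len(REAL_BALLOTS)


def machine_tally(preload, ballots, modulus=MODULUS):
    """Return the candidate totals the machine reports.

    `preload` is what the memory card held before polls opened (all zeros on an
    honest card). Every real ballot increments its candidate's counter, wrapping
    at `modulus` exactly as the physical counter would."""
    counters = {c: preload.get(c, 0) % modulus for c in CANDIDATES}
    for choice in ballots:
        counters[choice] = (counters[choice] + 1) % modulus
    return counters


def voter_count_check(counters, voters_signed_in):
    """First reconciliation: votes recorded must equal the number of people who
    signed the poll book and used the machine. Catches the naive preload only."""
    return sum(counters.values()) == voters_signed_in


def paper_ballot_audit(counters, paper_ballots):
    """Second reconciliation: hand-count the paper ballots the optical scan system
    retained and compare candidate by candidate with the machine's totals."""
    hand_count = {c: 0 for c in CANDIDATES}
    for choice in paper_ballots:
        hand_count[choice] += 1
    return counters == hand_count


def run_scenarios():
    """Run the three memory cards from the text and report what each check says."""
    cards = {
        "honest": {},
        "naive preload": {"Ben": 10},                  # +10 Ben: votes exceed voters
        "Hursti preload": {"Ben": 10, "Alice": 990},   # 990 acts as -10 after wrap
    }
    results = {}
    for name, preload in cards.items():
        totals = machine_tally(preload, REAL_BALLOTS)
        results[name] = {
            "totals": totals,
            "count_check": voter_count_check(totals, VOTERS_SIGNED_IN),
            "paper_audit": paper_ballot_audit(totals, REAL_BALLOTS),
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:15s} totals={r['totals']} "
              f"count_check={r['count_check']} paper_audit={r['paper_audit']}")
```

The Hursti card passes the voter-count check while flipping the winner; only the comparison against the retained paper ballots exposes it.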
With optical scan voting machines there were still some drawbacks from the point of view
of election administration, such as printing and distributing the paper to the polling
places. Because of these issues, the next generation of voting machines eliminated the
paper ballot entirely. These are known as DRE voting machines.
3.2.2. DRE
DRE stands for direct-recording electronic. Inside the machine is an electronic,
computer-controlled counter that maintains a record of each vote, but unlike an optical
scan machine, in a DRE the only record of the vote is generally something stored in the
computer's memory.
Figure 7. Diebold AccuVote TS
Figure 8. Voting card
Around the 1990s the touch-screen DRE Diebold AccuVote TS (Fig. 7) was introduced,
which was for a while the most widely used DRE voting machine in the US. When voters
come to the polling place they sign in, and election officials hand them a smart card with
a chip in it as the authentication mechanism. When the voter inserts the card into the slot
on the machine, his vote is recorded in the machine's memory. At the end of the election,
authorized poll workers use a special kind of card, the supervisor card, to get access to a
special screen with other features, including the ability to close the election and print out
a paper tape with the results on it. The election officials remove the memory card with its
record of the votes and send it with the tape to the election headquarters, where another
kind of machine with special software totals up the votes from every machine. Those
totals are the basis for what is announced on election night as the results of the count.
Problem:
Several problems have been encountered with DREs. Writing software that does
something as simple as counting up election results correctly turns out to be a really
difficult task, a much more complicated problem than we might think. Machines
(computers) are very good at following instructions, but they do not have any ability
to exercise judgment, realize on their own that something is wrong and take a course
of action in response.
Solution: The developer has to supply all the correct instructions to the machine, has to
anticipate the cases that can arise, test them and write instructions for handling all of
them.
Voting turns out to be a very specialized area because of the tension between integrity
and ballot secrecy. When things go wrong, when there is an error in the count or when
there is an attack, it is often very hard to catch. Something could go wrong and we would
not even know, because the counting process is supposed to happen in secret: we
cannot just go back to the voters and make sure each of their votes has been counted
correctly. That kind of failure detection or correction mechanism is not something that
can typically be engineered within the confines of a DRE.
4. Security and privacy advancement and glitches - Trustworthy technology
In a real situation we can have an enormous number of potential complications, where
writing correct software that handles all of these cases in a sensible way is a problem
that is at the very limits of human capability. We cannot just expect that the developers
who are writing software for a voting machine are going to get it right.
Writing software that is correct is hard, but writing software that is secure is even harder,
because what an attacker does is look for situations that the developers and testers have
not accounted for. Those situations are not just natural failures, but failures that have
been forced on the machine by the attacker (Security Mindset: thinking as an attacker).
Problems:
Errors
These errors could be based on design flaws, where the machine is working the way
the designers intended but fails to take into account certain major requirements, or
there could be implementation glitches or bugs. All of this adds up to the potential for
miscounting and causes reliability problems. There have been cases where voting
machines have been tremendously unreliable and just have not been able to function
within the demands of a polling place, because of errors in the software development
process.
Vulnerabilities
The second category of problems is vulnerabilities, where an attacker could sabotage
the hardware and manipulate the data if the data's integrity is not protected.
Hursti's attack on optical scan machines is an example of a data manipulation attack on
vulnerabilities, which can also lead to privacy leaks.
Integrity
Finally, just knowing that the integrity of the system has been preserved is a very
difficult challenge with voting machines. Even if the company that built the machine
posts its software on the internet and says everyone can look at it, there is no way
that we can know that the software asserted to be the voting machine software is
actually the software running in the machine.
There have been many cases where software that has never been tested or certified
by a government ends up being the software running in a machine on Election Day.
That is just another opportunity for sabotage and error to be introduced and go
undetected.
Some software in voting machines is COTS (commercial off-the-shelf) software, a
software package developed by someone else and used for other purposes. This
just provides a further opportunity for integrity problems, because these packages
have to be updated every time bugs and other glitches are discovered in them.
Figure 9. Trustworthy Technology
Solution: The next set of procedures is the actions that election organizations put in
place to guard the voting system against tampering.
The first and foremost requirement is to provide assurance that no one added, removed
or changed any of the ballot papers between the start of polling and the time that
counting finished, as the period between polling and counting is the period of
vulnerability of the ballot box, which needs to be guarded. With the introduction of
electronic voting machines this situation changed dramatically: with DREs, for example,
it is not only necessary to safeguard them during polling and counting but also to
safeguard the machine at all times, as even after the machine is no longer used for
elections it could still have data on it that would reveal voters' secret ballots. It is really a
lifetime of security, and one of the things that adds to the cost of DRE voting in a way
that most people do not realize.
What safeguarding procedures are required for machines like this?
We have to keep track of them in storage.
We have to keep track of them on Election Day.
We have to keep track of the removable memory cards, and so forth.
One aspect of a secure facility is cameras and watchmen. Another aspect is making sure
that the machines are secured while they are being transported to polling places and
when the memory cards are being removed and brought back for counting.
Maintaining physical security by observation is one kind of procedural safeguard that can
be a big challenge, especially for bulky machines like DREs, as those machines are often
delivered in advance: many election authorities drop the machines off the day before the
election.
Procedures like this, leaving the voting machines overnight, create a tremendous
opportunity for fraud, because the machines are relatively easy to tamper with.
Another mechanism to safeguard the physical integrity of the machines against
tampering is what is known as tamper-evident seals.
Tamper-evident seals come in different styles, for example a padlock, a little wire rope or
a sticker. The question is how secure those seals are, as an attacker might try a few
different ways to defeat them. One would be to remove the seal and replace it with a
new one that looks just like the original. Another possibility would be to find a way to
take the seal off and put the original one back on without leaving any evidence that it
had ever been removed.
5. Guarding Against Tampering
Problems:
These turn out to be empirical questions:
1. How easy is it for the seals that are actually in use on the market to be
replaced with fresh ones?
An experimental group that tried to defeat 244 different kinds of seals found
that the average time to defeat them, for a single person working alone, was
only 1.4 minutes, and the average cost to break a seal was only 62 cents, as
most of the seals on the market perform extremely poorly and are designed
with low security functionality. The interesting fact was that 99% of the seals
considered in this study were currently in use for nuclear safeguards. Attackers
would almost certainly be able to defeat these seals in a minimal amount of
time.
2. Another concern is what kind of response is appropriate if there is a broken
seal, and what the chance is of tampering being caught if someone tampered
with a DRE and installed fraudulent software. Often, that fraudulent software
could just wipe itself out and remove all traces of the fraud at the end of the
election.
3. Another kind of attack is when someone breaks the seals but does not actually
do any tampering. This kind of low-cost and easy-to-do attack could also create
a denial of service.
Solution: Roger Johnston and his colleagues came up with the anti-evidence approach,
where the seal, when tampered with, creates and displays some visual indicator that
provides evidence of the event. A protocol based on hashes or MACs fits the nature of
the anti-evidence approach, and perhaps someday seals based on an approach like this
will be able to provide a stronger defense.
5. Inside the voting black box
DRE voting machines are referred to as black box voting machines because the recording of the votes is unobservable. Voting machine companies claim that their software is a trade secret, which is common practice in software development generally, but when it comes to voting there shouldn't be anything fundamentally secret about the way our votes are cast and counted. The actual process of counting votes and announcing a total is something that many people believe should be transparent to the public. There is a further objection to keeping the software in the voting machine secret, on security grounds: if a piece of software relies on being secret for its security and that software leaks out, there will never be any way to get that security back.
For many years, Diebold, the maker of the AccuVote TS, was extremely secretive and would not allow anyone to do an independent security evaluation of its machines or the software running in them. Diebold even threatened election officials who proposed to have their own independent security evaluation done.
Diebold case study
All of that started to change in 2003, when a voting activist named Bev Harris was searching Google for documents about the Diebold machines and came across a file posted on a Diebold Internet server. This file happened to be a copy of the complete source code to the Diebold voting machine.
Figure 10. Analysis of an Election Voting System
This was the first time that anyone independent was able to see what was inside the software, do a security analysis and talk to the public about the results. A team of scientists from the University of California, San Diego, Johns Hopkins University and Rice University looked at the software Bev Harris found and did a security analysis. Fig. 10 shows the paper they published in 2003.
Problems:
They found a number of problems. One was with the way the software handled the voter access cards. It turned out that, using just easily obtainable hardware and software you wrote yourself, a voter could make any number of these cards that would work in a normal election. This would allow a voter to cast as many ballots as he wanted inside the election booth.
Another problem this research group found had to do with the encryption that was used in the Diebold voting machines. Encryption is a means of scrambling data files so that they're impossible to read unless you have the encryption key for the file. A key is usually a very large randomly generated number that's used in the scrambling process, and the corresponding de-scrambling process that gets the data back requires the key. Without the key it's practically infeasible to recover the data. Diebold applied encryption to try to protect the integrity and ballot secrecy of the data stored on the voting machine's memory cards. It turned out that they applied encryption incorrectly in a variety of ways because of design errors. The most interesting of these errors, and the simplest one, was that all of the voting machines used exactly the same encryption key. This is a terrible security practice because if a criminal were able to get hold of one of those voting machines, say one stolen from a polling place, one that fell off a truck, or one the criminal had access to as an insider in a single election district, then that criminal could take the key and use it to break the encryption on all of the other Diebold voting machines in use nationwide. That key happened to be the string F2654hD4. That was the secret protecting the integrity of all of these machines, and once the code leaked from the Diebold website, anyone could decrypt any of the data files from any of the machines.
Figure 11. Diebold Encryption
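Why one shared key is fatal, as an added example that is not the researchers' or Diebold's code: a memory card record is sealed with an HMAC-SHA256 keystream and tag, first under a key every machine shares and then under a per-machine key derived from a master secret, and a key taken from machine B is tried against machine A's card. The shared key is the one the study reported; the master secret and machine identifiers are constructed.

```python
import hmac
import hashlib
import secrets

# "F2654hD4" is the shared key the study reported; the master secret and the
# machine identifiers below are constructed for this example.
SHARED_KEY = b"F2654hD4"

def derive_machine_key(master: bytes, machine_id: str) -> bytes:
    """Per-machine key: HMAC of the machine's identity under a master secret
    that stays in the key-provisioning system (an assumption of this example)."""
    return hmac.new(master, machine_id.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stdlib only)."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal_record(key: bytes, record: bytes) -> bytes:
    """Encrypt-then-MAC a memory card record: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(record, _keystream(key, nonce, len(record))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_record(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under `key`."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def key_from_other_machine_works(per_machine: bool) -> bool:
    """Simulate a card written by machine A being read with the key recovered
    from machine B.  True means one leaked key opens every machine's data."""
    master = b"constructed-master-secret-never-stored-on-a-machine"
    if per_machine:
        key_a = derive_machine_key(master, "precinct-07-unit-A")
        key_b = derive_machine_key(master, "precinct-12-unit-B")
    else:
        key_a = key_b = SHARED_KEY          # the Diebold design: same key everywhere
    card = seal_record(key_a, b"ballot 1: X; ballot 2: Y; ballot 3: X")
    return open_record(key_b, card) is not None
```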
The next problem was a ballot secrecy problem. It had to do with the way ballots were stored on the memory card. The machine made a record every time someone cast a vote; the votes were stored in a file on the memory card, and on the Diebold memory card the votes were stored in order. What this meant was that if someone was observing at the polling place, watching the order in which people went into the machine and cast their votes, and they had access to the memory card at the end, they could determine exactly how every one of those voters voted, which is a major weakness in ballot secrecy. Finally, the researchers looked at the software development practice.
They looked for evidence of whether the software engineering methodologies used to produce the software in the Diebold machine were up to the exacting standards of critical software. What they found when they looked into the code was a lot of evidence of poor engineering practice, which resulted in insecure and unreliable software. The easiest way to illustrate what is meant by that is to look at some of the comments found in the code: the notes programmers leave inside the source code to let themselves and others more easily understand what's going on.
Figure 11. Poor developer notes
These notes reflect the internal development chaos and are evidence that the development practice was far from the level needed to produce critical infrastructure software. All of these problems painted a pretty grim picture of what was going on inside the Diebold DREs, but the company's reaction paints an even grimmer one. Diebold first denied the problems. Second, they claimed that the software that was studied was not something used in actual machines. Third, they personally attacked the researchers involved. And finally they said that if there were any problems, they had been fixed in the new version of the software. We might think that fixing these problems in the new version of the software would be an adequate response, but actually finding problems like this is evidence that something is rotten to the core.
Secure and reliable software is a product of a certain development practice, mentality and methodology, and finding problems like this so easily indicates that those development practices are broken. Every group that has had a look at the system has found even more severe problems with security and reliability. Here is an example of one of those problems. This is something that wasn't spotted in the Hopkins study but is an actual security bug in the Diebold voting machine that anyone with programming skills can detect easily.
Figure 12. Poor coding practice
6. Recommendations for better usable security and privacy
Solution: Every voting technology has problems, as each lacks a strong defensive mechanism. Many researchers' opinion is that in order to have voting security, we have to add paper as a form of defence. Paper can offer very important security advantages, especially when it's coupled with an electronic system, and it makes sense because computers are not always available, reliable and correct; therefore any form of physical backup of the vote records can be a useful disaster recovery strategy. Most researchers believe that it is beneficial to combine paper records and electronic records into one redundant record.
The advantage of having those two records is that they have different security modes, which are hard to violate at once. With an old-fashioned paper record stored in a ballot box, we have the possibility of physical tampering and retail fraud. With the digital records, where the data is stored on a memory card, we have the possibility of cyber-tampering or electronic tampering that would amount to wholesale fraud, since it requires only a very small conspiracy, perhaps just one person with brief access to the electronics. When we combine these records, however, and check that they agree by performing some kind of auditing process after the election, we create a very difficult situation for the criminals: they would need a large conspiracy to change the paper records to match the electronic records, and they would have to be sophisticated enough to cheat in both records in a way that agrees, or else we're going to notice a mismatch in the audit. By combining these low-tech and high-tech records, we can have something that's far more secure than either paper ballots or electronic records on their own. The problem is that in many places the audits to check that the paper records and electronic records agree are exceedingly rare, and only happen if there's a very large or very small margin of victory. For these reasons, most researchers in this field consider precinct-count optical scan with audits to be the gold standard of what today's technology can do for securing an election. But there is another way to combine paper and electronic records, and this is a technology that was invented to try to overcome some of the objections to DRE voting machines.
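The redundancy argument worked through in code, as an added example rather than anything from the report's sources: the electronic totals of one batch are altered while the paper stays intact, a hand-count audit of sampled batches catches the mismatch, and only when both records are altered consistently (the large conspiracy) does the audit see nothing. The batch totals are constructed.

```python
import random
from collections import Counter

# Constructed sample: per-batch totals the paper ballots would show on a hand
# count.  The electronic record normally matches it exactly.
PAPER = {
    "batch-1": Counter(X=120, Y=95), "batch-2": Counter(X=88, Y=101),
    "batch-3": Counter(X=130, Y=70), "batch-4": Counter(X=60, Y=64),
}

def electronic_with_tampering(paper, batch, shift):
    """Wholesale (electronic-only) fraud: one insider moves `shift` votes from
    Y to X in a single batch's electronic totals, leaving the paper untouched."""
    electronic = {b: Counter(c) for b, c in paper.items()}
    electronic[batch]["X"] += shift
    electronic[batch]["Y"] -= shift
    return electronic

def both_records_tampered(paper, batch, shift):
    """The large-conspiracy case: the paper ballots of that batch are altered
    too, so the two records agree.  Returns (electronic, paper)."""
    electronic = electronic_with_tampering(paper, batch, shift)
    return electronic, {b: Counter(c) for b, c in electronic.items()}

def hand_count_audit(electronic, paper, sample_size, rng=None):
    """Hand-count a random sample of batches and compare with the electronic
    totals.  Returns the batches whose two records disagree; an empty list from
    a full audit (sample_size == number of batches) means the two independent
    records agree everywhere."""
    rng = rng or random.SystemRandom()
    sampled = rng.sample(sorted(electronic), sample_size)
    return [b for b in sampled if electronic[b] != paper[b]]

def margin_percent(record):
    """Winner's margin as a percentage of ballots, the figure that audit
    triggers are usually keyed to."""
    x = sum(c["X"] for c in record.values())
    y = sum(c["Y"] for c in record.values())
    return 100.0 * abs(x - y) / (x + y)
```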
The idea is pretty simple and it's called a Voter-Verifiable Paper Audit Trail (VVPAT): every time someone votes, the machine prints out a piece of paper with a record of that individual ballot. The critical thing about a VVPAT is that it has to be something the voter can see and check at the time they're casting their vote. A Voter-Verifiable Paper Audit Trail adds some kinds of protection, but there are still a number of pretty important criticisms.
First of all, since the VVPAT is completely controlled by the computer in the voting machine, if the computer's software is dishonest it could print paper records that don't match the voter's intent. If the voter doesn't check that these records are what they thought they would be, this creates the opportunity for the DRE to cheat and get away with it. Depending on the specifics of the design of the VVPAT mechanism, the DRE might try to print extra ballots when no one is there interacting with it, or it might try to cancel and replace the voter's ballot after the voter walks away.
Secondly, another problem has to do with the most common way of implementing a VVPAT, which is to use a cash-register-tape style paper printing device. This is economical but not particularly reliable or permanent: those records will fade away, or at least become very hard to read, if they are left out in the sun for too long. Some mechanisms even require the voter to open a door to look at the tape and see how their votes have been recorded.
The final problem with having a cash register style tape is similar to the problem with the Diebold memory cards: if you are not cutting the tape between each voter's vote, you have a record of all of the votes in the order they were cast, which means that someone who is watching the polling place and seeing who goes up to that particular machine can later look at the tape and figure out each person's choices.
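The ordering leak shared by the Diebold memory card and the uncut VVPAT tape, as an added example that is not from the report or its sources: ballots stored in cast order let an observer who noted the order of voters recover every choice, while writing them in a random order keeps the tally identical and leaves the observer with nothing to align. The voter sequence is constructed.

```python
import random
from collections import Counter

# Constructed sample: the order in which voters used one machine, as an
# observer at the polling place could note it, and what each of them cast.
CAST_SEQUENCE = [
    ("voter-01", "X"), ("voter-02", "Y"), ("voter-03", "X"),
    ("voter-04", "Z"), ("voter-05", "Y"), ("voter-06", "X"),
]

def store_in_cast_order(cast):
    """What the Diebold memory card and an uncut VVPAT tape do: the stored
    record preserves the order in which the ballots were cast."""
    return [choice for _, choice in cast]

def store_shuffled(cast, rng=None):
    """Mitigation: write the ballots in a random order so the stored record
    carries no information about cast order.  A seeded rng is only for
    reproducible demonstrations; a real system uses random.SystemRandom."""
    rng = rng or random.SystemRandom()
    choices = [choice for _, choice in cast]
    rng.shuffle(choices)
    return choices

def link_observed_order(observed_voters, stored):
    """The observer's attack: pair the i-th voter seen entering the booth with
    the i-th stored ballot.  Returns the guessed voter -> choice mapping."""
    return dict(zip(observed_voters, stored))

def linkage_accuracy(cast, stored):
    """Fraction of voters whose choice the order-based linkage gets right."""
    truth = dict(cast)
    guess = link_observed_order([voter for voter, _ in cast], stored)
    return sum(guess[v] == truth[v] for v in truth) / len(truth)

def tally(stored):
    """Both storage forms give identical totals: secrecy costs no accuracy."""
    return Counter(stored)
```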
For these reasons and some others, most researchers prefer precinct-count optical scan and consider the VVPAT to be a flawed security enhancement, but it's still probably better than a purely paperless DRE.