Thoughts on CA’s “Top to bottom” review

July 30th, 2007 by Richard Carback in: Security

If you didn’t already know, California’s Secretary of State Debra Bowen sanctioned tests of all of the certified systems being used in the state. They just posted the results a few days ago, and received some press about it from the NY Times and SF Chronicle.

The results of the red team tests are scary but not very surprising. It has been evident for years now that vendors on the whole build voting systems and then add on security features, and, as anyone who’s taken a class in computer security knows, that’s just not the way you do things. It was good to hear that Matt Bishop led the red teams; he’s written several books, and is probably one of the best you could get to do such testing.

There was a hearing about it all today, but I haven’t been able to access it. It appears to be a bandwidth issue (haven’t these people heard of YouTube?!), so hopefully it will be viewable soon.

In both of the press articles there appears to be this notion that the problems they found are somehow less valid because in the real world people wouldn’t have access to the same resources, or some procedure would protect the machines. The most egregious of those statements came from the SF Chronicle article:

Letting the hackers have the source codes, operating manuals and unlimited access to the voting machines “is like giving a burglar the keys to your house,” said Steve Weir, clerk-recorder of Contra Costa County and head of the state Association of Clerks and Election Officials.

Actually, it would be more like giving the burglar the lock, its manual, and other schematics, and asking them to pick it. Anyone in their right mind would conclude that if a burglar who was fairly good at picking locks couldn’t pick it, then it must be pretty secure (although this doesn’t guarantee it couldn’t be picked).

We are actually talking about two different premises: “Our attackers won’t know enough to do it”, and “Procedures will protect us”. The first is a variant of security through obscurity, and most people would say it’s a bad idea. I think that it is a particularly dangerous notion in the voting world because it is, by its very nature, an adversarial environment. This isn’t the CIA or NSA where most people have been vetted to be “on your side” with background checks and lie detector tests, particularly those in sensitive positions (and even then, these guys are watched carefully). In voting the vast majority of your workforce is volunteer, and what isn’t is a mixture of Democrats, Republicans, and others who are by no definition a fully cooperative group. This doesn’t even consider the leanings of the vendors.

The bottom line is that the attacks you need to look out for shouldn’t just be from the outside looking in. Security through obscurity is particularly weak in this environment because it is well known who has the information.

The other argument of “procedures will protect us” is also not so great because it depends on who’s following the procedures. In order for them to work, you need to be very explicit about starting fresh, what happens during the whole process, and how you end. Then, you need to define how oversight is done: is the person being recorded the whole time? Is there a person from another party watching? As you can imagine, this is a tedious process, and it is only as strong as its weakest link — what happens when the watchers cooperate with the watched, or when they aren’t watching?

As I said, the red team results weren’t surprising, but the accessibility report was pretty astonishing. From the report:

Although each of the tested voting systems included some accessibility accommodations, none met the accessibility requirements of current law and none performed satisfactorily in test voting by persons with a range of disabilities and alternate language needs.

Isn’t accessibility what the DREs were supposed to help with in the first place?
