1 / 56

Unsafe for any Ballot Count: South Carolina ’ s voting machines and their analysis

Unsafe for any Ballot Count: South Carolina ’ s voting machines and their analysis. Duncan A. Buell (and others) For the League of Women Voters of South Carolina. Technology. How much technology is too much technology?

phelan-mcmillan
Télécharger la présentation

Unsafe for any Ballot Count: South Carolina ’ s voting machines and their analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Unsafe for any Ballot Count:South Carolina’s voting machines and their analysis Duncan A. Buell (and others) For the League of Women Voters of South Carolina

  2. Technology How much technology is too much technology? What is the right way to apply technology given the constraints of the application? Follow links from www.lwvsc.org

  3. Source Material SC (Buell), 2013 of the November 6, 2012 election data SC (Buell/Hare/Heindel/Moore/LWVSC), 2011 of the November 2, 2010 election data Ohio, Dec 2007, study for the Sec’y of State Florida, 2007, study after the 2006 election Burr, Rivest, et al., for NIST Ohio, Nov 2003, study for the (previous) SoS California, 2007, study for the SoS Burr, Rivest, et al., for NIST Follow links from www.lwvsc.org

  4. Why is Vote-Counting Hard? An election is a one time event—no do-overs Hard to test the scaling-up to full size Highly distributed, largely independent, using volunteer workers Vulnerable to corruption Vulnerable to disruption Highly vulnerable to error

  5. Issues and Concerns Should voters get a receipt? Are ballots indeed secret? How do we accommodate persons with disabilities? How do we handle overvotes and undervotes? Are ballots “voter-verifiable”? Are ballots recountable and auditable? Can we audit the results?

  6. A Common Misconception A voting machine is NOTlike an ATM. (With money, there are laws, you have rights, there are receipts, and your money is somewhere.) A voting machine is much more like a slot machine. (What is your guarantee that the machine EVER pays out?)

  7. Voting Machines, ATMs, and the Internet A voting machine is NOTlike an ATM. (There are laws, you have rights, there are receipts, and your money is somewhere.) With elections, you have a complete right to privacy under most state laws; with ATMs, you are governed by the company’s decision on how much $ it can afford to lose A voting machine is much more like a slot machine. (What is your guarantee that the machine EVER pays out?)

  8. (Recent) History Florida’s hanging chads and butterfly ballot, 2000 HAVA (Help America’s Vote Act), 2002 Florida 13th congressional district election, 2006 Lots of complaints, some of which are known to be justified (Horry County 19 January 2008) and many of which are probably not justified. Richland County, 2012, with lines up to seven hours and 29 ballots cast after midnight…

  9. Electronic Voting Machines South Carolina: Election Systems and Software iVotronic DRE (Direct Recording Electronic) and Unity software/system for counting votes Operative study: EVEREST, submitted December 7, 2007, to the SoS of Ohio, done by UPenn and UC Santa Barbara EVEREST: the ES&S iVotronic systems “lack the fundamental technical controls necessary to guarantee a trustworthy election under operational conditions … from several pervasive, critical failures”

  10. ES&S iVotronics (From the Verified Voting website) Computer Science and Engineering 10 1 December 2014

  11. Something Will Have to Be Done Equipment is aging rapidly Our SC design is decades old The software is pre-2007 But what’s out there?

  12. Internet Voting Companies exist and sell software systems None has been publicly tested Election officials seem enamored of the idea Claim: increased turnout (false) Claim: increased young voter turnout (false) Claim: it can be secure (says who?) We could go to the moon, so surely …

  13. Estonia Does Internet Voting But no one tests the software Mandatory national ID card with an RSA key Vote often, only the last vote counts Does anyone much care about Estonia?

  14. Norway Did Internet Voting Software written for Norwegian municipal elections Idea was abandoned

  15. Canada Some municipal elections Some party caucuses Some disasters No increase in turnout

  16. South Carolina “Voters want to be able to vote using their personal electronic device, whether it’s a smartphone or an iPad or some other type of tablet. And I would like to see that incorporated into the next generation of voting systems.” (Marci Andino, Executive Director, South Carolina Election Commission, PCEA Hearing Testimony, Philadelphia, PA, at 12 (Sept. 4, 2013)) Can you say, “SC Department of Revenue”?

  17. STAR-Vote Travis County, Texas (Austin) Dana Debeauvoir, Clerk of Court And a cast of very smart people … Commodity hardware The paper is the official ballot Secure by design

  18. Los Angeles County Dean Logan, director of elections Ten million residents (2-1/2 times SC) Secure by design Paper is the official ballot

  19. Other Discredited Systems Diebold/Premier (RABA, Avi Rubin/JHU) Sequoia (Appel and Felten, Princeton) Nedap (Rop Gonggrip) There are no machines that have been tested by computer experts and have not been discredited.

  20. Voting Machine Testing All machines are tested by “Independent Testing Authorities” (ITAs) But there are only a few ITAs And one was decertified for falsifying tests And none test for “computer security” issues And the paper trail shows that the same problem can occur multiple times without being fixed, but with ITA certification

  21. The Issues Security—can the system be corrupted? Quality—can the system be trusted to be correct? Human factors—can the system function as it should under normal conditions?

  22. Security

  23. Security (page 29-30) “lack the fundamental technical controls necessary to guarantee a trustworthy election under operational conditions … from several pervasive, critical failures” “…we attempted to identify practical procedural safeguards that might substantially increase the security of the ES&S system in practice. We regret that we ultimately failed to find any such procedures that we could recommend with any degree of confidence.”

  24. Security (page 29-30) “The security failings of the ES&S system are severe and pervasive. There are exploitable weaknesses in virtually every election device and software module, and we found practical attacks that can be mounted by almost any participant in an election. For this reason, the team feels strongly that any prudent approach to security ES&S-based elections must include a substantial re-engineering of the software and firmware to make it ‘secure by design’.”

  25. Security Through Obscurity? The Palm Pilot emulates a PEB and can reset all passwords. (page 66)

  26. Security Through Obscurity? (page 52) “The mechanical locks supplied … were uniformly of very low-security designs that can easily be picked …” “For the first weeks of the project, we did not have the correct keys for much of the equipment; we frequently had to pick the locks in order to conduct our analysis.”

  27. Software Quality

  28. Software Quality • Writing bad, confusing, un-maintainable, and sloppy code is not that hard. • Writing clean, professional, maintainable, secure, code that is and secure and does exactly and only what it’s intended to do is very hard. • What we would simply mark off in a freshman’s work would be unacceptable from a senior.

  29. Software Quality “a visible lack of sound software … practices” “a buggy, unstable, and exploitable system”

  30. The ES&S System (page 84) • 515,000 lines of code • Nine programming languages • Four hardware platforms A large and complicated computer system by any standard

  31. Code Analysis (pp. 53ff, 83ff) All code modules have buffer overflow bugs. “Avoiding buffer overflow bugs in input processing is regarded as one of the most basic defenses a system must have.” About 63% of the code is in memory-unsafe programming languages. Compilation on Visual Studio 2005 fails unless one turns off modern security standards.

  32. Code Analysis (pp. 53ff, 83ff) Fortify (a standard code analysis program) finds hundreds of vulnerabilities in the source code, which indicates “that the vendor did not sufficiently validate their code.” In grading CSCE 240 undergraduate homework, I take off 20% for EACH use of a memory-unsafe function.

  33. Passwords (Florida excerpt) • Passwords are hard coded in the firmware, identical in every machine. • An undocumented back door exists. • “This represents poor practice” • “These passwords provide very little security.” • “poorly conceived and poorly implemented” • Passwords are coded in the clear in devices. • Crypto keys are stored in the clear.

  34. Passwords (Florida excerpt) “The Service Menu password, Clear and Test password, ECA password, and Upload Firmware password are three-letter case-insensitive passwords. Each one is chosen to be mnemonic and easy to remember. The problem is that they are also likely to be fairly easy to guess. They follow a memorable pattern. Someone who knows one of these passwords can probably guess what the other ones are without too much difficulty.”

  35. Ballot Image Randomization (page 73) • The iVotronic “uses a weak randomization procedure” that “does not properly randomize voter selections in its audit logs”. • Random number generation is a well-established mathematical and computational science. NIST even publishes a testing document and test suite (Publ. 800-22). • Failing to use proper, tested, RN generators is just unprofessional and sloppy.

  36. Software Quality Summary • These software problems are common in the code written by first-year students. • A first-year student’s A grade (for submitting code that ostensibly worked) would probably drop to a C for these errors. • A senior student’s A grade (for submitting code that ostensibly worked) would probably drop to an F.

  37. Human Factors

  38. Human Factors, 2010 Duncan Buell, Eleanor Hare, Frank Heindel, Chip Moore FOIA-d data from several counties, including Richland, Charleston, Colleton, Lancaster, Berkeley, Lexington, Sumter, Florence We have tried to reconcile the certified official counts with the counts that are supported by the data. We have yet to find a county whose numbers add up properly. :

  39. The Election Procedure Greenstripe master PEB to open and close all iVos Redstripe PEB for individual votes Closing causes event log and vote image file to be written to flash drive TOTALS (only) collected into PEB at closing PEB totals become paper tape total PEB totals are totalled at county HQ Results to be certified by Friday for a Tuesday election :

  40. Observed Failures (1) If two PEBs are used to close, then maybe only one has its data collected Ward 21, Richland County: 339 + 355 votes, only 339 counted Racepath Pct, Horry County: 114 votes not counted ?? Pct, Horry County: one machine not counted Given the audit data, we can detect this :

  41. Observed Failures (2) If terminals are not closed, their votes are not collected Bluff Pct, Richland County: six of eight machines not closed, 772 votes not counted Sumter County, cranky machine, and ES&S decided for South Carolina what constituted “a vote” Given audit data, we can detect this :

  42. Observed Failures (3) The procedure for tallying votes is basically to overlay a spreadsheet from the iVotronic onto a spreadsheet at the county level If the ballots are not configured the same (too many contests, too few?), then this fails Lancaster and Williamsburg counties failed complete in November 2010 Beaufort didn’t catch an error until we told them about it Given audit data, we can detect this :

  43. Observed Failures (4) If the flash memory cards are not collected, we don’t have data • Charleston never could find 25% of the data • Horry gave several different incorrect reports • Oconee only had 1/3 of the data • Bluff Pct, Richland County: six of eight machines not closed, 772 votes not counted Sumter County, cranky machine, and ES&S decided for South Carolina what constituted “a vote” Given audit data, we can detect this :

  44. What Did We Do? FOIA of EL68, EL68A, EL152, EL155 files Buell wrote programs, Chip Moore wrote programs We cannot actually check that the results are correct Essentially all we are doing is verifying consistency

  45. EL155 Vote Image File 5120350 5 * 10 Nikki R Haley GOVERNOR 5120350 5 15 Ken Ard LIEUTENANT GOVERNOR 5120350 5 19 Mark Hammond SECRETARY OF STATE 5120350 5 23 Curtis Loftis STATE TREASURER 5120350 5 27 Alan Wilson ATTORNEY GENERAL 5120350 5 31 Richard A Eckstrom COMPTROLLER GENERAL 5120350 5 36 Mick Zais STATE SUPERINTENDENT 5120350 5 42 Bob Livingston ADJUTANT GENERAL 5120350 5 45 Hugh Weathers COMMISSIONER OF AGRIC 5120350 5 50 Jim DeMint U.S. SENATOR 5120350 5 61 Jim Pratt CON0006 U.S. House of 5120350 5 70 W/I HENRY CAPSTANCE HOU074 State House of 5120350 5 73 W/I DAFFY DUCK 5TH CIRCUIT SOLICITOR 5120350 5 76 W/I JOHN DIXON PROBATE JUDGE 5120350 5 79 W/I MICKEY MOUSE COUNTY AUDITOR 5120350 5 82 W/I BOB BARKER COUNTY TREASURER 5120350 5 84 Mark W Huguley Soil and Water 5120350 5 90 W/I GEORGE WASHINGTON CCL0004 COUNTY COUNCIL 5120350 5 95 Joe Boyes SAL0001 RICHLAND COUN 5120350 5 99 Rob Tyson SCH0013 School Board 5126362 3 * 13 W/I JESSIE JOANNE SCHMITZ GOVERNOR 5126362 3 16 Ashley Cooper LIEUTENANT GOVERNOR 5126362 3 20 Marjorie L Johnson SECRETARY OF

  46. EL152 Event Log File 5121076 152523 SUP 11/02/2010 06:01:41 0002808 Terminal - opening state SUP 11/02/2010 06:02:30 0001303 Transfer PEB vote data to terminal ... SUP 11/02/2010 06:03:17 0001672 Terminal Opened SUP 11/02/2010 06:03:21 0001633 Terminal shutdown 104621 SUP 11/02/2010 06:11:54 0001510 Vote cast by voter 152604 SUP 11/02/2010 06:21:57 0001510 Vote cast by voter 5121076 153424 SUP 11/02/2010 17:47:05 0001510 Vote cast by voter SUP 11/02/2010 17:56:20 0001510 Vote cast by voter ... SUP 11/09/2010 14:30:03 0002810 Terminal - time to close voting SUP 11/09/2010 14:30:15 0001626 Close terminal SUP 11/09/2010 14:30:15 0002809 Terminal - closing state SUP 11/09/2010 14:30:15 0001221 Collect terminal vote data to PEB SUP 11/09/2010 14:30:44 0001303 Transfer PEB vote data to terminal SUP 11/09/2010 14:30:51 0001208 Merge terminal & PEB vote data SUP 11/09/2010 14:30:54 0002802 Terminal - open state SUP 11/09/2010 14:30:54 0002803 Terminal - closed state SUP 11/09/2010 14:30:54 0002809 Terminal - closing state SUP 11/09/2010 14:30:58 0001210 Transfer terminal vote data to PEB SUP 11/09/2010 14:31:24 0001211 Terminal votes to PEB successful SUP 11/09/2010 14:31:24 0001214 Transfer terminal writein data to PEB SUP 11/09/2010 14:31:36 0001215 Terminal write-in data to PEB successful SUP 11/09/2010 14:31:36 0001222 Terminal vote collection successful SUP 11/09/2010 14:31:36 0002803 Terminal - closed state SUP 11/09/2010 14:31:36 0001673 Terminal Closed SUP 11/09/2010 14:31:42 0001401 Copy terminal flash audit data to CF SUP 11/09/2010 14:31:42 0001400 Verify terminal flash audit data SUP 11/09/2010 14:31:50 0001416 Copy audit data from TF 1 to CF

  47. EL68A System Log File 11-02 09:28 pm START PACK ACCUMULATION (Replace Mode - restarting) 11-02 09:29 pm STOP PACK ACCUMULATION 11-02 09:39 pm PRC 0009 MANUAL ENTRY 11-02 09:40 pm STATS CANVASS - NUMBERED KEY WAS PRINTED TO LPT1 11-02 09:43 pm START PROCESS PEBS 11-02 09:43 pm PEB votes retrieved for P0153832 11-02 09:43 pm SPP file record created for P0153832 11-02 09:43 pm STOP PROCESS PEBS 11-02 09:43 pm iVotronic GROUP 3 SELECTED FOR UPDATE EQUIPMENT TYPE VTR - UPDATE PRECINCTS COUNTED:Y 11-02 09:44 pm START PACK ACCUMULATION (Replace Mode - restarting) 11-02 09:45 pm STOP PACK ACCUMULATION 11-02 09:45 pm CLEARED PEBS DATA 11-02 09:46 pm START PROCESS PEBS 11-02 09:46 pm PEB votes retrieved for P0153832 11-02 09:46 pm SPP file record created for P0153832 11-02 09:46 pm STOP PROCESS PEBS 11-02 09:46 pm iVotronic GROUP 3 SELECTED FOR UPDATE EQUIPMENT TYPE VTR - UPDATE PRECINCTS COUNTED:Y 11-02 09:46 pm START PACK ACCUMULATION (Replace Mode - restarting) 11-02 09:46 pm 0009-Time stamp mismatch (Reply was: Update) 11-02 09:46 pm PRC 0009 PACK RECEIVED VTR (BALS=340 TOT=375) 11-02 09:46 pm STOP PACK ACCUMULATION 11-02 09:47 pm STATS CANVASS - NUMBERED KEY WAS PRINTED TO LPT1

  48. Counting The actual votes come from the 155 Vote counts come also from the 152 Closing an iVo shows PEB closing serial number The 68A shows data uploaded from the PEBs The 68A shows memory card uploads Basically just a check and cross check

  49. LWVSC Press Release, 14 Feb 2011 http://www.lwvsc.org

  50. The State Newspaper

More Related