Cylance Discloses Voting Machine Vulnerability(blog.cylance.com) |
Typically, tamper seals that are identifiable as broken are placed on all access doors (including the power switch, data load slots, etc.), access panels, and openings on the device. All seals were verified intact before and after the election, and no voter was ever permitted in the back of the access panel where the firmware update would take place.
Before the machine starts, it gives a "zero" report which is verified independently by poll watchers, and confirms candidate choices are in place as needed. When the polls are closed, we seal everything again before the machines are sent back for reporting (at which point the seals are checked and verified prior to dumping results).
If this was really a damaging hack, the protective counter & live counters would show different numbers than what the machine read, but that didn't happen. It very clearly was tampered with, which means these physical measures would counteract any unwanted firmware updates during an election. It's preposterous to think that election judges aren't actively verifying seals during election day and making sure nobody is tampering with them.
I've been an election worker around the country and have never been in a jurisdiction that did seal checks during the election - only once at the beginning and once at the end. Granted, I've never been in a jurisdiction using DREs, but still.
I agree physical security is a defense here, but this just reiterates, to me, how dangerous DRE voting machines are.
I trust further checks were conducted higher up. But at our level, protocol was ignored.
I don't know how it worked when the machines were picked up for counting, but I assume similar measures were in place.
Edit: Also, poll watchers from both parties could observe our methods. Everyone had a vested interest in verifying that no tampering was taking place, even if that didn't include election workers.
The system doesn't have something in place typically that says "if (sealVoided) { throw out election }" it just means that additional precautions are taken to ensure everything is good. It's never a binary answer, unfortunately.
Breaking the external seals would put the device into the "needs further investigation" category. After the election the device would be inspected and the internal seals confirmed. If those were still intact, the results from the machine could be certified.
So for maximum impact make sure you go break the seal at the end of the day...
How many votes are stored on a single machine in a large district?
Plus an attack like this would be isolated to the single machine (not that it wouldn't be bad, but it wouldn't be applied in a distributed fashion).
If someone were to tamper with the seals on many of the machines, and they target precincts that tilt heavily in favor of one party or the other, couldn't they theoretically invalidate a lot of ballots that are likely to help their opponents?
All the seals can do is cast doubt on the results. You can't bring back the voters to try again. Even if you could, time has passed and they might vote differently. You could toss out the results, but that affects things too.
If you toss out the results, an example attack is: break the seals in areas with undesired voters
Similar attacks can be done if you call voters back. Maybe this allows for more-favorable hours or different media exposure.
I think I see the problem.
The machines themselves were sent back and dumped. I don't actually remember if we printed 2 copies of everything (such as a copy for someone to tally up too).
This all sounds complicated and insecure.
Why can you not just do paper voting with simple ballots, like in Canada?
Yes, you have 10x the people, but just get 10x the human counters and scrutineers. Counting is parallelizable.
We run elections and get accurate, verifiable results in the same day.
Ours aren't as nasty as yours are, and we still have better anti-fraud than you do, since every paper ballot can be counted, as many times as needed. And since the thing which is counted is the same physical thing which can be audited, we can always verify the results if anything goes wrong.
You've had some problems with your ballots 16 years ago, and we're not sure why you haven't fixed this by now. After all, you've gotten people to the moon and robots to Mars--surely you'd want a fair, verifiable presidential election? (Especially when one of the two candidates is, frankly, terrifying to all your friends around the world.)
Love, Canada
Fortunately, there are pretty simple policies we can enact to prevent fraud and give faith in elections (both in America, as well as other countries). If you care, I'd perhaps start at https://www.verifiedvoting.org/
In Germany, we get
(a) a paper ballot
(b) a pen
Works perfectly. And quickly.
- scaled reasonably down. Which allows polling places staffed by fewer people.
- allows a higher number of voting stations as only a low tech physical curtain is needed to ensure privacy.
- throughput is primarily limited by identity verification which takes a cross check of ID document and voting notification card that is mailed to any eligible person once they reach their 18th birthday.
Approaching vote counting as a mere technical problem that can be solved with enough technical safeguards misses the point. You cannot just ask a democracy to beta test vote counting and fix the bugs post-election - that will kill trust in the process.
Politics is polarised enough as is and you will find demagogues who will latch on to anything to reduce the legitimacy of an election.
It shouldn't even be up for discussion that trust and legitimacy are the most important goals in vote counting. Stick to paper voting and only introduce e-voting in parallel and not as the authoritative and final vote counting solution.
A somewhat outdated version of Windows is a common choice, as is some random non-LTS version of Ubuntu. I don't think OpenBSD is particularly popular among self-serve kiosk manufacturers.
Also, what happens if there's a random hardware/software glitch where incrementing one vote actually increments 10 votes? Is this checked for? How much reliance is there on the software and hardware being error free?
The problem is that the actual poll creation is done on a per-county basis. I don't know how you would do this in such a way that every random county and precinct in America could have signing keys, firmware updates, etc., just sitting around ready to roll to build elections with.
You mean creating and distributing the keys would be problematic if every county had their own keys? Are there any practical solutions to this?
Couldn't you only have a few keys that are used for many counties and updates should be verified and signed by multiple people? Each county could still verify the contents of the update was correct (e.g. correct names on the ballot).
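One way the scheme described above (a small set of central signing keys, updates approved by several people, each county checking the ballot contents itself) can be expressed in code. This is an added example, not code from the Cylance write-up or from any voting-machine vendor; it assumes an Ed25519 key per signer, a 2-of-3 threshold, a manifest digest that binds the firmware image to the ballot it was built for, and a county-side comparison of that ballot against what the county expects. The firmware bytes, candidate names and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Threshold is how many distinct trusted signers must approve an update
// (k of n). Assumed value for this example: 2 of 3.
const Threshold = 2

// Signature is one signer's Ed25519 signature over the manifest digest,
// tagged with that signer's index in the trusted key list.
type Signature struct {
	Signer int
	Sig    []byte
}

// manifestDigest binds the firmware image to the ballot it was built for,
// so a signature over one ballot cannot be replayed onto another.
// Each ballot entry is length-prefixed to avoid boundary ambiguity.
func manifestDigest(firmware []byte, ballot []string) []byte {
	h := sha256.New()
	h.Write([]byte("voting-fw-manifest-v1")) // assumed domain-separation tag
	h.Write(firmware)
	var lenbuf [4]byte
	for _, c := range ballot {
		binary.BigEndian.PutUint32(lenbuf[:], uint32(len(c)))
		h.Write(lenbuf[:])
		h.Write([]byte(c))
	}
	return h.Sum(nil)
}

// Sign is what one of the central signing parties does. The county never
// holds these private keys; it only holds the public key list.
func Sign(priv ed25519.PrivateKey, signer int, firmware []byte, ballot []string) Signature {
	return Signature{Signer: signer, Sig: ed25519.Sign(priv, manifestDigest(firmware, ballot))}
}

// VerifyUpdate is the county-side check: the ballot in the manifest must
// match what the county expects (names and order), and at least Threshold
// distinct trusted keys must have signed the digest. Repeated signatures
// from the same key count once, so one compromised signer cannot reach the
// threshold alone.
func VerifyUpdate(trusted []ed25519.PublicKey, firmware []byte, ballot, expected []string, sigs []Signature) error {
	if len(ballot) != len(expected) {
		return errors.New("ballot contents do not match the county's expected ballot")
	}
	for i := range ballot {
		if ballot[i] != expected[i] {
			return fmt.Errorf("ballot entry %d: got %q, want %q", i, ballot[i], expected[i])
		}
	}
	digest := manifestDigest(firmware, ballot)
	approved := make(map[int]bool)
	for _, s := range sigs {
		if s.Signer < 0 || s.Signer >= len(trusted) || approved[s.Signer] {
			continue
		}
		if ed25519.Verify(trusted[s.Signer], digest, s.Sig) {
			approved[s.Signer] = true
		}
	}
	if len(approved) < Threshold {
		return fmt.Errorf("only %d of %d required signers approved this update", len(approved), Threshold)
	}
	return nil
}

// Demo runs the cases a county would care about and reports which were
// accepted. Keys are generated fresh; firmware and ballot are constructed.
func Demo() map[string]bool {
	const n = 3
	pubs := make([]ed25519.PublicKey, n)
	privs := make([]ed25519.PrivateKey, n)
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pubs[i], privs[i] = pub, priv
	}
	firmware := []byte("constructed firmware image bytes")
	ballot := []string{"Candidate A", "Candidate B", "Measure 1"}

	twoSigs := []Signature{Sign(privs[0], 0, firmware, ballot), Sign(privs[2], 2, firmware, ballot)}
	oneSignerTwice := []Signature{Sign(privs[1], 1, firmware, ballot), Sign(privs[1], 1, firmware, ballot)}
	tampered := append([]byte(nil), firmware...)
	tampered[0] ^= 0xff // one flipped bit in the image invalidates every signature

	return map[string]bool{
		"valid_2_of_3":      VerifyUpdate(pubs, firmware, ballot, ballot, twoSigs) == nil,
		"same_signer_twice": VerifyUpdate(pubs, firmware, ballot, ballot, oneSignerTwice) == nil,
		"tampered_firmware": VerifyUpdate(pubs, tampered, ballot, ballot, twoSigs) == nil,
		"wrong_ballot":      VerifyUpdate(pubs, firmware, ballot, []string{"Candidate A", "Candidate C", "Measure 1"}, twoSigs) == nil,
	}
}

func main() {
	for name, ok := range Demo() {
		fmt.Printf("%-18s accepted=%v\n", name, ok)
	}
}
```

The point of the design is that the county needs no secret material at all, only a short list of public keys and its own copy of the expected ballot, which addresses the key-distribution worry in the comment above; what it cannot do is detect a firmware image that is correctly signed by enough colluding signers, which is why the paper trail discussed elsewhere in this thread still matters.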
as if I needed more of a reason to say "wow, this is rigged", now I see this!
I can't imagine how well this will go. November is a cake walk. January is where the fun starts.
As much as I like Canada's easily audited voting system, there's a good reason for the US to not use a simple way of counting votes: They don't have simple ballots. Rather than just voting for one MP, as we do, a typical American might be asked to vote for a President, a Senator, a Representative, yes/no on 17 state propositions, a State Senator, a State Representative, the BART Director, the City College of San Francisco Board of Trustees, the San Francisco Public Schools Board of Education, a Superior Court Judge, and yes/no on 25 city measures.
In order for those to be counted the same way as we do in Canada, you'd need to hand the voter a book of 51 ballots and have them dropped into 51 separate boxes...
Works fine for them. Why are other countries not going the same way.
There is a move in India to get all voting machines to print out your choice which the voter can drop into a ballot box.
Not sure if that is implemented yet. Surely something like that will work fine.
Sounds like an expensive printer
Plus, I don't get the mail in states. What's up with that? Why mess with a process that works?
Many districts use paper ballots with optical scanners but this is totally up to the discretion of the county/state.
During the very close presidential election of 2000, these voting machine issues clearly showed the need for electronic voting machine booths with the added feature of instant vote count.
The current problems that are appearing are temporary and fleeting. With enough time and research these problems will become obsolete and resolved.
But your point of paper ballots requiring greater participation of people is interesting. Indeed, when more people participate even in mundane and simple tasks, there is a healthy feeling that spreads among the community.
The hanging chad fiasco showed the need for following established procedures. Those particular machines had not been cleaned for multiple years. So the holes filled up. Preventing new votes from being cast.
The problem electronic voting machines solved was the vendors were envious of dot com valuations. The HAVA pork triggered a gold rush by the vendors, juicing their revenue and stock prices and exec payouts. The gear didn't actually solve any technical problems. They weren't even "accessible", which was their primary stated purpose.
Some places do - voting is handled at the state and county level, not federal. For example. I vote on paper in the county where I live.
> You've had some problems with your ballots 16 years ago, and we're not sure why you haven't fixed this by now.
Those were paper ballots, what you see now is largely an attempt to avoid similar multi-day challenges and recounts due to hanging chads and ambiguous markings on paper ballots.
More effective would be to preselect a precise number of votes for a few machines in a swing state, with totals just 3-4 percentage points higher than what polling indicates for that precinct. Email a few journalists before the election: "I'm an engineer working to hack the election for Clinton, but I'm sickened by it and I want to blow the whistle... attached are encrypted tallies for the voting machines we compromised in precinct XXX. I know we have a team in YYY and I think in ZZZ, but I wasn't able to get data for those machines out. Decryption keys will follow Nov 15th."
If I were Russia, I would arrange something so one or two polling stations end up casting many fraudulent votes for Clinton, just to call the entire election into question and give more ammo to the Trump campaign. Even if those instances had no serious impact on the results, the uncertainty alone could definitely cause significant civil turmoil.
https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...
I also found this slide deck from Ron Rivest interesting:
Auditability and Verifiability of Elections ACM-IEEE talk March 16, 2016
If stuxnet is possible, a voting machine should be a piece of cake.
I'm not familiar with seals used on voting machines but that's common in other "tamperproof container" scenarios.
That said, while I do agree the voting software should be open-source in principle, I'm not really as concerned with hackable bugs in that software that can only be exploited through physical means. If they have physical access to the machine like in this video then you're already shot - ideally you have preventive measures that will make it obvious when physical access has occurred. If you don't physically secure the machine, then it doesn't really matter how good the code is.
1. Open the box. 2. Dump the ballots onto the table. 3. Make sure the box is empty. 4. Pick up ballots one by one, say "this looks like a vote for "Mr. X", and place into the appropriate pile. 5. Count how many ballots are in each pile.
This particular process doesn't work if you have multiple choices on one ballot. I'm not saying that you can't use paper ballots for more complex elections -- you absolutely should, for the well-known verifiability reasons -- just that the counting process is never going to be as simple as the Canadian (or UK) process.
There was a court argument over the use of scales by some municipalities. The scales are used to weigh piles of votes to determine vote count. So ballots with multiple questions are cut, sorted, then weighed. I'm looking into lead pens to give my vote more weight :-)
The law in California[0] guarantees you the right to vote even if you are scheduled that day. You can take up to two hours off the beginning or end of your shift to vote if necessary. For other states...[1]
[0]: CEC§14000 http://www.leginfo.ca.gov/cgi-bin/displaycode?section=elec&g...
What mechanism, if any, is in place to prevent voters from being coerced or bribed to cast their vote a particular way? This is the traditional reason for using in-person voting rather than mailed ballots; if you can't show someone how you voted, they can't bribe or coerce you.
(Maybe the answer is "there is no mechanism", but increasing the ease of voting is considered more important than protecting the system from coercion and bribery. Not a tradeoff I would make, but I can see that some people would support that.)
If I'm coerced into voting a particular way on my mail-in ballot, I can go to the polling place on Election Day and fill out a provisional ballot that will be counted in place of my coerced ballot. Not perfect, but this year it allows me to vote even though I'm out of the state next week.
Every state has provisions for absentee voting, and 3/4 allow early voting in person.
[1] https://www.sos.wa.gov/elections/general-election-faqs.aspx
[2] https://www.sos.wa.gov/elections/faq_vote_by_mail.aspx
[3] http://www.kingcounty.gov/depts/elections/how-to-vote/ballot...
[4] https://info.kingcounty.gov/elections/ballottracker.aspx
EDIT: Note that we use these machines with an optional paper-printout add-on, and they're a non-default option mostly used to increase ballot accessibility - most people vote on paper ballots that are fed into a scanner on-site, so the scanner results can be cross-checked against the physical ballots in case of a disputed result.
The main intent of all the security measures is that any such tampering be obvious, and that it be clear whose votes (or at least, which precincts' votes) were compromised.
It's also sometimes possible to do this to digital records without ever being physically present in their vicinity. Once again, this is much harder with paper.
Contrast that with a group of just 1-3 techies.
Question: What constitutes a Democrat or a Republican? Is registering as one enough? What guarantee is there people aren't lying about the parties they identify with?
You, when you volunteer to work at the polls or as a party observer, thereby increasing the redundancy of the checks.
what else could be done to further vet volunteers? you can't interrogate people or drug them with serums for the truth, so I think it's safe to assume registering is enough.
so, to answer your question, I doubt there is any "guarantee" other than the fact that these are volunteers and you'd have to be a real idiot to falsely register to ensure you can tilt the scales...of bipartisan pairs of Arapahoe County poll volunteers.
Well, obviously. But the risk can be high or low, right? You could either let any random voter you don't know walk in and become a volunteer after filling out a form, or you could let maybe ~50 people that the party's head/nominee personally trust pick a set of volunteers nationally based on e.g. personal knowledge or some concrete evidences of their past contributions and allegiance to the party. Or something else; there are lots of possibilities here. So I'm asking what the criteria are so I can understand how likely it is for something to go wrong here... I obviously understand nothing 100% bulletproof, so there's no need to point that out.
I don't know, but you seem to be completely ignoring my point. I'm trying to figure out the probability of this happening. I'm NOT trying to figure out what to do after this happens.