
BBV - Stunning flaws found in ITA certifiers

This topic is archived.
 
BevHarris Donating Member (1000+ posts) Fri May-07-04 09:37 AM
Original message
BBV - Stunning flaws found in ITA certifiers
Full editorial: http://www.blackboxvoting.org

Stunning Flaws Found in the Certification Model Used to Approve Voting Systems

Does anyone find it peculiar that, after reports like the RABA report (http://www.raba.com/press/TA_Report_AccuVote.pdf), the CompuWare report (http://www.sos.state.oh.us/sos/hava/files/compuware.pdf), the SAIC report (http://www.dbm.maryland.gov/dbm_search/technology/toc_voting_system_report/votingsystemreportfinal.pdf) and the original report by Avi Rubin, et al. (http://avirubin.com/vote), reports which show that software with "stunning, stunning security flaws" (hey, the New York Times said it, not me) — and after two devastating reports demonstrating flaws with Diebold (http://www.blackboxvoting.org/access-diebold.htm) and Sequoia (http://www.blackboxvoting.org/sequoia-voting.htm) central count systems — after all this, we are allowing the manufacturers to send their "corrected" software versions right back to the same certification labs for approval?

- "328 security flaws, 26 deemed 'critical'" — SAIC report.
- All four major manufacturers found to have critical security flaws — Compuware Report
- Hacked in 5 minutes, left no trace — RABA report
- Wyle labs admits to certifying Sequoia software despite known flaws — discovery materials from a recent lawsuit

Hey. Guys? Why are we sending the "new and improved" versions right back to the same places that missed all the problems the first time around?

Under the Help America Vote Act (HAVA), we were supposed to revamp certification procedures. Nice idea, but they failed to fund it.

I've been saying for many months now that what we have is an auditing problem, not a certification problem. We've been using the wrong model to ensure the integrity of our elections. We can examine source code until we're blue in the face, but (even with a voter verified paper ballot) that won't provide the safeguards we need. What we have to do is use that ballot to verify the correctness of the election results, and we need to run reports to compare the vote totals as they travel through the system.

This is called auditing. It's not rocket science. It's not computer science either. It involves things like: Comparing the paper ballots against the voting machine totals; comparing the polling machine totals against the central count machine totals; using business reply mail (best) or postal receipts, to compare the number of absentee ballots received with the number counted.

I received this in an e-mail today, and it speaks directly to our flawed certification model:

"A programmer friend gave me an interesting website (http://www.acm.org/classics/sep95/) to look at the other day...Mr. Thompson is the co-creator of an operating system called UNIX...what he did was reveal to the world that for 15 years UNIX had a bug. The bug was installed by him when he wrote the code and it allowed him to override any password protection by his unique knowledge of the key. For all those years he had waited for someone to question his implanted bug and no one ever did, so he dropped it on his peers at this award ceremony.

"His quote from this presentation pretty much tells the whole story...No amount of source-level verification or scrutiny will protect you from using untrusted code."

Think open source will solve it? Open source, which is the equivalent of writing the program in the town square, in plain view of all the computer programmers in the world who care to watch, is important. It can tell us if someone slipped something undesirable into the code.

Open source code, though, won't guarantee that the program is secure. Linux was compromised at one time simply by adding the "=" sign into one of the many thousands of code lines. That went undetected, and there are probably more eyes on Linux than any other program in the world.

Counting votes is just bookkeeping. As in accounting, we may use a computer to help us, but the computer can't dictate the procedures. Certification won't save us, but sensible, publicly observed, appropriately chosen auditing procedures will restore trust quickly.
TahitiNut Donating Member (1000+ posts) Fri May-07-04 09:54 AM
Response to Original message
1. Error/fraud DETECTION and CORRECTION
You've totally NAILED IT when you say: "I've been saying for many months now that what we have is an auditing problem, not a certification problem."

Absolutely!

How the hell can we even have confidence these systems work if they don't accommodate any kind of error detection?
 
leftchick Donating Member (1000+ posts) Fri May-07-04 10:00 AM
Response to Original message
2. Hey Bev, I saw you on Lou Dobbs last night!
Great job, though your time was too short you packed in the message!

Yes I find what you have posted extremely peculiar. Why can we audit everything else in our lives but our vote? That is UNAMERICAN!
 
uberotto Donating Member (589 posts) Fri May-07-04 10:30 AM
Response to Original message
3. I mostly agree, but...
Edited on Fri May-07-04 10:35 AM by uberotto
As to the back door in UNIX:

"Ken Thompson has since confirmed that this hack was implemented and that the Trojan Horse code did appear in the login binary of a Unix Support group machine. Ken says the crocked compiler was never distributed."
( http://www.houghi.org/jargon/back-door.php )

As for Open Source, you are correct. It isn't going to solve all of the problems. But who would you trust most, a Magician who only performs on TV in front of the show's producers and cameramen, or a Magician who performs in public in front of anyone who cares to watch what he is doing? In both cases an illusion is being created, but with the TV magician you aren't really sure who is performing the illusion.

Absolute security is an illusion. Absolute security cannot be guaranteed through Auditing or through Open Source. The question is, at what point do you start feeling comfortable with the quality of the illusion. My feeling is that with Open Source comes Open Auditing, and with these two combined, I start to reach a certain comfort level with the illusion being performed.

There is, as you pointed out, still the problem of who is counting the votes, how they are counted and how the numbers are verified to be reasonably accurate.
 
BevHarris Donating Member (1000+ posts) Fri May-07-04 10:57 AM
Response to Reply #3
4. Don't get me wrong: I'm for open source
For example, open source would show us if they were tracking votes and removing privacy -- and simply auditing the correctness of the count could not reveal that.

But the FIRST thing we need to do is audit. The fight for auditing can be quick, cheap. As long as we have paper ballots, the other audit steps are simple -- basically, run a report, compare it.

I know some computer folks consider this fight their baby, but I find that some of these scientists, because they don't understand simple auditing concepts, try to reinvent the wheel, sometimes don't understand simple procedures and suggest replacing them with procedures that are incorrect, or spend a lot of time refocusing the problem into computer code.

Just yesterday, in response to my editorial saying we need to run reports from polling place machines to compare them with central count machines, a computer scientist (twice!) responded by saying he disagreed, because that was cumbersome, and he recommended to a whole listserv that instead we just post the central count reports on the Internet where everyone can get them easily. He completely missed the point.

Last summer, talking to some of the most famous computer guys in the voting issue, they were still saying it was okay to have two sets of books and it was okay to be able to have them mismatch. What they didn't understand is this: In accounting, the integrity of the data is dependent on not having extra sets of books floating around. What was particularly troublesome about these computer guys' analysis: At issue was that the GEMS program pulled the totals from one set of books but spot checked from another set of books. Very, very dangerous. A prescription for fraud. But they kept looking at it as a computer problem and, worse yet, said this stuff in public with academic credentials behind it. The subtlety that most people missed: Their credentials did not include auditing.

Just received this email:

"My favorite simple story is The Emperor's New Clothes. Sometimes the obvious such as improving and still not relying on the certification process is not in great demand.

"In the 1980's Roy Saltman of NIST (then the National Bureau of Standards) wrote a paper on computerized voting.

"His principal thesis (paraphrasing) was that vote management is accounting just like with money. At the appropriate time before an election a vote is deposited in the account of every eligible voter for each qualified office and question. That vote must be tracked through the election with no loss of control (chain of evidence)."

from John Medcalf, CEO of VOTEC Corp

John, and Roy Saltman, are dead-on.

Bev



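The comparison described in the original message and again in reply #4 (paper ballots against polling-place machine totals, polling-place totals against central-count totals), as an added example that is not part of any post in this thread. The stage names, precinct IDs and vote counts are constructed for illustration.

```python
from collections import namedtuple

# One audit finding: two stages ("sets of books") disagree on a line item.
Finding = namedtuple("Finding", "precinct choice stage_a stage_b count_a count_b")

def reconcile(stages):
    """Compare totals between each consecutive pair of stages.

    stages: ordered list of (stage_name, {precinct: {choice: votes}}).
    A precinct or choice missing from one stage is reported with a count
    of None; it is never silently treated as zero.
    """
    findings = []
    for (name_a, a), (name_b, b) in zip(stages, stages[1:]):
        for precinct in sorted(set(a) | set(b)):
            pa, pb = a.get(precinct), b.get(precinct)
            if pa is None or pb is None:
                # Whole precinct absent from one set of books.
                findings.append(Finding(
                    precinct, "*", name_a, name_b,
                    None if pa is None else sum(pa.values()),
                    None if pb is None else sum(pb.values())))
                continue
            for choice in sorted(set(pa) | set(pb)):
                if pa.get(choice) != pb.get(choice):
                    findings.append(Finding(precinct, choice, name_a, name_b,
                                            pa.get(choice), pb.get(choice)))
    return findings

# Constructed sample data (not from any real election).
PAPER = {"P1": {"A": 120, "B": 95}, "P2": {"A": 80, "B": 101}, "P3": {"A": 60, "B": 61}}
POLL_TAPE = {"P1": {"A": 120, "B": 95}, "P2": {"A": 80, "B": 101}, "P3": {"A": 60, "B": 61}}
# P2 has 10 votes moved from B to A (precinct total unchanged); P3 never arrived.
CENTRAL = {"P1": {"A": 120, "B": 95}, "P2": {"A": 90, "B": 91}}

def run_audit():
    return reconcile([("paper ballots", PAPER),
                      ("polling-place tape", POLL_TAPE),
                      ("central count", CENTRAL)])

if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.precinct} {f.choice}: {f.stage_a}={f.count_a} vs {f.stage_b}={f.count_b}")
```

The P2 case keeps the precinct's ballot total at 181 in both stages, so a check on ballot counts alone would pass; only the per-choice comparison surfaces it.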
 
BevHarris Donating Member (1000+ posts) Fri May-07-04 11:55 AM
Response to Original message
5. Some subtle corrections, thanks to you guys:
Edited on Fri May-07-04 11:57 AM by BevHarris
The UNIX code wasn't in there for 15 years, but he'd designed it and shown it could be done. Adjusted the web page to say:

"It gets kind of technical but what he did was reveal to the world that he'd figured out how to get a bug into UNIX, a bug which allowed him to override any password protection by his unique knowledge of the key. It was a bug that would be diabolically hard to track down if done well."

The Linux hack involved deleting the = sign, not adding it, and though it was detected, it survived several passes and a more clever insertion could have gotten it clean through. Adjusted web page to say:

"Open source code, though, won't guarantee that the program is secure. Linux was compromised at one time simply by deleting the "=" sign in one of the many thousands of code lines. It took multiple passes of inspection before someone spotted the change. One senior programmer remarked he had looked right at it and did not see it because it was so cleverly subtle. This bug was found before the code branch was merged into the main Linux branch, but it was a close call, and if the hacker had been a bit more clever, compromising a developer's copy (or if the bug had been put in by one of the developers) it might have gone undetected for a very long time."

Thanks!
 