Guest Blogged by John Washburn
The public portions of the top-to-bottom review published by California last week have rightly been the subject of banner headlines. A report from the University of Connecticut, entitled “Integrity Vulnerabilities in the Diebold TSx Voting Terminal” and released a few days earlier with not quite as much fanfare, provides an excellent counter to the oft-repeated vendor talking point that the California testing is similar to “giving keys to a thief.”
The University of Connecticut report is immune to this specious argument. The University of Connecticut team had no access to source code or to any information which was not publicly available. These limitations are precisely what all three vendors defined as “realistic” in their testimony in California at the public hearing on Monday, July 30, 2007. Yet, under these vendor-approved conditions, the University of Connecticut found yet another set of new, serious, and election-altering defects and was able to exploit them in a disturbingly effective manner.
The primary finding of the report is that in a “sleepover” situation, where the TSx DRE is sent home with the poll worker days (or, in the case of San Diego, weeks) ahead of time, it is possible to alter the ballot definitions of the DRE. The alteration creates behavior in which the votes for two candidates are exchanged. Thus, the voter touches the screen next to the name of John Smith, the screen lights up the selection for John Smith, the voter verifiable paper audit trail prints the name John Smith, but, nonetheless, the invisible electronic ballot accrues the vote to Pocahontas. Similarly, voters intending to vote for Pocahontas would have their votes accrue to John Smith. This is a straight-up exchange of votes between two candidates.
The report also mentions how to suppress the display of a given candidate.
This exploit manipulates the ballot definition and nothing else. The successful exploits in the UCONN report take advantage of the fact that the ballot definition is split between the election database and the display portion stored in the .XTR files, without corresponding mechanisms to maintain referential integrity between the two halves of the ballot definition. The election database portion of the ballot definition controls how votes accrue to candidates based on the ballot line. The display portion of the ballot definition controls how names are printed on the screen and on the VVPAT record based on the ballot line. Both exploits introduce a referential integrity break between these two halves of the ballot definition.
In the example above, the election database has Pocahontas and Smith on ballot lines 5 and 20, respectively. By swapping the .XTR files, the display portion of the ballot definition has Pocahontas on ballot line 20 and Smith on ballot line 5. Thus, a screen touch on ballot line 5 accrues a vote to the candidate assigned to ballot line 5. According to the election database portion of the ballot definition, this is Pocahontas. The screen and VVPAT print the name associated with ballot line 5. According to the display portion of the ballot definition (the .XTR files), this is Smith. Thus, both the screen and VVPAT say Smith, but the vote on the invisible electronic ballot actually accrues to Pocahontas.
- IF a VVPAT trail exists, and
- IF the VVPAT trail is undamaged, and
- IF an audit is actually performed,

then, and only then, would a careful audit of the VVPAT audit trail discover this manipulation of the ballot definition.
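The two-halves split described above, and the audit conditions just listed, can be modeled in a few lines. The following is an added example written for this post; it is not code from the UCONN report or from the vendor. It assumes a hypothetical election-office key (ELECTION_KEY) and election identifier (ELECTION_ID), both constructed here, and stands in for the .XTR files with a plain dictionary. It shows three things: that a swapped display half makes the electronic tally disagree with the VVPAT tally while every individual screen and printout still looks right; that a 128-bit integrity tag computed over the candidate name alone travels with the swapped record and so detects nothing; and that a tag bound to the ballot line and the election fails verification after the same swap, which is the referential-integrity check the report says is missing.

```python
import hashlib
import hmac
from collections import Counter

# Constructed values for this example: a key the election office would hold
# and an election identifier. Neither is a real vendor value.
ELECTION_KEY = b"example-election-office-key"
ELECTION_ID = "example-election-2007"

# Election-database half of the ballot definition: ballot line -> candidate
# to whom a touch on that line accrues.
DB_BALLOT = {5: "Pocahontas", 20: "John Smith"}

# Display half (standing in for the .XTR files): ballot line -> name shown on
# the screen and printed on the VVPAT. The second dict models swapped files.
DISPLAY_OK = {5: "Pocahontas", 20: "John Smith"}
DISPLAY_SWAPPED = {5: "John Smith", 20: "Pocahontas"}


def tag_name_only(name):
    """128-bit HMAC over the candidate name alone (the weak form)."""
    return hmac.new(ELECTION_KEY, name.encode(), hashlib.sha256).digest()[:16]


def tag_bound(line, name):
    """128-bit HMAC binding the name to its ballot line and the election."""
    msg = f"{ELECTION_ID}|{line}|{name}".encode()
    return hmac.new(ELECTION_KEY, msg, hashlib.sha256).digest()[:16]


def sign_display(display, bound):
    """Attach an integrity tag to each display record."""
    return {
        line: (name, tag_bound(line, name) if bound else tag_name_only(name))
        for line, name in display.items()
    }


def swap_display_records(signed, line_a, line_b):
    """Model a file swap: the whole record (name + tag) changes ballot line."""
    swapped = dict(signed)
    swapped[line_a], swapped[line_b] = signed[line_b], signed[line_a]
    return swapped


def verify_display(signed, bound):
    """Return True if every display record carries a valid tag for its line."""
    for line, (name, tag) in signed.items():
        expected = tag_bound(line, name) if bound else tag_name_only(name)
        if not hmac.compare_digest(tag, expected):
            return False
    return True


def tally(display, intended_votes):
    """Simulate voters who touch the line showing their intended candidate.

    Returns (electronic_tally, vvpat_tally): the electronic ballot accrues by
    DB_BALLOT, while the VVPAT prints the display name for the same line.
    """
    electronic, vvpat = Counter(), Counter()
    for intended in intended_votes:
        line = next(l for l, shown in display.items() if shown == intended)
        vvpat[display[line]] += 1
        electronic[DB_BALLOT[line]] += 1
    return dict(electronic), dict(vvpat)


def audit_agrees(electronic, vvpat):
    """A VVPAT audit compares the paper tally with the electronic tally."""
    return electronic == vvpat


if __name__ == "__main__":
    votes = ["John Smith", "John Smith", "Pocahontas"]
    for label, display in (("intact", DISPLAY_OK), ("swapped", DISPLAY_SWAPPED)):
        e, v = tally(display, votes)
        print(f"{label}: electronic={e} vvpat={v} audit_agrees={audit_agrees(e, v)}")
    for bound in (False, True):
        signed = swap_display_records(sign_display(DISPLAY_OK, bound), 5, 20)
        print(f"tag bound to line={bound}: swap detected={not verify_display(signed, bound)}")
```

Note what the simulation makes concrete: the per-voter records (screen, VVPAT) are internally consistent in both runs, and only the aggregate comparison between paper and electronic tallies exposes the swapped configuration, which is why the three IF conditions above all have to hold. The bound tag is a mitigation the terminal could apply at boot, before any audit is needed.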
The needed tools for either of these exploits are:
1) A laptop with a PCMCIA card reader,
2) One of the following three: a screwdriver, lock-picking skills, or a hotel mini-bar key, and
3) The desire to “take one for the team” and commit a felony to further your candidate.
It must be stressed again that this all was discovered with nothing more than access to the DRE machine. This examination was under vendor-approved conditions. There was no access to any information an election official would not normally have or any information which a determined citizen could not find out during a DRE sleepover prior to an election.
The takeaway here is that if you can poison the well, that is, the computer programming and/or configuration files in the DRE, then everything which proceeds from the DRE is potentially corrupted as well. The UCONN report demonstrates that the Diebold TSx DRE can produce consistent election records that are not accurate election records.
Thank you John for blogging this; this is especially noteworthy since -at least in San Diego- poll workers do not undergo background checks.
It seems to me that, where VVPAT’s are concerned, it isn’t simply a case of “not enough.” Any reliance on the placebo of toilet paper actively makes matters worse, not better.
Great report, John. And deeply disturbing.
Thanks for such a clear description of the problem and the implications. Just think–millions could be spent “verifying” this system, source code, etc.–and yet just a small period of unsupervised time with one of the machines could turn around an entire election in some circumstances. And if you had access to several machines, or many machines (e.g. partisan poll workers), there’s no telling what might happen.
Background checks would be no help. Most white-collar criminals appear quite respectable and probably wouldn’t have criminal records that would arouse suspicion.
The root cause of this exploit is found on page 4 in section 2.2.2
Election Data and Database File: Each candidate name (in an RTF file) is packaged with a 128 bit integrity check, however, these are not used correctly. [emphasis mine]
Good, well implemented cryptography is hard to get right even for competent, experienced programmers.
Bruce Schneier has an excellent article on this entitled: “Why Cryptography Is Harder Than It Looks”
“Thus, the voter touches the screen next to name of John Smith, the screen lights up the selection for John Smith, the voter verifiable paper audit trail prints the name John Smith, but, none the less, the invisible electronic ballot accrues the vote to Pocahontas.”
I said this a couple of articles back. You touch a screen where it says “Kerry”, the inside electronics tabulate +1 for Bush, and the paper prints out that you voted for Kerry. Paper trails do not prove ANYTHING!
There are THREE distinct things, unlike paper ballots. 1) the screen 2) the inside of the machine 3) the printout. THREE DIFFERENT THINGS!
The screen isn’t the paper printout. The inside isn’t the screen, and the paper printout is not the inside electronics. You have to be an IDIOT not to realise this!
Theoretically, 10 people can touch the screen where it says “Kerry”, it can print out 10 “Kerry” printout receipts, and register 10 votes for “Bush” inside!!!
YOU DON’T KNOW WHAT’S GOING ON INSIDE THE MACHINE!
Furthermore, inside the machine you don’t even see any NUMBERS! It’s all electronics!
This is why Digital Pen Voting is such a great way to vote. See http://www.votingindustry.com for a Youtube video of this. It’s PAPER based, and unlike Optical Scan (that so many of you are enamored with), it SHOWS you how the machine has interpreted your results. With OpScan it sucks it in and you have NO IDEA what it did.
The time is now for a new technology!!! View it!!
… Chris Wilson gushed…
“… it SHOWS you how the machine has interpreted your results.”
No. It shows you what it wishes you to think it interpreted the results as.
Then it tabulates your ballot as a straight-party ticket for the NeoPNAC Alliance.
Upon the winning 98.6% of the popular vote the new Neo Project for the Neko American Century government of America then launches a pre-emptive strike by invading and occupying the Akihabara district in Japan… where it spends 9 billion dollars a month in Nekomimi Maid and Butler Cafes.
Humor aside, you are obviously unclear on the concepts involved here… and in your position you can’t afford to be.
By the way ZAPKITTY, it’s TRUE that it isn’t PROOF of how you voted. NOTHING (Let me repeat, NOTHING, does that). Not even hand counted paper ballots counted in the precinct will do that–think about it.
But instead, dude, you are happy with optical scan systems that suck the paper in and you are DONE–no confirmation of how it was marked. Again, it isn’t PROOF. Nothing does that. By the way, I’ve been in this game for a LONG LONG time and I have worked in election offices and in the election vendor community. I know it inside and out, and I’m afraid you are a Luddite. See my site for my qualifications; I know they are better than yours.
C. Wilson http://www.votingindustry.com