As many readers have probably already heard (I’m a bit behind in writing about this two-day-old story), there’s been another “leak” of the Diebold voting software. There’s some disagreement as to whether the software that was released is still in use, but even if it isn’t the latest version, it is difficult to believe that it doesn’t share a great deal of code with the latest stuff. You don’t just go replacing software like that wholesale; it would be prohibitively expensive.
While I should think that the camel’s back would have collapsed under all the straws some time ago, this is yet another reminder that the way we are going about automating voting is fundamentally broken. Diebold is, at this point, just rearranging the deck chairs on its rapidly sinking ship. Any security expert worth listening to could have told you that secrecy of the sort practiced by Diebold and Microsoft (the author of the underlying systems used by Diebold) is not just an inadequate way to maintain the security and integrity of these systems, it actually makes matters worse because of the unwarranted trust that people place in them. As security expert Bruce Schneier wrote in an essay a couple of years ago, “Secrecy prevents people from assessing their own risks.” Moreover, if the security of a system depends on secrecy, then the unauthorized disclosure of the secret renders the system utterly worthless. But with millions of dollars invested in something like the Diebold voting system, people are reluctant to just toss it away, and think (or hope) that the problem can be fixed by changing the system just enough to make it work differently than what was disclosed. Anyone who thinks about this just a little, however, would immediately see the fallacy: All this does is start the cycle over again.
In another essay specifically about electronic voting, Schneier wrote,
Software used on DRE machines must be open to public scrutiny. This also has two functions. One, it allows any interested party to examine the software and find bugs, which can then be corrected. This public analysis improves security. And two, it increases public confidence in the voting process. If the software is public, no one can insinuate that the voting system has unfairness built into the code. (Companies that make these machines regularly argue that they need to keep their software secret for security reasons. Don’t believe them. In this instance, secrecy has nothing to do with security.)
What he doesn’t bother to add is that the secrecy has everything to do with money: companies such as Microsoft and Diebold depend on the secrecy of their code to keep other people from using it for free. But to my mind, that is little more than a persuasive argument that proprietary code should never be used for a voting system.
Also from that essay,
Proponents of DREs often point to successful elections as “proof” that the systems work. That completely misses the point. The fear is that errors in the software — either accidental or deliberately introduced — can undetectably alter the final tallies. An election without any detected problems is no more a proof the system is reliable and secure than a night that no one broke into your house is proof that your door locks work. Maybe no one tried, or maybe someone tried and succeeded…and you don’t know it.
That, of course, isn’t the half of it. As we have seen in previous elections, even pervasive reports of system failure aren’t enough to convince people to abandon this technology. Schneier again:
In Fairfax County, VA, in 2003, a programming error in the electronic voting machines caused them to mysteriously subtract 100 votes from one particular candidate’s totals.
In San Bernardino County, CA in 2001, a programming error caused the computer to look for votes in the wrong portion of the ballot in 33 local elections, which meant that no votes registered on those ballots for that election. A recount was done by hand.
In Volusia County, FL in 2000, an electronic voting machine gave Al Gore a final vote count of negative 16,022 votes.
The 2003 election in Boone County, IA, had the electronic vote-counting equipment showing that more than 140,000 votes had been cast in the Nov. 4 municipal elections. The county has only 50,000 residents and less than half of them were eligible to vote in this election.
There are literally hundreds of similar stories.
Nor is there any shortage of fundamental cluelessness (or possibly disingenuousness) on the part of the manufacturer. From one of Schneier’s blog entries:
Diebold Doesn’t Get It
This quote sums up nicely why Diebold should not be trusted to secure election machines:
David Bear, a spokesman for Diebold Election Systems, said the potential risk existed because the company’s technicians had intentionally built the machines in such a way that election officials would be able to update their systems in years ahead.
“For there to be a problem here, you’re basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software,” he said. “I don’t believe these evil elections people exist.”
If you can’t get the threat model right, you can’t hope to secure the system.
Anyway, as for this week’s story:
Robert McMillan reports in IDG via Computerworld:
October 21, 2006 (IDG News Service) — Source code to Diebold Election Systems Inc. voting machines has been leaked once again.
On Wednesday, former Maryland state legislator Cheryl C. Kagan was anonymously given disks containing source code to Diebold’s BallotStation and GEMS (Global Election Management System) tabulation software used in the 2004 elections. Kagan, a well-known critic of electronic voting, is Executive Director of the Carl M. Freeman Foundation, a philanthropic organization based in Olney, Maryland.
The disks were created and distributed by two federal voting machine testing labs run by Ciber Inc. and Wyle Laboratories Inc. They had been testing systems on behalf of the state of Maryland, Diebold said in a statement.
[Avi] Rubin, who was shown the latest source code by a reporter at the Washington Post, said that it appeared to be “just another version” of the code that was published in 2003.
The disks came with a letter that was highly critical of Maryland State Administrator of Elections Linda Lamone, Rubin said on his blog. “It read like it was from somebody with a very, very serious axe to grind,” he said. “It was one of the more outlandish things I’ve read.”
Rubin believes the disks were given to Kagan because of her past criticism of electronic voting machines. “I guess whoever did this knew she would pursue it doggedly, which she did.”
More from Avi Rubin’s blog,
The disks contained source code for the BallotStation software, which is the software on the voting machine, and what was labeled as GEMS, which is the back end tabulation system. The GEMS disks were password protected, and while I’m certain we could have cracked them, we chose not to. The BallotStation source code was not protected at all. It was the 2004 version, which is newer than the source code we analyzed in 2003, and appears to be slightly later than the version analyzed by the Princeton team. I would love the opportunity to perform a similar analysis on this code, but yesterday, we were only given the opportunity to inspect the code to determine whether it was genuine.
Jake Tapper, Rebecca Abrahams and Eduardo Sunol report in ABC News,
Diebold, the company that makes the voting machines, told ABC News, “These discs do not alter the security of the Diebold touch-screen system in any way,” because election workers can set their own passwords.
But ABC News has obtained an independent report commissioned by the state of Maryland and conducted by Science Applications International Corporation revealing that the original Diebold factory passwords are still being used on many voting machines.
The SAIC study also shows myriad other security flaws, including administrative over-ride passwords that cannot be changed by local officials but can be used by hackers or those who have seen the discs.
The report further states that one of the high risks to the system comes if operating code discs are lost, stolen or seen by unauthorized parties — precisely what seems to have occurred with the discs sent to Kagan, who worries that the incident indicates the secret source code is not that difficult to obtain.
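The two SAIC findings above (factory passwords still in use, and an administrative override password that local officials cannot change) are exactly the kind of secrecy-dependent design I complained about earlier: once the disks leak, a password compiled into the code is public. As an added illustration, not Diebold’s code and not anything taken from the SAIC report, here is that pattern in Python alongside the alternative, a per-device credential that officials set locally and that is stored only as a salted hash. The override value, device names and function names are all assumed for the example.

```python
"""Hardcoded override password vs. per-device credentials (added example).

Illustrates why access control that depends on a secret embedded in the
software is worthless once the source leaks, while a credential chosen
per device and stored hashed survives disclosure of the code.
"""
import hashlib
import hmac
import os

# --- Vulnerable pattern: supervisor override baked into the software ------
# Hypothetical value chosen for this example. Any real constant would be
# just as exposed to whoever reads the leaked disks.
FACTORY_OVERRIDE = "1111"


def vulnerable_supervisor_login(entered: str) -> bool:
    """Anyone who has read this file can authenticate as a supervisor."""
    return entered == FACTORY_OVERRIDE


# --- Hardened pattern: per-device credential, set locally, stored hashed ---
class DeviceCredentials:
    """Supervisor credential for one machine.

    The device ships with a factory default, but it refuses to be used for
    an election until a local official has replaced it. Only a salted
    PBKDF2 hash is stored, so reading this code (or the device) reveals
    nothing usable on another machine.
    """

    ITERATIONS = 100_000

    def __init__(self, factory_default: str):
        self._salt = b""
        self._hash = b""
        self._store(factory_default)
        self.using_factory_default = True

    def _store(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.ITERATIONS
        )

    def verify(self, entered: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", entered.encode(), self._salt, self.ITERATIONS
        )
        return hmac.compare_digest(candidate, self._hash)

    def set_password(self, new_password: str) -> None:
        """Local official replaces the credential; re-using the default is refused."""
        if self.using_factory_default and self.verify(new_password):
            raise ValueError("new password must differ from the factory default")
        self._store(new_password)
        self.using_factory_default = False

    def ready_for_election(self) -> bool:
        return not self.using_factory_default


def audit_fleet(devices: dict) -> list:
    """Return ids of machines still on the factory default (the SAIC finding)."""
    return sorted(d for d, cred in devices.items() if cred.using_factory_default)


if __name__ == "__main__":
    # Constructed sample fleet: three machines, only one re-keyed locally.
    fleet = {
        "unit-101": DeviceCredentials(FACTORY_OVERRIDE),
        "unit-102": DeviceCredentials(FACTORY_OVERRIDE),
        "unit-103": DeviceCredentials(FACTORY_OVERRIDE),
    }
    fleet["unit-102"].set_password("county-chosen-secret")
    print("leaked override works:", vulnerable_supervisor_login(FACTORY_OVERRIDE))
    print("still on factory default:", audit_fleet(fleet))
```

The design point is the one Schneier makes: in the hardened version the source can be published in full, because the only secret is one each county sets itself, and a machine still on its factory default is flagged by the audit rather than silently accepted.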
Melissa Harris reports in the Baltimore Sun:
A spokesman for Diebold, which manufactures the state’s touch-screen voting machines, said the company is treating the software Kagan received as “stolen” and not as “picked up” at the State Board of Elections, as the anonymous note claimed. Lawyers for the company are seeking its return.
The disclosure comes amid heightened concerns nationwide about the security of the November elections and the ability of the state to keep tight controls on the thousands of machines that will be used next month.
Update: Also in the Baltimore Sun, Sumathi Reddy writes:
Gov. Robert L. Ehrlich Jr., who has been a critic of the Diebold machines, said the leak of the source code is disturbing but, given problems in the September primary with Maryland’s new voting system, not surprising.
Ehrlich has encouraged voters to consider absentee ballots if they feel uncomfortable with the voting technology and has been joined by some Democrats, including Montgomery County Executive Douglas M. Duncan.
Kagan said the focus should be less on the investigation and more on what she said is a long history of glitches within the State Board of Elections. “Why is it that Marylanders cannot go to vote in a couple of weeks with confidence that their voting machines will work and that their votes will be counted accurately?” Kagan asked.
Cameron W. Barr writes in The Washington Post,
Ross Goldstein, deputy administrator of the Maryland State Board of Elections, said documents indicate that the disks were sent to Maryland so Raba Technologies Inc. could assess the security of the state’s electronic voting system, which is provided by Diebold Election Systems. A receptionist at Raba, based in Columbia, declined to comment yesterday after consulting with her supervisor.
Labels on the disks indicate that they contain the versions of two Diebold programs that powered electronic voting machines in Maryland in 2004, Goldstein said Thursday. Diebold said one version of one program is still in use in some jurisdictions elsewhere in the United States.
Yesterday, Henry Fawell, a spokesman for Gov. Robert L. Ehrlich Jr. (R), said the suspected leak “raises yet another unanswered question about the Diebold technology on which our election system depends.” Ehrlich initially supported the Diebold technology but in recent years has said Maryland should switch to a system that provides a paper trail.
Some computer scientists said the incident shows why the makers of voting systems should publicly disclose their software. “It’s hard to keep a secret like this for a long time,” said Edward Felten, a Princeton University computer scientist who demonstrated in September how Diebold’s machines could easily be hacked. The company called Felten’s work inaccurate and unrealistic.
The Post also has two earlier stories on this incident.
The AP, via WTOP, reports Diebold’s wishful thinking:
The president of Diebold says the system that will be used in next month’s election is safe and tamperproof.
What I want to know is, will he promise that if he turns out to be wrong about this, he will jump off of a thirty-story building? I didn’t think so.