Sunday, June 07, 2015
Voting Machines
The code that the machine runs must be correct (without significant bugs or errors), which is difficult (and expensive).
Worse, you must be certain that the code you have validated is actually the code it runs for every vote during the election, which is impossible. As in, literally impossible. The problem is, the only way to find out what code the machine is running is to ask it. Because machines are programmed by humans, machines can lie, just like humans.
Here's how it works:
Computer running the validated code
1. Computer expert queries the computer about what code it is running
2. Computer says "I am running the validated code"
Computer running hacked code
1. Computer is hacked, adding malicious (lying) code to the validated code
2. Computer expert queries the computer about what code it is running
3. The malicious code lies and says "I am running the validated code"
This is not theoretical, this is exactly what a rootkit does.
So if the machine only records votes electronically, you can never be sure if your vote was correctly recorded. (This is not to mention the possibility of alteration during a long electronic chain of transmission to get to the final election results.)
The only way to verify your vote is to get a paper printout, so that you can look at the paper and validate that it shows your vote as cast. But again, remember the computer can lie. You can vote for party A, the computer can record the vote for party B and then print a paper receipt saying you voted for party A.
The only way to actually be certain of the vote count is to count the paper...
which means you just spent millions of dollars replacing a pen.
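An added example (not from the original post) that models the two scenarios above in Python: the auditor's query gets the same answer from both machines, because the malicious layer in front of the hacked one answers it, while a count of the paper ballots the voters checked exposes the altered tally. The firmware labels, digests and vote sequence are constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed stand-ins for firmware: a label (what gets hashed) plus the
# behaviour that maps a voter's selection to what is stored electronically.
VALIDATED_CODE = b"record each selection exactly as cast"
HACKED_CODE = b"record each selection as cast, except flip A to B"
VALIDATED_DIGEST = hashlib.sha256(VALIDATED_CODE).hexdigest()

def validated_record(choice):
    return choice

def hacked_record(choice):
    return "B" if choice == "A" else choice  # silent vote flip

class Machine:
    def __init__(self, code, record_fn):
        self.code, self._record = code, record_fn
        self.electronic_tally = Counter()
        self.paper_ballots = []

    def report_code_digest(self):
        # Honest self-attestation: hash whatever code is actually loaded.
        return hashlib.sha256(self.code).hexdigest()

    def cast(self, choice):
        self.electronic_tally[self._record(choice)] += 1
        # The voter inspects the printout, so it shows the selection as cast.
        self.paper_ballots.append(choice)

class Rootkit:
    """Layer in front of the machine: forwards everything except the
    attestation query, which it answers with the digest the auditor expects."""
    def __init__(self, inner):
        self._inner = inner
    def report_code_digest(self):
        return VALIDATED_DIGEST
    def __getattr__(self, name):
        return getattr(self._inner, name)

def query_audit(machine):
    """Ask the machine what it runs; this is all a remote check can do."""
    return machine.report_code_digest() == VALIDATED_DIGEST

def paper_audit(machine):
    """Independent check: count the paper and compare to the electronic tally."""
    return Counter(machine.paper_ballots) == machine.electronic_tally

def run_election(hacked, votes=("A", "A", "B", "A")):
    machine = Machine(VALIDATED_CODE, validated_record)
    if hacked:
        machine = Rootkit(Machine(HACKED_CODE, hacked_record))
    for v in votes:
        machine.cast(v)
    return query_audit(machine), paper_audit(machine)
```

Both machines pass the query audit; only the paper audit tells them apart.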
These are just the core issues, in an ideal system.
In reality, there are many more problems with voting machines. Although some were based on ATMs, ATMs are physically bigger, have a simpler job, have much clearer transactional validation (ask for $100, complain if you don't get $100), and have dedicated maintenance teams. While some voting machines were built by ATM manufacturers (like Diebold), the coding was rushed (at least we assume so, since we don't get to see the code), the machines are used at most once a year, and the maintenance is done by amateurs who don't have a bank's monetary motivation for maintaining accuracy. In such a situation, voting machines can have many errors, including:
* touchscreen misalignment
* coding errors
* introduction of malicious code e.g. via USB
* failure due to poor storage or aging out
* existing software vulnerabilities (particularly since most run Windows) that are uncovered during the lifetime of the machine but never patched, opening them to network or USB attack
Labels: electronic voting, security, voting machines
Tuesday, April 05, 2011
Cyber attacks hit Canadians. Again.
Two recent incidents are:
* the Epsilon breach in the US, where Canadian email addresses were compromised ("Air Miles among firms hit by huge data breach")
* the attack on four Bay Street law firms ("Major law firms fall victim to cyber attacks")
Now imagine that instead of email addresses and mergers and acquisitions information, the prize was the entire Canadian election, the direction of the entire Canadian economy.
Do you imagine for a second that the same sophisticated computer attackers that have already successfully broken into computer systems will somehow not decide to attack an online voting system? Keep in mind that corporations and law firms have huge financial and reputation incentives to protect their systems, and they still fail. Do you think the government will do any better? Do you think that the millions of Canadians using their personal computers to vote will have better Internet security than Bay Street law firms?
Voting over the Internet is an invitation to successful cyberattack. And following such an attack, the entire integrity of your voting system is compromised. To compromise a paper-based election you need people to physically intervene simultaneously at locations all across Canada, somehow escaping detection of all the citizens and elections officials present. It would require massive coordination and risk of detection and capture. To compromise an Internet-based election, all you need is one person with an Internet connection anywhere in the world, pushing a button.
Labels: canada, cybersecurity, online voting, security
Wednesday, October 08, 2008
the security stuff problem
Here's the problem: lots of people have tried to create secure systems for a long time, and have failed miserably.
I don't have to get technical at all, I can just talk in the consumer space.
1. For years, games companies put elaborate efforts and skilled people into trying to protect their games from piracy. They had special codes, special floppy disks with holes punched into the magnetic media or deliberate errors, physical dongles, you name it.
And yet their games were always pirated. Eventually most of them just gave up on protecting their games.
2. For years, continuing today, media companies like the record and movie industry have attempted to protect their content from piracy with Digital Rights Management (DRM). They have sophisticated hardware, elaborate codes, highly skilled people and a large monetary incentive. And they have failed.
iTunes music DRM? There's a hack.
DVD DRM? There's a hack.
3. Apple has an incentive to protect its iPhone from being used on any network, as it has an exclusive deal with AT&T. Their phone is "locked".
iPhone locking? There's a hack.
THERE IS ALWAYS A HACK.
Because any piece of software or hardware you can create, I can put a layer in front of. Your software talks to a hardware dongle? I write a layer of software that pretends to be the hardware.
And we're not talking big power or political incentives here, we're talking smart kids (mostly) who wanted to play some games, listen to some music, or watch some movies.
So if they couldn't even protect SONGS, do you seriously think they're going to be able to protect AN ENTIRE ELECTION?
There is no unbreakable "security stuff" to do that, it simply doesn't exist.
And even if it did, the incredible complexity of it would mean that the entire election would boil down to "trust the machine and the computer guys".
Wouldn't you rather trust a piece of paper you can see, a counting system so simple elementary school students could perform it, and volunteers and scrutineers from your own neighbourhood that you can watch?
Labels: security