Unsafe for any Ballot Count: South Carolina’s voting machines and their analysis

Duncan A. Buell (and others)
For the League of Women Voters of South Carolina



Technology

How much technology is too much technology?

What is the right way to apply technology given the constraints of the application?

Follow links from www.lwvsc.org

Source Material

SC (Buell), 2013, of the November 6, 2012 election data
SC (Buell/Hare/Heindel/Moore/LWVSC), 2011, of the November 2, 2010 election data
Ohio, Dec 2007, study for the Sec’y of State
Florida, 2007, study after the 2006 election
Burr, Rivest, et al., for NIST
Ohio, Nov 2003, study for the (previous) SoS
California, 2007, study for the SoS

Follow links from www.lwvsc.org

Why is Vote-Counting Hard?

An election is a one-time event—no do-overs
Hard to test the scaling-up to full size
Highly distributed, largely independent, using volunteer workers
Vulnerable to corruption
Vulnerable to disruption
Highly vulnerable to error

Issues and Concerns

Should voters get a receipt?
Are ballots indeed secret?
How do we accommodate persons with disabilities?
How do we handle overvotes and undervotes?
Are ballots “voter-verifiable”?
Are ballots recountable and auditable?
Can we audit the results?

A Common Misconception

A voting machine is NOT like an ATM. (With money, there are laws, you have rights, there are receipts, and your money is somewhere.)

A voting machine is much more like a slot machine. (What is your guarantee that the machine EVER pays out?)

Voting Machines, ATMs, and the Internet

A voting machine is NOT like an ATM. (There are laws, you have rights, there are receipts, and your money is somewhere.)

With elections, you have a complete right to privacy under most state laws; with ATMs, you are governed by the company’s decision on how much $ it can afford to lose

A voting machine is much more like a slot machine. (What is your guarantee that the machine EVER pays out?)

(Recent) History

Florida’s hanging chads and butterfly ballot, 2000
HAVA (Help America Vote Act), 2002
Florida 13th congressional district election, 2006
Lots of complaints, some of which are known to be justified (Horry County, 19 January 2008) and many of which are probably not justified.

Richland County, 2012, with lines up to seven hours and 29 ballots cast after midnight…

Electronic Voting Machines

South Carolina: Election Systems and Software (ES&S) iVotronic DRE (Direct Recording Electronic) and Unity software/system for counting votes

Operative study: EVEREST, submitted December 7, 2007, to the SoS of Ohio, done by UPenn and UC Santa Barbara

EVEREST: the ES&S iVotronic systems “lack the fundamental technical controls necessary to guarantee a trustworthy election under operational conditions … from several pervasive, critical failures”


ES&S iVotronics

(From the Verified Voting website)

Something Will Have to Be Done

Equipment is aging rapidly
Our SC design is decades old
The software is pre-2007

But what’s out there?

Internet Voting

Companies exist and sell software systems
None has been publicly tested
Election officials seem enamored of the idea
Claim: increased turnout (false)
Claim: increased young voter turnout (false)
Claim: it can be secure (says who?)
We could go to the moon, so surely …

Estonia Does Internet Voting

But no one tests the software
Mandatory national ID card with an RSA key
Vote often, only the last vote counts

Does anyone much care about Estonia?

Norway Did Internet Voting

Software written for Norwegian municipal elections

Idea was abandoned

Canada

Some municipal elections
Some party caucuses
Some disasters
No increase in turnout

South Carolina

“Voters want to be able to vote using their personal electronic device, whether it’s a smartphone or an iPad or some other type of tablet. And I would like to see that incorporated into the next generation of voting systems.”

(Marci Andino, Executive Director, South Carolina Election Commission, PCEA Hearing Testimony, Philadelphia, PA, at 12 (Sept. 4, 2013))

Can you say, “SC Department of Revenue”?

STAR-Vote

Travis County, Texas (Austin)
Dana DeBeauvoir, Clerk of Court
And a cast of very smart people …

Commodity hardware
The paper is the official ballot
Secure by design

Los Angeles County

Dean Logan, director of elections

Ten million residents (2-1/2 times SC)

Secure by design

Paper is the official ballot

Other Discredited Systems

Diebold/Premier (RABA, Avi Rubin/JHU)
Sequoia (Appel and Felten, Princeton)
Nedap (Rop Gonggrijp)

There are no machines that have been tested by computer experts and have not been discredited.

Voting Machine Testing

All machines are tested by “Independent Testing Authorities” (ITAs)

But there are only a few ITAs
And one was decertified for falsifying tests
And none test for “computer security” issues
And the paper trail shows that the same problem can occur multiple times without being fixed, but with ITA certification

The Issues

Security—can the system be corrupted?

Quality—can the system be trusted to be correct?

Human factors—can the system function as it should under normal conditions?

Security

Security (pages 29-30)

“lack the fundamental technical controls necessary to guarantee a trustworthy election under operational conditions … from several pervasive, critical failures”

“…we attempted to identify practical procedural safeguards that might substantially increase the security of the ES&S system in practice. We regret that we ultimately failed to find any such procedures that we could recommend with any degree of confidence.”

Security (pages 29-30)

“The security failings of the ES&S system are severe and pervasive. There are exploitable weaknesses in virtually every election device and software module, and we found practical attacks that can be mounted by almost any participant in an election. For this reason, the team feels strongly that any prudent approach to securing ES&S-based elections must include a substantial re-engineering of the software and firmware to make it ‘secure by design’.”

Security Through Obscurity?

The Palm Pilot emulates a PEB and can reset all passwords. (page 66)


Security Through Obscurity? (page 52)

“The mechanical locks supplied … were uniformly of very low-security designs that can easily be picked …”

“For the first weeks of the project, we did not have the correct keys for much of the equipment; we frequently had to pick the locks in order to conduct our analysis.”


Software Quality

Software Quality

• Writing bad, confusing, un-maintainable, and sloppy code is not that hard.
• Writing clean, professional, maintainable, secure code that does exactly and only what it’s intended to do is very hard.

• What we would simply mark off in a freshman’s work would be unacceptable from a senior.

Software Quality

“a visible lack of sound software … practices”

“a buggy, unstable, and exploitable system”

The ES&S System (page 84)

• 515,000 lines of code
• Nine programming languages
• Four hardware platforms

A large and complicated computer system by any standard

Code Analysis (pp. 53ff, 83ff)

All code modules have buffer overflow bugs.

“Avoiding buffer overflow bugs in input processing is regarded as one of the most basic defenses a system must have.”

About 63% of the code is in memory-unsafe programming languages.

Compilation on Visual Studio 2005 fails unless one turns off modern security standards.


Code Analysis (pp. 53ff, 83ff)

Fortify (a standard code analysis program) finds hundreds of vulnerabilities in the source code, which indicates “that the vendor did not sufficiently validate their code.”

In grading CSCE 240 undergraduate homework, I take off 20% for EACH use of a memory-unsafe function.


Passwords (Florida excerpt)

• Passwords are hard coded in the firmware, identical in every machine.
• An undocumented back door exists.
• “This represents poor practice”
• “These passwords provide very little security.”
• “poorly conceived and poorly implemented”
• Passwords are coded in the clear in devices.
• Crypto keys are stored in the clear.


Passwords (Florida excerpt)

“The Service Menu password, Clear and Test password, ECA password, and Upload Firmware password are three-letter case-insensitive passwords. Each one is chosen to be mnemonic and easy to remember. The problem is that they are also likely to be fairly easy to guess. They follow a memorable pattern. Someone who knows one of these passwords can probably guess what the other ones are without too much difficulty.”


Ballot Image Randomization (page 73)

• The iVotronic “uses a weak randomization procedure” that “does not properly randomize voter selections in its audit logs”.

• Random number generation is a well-established mathematical and computational science. NIST even publishes a testing document and test suite (Publ. 800-22).

• Failing to use proper, tested, RN generators is just unprofessional and sloppy.


Software Quality Summary

• These software problems are common in the code written by first-year students.
• A first-year student’s A grade (for submitting code that ostensibly worked) would probably drop to a C for these errors.

• A senior student’s A grade (for submitting code that ostensibly worked) would probably drop to an F.


Human Factors

Human Factors, 2010

Duncan Buell, Eleanor Hare, Frank Heindel, Chip Moore

FOIA-d data from several counties, including Richland, Charleston, Colleton, Lancaster, Berkeley, Lexington, Sumter, Florence

We have tried to reconcile the certified official counts with the counts that are supported by the data.

We have yet to find a county whose numbers add up properly.


The Election Procedure

Greenstripe master PEB to open and close all iVos
Redstripe PEB for individual votes
Closing causes event log and vote image file to be written to flash drive
TOTALS (only) collected into PEB at closing
PEB totals become paper tape total
PEB totals are totalled at county HQ

Results to be certified by Friday for a Tuesday election


Observed Failures (1)

If two PEBs are used to close, then maybe only one has its data collected
Ward 21, Richland County: 339 + 355 votes, only 339 counted
Racepath Pct, Horry County: 114 votes not counted
?? Pct, Horry County: one machine not counted

Given the audit data, we can detect this


Observed Failures (2)

If terminals are not closed, their votes are not collected
Bluff Pct, Richland County: six of eight machines not closed, 772 votes not counted

Sumter County, cranky machine, and ES&S decided for South Carolina what constituted “a vote”

Given audit data, we can detect this


Observed Failures (3)

The procedure for tallying votes is basically to overlay a spreadsheet from the iVotronic onto a spreadsheet at the county level

If the ballots are not configured the same (too many contests, too few?), then this fails

Lancaster and Williamsburg counties failed completely in November 2010

Beaufort didn’t catch an error until we told them about it

Given audit data, we can detect this


Observed Failures (4)

If the flash memory cards are not collected, we don’t have data
• Charleston never could find 25% of the data
• Horry gave several different incorrect reports
• Oconee only had 1/3 of the data
• Bluff Pct, Richland County: six of eight machines not closed, 772 votes not counted
• Sumter County, cranky machine, and ES&S decided for South Carolina what constituted “a vote”

Given audit data, we can detect this


What Did We Do?

FOIA of EL68, EL68A, EL152, EL155 files

Buell wrote programs, Chip Moore wrote programs

We cannot actually check that the results are correct

Essentially all we are doing is verifying consistency

EL155 Vote Image File

5120350 5 * 10 Nikki R Haley GOVERNOR
5120350 5 15 Ken Ard LIEUTENANT GOVERNOR
5120350 5 19 Mark Hammond SECRETARY OF STATE
5120350 5 23 Curtis Loftis STATE TREASURER
5120350 5 27 Alan Wilson ATTORNEY GENERAL
5120350 5 31 Richard A Eckstrom COMPTROLLER GENERAL
5120350 5 36 Mick Zais STATE SUPERINTENDENT
5120350 5 42 Bob Livingston ADJUTANT GENERAL
5120350 5 45 Hugh Weathers COMMISSIONER OF AGRIC
5120350 5 50 Jim DeMint U.S. SENATOR
5120350 5 61 Jim Pratt CON0006 U.S. House of
5120350 5 70 W/I HENRY CAPSTANCE HOU074 State House of
5120350 5 73 W/I DAFFY DUCK 5TH CIRCUIT SOLICITOR
5120350 5 76 W/I JOHN DIXON PROBATE JUDGE
5120350 5 79 W/I MICKEY MOUSE COUNTY AUDITOR
5120350 5 82 W/I BOB BARKER COUNTY TREASURER
5120350 5 84 Mark W Huguley Soil and Water
5120350 5 90 W/I GEORGE WASHINGTON CCL0004 COUNTY COUNCIL
5120350 5 95 Joe Boyes SAL0001 RICHLAND COUN
5120350 5 99 Rob Tyson SCH0013 School Board
5126362 3 * 13 W/I JESSIE JOANNE SCHMITZ GOVERNOR
5126362 3 16 Ashley Cooper LIEUTENANT GOVERNOR
5126362 3 20 Marjorie L Johnson SECRETARY OF

EL152 Event Log File

5121076 152523 SUP 11/02/2010 06:01:41 0002808 Terminal - opening state
SUP 11/02/2010 06:02:30 0001303 Transfer PEB vote data to terminal
...
SUP 11/02/2010 06:03:17 0001672 Terminal Opened
SUP 11/02/2010 06:03:21 0001633 Terminal shutdown
104621 SUP 11/02/2010 06:11:54 0001510 Vote cast by voter
152604 SUP 11/02/2010 06:21:57 0001510 Vote cast by voter
5121076 153424 SUP 11/02/2010 17:47:05 0001510 Vote cast by voter
SUP 11/02/2010 17:56:20 0001510 Vote cast by voter
...
SUP 11/09/2010 14:30:03 0002810 Terminal - time to close voting
SUP 11/09/2010 14:30:15 0001626 Close terminal
SUP 11/09/2010 14:30:15 0002809 Terminal - closing state
SUP 11/09/2010 14:30:15 0001221 Collect terminal vote data to PEB
SUP 11/09/2010 14:30:44 0001303 Transfer PEB vote data to terminal
SUP 11/09/2010 14:30:51 0001208 Merge terminal & PEB vote data
SUP 11/09/2010 14:30:54 0002802 Terminal - open state
SUP 11/09/2010 14:30:54 0002803 Terminal - closed state
SUP 11/09/2010 14:30:54 0002809 Terminal - closing state
SUP 11/09/2010 14:30:58 0001210 Transfer terminal vote data to PEB
SUP 11/09/2010 14:31:24 0001211 Terminal votes to PEB successful
SUP 11/09/2010 14:31:24 0001214 Transfer terminal writein data to PEB
SUP 11/09/2010 14:31:36 0001215 Terminal write-in data to PEB successful
SUP 11/09/2010 14:31:36 0001222 Terminal vote collection successful
SUP 11/09/2010 14:31:36 0002803 Terminal - closed state
SUP 11/09/2010 14:31:36 0001673 Terminal Closed
SUP 11/09/2010 14:31:42 0001401 Copy terminal flash audit data to CF
SUP 11/09/2010 14:31:42 0001400 Verify terminal flash audit data
SUP 11/09/2010 14:31:50 0001416 Copy audit data from TF 1 to CF

EL68A System Log File

11-02 09:28 pm START PACK ACCUMULATION (Replace Mode - restarting)
11-02 09:29 pm STOP PACK ACCUMULATION
11-02 09:39 pm PRC 0009 MANUAL ENTRY
11-02 09:40 pm STATS CANVASS - NUMBERED KEY WAS PRINTED TO LPT1
11-02 09:43 pm START PROCESS PEBS
11-02 09:43 pm PEB votes retrieved for P0153832
11-02 09:43 pm SPP file record created for P0153832
11-02 09:43 pm STOP PROCESS PEBS
11-02 09:43 pm iVotronic GROUP 3 SELECTED FOR UPDATE EQUIPMENT TYPE VTR - UPDATE PRECINCTS COUNTED:Y
11-02 09:44 pm START PACK ACCUMULATION (Replace Mode - restarting)
11-02 09:45 pm STOP PACK ACCUMULATION
11-02 09:45 pm CLEARED PEBS DATA
11-02 09:46 pm START PROCESS PEBS
11-02 09:46 pm PEB votes retrieved for P0153832
11-02 09:46 pm SPP file record created for P0153832
11-02 09:46 pm STOP PROCESS PEBS
11-02 09:46 pm iVotronic GROUP 3 SELECTED FOR UPDATE EQUIPMENT TYPE VTR - UPDATE PRECINCTS COUNTED:Y
11-02 09:46 pm START PACK ACCUMULATION (Replace Mode - restarting)
11-02 09:46 pm 0009-Time stamp mismatch (Reply was: Update)
11-02 09:46 pm PRC 0009 PACK RECEIVED VTR (BALS=340 TOT=375)
11-02 09:46 pm STOP PACK ACCUMULATION
11-02 09:47 pm STATS CANVASS - NUMBERED KEY WAS PRINTED TO LPT1

Counting

The actual votes come from the 155
Vote counts come also from the 152
Closing an iVo shows PEB closing serial number
The 68A shows data uploaded from the PEBs
The 68A shows memory card uploads
Basically just a check and cross check
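The check and cross check described above, written out as an added example; this is not code from the talk or from the Buell/Moore programs. The record layouts are inferred from the file excerpts on the preceding slides, the field meanings (a "*" opening a new ballot in the EL155, terminal and PEB serials printed only when they change in the EL152) are assumptions, and the sample records are constructed so the three failure modes from the "Observed Failures" slides show up.

```python
import re
from collections import Counter, defaultdict
# Constructed sample records in the shape of the FOIA'd files on the slides.
EL155 = """\
5120350 5 * 10 Nikki R Haley GOVERNOR
5120350 5 15 Ken Ard LIEUTENANT GOVERNOR
5121076 3 * 10 Nikki R Haley GOVERNOR
5122222 3 * 10 Nikki R Haley GOVERNOR
""".splitlines()
EL152 = """\
5120350 152523 SUP 11/02/2010 06:03:17 0001672 Terminal Opened
104621 SUP 11/02/2010 06:11:54 0001510 Vote cast by voter
5120350 153424 SUP 11/02/2010 19:05:10 0001673 Terminal Closed
5121076 152523 SUP 11/02/2010 06:03:40 0001672 Terminal Opened
SUP 11/02/2010 07:14:02 0001510 Vote cast by voter
5122222 152523 SUP 11/02/2010 06:04:01 0001672 Terminal Opened
SUP 11/02/2010 08:30:12 0001510 Vote cast by voter
5122222 155555 SUP 11/02/2010 19:06:44 0001673 Terminal Closed
""".splitlines()
EL68A = ["11-02 09:43 pm PEB votes retrieved for P0153424"]
# EL152 record (assumed): [7-digit terminal] [6-digit PEB] SUP date time 7-digit event code text
EVENT = re.compile(r"^(?:(\d{7}) )?(?:(\d{6}) )?SUP \S+ \S+ (\d{7}) (.*)$")

def ballots_per_terminal(el155):
    # A '*' third field marks the first selection of a new ballot (assumed).
    return dict(Counter(l.split()[0] for l in el155 if l.split()[2:3] == ["*"]))

def terminal_events(el152):
    # Serials are printed only when they change (assumed): carry the last ones forward.
    info = defaultdict(lambda: {"votes": 0, "closing_peb": None})
    term = peb = None
    for m in filter(None, map(EVENT.match, el152)):
        term = m.group(1) or term
        peb = int(m.group(2)) if m.group(2) else peb
        if m.group(3) == "0001510":     # Vote cast by voter
            info[term]["votes"] += 1
        elif m.group(3) == "0001673":   # Terminal Closed: the PEB in use is the closing PEB
            info[term]["closing_peb"] = peb
    return dict(info)

def uploaded_pebs(el68a):
    # EL68A 'PEB votes retrieved for P0153424' records each PEB read at county HQ.
    hits = (re.search(r"PEB votes retrieved for P(\d+)", l) for l in el68a)
    return {int(m.group(1)) for m in hits if m}

def reconcile(el155, el152, el68a):
    # Cross-check the three files; every string returned is a discrepancy to chase.
    ballots, pebs, problems = ballots_per_terminal(el155), uploaded_pebs(el68a), []
    for term, ev in sorted(terminal_events(el152).items()):
        if ev["closing_peb"] is None:
            problems.append(f"{term}: never closed, {ev['votes']} votes not collected")
        elif ev["closing_peb"] not in pebs:
            problems.append(f"{term}: closing PEB {ev['closing_peb']} never uploaded")
        if ballots.get(term, 0) != ev["votes"]:
            problems.append(f"{term}: {ballots.get(term, 0)} ballots vs {ev['votes']} vote events")
    return problems
```

As the slides say, this verifies consistency only: a terminal whose votes, closing PEB and HQ upload all agree can still have counted them wrong.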

LWVSC Press Release, 14 Feb 2011

http://www.lwvsc.org

The State Newspaper

What Actually Happened?

We found four different errors:
• Memory cards not collected, so individual votes were not in the vote image file.
• Two entire precincts were missing from the vote image file.
• TWO PEBs (not one) were used to collect data in Ward 21, but only one had its totals uploaded.
• SIX machines were not closed in Bluff and their data not collected until 11/9/2010.
• 1127 votes not counted, 2800 votes without support

LWVUS Positions

SARAT--Voting systems must be Secure, Accurate, Reliable, Accessible, and Transparent, and voting systems must provide a paper ballot or record of the voter’s intent that the voter can verify during the voting process and that can be used for random audits and recounts.

(LWV, Impact on Issues 2006-2008, p.11)

LWVSC Positions

Voting machines must
– include a paper audit trail that allows the voter to verify his/her vote and provides a reliable basis for a recount if required
– be randomly tested during every election
– use source code that is open for inspection.

LWVSC believes that SC’s iVotronics do not meet these criteria

The End

Voter Fraud

votingrights.news21.com
