Letters to the Editor: Justin Moore Says Rick Sincere Misses the Big Picture
August 2005
George:

I see that Mr. Sincere responded to my musing on the shortcomings of electronic voting machines. Specifically, I see that he responded to a portion of my musing; he responded to the first of four points -- my article about breaking into voting machines -- and ignored my comments on software quality, the difference between usability (how well the users like the machines) and reliability (how well the machines work), and my criticism of the financial study he put forth.

Seeing as he responded to only one paragraph of my initial comments, I would only be able to speculate as to his responses on the remaining 12. And, since that would be unfair, I will only address the points he raised in his response.

His response to my article -- which contains a few valid points -- continues to display the lack of imagination that plagues management positions in general, especially where computer security is involved. For example, in my article I wrote

"Less obvious (and more difficult to trace) is an outsider who has access to a DRE machine and can reverse-engineer the data storage format."

Mr. Sincere responds by describing the detailed defenses in Charlottesville

"The only people who have access to the DREs are election officials. Except on Election Day itself, the DREs are kept in a locked room inside the inner office of the General Registrar. Even City cleaning staff are not permitted to enter that room or the room immediately outside its door."

This overlooks the fact that an attacker does not need to get access to a machine in Charlottesville to obtain access to the data storage format. They merely need to get access to /any/ machine running the same hardware and software *anywhere in the world* to understand how the Charlottesville system works.

While Mr. Sincere has complete confidence in his staff, does he have similar confidence in the security procedures used by other jurisdictions in other states? Is he confident that the company shipping the machines to him will not leave them in a warehouse with less-than-perfect security measures (ask CitiGroup and UPS about that one)? Does he have absolute confidence in the security procedures at the vendor, and their ability to repel intruders? Two vendors (Diebold and VoteHere) have been the victims of hackers or insider leaks already; are there others that we don't know about yet?

"There is general agreement within the elections community that using telecommunications tools for this purpose is, frankly, a dumb idea and it should be rejected out of hand. Mr. Moore’s elevation of this avenue of attack as something deserving of concern is a red herring."

It is definitely reassuring that Mr. Sincere opposes telecommunications as a component of voting. However, if what he says about "the elections community" sharing this view is true, why is the Election Assistance Commission creating guidelines for the proper use of wireless devices in voting equipment? Why is the Election Center promoting vote-anywhere-precincts with networked poll books? Why are various states considering Internet-based voting? If there is "general agreement" that telecommunications are a bad thing, it seems someone forgot to tell the rest of the elections community.

To his credit, Mr. Sincere also presents some partially-valid criticism of my article, pointing out that part of it depends on the attacker disrupting communication between the voting machines and the county seat.

"Moreover, Mr. Moore’s entire argument rests on the assumption that the electronic voting machines are connected to a central tallying location via a modem or some other telecommunications link."

However, this also displays a lack of imagination, as well as missing The Big Picture. Intercepting communication is simply one method of delivering the disruptive virus. Others -- such as using a combination of Windows's 'autorun' feature, the virus, and a USB thumb drive -- would work, although it would require physical access to the machines. However, it would only require the attacker to pay off one "insider" to insert the USB drive into the stand-alone computer, count to five, and remove the drive. And if the hacker's goal is to sow confusion (as opposed to subtle manipulation) then it is unnecessary if this attack is discovered. As long as the electronic results and poll tapes don't match consistently -- perhaps even resulting in a lawsuit or two or seventeen -- it has been successful.

Now, why would I assume that such an attack could succeed or is even feasible? Because similar attacks have worked in the past against banks, phone companies, credit card companies, and every imaginable business or organization. A whole sub-class of computer security focuses on how to recognize and defend against these attacks, known as "social engineering".

For example,

One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network.

How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.

The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system. (http://www.securityfocus.com/infocus/1527)

My entire argument /actually/ rests on the assumption that if you can delete or damage the digital ballots, there are no physical objects on which you can rely. While procedures around both paper-based and paper-less voting systems are vulnerable to a social engineering-based attack, the consequences of a successful attack against a paper-less system are more severe than those against a paper-based system. Digital records are far easier to manipulate or destroy; they can be modified or deleted en masse without a trace, whereas paper-based records are tangible objects that can be viewed, audited, and secured by your average Joe.

As an aside, someplace like Charlottesville would be a poor place to conduct such an attack. It is a relatively small community, people are familiar with each other, and outsiders are likely to raise eyebrows. Along those lines, the number of votes an attacker could swing would be small; no more than a few hundred without raising eyebrows.

However, you'll notice that my paper focuses on larger localities. These present larger targets, the opportunity to manipulate more votes while staying within exit poll margins of error, and a more complex and chaotic scene on election day, increasing the odds of physical access to key systems.

Mr. Sincere also asserts this commonly-heard reassurance:

“... in the twenty-plus years that these machines have been used, in many counties all across the country, there has never been a verified case of tampering.”

This argument is not comforting in several respects. The largest mistake -- and unspoken assumption -- is that the only reason paperless voting could possibly go wrong is if someone hacks a machine. I can think of 4,438 reasons from Carteret County, North Carolina alone why this assumption is dead wrong. I can think of another 436 reasons from Wake County in 2002. I can think of a few thousand reasons from Hinds County, Mississippi in November of 2003. And I'm sure Rita Thompson from Fairfax County can think of a few, too.

On top of these documented cases of voting machine failures, there are documented cases of uncertified software running on voting machines. There are documented cases of vendors applying software updates without notifying the state or federal certification boards. There are numerous documented cases in which the processes protecting voting machines break down and present a window of opportunity to an attacker.

Furthermore, I doubt Mr. Sincere -- or anyone else -- could actually prove this argument. After every election, was there a full audit of each and every voting machine to prove that the version running on that machine was identical to the one in escrow? Was there a full examination of every security and event log for evidence of tampering? Was this done before the machines were powered off (memory-resident virii or Trojan horses can be programmed to disappear on reboot, after having done their damage)?

If the answer to any of these is 'no' for any machine in any jurisdiction across the country, then no one can say for certain that tampering has not occurred. They can only speculate.
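The audit described above, proving that the software on each machine is identical to the version held in escrow, comes down to comparing a digest of every installed file against a manifest deposited with the certification authority. The Python below is an added example, not code from this letter and not any vendor's or jurisdiction's actual procedure: it builds a manifest from constructed escrow files, round-trips it through a sha256sum-style text format, and reports a per-file MATCH, MISMATCH, MISSING or UNEXPECTED verdict for a constructed machine image. Every file name, file content and hash here is made up for illustration.

```python
"""Post-election integrity audit of one voting machine against the escrowed build.

Added example (not from the letter or any vendor): the file paths, contents and
resulting digests are constructed for illustration only.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample: the certified build as deposited in escrow, path -> bytes.
ESCROWED_BUILD: Dict[str, bytes] = {
    "firmware/tabulator.bin": b"certified tabulator build 4.1.2\x00\x01",
    "config/ballot_layout.xml": b"<ballot><race id='1'/></ballot>",
    "lib/audit_log.so": b"\x7fELF placeholder for the certified library",
}

# Constructed sample: what an auditor found on one machine after the election.
# One file is altered, one is missing, and one extra file is present.
INSTALLED_IMAGE: Dict[str, bytes] = {
    "firmware/tabulator.bin": b"certified tabulator build 4.1.2\x00\x01",
    "config/ballot_layout.xml": b"<ballot><race id='1'/><race id='2'/></ballot>",
    "tmp/leftover.exe": b"not part of the certified build",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Digest every escrowed file: this is what the escrow agent would publish."""
    return {path: sha256_hex(data) for path, data in sorted(files.items())}


def format_manifest(manifest: Dict[str, str]) -> str:
    """sha256sum-style text, one '<hex digest>  <path>' line per file."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the text form back. A malformed line is an error, never skipped,
    because a silently dropped entry would let a file escape the audit."""
    manifest: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            digest, path = line.split("  ", 1)
        except ValueError:
            raise ValueError(f"manifest line {lineno} malformed: {line!r}") from None
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        manifest[path] = digest
    return manifest


def audit_machine(manifest: Dict[str, str], installed: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare the files on one machine against the escrow manifest.

    Every path in either set gets a verdict, so an extra file on the machine is
    reported as UNEXPECTED rather than ignored, and an escrowed file that is
    absent is reported as MISSING."""
    findings: List[Tuple[str, str]] = []
    for path in sorted(set(manifest) | set(installed)):
        if path not in installed:
            status = "MISSING"
        elif path not in manifest:
            status = "UNEXPECTED"
        elif sha256_hex(installed[path]) == manifest[path]:
            status = "MATCH"
        else:
            status = "MISMATCH"
        findings.append((path, status))
    return findings


def audit_passed(findings: List[Tuple[str, str]]) -> bool:
    """The machine passes only if every file matches and nothing extra is present."""
    return all(status == "MATCH" for _, status in findings)


if __name__ == "__main__":
    # Round-trip through the text format, as an auditor reading a published manifest would.
    manifest = parse_manifest(format_manifest(build_manifest(ESCROWED_BUILD)))
    findings = audit_machine(manifest, INSTALLED_IMAGE)
    for path, status in findings:
        print(f"{status:10} {path}")
    print("audit passed" if audit_passed(findings) else "audit FAILED")
```

This check covers only what is on disk; it says nothing about what was resident in memory before the machine was powered off, which is the letter's second question and needs the event-log review and pre-shutdown examination described above.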

On a closing note, I will acknowledge that no voting system or process is immune from tampering, including paper-based systems. Mr. Sincere is correct when he states that heterogeneity among voting systems is a good thing. He is also correct that attaching a printer to touchscreen systems not initially designed with that feature is a bad idea. However, there are systems that have paper as a feature built in from the ground up, and that offer better accessibility features for the disabled than touchscreen machines.

Mr. Sincere might not oppose paper-based systems on principle, but the vast majority of professional computer scientists oppose paperless systems on principle. And while these computer scientists may not know the procedures that are supposed to protect voting systems from problems, we are more than familiar with two inescapable facts: software is inherently buggy, and processes will eventually and occasionally fail. Combine these two, and you have a perfect argument for a tangible representation of every vote.

Justin Moore (electronic mail, August 25, 2005)