Now there’s something I need to admit here. Hopefully it won’t scare you courageous readers away. You see, as much as I (and fortunately, my employer) consider myself a security expert it wasn’t exactly my major. Nope, wasn’t computer science either. History, you ask? With a bit of molecular biology? Yep, you got it.
So when Pete Lindstrom reminds me that it’s not like voter fraud is new to US elections I have to admit he’s right, and I knew it. Heck, to this day rumors still float around that Joe Kennedy may have been a bit of a proactive campaigner for his son. Ballot stuffing and voter intimidation are fine American traditions with a long and- well respectable isn’t the right word, but a long and something- history. I doubt there’s been a single election in the United States, on any level, from kindergarden class president to the President, that’s escaped some degree of shenanigans.
So I will admit that despite my FUD and hand waving, the country won’t come to an end nest Tuesday leaving us all in some whacked out version of Mad Max where we mount staple guns to our Saturns. (Actually, I drive a Ford Escape… hybrid. I did used to live in Boulder and all).
The thing is, as cynical, pessimistic, and paranoid as I am after a lifetime of working security and rescue and seeing the worst in human behavior, I still cling to some shred of patriotic optimism that this country is something more. More than what? Just more. I grew up on 4th of July parades, Boy Scouts, and little American flags on our car antennas. I’ve been in some sort of continuous volunteer (or paid) service to this country since I was 16. I’m proud that, on occasion, I still get to wear a uniform (not military- rescue stuff).
Thus the hyperbole of my previous post is only the result of a deep desire to see this country live up to its potential. If we all keep rolling over and accepting things like voter fraud, there really won’t be anything left but voter fraud.
Fortunately there are plenty of indications that, in this case, we not only have a chance to mitigate the problem, but enough people are becoming aware that we have a problem to incite action. Us security experts do have an important role to play in exposing inherent flaws in current electronic voting systems. This is full disclosure at its very best.
E-voting itself isn’t dangerous; just the way we’re doing it now.
And all you non-security experts have the responsibility to ask questions and implement change. Kind of the whole democracy thing and all, since it really isn’t dead yet. Just resting.
But I hope Pete was kidding and is also worried, because e-voting is different. As with all information technology, it supports a scope and scale of fraud far beyond ballot stuffing or registering dead Civil War veterans. One programming change or glitch can swing elections on entire systems in a nearly undetectable way. A few pre-programmed memory cards can disenfranchise entire districts. If someone is stupid enough to connect these things to the Internet, one good worm or hacker could hand the Presidency to a 19 year old Diebold technician.
All those scenarios are very possible. It doesn’t take a conspiracy theory. Election fraud has always existed; now we’re enabling it on the scale of the Internet.
But the Boy Scout in me truly believes it won’t happen. Well, more than once. At least not on a national scale. Hopefully.
As long as we get off our asses.
And yes, keep watching this space.
On a separate but related note it looks like Diebold is turning into the Court Jester of voter fraud. According to Slashdot, Diebold is insisting HBO not air a documentary questioning the integrity of voting machines.
I’m not the biggest fan of using ROI to justify security expenses, but Diebold probably has a great case that the cost of threatening, suing, and defending themselves from allegations of security flaws is greater than the cost of actually fixing their damn product. Seriously guys, a couple of good security engineers are probably cheaper than all your lawyers and PR flacks. I can refer a few if you want.
I just saw the article and it looks like “Hacking Democracy” airs tonight. Knowing HBO it will run like, every hour, for a few months, so I’m off to set the TiVo…
Reader interactions
3 Replies to “I Admit it: on E-Voting Hyperbole and Optimism;—Also, Diebold Fights HBO”
Rich, sorry, I messed up on the RSS feeds and didn’‘t see your reply here—all which make a great deal of sense. The point about the lack of diversity of voting machines is very real, and could potentially be a problem.
My larger point is you can’‘t have a discussion about e-voting security without talking about voting security generally. And that requires a knowledge of voting problems across the board. If you spend all the time arguing about paper trails, you miss out the allocation of voting machine into precints—which is what happened to us in Franklin County, OH (Columbus. And when you compare the e-vote problems with general problems, there are not on the top ten things to solve.
It is very easy to lose a ballot box or rather a cartoon contianing thousands of votes. Happens all the time. Usually is not discovered until well after the election, or during a recount.
Another factor is speed—we like electronic e-vote machines because they are quick (and paper/older machines) are slow. People don’‘t want to wait up all night to hear election results.
Again, I think the risk of an attack is low. Cheating in elections occurs on the margins—you are looking to get an extra 1%, not an extra 10%. I agree that if you found an easily exploitable flaw in a networked voting machine one hacker might be able to pull of an attack on that class of machines. But those machines might be so spread out across the county—and in particular in your states that you are trying to target, and in the precincts you are tyring to target, that it may not make a difference. If you want to influece 1% of the election,there are much, much more targetd and effective ways. A legengary story is that during the 1972 New Hampshire Democrat primary Nixon was worried about Ed Muskie winning. SO he got phone calls going to hard core Muskie supporters at 3 in the monring before the election saying “Hey, it’s homosexuals for Muskie…just asking you to vote tomorrow morning!”.
If you preserve diveristy inside a state, with each county making it own decision on voting, then it becomes very very hard to steal an election. However, thank to Bush V. Gore, that disparate treatment may not meet legal standards. So rather than worrying about e-votes, worry about local control of your voting rights.
Before delving into the reasons I think e-voing deserves special attention remember that I’‘m a security guy- while I like to think I’‘m smart, I don’‘t have expertise in turnout, early ballots, and most of those thousand other things to help the process. I’‘m a security expert; one who is paid to evaluate information security, and happens to have a background in physical security.
Here’s why I don’‘t think the risk is overblown. First of all there are only a few manufacturers of voting machines. The problems we see are systemic to those manufacturers and systems. Thus the potential exits for a single attack to potentially work on a massive scale- maybe a number of states.
Second, the attacks can be much harder to detect and not require as much collusion as attacks on paper systems. A single technician, programmer, or hacker (for networked systems) can succeed. The normal physical controls we have to reduce election fraud are less effective, or even worthless.
There are also availability issues- paper is much more resilient to power outages and system crashes. It’s a lot easier to lose a single memore chip with thousands (or more) votes than a big ballot box with equivalent numbers (which, on occasion, also happens).
Thus the scope and scale of the problems is dramatically different.
I actually think smart e-voting can improve the electoral process and reduce voter fraud. I’‘m not against e-voting itself, just many of the current implementations.
As for my friends and family, I’‘d place the number of voters at maybe 80%. Maybe a little less on off elections, and a little more in presidential years. I know that’s skewed compared to most sample sets, but I’‘d be shocked if the number is less than 70%.
Besides- I’‘d rather not have people vote who don’‘t follow the issues. Raw turnout isn’‘t the answer. It’s our right and responsibility to vote, it’s also our responsibility to know what we’‘re voting for.
You spent 5 hours babysitting one wacko? Damn.
Rich:
First, your concerns are overblown. Many people first come into voter fraud issues by first looking at the (flawed) voting machines, and don’‘t realize the potential dangers of paper balloting.
Put your analyst cap back on. Why is voting so messed up? Because it’s run by a bunch of amateurs at a local level—underfunded amateurs at that. 5000+ county election boards. It’s the opposite of a monoculture. The danger is when a state standardizes on a particular voting machine, then it makes it marginally easier to hack an election.
Becuase of this diffuse nature, incompotence, not fraud, is the biggest threat.
And don’‘t get me started on voter turnout—and the ways to manipulate that number….
Apple pie and the Boy Scouts in great—but ask yourself what percentage of your friends and family are going to vote on Tuesday?
I admit I am biased about the e-vote issues. In 2002, I got an emergency call on the night before the election from a friend who is the Maryland House of Delegates. Could I come and stand outside a voting location for him? Of course…but why? A long term supporter had turned against him because of the voting machine issue. I did, and just subjected to five hours of abuse by the irrate gentleman in question. Not to mention 2004….
The good thing about this issue it is raising the issue of security with your local election officals. However, I think an appeal to your local election board on issues or turnout, or early balloting, or a thousand others things would help the democratic process more than worrying about Diebold….