Consensus Reached on Recommendations Toward the Future of Internet Voting

The U.S. Vote Foundation has released a report on the feasibility and requirements for Internet voting. This is the result of about eighteen months of work by computer scientists, security experts, and election officials. The goal was to answer definitively, once and for all, if Internet voting was feasible today or in the future.

The short version is that Internet voting is not ready for prime time, not ready for democracy. Yet it is possible that a system may be developed in the future which could provide safe Internet voting. The paper lays out the requirements and testing criteria for such a system.

(Internet voting includes online voting, email voting, and fax voting).

From the press release:

Developed by a team of the nation’s leading experts in election integrity, election administration, high-assurance systems engineering, and cryptography, the report starts from the premise that public elections in the U.S. are a matter of national security. The authors assert that Internet voting systems must be transparent and designed to run in a manner that embraces the constructs of end-to-end verifiability – a property missing from existing Internet voting systems…

As election technology evolves and more states evaluate Internet voting, caution on compromises to integrity and security is warranted, and according to the report, should be particularly avoided by the premature deployment of Internet voting. The report aims to list the security challenges that exist with Internet voting and emphasizes that research should continue as the threat landscape continues to shift. Existing proprietary systems that meet only a subset of the requirements cannot be considered secure enough for use in the U.S.

Key recommendations in the report to make Internet voting more secure and transparent include:

  • Any public elections conducted over the Internet must be end-to-end verifiable

  • End-to-End Verifiable systems must be in-person and supervised first

  • End-to-End Verifiable Internet Voting systems must be high assurance

  • End-to-End Verifiable Internet Voting systems must be usable and accessible to all voters

  • Maintain aggressive election R&D efforts

I would recommend that anyone supporting Internet voting read the Press Release, Summary, and Full Report, and then recruit experts of equal credibility to do the work and make an equally compelling case refuting this report.

 

Top security official, spouts NonScience Nonsense

We are used to climate change deniers ignoring science and ridiculing scientists. Like frogs in slowly warming water, we are no longer surprised when members of Congress deny science, or members of the public and election officials tout “safe” Internet voting, despite the science showing impossibility of security and the almost daily headlines of serious security failures.

Now we have the Director of the FBI directly contradicting top security scientists – when his job actually requires him to be an informed champion of actual security. This NonScience Nonsense is best summed up in an article this week in The Intercept: FBI Director Says Scientists Are Wrong, Pitches Imaginary Solution to Encryption Dilemma

Testifying before two Senate committees on Wednesday about the threat he says strong encryption presents to law enforcement, FBI Director James Comey didn’t so much propose a solution as wish for one.
Comey said he needs some way to read and listen to any communication for which he’s gotten a court order. Modern end-to-end encryption — increasingly common following the revelations of mass surveillance by NSA whistleblower Edward Snowden — doesn’t allow for that. Only the parties on either end can do the decoding.

Comey’s problem is the nearly universal agreement among cryptographers, technologists and security experts that there is no way to give the government access to encrypted communications without poking an exploitable hole that would put confidential data, as well as entities like banks and power grids, at risk.

In my early teens, a friend who did not do well in school smoked. It was a time when the dangers of smoking were just becoming public, with heavy and obviously false denial by the tobacco companies.  My friend said “If they are right, by the time I would get cancer, the scientists will have come up with a cure.”  At that time there was a lot of blind faith in science, cheered on by the media, that anything was possible – like curing cancer, going to the moon, or flying cars in cities of the future.  Science frequently surprises us with miraculous developments, yet there are no miracles. We have no cities of the future, we have not gone to the moon, hunger has not been cured, leisure and the middle class are endangered along with the planet.  Yet, we have miraculous cell phones and the Internet, along  with inaccurate and distorted ideas of risks and fears.  Some fears are overblown and unjustified, while in other areas we have a false sense of security.

Director Comey runs an agency which for years has claimed unquestioned expertise in matching fingerprints, blood samples, and hair samples, all of which have proven highly inaccurate, with little proof of accuracy in practice or in theory.

Sadly and dangerously, Comey’s blind faith in scientists, coupled with distrust of those same scientists, is matched by many in Congress:

Comey said American technologists are so brilliant that they surely could come up with a solution if properly incentivized.

Julian Sanchez, a senior fellow at the Cato Institute, was incredulous about Comey’s insistence that experts are wrong: “How does his head not explode from cognitive dissonance when he repeats he has no tech expertise, then insists everyone who does is wrong?” he tweeted during the hearing.

Prior to the committee hearings, a group of the world’s foremost cryptographers and scientists wrote a paper including complex technical analysis concluding that mandated backdoor keys for the government would only be dangerous for national security. This is the first time the group has gotten back together since 1997, the previous instance in which the FBI asked for a technical backdoor into communications.

But no experts were invited to testify, a fact that several intelligence committee members brought up, demanding a second hearing to hear from them.

Hopefully Congress will hear from scientists – scientists who represent objective, predominant security expertise – and Congress will listen to them.

“Security online today, is not up to the task of online voting today.”

My friend, Duncan Buell, sent along a .pdf with a blog post of his, Computer Security and the Risks of Online Voting, along with another blog post about drones, Meet A.I. Joe.

They are both worth reading and contemplating. Duncan’s focus is on the unique responsibility of computer scientists to warn the World of the dangers of Internet/Online voting. It is also a quick, high-level introduction to the relevant history and arguments:

many election officials around the country and around the world seem enchanted with the marketing hype of Internet voting software vendors and are buying in to the notion that we could—and should—vote online now and in the very near future.
Never mind the almost-daily reports of data breaches of financial organizations with deep pockets to spend on securing their computers. Never mind that governments, with shallower pockets, are routinely hacked…Election officials seem in awe of ill-defined vendor terms like “military-grade encryption.”…
Many U.S. states are toying with the notion of online voting, contracting their elections to private companies whose code has never been given a public vetting. As scientists, we would all probably rather be doing science than trying to find ways to convince the public and election officials that security online today is not up to the task of voting online today.

The second article highlights a risk similar to one that I have been contemplating myself: the takeover of drones by opposing forces. In short, we could fund and provide an enemy, including terrorists, with the power to defeat, kill, and terrorize us:

Even worse, can robots be hacked? The Iranians claim to have hacked an American drone and brought it down safely on their territory back in 2011. However it happened, they have it, and refused to return it when President Obama somewhat cheekily asked for it back. This incident should prompt us to consider the question: What if robots could be taken over and turned on their masters?

My concern is that if cars can be hacked, why not police vehicles, especially those armored military vehicles now in the hands of our local police?

The Power of Partnership: Do you know what your election officials have been watching?


https://www.youtube.com/watch?v=Zyqg-LcAkC0
Direct from the Dominion web, a marketing video featuring Denver election officials.  The  apparently intended message from the officials is “See how great we are.  See all the great things we are doing for you voters, with your money.”  The apparently intended message from Dominion is “See how happy we can make officials.  We can make you look good for your voters too.  If you play with us we will promote you.”

Yet, I hope the questions raised for voters in Denver and elsewhere are:

  • Where are the testimonials from happy voters or average voters recruited to test and provide feedback on the human factors?
  • Where are the evaluations from independent security experts, election integrity experts, and human factors experts?
  • Did wining and dining of officials have anything to do with the product selection or super happy evaluation?
  • How much did this system cost or save for Denver?
  • Should voters question the integrity of this or any other future purchase of equipment and services from Dominion?

Reminds us of those travel promotion ads featuring Connecticut Governors that somehow tend to be shown during election season, touting the benefits of vacationing in Connecticut to residents of Connecticut.  Or those register and vote billboards in that same season prominently featuring the Secretary of the State.

We recommend caution for election officials, along with concern and skepticism for voters and taxpayers.

Aging Voting Machines Sitting Rusts for Hacking

Over the last few years, we have provided many posts on the real risks of Internet voting. A new report, and an article highlighting that report, remind us all of the risks of voting machines in use several years ago: Hack the vote: Cyber experts say ballot machines easy targets

Reminder:  We are still using those machines.

Voter fraud is nearly as old as elections themselves, and different states and precincts use different voting systems and machines. But in many cases, even the electronic ballots could be manipulated remotely, according to a new report by the Commonwealth Security and Risk Management for the Virginia Information Technologies Agency. That report found that the AVS WINVote machines Virginia has used since 2002 have such flimsy security that an amateur hacker could change votes from outside a polling location.

“This means anyone could have broken into the machines from the parking lot,” said Cris Thomas, a strategist with the Columbia, Md.-based Tenable Network Security, one of the nation’s leading cyber and enterprise security firms. “…

“Anyone who thinks that there are not folks out there – from lone hackers to foreign governments – who are willing to exploit the security vulnerabilities of our election system is living in a fantasy world,” said [Hans] von Spakovsky…

[Cris] Thomas said. Manufacturers are not sufficiently testing systems before selling them to municipalities, often using off-the-shelf hardware and software with minimal security; and local government certification agencies seldom have the time, resources or knowledge to properly test machines for vulnerabilities and often just accept the manufacturer’s claims for security…

Data Breach Today – Infinite Future Harm!

From the Intercept, an explanation of the harm of data retention and theft: Data Theft Today Poses Indefinite Threat of “Future Harm”

We hear continuous claims that “I have nothing to hide, so who cares if they have my data”. Let’s look at what might actually happen:

Benjamin Nuss was one of the nearly 80 million people whose social security number and personal information were compromised in this year’s Anthem data breach. He seems to have taken things in stride, continuing his daily routine of sharing computer time with his brother, eating healthy snacks and making crafts. Benjamin is four years old.

While it may seem trivial to think about the harm a preschooler will suffer from a data breach, the question is not what happens to him now, but what will happen years from now. Data theft poses an indefinite threat of future harm, as birthdate, full name and social security number remain a skeleton key of identity in many systems…

If the hackers pursue next steps in cyberespionage, they are likely to use the records they’ve acquired, cross-hatched with information from credit databases and even social media, to see who is vulnerable to blackmail or bribery for financial or personal reasons…

A first-person article by William Gerrity published two years ago by Slate and the website Zócalo Public Square gives a vivid picture of what may lie ahead for those targeted. In 2007, Gerrity was checking his email after a long day working as a real estate developer in Shanghai. “The message greeted me by a nickname known only to family and close friends,” he wrote, “and it contained a proposal: I could pay 1 million renminbi (about $150,000 at the time), in exchange for which the sender would not forward the attachments to my business partners or competitors.”

In this case, the hackers had obtained confidential business documents, as well as personal correspondence about the death of his mother. The FBI advised him to refuse the request, which he did. But imagine that the request was not for payment in cash, but in federal information. And imagine the trade was not in business documents, but evidence of misconduct or criminal behavior on or off the job. That’s bait, if acquired and used, that could be harder for some to refuse…

In fact, federal officials later acknowledged that the OPM breach included what’s called a Standard Form-86, on which new hires (including military and intelligence officials) must reveal details that could make them vulnerable to blackmail or influence, including prior drug use, financial woes, and criminal convictions. The form also asks for ties to citizens of other countries; thus the hackers, if they are Chinese, would quickly be able to determine who has friends and family in their country…

The possibilities are endless, or infinite as the article says. Let’s just say:

  • A teen commits a crime due to negligence, error, or immature intention. It hurts another person, would be embarrassing, and could carry a huge criminal penalty.
  • An adult commits a consensual sexual indiscretion.
  • Even unknown to a person, they make a material error in a business transaction, for instance in a mortgage application or real estate listing, that causes another person or organization significant harm.
  • Such could be used to intimidate that individual at any time, especially if they become a prominent public or private decision maker: a lawmaker, chief executive, department head, Cabinet Member, Judge, regulator or President. Or even a person attaining a lower-level critical position, with security clearances or control over government contracts.
  • Actually, the individual could be, unknowingly, groomed for that position by others who have that information, ready to use at the appropriate time.
  • Perhaps the individual was set up to commit the crime or indiscretion. Perhaps it never actually happened, yet there is enough of a long-buried false record, created for this specific purpose.

Read the article for more details on the risks and the legal issues surrounding this. Be very careful before you ever sign on to accepting a settlement in a class action suit for a data breach.

 

Common Sense: Laws must be Sufficient, Enforceable, and Enforced

Note: This is the eleventh post in an occasional series on Common Sense Election Integrity, summarizing, updating, and expanding on many previous posts covering election integrity, focused on Connecticut.

In one of his books, Gerry Weinberg pointed out that employee evaluations should be multiplicative not additive, that is, the various dimensions of performance and capabilities should be multiplied rather than added to determine the overall value of an employee.  e.g. If my writing and verbal communication are poor, no matter how much technical knowledge I have, what I can contribute is very limited, yet with just average skills in every other area matched with high technical knowledge one can accomplish a lot.  Similarly with great interpersonal skills, yet poor technical judgement, I can be less than valuable!

There is an analogy with laws, including election laws. Laws must be Sufficient, Enforceable, and Enforced, e.g.:

  • Sufficient  –  Laws have to be sufficient to prevent that which they are designed to prevent, or to protect what they have been designed to protect. e.g. In Connecticut we have weak ballot security laws: They do not protect all ballots until they are needed for post-election audits; some of the security requirements are ambiguous, open to multiple interpretations; and are based on unwarranted trust in weak seals and entirely lacking in seal protocols.
  • Enforceable – There has to be a reasonable means of enforcing the law.  Once again, we point to ballot security in Connecticut where it is generally believed (ambiguous law) that two individuals from opposing parties must be involved in any access to ballots, yet most ballots are locked in cabinets in rooms with a single lock, with both registrars and often others having access to a key, along with a log of access maintained by an honor system.
  • Enforced – In reality the law must actually be enforced. In recent years we have seen many examples, from banking fraud and leaks of classified information by high-level officials to campaign finance laws.

We were reminded of these limitations today by an article, one among several recently, on the Federal Elections Commission: More Soft Money Hard Law. The FEC is stymied by partisan gridlock.

We all have seen the lack of strong enforcement against the fraudulent activities of big banks, their management, and employees. Or, perhaps less known, existing trade agreements with environmental and labor protections which are ignored, rendering the provisions that sound powerful, generally meaningless.

So, whenever we ask for sufficient election laws, we remind readers that more is needed. They must also be enforceable and enforced. Missing one of these three components, all value is lost.

Net of Insecurity — risks not anticipated by Founders

The Washington Post has a new set of articles, interviewing some of the founders of the Internet on how it came to be built with insufficient security: Net of Insecurity

“I believe that we don’t know how to solve these problems today, so the idea that we could have solved them 30, 40 years ago is silly,” said David H. Crocker, who started working on computer networking in the early 1970s and helped develop modern e-mail systems…

“People don’t break into banks because they’re not secure. They break into banks because that’s where the money is,” said Abbate, author of “Inventing the Internet,” on the network and its creators.

She added, “They thought they were building a classroom, and it turned into a bank.”

 

9 things about voting machines

The National Council of State Legislatures has released a report on voting machines: Elections Technology: Nine Things Legislators May Want to Know

It makes a strong case for the importance of technology in elections, planning, and understanding the details.

“What makes you lose sleep?” That’s what NCSL staff asked members of the National Association of State Election Directors back in September 2012. The answer wasn’t voter ID, or early voting, or turnout, as we expected. Instead, it was this: “Our equipment is aging, and we aren’t sure we’ll have workable equipment for our citizens to vote on beyond 2016.”

That was NCSL’s wake-up call to get busy and learn how elections and technology work together. We’ve spent much of the last two years focusing on that through the Elections Technology Project, funded by the MacArthur Foundation. One thing we learned is that virtually all election policy choices have a technology component. Just two examples: vote centers and all-mail elections. While both can be debated based on such values as their effect on voters, election officials and budgets, neither can be decided without considering technology. Vote centers rely on e-poll books, and all-mail elections depend on optical scan equipment to handle volumes of paper ballots.

It points to the importance of security in voting systems and the risks of Internet voting, and points out the ‘pressure’ to do Internet voting. We especially highlight an additional borrowed list within the report:

Ten Things to Know About Selecting a Voting System

While NCSL was finalizing its list of “things to know,” Merle King, executive director of the Center for Election Systems at Kennesaw State University in Georgia was working on another brand-new list with a similar goal. His list focuses on what to look for when choosing a voting system. Interestingly, there are no points of disagreement between our list and his and no overlap.

1. A voting system is the core technology that drives and integrates the system—and it is the part the voter touches.

2. Know who does what and why. Without clearly defined roles and responsibilities, problems will occur.

3. The true cost of ownership is the cost to purchase, operate and maintain a voting system over its life span. It is more than you think.

4. The request for proposal (RFP) is your first, last and best chance to get the system requirements right. Systems are never better than the RFPs used to define the requirements.

5. Changing a voting system is like changing tires on the bus … without stopping. A transition plan may allow the seamless migration from the old system to the new system, with minimum disruption.

6. Training and education may cost more than the purchase price of the system when you factor in voter education, poll workers, election officials, etc.

7. How long will new systems last? What shortens their lives? What needs to be done before purchase to ensure long life?

8. All modern voting systems are “multimodal,” meaning they will have to function for vote-by-mail ballots, in-person voting, online ballot return, etc. That means flexibility in the architecture is required to avoid retrofitting later.

9. Either you manage vendors or they manage you. Pick.

10. Know the “known unknowns,” such as security, accessibility, auditability, usability, voter convenience, transparency of process and testing and certification requirements.

Concerned with two partisan registrars? Be careful what you ask for.

How to manage and judge our elections without partisan bias is tough. Occasionally Secretaries of State act in blatantly partisan ways. Cases in recent history include Katherine Harris in Florida and Ken Blackwell in Ohio.

Here in Connecticut the Secretary of the State proposed turning elections over to a single unelected official in each town, rather than the current two elected registrars of opposing parties. Later that bill was changed dramatically – watered down, yet still increasing the Secretary’s powers in several ways, including temporarily suspending registrars. We are skeptical that a single unelected official in each of our 169 towns would actually be non-partisan. We would rather see regionalization with professional administration because it would be more professional, and less likely to be partisan. We are also skeptical of a single elected official being able to suspend other elected officials.

Bi-partisan management/judgement does not always work. It seems to work better in Connecticut towns than it does nationally. Take the Federal Elections Commission – please! A recent article in the Hill: Partisanship stalemates FEC, says report

Meanwhile in Kansas a bill would give the Secretary of State the power to prosecute election fraud.  How one feels about that bill may depend on one’s political opinion of the sitting Secretary and one’s opinion of election fraud.  Similarly one may lean for or against the Connecticut Secretary being able to remove registrars based on the current Secretary.

We suggest caution in Connecticut and in Kansas.