Politics : PRESIDENT GEORGE W. BUSH

To: steve harris who wrote (583213)6/15/2004 11:53:41 AM
From: JBTFD  Read Replies (1) of 769668
 
from Blackboxvoting.org:

Friday May 7, 2004
Stunning Flaws Found in the Certification Model Used to Approve Voting Systems
By Bev Harris

Does anyone find it peculiar that, after reports like the RABA report, the CompuWare report, the SAIC report and the Original report by Avi Rubin, et al., reports which show that software with "stunning, stunning security flaws" (hey, the New York Times said it, not me) — and after two devastating reports demonstrating flaws with Diebold and Sequoia central count systems — after all this, we are allowing the manufacturers to send their "corrected" software versions right back to the same certification labs for approval?

"328 security flaws, 26 deemed 'critical'" — SAIC report.
All four major manufacturers found to have critical security flaws
Hacked in 5 minutes, left no trace — RABA report
Wyle labs admits to certifying Sequoia software despite known flaws — discovery materials from a recent lawsuit

Hey. Guys? Why are we sending the "new and improved" versions right back to the same places that missed all the problems the first time around?

Under the Help America Vote Act (HAVA), we were supposed to revamp certification procedures. Nice idea, but they failed to fund it.

I've been saying for many months now that what we have is an auditing problem, not a certification problem. We've been using the wrong model to ensure the integrity of our elections. We can examine source code until we're blue in the face, but (even with a voter verified paper ballot) that won't provide the safeguards we need. What we have to do is use that ballot to verify the correctness of the election results, and we need to run reports to compare the vote totals as they travel through the system.

This is called auditing. It's not rocket science. It's not computer science either. It involves things like: Comparing the paper ballots against the voting machine totals; comparing the polling machine totals against the central count machine totals; using business reply mail (best) or postal receipts, to compare the number of absentee ballots received with the number counted.

Proper auditing is the solution. Certification is just a side dish. I received this in an e-mail today, and it speaks directly to our flawed certification model:

"A programmer friend gave me an interesting website to look at the other day. This is the rough minutes of an award speech given by Ken Thompson in 1984. Mr. Thompson is the co-creator of an operating system called UNIX. UNIX was first used in 1969 and became the first widely used Operating System for what was then called mini computers (the first desktop computers).

"It gets kind of technical but what he did was reveal to the world that he'd figured out how to get a bug into UNIX, a bug which allowed him to override any password protection by his unique knowledge of the key. It was a bug that would be diabolically hard to track down if done well.

"His quote from this presentation pretty much tells the whole story when it comes to computers. 'The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.'"

Think open source will solve it? Open source, which is the equivalent of writing the program in the town square, in plain view of all the computer programmers in the world who care to watch, is important. It can tell us if someone slipped something undesirable into the code, like the "get firstname lastname birthdate streetaddress city state zip" command that I've seen in the Diebold code, which is used to find the right ballot, but could be tweaked to remove voter privacy.

Open source code, though, won't guarantee that the program is secure. Linux was compromised at one time simply by deleting the "=" sign in one of the many thousands of code lines. It took multiple passes of inspection before someone spotted the change. One senior programmer remarked he had looked right at it and did not see it because it was so cleverly subtle. This bug was found before the code branch was merged into the main Linux branch, but it was a close call, and if the hacker had been a bit more clever, compromising a developer's copy (or if the bug had been put in by one of the developers) it might have gone undetected for a very long time.

I know some computer folks consider this fight their baby, but I find that some of these scientists, because they don't understand simple auditing concepts, try to reinvent the wheel, sometimes don't understand simple procedures and suggest replacing them with procedures that are incorrect, or spend a lot of time refocusing the problem into computer code.

For example: My editorial in the Seattle Times recommends comparing the results from the polling place machines with the central count machine results. I received e-mails from computer programmers saying that would be cumbersome, and recommending putting the central count results on the web instead. That entirely misses the point. That is not an audit, because it takes central count results and compares them with themselves.

But some computer scientists got the auditing model right two decades ago. Just received this email:

"My favorite simple story is The Emperor's New Clothes. Sometimes the obvious such as improving and still not relying on the certification process is not in great demand.

"In the 1980's Roy Saltman of NIST (then the National Bureau of Standards) wrote a paper on computerized voting.

"His principal thesis (paraphrasing) was that vote management is accounting just like with money. At the appropriate time before an election a vote is deposited in the account of every eligible voter for each qualified office and question. That vote must be tracked through the election with no loss of control (chain of evidence)."

(from John Medcalf, CEO of VOTEC Corp)

John, and Roy Saltman, are dead-on.

Counting votes is just bookkeeping. As in accounting, we may use a computer to help us, but the computer can't dictate the procedures. Certification won't save us, but sensible, publicly observed, appropriately chosen auditing procedures will restore trust quickly.
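The auditing procedure the post describes (paper ballots against machine totals, precinct machine totals against the central count, absentee envelopes received against absentee ballots counted) is simple enough to write down as a reconciliation script. The following is an added example written for this page, not code from Black Box Voting, VOTEC or any election system; every figure in it is constructed for illustration, and the candidate names, precinct labels and the `Finding` record are assumptions of the example. It also applies Saltman's accounting view from the quoted e-mail as a consistency rule: votes recorded in a contest can never exceed the ballots cast in that precinct.

```python
"""Election-result reconciliation in the style the post calls for.

Each check compares two independently produced numbers. A check that
compares a total with itself (e.g. central count against central count
published on the web) is deliberately absent, because it is not an audit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One discrepancy found by the audit (hypothetical record type)."""
    check: str      # which comparison failed
    where: str      # precinct, contest or stage it applies to
    expected: int   # value from the source the check treats as authoritative
    observed: int   # value reported by the stage being audited


CANDIDATES = ("A", "B")  # constructed two-candidate contest

# Constructed sample data; these are not figures from any real election.
PRECINCT_MACHINE_TOTALS = {
    "P-01": {"A": 120, "B": 95, "ballots_cast": 220},
    "P-02": {"A": 80, "B": 110, "ballots_cast": 190},
}
PAPER_BALLOT_HAND_COUNT = {
    "P-01": {"A": 120, "B": 95, "ballots_cast": 220},
    "P-02": {"A": 80, "B": 112, "ballots_cast": 192},  # two ballots the machine did not report
}
CENTRAL_COUNT_TOTALS = {"A": 200, "B": 215}  # B is 10 above the precinct sum
ABSENTEE_RECEIVED = 150  # envelopes logged via business reply mail / postal receipts
ABSENTEE_COUNTED = 148   # absentee ballots the central count says it tallied


def reconcile_precincts(machine, paper):
    """Paper hand count vs. polling-place machine totals, plus an overvote sanity check."""
    findings = []
    for precinct, m in machine.items():
        p = paper[precinct]
        for key in CANDIDATES + ("ballots_cast",):
            if m[key] != p[key]:
                findings.append(Finding("paper_vs_machine", f"{precinct}/{key}", p[key], m[key]))
        # Accounting rule: a contest cannot record more votes than ballots cast
        # (undervotes are fine, a surplus is not).
        votes = sum(m[c] for c in CANDIDATES)
        if votes > m["ballots_cast"]:
            findings.append(Finding("votes_exceed_ballots", precinct, m["ballots_cast"], votes))
    return findings


def reconcile_central(machine, central):
    """Sum of polling-place machine totals vs. the central count, per candidate."""
    findings = []
    for c in CANDIDATES:
        precinct_sum = sum(m[c] for m in machine.values())
        if precinct_sum != central[c]:
            findings.append(Finding("precinct_sum_vs_central", c, precinct_sum, central[c]))
    return findings


def reconcile_absentee(received, counted):
    """Absentee envelopes received (independent mail record) vs. absentee ballots counted."""
    if received != counted:
        return [Finding("absentee_received_vs_counted", "absentee", received, counted)]
    return []


def run_audit(machine=PRECINCT_MACHINE_TOTALS, paper=PAPER_BALLOT_HAND_COUNT,
              central=CENTRAL_COUNT_TOTALS, received=ABSENTEE_RECEIVED,
              counted=ABSENTEE_COUNTED):
    """Run every comparison and return the list of discrepancies (empty list = clean)."""
    return (reconcile_precincts(machine, paper)
            + reconcile_central(machine, central)
            + reconcile_absentee(received, counted))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.check:28} {f.where:18} expected {f.expected:>5}  observed {f.observed:>5}")
```

On the constructed data the audit reports four discrepancies: the P-02 hand count disagrees with its machine on candidate B and on ballots cast, candidate B's central total is ten higher than the precincts add up to, and two fewer absentee ballots were counted than envelopes were received. Each finding names the two independent sources that disagree, which is exactly the kind of report the post says should be run as the totals travel through the system.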