Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Evidence Mounts that the Vote Was Hacked
From: "Gary Halleen \(ghalleen\)" <ghalleen () cisco com>
Date: Wed, 10 Nov 2004 15:29:05 -0800

Political commentary by a left-leaning talk show host is not worthy of
posting to this list. 

It's unfortunate the moderator allowed the posting at all.  This article
contained only opinions regarding the discrepancies between the exit polls
and final election results.

I'm not interested in entertaining thoughts of a group of hackers changing
the results of an election, or of a massive conspiracy between elections
managers manually changing Access databases, unless you can back it up with
actual factual data.  

Show us log files, packet captures, or e-mail messages from the conspirators
or leave this commentary to gossip columns where it belongs.

Gary

 

-----Original Message-----
From: Jei [mailto:jei () cc hut fi] 
Sent: Tuesday, November 09, 2004 10:41 PM
To: Jay D. Dyson
Cc: Bugtraq; full-disclosure () lists netsys com
Subject: Re: Evidence Mounts that the Vote Was Hacked

On Tue, 9 Nov 2004, Jay D. Dyson wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 8 Nov 2004, Atom 'Smasher' wrote:

Evidence Mounts that the Vote Was Hacked

      Read the whole thing and didn't see any evidence.  Just wild 
speculation and baseless conjecture.  Hell, there were countless 
counties across the nation in which more people were registered to 
vote than were eligible residents, but -- for some reason -- that ain't
news.

It would be _major_ news, were it not America where it happened.
Even India managed to hold a secure digital election recently, without any
such major exit poll or other discrepancies happening.

Also note that Americans aren't the only people in the world with capable
intelligence agencies. Teenage kid hackers aren't the only people who might
influence US elections' outcomes, given a viable chance. You need to
consider all the factors.

Digital voting needs to be as secure and reliable as bank accounts are from
an independent (democratic) nation's national security point of view. A
digital vote discrepancy == national bank account discrepancy, in it's
importance, in this regard.

Arguing that vote discrepancies don't really matter, is like a system admin
arguing that system binary checksum discrepancies do not matter.

In any case, it means you're royally f*cked, and although you may wish to
fantasize otherwise, it doesn't change the reality.

You need to know that you're secure, or your security people aren't doing
their job.

// Jei

http://www.infosecwriters.com/hhworld/hh9/voting.txt

                 Hitchhiker's World (Issue #9)
              http://www.infosecwriters.com/hhworld/

                     Observable Elections
                     --------------------

     Vipul Ved Prakash <mail () vipul net>
     November 2004


     This is an interesting time for electronic voting. India,
     the largest democracy in the world, went completely paper-
     free for its general elections earlier this year. For the
     first time, some 387 million people expressed their
     electoral right electronically. Despite initial concerns
     about security and correctness of the system, the election
     process was a smashing success. Over a million electronic
     voting machines (EVMs) were deployed, 8000 metric tonnes of
     paper saved[1] and the results made public within few hours
     of the final vote. Given the quarrelsome and heavily
     litigated nature of Indian democracy, a lot of us were
     expecting post-election drama, but only a few, if any,
     fingers were found pointing.

     Things didn't fare so well in the United States. The
     Dieobold electronic machines, slated for use in many states
     for the November 2004 Federal elections, turned out to have
     rather large security holes. Cryptography experts, Avi Rubin
     et al, did a formal analysis of the machines and found that
     they could be subverted to introduce votes that were never
     casted[2]. An independent government-backed analysis
     confirmed this[3] and concluded that the Diebold voting
     system "as implemented in policy, procedure, and technology,
     is at a high risk of compromise."

     It is clear, even to a cursory observer, that Diebold
     systems are sloppily designed, never mind the sloppiness is
     a function of incompetence or intent. The recent controversy
     from the "Black Box Voting" security advisory titled "the
     Diebold GEMS central tabulator contains a stunning security
     hole"[4] has added to the confusion. It claims that a code
     entered at a remote location can replace the real vote count
     with a fabricated one. This security hole, discovered last
     year, is still not fixed says the advisory. In response,
     Diebold claims that this is possible, but only in debug
     mode, which does little to make people confortable.

     What is disturbing to me as a technologist is the
     burgeoning public opinion that electronics is an unviable
     medium for conducting the serious business of elections.
     Over the last year I've seen numerous formal reports and
     articles in popular press[5] equating the failures of
     Diebold systems with the untenability of electronic voting.
     This is rather silly. Diebold systems are not only poorly
     engineered, they are also seriously flawed in design. Even
     if they were immaculately bug-free, they are so far from
     what electronic voting systems should be, that I have
     trouble categorizing them as "voting systems". "Electronic
     counters" is more accurate.

     Various augmentations have been proposed to Diebold systems;
     most revolve around parallel paper trails. Verified
     Voting[6] for example proposes that a vote be printed based
     on the voter's touch-screen selection, so the voter can
     touch, feel and verify their vote before casting it into a
     traditional ballet box. These votes would then be processed
     with an OCR type machine to compute a cumulative result and
     the physical votes would be saved so an independent party
     can verify the electronic result at a latter date. This is a
     reasonable tradeoff -- after all integrity of elections is
     way more important than saving trees and time.

     While this is the best recommendation for the upcoming
     elections, it subtly promotes the primacy of paper and
     distrust in electrons. We know that paper elections are no
     more secure. The history of vote tampering in paper based
     elections is quite illustrious (I'll simply refer the gentle
     reader to [7]) and the reason electronics was considered in
     the first place was to eliminate such tampering. Verified
     Voting recommends that count of the physical votes is to be
     considered superior than that of the electronic counterparts
     in case of a difference. What happens if the process of this
     count is tampered using traditional methods? We are back to
     square one.

     The central point that I want to get across in this paper is
     that the promise of electronic voting is not merely a
     quicker, slightly more secure and ecologically enlightened
     replacement for paper elections. Electronic voting, if
     implemented correctly, could be a major qualitative leap,
     not only changing the way in which we approach democratic
     elections, but also the the way in which we expect a
     democratic government to function.

     Cryptographic Integrity

     I want to draw attention to the work done by cryptographic
     community in the last 20 years to study, formalize and solve
     many of the problems of Internet Voting. This area of work
     is focused on building election systems that leave behind a
     trail of mathematical proofs of the integrity of the voting
     process. With mathematical solutions to the common issues of
     vote tampering, it becomes unnecessary to trust election
     officials and it becomes possible to build voting systems
     that are open and universally verifiable.

     A voting system for appointing a democratic government has
     certain "ideal properties". These are rather obvious, but I
     recount them for the purpose of this discussion. First, all
     votes must be counted exactly like they were casted.
     Altering a vote, or leaving one out from the final tally
     must be impossible. Ballot stuffing, ie. artificial
     injection of invalid votes must be impossible as well. The
     system should reject non-eligible voters, and ensure
     eligible users can cast only a single vote. And, finally,
     votes must be absolutely anonymous -- even the voter should
     be unable to prove the way in which they voted. Systems like
     Diebold's depend on large-scale observation to uphold the
     ideal properties. Large-scale observation is hard, and once
     an act of tampering is done, there is little that can be
     done to detect or correct it. The attacks such as the one
     described by the Black Box Voting advisory are particularly
     heinous, since they compromise the entire election process.

     The ideal properties are true in paper elections when they
     are implemented perfectly, but the nature of paper precludes
     proofs of correctness without compromising anonymity. The
     problems are much the same as in the "Electronic Counter"
     systems; without correctness proofs, it is largely
     infeasible to detect and correct tampering.

     Cryptographers have been trying to emulate the property of
     anonymity that is inherent to paper when it us used as cash
     or votes. The research in the field has led to invention of
     several mathematical primitives and computing systems that
     not only model paper but go beyond to provide proofs of the
     properties they emulate. Techniques like blind signatures,
     homomorphic encryption, digital mixes and onion routing have
     been used to build systems that provide strong anonymity.

     The pioneering cryptographer David Chaum introduced the
     blind signature in order to build permit truly anonymous
     interaction on the Internet[8]. Since then, they have been
     applied to all manner of problems from untraceable
     electronic cash to electronic voting schemes. Blind
     signatures are a class of digital signatures that allow a
     document to be signed without revealing its contents. The
     effect is similar to placing a document and a sheet of
     carbon paper inside an envelope. When the envelope is
     signed, the signature transfers to the document and remains
     on it even when the envelope is removed.

     In his paper, Chaum hinted that blind signatures could be
     used for secret ballot elections. Fujioka, Okamoto, and
     Ohta[9] created the first significant blind signature based
     voting protocol, which made it practical to use blind
     signatures in democratic elections. However, some problems
     were discovered in their work, most notably the system's
     vulnerablity to a corrupt election authority. I present a
     system, dubbed ``Athens'', that builds on their work, but
     solves several problems in their model. I also focus on a
     real-world election system, rather than an Internet one, and
     adopt a pragmatic approach, in that I make use of physical
     resources like volunteers and physical infrastructure
     usually available for large-scale democratic elections.
     Athens also borrows elements and thinking from the
     Sensus[10] system and David Chaum's recent work on Visual
     Cryptography[11].

     Design of Athens

     The basic procedure for conducting a democratic election is
     fairly standard. The procedure has four tasks: Registration,
     Validation, Collection and Tallying. In Athens, these four
     tasks are carried out with a few specialized machines and
     software, most of which are connected through the Internet.
     While Athens employs an Election Authority to oversee the
     process of elections, it does away with the dependence on
     trustworthiness of one. Athens philosophy is that there are
     no truly non-partisan parties; even the Election Authority
     can't be completely trusted. The Athens model is closer to a
     "game" between contesting parties, such that the only way to
     cheat in the game is for all competitors to collude - an
     axiomatic impossibility. The Election Authority performs
     tactical tasks to optimize the election process, but all
     tasks performed by the Authority are open to review by
     competing parties.

     Registration

     Registration is the process of determining eligible voters,
     and is conducted by the "Registrar" -- a distributed
     authority put in place by the Election Authority. The Athens
     registration process involves validating voters (through
     traditional means) and registering their "Voter Public Key"
     in the "Register." The corresponding "Voter Secret Key"
     remains with the voter, magnetically encoded (or bar coded
     for cheaper implementation) on a "Voting Card".

     The keys are generated through the "Voting Card Creator
     Machine". The Card Creator Machine is also implemented as
     software that can be used by a voter on their home computer.
     It is not hard to imagine Card Creators installed in local
     registration offices or even at Kinko's and shopping malls,
     where they charge a few dollars for generating a card.
     Fairness in design is important, because Card Creators could
     compromise the security of the system by storing the key
     pairs they generate.

     A card creator is mostly an RSA key generator - it needs
     computing power of a 300 Mhz PC, and is constructed fairly
     cheaply. Once the voter enters their personal information
     into the machine, it spits out two cards: one with the
     public key, that is handed over to the Registrar and the
     other with the secret key and identification information
     required by the Election Authority (like the social security
     number of the voter.) The second card is known as the
     "Voting Card" and is used to validate the voter at the time
     of elections. Both cards also contain a large random number,
     known as the Voter Id. This is used throughout the voting
     process to facilitate lookups in the Register without
     compromising the privacy of the voter.

     Once all voters have handed their Voter Public Key Card over
     to the Registrar, the registration process is considered to
     be complete. As with traditional elections, there is a cut-
     off date for this process.

     On completion of registration, the Election Authority hands
     the Register over to all the competitors. The competitors
     then check every 1 in 1000 entries (or more according to
     their capacity) to ensure that they belong to a legitimate
     voter, i.e. it isn't a fake entry inserted by a corrupt
     competitor to stuff the ballot. This process is woefully
     lacking in elections of today, and a hence a major vector
     for election fraud. Mathematics can do little to alleviate
     the dangers of registering fake voters, but competitors who
     depend on the correctness of the Register and raise funds
     for the purpose can easily perform this task. Register
     verification would be a lucrative business for independent
     professional services organizations, so it is not hard to
     imagine such organizations sprouting up to assume delegation
     of this responsibility.

     The competitors also put the Register on the Internet before
     the election so that voters can ensure their voter key is
     present in all copies of the Register. When requested, each
     competing party provides a digitally signed proof that the
     voter is registered to vote, i.e. their key is present in
     the Register. The voter, if denied the right to vote, can
     take this proof to a court of law. A pre-voting verification
     of eligibility limits the kind of fiasco that occurred in
     Florida during the Presidential elections of 2000, where a
     large number of people were denied vote.

     Validation

     In most electronic voting protocols, there exists the notion
     of the "Validator" - a party that holds the Register and
     validates voters during the election. In Athens, the
     competing parties, that were handed a copy of the Register
     in the previous step, all serve as Validators. Athens,
     therefore, is a multi-validator system. It is reasonable to
     assume that independents or fiscally constrained parties
     would team up and have a single Validator represent them.

     Validators are connected to the Internet and run Validation
     software, that accepts validation requests over a TCP port.
     The Validators are firewall'ed off to accept data only from
     certain IP addresses. The Electronic Voting Machines talk to
     the Validators via a Proxy. EVMs could theoretically talk
     directly to Validators, but the reasons for using a proxy
     will become apparent later. The Proxy is operated by the
     Election Authority and observed by representatives from all
     competing parties.

     Validators have their own RSA key pair, the public portion
     of which is published widely over the Internet. They also
     maintain two lists (other than the Register). This is the
     list of voters who have casted a vote and a list of
     corresponding validation requests.

     Before the commencement of the election, the Election
     Authority chooses a a random number which is known as the
     "Election Number". The only property of this number is its
     uniqueness to the election - it should not have been used in
     a previous election. The Election Number is distributed to
     all Validators.

     Electronic Voting Machines (EVMs) used in Athens are quite
     unlike Diebold's or the ones used in the Indian elections.
     Athens' EVMs are simply "agents" that vote on behalf of the
     voter. Each EVM has an Id and a RSA key pair. The public
     part of the EVM key is published widely over the Internet.
     Communications initiated by the EVM are signed with EVMs
     secret key. The elections are considered formally commenced,
     when the Validators broadcast the Election Number and their
     public keys to EVMs via the Proxy.

     The Athens Voting Protocol

     The voter enters a private booth and swipes their Voting
     Card on the EVM. The EVM reads the secret key and the Voter
     Id off the Card. The EVM has a little printer attached to
     it, much like a cash register receipt printer, on which it
     prints out the Voter Id. It the sends the voter Id off to
     the Validators via the proxy to initiate a "voting session"
     on behalf of the voter. If the voter has already casted a
     vote, Validators return a "proof" of previously casted vote.
     The proof and its implications are discussed a little later.
     If there's no previous vote, the Validators send a positive
     acknowledgment and the EVM asks the voter to cast a ballot.
     The voter enters their vote using the on-screen display. The
     EVM concatenates the Voter's choice with the Election Number
     (EN) and the result is encrypted with a secret key (randomly
     generated) using a symmetric cipher like AES. The encrypted
     ballot is then blinded. At this point, the EVM has:

[....]

http://www.infosecwriters.com/hhworld/hh9/voting.txt


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]