
17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS 17-803/17-400 Electronic Voting Session 6: The Diebold Reports Michael I.


Slide 1: 17-803/17-400 Electronic Voting, Fall 2004. Copyright © 2004 Michael I. Shamos
Session 6: The Diebold Reports
Michael I. Shamos, Ph.D., J.D.
Institute for Software Research International, Carnegie Mellon University

Slide 2: Outline
- Rubin (Johns Hopkins) Report
- SAIC Report
- RABA Report
- Schade v. Maryland State Board of Elections

Slide 3: Diebold demo. The Diebold System
- AccuVote-TS: 75,000 in US; used statewide in GA, MD
- Global Election Management System (GEMS): 1,000 in US
- Audio feature

Slide 4: Diebold Audit Trail
- Maryland Election Code § 9-102. Certification of voting systems. “(c) Standards for certification. The State Board may not certify a voting system unless the State Board determines that: … the voting system will: … (vi) be capable of creating a paper record of all votes cast in order that an audit trail is available in the event of a recount.”
- Diebold audit trail is similar to Hart Intercivic: a computer file that is printed after the polls are closed

Slide 5: Diebold System (Preparation)
- County prepares ballot definitions on GEMS system
- Transfers ballot definitions to voting machine on machine-readable media (or by FTP)
- Machines are distributed to polling places

Slide 6: Diebold System (Election Day)
- Officials verify a voter’s eligibility to vote
- Voter receives a signed paper Voter Authority Card (VAC) (used for later verification of vote totals)
- Voter presents VAC to a different election official
- Voter receives a smartcard and is directed to a voting machine
- Official puts the VAC in an envelope attached to the machine
- Voter inserts smartcard into machine to activate ballot

Slide 7: Diebold System (Post-Election)
- Polls are closed
- Vote totals printed out for each machine, signed by election judges
- Unofficial totals uploaded to county GEMS server by modem
- Memory cartridges sent to county canvassing board
- Statewide canvass lists all results from all polling places; can be verified by election judges

Slide 8: Rubin Report
- “Voters can easily program their own smartcards”
- “With such homebrew cards, a voter can cast multiple ballots without leaving a trace” – FALSE
- Voter can perform administrative actions: viewing partial results, terminating the election
- No cryptography in vote reporting
- “Even unsophisticated attackers can perform untraceable ‘man in the middle’ attacks”

Slide 9: Rubin Report
- Code written in C++, not type-safe
- No evidence of disciplined software engineering
- No evidence of change-control procedures
- Buffer overflows

Slide 10: Rubin Report
- Voting terminal runs Windows CE
- Could expose system to attack
  - audio library fmod is used; can access voting program memory
- Ballot definitions in election.edb file
- Ending the election: “ender” administrator card + PIN
  - PINs insecure in Diebold
- Protective counter implemented poorly (total stored in an unencrypted file)
- Tampering with ballot definitions

Slide 11: Rubin Report
- Impersonating a voting terminal during upload
- Hard-coded DES key
- Tampering with election results
  - weak cryptography
- Sequential vote storage file
- Linear congruential random number generator for serial numbers
  - generates a sequence X_{i+1} = (a X_i + c) mod m given parameters a, c, m, X_0 (the “seed”)
- Audit log (not the ballot images) weakly encrypted
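Why the serial-number finding matters, as an added example (not code from the Rubin report, from Diebold, or from these slides): an LCG is fully determined by a, c, m and the seed, so anyone who knows them can regenerate the sequence and put a shuffled vote file back into casting order, which is exactly the linkage the sequential storage finding above warns about. The parameter and seed values are constructed for illustration; the contrast function uses the OS CSPRNG, which has no seed to replay.

```python
# Added example, not code from the Rubin report or from Diebold.
# a, c, m and SEED are constructed values chosen only for illustration.
import random
import secrets

def lcg(seed, a, c, m, n):
    """Return the first n outputs of X_{i+1} = (a * X_i + c) mod m, X_0 = seed."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out

def recover_cast_order(records, seed, a, c, m):
    """records: (serial, choice) pairs in whatever order they were stored or
    exported. If the serials came from an LCG whose parameters and seed are
    known, regenerating the sequence gives the position of every record,
    i.e. the order in which the votes were cast. Returns None when a serial
    is not in the regenerated sequence (the generator cannot be replayed)."""
    position = {s: i for i, s in enumerate(lcg(seed, a, c, m, len(records)))}
    if any(serial not in position for serial, _ in records):
        return None
    return [choice for _, choice in sorted(records, key=lambda r: position[r[0]])]

def unpredictable_serials(n, m):
    """Serials from the OS CSPRNG: no seed exists, so nothing can be replayed."""
    return [secrets.randbelow(m) for _ in range(n)]

A, C, M, SEED = 1103515245, 12345, 2 ** 31, 20040119   # constructed example values

def demo(choices):
    """Shuffle LCG-serialled records, then show the casting order comes back."""
    serials = lcg(SEED, A, C, M, len(choices))
    records = list(zip(serials, choices))
    random.Random(7).shuffle(records)       # records are no longer in cast order
    return recover_cast_order(records, SEED, A, C, M)

if __name__ == "__main__":
    votes = ["Alice", "Bob", "Alice", "Carol", "Bob", "Alice"]
    print(demo(votes) == votes)             # True: casting order is recoverable
```

With a full-period LCG (c odd, a - 1 divisible by 4, m a power of two) the serials never repeat within m outputs, so the mapping back to casting order is exact.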

Slide 12: Rubin Report Summary

Slide 13: SAIC Report
- Report commissioned by Maryland Governor Ehrlich
- SAIC = “Science Applications International Corporation”
- SAIC is the “largest employee-owned R&D engineering company in the US.” 44,000 employees; 150 locations
- State of Maryland is a large customer of SAIC
- No election expertise: SAIC website contains no occurrence of “voting,” “Diebold” or “election”
- “The system, as implemented in policy, procedure, and technology, is at high risk of compromise. Application of the listed mitigations will reduce the risk to the system.”

Slide 14: SAIC Report
- “While many of the statements made by Mr. Rubin were technically correct, it is clear that Mr. Rubin did not have a complete understanding of the State of Maryland’s implementation of the AccuVote-TS voting system, and the election process controls or environment.”
- “In general, most of Mr. Rubin’s findings are not relevant to the State of Maryland … because the voting terminals are not connected to a network.”
- “LBE procedures and the openness of the DRE voting booth mitigate a large portion of his remaining finding.”

Slide 15: SAIC Recommendations (Diebold)
- Apply cryptographic protocols to protect vote transmission
- Change default passwords and passwords printed in documentation immediately
- Remove the GEMS server from any network connection
- Rebuild the server from trusted media and validate it has not been compromised
- Remove all extraneous software from the GEMS server

Slide 16: SAIC Recommendations (Process)
- Bring system into compliance with Maryland Information Security Policy and Standards
- Create Chief Information Systems Security Officer within the State Board of Elections
- Develop formal, documented set of policies and procedures
- Create a formal System Security Plan
- Require 100 percent verification of results transmitted to media
- Require review of audit trails
- Provide formal info security training
- Review any system modification by a risk assessment process
- Implement a documented process to respond to unauthorized access attempts
- Document how the “general support system” identifies access to the system

Slide 17: SAIC Recommendations (Process)
- Verify that the ITA-certified version of software and firmware is loaded
- Modify Logic and Accuracy testing to include testing of “time-oriented exploits”
- Discontinue ballot distribution by FTP
- Implement an iterative process to ensure integrity of the system is maintained

Slide 18: RABA Report
- Commissioned by Maryland legislature
- Financed by Spring Capital Partners LP
- “Top tier information technology services for government and commercial applications”
- Former National Security Agency employees
- No election expertise
- Laboratory “Red Team” exercise

Slide 19: RABA Report
- On the Rubin Report: “The subsequent revelation of a conflict of interest involving one of its authors with a Diebold competitor has only served to detract from the substance of the results.”
- “Many of the statements made by the authors appear to function more as attention gathering ‘sound bites’ than actual statements of fact.”
- “Had the authors approached the State Board of Elections with their preliminary findings, many of their false hypotheses could have been corrected and the discussion not diluted by specious claims.”

Slide 20: RABA Report
- Report generally agrees with Rubin and SAIC opinion on code quality (poor)
- RABA conducted a Red Team exercise January 19, 2004
- Eight computer security specialists, none with election expertise
- Exercise conducted in a laboratory, not under election conditions
- No one from the State Board of Elections was present

Slide 21: RABA Recommendations
- Create smartcards with computer-generated passwords by precinct
- Apply tamper tape to AccuVote-TS terminals
- Institute procedures to prevent use of unauthorized Supervisor cards
- Add locks to prevent removal of PCMCIA cards from machines
- Prevent screen from being disconnected
- Secure physical access to the AccuVote

Slide 23: RABA GEMS Recommendations

Slide 24: RABA GEMS “Immediate Recommendations”
1. Install all Microsoft security patches on servers
2. Ensure modem access to servers only when expected
3. Block at firewall all ports not needed by GEMS
4. Update anti-virus software
5. Turn off all services not needed by GEMS
6. Install Tripwire to enable configuration audit
7. Disable “autorun” in the Windows registry
8. Lock the front panel, store server in a secure location; use tamper tape
9. Change boot order to hard drive first; password protect the BIOS

Slide 25: Tripwire (source: Tripwire)
- Portland, OR software company
- Change monitoring and analysis software
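What the “configuration audit” in item 6 of the GEMS recommendations amounts to, as an added example (not Tripwire’s code and not from the RABA report): hash every file once the server has been rebuilt from trusted media, keep that baseline off the machine, and diff it against a fresh snapshot before each election. The file tree below is constructed to stand in for a GEMS install; the names are illustrative only.

```python
# Added example, not Tripwire's code and not from the RABA report.
# Minimal file-integrity check: baseline of SHA-256 digests vs. a new snapshot.
import hashlib
import os
import tempfile

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_digest(full)
    return result

def compare(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Constructed tree standing in for a GEMS install, then three changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "gems"))
        write(root, "gems/gems.exe", b"MZ trusted build")            # constructed
        write(root, "gems/gems.ini", b"[server]\nmodem=off\n")        # constructed
        write(root, "gems/readme.txt", b"docs")                       # constructed
        baseline = snapshot(root)          # taken right after the trusted build
        write(root, "gems/gems.ini", b"[server]\nmodem=on\n")         # config edited
        write(root, "gems/extra.dll", b"unexpected")                  # file dropped in
        os.remove(os.path.join(root, "gems/readme.txt"))              # file deleted
        return compare(baseline, snapshot(root))
```

A baseline stored on the server itself can be edited alongside the files it describes, so keep it on write-once or offline media signed by the election officials who took it.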


Slide 27: A Well-Designed e-Voting Machine (diagram; component labels recovered from the figure)
- Read-only memory holding software from a trusted source (not the vendor) and ballot setup data
- Proprietary operating system (not Windows)
- Random access memory
- Write-once memory for voter choices, with an internal paper trail
- 16-hour battery
- No ports, no connectors, no modem, no wireless, no internet
- Totals report signed by election judges
- Write-once memory to county board
- Machine sealed with paper trail

Slide 28: Q & A

