[VVSG-post-election] Single Point of Failure - the Scan Head - RE:
Stephen Berger
Good points.
Let add to the landscape that currently we have a single point of failure that I think deserves some attention. That point is when the ballot is scanned. Typically the scan mechanism is not specified and the initial processing software is not specified. Almost all, actually to my knowledge all of the scanners first throw away a lot of information. Modern scanner electronics is able to get excellent resolution and color differentiation. There is a lot that can be done with high quality can images. However, the scanner software immediately throws away most of that information and make everything black or white. This is done because it makes mark recognition easier and it saves on machine memory. However, what is a vote is determined not off the image of the ballot but the processed image. To make matters worse, neither the VVSG or any election official, decides when a pixel should be determined to be black or white or how many pixels make a valid mark. This is left to each company and even each design team at each company. Even worse, it is often decided by the scanner engine manufacturer and that software is very examined in any of our processes.
It would seem worth paying some attention to what happens between the ballot being feed to the scanner and a decision being made about what votes are on that paper. It also seems reasonable that election officials should be the ones deciding how big a mark is a valid mark and how various kinds of uncertain marks should be dealt with.
Best Regards,
Stephen Berger
TEM Consulting, LP
Web Site - <http://www.temconsulting.com> www.temconsulting.com
E-MAIL - <mailto:stephen.berger at ieee.org> stephen.berger at ieee.org
Phone - (512) 864-3365
Mobile - (512) 466-0833
FAX - (512) 869-8709
From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Susan Eustis
Sent: Thursday, July 28, 2016 8:31 AM
To: Arthur Keller <ark at soe.ucsc.edu>
Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
Subject: Re: [VVSG-interoperability] By November, Russian hackers could target voting machines
Arthur, I agree, I concur. My new book lays this scenario out in detail and provides suggestions for preventing the hacks, ways to protect the integrity of the election results, there needs to be safe guards and automatic recounts the very next day with observers representing all candidates, no matter whether the election was close or not. There needs to be an audit trail and a way to protect the integrity of the balloting that occurs before election day. There needs to be a way for the observers to make a duplicate of the original ballots as the recount goes on and to run those through their own counting scanner to determine the validity of the election. There needs to be a way to interrupt the recount at any time if someone has to go to the bathroom or falls asleep so that the recount process has continuity and integrity. Things like this.
Susan
On Thu, Jul 28, 2016 at 9:22 AM, Arthur Keller <ark at soe.ucsc.edu <mailto:ark at soe.ucsc.edu> > wrote:
But vote tabulation and especially roll up is often connected to the Internet. And with the lack of effective audits in more jurisdictions, hacking the Internet-connected vote tabulation systems would do the trick.
In particular, if the vote tabulation system is connected to the web reporting system, then that's an avenue for attack.
There's a difference between auditable and actually audited. If the results are sufficiently skewed on election night, post election audits may not matter anyway. They didn't even matter in Florida in 2000 where the election was close.
Could the programming of electronic voting machines be hacked in a Stuxnet type attack while they are loaded with the election data file?
If China can hack Google, do we really believe there's no way Russia can't hack enough counties or states to change the outcome of the presidential election?
Best regards,
Arthur
On Jul 28, 2016, at 6:07 AM, Deutsch, Herb <hdeutsch at essvote.com <mailto:hdeutsch at essvote.com> > wrote:
Voting machines are not attached to the internet. You can?t hack them without physical control and that is auditable.
From: vvsg-interoperability-bounces at nist.gov <mailto:vvsg-interoperability-bounces at nist.gov> [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
Sent: Thursday, July 28, 2016 12:30 AM
To: John Wack
Cc: vvsg-election; vvsg-pre-election; vvsg-post-election; vvsg-interoperability
Subject: [VVSG-interoperability] By November, Russian hackers could target voting machines
What should the election community do about this threat?
Best regards,
Arthur
By November, Russian hackers could target voting machines
If Russia really is responsible, there's no reason political interference would end with the DNC emails.
By Bruce Schneier July 27 at 3:10 PM
Bruce Schneier <https://www.schneier.com> is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is <https://www.schneier.com/book-dg.html> Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
Russia was behind the hacks into the Democratic National Committee?s computer network that led to the release of thousands of internal emails just before the party?s convention began, U.S. intelligence agencies have reportedly <http://www.nytimes.com/2016/07/27/world/europe/russia-dnc-hack-emails.html> concluded.
The FBI is investigating. WikiLeaks promises <http://www.cnn.com/2016/07/26/politics/julian-assange-dnc-email-leak-hack/> there is more data to come. The political nature <http://www.defenseone.com/technology/2016/07/how-putin-weaponized-wikileaks-influence-election-american-president/130163/> of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation?s computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November ? that our election systems and our voting machines could be vulnerable to a similar attack.
If the intelligence community has indeed ascertained that Russia is to blame, our government needs to decide what to do in response. This is difficult because the attacks are politically partisan, but it is <http://arstechnica.com/security/2016/06/guest-editorial-the-dnc-hack-and-dump-is-what-cyberwar-looks-like/> essential <https://www.balloon-juice.com/2016/07/26/we-are-at-cyber-war-so-what-exactly-do-we-do-about-it/> . If foreign governments learn that they can influence our elections with impunity, this opens the door for future <http://www.huffingtonpost.com/michael-gregg/top-six-ways-hackers-coul_b_7832730.html> manipulations, both document thefts and dumps like this one that we see and more subtle manipulations that we don?t see.
Retaliation is politically fraught and could have serious consequences, but this is an attack against our democracy. We need to confront Russian President Vladimir Putin in some way ? politically, economically or in cyberspace ? and make it clear that we will not tolerate this kind of interference by any government. Regardless of your political leanings this time, there?s no guarantee the next country that tries to manipulate our elections will share your preferred candidates.
Even more important, we need to secure our election systems before autumn. If Putin?s government has already used a cyberattack to attempt to help <http://talkingpointsmemo.com/edblog/trump-putin-yes-it-s-really-a-thing> Trump win, there?s no reason to believe he won?t do it again ? especially now that Trump is inviting the ?help.? <https://www.washingtonpost.com/politics/democratic-national-convention-obama-biden-kaine-set-to-tout-clinton-as-commander-in-chief/2016/07/27/afc57884-53e8-11e6-bbf5-957ad17b4385_story.html?hpid=hp_hp-top-table-main_trump-1230pm%3Ahomepage%2Fstory>
Over the years, more and more states have moved to electronic voting machines and have flirted with Internet voting. These systems are <http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/> insecure <https://www.statslife.org.uk/significance/politics/2288-how-trustworthy-are-electronic-voting-systems-in-the-us> and <https://www.salon.com/2011/09/27/votinghack/> vulnerable <https://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security> to <http://whowhatwhy.org/2015/08/31/foreigners-could-hack-us-elections-experts-say/> attack <http://www.popsci.com/gadgets/article/2012-11/how-i-hacked-electronic-voting-machine> .
[Your iPhone just got less secure. Blame the FBI. <https://www.washingtonpost.com/posteverything/wp/2016/03/29/your-iphone-just-got-a-lot-less-secure-and-the-fbi-is-to-blame/> ]
But while computer security experts like <https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html> me have sounded <https://www.giac.org/paper/gsec/3687/inherent-problems-electronic-voting-systems/105962> the <http://homepage.cs.uiowa.edu/%7Ejones/voting/congress.html> alarm <https://cs.stanford.edu/people/eroberts/cs181/projects/2006-07/electronic-voting/index_files/page0004.html> for <https://citp.princeton.edu/research/voting/> many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified.
We no <https://scontent.xx.fbcdn.net/hphotos-xlp1/v/t1.0-9/12115815_699872940152206_2266030088084252627_n.png?oh=2a4e5e944a5feadb7e133dd8c57be376&oe=57AD8C92> longer have time <https://xkcd.com/463/> for that. We must ignore the machine manufacturers? spurious <https://www.salon.com/2006/09/13/diebold_3/> claims of security, create tiger teams to test the machines? and systems? resistance to attack, drastically increase their cyber-defenses and take them offline if we can?t guarantee their security online.
Longer term, we need to return to election systems that are secure from manipulation. This means voting machines with voter-verified <http://votingmachines.procon.org/view.answers.php?questionID=000291> paper audit trails, and no <http://engineering.jhu.edu/magazine/2016/06/internet-voting-nonstarter/> Internet <https://www.verifiedvoting.org/resources/internet-voting/vote-online/> voting <http://www.scientificamerican.com/article.cfm?id=2012-presidential-election-electronic-voting> . I know it?s slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great.
There are other ways to attack our election system on the Internet besides hacking voting machines or changing vote tallies: deleting <http://thehill.com/policy/cybersecurity/278231-election-fraud-feared-as-hackers-target-voter-records> voter records, hijacking candidate or party websites, targeting and intimidating campaign workers or donors. There have already been multiple instances of political <https://www.schneier.com/blog/archives/2015/11/the_rise_of_pol.html> doxing ? publishing personal information and documents about a person or organization ? and we could easily see more of it in this election cycle. We need to take these risks much more seriously than before.
Government interference with foreign elections isn?t new, and in fact, that?s something the United States itself has repeatedly <https://www.lawfareblog.com/what-old-and-new-and-scary-russias-probable-dnc-hack> done in recent history. Using cyberattacks to influence elections is newer but has been done before, too ? most notably in Latin <http://www.bloomberg.com/features/2016-how-to-hack-an-election/> America. Hacking of voting machines isn?t new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.
[Why would Russia try to hack the U.S. election? Because it might work. <https://www.washingtonpost.com/posteverything/wp/2016/07/26/why-would-russia-interfere-in-the-u-s-election-because-it-usually-works/> ]
Last April, the Obama administration issued <https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know> an <https://www.whitehouse.gov/blog/2015/04/01/expanding-our-ability-combat-cyber-threats> executive <https://medium.com/the-white-house/a-new-tool-against-cyber-threats-1a30c188bc4#.jgbalohyi> order <https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m> outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they?re a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.
Election security is now a national security issue; federal officials need to take the lead, and they need to do it quickly.
--
--
Susan Eustis
President
WinterGreen Research
6 Raymond Street
Lexington, Massachusetts
phone 781 863 5078
cell 617 852 7876
Arthur Keller
Best regards,
Arthur
> On Jul 30, 2016, at 1:19 AM, Brent Turner <turnerbrentm at gmail.com> wrote:
>
> All-- My apologies for not realizing Kapor had backed away from his association with OSET. Through the succession of name changes it is hard to track principals. The main thing to recognize here is that even though an " open source " group may technically obtain Open Source Initiative licensing.. OSI recommends the group attempting to peddle services or products under the open source flag should be scrutinized for open source history and their participation with the open source community. A group that does not reach out to the said open source community - is founded by proprietary purveyors- and invents new licenses and licensing schemes is obviously going to raise eyebrows. The open source community is very protective of reputation as it is now understood the proprietary code businessmen are discovering the traction of open source.. and the traction coming available in the election system arena. Obviously there is not only a money grab issue inherent .. but also a power grab issue due to the outflow of elections
>
> Groups that do not advocate the ubiquitous General Public License continue to raise hackles (even though we have managed to curtail most efforts to pass through offending aspects of ill conceived license attempts.) Furthermore, misdirection statements such as " The government purchasers say they want a new open source license " are flags as well. The idea is to utilize a license that will encourage participation from the community.
>
> Billionaires like Kelly - Kapor and Paul Allen are coming into the space of elections with a fury, but this issue is not simply solved by throwing money toward politicians or large designs. The best design is so simple it's almost evasive. By keeping it simple with GPL and COTS .. the jurisdictions will be economically empowered.. and removed from the current " vendor trap "
>
> BT
>
>> On Fri, Jul 29, 2016 at 7:52 PM, Gregory Miller <gmiller at osetfoundation.org> wrote:
>> Apologies folks,
>>
>> But my Legal Department has me under an obligation whenever this comes up, to clarify that Mitch Kapor is no longer involved with the OSET Institute (Foundation) or its TrustTheVote Project, and has not been since 2011.
>>
>> The OSET Institute is funded by several private philanthropists, led by former Facebook general counsel Chris Kelly, the Democracy Fund, and the Knight Foundation. Moreover, we receive no funding whatsoever from Microsoft Corporation nor any commercial vendor of election technology.
>>
>> Sorry, but I am obligated by agreement to make this clarification due to continued misstatements by others.
>> Thank you and respectfully,
>> Gregory Miller
>> OSET Institute
>>
>> On Thu, Jul 28, 2016 at 9:49 AM, Brent Turner <turnerbrentm at gmail.com> wrote in relevant part
>>
>>> ..... we need to watchdog anything that has Microsoft's involvement as it might in fact be an in-road for Mitch Kapor's OSET effort to nuance the open source voting effort--
>
Arthur Keller
I agree we should return the issue to voting system security.
NIST staff has suggested we move this discussion to the TWiki, or a perhaps VVSG security mailing list, but I?m not sure we are all on that list.
We are sending lots of messages to many people who do might not want to receive a whole discussion.
I started this thread by posting an op ed by Bruce Schneier. I didn?t expect the torrent of messages that followed, but clearly I struck a nerve. I apologize to those whose e-mailboxes were clogged.
Best regards,
Arthur
> On Jul 30, 2016, at 2:37 PM, Gregory Miller <gmiller at osetfoundation.org> wrote:
> <snip>
>
> Finally, I'm not sure whose moderating here, but I submit that ad-hominem attacks are not productive.
>
> My two cents and some fact to go with it.
> Best
> Greg
> OSET Institute
>
>
> PS: For those receiving this, for some reason my posts are being held-up in a moderator queue and I'm listed as unsubscribed which is weird, unless something changed with my subscription. I've asked John Wack for some direction to the Admin to fix that.
>