"Computer scientists from California universities have hacked into three electronic voting systems used in California and elsewhere in the nation and found several ways in which vote totals could potentially be altered, according to reports released yesterday by the state." The article includes discussion of the current House bill to require paper audit trails. Source: *The New York Times* http://www.nytimes.com/2007/07/28/us/28vote.html Daniel A. Graifer Home: 703-425-4512 Cell: 703-967-3635
Just in case you haven't seen this yet, here's the California Overview of the Hacking Report: http://www.sos.ca.gov/elections/voting_systems/ttbr/red_overview.pdf My executive summary of the overview is as follows: At a cost of $1.8M, the California Secretary of State now has a report that confirms that all of the State's Hart, Diebold and Sequoia DRE and OpScan voting systems can be hacked in various ways. Potential hacks include the all-important ability to have a VVPAT print out one thing and the DRE total reflect something else, thus rendering the VVPAT moot, as well as the capability of detecting election mode (thus enabling the pre-election testing to appear correct, while the actual election has been compromised). All of these are types of hacks that many knowledgeable people have been saying for years could happen, and now we know that for sure they can. Oh, and guess what else? "The security mechanisms provided for all systems analyzed were inadequate to ensure accuracy and integrity of the election results." Gee, what a surprise. Unfortunately the report provides a fall-back position whereby these wretched election products can continue to be used — by claiming that many of the attack scenarios can be mitigated through better physical security, security training of staff, and contingency planning. Of course the report fails to mention that if the staff or the vendor is corrupt and their contingency plan is to cover up their tracks, we now know for sure that a game plan for fraud is certainly possible. So let's just throw more money at additional security mechanisms and training while we all pretend that we're conducting legitimate elections. Good job, guys, thanks for letting the CA SoS off the hook. Here's a novel thought: why not just throw this crap in the junk heap where it belongs, vote on paper, and let the citizens do the counting? Maybe for another $1.8M some State can get a team of PhDs to validate that conclusion. Rebecca Mercuri. Permission Granted to Post This Message in its Entirety.
Apparently along with many other Web watchers, I spent time yesterday watching an all-day hearing of the California Secretary of State, Debra Bowen, interrupted by frozen screens presumably resulting from too many people trying to follow the live webcast. In my opinion, Secretary Bowen has consistently sought a better understanding of the integrity, accuracy, reliability, and survivability of the electronic voting systems that are in use in California — or the lack thereof. (Several of us had testified in February 2006 for her California Senate Elections Committee, with my testimony on the relative merits of openness in voting systems available at http://www.csl.sri.com/neumann/calsen06.pdf .) Five reports are now available on the California SoS website: http://www.sos.ca.gov/elections/elections_vsr.htm including the red-team overview, red-team analysis of Diebold, Hart, and Sequoia systems, as well as a detailed analysis of accessibility and usability of the three systems — conducted by Noel Runyan and Jim Tobias. Further reports analyzing source code and documentation for each of the three systems have not yet been released; according to the website, these reports will be posted "as soon as the Secretary of State ensures the reports do not inadvertently disclose security-sensitive information." Here are my own personal comments. (NOTE: I was *not* a part of the Top-to-Bottom Review [TTBR], and have not been privy to any inside information.) I applaud analyses that provide greater sunshine in the election process, even if they can address only a part of the total system. (Election system vendors have typically hidden behind proprietary status of everything -- including not only the software but also the data formats, and even internal voting data in disputed elections.) However, analyses must always be considered in the context of the total system — hardware, software, procedures, users, the physical premises, and so on. Given various late starts and the fixed termination date for all of the efforts that was imposed by the hearing, the results available thus far seem worthy — albeit clearly not surprising to those of us (including Rebecca Mercuri) who have been involved in seeking integrity in the election process for many years. (My involvement goes back to the mid-1980s.) The systems have generally been known to be lacking in good software engineering practice, built-in security, and measures that might have obviated the need for extensive operational procedures. The findings of the University of California teams can provide further evidence of that to those people — including lawmakers -- who have not previously been exposed to the innards. The red-team overview report, which notes the need for procedural mitigations to overcome the existence of technological vulnerabilities, tries to give some perspective to the public by pointing out that the electronic voting systems are only one part of a larger process. Long-time RISKS readers by now know how important it is to consider the results of the process as a whole rather than looking only at the individual pieces in isolation. Also, note that the overview does not say *all* flaws can be overcome; it says that the reviewers believe *many* can be compensated for. As Matt Bishop stated during the final question-and-answer session of yesterday's public hearing, his personal opinion is that some flaws require changes to the technology, rather than just procedural adjustments. (This occurs about 6:41:00 into the streaming video, which can be found at http://www.calchannel.com.) I have generally believed this to be true, because people are fallible and not always able or willing to follow the procedures. It seems to be especially important in elections, in which human frailty needs to be avoided and where tamper-resistant and tamper-evident audit trails are essential. There were of course critics in the hearing who believe that the technological study was lacking in reality: for example, it was inherently incomplete because only 3 of the 9 systems currently in use in California were included; it did not adequately address procedural issues, which might compensate for the security and privacy protection vulnerabilities that the TTBR was intended to identify; it failed to caveat the vulnerabilities with an assessment of the risks of exploitation of the vulnerabilities. (On the other hand, RISKS readers are familiar with our persistent warnings about the risks of flawed quantitative risk assessment.) One complaint was that the effort was a waste of time, because no malware was detected. (However, the study never attempted to look specifically for malware. I would presume that the software provided by the vendors was free of intentional malware, and furthermore, given the demonstrated vulnerabilities, installing malware would not be at all difficult — either in the development process or subsequently!) Several election officials reported being completely happy with the electronic systems, and claimed that there have never been any problems. (But many would-be problems with DREs can be undetectable.) All in all, I believe that Secretary Bowen's desire for a top-to-bottom review of the entire election process will benefit from a better understanding of the technological vulnerabilities — even though they certainly represent just one piece of the overall puzzle.
[Another example of the globality of local risks... PGN] By now everyone has heard of the M6.8 earthquake up in Niigata last week, a couple of hours north of Tokyo by shinkansen. Ten people were killed (all in their 70s and 80s, living in traditional-style houses with heavy ceramic tile roofs that collapsed), 6,000 homes and buildings destroyed, roads cracked and/or covered by landslides, a fault slip that came to the surface and displaced a section tens of kilometers long by something like a meter. Net effect was (if I recall) to push one plate 16cm north. The biggest newsmaker has been the effect on the Tokyo Electric Power (TEPCO) nuclear plant, the largest in the world. Leaks of radioactive water, hundreds of barrels of radioactive waste tipped over (some broke open and leaked), etc. The most recent list of problems was 63 items long. Opposed to or in favor of nuclear power, TEPCO's slow response and misinformation are creating a firestorm here. The reactor itself was designed to withstand only a 6.5; regulations were already under revision to up that number, but weaker plants will be in use for decades. But you knew that, and I want to talk about piston rings, not nuclear power. One small company in Niigata, Riken (no relation to the research lab with a similar English name, I'm sure) makes 60% of the piston O rings used by *all* of the car manufacturers in Japan. Their plant was badly damaged. Japan's auto makers, of course, are famed for their "just in time" supply chain management. I know people who have worked for subcontractors, and the penalty for being late in supplying a critical part can easily exceed $100,000 A DAY. Toyota was forced to idle at least 27 plants, Daihatsu four, Honda and other manufacturers several each. Toyota is still shut down, as of this writing (Monday, a week after the quake), and has an output loss of 46,000 cars or more. I haven't seen a breakdown of the percentage intended for domestic consumption versus export. One interesting part of the response is that the auto manufacturers sent teams of their idled workers to Niigata to help Riken clean up and get back in production. They were there helping by Thursday, despite the transportation disruption, general shortages of goods including water, food, and electricity, and risk of aftershocks. One point and one question: * A disaster it is, but a relatively local one, in a mid-level city where events rarely make the world news. And yet it will affect car prices around the world, no doubt. Just one more data point that the world's economy is one large web. * Toyota is a very well-run company, but they let this happen to them with an important single-sourced part. How good is YOUR disaster plan, whether personal or corporate? How good are your suppliers' disaster plans, and their suppliers'? IP Archives: http://v2.listbox.com/member/archive/247/=now
ADS-B ROLLOUT IS ON THE WAY Wilson Felder, director of the William J. Hughes Technical Center in Atlantic City that is evaluating the system, told reporters that ADS-B is something all pilots should want in their panels. He's flown with it personally for about 60 hours in his Cessna 172 and seen its value firsthand. "It's saved my life at least three times," he said. <http://www.avweb.com> issue 13.30e [Must be a pretty lousy pilot if he needs to have his life saved 3 times by a new gadget in 60 hours of flight!]
Frank Van Buran is an accountant in New York. He had an Exxon Mobil credit card for his business, which was expiring. He asked for two copies of the new one. He got them — and then 2,000 more. Which were left in boxes on his doorstep, where anyone could steal them, and which the company expected him to destroy (it took hours). Nothing seems to have been publicized as to what exactly went wrong, but how could it be anything but computer-related? http://www.nydailynews.com/money/2007/07/26/2007-07-26_tomfuelery-1.html Mark Brader, Toronto, firstname.lastname@example.org | "Volts are like proof" --Steve Summit
[Excerpted from Volume 14.15, 27 Jul 2007. PGN] E P I C A l e r t Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org/alert/EPIC_Alert_14.15.html Department of Health Proposes New Records System On June 26, the Department of Health and Human Services (HHS) proposed to establish the National Disaster Medical System (NDMS) Patient Treatment and Tracking Records System. The goal of this new records system is to collect individual health data from people receiving medical care provided by NDMS. The NDMS is a joint effort between HHS, the Department of Defense, the Department of Homeland Security, and the Veteran's Administration to provide additional resources to supplement the public health and health care actions local and state governments provide during emergencies. Under the proposal, all persons treated by NDMS medical staff may have their health data recorded and placed into a record system. This would include demographic information as well as data regarding patient diagnosis, treatment, and location. This data may be obtained from the individual patients, their physicians, or by access to the health records of patients. The NDMS Patient Tracking System contains various "routine use" disclosures to all the federal agencies that share responsibility for evacuation and treatment of patients under NDMS in order to ensure the highest level of patient care possible. Routine use disclosures may also be made to consultants, contractors, and grantees who may require access to the health records for business purposes related to the collection of the data. Lastly, routine use disclosures will be made to state and federal agencies as necessary to establish the benefit entitlement of the patient or to help families locate evacuated family members. The routine use disclosures contained within the NDMS Patient Tracking System raise some privacy concerns that EPIC addressed in comments submitted to HHS on July 26. In the comments, EPIC stated that HHS should build privacy protections into the system in order to ensure that patients receive quality emergency health care without having to sacrifice their medical privacy. EPIC also urged HHS to clearly define how the system of records notice will comport with the Health Insurance and Portability Act (HIPAA). Any proposed routine use disclosures that violate HIPAA provisions should not be included. The NDMS Patient Tracking System collects data during emergency situations. Due to the extreme nature of these events, privacy and safety can easily be overlooked if they have not already been built into the system. EPIC urged HHS to consider the impact that the proposed routine use disclosures could have on victims of domestic violence, as well as other displaced individuals. After Hurricane Katrina, numerous evacuees faced instances of personal information abuse. For this reason, EPIC encourages the use of health data collected by the NDMS for patient treatment purposes only. EPIC's Webpage on Hurricane Katrina and Identity Theft: http://www.epic.org/privacy/idtheft/katrina.html EPIC's Webpage on Domestic Violence and Privacy: http://www.epic.org/privacy/dv/ EPIC's Comments on NDMS Patient Treatment and Tracking Records System (pdf): http://www.epic.org/privacy/dv/ndsm_comments.pdf Department of Health and Human Services System of Records Notice (June 26, 2007) (pdf): http://www.epic.org/redirect/hhs2707.html
The report in RISKS 24.75 inadvertently pointed out an example of an organizational antipattern--a kind of behavior that appears on the surface to solve a problem but actually does the opposite. The first sentence: "Comair pilot instructors testified that the crew of Comair Flight 5191 committed numerous procedural violations relating to briefing, taxiing, and 'sterile cockpit' rules (maintaining a distraction-free cockpit) before taking off from the wrong runway..." The fallacy is "post hoc, ergo propter hoc." In other words, the crew violated procedures, then crashed; so it is tempting to assume that the violation caused the crash--despite the other problems cited later in the article. From a bureaucrat's viewpoint, this assumption can then be used to make the procedures more restrictive, increase crew monitoring, etc., all without proving that the procedures are actually useful. Of course it is possible that the procedural violations caused the crash. The antipattern--and one that is particularly tempting for bureaucratic organizations--is to assume without proof that they did so, perhaps because that assumption is the one that most benefits the organization.
I read the submission from Mike Scott, regarding the errors he recalls seeing in the Wimbledon tennis 'Hawkeye' line-call system last year and the reliance of the Lawn Tennis Association upon it this year. Mr Scott makes no allowance for the upgrades to the system, and testing, that have taken place in the intervening 12 months. It would have been wrong to rely on the system in its debut year because it certainly had some accuracy issues. Those have now been largely resolved and the system was used with overall approval from almost everyone It's not perfect, but it's now more accurate than the 'mark one eyeball' of the line judges. There were only 4 days out of the whole tournament where the challenges by players against its performance were upheld more than 50% of the time, after reviewing the footage. This system has now been adopted for all of the Grand Slam tournaments except France, which is a clay court surface. David Alexander, Towcester, Northamptonshire, England [Challenges "upheld more than 50% of the time?" That would be an intolerable error rate for many other situations, such as the Employment Eligibility Verification System or a terrorist watch list or automated face recognition, especially on a large scale. On the other hand, some tennis players are known to have completely lost their cool as a result of egregious line calls. One might think that the chair umpire would call a LET instead of letting a "definitive" simulation stand when the margin of error of the simulation may be much greater than the width of the actual ball suitably flattened by an overhead smash. PGN]
Given the ease of spoofing packets and the other games which can be played on a wireless network, it wouldn't surprise me if the "person sitting next to you" could exploit this to infect your system, e.g., by quickly bursting a HTTP redirect (even before the remote site really completes the handshake and realizes something is wrong) and then carrying out the exploit through the redirected page.
Microsoft had an analogous problem when MS-DOS was introduced, way before the Windows system. The solved it with the SETVER command. This excerpt explains the purpose of SETVER: Definition of: DOS Setver An external command starting with DOS 5 that updates a version table containing names of programs and the DOS version number they need to run under. Programs may test version numbers and function differently as a result (all DOS's are not the same), but some programs didn't plan on DOS 5 and DOS 6 as future numbers. This command "fakes them out" by supplying them with the version number they need. http://www.pcmag.com/encyclopedia_term/0,2542,t=DOS+Setver&i=41854,00.asp Apple needs a version of the SETVER command.
Please report problems with the web pages to the maintainer