My Dad Now Blogs...

blogging, politics, family

My father has entered the blogosphere: Rousing from Lethargy... stand the hell back.

Election Technology and Problems in the Field

elections, problems, San Francisco, friends, research, policy, legal

In conjunction with Election Protection 2006, I gave a short talk at the firm Fenwick and West in San Francisco today on the various flavours of voting technology and problems that we've seen with them in the field. You can get my slides here:

Here they are in PPT and PDF not from Slideshare:

UPDATE [2006-10-21T11:20:14]: I realized at some point that SlideShare is still in invitation-only beta. If you'd like an invitation, holla!

Problems with The Alameda County Report

elections, certification/testing, vendors, news, research, policy

Alameda county released a security vulnerability assessment of their voting system last Thursday, conducted by a firm called Pacific Design Engineering. Thad Hall over at Election Updates has a new post, "ALAMEDA COUNTY E-VOTING REPORT", in which he says:

All men and women may be created equal, but a new report from Alameda County suggests that all voting machines are not. The report examines security vulnerabilities with the Sequoia voting equipment used in the County. According to a report by Pacific Design Engineering that was done for the County, the Sequoia voting system is a secure system, when basic physical security initiatives are in place. (I have a hard copy of the report; it is not at present online).

The most important take-away is in a table in the report that outlines a series of vulnerabilities that voting systems have to attack, both in precincts and in the central office. It then compares the vulnerabilities of a Diebold system, as documented in various reports, with the Sequoia system. The study finds that the Sequoia system is only vulnerable to one of the 12 precinct attacks and one of the five central attacks and both can be mitigated through security procedures. By contrast, the Diebold system has been found to be vulnerable to 13 of 15 precinct attacks and 4 of 5 central attacks.

I was able to obtain a copy of the report last Thursday and then scanned and OCR'd it (unfortunately, I've been too busy to post about it until now). You can get the report here (or in a more permanent location from the ACCURATE web site, here).

(Doug Jones has some draft comments on this report here: "Critique of the Alameda County Report".)

Alameda County should be given a great deal of credit for commissioning this report. This report should be required reading for all election officials (and their technical staff) that use these Sequoia systems, especially those that don't have robust auditing procedures including a random manual audit of voter-verified paper records of each vote.

A close reading of the report shows that the investigation revealed a number of new security vulnerabilities. The good thing is that Alameda county has procedural mitigations that help to reduce the risk that these vulnerabilities pose.

Here are some key discoveries discussed in the report:

  • The Sequoia AVC Edge uses cryptographic protection in an effort to preclude tampering with the memory pack's contents. However, the cryptographic key that is used in this process is the same key for every AVC Edge. This makes the protection irrelevant, because to attack any AVC Edge unit, all an attacker would need is a the secret key from just one of the units. The DESI AccuVote-TS system has been criticized by the Hopkins/Rice Report and California's VSTAAB as also suffering from this vulnerability when used in its default configuration; however, at least on the TS, this key can be changed by the election official.

  • The report points out a second vulnerability on the AVC Edge. Apparently, the contents of the memory cards are not bound together cryptographically. This means that the contents of one card can be duplicated over the contents of another. The EMS will know that the second is a duplicate record and will notify election officials, but the written-over results will not be part of the tally. If just the results file and SHA-1 hash value (instead of the entire contents of the card) are copied over, the EMS still won't include the duplicate results in its tally but will not notify election officials of the duplicate. (This doesn't seem too serious other than allowing an inefficient DoS attack.)

  • The memory packs used on the Sequoia Insight precinct-based optical scan machine contain binary executable code. Further, this code is not technically protected whatsoever (i.e., through the use of cryptographic signatures) so anyone with unsupervised physical access to these units could change the executable code, including placing code of their own. This vulnerability is similar to the Hurst I flaw, but worse; in the Hursti I flaw found in the DESI AccuVote-OS system, the code was interpreted, so a malicious attacker would be constrained by the language of the interpreter to mount an attack whereas with the Sequoia Insight, a maldoer can use any binary executable. Also, unlike the AccuVote-TS, there is no writeable storage medium other than on the memory pack, which means that the Insight would not be susceptible to a virus attack or bootloader-replacement attack like that recently revealed by Feldman et al.).

(I note some other problems that are more difficult to de-geekify at the end of the post.)

Fortunately, adhering to strict custody controls for memory packs associated with the AVC Edge and Insight systems will reduce the likelihood that any of these vulnerabilities can be exploited. The report also mentions that Sequoia already has new software that will fix these vulnerabilities, but that this software won't be available nor certified by the November election.

My take-away from this report is somewhat different than Prof. Hall's. I believe this report provides us with more evidence -- this time in voting technology provided by a vendor other than DESI -- that the current ITA process overseen by NASED is completely broken. The report reveals that Sequoia isn't the only vendor that has equipment with significant and avoidable vulnerabilities associated with secure systems design and poor use of cryptography.

Given this, I was very much excited to see the EAC's recent call for comments on their Manual for Voting System Certification. This document will serve as a policy and procedure manual for the future federal-level voting system certification process. I was pleasantly surprised at the high quality of this document and have many fewer gripes with it than I thought I would (especially after the 2005 VVSG). ACCURATE will be submitting comments.

Here are some other problems raised by the report:

  • The use of the Data Encryption Standard (DES) cipher (which has small 56-bit keys) on the Voter Access Cards with the AVC Edge is puzzling. DES is obsolete and susceptible to brute-force attacks. However, this is probably not a serious vulnerability here as the information on the cards (ballot style information, if the card has been used already, etc.) wouldn't pose a particularly heightened risk if revealed. If they were serious about protecting the contents of memory packs from eavesdroppers (which is what encryption is good for), it seems like they could have used triple-DES or even another more efficient cipher. If, however, their intention is to prevent tampering with the contents of the card, they wouldn't need to encrypt the contents but use digital (cryptographic) signatures or a Message Authentication Code (MAC).

  • I had thought they were just calculating a normal SHA-1 hash, which would be unkeyed. It turns out that what they are doing is including a (constant) "key" with the input into the hash function... which makes it effectively keyed, although poorly. Here's what I wrote originally: I don't understand the usage of the SHA-1 hash on the memory cards used with the AVC Edge. It would only make sense if one were to calculate the hash, store the hash value on the card and then sign the contents of the card to prevent tampering. However, the "checking" (page 16) of the SHA-1 hash would then involve: verify the signature of the card, calculate the hash of the payload and then compare it with the hash value recorded on the card. It would be better if they did something like a SHA-1 keyed-hash MAC (HMAC-SHA-1 or SHA1-HMAC)... however, they screw this up by using a constant key, the same key, in all of the systems they sell.

  • The report's authors laud the usage of Cyclic Redundancy Checks (CRCs) throughout the report through the use of the term "polynomial checksum". CRCs are a form of checksum, but they should be using cryptographic checksums which are hard if not impossible to fake compared to CRCs. In general, the usage of CRCs for strict data integrity is poor design; their linear nature (the math is not complex) and the fact that they are not keyed algorithms (you can't use a secret key to reduce opportunities for forgery) allow a great deal of latitude in changing message contents without changing the CRC value. For example, even in the more powerful CRC-32 (32-bit CRC as opposed to the 16-bit CRC-16 used in the Sequoia systems), if any four bytes in the file can be changed at will (and presumably not affect program execution), that file can assign any CRC value one might desire.

UPDATE [2006-10-14T09:40:35]: I changed the last two bullets above. 1) It appears that they are using some sort of keyed-version of a SHA-1 hash. 2) Apparently, "checksum" is a very broad term and I was incorrect about stating that it's common usage is to refer to cryptographic checksums. Also, I changed the second bullet in the first set of bullets to reflect that the EMS would notify election officials if a card is copied wholesale, but not if just the hash and results are copied.

Marc Smith, "Pictures of Traces of Places, People, and Groups" (iSchool DLS)

berkeley, research, podcasts, iSchool


Marc Smith speaking at the UC Berkeley School of Information Today, Marc Smith from Microsoft Research gave the third iSchool Distinguished Lecture of the 2006-2007 academic year, "Pictures of Traces of Places, People, and Groups".

Here is the abstract for his talk and the audio is linked below:

The Microsoft Research Community Technologies group focuses on the study and enhancement of computer mediated collective action systems. In this talk I will present recent developments in projects that highlight and attempt to enhance computer mediated collective action: Netscan, SNARF and AURA.

Netscan is a set of tools and services for online communities. Netscan manufactures ?social accounting metadata? about Usenet newsgroups and web boards, providing reports about discussion spaces and individuals that highlight patterns of activity and contribution in tabular and graphical forms. We have recently developed faster data update models, new Web service interfaces, a custom community portal page, and a new information visualization application (?Usenet Views?) that makes it simple to map and chart newsgroup communities. New sources of community content, from web boards, forums, discussion boards, email lists, and related repositories of threaded conversation are being analyzed by the Netscan system.

SNARF applies the concepts explored in the Netscan project to personal collections of email. SNARF provides tools to implement ?social sorting? ? reordering email collections based on the strength of different dimensions of the relationship between sender and receiver. For example, using SNARF, unread email from people can be ranked higher if they are often replied to by the user. A by-product of this tool is the generation of a high-dimensional dataset describing the structure and temporal patterns created through the exchange of email overtime. This dataset offers useful insights into the nature of email-based communications. Results from initial deployments of SNARF will be presented along with recent images generated by the SNARF Views extension to SNARF.

The AURA: Advanced User Resource Annotation system is a platform for Pocket PCs, Smartphones and mobile PCs that have various kinds of sensors such as barcode readers, digital cameras, WiFi signal strength detection, radio frequency identification (RFID) tag readers, and GPS. Using AURA today, users can scan the barcodes on everyday objects in the home, office, or store and gain access to related information and services such as competitive pricing and product reviews. Other kinds of tags, such as tags placed on art or equipment asset tags, can be easily linked to related data through Web sites or Web service interfaces. This talk covers several developments in the mobile annotation space and describes future directions for AURA and related services.

Marc Smith speaking at the UC Berkeley School of Information

Search for Amazon Prime Items


(Sorry, I just had to post this as I've probably spent hours looking for Amazon Prime crap.)

UPDATE [2006-10-23T18:09:53]: Another interesting search tool for Prime items (with a better UI):

Contact / Help. (cc) 2021 by Joseph Hall. blog software / hosting.
Design & icons by N.Design Studio. Skin by Tender Feelings / Evo Factory.
And a few words about the structure of the eye . Everyone " retina ". Especially often we hear it buy clomid online in the phrase " retinal detachment ." So what is the retina ? This - the front edge of the brain, the most distant from the brain part of the visual analyzer. The retina receives light first , processes and transforms light energy into irritation - a signal that encodes all the information about what the eye sees . The retina is very complex and in their structure and function . Its structure resembles the structure of the cerebral cortex. The shell of the retina is very thin - about 0.14 mm.