Following up on a previous post, on Blaine Burnham's risk assessment of digital elections that "put the very fabric of the country at risk"
<risk assessment process>
"Hey, Sven ya got the risk/reward ratio spreadsheet done on those digital elections yet?"
"Ya sure, Ole, says here we can save at least 14 bucks, that's green in my book!"
"Ya betcha, well let's run with it Sven!"
</risk assessment process>
Of course, as Burnham stated in his address at USENIX Security a few years ago, in computer security we basically only have two working mechanisms (which ain't enough, but that's another story). One is the reference monitor, and the other is crypto. A reference monitor would be a kinda useful thing to have in an election, right? After all it is
tamperproof, always-used, and small enough to be fully-tested and analyzed module that controls all software access to data objects or devices
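As an added illustration of that definition (not code from Burnham's talk or from any real voting system), here is a toy reference monitor in Python: one chokepoint that checks a policy before any access to the ballot and tally objects, hands out copies rather than references so nothing bypasses it, and appends every request, allowed or denied, to a hash-chained audit trail so that edits to the trail are detectable. The roles, operations and policy table are constructed for the example.

```python
"""Toy reference monitor for a vote-record store with a hash-chained audit
trail. Added illustration of the reference-monitor idea, not code from any
real voting system; roles, operations and the policy table are constructed."""
from __future__ import annotations

import copy
import hashlib
from collections import Counter
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised when the monitor refuses an access request."""


# Constructed policy: (role, operation, object) triples that are permitted.
# Anything not listed is denied by default.
POLICY = {
    ("voter", "cast", "ballots"),
    ("tallier", "read", "ballots"),
    ("tallier", "write", "tally"),
    ("auditor", "read", "ballots"),
    ("auditor", "read", "tally"),
}


@dataclass
class AuditEntry:
    seq: int
    subject: str
    role: str
    op: str
    obj: str
    allowed: bool
    prev_digest: str
    digest: str = ""

    def compute_digest(self) -> str:
        # Each entry commits to its own fields and to the previous digest.
        material = (f"{self.seq}|{self.subject}|{self.role}|{self.op}|"
                    f"{self.obj}|{self.allowed}|{self.prev_digest}")
        return hashlib.sha256(material.encode()).hexdigest()


@dataclass
class ReferenceMonitor:
    """The single chokepoint: subjects never touch the objects directly, and
    every request, allowed or denied, is appended to the audit trail."""
    _objects: dict = field(default_factory=lambda: {"ballots": [], "tally": {}})
    _audit: list = field(default_factory=list)

    def _log(self, subject, role, op, obj, allowed) -> None:
        prev = self._audit[-1].digest if self._audit else "0" * 64
        entry = AuditEntry(len(self._audit), subject, role, op, obj, allowed, prev)
        entry.digest = entry.compute_digest()
        self._audit.append(entry)

    def request(self, subject: str, role: str, op: str, obj: str, payload=None):
        """Mediate one access. Policy is checked before any object is touched."""
        allowed = (role, op, obj) in POLICY and obj in self._objects
        self._log(subject, role, op, obj, allowed)
        if not allowed:
            raise AccessDenied(f"{subject} ({role}) may not {op} {obj}")
        if op == "cast":
            self._objects["ballots"].append(payload)
            return None
        if op == "read":
            # Return a copy: no reference to the protected object escapes.
            return copy.deepcopy(self._objects[obj])
        if op == "write":
            self._objects[obj] = copy.deepcopy(payload)
            return None
        raise AccessDenied(f"unknown operation {op}")

    def audit_trail(self) -> list:
        return list(self._audit)

    def verify_audit_trail(self) -> bool:
        """Recompute the hash chain; an edited or deleted entry breaks it."""
        prev = "0" * 64
        for i, e in enumerate(self._audit):
            if e.seq != i or e.prev_digest != prev or e.digest != e.compute_digest():
                return False
            prev = e.digest
        return True


def run_election(monitor: ReferenceMonitor, ballots: list) -> dict:
    """Constructed workflow: voters cast, a tallier counts, an auditor reads."""
    for i, choice in enumerate(ballots):
        monitor.request(f"voter{i}", "voter", "cast", "ballots", choice)
    counted = Counter(monitor.request("t1", "tallier", "read", "ballots"))
    monitor.request("t1", "tallier", "write", "tally", dict(counted))
    return monitor.request("a1", "auditor", "read", "tally")


if __name__ == "__main__":
    rm = ReferenceMonitor()
    print(run_election(rm, ["alice", "bob", "alice"]))
    try:
        rm.request("voter0", "voter", "read", "tally")  # voters may not read the tally
    except AccessDenied as e:
        print("denied:", e)
    print("audit trail intact:", rm.verify_audit_trail())
```

The three properties map directly: "always-used" is the fact that `request` is the only path to the objects and reads return copies; "small enough to be fully tested" is the few dozen lines of policy check and logging; and the audit trail is what the real machines in this post lack, since a tampered or truncated trail is caught by `verify_audit_trail`.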
That's not too much to ask, is it? An audit trail? But apparently it is too much to ask:
"I'm on the Virginia state commission charged with making recommendations around voting systems, and we watched the Princeton video as part of our most recent meeting. The reaction from the election officials was amusing and scary: "if this is so real, why don't you hack a real election instead of this pretend stuff in the lab". Pointing out that it would (most likely) be a felony, and people like Rubin, Felten, and others are trying to help security not go to jail didn't seem to impress them. Also pointing out that the Rubin & Felten examples used out-of-date code because vendors won't share anything up-to-date doesn't seem to impress them. [This in response to Diebold's claim that they were looking at old code, and the problems are all "fixed".]
I frankly don't think anything is going to impress the election officials (and some of the elected officials) short of incontrovertible evidence of a DRE meltdown - and of course, we know that there could well be a failure (and may have been failures) that are unprovable thanks to the nature of software.
P.S. One of the elected officials on the commission insisted that Felten couldn't possibly have done his demo exploit without source code, because "everyone" knows you can't do an exploit without the source. Unfortunately, the level of education that needs to be provided to someone like that is more than I can provide in a Q&A format. I tried giving as an example that around 50% of the Microsoft updates are due to flaws found by people without source, but he wouldn't buy it.... (he was using a Windows laptop, but doesn't seem to understand where the fixes come from)."
And of course, why worry about software flaws when you can worry about hardware as well? Ed Felten:
Machines with flawed boards were normally identified when they “froze” on election day. When personal computers crash, they often manage to reboot themselves, but the Diebold machines don’t reboot themselves on a crash, so any kind of general system crash will make the system freeze. So the bug was usually identified when a voting machine crashed. Mystery crashes typically don’t happen at random times but are concentrated at certain stages of the machine’s use, because the detailed technical conditions that trigger the crash are more likely to happen at some times than at others. ... Were votes ever actually corrupted? We’ll never know. If we had a voter-verified paper audit trail, we could compare it to the records kept by the crashed machines. But with only the electronic records to go on, it’s probably impossible to tell.
The good news is that all of the affected motherboards have now been replaced. The bad news is that Diebold knew about these problems in March 2004, and yet they allowed thousands of affected machines to be used in the November 2004 election.
Have a great Super Tuesday! If you see any reference monitors, say "hi" for me.