It's election season again. This post describes why I think voting is such a perfect exemplar of a security topic and summarizes the two big-picture questions that have to be asked about any new-fangled voting system. Those two questions give me an ideal place to stash my favorite links on voting.
Three things make voting an ideal security topic:
- Voting is important. It's the foundation of our political system. If voting doesn't work, our system of government doesn't work.
- Voting seems easy, safe, and trustworthy. The concept is easy to understand, the polls don't appear to be run by partisan thugs, and most voters come away believing that their vote has been counted. By and large, people trust the system.
- Our track record is less than stellar. Looking back, we have a long history of election fraud and corruption. If you're wondering why we need to be worried about ballot box stuffing, election rigging, and widespread disenfranchisement, it's because we've seen them all before.
A lot of software security topics follow this same pattern. Everyone agrees it's important, but at a casual glance the risks appear to be minimal. Only when you take a longer look at where we've been and where we're headed do you see the potential for real trouble.
Where we're headed is pretty clear: electronic voting. For the reasons above, any new voting system raises two big questions:
1) Does the system design make it easier to subvert an election?
The most common complaint we hear these days about electronic voting systems is that they don't create a voter-verifiable audit trail. Once you cast your ballot, you just have to trust that the system does the right thing with it. Election officials have to trust these machines too. If they'd like to go back and re-count the votes, there's often nothing to go back and count.
Avi Rubin does a great job of laying out the present-day situation in his book Brave New Ballot. He keeps an up-to-date account of his work as an election judge in Maryland.
Voting systems don't have to be this way. Ron Rivest (the "R" in "RSA") has a fascinating proposal for a voting system that allows auditing along with a number of other desirable properties, all without requiring cryptography or any other complex computation. It's called the ThreeBallot voting system.
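To show why ThreeBallot gives voters something to audit without any cryptography, here is a small simulation of one single-winner race, written for this post (it is not Rivest's code, and the candidates, votes and serial numbers are made up): each voter marks the favored candidate on two of three sheets and everyone else on one, keeps a copy of one sheet as a receipt, and all sheets are posted publicly.

```python
import random
from collections import Counter

CANDIDATES = ("Alice", "Bob", "Carol")  # constructed sample race

def fill_threeballot(choice, rng):
    """The voter's three sheets: the chosen candidate is marked on exactly two,
    every other candidate on exactly one (choice=None abstains: all marked once)."""
    sheets = [set(), set(), set()]
    for cand in CANDIDATES:
        for i in rng.sample(range(3), 2 if cand == choice else 1):
            sheets[i].add(cand)
    return sheets

def checker_accepts(sheets):
    """Polling-place checker: each candidate has 1 or 2 marks across the sheets,
    and at most one candidate has 2 (single-winner race, so no overvote)."""
    counts = Counter(c for s in sheets for c in s)
    if any(counts[c] not in (1, 2) for c in CANDIDATES):
        return False
    return sum(1 for c in CANDIDATES if counts[c] == 2) <= 1

def run_election(choices, seed=1):
    """Cast every choice; return the public bulletin board {serial: marks}
    and one receipt per voter (a copy of one randomly chosen sheet)."""
    rng = random.Random(seed)
    serials = rng.sample(range(100000, 999999), 3 * len(choices))  # constructed ids
    board, receipts = {}, []
    for choice in choices:
        sheets = fill_threeballot(choice, rng)
        assert checker_accepts(sheets)
        cast = [(serials.pop(), frozenset(s)) for s in sheets]
        board.update(cast)
        receipts.append(rng.choice(cast))
    return board, receipts

def tally(board):
    """Votes = marks on the board minus the number of voters, since every
    voter hands every candidate exactly one 'free' mark."""
    voters = len(board) // 3
    counts = Counter(c for marks in board.values() for c in marks)
    return {c: counts[c] - voters for c in CANDIDATES}

def receipt_matches(board, receipt):
    """Voter-side audit: my serial appears on the board with exactly my marks."""
    serial, marks = receipt
    return board.get(serial) == marks
```

A receipt proves the voter's sheet was counted as cast, yet reveals nothing about the vote: any single sheet is consistent with a vote for any candidate.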
2) Do shortcomings in the implementation of the system make it easy to take advantage of weaknesses in the design?
It doesn't matter how good the design is, if the implementation is weak, the system can be compromised. But if the design is less than perfect, it puts additional strain on the implementation; bugs or coding oversights can cause a lot of trouble. In 2003, a group of researchers got their hands on some voting machine source code that Diebold accidentally leaked onto the Internet. They found lots to be worried about from both a design and implementation point of view. A study commissioned by the State of California in 2005 found serious bugs too (Disclaimer #1: the auditors used Fortify Source Code Analysis for part of their work.)
All of these bugs led one researcher to wonder what would happen if a voting machine maker was actually *trying* to manipulate votes. The result was a competition based loosely on the Obfuscated C Contest.
This year, Ed Felten's lab found that electronic voting machines have more than just software problems. At least one model can be opened with a hotel minibar key.
Before you get the idea that electrons and voting just don't mix, there are ways that the digital age can make voting easier, even without going near the ballots. I like what PostX did to help soldiers stationed abroad receive their absentee ballots (Disclaimer #2: I also like the fact that PostX used Fortify to help make sure the system is secure!)
Comments (1)
Brian,
You might want to check out Ed Felten's response to the Three Ballot Voting System. http://www.freedom-to-tinker.com/?p=1076
There are a number of issues with this system, even though it looks good at first glance. It works well in the optimum cases, but when you start throwing possible exceptions at the three ballot voting system, a number of weaknesses show up.
Martin
Posted by Martin McKeay | October 31, 2006 11:30 AM