
Decertifying the worst voting machine in the US - germinalphrase
https://freedom-to-tinker.com/blog/jeremyepstein/decertifying-the-worst-voting-machine-in-the-us/
======
viraptor
I'm having a hard time understanding the way voting machines are created these
days. Why are they complete operating systems? Why do they have ports? Why do
they look like they're overengineered in so many ways?

What's stopping the companies from producing a closed box with SoC+board
connected to: N buttons, display, card reader/scanner, printer, wifi/ethernet.
All you need is to take cards, register the result, add it to some
continuously hashing database, print vote proofs, periodically upload data
(again, public-key encrypted). If they need to be updated, allow only signed
code. (ARM SoCs have secure-boot-like capabilities)

Am I missing something? Why do we get multiple iterations of machines with
exposed ports, running XP, having hardcoded passwords, allowing admin access,
having physical locks which can be opened without a key, etc. How can these
things be created without at least one person saying "this shit is
unacceptable"?

~~~
drewcrawford
What you are missing is that the technical part is not the hard part. The hard
part is all the rest of it.

For example, here [0] is a link to the 200-page "volume 1" of the federal
standards, merely one of a complex web of certifications that these things go
through.

One random paragraph is illustrative:

Vote scanning and counting equipment for paper-based systems, and all DRE
equipment, shall be able to withstand, without disruption of normal operation
or loss of data, electrical fast transients of:
a. +2 kV and −2 kV on External Power lines (both AC and DC)
b. +1 kV and −1 kV on Input/Output lines (signal, data, and control lines) longer than 3 meters
c. Repetition Rate for all transient pulses will be 100 kHz

Now I am a software engineer, and quite frankly I have no idea whether these
are large tolerances which would require specialized equipment to withstand or
whether e.g. my laptop would sail through this kind of event. Nor do I have
any idea how I would demonstrate compliance with these requirements to the
satisfaction of a federal examiner.

And _that_ is what voting machines are. They are checkboxes on a
specification. That means that you can buy them with confidence that somebody
else's ass will be on the line when they turn out to be awful. The fact that
they actually record votes is ancillary at best, the primary feature and the
reason for buying them is that they tick the checkboxes.

As to why they seem overpriced, the reason is that it costs a lot of money to
have an engineer hook the thing up to his fancy oscillator and write you a
report that yes, this machine complies with requirement 4.1.2.6.c, over and
over again.

[0]
[http://www.eac.gov/assets/1/Documents/VVSG.1.1.VOL.1.FINAL.p...](http://www.eac.gov/assets/1/Documents/VVSG.1.1.VOL.1.FINAL.pdf)

~~~
msravi
I used to consult for a company that made WiMax base station equipment in
India. Typically, the way government would work, is that they'd send out
request for information to multiple vendors. Then, they'd take the list of
parameters that they got from each vendor, create a master list of parameters,
and pick the "best" under each parameter as a requirement. Then, they'd send
out a request for quotes to all vendors with a list of requirements that would
be impossible to meet simultaneously.

~~~
johnchristopher
What happens then? How did they pick the most appropriate? Or maybe they
wait for one of the vendors (the fastest) to produce a product up to the specs?

~~~
msravi
I really don't know. I wasn't there long enough and didn't have full insight
into the workings. But my guess is that they eventually settled on a solution
that met most of the specs at a reasonable cost.

However, what that opens up, is a way for corrupt officials to favor a vendor
and use the others-did-not-meet-this-particular-spec as a justification.

Just my 2c. I really have no idea if it actually was ever used in this way.

------
mikeash
It's very much worth reading the comments on this one, in which a Virginia
elections official who was involved with these machines repeatedly defends
them in a delightfully earnest but disturbingly clueless manner.

One of the points he's stuck on is that WiFi is short-range and unreliable
from outside a building. Thus hacking these things from the parking lot would
be impractical because you couldn't get access. Apparently the very concept of
directional antennas is completely unfamiliar to this person.

Another strange point is that these defects weren't known when Virginia chose
these machines. To him, that seems to mean "therefore it was a reasonable
decision." To me, it raises the question: why didn't anyone look into their
security as the choice was being made? Apparently the process by which
Virginia chooses its voting machines, or at least the process it used at the
time, involves _no_ third-party security evaluation. What the hell?

~~~
nmrm2
_> Apparently the very concept of directional antennas is completely
unfamiliar to this person._

IMO that was not the disturbing part. I don't expect elections officials to
know anything about RF.

What's disturbing to me is that several experts explain in very plain terms
why his assumptions are wrong, and he persists in his misunderstanding.

~~~
mikeash
I certainly wouldn't expect advanced RF knowledge, but satellite dishes are a
common sight in this country, so I would hope that passing familiarity with
the basic concept of directional antennas (even if they don't know what to
call them) would exist.

Even barring that, I would at least expect an official to know the depths of
their own ignorance. If you don't know anything about WiFi, fine, but then
don't try to make arguments about it.

And yes, persisting in making those arguments, not only being ignorant of the
subject but after being corrected by people who know, is a special kind of
ridiculous.

------
lazaroclapp
Voting machines are a very hard problem from a security standpoint to solve.
So even a well designed and audited voting machine might still not be safe
enough to use when compared with manual voting (which is not perfectly secure,
but at least is more generally understood).

This, however, is stuff out of a Dilbert cartoon: "The wireless connection
uses WEP (which we knew). What we didn’t know is that a few minutes of
wireless monitoring showed that the encryption key is “abcde”, and that key is
unchangeable"

~~~
peterwwillis
Are ATMs also a hard problem from a security standpoint? Because we have
relied on them to exchange currency around the world, 24 hours a day, 7 days a
week, for decades. And they are basically identical in function to a voting
machine, except of course for having more functionality.

Why don't we just use ATMs as voting machines?

~~~
zurn
ATMs are actually a pretty fruitful point of comparison since people have a
good idea of how ATMs work in their heads already. Some differences in the
threat model come to mind:

- ATMs and their backend systems invest heavily into making complete
transaction records; voting systems must be anonymous.

- ATM transactions can be undone.

- ATM operators can better afford to take a reactive approach, monitoring
fraud levels and first taking a liability hit, until they can fix the
systems or must do a temporary network shutdown to stop the losses.

- ATMs get by with fewer controls for insider fraud due to the above controls.

- ATMs don't worry about nation state level adversaries.

- The amount of damage from ATM compromise is clearly bounded, unlike
legislation/election.

~~~
nightcracker
You're missing the most crucial point: ATMs provide instant tangible
demonstrable feedback to the user that it has done exactly what it said it
would do. The machine spits out money, and the money is not only the result of
the interaction, but also the perfect witness.

With voting machines, so far, there has been absolutely no provable feedback
whatsoever that allows you to assure your vote has been counted. Even worse,
there is no system that allows you to verify no votes have been counted that
did not exist. I'm not saying these problems can't be solved with
cryptography, all I'm saying is that so far, they haven't been
solved/implemented yet.

Voting ballots don't have the same problem.

~~~
TeMPOraL
> _Voting ballots don't have the same problem._

How so? How do you know if your vote was really counted? How do you know
someone didn't slip in a bunch of votes while you weren't looking? How do you
know numbers aren't doctored as they're aggregated?

~~~
nmrm2
All of these questions can be answered by "you have to trust the election
officials, and the election officials have to do their due diligence."

Which is true of paper voting as well.

~~~
huxley
Doesn't have to be.

You can have a system with multiple levels of verification. For example in
Canada, each party is allowed to appoint an on-site representative for each
ballot box to observe the voting process, the count (and ensure it matches the
number of voters and ballot stubs) and the paperwork (a copy of which is
sealed in the ballot box which can be unsealed in the event of a judicial
recount).

Trusting election officials doesn't have to be a passive process like it would
be in an electronic voting system.

~~~
nmrm2
The US also has this; we call them poll watchers.

My point was just that at some point, you have to trust that _someone_ is
paying attention. Paper doesn't magically solve that problem.

------
Vespasian
Why is there the need to use these machines in the first place? IMHO the
overengineering started when using a tech solution for a non tech problem.

Voting on paper seems to work for most democratic countries and it's
definitely harder to rig than the electronics. I just don't see any
significant advantage in using technology here (and no, a few $/€ saved every
other year is not significant in my honest opinion)

~~~
ekimekim
Manual vote counting takes significant time and effort, and a properly
implemented electronic system would have advantages in tamper-proofness. It
also could have advantages in being interactive so users can't fill things out
incorrectly, can be guided through the process, etc, which is especially
important for people with disabilities.

Unfortunately, all the advantages rely on implementing a _good_ system, so I
doubt we'll be seeing them any time soon.

~~~
verytrivial
Electronic voting machine implementation, testing and deployment also takes a
significant time and effort. Tamper-proofness obviously has original and
natural physical implementations that do not require first choosing two large
prime numbers: tape and sign the damn box! Though you didn't raise the point,
some argue that the time it takes to manually count is a problem, as if people
seriously can't wait an extra half-day. Just WAIT. It's important.

The clear advantage of paper voting is everyone--the entire electorate-- can
see and understand the process. The legitimacy of the outcome depends on this
understanding and trust.

------
m_mueller
So this machine has now been decertified. Fine. What I'd like to know: How
could it ever get _certified_? What does _certified_ even mean if not
accountability of a certifier in case a system doesn't do what it's certified
to do? Or is the certification process flawed? In that case I guess that
should be fixed next.

~~~
bbanyc
The certification was done by the Election Assistance Commission, created in
the wake of the Florida 2000 punchcard ballot debacle. The EAC hastily
certified the first batch of electronic voting machines, issued grants to the
states to buy them before the ink on the certifications was dry, and then was
promptly forgotten about. (There was a 3-year period when the EAC was unable
to do business because all the seats on its board were vacant.)

~~~
gpvos
Why didn't they just fall back to paper and pencil, and manual counting? We've
been doing that in the Netherlands since election machines were discredited
after a successful campaign by hackers. Haven't had any real problems with it.

~~~
mikeash
Why would an agency create a reliable system for counting votes, when it was
created by an administration which came to power because of problems with
counting votes?

------
germinalphrase
It likely speaks to my ignorance, but my gut reaction to using electronic
voting machines has always been that they are inherently insecure and
can't/shouldn't be trusted to provide an accurate tally. There is so much
money (available) and motive to cheat an election count that I have a hard
time believing large and significant races haven't already been victims of
tampering in the US (even if we haven't seen hard evidence of such).

Is this cynicism misplaced?

~~~
flashman
At the very minimum, I would expect a voting machine to create two paper
receipts after each vote: one provided to the voter and another stored
internally. These would hopefully be on something more durable than thermal
paper, though that might suffice. The receipt would contain the machine ID,
timestamp and vote recorded.

Administrators could get a quick count from the machine memory, then perform a
verification by pulling a sample of votes from the printed receipt and
comparing them to the electronic values with the same timestamp. And any voter
can compare their receipt with publicly-available voting records.

Of course, then you have to worry about exploits that can cause the machine to
print votes on demand, because those would appear legitimate, especially if
the voter's receipt printout can be suppressed - there'd be no incriminating
receipt trail hanging out of an unattended machine.

~~~
hughw
You can't print out a person's vote on a receipt an admin could see; that's
not a secret ballot. And, using that receipt, the voter can do little to
verify his vote was counted.

Edit: the timestamp gives the voter away

~~~
function_seven
No identifying info needs to be printed. Just a GUID. Use a dot matrix printer
with triplicate ("biplicate"?), let the voter take their receipt, and keep the
other one on the spool.

Yeah, there still might be some issue with external coercion on the voter to
produce their receipt and prove they voted the way they were paid to. I
suppose that could be solved by making the voter's copy an XOR of the audit
tape, and by only having both copies together, can the vote be verified.
Presumably the forces doing the coercion wouldn't have access to the audit
tape. If they did, then we're already screwed no matter what system we
implement.

Just a thought. Not sure if there's some fundamental contradiction between
secrecy in voting and voter-auditability.

~~~
ars
The machine may not print a log in order.

i.e. the attack scenario is a small town, where you record each person as they
come in. Then later you can look at the vote in order and know who voted what.

> Presumably the forces doing the coercion wouldn't have access to the audit
> tape.

That is not a valid assumption. Your machine must be resistant even to that
attack.

> If they did, then we're already screwed no matter what system we implement.

No. The audit must not be able to be correlated with the person, the order, or
the time.
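The receipt scheme sketched above (voter copy as an XOR of the audit tape, both halves needed to verify) together with the reply's constraint that the tape must not be correlatable with person, order or time, worked through as an added example that is not from the thread. It assumes a fixed 8-byte vote field, random UUID ballot ids as the only key on the tape, and a constructed three-candidate ballot; it does not address the separate problem of detecting votes that were never cast.

```python
import secrets
import uuid

# Constructed sample ballot; candidate names must fit the fixed field width.
CANDIDATES = ["A", "B", "C"]
FIELD_WIDTH = 8  # assumption: fixed-width vote field so length leaks nothing


def encode_vote(candidate: str) -> bytes:
    """Fixed-width encoding so the share length does not leak the choice."""
    raw = candidate.encode()
    if len(raw) > FIELD_WIDTH or b"\0" in raw:
        raise ValueError("candidate name does not fit the receipt field")
    return raw.ljust(FIELD_WIDTH, b"\0")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cast_vote(candidate: str, audit_tape: dict) -> tuple:
    """Record one vote and return the voter's receipt (ballot_id, share).

    The audit tape keeps only the random pad, keyed by a random ballot id:
    no timestamp, no sequence number, so the tape cannot be lined up with
    the order in which people walked in.
    """
    ballot_id = str(uuid.uuid4())
    pad = secrets.token_bytes(FIELD_WIDTH)       # one-time pad for this vote
    share = xor_bytes(encode_vote(candidate), pad)
    audit_tape[ballot_id] = pad
    return ballot_id, share


def verify(receipt: tuple, audit_tape: dict) -> str:
    """Recover the vote; works only when both halves are present."""
    ballot_id, share = receipt
    pad = audit_tape[ballot_id]
    return xor_bytes(share, pad).rstrip(b"\0").decode()


def forge_pad(receipt: tuple, claimed: str) -> bytes:
    """Coercion check: for any claimed candidate there is a pad under which
    the receipt 'verifies' to it, so the receipt alone proves nothing to a
    vote buyer who lacks the real tape."""
    _, share = receipt
    return xor_bytes(share, encode_vote(claimed))


def export_tape(audit_tape: dict) -> list:
    """Publish the tape sorted by ballot id rather than by arrival order."""
    return sorted(audit_tape.items())


def tally_with_receipts(receipts: list, audit_tape: dict) -> dict:
    """A recount needs the receipts: the tape by itself carries no votes,
    which is the price of making each half useless on its own."""
    counts = {c: 0 for c in CANDIDATES}
    for r in receipts:
        choice = verify(r, audit_tape)
        counts[choice] = counts.get(choice, 0) + 1
    return counts
```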

~~~
function_seven
So basically the response to my last sentence:

> Not sure if there's some fundamental contradiction between secrecy in voting
> and voter-auditability.

Is, "yes, there is"? By "voter-auditability" I mean the ability for any single
person to verify that their ballot was cast the same way they intended.

~~~
reagency
"zero knowledge proofs" is a textbook solved problem. Your local college
library has books that explain how to do secure voting. It is how AWS and
HTTPS works.

------
kristopolous
so the real question is where is the startup with the solution of $35 tablet
"voting machines" on $10 stands and a $30 SBC "voting server" in a $15 lockbox
that can deliver 4 "deluxe voting terminals" with a "server" for $2,000? (89%
profit)

The references of the current players in the industry I see talk upwards of
$3,000 per terminal! The industry standard pricing for this would be $12,000.
$12,000 for buggy, insecure, closed-source, non-updateable, unverifiable,
crappity crap. Awesomes.

How about this ... a voter walks into the polling station and can either use a
terminal or their own smart-phone - connect to the open wireless "voting
hotspot" where they can enter in an anonymous token at something that we use
as the "hot spot sign-in page" that they are given by the people who volunteer
the polling station that they can use to cast their ballot without waiting in
line.

It's not like secure voting is an open problem. There just needs to be some
crotchety capitalist company with people in suits selling it. Open source,
anonymous, verifiable voting machines on open hardware with an optional paper
trail (cups + network printer). We can do this making comfortable profits and
at at least a 60% savings to the tax payer.

The best part is that if the company goes out of business, everything is open
source and documented, so we don't put communities at risk of the security
issues with code rot.

So ... who wants to make some money? email me: kristopolous (at) gmail

~~~
bhickey
How about this: A voter takes a paper ballot. The voter marks the ballot with
a felt pen and deposits it in a bin. Polling place staff mark the voter's thumb
with indelible ink.

Electronic voting is a problem looking for a problem. You need voter
verifiable ballots with a high degree of tamper resistance. As far as
trustworthiness goes it's hard to compete with ballot boxes and adversarial
observers.

~~~
agarden
The attack on paper voting is not flipping votes, it is invalidating votes. In
Chicago, election officers counting the votes used to hide a small piece of
pencil lead under their finger nail. If there were too many Republican votes,
they would start putting an extra mark on some of them, thus invalidating the
vote because of stray marks.

I think the solution is to crowd-source verifying the vote. If every ballot
were given a unique number or code, and when the ballot was counted each
ballot with who it was counted for were available for download on the web, third
parties could verify that the numbers were counted correctly. And each voter
now has an anonymous number that he can use to look at how the vote was
counted and verify that it was counted correctly. If it wasn't, he complains.
The political parties would be happy to urge their loyal constituents to check
that their vote was correctly counted and to sue should they have a sufficient
number of members claim theirs was wrong.

~~~
reagency
Modern paper voting involves thick black markers, OCR computers, and
election monitors from both parties. The 1880s are long ago history.

~~~
eterm
Not in the UK it doesn't. All pencil and human counting here.

------
cjslep
An interesting documentary is "Hacking Democracy" (2006) [0] that championed
open voting machines and open election processes to help prevent election
fraud. The documented fraud that occurred in the early 2000's really lifted
some of my childhood innocence from my teenage brain.

When mistakes that happen are chalked up to "computer glitches", but it only
takes such a few bugs in a few key locations to change the outcome of an
election, the results can be game-changing.

The full documentary was pretty concerning, and I have carried very little
faith in the voting process since.

[0]
[https://www.youtube.com/watch?v=5Qk95SVRdEo](https://www.youtube.com/watch?v=5Qk95SVRdEo)
(Last minute contains the section where the grandmother "steals" proprietary
Diebold Election Systems code off an open webpage)

[1]
[https://en.wikipedia.org/wiki/Hacking_Democracy](https://en.wikipedia.org/wiki/Hacking_Democracy)

------
Marazan
Why does America have a love affair with voting machines? What is wrong with
paper and pencil?

~~~
uptown
Paper and pencil aren't a perfect solution either. This page shows a few
examples of where things have gone wrong.

[http://blogs.mprnews.org/newscut/2008/12/timewasters_the_bal...](http://blogs.mprnews.org/newscut/2008/12/timewasters_the_ballots/)

In the case of the Florida Presidential vote, they ran into the problem of
"hanging chads" where parts of the page that were intended to be fully
punched-out so a machine could detect the vote were still attached to the
page, leading to further scrutiny over deciphering the true intent of the
voter's ballot.

~~~
slasaus
That was not a pencil but still a lot of technology/mechanics. But you're
right, paper and pencil are not perfect, just the most secure we can
practically achieve these days and probably for the upcoming decade. See this
video of J. Alex Halderman on e-voting in Estonia and about electronic voting
in general [0]. (Halderman is a professor also known from the cold boot attack
and the more recent vulnerabilities in a lot of Diffie-Hellman
implementations).

[https://www.youtube.com/watch?v=JY_pHvhE4os](https://www.youtube.com/watch?v=JY_pHvhE4os)

------
krapp
I kind of feel like "worst voting machine in the US" is a meaningless standard
without knowing how much better the "best" such machine is. Or, to restate,
are there any of these electronic voting machines that _aren't_ crap?

~~~
hughw
Without giving details, the author says Diebold machines are 100 times more
secure.

~~~
agarden
And still horrendously bad.
[http://gizmodo.com/200693/how-to-steal-an-election-with-a-diebold-machine](http://gizmodo.com/200693/how-to-steal-an-election-with-a-diebold-machine)

------
sb057
I feel the need to share this video again:

[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)

------
mcv
This is unbelievable. How did they even get certified in the first place? What
standards are there for voting machines in the US?

A couple of years ago, a Dutch group of hackers (led by Rop Gongrijp) argued
very strongly against the use of any kind of voting machine. Not because
they're so easily hacked (I assume the Dutch voting machines were fairly
secure), but simply because they're a black box and you simply have to trust
that whatever comes out is correct, and there's no paper trail you can verify
to check whether it actually is correct. If they've been tampered with, you
most likely don't know, and even if you do know, there's no way to correct it.

The Netherlands has very specific voting laws to ensure that elections are reliable
and verifiable, and when voting computers were introduced, an exemption was
added to the law because voting computers couldn't possibly meet those rules.

The hackers successfully argued their case, so we're back to voting with
pencils again. Cumbersome, but we know (and can verify) that it works.

------
avivo
It would be fascinating to see if there is a correlation between potential
signal strength of an external attacker, and votes for a particular candidate.
This seems like the only good way to see at this point if there was any
tampering by a (somewhat limited) adversary. While this would only work to
detect external wifi based attacks, those seem like the most likely.

Perhaps a "simple" first pass could be done by looking at building type
(concrete vs. wood?) via aerial maps, and correlating that to local polling
data. If anyone does do an analysis like this, I'd love to see the results!

------
maze-le
Voting machines should be called voting computers. That is what they are, they
"compute" a vote-count (with all problems and fallacies that word implies).

------
chrischen
I'd say that for most people if you aren't hacked, or had your identity
stolen, it's because no one has tried.

------
Beltiras
$50 Android tablets with USB tethered networking and WiFi physically removed
(take out the antenna). Software solution has been described ad nauseam both
in this thread and elsewhere. This would be at least as secure as the current
state of affairs and you could actually get this up and running quickly.

------
Sami_Lehtinen
Why do you need voting machines, when everyone has a smartphone, tablet or
computer?
[http://estonia.eu/about-estonia/economy-a-it/e-voting.html](http://estonia.eu/about-estonia/economy-a-it/e-voting.html)

~~~
kakoni
Some controversy on that topic:
[https://pacsec.jp/psj14/PSJ2014_Hursti-MacAlpine_Estonia-PacSec.pdf](https://pacsec.jp/psj14/PSJ2014_Hursti-MacAlpine_Estonia-PacSec.pdf)

~~~
slasaus
Mirror in the Netherlands, Amsterdam:
[http://controleerbareverkiezingen.nl/pub/PSJ2014_Hursti-MacAlpine_Estonia-PacSec.pdf](http://controleerbareverkiezingen.nl/pub/PSJ2014_Hursti-MacAlpine_Estonia-PacSec.pdf)

------
davotoula
"If an election was held using the AVS WinVote, and it wasn’t hacked, it was
only because no one tried."

Ouch!

------
JulianMorrison
It's going to be interesting to see who suddenly gets voted out, as soon as
these are replaced.

------
itburnswheniit
Most voters aren't relevant anymore.

Princeton confirmed it in a study earlier this year. It's neatly summed up
here:
[https://www.youtube.com/watch?v=5tu32CCA_Ig](https://www.youtube.com/watch?v=5tu32CCA_Ig)

------
owlish
I'm curious, what security measures are in place for human vote counters?

~~~
wglb
One member from each party, minimum of two, involved in the count.

~~~
rdsnsca
That's pretty much how they do it here in Canada. One member from each party
plus an Elections Canada official. The ballot box is sealed in front of at
least two voters, who determine that it is empty before sealing and then sign
the seals. (I know this because I was so early to vote the last election I
had to wait for another voter to show up).

------
m3h
Is this really America you are talking about? O.o

