Avi Rubin, well known for his role as electronic voting machine critic, spent yesterday as an election judge in Baltimore County. He wrote about it here, and came away with a much better understanding of the process and the Diebold machines' flaws. A little taste for you:
In our paper, we described how the smartcards used by these machines had no cryptography on them, and we made the widely criticized claim that a teenager in a garage could manufacture smartcards and use them to vote 20 times. I now believe that this particular attack is not a real threat -- at least not in the primary I worked today. We had 9 judges and 5 machines. Whenever a voter took what seemed to be too long, we always had a judge ask them if they needed help, or if something was wrong. Also, the machines make a loud clicking sound when the smartcard is ejected, and we almost always had a judge standing there waiting to collect the card and give the voter a sticker, as they are ushered out.
In general, multiple voting attacks during the election are not likely to work in a precinct such as the one where I worked. Every hour or so, we counted all of the voter authorization cards (different from the smartcards), which were in an envelope taped to the machine, and compared them to the number of votes counted by the machine so far. I believe that if any voter somehow managed to vote multiple times, that it would be detected within an hour. I have no idea what we would do in that situation. In fact, I think we'd have a serious problem on our hands, but at least we would know it.
There were also some security issues that I found to be much worse than I expected. All of the tallies are kept on PCMCIA cards. At the end of the election, each of those cards is loaded onto one machine, designated as the zero machine. (I found it interesting that Diebold numbered the machines 0 through n-1, disproving my notion that they don't have anyone on board who knows anything about Computer Science.) The zero machine is then connected to a modem, and the tallies are sent to a central place, where they are incorporated with the tallies of other precincts. In our case, the phone line was not working properly, so we went to the backup plan. The zero machine combined all the tallies from the PCMCIA cards that were loaded one at a time onto the machine. It then printed out the final tallies. One copy of that went onto the outside door of the building where there were talliers and poll watchers eagerly waiting. The other was put into a pouch with all of the PCMCIA cards, each wrapped in a printed tally of the machine to which it corresponds, and that pouch was driven by the two head judges to the board of elections office.
The security risk I saw was that Diebold had designated which machine would be the zero machine, and at one point, all of the vote tallies were loaded onto that one machine in memory. That would be the perfect point to completely change the tallies. There is no need to attack all of the machines at a precinct if someone could tamper with the zero machine. In fact, even when the modem is used, it is only the zero machine that makes the call. In the code we examined, that phone call is not protected correctly with cryptography. Perhaps that has been fixed. I was glad to see that the administrator PIN actually used in the election was not the 1111 that we used in our training, and that we had seen in the code.
One thing absolutely amazed me. With very few exceptions, the voters really LOVED the machines. They raved about them to us judges. The most common comment was "That was so easy." I can see why people take so much offense at the notion that the machines are completely insecure. Given my role today, I just smiled and nodded. I was not about to tell voters that the machines they had just voted on were so insecure. I was curious that voters did not seem to question how their votes were recorded. The voter verifiability that I find so precious did not seem to be on the minds of these voters. One woman did come up to Joy and complain that she wanted a paper ballot to verify. But, Joy managed to convince her that these machines were state of the art and that there was nothing to worry about, which was followed by a smile and a wink in my direction. I just kept quiet, given the circumstances. As an election judge, my job is to make the election work as well as possible, and creating doubts in the voters' minds at the polls does not figure into my idea of responsible behavior. Perhaps the lightest moment in the day came when one voter standing at his machine asked in the most deadpan voice, "What do I do if it says it is rebooting?" Head judge Marie turned white, and Joy's mouth dropped. My heart started to beat quickly, when he laughed and said "just kidding." There was about a two second pause of silence followed by roaring laughter from everyone.
I found the reaction to that joke interesting. Everybody was willing to believe that this had happened, and yet when it became clear that it didn't, we all felt relief. I'm sure that the other judges would have claimed that this was impossible, and yet, for a brief instant, they all thought it had happened.
UPDATE: Urk. Rubin did his thing last week, on Super Tuesday, not yesterday. My bad. Thanks to Morat for the catch.Posted by Charles Kuffner on March 10, 2004 to Election 2004 | TrackBack