The Last HOPE, Part 2 of 4


I continue the series of my experience on Friday at The Last HOPE.

At 12 PM I attended Packing and the Friendly Skies: Why transporting firearms may be the best way to safeguard your tech when you fly, presented by “Deviant Ollam”. The PowerPoint is available online. Essentially, when you pack a “firearm”–which, by TSA guidelines, can include a short or long gun, a flare gun, an airsoft gun (yes!), a replica or prop weapon, or weapon parts and hardware–there are all sorts of extra security processes that one must go through, which will ensure that your luggage remains safe.

When checking the bag in, the passenger must declare the firearm–worded carefully, of course, as “I have a gun” goes over differently from “I would like to declare a firearm”–and show that it is unloaded; the bag must be a hard case locked with a secure non-TSA lock: Deviant recommends a rotating disk lock, which is among the most difficult to compromise. The passenger then gets to follow the bag through TSA screening; the most important part is that it is impossible for an unscrupulous TSA employee or criminal to use a TSA master key to steal things out of the passenger’s luggage, and care will be taken to ensure that the bag is not lost, so that they do not have a lost gun on their hands. I found this presentation extremely informative, and I give it 5 / 5.

At 1 PM I grabbed a bite to eat, then perused the various tables and displays on the second-floor part of the conference. Among books, lock-picking tools and soldering stations for TV-B-Gone and other useful kits there were a few things that seemed totally irrelevant, but totally cool at the same time: a 3-D audio renderer, for instance. Then another cramped elevator ride up.

At 2 PM I attended Hacking Democracy: An In Depth Analysis of the ES&S Voting Systems, presented by a team of researchers from the University of Pennsylvania that was commissioned by the State of Ohio as part of the Project EVEREST Voting Study to analyze the security of electronic voting systems made by Elections Systems and Software (ES&S), which had not been independently reviewed before. The talk opened with a brief sojourn through the system of voting in the US and the history of electronic voting, especially the Help America Vote Act of 2002. In reaction to the debacle of 2000, which for those who remember came down to a bunch of recounters in Florida puzzling over hanging chads, the Act mandated a shift to disabled-accessible voting technology, and funded states to make such a shift. That was the genesis of computerized voting, which promised at least in theory to be much more accessible to the disabled than punch cards or levers could be. Two main systems came into place: direct computer voting, and optically scanned paper ballots in the mode of the SAT, counted either at the precinct or county levels.

Here the problems start. There are four vendors of electronic voting systems: ES&S (which the presenters reviewed), Hart Intercivic, Premier (formerly known as Diebold–yes, that Diebold), and Sequoia. Questions have been raised about the security of these systems and their vulnerability to tampering. The code for all the machines is a trade secret and is tested by vendor-supported labs.

Independent reviews have all raised questions. Thus Project EVEREST, a comprehensive security review commissioned by the State of Ohio, came into being in fall 2007; check the above link for details. The UPenn team negotiated hard for hacker-friendly ground rules: they wanted to approach the problem as hackers, and ensured the review would be independent, have full access to the machine and have total editorial control over the final report.

In theory, voting should work something like the following:
votes[candidate] = votes[candidate] + 1
but in practice, there are procedures and levels of software at the machine, precinct and county levels. Also, voting machines are somewhat unique in that they can be attacked (i.e., the vote totals changed by more than 1) in a number of different ways: deletion, alteration, forgery, compromise of one of five parts, or use of viruses are all potential attacks. They are also unique in that data integrity must be combined with a lack of accountability–the votes must be trustable, but cannot be traced back to a particular machine, which is not how most data work.

There were a large number of things that the team was asked to review in a short period of time (about two months). In the iVotronic direct recording machines, which had custom touchscreen computers with proprietary firmware (and, in Ohio, a printer for a paper trail), there were 88,000 lines of C and assembly language to be reviewed. Those machines have a Personalized Electronic Ballot (PEB), a small hardware module that is basically an infrared device with a magnet–more on this later. The precinct optical scan system has a scanner on top of the ballot box to read and accept a ballot, or reject it if it is improperly bubbled. It has an internal memory card with the ballot definitions and a tally of votes; it has 30,000 lines of code. The centrally-scanned optical system is essentially a high-speed batch ballot counter, since it is designed to process all the ballots in one day; it has 22,800 lines of code. For the actual electoral back-end, ES&S uses a comprehensive election management software suite, Unity, that runs on a Windows computer at the county election office; it has 400,000 lines of code in languages including C, C++, SQL, Visual Basic and COBOL. It is intended to take the modules from the voter-end or sorting machines and count full results with them. The data flow was described by the presenters as “complicated”, and they set about using triage to attack it in multiple ways. Their findings were nothing if not depressing for the state of America: it was possible to compromise virtually every component of the election system; they could alter or forge results, propagate viruses from one machine to the back-end, and alter firmware.

The physical layer of security was somewhat lacking. The locks on the iVotronic machines were standard filing cabinet locks that had the same two keys in every polling station in every state where the machines were used. The tamper-evident seals over the memory cards were easily replaceable, and removable by heat or cold. There were accessible ports, including Ethernet and modem, that things could be plugged into, and the printer cable could be easily disconnected to disable the paper trail. It was easy to recalibrate the screens so that a press in one place registered somewhere else: for instance, a press on one candidate registers on a second candidate. The PEB could be easily replaced with a PDA and a magnet; the PEBs typically came in blue for voters, red for supervisors and yellow to reset, but there was a fourth type they found that gave complete backdoor access to the machine. Not the most comforting feature, to be sure. It was not difficult for them to build a virus, put it on their substituted PEB and have it propagate to the Unity back-end and alter the results. In summary: When running for office, always be sure to get your supporters to use a few easy tricks to rig the election in your favor. Don’t you love democracy?

Paper ballots, while an improvement, have caveats of their own. It was possible to forge ballots, essentially. All ballots had some parts in security ink, which the scanner is unable to read, and some parts in regular ink. While a pure photocopy of the ballot was rejected, using composite ink from an inkjet printer–what it makes when it’s out of black by mixing the colors–the security ink could be spoofed and thus the ballots tampered with prior to voting to alter results.

The presenters list a number of fixes that could be made to improve the situation. In the short term, they said, audits and procedural controls are essential; in the long term, they emphasized that machines must be built from the ground up with a focus on security and a careful design. They recommend open source software and paper ballots.
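
As an added illustration (not code from the talk, from Project EVEREST or from any vendor), here is one simple form of the audit the presenters call for: hand-counted paper ballots are reconciled per candidate against each precinct's machine tally and against the county back-end totals. All function names, precinct labels and ballot data are constructed for the example.

```python
from collections import Counter

def tally(ballots):
    """Hand count: votes[candidate] = votes[candidate] + 1 per paper ballot."""
    votes = Counter()
    for candidate in ballots:
        votes[candidate] += 1
    return votes

def audit(paper_by_precinct, machine_by_precinct, county_totals):
    """Return (where, candidate, paper_count, reported_count) for every
    disagreement; an empty list means all three levels agree."""
    findings = []
    expected_county = Counter()
    for precinct in sorted(set(paper_by_precinct) | set(machine_by_precinct)):
        paper = tally(paper_by_precinct.get(precinct, []))
        machine = Counter(machine_by_precinct.get(precinct, {}))
        expected_county.update(paper)
        # Compare per candidate: a turnout-only check misses a vote *shift*.
        for cand in sorted(set(paper) | set(machine)):
            if paper[cand] != machine[cand]:
                findings.append((precinct, cand, paper[cand], machine[cand]))
    reported = Counter(county_totals)
    for cand in sorted(set(expected_county) | set(reported)):
        if expected_county[cand] != reported[cand]:
            findings.append(("COUNTY", cand, expected_county[cand], reported[cand]))
    return findings

# Constructed sample data. Paper ballots carry only the choice, never the
# voter, so the audit checks integrity without breaking ballot secrecy.
PAPER = {"P1": ["A", "A", "A", "B", "B"],
         "P2": ["A", "A", "B", "B", "B", "B"]}
# P2's electronic tally has two votes moved from B to A; turnout is still 6.
MACHINE = {"P1": {"A": 3, "B": 2}, "P2": {"A": 4, "B": 2}}
COUNTY = {"A": 7, "B": 4}  # back-end totals built from the altered tallies

if __name__ == "__main__":
    for where, cand, paper, reported in audit(PAPER, MACHINE, COUNTY):
        print(f"{where}: candidate {cand} paper={paper} reported={reported}")
```

The altered precinct keeps the same number of ballots cast, which is why the comparison is made per candidate and against the paper record rather than against turnout alone.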

I found this presentation very informative and enlightening. Rating: 5 / 5.

I will be continuing my posts of my experience yesterday at HOPE with Part 3, featuring Wikipedia, urban farming and lockpicking.
