Re: code validation? - rom based attacks

From: Ron Crane <voting_at_lastland_dot_net>
Date: Wed Feb 23 2005 - 16:01:07 CST

On Feb 23, 2005, at 12:41 PM, David Mertz wrote:

>> This would mean forgoing the security benefits of open source
>> software and falling back upon the second level of security provided
>> by VVPAT.
> Not forgoing. We want both.
> The BIOS attack is significant, but not as overwhelming as Ron seems
> to think. Stipulate that a nasty BIOS corrupts machines. It's not
> all that easy to make that happen: the software on CD is quite a bit
> bigger than normal ROM holds; tampering would have to detect/modify
> the specific certified code version; the machine modification would
> need to hide itself from visual and on-screen detection; etc. None of
> these hacks are in-principle impossible to do, but they're not that
> simple. Especially once you add chain-of-custody procedures around
> the physical machines.

I'm not talking about BIOS attacks. I'm talking about a scenario where
vendors provide turn-key systems using OVC's software. Since the vendor
controls how such a system is manufactured, it could include a ROM that
contains a version of OVC's software identical to the publicly-reviewed
one except for cheating code. A voting station based upon such a ROM
would simulate booting from the (approved) CD, but would really boot
from the cheating ROM.

> But the paper acts as a check. Suppose a machine does various nasty
> things. Voters inspect their ballots. If the tallies of paper don't
> match the electronic tallies and audit records,

That's an obvious kind of cheating that's easily detected, and perhaps
is fairly easily remedied. I'm talking about more subtle varieties of
cheating, such as printing a ballot (and recording a matching
electronic record) that contains the cheater's choices instead of the
voter's, and relying upon an insufficient number of voters actually
verifying their ballots.

> Not every voter needs to actually inspect their ballot. Not even the
> majority of voters need to. Just a moderately large random slice of
> them need to make the actual checks to make it statistically HIGHLY
> likely discrepancies will be detected. Maybe one of the statisticians
> around here can tell us whether we need 2%, 5%, 10%, or what exactly
> for actual voter verification.

Alright, calling all statisticians! How many voters need to verify
their ballots to make it "HIGHLY likely" that they'd detect cheating?
Bear in mind that history (e.g. Ohio and Florida in 2004) has shown
that voting officials are likely to dismiss a small number of
complaints as the result of "voter error" or "glitches". And, even once
cheating is detected, what's the legal process to purge the taint from
the election? Remember that some elections are conducted under strict
timelines. For example, a state's presidential electoral slate must be
selected by early December (~ 1 month after election day) for the state
to avoid certain kinds of challenges to its slate
section_5.html ).

>> in a way that attempts to avoid the effects of VVPAT. An example of
>> the former would be occasionally presenting the favored candidate
>> first, or occasionally omitting disfavored candidates from the
>> selections, or presenting the favored candidate in slightly bolder
>> text than the disfavored ones, or making the favored candidate's
>> selection area larger than the others (!),
> Yeah... those are more subtle changes. But voters should be presented
> with instructions prior to voting. As in, a piece of paper that says:
> your on-screen ballot should look exactly like the below picture. Of
> course not all voters will concretely check and catch subtle
> discrepancies like font size and candidate position. But SOME of them
> would. And those who noticed would report complaints. And scrutiny
> is heightened, forensic analysis performed, etc.

Perhaps scrutiny is heightened. Perhaps forensic analysis is performed.
But history (Ohio and Florida again) does not provide much support for
that idea, even when voters actually complain. History would say that
the tainted election will be certified and the cheaters will remain
uninvestigated by the powers that be.

I think we need to avoid that scenario by becoming the sole vendor for
systems based upon our software.
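A worked answer to the "how many voters need to verify" question raised in this exchange, added here as an illustration and not part of the original thread. It assumes a simple binomial model (each ballot is independently altered, verified and noticed), and the ballot count, cheat fraction and catch rate in the scenario are constructed; a minimum number of complaints is included to model the point that officials may dismiss a handful of reports as "voter error".

```python
import math

def prob_fewer_than(n, p, k):
    """P(X < k) for X ~ Binomial(n, p), summed in log space so large n is safe."""
    if p <= 0.0:
        return 1.0
    if p >= 1.0:
        return 1.0 if k > n else 0.0
    log_term = n * math.log1p(-p)              # log P(X = 0)
    step = math.log(p) - math.log1p(-p)
    total = 0.0
    for i in range(min(k, n + 1)):
        total += math.exp(log_term)
        if i < n:                              # log P(X = i+1) from log P(X = i)
            log_term += math.log((n - i) / (i + 1)) + step
    return min(total, 1.0)

def detection_probability(n_ballots, cheat_fraction, verify_fraction,
                          catch_rate=1.0, min_reports=1):
    """P(at least min_reports altered ballots are reported). Assumed model: each
    ballot is altered with prob. cheat_fraction; its voter verifies with prob.
    verify_fraction and then notices with prob. catch_rate. min_reports > 1
    models officials dismissing a handful of complaints as "voter error"."""
    p = cheat_fraction * verify_fraction * catch_rate
    return 1.0 - prob_fewer_than(n_ballots, p, min_reports)

def verify_fraction_needed(n_ballots, cheat_fraction, target=0.99,
                           catch_rate=1.0, min_reports=1):
    """Smallest verify_fraction reaching the target detection probability
    (bisection; monotone in verify_fraction). None if 100% cannot reach it."""
    def prob(v):
        return detection_probability(n_ballots, cheat_fraction, v, catch_rate, min_reports)
    if prob(1.0) < target:
        return None
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        lo, hi = (lo, mid) if prob(mid) >= target else (mid, hi)
    return hi

if __name__ == "__main__":
    # Constructed scenario: 100,000 ballots, 1% altered, 80% of verifiers notice.
    N, CHEAT, CATCH = 100_000, 0.01, 0.8
    for reports in (1, 20):
        print(f"officials act on >= {reports} complaint(s):")
        for v in (0.02, 0.05, 0.10):
            print(f"  {v:>4.0%} verify -> P(detect) = "
                  f"{detection_probability(N, CHEAT, v, CATCH, reports):.4f}")
        need = verify_fraction_needed(N, CHEAT, 0.99, CATCH, reports)
        print(f"  verify rate needed for 99% detection: {need:.2%}")
```

The contrast between the two complaint thresholds is the point: a small verification rate catches a 1% alteration almost surely in a large election if a single complaint triggers an investigation, but the required rate climbs sharply once the first few complaints are ignored.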


