Re: MORE Questions from election officials

From: Douglas W. Jones <jones_at_cs_dot_uiowa_dot_edu>
Date: Tue May 04 2004 - 10:26:12 CDT

On May 4, 2004, at 9:43 AM, charlie strauss wrote:

> example #1: Shamos says serious parallel testing would defeat any
> time-activated logic bomb. It might miss the case where the logic
> bomb is activated by a shill but that would require one shill per
> machine or precinct.

Consider the problem of gaining control of the House
of Representatives. In any given election year, there are usually
a fair number of house districts with close races, and if you
could target just those races, you'd probably be able to take
control of the house. A congressional district has about 500,000
people these days. So, assume half the population turns out to
vote (election 2000 in Iowa had that kind of turnout). That's
250,000 voters. Assume we're interested in throwing elections
that are within 1/5 of a percent. That's 500 votes, a very
typical number of voters in one precinct. Of course, throwing
the whole precinct would be pretty obvious, but a small conspiracy
that could trigger the fix in 10 precincts to pick up 50 votes
would be enough to go under the radar in many areas.

So, use opinion polling to pick your target congressional districts
and then use misdirection. Your accomplices don't know that they're
accomplices in vote fraud. You tell them that you're counting on
them to vote for Trigger A Trojan for drain commissioner in order to
audit the county's handling of write-in votes or something equally
lame. You're counting on their cooperation. We are asking exactly
36 of our most trusted supporters to vote for this fictional person
in order to test the county, so please don't tell anyone you've done
this. And, of course, if you don't get something close to 36 votes
for Trigger Trojan, you complain, because indeed, many counties don't
bother to note write-ins, despite the legal requirement that they
do so.

Oh yes, the name Trigger A Trojan only works during that election day.
Next year, it will be Trigger B Trojan, and the year after that,
Trigger C Trojan, just to make sure that nobody guesses what this
write-in name does (and, of course, it's not Trigger Trojan at all,
but some perfectly normal sounding name).

So, this conspiracy is small, most participants are genuinely
innocent, and it lets you gain control of congress. Parallel testing
won't detect it because the fix is triggered only on the machines that
are in actual use.

> Example #2: Shamos says any bug or deliberate attempt to shift votes
> from one party to another would have to be the same on all machines of
> the same type and therefore would be caught by the pronounced
> demographic shift on those machines.

You have to make the shift plausible and small. Shift 1% of the
Democratic vote to the Green Party, or shift 1% of the Republican
vote to the Libertarian Party. These are plausible shifts because many
Democrats have Green sympathies, and many Republicans have Libertarian
leanings, but what you've really done is throw votes to the mainline
party on the other side. This 1% shift is nothing spectacular, and
I'll bet it would suffice to take control of congress.

> Example #3: Shamos says hacking being impossible at a non-local level
> because machine makers don't know the ballots/contestants ahead of time
> is an argument that an amazing number of "important" people have
> recited to me, even carries weight with ones you would think
> sympathetic (e.g. ACLU). Shamos goes one better and suggests the
> simple expedient of making the contest descriptors graphics would be
> sufficient to thwart any lurking expression like "if m/republican/i"
> since to insert a graphic reader would be such a huge change it would
> surely be noted.

This isn't an original proposal. See my discussion of the importance
of using graphics in Internet voting (and in fact, in other secure
internet transactions).

However, if you allow any bug patches to be installed between the date
the candidates are determined (primary day, party conventions, whatever)
and the date of the election, this argument is no longer valid because
you could customize an OS patch, for example, to target a particular
candidate, then announce it as a "first priority security patch" a few
weeks before the election.

Of course, getting people dumbed down enough to fall for this trick
requires that you train them to install all OS security patches as a
knee-jerk response, so make sure you release such patches frequently,
and make sure that there is a real penalty for failure to patch. You
need an environment where there are plenty of genuine security threats
(viruses, worms, etc) to train people that they must accept patches.

And, as I showed back in the spring of 2000, OS patches can change the
outcome of an election.

> In my own presentations I generally don't emphasize hacking (I think
> bugs are quite sufficient an issue) but somehow everyone always wants
> to bring up fraud so it's an unavoidable topic.

When someone brings it up, I always point out that, for every hacker,
there are hundreds or thousands of innocent people who make normal
human mistakes. My favorite example of this was a new release of
Windows 95 that contained a perfect example of an attack on the
voting system from within the window manager. It was entirely innocent,
Microsoft didn't mean to break the voting system made by Fidlar and
Chambers. They did, though. It was an innocent enhancement, totally
upward compatible and with no impact on existing code and no need to
change any use of the Windows API. The consequence was to reveal, to
each voter, exactly how the person who used the machine before them
voted. (The radio button widget had a new GUI feature, a subtle
highlight indicating which button had been pressed most recently.)

                        Doug Jones
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Mon May 31 23:17:09 2004
