My analysis of Sequoia's vulnerability assessment
[Adapted from a letter I sent to my county supervisor:]
I read through the Sequoia voting machine's vulnerability assessment I mentioned in the previous post.
I found that the report was very thorough in some aspects, but it was also extremely flawed.
1) My main problem with the report was that it was completely passive. From what I could determine, these security experts did not actually get their hands on any of these machines. They seemed to be basing their conclusions on product specifications and interviews along with checks of facilities. They did not actually test the machines and attempt to "hack" into them (similarly to how a group at Princeton did and as staff was directed to do). (Apparently the terms "hack test" and "hackability" were brought up 4 times in a 10-minute period in the discussion leading up to the June 8th vote, so it's clear what was supposed to be done.)
2) I was perhaps most surprised at some of the security conclusions, notably on page v that lauds the "precinct equipment [that] does not have an underlying operating system that can be obtained in the public domain, inspected, analyzed, and vulnerability-exploiting tools created, as is true with Windows, Linux, and most every standard operating system." This is called "security through obscurity", an extremely controversial technique because it allows for "inside job" security back doors and is susceptible to leaking of secrets. (See Wikipedia for more information.) Furthermore, I find it distressing that this statement also lumps Windows (a very insecure operating system, as the report itself admits, which also relies on security through obscurity) in with Linux, an operating system whose much, much stronger security is gained through intense public scrutiny. To have a security consultant promote "security through obscurity" is extremely questionable.
3) The possibility of sabotage before delivery was not questioned. If the vendor were motivated, it could sabotage the voting machines before they were delivered to the county. Because the consultants did not actually test the machines, there is no way to know if this is the case.
4) Sabotage by insiders was not questioned. The two-person security procedures described in the report are certainly an improvement over one person, but what if those two persons are collaborating? Clearly the higher up the chain this happens, the worse the risk is. The attacks mentioned in the above point would be possible to some extent. I was surprised that this was not questioned in the report.
5) Here are a couple of possible attacks that might take place due to weaknesses listed above: The system's test mode run just before an election [see page 5, item "b)"] might be programmed to register just fine, but then in "election mode", it might skew the vote, as was shown in the Diebold video. Or, if the paper record of the ballot [section "e)" pages 5-6] goes into the secure physical chamber of the VVPAT without the voter being able to see that the vote on the paper actually matches their vote as cast, then even the paper trail could be flawed, and the recount could not happen. It was almost laughable that these scenarios were not addressed.
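The two scenarios in point 5 share one lesson for a defender: a machine that passes its pre-election test mode proves nothing about election mode, so the only meaningful check is to reconcile the production electronic totals against an independent record that the voter actually saw. The following is an added example, not code from the original post, from Sequoia, or from the assessment; it models that reconciliation over constructed data. The precinct names, candidate names, ballot ids and counts are all invented for illustration, and the `voter_verified` flag is an assumed attribute standing in for whether the paper record was visible to the voter before it entered the VVPAT chamber.

```python
"""Reconciling an electronic tally against voter-verified paper records.

Constructed example for the scenarios in point 5: the pre-election test
reconciles cleanly, but an audit of election-mode records does not, and a
paper record the voter never saw cannot serve as independent evidence.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PaperRecord:
    """One VVPAT entry. voter_verified records whether the voter saw it."""
    precinct: str
    ballot_id: str
    choice: str
    voter_verified: bool = True


def tally_paper(records):
    """Count voter-verified paper records per precinct and choice.

    Records the voter never got to see are counted separately: they come from
    the same machine that produced the electronic total, so they cannot serve
    as an independent check on it.
    """
    totals = {}
    unverified = Counter()
    for rec in records:
        if not rec.voter_verified:
            unverified[rec.precinct] += 1
            continue
        totals.setdefault(rec.precinct, Counter())[rec.choice] += 1
    return totals, unverified


def reconcile(electronic, paper_records):
    """Compare reported electronic totals with the paper tally.

    electronic: {precinct: {choice: count}} as reported by the machines.
    Returns a list of human-readable discrepancies; an empty list means the
    electronic totals are fully supported by voter-verified paper.
    """
    paper_totals, unverified = tally_paper(paper_records)
    problems = []
    for precinct in sorted(set(electronic) | set(paper_totals) | set(unverified)):
        e_counts = Counter(electronic.get(precinct, {}))
        p_counts = paper_totals.get(precinct, Counter())
        for choice in sorted(set(e_counts) | set(p_counts)):
            if e_counts[choice] != p_counts[choice]:
                problems.append(
                    f"{precinct}: {choice} electronic={e_counts[choice]} "
                    f"paper={p_counts[choice]}"
                )
        if unverified[precinct]:
            problems.append(
                f"{precinct}: {unverified[precinct]} paper record(s) were never "
                "shown to the voter; paper trail is not independent"
            )
    return problems


# Constructed pre-election test deck: two ballots for each candidate. The
# machine's test-mode report matches it exactly, so the logic-and-accuracy
# check described in the report passes.
TEST_DECK = [
    PaperRecord("P1", "t1", "Candidate A"),
    PaperRecord("P1", "t2", "Candidate A"),
    PaperRecord("P1", "t3", "Candidate B"),
    PaperRecord("P1", "t4", "Candidate B"),
]
TEST_MODE_ELECTRONIC = {"P1": {"Candidate A": 2, "Candidate B": 2}}

# Constructed election-day data. Precinct P1: the electronic total differs by
# one vote from what voters saw on paper. Precinct P2: the totals would agree
# only if the unseen record e6 were trusted, which it cannot be.
ELECTION_PAPER = [
    PaperRecord("P1", "e1", "Candidate A"),
    PaperRecord("P1", "e2", "Candidate B"),
    PaperRecord("P1", "e3", "Candidate B"),
    PaperRecord("P1", "e4", "Candidate B"),
    PaperRecord("P2", "e5", "Candidate A"),
    PaperRecord("P2", "e6", "Candidate B", voter_verified=False),
]
ELECTION_MODE_ELECTRONIC = {
    "P1": {"Candidate A": 2, "Candidate B": 2},
    "P2": {"Candidate A": 1, "Candidate B": 1},
}


def preelection_test_passes():
    """The pre-election check alone: True when the test run reconciles cleanly."""
    return reconcile(TEST_MODE_ELECTRONIC, TEST_DECK) == []


def election_discrepancies():
    """What an audit of the production records actually finds."""
    return reconcile(ELECTION_MODE_ELECTRONIC, ELECTION_PAPER)


if __name__ == "__main__":
    print("pre-election test reconciles:", preelection_test_passes())
    for line in election_discrepancies():
        print("DISCREPANCY", line)
```

Run stand-alone, the pre-election check reports clean while the election-mode audit lists the P1 vote shift and flags P2's unseen record. The point of the design is that `tally_paper` refuses to count paper the voter did not verify: once the paper comes from the same untrusted state as the electronic tally, reconciling the two only confirms the machine agrees with itself.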
In conclusion, I believe that although the report did address a few issues and offer some improvements, the company did not do the job they were directed to do, and furthermore, they ignored several obvious scenarios that would have resulted in a rejection of the system. I almost suspect that somebody directed them behind the scenes to not "rock the boat" -- to come up with a report that looks impressive on the surface but not to go anywhere that could lead them to a negative conclusion.
I am a computer programmer, but I'm not a specialist at computer security. I have to know about these kinds of issues for my job, but I'm not an expert at security issues as this consultant purports to be -- but the fact that I was able to come up with several flaws that they completely ignored leads me to believe that the supervisors are not being given the whole truth.
I believe that this report should be rejected and that the registrar of voters should produce an authentic security test as the supervisors requested.