1. 15

    I think this is a good step in the right direction, but secure machines alone won’t increase my confidence in election results. I’ll explain why.

    Galois and DARPA are creating basically a proof of concept that other companies can adopt for free. Maybe I missed it, or maybe I’m being pessimistic, but it doesn’t say that the implementations must also remain open source.

    A major problem with the current voting paradigm is that the voting machines are privately owned. What kind of sense does it make for our voting infrastructure to be privately owned? This is insane because every time someone wants to inspect voting machines to ensure the results of an election, they’re rejected on the grounds that the software is proprietary 1 2.

    If we want to move to a more transparent process that gives voters confidence in the system (while also allowing watchdog organizations to do their jobs), we need to make it possible to inspect the machines as well. That said, I know basically nothing about security, so maybe I’m blowing things out of proportion here. @nickpsecurity what do you think?

    1. 4

      While the OSI-approved license has not been chosen yet, we certainly are knowledgeable about the pros and cons of various licenses and how a choice of license can impact a technology’s adoption in industry. We give DARPA our input, and they make the decision about licensing. Many of the technologies we have created in SSITH are already open source, and so far all are under the BSD license, I think.

      Of course, if we base a new technology on an existing project, that project’s license may give us little or no flexibility.

      1. 4

        I literally came to comment this comment.

        I’m all for OSS software, but the thing is…

        a) their implementations probably won’t be OSS (just as zmitchell said)… AND

        b) even if the implementations are OSS, how do you know the code you see on github** is what’s actually ON the voting machine you’re using?

        github** = whatever location they make it public at, just using github as an example

        1. 9

          We have previously developed a formally verified measured boot for RISC-V. It measures the state of the system in a deeper fashion than any existing verified boot insofar as we can measure the SoC, the firmware, and the full software stack, ensuring that every bit there is exactly as it should be before the system begins execution. This work has been presented or published at past RISC-V workshops (the 7th, I think) and last year’s CARRV 2019 conference.

          1. 2

            That’s awesome, thanks for sharing. Is that this paper?

            1. 2

              Yes.

          2. 2

            Perhaps a hash of the compiled/installed image shown on the screen? or even better, ability to grab the running firmware off the system you’re using to vote?

            1. 1

              Who says the display of the hash or the black box that dumps out the firmware is telling the truth? Both of those are just as easy to fake as they are to really implement.
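
Added example, not part of any comment in this thread and not Galois's code: a minimal model of the measured boot and of the displayed-hash objection discussed above. It goes one step beyond the comments by adding a nonce-based quote; `RootOfTrust`, the HMAC key standing in for a hardware signing key, and the sample images are assumptions constructed for illustration.

```python
import hashlib
import hmac

def extend(register: bytes, image: bytes) -> bytes:
    """Fold one boot stage into the register: SHA-256(old || SHA-256(image))."""
    return hashlib.sha256(register + hashlib.sha256(image).digest()).digest()

def measure(stages) -> bytes:
    """Measurement of a whole boot chain, starting from an all-zero register."""
    register = bytes(32)
    for image in stages:
        register = extend(register, image)
    return register

class RootOfTrust:
    """Hypothetical hardware: the key never leaves it and the register only extends."""
    def __init__(self, key: bytes):
        self._key, self._register = key, bytes(32)
    def extend(self, image: bytes) -> None:
        self._register = extend(self._register, image)
    def quote(self, nonce: bytes):
        # HMAC stands in for a signature made with a hardware-held key (assumption).
        tag = hmac.new(self._key, self._register + nonce, hashlib.sha256).digest()
        return self._register, tag

def boot(key: bytes, stages) -> RootOfTrust:
    rot = RootOfTrust(key)
    for image in stages:
        rot.extend(image)
    return rot

def verify(key, golden, nonce, measurement, tag) -> bool:
    expected = hmac.new(key, golden + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(measurement, golden) and hmac.compare_digest(tag, expected)

# Constructed sample images standing in for SoC configuration, firmware and software.
GOOD = [b"soc-config-v1", b"firmware-v1", b"ballot-app-v1"]
BAD = [b"soc-config-v1", b"firmware-v1", b"ballot-app-v1-modified"]
KEY = b"constructed-demo-key"
GOLDEN = measure(GOOD)

def attest(stages, nonce: bytes) -> bool:
    """Boot the stages, then check a quote over a verifier-chosen fresh nonce."""
    measurement, tag = boot(KEY, stages).quote(nonce)
    return verify(KEY, GOLDEN, nonce, measurement, tag)

def self_reported_hash(stages, honest: bool = True) -> bytes:
    """Hash shown on screen by the software itself; modified software can just lie."""
    return measure(stages) if honest else GOLDEN
```

The quote is only as trustworthy as the hardware holding the key, which is the residual trust the reply above points at.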

          3. 3

            (Sorry for delay. Work’s been rough. Had to take a nap before a deep response.)

            “This is insane because every time someone wants to inspect voting machines to ensure the results of an election, they’re rejected on the grounds that the software is proprietary 1 2.”

            We could make security regulations that force them to be shared source for inspection of hardware, firmware, software, etc. That hasn’t happened largely due to voters being unaware of this option (no push) and corruption (bribes) driving the adoption process of voting machines. These companies couldn’t have kept peddling this garbage without such corruption. They’d be kicked out by higher standards followed by competition. If Galois can open this, it creates the possibility of competition by shared-source, highly-inspectable implementations which can be used to create more pressure on buyers and suppliers. Who knows, though.

            “so maybe I’m blowing things out of proportion here.”

            I don’t think so. There’s quite a few categories of risk I don’t think Galois even has the capability to address, esp in analog and RF subversions. I only know a few folks that even understand how they work much less could stop them all. I wrote here about steps to secure in hardware based on applying generic, security engineering to hardware lifecycle (I’m not a hardware guy). The mixed-signal and EMSEC parts of my smartphone teardown apply here, too. If all this sounds like a lot, remember that we’re talking about elections that competing parties spend anywhere from hundreds of thousands to hundreds of millions on winning. Higher the stakes, the more likely someone will pay a few million to some rogue engineers, do interdictions, etc.

            I’m with Bruce Schneier on this: we don’t want computers handling voting. He has repeatedly written about the risks of digitized voting on his blog where we all debated it a lot. He, Clive Robinson (hardware/software high-security guy), and I all seemed to agree on paper of some form with optical scans. The scans are for the “get results in quick!” requirement Americans seem to have. The process security, though, gets three benefits from paper-based method:

            1. Everyone can understand how it works from children to ambitious youth in college to senior citizens who are cautious about technology. You get more buy-in when they can wrap their heads around something. Crypto, boot attestation, RISC-V, C language or SPARK… yeah, they’re going to see a black box they might or might not trust.

            2. Following 1, the audit process is something that anyone can participate in. Votes can be randomly split up by a community with each person recounting piles or several people counting piles. They can add it up every which way. If scan, they can use a different vendor for scan machine. It’s a recount they can trust more than some computer telling them “trust us.”

            3. Most important: scalability of attack/defense. The computerized voting has a handful of vendors. The attacks were easy to find in the past. An adversary might find remote ones in each. If they do, they might be able to easily compromise all kinds of votes. Whereas, if it’s paper, they need more bodies or insiders to compromise the votes. It’s hard to scale up without detection. The main trick they’ll use there are focusing on swing states or just anywhere where a small number of fake votes can win. So, we have to give them extra scrutiny, maybe even recounts by default. Nonetheless, vast improvement here.

            If already doing paper, the best a company such as Galois could do is design a system that makes paper that scanning machines never screw up on and/or a secure system for reporting early results that aren’t final. Americans might like that. The buyers might get it for the convenience. The disturbing thing, though, is they’re already on insecure, voting machines. I doubt what we’re discussing will even factor into the decision. So, I’m glad Galois is working on voting machines with more security in case we can’t stop them from buying voting machines. The lesser of two evils with potentially less sabotage. They also mentioned an optical scan system. That’s good, too. :)

            1. 1

              This approach seems to work for encryption, sounds reasonable for sanity checking public use software.

              1. 1

                Sorry, which approach are you referring to?

                1. 2

                  Encryption algorithms are transparent, built and vetted in public forums. In fact, privately built encryption is often trivially broken. To me that supports the idea that privately built voting machines are likely to be riddled with vulnerabilities.

                  So yeah, I’m most likely to put my money towards transparent voting machine implementations where we can all take a crack.

            1. 1

              Doesn’t Australia already have an open-source voting system? Why can’t the US just use and improve upon that? Isn’t that what open source is for?

              1. 6

                They do not. Australia has several different computer-based voting systems, none of which are open source. Some have outdated disclosed source snapshots (e.g., the VEC) and others are proprietary (the various incarnations of the notorious iVote system in NSW). All of these systems have been shown to have serious architectural, design, and development flaws.

                Authorities have not been kind, to put it lightly, to public employees (i.e., professors with expertise in relevant areas) who point out problems.

                Have a look at the excellent work of my colleagues Vanessa Teague, Roland Wen, Rajeev Gore, and others who are excellent scientist-activists in Australia doing important public good work pro bono.

                1. 4

                  Cuz throwing Galois at a hard problem to see what they come up with is always a good idea. They do high-assurance security. They often open-source things they build. They might produce a better, voting system than Australia’s. The components their solution uses might also be reusable in other projects.

                1. 1

                  Thanks for your interest! Let us know if you have any questions about our mission or technology.

                    1. 3

                      For a bit more color on things…

                      The Travis County STAR-Vote RFP had five mandatory components: (1) voting system, (2) ballot box, (3) red team, (4) UX team, (5) existing certified vendor must modify their Election Management System (EMS) to work with STAR-Vote.

                      My company, Free & Fair, submitted a bid for #1 and #2, some of the best red teams in the world submitted a bid for #3, and the best UX teams in the world submitted a bid for #4.

                      Unfortunately, and unsurprisingly, the existing vendors did not submit bids that were compliant with the RFP for #5—instead they submitted bids that said “STAR-Vote is a Bad Idea, buy our system instead”, so the County Commissioners cancelled the entire RFP. How do we know this? We filed a FOIA request.

                      If you’d like to see what the future of End-to-End Verifiable Voting might look like, have a look at our STAR-Vote proposal, linked below. Yes, we do, in fact, make all of our software and proposals public.

                      https://github.com/FreeAndFair/Transparency/tree/master/RFP%20responses/Voting%20Systems/Travis%20County

                      1. 1

                        It’s because they’re using technology to solve a people/political problem. The problem is these companies are powerful enough to deliver garbage on a regular basis for high profit with no liability for its problems. The fix for that will be in government. Most likely avenues are requirements changes in Congress that guarantees their favored groups continued profits if they meet certain requirements and/or lawsuits hitting them for knowingly producing/selling defective parts.

                        Then, they’ll have a financial reason to improve their offerings. Then it will happen or new suppliers will show up. Until then, they can stall or squash efforts like these most of the time since they represent only a tiny, financial hit.

                        1. 2

                          New manufacturers have occasionally shown up over the years. Unfortunately, they nearly always get litigated out of existence or get bought and shut down by an existing vendor.

                          There are still only five-ish vendors that matter in the USA: ES&S, Hart-Intercivic, Dominion Voting, Unisyn, and Clear Ballot Group.

                          Smartmatic is starting to break into the US market by virtue of winning L.A. County’s VSAP project. That’s a whole ’nother can of worms…

                          See http://vsap.lavote.net/ for more information.

                        2. 1

                          Too much hand waving and not enough traction.

                          1. 1

                            I TAed and wrote curriculum for Dan Wallach’s undergrad security class a couple years ago. He is doing good work that needs to be done but has to deal with too many people who don’t understand that this stuff is important. Some of these people need to spend a day in the DEF CON voting village. :-(

                            1. 2

                              We had a bunch of election officials there this year. Our main panel included several notable national figures at the intersection of politics, elections, and cybersecurity. See https://defcon.org/images/defcon-26/voting-village-schedule.pdf for more information.

                              Next year’s Voting Village will be significantly larger and more interesting and impactful than this year.