
Computer security professor: Sequoia voting system would get a D or an F

August 13, 2007

Originally published 8/13/2007 2:59:58 PM

“It would be like giving someone the key to the bank, and the combination to the safe, then leaving them alone for months. You shouldn’t be surprised if the money is gone when you come back.” This is the analogy repeated, separately, by various people who discount California’s security review of its electronic voting systems. By this, the critics mean that the teams of computer scientists who were able to hack the systems were armed with the source code and had “unfettered access to the machines” (the other oft-repeated phrase) for the four-month duration of the experiment.

Critics also point out that the tests were conducted in a laboratory setting, which did not recreate actual election day conditions. On election day, they say, there would be another team playing defense, which might prevent hackers from compromising the election.

Skeptics include Nevada’s election officials. The Silver State uses the Sequoia system, not that it would matter: all the systems in California’s test were hacked, including Sequoia’s. The “keys to the bank and combination to the safe” analogy has been used by Washoe County Voter Registrar Dan Burk and by the Secretary of State’s Elections Deputy, Matt Griffin.

Wrong analogy, says Dr. Matt Bishop of U.C. Davis, who led the so-called Red Team that produced an extensive list of ways to penetrate the Sequoia electronic voting system. A closer parallel would be the crash-testing performed on cars by the National Highway Traffic Safety Administration. NHTSA, he says, is evaluating the limits of the machinery, not the conditions under which cars move around on the road with real people behind the wheel. It’s an extremely rare driver who pushes the pedal to the metal and drives head-on into a brick wall. But such “laboratory” tests are useful because they document the machine’s behavior when it’s subjected to a crash, and the physical damage to the occupants.

And yes, says Bishop, the Red Team did have Sequoia’s source code, allowing it, in effect, a guided tour of the software design and an insider’s knowledge of how the system performs its functions. Bishop believes an organized conspiracy to commit electronic voting fraud would also have the source code.

The code most likely would be leaked or stolen, since most information security breaches are committed with the help of insiders. But source code might be obtained in a variety of ways. Voting machines have been sold on eBay, for instance, by government surplus agencies, notably to a curious geek whose purchase was chronicled in Wired Magazine. He promptly took the machines apart to figure out how they function.

Most information is out there, Bishop says, if you dig deeply enough. He cites several incidents involving national security, where classified information was unintentionally posted in a place where it could be viewed online by the public. The information was removed, but the bell can’t be un-rung after it’s had thousands of page views.

Source code was given to the University of California teams primarily to help them meet the deadline imposed by the California Secretary of State. Four months is a short period for the kind of work requested, and the source code made the work go faster. Without the code, Bishop says, the team could have discovered and performed the same list of hacks; it would simply have taken longer.

The California test resulted in decertification of the Sequoia system as it is currently used in that state. In the same document, there is a long list of conditions Sequoia must meet in order for its system to be used in California’s upcoming primary, and a long list of new procedures that must be developed by each election jurisdiction. In short, the recertification conditions create a large and expensive headache for everyone involved, with a short window for completion.

At this point, the only certain use of the Sequoia system in the California primary will be for disabled voters. Access for the disabled was among the original objectives of the “Help America Vote Act,” the law that spawned universal implementation of electronic touchscreen machines. The machines are wheelchair accessible and are equipped with an audio (listen-only) ballot and headphone jack for blind voters. Secretary of State Debra Bowen has ordered a single machine in each precinct for HAVA disability compliance.

Nevada officials say they’ve watched the California tests with interest, as has the entire national community of election managers. Both Washoe’s Dan Burk and State Elections Deputy Matt Griffin say they’ve read the reports issued to California’s secretary of state. Griffin says the information will be used at the state level by Nevada election committees that have been assigned to make recommendations for various aspects of the election process. One of the committees is an IT committee, which will presumably study the technical exploits from California’s tests. The findings of the tests will be used by another committee to develop enhanced training for elections personnel.

In general, though, Nevada’s focus seems to be on policy and procedure, not on the shortcomings of the Sequoia system itself, which Matt Bishop says he would grade D or F if it were submitted as a project in one of his computer security classes at U.C. Davis.