E-voting terminals: gambling with data?

Playing the slots with votes


Opinion: Making electronic voting terminals more like slot machines won't keep elections secure from tampering. Neither will using ATMs as a model improve the prospects for data integrity.

There is a children's day care facility in my area called "The Pied Piper". Apparently, many people around here don't have a problem with that. Presumably they consider the fairy tale of a stranger saving a town by leading away rats via dance and melody, and think it a worthy criterion on which to base the name of such an operation.

Of course, anyone who knows the whole story will immediately realize that in the end, the Piper actually steals away all the children (save one) after the local town-folk cheated him out of his thousand guilders fee. Had the owners of the business considered all the available information, I doubt seriously that they would have decided upon that particular moniker.

In the continuing debate over the use of e-voting machines to replace paper-ballots, I fear that both sides - those designing controls around these systems, and those critical of said security measures - are falling prey to the same kind of short-sightedness.

By way of example, a recent dialog regarding the insecurity of electronic voting machines compared them with slot machines, and found them lacking. Much was made of the fact that a computerized slot machine could withstand a Taser gun attack without evident failure, while an e-voting machine apparently could not.

This is a kind of security-modeling-by-resemblance, and it takes away from designing a security foundation that actually serves the needs.

When designing security around a new technological process, we must first consider what problems we seek to remedy. For a video poker machine, that's obvious: if it gets broken into, manipulated, or zapped into dispensing money, someone gets away with the cash. Being "tamper resistant" is the most important element in countering that scenario. The tamper resistant properties of the unit - including standing up to a little high voltage - are what protect the asset.

But despite a certain physical and architectural resemblance to their casino cousins, e-voting machines have a completely different threat model, and need to value a completely different set of security properties.

The asset that these units seek to protect is the integrity of the data they hold. Consequently, it is much more important to have mechanisms in place that immediately alert officials to the fact that voting data was somehow altered, such as cryptographic and algorithmic checks, than any physical means that attempts to prevent attacks in the first place. These machines must be "tamper evident", not zap-proof.

Data Integrity

If e-voting critics really want to take a lesson from Vegas, they should look at the history of gambling machine security. New means of stealing money still come along from time to time, and new measures are taken to prevent it. There was a time when a piece of aluminum foil could make a slot machine pay out, and there will always be new attacks against these units. Some are trivially simple, and at some point cash will be lost.

There's no reason to think e-voting machines can hold up better. Knowing this, it stands to reason that voting machine security should be concentrated on the aftermath of an attack, and not the attack itself. Regardless of how someone breaks an electronic ballot, the fact that it was broken into must remain the most important point of knowledge - data integrity must be required. The attack vector can be addressed later; we must first know if any votes were tainted, and we need a plan for recovering lost votes.
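To make "tamper evident" concrete, here is an added example (not from the original column or from any voting vendor) of one such cryptographic check: an HMAC-chained ballot log whose verifier reports the first record that can no longer be trusted. The record layout, function names, sample ballots and demo key are all assumptions made for illustration.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def _tag(key: bytes, prev: bytes, seq: int, ballot: bytes) -> bytes:
    # Bind each record to its position and to everything before it.
    msg = prev + seq.to_bytes(8, "big") + ballot
    return hmac.new(key, msg, hashlib.sha256).digest()


def append(log: list, key: bytes, ballot: bytes) -> bytes:
    """Append a ballot record; return the new head tag (kept off the machine)."""
    prev = log[-1][2] if log else GENESIS
    seq = len(log)
    tag = _tag(key, prev, seq, ballot)
    log.append((seq, ballot, tag))
    return tag


def verify(log: list, key: bytes, expected_head: bytes):
    """Return None if intact, else the index of the first suspect record.

    An index equal to len(log) means records are missing from the end.
    """
    prev = GENESIS
    for i, (seq, ballot, tag) in enumerate(log):
        if seq != i or not hmac.compare_digest(tag, _tag(key, prev, i, ballot)):
            return i
        prev = tag
    if not hmac.compare_digest(prev, expected_head):
        return len(log)
    return None


def demo():
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    log, head = [], GENESIS
    for b in [b"contest1:A", b"contest1:B", b"contest1:A", b"contest1:A"]:
        head = append(log, key, b)  # constructed sample ballots
    results = {"intact": verify(log, key, head)}
    altered = list(log)
    altered[1] = (1, b"contest1:A", log[1][2])  # vote changed, old tag kept
    results["altered"] = verify(altered, key, head)
    results["truncated"] = verify(log[:3], key, head)
    results["deleted"] = verify(log[:2] + log[3:], key, head)
    return results
```

Records before the reported index still verify, which answers the "which votes were tainted" question and bounds what has to be recovered. The check is only as strong as the separation between the log and the verification key and head tag: both must be held where someone who can alter the log cannot reach them.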

Other comparisons fare little better than the slot machines. Academics have suggested ATMs as a model for e-voting machines, and one of the largest e-voting players, Diebold, also makes cash machines. ATMs are very physically secure, and even possess data integrity mechanisms (like having crypto keys embedded in the keypads rather than some extraneous software exchange). But, here, too, the security is directed at protecting cash, not data. Moreover, ATMs are hardly invulnerable themselves: they're increasingly deployed on insecure networks. I write about just this scenario in Syngress' new book, "Stealing the Network: How to Own a Continent".

We've already seen the dangers of applying the wrong kind of security to e-voting. Earlier deployments of Diebold's physically secure voting machines used a Microsoft Access database to store and tally votes. Diebold reportedly left this database anonymously accessible via the Internet, with no password, and no change log. It doesn't matter if the unit could withstand a tactical nuclear missile attack if someone on the Internet could point and click someone into elected office from the comfort of their desktop.

This is what happens when any security measure is designed without first determining what issues it sets out to solve. As elections draw near, it is time that we as a security community revisit this topic. We can't let facile comparisons lead us like the Piper away from e-voting's true problem.

Copyright © 2004, 0

SecurityFocus columnist Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.
