8/2/2019 Diebold 06
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT 2004 MICHAEL I. SHAMOS
17-803/17-400 Electronic Voting
Session 6: The Diebold Reports
Michael I. Shamos, Ph.D., J.D.
Institute for Software Research International
Carnegie Mellon University
Outline
Rubin (Johns Hopkins) Report
SAIC Report
RABA Report
Schade v. Maryland State Board of Elections
DIEBOLD DEMO
The Diebold System
AccuVote-TS
75,000 in US
Used statewide in GA, MD
Global Election Management System (GEMS)
1,000 in US
Audio feature
http://www.diebold.com/dieboldes/OnLine_Demo/screen1.html
Diebold Audit Trail
Maryland Election Code
9-102. Certification of voting systems.
(c) Standards for certification.- The State Board may not
certify a voting system unless the State Board determines
that: the voting system will:
(vi) be capable of creating a paper record of all votes
cast in order that an audit trail is available in the event of
a recount.
Diebold audit trail is similar to Hart Intercivic computer
file that is printed after the polls are closed
Diebold System (Preparation)
County prepares ballot definitions on GEMS system
Transfers ballot definitions to voting machine on
machine-readable media (or by FTP)
Machines are distributed to polling places
Diebold System (Election Day)
Officials verify a voter's eligibility to vote
Voter receives a signed paper Voter Authority Card
(VAC) (used for later verification of vote totals)
Voter presents VAC to a different election official
Voter receives a smartcard and is directed to a voting
machine. Official puts the VAC in an envelope attached
to the machine
Voter inserts smartcard into machine to activate ballot
Diebold System Post-Election
Polls are closed
Vote totals printed out for each machine, signed by
election judges
Unofficial totals uploaded to county GEMS server by
modem
Memory cartridges sent to county canvassing board
Statewide canvass lists all results from all polling
places; can be verified by election judges
Rubin Report
Voters can easily program their own smartcards
With such homebrew cards, a voter can cast multiple
ballots without leaving a trace
FALSE
Voter can perform administrative actions: viewing
partial results, terminating the election
No cryptography in vote reporting
Even unsophisticated attackers can perform
untraceable man-in-the-middle attacks
Rubin Report
Code written in C++, not type-safe
No evidence of disciplined software engineering
No evidence of change-control procedures
Buffer overflows
Rubin Report
Voting terminal runs Windows CE
Could expose system to attack
audio library fmod is used can access voting program
memory
Ballot definitions in election.edb file
Ending the election. ender administrator card + PIN
PINs insecure in Diebold
Protective counter implemented poorly (total stored in
an unencrypted file)
Tampering with ballot definitions
Rubin Report
Impersonating a voting terminal during upload
Hard-coded DES key
Tampering with election results
weak cryptography
Sequential vote storage file
Linear congruential random number generator for serial
numbers
generates a sequence $X_{i+1} = (aX_i + c) \bmod m$ given
parameters $a$, $c$, $m$, $X_0$ (the seed)
Audit log (not the ballot images) weakly encrypted
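The linear congruential recurrence above is fully determined by its four parameters, so serial numbers drawn from it carry their generation order. The following is an added example, not code from the lecture or from any voting system; the constants, the seed and all function names are constructed for illustration, and the last function sketches serials taken from the operating system's CSPRNG instead.

```python
import secrets

# Constructed illustration parameters (assumption: not taken from any real system).
A, C, M = 1103515245, 12345, 2**31
SEED = 2004

def lcg_serials(n, a=A, c=C, m=M, x0=SEED):
    """Return X_1..X_n where X_{i+1} = (a*X_i + c) mod m."""
    out, x = [], x0
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out

def recover_generation_order(stored, a=A, c=C, m=M, x0=SEED):
    """Map each stored serial back to the position at which it was generated.

    The generator is deterministic, so regenerating the sequence yields a
    serial -> position table regardless of how the records were reordered.
    """
    table = {s: i for i, s in enumerate(lcg_serials(len(stored), a, c, m, x0))}
    return [table[s] for s in stored]

def next_serial(prev, a=A, c=C, m=M):
    """With a, c, m known, one observed serial predicts the next one."""
    return (a * prev + c) % m

def unpredictable_serials(n, bits=128):
    """Serials from the OS CSPRNG: unique, and unrelated to one another."""
    seen = set()
    while len(seen) < n:
        seen.add(secrets.randbits(bits))
    return sorted(seen)  # sorting discards the order of generation

def demo():
    serials = lcg_serials(5)
    # Constructed sample: the same five records stored in a scrambled order.
    scrambled = [serials[3], serials[0], serials[4], serials[1], serials[2]]
    order = recover_generation_order(scrambled)
    predicted = next_serial(serials[0]) == serials[1]
    return order, predicted

if __name__ == "__main__":
    print(demo())
```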
Rubin Report Summary
SAIC Report
Report commissioned by Maryland Governor Ehrlich
SAIC = Science Applications International Corporation
SAIC is the largest employee-owned R&D engineering company
in the US. 44,000 employees; 150 locations
State of Maryland is a large customer of SAIC
No election expertise
SAIC website contains no occurrence of "voting," "Diebold" or
"election"
The system, as implemented in policy, procedure, and
technology, is at high risk of compromise. Application of the
listed mitigations will reduce the risk to the system.
SAIC Report
While many of the statements made by Mr. Rubin were
technically correct, it is clear that Mr. Rubin did not have a
complete understanding of the State of Maryland's
implementation of the AccuVote-TS voting system, and the
election process controls or environment.
In general, most of Mr. Rubin's findings are not relevant to the
State of Maryland because the voting terminals are not
connected to a network.
LBE procedures and the openness of the DRE voting booth
mitigate a large portion of his remaining finding.
SAIC Recommendations (Diebold)
Apply cryptographic protocols to protect vote transmission
Change default passwords and passwords printed in
documentation immediately
Remove the GEMS server from any network connection
Rebuild the server from trusted media and validate it has not
been compromised
Remove all extraneous software from the GEMS server
SAIC Recommendations (Process)
Bring system into compliance with Maryland Information Security
Policy and Standards
Create Chief Information Systems Security Officer within the
State Board of Elections
Develop formal, documented set of policies and procedures
Create a formal System Security Plan
Require 100 percent verification of results transmitted to media
Require review of audit trails
Provide formal info security training
Review any system modification by a risk assessment process
Implement a documented process to respond to unauthorized
access attempts
Document how the general support system identifies access to
the system
SAIC Recommendations (Process)
Verify that the ITA-certified version of software and firmware is
loaded
Modify Logic and Accuracy testing to include testing of
time-oriented exploits
Discontinue ballot distribution by FTP
Implement an iterative process to ensure integrity of the system
is maintained
http://www.raba.com/
RABA Report
Commissioned by Maryland legislature
Financed by Spring Capital Partners LP
Top tier information technology services for
government and commercial applications
Former National Security Agency employees
No election expertise
Laboratory Red Team exercise
http://www.raba.com/
RABA Report
Rubin Report: The subsequent revelation of a conflict
of interest involving one of its authors with a Diebold
competitor has only served to detract from the
substance of the results.
Many of the statements made by the authors appear to
function more as attention gathering sound bites than
actual statements of fact.
Had the authors approached the State Board of
Elections with their preliminary findings, many of their
false hypotheses could have been corrected and the
discussion not diluted by specious claims.
RABA Report
Report generally agrees with Rubin and SAIC opinion
on code quality (poor)
RABA conducted a Red Team exercise January 19,
2004
Eight computer security specialists, none with election
expertise
Exercise conducted in a laboratory, not under election
conditions
No one from the State Board of Elections was present
RABA Recommendations
Create smartcards with computer-generated passwords
by precinct
Apply tamper tape to AccuVote-TS terminals
Institute procedures to prevent use of unauthorized
Supervisor cards
Add locks to prevent removal of PCMCIA cards from
machines
Prevent screen from being disconnected
Secure physical access to the AccuVote
RABA GEMS Recommendations
Create smartcards with computer-generated passwords
by precinct
Apply tamper tape to AccuVote-TS terminals
Institute procedures to prevent use of unauthorized
Supervisor cards
Add locks to prevent removal of PCMCIA cards from
machines
Prevent screen from being disconnected
Secure physical access to the AccuVote
RABA GEMS Immediate Recommendations
1. Install all Microsoft security patches on servers
2. Ensure modem access to servers only when expected
3. Block at firewall all ports not needed by GEMS
4. Update anti-virus software
5. Turn off all services not needed by GEMS
6. Install Tripwire to enable configuration audit
7. Disable autorun in the Windows registry
8. Lock the front panel, store server in a secure location;
use tamper tape
9. Change boot order to hard drive first; password
protect the BIOS
SOURCE: TRIPWIRE
Tripwire
Portland, OR software company
Change monitoring and analysis software
http://www.tripwire.com/products/technology/index.cfm
A Well-Designed e-Voting Machine
[Diagram labels: READ-ONLY MEMORY (twice); RANDOM ACCESS MEMORY; WRITE-ONCE MEMORY; INTERNAL PAPER TRAIL; VOTER CHOICES; PROPRIETARY OPERATING SYSTEM (NOT WINDOWS); BALLOT SETUP DATA; SOFTWARE FROM A TRUSTED SOURCE (NOT THE VENDOR); 16-HOUR BATTERY; NO PORTS, NO CONNECTORS, NO MODEM, NO WIRELESS, NO INTERNET; TOTALS REPORT SIGNED BY ELECTION JUDGES; WRITE-ONCE MEMORY TO COUNTY BOARD; MACHINE SEALED WITH PAPER TRAIL]
Q & A