Ballot Boxing

[Guest guest]

http://www.jewishtimes.com/2435.stm

 

 

 

Ballot Boxing

 

Joel N. Shurkin

 

OCTOBER 29, 2004

Dr. Rubin

 

Last month, U.S. Sen. Barbara A. Mikulski decided to try one of

Maryland's new voting machines in Takoma Park. It was a brand-new

Diebold AccuVote-TS. The state of Maryland has just spent $55 million

for the ATM-like electronic voting devices to be used in the upcoming

presidential election.

 

The AccuVote, acting just as a demonstration, offered two choices:

" yes " and " no. " Sen. Mikulski pressed " no. " The machine registered " yes. "

 

The cackling sound you heard was Avi Rubin, technical director of the

Information Security Institute at Johns Hopkins. But, as Dr. Rubin

will openly confess, it really wasn't funny.

 

One-third of voters in the November election will be using electronic

voting machines, simple-minded computers that record and report votes.

Dr. Rubin and many computer scientists see nothing less than a threat

to American democracy in these machines. They are easy to tamper with,

he believes, and that makes it possible to rig elections. Indeed,

there already are conspiracy theories flying around the Internet of a

conservative plot to steal the presidential election. (A number of

Conservative groups are equally unhappy about the instruments.) In

many cases they are set up to prevent recounts in case of disputes.

 

Plots to the contrary, after what happened in Florida in 2000 — and

what is happening in Florida now — attention must be paid.

 

It was Dr. Rubin who first raised serious security issues with the

electronic voting machines and who has taken the brunt of attacks from

the voting machine industry. He instantly rose from an obscure Jewish

computer scientist to a media star, and he's having a wonderful time.

 

" After my study broke, the public relations office had television

crews lined up outside my office and for a five-week stretch, I was on

national television every week, " he said.

 

He is still quoted regularly in the national media on the debate over

the machines as the election nears, and this spring he reached the

apogee of contemporary culture, a brief appearance as a " Zen moment "

on the " Daily Show with Jon Stewart " on cable. He was scheduled for

" 60 Minutes " this week.

 

Someone recognized him at the swimming pool at the Owings Mills Jewish

Community Center as the guy on television, and even his plumber

announced himself impressed.

 

How much effect his efforts have had in curbing the use of the

electronic devices or in modifying how they are used is not clear.

Several states, confronted with challenges to the integrity of their

elections, have backed away from using them, several have changed the

voting method to make them more secure and others — most particularly

Maryland — became defensive and refused to budge.

 

" His study had an enormous effect, " said Barbara Simons, former

president of the Association of Computing Machines (ACM), the computer

scientists' professional organization. " Of course it didn't prevent

Maryland from buying the stupid machines. "

 

" What we're fighting about is democracy. If we lose confidence that

our votes will be accurately counted, that's it, " she said.

 

The voting machines are technically known as Direct Recording

Electronic voting machines or DREs.

 

Dr. Rubin's adventure began last year almost by accident. Bev Harris,

a writer in Renton, Wash., was researching a book on electronic voting

in January 2003. While " googling " for background, she stumbled on a

Web site that turned out to be an electronic archive of a company

bought by Diebold Inc. The site was huge, containing hundreds of

unprotected company files that could be downloaded by anyone who

wanted them. One file hinted that Diebold had put code that was

uncertified for elections in DREs headed for a Georgia election, which

is illegal, so she downloaded it to see. The download took 40 hours

and filled seven CDs.

 

She posted what she found on a Web site in New Zealand (geographic

distance means nothing to these people) and someone told her that one

file looked suspiciously like Diebold's source code, the programming

that lies at the heart of the DREs.

 

Posting unprotected source codes for a commercial product on the Web

is rare and considered unspeakably stupid in the computer world, so,

word spread quickly, and a computer scientist at Stanford University

told Dr. Rubin. Dr. Rubin, in turn called in Adam Stubblefield, a

doctoral student at Hopkins, and Tadayoshi Kohno, a summer graduate

student, telling them they needed to drop everything and come see what

was on his computer. What they were looking at, they concluded, was a

program compiled in 2000 and its April 2002 update, apparently posted

so programmers could work on it. It was nothing less than the

programming that made the voting machines voting machines.

 

The students pored over 49,609 lines of " code, " computer language

commands that look like hieroglyphics to anyone not trained as a

programmer. One line blew them away. It means nothing to laymen, but

it was enough to make Dr. Rubin's hair stand on end.

 

#define DESKEY ((des_key* " F2654hd4 " .

 

All commercial programs have provisions to be encrypted, protected by

secret code so that no one could read or change the contents without

the encryption key. That is particularly true of programs that require

transmission by telephone or wireless networks. The line that

staggered the Hopkins team told them first, that the method used to

encrypt the Diebold machines was a method called Digital Encryption

Standard (DES), a code that was broken in 1997 and is no longer used

by anyone to secure programs. F2654hd4 was the key to the encryption.

 

The programmers had done the equivalent of putting the family jewels

in a safe, putting up a blinking neon sign reading " Jewels in Here! "

and taping the lock's combination to the safe door. Moreover, because

the key was in the source code, all Diebold machines responded to the

same key. Unlock one, you can unlock them all.

 

That was only one of the problems Dr. Rubin's team found. The computer

language used to write the program, C++, is never recommended for

secure programs because hackers can — and do — attack it easily. There

are other programming languages far more secure that the Diebold

programmers ignored, perhaps because they didn't know them well.

 

Additionally, all large computer programs, which can sometimes run

into the hundreds of thousands of lines, are written by teams and

therefore are extensively annotated. One programmer or a team puts in

an instruction and then adds a note explaining why it was done that

way. Other programmers can add comments or base what they do on the

reasoning in the comments. Or, they can use the annotations to hunt

for bugs when the program misbehaves.

 

Dr. Rubin said that when he worked for IBM one summer, there were

three pages of notes for every line of code, and no line was added

until committees of reviewers approved. Whole pages of the Diebold

source code were without annotations or signs of review, something you

don't see on professionally written programs, he said. Some of the

annotations that existed even warned that the code contained unfixed

bugs. Clearly, Dr. Rubin thought, Diebold was not using the top of the

class at M.I.T. to write programs for its voting machines.

Dr. Rubin

 

The code is so badly written, Dr. Rubin shows sections to audiences at

computer science conferences to get laughs.

 

Moreover, the Diebold program was written for computers using Windows,

Microsoft's relatively unstable and notoriously insecure operating

system, the target of choice for hackers everywhere. (Almost all the

staff of Hopkins' security institute uses Apple Macintoshes, which are

virus-free and far more difficult to tinker with.)

 

Oh, there is more. The method chosen by Diebold for voting required

the voting officials to check the registration of each voter and then

hand them a " smartcard, " a credit card-like piece of plastic

containing digital information that essentially turns the machine on.

The machine reads the card and if the information is correct, permits

the voter to cast his or her ballot.

 

The smartcards chosen for the Diebold DREs were not encrypted and

could be forged by a 15-year-old in his bedroom at an equipment cost

of about three weeks' allowance, Dr. Rubin said. Anyone with a phony

card could vote more than once.

 

Dr. Rubin, the Hopkins students and a colleague from Rice University

posted their findings on the Internet (later in an engineering

journal) and then Dr. Rubin, who is not shy, called John Schwartz of

The New York Times, at which point, all hell broke loose.

 

The reaction of the voting machine industry — especially Diebold, one

of four voting machine manufacturers — was furious. The first comment,

besides attacking Dr. Rubin and company, was to deny there were

problems. When other studies showed the same things, the defense

switched to admitting there were problems but they had been fixed.

Diebold says the programming in the machines it sells now — including

those to be used in Maryland — is not the same programming the Hopkins

study looked at. Since the programming also is proprietary and Diebold

won't show any new versions to anyone, the claims must go unverified,

which is a whole other problem.

 

Dr. Rubin does not believe the machines are fixable. Diebold says the

smartcards now are encrypted.

 

" The problems were at different levels. Some are fixable, like they

used broken encryption, but you can fix that — put in good encryption.

But there was a very bad software engineering process that went into

the machines. It was clear looking at the code. If you have a software

package that is as bad, the answer is not to try to plug the holes and

fix it because every time you do that, you introduce new bugs. I don't

think you should try to evolve 45,000 lines of broken code into a

system that's secure. You need to start over with a more talented and

experienced team.

 

" I joked with my wife about wearing a bulletproof vest, " Dr. Rubin

said. " We lost them a lot of business and put their industry in turmoil. "

 

Nonetheless, whatever is in those machines is what you will use in the

November election and so will voters in 38 states.

 

He was not planning on such a public life.

 

He was born in Kansas where his parents, both academics, were graduate

students. In something of a reversal of roles, his father became an

English professor (specialty: English Jews in English literature) and

his mother is a mechanical engineer, the type of person who writes

computer programs in FORTRAN to create recipes for dinner.

 

In 1970, they made aliyah..

 

The Rubins taught in Israeli universities for six years, Then Israel

was inundated with refugees from the Soviet Union and the universities

thought they were in more need than former Americans, so the Rubins

lost tenure. They moved back to the United States in 1976. The family

moved to Alabama where Dr. Rubin was in the first graduating class at

the Birmingham Jewish day school. Dr. Rubin and his three siblings and

parents (who now teach at Vanderbilt) often speak Hebrew when they are

together.

 

He got his Ph.D. in computer science from the University of Michigan.

 

" When I got my Ph.D., my adviser said, you have a Ph.D., you're a

computer scientist. Don't be too narrow. Now I've managed to become

synonymous not only with computer security but a tiny little subfield

of it, " he said.

 

What he also got involved with was a battle between bureaucrats,

including those who staked their careers on buying DREs, and

academics. Both sides accuse the other of not knowing what they are

talking about. Most of his colleagues in computer science, he said,

support his position. Dr. Simons, now a co-chair of ACM's public

policy committee, agreed.

 

Other computer security specialists, including the National Security

Agency, testified in support of the Hopkins study.

 

Legislators, concerned with what the Hopkins study showed, asked the

Department of Legislative Services to review the state's purchase of

the Diebold machines and held hearings. First, they hired a firm

called SAIC to study the situation, and then hired RABA Technologies,

a Maryland consulting company to review both studies. SAIC said Dr.

Rubin was correct in his assessment but didn't completely understand

the Maryland voting system. RABA supported the Hopkins study in most

of its accusations and found even more problems.

 

RABA's Michael A. Wertheimer and a team of company hackers broke into

the Board of Elections computer, changed the results of a mock

election and then backed out without leaving a trace.

 

" We did it in under five minutes, " he told " The Daily Show. "

 

Then there is what happens when the results are uploaded from the DREs

to the state's computer.

 

" You're more secure buying a book from Amazon, " he concluded.

Dr. Rubin

 

He also found that the Maryland election officials had not upgraded

Windows with security patches from Microsoft and were, in fact, 15

upgrades behind. Every time they tried to load a patch, Windows crashed.

 

Mr. Wertheimer finally suggested the machines be wrapped in

tamper-resistant tape around the machines, something Linda Lamone, the

state's election administrator, says can't be done in time and would

look awful.

 

More important to Dr. Rubin, " RABA found the Hopkins report to be a

thorough, independent review of the AccuVote source code and should be

credited with raising valid issues that have resulted in considerable

improvements, " concluded RABA.

 

But the state hasn't done enough improvements to suit Dr. Rubin and

his allies.

 

There are 150 million registered voters in America and a third will be

using voting machines despite the fact the machines have never been

tested in a mass scale. Anecdotally, there are reasons for concern.

 

New Mexico, a leader in electronic voting, went to Al Gore in 2000 by

366 votes. In one county, 678 out of 2,300 votes cast went uncounted.

The voting machines lost them.

 

Remember the hanging chads in Florida? They weren't the only problem

the state has had with elections. Some areas used electronic machines,

including Miami-Dade County. A study by the American Civil Liberties

Union reported that in the Democratic gubernatorial primary in 2002, 8

percent of the votes cast in 31 Miami-Dade precincts was lost.

 

California bought the machines, decertified them and changed its mind.

It is suing Diebold and once threatened criminal charges on grounds

that the company made false claims about the machines. Ohio, one of

the election's swing states, is only one of several that have pulled

the plug on DREs, as has Missouri. The revelation that Diebold made

political contributions to the Republican Party didn't make critics

any happier, although Diebold's competitors are Democratic contributors.

 

Critics have been stunned by the reaction of Maryland officials,

especially Ms.Lamone, the state's administrator, who apparently is now

fighting for her job. Officials have defended the machines with a

passion that sometimes even exceeded the manufacturer's defense,

claiming all the problems have been fixed. Ms. Lamone went to court to

defend against a suit brought by a voter group to force the state to

change its system and she won.

 

" Maryland is acting as though they are the ones selling the machines

instead of buying them, " Dr. Rubin said. " I think there is some face

saving and some embarrassment. If you spend $55 million and someone

says it was a bonehead purchase you might get defensive. Some jobs are

on the line about this, I believe. "

 

Del. Jon Cardin (D-11th) defends the state's decision. He is a member

of the House Ways and Means Committee and participated in a summer

investigation of the voting process in Maryland. He said that of the

more than 100 suggestions made to improve the machines and the voting

process " almost every single one was complied with by the State Board

of Elections. " Part of the problem with sorting through the issues is

clear differences of opinion among the experts.

 

Mr. Cardin says that the rate of error in paper balloting is 7-9

percent, while the error rate with computers is minuscule. (A joint

study by the California Institute of Technology and the Massachusetts

Institute of Technology disagrees. Paper has the lowest error rate,

the study said. Electronic machines were no better than punch cards.

Mr. Cardin says he has not seen the study.)

 

Mr. Cardin also said breaking into the machines and changing votes

would be very difficult and require great computer skills and

technical knowledge and is hence very unlikely.

 

" I am [more] concerned that there is a contingent of people that have

lost confidence in the voting system, not in the integrity of voting, "

he said.

 

There is a process that can mitigate some of the danger: a paper

" trail. " The DREs would be attached to printers and whenever a vote

was cast, the printer would reproduce the vote on paper. The voter

could then certify that, unlike the machine Sen. Mikulski played with,

the DRE got it right. Also, if there were a need for a recount, there

would be a paper record of the votes. By comparing numbers, it would

even be possible to detect multiple votes or ballot stuffing.

 

Several states have implemented paper trails, and Nevada successfully

held an election this summer with paper backup that everyone,

including Dr. Rubin, thinks went well. " A paper trail keeps them

honest — if [the paper ballots] are counted, " Dr. Rubin said.

 

Nevada, however, wasn't using Diebold DREs and Diebold's machines

aren't designed for use with printers. Printers also cost money,

another reason for resistance by state officials.

 

Florida election officials (all Republicans), on the other hand, have

barred paper trails and ruled against manual recounts in case a result

is contested, a decision that was thrown out by a state court on Sept.

27. If the officials appeal and win, we would never know the true

winner of another close Florida election.

 

" If we have an election that is really close like we did in 2000 and

there are places in which the vote is disputed that were fully

electronic, we won't have hanging chads to recount, " Dr. Rubin said.

 

Another state without paper trails, of course, is Maryland, partly

because it is using Diebold's devices, and partly because of the

stubborn insistence by Ms. Lamone's office that paper trails are

unnecessary.

 

Sen. Mikulski, meanwhile, has signed onto a bill in Congress that

would make paper backup mandatory but not until 2006. Meanwhile, in

many places where results could be very close, it may not be possible

to do recounts and we may never know the outcome of the races. The

ACM's Dr. Simons thinks the upcoming election may wind up in court

again, and this time because of electronic voting. If there is

cheating, it may go undetected, she said.

Dr. Rubin

 

Dr. Rubin is keeping himself busy at Hopkins and as an expert witness

in computer security matters, a very lucrative trade. He also has a

raucous family at home with three young kids, including 2-year-old

twins. His eldest goes to Krieger Schechter Day School and Dr. Rubin

is on the school's computer technology advisory committee. The family

belongs to Chizuk Amuno.

 

Journalists and voting advocacy groups still regularly consult him

 

Dr. Rubin points out that there actually is an almost foolproof voting

method, hard to corrupt and capable of producing completely accurate

counts: paper.

 

Paper can be used in two ways, he said. One is simply having people

mark the ballots, put them in boxes for recounting later, the way it

was done in the 18th century and as far as anyone knows, still the

most exact way of running an election. Cheap too.

 

Another possibility, if people insist on 21st-century technology,

would be to take the paper ballots, put them in optical scanners and

let the scanners accumulate the votes. That might be faster than

manual counting, is very accurate, and if there are problems, election

officials can always go back and recount the paper ballots.

 

Stung a bit by the criticism that he — an academic — knew nothing

about voting procedures, Dr. Rubin volunteered to be an election judge

in Baltimore County in the spring. His experience is that well-run

voting places are of great help in protecting the integrity of the

vote. He no longer worries about the smartcard problem in efficient

polling places. With nine judges and five machines, it would have been

easy to spot someone fooling around in the booth.

 

One flaw he found worse than he expected is the use in the Diebold

plan of a " zero " machine, one of the DREs that would accumulate all

the votes in the other computers for counting. " There is no need to

attack all the machines, " he said. All a hacker had to do was attack

that one DRE, especially since that machine is the one that phones in

results, making it vulnerable in multiple ways.

 

He still doesn't think DREs are a good thing, even with a paper trail.

The only machines he prefers would be simple devices that act as

intermediaries between the voter and a printer. He is not worried

about people hacking the network between the voting machines and the

state computer.

 

" The biggest concern I have is that someone would rig the machines, "

Dr. Rubin said. " This would be somebody at the manufacturer or

somebody with physical access to the machines who could change the

software. Traditional Internet-based hacking is not the issue. "

 

If jurisdictions use paper trails to DREs, the same manufacturer

should not make both the DREs and the printers, he said. That would

reduce the chances of a conspiracy or at least broaden the conspiracy

and make it more difficult to operate and easier to detect. He admits,

however, that when he was a primary voting judge the people using the

Diebold DREs loved them.

 

" They raved about them to us judges. The most common comment was 'that

was so easy.' I can see why people take so much offense at the notion

that the machines are completely insecure... I was curious that voters

did not seem to question how their votes were recorded.

 

" I continue to believe that the Diebold voting machines represent a

huge threat to our democracy. I fundamentally believe that we have

thrown our trust in the outcome of our elections in the hands of a few

companies who are in a position to control the final outcomes of our

elections.

 

" The more e-voting is viewed as successful, the more it will be

adopted, " he said, " and the greater the risk when someone decides to

actually exploit the weaknesses in these systems.

 

" I am not against technology. I drive a car, get on airplanes and ride

elevators. However, if the code in any of these was as bad as

Diebold's software, I wouldn't. I think that the real difference is

the adversary model. If there were trillions of dollars worth of

incentives for people to rig elevators so that they crashed, I would

be advocating for only using stairs. "

 

 

To read more, pick up a copy of the Jewish Times at one of our

newsstand locations.