Friday, July 25, 2003

Diebold Election Systems on their Touchscreen Units

Company Defends Electronic Voting System

Diebold Election Systems said computer security experts at Johns Hopkins University in Baltimore reached their conclusions by using outdated computer code for its touchscreen software. The company also said the researchers ran the software on a device on which it was not designed to work.

In addition, Diebold said many of the weaknesses attributed to the operating system on which the software was tested are inapplicable to the operating system used by the North Canton, Ohio-based company.

OK. I just read the report, and I'm not done digesting it. The analysis covers a different area of the overall e-voting system than my last blog entry on GEMS, which is on the ballot server, not the touchscreen units that would be deployed in the field. This report focuses on the actual touchscreen units, which are discussed somewhat in Bald-Faced Lies about Black Box Voting Machines -- and according to one of the technicians interviewed, the touchscreen units are running Windows CE.

Some things to keep in mind:

When you install upgrade software on your computer, you use a floppy disk, CD, or download an archive from some location online.

When installing or upgrading software on an embedded system (your DVD player is an embedded system), you frequently save the new software to a PCMCIA or other kind of 'smart card', and insert that card into the device. An area of memory ('flash') on the device is overwritten, and that constitutes installation. So the card is like your upgrade CD.

My recent blog entry focused on GEMS, Diebold's back-end server (ballot server). This entry and probably a much longer one will discuss the touchscreen units and precinct-ballot server communications, as analyzed in the Johns Hopkins ISI report.

Diebold is currently protesting that the analysts ran the allegedly Diebold source code on a Win2K machine, which was not the correct OS.

I'm going to go out on a limb here, but the differences between WinCE and Win2K are probably smaller than the differences between Red Hat Linux and BeOS. The code compiled on the 2K box, and after reading the Johns Hopkins ISI report, nothing they discuss concerns the compile OS, beyond the broad discussion of the implications of using an unsafe OS -- such as any version of Windows.

The OS protest is bull. I'm sorry, guys. My best advice to you right now is to pull your methodologies together, get a serious QA and project management team in place if you haven't found one by now, and completely redesign and rewrite the application, including tossing legacy code. It's obvious the older stuff had minimal oversight in development (this, by the way, is typical for software teams' first projects, and the reason why I'm not an early adopter of any technology that might come near my money, in fact, why I've been known to laugh out loud when discussing 'emerging' software).

The report does discuss certain distinctions between Windows and WinCE with regards to CE's treatment of smartcards, that is, how smartcards 'appear' when mounted on a system running CE, and what dangers may be present in a touchscreen box running the e-voting system they analyze. That's the only OS-specific discussion, and it's about the 'right' (runtime) OS.

Some initial notes:

The analyzed application, which is allegedly a version of the current Diebold application, is written in C++, which, like C, makes it easy to introduce memory-management errors unintentionally.

Each instance of a voter corresponds to a voter card, a 'smartcard' provided to the voter either via mail or at the time of sign-in at the precinct (the process is not defined).

There are multiple ways to attack one of these systems, as discussed in the JH ISI report, and *not all of them* require advanced computer knowledge. Some of the attacks that do require CS experience include reordering ballot lists so candidate 1 gets swapped with candidate 2 and receives their votes, creating a fake admin/ender card to terminate the election prematurely, and generating fake cards that ignore the 'this card's vote is complete, cancel card' function call, permitting substantial re-use and multiple votes. Flaw in e-voting software? (by Randall Edwards) mentions reprogramming a smart card to enable a voter to cast multiple votes for one candidate. The scary thing about this idea is that once programmer A has created this card, it's easy to duplicate and doesn't take any technical savvy to actually use. The Hopkins report discusses different scenarios, including (shudder) taking advantage of code that appears to permit use of the preinstalled manufacturer's password present on every smartcard at the time of sale. So you don't even need the 'real' password to use a smartcard.

In addition, whether you try to hack the touchscreen end of the system, by building fake smartcards, or whatever, when all is said and done, election data is transmitted IN THE OPEN, in this version of the application. Not to mention the passwords in the open between the touchscreen and the card.

You know how when you go shopping online, your browser changes from http to https, thus indicating you're now about to transmit your credit card data via a secure connection (SSL)?

Not in use, here. Should be in use. Without that kind of protection, someone can perform a 'man in the middle' attack and intercept data sent from a precinct to the main ballot server via the Internet (dialup too, if you know the right kind of person), and

a. simply keep it from getting to the final destination (if the ballot server doesn't have built-in checks for precincts, this would drop a balloting station off the map)
b. replace the ballot data with a modified set, thus falsifying election results.

This one flaw by itself is enough to warrant not using the application.

Transmission of election results, if made online, must be encrypted. Further, no handshake or data integrity analysis is performed when data from a precinct station is transmitted 'home', which means that data could be intercepted, its format parsed, and replaced with a false data stream. Worse, a precinct could be simulated entirely, sending false returns to the ballot server.
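As an added illustration of the integrity check the paragraph above says is missing (this is example code, not Diebold's, and it stands in for the application-level check; transport encryption such as SSL is a separate layer): each precinct shares a secret key with the ballot server, every results message carries a sequence number and an HMAC-SHA256 tag, and the server rejects altered tallies, replayed messages, and messages from a precinct it has no key for. The precinct name, key and tallies are constructed sample values.

```python
import hmac
import hashlib
import json

# Constructed per-precinct secrets; a real deployment would provision these
# out of band, never over the same channel that carries the results.
PRECINCT_KEYS = {"precinct-12": b"constructed-secret-for-precinct-12"}


def canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace, so sender and server MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_results(precinct: str, seq: int, tallies: dict) -> dict:
    """Build the message a precinct station would send home."""
    body = {"precinct": precinct, "seq": seq, "tallies": tallies}
    tag = hmac.new(PRECINCT_KEYS[precinct], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_results(message: dict, seen_seq: dict) -> str:
    """Return 'ok', or the reason the ballot server rejects the message."""
    body = message.get("body", {})
    key = PRECINCT_KEYS.get(body.get("precinct"))
    if key is None:
        return "unknown precinct"   # a simulated precinct has no shared key
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("tag", "")):
        return "bad tag"            # tallies or header changed in transit
    if body["seq"] <= seen_seq.get(body["precinct"], -1):
        return "replay"             # a validly signed but already-seen message
    seen_seq[body["precinct"]] = body["seq"]
    return "ok"


def demo() -> list:
    """Run the four cases the server must distinguish; returns their verdicts."""
    seen = {}
    msg = sign_results("precinct-12", 1, {"candidate_1": 120, "candidate_2": 95})
    outcomes = [verify_results(msg, seen)]
    tampered = json.loads(json.dumps(msg))            # deep copy, then swap the tallies
    tampered["body"]["tallies"] = {"candidate_1": 95, "candidate_2": 120}
    outcomes.append(verify_results(tampered, seen))
    outcomes.append(verify_results(msg, seen))        # same message sent a second time
    forged = {"body": {"precinct": "precinct-99", "seq": 1, "tallies": {}}, "tag": "00"}
    outcomes.append(verify_results(forged, seen))
    return outcomes  # returns ['ok', 'bad tag', 'replay', 'unknown precinct']
```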

I heard on the radio that e-voting (I assume, Diebold) units are slated to appear in San Diego elections in the not too distant future. I am thoroughly opposed to the introduction of these systems without substantial oversight, and that means a non-partisan, non-corporate affiliate group analyzing both the code and the process. Where's a standards Working Group when you need one?

I'll say two final things on this subject (for now):

I'd feel a lot more comfortable if the source for these systems were in the open - because e-voting is an emerging technology, and involves a critical process concerning the government of this and other nations. It needs to be secure.

Failing that, I'd feel a lot more comfortable if I were one of the people working on this application.

Possibly both.

Johns Hopkins Information Security Institute: Analysis of an Electronic Voting System
Diebold Election Systems
Bald-Faced Lies about Black Box Voting Machines
Company Defends Electronic Voting System
Flaw in e-voting software?

Go Read

The President Has Misled Us -- an excellent, albeit chilling, compilation of promises and statements made by Bush, and the actions of the Administration. Some of the smaller, but more disturbing, in my opinion, contrasts:

promising money for HUD Hope VI homes, and cutting all funding
promising money to Boys and Girls Clubs, and slashing funding
lauding Teach For America and AmeriCorps, and slashing funding or cutting it entirely

Honestly, it seems like when you're dealing with Bush, if a promise is made, expect the exact opposite.

The Truth IS Out There

9/11 report: No Iraq link to al-Qaida

The report of the joint congressional inquiry into the suicide hijackings on Sept. 11, 2001, to be published Thursday, reveals U.S. intelligence had no evidence that the Iraqi regime of Saddam Hussein was involved in the attacks, or that it had supported al-Qaida...

"The report shows there is no link between Iraq and al-Qaida," said a government official who has seen the report.

Former Democratic Georgia Sen. Max Cleland, who was a member of the joint congressional committee that produced the report, confirmed the official's statement.

Asked whether he believed the report will reveal that there was no connection between al-Qaida and Iraq, Cleland replied: "I do ... There's no connection, and that's been confirmed by some of (al-Qaida leader Osama) bin Laden's terrorist followers." [emphasis added - sid]

The revelation is likely to embarrass the Bush administration, which made links between Saddam's support for bin Laden -- and the attendant possibility that Iraq might supply al-Qaida with weapons of mass destruction -- a major plank of its case for war.

Cleland goes on to assert (quite correctly, in my view), that the Bush Administration manipulated intelligence "for political ends", to scare the American people and justify war on Iraq.

ref snagged from Medley.

Wednesday, July 23, 2003

Best Programming Quote Ever

"OS X: Because making Unix user-friendly was easier than debugging Windows."
-- Simon Slavin, on a.f.c

(spotted in someone's .sig)

Sunday, July 20, 2003

Genetic Vulnerability to Depression?

Gene Variant Keeps Stress from Becoming Depression

Research published today in the journal Science indicates that variation in a single gene more than doubles a person's chances of succumbing to depression in response to life's stresses.
Although the findings are promising, the authors caution that they cannot yet form the basis for screening for depression. Says Moffitt: "If replication studies confirm that genotypes can predict in advance who is vulnerable to life stresses that bring on depression, this new knowledge could advance efforts to develop a diagnostic test of vulnerability to depression."

Hm! Very interesting. It's too bad there's so little long-term clinical data to work with on depression. By long term, I mean, you don't have Egyptian hieroglyphs describing so-n-so's depression, detailing that in the spring they'd perk up and in the autumn they'd be all down in the mouth again.

Spinning Yarn

Janis finally sat and did a Navajo three-ply in front of my face and proved it works, so I went and three-plied a small ball of some of my famous loaves-and-fishes single. It was called that because the ball of roving never seemed to get smaller. I've spun this stuff into some serious bulkyweight yarn needing size 13-17 needles, and singles that you could weave with, or, say, three-ply into a nice sportweight/dk yarn that would use size 3-5 needles to knit up. That's what's so cool about spinning. The same two spinners, sitting at the same two spinning wheels/drop spindles/whatever, can produce drastically different yarns from the exact same stuff.

So, to date I've spun with a drop spindle, a spinning wheel, and have done some passable plying with an Andean plying bracelet (into a two-ply yarn), and much nicer looking stuff with my wheel and a crochet hook and the Navajo technique.

A drop spindle is a fancy term for a stick with a weight at one end. You hold the ball of fluff you want to spin, 'draw out' some from the edge to kind of loosen and thin it, and twist it in your hands. Pouf, you just made a bit of yarn, a 'single'. Use that to tie a loop around the stick just under the weight. Spin the stick to generate more twist, and thus more yarn. Then take up the new yarn onto the stick. The direction you spin the stick in is important -- be consistent until you're done with this patch of yarn. Basically, be consistent in general, so you don't have to think later. You can then 'ply' the 'singles' into yarn, or work with them as-is. When you ply, you'll hold two or more singles parallel to one another and twist them together in the opposite direction. Doesn't matter which direction you choose for spinning versus plying, just so long as you go one way for producing singles and one way for plying them into yarn. If you use a spinning wheel, the direction is pretty much chosen for you.

A spinning wheel looks far more complicated but does exactly the same thing as your hands, or a drop spindle: applies twist to some fluff (roving) that you're holding in your hands. A drop spindle uses gravity to apply tension and you to apply twist, as you spin the spindle with your hand, say, against your leg. A spinning wheel takes a more mechanistic approach, using the big wheel bit -- the part everyone notices -- to spin a bobbin (like a bobbin for thread, only you're putting on thread instead of using it up) and a 'flyer' that rotates around the bobbin at a slightly different speed (and actually wraps your single onto the bobbin). I like the wheel because my feet keep everything 'spinning', applying twist, instead of me having to grab my drop spindle and start it going again. A drop spindle is great for travelling, for introducing kids to the art, and I use it a lot for plying. Though, now that Janis has demo'd Navajo three-ply, that may change.

So, plying? Wha?

Modern yarn is all 'plied', you rarely see singles unless you shop for custom yarns or spin yourself. If you pick apart yarn, it'll split up into 2 or 3 or 4 strands. Those are the singles, and they were spun up first, then twisted all together to form the plied yarn. It's a completely separate step.

I've mentioned two methods, but I'm going to gloss over the first (and link to a great description, with photos):

An Andean plying bracelet is a method of holding a long single on one hand in such a way that you can

1. get at both ends at the same time;
2. keep the stuff in some kind of order as you ply up the ends.

Otherwise you end up with a right holy mess. Note that there are two ends getting twisted together, thus you create two-ply yarn. All you're really doing is folding a single in half around your hand and twisting the two ends together -- in the opposite direction of the spin used to create the singles in the first place! Attach the new piece of two-ply yarn to the base of your spindle, twist up the next section, and eventually you'll work through the whole folded single.

Navajo three-ply is a clever way of twisting very long chain stitches made out of one single -- again in the opposite direction of the spin used to create the singles. The more singles that go into a plied yarn, the smoother and more even it appears. The chain stitch bit lets you lay three sections of the same single next to one another, and apply twist to them.

Take the end of your single in your hand. Draw out a length (doesn't matter how long). Double and then triple the single up so that you have three strands side by side. Keep your finger, or a crochet hook in the loop that is closest to your bobbin or ball. Apply "contrary" twist to the other end (the start of your new yarn) and attach the end of this new yarn to your bobbin or the base of your drop spindle. Now, go look at the other end. There's a loop with your crochet hook dangling from it, and a strand leading back to the ball/bobbin. Use the crochet hook to draw that strand through the loop, thus creating a new chain stitch. Stretch it as long as the spirit, variation in color, whatever, moves you. You now have three parallel sections waiting for twist. So twist! You've just created the next section of three-plied yarn. Repeat until you've used up the bobbin/ball/whatever.

You don't really need a hook, just a stick or your finger or whatever will do, anything to pull up the next chain stitch.

Andean Plying Bracelet
Navajo Three Ply
Spinning and Navajo 3-ply Instructions Using a drop spindle.