Alex Halderman Clarifies: Not Sure If Election Was Hacked, But, Uh, Shouldn't Someone Be Checking To Make Sure?

from the that's-a-good-point dept

So lots of people have been discussing the story claiming that some e-voting experts believe the Clinton campaign should be asking for a recount in certain battleground states, where it's possible there were some e-voting irregularities. As we noted in our post, the story would barely be worth mentioning if one of the people involved wasn't Alex Halderman, a computer science professor we've been talking about for nearly a decade and a half, going back to when he was a student. Halderman is basically the expert on e-voting security -- so when he says something, it's worth paying attention.

Halderman has now posted something of a follow-up to the NY Magazine article clarifying his views and what he's suggesting. He's not saying there's evidence of a hack, but basically saying that no one knows if there was a hack or not, and because of that, there should be a recount as a way to audit the results to see if there were any irregularities.

After the election, human beings can examine the paper to make sure the results from the voting machines accurately determined who won. Just as you want the brakes in your car to keep working even if the car’s computer goes haywire, accurate vote counts must remain available even if the machines are malfunctioning or attacked. In both cases, common sense tells us we need some kind of physical backup system. I and other election security experts have been advocating for paper ballots for years, and today, about 70% of American voters live in jurisdictions that keep a paper record of every vote.

There’s just one problem, and it might come as a surprise even to many security experts: no state is planning to actually check the paper in a way that would reliably detect that the computer-based outcome was wrong. About half the states have no laws that require a manual examination of paper ballots, and most other states perform only superficial spot checks. If nobody looks at the paper, it might as well not be there. A clever attacker would exploit this.

There’s still one way that some of this year’s paper ballots could be examined. In many states, candidates can petition for a recount.

So, in effect, Halderman isn't saying that he's got evidence of e-voting fraud, but is simply arguing that if no one checks, no one will ever know. So we should check in order to be sure that there wasn't hacking. That's... pretty sensible.

Examining the physical evidence in these states — even if it finds nothing amiss — will help allay doubt and give voters justified confidence that the results are accurate. It will also set a precedent for routinely examining paper ballots, which will provide an important deterrent against cyberattacks on future elections. Recounting the ballots now can only lead to strengthened electoral integrity, but the window for candidates to act is closing fast.

Basically, the only way we can actually get an effective audit to see if there were any voting irregularities is to ask for a recount. The problem, of course, is a political one. If the Clinton campaign does call for a recount, it will immediately be seen as a political play, and lead to a ton of negative publicity. My guess is that the campaign won't want to go there. If we lived in a time where people were intellectually honest, the campaign could present it exactly the way Halderman has framed it -- not as a claim that they believe fraud happened, but rather as a way to ensure that the e-voting machines were accurate and not manipulated -- but does anyone think that the press (either those that supported or those that opposed Clinton) would treat it that way? It would become a complete mess in about two-and-a-half seconds.

And, that's unfortunate. Because as Halderman points out (and, like us, has been pointing out for over a decade), it absolutely is possible to hack most e-voting machines. Especially if the attacker is determined enough to do so:

Here’s one possible scenario. First, the attackers would probe election offices well in advance in order to find ways to break into their computers. Closer to the election, when it was clear from polling data which states would have close electoral margins, the attackers might spread malware into voting machines in some of these states, rigging the machines to shift a few percent of the vote to favor their desired candidate. This malware would likely be designed to remain inactive during pre-election tests, do its dirty business during the election, then erase itself when the polls close. A skilled attacker’s work might leave no visible signs — though the country might be surprised when results in several close states were off from pre-election polls.

Could anyone be brazen enough to try such an attack? A few years ago, I might have said that sounds like science fiction, but 2016 has seen unprecedented cyberattacks aimed at interfering with the election. This summer, attackers broke into the email system of the Democratic National Committee and, separately, into the email account of John Podesta, Hillary Clinton’s campaign chairman, and leaked private messages. Attackers infiltrated the voter registration systems of two states, Illinois and Arizona, and stole voter data. And there’s evidence that hackers attempted to breach election offices in several other states.

In all these cases, Federal agencies publicly asserted that senior officials in the Russian government commissioned these attacks. Russia has sophisticated cyber-offensive capabilities, and has shown a willingness to use them to hack elections. In 2014, during the presidential election in Ukraine, attackers linked to Russia sabotaged the country’s vote-counting infrastructure and, according to published reports, Ukrainian officials succeeded only at the last minute in defusing vote-stealing malware that was primed to cause the wrong winner to be announced. Russia is not the only country with the ability to pull off such an attack on American systems — most of the world’s military powers now have sophisticated cyberwarfare capabilities.

So, yes, it would be good if the votes here were reviewed, if only as an opportunity to explore the potential problems of e-voting machines, rather than as a political ploy. The only problem is that everyone would see it as a political ploy and with political ploys comes general dumpster fires of idiocy.

Filed Under: alex halderman, audits, democracy, donald trump, e-voting, hillary clinton, voting

After All That, E-Voting Experts Suggest Voting Machines May Have Been Hacked For Trump

from the just...-no dept

In this topsy-turvy world where nothing makes any sense at all any more, Donald Trump spent months and months spinning stories about how the election was "rigged" and e-voting machines were going to be hacked in favor of Hillary Clinton. While we've spent nearly two decades pointing out problems with e-voting machines, and urged governments to do away with them, it still seemed unlikely that a hack would be sustainable on a large scale -- in part because our election system is such a mess and is handled differently from state to state. And, as Ed Snowden himself pointed out, hiding such a hack would be quite difficult. But with Trump refusing to say if he would concede, and talking up how the vote would be rigged, combined with false stories that made the rounds incorrectly claiming that George Soros owned a company that was making millions of e-voting machines, it seemed like a recipe for disaster if Trump lost and his supporters started insisting that the voting machines were hacked.

But, of course, everything is upside down this year. Trump won... and now suddenly some Clinton supporters are arguing that e-voting machines may have been hacked. Now, to be clear, I wouldn't even bring up this story at all under most circumstances. Even as I don't trust e-voting machines, stories of actual hacked elections tend to be the kind of thing that conspiracy theory kooks pass around, rather than anything substantiated in any real way. What's giving some people pause this time around, is that one of the people claiming that the votes in some states may have been hacked is J. Alex Halderman.

Halderman is legit. He's basically the guy who studies how hackable e-voting machines are. We've been writing about Halderman since he was just a Princeton student, and hacking DRM systems. But he's been hacking e-voting machines for almost as long. And he's really, really good at it. Remember the story of the e-voting machine that was reprogrammed to play Pac-Man? That was Alex Halderman.

That said... this story still seems unlikely. The NY Mag story on it is woefully lacking in detail:

The academics presented findings showing that in Wisconsin, Clinton received 7 percent fewer votes in counties that relied on electronic-voting machines compared with counties that used optical scanners and paper ballots. Based on this statistical analysis, Clinton may have been denied as many as 30,000 votes; she lost Wisconsin by 27,000. While it’s important to note the group has not found proof of hacking or manipulation, they are arguing to the campaign that the suspicious pattern merits an independent review — especially in light of the fact that the Obama White House has accused the Russian government of hacking the Democratic National Committee.

But... it's not clear this holds up under much scrutiny. Perhaps Halderman and voting rights expert John Bonifaz have more details on what they found, but as Nate Silver noted, a more rigorous statistical look at the data -- controlling for education and race -- seems to make the statistical anomaly disappear. A big claim of actual vote rigging via e-voting machines would need a tremendous amount of evidence to be believable, no matter who won. So far, it doesn't seem like there's enough proof here, even if someone as respected as Halderman is involved in making these claims. But the fact that he is involved at least makes it worthy of further scrutiny.

But... either way, can we please finally get people to realize that e-voting machines without a verifiable paper trail are a disaster and should have no place in any election system? We'd all be better off if there wasn't even a question of hacked voter machines.

Filed Under: alex halderman, donald trump, e-voting, election, hillary clinton

If The NSA's Not Complaining About Encryption, It's Likely Because It Has Already Found A Way In

from the we-left-ourselves-a-key-to-the-back-door-under-the-mat dept

The NSA hasn't said much (well... compared to the FBI) over the past several months about the default phone encryption offered by Google and Apple. This lack of public outcry has to do with the NSA's capabilities, rather than a sudden interest in ensuring people around the world have access to secure communications. If it truly felt the world would be a better place with safer computing, it wouldn't have invested so much in hardware implants, software exploits and -- its biggest black budget line -- defeating encryption.

Where there's no smoke, there's a great deal of fire which can neither be confirmed nor denied. The NSA has very likely punched holes in encryption in existing encryption. But how does it do it? A brute force attack on encryption would be largely futile, even with the computing power the agency possesses. Alex Halderman and Nadia Heninger at Freedom to Tinker have a theory, and it involves a "flaw" in a highly-recommended encryption algorithm.

The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.

For the nerds in the audience, here’s what’s wrong: If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.

The belief that these common primes (or at least some of them) wouldn't be cracked relied on the assumption that no one entity would have the money to assemble the computing force needed to break the code. The problem is that the NSA likely has the time, money and power to tackle this enormous project. Here's why it first seemed unlikely:

For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.

And here's the reality of the situation, as exposed by documents leaked by Snowden.

The 2013 “black budget” request, leaked as part of the Snowden cache, states that NSA has prioritized “investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic.” It shows that the agency’s budget is on the order of $10 billion a year, with over $1 billion dedicated to computer network exploitation, and several subprograms in the hundreds of millions a year.

What was once considered to be beyond the capabilities of even the biggest intelligence agency is obviously well within its reach. As the authors point out, this would explain the other information seen in leaked documents, like the NSA's ability to decrypt some secured connections "on command" or eavesdrop on VPN traffic.

This is still just a theory, but it does seem to explain much of what's been uncovered in leaked documents. It also shows the NSA is still doing what the NSA does best: leaving lots of stuff poorly-secured, despite directives otherwise.

Our findings illuminate the tension between NSA’s two missions, gathering intelligence and defending U.S. computer security. If our hypothesis is correct, the agency has been vigorously exploiting weak Diffie-Hellman, while taking only small steps to help fix the problem.

As the authors point out, the NSA has recommended better encryption methods, but no one's in any hurry to adopt them because no one trusts the NSA to recommend a method it hasn't already weakened, if not completely compromised. If there's any truth to what's covered here, the NSA has sat quietly by and allowed researchers to recommend yet another encryption method that it's already made large strides towards defeating. And, once again, we can see that when the word "security" is combined with the word "national," it means something completely different than when it stands on its own.

Filed Under: alex halderman, backdoors, diffie hellman, diffie hellman key exchange, encryption, hacking, https, nadia heninger, nsa, surveillance, vpns

The Details On How To Elect Futurama's Bender To Whatever Election Is Using Online Voting

from the bite-my-shiny-metal-ass dept

Back in October of 2010, we wrote about how some "hackers" had broken into a test of the Washington DC e-voting system, and had managed to have the system play the University of Michigan "fight song" every time people voted -- University of Michigan being where the researchers (led by e-voting security expert J. Alex Halderman) were from. A day later, we discussed some more details of the hack, noting how just a tiny vulnerability could take down the integrity of the entire system.

It's been a bit of time since then, but Halderman has released the academic paper they wrote about the experience, which is now getting some new attention, including the fact that, beyond playing the UMich fight song, they also installed their own slate of "fictional" candidates, including Bender from Futurama, who is presumably running on a Kill All Humans platform.

The full paper has some other interesting tidbits, as well, including the fact that they didn't just hack into the e-voting machines... but also accessed the security cameras watching the e-voting servers, which were left open to public access. I'm not kidding. While that might not seem like such a big deal, as the researchers noted, it was actually really useful:

These webcams may have been intended to increase security by allowing remote surveillance of the server room, but in practice, since they were unsecured, they had the potential to leak information that would be extremely useful to attackers. Malicious intruders viewing the cameras could learn which server architectures were deployed, identify individuals with access to the facility in order to mount social engineering attacks, and learn the pattern of security patrols in the server room. We used them to gauge whether the network administrators had discovered our attacks—when they did, their body language became noticeably more agitated.

Either way, the entire thing suggests just how insecure e-voting can be, and the paper suggests these are fundamental, systematic problems with any e-voting approach these days, rather than just a poor implementation.

Filed Under: alex halderman, bender, dc, e-voting, hacking, security, university of michigan

Details Of How The DC Online Voting System Was Hacked: Small Vulnerability, Huge Consequences

from the validate,-validate,-validate dept

We already wrote about the news that some folks at the University of Michigan had successfully hacked an online voting trial in DC, and suggested that Alex Halderman was the guy behind it (though, he was not identified in the press). Halderman has now written a blog post noting that, indeed, it was him and a few others, and providing a pretty thorough explanation of what happened. The DC project had called on anyone to try to hack it during an open hack period, though they only gave three days notice. Still, it didn't take long for Halderman, two PhD. students and a member of UMich's technical staff to find a vulnerability:

The problem, which geeks classify as a "shell-injection vulnerability," has to do with the ballot upload procedure. When a voter follows the instructions and uploads a completed ballot as a PDF file, the server saves it as a temporary file and encrypts it using a command-line tool called GnuPG. Internally, the server executes the command gpg with the name of this temporary file as a parameter: gpg [...] /tmp/stream,28957,0.pdf.

We realized that although the server replaces the filename with an automatically generated name ("stream,28957,0" in this example), it keeps whatever file extension the voter provided. Instead of a file ending in ".pdf," we could upload a file with a name that ended in almost any string we wanted, and this string would become part of the command the server executed. By formatting the string in a particular way, we could cause the server to execute commands on our behalf. For example, the filename "ballot.$(sleep 10)pdf" would cause the server to pause for ten seconds (executing the "sleep 10" command) before responding. In effect, this vulnerability allowed us to remotely log in to the server as a privileged user.

Also, while the press pointed out the fact that after people voted the University of Michigan fight song played, that was hardly the only thing that these researchers did. The reason it got attention was that after they successfully made a bunch of changes to the system, they didn't tell anyone just to see how good the voting system's intrusion detection system was -- and it still took a while for anyone to notice. And it wasn't even the voting system folks who figured it out. Apparently, it was other testers who came across the fight song (hence that being what got reported in the press). They also changed all the votes to write-in candidates they liked and set the system to automatically change all future votes to the same candidates. You can see the ballot that they used to replace all of the votes below. You might like some of their write-in choices. Of course, that's all fun and games, but this revealed a bunch of serious issues. Beyond the fact that the hack basically gave them total control of the system (yikes) and the fact that any intrusion detection system didn't work even though these guys did almost nothing to hide their trail, they were also able to install:

a back door that let us view any ballots that voters cast after our attack. This modification recorded the votes, in unencrypted form, together with the names of the voters who cast them, violating ballot secrecy.

Think about that for a second. This wasn't just a little hack. This was a big, big deal, for a voting system that someone had hoped to actually use in real elections next month. As Halderman notes, this does not bode well for internet voting:

We've found a number of other problems in the system, and everything we've seen suggests that the design is brittle: one small mistake can completely compromise its security. I described above how a small error in file-extension handling left the system open to exploitation. If this particular problem had not existed, I'm confident that we would have found another way to attack the system.

And just think: this was done in just a few days with a voting commission that was open to outsiders trying to hack the system. In the meantime, most of us will use electronic voting equipment next month that has not been subject to any sort of tests like that, and probably includes similarly damaging vulnerabilities (though, thankfully, not via the internet).

Filed Under: alex halderman, dc, online voting, security

Washington DC Pulls Down Internet Voting Trial After Hackers Program It To Play UMich Fight Song

from the usability-issues dept

There are many who believe that there is simply no secure and safe way to conduct voting over the internet. However, it hasn't stopped the government from trying. Washington DC was getting ready to test an internet voting initiative for overseas soldiers, when the system was pulled down last week initially claiming "usability issues," and then saying that they shut it down to "to incorporate feedback received from the testing community." You see, it turned out that the testing community included a professor at University of Michigan who "unleashed" his students on the system, and it didn't take them long to set it up so that, every time you voted, the University of Michigan fight song, "Hail to the Victors," played. Oddly, no one names the Michigan professor, but it seems likely that it was Alex Halderman, who has long been closely associated with various e-voting security issues. In the meantime, it appears that DC will not be allowing internet voting for the upcoming elections...

Filed Under: alex halderman, e-voting, online voting, university of michigan, washington dc

Police Arrest Researcher Who Showed E-Voting Machines Are Not Secure

from the this-is-concerning dept

A few months back, a research report came out noting that e-voting machines in India were not secure. I had seen it at the time, but considering how many stories we've seen of e-voting machines with security problems, I let it pass and didn't write it up. However, the story has just taken a distressing turn. One of the researchers, Hari Prasad, who had obtained the e-voting machine from an anonymous source in the first place, has been arrested and taken into custody because he will not reveal who gave him the machine:

The police did not state a specific charge at the time of the arrest, but it appears to be a politically motivated attempt to uncover our anonymous source. The arresting officers told Hari that they were under "pressure [from] the top," and that he would be left alone if he would reveal the source's identity.

Prasad was taken from his home and driven to Mumbai, a 14-hour journey, where he is to be interrogated. Alex Halderman, who has done lots of research on e-voting machines over the years, and worked with Prasad on the research on the Indian e-voting machine was able to speak to him while he was being driven to Mumbai. Prasad worries that his arrest will create serious chilling effects on other security researchers, and plans to stand up to authorities to hopefully prevent such chilling effects from occurring. You can listen to excerpts from the call in the following YouTube video: The initial post, written by Halderman, also gives plenty of background on the machines. The Indian government has refused to let researcher review the machine, and insists that it's tamper-proof. Even after the initial report came out proving this not to be the case, the government has continued to insist the machines are fine and have no problems. Here in the US, it's quite troubling how much the government has relied on e-voting machines without allowing security researchers to really test them, but at least they don't arrest those who have been able to access and test the machines. This is a hugely troubling move by the Indian government, and hopefully getting more attention on such a questionable arrest will make the Indian government regret this decision -- and open up the machines for real security testing.

Filed Under: alex halderman, e-voting, hari prasad, india, security