Wednesday, November 10, 2004

Article concerning Dr. Avi Rubin 

This is an article that highlights the history of Beverly Harris's involvement in the exposure of the flaws of electronic voting, and the connection between her and Dr. Avi Rubin, who conducted the Johns Hopkins study of electronic voting systems. It also highlights Diebold's response to Hopkins' study of electronic voting systems. I am going to print the entire article, until I can find a more permanent link:


Ballot Boxing
Joel N. Shurkin
OCTOBER 29, 2004

Last month, U.S. Sen. Barbara A. Mikulski decided to try one of Maryland's new voting machines in Takoma Park. It was a brand-new Diebold AccuVote-TS. The state of Maryland has just spent $55 million for the ATM-like electronic voting devices to be used in the upcoming presidential election.

The AccuVote, acting just as a demonstration, offered two choices: "yes" and "no." Sen. Mikulski pressed "no." The machine registered "yes."

The cackling sound you heard was Avi Rubin, technical director of the Information Security Institute at Johns Hopkins. But, as Dr. Rubin will openly confess, it really wasn't funny.

One-third of voters in the November election will be using electronic voting machines, simple-minded computers that record and report votes. Dr. Rubin and many computer scientists see nothing less than a threat to American democracy in these machines. They are easy to tamper with, he believes, and that makes it possible to rig elections. Indeed, there already are conspiracy theories flying around the Internet of a conservative plot to steal the presidential election. (A number of Conservative groups are equally unhappy about the instruments.) In many cases they are set up to prevent recounts in case of disputes.

Plots to the contrary, after what happened in Florida in 2000 — and what is happening in Florida now — attention must be paid.

It was Dr. Rubin who first raised serious security issues with the electronic voting machines and who has taken the brunt of attacks from the voting machine industry. He instantly rose from an obscure Jewish computer scientist to a media star, and he's having a wonderful time.

"After my study broke, the public relations office had television crews lined up outside my office and for a five-week stretch, I was on national television every week," he said.

He is still quoted regularly in the national media on the debate over the machines as the election nears, and this spring he reached the apogee of contemporary culture, a brief appearance as a "Zen moment" on the "Daily Show with Jon Stewart" on cable. He was scheduled for "60 Minutes" this week.

Someone recognized him at the swimming pool at the Owings Mills Jewish Community Center as the guy on television, and even his plumber announced himself impressed.

How much effect his efforts have had in curbing the use of the electronic devices or in modifying how they are used is not clear. Several states, confronted with challenges to the integrity of their elections, have backed away from using them, several have changed the voting method to make them more secure and others — most particularly Maryland — became defensive and refused to budge.

"His study had an enormous effect," said Barbara Simons, former president of the Association of Computing Machines (ACM), the computer scientists' professional organization. "Of course it didn't prevent Maryland from buying the stupid machines."

"What we're fighting about is democracy. If we lose confidence that our votes will be accurately counted, that's it," she said.

The voting machines are technically known as Direct Recording Electronic voting machines or DREs.

Dr. Rubin's adventure began last year almost by accident. Bev Harris, a writer in Renton, Wash., was researching a book on electronic voting in January 2003. While "googling" for background, she stumbled on a Web site that turned out to be an electronic archive of a company bought by Diebold Inc. The site was huge, containing hundreds of unprotected company files that could be downloaded by anyone who wanted them. One file hinted that Diebold had put code that was uncertified for elections in DREs headed for a Georgia election, which is illegal, so she downloaded it to see. The download took 40 hours and filled seven CDs.

She posted what she found on a Web site in New Zealand (geographic distance means nothing to these people) and someone told her that one file looked suspiciously like Diebold's source code, the programming that lies at the heart of the DREs.

Posting unprotected source codes for a commercial product on the Web is rare and considered unspeakably stupid in the computer world, so, word spread quickly, and a computer scientist at Stanford University told Dr. Rubin. Dr. Rubin, in turn, called in Adam Stubblefield, a doctoral student at Hopkins, and Tadayoshi Kohno, a summer graduate student, telling them they needed to drop everything and come see what was on his computer. What they were looking at, they concluded, was a program compiled in 2000 and its April 2002 update, apparently posted so programmers could work on it. It was nothing less than the programming that made the voting machines voting machines.

The students pored over 49,609 lines of "code," computer language commands that look like hieroglyphics to anyone not trained as a programmer. One line blew them away. It means nothing to laymen, but it was enough to make Dr. Rubin's hair stand on end.

#define DESKEY ((des_key*)"F2654hd4")

All commercial programs have provisions to be encrypted, protected by secret code so that no one could read or change the contents without the encryption key. That is particularly true of programs that require transmission by telephone or wireless networks. The line that staggered the Hopkins team told them first, that the method used to encrypt the Diebold machines was a method called Digital Encryption Standard (DES), a code that was broken in 1997 and is no longer used by anyone to secure programs. F2654hd4 was the key to the encryption.

The programmers had done the equivalent of putting the family jewels in a safe, putting up a blinking neon sign reading "Jewels in Here!" and taping the lock's combination to the safe door. Moreover, because the key was in the source code, all Diebold machines responded to the same key. Unlock one, you can unlock them all.

That was only one of the problems Dr. Rubin's team found. The computer language used to write the program, C++, is never recommended for secure programs because hackers can — and do — attack it easily. There are other programming languages far more secure that the Diebold programmers ignored, perhaps because they didn't know them well.

Additionally, all large computer programs, which can sometimes run into the hundreds of thousands of lines, are written by teams and therefore are extensively annotated. One programmer or a team puts in an instruction and then adds a note explaining why it was done that way. Other programmers can add comments or base what they do on the reasoning in the comments. Or, they can use the annotations to hunt for bugs when the program misbehaves.

Dr. Rubin said that when he worked for IBM one summer, there were three pages of notes for every line of code, and no line was added until committees of reviewers approved. Whole pages of the Diebold source code were without annotations or signs of review, something you don't see on professionally written programs, he said. Some of the annotations that existed even warned that the code contained unfixed bugs. Clearly, Dr. Rubin thought, Diebold was not using the top of the class at M.I.T. to write programs for its voting machines.

The code is so badly written, Dr. Rubin shows sections to audiences at computer science conferences to get laughs.

Moreover, the Diebold program was written for computers using Windows, Microsoft's relatively unstable and notoriously insecure operating system, the target of choice for hackers everywhere. (Almost all the staff of Hopkins' security institute uses Apple Macintoshes, which are virus-free and far more difficult to tinker with.)

Oh, there is more. The method chosen by Diebold for voting required the voting officials to check the registration of each voter and then hand them a "smartcard," a credit card-like piece of plastic containing digital information that essentially turns the machine on. The machine reads the card and if the information is correct, permits the voter to cast his or her ballot.

The smartcards chosen for the Diebold DREs were not encrypted and could be forged by a 15-year-old in his bedroom at an equipment cost of about three weeks' allowance, Dr. Rubin said. Anyone with a phony card could vote more than once.

Dr. Rubin, the Hopkins students and a colleague from Rice University posted their findings on the Internet (later in an engineering journal) and then Dr. Rubin, who is not shy, called John Schwartz of The New York Times, at which point, all hell broke loose.

The reaction of the voting machine industry — especially Diebold, one of four voting machine manufacturers — was furious. The first comment, besides attacking Dr. Rubin and company, was to deny there were problems. When other studies showed the same things, the defense switched to admitting there were problems but they had been fixed. Diebold says the programming in the machines it sells now — including those to be used in Maryland — is not the same programming the Hopkins study looked at. Since the programming also is proprietary and Diebold won't show any new versions to anyone, the claims must go unverified, which is a whole other problem.

Dr. Rubin does not believe the machines are fixable. Diebold says the smartcards now are encrypted.

"The problems were at different levels. Some are fixable, like they used broken encryption, but you can fix that — put in good encryption. But there was a very bad software engineering process that went into the machines. It was clear looking at the code. If you have a software package that is as bad, the answer is not to try to plug the holes and fix it because every time you do that, you introduce new bugs. I don't think you should try to evolve 45,000 lines of broken code into a system that's secure. You need to start over with a more talented and experienced team.

"I joked with my wife about wearing a bulletproof vest," Dr. Rubin said. "We lost them a lot of business and put their industry in turmoil."

Nonetheless, whatever is in those machines is what you will use in the November election and so will voters in 38 states.

He was not planning on such a public life.

He was born in Kansas where his parents, both academics, were graduate students. In something of a reversal of roles, his father became an English professor (specialty: English Jews in English literature) and his mother is a mechanical engineer, the type of person who writes computer programs in FORTRAN to create recipes for dinner.

In 1970, they made aliyah.

The Rubins taught in Israeli universities for six years. Then Israel was inundated with refugees from the Soviet Union and the universities thought they were in more need than former Americans, so the Rubins lost tenure. They moved back to the United States in 1976. The family moved to Alabama where Dr. Rubin was in the first graduating class at the Birmingham Jewish day school. Dr. Rubin and his three siblings and parents (who now teach at Vanderbilt) often speak Hebrew when they are together.

He got his Ph.D. in computer science from the University of Michigan.

"When I got my Ph.D., my adviser said, you have a Ph.D., you're a computer scientist. Don't be too narrow. Now I've managed to become synonymous not only with computer security but a tiny little subfield of it," he said.

What he also got involved with was a battle between bureaucrats, including those who staked their careers on buying DREs, and academics. Both sides accuse the other of not knowing what they are talking about. Most of his colleagues in computer science, he said, support his position. Dr. Simons, now a co-chair of ACM's public policy committee, agreed.

Other computer security specialists, including the National Security Agency, testified in support of the Hopkins study.

Legislators, concerned with what the Hopkins study showed, asked the Department of Legislative Services to review the state's purchase of the Diebold machines and held hearings. First, they hired a firm called SAIC to study the situation, and then hired RABA Technologies, a Maryland consulting company to review both studies. SAIC said Dr. Rubin was correct in his assessment but didn't completely understand the Maryland voting system. RABA supported the Hopkins study in most of its accusations and found even more problems.

RABA's Michael A. Wertheimer and a team of company hackers broke into the Board of Elections computer, changed the results of a mock election and then backed out without leaving a trace.

"We did it in under five minutes," he told "The Daily Show."

Then there is what happens when the results are uploaded from the DREs to the state's computer.

"You're more secure buying a book from Amazon," he concluded.

He also found that the Maryland election officials had not upgraded Windows with security patches from Microsoft and were, in fact, 15 upgrades behind. Every time they tried to load a patch, Windows crashed.

Mr. Wertheimer finally suggested the machines be wrapped in tamper-resistant tape, something Linda Lamone, the state's election administrator, says can't be done in time and would look awful.

More important to Dr. Rubin, "RABA found the Hopkins report to be a thorough, independent review of the AccuVote source code and should be credited with raising valid issues that have resulted in considerable improvements," concluded RABA.

But the state hasn't done enough improvements to suit Dr. Rubin and his allies.

There are 150 million registered voters in America and a third will be using voting machines despite the fact the machines have never been tested in a mass scale. Anecdotally, there are reasons for concern.

New Mexico, a leader in electronic voting, went to Al Gore in 2000 by 366 votes. In one county, 678 out of 2,300 votes cast went uncounted. The voting machines lost them.

Remember the hanging chads in Florida? They weren't the only problem the state has had with elections. Some areas used electronic machines, including Miami-Dade County. A study by the American Civil Liberties Union reported that in the Democratic gubernatorial primary in 2002, 8 percent of the votes cast in 31 Miami-Dade precincts was lost.

California bought the machines, decertified them and changed its mind. It is suing Diebold and once threatened criminal charges on grounds that the company made false claims about the machines. Ohio, one of the election's swing states, is only one of several that have pulled the plug on DREs, as has Missouri. The revelation that Diebold made political contributions to the Republican Party didn't make critics any happier, although Diebold's competitors are Democratic contributors.

Critics have been stunned by the reaction of Maryland officials, especially Ms. Lamone, the state's administrator, who apparently is now fighting for her job. Officials have defended the machines with a passion that sometimes even exceeded the manufacturer's defense, claiming all the problems have been fixed. Ms. Lamone went to court to defend against a suit brought by a voter group to force the state to change its system and she won.

"Maryland is acting as though they are the ones selling the machines instead of buying them," Dr. Rubin said. "I think there is some face saving and some embarrassment. If you spend $55 million and someone says it was a bonehead purchase you might get defensive. Some jobs are on the line about this, I believe."

Del. Jon Cardin (D-11th) defends the state's decision. He is a member of the House Ways and Means Committee and participated in a summer investigation of the voting process in Maryland. He said that of the more than 100 suggestions made to improve the machines and the voting process "almost every single one was complied with by the State Board of Elections." Part of the problem with sorting through the issues is clear differences of opinion among the experts.

Mr. Cardin says that the rate of error in paper balloting is 7-9 percent, while the error rate with computers is minuscule. (A joint study by the California Institute of Technology and the Massachusetts Institute of Technology disagrees. Paper has the lowest error rate, the study said. Electronic machines were no better than punch cards. Mr. Cardin says he has not seen the study.)

Mr. Cardin also said breaking into the machines and changing votes would be very difficult and require great computer skills and technical knowledge and is hence very unlikely.

"I am [more] concerned that there is a contingent of people that have lost confidence in the voting system, not in the integrity of voting," he said.

There is a process that can mitigate some of the danger: a paper "trail." The DREs would be attached to printers and whenever a vote was cast, the printer would reproduce the vote on paper. The voter could then certify that, unlike the machine Sen. Mikulski played with, the DRE got it right. Also, if there were a need for a recount, there would be a paper record of the votes. By comparing numbers, it would even be possible to detect multiple votes or ballot stuffing.

Several states have implemented paper trails, and Nevada successfully held an election this summer with paper backup that everyone, including Dr. Rubin, thinks went well. "A paper trail keeps them honest — if [the paper ballots] are counted," Dr. Rubin said.

Nevada, however, wasn't using Diebold DREs and Diebold's machines aren't designed for use with printers. Printers also cost money, another reason for resistance by state officials.

Florida election officials (all Republicans), on the other hand, have barred paper trails and ruled against manual recounts in case a result is contested, a decision that was thrown out by a state court on Sept. 27. If the officials appeal and win, we would never know the true winner of another close Florida election.

"If we have an election that is really close like we did in 2000 and there are places in which the vote is disputed that were fully electronic, we won't have hanging chads to recount," Dr. Rubin said.

Another state without paper trails, of course, is Maryland, partly because it is using Diebold's devices, and partly because of the stubborn insistence by Ms. Lamone's office that paper trails are unnecessary.

Sen. Mikulski, meanwhile, has signed onto a bill in Congress that would make paper backup mandatory but not until 2006. Meanwhile, in many places where results could be very close, it may not be possible to do recounts and we may never know the outcome of the races. The ACM's Dr. Simons thinks the upcoming election may wind up in court again, and this time because of electronic voting. If there is cheating, it may go undetected, she said.

Dr. Rubin is keeping himself busy at Hopkins and as an expert witness in computer security matters, a very lucrative trade. He also has a raucous family at home with three young kids, including 2-year-old twins. His eldest goes to Krieger Schechter Day School and Dr. Rubin is on the school's computer technology advisory committee. The family belongs to Chizuk Amuno.

Journalists and voting advocacy groups still regularly consult him.

Dr. Rubin points out that there actually is an almost foolproof voting method, hard to corrupt and capable of producing completely accurate counts: paper.

Paper can be used in two ways, he said. One is simply having people mark the ballots, put them in boxes for recounting later, the way it was done in the 18th century and as far as anyone knows, still the most exact way of running an election. Cheap too.

Another possibility, if people insist on 21st-century technology, would be to take the paper ballots, put them in optical scanners and let the scanners accumulate the votes. That might be faster than manual counting, is very accurate, and if there are problems, election officials can always go back and recount the paper ballots.

Stung a bit by the criticism that he — an academic — knew nothing about voting procedures, Dr. Rubin volunteered to be an election judge in Baltimore County in the spring. His experience is that well-run voting places are of great help in protecting the integrity of the vote. He no longer worries about the smartcard problem in efficient polling places. With nine judges and five machines, it would have been easy to spot someone fooling around in the booth.

One flaw he found worse than he expected is the use in the Diebold plan of a "zero" machine, one of the DREs that would accumulate all the votes in the other computers for counting. "There is no need to attack all the machines," he said. All a hacker had to do was attack that one DRE, especially since that machine is the one that phones in results, making it vulnerable in multiple ways.

He still doesn't think DREs are a good thing, even with a paper trail. The only machines he prefers would be simple devices that act as intermediaries between the voter and a printer. He is not worried about people hacking the network between the voting machines and the state computer.

"The biggest concern I have is that someone would rig the machines," Dr. Rubin said. "This would be somebody at the manufacturer or somebody with physical access to the machines who could change the software. Traditional Internet-based hacking is not the issue."

If jurisdictions use paper trails to DREs, the same manufacturer should not make both the DREs and the printers, he said. That would reduce the chances of a conspiracy or at least broaden the conspiracy and make it more difficult to operate and easier to detect. He admits, however, that when he was a primary voting judge the people using the Diebold DREs loved them.

"They raved about them to us judges. The most common comment was 'that was so easy.' I can see why people take so much offense at the notion that the machines are completely insecure... I was curious that voters did not seem to question how their votes were recorded.

"I continue to believe that the Diebold voting machines represent a huge threat to our democracy. I fundamentally believe that we have thrown our trust in the outcome of our elections in the hands of a few companies who are in a position to control the final outcomes of our elections.

"The more e-voting is viewed as successful, the more it will be adopted," he said, "and the greater the risk when someone decides to actually exploit the weaknesses in these systems.

"I am not against technology. I drive a car, get on airplanes and ride elevators. However, if the code in any of these was as bad as Diebold's software, I wouldn't. I think that the real difference is the adversary model. If there were trillions of dollars worth of incentives for people to rig elevators so that they crashed, I would be advocating for only using stairs."
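
The hard-coded key the article quotes is the kind of flaw a source review can catch mechanically. The sketch below is an added example, not part of the article or of Diebold's code: a heuristic scanner that flags string literals bound to key-like names in C/C++ source. Apart from the DESKEY line, the sample input is constructed, and the list of suspicious name fragments is an assumption.

```python
import re

# Heuristic, assumed list of name fragments that suggest secret material.
SUSPECT_NAME = re.compile(r"key|secret|passw", re.IGNORECASE)

# A string literal, a // comment, or a /* */ comment, whichever starts first.
# Matching strings here keeps "//" inside a literal from being read as a comment.
TOKEN_RE = re.compile(r'"(?:[^"\\\n]|\\.)*"|//[^\n]*|/\*.*?\*/', re.DOTALL)

STRING = r'"((?:[^"\\]|\\.)*)"'
# #define NAME <casts, parentheses> "literal"
DEFINE_RE = re.compile(r'^\s*#\s*define\s+(\w+)\b[^"\n]*' + STRING)
# name = "literal"   or   name[] = (cast) "literal"
ASSIGN_RE = re.compile(
    r'\b(\w+)\s*(?:\[\s*\d*\s*\])?\s*=\s*(?:\([^)]*\)\s*)?' + STRING)

# Constructed sample; only the DESKEY line is the one quoted in the article.
SAMPLE = '''\
// voting terminal settings (constructed)
#define DESKEY ((des_key*)"F2654hd4")
#define APP_NAME "DemoApp"
/* static const char *old_key = "not-live"; */
static const char db_password[] = "demo-password";
const char *url = "http://example.invalid//key";
int load_key(const char *path);  /* key read from protected storage */
'''


def strip_comments(source):
    """Remove comments but keep string literals and line numbering intact."""
    def keep(match):
        token = match.group(0)
        if token.startswith('"'):
            return token
        return "\n" * token.count("\n")
    return TOKEN_RE.sub(keep, source)


def scan(source):
    """Return (line, name, literal_length) for literals bound to key-like names."""
    findings = []
    lines = strip_comments(source).splitlines()
    for lineno, line in enumerate(lines, start=1):
        m = DEFINE_RE.search(line) or ASSIGN_RE.search(line)
        if m and m.group(2) and SUSPECT_NAME.search(m.group(1)):
            findings.append((lineno, m.group(1), len(m.group(2))))
    return findings


def describe(finding):
    """Format a finding without echoing the secret into the report."""
    lineno, name, nbytes = finding
    note = " (8 bytes, the size of a DES key)" if nbytes == 8 else ""
    return (f"line {lineno}: literal bound to '{name}', "
            f"{nbytes} bytes{note}; value withheld")


if __name__ == "__main__":
    for item in scan(SAMPLE):
        print(describe(item))
```

A finding means every build of the program carries the same secret, which is the article's "unlock one, you can unlock them all" point; the usual remedy is a per-device key provisioned outside the source tree.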