The next set of procedures I want to talk about are procedures that election organizations put in place to guard the voting system and the voting machines against tampering. Now if you think back to paper balloting, when in the election cycle was it necessary to guard the ballot box against tampering? Well, you needed to make sure at the beginning that it was empty and that it didn't have a false bottom or false side, and you needed to make sure that no one added or removed or changed any of the ballot papers between the start of polling and the time that counting finished. So between polling and counting was the biggest period of vulnerability for the ballot box and the time it had to be guarded. But with the introduction of electronic voting machines, that situation changes dramatically. So, a DRE voting machine that has only its electronic record of the count might be tampered with before the election, maybe years before the election, maybe even while the software was being written. And that tampering could alter the software in a way that would change votes on election day. So with DREs, it's not only necessary to safeguard them during polling and counting; we need to safeguard the machine at all times, and, as we saw in an earlier lecture, even after the machine is no longer used for elections it could still have data on it that's going to reveal voters' secret ballots. So it's really a lifetime of security. This is one of the things that just adds to the cost of DRE voting in a way that most people don't realize. So, how would you safeguard machines like this? You have to remember that we have to keep track of them in storage. We have to keep track of them on election day, and we have to keep track of the removable memory cards, and so forth. One aspect of that is making sure that the location where they're stored is going to be secure. You need a secure facility, probably one with cameras, maybe one with a watchman.
All of these are costly add-ons to the voting process. Another aspect is making sure that they're being secured while they're being transported to polling places and when the memory cards are being removed and brought back to counting. So for those procedures, something that we can import from older forms of elections, like the paper ballot box you see on the left, is something called a two-person rule. That is, you have to have at least two people watching at all times when it's being transported or in use. That's sort of a minimal security requirement to impose. That's on the thinking that, if you have two people who are watching each other, the temptation for fraud or the ability to coerce both of them would be reduced. So maintaining the physical security by observing, by watching, is one kind of procedural safeguard that can be put in place to protect these voting machines and technologies. In practice, however, the real procedures that are followed are much more lax than we might like. When you think about the logistics of conducting a real election, you have to make sure that the machines are going to be there on the polling day in time for the polling places to open. And this can present a big challenge, especially for bulky machines like big DREs or lever machines. Those machines are going to need to be delivered some time in advance. There are just not enough people, not enough trucks to drop all of them off at, say, seven in the morning when polls open. So what many election authorities do in practice is they'll drop these machines off the day before the election. These are some pictures from elections in New Jersey where this kind of procedure is common. These are polling places that are in local schools, and there are the machines, unguarded, the evening before the election.
These particular machines, AVC Advantage machines, are one of the machines that I showed you could be tampered with back in the second week of the course. Procedures like this, leaving the voting machines overnight, are usually called sleepovers. They might be left in the polling place. For smaller equipment, they might even be left with some of the poll workers. All of this just creates a tremendous opportunity for fraud, though, because the machines are relatively easy to tamper with. And any tampering would not necessarily be observable on election day. So this kind of sleepover procedure is one of the Achilles' heels of the entire chain of custody procedure, that is, the procedures that are in place to make sure that the machines will be guarded and remain untampered at all times. Another mechanism that's put in place to try to safeguard the physical integrity of the machines against tampering is what's known as tamper-evident seals. These are physical devices that come in many different styles, but the intent is always to have some kind of way to tell whether an enclosure has been opened between the time the seal was put in place and the time it's been inspected. So, we can look at this example here. This is a tamper-evident seal of the style used on the New Jersey machines. And it consists of a sticker that's placed over part of the case. If the sticker is peeled back or removed, it is designed so that it will look different. It will show this VOID writing in the background on the right. Now there are a number of procedures that have to be followed in order to use tamper-evident seals correctly for them to have any value at all. And one of the most basic is you have to make sure that the seal that's there when you're checking is the same as the seal that was there when the case was closed. That is, you have to check that the serial number on the seal is right.
If it's changed, as you can see these are slightly different, then that could just be that someone's removed the original seal and replaced it with another one of the same kind but with a different serial number. So that's the most basic procedural check. There are a lot more procedural checks that are important. We'll see those in a minute. Tamper-evident seals come in many different forms. Some of them are in the style of a padlock, some of them are a little wire rope, some of them are, like the ones we just saw, a sticker. The question is whether these seals are actually that tamper resistant. I'd like to pause for a minute and let you think about this question. How might you try to tamper with some of these different kinds of seals? The attacker might try a few different ways to defeat these so-called tamper-evident seals. One would be to remove the seal and replace it with a new one that looks just like the original. Another possibility would be to find a way to take the seal off and put the original one back on without leaving any evidence that it had ever been removed. So, these turn out to be empirical questions. How easy is it for the kinds of seals that are actually in use or on the market to either replace them with fresh ones without being detected, or to take them off and put them back on without leaving enough evidence? This man, Roger Johnston, who is the head of the vulnerability assessment team at Argonne National Lab, has done very extensive studies of tamper-evident seals, asking just these questions: how easy would it be to defeat them in the ways I've talked about? So in one result, after trying to defeat 244 different kinds of seals, he found that the average time it would take to defeat them for just a single person working alone was only 1.4 minutes, and the average cost to break a seal was only 62 cents.
To devise a successful attack starting from scratch with a new kind of seal took an average of less than 2.5 hours. And the median times and costs are even worse than these. So most of the seals on the market perform extremely poorly, being defeated in less than a minute at a cost of less than $0.10. And this is not just low security seals he's looking at, or ones that are advertised for low security purposes. Nineteen percent of those he considered in this study were either being evaluated for or currently in use for nuclear safeguards. So, the state of seals on the market, of typical seals, is just much, much poorer than you might think, if you didn't take time to think about how they might be defeated. Johnston also found that there was very little correlation between the cost of the seal and how quickly it could be defeated. Expensive seals might be as easy as cheap seals, so cost is not a factor that you can use very reliably in evaluating how much security a seal might give you. Now when we go from just seals in general for lots of applications to the way seals are used in voting machines, we can look at some actual evidence from the way they're used in the field. This man, Andrew Appel, who's a computer scientist at Princeton, has spent a lot of time looking at the seals and seal procedures that are used in New Jersey on those machines I just showed you, the AVC Advantages. And the seals are really important because, as we saw, the machines are left unguarded overnight before the election. And as Appel's and my own research has shown, it's easy to tamper with the machines by changing the software, if you can get them open. So, how strong a deterrent or a defense do those seals provide? Appel has looked at the seal procedures in place in New Jersey and, right now, they actually use a number of different seals on the same machine, different styles of seals. There are seals over the screw caps that you need to remove to open it up.
There are wire seals on certain parts of the machine. There are also sticker-style seals on other places. So, they're trying to make it really tough by putting a lot of different kinds of seals on the same kind of device. But Appel has shown in his research that he was able to easily defeat every one of these seals using commonly available tools and a little bit of ingenuity. One of those kinds of seals is this cup seal that is placed over the screw caps. Appel was able to defeat the cup seal using a pair of pliers and a chisel. What he did was he figured out a way that he could lift it enough to chisel around the bottom, take it off, and then remove the screw. And then he was able to put it back on and replace that damaged part with a new one, but have the original cap, which is the place with the serial number, show little or no evidence that it had ever been removed. Another kind of seal he looked at was this padlock-style seal that goes on another part of the machine. What Appel found was that he could make a jig that would allow him to drill two very, very small, almost invisible, holes into this padlock seal, and then he could open it up, put it back together, and it would be extremely unlikely that this attack would be detected just by a cursory visual inspection. Then there are the tape and sticker seals that are on other parts of the voting machine. What Appel found was that he could just take a heat gun, warm them up a little bit, and then pry them off, and reattach them after opening the machine without exposing them and making them show that they had been tampered with. So, again, another example of a little bit of clever application of commonly available tools allows each of these kinds of seals to be defeated. That's how you get up to these amazingly low costs for breaking them. So real attackers would almost certainly be able to defeat these seals if they had a minimal amount of time to apply to each of the machines.
Using tamper-evident seals in practice requires a pretty complicated set of procedures. And if we're going to look at the set of procedures, we might call this a procedural protocol, there are a lot of questions we need to ask to make sure that the procedures provide a minimal amount of protection. So first, is the seal even going to be there when the attacker has access to the machine? If the machine's not sealed when it's in the warehouse and attackers potentially are going to access the machine there, it's not providing any protection. Second, does the seal actually need to be removed to get in? One thing they found on the machines in New Jersey was that there were alternate ways to get in and at those memory chips without actually removing the seals. So you might go in through another door or compartment. Another question is, can the attacker just temporarily remove the seal? This one has to do with the security of the seal, as Appel and Johnston researched. Or, can he just replace it with a new seal? That's the other attack we considered. In order to prevent replacing it with new seals, one of the minimum things that you need to do is record the serial number written on the seal. So the seal protocol has to incorporate some mechanism for that. You also need to check that it's the same later, and if the procedures don't include a provision for reliably doing this, you're in trouble. Finally, even if the serial number matches, do officials actually inspect for any evidence of tampering, like those tiny screw holes that Appel made in the padlock-style seal? And if anomalies are detected, are they recorded and reported? Both of these are important because you have to be able to figure out that it's not just one broken seal or one place where maybe through human error someone wrote down the wrong serial number. If it's a pattern of fraud, you're only going to be able to find it if the people who are doing the inspection communicate with other people doing the inspection.
And so a wide-scale series of anomalies can be noted. Now, the last question is, is appropriate action taken when problems are found with the seals? This is really the hardest one, because what's the appropriate thing to do if there are a lot of seals broken? Well, clearly, you have to investigate and figure out what's happened, and whether any tampering was done. But if they're DRE voting machines and someone tampered with them and installed fraudulent software, often that fraudulent software could just wipe itself out and remove all traces of the fraud at the end of the election. So, what constitutes appropriate action is hard. Another possibility, though, another kind of attack that we haven't talked about so far is, what if someone just goes in and breaks a lot of the seals but doesn't actually do any other tampering? He just, say, breaks those stickers or tapes in order to try to disrupt the election. So this kind of attack could create a denial of service that would be very low in cost and probably easy to get away with. If you create evidence of fraud without committing it, you might prevent the votes from being counted in a timely manner, you might cause a very long and protracted investigation, and you would certainly undermine voter confidence. So seals are just not very good at distinguishing between that kind of denial of service attack and someone actually getting in and tampering with the internals of the election. The last thing I want to talk about, having to do with seals, is a new approach to making them, a way we might end up with much better tamper-evident seals. This is an idea that comes out of Roger Johnston and his colleagues' work at Argonne. So the way that seals work mostly today, the current approach, is what we might call an evidence method.
When the seal is tampered with, it's supposed to create and display some kind of visual indicator that creates evidence that it has been opened, like the VOID lettering in the background of this tape seal you see here. Johnston's new approach is something that he and his colleagues call anti-evidence, and this is a really, really neat concept. So, the way it works is you can imagine your seal is some kind of electronic device. And inside, it has some amount of secret information, and it doesn't display this information. But it has some way of proving to someone who challenges it that it knows this information. For technical people, you might imagine some protocol based on hashes or MACs. But what happens when the seal is broken is that it erases that secret information. It can no longer do that kind of proof, so after it's broken there's no way to open it up and get the information, and there's no way to put that information back in. It's gone forever. This is the nature of the anti-evidence approach, and perhaps some day seals based on an approach like this will be able to provide a stronger defense.
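To make the "protocol based on hashes or MACs" concrete, here is an added example in Python that models the anti-evidence seal described above together with the serial-number check from the seal procedures discussed earlier. It is not code from the lecture, and it is not Johnston's or Appel's design; every name in it (AntiEvidenceSeal, SealInspector, ReplayingFakeSeal, demo) and the serial numbers are assumptions made for illustration. The seal keeps a secret it never displays and answers a fresh random challenge with an HMAC over it; the election office records the secret against the seal's serial number when the seal is applied. Opening the enclosure makes the seal zeroize its secret, so a later inspection cannot succeed, and because each challenge is fresh, a substitute seal that merely replays an earlier answer fails as well.

```python
"""Toy model of an "anti-evidence" seal with HMAC challenge-response.

Added example, not code from the lecture or from Johnston's or Appel's
work. All class and function names here are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class AntiEvidenceSeal:
    """Electronic seal: knows a secret, proves knowledge, never reveals it."""

    def __init__(self, serial: str, secret: bytes) -> None:
        self.serial = serial
        self._secret: Optional[bytes] = secret  # never displayed to anyone

    def respond(self, challenge: bytes) -> Optional[bytes]:
        # Proof of knowledge: HMAC-SHA256 over the inspector's challenge.
        if self._secret is None:
            return None  # secret already erased, no proof possible
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

    def on_enclosure_opened(self) -> None:
        # Tamper event: zeroize the secret instead of showing VOID lettering.
        self._secret = None


class ReplayingFakeSeal:
    """Look-alike seal built by someone who recorded one earlier response."""

    def __init__(self, serial: str, recorded_response: bytes) -> None:
        self.serial = serial
        self._recorded = recorded_response

    def respond(self, challenge: bytes) -> Optional[bytes]:
        return self._recorded  # ignores the challenge entirely


class SealInspector:
    """Election office side: the seal log plus the challenge-response check."""

    def __init__(self) -> None:
        self._log: Dict[str, bytes] = {}  # serial -> secret, written at sealing

    def apply_seal(self, serial: str) -> AntiEvidenceSeal:
        secret = secrets.token_bytes(32)
        self._log[serial] = secret
        return AntiEvidenceSeal(serial, secret)

    def inspect(self, seal, claimed_serial: str) -> str:
        # Step 1: the basic procedural check from the lecture. Is this serial
        # number one that was recorded when the case was closed?
        secret = self._log.get(claimed_serial)
        if secret is None:
            return "UNKNOWN_SERIAL"
        # Step 2: a fresh challenge, so a recorded answer cannot be replayed.
        challenge = secrets.token_bytes(16)
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        response = seal.respond(challenge)
        if response is None or not hmac.compare_digest(response, expected):
            return "TAMPERED"
        return "INTACT"


def demo() -> Dict[str, str]:
    """Walk one seal through its lifecycle and return each inspection verdict."""
    office = SealInspector()
    seal = office.apply_seal("NJ-000123")  # constructed serial number
    results: Dict[str, str] = {}

    results["before_tamper"] = office.inspect(seal, seal.serial)

    # An observer records one legitimate response while the seal is intact
    # and builds a look-alike seal that always answers with it.
    recorded = seal.respond(secrets.token_bytes(16))
    fake = ReplayingFakeSeal(seal.serial, recorded)
    results["replayed_response"] = office.inspect(fake, fake.serial)

    # A fresh seal of the same style, but with a serial number never logged.
    stranger = AntiEvidenceSeal("NJ-000999", secrets.token_bytes(32))
    results["swapped_seal"] = office.inspect(stranger, stranger.serial)

    # The real seal's enclosure is opened: the secret is gone for good.
    seal.on_enclosure_opened()
    results["after_tamper"] = office.inspect(seal, seal.serial)
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:18s} -> {verdict}")
```

Two design points carry the idea. The inspector never asks the seal for its secret, only for a proof of knowledge, so there is nothing to read out even from an intact seal; and the verdict for an erased secret is the same as for a wrong answer, so an inspector sees "TAMPERED" whether the enclosure was opened or the seal was swapped for one that cannot answer. What the model does not solve is the last question from the procedure list: it tells you that something is wrong with a seal, not whether that was a real intrusion or a deliberate attempt to create evidence of fraud without committing it.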