5 November 2008
Following Avi Rubin's lead, I volunteered as a poll worker in Union County, NJ, for this election. It was partly happenstance — by chance I stumbled on a link on a county web site asking for people — and partly professional curiosity: as a systems and security guy with a strong interest in public policy, I was curious how they protected the integrity of the election while still handling exceptions.
The polling place I was assigned to has about 2000 registered voters split among three districts; each district had one machine. The ballot was relatively short by American standards (president, senator, representative, three votes (out of N candidates) for members of the county legislature, plus two constitutional amendments); lines were generally not too long. Each district had a crew of four or five people; one to work the machine, two or three handling the check-in, and one filling in or handling special situations such as provisional ballots.
All poll workers are required to attend a training session at least every other year. I originally thought that the training was not thorough enough; in fact, it covered more than we needed to know for most of what we encountered, and experience and common sense generally served to fill in the blanks. If you're curious, the training session slides can be found via the links here.
To vote, one first has to check in with the proper district's desk. Districts are geographically assigned; most voters do not know their districts, but remember that "I usually go to this part of the room". We had booklets that mapped addresses to districts; we needed to consult them frequently. Once the poll worker has found your name in the proper poll book, you're asked to sign in. The signature space is marked in various ways, for example to note that the voter must provide ID or that address verification is needed. New Jersey does not, in general, require voters to show ID; however, by Federal law new voters who registered by mail must show ID the first time they vote. That said, a very high percentage of people walked up to the desk with driver's license or passport in hand. This was useful because it eliminated questions about spelling or address.
The poll worker then fills out the voting authority slip. This is a two-part piece of paper. Both halves are numbered; the number is recorded in the poll book next to the signature. The voter then signs the top half, which is retained by the poll worker; the bottom half is given to the voter to bring to the machine. The voter's ID number is written on the retained half of the slip. One can thus go both ways, from the voter's name and address to a slip number (and therefore on which machine that person voted), or from the slips retained at a machine to the voter's record.
The poll worker controlling the machine verifies and retains the authority slip; in my county, the slips are strung on a wire attached to the machine. (Not surprisingly, lots of people opt for the shortest voting machine line; unfortunately, that's wrong, since you're supposed to use the machine for your district.) If all is in order, he or she activates the machine; the voter enters the booth, chooses among the various candidates, presses the "cast vote" button, and leaves.
We use Sequoia AVC Advantage machines similar to the ones Andrew Appel bought. They are direct recording electronic (DRE) voting machines; others have written about the evils of such machines and I won't belabor the point here, save to note that I'm more afraid of bugs than malware. (Appel did a detailed analysis of security issues concerning this machine. Although I'm not sure I agree on all points, I regard it as largely correct. The report also has a detailed explanation of the voting procedure used.)
Many voters were confused by the machine. To vote for a candidate, you're supposed to press a square next to the person's name, at which point a green X lights up. If you've never used these machines, the location to press is not intuitive. Many people tried to type names using the keypad; it, however, should only be used for write-in (so-called "personal choice") votes. People would call out from inside the machine, asking for help. We'd try to describe what they should do; on more than one occasion, someone would come out and ask us to come in to "help me vote for Obama". (I was never asked for help in voting for McCain. I'm not sure what that means…) We're not supposed to do that. Fortunately, if someone is having trouble voting, generally they haven't managed to record anything, so there is no privacy violation in me looking at the screen and pointing to squares — but again, we're not supposed to be inside the booths.
The personal choice option caused the one significant problem we had. Someone accidentally pressed that option, activating the keypad. At that point, nothing else would work until the person either pressed the personal choice option again, disabling it, or typed in a name via the keypad and hit enter. We were worried that we were going to have to call for service before I finally figured out what had happened. We did have some emergency paper ballots, but the room was not set up for that; there was no suitably private table for voters to use.
Another weak point is the delay between when one voter leaves and when the machine can be activated for the next voter. For reasons I don't understand, there was about a 10-second delay between the two events. Anecdotal reports from another polling place suggest that pressing the activation button too soon crashed the machine. I did not experience that at all.
Turnout was heavy, especially between 6:00am (there were 30-40 people waiting outside when we opened the polls) and 8:30. After that, things slowed down. Frequently, there is an evening rush; that didn't happen this time. My assumption is that people really wanted to be sure they got to vote, even if there were traffic or late trains home. In-person turnout was about 74%; about another 10% of voters in the district requested absentee ballots. The more experienced members of the crew said that seeing 25% was unusually good.
There were a few problematic voters: people who had moved, one person whose name appeared twice: a middle initial in one listing, the full middle name in the other, etc. If we couldn't sort things out, we gave them provisional ballots. One woman went to the trouble of going to the county seat (Elizabeth, about a 30 minute drive each way, even without traffic) and seeing a judge; she got a court order giving her the right to vote on the machine. None of us had ever seen such a thing before (though there is a staff of judges on duty on Election Day, for just such eventualities), and while we puzzled through the procedures the woman seemed a bit concerned that we were going to deny her the right to vote. She calmed down when she realized that we simply had to figure out the paperwork necessary. The pollbooks, for example, do have blank slots for just such eventualities, but we had no documentation on what to use for a voter's ID number to put on the authority slip.
Because the districts are geographically delineated, they have somewhat different demographics. One of them includes some apartment buildings, which are unusual in my town; perhaps as a consequence, that district had a notably higher percentage of African-Americans. Many of them (and many of the young, new voters) were very excited and very eager to participate in what everyone knew was a historic event. There was a fair amount of picture-taking, too, a tangible symbol of participation in this election. There was no discernible grumbling about the delays this caused. This district gave Obama a significant win; McCain had a slight edge in a second, and the third was essentially a tie.
In general, things went smoothly. We closed the machines on schedule and packed up the printouts and memory cartridge for delivery to the Elections Board. (My county, at least, does not use electronic transmission of results.)
So — what were the security flaws? First, of course, there are the ones identified in Appel's report. There is really nothing I can add to it. Voting multiple times would have been difficult unless the poll books were tampered with. A corrupt poll worker could have issued authority slips to someone whose name did not appear in the poll books, but it would have been difficult for a small number of people to cast a large number of votes that way; the repeat-voting would likely have been identified. We certainly recognized the little kids who came first to "help Mommy vote" and then came back to "help Daddy". (My perception, I should add, is that most of those very young voters wanted Obama; I could often hear the discussions in the voting booth. Five-year-old: "Daddy, I want to press the button for Obama!" Slightly older sib: "No, I want to!" We were told to advise parents to have their child stand on the left, where it's harder for them to hit the big red button prematurely…)
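The two-way mapping described above (slip number to poll book entry and back, plus the slip count on each machine's wire against the machine's vote counter) can be checked mechanically at close of polls. The following is an added example, not part of the original post; the poll book rows, slips and counters are constructed, and the field names are my own.

```python
from collections import Counter

# Constructed poll book: one row per voter who signed in, with the slip
# number that was written next to the signature.
POLL_BOOK = [
    {"voter_id": "U1001", "district": 1, "slip_no": 101},
    {"voter_id": "U1002", "district": 1, "slip_no": 102},
    {"voter_id": "U2001", "district": 2, "slip_no": 201},
    {"voter_id": "U2002", "district": 2, "slip_no": 202},
]

# Constructed slips strung on each machine's wire, keyed by machine (one per
# district): (slip number, voter ID written on the retained half).
RETAINED_SLIPS = {
    1: [(101, "U1001"), (102, "U1002"), (103, "U9999")],  # 103 has no poll book entry
    2: [(201, "U2001"), (202, "U2002"), (202, "U2002")],  # 202 was strung twice
}

# Constructed vote counters printed by each machine at close of polls.
MACHINE_COUNTERS = {1: 4, 2: 3}


def reconcile(poll_book, retained, counters):
    """Return a list of discrepancies; an empty list means the slips tally."""
    findings = []
    by_slip = {row["slip_no"]: row for row in poll_book}
    seen_slips, seen_voters = Counter(), Counter()
    for machine, slips in retained.items():
        # Slips on the wire should equal the votes the machine says it recorded.
        if len(slips) != counters.get(machine):
            findings.append(f"machine {machine}: {len(slips)} slips, counter {counters.get(machine)}")
        for slip_no, voter_id in slips:
            seen_slips[slip_no] += 1
            seen_voters[voter_id] += 1
            row = by_slip.get(slip_no)  # slip -> poll book direction
            if row is None:
                findings.append(f"slip {slip_no} on machine {machine}: not in poll book")
            elif row["voter_id"] != voter_id:
                findings.append(f"slip {slip_no}: voter {voter_id} does not match poll book")
            elif row["district"] != machine:
                findings.append(f"slip {slip_no}: district {row['district']} voter used machine {machine}")
    findings += [f"slip {s} retained {n} times" for s, n in seen_slips.items() if n > 1]
    findings += [f"voter {v} cast {n} votes" for v, n in seen_voters.items() if n > 1]
    # Poll book -> slip direction: every signature should have a retained slip.
    findings += [f"voter {row['voter_id']} signed in but slip {row['slip_no']} not retained"
                 for row in poll_book if seen_slips[row["slip_no"]] == 0]
    return findings
```

A slip issued to someone not in the poll book still matches the machine counter, which is why the slip-to-poll-book direction is checked separately from the count.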
It was a long day — 0515-2025 — but it was interesting. I'll probably volunteer again for the next general election.
24 November 2008
A pair of articles today — one on how useful Google is, and how Google wants "a little bit of Google in many parts of your life", and one on reported layoffs at Google (but also see this) — made me wonder: if, 50 years from now, Google is in some sort of crisis, would it be too big to fail?
Naturally, it's hard to imagine that Google could fail. Of course, 50 years ago, it was hard to imagine the state of today's U.S. auto industry, or what has happened to this country's steel industry. It's certainly not inconceivable that some day, Google, too, may be a creaky dinosaur, unable to cope with a changed environment. But a bailout? Perhaps…
The defining characteristic of those companies that are the current recipients of today's Federal largesse is that they're big: AIG, Citigroup, etc. They've been called "too big to fail", because their failure would have a drastic effect on the rest of the economy. Could that describe Google some day?
Today, Google all but owns the search market. They're a major player in Internet advertising. They're one of the biggest mail hosts. It isn't a stretch to believe that several decades from now, there won't be other major players, and that we'll all be massively dependent on Google. Besides, there's another issue: if they do fail, what happens to all of their data on Google users? Sold to the highest bidder? What will happen? What should?
To be sure, much (arguably, most) of Google's prominence is due to sheer technical excellence. But "too big" is too big, regardless. Would we be better off if there were barriers to any companies achieving such market dominance in critical fields? As I understand U.S. antitrust law, market dominance per se is not illegal; however, anti-competitive practices to achieve or maintain such dominance are. Perhaps that is the wrong standard?
28 November 2008
For various reasons, the wireless portion of my home network has been using WEP (Wired Equivalent Privacy). While I'm certainly aware of the security issues, I've continued to use WEP because (a) some of my client machines didn't properly support anything better; (b) I perceive a minimal threat model (I live on a very quiet suburban street); and (c) the computers in the house are hardened and encrypt just about everything anyway.
That said, I decided it was time to switch to WPA2 (WPA itself has its own security problems). Accordingly, I looked at various boxes around the house to see what the options looked like.
The first thing to check, of course, was the access points: a pair of Linksys WAP54Gs with v2.0 hardware and 2.07 firmware. They offered WEP, RADIUS, WPA-Preshared Key, and WPA Radius. Hmm — no WPA2. On to my iPhone (with 2.2 firmware): it offers WEP, WPA, WPA2, WPA Enterprise, and WPA2 Enterprise. So — is "WPA Radius" the same as "WPA Enterprise"? Is "WPA" the same as "WPA-Preshared Key"? For fun, I upgraded the access points to v3.04 firmware, even though the Linksys web site didn't say anything about other security modes being added via that upgrade. It helped: I can now use WEP, WPA-Personal, WPA2-Personal, WPA2-Mixed, WPA-Enterprise, and RADIUS. Perhaps "Personal" is the same as "Preshared Key", though I generally avoid getting too personal with cryptographic devices. But "RADIUS" is now separate from "Enterprise", and I have yet to figure out what "Mixed" is. Of course, some of the options only permit hex keys (more secure, but impossible to type properly on, say, an iPhone), while some like ASCII. Also, there's now a completely separate option for authentication; the choices for it are "Open System" and "Shared Key". This, of course, is under "Advanced Wireless Settings", rather than "Wireless Security".
I next looked at my NetBSD laptop. NetBSD (and many other Unix clones, including some Linux distributions) uses wpa_supplicant for security. It offers WPA-PSK, WPA-EAP, IEEE8021X, plus "NONE" which for some reason covers WEP. But I also get to specify a choice of several different authentication algorithms: OPEN, SHARED, and LEAP. Furthermore, I can pick an encryption algorithm, such as AES or TKIP. There's no sign of that on the other clients, though the access points will offer that as a choice (sometimes) if you ask on the right menu.
Windows is different still. XP lets me choose among WEP, WPA-PSK, 802.1x, or 802.1x EAP (Cisco LEAP). (This is on a Thinkpad, with an IBM add-on for managing connections.) A Dell laptop running Vista offered a choice of None (Open), Shared, WPA2 Personal, WPA Personal, WPA2 Enterprise, WPA Enterprise, and 802.1x. To make life interesting, however, those choices were under "Authentication", not "Security" or "Encryption".
And Ubuntu 8.10? It offers a choice of WEP 40/128-bit key, WEP 128-bit Passphrase, LEAP, Dynamic WEP (802.1x), WPA and WPA2 Personal, and WPA and WPA2 Enterprise. The interesting thing is that it combines the WPA and WPA2 options, implying that it can figure out the difference while no one else can.
It's pretty clear that the choices are very confusing. There is no standard nomenclature, nor even standard categorization. There are unanswerable questions, such as why XP has a "Cisco" option, but the access points — remember that Linksys is a subsidiary of Cisco — do not.
The more interesting question is what should be done. Some of the options reflect evolution over time (i.e., WEP vs. WPA vs. WPA2). Others reflect different environments: the Enterprise options require a login name and password, and often a certificate and associated private key. In other words, the differences are not just cosmetic; there are substantive distinctions, and there really are preferred choices for different environments. But how should this be presented to the user?
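As an added example, not from the original post, here is how the menu labels above translate into wpa_supplicant.conf network blocks, which use the protocol's own vocabulary (key management, protocol version, cipher, 802.1X method) rather than marketing names. The SSIDs, keys, identity and certificate path are placeholders.

```conf
# WEP: wpa_supplicant files this under key_mgmt=NONE. auth_alg is the
# "Open System" vs "Shared Key" choice hidden under "Advanced" on the WAP54G.
network={
    ssid="home-legacy"
    key_mgmt=NONE
    auth_alg=OPEN
    # 104-bit key ("WEP 128-bit") as 26 hex digits; a quoted string gives an ASCII key
    wep_key0=0123456789abcdef0123456789
    wep_tx_keyidx=0
}

# "WPA-Personal" / "WPA-Preshared Key": pre-shared key, original WPA (proto=WPA), TKIP.
network={
    ssid="home-wpa"
    key_mgmt=WPA-PSK
    proto=WPA
    pairwise=TKIP
    group=TKIP
    # 8-63 character ASCII passphrase; 64 unquoted hex digits give the raw PSK
    psk="placeholder-passphrase"
}

# "WPA2-Personal": same PSK, but proto=RSN (802.11i's name for WPA2) and AES-CCMP.
# An access point's "WPA2-Mixed" advertises both, i.e. proto=WPA RSN.
network={
    ssid="home-wpa2"
    key_mgmt=WPA-PSK
    proto=RSN
    pairwise=CCMP
    group=CCMP
    psk="placeholder-passphrase"
}

# "WPA2-Enterprise" / "WPA Radius": 802.1X with EAP. A login and password
# (here PEAP with MSCHAPv2 inside) plus the RADIUS server's CA certificate
# replace the shared key. "Dynamic WEP (802.1x)" is the same with key_mgmt=IEEE8021X.
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    identity="user@example.org"
    password="placeholder"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}
```

Without the ca_cert line the client will accept any RADIUS server that offers a certificate, so that line is what makes the "Enterprise" login worth more than the passphrase it replaces.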