Ballot Boxing

Joel N. Shurkin

OCTOBER 29, 2004
Dr. Rubin

Last month, U.S. Sen. Barbara A. Mikulski decided to try one of
Maryland's new voting machines in Takoma Park. It was a brand-new
Diebold AccuVote-TS. The state of Maryland has just spent $55 million
for the ATM-like electronic voting devices to be used in the upcoming
presidential election.

The AccuVote, acting just as a demonstration, offered two choices:
"yes" and "no." Sen. Mikulski pressed "no." The machine registered "yes."

The cackling sound you heard was Avi Rubin, technical director of the
Information Security Institute at Johns Hopkins. But, as Dr. Rubin
will openly confess, it really wasn't funny.

One-third of voters in the November election will be using electronic
voting machines, simple-minded computers that record and report votes.
Dr. Rubin and many computer scientists see nothing less than a threat
to American democracy in these machines. They are easy to tamper with,
he believes, and that makes it possible to rig elections. Indeed,
there already are conspiracy theories flying around the Internet of a
conservative plot to steal the presidential election. (A number of
conservative groups are equally unhappy about the instruments.) In
many cases they are set up to prevent recounts in case of disputes.

Plots to the contrary, after what happened in Florida in 2000 — and
what is happening in Florida now — attention must be paid.

It was Dr. Rubin who first raised serious security issues with the
electronic voting machines and who has taken the brunt of attacks from
the voting machine industry. He instantly rose from an obscure Jewish
computer scientist to a media star, and he's having a wonderful time.

"After my study broke, the public relations office had television
crews lined up outside my office and for a five-week stretch, I was on
national television every week," he said.

He is still quoted regularly in the national media on the debate over
the machines as the election nears, and this spring he reached the
apogee of contemporary culture, a brief appearance as a "Zen moment"
on the "Daily Show with Jon Stewart" on cable. He was scheduled for
"60 Minutes" this week.

Someone recognized him at the swimming pool at the Owings Mills Jewish
Community Center as the guy on television, and even his plumber
announced himself impressed.

How much effect his efforts have had in curbing the use of the
electronic devices or in modifying how they are used is not clear.
Several states, confronted with challenges to the integrity of their
elections, have backed away from using them, several have changed the
voting method to make them more secure and others — most particularly
Maryland — became defensive and refused to budge.

"His study had an enormous effect," said Barbara Simons, former
president of the Association of Computing Machines (ACM), the computer
scientists' professional organization. "Of course it didn't prevent
Maryland from buying the stupid machines."

"What we're fighting about is democracy. If we lose confidence that
our votes will be accurately counted, that's it," she said.

The voting machines are technically known as Direct Recording
Electronic voting machines or DREs.

Dr. Rubin's adventure began last year almost by accident. Bev Harris,
a writer in Renton, Wash., was researching a book on electronic voting
in January 2003. While "googling" for background, she stumbled on a
Web site that turned out to be an electronic archive of a company
bought by Diebold Inc. The site was huge, containing hundreds of
unprotected company files that could be downloaded by anyone who
wanted them. One file hinted that Diebold had put code that was
uncertified for elections in DREs headed for a Georgia election, which
is illegal, so she downloaded it to see. The download took 40 hours
and filled seven CDs.

She posted what she found on a Web site in New Zealand (geographic
distance means nothing to these people) and someone told her that one
file looked suspiciously like Diebold's source code, the programming
that lies at the heart of the DREs.

Posting unprotected source code for a commercial product on the Web
is rare and considered unspeakably stupid in the computer world, so
word spread quickly, and a computer scientist at Stanford University
told Dr. Rubin. Dr. Rubin, in turn, called in Adam Stubblefield, a
doctoral student at Hopkins, and Tadayoshi Kohno, a summer graduate
student, telling them they needed to drop everything and come see what
was on his computer. What they were looking at, they concluded, was a
program compiled in 2000 and its April 2002 update, apparently posted
so programmers could work on it. It was nothing less than the
programming that made the voting machines voting machines.

The students pored over 49,609 lines of "code," computer language
commands that look like hieroglyphics to anyone not trained as a
programmer. One line blew them away. It means nothing to laymen, but
it was enough to make Dr. Rubin's hair stand on end.

#define DESKEY ((des_key*)"F2654hd4")

All commercial programs have provisions to be encrypted, protected by
secret code so that no one could read or change the contents without
the encryption key. That is particularly true of programs that require
transmission by telephone or wireless networks. The line that
staggered the Hopkins team told them first, that the method used to
encrypt the Diebold machines was a method called Digital Encryption
Standard (DES), a code that was broken in 1997 and is no longer used
by anyone to secure programs. F2654hd4 was the key to the encryption.

The programmers had done the equivalent of putting the family jewels
in a safe, putting up a blinking neon sign reading "Jewels in Here!"
and taping the lock's combination to the safe door. Moreover, because
the key was in the source code, all Diebold machines responded to the
same key. Unlock one, you can unlock them all.
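
A source review can catch this class of mistake mechanically. The sketch below is an added example, not code from the Hopkins study or from Diebold: it flags key-like identifiers bound to string literals and identifiers that point at DES. The naming heuristic and every sample line except the macro quoted above are assumptions made for illustration.

```python
import re

# Constructed sample: line 1 is the macro quoted in the article; the other
# lines are invented here to show what the check should and should not flag.
SAMPLE_SOURCE = '''\
#define DESKEY ((des_key*)"F2654hd4")
#define APP_TITLE "Demo Terminal"
static const char *log_prefix = "audit: ";
unsigned char session_key[8];  /* filled at runtime, no literal */
const char *hmac_secret = "constructed-example-secret";
'''

# Assumed naming heuristic: identifiers containing these fragments hold secrets.
KEY_NAME = re.compile(r"key|secret|passw", re.IGNORECASE)
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)+"')
MACRO = re.compile(r"^\s*#\s*define\s+(\w+)")
ASSIGNMENT = re.compile(r"(\w+)\s*(?:\[[^\]]*\])?\s*=(?!=)")
LEGACY_DES = re.compile(r"\bdes_\w+|\bDES\w*")


def bound_name(line):
    """Return the macro or variable name a line defines, or None."""
    match = MACRO.match(line) or ASSIGNMENT.search(line)
    return match.group(1) if match else None


def scan(source):
    """Return (line_number, rule, identifier) findings for C/C++ source text."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        name = bound_name(line)
        # Rule 1: a key-like name bound directly to a string literal means the
        # secret ships in every copy of the binary and of the source.
        if name and KEY_NAME.search(name) and STRING_LITERAL.search(line):
            findings.append((number, "hardcoded-key", name))
        # Rule 2: identifiers that point at single DES, which is obsolete.
        legacy = LEGACY_DES.search(line)
        if legacy:
            findings.append((number, "legacy-des", legacy.group(0)))
    return findings


def report(findings):
    """Format findings without echoing the secret values themselves."""
    return [f"line {n}: {rule} ({ident})" for n, rule, ident in findings]


if __name__ == "__main__":
    print("\n".join(report(scan(SAMPLE_SOURCE))))
```

The report names the identifier and line but never prints the literal, so the scan output itself does not become another copy of the key.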

That was only one of the problems Dr. Rubin's team found. The computer
language used to write the program, C++, is never recommended for
secure programs because hackers can — and do — attack it easily. There
are other programming languages far more secure that the Diebold
programmers ignored, perhaps because they didn't know them well.

Additionally, all large computer programs, which can sometimes run
into the hundreds of thousands of lines, are written by teams and
therefore are extensively annotated. One programmer or a team puts in
an instruction and then adds a note explaining why it was done that
way. Other programmers can add comments or base what they do on the
reasoning in the comments. Or, they can use the annotations to hunt
for bugs when the program misbehaves.

Dr. Rubin said that when he worked for IBM one summer, there were
three pages of notes for every line of code, and no line was added
until committees of reviewers approved. Whole pages of the Diebold
source code were without annotations or signs of review, something you
don't see on professionally written programs, he said. Some of the
annotations that existed even warned that the code contained unfixed
bugs. Clearly, Dr. Rubin thought, Diebold was not using the top of the
class at M.I.T. to write programs for its voting machines.

The code is so badly written, Dr. Rubin shows sections to audiences at
computer science conferences to get laughs.

Moreover, the Diebold program was written for computers using Windows,
Microsoft's relatively unstable and notoriously insecure operating
system, the target of choice for hackers everywhere. (Almost all the
staff of Hopkins' security institute uses Apple Macintoshes, which are
virus-free and far more difficult to tinker with.)

Oh, there is more. The method chosen by Diebold for voting required
the voting officials to check the registration of each voter and then
hand them a "smartcard," a credit card-like piece of plastic
containing digital information that essentially turns the machine on.
The machine reads the card and if the information is correct, permits
the voter to cast his or her ballot.

The smartcards chosen for the Diebold DREs were not encrypted and
could be forged by a 15-year-old in his bedroom at an equipment cost
of about three weeks' allowance, Dr. Rubin said. Anyone with a phony
card could vote more than once.

Dr. Rubin, the Hopkins students and a colleague from Rice University
posted their findings on the Internet (later in an engineering
journal) and then Dr. Rubin, who is not shy, called John Schwartz of
The New York Times, at which point, all hell broke loose.

The reaction of the voting machine industry — especially Diebold, one
of four voting machine manufacturers — was furious. The first comment,
besides attacking Dr. Rubin and company, was to deny there were
problems. When other studies showed the same things, the defense
switched to admitting there were problems but they had been fixed.
Diebold says the programming in the machines it sells now — including
those to be used in Maryland — is not the same programming the Hopkins
study looked at. Since the programming also is proprietary and Diebold
won't show any new versions to anyone, the claims must go unverified,
which is a whole other problem.

Dr. Rubin does not believe the machines are fixable. Diebold says the
smartcards now are encrypted.

"The problems were at different levels. Some are fixable, like they
used broken encryption, but you can fix that — put in good encryption.
But there was a very bad software engineering process that went into
the machines. It was clear looking at the code. If you have a software
package that is as bad, the answer is not to try to plug the holes and
fix it because every time you do that, you introduce new bugs. I don't
think you should try to evolve 45,000 lines of broken code into a
system that's secure. You need to start over with a more talented and
experienced team.

"I joked with my wife about wearing a bulletproof vest," Dr. Rubin
said. "We lost them a lot of business and put their industry in turmoil."

Nonetheless, whatever is in those machines is what you will use in the
November election and so will voters in 38 states.

He was not planning on such a public life.

He was born in Kansas where his parents, both academics, were graduate
students. In something of a reversal of roles, his father became an
English professor (specialty: English Jews in English literature) and
his mother is a mechanical engineer, the type of person who writes
computer programs in FORTRAN to create recipes for dinner.

In 1970, they made aliyah.

The Rubins taught in Israeli universities for six years. Then Israel
was inundated with refugees from the Soviet Union and the universities
thought they were in more need than former Americans, so the Rubins
lost tenure. They moved back to the United States in 1976. The family
moved to Alabama where Dr. Rubin was in the first graduating class at
the Birmingham Jewish day school. Dr. Rubin and his three siblings and
parents (who now teach at Vanderbilt) often speak Hebrew when they are
together.

He got his Ph.D. in computer science from the University of Michigan.

"When I got my Ph.D., my adviser said, you have a Ph.D., you're a
computer scientist. Don't be too narrow. Now I've managed to become
synonymous not only with computer security but a tiny little subfield
of it," he said.

What he also got involved with was a battle between bureaucrats,
including those who staked their careers on buying DREs, and
academics. Both sides accuse the other of not knowing what they are
talking about. Most of his colleagues in computer science, he said,
support his position. Dr. Simons, now a co-chair of ACM's public
policy committee, agreed.

Other computer security specialists, including the National Security
Agency, testified in support of the Hopkins study.

Legislators, concerned with what the Hopkins study showed, asked the
Department of Legislative Services to review the state's purchase of
the Diebold machines and held hearings. First, they hired a firm
called SAIC to study the situation, and then hired RABA Technologies,
a Maryland consulting company to review both studies. SAIC said Dr.
Rubin was correct in his assessment but didn't completely understand
the Maryland voting system. RABA supported the Hopkins study in most
of its accusations and found even more problems.

RABA's Michael A. Wertheimer and a team of company hackers broke into
the Board of Elections computer, changed the results of a mock
election and then backed out without leaving a trace.

"We did it in under five minutes," he told "The Daily Show."

Then there is what happens when the results are uploaded from the DREs
to the state's computer.

"You're more secure buying a book from Amazon," he concluded.

He also found that the Maryland election officials had not upgraded
Windows with security patches from Microsoft and were, in fact, 15
upgrades behind. Every time they tried to load a patch, Windows crashed.

Mr. Wertheimer finally suggested that tamper-resistant tape be
wrapped around the machines, something Linda Lamone, the
state's election administrator, says can't be done in time and would
look awful.

More important to Dr. Rubin, "RABA found the Hopkins report to be a
thorough, independent review of the AccuVote source code and should be
credited with raising valid issues that have resulted in considerable
improvements," concluded RABA.

But the state hasn't made enough improvements to suit Dr. Rubin and
his allies.

There are 150 million registered voters in America and a third will be
using voting machines despite the fact the machines have never been
tested on a mass scale. Anecdotally, there are reasons for concern.

New Mexico, a leader in electronic voting, went to Al Gore in 2000 by
366 votes. In one county, 678 out of 2,300 votes cast went uncounted.
The voting machines lost them.

Remember the hanging chads in Florida? They weren't the only problem
the state has had with elections. Some areas used electronic machines,
including Miami-Dade County. A study by the American Civil Liberties
Union reported that in the Democratic gubernatorial primary in 2002, 8
percent of the votes cast in 31 Miami-Dade precincts was lost.

California bought the machines, decertified them and changed its mind.
It is suing Diebold and once threatened criminal charges on grounds
that the company made false claims about the machines. Ohio, one of
the election's swing states, is only one of several that have pulled
the plug on DREs, as has Missouri. The revelation that Diebold made
political contributions to the Republican Party didn't make critics
any happier, although Diebold's competitors are Democratic contributors.

Critics have been stunned by the reaction of Maryland officials,
especially Ms. Lamone, the state's administrator, who apparently is now
fighting for her job. Officials have defended the machines with a
passion that sometimes even exceeded the manufacturer's defense,
claiming all the problems have been fixed. Ms. Lamone went to court to
defend against a suit brought by a voter group to force the state to
change its system and she won.

"Maryland is acting as though they are the ones selling the machines
instead of buying them," Dr. Rubin said. "I think there is some face
saving and some embarrassment. If you spend $55 million and someone
says it was a bonehead purchase you might get defensive. Some jobs are
on the line about this, I believe."

Del. Jon Cardin (D-11th) defends the state's decision. He is a member
of the House Ways and Means Committee and participated in a summer
investigation of the voting process in Maryland. He said that of the
more than 100 suggestions made to improve the machines and the voting
process "almost every single one was complied with by the State Board
of Elections." Part of the problem with sorting through the issues is
clear differences of opinion among the experts.

Mr. Cardin says that the rate of error in paper balloting is 7-9
percent, while the error rate with computers is minuscule. (A joint
study by the California Institute of Technology and the Massachusetts
Institute of Technology disagrees. Paper has the lowest error rate,
the study said. Electronic machines were no better than punch cards.
Mr. Cardin says he has not seen the study.)

Mr. Cardin also said breaking into the machines and changing votes
would be very difficult and require great computer skills and
technical knowledge and is hence very unlikely.

"I am [more] concerned that there is a contingent of people that have
lost confidence in the voting system, not in the integrity of voting,"
he said.

There is a process that can mitigate some of the danger: a paper
"trail." The DREs would be attached to printers and whenever a vote
was cast, the printer would reproduce the vote on paper. The voter
could then certify that, unlike the machine Sen. Mikulski played with,
the DRE got it right. Also, if there were a need for a recount, there
would be a paper record of the votes. By comparing numbers, it would
even be possible to detect multiple votes or ballot stuffing.
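
The comparison described above can be written down as a reconciliation of three independent counts per precinct. This is an added example, not part of the original article or of any state's procedure; the record layout, precinct names and all counts are constructed, and it assumes the paper records are hand-counted and the pollbook sign-in count is available.

```python
from collections import Counter

# Constructed sample data: precinct names and every count below are invented.
# "signed_in" is the pollbook count, "electronic" the DRE totals, and "paper"
# a hand count of the printed, voter-checked records.
PRECINCTS = {
    "Precinct A": {"signed_in": 412,
                   "electronic": {"yes": 200, "no": 212},
                   "paper": {"yes": 200, "no": 212}},
    "Precinct B": {"signed_in": 380,
                   "electronic": {"yes": 230, "no": 165},
                   "paper": {"yes": 215, "no": 165}},
    "Precinct C": {"signed_in": 300,
                   "electronic": {"yes": 160, "no": 140},
                   "paper": {"yes": 150, "no": 150}},
}


def reconcile(record):
    """Compare one precinct's three independent counts; return discrepancies."""
    electronic = Counter(record["electronic"])
    paper = Counter(record["paper"])
    e_total = sum(electronic.values())
    p_total = sum(paper.values())
    issues = []
    # More ballots recorded than voters signed in: multiple voting or stuffing.
    if e_total > record["signed_in"]:
        issues.append(("excess-ballots", e_total - record["signed_in"]))
    # Machine and paper disagree on how many ballots exist at all.
    if e_total != p_total:
        issues.append(("count-mismatch", e_total - p_total))
    # Totals can agree while individual choices were recorded wrongly.
    for choice in sorted(set(electronic) | set(paper)):
        if electronic[choice] != paper[choice]:
            issues.append(("tally-mismatch", choice,
                           electronic[choice], paper[choice]))
    return issues


def audit(precincts):
    """Return only the precincts whose counts do not reconcile."""
    flagged = {}
    for name, record in precincts.items():
        issues = reconcile(record)
        if issues:
            flagged[name] = issues
    return flagged


if __name__ == "__main__":
    for name, issues in audit(PRECINCTS).items():
        print(name, issues)
```

Precinct C shows why totals alone are not enough: its ballot counts match everywhere, and only the per-choice comparison against paper exposes the misrecorded votes.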

Several states have implemented paper trails, and Nevada successfully
held an election this summer with paper backup that everyone,
including Dr. Rubin, thinks went well. "A paper trail keeps them
honest — if [the paper ballots] are counted," Dr. Rubin said.

Nevada, however, wasn't using Diebold DREs and Diebold's machines
aren't designed for use with printers. Printers also cost money,
another reason for resistance by state officials.

Florida election officials (all Republicans), on the other hand, have
barred paper trails and ruled against manual recounts in case a result
is contested, a decision that was thrown out by a state court on Sept.
27. If the officials appeal and win, we would never know the true
winner of another close Florida election.

"If we have an election that is really close like we did in 2000 and
there are places in which the vote is disputed that were fully
electronic, we won't have hanging chads to recount," Dr. Rubin said.

Another state without paper trails, of course, is Maryland, partly
because it is using Diebold's devices, and partly because of the
stubborn insistence by Ms. Lamone's office that paper trails are
unnecessary.

Sen. Mikulski, meanwhile, has signed onto a bill in Congress that
would make paper backup mandatory but not until 2006. Meanwhile, in
many places where results could be very close, it may not be possible
to do recounts and we may never know the outcome of the races. The
ACM's Dr. Simons thinks the upcoming election may wind up in court
again, and this time because of electronic voting. If there is
cheating, it may go undetected, she said.

Dr. Rubin is keeping himself busy at Hopkins and as an expert witness
in computer security matters, a very lucrative trade. He also has a
raucous family at home with three young kids, including 2-year-old
twins. His eldest goes to Krieger Schechter Day School and Dr. Rubin
is on the school's computer technology advisory committee. The family
belongs to Chizuk Amuno.

Journalists and voting advocacy groups still regularly consult him.

Dr. Rubin points out that there actually is an almost foolproof voting
method, hard to corrupt and capable of producing completely accurate
counts: paper.

Paper can be used in two ways, he said. One is simply having people
mark the ballots, put them in boxes for recounting later, the way it
was done in the 18th century and as far as anyone knows, still the
most exact way of running an election. Cheap too.

Another possibility, if people insist on 21st-century technology,
would be to take the paper ballots, put them in optical scanners and
let the scanners accumulate the votes. That might be faster than
manual counting, is very accurate, and if there are problems, election
officials can always go back and recount the paper ballots.

Stung a bit by the criticism that he — an academic — knew nothing
about voting procedures, Dr. Rubin volunteered to be an election judge
in Baltimore County in the spring. His experience is that well-run
voting places are of great help in protecting the integrity of the
vote. He no longer worries about the smartcard problem in efficient
polling places. With nine judges and five machines, it would have been
easy to spot someone fooling around in the booth.

One flaw he found worse than he expected is the use in the Diebold
plan of a "zero" machine, one of the DREs that would accumulate all
the votes in the other computers for counting. "There is no need to
attack all the machines," he said. All a hacker had to do was attack
that one DRE, especially since that machine is the one that phones in
results, making it vulnerable in multiple ways.

He still doesn't think DREs are a good thing, even with a paper trail.
The only machines he prefers would be simple devices that act as
intermediaries between the voter and a printer. He is not worried
about people hacking the network between the voting machines and the
state computer.

"The biggest concern I have is that someone would rig the machines,"
Dr. Rubin said. "This would be somebody at the manufacturer or
somebody with physical access to the machines who could change the
software. Traditional Internet-based hacking is not the issue."

If jurisdictions use paper trails with DREs, the same manufacturer
should not make both the DREs and the printers, he said. That would
reduce the chances of a conspiracy or at least broaden the conspiracy
and make it more difficult to operate and easier to detect. He admits,
however, that when he was a primary voting judge the people using the
Diebold DREs loved them.

"They raved about them to us judges. The most common comment was 'that
was so easy.' I can see why people take so much offense at the notion
that the machines are completely insecure... I was curious that voters
did not seem to question how their votes were recorded.

"I continue to believe that the Diebold voting machines represent a
huge threat to our democracy. I fundamentally believe that we have
thrown our trust in the outcome of our elections in the hands of a few
companies who are in a position to control the final outcomes of our
elections.

"The more e-voting is viewed as successful, the more it will be
adopted," he said, "and the greater the risk when someone decides to
actually exploit the weaknesses in these systems.

"I am not against technology. I drive a car, get on airplanes and ride
elevators. However, if the code in any of these was as bad as
Diebold's software, I wouldn't. I think that the real difference is
the adversary model. If there were trillions of dollars worth of
incentives for people to rig elevators so that they crashed, I would
be advocating for only using stairs."


To read more, pick up a copy of the Jewish Times at one of our
newsstand locations.