Results 1 - 10 of 21
Security analysis of the Diebold AccuVote-TS voting machine
In Proc. 2007 USENIX/ACCURATE Electronic Voting Technology Workshop (EVT ’07), 2006
Cited by 57 (8 self)
This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities—a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine’s hardware and software and the adoption of more rigorous election procedures.
Efficient post-election audits of multiple contests: 2009 California tests
Cited by 24 (12 self)
Abstract: Risk-limiting post-election audits have a pre-specified minimum chance of requiring a full hand count if the outcome of the contest is not the outcome that a full hand count of the audit trail would show. The first risk-limiting audits were performed in 2008 in California. Two refinements to increase efficiency will be tested in Marin and Santa Cruz counties, California, in November 2009. The first refinement is to audit a collection of contests as a group by auditing a random sample of batches of ballots and combining observed discrepancies in the contests represented in those batches in a particular way: the maximum across-contest relative overstatements (MACRO). MACRO audits control the familywise error rate (the chance that one or more incorrect outcomes fails to be corrected by a full hand count) at a cost that can be lower than that of controlling the per-comparison error rate with independent audits. A risk-limiting audit for the entire collection of contests can be built on MACRO using a variety of probability sampling schemes and ways of combining MACRO across batches. The second refinement is to base the test on the Kaplan-Markov confidence bound, drawing batches with probability proportional to an error bound (PPEB) on the MACRO. The Kaplan-Markov bound is especially well suited to sequential testing: After each batch is audited, a simple calculation—a product of fractions—determines whether to audit another batch or to stop the audit and confirm the apparent outcomes. Keywords: familywise error rate, Kaplan-Markov martingale confidence bound, nonnegative random variable, per-comparison error rate, probability proportional to size, sequential test, simultaneous test, statistical audit.
On auditing elections when precincts have different sizes
, 2008
Cited by 20 (4 self)
We address the problem of auditing an election when precincts may have different sizes. Prior work in this field has emphasized the simpler case when all precincts have the same size. Using auditing methods developed for use with equal-sized precincts can, however, be inefficient or result in a loss of statistical confidence when applied to elections with variable-sized precincts. We survey, evaluate, and compare a variety of approaches to the variable-sized precinct auditing problem, including the safe method [11] based on theory developed for equal-sized precincts. We introduce new methods such as the negative-exponential method (negexp) that select precincts independently for auditing with predetermined probabilities, and the “ppebwr” method that uses a sequence of rounds to select precincts with replacement according to some predetermined probability distribution that may depend on error bounds for each precinct (hence the name ppebwr: probability proportional to error bounds, with replacement), where the error bounds may depend on the sizes of the precincts, or on how the votes were cast in each precinct. We give experimental results showing that negexp and ppebwr can dramatically reduce (by a factor of two or three) the cost of auditing compared to methods such as safe that depend on the use of uniform sampling. Sampling so that larger precincts are audited with appropriately larger probability can yield large reductions in expected number of votes counted in an audit. We also examine the optimal auditing strategy, which is nicely representable as a linear programming problem but only really computable for small elections (fewer than a dozen precincts). We conclude with some recommendations for practice.
Super-Simple Simultaneous Single-Ballot Risk-Limiting Audits
Cited by 12 (2 self)
Simultaneous risk-limiting audits of a collection of contests have a known minimum chance of leading to a full hand count if the outcome of any of those contests is wrong. Risk-limiting audits are generally performed in stages. Each stage involves drawing a sample of ballots, comparing a hand count of the votes on those ballots with the original count, and assessing the evidence that the original outcomes agree with the outcomes that a full hand count would show. If the evidence is sufficiently strong, the audit can stop; if not, more ballots are counted by hand and the new evidence is assessed. This paper derives simple rules to determine how many ballots must be audited to allow a simultaneous risk-limiting audit to stop at the first stage if the error rate in the sample is sufficiently low. The rules are of the form “audit at least ρ/µ ballots selected at random.” The value of ρ depends on the simultaneous risk limit and the amount of error to be tolerated in the first stage without expanding the audit. It can be calculated once and for all without knowing anything about the contests. The number µ is the “diluted margin”: the smallest margin of victory in votes among the contests, divided by the total number of ballots cast across all the contests. The initial sample size does not depend on any details of the contests, just the diluted margin. This is far simpler than previous methods. For instance, suppose we are auditing a collection of contests at simultaneous risk limit 10%. In all, N ballots were cast in those contests. The smallest margin is V votes: The diluted margin is µ = V/N. We want the audit to stop at the first stage provided the fraction of ballots in the sample that overstated the margin of some winner over some loser by one vote is no more than µ/2 and no ballot overstates any margin by two votes. Then an initial sample of 15.2/µ ballots suffices.
If the sample shows any two-vote overstatements or more than 7 ballots with one-vote overstatements, more sampling might be required, depending on which margins have errors. If so, simple rules that involve only addition, subtraction, multiplication, and division can be used to determine when to stop.
A gentle introduction to risk-limiting audits
IEEE Security and Privacy
Cited by 8 (2 self)
Abstract—Risk-limiting audits provide statistical assurance that election outcomes are correct by manually examining portions of the audit trail—paper ballots or voter-verifiable
You Go to Elections with the Voting System You Have: Stop-Gap Mitigations for Deployed Voting Systems
Cited by 7 (3 self)
In light of the systemic vulnerabilities uncovered by recent reviews of deployed e-voting systems, the surest way to secure the voting process would be to scrap the existing systems and design new ones. Unfortunately, engineering new systems will take years, and many jurisdictions are unlikely to be able to afford new equipment in the near future. In this paper we ask how jurisdictions can make the best use of the equipment they already own until they can replace it. Starting from current practice, we propose defenses that involve new but realistic procedures, modest changes to existing software, and no changes to existing hardware. Our techniques achieve greatly improved protection against outsider attacks: they provide containment of viral spread, improve the integrity of vote tabulation, and offer some detection of individual compromised devices. They do not provide security against insiders with access to election management systems, which appears to require significantly greater changes to the existing systems.
Understanding the Security Properties of Ballot-Based Verification Techniques (Short Paper)
Cited by 6 (1 self)
As interest in the concept of verifiable elections has increased, so has interest in a variety of ballot-oriented mechanisms that offer the potential for more efficient verification than traditional precinct or machine-level audits. Unfortunately, threat analysis of these methods has lagged their design and in some cases implementation. This makes it difficult for policy makers to assess the merits and applicability of these techniques. This paper provides a fairly nontechnical description of the security threats facing these systems with the intent of informing deployment decisions.
A “sum of square roots” (SSR) pseudorandom sampling method for election audits
, 2008
Cited by 6 (0 self)
This note proposes a cute little heuristic method of generating a uniformly distributed pseudorandom number between 0 and 1 for each precinct in an election, for use in selecting a sample of precincts for a post-election audit. A function f is described that takes as input a 15-digit “seed” S and a six-digit precinct number i, and produces a pseudorandom output $x_i = f_S(i)$ between 0 and 1. The seed S is obtained by rolling fifteen dice in a public ceremony. For a 5% audit, precinct i will be audited if $x_i \le 0.05$. This approach also works well for auditing methods, such as negexp, that set different auditing probabilities for different precincts. We call the proposed method the “SSR” method, as it is based on taking the fractional part of a sum of three square roots. One of the nice features of this method is that it can be performed on the simplest of pocket calculators (assuming it has a square-root button). Thus, local election officials and/or election observers can easily determine and/or verify whether or not each particular precinct should be audited, once the seed S has been determined at headquarters. The SSR method should be highly unpredictable to an adversary—an adversary who does not know the seed should have no advantage in determining which precincts to corrupt. The SSR method is also highly efficient, since only 15 dice rolls need to be done, instead of thousands. Finally, it is easily verifiable
Bubble Trouble: Off-Line De-Anonymization of Bubble Forms
Cited by 3 (0 self)
Fill-in-the-bubble forms are widely used for surveys, election ballots, and standardized tests. In these and other scenarios, use of the forms comes with an implicit assumption that individuals’ bubble markings themselves are not identifying. This work challenges this assumption, demonstrating that fill-in-the-bubble forms could convey a respondent’s identity even in the absence of explicit identifying information. We develop methods to capture the unique features of a marked bubble and use machine learning to isolate characteristics indicative of its creator. Using surveys from more than ninety individuals, we apply these techniques and successfully re-identify individuals from markings alone with over 50% accuracy. This bubble-based analysis can have either positive or negative implications depending on the application. Potential applications range from detection of cheating on standardized tests to attacks on the secrecy of election ballots. To protect against negative consequences, we discuss mitigation techniques to remove a bubble’s identifying characteristics. We suggest additional tests using longitudinal data and larger datasets to further explore the potential of our approach in real-world applications.
Weight, Weight, Don’t Tell Me: Using Scales to Select Ballots for Auditing
Cited by 2 (0 self)
Ballot-based auditing offers a much higher level of statistical confidence for any given number of ballots counted than does precinct-based auditing. Unfortunately, it also comes with the problem of efficiently finding any particular ballot so that it can be audited. Previous work on ballot-based auditing has required modifying the ballots to add a serial number which could be used for indexing. We describe a method for using scales and ballot weight to quickly index into a stack of ballots. Preliminary experiments suggest that this method may be a practical alternative that is compatible with existing hardware.