[EL] The $45M Heist from NYC ATMs - Cushman
wjk
wjkellpro at aol.com
Fri May 17 11:57:42 PDT 2013
Reply to Mr. Cushman, whose Original Message is below.
One problem w/ imagining scary scenarios is that the emotion of fear can soar beyond all factual considerations. God will turn you into a block of stone if you look back while fleeing from the city He set ablaze. Or, if He feels in a watery mood, He’ll flood the planet to punish people for having too much fun. Faith that the Omnipotent Power really and truly exists makes these stories so intimidating that people will alter their behavior so as to avoid His wrath.
In the same way, that Omnipotent Lone Super Hacker, lurking somewhere out there in the vast unknown, uploads vote-changing malware in the Windows Update server, and voila! – 51% of the votes cast are for the Great Hacker’s favorite gubernatorial candidate. Microsoft Security Division never caught it. The FBI never caught it. McAfee and all of the other security companies never caught it. Security organizations around the world never caught it. For these are mere mortals.
Since this is a One Superman operation, the winning candidate has no obligation to work the Hacker’s will. There was no criminal conspiracy for law enforcement to detect. So, what’s in it for the Hacker? Not money. Not political power. Just the thrill of exercising His omnipotency?
Public policy should not be cowed by silly scary stories.
To understand how fact-respecting Social Science can clarify Internet voting security analysis, see http://ssrn.com/abstract=2229557
Also, similar scary scenarios are discussed at length there.
William J. Kelleher, Ph.D.
Political Scientist, author, speaker,
CEO for The Internet Voting Research and Education Fund
Email: Internetvoting at gmail.com
Blog: http://tinyurl.com/IV4All
Twitter: wjkno1
LinkedIn: www.linkedin.com/pub/william-j-kelleher-ph-d/9/466/687/
Author of Internet Voting Now!
-----Original Message-----
From: Jack Cushman <jcushman at gmail.com>
To: wjk <wjkellpro at aol.com>
Cc: law-election <law-election at department-lists.uci.edu>
Sent: Thu, May 16, 2013 4:53 pm
Subject: Re: The $45M Heist from NYC ATMs - Cushman
I'm sympathetic in general to the idea of risk management -- that any election system is imperfect and susceptible to attack, and perfect should not be the enemy of the good. What gives me pause about internet voting is that it's not really amenable to risk management, because the risk is absolute and unquantifiable. By which I mean, there is no limit on how large an attack can be and still succeed.
For example, consider the risk in Massachusetts, where we use paper ballots and optical scan for the most part. I can describe attacks on this model, such as corrupting the optical scan counts; corrupting officials to throw out ballots; coercing absentee ballots; and designing ballots so that some voters cast the wrong votes. But I cannot describe an attack that would meaningfully shift the vote without being detected. Any meaningful attack would require thousands of accomplices throughout the state including the cooperation of opposing observers, or would be defeated by a hand recount. So I can put a low upper bound on corruption with great confidence. And this is true regardless of the resources brought to bear in the attack. For example, it's interesting to consider whether you could arbitrarily rewrite the vote count in Massachusetts without being detected, assuming you had unlimited financial resources and unlimited human assistance from people who were not physically in Massachusetts. I lean towards no.
By contrast, the attacks I can describe on internet voting systems are much more powerful. For example: a zero-day exploit in the Windows Update server that installs itself a week before the election on computers throughout California and deletes itself afterward might allow me to control north of 50% of ballots without detection. The same might go for, oh, a zero-day exploit in Amazon's Elastic Load Balancer, which would allow me to filter every request and response to every voting website hosted by Amazon, which would be most of them. So I end up with an upper bound on the number of votes that could be modified undetectably as, oh, 50%? 75%? And a lower bound on the resources required to pull it off of, oh, 10 people? One person?
(By undetectably, I mean technically. Obviously at some point the corruption would become statistically unmistakeable, although the true vote would still be irretrievable.)
In short: we are adopting a critical vulnerability -- the power for one person to decide the election -- where one does not currently exist. (The Cabal notwithstanding. There is no Cabal.) Before we do that we should be able to confidently say that the vulnerability will never be exploited. We cannot.
I can see you've decided that the risk of the one-person scenario is effectively zero, but it seems to me you've decided that based on a gut-level analysis of the complexity of the task which does not translate to computers. The virtual machines we use to build websites and the virtual machines we use to break them are not ten times as complex as physical machines, they are millions of times as complex. They don't contain several layers of abstraction, they contain dozens. People who can take advantage of that complexity are able to accomplish extraordinary things.
Consider the one guy who hacked into 400,000 internet-connected devices undetected, just because he could; the teenager named Pinkie Pie who combined six different newly-discovered bugs to hack the near-bullet-proof Chrome browser; or the schizophrenic programmer who over eight years wrote his own flight simulator in his own programming language in his own from-scratch operating system. (To say nothing of the absurdities that can be pulled off by governments.) This is an area where our intuitions about what can be accomplished by one brilliant, weird person stop being even close to right. So are you right that there's a close to 0% chance someone could pull it off? Maybe. Or maybe 10%. Or maybe 99%.
But the idea that you can accurately estimate the risk of this new critical vulnerability you would introduce, that's unsupportable. So is the idea that we might have a problem if there was one county to hack, but 54 counties is way too many. That's not how things scale here.
Speaking of counties, I'm concerned that you would rely on heterogeneity here. The security experience in other areas has been that, if 54 people try to implement secure cryptographic systems, approximately 53 of them screw it up. The only path that will even plausibly get you to a secure voting system is to have a small number of open systems that everyone can bang on and try to prove secure. Of course that puts you firmly in the realm of "homogeneous enough for one dedicated person to break" -- but it's better than "poorly implemented enough in some counties that kids screw around with vote counts just because they're bored at school."
Maybe what I should ask is: if you compare your dream of internet voting to the very best system you can think of that has safety characteristics more like our current system in Massachusetts (for example, how about vote-by-mail with a cancellation option to address coercion?), what about your dream is so much better that it's worth accepting a safety profile that is so much worse?
Best,
Jack