Monday, July 30, 2007

Bowen Review Lights Up Humboldt Media

Following up on Friday night's post (Bowen's Red Team Compromises Each Voting System Tested) where I excerpted from the Diebold report, (much later) tonight I will present several items from the Hart Intercivic report, which also has relevance here in Humboldt. But first, a check of the local media.

The Eureka Times-Standard was first out of the gate on Saturday morning (archive). There are two things I have to point out about this article. The story's lede, sets the stage:

Local election systems may be vulnerable to hackers
James Faulk/The Times-Standard
Article Launched: 07/28/2007 04:21:31 AM PDT

EUREKA -- A team of University of California computer scientists were able to hack into several voting systems used by California counties, including the two systems currently used in Humboldt County, the secretary of state announced Friday.
I don't know that Faulk could have written a more straight up or accurate intro to this story. It makes it clear that hackers ARE able to hack into Humboldt voting systems. Then why does the headline say merely that the machines MAY be vulnerable to hackers?

The second comment I have about this article pertains to the last two paragraphs:
Humboldt County Registrar of Voters Carolyn Crnich said it's unclear under what conditions the tests were prepared.

"It's my understanding that the red team attacks that were made during the top-to-bottom review did not take into consideration the security efforts or guidelines that had been added by former Secretary of State Bruce McPherson -- so whether or not the systems could be penetrated with those other security guidelines in place, I don't know," Crnich said.
As I noted in the comments on the T-S website, the introduction of this report dismisses the Registrar's dodge:
In developing our attacks, we made no assumptions about constraints on the attackers. "Security through obscurity" – or the practice of assuming a veneer of security by relying on attackers not having access to protocol specifications or of using tools that are perceived to be difficult to acquire – is not an acceptable option for any system that can't afford to have its security compromised. Our study examined what a dedicated attacker could accomplish with all possible kinds of access.
Quoting myself from the T-S site...The greatest threat to our election systems comes not from an individual voter, but rather from insiders at the elections department or working for the machine vendor (Diebold). These are the people with the greatest access to these exploits who can secretly make large scale changes that will never be detected...I go on to say some other things but that's the gist for this post.

Now, the next article to land will be in Tuesday's Eureka Reporter. The story has been online for maybe an hour now. It is kind of strange. There is no byline and I'm the only person quoted other than a Bowen press release. The headline is: "Audit standards review group releases report." This refers to yet another component of Bowen's Top To Bottom Review (TTBR). Check out the 38-page report as a .pdf here. This article is comprised almost entirely of excerpts from the report and then concludes with quotes from me.

I believe the person who called me said her name was Laura. She sounded young and a little uncertain. She told me former elections beat writer Rebecca S. Bender had left the paper as of Friday last week. I knew about this because a few months ago at an Election Advisory Committee meeting, David Cobb inadvertently "outed" Rebecca's planned departure before she really wanted people to know. I had no reason to mention it until now but I do wish her well. So anyway, Laura asked for a comment on this new standards review report that came out today. I declined to comment since I hadn't read it. She then asked about the other related reports and we had a more general conversation about what is happening. Here's what she used:
Though he had not yet seen the report, Dave Berman, one of the founding members of the local Voter Confidence Committee, said he is aware that other studies have been conducted recently regarding the voting process in California, and said he looks forward to Bowen's announcement on Friday as to what action she plans to take.

Berman said the Voter Confidence Committee promotes the idea of handcounting 100 percent of the ballots the first time around and recounting 10 percent for the audit. He said simply increasing the percentage recounted in the audit is like "putting a Band-Aid on a gunshot wound" when the first count is performed by machines.
It seemed out of place at the end of this article but then I'm not sure I've ever had a better quote!

Hank Sims from The Journal and also KHUM called me today too, presumably for his Town Dandy column due out on Wednesday. We actually spoke twice, and in between he spoke with Registrar Crnich. That made our second chat very interesting. During that time he also got to look at something I am now making public for the first time.

This is a spreadsheet
that allows you to enter different variables, such as how many precincts are in your county and the average number of ballots cast per precinct. All together, the numbers you enter will then estimate how many ballot counters you need and what it will cost to pay them to do an all hand-count election. The Voter Confidence Committee will be incorporating this great new tool into the next iteration of our Report on Election Conditions in Humboldt County, CA. I don't know when that will happen. Meanwhile, election integrity advocates working for HCPB anywhere will find this tool useful. We all owe a debt of gratitude to Nancy Tobi and Democracy For New Hampshire. It is their recent presentation that provided me with the formula for creating the calculator. [NOTE: The presentation was actually made by NH Assistant Secretary of State Anthony Stevens – WNDC regrets the error.]

I have a feeling that after I've heard from a few people about the calculator I'll probably want to make it the centerpiece of another post instead of burying this announcement 80,000 paragraphs under the sea. At any rate, back to Hank Sims.

He asked me if I felt vindicated by these new reports. I told him I would not use that word. It suggests I had previously been thought wrong but now stand affirmed. The truth is that the findings of Bowen's TTBR explicitly state that previous exploits were again confirmed. Anybody coming around to these findings of fact really can't plausibly explain previously thinking otherwise.

Sims informed me that Registrar Crnich took a position with him that was similar to the one she took in the T-S piece above. Having already addressed this once, I realized it wasn't just sounding familiar from the Registrar. Moments before I got the first Sims call, I was looking at a document I had just received from the indefatigable Tom Courbat of Sav-R-Vote in Riverside County, CA. Click here for "the corporate line" by Sequoia, attempting to explain away all the findings of Bowen's Red Team members. I never did finish reading it, but its "those aren't the droids you're looking for" tone pretty much parallels what our Registrar was trying to pull off.

Plain and simple: there is no way to spin these reports to make the machines look good. Their time has passed. We've reached a tipping point of public consciousness where secret vote counting machines are completely unacceptable and public officials who continue to defend them do so at the risk of their own credibility.

Finally, as promised at the beginning of this marathon post, here are excerpts from Bowen's Red Team report on Hart Intercivic. These first two passages are identical to wording in the Diebold report. There are several other passages in common.
page 1

In developing our attacks, we made no assumptions about constraints on the attackers. "Security through obscurity" – or the practice of assuming a veneer of security by relying on attackers not having access to protocol specifications or of using tools that are perceived to be difficult to acquire – is not an acceptable option for any system that can't afford to have its security compromised Our study examined what a dedicated attacker could accomplish with all possible kinds of access.

p.10

Our study was constrained by the short time allowed. The vulnerabilities identified in this report should be regarded as a minimal set of vulnerabilities. (emphasis in original)

p.11

The Red Team, working in close conjunction with the 2007 TTBR Hart Source Code Team, discovered that the Hart EMS software implicitly trusts all communication coming from devices appearing to be Hart-branded and neither authenticates the devices nor performs adequate input validation on data transmitted to it by the devices. This allows for the possibility that a compromised device, such as an eScan that had been tampered with at a polling station, could infect the EMS systems. In particular, the Source Code Team discovered a weakness in the code that would allow an eScan to perform a buffer overflow attack and execute arbitrary code on the computer running SERVO.

...

The team was also able to access device-level menus that should be locked with passwords but were not. This access could allow an attacker a vector for altering configuration settings and/or executing a denial of service on the eScan.

Some of the findings from previous studies on precinct count optical scanners were replicated on the eScan, and they allowed the Red Team to maliciously alter vote totals with the potential to affect the outcome of an election. These attacks were low-tech and required tools that could be found in a typical office.

The Red Team implemented an attack devised by the 2007 TTBR Hart Source Code Team that was able to extract election-sensitive information from the eScan and issue administrative commands to the eScan. The leaked information would allow an attacker the ability to execute further attacks, while administrative commands issued to the eScan could erase electronic vote totals and audit records from an eScan while putting it out of service for the remainder of the Election Day. For more details on these attacks, please see the 2007 TTBR Hart Source Code Team report.

3. JBC
The Red Team verified previous findings on the JBC regarding access code generation and also discovered that a surreptitious device could issue commands that caused the JBC to authorize access codes. If the JBC is in early voting mode, it will not print receipts for the access codes issued. If the JBC is in regular election mode, it prints a receipt each time an access code is issued. When in early voting mode, an attacker could attach the surreptitious device to the JBC. (Note: the surreptitious device is easily concealable in one hand.) After waiting for about a minute, while all possible access codes are issued, the attacker could then proceed to cast multiple ballots using any access codes.

Additionally, the team expanded on previous findings that the MBB in the JBC is vulnerable to tampering during an election. Extracting the MBB from within the JBC during an election and tampering with it without detection would probably require poll worker access, but the team was able to prove that this access would be sufficient to alter vote totals – and in such a manner that it would not be detected in the course of normal operation, though a very thorough audit might reveal it. Furthermore, the team found that post-election MBB tampering safeguards (by which we mean only the technological safeguards, not procedural safeguards such as the use of tamper-evident seals) are insufficient to guarantee that such tampering would be detected. Thus, the team is confident that post-election MBB tampering would succeed in many, if not all, instances.

Finally, the Red Team collaborated with the 2007 TTBR Hart Source Code Team to decode the protocol used for communication between the JBC and eSlates. This protocol does not authenticate the devices on the bus (the communication line), so all communication is considered trusted. The teams were able to intercept the communication, but they were unable to get an exploit working to interrupt or manipulate the communication; this, again, was due to time constraints. Full details of this work can be found in the 2007 TTBR Hart Source Code Team report. The teams are confident that, given more time, they could craft a device that could maliciously alter vote totals and violate voter privacy.

p.14

IV. Successful Attack Scenarios

The following attack scenarios were successfully carried out in the laboratory environment of the Secretary of State’s testing facility.

1. Attack Scenario 1
In this scenario, a malicious voter prepares a surreptitious device and brings it with her to the polling station during early voting. She registers as usual and is issued an access code. Before she leaves the registration table, however, she quickly connects her device to the JBC and converses with the poll workers for a brief time—thirty to forty seconds should suffice. She proceeds to an eSlate and casts a ballot normally. She then enters arbitrary access codes and casts ballots at will, continuing to do this for as long as she suspects she will be unchallenged in the voting booth, casting an arbitrary number of ballots. This results in an electronic ballot box stuffing attack.

In an early voting situation, when the JBC doesn't print out a ballot access receipt each time an access code is issued, the Polls Suspended Report (automatically printed by the JBC) will indicate an unusually large number of access codes issued and more ballots cast than voters who checked in at the registration desk when polling concludes. In regular election mode, this problem would likely be detected much sooner, since the JBC is designed to print a ballot access receipt each time an access code is issued by the machine.

2. Attack Scenario 2
In this scenario, a malicious poll worker finds an opportunity after the close of polls to alter the contents of the MBB using his personal laptop. The attacker identifies ballots containing votes for a candidate he doesn't want to win the election and overwrites those ballots with records containing votes for a candidate he does want to be successful. After tampering with the MBB, the attacker replaces it in the expected chain of custody. The technological safeguards for detecting this tampering are insufficient and can, by default, go unobserved. This results in altered vote totals that can only be detected in the event of a manual recount of eSlate VVPAT records.

3. Attack Scenario 3
In this scenario, a malicious observer uses a remote device to capture the audio narration – including the narration associated with a voter's actual voted ballot – from an eSlate with audio capabilities. She is able to observe voters walking up to the eSlate and match them to the audio narration she is capturing, allowing her to violate a voter's right to privacy by linking voters to their vote selections.

...

p. 16

VI. Conclusions
Although the Red Team did not have time to finish exploits for all of the vulnerabilities we discovered, nor to provide a complete evaluation of the Hart voting system (System 6.2.1), we were able to discover attacks for the Hart system that could compromise the accuracy, secrecy, and availability of the voting systems and their auditing mechanisms. That is, the Red Team has developed exploits that – absent procedural mitigation strategies – can alter vote totals, violate the privacy of individual voters, make systems unavailable, and delete audit trails.

Permalink:
http://wedonotconsent.blogspot.com/2007/07/bowen-review-lights-up-humboldt-media.html


Labels: , , , , , , , , , ,

Posted by Dave Berman - 11:09 PM | Permalink
Comments (1 So Far) | Top of Page | WDNC Main Page

Read or Post a Comment

I'm left wondering why Hart Intercivic was treated so much nicer than Sequoia or Diebold, which, for now, are not allowed to use their touchscreens for non-disabled voting in elections. But Hart Intercivic's eSlate touchscreen is allowed.

Among the other disturbing implications of this is that Bowen implicitly found nothing wrong with the touchscreen itself, at its basic level, to justify decertification (if she or the teams even looked at this, that is). For example, the fact that the voter never sees their electronic ballot, the fact that the votes are always and unavoidably counted in secret, the total lack of accountability that secrecy provides, etc.

Posted by Blogger PR Finn @ Aug 9, 2007, 1:01:00 PM
Permalink to comment | Top of Page | WDNC Main Page
 
<< Home
As shown on
Dave's new blog,
Manifest Positivity

We Do Not Consent, Volume 1 (left) and Volume 2 (right), feature essays from Dave Berman's previous blogs, GuvWurld and We Do Not Consent, respectively. Click the covers for FREE e-book versions (.pdf). As of April 2010, paperbacks are temporarily out of print. Click here for the author's bio.

Back Page Quotes

"Give a damn about the world you live in? Give a damn about what you and I both know is one of the most shameful and destructive periods in American history? If so, do something about it. You can start by reading We Do Not Consent."

— Brad Friedman, Creator/Editor, BradBlog.com; Co-Founder, VelvetRevolution.us


"If in the future we have vital elections, the "no basis for confidence" formulation that GuvWurld is popularizing will have been a historically important development. This is true because by implicitly insisting on verification and checks and balances instead of faith or trust in elections officials or machines as a basis for legitimacy, it encourages healthy transparent elections. It’s also rare that a political formulation approaches scientific certainty, but this formulation is backed up by scientific principles that teach that if you can’t repeat something (such as an election) and verify it by independent means, it doesn’t exist within the realm of what science will accept as established or proven truth."

— Paul Lehto, Attorney at Law, Everett, WA


"Dave Berman has been candid and confrontational in challenging all of us to be "ruthlessly honest" in answering his question, "What would be better?" He encourages us to build consensus definitions of "better," and to match our words with actions every day, even if we do only "the least we can do." Cumulatively and collectively, our actions will bring truth to light."

— Nezzie Wade, Sociology Professor, Humboldt State University and College of the Redwoods


"Dave Berman's work is quietly brilliant and powerfully utilitarian. His Voter Confidence Resolution provides a fine, flexible tool whereby any community can reclaim and affirm a right relation to its franchise as a community of voters."

— Elizabeth Ferrari, San Francisco, Green Party of California


"This is an important collection of essays with a strong unitary theme: if you can't prove that you were elected, we can't take you seriously as elected officials. Simple, logical, comprehensive. 'Management' (aka, the 'powers that be') needs to get the message. 'The machines' are not legitimizers, they're an artful dodge and a path to deception. We've had enough...and we most certainly DO NOT consent."

— Michael Collins covers the election fraud beat for "Scoop" Independent Media


"What's special about this book (and it fits because there's nothing more fundamental to Democracy than our vote) is the raising of consciousness. Someone recognizing they have no basis for trusting elections may well ask what else is being taken for granted."

— Eddie Ajamian, Los Angeles, CA


"I urge everyone to read "We Do Not Consent", and distribute it as widely as possible."

— B Robert Franza MD, author of We the People ... Have No Clothes: A Pamphlet for every American