Wednesday, August 08, 2007

What Have We Learned About Elections Lately?

CA Secretary of State Debra Bowen made a dramatic late-night announcement on Friday, August 3, presenting her certification decisions for the state's voting systems. Bowen completely decertified InkaVote, sold by ES&S and formerly used only in Los Angeles, because the source code was not submitted for review. All other equipment was decertified and recertified with new conditions for use, based in part on the reports (lower on same page as above link) of Bowen's Red Teams of computer security experts (see my summaries of the Diebold and Hart Intercivic reports). Some of these terms are vague or confusing, and I'll cover that in a bit.

What is clear to me is that the public is becoming more aware and more concerned about our election conditions. I have observed more people than ever having open discussions about Diebold, Bowen, and hand-counting paper ballots. More than a few people contacted me by e-mail in the past week to ask how to get involved. The increased interest in election integrity feels palpable to me.

While plentiful, Humboldt media coverage has been mixed, at best, while at other times presenting an alternate reality. On July 28, The Times-Standard gave us a headline of "Local election systems may be vulnerable to hackers" above a lede that makes clear local election systems ARE vulnerable to hackers. Today, a T-S headline read, "County election system fares well in review" - despite the Red Team reports of countless exploits found in our Diebold optical scanners.

Hank Sims had a little more on the ball in last week's Town Dandy column in the Journal: "...the hackers basically made mincemeat of the machines, demonstrating a variety of ways to skew the vote...The Red Team also verified that the optical scanning machines found at our precincts could be easily jimmied and rendered inoperative."

Having checked out the amazing calculator tool (.xls) I wrote about last week, Sims went on to address the feasibility of the Voter Confidence Committee's campaign for hand-counted paper ballots:

Berman's suggestion: Ditch the machines and go to a pure hand-count of all votes cast. Initial twiddling with the numbers suggests that it wouldn't be all that time-consuming or costly -- and wouldn't you rather wait a few days and spend a little more for a trustworthy count?
I have no objection to being called "obsessive" when the same article makes my case this well. The new issue of the Journal is out but not yet online. Sims again writes about elections, referring to Bowen's "weekend massacre." The problems this will cause Humboldt are "relatively minor," says Sims, contrasting with the newly machine-less LA. True that.

However, I believe Sims understates things when saying that shoring up security for the GEMS central tabulator will merely mean "our elections office will have to change up procedure a bit." I leave it to the reader to re-trace my many prior references to the dangers of GEMS. Here I shall only point to the words from another of the reports provided to Bowen in her Top To Bottom Review (TTBR). This is from the Executive Summary of the Source Code Review of the Diebold Voting System:
Vulnerability to malicious insiders
The Diebold system lacks adequate controls to ensure that county workers with access to the GEMS central election management system do not exceed their authority. Anyone with access to a county's GEMS server could tamper with ballot definitions or election results and could also introduce malicious software into the GEMS server itself or into the county's voting machines.

Although we present several previously unpublished vulnerabilities, many of the weaknesses that we describe were first identified in previous studies of the Diebold system (e.g., [26], [17], [18], [19], [33], [23], and [14]). Our report confirms that many of the most serious flaws that these studies uncovered have not been fixed in the versions of the software that we studied.

Since many of the vulnerabilities in the Diebold system result from deep architectural flaws, fixing individual defects piecemeal without addressing their underlying causes is unlikely to render the system secure. Systems that are architecturally unsound tend to exhibit "weakness-in-depth" -- even as known flaws in them are fixed, new ones tend to be discovered. In this sense, the Diebold software is fragile.

Due to these shortcomings, the security of elections conducted with the Diebold system depends almost entirely on the effectiveness of election procedures. Improvements to existing procedures may mitigate some threats in part, but others would be difficult, if not impossible, to remedy procedurally. Consequently, we conclude that the safest way to repair the Diebold system is to reengineer it so that it is secure by design.
It doesn't get any more devastating than that. All the preening of Humboldt Registrar of Voters Carolyn Crnich is plainly phoney, and the media pandering to her is reprehensible. Sims gets a pass for his support of HCPB, but here is more bad journalism from the T-S ("E-voting order may have little impact here"), and without Rebecca S. Bender it seems the Eureka Reporter has gone mute on this subject, save a great letter to the editor submitted by VCC members Ruth Hoke and George Hurlburt.

What is happening is that Crnich and other Registrars throughout the state are in a highly defensive posture. Being forced to give up all their equipment would mean maximum uncertainty and the greatest amount of work. Instead, in fine CYA fashion, we see continued apologies for secret vote counting machines. You don't have to look all that closely to see the similarities in the rhetoric of Registrars and machine vendors such as Diebold. It is unconscionable that the results of Bowen's TTBR would make anyone more inclined to support "electronic voting machines." We're past the time of being surprised by such things, including the media's facilitation role. It is time we use these points against them. Ready for the first great example?

As Sims points out in his new column, Bowen has banned the use of modems for transmitting precinct results to the central tabulator. The VCC report addresses the risks of modems and obviously calls for their banishment as they are unnecessary with hand-counting. The beauty of what Sims says:
"The machines will have to be physically delivered back to Elections HQ before the counting commences, which means that we will no longer have election night results."
Of course, one of the most common blusters we hear against HCPB is that it will take too long. We are now very close to having definitive proof that HCPB will be faster. The VCC continues to call upon Crnich to help us narrow down the range of estimates plugged into the calculator tool (.xls) for forecasting manpower needs and costs of hand-counting 100% of the paper ballots. And now, thanks to Sims, I believe we should hereby permanently lay to rest the canard of immediate election results being prioritized over accuracy.

* * *

Now, regarding Bowen's conditional certification of Diebold, the way she has this posted online, I'm unable to copy and paste text directly out of the document. So, here I'll just re-type brief references and encourage you to read the full document for yourself.

Page 2

"voting systems analyzed were inadequate to ensure accuracy and integrity of the election results...contain serious design flaws...which attackers could exploit to affect election outcomes...Diebold software contains vulnerabilities that could allow an attacker to install malicious software on voting machines and on the election management system, which could cause votes to be recorded incorrectly or to be miscounted, possibly altering election results...due to these shortcomings some threats would be difficult, if not impossible, to remedy with election procedures...with access only to the Windows operating system on the Diebold GEMS election management server supplied by Diebold and without requiring access to Diebold source code [Red Team members] were able to access the Diebold voting system server software and to corrupt the election management system database, which could result in manipulated voter totals or the inability to read election results, rendering an election impossible to complete electronically."

Page 3

"...without accessing Diebold source code, [Red Team members] gained access to the election management server to manipulate and corrupt the election management system database...some of these attacks could be carried out in a manner that is not subject to detection by audit, including review of the software logs."

[WDNC]: the next quote is from page four and it strikes me as contradictory and dangerously hypocritical (sorry Bowen)

Page 4

"...tampering with optical scan equipment...can be readily detected and corrected through hand counting of the optical scan paper ballots marked and directly verified by voters."

[WDNC]: First of all, this begs acceptance of the vulnerability. With various exploits described as difficult or impossible to detect, there is no justification for guaranteeing detection, let alone correction, with opscans. This puts an undue burden on the People whose rights are not being secured here, as a government is charged to do. Rules and regulations trying to promote public oversight must first clear the view with a more transparent method of counting votes.

Page 4

"...studies have shown that many voters do not review VVPAT [Voter Verified Paper Audit Trail] records and that test voters who do review VVPAT records do not detect many discrepancies that have been intentionally introduced..."

Page 5

"In order to provide accessible balloting to voters with disabilities in compliance with HAVA, jurisdictions may use no more than one AccuVote-TSx per polling place on Election Day."

[WDNC]: This refers to the touch screen models, not used in Humboldt. Registrars have been complaining about this and it is easy to understand why. They are either going to have massive logjams of voters all trying to vote on one machine where there used to be several or many, or they will urgently have to buy many new optical scanners, or they will have to resort to hand-counting.

Page 5

Requires "a 100% manual count of all votes cast on an AccuVote-TSx."

[WDNC]: This is astounding. Hand-counting 100% of the votes defeats the purpose of having the machine count them. My assumption is that Bowen is trying to discourage use of the touch screen machines and so the hope would be for relatively few votes cast this way in need of being hand-counted.

Page 6

"Before any use in the February 5, 2008, Presidential primary election, jurisdictions must reinstall all software and firmware (including reformatting all hard disk drives and reinstalling the operating system where applicable) on all election management system servers and workstations, voting devices and hardware components of the voting system. Voting system application software must be reinstalled using the currently approved version obtained directly from the federal testing laboratory or the Secretary of State."

Page 7

"Within 30 days of the date of this document, the vendor must develop and submit to the Secretary of State for approval, a plan and procedures for timely identification of required security updates (e.g., operating system security patches, security software updates, etc), vendor testing of the updates, and secure distribution and application of vendor-approved security updates."

[WDNC]: Why should we have confidence in the machines in their newly approved form when the expectation is that more security flaws will be found? Avi Rubin makes a similar observation. This page also inexplicably allows for networking, though it does have the modem prohibition. It also makes reference to the two-person rule which I believe goes back to the Feb. 2006 VSTAAB report, which recommends that optical scanners and memory cards never be in anyone's sole possession. This would seem to preclude sleepovers, however, page 9 seems to allow poll workers to take home machines prior to Election Day.

Page 8

"Upon request, members of the public must be permitted to observe and inspect, without physical contact, the integrity of all externally visible security seals used to secure voting equipment in a time and manner that does not interfere with the conduct of the election or the privacy of any voter."

[WDNC]: This looks great on paper but we've seen Registrars plainly obstruct the access of citizens to their Democracy. This should carry a severe criminal penalty. Page 8 also requires posting of poll tapes, another apparent victory that in reality carries no weight. As the VCC learned last November, precinct poll tapes are useless when the County never provides as a basis for comparison raw precinct scanner data that has not been combined with absentee or other ballots not cast on the scanner in the precinct on Election Day.

Page 8

"Any post-election auditing requirements imposed as a condition of this certification shall be paid for by the vendor. Jurisdiction users are required to conduct the audits and the vendor is required to reimburse the jurisdiction."

[WDNC]: I'm getting near the end now. Just a few more stray notes, such as page 9 continuing the requirement (begun under McPherson?) that counties submit a post-election problem report to the SoS. Page 10 describes how to deal with machines whose security has been compromised, and also machines that have been rebooted or which have rebooted themselves. The bottom of page 11 and the top of page 12 is a bit troublesome. It attempts to put vendors on the hook for warrantying their equipment, but all it really does is say they have to stand by their word and repair equipment at their expense when they have been caught lying again. This is not nearly strict enough. Finally, page 12 expands the requirement for vendors to give the SoS a copy of the source code, in addition to placing a copy in escrow.

So, what have we learned about elections lately?



Posted by Dave Berman - 11:34 PM


Regarding para. 5, I believe Bowen's intent is to allow the TSx machines for use mainly by disabled voters...

Did you see Matt Blaze's blog? It's his personal comments about the California Top to Bottom Review. He was on the team that examined Sequoia's source code. Just two of his paragraphs demonstrate clearly the shockingly inadequate security of the machines that have been counting our votes:

"I was especially struck by the utter banality of most of the flaws we discovered. Exploitable vulnerabilities arose not so much from esoteric weaknesses that taxed our ingenuity, but rather from the garden-variety design and implementation blunders that plague any system not built with security as a central requirement. There was a pervasive lack of good security engineering across all three systems, and I'm at a loss to explain how any of them survived whatever process certified them as secure in the first place. Our hard work notwithstanding, unearthing exploitable deficiencies was surprisingly -- and disturbingly -- easy.

"Much of the controversy around electronic voting concerns the possibility of hidden "backdoors" incorporated by a nefarious vendor. Properly obfuscated, such mischief would be almost impossible to detect. Yet our reports chronicle software weakened not by apparent malice but by a litany of elementary mistakes: static cryptographic keys, unsecured interfaces, poorly validated inputs, buffer overflows, and basic programming errors in security-critical modules. Deliberate backdoors in these systems, if any existed, would be largely superfluous."

Let's not forget that we the taxpayers have spent millions and millions of dollars for these machines, making the vote counting companies rich and giving us warehouses full of junk.

Handcounts are looking better every day.


Posted by Blogger Jane Allen @ Aug 9, 2007, 11:40:00 AM

Thanks for the link, Jane. Those are great excerpts.

As for Bowen's intent, I think you must be correct at least in part. Of course she wants to provide for HAVA compliance rather than risk provoking a federal lawsuit. My point was more about the net effect - either tons of votes cast on the sole surviving DRE, and lots to hand count, or more likely discouragement from DRE voting and limited numbers requiring hand counting.


Posted by Blogger Dave Berman @ Aug 9, 2007, 12:13:00 PM