Wednesday, August 08, 2007
What Have We Learned About Elections Lately?
CA Secretary of State Debra Bowen made a dramatic late-night announcement on Friday, August 3, presenting her certification decisions for the state's voting systems. Bowen completely decertified InkaVote, sold by ES&S and formerly used only in Los Angeles, because the source code was not submitted for review. All other equipment was decertified and recertified with new conditions for use, based in part on the reports (lower on the same page as the above link) of Bowen's Red Teams of computer security experts (see my summaries of the Diebold and Hart InterCivic reports). Some of these terms are vague or confusing, and I'll cover that in a bit.
What is clear to me is that the public is becoming more aware and more concerned about our election conditions. I have observed more people than ever having open discussions about Diebold, Bowen, and hand-counting paper ballots. More than a few people contacted me by e-mail in the past week to ask how to get involved. The increased interest in election integrity feels palpable to me.
While plentiful, Humboldt media coverage has been mixed, at best, while at other times presenting an alternate reality. On July 28, The Times-Standard gave us a headline of "Local election systems may be vulnerable to hackers" above a lede that makes clear local election systems ARE vulnerable to hackers. Today, a T-S headline read, "County election system fares well in review" - despite the Red Team reports of countless exploits found in our Diebold optical scanners.
Hank Sims had a little more on the ball in last week's Town Dandy column in the Journal: "...the hackers basically made mincemeat of the machines, demonstrating a variety of ways to skew the vote...The Red Team also verified that the optical scanning machines found at our precincts could be easily jimmied and rendered inoperative."
Having checked out the amazing calculator tool (.xls) I wrote about last week, Sims went on to address the feasibility of the Voter Confidence Committee's campaign for hand-counted paper ballots:
Berman's suggestion: Ditch the machines and go to a pure hand-count of all votes cast. Initial twiddling with the numbers suggests that it wouldn't be all that time-consuming or costly -- and wouldn't you rather wait a few days and spend a little more for a trustworthy count?
I have no objection to being called "obsessive" when the same article makes my case this well. The new issue of the Journal is out but not yet online. Sims again writes about elections, referring to Bowen's "weekend massacre." The problems this will cause Humboldt are "relatively minor," says Sims, contrasting with the newly machine-less LA. True that.
However, I believe Sims understates things when saying that shoring up security for the GEMS central tabulator will merely mean "our elections office will have to change up procedure a bit." I leave it to the reader to re-trace my many prior references to the dangers of GEMS. Here I shall only point to the words from another of the reports provided to Bowen in her Top To Bottom Review (TTBR). This is from the Executive Summary of the Source Code Review of the Diebold Voting System:
Vulnerability to malicious insiders
The Diebold system lacks adequate controls to ensure that county workers with access to the GEMS central election management system do not exceed their authority. Anyone with access to a county's GEMS server could tamper with ballot definitions or election results and could also introduce malicious software into the GEMS server itself or into the county's voting machines.
Although we present several previously unpublished vulnerabilities, many of the weaknesses that we describe were first identified in previous studies of the Diebold system (e.g., [26], [17], [18], [19], [33], [23], and [14]). Our report confirms that many of the most serious flaws that these studies uncovered have not been fixed in the versions of the software that we studied.
Since many of the vulnerabilities in the Diebold system result from deep architectural flaws, fixing individual defects piecemeal without addressing their underlying causes is unlikely to render the system secure. Systems that are architecturally unsound tend to exhibit "weakness-in-depth": even as known flaws in them are fixed, new ones tend to be discovered. In this sense, the Diebold software is fragile.
Due to these shortcomings, the security of elections conducted with the Diebold system depends almost entirely on the effectiveness of election procedures. Improvements to existing procedures may mitigate some threats in part, but others would be difficult, if not impossible, to remedy procedurally. Consequently, we conclude that the safest way to repair the Diebold system is to reengineer it so that it is secure by design.
It doesn't get any more devastating than that. All the preening of Humboldt Registrar of Voters Carolyn Crnich is plainly phoney, and the media pandering to her is reprehensible. Sims gets a pass for his support of HCPB, but here is more bad journalism from the T-S ("E-voting order may have little impact here"), and without Rebecca S. Bender it seems the Eureka Reporter has gone mute on this subject, save a great letter to the editor submitted by VCC members Ruth Hoke and George Hurlburt.
What is happening is that Crnich and other Registrars throughout the state are in a highly defensive posture. Being forced to give up all their equipment would mean maximum uncertainty and the greatest amount of work. Instead, in fine CYA fashion, we see continued apologies for secret vote counting machines. You don't have to look all that closely to see the similarities in the rhetoric of Registrars and machine vendors such as Diebold. It is unconscionable that the results of Bowen's TTBR would make anyone more inclined to support "electronic voting machines." We're past the time of being surprised by such things, including the media's facilitation role. It is time we use these points against them. Ready for the first great example?
As Sims points out in his new column, Bowen has banned the use of modems for transmitting precinct results to the central tabulator. The VCC report addresses the risks of modems and obviously calls for their banishment, as they are unnecessary with hand-counting. The beauty of what Sims says:
"The machines will have to be physically delivered back to Elections HQ before the counting commences, which means that we will no longer have election night results."
Of course, one of the most common blusters we hear against HCPB is that it will take too long. We are now very close to having definitive proof that HCPB will be faster. The VCC continues to call upon Crnich to help us narrow down the range of estimates plugged into the calculator tool (.xls) for forecasting manpower needs and costs of hand-counting 100% of the paper ballots. And now, thanks to Sims, I believe we should hereby permanently lay to rest the canard of immediate election results being prioritized over accuracy.
Now, regarding Bowen's conditional certification of Diebold, the way she has this posted online, I'm unable to copy and paste text directly out of the document. So, here I'll just re-type brief references and encourage you to read the full document for yourself.
Page 2
"voting systems analyzed were inadequate to ensure accuracy and integrity of the election results...contain serious design flaws...which attackers could exploit to affect election outcomes...Diebold software contains vulnerabilities that could allow an attacker to install malicious software on voting machines and on the election management system, which could cause votes to be recorded incorrectly or to be miscounted, possibly altering election results...due to these shortcomings some threats would be difficult, if not impossible, to remedy with election procedures...with access only to the Windows operating system on the Diebold GEMS election management server supplied by Diebold and without requiring access to Diebold source code [Red Team members] were able to access the Diebold voting system server software and to corrupt the election management system database, which could result in manipulated voter totals or the inability to read election results, rendering an election impossible to complete electronically."
Page 3
"...without accessing Diebold source code, [Red Team members] gained access to the election management server to manipulate and corrupt the election management system database...some of these attacks could be carried out in a manner that is not subject to detection by audit, including review of the software logs."
[WDNC]: The next quote is from page four, and it strikes me as contradictory and dangerously hypocritical (sorry, Bowen).
Page 4
"...tampering with optical scan equipment...can be readily detected and corrected through hand counting of the optical scan paper ballots marked and directly verified by voters."
[WDNC]: First of all, this begs acceptance of the vulnerability. With various exploits described as difficult or impossible to detect, there is no justification for guaranteeing detection, let alone correction, with opscans. This puts an undue burden on the People, whose rights are not being secured here as a government is charged to do. Rules and regulations meant to promote public oversight must first clear the view with a more transparent method of counting votes.
Page 4
"...studies have shown that many voters do not review VVPAT [Voter Verified Paper Audit Trail] records and that test voters who do review VVPAT records do not detect many discrepancies that have been intentionally introduced..."
Page 5
"In order to provide accessible balloting to voters with disabilities in compliance with HAVA, jurisdictions may use no more than one AccuVote-TSx per polling place on Election Day."
[WDNC]: This refers to the touch screen models, not used in Humboldt. Registrars have been complaining about this and it is easy to understand why. They are either going to have massive logjams of voters all trying to vote on one machine where there used to be several or many, or they will urgently have to buy many new optical scanners, or they will have to resort to hand-counting.
Page 5
Requires "a 100% manual count of all votes cast on an AccuVote-TSx."
[WDNC]: This is astounding. Hand-counting 100% of the votes defeats the purpose of having the machine count them. My assumption is that Bowen is trying to discourage use of the touch screen machines, and so the hope would be for relatively few votes cast this way in need of being hand-counted.
Page 6
"Before any use in the February 5, 2008, Presidential primary election, jurisdictions must reinstall all software and firmware (including reformatting all hard disk drives and reinstalling the operating system where applicable) on all election management system servers and workstations, voting devices and hardware components of the voting system. Voting system application software must be reinstalled using the currently approved version obtained directly from the federal testing laboratory or the Secretary of State."
Page 7
"Within 30 days of the date of this document, the vendor must develop and submit to the Secretary of State for approval, a plan and procedures for timely identification of required security updates (e.g., operating system security patches, security software updates, etc), vendor testing of the updates, and secure distribution and application of vendor-approved security updates."
[WDNC]: Why should we have confidence in the machines in their newly approved form when the expectation is that more security flaws will be found? Avi Rubin makes a similar observation. This page also inexplicably allows for networking, though it does have the modem prohibition. It also makes reference to the two-person rule, which I believe goes back to the Feb. 2006 VSTAAB report, which recommends that optical scanners and memory cards never be in anyone's sole possession. That would seem to preclude sleepovers; however, page 9 seems to allow poll workers to take home machines prior to Election Day.
Page 8
"Upon request, members of the public must be permitted to observe and inspect, without physical contact, the integrity of all externally visible security seals used to secure voting equipment in a time and manner that does not interfere with the conduct of the election or the privacy of any voter."
[WDNC]: This looks great on paper, but we've seen Registrars plainly obstruct citizens' access to their Democracy. This should carry a severe criminal penalty. Page 8 also requires posting of poll tapes, another apparent victory that in reality carries no weight. As the VCC learned last November, precinct poll tapes are useless when the County never provides, as a basis for comparison, the raw precinct scanner data before it has been combined with absentee or other ballots not cast on the scanner in the precinct on Election Day.
Page 8
"Any post-election auditing requirements imposed as a condition of this certification shall be paid for by the vendor. Jurisdiction users are required to conduct the audits and the vendor is required to reimburse the jurisdiction."
[WDNC]: I'm getting near the end now. Just a few more stray notes, such as page 9 continuing the requirement (begun under McPherson?) that counties submit a post-election problem report to the SoS. Page 10 describes how to deal with machines whose security has been compromised, and also machines that have been rebooted or which have rebooted themselves. The bottom of page 11 and the top of page 12 are a bit troublesome. They attempt to put vendors on the hook for warrantying their equipment, but all they really do is say vendors have to stand by their word and repair equipment at their own expense when they have been caught lying again. This is not nearly strict enough. Finally, page 12 expands the requirement for vendors to give the SoS a copy of the source code, in addition to placing a copy in escrow.
So, what have we learned about elections lately?
Permalink:
http://wedonotconsent.blogspot.com/2007/08/what-have-we-learned-about-elections.html
Labels: Carolyn Crnich, Debra Bowen, Diebold, Eureka Reporter, Eureka Times-Standard, hand-counting paper ballots, Hank Sims, The Journal, Voter Confidence Committee, VSTAAB
Dave:
Regarding para. 5, I believe Bowen's intent is to allow the TSx machines for use mainly by disabled voters...
Did you see Matt Blaze's blog, http://www.crypto.com/blog/ca_voting_report/? It's his personal comments about the California Top to Bottom Review. He was on the team that examined Sequoia's source code. Just two of his paragraphs demonstrate clearly the shockingly inadequate security of the machines that have been counting our votes:
"I was especially struck by the utter banality of most of the flaws we discovered. Exploitable vulnerabilities arose not so much from esoteric weaknesses that taxed our ingenuity, but rather from the garden-variety design and implementation blunders that plague any system not built with security as a central requirement. There was a pervasive lack of good security engineering across all three systems, and I'm at a loss to explain how any of them survived whatever process certified them as secure in the first place. Our hard work notwithstanding, unearthing exploitable deficiencies was surprisingly -- and disturbingly -- easy.
"Much of the controversy around electronic voting concerns the possibility of hidden "backdoors" incorporated by a nefarious vendor. Properly obfuscated, such mischief would be almost impossible to detect. Yet our reports chronicle software weakened not by apparent malice but by a litany of elementary mistakes: static cryptographic keys, unsecured interfaces, poorly validated inputs, buffer overflows, and basic programming errors in security-critical modules. Deliberate backdoors in these systems, if any existed, would be largely superfluous."
Let's not forget that we the taxpayers have spent millions and millions of dollars for these machines, making the vote counting companies rich and giving us warehouses full of junk.
Handcounts are looking better every day.
Jane
Thanks for the link, Jane. Those are great excerpts.
As for Bowen's intent, I think you must be correct at least in part. Of course she wants to provide for HAVA compliance rather than risk provoking a federal lawsuit. My point was more about the net effect - either tons of votes cast on the sole surviving DRE, and lots to hand count, or more likely discouragement from DRE voting and limited numbers requiring hand counting.
--Dave