Thursday, December 18, 2008
Humboldt Envy?
Last week I posted a letter to the editor I had published in the Eureka Times-Standard (archive). It was written quickly on the morning of December 5, in the midst of the breaking news that the Humboldt County Election Transparency Project had revealed a failure in Diebold's GEMS central tabulator causing the County's certified election results from November to be proven inaccurate.
I sent the same letter to the North Coast Journal since there was also a breaking story on their website about it, even though it hadn't yet appeared in their weekly print edition. When that came out last Wednesday, I wasn't too surprised the letter wasn't published or that editor Hank Sims had editorialized about the story. So I used his column as the basis for yet another letter, which the Journal has published in this week's paper:North Coast Journal
It is tough to be timely in a weekly paper when commenting on a fluid situation. See my exclusive report from Wednesday morning about Humboldt County Registrar of Voters Carolyn Crnich announcing her intention to dump Diebold scanners in favor of similar secret corporate vote "counting" machines from Hart InterCivic. It is a major advance of the narrative above and has been republished at OpEdNews and Scoop.
Mail Box
12/18/08
Dear Editor:
Hank Sims now says Humboldt's official method of counting votes is an outrage ("Town Dandy," Dec. 11) and the Diebold/Premier folks "should be shunned. Maybe indicted." He may be late to the party, but the top hat and tails are always welcome.
Yes, Humboldt has joined Florida, Ohio, and towns and counties across the land who have experienced the failures of electronic voting. Our certification of inaccurate results has made national news and broken down some of the local wall of denial.
A December 7 editorial in The Times-Standard said local opponents of Diebold "were right to make noise, and right to complain about a company that has been less than responsible." Humboldt Registrar of Voters Carolyn Crnich told Wired.com in a Dec. 8 article, "this has sort of put a cloud over any confidence that I had in the Premier equipment that's been in this department since 1995."
Has Humboldt finally reached a tipping point? Are we ready to consider alternatives to Diebold? If so, a careful evaluation of the possibilities and input from a well informed community would be both appropriate and desirable.
I'd like to see more consistency in Sims' election integrity advocacy. And bottom line, I hope he'll push for a thorough examination of our options. A lot of work has already been done to facilitate evaluating hand-counting paper ballots, though Election Transparency Project volunteers may have other preferences and ideas to contribute to what could become the most envied process and dialog in the country.
Dave Berman, Eureka
Permalink:
http://wedonotconsent.blogspot.com/2008/12/humboldt-envy.html
Labels: Carolyn Crnich, Diebold, Eureka T-S, Hank Sims, Hart Intercivic, Humboldt County, Letter to the editor, North Coast Journal
Wednesday, December 17, 2008
Humboldt's False Alternative to Diebold
After missing several consecutive monthly meetings of the ad hoc volunteer Election Advisory Committee (EAC), convened by Humboldt County, CA Registrar of Voters Carolyn Crnich, on Tuesday night I rejoined the group to learn Crnich has at last given up on Diebold/Premier's optical scanners and GEMS central tabulator as our official vote counting method. After years of opposing Diebold, this might seem like a dream come true. But that's only the beginning of the story.
Crnich informed the group that we will continue to use paper ballots and precinct based scanning with Hart InterCivic's eScan system (complementing Hart's eSlate machines already in use for HAVA compliance). A distinction was made between Diebold's optical scanners and Hart's so-called digital scanners, though a similarity worth noting is that rather than counting the actual ballots both technically count the images of the ballots internally created within black box technology.
Whatever the supposed relative merits may be for Hart compared to Diebold, this is the epitome of a false alternative, the appearance of choice in a no-win situation. We will still be using an accuracy-challenged proprietary and secret system found vulnerable to undetectable manipulation by California's Top To Bottom Review, Ohio's EVEREST study, and Colorado's Secretary of State.
Humboldt County has made news lately for its Election Transparency Project, which revealed a failure in GEMS that caused Crnich to certify inaccurate results from last month's election. Crnich later told Wired.com:Crnich told Threat Level the issue has made her question her confidence in the voting system because, even though the company provided officials with a workaround, the problem indicated a fundamental flaw in the company's programming. She said she'd heard a lot of stories from other election officials about problems with voting machines, but never thought they applied to California.
Crnich has been widely praised for working with citizen volunteers to create the audit mechanism that identified the problem, which was entirely the fault of Diebold and not at all of Crnich's doing. Certainly some credit is due there, though as I explained last week, this has been exaggerated in an unhelpful way that now will likely make it more difficult to challenge her decision to switch to eScan. Indeed, at the EAC meeting I was accused of "casting aspersions" for raising questions of timing and public input. Yet check out how this almost went down...
"I've always sort of listened to those anecdotal incidents with a jaundiced ear because California has some very stringent requirements of election systems that are in use here as well as some very strict security procedures and I didn't think those things affected us here," she said. "But this has sort of put a cloud over any confidence that I had in the Premier equipment that's been in this department since 1995."
At Tuesday's EAC meeting, Crnich said she has the sole authority to choose our vote counting method and had already done so. In fact, she had hoped to take delivery of nearly 80 new machines on Wednesday in order to get a $28,000 discount offered by Hart if the deal could be completed by year's end. The total cost is estimated to exceed $600,000 and would be paid entirely out of the County's unused HAVA and Proposition 41 funds. Procedurally, Crnich said she needs the County Board of Supervisors to approve her plan, and then approval of the CA Secretary of State for the use of funds.
Crnich said she attempted to get a spot on the agenda at Tuesday's Supes' meeting. An unusually long list of business items prevented that and has likely created a reprieve until January 6. However, that isn't guaranteed as Supervisor Jimmy Smith, in attendance at Tuesday's EAC meeting, suggested the possibility of a short-noticed special Supes meeting that could possibly occur this year if it would still allow the $28k savings.
Crnich told the EAC the next scheduled election is not until November 2009, though there is talk of a possible statewide special election as early as March. In that regard, she did not express urgency for the Hart transition to begin. If anything, she said she looked forward to having the time to evaluate candidates for an open position within the elections department. She lamented the delay between the announced opening in July and her recent receipt of the qualified applicant list.
The intent here is not to attack Crnich. These are the things she has done and said, which fairly raise the following questions.
There is an element of deja vu here. In 2005 I wrote about efforts to prevent Crnich's flirtation with going touchscreen, though it certainly wasn't presented as an argument for the status quo. Crnich periodically receives heaps of praise for nixing the switch, typically without reference to the public resistance.
I can only think to call this a bittersweet irony. After years of urging the immediate abandonment of Diebold equipment, now Humboldt County can't drop the hot potato fast enough. The glow of the Transparency Project is currently blinding and seems to shield the sense of embarrassment for not only certifying inaccurate results but also defending the continued use of equipment known to be flawed all along. Who else will make clear that one laudable achievement does not mean complete deference on important questions of public policy?
* * *p.11
Here are some key observations from Harri Hursti and others about Ohio's EVEREST study:
The Red Team, working in close conjunction with the 2007 TTBR Hart Source Code Team, discovered that the Hart EMS software implicitly trusts all communication coming from devices appearing to be Hart-branded and neither authenticates the devices nor performs adequate input validation on data transmitted to it by the devices. This allows for the possibility that a compromised device, such as an eScan that had been tampered with at a polling station, could infect the EMS systems. In particular, the Source Code Team discovered a weakness in the code that would allow an eScan to perform a buffer overflow attack and execute arbitrary code on the computer running SERVO.
...
The team was also able to access device-level menus that should be locked with passwords but were not. This access could allow an attacker a vector for altering configuration settings and/or executing a denial of service on the eScan.
Some of the findings from previous studies on precinct count optical scanners were replicated on the eScan, and they allowed the Red Team to maliciously alter vote totals with the potential to affect the outcome of an election. These attacks were low-tech and required tools that could be found in a typical office.
The Red Team implemented an attack devised by the 2007 TTBR Hart Source Code Team that was able to extract election-sensitive information from the eScan and issue administrative commands to the eScan. The leaked information would allow an attacker the ability to execute further attacks, while administrative commands issued to the eScan could erase electronic vote totals and audit records from an eScan while putting it out of service for the remainder of the Election Day. For more details on these attacks, please see the 2007 TTBR Hart Source Code Team report.3.2 Insider Defenses
For more see this 2006 report from VotersUnite.org, the same site's Election Problem Log 2004 - Present, as well as BradBlog.com.
Attack Class 6: eScan Manipulation – We were able to exploit a number of vulnerabilities in the eScan that could give election insiders the ability to compromise election results and voter privacy. Some of these were a result of a lack of physical security. We were able to replace the eScan's internal flash memory card containing the eScan executable and configuration file with only a screwdriver in about 2 minutes. After replacing the card, we were able to boot the eScan into the Linux operating system. This simple attack gives a single poll worker with a few minutes of unobserved access to the eScan the ability to undermine all votes cast at a precinct (EVEREST 20.3.1).
While opening the eScan to replace the memory card, we broke three tamper evident seals. While such seals may prove that a machine was opened, a preventative measure is preferable. A poll worker may intentionally break these seals in order to cast doubt on election results. It has also been shown that tamper evident seals do not always correctly show that tampering occurred [14].
Insiders may also wish to use their access to ballots to determine voter choice. This can be done with the eScan due to the design of its ballot box (EVEREST 20.3.4). The eScan's scanner sits on top of its ballot box, which is essentially a plastic tub. When a ballot is scanned, it is subsequently dropped into the box. No measures are taken to disturb the order in which ballots fall, allowing a malicious poll worker to note the position in which certain votes are cast and then relay these positions to an election official with access to the ballots. We observed ten numbered ballots as they were cast with the eScan, and verified that the vote order was preserved.
...
Attack Class 14: Open Audit Interfaces – Both the Hart JBC and eScan have open interfaces that allow for the erasure of votes and audit log records. As detailed in Issue 3 of the CA TTBR, the eScan is managed through an accessible Ethernet port that listens for connections on TCP port 4600. This port is normally used for sending and receiving commands from SERVO, such as file transmission and reading images of the eScan's memory. No cryptographic tokens are required for these operations to occur.
We discovered that with a handheld device such as a Palm computer, an attacker with an Ethernet cable can mimic the actions of SERVO to the eScan during a live election, and cause the vote records and audit logs to be erased from both the eScan's internal memory and the MBB inserted into it (EVEREST 20.3.7). Any voting that had occurred on the eScan to that point would be erased, necessitating a manual recount.
...
Attack Class 19: Autovoting – A final example of unsafe features intentionally added to the Hart systems is the Ballot Now’s "Autovote" feature (EVEREST 20.7.2). Autovote allows for the creation of pre-filled-in paper ballots. Once again, this feature is enabled through Windows registry entries. Once these entries are enabled, Ballot Now displays the Autovote menu option when started.
The Autovote menu allows the Ballot Now user to choose the number of pre-filled-in ballots to print. The user has no control over the selected filled in entry for each contest, however, the selected entries are uniformly distributed. This allows an arbitrary number of ballots with the desired results to be printed with the overhead of some ballots with undesired results that may simply be discarded.
Paper ballots generated by Autovote initially say "Autovote" on the front and back, making them conspicuous and easy to detect in an audit or recount. We were able to overcome this by installing a PNG printer driver on the Ballot Now machine. This driver allows ballots to be printed to PNG image files as opposed to paper. We could then open the files in an image editor, remove the Autovote label and print them. Aside from the label, Autovote ballots are identical to regular ballots. We conducted a normal election and an election with Autovote ballots, and could not identify any differences in the eScan unofficial printout, the audit logs, or the cast vote records on the eScan's MBB.
Autovote could be used in tandem with the eScan's duplicate ballot feature to perform a ballot stuffing attack. Using Autovote ballots is advantageous over using photocopies, as each Autovote ballot has a unique serial number, and thus cannot be differentiated from legitimate votes in an audit.
Permalink:
http://wedonotconsent.blogspot.com/2008/12/humboldts-false-alternative-to-diebold.html
Labels: Carolyn Crnich, Diebold, Election Advisory Committee, eScan, EVEREST, false alternative, Hart Intercivic, Jimmy Smith, Top To Bottom Review, Transparency Project
Wednesday, December 10, 2008
Humboldt At The Tipping Point: Who Dares Defend Diebold?
Here in Humboldt County, CA a local story of national interest broke last Thursday on the websites of the Eureka Times-Standard (archive) and North Coast Journal. The next morning I wrote a letter to the editor that appeared in today's T-S (archive). I'll let this serve as a summary then provide links to much of what's been published already and add some further reasons for optimism at the bottom.Any defenders?
So here's a summary of links from the past several days, then I've got a few more observations.
Letters to the editor
Posted: 12/10/2008 01:15:38 AM PST
First I'd like to congratulate Kevin Collins, Tom Pinto, Mitch Trachtenberg, Parke Bostrom and all the volunteers of the Election Transparency Project.
Their work revealed a discrepancy caused by Humboldt's electronic voting equipment last month.
Over the last few years I've made many different arguments for getting rid of the Diebold (now Premier) equipment used to count votes in Humboldt County. Somehow it wasn't enough that they “count” in secret, can be easily manipulated without detection, and report results impossible in a legitimate election.
Somehow local decision makers weren't deterred from doing business with a company that admitted to illegally installing uncertified software here and elsewhere; that was sued in class action suits filed by company shareholders; and whose then -- CEO said he was “committed to helping Ohio deliver its electoral votes” to Bush in 2004.
Now we learn that Humboldt has finally experienced what is euphemistically called a “glitch.” In reality it was a bug in Diebold's central tabulation program, GEMS. This caused the results of November's election, already certified as accurate by Registrar of Voters Carolyn Crnich, to be proven inaccurate.
Worse still, Diebold knew about the bug at least four years ago and never fixed it. Other counties were made aware of the problem and told how to work around it. Crnich says she never knew, and I believe her.
This raises many questions, most important among them: Who dares defend the continued use of these machines and the county's relationship with Diebold/Premier?
Dave Berman
Eureka
T-S, 12/5/08: Software glitch yields inaccurate election results (archive)
T-S, 12/7/08 Local elections office commended (archive)
T-S Editorial, 12/7/08 - A glitch that should never have been (archive)
Wired - two Kim Zetter articles from 12/8/08:
Serious Error in Diebold Voting Software Caused Lost Ballots in California County
Unique Transparency Program Uncovers Problems with Voting Software
Election Transparency Project volunteers:
Parke Bostrom - http://hum.dreamhosters.com/etp/news/20081204.html (main site)
Mitch Trachtenberg - http://www.mitchtrachtenberg.com/ourvotes.html (main site)
Tom Pinto - http://humtp.com/
John Gideon & Brad Friedman at BradBlog.com, 12/8/08 - 'Humboldt Transparency Project' Reveals Diebold, U.S. Federal E-Voting Scam
The BradBlog piece includes this link to an .mp3 of Crnich with Brad on the Peter B. Collins show on the afternoon of 12/5/08.
* * *The fact that Diebold/Premier did not take the action to recall the systems, actually puts them into a situation where they may very well have violated federal law. The Help America Vote Act of 2002 Title III Section 301(a)(5) mandates an acceptable error rate for voting systems in use in federal elections. That error rate, not counting any error caused by an action of the voter, cannot exceed 0.00001%.
Parke Bostrom's post above describes how "deck zero" became the batch of ballots that were handled properly by the elections department, and yet vanished from the final certified total. He comments further that the audit log for the Diebold GEMS central tabulation software matched the wrongly decreased total:
However, in the case of the Humboldt County vote count, the error rate was 0.31%.
We have asked both the Secretary of State of California and the EAC if they plan to take action by asking the US Attorney Office to investigate this seemingly clear violation of federal law. Neither the CA SoS, nor the EAC has yet replied to our queries on that matter.This means the audit log is not truly a "log" in the classical computer program sense, but is rather a "re-imagining" of what GEMS would like the audit log to be, based on whatever information GEMS happens to remember at the end of the vote counting process.
This demonstrates the system will cover its tracks when reporting an inaccurate result, destroying assurances of built-in memory redundancies and making a mockery of logic and accuracy testing. Not just here, everywhere. Frankly this is just another example of something we've known a long time.
Crnich herself has been very interesting through all of this. In the "Serious Error..." article above, Zetter reports:Crnich told Threat Level the issue has made her question her confidence in the voting system because, even though the company provided officials with a workaround, the problem indicated a fundamental flaw in the company's programming. She said she'd heard a lot of stories from other election officials about problems with voting machines, but never thought they applied to California.
Crnich losing confidence of course should be music to our ears. She also said a great thing in the interview with Peter B., explaining why she's been willing to work with citizen volunteers. As Humboldt County Clerk/Recorder and Registrar of Voters, Crnich is an elected official and I'm glad she acknowledged a responsibility to listen to constituents.
"I've always sort of listened to those anecdotal incidents with a jaundiced ear because California has some very stringent requirements of election systems that are in use here as well as some very strict security procedures and I didn't think those things affected us here," she said. "But this has sort of put a cloud over any confidence that I had in the Premier equipment that's been in this department since 1995."
In all, the media coverage above practically lionizes Crnich, which I think goes too far. Consider this analogy. Someone builds a fire in the middle of their bedroom and burns down the house. Would this person be praised for the wisdom of having an insurance policy? Using secret corporate vote counting computers, whether by Diebold or any other vendor, is playing with fire.
I've been unable to reach Crnich by phone in the past two days, repeatedly getting voice mail that could not accept more messages.
Also today, The North Coast Journal came out with Hank Sims' "Town Dandy" column called Deck Zero. Sims writes in reference to the known failure of the GEMS central tabulation software:The fact that Diebold/Premier let it stand for over four years, potentially undermining the first principle of American democracy, is an absolute outrage. These people should be shunned. Maybe indicted.
Throw in a little validation from the T-S editorial board...:They were loud, and they were strident in proclaiming that they didn't trust election technologies as much as they trust the ability of actual human beings to count votes.
...and it is starting to sound like we may be at a tipping point here. You might expect me to be frothing about hand-counting paper ballots right about now. You'd be wrong. Thinking as an organizer, I would hope now to establish three things that would be widely agreeable throughout the community:
The recent discovery, thanks to the Humboldt County Election Transparency Project, of a discrepancy in election results due to flawed software reveals that these activists were right to make noise, and right to complain about a company that has been less than responsible in dealing with the problem.
That said, if this is the nature of the opportunity now, I will re-offer to the community the materials I've developed to evaluate hand counting, most notably the forecast tool (spreadsheet) for estimating time, cost and labor needs for hand-counting in the precinct on election night. Back in the summer of 2007, when I first made this public, Sims noted: "Initial twiddling with the numbers suggests that it wouldn't be all that time-consuming or costly -- and wouldn't you rather wait a few days and spend a little more for a trustworthy count?"
I'd like to see more consistency in Sims' election integrity advocacy. And bottom line, I hope he'll push for a thorough examination of Diebold alternatives, as I'm sure Transparency Project volunteers will have other preferences and ideas to contribute to what could become the most envied process and dialog in the country.
This is all another way of saying "what would be better" is an inclusive and engaging community dialog aimed at literally defining "better" than Diebold.
Permalink:
http://wedonotconsent.blogspot.com/2008/12/humboldt-at-tipping-point-who-dares.html
Labels: Brad Friedman, Carolyn Crnich, Diebold, Eureka T-S, Hank Sims, Humboldt Transparency Project, Kevin Collins, Mitch Trachtenberg, North Coast Journal, Parke Bostrom, spreadsheet tool, Tom Pinto