Wednesday, December 17, 2008
After missing several consecutive monthly meetings of the ad hoc volunteer Election Advisory Committee (EAC), convened by Humboldt County, CA Registrar of Voters Carolyn Crnich, on Tuesday night I rejoined the group to learn Crnich has at last given up on Diebold/Premier's optical scanners and GEMS central tabulator as our official vote counting method. After years of opposing Diebold, this might seem like a dream come true. But that's only the beginning of the story.
Crnich informed the group that we will continue to use paper ballots and precinct-based scanning, now with Hart InterCivic's eScan system (complementing Hart's eSlate machines already in use for HAVA compliance). A distinction was drawn between Diebold's optical scanners and Hart's so-called digital scanners, but the similarity matters more: neither counts the paper ballots themselves. Both count internally generated images of the ballots, produced and tallied inside a closed, proprietary device the public cannot inspect.
Whatever Hart's supposed merits relative to Diebold, this is the epitome of a false alternative: the appearance of choice in a no-win situation. We will still be using a proprietary, secret and accuracy-challenged system that California's Top-to-Bottom Review, Ohio's EVEREST study, and Colorado's Secretary of State each found vulnerable to undetectable manipulation.
Humboldt County has made news lately for its Election Transparency Project, which revealed a failure in GEMS that caused Crnich to certify inaccurate results from last month's election. Crnich later told Wired.com:
Crnich told Threat Level the issue has made her question her confidence in the voting system because, even though the company provided officials with a workaround, the problem indicated a fundamental flaw in the company's programming. She said she'd heard a lot of stories from other election officials about problems with voting machines, but never thought they applied to California.
"I've always sort of listened to those anecdotal incidents with a jaundiced ear because California has some very stringent requirements of election systems that are in use here as well as some very strict security procedures and I didn't think those things affected us here," she said. "But this has sort of put a cloud over any confidence that I had in the Premier equipment that's been in this department since 1995."
Crnich has been widely praised for working with citizen volunteers to create the audit mechanism that identified the problem, which was entirely the fault of Diebold and not at all of Crnich's doing. Certainly some credit is due there, though as I explained last week, this has been exaggerated in an unhelpful way that now will likely make it more difficult to challenge her decision to switch to eScan. Indeed, at the EAC meeting I was accused of "casting aspersions" for raising questions of timing and public input. Yet check out how this almost went down...
At Tuesday's EAC meeting, Crnich said she has the sole authority to choose our vote counting method and had already done so. In fact, she had hoped to take delivery of nearly 80 new machines on Wednesday in order to get a $28,000 discount offered by Hart if the deal could be completed by year's end. The total cost is estimated to exceed $600,000 and would be paid entirely out of the County's unused HAVA and Proposition 41 funds. Procedurally, Crnich said she needs the County Board of Supervisors to approve her plan, and then the CA Secretary of State's approval for the use of the funds.
Crnich said she attempted to get a spot on the agenda at Tuesday's Supes' meeting. An unusually long list of business items prevented that and has likely created a reprieve until January 6. However, that isn't guaranteed, as Supervisor Jimmy Smith, who attended Tuesday's EAC meeting, raised the possibility of a short-notice special Supes meeting that could still occur this year if it would preserve the $28k savings.
Crnich told the EAC the next scheduled election is not until November 2009, though there is talk of a possible statewide special election as early as March. In that regard, she did not express urgency for the Hart transition to begin. If anything, she said she looked forward to having the time to evaluate candidates for an open position within the elections department. She lamented the delay between the announced opening in July and her recent receipt of the qualified applicant list.
The intent here is not to attack Crnich. These are the things she has done and said, which fairly raise the following questions.
There is an element of deja vu here. In 2005 I wrote about efforts to prevent Crnich's flirtation with going touchscreen, though it certainly wasn't presented as an argument for the status quo. Crnich periodically receives heaps of praise for nixing the switch, typically without reference to the public resistance.
I can only think to call this a bittersweet irony. After years of urging the immediate abandonment of Diebold equipment, now Humboldt County can't drop the hot potato fast enough. The glow of the Transparency Project is currently blinding and seems to shield the sense of embarrassment for not only certifying inaccurate results but also defending the continued use of equipment known to be flawed all along. Who else will make clear that one laudable achievement does not mean complete deference on important questions of public policy?
* * *
Here are some key observations from Harri Hursti and others about Ohio's EVEREST study:
The Red Team, working in close conjunction with the 2007 TTBR Hart Source Code Team, discovered that the Hart EMS software implicitly trusts all communication coming from devices appearing to be Hart-branded and neither authenticates the devices nor performs adequate input validation on data transmitted to it by the devices. This allows for the possibility that a compromised device, such as an eScan that had been tampered with at a polling station, could infect the EMS systems. In particular, the Source Code Team discovered a weakness in the code that would allow an eScan to perform a buffer overflow attack and execute arbitrary code on the computer running SERVO.
The team was also able to access device-level menus that should be locked with passwords but were not. This access could allow an attacker a vector for altering configuration settings and/or executing a denial of service on the eScan.
Some of the findings from previous studies on precinct count optical scanners were replicated on the eScan, and they allowed the Red Team to maliciously alter vote totals with the potential to affect the outcome of an election. These attacks were low-tech and required tools that could be found in a typical office.
The Red Team implemented an attack devised by the 2007 TTBR Hart Source Code Team that was able to extract election-sensitive information from the eScan and issue administrative commands to the eScan. The leaked information would allow an attacker the ability to execute further attacks, while administrative commands issued to the eScan could erase electronic vote totals and audit records from an eScan while putting it out of service for the remainder of the Election Day. For more details on these attacks, please see the 2007 TTBR Hart Source Code Team report.
3.2 Insider Defenses
Attack Class 6: eScan Manipulation – We were able to exploit a number of vulnerabilities in the eScan that could give election insiders the ability to compromise election results and voter privacy. Some of these were a result of a lack of physical security. We were able to replace the eScan's internal flash memory card containing the eScan executable and configuration file with only a screwdriver in about 2 minutes. After replacing the card, we were able to boot the eScan into the Linux operating system. This simple attack gives a single poll worker with a few minutes of unobserved access to the eScan the ability to undermine all votes cast at a precinct (EVEREST 20.3.1).
While opening the eScan to replace the memory card, we broke three tamper evident seals. While such seals may prove that a machine was opened, a preventative measure is preferable. A poll worker may intentionally break these seals in order to cast doubt on election results. It has also been shown that tamper evident seals do not always correctly show that tampering occurred.
Insiders may also wish to use their access to ballots to determine voter choice. This can be done with the eScan due to the design of its ballot box (EVEREST 20.3.4). The eScan's scanner sits on top of its ballot box, which is essentially a plastic tub. When a ballot is scanned, it is subsequently dropped into the box. No measures are taken to disturb the order in which ballots fall, allowing a malicious poll worker to note the position in which certain votes are cast and then relay these positions to an election official with access to the ballots. We observed ten numbered ballots as they were cast with the eScan, and verified that the vote order was preserved.
Attack Class 14: Open Audit Interfaces – Both the Hart JBC and eScan have open interfaces that allow for the erasure of votes and audit log records. As detailed in Issue 3 of the CA TTBR, the eScan is managed through an accessible Ethernet port that listens for connections on TCP port 4600. This port is normally used for sending and receiving commands from SERVO, such as file transmission and reading images of the eScan's memory. No cryptographic tokens are required for these operations to occur.
We discovered that with a handheld device such as a Palm computer, an attacker with an Ethernet cable can mimic the actions of SERVO to the eScan during a live election, and cause the vote records and audit logs to be erased from both the eScan's internal memory and the MBB inserted into it (EVEREST 20.3.7). Any voting that had occurred on the eScan to that point would be erased, necessitating a manual recount.
Attack Class 19: Autovoting – A final example of unsafe features intentionally added to the Hart systems is the Ballot Now's "Autovote" feature (EVEREST 20.7.2). Autovote allows for the creation of pre-filled-in paper ballots. Once again, this feature is enabled through Windows registry entries. Once these entries are enabled, Ballot Now displays the Autovote menu option when started.
The Autovote menu allows the Ballot Now user to choose the number of pre-filled-in ballots to print. The user has no control over the selected filled in entry for each contest, however, the selected entries are uniformly distributed. This allows an arbitrary number of ballots with the desired results to be printed with the overhead of some ballots with undesired results that may simply be discarded.
Paper ballots generated by Autovote initially say "Autovote" on the front and back, making them conspicuous and easy to detect in an audit or recount. We were able to overcome this by installing a PNG printer driver on the Ballot Now machine. This driver allows ballots to be printed to PNG image files as opposed to paper. We could then open the files in an image editor, remove the Autovote label and print them. Aside from the label, Autovote ballots are identical to regular ballots. We conducted a normal election and an election with Autovote ballots, and could not identify any differences in the eScan unofficial printout, the audit logs, or the cast vote records on the eScan's MBB.
Autovote could be used in tandem with the eScan's duplicate ballot feature to perform a ballot stuffing attack. Using Autovote ballots is advantageous over using photocopies, as each Autovote ballot has a unique serial number, and thus cannot be differentiated from legitimate votes in an audit.
For more, see this 2006 report from VotersUnite.org, the same site's Election Problem Log 2004 - Present, as well as BradBlog.com.
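To make the design flaw behind Attack Class 14 concrete, here is an added illustration; it is not code from the EVEREST report, from Hart, or from the original post. It models a toy management-command handler that, like the interface the report describes, executes whatever a peer on the port sends, beside a hardened variant that requires a device-issued single-use nonce and an HMAC-SHA256 tag over each command, and that records an erase in the audit log instead of wiping it. The command names, message framing, key and sample records are all hypothetical; the eScan's actual protocol on TCP port 4600 is not documented on this page.

```python
import hashlib
import hmac
import os


class Scanner:
    """Toy stand-in for a precinct scanner's management interface.
    All records below are constructed sample data, not real vote data."""

    def __init__(self):
        self.cast_votes = [{"ballot": 1, "contest": "A"},
                           {"ballot": 2, "contest": "B"}]
        self.audit_log = ["polls_open", "ballot_cast", "ballot_cast"]
        self._live_nonces = set()

    # --- Design the report describes: whoever reaches the port is "SERVO" ---
    def handle_unauthenticated(self, line: str) -> str:
        """No credential, no token: ERASE wipes votes and audit records alike."""
        cmd = line.strip().upper()
        if cmd == "ERASE":
            self.cast_votes.clear()
            self.audit_log.clear()
            return "OK"
        if cmd == "READ":
            return repr(self.cast_votes)
        return "ERR unknown command"

    # --- Hardened design: per-session challenge plus keyed MAC over the command ---
    def challenge(self) -> str:
        """Device-issued, single-use nonce binding a command to this session."""
        nonce = os.urandom(16).hex()
        self._live_nonces.add(nonce)
        return nonce

    def handle_authenticated(self, line: str, key: bytes) -> str:
        """Expects 'nonce|CMD|tag' with tag = HMAC-SHA256(key, 'nonce|CMD')."""
        parts = line.strip().split("|")
        if len(parts) != 3:
            return "ERR malformed"
        nonce, cmd, tag = parts
        if nonce not in self._live_nonces:
            return "ERR unknown or replayed nonce"
        expected = hmac.new(key, f"{nonce}|{cmd}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "ERR bad tag"
        self._live_nonces.discard(nonce)  # consume: the same line cannot be replayed
        cmd = cmd.upper()
        if cmd == "ERASE":
            self.cast_votes.clear()
            # The erase itself leaves a trace rather than deleting the trail.
            self.audit_log.append(f"admin_erase nonce={nonce}")
            return "OK"
        if cmd == "READ":
            self.audit_log.append(f"admin_read nonce={nonce}")
            return repr(self.cast_votes)
        return "ERR unknown command"


def sign_command(nonce: str, cmd: str, key: bytes) -> str:
    """What a legitimate management station would send (hypothetical framing)."""
    tag = hmac.new(key, f"{nonce}|{cmd}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}|{cmd}|{tag}"


def demo() -> dict:
    """Runs the same attacker actions against both designs; returns outcomes."""
    key = b"constructed-demo-key"  # hypothetical shared key, not a real value
    results = {}

    weak = Scanner()
    results["weak_erase"] = weak.handle_unauthenticated("ERASE")
    results["weak_votes_left"] = len(weak.cast_votes)
    results["weak_log_left"] = len(weak.audit_log)

    strong = Scanner()
    # Attacker knows the framing but not the key: tag does not verify.
    n = strong.challenge()
    results["forged"] = strong.handle_authenticated(sign_command(n, "ERASE", b"wrong"), key)
    results["strong_votes_after_forgery"] = len(strong.cast_votes)
    # Legitimate erase (e.g. a post-election reset) is accepted once and logged.
    n = strong.challenge()
    good = sign_command(n, "ERASE", key)
    results["legit"] = strong.handle_authenticated(good, key)
    results["replay"] = strong.handle_authenticated(good, key)
    results["strong_log_after"] = strong.audit_log[-1]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is not the particular MAC: it is that the weak handler has no way to tell SERVO from a laptop on the same cable, and that an administrative erase which also deletes the audit log destroys the evidence of its own use.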