Tuesday, January 15, 2008

KHUM Humboldt Review Review, EAC and Ron Paul Too

The .mp3 archive of last Thursday's KHUM Humboldt Review finally became available yesterday but I didn't have time to listen and thus no blog post. Having listened now, I can accurately quote the top highlight, by far, which was my introduction, now a permanent part of the WDNC blog template*:

"Dave, you're like the conscience of our electoral process."

--Kevin Hoover, Editor, Arcata Eye; Host KHUM Humboldt Review

I was on the show for two segments, the first starting about 20:34 into the .mp3 above. Hoover's great compliment is around 27:35. Click here and look for Arcata's 150th/Voter Information Day to see the rest of the guests. If you aren't here in Humboldt this may give you a few distinct flavors of our community, including celebrating the start of a year-long 150th anniversary for Arcata, and the hot button rail/trail issue. Hoover also interviewed Registrar of Voters Carolyn Crnich. It was so pedestrian that I don't have any other comment on it.

On the other hand, tonight the Registrar convened the monthly meeting of the Election Advisory Committee. The top story there was the announcement of Kelly Sanders as the new Election Manager, effective 1/1/08, filling the position vacated by Lindsey McWilliams last June. The Registrar said this promotion for Sanders, who has worked in the Humboldt Elections Department for years, most recently as Administrative Analyst, is known to other election administrators in the state, but not yet in the local media. A rare scoop here for WDNC.

With Supervisor Jimmy Smith present, the Registrar described two pieces of equipment she said she hoped she could buy from the County General Fund. First is a new DIMS server, which she said contains voter registration info. She also described the regular office scanner as being near death, slyly suggesting that perhaps its replacement would be suitable for the Transparency Project. Acknowledging it could be costly, the Registrar gave a maximum cost of $60,000. I think there was an audible gulp from Smith.

Also of note, I thought, was the approximate number 100 - absentee ballot requests per day. Early voting began on 1/7 with paper ballots and one eSlate available at election department HQ. There is a need for about 8-10 more pollworkers, and the Registrar recommended anyone interested use the application contained in their sample ballot and bring it to HQ.

Another budgetary matter that came up was the Governor's reneging on his promise to reimburse Humboldt County for this February's primary. This was held up as an example of an unfunded mandate. I jokingly suggested we refuse to hold the November election just to spite Arnold.

More seriously, the Registrar said she would be on a conference call tomorrow morning with other Registrars and Secretary of State Debra Bowen. One topic for that call is the "trusted build" program that Bowen implemented following the Top To Bottom Review. According to the Registrar, this involves wiping old memory cards and newly programming them with code supplied directly by Bowen.

The last thing I'll mention from the EAC meeting is the observation panel the Registrar said she wanted to form. If you are interested in this, I think you want to drop by HQ, perhaps Monday at 2pm when the Logic and Accuracy (aka Smoke and Mirrors) dog and pony show will be conducted.

Finally, right after I got home, David Kaftal, my Ron Paul contact, wrote to invite me to talk about election integrity at an "emergency meeting" the local Meet Up group has called for Thursday night at 6pm at the Humboldt Bay Municipal Water District, 828 7th St., Eureka. More details at the link above.

# # #

* Karen Renick, co-host of Vote Rescue Radio also just added a sweet new permanent testimonial to the WDNC left sidebar: "Ultimately, we MUST change the way our votes are being counted - or not counted - and Dave is one of those individuals who is making this a reality."

Permalink:
http://wedonotconsent.blogspot.com/2008/01/khum-humboldt-review-review-eac-and-ron.html

Posted by Dave Berman - 10:33 PM

Thursday, January 03, 2008

Eureka Times-Standard OpEd: Hand-counting ballots can work

As promised last night, below is the My Word opinion column I wrote, published in today's Eureka Times-Standard, though oddly not yet on the paper's website (I picked up a hard copy and found the piece on page A4, including a picture of me from at least three years ago).

UPDATE: 1/3/08 12:20pm -- The T-S website now has my column. It occurred to me over the past few hours that the headline it was given, while certainly a positive statement, doesn't really reflect what this essay is about. I've been saying hand-counting can work for years now. This piece says the T-S is abdicating its responsibility to foster community dialog about whether hand-counting is superior to Diebold opscans, even as the Voter Confidence Committee creates the very means by which the community can make objective comparisons. A more apt headline would have been: "Election Watchdogs Dog Newspaper For More Detailed Dialog on Election Conditions."

* * *
http://www.times-standard.com/ci_7869635
(archive)

Hand-counting ballots can work
My Word, by Dave Berman
1/3/07

Registrar of Voters Carolyn Crnich said hand-counting paper ballots is "not a practical solution" ("As primary fast approaches, election offices are in turmoil," 12/24/07) and she's not convinced it would be more reliable than continuing to use secret vote counting machines repeatedly discredited in actual elections and academic studies, including CA Secretary of State Debra Bowen's Top To Bottom Review.

It is certainly reasonable for the Times-Standard to publish the Registrar's opinion. But did the T-S ever ask her for data comparing counting methods for accuracy, cost or any other measure? The Voter Confidence Committee (VCC) has requested such information, repeatedly, and the Registrar has not only confessed to having no such information, she has failed to deliver on her promise to obtain it and make it available.

Setting the Registrar's unsubstantiated opinion aside, the bigger issue is false balance, which the T-S created by pairing the Registrar's view with superficial mention of the VCC report recommending hand-counting, noting also that we're documenting community support for the idea.

Not mentioned is the VCC hand-count forecast tool (a spreadsheet), used to create projections and plan for the requirements of hand-counting in precincts on election night. This allows the public to objectively judge whether hand-counting is indeed preferable.

In fact, this was our contribution to the federal lawsuit mentioned in the "turmoil" article, and it was previously described in the T-S on August 16.

When this becomes part of the story, an unsubstantiated opinion no longer stands in true balance, instead reflecting false balance. "He-said/she-said" can not truly balance all news articles. The community can and should discuss the relative merits of hand-counting in tangible terms, made possible by the VCC but shunned by the T-S.

Yes, shunned.

Readers should know the T-S editorial board met with VCC members on August 14. Not only was the forecast tool presented at that time, the VCC also reiterated concerns stated in our report about the Registrar's so-called "Transparency Project."

Our critique has appeared elsewhere in local media, but its absence from the "turmoil" article falsely suggested universal support for the project.

Worse still, the article cited Bev Harris as a Project supporter. In response, Harris posted a statement online saying she was misquoted and does not support the Project: "The concept of providing ballot images to the public after running them through an intermediary program developed by David Dill (or anyone else!) is absurd and misses the point entirely. What is it about these guys that they just cannot RESIST inserting "An Expert" in between "The People" and "Our Ballots"?"

To be clear, VCC objections to the Transparency Project are as follows:

Going from ridiculous to sublime, another expert was cited as a Project supporter, Harri Hursti, "who famously hacked into Diebold voting machines." Not just Diebold machines, but the exact equipment used here in Humboldt (as well as other models).

The T-S might have mentioned that while bending over backwards to once again congratulate the Registrar for a decision made nearly four years ago. Forgoing touch screen machines in favor of optical scanners was a false alternative. Both types of machines have been repeatedly discredited, and both types count in secret, requiring the public's blind trust without providing any rational basis for confidence in reported results. The Registrar's devotion to casting paper ballots is hollow if counting accuracy is not verifiable.

Please visit www.VoterConfidenceCommittee.org for links to recent media coverage of election integrity issues as well as our report on local election conditions, the forecast tool, and the sign-up form that will allow us to demonstrate there are enough local voters willing to hand-count to get the job done on election night.


Dave Berman is a founding member of the Voter Confidence Committee of Humboldt County. His blog is http://WeDoNotConsent.blogspot.com. He resides in Eureka.

Opinions expressed in My Word pieces do not necessarily reflect the editorial viewpoint of the Times-Standard
# # #

Permalink:
http://wedonotconsent.blogspot.com/2008/01/eureka-times-standard-oped-hand.html


Posted by Dave Berman - 9:00 AM

Tuesday, December 25, 2007

Eureka Times-Standard: As primary fast approaches, election offices are in turmoil

Monday's Eureka Times-Standard has a front page story that continues on the back page called "As primary fast approaches, election offices are in turmoil" (archive).

This article describes some of the fallout experienced by elections departments throughout CA in the wake of Secretary of State Debra Bowen's Top To Bottom Review. Humboldt is depicted as being on relatively stable footing, and though that may be the case, no mention is made that there has still been no Election Manager named to replace Lindsey McWilliams, who left in June. The last hiring update I got was at the Nov. 20 Election Advisory Committee meeting when Registrar of Voters Carolyn Crnich told us she was checking references on three candidates and didn't have a time frame for making a decision. She also emphasized that she was not feeling desperate because current staff is performing great. So none of that was in the article.

T-S reporter Thadeus Greenson does paint a very favorable picture of the Humboldt Transparency Project, including referencing David Dill, Bev Harris, and Harri Hursti. There was not even a hint of irony in describing Hursti "who famously hacked into Diebold voting machines." Excuse me, but it wasn't just Diebold voting machines, it included the exact equipment we use here in Humboldt. No criticisms of the Transparency Project were included, though I have detailed several on many occasions, as recently as Saturday. That may get recycled into the letter to the editor or My Word column this will prompt me to write.

As with many previous T-S articles, this one contains false balance. This is probably the biggest issue I have with this story. While there are no quotes from VCC members, our group is mentioned:

Still, some feel Bowen's decision didn't go far enough and the optical scan vote counting machines are also inaccurate and susceptible to hacking.

The Voter Confidence Committee of Humboldt County released a report on voting conditions in the county that called for a complete transition to hand counting for all ballots. While Crnich said this would put a tremendous strain on poll workers and the election office, she isn't convinced it would be any more reliable than the machine counts and hand-count audits are in place.

"It's just not a practical solution," Crnich said.

But Humboldt's committee is far from the only ones calling for hand counting, which they say is both practical and more accurate than machines counting.

Earlier this month, the committee and 30 other election integrity groups joined an amicus brief in the suit brought against New York State by the Department of Justice. The brief argues hand counting paper ballots is compliant with the Help America Vote Act, and asks the court to order the two federal races on the state's next ballot to be hand counted.

Meanwhile, the Humboldt Committee is busy recruiting Humboldt voters willing to hand count ballots come election day. But Crnich said no such hand counting will take place. She said the procedures are simply not in place, but visitors are welcome to observe election-night happenings according to Bowen's guidelines.

This is false balance because the Registrar offers an opinion with nothing to back it up. How do I know? Because the VCC has asked, repeatedly, and the Registrar does not have data comparing hand-counting and optical scan counting for cost, accuracy or anything else. Yet her dismissive opinion is supposed to balance the VCC recommendations, which come backed by our report (and many others), and tangible projections that will allow the community to judge what is practical. Naturally our ability to take the discussion out of the range of "he said/she said" was left out of the article.

One more bone to pick. This article refers to a lawsuit brought by San Diego County to push back against Bowen's new guidelines. But it does not mention the memory cards that disappeared from a FedEx shipment last week en route from Sacramento to San Diego. If it's balance ye want, I'm just sayin'...

Permalink:
http://wedonotconsent.blogspot.com/2007/12/eureka-times-standard-as-primary-fast.html

Posted by Dave Berman - 11:29 PM

Thursday, September 20, 2007

Election Advisory Committee Gets Latest Humboldt Election News

Humboldt County Registrar of Voters Carolyn Crnich convened the monthly meeting of the citizens' Election Advisory Committee Tuesday night at the County Courthouse. First on the agenda was the Election Department's two personnel vacancies. The application period closed Friday for both the Election Specialist, a front office position, and the Election Manager, the central scrutinizer of the department. The Registrar said there are four applicants for the first job and she did not know about the second. The County's Personnel Department will screen the candidates and can refer up to six per position for further consideration. I won't make public the name but there is a high profile candidate we will be lucky to get. Stay tuned.

Also at Tuesday's meeting, the Registrar revealed she received a "Dear John" letter in response to her application for the Pew grant money. The Registrar was hoping to use the funds to buy high-speed off-the-shelf scanners for the so-called Transparency Project (a scanned copy of every ballot would become a .tif file made available to the public on CD). It now seems the Transparency Project will be on the back burner, given the hiring situation, four elections between this November and next, and evolving procedures to keep up with Secretary of State Bowen's conditions of use. Do not expect the Registrar to completely let it go.

The Registrar discussed Secretary Bowen's proposals for new post-election audit standards. The general idea is a variable sample where a close race would have more votes audited than a contest with an apparently bigger margin of victory. The Registrar said the legal requirements are flexible and she couldn't give any specific numbers that would match an audit percentage with a victory margin. When I asked, she refused to commit to seeking a qualified statistical adviser.

Reading from her Palm Pilot or Blackberry or Whatever Brand(TM) hand-held mini super computer, the Registrar quoted Secretary Bowen's remarks on a conference call reported by BradBlog. The topic was Sleepovers and the Secretary said they are not legal. Responding to questions, the Registrar said optical scanners could not be delivered on the morning of election day using Brinks trucks or the Postal service. I don't recall any serious explanation of why not. The Registrar often brings her sense of humor to these meetings. Was she for real when she said no more single or living alone people could be pollworkers? This refers to satisfying the 2-person rule, which requires the secret vote counting machines to be in the presence of no less than two election officials at any time. How far backwards is she willing to bend just to be able to send these ridiculous machines home with pollworkers prior to Election Day?

* * *

I've been traveling a lot in the past few weeks and so I haven't posted since that one night in NY just prior to my sister's wedding. The next day I phoned in as a guest on KHUM's Humboldt Review (.mp3). The Eureka Reporter correction I requested may have run in the print edition but when I checked the website in the middle of last week the article still had it wrong. To their credit, when I then e-mailed Glenn Franco Simmons about this he forwarded my message to Diane Batley who quickly informed me the text has been corrected. "We should never be required to have faith in election results."

The Voter Confidence Committee continues its community outreach on behalf of hand-counted paper ballots. The local ACLU has invited me to speak at their meeting on Thursday, the second consecutive month I've done so. Positions recently taken by the national ACLU afford the local chapter some leeway to lend support to the VCC campaign. With so much new info, the VCC is working on a new update section for the Report on Election Conditions in Humboldt County, CA. Also see revisions made to the spreadsheet tool used for estimating labor, time and cost needs for an all hand-counted election.

Permalink:
http://wedonotconsent.blogspot.com/2007/09/election-advisory-committee-gets-latest.html


Posted by Dave Berman - 10:00 AM

Wednesday, August 29, 2007

Humboldt Hand-Count Campaign Maintains Media Presence

Two Tuesdays ago, on the 21st, the Election Advisory Committee had its monthly meeting. The EAC now meets the third Tuesday of the month at 6:30pm at the Eureka Courthouse. The Eureka Reporter ran an article about the meeting the next day, half of which describes the presentation (.mp3) I gave about the Voter Confidence Committee report, hand-count campaign, and spreadsheet tool (.xls).

Supervisors John Woolley and Jimmy Smith, as well as Registrar of Voters Carolyn Crnich, all attended the 5.5 minute presentation and participated in the roughly 30 minute discussion that followed. I'm pleased with the way this went. The Registrar stated that she had played with the spreadsheet tool and it is "interesting." Supervisor Woolley said he wouldn't be able to support any kind of change without doing the kind of cost and time analysis that the VCC's spreadsheet tool permits. He said he likes the approach we are taking to developing and presenting this info. We agreed Aryay Kalaki is a fine mentor for community organizing. And I politely emphasized at least three times that we are awaiting the Registrar's best estimates to create the most official labor, cost, and time forecasts.

Last Friday the Eureka Times-Standard (archive) published a column with quotes only from Secretary of State Debra Bowen in response to a study she commissioned on voter confidence. I don't put any stock in these figures showing 44% of respondents have a "great deal of confidence that their votes are being accurately counted." 52% reported "some" or "only a little" confidence. Whatever. Like usual, the un-bylined T-S story strays far and wide from the crux of the matter, which is creating a basis for voter confidence, a reason for people to believe the results.

The Eureka Reporter did not mirror the T-S coverage of Bowen's survey. Last Friday, I did receive a call from Cerena Johnson, the new elections beat writer who had written the EAC article. We spent at least 15 minutes talking about some of the fundamental paradigms of the voter confidence movement. She seemed to understand and I figured there would be an article the next day. Those quotes did not appear until today, in an article that had a gross typo of omission. This is the end of the article:

Some say this could create an opportunity to take transparency a step further, with an entirely hand-counted system.

Dave Berman, a founding member of the Voter Confidence Committee, said the committee is trying to work with the county by recommending areas for improvement.

Berman said the criteria for a sound voting system should be transparent, secure and verifiably accurate, also distinguishing casting from counting.

"We should be required to have faith in election results," [EMPHASIS ADDED] he said, adding that results should be tangible. "What we have is a secret process."

The committee is in the process of forecasting a workable format by which votes could be hand-counted, factoring in numbers of volunteers, costs and time.

Ultimately, Berman said, the committee would like to be in a position to bring the county information it doesn't have, as well as the support of the community, to advance the idea that there is "not just one way to do elections in Humboldt County."

Humboldt County will hold its next election on Nov. 6.

As soon as I saw that on the Reporter website this morning I called Editor Glenn Franco Simmons. I reached his voice mail and left a polite request for a correction to be printed. A little later Ms. Johnson called my cell phone. We spoke for maybe seven minutes or so, continuing to break down and spell out why our current vote counting methods are secretive, how this is the opposite of the basic democratic concept of checks and balances, and that faith and trust are not relevant. She assured me a correction would appear. Also look out for a tight letter to the editor from Ruth Hoke.

Now going back to last Friday once again, in the evening I went down to the Ferndale radio studios of KSLG. Plastic Jackson is the evening DJ and he had recently reached out to me wondering how he could plug in to the work of the VCC. First I sent him a public service announcement, which I mentioned last week. He then let me invite myself in for an interview which you can hear in part one and part two (both .mp3 approx. 5.5 min). I hope to return to PJ's "Happy Endings" show, 6pm to midnight, weekdays on KSLG.com.

On Monday I received a phone call from John Matthews, morning host on KSLG, but also producer of the KHUM public affairs show The Humboldt Review, hosted by Arcata Eye editor Kevin Hoover. This week's show (Thursday 6pm PT) will be about election integrity. I will be a guest via phone.

I so prefer to do interviews in the studio, however, I am currently in NY looking forward to my sister's wedding this weekend. More immediately, tomorrow morning at 10:15, my grandfather and I are going to lead a group discussion with his senior's group at the Suffolk Y Jewish Community Center in Commack. This is going to be fun.

* * *

For anyone who missed Dan Rather's expose about voting machines, it is a MUST SEE available here through BradBlog.com.

Permalink:
http://wedonotconsent.blogspot.com/2007/08/humboldt-hand-count-campaign-maintains.html


Posted by Dave Berman - 9:32 PM

Thursday, August 16, 2007

Accountability Moment For Eureka Times-Standard

Recently here at WDNC, I have been calling attention to fact-deficient articles in the Eureka Times-Standard (see here and here). Naturally the focus has been on the coverage of "voting machine" news. Today the T-S has published a "My Word" guest opinion column (archive) that pulls it all together. The full text is at the bottom of this post.

But first, I want to mention this past Tuesday, when Voter Confidence Committee members Rabbi Les Scharnberg, Ruth Hoke, and I met with the T-S editorial board to discuss the VCC's Report on Election Conditions In Humboldt County, our campaign for hand-counted paper ballots, and of course, their recent dreadful coverage. The meeting was roughly 42 minutes and on the record. A complete recording is here (.mp3). It may not be uniformly exciting, but then we stood our ground several times in challenging their assumptions and rejecting some of their marginalization tactics, and that may be worth hearing.

And one last thing before I get to the My Word column, in case you missed it last night, click here for a letter to the editor which I had published in this week's issue of the Journal.

* * *
Eureka Times-Standard

Collective amnesia about e-voting safety
Dave Berman
Article Launched: 08/16/2007 04:15:49 AM PDT

Election conditions have figured prominently in recent news, thanks in part to a technical review of the state's voting systems conducted by California Secretary of State Debra Bowen. Bowen's "Red Teams" of computer security experts compromised the security of every system tested, including Diebold and Hart InterCivic equipment used in Humboldt County. The Times-Standard's coverage of this topic deserves serious scrutiny.

On July 28, the T-S ran this headline [on the Web]: "Local election systems may be vulnerable to hackers." This was the first paragraph: "A team of University of California computer scientists were able to hack into several voting systems used by California counties, including the two systems currently used in Humboldt County, the secretary of state announced Friday."

When clearly reporting that election systems are vulnerable ("were able to hack"), why does the T-S headline say they may be vulnerable? [Editor's note: The headline in the print edition said, "Election systems at risk of hacking."]

The T-S quotes Humboldt Registrar of Voters Carolyn Crnich being dismissive of these results, and in a manner extraordinarily similar to corporate propaganda defensively spun by "voting machine" vendors. This phenomenon is afflicting registrars throughout the state. They want the public to believe some new precautions can offset the machines' systemic design flaws.

In a report found on the secretary's website, Bowen's Diebold Source Code Review Team wrote: "Improvements to existing procedures may mitigate some threats in part, but others would be difficult, if not impossible, to remedy procedurally. Consequently, we conclude that the safest way to repair the Diebold system is to reengineer it so that it is secure by design."

On Aug. 7, the T-S presented another distortion: "E-voting order may have little impact here." While I may not think Secretary Bowen went far enough in defining new certification conditions, it is definitely a good thing that she has banned modems from transmitting precinct results to election department headquarters. Memory cards from all precincts will now have to be physically delivered to central HQ, and announcing results on election night may no longer be possible. Little impact?

On Aug. 8, the T-S again created a false impression with the headline: "County election system fares well in review." This headline contradicts previous T-S reporting as well as the facts.

This same article also congratulates the registrar for previously choosing optical scanners over touch screen machines, both of which "count" votes in secret. The T-S is correct to place a premium on paper ballots. But the methods of casting and counting votes must be evaluated separately. Lauding this decision is like feting Ford for new seat belts in response to exploding Pintos.

Why is the T-S shaping news this way, without even a balancing view from within the community? How can the registrar defend previously discredited equipment now again debunked? How could recent test results have strengthened her resolve to use Diebold's optical scanners? Why does the registrar choose to align herself with a company that employs convicted computer fraudsters and faces multiple class action lawsuits from investors, rather than with results of legitimate state-sponsored academic university studies?

Humboldt County's Voter Confidence Committee recently completed an eight-month study and published a "Report on Election Conditions in Humboldt County, California." Over the past several years, Humboldt media have documented numerous breakdowns of "voting machines." Yet somehow, word on the street seems to be that we have never had any problems here. Is there any wonder where such confusion comes from?

Regardless, this report is both an antidote for collective amnesia, and a blueprint for community involvement needed to make our elections transparent, secure, and verifiably accurate. The VCC has developed a spreadsheet tool for creating labor, cost and time estimates for an all hand-counted election. Using the VCC spreadsheet tool, The Journal's Hank Sims "twiddled" with the numbers and found hand-counting "wouldn't be all that time-consuming or costly" ("Town Dandy," Aug. 2).

Publicly counting votes by hand involves the community in its democracy and makes elections a citizen-owned endeavor. The media witnessing and documenting the process would establish the credibility of the reported results.

The VCC tool and report are now available at www.VoterConfidenceCommittee.org. We encourage more public discussion about election conditions, and in particular, what creates a basis for voter confidence without relying on blind trust.

To get involved, e-mail: info@VoterConfidenceCommittee.org or look for our volunteers signing up people who want the county to know they are willing to hand-count paper ballots on election night.

Dave Berman is a founding member of the Voter Confidence Committee. He resides in Eureka. His blog is http://WeDoNotConsent.blogspot.com.

# # #
Permalink:
http://wedonotconsent.blogspot.com/2007/08/accountability-moment-for-eureka-times.html


Posted by Dave Berman - 9:52 AM

Wednesday, August 08, 2007

What Have We Learned About Elections Lately?

CA Secretary of State Debra Bowen made a dramatic late-night announcement on Friday, August 3, presenting her certification decisions for the state's voting systems. Bowen completely decertified InkaVote, sold by ES&S and formerly used only in Los Angeles, because the source code was not submitted for review. All other equipment was decertified and recertified with new conditions for use, based in part on the reports (lower on same page as above link) of Bowen's Red Teams of computer security experts (see my summaries of the Diebold and Hart Intercivic reports). Some of these terms are vague or confusing, and I'll cover that in a bit.

What is clear to me is that the public is becoming more aware and more concerned about our election conditions. I have observed more people than ever having open discussions about Diebold, Bowen, and hand-counting paper ballots. More than a few people contacted me by e-mail in the past week to ask how to get involved. The increased interest in election integrity feels palpable to me.

While plentiful, Humboldt media coverage has been mixed, at best, while at other times presenting an alternate reality. On July 28, The Times-Standard gave us a headline of "Local election systems may be vulnerable to hackers" above a lede that makes clear local election systems ARE vulnerable to hackers. Today, a T-S headline read, "County election system fares well in review" - despite the Red Team reports of countless exploits found in our Diebold optical scanners.

Hank Sims had a little more on the ball in last week's Town Dandy column in the Journal: "...the hackers basically made mincemeat of the machines, demonstrating a variety of ways to skew the vote...The Red Team also verified that the optical scanning machines found at our precincts could be easily jimmied and rendered inoperative."

Having checked out the amazing calculator tool (.xls) I wrote about last week, Sims went on to address the feasibility of the Voter Confidence Committee's campaign for hand-counted paper ballots:

Berman's suggestion: Ditch the machines and go to a pure hand-count of all votes cast. Initial twiddling with the numbers suggests that it wouldn't be all that time-consuming or costly -- and wouldn't you rather wait a few days and spend a little more for a trustworthy count?
I have no objection to being called "obsessive" when the same article makes my case this well. The new issue of the Journal is out but not yet online. Sims again writes about elections, referring to Bowen's "weekend massacre." The problems this will cause Humboldt are "relatively minor," says Sims, contrasting with the newly machine-less LA. True that.

However, I believe Sims understates things when saying that shoring up security for the GEMS central tabulator will merely mean "our elections office will have to change up procedure a bit." I leave it to the reader to re-trace my many prior references to the dangers of GEMS. Here I shall only point to the words from another of the reports provided to Bowen in her Top To Bottom Review (TTBR). This is from the Executive Summary of the Source Code Review of the Diebold Voting System:
Vulnerability to malicious insiders
The Diebold system lacks adequate controls to ensure that county workers with access to the GEMS central election management system do not exceed their authority. Anyone with access to a county's GEMS server could tamper with ballot definitions or election results and could also introduce malicious software into the GEMS server itself or into the county's voting machines.

Although we present several previously unpublished vulnerabilities, many of the weaknesses that we describe were first identified in previous studies of the Diebold system (e.g., [26], [17], [18], [19], [33], [23], and [14]). Our report confirms that many of the most serious flaws that these studies uncovered have not been fixed in the versions of the software that we studied.

Since many of the vulnerabilities in the Diebold system result from deep architectural flaws, fixing individual defects piecemeal without addressing their underlying causes is unlikely to render the system secure. Systems that are architecturally unsound tend to exhibit "weakness-in-depth"-even as known flaws in them are fixed, new ones tend to be discovered. In this sense, the Diebold software is fragile.

Due to these shortcomings, the security of elections conducted with the Diebold system depends almost entirely on the effectiveness of election procedures. Improvements to existing procedures may mitigate some threats in part, but others would be difficult, if not impossible, to remedy procedurally. Consequently, we conclude that the safest way to repair the Diebold system is to reengineer it so that it is secure by design.
It doesn't get any more devastating than that. All the preening of Humboldt Registrar of Voters Carolyn Crnich is plainly phoney, and the media pandering to her is reprehensible. Sims gets a pass for his support of HCPB, but here is more bad journalism from the T-S ("E-voting order may have little impact here"), and without Rebecca S. Bender it seems the Eureka Reporter has gone mute on this subject, save a great letter to the editor submitted by VCC members Ruth Hoke and George Hurlburt.

What is happening is that Crnich and other Registrars throughout the state are in a highly defensive posture. Being forced to give up all their equipment would mean maximum uncertainty and the greatest amount of work. Instead, in fine CYA fashion, we see continued apologies for secret vote counting machines. You don't have to look all that closely to see the similarities in the rhetoric of Registrars and machine vendors such as Diebold. It is unconscionable that the results of Bowen's TTBR would make anyone more inclined to support "electronic voting machines." We're past the time of being surprised by such things, including the media's facilitation role. It is time we use these points against them. Ready for the first great example?

As Sims points out in his new column, Bowen has banned the use of modems for transmitting precinct results to the central tabulator. The VCC report addresses the risks of modems and obviously calls for their banishment as they are unnecessary with hand-counting. The beauty of what Sims says:
"The machines will have to be physically delivered back to Elections HQ before the counting commences, which means that we will no longer have election night results."
Of course, one of the most common blusters we hear against HCPB is that it will take too long. We are now very close to having definitive proof that HCPB will be faster. The VCC continues to call upon Crnich to help us narrow down the range of estimates plugged into the calculator tool (.xls) for forecasting manpower needs and costs of hand-counting 100% of the paper ballots. And now, thanks to Sims, I believe we should hereby permanently lay to rest the canard of immediate election results being prioritized over accuracy.

* * *

Now, regarding Bowen's conditional certification of Diebold, the way she has this posted online, I'm unable to copy and paste text directly out of the document. So, here I'll just re-type brief references and encourage you to read the full document for yourself.

Page 2

"voting systems analyzed were inadequate to ensure accuracy and integrity of the election results...contain serious design flaws...which attackers could exploit to affect election outcomes...Diebold software contains vulnerabilities that could allow an attacker to install malicious software on voting machines and on the election management system, which could cause votes to be recorded incorrectly or to be miscounted, possibly altering election results...due to these shortcomings some threats would be difficult, if not impossible, to remedy with election procedures...with access only to the Windows operating system on the Diebold GEMS election management server supplied by Diebold and without requiring access to Diebold source code [Red Team members] were able to access the Diebold voting system server software and to corrupt the election management system database, which could result in manipulated voter totals or the inability to read election results, rendering an election impossible to complete electronically."

Page 3

"...without accessing Diebold source code, [Red Team members] gained access to the election management server to manipulate and corrupt the election management system database...some of these attacks could be carried out in a manner that is not subject to detection by audit, including review of the software logs."

[WDNC]: the next quote is from page four and it strikes me as contradictory and dangerously hypocritical (sorry Bowen)

Page 4

"...tampering with optical scan equipment...can be readily detected and corrected through hand counting of the optical scan paper ballots marked and directly verified by voters."

[WDNC]: First of all, this begs acceptance of the vulnerability. With various exploits described as difficult or impossible to detect, there is no justification for guaranteeing detection, let alone correction, with opscans. This puts an undue burden on the People whose rights are not being secured here, as a government is charged to do. Rules and regulations trying to promote public oversight must first clear the view with a more transparent method of counting votes.

Page 4

"...studies have shown that many voters do not review VVPAT [Voter Verified Paper Audit Trail] records and that test voters who do review VVPAT records do not detect many discrepancies that have been intentionally introduced..."

Page 5

"In order to provide accessible balloting to voters with disabilities in compliance with HAVA, jurisdictions may use no more than one AccuVote-TSx per polling place on Election Day."

[WDNC]: This refers to the touch screen models, not used in Humboldt. Registrars have been complaining about this and it is easy to understand why. They are either going to have massive logjams of voters all trying to vote on one machine where there used to be several or many, or they will urgently have to buy many new optical scanners, or they will have to resort to hand-counting.

Page 5

Requires "a 100% manual count of all votes cast on an AccuVote-TSx."

[WDNC]: This is astounding. Hand-counting 100% of the votes defeats the purpose of having the machine count them. My assumption is that Bowen is trying to discourage use of the touch screen machines and so the hope would be for relatively few votes cast this way in need of being hand-counted.

Page 6

"Before any use in the February 5, 2008, Presidential primary election, jurisdictions must reinstall all software and firmware (including reformatting all hard disk drives and reinstalling the operating system where applicable) on all election management system servers and workstations, voting devices and hardware components of the voting system. Voting system application software must be reinstalled using the currently approved version obtained directly from the federal testing laboratory or the Secretary of State."

Page 7

"Within 30 days of the date of this document, the vendor must develop and submit to the Secretary of State for approval, a plan and procedures for timely identification of required security updates (e.g., operating system security patches, security software updates, etc), vendor testing of the updates, and secure distribution and application of vendor-approved security updates."

[WDNC]: Why should we have confidence in the machines in their newly approved form when the expectation is that more security flaws will be found? Avi Rubin makes a similar observation. This page also inexplicably allows for networking, though it does have the modem prohibition. It also makes reference to the two-person rule which I believe goes back to the Feb. 2006 VSTAAB report, which recommends that optical scanners and memory cards never be in anyone's sole possession. This would seem to preclude sleepovers; however, page 9 seems to allow poll workers to take home machines prior to Election Day.

Page 8

"Upon request, members of the public must be permitted to observe and inspect, without physical contact, the integrity of all externally visible security seals used to secure voting equipment in a time and manner that does not interfere with the conduct of the election or the privacy of any voter."

[WDNC]: This looks great on paper but we've seen Registrars plainly obstruct the access of citizens to their Democracy. This should carry a severe criminal penalty. Page 8 also requires posting of poll tapes, another apparent victory that in reality carries no weight. As the VCC learned last November, precinct poll tapes are useless when the County never provides as a basis for comparison raw precinct scanner data that has not been combined with absentee or other ballots not cast on the scanner in the precinct on Election Day.

Page 8

"Any post-election auditing requirements imposed as a condition of this certification shall be paid for by the vendor. Jurisdiction users are required to conduct the audits and the vendor is required to reimburse the jurisdiction."

[WDNC]: I'm getting near the end now. Just a few more stray notes, such as page 9 continuing the requirement (begun under McPherson?) that counties submit a post-election problem report to the SoS. Page 10 describes how to deal with machines whose security has been compromised, and also machines that have been rebooted or which have rebooted themselves. The bottom of page 11 and the top of page 12 are a bit troublesome. They attempt to put vendors on the hook for warrantying their equipment, but all they really do is say vendors have to stand by their word and repair equipment at their expense when they have been caught lying again. This is not nearly strict enough. Finally, page 12 expands the requirement for vendors to give the SoS a copy of the source code, in addition to placing a copy in escrow.

So, what have we learned about elections lately?

Permalink:
http://wedonotconsent.blogspot.com/2007/08/what-have-we-learned-about-elections.html


Posted by Dave Berman - 11:34 PM

Monday, July 30, 2007

Bowen Review Lights Up Humboldt Media

Following up on Friday night's post (Bowen's Red Team Compromises Each Voting System Tested) where I excerpted from the Diebold report, (much later) tonight I will present several items from the Hart Intercivic report, which also has relevance here in Humboldt. But first, a check of the local media.

The Eureka Times-Standard was first out of the gate on Saturday morning (archive). There are two things I have to point out about this article. The story's lede sets the stage:

Local election systems may be vulnerable to hackers
James Faulk/The Times-Standard
Article Launched: 07/28/2007 04:21:31 AM PDT

EUREKA -- A team of University of California computer scientists were able to hack into several voting systems used by California counties, including the two systems currently used in Humboldt County, the secretary of state announced Friday.
I don't know that Faulk could have written a more straight up or accurate intro to this story. It makes it clear that hackers ARE able to hack into Humboldt voting systems. Then why does the headline say merely that the machines MAY be vulnerable to hackers?

The second comment I have about this article pertains to the last two paragraphs:
Humboldt County Registrar of Voters Carolyn Crnich said it's unclear under what conditions the tests were prepared.

"It's my understanding that the red team attacks that were made during the top-to-bottom review did not take into consideration the security efforts or guidelines that had been added by former Secretary of State Bruce McPherson -- so whether or not the systems could be penetrated with those other security guidelines in place, I don't know," Crnich said.
As I noted in the comments on the T-S website, the introduction of this report dismisses the Registrar's dodge:
In developing our attacks, we made no assumptions about constraints on the attackers. "Security through obscurity" – or the practice of assuming a veneer of security by relying on attackers not having access to protocol specifications or of using tools that are perceived to be difficult to acquire – is not an acceptable option for any system that can't afford to have its security compromised. Our study examined what a dedicated attacker could accomplish with all possible kinds of access.
Quoting myself from the T-S site...The greatest threat to our election systems comes not from an individual voter, but rather from insiders at the elections department or working for the machine vendor (Diebold). These are the people with the greatest access to these exploits who can secretly make large scale changes that will never be detected...I go on to say some other things but that's the gist for this post.

Now, the next article to land will be in Tuesday's Eureka Reporter. The story has been online for maybe an hour now. It is kind of strange. There is no byline and I'm the only person quoted other than a Bowen press release. The headline is: "Audit standards review group releases report." This refers to yet another component of Bowen's Top To Bottom Review (TTBR). Check out the 38-page report as a .pdf here. This article is comprised almost entirely of excerpts from the report and then concludes with quotes from me.

I believe the person who called me said her name was Laura. She sounded young and a little uncertain. She told me former elections beat writer Rebecca S. Bender had left the paper as of Friday last week. I knew about this because a few months ago at an Election Advisory Committee meeting, David Cobb inadvertently "outed" Rebecca's planned departure before she really wanted people to know. I had no reason to mention it until now but I do wish her well. So anyway, Laura asked for a comment on this new standards review report that came out today. I declined to comment since I hadn't read it. She then asked about the other related reports and we had a more general conversation about what is happening. Here's what she used:
Though he had not yet seen the report, Dave Berman, one of the founding members of the local Voter Confidence Committee, said he is aware that other studies have been conducted recently regarding the voting process in California, and said he looks forward to Bowen's announcement on Friday as to what action she plans to take.

Berman said the Voter Confidence Committee promotes the idea of handcounting 100 percent of the ballots the first time around and recounting 10 percent for the audit. He said simply increasing the percentage recounted in the audit is like "putting a Band-Aid on a gunshot wound" when the first count is performed by machines.
It seemed out of place at the end of this article but then I'm not sure I've ever had a better quote!

Hank Sims from The Journal and also KHUM called me today too, presumably for his Town Dandy column due out on Wednesday. We actually spoke twice, and in between he spoke with Registrar Crnich. That made our second chat very interesting. During that time he also got to look at something I am now making public for the first time.

This is a spreadsheet that allows you to enter different variables, such as how many precincts are in your county and the average number of ballots cast per precinct. Taken together, the numbers you enter then produce an estimate of how many ballot counters you need and what it will cost to pay them to do an all hand-count election. The Voter Confidence Committee will be incorporating this great new tool into the next iteration of our Report on Election Conditions in Humboldt County, CA. I don't know when that will happen. Meanwhile, election integrity advocates working for HCPB anywhere will find this tool useful. We all owe a debt of gratitude to Nancy Tobi and Democracy For New Hampshire. It is their recent presentation that provided me with the formula for creating the calculator. [NOTE: The presentation was actually made by NH Assistant Secretary of State Anthony Stevens – WDNC regrets the error.]

I have a feeling that after I've heard from a few people about the calculator I'll probably want to make it the centerpiece of another post instead of burying this announcement 80,000 paragraphs under the sea. At any rate, back to Hank Sims.

He asked me if I felt vindicated by these new reports. I told him I would not use that word. It suggests I had previously been thought wrong but now stand affirmed. The truth is that the findings of Bowen's TTBR explicitly state that previous exploits were again confirmed. Anybody coming around to these findings of fact really can't plausibly explain previously thinking otherwise.

Sims informed me that Registrar Crnich took a position with him that was similar to the one she took in the T-S piece above. Having already addressed this once, I realized it wasn't just sounding familiar from the Registrar. Moments before I got the first Sims call, I was looking at a document I had just received from the indefatigable Tom Courbat of Sav-R-Vote in Riverside County, CA. Click here for "the corporate line" by Sequoia, attempting to explain away all the findings of Bowen's Red Team members. I never did finish reading it, but its "those aren't the droids you're looking for" tone pretty much parallels what our Registrar was trying to pull off.

Plain and simple: there is no way to spin these reports to make the machines look good. Their time has passed. We've reached a tipping point of public consciousness where secret vote counting machines are completely unacceptable and public officials who continue to defend them do so at the risk of their own credibility.

Finally, as promised at the beginning of this marathon post, here are excerpts from Bowen's Red Team report on Hart Intercivic. These first two passages are identical to wording in the Diebold report. There are several other passages in common.
page 1

In developing our attacks, we made no assumptions about constraints on the attackers. "Security through obscurity" – or the practice of assuming a veneer of security by relying on attackers not having access to protocol specifications or of using tools that are perceived to be difficult to acquire – is not an acceptable option for any system that can't afford to have its security compromised. Our study examined what a dedicated attacker could accomplish with all possible kinds of access.

p.10

Our study was constrained by the short time allowed. The vulnerabilities identified in this report should be regarded as a minimal set of vulnerabilities. (emphasis in original)

p.11

The Red Team, working in close conjunction with the 2007 TTBR Hart Source Code Team, discovered that the Hart EMS software implicitly trusts all communication coming from devices appearing to be Hart-branded and neither authenticates the devices nor performs adequate input validation on data transmitted to it by the devices. This allows for the possibility that a compromised device, such as an eScan that had been tampered with at a polling station, could infect the EMS systems. In particular, the Source Code Team discovered a weakness in the code that would allow an eScan to perform a buffer overflow attack and execute arbitrary code on the computer running SERVO.

...

The team was also able to access device-level menus that should be locked with passwords but were not. This access could allow an attacker a vector for altering configuration settings and/or executing a denial of service on the eScan.

Some of the findings from previous studies on precinct count optical scanners were replicated on the eScan, and they allowed the Red Team to maliciously alter vote totals with the potential to affect the outcome of an election. These attacks were low-tech and required tools that could be found in a typical office.

The Red Team implemented an attack devised by the 2007 TTBR Hart Source Code Team that was able to extract election-sensitive information from the eScan and issue administrative commands to the eScan. The leaked information would allow an attacker the ability to execute further attacks, while administrative commands issued to the eScan could erase electronic vote totals and audit records from an eScan while putting it out of service for the remainder of the Election Day. For more details on these attacks, please see the 2007 TTBR Hart Source Code Team report.

3. JBC
The Red Team verified previous findings on the JBC regarding access code generation and also discovered that a surreptitious device could issue commands that caused the JBC to authorize access codes. If the JBC is in early voting mode, it will not print receipts for the access codes issued. If the JBC is in regular election mode, it prints a receipt each time an access code is issued. When in early voting mode, an attacker could attach the surreptitious device to the JBC. (Note: the surreptitious device is easily concealable in one hand.) After waiting for about a minute, while all possible access codes are issued, the attacker could then proceed to cast multiple ballots using any access codes.

Additionally, the team expanded on previous findings that the MBB in the JBC is vulnerable to tampering during an election. Extracting the MBB from within the JBC during an election and tampering with it without detection would probably require poll worker access, but the team was able to prove that this access would be sufficient to alter vote totals – and in such a manner that it would not be detected in the course of normal operation, though a very thorough audit might reveal it. Furthermore, the team found that post-election MBB tampering safeguards (by which we mean only the technological safeguards, not procedural safeguards such as the use of tamper-evident seals) are insufficient to guarantee that such tampering would be detected. Thus, the team is confident that post-election MBB tampering would succeed in many, if not all, instances.

Finally, the Red Team collaborated with the 2007 TTBR Hart Source Code Team to decode the protocol used for communication between the JBC and eSlates. This protocol does not authenticate the devices on the bus (the communication line), so all communication is considered trusted. The teams were able to intercept the communication, but they were unable to get an exploit working to interrupt or manipulate the communication; this, again, was due to time constraints. Full details of this work can be found in the 2007 TTBR Hart Source Code Team report. The teams are confident that, given more time, they could craft a device that could maliciously alter vote totals and violate voter privacy.

p.14

IV. Successful Attack Scenarios

The following attack scenarios were successfully carried out in the laboratory environment of the Secretary of State’s testing facility.

1. Attack Scenario 1
In this scenario, a malicious voter prepares a surreptitious device and brings it with her to the polling station during early voting. She registers as usual and is issued an access code. Before she leaves the registration table, however, she quickly connects her device to the JBC and converses with the poll workers for a brief time—thirty to forty seconds should suffice. She proceeds to an eSlate and casts a ballot normally. She then enters arbitrary access codes and casts ballots at will, continuing to do this for as long as she suspects she will be unchallenged in the voting booth, casting an arbitrary number of ballots. This results in an electronic ballot box stuffing attack.

In an early voting situation, when the JBC doesn't print out a ballot access receipt each time an access code is issued, the Polls Suspended Report (automatically printed by the JBC) will indicate an unusually large number of access codes issued and more ballots cast than voters who checked in at the registration desk when polling concludes. In regular election mode, this problem would likely be detected much sooner, since the JBC is designed to print a ballot access receipt each time an access code is issued by the machine.

2. Attack Scenario 2
In this scenario, a malicious poll worker finds an opportunity after the close of polls to alter the contents of the MBB using his personal laptop. The attacker identifies ballots containing votes for a candidate he doesn't want to win the election and overwrites those ballots with records containing votes for a candidate he does want to be successful. After tampering with the MBB, the attacker replaces it in the expected chain of custody. The technological safeguards for detecting this tampering are insufficient and can, by default, go unobserved. This results in altered vote totals that can only be detected in the event of a manual recount of eSlate VVPAT records.

3. Attack Scenario 3
In this scenario, a malicious observer uses a remote device to capture the audio narration – including the narration associated with a voter's actual voted ballot – from an eSlate with audio capabilities. She is able to observe voters walking up to the eSlate and match them to the audio narration she is capturing, allowing her to violate a voter's right to privacy by linking voters to their vote selections.

...

p. 16

VI. Conclusions
Although the Red Team did not have time to finish exploits for all of the vulnerabilities we discovered, nor to provide a complete evaluation of the Hart voting system (System 6.2.1), we were able to discover attacks for the Hart system that could compromise the accuracy, secrecy, and availability of the voting systems and their auditing mechanisms. That is, the Red Team has developed exploits that – absent procedural mitigation strategies – can alter vote totals, violate the privacy of individual voters, make systems unavailable, and delete audit trails.
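The report excerpts above name the signal that exposes each of the first two scenarios: a Polls Suspended Report showing more access codes issued and more ballots cast than voters who checked in, and electronic totals that differ from a manual count of VVPAT records. The reconciliation below is an added example, not code from the Red Team report or from Hart; the record layout, field names and all sample figures are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Finding = namedtuple("Finding", "check detail")


@dataclass
class PollingPlaceRecord:
    """End-of-day figures for one polling place (hypothetical layout)."""
    name: str
    voters_checked_in: int       # registration-desk roster
    access_codes_issued: int     # from the JBC Polls Suspended Report
    ballots_cast: int            # from the JBC Polls Suspended Report
    electronic_totals: dict = field(default_factory=dict)  # tallies read from the MBB
    vvpat_hand_count: dict = field(default_factory=dict)   # manual count of VVPAT records


def reconcile(rec):
    """Return the list of discrepancies found for one polling place."""
    findings = []

    # Scenario 1 signal: codes or ballots outnumber the people who checked in.
    if rec.access_codes_issued > rec.voters_checked_in:
        findings.append(Finding(
            "access_codes_exceed_checkins",
            f"{rec.access_codes_issued} codes issued for "
            f"{rec.voters_checked_in} check-ins"))
    if rec.ballots_cast > rec.voters_checked_in:
        findings.append(Finding(
            "ballots_exceed_checkins",
            f"{rec.ballots_cast - rec.voters_checked_in} more ballots than check-ins"))

    # Scenario 2 signal: overwritten ballots leave the ballot count unchanged,
    # so only a per-candidate comparison against the paper records shows it.
    if not rec.vvpat_hand_count:
        findings.append(Finding(
            "no_paper_count", "electronic totals not verified against VVPAT"))
        return findings
    candidates = sorted(set(rec.electronic_totals) | set(rec.vvpat_hand_count))
    for candidate in candidates:
        electronic = rec.electronic_totals.get(candidate, 0)
        paper = rec.vvpat_hand_count.get(candidate, 0)
        if electronic != paper:
            findings.append(Finding(
                "tally_mismatch",
                f"{candidate}: electronic {electronic}, paper {paper} "
                f"({electronic - paper:+d})"))
    return findings


# Constructed sample data: one clean site, one matching Scenario 1
# (early voting, extra codes and ballots), one matching Scenario 2
# (counts reconcile, but votes were moved between candidates).
SAMPLE_RECORDS = [
    PollingPlaceRecord("Site 1", 150, 150, 150,
                       {"Candidate A": 90, "Candidate B": 60},
                       {"Candidate A": 90, "Candidate B": 60}),
    PollingPlaceRecord("Site 2 (early voting)", 120, 900, 133,
                       {"Candidate A": 80, "Candidate B": 53},
                       {"Candidate A": 80, "Candidate B": 53}),
    PollingPlaceRecord("Site 3", 200, 200, 200,
                       {"Candidate A": 130, "Candidate B": 70},
                       {"Candidate A": 100, "Candidate B": 100}),
]


def audit(records):
    """Map each polling place name to its findings, omitting clean sites."""
    report = {}
    for rec in records:
        findings = reconcile(rec)
        if findings:
            report[rec.name] = findings
    return report


if __name__ == "__main__":
    for site, findings in audit(SAMPLE_RECORDS).items():
        for f in findings:
            print(f"{site}: {f.check}: {f.detail}")
```

Site 3 passes every count-based check and is flagged only by the paper comparison, which matches the report's statement that the Scenario 2 tampering can only be detected by a manual recount of VVPAT records.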

Permalink:
http://wedonotconsent.blogspot.com/2007/07/bowen-review-lights-up-humboldt-media.html


Posted by Dave Berman - 11:09 PM

Saturday, July 28, 2007

San Francisco Considers Hand-Counting Paper Ballots (Guest Blog By Jane Allen)

Guest blogged by Jane Allen in San Francisco

According to a recent article in the San Francisco Chronicle, the city is headed for another disaster.

"Earthquake predictions?" you ask. No. This is about the November 2007 election and the city's lack of a certified voting system.

The July 25, 2007 story states that election officials in San Francisco, along with those in California Secretary of State Debra Bowen's office, "are scrambling to find a way to keep the city from having to count more than 200,000 ballots by hand" and calls it "a nightmare process that could drag on for weeks." John Arntz, San Francisco's Director of Elections, was quoted as saying, "There's a very realistic possibility we'll be doing a hand count."

Just one of several disconnects around San Francisco's vote-counting saga is this: at the July 18 Elections Commission meeting, Mr. Arntz seemed rather unconcerned about this issue, saying, "A hand count is not the plan," and "it is most likely" that San Francisco will use the ES&S Optech Eagle (the present, uncertified system) for the November election.

How can it be that Mr. Arntz was, at a meeting last week, unaware of the "nightmare" described by John Wildermuth of the Chronicle? Is the Chronicle indulging in hyperbole? Did Mr. Arntz get a very sudden wake-up call? Or is Mr. Arntz speaking out now to push the Sequoia Voting Systems contract approval, despite a February 2007 thumbs down from the Board of Supervisors?

Looking at the larger picture, maybe that "nightmare" is already here?

The four-year $12.6 million contract with Sequoia for uncertified equipment (negotiated by Arntz) was not approved because, the supes said, Sequoia must publicly disclose the source code. Sequoia declined. Supposedly, negotiations over that are continuing, so it's still on the table ... or maybe at least on the floor next to the table? At the July 18 meeting, Mr. Arntz again expressed his hope that the contract would be approved. With the election only three months away, it sounded like he still can't let go of the fantasy of Sequoia riding to the rescue. (While he was negotiating with Sequoia, public comment at Elections Commission meetings repeatedly urged him to specify open source code. He ignored those pleas, and then -- oops -- the Board of Supervisors demanded the same.)

Mr. Arntz's June 28, 2007 memo to the mayor and supervisors ("Brief Overview of Manually Counting and Tallying Votes for November 6, 2007 Election") gave no cost estimate for a hand count. But in a May 18, 2007 San Francisco Examiner story, he placed that number at "roughly $1 million," which may be quite a bargain compared to the Sequoia deal.

As for the hand-count "nightmare," New Hampshire – yes, the entire state – routinely hand-counts 20% of all ballots on election night, according to Democracy for New Hampshire. In November 2004, New Hampshire recorded 676,227 votes in the presidential race, meaning about 135,000 were tallied by hand. Won't San Franciscans be willing/able to step up and count November’s expected 200,000 ballots?

Adding another bit of mess to this scenario, Brent Turner of the Election Defense Alliance (EDA) mentioned at June and July Elections Commission meetings that Sequoia plans to sue San Francisco over the unapproved contract. Brent said Steve Bennett of Sequoia had made that threat.

So here's what we've got:

- uncertified, old ES&S equipment that may or may not be used to run the November election;

- an ES&S breakdown rate (requiring tech support) of about 25% in June 2006 and 35% in November 2006 -- so those machines are increasingly looking like more trouble than they're worth;

- the Secretary of State trying to work out some sort of accommodation on the ES&S certification issue;

- on July 18 Mr. Arntz sounding pretty optimistic about the SoS giving some kind of OK to ES&S, thus avoiding a hand count;

- a week later, a gloom and doom article from the Chronicle with Mr. Arntz saying a hand count is a "realistic possibility";

- ES&S officials, according to Mr. Arntz, not responding to his phone calls (although others -- Commissioner Townsend and EDA's Brent Turner -- report reaching Lou Dedier, a VP of ES&S, with no problem);

- ES&S consistently ignoring requests to appear at Elections Commission meetings (will they show up on election day? – it's anybody's guess);

- Sequoia possibly going to sue the city/county of SF if their contract isn't approved;

- no sign of Mr. Arntz making comprehensive contingency plans for putting together a hand-counted election; and

- the Elections Commission, at the July 18 meeting, voting to recommend renewal of Mr. Arntz's employment contract.

A hand count could turn out to be the least of our worries.

Permalink:
http://wedonotconsent.blogspot.com/2007/07/san-francisco-considers-hand-counting.html


Posted by Dave Berman - 12:23 AM

Friday, July 27, 2007

Bowen's Red Team Compromises Each Voting System Tested

The big announcements will be next Friday, August 3, when California Secretary of State Debra Bowen will reveal decisions on certifications for the various "election machines" used in CA. She is holding a public comment session in Sacramento on Monday, and today issued a press release called "Independent Computer Expert Teams Release Findings in Top-to-Bottom Voting System Review Ordered by Secretary of State Debra Bowen." On the Secretary's website, this page has links to various different reports within the overall review. There are separate reports on the testing of Sequoia, Hart Intercivic, and Diebold, which is the only one I've read so far because it applies here in Humboldt County. The headline of this blog post says it all. I think this report is going to be as important as such landmark documents as the Hursti Hacks, and the Berkeley VSTAAB Report. Here are just a few assorted excerpts from the 17-page Diebold report:

page 10

Our study was constrained by the short time allowed. The vulnerabilities identified in this report should be regarded as a minimal set of vulnerabilities. (emphasis in original)

...

still page 10

The GEMS server is on a local area network (LAN) with other Diebold components, and this LAN is supposed to be isolated. However, even Diebold documentation reports that this requirement is not always met. Therefore, attacks via Ethernet against the GEMS server could reasonably be executed by personnel with physical access to the networking components (hubs/switches) in the isolated LAN or— if the Diebold LAN were intentionally or unintentionally connected to a public internet connection—by remote attackers.

a. Windows Vulnerabilities
The Red Team performed vulnerability scans against the GEMS server. The results identified multiple vulnerabilities; primarily, these vulnerabilities existed because the Windows 2000 server (configured by the Diebold technicians) was not properly patched[3]. After noting these vulnerabilities, the Red Team was able to download an exploit from a free public repository of well-known and documented exploits. This exploit gave the Red Team access of a Windows Administrator on the GEMS server.

[3] Even if the Red Team had been expected to make other system configuration changes in order to make the GEMS server consistent with Diebold configuration documents, it would have been highly unreasonable for Diebold to expect the Red Team to patch Windows 2000 Server.

Additionally, the Red Team noted that most standard Windows logging capabilities were either disabled or enabled in very limited states in the configuration provided by Diebold. This means that most malicious actions taken by attackers would not be traceable. More detail on the auditing configuration of this system is available in the report prepared by the 2007 TTBR Diebold Documentation Review Team.

Finally, the Red Team uncovered evidence that Diebold technicians created a remotely-accessible Windows account that, by default configuration (according to the Diebold documentation), can be accessed without the need to supply a password. There is evidence to suggest that this account is intended to be used by TSx units for dial-in access at the close of polls on Election Day, but the documentation for election officials never mentions this particular account by name. An attentive system administrator would notice the account. However, the responsibility should not be on election officials to discover remotely-accessible Windows accounts and act appropriately to ensure those accounts are not inappropriately accessed. Devices, as delivered to customers, should only have accounts that are well-documented and remote access that is necessary for the needs of the particular county. Undocumented remotely-accessible logins are contrary to generally-accepted security practices.

b. GEMS Databases
The Red Team used Windows Administrator access on the GEMS server to manipulate and corrupt GEMS databases. These actions could result in manipulated vote totals or in the inability to read previously-generated ballot definitions if no valid database backups were available (whether because the backups were not made or because the backups had also been corrupted). On election night, the inability to read results from the deployed TSx and AV-OS devices could render an election impossible to complete electronically. In this case, a hand count of paper ballots and VVPAT records would be the only option for deducing the intent of the voters who turned out on Election Day.

c. GEMS Audit Logs
The Red Team found methods for executing actions from within the GEMS server that could not be tracked by the GEMS audit logs, allowing malicious GEMS users to conceal actions they had taken while logged in. Additionally, the Red Team noted that one of the standard functions offered by GEMS is the ability for a GEMS administrative user to change the username of her account. This is a non-standard computing practice, and it could potentially be used by a rogue administrator to implicate another GEMS user (i.e. other elections personnel).

...

page 12

2. GEMS Server Networking Components
Using information gained from access obtained as the Windows Administrator user, the Red Team was able to guess the authentication credentials for the networking hardware supplied by Diebold, and gain root access on these devices. These root accesses would provide sufficient access for an attacker to manipulate every setting on the networking devices and on the server. Additionally, the Red Team was able to use this access on the GEMS server to install the drivers for a USB wireless dongle. This small device was then planted on the back of the server, ensuring remote access to the GEMS server even

3. Precinct Count AV-OS
The Red Team was able to verify the findings of some previous studies on the AV-OS unit; the impact of these was to alter vote totals in order to change the vote results on that machine.

Everything about GEMS and the AV-OS applies to Humboldt County. There are a few items worth noting for the TSx touch screen machines used in other parts of the state.

page 12

4. TSx

a. TSx: Physical Security
The Red Team was able to violate the physical security of every aspect of the TSx unit, using only tools that could be found in a typical office. This guaranteed the access necessary to execute physical and electronic attacks.

b. TSx: Malware
The team verified previous findings regarding multiple avenues for overwriting system firmware and software as well as for the introduction of malware that would affect the current software. These avenues, when exploited, are a platform for altering vote totals to potentially change the outcome of an election. They could also be leveraged to violate voter privacy[4] or enact a denial of service on affected devices.

Of potentially greater concern, the introduction of malware into a TSx unit could spread virally into the GEMS server via format string errors in the GEMS software as identified by the team. TSx units use PCMCIA cards to store and transport election definitions and vote totals. When those vote totals are communicated back to the GEMS server (either by physical transfer of the PCMCIA card into a TSx unit connected directly to the server’s LAN or over a dial-in connection), an exploited TSx could virally infect the GEMS server. Future TSx and AV-OS units connected to the GEMS server could likewise be infected as ballot definition files are transferred via serial or Ethernet connection.

...

page 14

g. TSx: PCMCIA card
The Red Team verified the results of other studies, which found that modifications to the contents of the PCMCIA card could affect the accuracy of vote totals.

...

page 17

VI. Conclusions
Although the Red Team did not have time to finish exploits for all of the vulnerabilities we discovered, nor to provide a complete evaluation of the Diebold GEMS 1.18.24/AccuVote system, we were able to discover attacks for the Diebold system that could compromise the accuracy, secrecy, and availability of the voting systems and their auditing mechanisms. That is, the Red Team has developed exploits that – absent procedural mitigation strategies – can alter vote totals, violate the privacy of individual voters, make systems unavailable, and delete audit trails.

Well there you have it. Really nothing too surprising if you've been paying attention at all in the past several years. What is Bowen going to do? It seems unlikely she will compel the entire state to hand-count paper ballots, yet where is there room to compromise with the continued use of these so-called "election machines"?

By the way, San Francisco is one place that may already be closer to hand-counting than most people realize. Guest blogger Jane Allen has that story very shortly.
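The Windows Vulnerabilities excerpt above describes a remotely accessible account that needs no password and is not named in the documentation given to election officials. As an added example (not from the report or this blog), the Python check below parses `net user <name>` output and flags active accounts of that kind; the account name `example-dialin`, the sample output and the documented-account list are constructed assumptions.

```python
# Added example: flag active local Windows accounts that may have a blank
# password or are missing from the documented-account list.
import re

# Constructed sample of abbreviated `net user <name>` output per account.
SAMPLE_NET_USER = {
    "Administrator": """\
User name                    Administrator
Account active               Yes
Password required            Yes
""",
    "example-dialin": """\
User name                    example-dialin
Account active               Yes
Password required            No
""",
    "Guest": """\
User name                    Guest
Account active               No
Password required            No
""",
}

# Hypothetical list of accounts named in the documentation for officials.
DOCUMENTED_ACCOUNTS = {"Administrator", "Guest"}

def parse_net_user(text):
    """Turn `net user <name>` output into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        # Field name and value are separated by two or more spaces.
        m = re.match(r"^(\S.*?)\s{2,}(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def audit_accounts(outputs, documented):
    """Return sorted (account, issue) findings for active accounts."""
    findings = []
    for name, text in outputs.items():
        f = parse_net_user(text)
        if f.get("Account active", "").lower() != "yes":
            continue  # a disabled account cannot be used to log on
        if f.get("Password required", "").lower() == "no":
            findings.append((name, "may have a blank password"))
        if name not in documented:
            findings.append((name, "not listed in the documentation"))
    return sorted(findings)
```

On the constructed data, `audit_accounts(SAMPLE_NET_USER, DOCUMENTED_ACCOUNTS)` reports only `example-dialin`, once for each issue; the disabled `Guest` account is skipped even though it does not require a password.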

Permalink:
http://wedonotconsent.blogspot.com/2007/07/bowens-red-team-compromises-each-voting.html


Posted by Dave Berman - 11:03 PM