Thursday, December 20, 2007
NY Judge Threatens To Jail NY Board of Elections (Was He Just Kidding?)
A quick search of Google News this morning just after 9am Humboldt Standard Time turned up this brief Newsday article posted just moments before (NOTE: the article currently at this link is an updated and much longer version): http://tinyurl.com/ynwtwo
Judge says NY must comply with voting machine law by Jan. 4
12:03 PM EST, December 20, 2007
ALBANY, N.Y. - A federal judge is giving New York until Jan. 4 to comply with a federal election law to make voting more accurate and easier.
U.S. District Court Judge Gary Sharpe spent much of a court hearing Thursday expressing his disgust with the state for its failure to meet the requirements of the Help America Vote Act while every other state took action. He reminded officials several times he could jail members of the state Board of Elections for contempt of court.
If the state doesn't act by Jan. 4, Sharpe says he will consider establishing a "special master" -- perhaps Gov. Eliot Spitzer -- to force the state into compliance with the law, which was enacted after the contested 2000 presidential election.
That seems pretty heavy duty. Will members of the NY Board of Elections really be jailed? According to Election Defense Alliance attorney Jonathan Simon, who was in the Albany courtroom this morning, "the threat to jail the Board members was a rhetorical flourish, not a literal threat. It was more of the nature of, look, here is what my powers are, here is the scope of my options."
Simon tells me the judge was clearly frustrated and angry and rejected the role of having to become involved in choosing voting systems. "The Judge wants a definitive plan as opposed to competing plans from the Republican and Democratic parties, which essentially become delay tactics. From the Judge's standpoint it is about getting it done and getting it done now. It is not about whether HAVA is good or bad or what other states are doing."
Was the hard work of the NY amici all for naught? It certainly doesn't appear to have influenced the Judge in our favor. But he didn't completely ignore us either. He took the time to slowly read the names of supporting organizations, "dealing with them in a formally respectful way," said Simon. Then adding, "but with a hint of derision."
Simon described "near-stroke" laughter from the Judge, "mocking California or Pennsylvania for trying to tell New York how it should run elections. What struck me," continued Simon, "was what he didn't get (and he had a lot on the ball) but what he didn't get was why everyone was weighing in, choosing not to acknowledge the national repercussions and why this transcended the timing or particulars of the state. To the judge it was cut and dry. He wants to see HAVA compliance and it appears and he was aligned with the DOJ argument."
Politics on the Hudson, a blog written by reporters and editors from Westchester, Rockland and Putnam counties, as well as Albany and Washington, reports that Judge Sharpe "berated state elections officials" and "said the situation makes him 'embarrassed' to be a New Yorker." The PotH article concludes:
In a speech tinged with hyperbole, Sharpe asked if he needed to do what the late President Dwight D. Eisenhower did in 1957—call out the National Guard to force compliance with a federal court order. In that case, the military was sent to Little Rock, Ark., to enforce school desegregation. Black students were being blocked from entering a high school there.
"We didn’t let Little Rock, Ark., thumb its nose at the country, and we're not going to let New York thumb its nose at the country," he said.
So what about the copious evidence of machine failure and NY's high standards for certifying voting systems? Forgive me, but, Simon says, "The Judge doesn't care that no systems jibe with state requirements. Federal law trumps state. Federal law is preemptive. The judge is prioritizing meeting federal requirements, no matter how poorly conceived, rather than trying to satisfy state certification requirements."
As for what to expect next, Simon reports the Judge made a potential concession and may allow rolling compliance to occur through 2008, provided a firm plan for full compliance is in place for after that. Simon added: "NY has to come back by January 4 with a definitive plan. Since the Democrats' plan is the plan that has the most definitive time table, there was a strong urging that the plan should be modeled after the Democrats' "Zalen" plan."
Aside from what sounds like the spectacle of it all, this outcome can't really come as too much of a surprise. But it isn't the end for the work of the NY amici. The combined effort in detailing and forecasting the logistics of hand-counting paper ballots across New York will serve the election integrity movement just as pivotal reports in the past have become oft-quoted sources (i.e. Hursti Hacks, Bowen's Top To Bottom Review, etc.).
This is also a national story with a big local hook here in Humboldt. Continuing the outreach I wrote about last night, this morning I left a message for the Journal's Hank Sims (and a second one at the end of the day) and another for James Faulk at the Times-Standard. A call to T-S editor Rich Sommerville then confirmed my hunch that Faulk wasn't the reporter I should be looking for. He referred me to Kimberly Wear, who I spoke with at the end of the day, only to learn that the VCC media advisory and press release had never crossed her desk. She asked that I e-mail same and we'll see about coverage in the next few days.
While nothing in the above paragraph should be construed as awesome progress, you may say what you will about this newscast (.mp3) this afternoon on KGOE. My next call after the newspapers was Tom Sebourn, who recorded me detailing the Newsday article, the amicus brief which creates the local angle here, and finally the plug for Friday's Peter B. Collins show on which both Humboldt Registrar of Voters Carolyn Crnich and I will be appearing between 5-6pm HST. Rather than paraphrasing what I called in to tell Sebourn, he actually broadcast a lot more of the news segment in my voice and words than I would have imagined. Score.
At noon, new Voter Confidence Committee webmaster(!) Paula Long and I met with some of the members of the Redwood ACLU. Their prepared agenda included discussing support for the VCC hand-count proposal. However, certain key people were not present. While those of us in the room did discuss at length much of what I hoped would be covered, ultimately revising their draft statement was tabled until their January 17 meeting.
At the end of the day I also called the Registrar, leaving her the second message in as many days offering to touch base with her prior to the Peter B. show in order to familiarize her with the updates to the hand-count forecast tool (.xls) created in front of her eyes and now used across the country. And so it grows. I have received adapted or spin-off versions of the spreadsheet from several people in recent weeks, most recently today from Brian Rothenberger who has done a tremendously detailed analysis of hand-count needs in Monterey County, CA. If he is making it publicly available I'll post a link here soon.
UPDATE/CORRECTION 12/25 4:25pm: Sincere apologies to Brian Rothenberger. His spreadsheet was developed completely independently of mine. He was not even aware of my work at the time he developed his model, which he has not made available online at this time. While our two spreadsheets are entirely different in approach, layout, and various other aspects, what they have in common with each other and several additional forecast spreadsheets circulating in the election integrity movement is the tactic of creating quantifiable projections for hand-counting paper ballots. Should Registrars everywhere be able to do this on their own? Of course. But have they done the work? It does not appear so, particularly here in Humboldt, which is why the VCC is intent on ultimately presenting forecasts based on our Registrar's assumptions. Thanks also to Brian for suggestions now included in my hand-count forecast tool (it is permanently archived there with a record of revisions embedded in comments).
Permalink:
http://wedonotconsent.blogspot.com/2007/12/ny-judge-threatens-to-jail-ny-board-of.html
Labels: ACLU, Carolyn Crnich, Election Defense Alliance, Hank Sims, James Faulk, Jonathan Simon, Judge Gary Sharpe, Paula Long, Politics on the Hudson, Rich Sommerville, US v NY Board of Elections, VCC
Wednesday, December 19, 2007
Advancing the HCPB Framing, Outreach and Media
Thursday's Eureka Reporter, online as of a few minutes ago, carries a solid report from Cerena Johnson on both the recent Voter Confidence Committee media advisory and press release, plus a phone interview conducted this morning. Excerpts:
The VCC is renewing the request for information following a meeting with Crnich in May and participation on the Nov. 30 Peter B. Collins radio show.
The VCC has developed a forecast tool that illustrates how hand-counting is possible, factoring in costs, time and required labor.
"The community can judge the viability of what we are proposing," VCC co-founder Dave Berman said.
Among many concerns, Berman said the main problem with the current system is that the voting machines operate in secret.
In a related matter, the VCC recently joined more than 30 election groups throughout the country in an amicus brief filed in the case of U.S. v. New York State Board of Elections, intended to enforce compliance with requirements in the Help America Vote Act of 2002.
(snip)
Berman and Crnich are scheduled to return on the Collins show, KGOE 1480 AM, Friday between 5 p.m. and 6 p.m.
Much of the article details the information we requested in the letter distributed with the media advisory. The best thing about this article, without a doubt, is the extension of the key new frame: let the public judge the viability of our proposal.
Johnson called me this morning before I had a chance to call her, as I intended. I did reach out to James Faulk at the Eureka Times-Standard but he has not yet returned my call. In addition, I left a voice message for Humboldt Registrar Carolyn Crnich just to be sure she knew I was also going to be on with Peter B. on Friday, but also to make sure she knows about the amicus brief (.pdf), and most importantly, to propose that we meet prior to Friday's broadcast so I could bring her up to speed on the many changes that have been made to the hand-count forecast tool (.xls). I told her I hope we can avoid appearing adversarial.
In further outreach efforts, tomorrow I'll be attending the regular monthly board meeting of the Redwood ACLU. Their agenda includes: "consideration of the request by the Voter Confidence Committee for support of a policy to require the use of hand-counted paper ballots in Humboldt County elections." I have attended several of their recent meetings and engaged them in dialog about the VCC Report on Election Conditions in Humboldt County. I have been shown a draft of a statement they are considering making with regard to a variety of election issues. However, it does not quite cover everything I would hope they might address so tomorrow's meeting is all about potential.
Finally, Dan Ashby of the Election Defense Alliance called me Tuesday afternoon to see if I could appear on the debut episode of EDA's new radio show. We made it happen and you can listen to the .mp3 archive here. Other guests on the program included Jonathan Simon, EDA attorney in the courtroom Thursday representing the NY amici, and also Mary Ann Gould, host of Voice of the Voters. This is one of many broadcasts archived on this page, which also includes a recent series hosted by Bev Harris of Black Box Voting. EDA also now has a page devoted to documents related to US v NY Board of Elections.
Permalink:
http://wedonotconsent.blogspot.com/2007/12/advancing-hcpb-framing-outreach-and.html
Labels: Carolyn Crnich, Cerena Johnson, Dan Ashby, Election Defense Alliance, Eureka Reporter, hcpb, James Faulk, Jonathan Simon, Mary Ann Gould, Peter B. Collins, Report on Election Conditions, VCC
Monday, July 30, 2007
Bowen Review Lights Up Humboldt Media
Following up on Friday night's post (Bowen's Red Team Compromises Each Voting System Tested) where I excerpted from the Diebold report, (much later) tonight I will present several items from the Hart Intercivic report, which also has relevance here in Humboldt. But first, a check of the local media.
The Eureka Times-Standard was first out of the gate on Saturday morning (archive). There are two things I have to point out about this article. The story's lede sets the stage:
Local election systems may be vulnerable to hackers
James Faulk/The Times-Standard
Article Launched: 07/28/2007 04:21:31 AM PDT
EUREKA -- A team of University of California computer scientists were able to hack into several voting systems used by California counties, including the two systems currently used in Humboldt County, the secretary of state announced Friday.
I don't know that Faulk could have written a more straight up or accurate intro to this story. It makes it clear that hackers ARE able to hack into Humboldt voting systems. Then why does the headline say merely that the machines MAY be vulnerable to hackers?
The second comment I have about this article pertains to the last two paragraphs:
Humboldt County Registrar of Voters Carolyn Crnich said it's unclear under what conditions the tests were prepared.
"It's my understanding that the red team attacks that were made during the top-to-bottom review did not take into consideration the security efforts or guidelines that had been added by former Secretary of State Bruce McPherson -- so whether or not the systems could be penetrated with those other security guidelines in place, I don't know," Crnich said.
As I noted in the comments on the T-S website, the introduction of this report dismisses the Registrar's dodge:
In developing our attacks, we made no assumptions about constraints on the attackers. "Security through obscurity" – or the practice of assuming a veneer of security by relying on attackers not having access to protocol specifications or of using tools that are perceived to be difficult to acquire – is not an acceptable option for any system that can't afford to have its security compromised. Our study examined what a dedicated attacker could accomplish with all possible kinds of access.
Quoting myself from the T-S site...
The greatest threat to our election systems comes not from an individual voter, but rather from insiders at the elections department or working for the machine vendor (Diebold). These are the people with the greatest access to these exploits who can secretly make large scale changes that will never be detected...
I go on to say some other things but that's the gist for this post.
Now, the next article to land will be in Tuesday's Eureka Reporter. The story has been online for maybe an hour now. It is kind of strange. There is no byline and I'm the only person quoted other than a Bowen press release. The headline is: "Audit standards review group releases report." This refers to yet another component of Bowen's Top To Bottom Review (TTBR). Check out the 38-page report as a .pdf here. This article is comprised almost entirely of excerpts from the report and then concludes with quotes from me.
I believe the person who called me said her name was Laura. She sounded young and a little uncertain. She told me former elections beat writer Rebecca S. Bender had left the paper as of Friday last week. I knew about this because a few months ago at an Election Advisory Committee meeting, David Cobb inadvertently "outed" Rebecca's planned departure before she really wanted people to know. I had no reason to mention it until now but I do wish her well. So anyway, Laura asked for a comment on this new standards review report that came out today. I declined to comment since I hadn't read it. She then asked about the other related reports and we had a more general conversation about what is happening. Here's what she used:
Though he had not yet seen the report, Dave Berman, one of the founding members of the local Voter Confidence Committee, said he is aware that other studies have been conducted recently regarding the voting process in California, and said he looks forward to Bowen's announcement on Friday as to what action she plans to take.
Berman said the Voter Confidence Committee promotes the idea of handcounting 100 percent of the ballots the first time around and recounting 10 percent for the audit. He said simply increasing the percentage recounted in the audit is like "putting a Band-Aid on a gunshot wound" when the first count is performed by machines.
It seemed out of place at the end of this article but then I'm not sure I've ever had a better quote!
Hank Sims from The Journal and also KHUM called me today too, presumably for his Town Dandy column due out on Wednesday. We actually spoke twice, and in between he spoke with Registrar Crnich. That made our second chat very interesting. During that time he also got to look at something I am now making public for the first time.
This is a spreadsheet that allows you to enter different variables, such as how many precincts are in your county and the average number of ballots cast per precinct. All together, the numbers you enter will then estimate how many ballot counters you need and what it will cost to pay them to do an all hand-count election. The Voter Confidence Committee will be incorporating this great new tool into the next iteration of our Report on Election Conditions in Humboldt County, CA. I don't know when that will happen. Meanwhile, election integrity advocates working for HCPB anywhere will find this tool useful. We all owe a debt of gratitude to Nancy Tobi and Democracy For New Hampshire. It is their recent presentation that provided me with the formula for creating the calculator. [NOTE: The presentation was actually made by NH Assistant Secretary of State Anthony Stevens – WNDC regrets the error.]
I have a feeling that after I've heard from a few people about the calculator I'll probably want to make it the centerpiece of another post instead of burying this announcement 80,000 paragraphs under the sea. At any rate, back to Hank Sims.
He asked me if I felt vindicated by these new reports. I told him I would not use that word. It suggests I had previously been thought wrong but now stand affirmed. The truth is that the findings of Bowen's TTBR explicitly state that previous exploits were again confirmed. Anybody coming around to these findings of fact really can't plausibly explain previously thinking otherwise.
Sims informed me that Registrar Crnich took a position with him that was similar to the one she took in the T-S piece above. Having already addressed this once, I realized it wasn't just sounding familiar from the Registrar. Moments before I got the first Sims call, I was looking at a document I had just received from the indefatigable Tom Courbat of Sav-R-Vote in Riverside County, CA. Click here for "the corporate line" by Sequoia, attempting to explain away all the findings of Bowen's Red Team members. I never did finish reading it, but its "those aren't the droids you're looking for" tone pretty much parallels what our Registrar was trying to pull off.
Plain and simple: there is no way to spin these reports to make the machines look good. Their time has passed. We've reached a tipping point of public consciousness where secret vote counting machines are completely unacceptable and public officials who continue to defend them do so at the risk of their own credibility.
Finally, as promised at the beginning of this marathon post, here are excerpts from Bowen's Red Team report on Hart Intercivic. These first two passages are identical to wording in the Diebold report. There are several other passages in common.
page 1
In developing our attacks, we made no assumptions about constraints on the attackers. "Security through obscurity" – or the practice of assuming a veneer of security by relying on attackers not having access to protocol specifications or of using tools that are perceived to be difficult to acquire – is not an acceptable option for any system that can't afford to have its security compromised. Our study examined what a dedicated attacker could accomplish with all possible kinds of access.
p.10
Our study was constrained by the short time allowed. The vulnerabilities identified in this report should be regarded as a minimal set of vulnerabilities. (emphasis in original)
p.11
The Red Team, working in close conjunction with the 2007 TTBR Hart Source Code Team, discovered that the Hart EMS software implicitly trusts all communication coming from devices appearing to be Hart-branded and neither authenticates the devices nor performs adequate input validation on data transmitted to it by the devices. This allows for the possibility that a compromised device, such as an eScan that had been tampered with at a polling station, could infect the EMS systems. In particular, the Source Code Team discovered a weakness in the code that would allow an eScan to perform a buffer overflow attack and execute arbitrary code on the computer running SERVO.
...
The team was also able to access device-level menus that should be locked with passwords but were not. This access could allow an attacker a vector for altering configuration settings and/or executing a denial of service on the eScan.
Some of the findings from previous studies on precinct count optical scanners were replicated on the eScan, and they allowed the Red Team to maliciously alter vote totals with the potential to affect the outcome of an election. These attacks were low-tech and required tools that could be found in a typical office.
The Red Team implemented an attack devised by the 2007 TTBR Hart Source Code Team that was able to extract election-sensitive information from the eScan and issue administrative commands to the eScan. The leaked information would allow an attacker the ability to execute further attacks, while administrative commands issued to the eScan could erase electronic vote totals and audit records from an eScan while putting it out of service for the remainder of the Election Day. For more details on these attacks, please see the 2007 TTBR Hart Source Code Team report.
3. JBC
The Red Team verified previous findings on the JBC regarding access code generation and also discovered that a surreptitious device could issue commands that caused the JBC to authorize access codes. If the JBC is in early voting mode, it will not print receipts for the access codes issued. If the JBC is in regular election mode, it prints a receipt each time an access code is issued. When in early voting mode, an attacker could attach the surreptitious device to the JBC. (Note: the surreptitious device is easily concealable in one hand.) After waiting for about a minute, while all possible access codes are issued, the attacker could then proceed to cast multiple ballots using any access codes.
Additionally, the team expanded on previous findings that the MBB in the JBC is vulnerable to tampering during an election. Extracting the MBB from within the JBC during an election and tampering with it without detection would probably require poll worker access, but the team was able to prove that this access would be sufficient to alter vote totals – and in such a manner that it would not be detected in the course of normal operation, though a very thorough audit might reveal it. Furthermore, the team found that post-election MBB tampering safeguards (by which we mean only the technological safeguards, not procedural safeguards such as the use of tamper-evident seals) are insufficient to guarantee that such tampering would be detected. Thus, the team is confident that post-election MBB tampering would succeed in many, if not all, instances.
Finally, the Red Team collaborated with the 2007 TTBR Hart Source Code Team to decode the protocol used for communication between the JBC and eSlates. This protocol does not authenticate the devices on the bus (the communication line), so all communication is considered trusted. The teams were able to intercept the communication, but they were unable to get an exploit working to interrupt or manipulate the communication; this, again, was due to time constraints. Full details of this work can be found in the 2007 TTBR Hart Source Code Team report. The teams are confident that, given more time, they could craft a device that could maliciously alter vote totals and violate voter privacy.
p.14
IV. Successful Attack Scenarios
The following attack scenarios were successfully carried out in the laboratory environment of the Secretary of State’s testing facility.
1. Attack Scenario 1
In this scenario, a malicious voter prepares a surreptitious device and brings it with her to the polling station during early voting. She registers as usual and is issued an access code. Before she leaves the registration table, however, she quickly connects her device to the JBC and converses with the poll workers for a brief time—thirty to forty seconds should suffice. She proceeds to an eSlate and casts a ballot normally. She then enters arbitrary access codes and casts ballots at will, continuing to do this for as long as she suspects she will be unchallenged in the voting booth, casting an arbitrary number of ballots. This results in an electronic ballot box stuffing attack.
In an early voting situation, when the JBC doesn't print out a ballot access receipt each time an access code is issued, the Polls Suspended Report (automatically printed by the JBC) will indicate an unusually large number of access codes issued and more ballots cast than voters who checked in at the registration desk when polling concludes. In regular election mode, this problem would likely be detected much sooner, since the JBC is designed to print a ballot access receipt each time an access code is issued by the machine.
2. Attack Scenario 2
In this scenario, a malicious poll worker finds an opportunity after the close of polls to alter the contents of the MBB using his personal laptop. The attacker identifies ballots containing votes for a candidate he doesn't want to win the election and overwrites those ballots with records containing votes for a candidate he does want to be successful. After tampering with the MBB, the attacker replaces it in the expected chain of custody. The technological safeguards for detecting this tampering are insufficient and can, by default, go unobserved. This results in altered vote totals that can only be detected in the event of a manual recount of eSlate VVPAT records.
3. Attack Scenario 3
In this scenario, a malicious observer uses a remote device to capture the audio narration – including the narration associated with a voter's actual voted ballot – from an eSlate with audio capabilities. She is able to observe voters walking up to the eSlate and match them to the audio narration she is capturing, allowing her to violate a voter's right to privacy by linking voters to their vote selections.
...
p. 16
VI. Conclusions
Although the Red Team did not have time to finish exploits for all of the vulnerabilities we discovered, nor to provide a complete evaluation of the Hart voting system (System 6.2.1), we were able to discover attacks for the Hart system that could compromise the accuracy, secrecy, and availability of the voting systems and their auditing mechanisms. That is, the Red Team has developed exploits that – absent procedural mitigation strategies – can alter vote totals, violate the privacy of individual voters, make systems unavailable, and delete audit trails.
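The detection points the excerpt names for Attack Scenarios 1 and 2 (the Polls Suspended Report counts and a manual VVPAT recount) can be run as one reconciliation. This is an added example, not code from the Red Team report or this blog; the record fields, finding codes, `reissue_allowance` parameter and all figures are constructed for illustration and are not Hart formats.

```python
from dataclasses import dataclass, field, replace


@dataclass
class SiteRecord:
    """End-of-day figures for one polling place (constructed layout)."""
    name: str
    mode: str                 # "early" or "regular" JBC voting mode
    voters_checked_in: int    # registration-desk roster
    access_codes_issued: int  # from the Polls Suspended Report
    receipts_collected: int   # access-code receipts (printed in regular mode only)
    ballots_cast: int         # electronic ballots recorded
    electronic: dict = field(default_factory=dict)  # candidate -> electronic total
    vvpat: dict = field(default_factory=dict)       # candidate -> manual VVPAT count


def reconcile(rec, reissue_allowance=0):
    """Return finding codes for one site; an empty list means every check agreed."""
    findings = []
    # Scenario 1: more access codes or ballots than voters who checked in.
    # reissue_allowance (assumption) tolerates codes legitimately reissued.
    if rec.access_codes_issued > rec.voters_checked_in + reissue_allowance:
        findings.append("EXCESS_ACCESS_CODES")
    if rec.ballots_cast > rec.voters_checked_in:
        findings.append("EXCESS_BALLOTS")
    # Regular mode prints one receipt per code, so the two counts must match.
    if rec.mode == "regular" and rec.receipts_collected != rec.access_codes_issued:
        findings.append("RECEIPT_MISMATCH")
    # Scenario 2: overwritten records keep the ballot count intact, so only a
    # per-candidate comparison against the paper trail can show the change.
    if rec.vvpat:
        for cand in sorted(set(rec.electronic) | set(rec.vvpat)):
            if rec.electronic.get(cand, 0) != rec.vvpat.get(cand, 0):
                findings.append(f"VVPAT_MISMATCH:{cand}")
    else:
        findings.append("NO_VVPAT_RECOUNT")
    return findings


# Constructed sample data.
CLEAN = SiteRecord("Precinct A", "regular", 412, 412, 412, 410,
                   {"Candidate X": 250, "Candidate Y": 160},
                   {"Candidate X": 250, "Candidate Y": 160})
# Early voting site after Scenario 1. Assumption: the extra ballots were cast
# on an eSlate, so the paper trail agrees with the inflated electronic totals.
STUFFED = SiteRecord("Early site B", "early", 120, 1000, 0, 180,
                     {"Candidate X": 100, "Candidate Y": 80},
                     {"Candidate X": 100, "Candidate Y": 80})
# Precinct after Scenario 2: every count reconciles, the totals do not.
OVERWRITTEN = SiteRecord("Precinct C", "regular", 300, 300, 300, 300,
                         {"Candidate X": 120, "Candidate Y": 180},
                         {"Candidate X": 170, "Candidate Y": 130})
# Same precinct with no manual recount performed: the change goes unseen.
UNAUDITED = replace(OVERWRITTEN, vvpat={})

if __name__ == "__main__":
    for rec in (CLEAN, STUFFED, OVERWRITTEN, UNAUDITED):
        print(rec.name, reconcile(rec) or "OK")
```

The count checks catch the ballot stuffing but pass the overwritten precinct, and the VVPAT comparison does the reverse, so neither check substitutes for the other.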
Permalink:
http://wedonotconsent.blogspot.com/2007/07/bowen-review-lights-up-humboldt-media.html
Labels: Debra Bowen, Diebold, Eureka Reporter, Eureka Times-Standard, Hank Sims, Hart Intercivic, James Faulk, KHUM, Rebecca S. Bender, The Journal, Voter Confidence Committee