Category: Electronic Vulnerability

Diebold Documentation – CA Top-To-Bottom Review

Debra Bowen has recently released the “Documentation Assessment of the Diebold Voting Systems”. Having served as a software buyer and as a product manager, I can attest that software documentation is almost always an afterthought, usually poor, hard to keep up to date, and expensive to do well. Its also a very boring and mundane topic for the average software developer and untechnical user.

Yet, don’t overlook this report. There are Gems (no pun intended) and very valuable insights available from the report. Below are several excerpts to hopefully entice some to read at least a few pages of the report:

conscientious local election officials attempting to master the Diebold system will find the documentation presents numerous impediments to their managing the voting system correctly, in a manner that achieves high accuracy, security, and other core objectives…

Pursuant to the federal standards, Diebold submitted to CIBER [Independent Testing Authority] a set of voting system security policies…A comparative analysis shows that the security policies Diebold filed with CIBER were considerably more stringent and extensive than those it ultimately documented in Diebold’s product manuals..

Continue reading “Diebold Documentation – CA Top-To-Bottom Review”

TalkNationRadio – Part 4 of 4

Dori Smith completes her four part service to Connecticut Voters with two interviews. <read>

Excellent interviews with Daniel Seligson from the PEW Research Center and Prof Michael Fisher, President of TrueVoteCT.Â

However, I must take exception to Daniel Seligson’s faith in Connecticut’s audit law.  Has he read it?  Or has he fallen into the trap of believing the press releases?  You be the judge.  Review the loopholes and inadequacies covered on this site.  Read the law for yourself.

Myth-Based Voting

Your editorial “Fail-Safe Voting?”, September 20, 2007, could be titled “Myth-Based Voting?”.

Last week the Hartford Courant had a fact lite editorial, “Fail-Safe Voting”. I sent a letter to the editor to provide an accurate view. It took almost 250 words, however, I wanted to provide facts and the Courant has often run letters longer than their 200 word ‘limit’.
It does not bother me that my letter was not published. However, it is a problem when there is no responsible alternate opinion printed. In the past week there were several letters addressing the renaming of Bradley Airport, but none addressing the voting machine editorial. Here is the letter:
Your editorial “Fail-Safe Voting?”, September 20, 2007, could be titled “Myth-Based Voting?”.  

It is inaccurate to state that”So far, no one appears to have figured out how to tamper with the machines” Dr. Alex Shvartsman, UConn, consultant to Secretary Bysicwicz, independently confirmed specific vulnerabilities and recently said “The concerns are very valid and very real.”  The Brennan Center for Justice, frequently referenced by the legislature and Secretary Bysiewicz, says “One of the primary conclusions of this report is…using Trojan horses or other Software Attack Programs provide the least difficult means to affect the outcome of a statewide election using as few informed participants as possible”.

It is precisely because “It would take a conspiracy by a lot of people to stuff a ballot box.” that Brennan concluded that a software attack would be most attractive.

It is true that “The 10 percent threshold [of districts audited] is highest among states”. What is seldom noted is that only three or 20% of races are audited, or that loopholes in the law reduce the odds of detecting fraud in most local elections and all State Representative races to about 2%-4%.

Yes,”It would be a shame if, after spending hundreds of millions of dollars to correct the mistakes of 2000, it were still possible to alter the results.” Let us invest the $0.25-$0.50 per voter it would take to provide a truly sufficient audit and assurance of the correct results.

Surely You’re Joking, Professor Altschuler!

Recently I attended a meeting of the Cornell Club of Hartford as a guest of a member. She had invited me and several other voting advocates because the speaker was Cornell Professor of American Studies, Glenn C. Altschuler. He is an expert on election history.

Professor Altschuler was an entertaining speaker, spiking the talk with jokes, and bantering with some members of the audience. He is obviously a popular faculty member. I found the whole talk quite interesting.

His basic thesis is that elections in the U.S. are primarily decided by three factors Timing, Tactics and Turnout. He analysed the 2008 presidential election based on that frame, pointing out similar aspects of past elections. Not being a history expert, I cannot comment on his theory’s relation to other alternative theories.

There is an old joke about the sandwich store with a sign that read “We have an agreement with the Bank, they don’t make sandwiches and we don’t cash checks.” I propose an agreement between computer experts and political historians: “We won’t attempt to clarify political history and you won’t certify voting machines.”

I asked a very simple question, very quickly, simply, honestly and innocently. (You were not there. You will have to trust me on this.) I asked approximately: “I would add another T, Tinkering. Could you tell me why politicians like John Kerry and the loser in our 2nd District Congressional race with a margin of 91 votes throw in the towel so quickly”

He then proceeded to characterize me as a conspiracy theorist, said that I only believed the machines were unsafe because of Mr. Diebold’s unfortunate statement (He indicated could not recall his name, which is Walden O’Dell.). Said there was no evidence of computer fraud. And that it was hard to do. It would take too many people. I would have loved an opportunity to debate him, I saw that as inapproprite, and did not continue. I did not want to offend anyone, especially since I was a guest in front of an admired, legendary professor.

He went on to state that Bush had stolen the election fair and square in Ohio as it has always been done. (My contention would be then that his theory of the three T’s is, at best, incomplete as an explanation of who won in the past and why.)

Continue reading “Surely You’re Joking, Professor Altschuler!”

CT News Roundup

TalkNationRadio.org Part 3 of 4 <read>

It’s not in LHS’s interest to have their machines viewed as failure prone and I don’t think that they should be in the pipeline between the moderator and the registrar on the one hand and the SOS on the other. So I think the whole flow of information that has been set up is wrong. — Prof. Michael Fisher, TrueVoteCT

Another “Good News” Press Release (press release)
(see other “Good News”)

“The initial recount results confirm that the optical scan machines performed well and that every vote was recorded accurately,” said Bysiewicz. “…Together, these post election procedures should send a strong and simple message to voters – your vote will be counted, we’ll make sure of it.” – Secretary of the State, Susan Bysiewicz, Press Release

When one truck from one trucking company goes down Avon Mountain and does not crash once, it is proof that Avon Mountain and can work as a truck route, but not close to proof that Avon Mountain is generally safe for every truck and driver, almost every time. At CTVotersCount we agree that the Diebold AccuVote-OS can count elections accurately. The fact is that no electronic voting machine can be proven reliable, the Diebold AccuVote-OS is far from secure, the Diebold AccuVote has been proven to be easily compromised, and Connecticut adds to that vulnerability by outsourcing the coding of each election to our vendor, LHS. What we do claim is that elections can be incorrectly decided electronically by error or fraud. The only solution we support is sufficient random audits of each race and question.

What’s the difference: Alderman or Selectman?

Shelton Weekly: Candidates question registrar’s position

A letter drafted by two candidates for city aldermen was sent to the secretary of state’s office questioning incumbent Alderman John “Jack” Finn’s dual roles as registrar of voters and his candidacy for alderman…

Continue reading “CT News Roundup”

Conference Call With Debra Bowen

Debra Bowen is California Secretary of the State responsible for the Top To Bottom Review, and the decertification of electronic voting machines from Diebold and two other vendors: <transcript and conference call>

Some people have criticized the Review as being biased and not conducted in the real world, and it certainly was not, it was conducted in a laboratory setting. The major criticism has been that it did not take into account the physical security that is used in many counties–most counties–but I think it is a mistake to assume that an attacker who wants to interfere with the outcome of an election will not find a way to get their hands on either a voting machine that is used in the polling place, one of the memory cards that is used, or on some other piece of equipment. Or the source code itself…

I’m often asked by people what they can do to support my efforts and to ensure that their votes are accurately counted. My answer would be to get even more involved. Clearly members of the Courage Campaign are already involved, but I’m asking people to go beyond that. If you have concerns about their being an adequate number of well-trained poll workers and you can afford a day, please become a poll worker.

Thorns In The Side or Unappreciated Donors?

“Hackers Welcome” is a refreshing read, at least for the technically inclined.  A great comparison of how different companies treat the discovery of software problems by outsiders – as things to be covered up or as gifts to be appreciated.  Insiders who do the same are either appreciated, suppressed, or out themselves for our benefit – we call them Whistle-blowers.

That kind of stonewalling, enmity and miscommunication has long characterised relations between hackers and software developers, says Jennifer Granick, a cyber-law attorney who represented Lynn in his legal battles…But that attitude is now changing. Software developers are learning that cooperating with hackers is better than ignoring or attacking reports of exploitable holes in software…
Companies, including 3Com’s TippingPoint division and iDefense, offer to buy vulnerabilities from hackers for several thousand dollars apiece, promising to inform the vendor of exploitable flaws.
“Had (Diebold) engaged with us, they’d have a reasonably secure system,” says Felten[Professor, Princeton University]. “Instead, they stonewalled, and look where it got them.”

My only caveat is that the reasoning applies to many people who do not fit the definition of “Hackers”.

FAQ: Have they have fixed all the problems with the voting machines?

Lately I have heard several versions of this statement. In July a registrar said something close to the following to me: The company let go of all the bad (convicted felon) programmers and they have fixed all the problems with the machines. Last week a local monthly paper had this to say in an editorial: … Continue reading “FAQ: Have they have fixed all the problems with the voting machines?”

Lately I have heard several versions of this statement. In July a registrar said something close to the following to me:

The company let go of all the bad (convicted felon) programmers and they have fixed all the problems with the machines.

Last week a local monthly paper had this to say in an editorial:

Potential glitches uncovered by the University of Connecticut Voting Technology Research Center in 2006 have been remedied. – Glastonbury Life

The security holes discovered by UConn have not been fixed. We are using the same version,1.96.6, of the software that UConn tested. The state requires that all software versions be certified by the Secretary of the State before they are used in our elections. Thus far 1.96.6 is the only version that has ever been certified in Connecticut. Time is running out for a coordinated update of machines before the November 6th election.

Continue reading “FAQ: Have they have fixed all the problems with the voting machines?”

CT Voting and Audit Stories – NJ Certification Problems

Doubts Cast On Voting Machines. Westport News – An excellent summary of the concerns with the AccuVote-OS in Connecticut.

Cromwell Vote To Be Audited. Middletown Press – “Town officials learned of the audit in a telephone call from a reporter Thursday night.” I wonder what the official plans are to notify registrars that their towns have been chosen and the municipal clerks who will need to randomly select offices for audits?

N.J. To Miss Voting Deadline, Cherry Hill Courier Post – Optical Scan will not be certified to meet Jan 1 deadline: “The New Jersey Institute of Technology conducted its first round of testing this past summer on three of the machines. Although the machines received a ‘good bill of health,’ Milgram said the results did not meet the criteria the office set in the spring.” More details in the NY Times and the blog from Larry Norden of the Brennan Center.

Voting Vendor and Yale Professor – Suggest Changes To Election Procedures

Dori Smith aired the second segment of a four part series on voting integrity, yesterday at 5:00 PM on WHUS. Once again, I highly recommend listening to the audio and reading the transcript while also marking your calendar for next week. Also review segment one.

This segment has further interviews with John Silvestro, President of LHS, our voting machine vendor and Professor Michael Fisher of Yale University and President of TrueVoteCT.

Mr. Silvestro suggests that the problem of ignored or violated procedures, like the one in the 2nd District in November, 2006, can be handled by auditing fully the machines involved:

Then automatically in my mind that precinct should come into the post election audit OK? And that you know although you are going to select 10% that one precinct may end up being, and it should, end up being one of the automatic entries into that 10% post election audit. And that’s the beauty of post election audits is that you can take situations that arise on election day and say OK. We want to do 10% of 793 with whatever that comes to, 79 or let’s call it 80 precincts. But we had problems in precinct you know A, B, C and D or E and F and whatever. Eight precincts? Those eight are already included and the other 72 are going to be randomly withdrawn. And that’s how I believe you would do this. – John Silvestro

I agree that Mr. Silvestro has a basically good idea, yet I also have three concerns:

Continue reading “Voting Vendor and Yale Professor – Suggest Changes To Election Procedures”