Wednesday, September 24, 2008

Re-media Election Transparency Coalition on Election Defense Radio

Andi Novick and Rady Ananda interviewed on September 17th Election Defense Radio on the case for retaining the lever machines in New York. Link at:

ElectionDefenseRadio_2008.09.17.mp3

Fatally Flawed Systems Await Voters

'Fatally Flawed' Systems Await Voters: 'Drastic Change Needed'

By Rady Ananda

Original version posted at OpEdNews.


A new paper, and video, has been issued by the Computer Security Group at the University of California, Santa Barbara. This group contributed to voting system reviews conducted by Ohio and California last year. The 11-page paper was presented in July at the Proceedings of the International Symposium on Software Testing and Analysis held in Seattle. Much of it is comprehensible to most voters. The Group also prepared a 17-minute video, presented in two parts that illustrates several attacks, and shows how security seals are ineffective.

The paper clarifies that security is lacking in both Sequoia and ES&S voting systems: "the electronic voting systems that we have reviewed are neither secure nor well-designed." It spends time discussing the certification process which does not and cannot adequately secure a software driven voting system:
"While most critical systems are continuously scrutinized and evaluated for safety and correctness, electronic voting systems are not subject to the same level of scrutiny. A number of recent studies have shown that most (if not all) of the electronic voting systems being used today are fatally flawed and that their quality does not match the importance of the task that they are supposed to carry out." (emphasis added)
This conclusion corroborates many prior statements made by security experts. Twelve such quotes are reproduced here. The UCSB paper states:
"All voting systems recently analyzed by independent security testers have been found to contain fatal security flaws that could compromise the confidentiality, integrity, and availability of the voting process."
...
"Our experience suggests that there is a need for a drastic change in the way in which electronic systems are designed, developed, and tested.
...

"Unless electronic voting systems are held up to standards that are commensurate with the criticality of the tasks they have to perform, the very core of our democracy is in danger."
(emphasis added)
While detailing many of the vulnerabilities in touchscreen (DRE) voting systems, which more than half the states have outlawed1, the paper specifically discusses optical scan systems:

"Evaluations of the various optical scanners offered by both vendors followed much the same pattern of the previous voting system components. A patent disregard for cryptographic authentication and integrity checks allows attackers to overwrite a system's firmware with malicious versions and modify or construct election data to be processed by an EMS.

"Physical security measures were also lacking. In particular, the ES&S scanner lock was easily picked with a paper clip during our tests, while the "unpickable" lock on the Sequoia scanner was bypassed by removing a few screws and pulling out the lock cylinder from the scanner's chassis by hand. In both cases, this allows an attacker to access machine internals to potentially execute arbitrary code."

The Computer Security Group at UCSB issued a statement introducing this information, reposted with permission:

Evaluating the Security of Electronic Voting Systems: Are your votes really counted?


Electronic voting systems have been introduced to improve the voting process. Since their inception, they have been controversial, because both the technologists and the general public realized that they were losing direct control over an important part of the voting process: counting the votes.

A quote attributed to Stalin says: "Those who cast the votes decide nothing. Those who count the votes decide everything." It is clear that voting systems represent a critical component of a democracy.

Although the consequences of a malfunctioning electronic voting system are not as readily apparent as those for air traffic control or nuclear power plant control systems, they are just as important, because the well-being of a society depends on them. While most critical systems are continuously scrutinized and evaluated for safety and correctness, electronic voting systems are not subject to the same level of scrutiny.

A number of recent studies have shown that most (if not all) of the electronic voting systems being used today are fatally flawed, and that their quality does not match the importance of the task that they are supposed to carry out.

In the Summer of 2007, the Security Group of UCSB participated in the Top-To-Bottom Review (TTBR) of the electronic voting systems used in California.

The Report

Our team focused on the security analysis of the Sequoia voting system. Our public report can be found here . We found a number of major flaws that can be exploited to compromise the integrity, confidentiality, and availability of the voting process. In particular, we developed a virus-like software that can spread across the voting system, modifying the firmware of the voting machines. The modified firmware is able to steal votes even in the presence of a Voter-Verified Paper Audit Trail (VVPAT).

The Paper

We wrote a paper that describes our methodology and our findings: Are Your Votes Really Counted? Testing the Security of Real-world Electronic Voting Systems, D. Balzarotti, G. Banks, M. Cova, V. Felmetsger, R. Kemmerer, W. Robertson, F. Valeur, and G. Vigna, in Proceedings of the International Symposium on Software Testing and Analysis, Seattle, WA July 2008.

The Movie

We also prepared a movie that shows how the virus-like attack would be carried out, and exemplifies the different scenarios that our malicious firmware would exploit. The video shows how one can use a simple USB key to infect the laptop used to prepare the cards that initialize the various voting devices. As a result, the cards are loaded with a malicious software component.

When a card is inserted in a voting terminal, the malicious software exploits a vulnerability in the terminal loading procedure and installs a modified firmware, effectively "brainwashing" the terminal. Later, when the terminal is used by the voters to cast their votes, the firmware uses a number of different techniques to modify the contents of the ballots being cast.

The movie also shows that the physical security measures being used to limit access to essential parts of the voting systems are ineffective.

In the end, voters will decide whether to continue voting on systems that over 50 scientific studies, comments and testimony have warned are not securable. That decision will be made by whether they participate in a system that leaves no rational basis for confidence. Or, elections will be decided by computer hackers.

Much thanks to John Gideon of VotersUnite.org for his Daily Voting News feed.

1 Election Data Services President Kimball Brace said touch screens would be used statewide this fall in Maryland, Delaware, New Jersey, Nevada, Utah, Louisiana, Georgia and South Carolina, and in significant parts of or pockets of a dozen other states, according to an August 15, 2008 McClatchy article.

Tuesday, September 23, 2008

Sequoia's Sinking Ship

by Rady Ananda

Cross posted at OpEdNews

"Right now, there is not a single voting system on the market or in use anywhere in the country that meets current federal voting standards, and very few people realize it." ~ Douglas Kellner, New York State Board of Elections Commissioner (AP)


From New York to New Jersey, from D.C. to Florida, Sequoia Voting Systems continue to fail. Vendor response is, we're not at fault and don't you dare study our product. That's because experts tell us in report after report these machines are fatally flawed by design, lacking the most basic security protocols. Yet, election managers continue to use them, and "voter advocacy" groups continue to support their use. A recent University of California (Santa Barbara) paper by the Computer Security Group warned that "the very core of our democracy is in danger."

Designed-to-be-hacked is what we discovered in our own investigation. The physical security of Sequoia's optical scan ballot marking device is designed with a slotted hole that allows up to ten cardstock ballots to be stuffed at once into the locked ballot box. Here's exclusive video.

New York's state level election officials also tend to blame election workers when Sequoia's machines fail. New York tested out its shiny new $12,000 Ballot Marking Device made by Sequoia-Dominion in the September 9th election. When state election commissioners tried to vote on the machines, the BMDs didn't work. At the Sept. 17th NY SBOE meeting, Anna Svizzzero, Director of Election Operations, advised better training of poll workers was needed.

Of 3,350 BMDs deployed in the Sept. 9th election, only 1,333 people voted on them. Only one voter used the BMD in Ulster County – John Decker (D-Highland), who complained that he first watched the 20-minute instructional video and then it took another 20 minutes to vote on the machine. McClatchy reports:

"Decker said he couldn't believe that it took him so long to vote and would like to see the county retain the older lever pull machines."

In Nassau County, 126 BMDs were deployed but only twelve voters used them, reported Nassau County Elections Commissioner, William Biamonte. Making his job even tougher, Sequoia failed to deliver the BMD's privacy materials until the Saturday before the election – after the machines had already been deployed. Twenty technicians had to be dispatched to deliver and install the materials.

Faulty design, hackable software, lengthy voting process and an inability to accurately count the votes won't stop the League of Women Voters of New York State from insisting these machines be used, and promoted for use.

Tempers flared at the end of Friday's NY SBOE meeting when the NY LWV accused election officials in four counties of dissuading voters from using the new software driven optical scan ballot marking devices. Naming Buffalo, Binghamton (Broome), Utica, and Albany, they charged:

"The counties are actively discouraging voters who are not disabled from using the ballot marking devices."

Phew, smart commissioners, even if they are violating state-mandates that all voters can use the BMDs. Maybe they're avoiding hand counts. This year, NY election officials must hand count the ballots cast on BMDs since Sequoia still hasn't been certified for use in NY.

Sequoia admits to hundreds of document discrepancies – that's where they provide one thing but the document says something else; or they provide and document something that New York specifically forbids.

The League also reported that the Albany County LWV co-president "was asked to produce evidence of disability." Because she's not disabled, she lied in order to use the new BMD. Not a smart admission to make in the public record, especially after accusing counties of violating NY election rules.

The NY SBOE was highly skeptical of the League's reports, prompting another LWV rep to became hostile. Commissioner Evelyn Aquilla practically called them liars:

"We'd like to have that in writing, because, you know what? We didn't see that anywhere. Not any place.... To say that every single commissioner did that, across the state, I don't know if that's true or not, because we saw, I saw four different ... counties, and I never saw that anywhere. I went into at least twelve places."

The New York League of Women Voters wholly supports the use of software driven optical scanners, despite scientific condemnation. They must have been ignoring the papers, too, that amplified our breaking story on July 1st when we reported that Sequoia's BMD failure rate in Nassau County stood at 85%. Two weeks later, Wired.com reported a 50% statewide failure rate. Failure rate be damned, the League wants these machines in use. But then, the League of Women Voters also supported paperless touchscreen voting systems until June of 2004.


Sequoia Fails around the Nation


Florida's Palm Beach County, right now, reports that 12,000 votes were not counted by Sequoia's optical scanners in its unending nightmare of conflicting results from the August election. That's where 3,400 votes (or 3500, depending on which news article you read) went missing, then were found, and now 12,000 more ballots have been found that the machines didn't count. This is an ongoing fiasco. Today's manual recount of 12,000 ambiguous votes "turned up an additional 159 uncounted ballots." South Florida's Sun Sentinel reported that "software issues" with Sequoia's optical scanners were to blame.

But the Palm Beach Post reports today that election officials will run another recount through the $5.5 million voting system:
County Commissioner Jess Santamaria questioned the reliability of the machines the county bought from Sequoia Voting Systems.

"I do have serious concerns," said Santamaria, who also serves on the canvassing board. "My concern affects this election and the November election as well. I don't see how we can have confidence in this system."

John Gideon of VotersUnite.org summarizes the situation this way:

“The county now wants to do another machine recount of the recount of the recount and may also ask to do another hand recount of the newly requested machine recount.”

The August vote count troubles follow the June snafu, also in Palm Beach County, when the scanners failed to count 14% of the ballots. At that time, Palm Beach officials were looking to pay Sequoia more money to take over more of the ballot counting process. In January's presidential primary, "defective cartridges" prevented Palm Beach from posting results for several hours. Yet, still, no one in Palm Beach is considering junking the machines, although voters reportedly did dump Elections Director, Arthur Anderson.

Washington, D.C. election officials have had enough, and have subpoenaed Sequoia records to explain why over 12,000 "phantom votes" appeared in the software driven results from this month's primary. When D.C. officials ran the supposedly "faulty cartridges” through the same software, three different results were produced. When they hand counted three precincts, none of the totals matched Sequoia's reported totals.

Better to seize the machines and run a forensic investigation; although, that didn't work out too well when New Jersey tried it earlier this year.

In New Jersey's February 5th primary, Sequoia's AVC Advantage touchscreen voting system produced conflicting vote totals from its own internal memory. When the numbers didn't add up, Union County officials sought the expertise of Princeton University computer security scientists. They caught errors in 60 precincts. Computer scientist Ed Felten produced the tapes showing those errors, and refutes Sequoia's explanations (blaming the pollworkers) for why their computer can't add. Felten concludes:

"Sequoia's own explanation makes clear that they made an engineering error that caused the voting machine to behave incorrectly."

New Jersey officials seized the machines via subpoena, which Sequoia sought to prevent. Sequoia threatened to sue Union if they studied the machines that Union owns. Union County dropped the investigation. Better to have expensive, faulty counting devices than an expensive lawsuit, I guess. Ed Felten explains this case in the second video embedded in this article, starting at about 4:23.

A month later, Sequoia's website was hacked and defaced.

The Computer Security Group at UCSB may be in trouble for posting that How-to-Hack Sequoia video, but only democracy loyalists would warn the public so instructionally. No doubt, the November 2008 election will be determined by computer hackers, or enough citizens will show up to hand count the ballots after the next round of ridiculous totals are reported. Let's not forget the negative 25 million votes reported for John Kerry in one precinct in Youngstown, Ohio in 2004. That had to be a red flag sent up by a loyalist.

Twenty states and the District of Columbia plan to use Sequoia Voting Systems in what is shaping up to be the third questionable presidential "election" in a row.


Note from the editor:

Is the prospect of yet another questionable "election" result at all related to the following report from the Army Times (via democracynow.org.):

Army Unit to Deploy in October for Domestic Operations

Beginning in October, the Army plans to station an active unit inside the United States for the first time to serve as an on-call federal response in times of emergency. The 3rd Infantry Division’s 1st Brigade Combat Team has spent thirty-five of the last sixty months in Iraq, but now the unit is training for domestic operations. The unit will soon be under the day-to-day control of US Army North, the Army service component of Northern Command. The Army Times reports this new mission marks the first time an active unit has been given a dedicated assignment to Northern Command. The paper says the Army unit may be called upon to help with civil unrest and crowd control. The soldiers are learning to use so-called nonlethal weapons designed to subdue unruly or dangerous individuals and crowds.


-jl