Sunday, July 31, 2005

Now About Those Exit Polls . . . 

Our venerated colleague Avedon Carol links to Black Box Voting's final report on the security flaws in Diebold's optical-scan vote-counting machines, which turn out to be every bit as hackable as touchscreen units. In the last presidential election the model tested by BBV tallied one third of all the votes in Florida, and 25 million nationwide. Bruce O'Dell of Digital Agility, Inc., supplies the following overview:
The Diebold Precinct-Based Optical Scan 1.94w device accommodates a removable memory card. It had been believed that this card contained only the electronic "ballot box", the ballot design and the race definitions; astonishingly enough, the memory card also contains executable code essential to the operation of the optical scan system. The presence of executable code on the memory card is not mentioned in the official product documentation. This architecture permits multiple methods for unauthorized code to be downloaded to the memory cards, and is wide open to exploitation by malicious insiders.

The individual cards are programmed by the Diebold GEMS central tabulator device via a RS-232 serial port connection or via modem over the public phone network. There are no checksum mechanisms to detect or prevent tampering with the executable code, and worse yet, there are credible exploits which could compromise both the checksum and executable. The report notes that this appears to be in violation of Chapter 5 of the 1990 Federal Election Commission Standards for election equipment, and therefore should never have been certified for use . . . .

According to the report:

Exploits available with this design include, but are not limited to:

1) Paper trail falsification - Ability to modify the election results reports so that they do not match the actual vote data

1.1) Production of false optical scan reports to facilitate checks and balances (matching the optical scan report to the central tabulator report), in order to conceal attacks like redistribution of the votes or Trojan horse scripts such as those designed by Dr. Herbert Thompson.

1.2) An ingenious exploit presents itself, for a single memory card to mimic votes from many precincts at once while transmitting votes to the central tabulator. The paper trail falsification methods in this report will hide evidence of out-of-place information from the optical scan report if that attack is used.

2) Removal of information about pre-loaded votes

2.1) Ability to hide pre-loaded votes

2.2) Ability to hide a pre-arranged integer overflow

3) Ability to program conditional behavior based on time/date, number of votes counted, and many other hidden triggers.
[T]he mere presence of a paper trail will not deter or detect electronic vote manipulation by malicious insiders unless the voter-verified paper ballot or optical scan ballot is actually randomly audited - preferably, in-precinct, on election night. Yet the cost and time required by a truly effective and random audit protocol undermines the case for electronically-assisted vote tallying. Therefore some analysts now recommend US implementation of the Canadian system - hand-counting of paper ballots in-precinct on Election Night, with accommodation for the visually-impaired - as the best countermeasure to systematic electronic election fraud.

Based on my experience in the financial services industry, discovery of multiple security vulnerabilities of this severity in equipment in use by any bank or brokerage house would trigger an immediate shutdown of all the affected systems, followed by a full internal and external audit, and, in all likelihood, formal investigation by regulatory and law enforcement agencies. We should accept no less from the election services industry.

The affected Diebold optical scan equipment should be immediately withdrawn from use in any election until independent recertification is achieved, or a secure alternative is obtained. All other election equipment - manufactured by Diebold or by other vendors - should be examined, and if subject to the same vulnerability, should also be withdrawn. An investigation to determine how equipment with such serious vulnerabilities to insider manipulation could ever have been certified should also be launched, and certification and oversight procedures enhanced.
If the Republicans did not swing thousands, or tens of thousands, or hundreds of thousands of votes George Bush's way last November, we should be grateful for their sense of restraint and commitment to fair play. They certainly had the means and the opportunity.

Unfortunately, as our distinguished colleague Peter of Lone Tree at BlondeSense reminds us, we probably do not have much to be grateful for. The Columbus (OH) Free Press has a long and detailed story limning the connections between the Coingate scandal and "the GOP theft of Ohio 2004." You knew that scam artist and Bush pioneer Tom Noe pocketed millions from Ohio state pension funds, but did you know that:
While Tom chaired the regional Bush-Cheney campaign, his wife Bernadette chaired the scandal-torn Lucas County Board of Elections that played a key role in caging votes to put Bush back in the White House . . . .

Election day in Ohio 2004 was defined by partisan chaos, confusion and theft everywhere in the state. But the Noe's Toledo was uniquely rife with corruption and illegality.

Well before election day, Lucas County's Democratic headquarters was broken into. Key voter data went missing.

On November 2, inner city voting machines mysteriously broke down en masse. Polls opened late. The Toledo Blade has reported that the sole machine at the Birmingham polling site in east Toledo broke down around 7 a.m. By order of Secretary of State Kenneth Blackwell, no paper ballots were available for backup.

At one school polling station the voting machines were locked in the office of the principal, who called in sick. The Gesu School in West Toledo temporarily ran out of ballots. There were huge lines, missing ballots and technical anomalies associated with the leased Diebold Optical-Scan voting tabulators. Lucas County BOE Director Paula Hicks-Hudson admitted that the Diebold machines had jammed during the previous week's testing, but the BOE did not bother to fix them for the election.

Sworn statements at public hearings in Toledo and Columbus confirmed that scores of citizens were disenfranchised because they had to go to work. According to the Toledo Blade, at the Birmingham polling site in east Toledo, the sole machine broke down around 7am. When Ohio Rep. Peter Ujvagi tried to cast his ballot an hour later, a poll worker told him to place his ballot in "a secure slot under the machine" so it could be scanned in later, after Ujvagi had left.

When voting rights activists challenged Republican Secretary of State Blackwell's controversial partisan handling of provisional ballots, Tom Noe sued on Blackwell's behalf. Bernadette Noe worked hard to reverse the traditional Ohio practice of allowing provisional ballots to be cast in precincts other than the one in which voters were registered. Her efforts helped disenfranchise innumerable Toledo voters, most of them inner city Democrats..

Ms. Noe also reversed standard procedure and banned public testimony at an open meeting meant to discuss a Republican Party challenge to 35,000 newly registered Ohio voters. The challenge was blocked by a federal judge.

But the election in Lucas County had become so infamous that on April 8, Blackwell fired the entire County Board of Elections. Bernadette Noe had announced her plans to resign in December, 2004. But Blackwell's desperate move was a slap in her face, especially since the Secretary of State himself is at center stage in deepening disputes over how Ohio's 2004 election might have been stolen. Blackwell served as Ohio's Bush-Cheney co-chair while running what he claimed to be a fair election.
And just by the bye -- if you haven't yet read Mark Crispin Miller's "None Dare Call It Stolen" in the current Harper's, get thee to a newsstand muy pronto.

| | Technorati Links | to Del.icio.us