Navigation
Topics
Log In
Log Out
:
Special Search
New Today
New This Week
Advanced Search
Tree View
Your Account
Edit Profile
Register
Forgot Password
Tools
Help/Instructions
Policies
CLICK STATE TO SEE:
"WATCH LIST"
Marked with: 
"OPEN & HONEST"
Marked with: 
...
|
| Ohio Election Worker Needs to Know Wh... |
|
| Author |
Message |
    
Lisa Cech
Voting Rights Forum Participant
Username: Lalock
Post Number: 2
Registered: 03-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, March 29, 2006 - 6:05 am: | 
|
What should I ask in elections worker training?
I'm an election worker for Cuyahoga County, Ohio (Cleveland and suburbs), and I'm going in for my 3-hour training on our new Diebold systems on April 24. I'd like to know what I should know before I go in, if that makes any sense. What should I look out for, and what questions should I ask? |
Kathleen Wynne
Moderator
Username: Admin_ii
Post Number: 224
Registered: 08-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, March 29, 2006 - 7:12 am: |
|
Lisa,
Welcome to BBV!
I'm from Cuyahoga County and am very interested in these Diebold TSx machines.
Of course, we will be glad to help you. Later this morning, I'll meet with Bev and Jim to discuss what would be the best questions for you to ask and more importantly, things you should look for regarding these machines.
Keep visiting the site as often as possible and look for our response.
Kathleen Wynne
* * * * * *
* * * * * *
* * * * * *
* * * * * *
TRIPLE PROTECTION FOR ELECTION 2006 - STARTING NOW:
(1) Use Freedom of Information, public records requests ("All American Paper Chase")
(2) Try Dumpster Diving for Democracy
(3) Candid America Project - Don't leave home without your camcorder
HOW TO DO IT: http://www.bbvforums.org/forums/messages/6/6.html
|
Kathleen Wynne
Moderator
Username: Admin_ii
Post Number: 225
Registered: 08-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, March 29, 2006 - 9:44 am: |
|
Lisa,
Could you send me a telephone number, so that I can speak with you personally regarding what you should do?
You can send it to kathleen@blackboxvoting.org. Thanks.
Kathleen
(Message edited by admin_ii on March 29, 2006)
* * * * * *
* * * * * *
* * * * * *
* * * * * *
TRIPLE PROTECTION FOR ELECTION 2006 - STARTING NOW:
(1) Use Freedom of Information, public records requests ("All American Paper Chase")
(2) Try Dumpster Diving for Democracy
(3) Candid America Project - Don't leave home without your camcorder
HOW TO DO IT: http://www.bbvforums.org/forums/messages/6/6.html
|
Lisa Cech
Voting Rights Forum Participant
Username: Lalock
Post Number: 3
Registered: 03-2006
Best of Black Box? 
Votes: 1 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 10:41 am: |
|
Okay, so I went through the training. It was horrifying. I deeply regret that I was unable to bring a recorder to the meeting, since I didn't have it with me and didn't have time between work and the training to go home to get it.
Anyway, the paper roll in the guy's machine next to mine got stuck outside the locked secure casing, so when he opened the lid to remove the supposedly confidential and secure paper trail, it spilled out onto the floor of the training room. The Diebold technician on site said that the poll worker should break the seal on the casing, roll the paper trail onto it, then put a new seal on. The Board of Elections representative said that poll workers are in no circumstance to break that seal. The Diebold guy's reaction? "This isn't supposed to happen." The final suggestion was to wrap the confidential(!) information around the outside of the casing and put it in a bag to return to the BOE at the end of the day with the rest of the casings.
The next thing that stunned me was the flat-out wrong information in the training booklet. Our trainer at one point, having been made aware that she told us to push a different option than is listed in the booklet, said, "Oh, there are so many problems with that book, just listen to what I tell you." Later in the session, when the trainer told us to do something other than what the book told us to do, then backtracked and said, "Wait. That's wrong. The book has the right information. You should always follow what the book says." She evidently did not see the dichotomy.
Finally, when we were bringing our disks up for final tabulation at the one central machine (marked with an orange dot to know which one is the central tabulator), our trainer accidentally pushed the power button and turned the machine off in the middle of tabulation. The power button is right next to where you push in the disks. So she turned the machine back on, muttered, "Did I already process this one?" and proceeded to tell the machine to process the disk in the slot. No one really remembered if she had or had not already processed that disk, and there were no safeguards for counting the same disk twice that I saw.
All in all, after going through the training, I fear for our democracy. |
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 2190
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 10:49 am: |
|
Lisa, it's invaluable having your report of what went on. Many thanks for writing it up. |
V. Kurt Bellman
Frequent Voting Rights Forum Participant
Username: Formerelecdir
Post Number: 101
Registered: 04-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 11:22 am: |
|
Lisa,
You are right to be concerned. If the Diebold system does not have a "fail safe" procedure to prevent double-counting a disk, then SHAME on them. I'd not be surprised to hear that such a safeguard has been left out.
I do know that some systems simply will not count the same machine twice, no matter how many times you enter the same disk or cartridge, as the case may be. I even demonstrated this very "mistake" in all my training sessions. I intentionally tried to tabulate the precinct totals by putting in the same cartridge over and over, and the machines would only count it once. A well designed system should act like that.
The evidence is huge that Diebold does not meet the "well-designed" threshold.
Another "they all ought to have" is the fact that precicnt tabulation should NEVER affect the final total tabulation. Each machine's vote should be sufficient to present final county numbers, whether precinct level "totalization" happens or not.
An example. My jurisdiction had 180 precincts using 410 machines. If I had results from all 410 machines, it mattered not whether precinct A's two machines were ever totalled together at the precinct level.
In other words, the flow should go:
Machine -----> Total for jurisdiction
and separately
Machine -----> Total for precinct
never
Machine -----> Total for precinct -----> Total for jurisdiction
It amazes and dismays me that any company would get that wrong. In Philadelphia, PA, the precinct officials are never asked to totalize their precincts. They post a tape from each machine and that's it. That may be a bit extreme but it works for them.
Totalizing machines together is too complicated for it to be a "mission critical" task for a twice-a-year "volunteer" to do at the precinct level after having been at a polling place for 13+ hours. Any system that relies on that being done correctly desrves a place in a national "Hall of Shame".
Kurt |
Lisa Cech
Voting Rights Forum Participant
Username: Lalock
Post Number: 4
Registered: 03-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 11:34 am: |
|
Yes, the impression we were given was that we all had to turn in our individual machines' cards, but they would only be using the orange-dotted card from our location to tabulate the final results at City Hall. The individual machines' cards were only necessary in the case of a problem or recount. |
Denise Zollman
Voting Rights Forum Participant
Username: Azadvocate
Post Number: 30
Registered: 01-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 11:36 am: |
|
Hi Lisa,
What model Diebold machine were you trained on? Assuming it was the model with all the problems.
I'm out in Arizona. The district chairs of the Democratic party will be having a field trip to elections central tomorrow night...for a dog and p(h)ony show to show that there are no major concerns with the machines.
Our SOS just ordered $11M Diebold touch screens (don't know which model yet) and some Sequoias. I need to know specific questions to ask our County Elections Director...with follow-ups so she won't be able to wiggle out of them.
The most important thing to come out of this meeting tomorrow night is that ALL district chairs know that there ARE problems with the machines.
For some reason, there are some people in the democratic party here who rabidly defend the machines and the elections officials who keep saying there's nothing wrong.
Thanks! |
William Brandes
Voting Rights Forum Participant
Username: Williambrandes
Post Number: 14
Registered: 12-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 11:42 am: |
|
My wife will be a poll worker May 2 primary. She might be given more authority. She has a masters degree and I think you might need one to figure out all the regs and procedures. We use ES&S here in Knox county. Did I say during training that the technician used a paper clip to seat the memory card. New machines. What happens in November when they sit for 6 months. Imagine leaving your computer off for that period of time. I think the electronics degrades. Planned obsolescence? William |
V. Kurt Bellman
Frequent Voting Rights Forum Participant
Username: Formerelecdir
Post Number: 102
Registered: 04-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 12:07 pm: |
|
Lisa,
I'd dearly love to know if that idea of using the individual machine disks ONLY for a problem or recount is Diebold's idea or Ohio's. If it's Diebold's, it's one more reason why they have no business in this industry. If it's Ohio's, it begs the question, "Why have an unnecessary intermediate step in your tabulation process?" It's one more place for error or mischief to be inserted. I have no way to know, but I'd be willing to bet (given the other security problems documented well here) that it is POSSIBLE to create a bogus precinct total disk, that may or may not be discovered down the road. And for what? Simply use the damned individual machine disks. BTW, you've called them disks. Are they floppies? CD's? CompactFlash? PCMCIA? Something unique? Inquiring minds.... |
Lisa Cech
Voting Rights Forum Participant
Username: Lalock
Post Number: 5
Registered: 03-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 12:34 pm: |
|
Denise: I wrote down the software version in my booklet, which I don't have with me right now. I can post that information tomorrow. You can see the machines and how to use them on the Board of Elections' website, http://boe.cuyahogacounty.us/.
Kurt: Like I said, that was the impression we were given. They didn't specifically say it, and I didn't think to clarify until I was on my way home. The disks are rectangular, slightly larger than a credit card, and heavier and more rigid. Again, I didn't really inspect it to see if there is a socket connection, like a USB or serial port, or if a "door" slides open for disk access, like a floppy has. Now that I've looked around the Internet(s), it looks a lot like a PCMCIA card, but never having seen one in person, I can't say for sure.
The more I think about it, the more I want to attend another session this weekend. They're offering second classes to any poll worker who feels they might need it. |
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 2192
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 1:16 pm: |
|
It would be great if you could videotape, and ask some challenging questions--like, exactly what are you supposed to do if the confidential roll of VVPB falls out on the floor?
And any of those other examples where you were told to do something different from what was in the manual. |
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 2193
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 1:20 pm: |
|
And you can ask exactly what happens if you accidentally turn off the power when you're in the middle of tabulating the election, like your trainer did. What does it mean? And how could you figure out whether or not any votes were lost or not?
And what happens if you put in the same card more than once when you're tabulating the votes?
And what happens to all those memory cards you turn in? are they locked up? (Maybe you should just film, and not ask.) And what happens to all the cards used at your training? Would you have been able to sneak off alone with one for a couple of minutes without anyone noticing? Would you have been able to take it to the bathroom at any point in the day without anyone noticing?
Were the memory cards being guarded with the same care as if they were, say, $100,000 bills?
(Message edited by Catherine_a on April 26, 2006) |
Lisa Cech
Voting Rights Forum Participant
Username: Lalock
Post Number: 6
Registered: 03-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 1:34 pm: |
|
I can answer your last two paragraphs. The memory cards are put into each machine in the morning before voting begins, and the door to the disk slot is locked with a key that every ward has a copy of, then an adhesive seal applied. Getting it out during the day would not be easy to do without anyone noticing, especially since the disk slot is on the left-hand side, which in most voting configurations is going to be against the wall.
The memory cards are to be removed from each machine after voting has ended by two people, one representing each party. They are then walked across the room to the central tabulating machine by those same two people, who hold on to them until they are put into the machine one by one by the presiding judge of the district who has the tabulating machine. Those same two people monitor the action and are to get the cards back from the presiding judge as soon as they have been tabulated. They then take the cards back to their own ward and pack them together in a case which is then locked and a breakable seal applied. Two people of opposing parties from each ward then drive the whole kit and caboodle (paper roll canisters, poll books, alphabet books, optical scan ballots, memory disks, etc.) down to the City Hall, where a whole gang of workers is there to take everything from you.
The process seems pretty secure in theory, but in practice, I know sometimes different wards have only used one person to drive the stuff down to City Hall, sometimes because no one else wants to go, and sometimes because there is no one from the opposing party who CAN go. The area I live in is pretty liberal, so finding that many Republicans is not an easy task. |
V. Kurt Bellman
Frequent Voting Rights Forum Participant
Username: Formerelecdir
Post Number: 103
Registered: 04-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 1:45 pm: |
|
Lisa,
"The area I live in is pretty liberal, so finding that many Republicans is not an easy task."
This is more frequent a problem than most people know. Neutral or bipartisan election officials at the precinct level is a wonderful concept that sometimes does not work in practice. A lot of people don't realize this. You do. Good catch.
I have had precincts in which every single voter of the minority party has been called, and not one will serve. Bipartisanship (or more) of precinct boards is a goal that should never be surrendered, but its difficulty to attain should never be underestimated, nor should the whole system rely on it.
Kurt |
John Washburn
Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 80
Registered: 02-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 2:20 pm: |
|
locked with a key that every ward has a copy of.
With diebold equipment (as reported by Dr Shamos of PA) there are only 4 possible keys for any door on any piece of equipment. So the lock is useless as it is like a the same key is used by every single ward in the state.
The seal is a separate issue. Can it be cut with a razor or X-acto knife and still look intact? A surprising number of self adhesive seals provided by vendors have this property. You should get proper tamper evident seals from a logistics company or an evidence lab company.
Here are examples.
http://www.setonresourcecenter.com/transportation/
http://www.copquest.com/43-1110.htm
http://www.chiefsupply.com/evidence.phtml
http://www.polylabel.com/
http://www.rightertrack.com/coupons.htm |
John Washburn
Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 81
Registered: 02-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 2:45 pm: |
|
The memory cards are to be removed from each machine after voting has ended by two people, one representing each party. They are then walked across the room to the central...
I hope the removal of memory cards is after all possible machine-level reports (vote tallies and audit logs) for each machine in the precinct are printed. If no machine-level reports are printed, then is is likely cheating is going on either using the VScript attack at the GEMS central tabulator or the Husrti attack to change the memory card contents while in transit to the central tabulator.
Because of the CA VSTAAB report, WI, IA, FL, and CA all now require the printing of ALL reports possible for each machine in the precinct, specificaly to prevent changing the contents of the meory cards in transit between the ward and the central tabulator.
Here are links.
Iowa: http://www.washburnresearch.org/archive/Iowa-SecurityRegulations.doc
Wisconsin: http://www.washburnresearch.org/archive/WI-DRAFTSecurityProcedureRecommendations .doc |
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 2194
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 3:38 pm: |
|
Lisa, thanks for the additional comments.
What I was wondering was, how tight was the security of the memory cards on your training day? Were they guarded as carefully then as the procedure you described for election day, with multiple observers of each card, security seals, and so forth? Or could you have borrowed a spare memory card for a moment or two at any point during the day if you had wanted to?
If procedures were less secure on the training day, this would imply that memory card security was perceived to be an issue only on election day. That could be a dangerous and inaccurate assumption, judging from the FL Hursti Hack experience. |
V. Kurt Bellman
Frequent Voting Rights Forum Participant
Username: Formerelecdir
Post Number: 104
Registered: 04-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 5:01 pm: |
|
Catherine,
According to the official PA documents I have seen, the Diebold TSx is not susceptible to the Hursti attack, only the opscan is.
I'm not saying I personally know that to be ultimately true, I'm just stating that the official PA Dept. of State documents say that it is not. The TSx was called back for recertification after the Hursti findings, and the Department is satisfied that the TSx is not susceptible to the attack. |
John Washburn
Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 82
Registered: 02-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 9:55 pm: |
|
The Official PA recertification document does NOT say that. Read it for yourself.
It says the Hursti attack in some respects is more difficult and more difficult if and only if ALL of the following assertions from Diebold are true.
The election official has created an AES password which is not the default AES password hard-coded into the interpreter.
The non-default AES password is stored, transfered and managed properly on both the GEMS server and the TSx unit.
The implementation of the Message Authentication Code (MAC) is correct if the AES keyword is not the default, hard-coded AES KEY. [The TSx use a MAC scheme not digital signatures. As a lawyer Dr. Shamos is aware The Uniform Electronic Transactions Act legally defines this distinction]
The boot procedure using the MAC does indeed prevent the boot up of a TSx if the MAC is incorrect.
The tally of votes from TSx memory card do in fact ingnore the counters values on the TSx memoyr card and re-calculates the vote totals from the ballot encodings stored on the TSx memory card.
Dr. Shamos admits in the certification report the above assertions were accepted as true based on a letter written to him from Diebold and the examination of some source code provided to him by Diebold. No tests on an actual TSx system were performed.
I am less trusting than Dr. Shamos of statements made by Diebold. How reliable are statement provided by Diebold? I know one at least is false.
Page 6 of the Shamos document for Pennsylvania states:
A TSx memory card does not contain counters. Instead it is a repository for full ballots [encodings].
This is untrue. On Page 8 of this California VSTAAB Report it is reported the TSx memory card contains both ballot encodings AND summary counters.
Thus, the Hursti attack is at best more difficult on a TSx an only more difficult if the cyptographic features of the TSx are used by an election official and the TSx cryptographic features actually work as documented.
Here are 2 rebuttals to Dr. Shamos's flawed re-certification document of January 17, 2006.
Rebuttal from Verified voting
Rebuttal from VoteTrustUSA |
John Washburn
Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 83
Registered: 02-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Wednesday, April 26, 2006 - 10:46 pm: |
|
I proposed manupulation of the contents of the memory cards AFTER removal from the TSX units. This is NOT the Hursti Attack demonstrated in Leon County and refered to in the PA certification document you mentioned.
The Hursti attack is manipulation of the memory card contents PRIOR to insertion into the TSX unit. I was proposing manipulation of the contents of the memory cards AFTER removal from the TSx unit.
The memory cards are pocket-sized ballot boxes and should be thought of as such.
What I was proposing is to plug the PCMCIA card from a TSx unit into a computer, palm pilot, or other computational device and alter the contents between the time the final vote is recorded and the first report of vote tallies is generated.
If no machine-level reports are printed PRIOR to the removal of the PCMCIA memory card from the TSX unit, the window of opportunity to manipulate the contents of this pocket-size ballot box widens to include the whole time the mamory card is in transit and the whole time the memory card is lying on a table top at the County Election office awaiting insertion into the GEMS central tabulator.
Without machine level reports generated PRIOR to teh removal of the memory card, there is no reporting of the memory contents until a report is printed by the GEMS central server.
Here is the chain of custody Linda describes.
Machine memory card for an individual TSx DRE-->
Precinct Accumulator memory card -->
Transport of cards to Central location -->
Store Cards on table top next to GEMS Central tabulator -->
Insert precinct Accumulator Cards into GEMS server and copy card to GEMS central tabulator -->
Interpret the ballot encodings copied to the GEMS central tabulator and store the clculated vote tallies in the MS JET database used by GEMS -->
Access the MS JET data records using crystal reports -->
Print SOVC (Statement of Votes Cast) report from GEMS central tabulator.
In this long chain, there is no data verification or data reporting of any kind at any step until the printing of the SOVC report. I propose you could manipulate this first reporting of memory card contents (the SOVC report) without detection using ANY of the following options.
Changing the contents of the TSx PCMCIA card from an indiviudal DRE while in transit to the accumulating TSx used in the precinct.
Substitute the PCMCIA card from an indiviudal DRE with another PCMCIA card while in transit to the accumulating TSx used in the precinct.
Changing the contents of the TSx PCMCIA card from the TSx used for precinct accumumation while in transit to the GEMS Central server.
Substitute the PCMCIA card Changing the contents of the TSx PCMCIA card from the TSx used for precinct accumumation while in transit to the GEMS Central server.
Change the contents of the TSx PCMCIA card from the TSx used for precinct accumumation while the card is sitting on table top in the county office.
Substitute the PCMCIA card Changing the contents of the TSx PCMCIA card from the TSx used for precinct accumumation the card is sitting on table top in the county office.
Change the contents of the file created on the GEMS server after the contents of the TSx PCMCIA card used for precinct accumumation has been copied to the GEMS server.
Change the contents of MS JET database records after the contnets of teh GEMS file have been stored in the MS JET database. (such as with this delightful tool: DBTools.hta. No paswords needed and can be run from the internet. Cool)
Change or substitute the Crystal Reports .RPT file stored on the GESM server used to generate SOVC report so the SQL used by the RPT file alters the data in the MS JET database. (The act of reporting alters the underlying data and then accurately reports the now-altered data).
Change or substitute the Crystal Reports RPT file stored on the GESM server used to generate SOVC report so the generated report simply lies, but does not change the underlying data in the MS JET database.
Contradictory do records exist (memory card contents) but as Linda stated these memory cards will be exmined ONLY if the election officials determine the "glitch" is bad enough "to affect the outcome of the ellection". In real life this translates to never examined. |
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 2197
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, April 27, 2006 - 12:22 am: |
|
I also feel my questions to Linda about custody of memory cards even on the training day are justified because we do not yet know what new vulnerabilities may be exposed in the upcoming report due from Hursti in relation to the TSx.
Additionally, the care with which memory cards are handled in non-election scenarios may possibly reflect the degree of understanding election workers and officials have as to the potential vulnerability of these memory cards in general. |
Lisa Cech
Voting Rights Forum Participant
Username: Lalock
Post Number: 7
Registered: 03-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Thursday, April 27, 2006 - 6:29 am: |
|
John: After the memory card is inserted, locked and stickered (by the way, we were told that the sticker will read VOID if it is removed and re-pasted, letting any election worker know if that adhesive seal had been tampered with), the first thing we are supposed to do after turning on the machine and setting up the paper rolls is to run a zero sum report.
After the end of the voting, we are to run a full report from each machine, twice, which tallies that individual machine's votes. One of those reports is at the end of the paper roll that goes into the sealed canister with the rest of the voting information. The other report is put in the same bag as the zero-sum report from the beginning of the day. Then the two representatives remove the memory card and take it over to the presiding judge for tabulation.
Catherine: The security at our training session was abysmal. The main trainer even borrowed our lanyard (which is what they called the cord you wear around your neck that has the voter card programming device and the key for all of the machines' locks) because her programming device wasn't working. One trainer said there were supposed to be 3 supervisor cards, which are used to run the final reports, but they could only find 2 at the end of the day. I don't know if they ever found the third one, or even in fact if it existed in the first place.
The memory cards were not handled very securely at all. They handed one to each two-person training group, but there were at least 15 training groups (30 people), plus a few extra cards floating around. It would have been easy to simply take one if you were of a mind to. |
John Washburn
Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 84
Registered: 02-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Thursday, April 27, 2006 - 6:45 am: |
|
John: After the memory card is inserted, locked and stickered (by the way, we were told that the sticker will read VOID if it is removed and re-pasted,...
I used to work for a logistics company which used all kinds of seals for many purposes. I will admit that ended 10 years ago. I know technology advances, but, I know of no self-adhesive seal (any seal actually) with those properties. Even so it still does not sound as if the seals used are numbered. An un-numbered seal is less than worthless because it provides the illusion of security without the substance.
Can you ask to see a demonstration of tamper-evident properties of the seals? After all you as an election worker would need to know what tamered seal looks like would you not? If for no other reason than to be able to properly report such a defective seal on your election report. |
V. Kurt Bellman
Frequent Voting Rights Forum Participant
Username: Formerelecdir
Post Number: 108
Registered: 04-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Thursday, April 27, 2006 - 11:45 am: |
|
John,
I have seen these seals, and have worked with them. They are as Lisa has characterized them. Once the adhesive is disturbed the word VOID shows up even if you carefully realign the sticker.
What they ARE susceptible to is a "slitting attack". You can leave the seal there, slice it, and assuming you have enough room for a liitle excess length to create a little width, you could, if you were good, remove a PCMCIA card.
I don't know the precise orientation or location of the seal, but seals like this do indeed exist. |
John Washburn
Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 85
Registered: 02-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, April 27, 2006 - 1:20 pm: |
|
Learn somthing every day. Thanks. Now I am keen to buy some of these seals.
Since theses seals are un-number what about replacement? Will the adhesive of the first seal (now removed) trigger the "VOID" display on the second seal? |
V. Kurt Bellman
Frequent Voting Rights Forum Participant
Username: Formerelecdir
Post Number: 109
Registered: 04-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Thursday, April 27, 2006 - 1:49 pm: |
|
John,
If the remaining adhesive is removed (like with a weak solvent or scraper), no. No one would be the wiser. Which is why access must be strictly controlled.
Kurt |
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 2204
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, April 27, 2006 - 1:52 pm: |
|
Are these seals for sale on the open market? What's to stop someone from ordering them? |
V. Kurt Bellman
Frequent Voting Rights Forum Participant
Username: Formerelecdir
Post Number: 110
Registered: 04-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Thursday, April 27, 2006 - 2:03 pm: |
|
Catherine,
Excellent question. I dunno. I do know that colors are sometimes used to make an order unique, and the companies that make them will not willy-nilly sell them to just anyone, but a trusted insider could certainly "repurpose" a shipment easy enough if he or she were so inclined, or if a slick operator were persistent enough.
Knowing ahead of time the precise seal being used might present a problem. These puppies many times have holographic features as well, like the Major League Baseball stickers. In my county, with a different system, we used the zip-strip type of seal, like a tie-wrap, but much more sturdy and ours were serial numbered, and documentation of the numbers was extensive. You needed wirecutters or "dykes" to break them. One pollworker ruined a fingernail clipper trying to cut one. A toenail clipper works fine, though.
Diebold's machine seems to me to be designed with a design spec first and foremost to make them cheap and easy for the company to build. Security was clearly an afterthought, if that. |
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 2207
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, April 27, 2006 - 2:18 pm: |
|
Thanks, Kurt.
Is anyone besides me dismayed at what Lisa had to say about the non-existant security of the memory cards on her training day? They couldn't even figure out whether any of the supervisor memory cards had gone missing or not. I found this shocking.
Somehow I don't think these folks would notice if one or more machines had different holographic patterns on the security seal. It doesn't seem like they are that careful.
(Message edited by Catherine_a on April 27, 2006) |
V. Kurt Bellman
Frequent Voting Rights Forum Participant
Username: Formerelecdir
Post Number: 111
Registered: 04-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, April 27, 2006 - 2:37 pm: |
|
Mr. Washburn,
I looked at both the Pennsylvania and California reports you referenced and I disagree that they say what you have alleged.
Specifically, at the VERY BOTTOM of page 6 of the PA recertification report, the last paragraph is summarized thusly: "Therefore, any attempt to perform the Hursti exploit on TSX will fail even if .abo files can be altered." Sounds pretty certain to me. The text on page 7 elaborates, but I'll not put in here. read it yourself if you care.
Regarding the counters on the OS, they are what the Hursti exploit exploits. Even the California report does not even allege that ballot position or candidate total counters exist in the TSx. Both reports are consistent that the OS has such counters, but the TSx does not. The TSx has what are called "ballot encodings and summary counters" which are NOT the same thing as ballot position or candidate vote total counters. If you carefully parse the language on page 8 of the California report you referenced, you will see that this is true. Do you even know what summary counters are? I do. They are counters that involve things such as public counts, i.e. number of ballots processed, and various other now HAVA mandated data fields, such as undervote counts. Neither report indicates that the TSx has candidate vote totals on the card.
Undervoting is a near fetish these days, and is the subject of much research. |
V. Kurt Bellman
Frequent Voting Rights Forum Participant
Username: Formerelecdir
Post Number: 113
Registered: 04-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Thursday, April 27, 2006 - 7:46 pm: |
|
Catherine,
In my opinion, what is even sloppier is that the form factor of the data cards is an industry standard "off the shelf" card at all. PCMCIA or "PC card" as it is now known is a shortcut that should not have been taken, in my opinion. Yes, it's easy to build into a voting machine, and you can buy a "drive" to read them as an "off the shelf" component, but it opens an easy "hardware related attack vector".
Why didn't Diebold use a hardware form factor that they owned and developed themselves, so that an item purchased at a Compuworld or even a Staples couldn't be used as a substitute card?
Again, security as a bolt-on idea at work. Sheesh! They should have built every component with an idea toward security. Not to beat a dead horse, but the Danaher system did. |
John Washburn
Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 86
Registered: 02-2006
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Friday, April 28, 2006 - 11:33 am: |
|
I will conceed the reference to the summary counters is vague and could be limited to the lifetime counters and other HAVA counters. But, these summary counters are supposed to bound to the TSx unit not the memory card which slips in and out of the TSx unit. So I will wait until Mr. Shamos or the CA VSTAAB actually examine a memory card before I will believe their repitition of a sales statement by the vendor is actually as things are.
I think the report is unclear. But your reading is likely the correct one.
A lifetime counter though should be in both sets of memory (TSx and removeable memory card). But, as you state security is clearly a bolt on.
As for the last paragraph is summarized thusly: "Therefore, any attempt to perform the Hursti exploit on TSX will fail even if .abo files can be altered." does sound certain provided you, the election official:
Use the MAC feature at all,
Use a non-hard coded AES key, and
The TSx boot up procedure works as document in the manual.
Both authors conceed they did not see if the MAC scheme on the TSx unit actually works as advertised. Shamos accepted a letter from Diebold and the CA VSTAAB looked as some source code which may or not be excuted on an actual TSx unit.
One of the first test Harri Hursti did on the OS in May, 2005 in Leon County was to see if an alteration detection feature of the AccuVote OS worked or not. It did not. Why should I believe the TSx alteration detection code works on the rare events when the election official ask GEMS to use the feature?
You have put your finger on the root cause though: Bolt-on security only enough to make the customer stop squawking.
(Message edited by johnwashburn on April 28, 2006) |
V. Kurt Bellman
Frequent Voting Rights Forum Participant
Username: Formerelecdir
Post Number: 117
Registered: 04-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, April 28, 2006 - 12:21 pm: |
|
John:
Agreed. Keep 'em honest, John.
I know a fair number of Diebold employees and ex-employees. Some wish things had been handled differently. The Diebold has its warts. All the systems do. I wonder why Diebold is singled out for as much harsh treatment as it is here. Are AVS, ES&S, Hart, et al, fundamentally much better? Not that I have seen, but then I never actually was shopping that intently since my county was updating Danahers, and not in the market to replace them.
Any thoughts? Yes, Diebold did some real gaffes, but are other companies being spared the same scrutiny here? I'd like a few opinions on that.
Kurt |
John Washburn
Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 87
Registered: 02-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, April 28, 2006 - 1:18 pm: |
|
Are AVS, ES&S, Hart, et al, fundamentally much better?
Well I think AccuPoll and Populex are better but not still ready for use in a real election, IMHO. But, the big 4 (Diebold, ES&S, Hart and Sequois), NO.
In fact I think ES&S and Sequoia are far worse from a security point of view. ES&S for using xBase as it database platform via CodeBase. and Sequoia for installing Enterprise Manager on the WinEDS server.
Using MS Jet as GEMS does is bad. Using xBase (remember dBase III) in the UNITY software is far worse.
The presence of Enterprise Manager means the SQL in ever stored procedure used by Sequoia's WinEDS is human-readable, interpreted SQL code. A clear violation of 4.2.2 AND 6.1.4.e since Enterprise Manager is clearly a development to accessable to anyone on the WinEDS server within the prohibitted time period.
Here is a link to some hypothetical code using stored procdures. Enterprise Manager allows the substituion of the SQL in the body of the stored procedure. With Enterprise Manager you could substitute the SQL found in the JWW version of the file for the correct version found in the non-JWW version. The C++ code will execute whatever SQL is found within the body of the stored procedure at the time the stored procedure is invoked via the EXEC statement in the C++ code. This is bad.
Diebold published their source code on the web for all to see and a disgruntled employee posted 13,000 emails to the web. Thus, Diebold presents a larger target of opportunity because more actual facts are known than are known for the other vendors more successfull at maintaining the "wall of secrecy".
Also, the only 2 investigations not covered by restrictive non-disclosure agreements (NDA's) have both happened to have been on Diebold equipment. The Ion Sancho, of Leon County, FL and Bruce Funk of Emery county, UT are just the first of the nation's election officials to test their elections systems on their own using hired, independent experts. Both happen to use Diebold equipment.
As more election officials understand the legal peril vendors put them in (as Sequoia does here on line 2 page 27) via the EULA (end user license agreement), the examination of equipment from other vedors will emerge. Notice Sequoia states it can't be sued because they never promised the software or election system would conform to WA state election law, is state-approved or is fit for use in an election. Such EULA's (and all vendors ask election officials to sign them) leave election officials out in the legal code when problems emerge.
(Message edited by johnwashburn on April 28, 2006) |
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 2211
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, April 28, 2006 - 1:28 pm: |
|
Do a search here and you'll find lots of information on all the other companies. The known and unknown weaknesses of other manufacturers, and the reasons why there are more data for Diebold hence more opportunities for scrutiny, have been mentioned numerous times on BBV. This includes discussion of available technical data and logs, reports on serious problems and so forth.
BradBlog reported on a Hart and ES&S whistleblower in Texas and Ohio but there have not been any recent reports since this story first broke. The news reports were posted here BBV as well.
The reason there's more info about Diebold has to do with more available data, which meant people could find out where the skeletons were buried. This in turn led to lots of bad PR for Diebold, arguably all of its own making. For example:
1) Diebold left the 2003 source code on an insecure ftp site on the internet where Bev discovered it and downloaded it. After examining it and recognizing the significance, she distributed it privately to a number of computer professionals (who unfortunately did not report back on what they found, meaning the 2004 election went ahead on machines with obviously inadequate security), and then the code was put on the net where folks from DU and elsewhere had a look and made observations. This meant that the Diebold code was subject to lots of scrutiny. The various vulnerabilities led directly to the various hacks of GEMS, the OS, and most recently the TSx. The hacks confirmed the multiple security vulnerabilities and poor design of all these systems. Not surprisingly this has led to lots of poor press for Diebold.
2) the dumpster dive in which Kathleen Wynne found loads of Diebold documents, meaning there was more raw material to investigate in addition to the code itself. This uncovered numerous irregularities (money trail to lobbyists who hadn't declared their interests, apparent SEC violations, and memos revealing that Diebold was aware of specific vulnerabilities and brazenly lied about them to state election officials). This led to yet more bad publicity for Diebold.
3) Using the memos Bev Harris and Jim March took a successful Qui Tam case against Diebold for lying (perpetrating a fraud) on CA state. Diebold had to pay a fine of approx. $2.6 million. More bad publicity for Diebold.
3) I believe the Johns Hopkins Institute tests and reports done in Maryland were also about Diebold machines. When the equipment's defects were revealed this meant more bad publicity for Diebold.
4) Diebold stockholders have filed 2 lawsuits alleging irregularities in stock trading by top Diebold executives. More bad publicity for Diebold.
5) Whistleblower Stephen Heller shared documents with Bev that he obtained from Diebold's lawyers which showed both Diebold and a their legal team from Jones Day apparently conspiring to lie to the CA state election officials. The documents were handed over to the appropriate authorities to enable investigation. When Heller--the whistsleblower!--was recently arrested this caused another wave of bad publicity for Diebold.
The other manufacturers' products may be even worse than Diebold for all anyone knows. Their track records seem pretty horrible, judging by the stories already reported at BBV & elsewhere.
Then there are the vulnerabilities we don't know about yet. Hursti's report mentioned that it was possible that other OS may have similar vulnerabilities, but it was impossible to know without an opportunity to check.
Numerous attempts have been made to get access to other manufacturers' machines so that they can be subjected to the same degree of scrutiny. Some other experts have had this opportunity to investigate but couldn't disclose the findings due to unusually restrictive Non Disclosure Agreements drawn up by the manufacturers and evidently not questioned by the people who signed them. Not good for the public interest.
If you know of anyone who could arrange access for inspection/investigation of any other manufacturers' equipment, please let Bev know. She has asked on many occasions, and even bid for a used ES&S machine on e-bay.
As bad as Diebold is, it may not be the worst. But no one can know without having access to the machines and subjecting them to independent testing. |
|
|
