10-5-05: Diebold Lies Move Up the Ladder

Author Message   Bev Harris Board Administrator Username: Admin Post Number: 2063 Registered: 12-2004 Best of Black Box?  Votes: 7 (A keeper?) Posted on Wednesday, October 5, 2005 - 6:21 am:        - July 4: Harri Hursti report released: Critical Security Alert for Diebold Optical Scan System - July - August: Security Alert sent to 1,000 secretaries of state and elections officials - Sept 7: Requests for responses to the security alert sent to 1,000 jurisdictions - October: Responses have begun to arrive. What we've learned: 1. Diebold chose to lie to public officials when asked about the security alert. 2. Surprisingly weak control processes: Diebold responses to public officials do not appear to have gone through legal vetting, or any quality control process. A letter to the secretary of state of Arizona written by Diebold's Steve Moreland, for example, differs markedly from Diebold responses sent to other election officials. Curiously, the most widely distributed Diebold response, sent to election officials, contains no corporate identifier. No signatures, no names, no company letterhead -- yet elections officials in state after state have now provided Black Box Voting with an identical document, labeling it as "from Diebold." It is clear that someone in Diebold spent time crafting and distributing responses, coining new techno-babble phrases and spouting whoppers. Some of Diebold's technical explanations are not even theoretically possible. The Hursti Report has formally been submitted to the NIST (National Institute of Standards and Testing) Voting System Threat Analysis team, and Diebold's responses, which contain remarkable and impossible technical claims, will be hand delivered to the NIST voting systems team in Washington D.C. this weekend. NIST is in the process of developing new standards for voting systems, and these Diebold responses will help NIST become acquainted with the level of mendacity to expect from vendors. Other troubling responses: Many public officials still have inadequate understanding of public records laws and fiduciary duty. "We threw it away immediately." The technical report by Harri Hursti has been well received by experts and in peer review. On the cover page are the words "Critical Security Alert." Yet, many elections officials proudly reported to us that they threw the report away immediately without reading it. Many did not ask a single question, of their secretary of state, of the state board of elections, of the certifiers, or of Diebold. Several also reported that they discarded follow-up materials from state officials and Diebold as well. This response shows a naivete about security and fiduciary duty, to say the least. One can't help but wonder how it would play in court: Candidate's lawyer: Did you receive this document, entitled "Critical Security Alert" Elections official: Yes, but I threw it away immediately without looking at it. Candidate's lawyer: Did you receive a subsequent letter from your secretary of state about this matter? Elections official: I threw away everything about the security alert. I only talk to my vendor. Election officials need more training on public records requirements: One public official stated that she considered correspondence from Black Box Voting, and subsequent related correspondence, to be "her personal records," and therefore not subject to public records requests. One elections official responded to our mailed public records request by writing that he will turn future letters from us over to a lawyer and "prosecute us for harassment." Needless to say, sending public records requests is a right of every citizen in America, and it is required by law that public officials comply with public records laws. (The text of the public records request we sent can be found here) One elections official told us that, in order to search her e-mails, Black Box Voting would be required to pay for a programmer to write a program to design a search function for the county e-mail. In most cases, we treat these kinds of responses with compassion. Kathleen Wynne calls the public officials in question and gently updates them on how public records law works, and in almost all cases a pleasant conversation ensues. Usually these responses come from small counties, and sometimes elections officials were given incorrect advice by advisors. More concerning is the response of Thomas Mishou on behalf of the state of Georgia. First, he claimed no records existed. After learning that Black Box Voting had made the same request of all 159 county officials in Georgia (many of whom complied with the request immediately, sending us documents pertaining to the Hursti report written by Georgia elections director Cathy Rogers), Mishou then redacted his original response, but now refuses to copy the documents he subsequently admits he has (even for a fee). Mishou's latest correspondence tells us we must travel to Georgia to view the public records. Washington State has been "looking for documents" for weeks, but Washington's own King County wrote to us that they have the documents, which they will provide for three dollars. A finger-pointing game is taking place. The Kansas secretary of state, for example, takes no responsibility for the integrity of the system, giving a nod to the ITA and then telling county officials it is up to them to decide what response is appropriate. Massachusetts state officials lean heavily on the ITAs; Diebold lays the blame for its product defects squarely on the public official who allowed a security test to be performed. Some good has already come of the Hursti Report The Arizona Secretary of State has issued new security recommendations for handling memory cards. Leon County's Ion Sancho has added a security step to his elections, using the memory card reader to check the contents of the cards before putting them in the voting machines, an appropriate step. The manufacturer of the memory card reader we used to examine Diebold memory cards (Cropscan) reports that a handful of other election jurisdictions have purchased card readers of their own. Next steps Black Box Voting is currently going through the tedious process of logging hundreds of responses, writing small checks, collecting documents, and then we'll publish the information. We are considering what to do about Diebold's decision to misrepresent their product to their customers, and to the secretaries of state who certify their system. It is, of course, entirely possible that Mark Radke, who is in marketing, and Steve Moreland, who is in customer service, were misled by Diebold programmers, causing them to make false statements. That won't suffice. We sent a certified copy of the Hursti Report to the secretary and general counsel of the Diebold Inc. Board of Directors, which invokes fiduciary duty upon the parent company to get the truth. Ignorance does not excuse misleading the secretary of state, or making false claims to state and county officials. For jurisdictions involved in procurement When false claims are made by a vendor during the procurement process, it may constitute fraud and unfair competition. Given these concerns, jurisdictions that have not yet signed contracts may want to add a clause to allow them to get out of the contract if it is discovered that the vendor made material misrepresentations during the sales process. Vendors who have already purchased may want to consider redress under consumer protection law. In each jurisdiction where Diebold equipment has been purchased following false claims, other vendors may now have a viable claim for false advertising and unfair competition.   Bruce Sims Frequent Voting Rights Forum Participant Username: Ubetchaiam Post Number: 548 Registered: 06-2005 Best of Black Box? N/A Votes: 0 (A keeper?) Posted on Wednesday, October 5, 2005 - 7:52 pm:        "In each jurisdiction where Diebold equipment has been purchased following false claims, other vendors may now have a viable claim for false advertising and unfair competition."-personally I think this would be an excellent strategy as it brings the Feds into the picture since it is a matter of interstate commerce. Send every vendor of voting equipment a list of the jurisdictions and a 'suggestion'   Bev Harris Board Administrator Username: Admin Post Number: 2064 Registered: 12-2004 Best of Black Box?  Votes: 1 (A keeper?) Posted on Saturday, October 8, 2005 - 11:00 am:        Bruce -- I agree that this is an interesting strategy. I doubt that many vendors will partake of it, since it would call their own sales claims into question, and possibly open them up to discovery themselves. At the N.I.S.T. "Threats to voting systems" conference yesterday, the Hursti report was praised by panelists (as was his new "VotoScope" software, a powerful public auditing tool). Hursti met with the media and several of the scientists and computer people from N.I.S.T., and also with some public officials. This conference represented an important breakthrough, in that for the first time, elections officials had a real dialogue about security issues, with the consensus coming out of this conference that security risks are real, the attack trees must be catalogued, and risk mitigation strategies must be developed and used. See the concept of "attack trees" outlined here: (large pdf file): http://www.bbvdocs.org/presentations/attacks-public.pdf I believe there will be steps going forward that will be positive. Therefore, I think Diebold made a major tactical error by responding to the Hursti Report in the way they did. It is now only a matter of time before the Hursti exploits are replicated elsewhere, formally, at the direction of public officials, and when they are replicated, Diebold's written responses will collapse. It remains to be seen what will happen to Diebold when their misleading responses to the original report are exposed.   Catherine Ansbro Frequent Voting Rights Forum Participant Username: Catherine_a Post Number: 972 Registered: 12-2004 Best of Black Box? N/A Votes: 0 (A keeper?) Posted on Saturday, October 8, 2005 - 12:38 pm:        Bev, Thanks for this news about the NIST conference. I see that the NIST website has posted links to all the papers that were submitted, plus the presentations that were given, plus the full audio of the entire conference. This could be a great resource for media and for friends/neighbors/work colleagues who still need convincing that electronic voting machines pose a risk to democracy. Would you consider posting this link http://vote.nist.gov/threats/papers.htm (or separate links for the papers, presentations and audio) in a well-labeled part of the BBV website? (Possibly the Resources section?) Can you identify (or highlight) specific submissions and/or presentations that you felt were most valuable? In your opinion would it be worthwhile to listen to the audio of the whole conference? Are there certain parts that you'd recommend strongly?   Bev Harris Board Administrator Username: Admin Post Number: 2066 Registered: 12-2004 Best of Black Box? N/A Votes: 0 (A keeper?) Posted on Saturday, October 8, 2005 - 3:21 pm:        Yes, I'll be posting all of the papers in a prominent location, along with a fairly extensive follow up article. I cannot stress enough how important this event was. I think you'll be seeing some surprising announcements from various places during the next month -- some representing real advocacy for reform and security mitigation, and some, of course, representing damage control and red herrings. Unfortunately, I am sick as a dog right now, came down with a bad cold the day before we left, not improved by sitting in the middle seat of a 5-hour flight, nor improved by the 4-day pouring rain here in D.C. In fact, I had to miss some after-hours socializing that would have been very interesting. So, I'll wait a bit before tackling all my notes and writing up the event, probably tomorrow or Monday. I saw Bob Fleischer there (that was you, right, Bob, asking those excellent questions?) Also said hello to Joe Hall, who has often posted here. My favorite panelist was certainly Doug Jones, who possesses not only excellent technical knowledge, but an outstanding knowledge of the history of exploits of various kinds of voting systems.

All original content on this website is Copyright (c) 2008-2009 by Black Box Voting. All rights reserved.
Forums powered by Discus Professional - www.discusware.com.
Original site and logo design is by Andy Markley - art101.com.