10-26-05: The 'Perimeter Defense' - Follies and Failures

BBV Admin
Board Administrator
Username: Admin

Posted on Wednesday, October 26, 2005 - 8:18 am:

This article will help prepare you to observe the Nov. 8 elections. It contains specific observations, vulnerabilities, and risk mitigation suggestions for King County, Washington and other jurisdictions that use the Diebold optical scan system.

We are entering an era where activists, security experts, and election officials are starting to communicate in meaningful terms about voting system integrity. The GAO Report and the recent NIST "Threats" conference (see related article) demonstrate that the process has begun, but we've a long way to go.

Citizens vs. election officials: A disconnect

During the upcoming Nov. 8 elections, citizens will once again witness the disconnect between election officials and appropriate security procedures. This is your opportunity to document and get a dialog going.

Go. Observe. Ask questions.

In our "Forums" section, each state has a live forum for you to post your observations during the upcoming election. Also in our forums, you'll find the "Help Desk" where you can get one-on-one coaching.

The folly of depending on a Perimeter Defense:

Brad Friedman reports a conversation with the Monterey County, California Registrar of Elections. The elections official seems to be urging him to accept "faith-based voting" -- a system dependent on the Perimeter Defense (people, policies and procedures) for its integrity.

On Monday this week, Black Box Voting attended functionality testing in King County, Washington -- another location largely dependent on the perimeter defense.

We encourage you to observe your local elections and the testing of the machines. However, when you open a dialog with your local elections official, you may find yourself entering a surreal world where the answers you get don't match the questions you ask.

When you ask questions about security of voting machines, you'll get answers explaining the people, policies and procedures. Here's where you begin to feel a disconnect, which can lead to frustration, mistrust, and a communications breakdown. You're not crazy. Election officials are just now learning about modern security concepts, and many are still unaware of the risks, much less the methods to mitigate the risks. This is compounded by the failure of the Independent Testing Authorities (ITAs) to catch significant defects, and the half-truths and untruths that your local officials are being told by voting machine vendors.

Security should not dissolve if a security layer is penetrated

Voting machine security should be layered. Each layer of security must be truly independent of the other layers. If there are dependencies between the layers, you do not have real security.

You can find out if there are dependencies by asking this simple question:

If this layer fails, can your election system be penetrated?

When evaluating the strength of any one layer, you should make the assumption that another layer has failed.

The election official who Brad Friedman spoke with was, basically, urging him to accept a Perimeter Defense as the only defense. Unfortunately, the perimeter defense is dependent on the weakest human in the chain -- and there's always a weak human around.

Here's an example of a PERIMETER DEFENSE

You are Bill Gates. You have a high fence and a guard dog. Because you have a fence and a dog:

- you choose not to have locks on your house
- you keep your billions of dollars in an unlocked box on the mantle rather than in the bank (or diversified investments)
- you leave your precious jewels in the drawer rather than in a safe deposit box
- you have no video surveillance
- you put your address in the phone book

You assume no one will penetrate the perimeter (and if you are like the local elections office, you staff with volunteers, temps, and employees of a vendor who believes his operation should be kept secret from you).

The importance of observers

Some states have political party observers, some have both party observers and citizen observers. In Ohio, we have frequently been told that tampering could not occur because both a Democrat and a Republican observer are present. They are the guard dogs in the perimeter defense.

Perimeter defense vulnerability: We have noticed that the party observers often don't pay attention to much of anything, and when they do pay attention, they seem to have no idea what vulnerabilities to watch for. Therefore, it is important that you, as a citizen, attend testings and election functions to observe and report for yourself.

King County, Washington: Perimeter defense vulnerabilities

Black Box Voting visited a King County voting machine test on Oct. 24, 2005. Here is an analysis of perimeter defense weaknesses for just a single vulnerability: the possible swapping of maliciously coded memory cards for King County's Diebold precinct-based optical scan system.

While the following describes several failures and vulnerabilities in the Perimeter defense, it also shows why this system should not have been certified in the first place. The perimeter defense is just one layer; the voting system itself should be designed to thwart the simple perimeter breakdowns listed below.

The architecture of the Diebold optical scan puts an unsustainable burden on the perimeter defense.

On Monday Oct. 24, King County was training new temps while organizing and inserting memory cards and testing machine functionality.

The temps were unaware of the memory card vulnerability (see Hursti Report). It turns out the King County staff overseeing this testing, which involved extensive handling of memory cards, was also unaware of the vulnerability, although we have documentation that elections supervisor Bill Huennikens and IT specialist Garth Fell were both provided with a copy of the Hursti Report by their boss, Dean Logan. Apparently the critical importance of memory card security was not passed along to the personnel who supervise the sorting, logging, and inserting of memory cards before the election.

The King County perimeter defense:

1. Video Cameras: Supposedly, video cameras were trained on the memory card processing.

Perimeter defense failure: However, only two of the planned four cameras had been installed, and these two cameras were not set up to capture all of the areas where memory card processing was taking place.

2. Badges: People in the facility were supposed to wear badges.

Perimeter defense failure: However, King County did not have dates on the badges, which were just a piece of paper stuck into a lanyard. They also did not keep track of the badges, which are easily duplicatable. In fact, we took our badges away with us. If we wanted, instead of notifying King County of this problem as we are doing, Black Box Voting could hand out a hundred King County "Staff badges" in the Nov. 8 election, simply by running them off at Kinkos and ordering additional matching lanyards (the necklace and plastic holder for the badge -- King County uses basically the same lanyards you get at any convention or trade show). We're posting this so that King County can improve its badge security.

Mitigation recommendations: Badges should differ for each election event in some discernable way. They should be monitored and collected. The staff badges should be more difficult to duplicate than the observer badges. There should be a procedure for poll workers and supervisors for how to check badges and what procedure to follow if they don't match.

3. Control of memory cards: The optical scan memory cards were supposedly carefully controlled.

We asked several questions about chain of custody of the memory cards. Remember, memory card security is only as strong as the weakest link in the chain.

3a. Memory card programming: Memory cards are programmed in another facility, by an employee named Garth Fell, or sometimes by a Diebold employee. We were told that the Diebold employee has an office in the elections department. No one knew the name of the Diebold employee -- it was suggested that Diebold's Robert Chen or Sophia Lee might be the programmer, but no one seemed to know exactly who programmed the memory cards.

Significant weakness in the chain: The procedures in King County appear to put TOTAL trust in single individuals who program the cards, who also have access to GEMS, the passwords, and the machines.

Perimeter defense vulnerability: Corruption of one individual, who uses the Hursti Report combination of pre-loading the cards with negative/positive votes with reprogramming of the zero report function, can defeat ALL SUBSEQUENT SECURITY DEFENSES, INCLUDING THE L&A TEST, THE ZERO REPORT, THE POLL TAPES, AND THE CANVASSING PROCEDURE.

A single failure at this point appears to have the ability to control the entire election without detection by any computer program, personnel, policy or procedure. The security of King County elections therefore appears to depend solely on the integrity of the weakest of any single individual who programs memory cards.

Risk mitigation suggestion: King County could mitigate this by obtaining a memory card "dump" (an exact record of the programming contents of each memory card) before and after the election, along with better chain of custody. The telltale signs in the memory card will appear mostly before the election, with a subtle sign after the election, but there are currently no procedures to obtain the memory card dumps, and therefore this kind of tampering will go undetected and, if done properly, leave no telltale signs that can be caught by any current King County procedure.

3b. Chain of custody during transfer: The employees at the testing facility could not tell us anything about the chain of custody bringing the cards from the programming location. At this point, the cards were loose and not in the machines.

Perimeter defense vulnerability: During transport, any single individual could swap cards. This would be most likely to succeed if the swapped cards had similar information on their labels, or if the perpetrator used a solvent to remove and reaffix the labels onto the swapped cards.

Card labeling: Not all the cards matched. Some had Diebold stickers on them, others had homemade blank white stickers with typing on them. We saw a number of people handling the cards and no one paused or examined cards that contained homemade labels.

3c. Card handling prior to initial testing: After they arrived at the testing facility, cards were logged in and matched up to test ballots. (This was not the L&A test, but the test of the printer and memory cards).

Perimeter defense vulnerability: The process of logging cards and preparing them to be put in the machine was not entirely in view of the video cameras, and was vulnerable to card-swapping. Although there were two people working with the cards, they were often not monitoring each other. Sometimes one was left alone with the cards. Sometimes a single individual handling the cards had their back to everyone else, and no one, including any video camera, could see what they were doing.

3d. Card vulnerability during "tours" - Then the cards, matched to testing ballots, were placed on another table which was in view of the video cameras, but mostly unsupervised.

Perimeter defense vulnerability: We were allowed to be up close and personal with that table when we participated in a "tour." While the supervisor was interacting with people, it would have been a trivial matter to have someone large, like BBV's Jim March, stand in front of someone small, like BBV's Kathleen Wynne, blocking both video camera view and supervisor view while cards were swapped. We did not, of course, do this, but we did videotape the vulnerability.

It should be noted that, in Hursti's analysis, due to the Diebold design, a single memory card may be able to corrupt many or all precincts at once, because it can mimic multiple precincts with its data.

Mitigation suggestion: Have a ribbon separating the card area from the observers, such that visibility is very good but materials are out of arm's reach by a foot or two.

3e. Prior to putting cards in machines - Cards and ballots were then placed atop each optical scan voting machine.

Perimeter defense vulnerability: We were seated (and standing) less than three feet away, and were able to get within one foot. Card swapping here could have been achieved easily. We were not supposed to get too close, but no one stopped us when we snuggled up to the cards, and sometimes no one was watching.

Mitigation strategy: It is important to have the processing close enough for observers to see what's going on, but it should not be within arm's reach. We've seen this achieved in other counties by placing a ribbon between observers and materials, close enough to see clearly but a foot or two out of arm's reach.

3f. Card failure and replacement - Then the cards were put into the machine, with basic functionality tested. Of the first 20 cards, two failed.

These cards were pulled out and put in a box. We were told that replacement cards were created in another facility, no one could name who was doing the new cards, and the replacements were then brought in and stuck in the machines and tested.

We noted that one of the first failures was one of the cards that lacked the standard Diebold label.

Perimeter defense vulnerabilities: The "bad cards" were put in a box that was unsupervised and easily accessible to any of us who went to the restroom, left to make a phone call, or went on lunch break. We could easily have removed the "bad memory cards" from the box for later reprogramming. Often, this is just a matter of replacing the battery.

Using "runners" to go get replacement cards should be subject to strict chain of custody requirements.

3g. Sealing the memory card bay - After testing, a seal was placed on the memory card bay in the voting machine. The number of the seal was recorded on a log.

Perimeter defense vulnerabilities: We picked up a broken seal, which contains information on how and where to order more. The intact seals were close enough that we could have picked up a handful of them, and there were times we could have done this unobserved.

However, if we replaced a seal, the number on it wouldn't match -- but this assumes that the numbers are logged on the other end, and that the machine will be taken out of service if the seal number doesn't match.

We do not know the written procedure King County provides poll workers with in the event that a seal number does not match.

Perimeter defense vulnerability: Note that if you wanted to violate a seal, you can purchase more of these seals off the Internet, and order the numbers you want. However, a simpler method would be to break the seal, which is a tiny plastic thing like they put on your luggage, and simply melt it back together using a cigarette lighter.

Mitigation: You can purchase seals made of a special type of plastic that becomes visibly discolored if melted back together. This does not appear to be the kind of seal used by King County.

Perimeter defense vulnerability: The modem and the telephone jack were not sealed. (Examination done by Harri Hursti indicates that the memory card bay can remain sealed, and the card can be reprogrammed through a telephone line, so both the modem unit and the telephone jack should also be sealed).

3h. Optical scan machine chain of custody - The optical scan machines with the memory cards sealed inside will be transported to the L&A testing facility, shortly before Nov. 4.

We do not have any information about chain of custody during transport.

After L&A testing, shortly before the election, we were told that the optical scan machines are sent home with the elections judge for each polling place. In King County, this would be about 500 people taking voting machines home.

Perimeter defense vulnerability: In a system where a single individual can destroy security by swapping a memory card, sending machines home with 500 people places an inappropriate burden on the perimeter defense.

Until this point, perhaps a dozen people in the chain of custody had access. After this point, over 500 people have inside access to the election.

Because the modem unit and the telephone jack are not sealed, it would be possible to replace the memory card contents without disturbing the memory card bay seal, thereby corrupting the election. As mentioned above, the seal on the memory card bay is also vulnerable to replacement or tampering without detection.

3i. Memory cards and the depot drop off locations - After the polls close, the voting machines are taken to one of 17 depots and dropped off. Here, the results from the voting machines are modemed in to headquarters. There are 17 depots in King County, and not nearly enough observers to go around.

Perimeter defense vulnerability: One person swapping cards at the depot can affect dozens of precincts at once. In Volusia County, we found significant anomalies in poll tapes in the Nov. 2004 election. Most of these traced back to a single depot, indicating that there was a procedural breakdown of some sort which did not appear on the trouble slip documentation.

Mitigations: The King County depot locations should be heavily observed and monitored, including video surveillance, as this is a high risk location for memory card swapping.

3j. Political party observers: The test we observed had a Republican and a Democrat observer. Unlike previous party observers we have watched, the Democrat observer, Ken Davis, was vigilant and qualified. He had good technical knowledge, asked good questions, and was generally observant. The Republican observer paid no attention whatsoever to what was going on. He appeared to be sleeping and working a crossword puzzle.

However, even the Democrat, and BBV's own Jim March sometimes handled the tedium by engaging in conversations and paying no attention to the testing. Bev Harris did that as well at times.

And herein lies the trap for observers -- during the first hour, most observers watch carefully. Then things get into a routine, seem tedious, so you drop your watching and engage in socializing or other activities.

Mitigation recommendations: Like BBV's Kathleen Wynne did, observers should watch (and video, if possible) everything. The purpose of observing should be to function as a "human audit log" -- recording the time, precinct number, machine serial number, names of personnel for each anomaly. There are many anomalies if you are vigilant.

For political observers, these logs should be posted on the party Web site, and they should certainly be required by King County, since this county pays its observers.

We have witnessed paid King County party observers reading books, sleeping, working crossword puzzles, wandering around the facility, socializing, and making excuses for defective performance of the voting system to other observers, but except for Ken Davis, we have rarely seen them do their job.

Summary

The above analysis shows the vulnerability of a perimeter defense for just one exploit (see the Black Box Voting attack tree presentation for more attacks that are vulnerable to a perimeter defense -- large, allow time to download).

What the above illustrates even more clearly, however, is the importance of designing voting systems correctly in the first place. It is wholly inappropriate to have a system which is compromisable by swapping a credit-card sized object. This system should be decertified.

We hope to see the Election Assistance Commission move ahead swiftly with replication of the Hursti Report, and subsequent decertification of the system. County officials should prepare to request reimbursement from Diebold during a product recall or replacement.
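
The chain-of-custody and seal-log checks recommended in items 3a through 3h, and the "human audit log" idea in 3j, can be reconciled mechanically once the events are written down. The following is an added example, not code from Black Box Voting or King County; the record fields, step names, card IDs, seal numbers and log entries are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    time: str                            # ISO 8601, sorts chronologically as text
    card: str                            # memory card label (constructed IDs)
    step: str                            # programmed | transfer | logged_in | sealed | seal_check
    holder: str                          # person holding the card at this step
    witness: Optional[str] = None        # second person watching the step
    received_from: Optional[str] = None  # previous holder named at a handoff
    seal: Optional[str] = None           # seal number written or read at this step


def audit(events):
    """Return (card, time, issue) findings for one election's custody log."""
    findings, last, sealed_with = [], {}, {}
    for e in sorted(events, key=lambda ev: ev.time):
        prev = last.get(e.card)
        # Two-person rule: every step needs a witness other than the holder.
        if not e.witness or e.witness == e.holder:
            findings.append((e.card, e.time, "single-person custody"))
        if prev is None:
            # A card that first appears mid-chain has no known origin.
            if e.step != "programmed":
                findings.append((e.card, e.time, "no programming record"))
        elif e.holder != prev.holder and e.received_from != prev.holder:
            # The holder changed without a handoff naming the prior holder.
            findings.append((e.card, e.time, "custody gap"))
        if e.step == "sealed":
            sealed_with[e.card] = e.seal
        elif e.step == "seal_check":
            if e.card not in sealed_with:
                findings.append((e.card, e.time, "seal check without sealing record"))
            elif e.seal != sealed_with[e.card]:
                findings.append((e.card, e.time, "seal number mismatch"))
        last[e.card] = e
    # The seal log only helps if someone reads the number at the other end.
    for card, e in last.items():
        if e.step != "seal_check":
            findings.append((card, e.time, "seal never checked"))
    return findings


def issues_by_card(findings):
    grouped = defaultdict(set)
    for card, _time, issue in findings:
        grouped[card].add(issue)
    return dict(grouped)


# Constructed sample log: MC-001 is clean, MC-002 and MC-003 are not.
SAMPLE_LOG = [
    Event("2005-10-24T08:00", "MC-001", "programmed", "programmer", "supervisor"),
    Event("2005-10-24T09:00", "MC-001", "transfer", "runner", "supervisor", "programmer"),
    Event("2005-10-24T10:00", "MC-001", "logged_in", "clerk1", "clerk2", "runner"),
    Event("2005-10-24T11:00", "MC-001", "sealed", "clerk1", "clerk2", seal="S1001"),
    Event("2005-11-08T06:30", "MC-001", "seal_check", "judge1", "inspector1", "clerk1", "S1001"),
    Event("2005-10-24T08:05", "MC-002", "programmed", "programmer"),
    Event("2005-10-24T09:00", "MC-002", "transfer", "runner", "supervisor", "programmer"),
    Event("2005-10-24T10:05", "MC-002", "logged_in", "clerk1", "clerk2"),
    Event("2005-10-24T11:05", "MC-002", "sealed", "clerk1", "clerk2", seal="S1002"),
    Event("2005-11-08T06:35", "MC-002", "seal_check", "judge2", "inspector2", "clerk1", "S1020"),
    Event("2005-10-24T10:10", "MC-003", "logged_in", "clerk1", "clerk2", "runner"),
    Event("2005-10-24T11:10", "MC-003", "sealed", "clerk1", "clerk2", seal="S1003"),
]

if __name__ == "__main__":
    for card, time, issue in audit(SAMPLE_LOG):
        print(f"{time}  {card}  {issue}")
```

A log like this records who held a card and which seal number was written down; it says nothing about what is programmed on the card, which is what the memory card dump suggested in 3a is for.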

Bob Fleischer
Voting Rights Forum Participant
Username: Rjf7r

Posted on Sunday, October 30, 2005 - 8:29 pm:

I think an important question to ask over and over again is: "If you were attacked, would you know it? How do you know if you are attacked? Do you take any actions to determine if you have been attacked? What do you do if you are being or have been attacked?"

John Howard
Frequent Voting Rights Forum Participant
Username: Harmonyguy

Posted on Sunday, October 30, 2005 - 8:52 pm:

Perhaps I watch too many old Perry Mason movies:

Over the course of the last 12 months, how many times has your system been attacked?

When was the last time your system was attacked?

Are you confident of your answers?

If I were to tell you that on October 15th last, your system was placed under deliberate attack, would you still have confidence in your answers?

Followed by:
Please describe the system you use to alert you of an attack?

Oh, so you don't actually have one. How then, how can you possibly be confident of your previous answers?
Your honor, this witness wouldn't know an attack if it happened right in front of him. And he's an experienced election official. Perhaps the witness, in his capacity as a trusted election official, may wish to acknowledge that the system has, in fact, no protection, and that his office has no way of knowing whether or not an attack has occurred.


HG

Bev Harris
Voting Rights Forum Participant
Username: Bevharris

Posted on Monday, October 31, 2005 - 4:50 am:

to: Perry Mason

Over the course of the last 12 months, how many times has your system been attacked?

It has never been attacked.

When was the last time your system was attacked?

You sound like a conspiracy theorist and I'm not going to answer conspiracy theories.

Are you confident of your answers?

Yes, I've been an elections official for 15 years and we've never had a problem.

If I were to tell you that on October 15th last, your system was placed under deliberate attack, would you still have confidence in your answers?

Well if you have evidence that it was attacked write it up and submit it, but until you do that, I'm standing by my position that it has not been attacked.

Please describe the system you use to alert you of an attack?

Any attack would be detected by our procedures.

Oh, so you don't actually have one. How then, how can you possibly be confident of your previous answers?

You need to consider the people, procedures and policies, not just the voting system. Are you accusing our people of something? Our policies would catch tampering. Exactly who and what are you accusing? Prove it.

Your honor, this witness wouldn't know an attack if it happened right in front of him. And he's an experienced election official.

(He says he would know it, but it has never happened.)

Perhaps the witness, in his capacity as a trusted election official, may wish to acknowledge that the system has, in fact, no protection, and that his office has no way of knowing whether or not an attack has occurred.

These systems were certified by national testing labs and again by our secretary of state. The hysteria caused by a band of activists is causing damage to confidence in our system. There has never been a documented incident of using a voting machine to commit election fraud.

Okay, Perry Mason, deal with them apples.

From Bev: Obviously, I do not agree with the hypothetical election official above, but they do have rebuttals. In order to prevail, we need to anticipate the rebuttals and frame our questions pre-emptively.

Paula Bushkoff
Frequent Voting Rights Forum Participant
Username: Plumb

Posted on Monday, October 31, 2005 - 7:41 am:

Please describe the system you use to alert you of an attack?

Any attack would be detected by our procedures.


At this point Perry would point out that the answer was unresponsive because he did not describe the system used to alert him of an attack. (It is the system that needs to be made public so that the public can evaluate its likely effectiveness.)

Bob Fleischer
Voting Rights Forum Participant
Username: Rjf7r

Posted on Monday, October 31, 2005 - 8:13 am:

And this is usually the point at which secrecy is invoked -- "if we let potential hackers know what we do to detect them, they will be able to go around our defenses."

BBV Admin
Board Administrator
Username: Admin

Posted on Monday, October 31, 2005 - 3:57 pm:

LOL -- Paula,

you nailed it. I give you the Perry Mason award of the day.

And Bob, that old S.O.B., I mean S.B.O. (Security By Obscurity) is an area we need to tackle head-on, isn't it?

Part of doing this is giving people a frame. The Perimeter defense -- people, procedures, policies -- is a frame we can define and take on. Same with security by obscurity.

Security by Obscurity: You hide the key under the doormat and think your house is secure because you didn't tell any burglars where it is.

Perimeter defense: You don't lock your house because you have a fence.
 

All original content on this website is Copyright (c) 2008-2009 by Black Box Voting. All rights reserved.