| 7-4-2005: The Black Box Report |
admin Board Administrator Username: admin
Post Number: 685 Registered: 12-2004
Best of Black Box?  Votes: 14 (A keeper?) | | Posted on Monday, July 4, 2005 - 10:39 am: |
|
SECURITY ALERT: Critical Security Issues with Diebold Optical Scan Design - by Harri Hursti
http://www.blackboxvoting.org/BBVreport.pdf

EXCERPTS FROM THE REPORT:

Incorporated into the foundation of the Diebold Precinct-Based Optical Scan 1.94w system is the mother of security holes, and no apparent cure will produce infertility, or system safety.

...the removable media (memory card), which should contain only the ballot box, the ballot design and the race definitions, but also contains a living thing – an executable program which acts on the vote data. Changing this executable program on the memory card can change the way the optical scan machine functions and the way the votes are reported. The system won’t work without this program on the memory card.

Whereas we would expect to see vote data in a sealed, passive environment, this system places votes into an open active environment.

With this architecture, every time an election is conducted it is necessary to reinstall part of the functionality into the Optical Scan system via memory card, making it possible to introduce program functions (either authorized or unauthorized), either wholesale or in a targeted manner, with no way to verify that the certified or even standard functionality is maintained from one voting machine to the next.

...Within the context of expected security responsibilities, one layer of security should be preventive cost factors. While the system will always be breakable, the feasibility of penetration should be inhibited by the cost of such an endeavor. What the author has identified, however, is an exceptionally flexible one-man exploit requiring only a few hundred dollars, mediocre technical ability, and modest persuasive skills (or, in lieu of persuasive skills, just a touch of inside access).

...This design would not appropriately be characterized as “a house with the door open.” The design of the Diebold Precinct-Based Optical Scan 1.94w system is, in the author’s own view, more akin to “a house with an unlockable revolving door.”

...Only awareness of the flaws will facilitate development of the countermeasures needed to hamper the effectiveness of the attack vectors. If the layers of protection are interconnected and relying on each other they are not true layers – it is just a one-layer system which is only as strong as its weakest point. Also bear in mind that layer interaction removes the layer separation. Therefore, a proper security analysis should always begin with the assumption that the previous layer has been compromised. If that assumption cannot be made, the layers are interconnected and the dominoes will fall.

... (Background)

On May 26, another visit was scheduled at the Leon County Elections Warehouse, and the author quickly penetrated the security of the Diebold Precinct-Based Optical Scan 1.94w system three times, each time with a different memory card manipulation.

...The Diebold optical scan system

The Diebold optical scan system consists of three components: The optical scan reader used at the polling place to scan and interpret ballot data; the central tabulator, which resides on a standard PC computer using the Windows operating system, used at the county election office to collect and tally votes from polling places; and a removable data storage unit, the memory card that stores the votes.

Before each election, the Diebold central tabulator program, called “GEMS,” defines the races in the election. The optical scan machine is then connected to the GEMS server via an RS-232 serial port connection. The removable storage (memory card) is placed into the optical scan machine, and GEMS writes information onto the memory card through the optical scan unit.
According to the Diebold optical scan user’s manual, the programming of the memory card can also be done remotely by modem connection over a public telephone network.(7)

After the cards have been programmed, they are interchangeable among voting machines with the same or similar firmware version. Therefore a single machine can be used to program all cards needed.

During the election, voters place filled-out ballots into the scanner, which interprets the ballot data and stores the totals (but not the individual votes) on the memory card.

After the election, the data on the memory card is transferred into the central tabulator by a modem through a modem pool, or is physically brought to the county elections office and uploaded through an optical scan machine there via an RS-232 serial port connection. It is noteworthy that operational practices may vary -- from election office in-house operated modem pools to a virtual modem pool purchased as access service from a 3rd party provider.

...Findings

It has been known for years that Diebold uses its own proprietary programming language, Accu-Basic, for report-generation. This can be known from publicly available information, including compiler source code(10), an unfinished programming manual(11), AccuBasic source code files(12), pre-compiled files(13) and memos(14). A large number of experts have reviewed this information but they have generally failed to understand the role and execution environment of Accu-Basic. A contributing factor could be that these critical pieces of information may have been omitted from official documentation, evidenced from the AccuVote-OS 1.94 Precinct Count User’s Manual, Revision 2.0, July 18, 2002, page 14, which fails to list the executable program as an item stored in the memory card.(15)

Accu-Basic programming is a two phase process.
First the Accu-Basic program source code needs to be pre-compiled with a compiler, converting it from a human readable source code form into token based pseudo-code. The pseudo-code is still a non-binary, ascii file. This first phase programming is normally done on a standard PC running Windows or *ix-variant operating system. The author used the FreeBSD platform. Then this pseudo-code is transferred to the final execution environment (that is, to the voting machine), where the pseudo-code is executed by an interpreter.

Note: The interpreter, built into the optical scan firmware, will execute the code following the instructions on the memory card. No information has been provided about the interpreter.

A publicly available Diebold memo from Guy Lancaster to Steve Ricke, dated 18 Nov 1999 17:28:23, subject “Re: Report Failure”(16) (Provided in Appendix), revealed that:

- The pre-compiled AccuBasic program is uploaded and is executed from the memory card.
- The AccuBasic program is not protected against corruption nor tampering with checksums.

This omission appears to be in conflict with the word and intention of the 1990 Federal Election Commission Standards, Chapter 5, specifically, but not limited to, articles 5.1, 5.3 and 5.5.(17)

Implications of this design:

With this design, the functionality – the critical element to be certified during the certification process -- can be modified every time an election is prepared. Functionality is downloaded separately into each and every machine, via memory card, for every election. With this design, there is no way to verify that the certified or even standard functionality is maintained from one voting machine to the next.

With regard to certification, please also note that, because of the architecture, a trustworthy certification cannot be done separately for hardware and software. For a true understanding of the execution environment, the certifier must understand both of these components.

...Security exploits

Exploits available with this design include, but are not limited to:

1) Paper trail falsification – Ability to modify the election results reports so that they do not match the actual vote data
1.1) Production of false optical scan reports to facilitate checks and balances (matching the optical scan report to the central tabulator report), in order to conceal attacks like redistribution of the votes or Trojan horse scripts such as those designed by Dr. Herbert Thompson.(19)
1.2) An ingenious exploit presents itself, for a single memory card to mimic votes from many precincts at once while transmitting votes to the central tabulator. The paper trail falsification methods in this report will hide evidence of out-of-place information from the optical scan report if that attack is used.
2) Removal of information about pre-loaded votes
2.1) Ability to hide pre-loaded votes
2.2) Ability to hide a pre-arranged integer overflow
3) Ability to program conditional behavior based on time/date, number of votes counted, and many other hidden triggers.

According to public statements by elections officials(20), the paper trail produced by the precinct optical scan has been placed into the role of a vital safeguard mechanism. The paper report from the optical scan machine is the key record used to confirm the integrity of the central tabulator record.

... It is important to understand that, because the AccuBasic program is aware of the election definitions and structure, attacks can be prepared months ahead of time, before the candidate and ballot design have been decided. (Measures like ballot rotation have no effect on these exploits whatsoever, and do not need to be considered.)

...combining the false report method (demonstrated on page 16) with the pre-arranged integer overflow (demonstrated on 18) seems to be an especially efficient exploit because it is a one-step process that takes out both the actual process and its safeguard at the same time, while surviving scrutiny of almost anything short of a full manual recount.

Delivery mechanisms for memory card tampering

Delivery of a malicious program can be achieved with multiple methods; among them:

- Direct alterations to the memory cards themselves.
- Replacement of the “.abo” (AccuBasic executable) file(s) in the central tabulator before election definitions are uploaded to memory cards. In this approach the election office, while not necessarily aware of the situation, will distribute the malicious code when preparing the elections.
- The central tabulator approach (.abo file replacement) will also enable even remote work. Remote attacks can either use a technical approach or a social engineering approach. Social engineering can turn out to be quite effective to deliver malicious code to the GEMS computer. An example of this could be providing an automated CD/DVD disc or USB device “patch” or update, delivered to the elections office accompanied by a phone call recommending its installation.

Even if checksums were to be implemented in future versions of the firmware to protect the executable on the memory card, using GEMS to contaminate the memory card will neutralize the checksums because the program is inserted before the checksums are calculated.

...Proof of concept in detail

To show that the executable program on the memory card controls the optical scan report and the user interface, and to test the memory card alteration theory, the author was able to test sample cards from Leon County, Florida. These memory cards contained an election constructed for the purpose of educating poll workers for future elections.
All relevant elements were identical to the platform and implementation of all elections run within the environment in question.

...When the author viewed the raw dump of the image file, which can be done using any hexadecimal or binary file editor, it became self-evident where the starting position of the executable pseudo-code was. Because the program is stored after election specific data, it is safe to assume that the starting location is not fixed. (screen shot included in report)

The author also found the end location of the executable block to be self-evident. (screen shot included in report)

...The author wrote and pre-compiled his own program. Please note that the compiler has been publicly available for several years(22). This significantly helps the average Joe to make his own program for the voting machine, although for sophisticated programmers this help is far from necessary. The compiler output is a pseudo-code in the format for GEMS to upload to the card.... (additional specifics provided in report)

...the memory card was inserted to the Optical Scan unit, and it was verified that the voting system functionalities changed according to the programming concepts the author had chosen.

...The following images show the original optical scan report side-by-side with reports that were produced by modifying the program code on the memory cards. On all memory cards, the vote data remains identical in this particular exploit. Only the reporting mechanism was modified to give false results. (image of scanned poll tapes provided in report)

Note that the run date and time on all reports are the same. The original report was run in Leon County on May 16, when the author was not present. However, the reports from the tampered memory cards, which also state run time to be May 16, were actually run on the morning of May 26, when the author conducted the proof of concept test.
These reports demonstrate that report data, including the date and other information, are easily altered on optical scan reports. (image of scanned audit tape is provided in report)

Above is the Diebold “audit report” for the optical scan machine, printed on May 26. This audit log is printed from the optical scan firmware, not from the executable on the memory card. No changes were made on this report. Note that it shows no error messages. The memory card this report purports to be auditing was tampered with on an airplane at an earlier date in May, but nothing in the audit log reflects the actual timing of memory card events. No anomalies appeared on the audit report because none of the changes made by the author affected any of the Diebold audit log information.

...Manipulation through integer overflows

Currently, many programmers have become accustomed to higher level programming languages, which give warnings and guidance to adjust integer overflow problems. The problem defined below will be familiar to programmers who have worked in earlier environments and/or with lower level programming languages. Please note that only 16 bit integers (2 byte) are used instead of longer integers, which are the default in today’s environment.

It is clear that the checksum algorithm used was chosen to be the simplest possible one, because it has been chosen to protect the votes against random corruption of the data instead of intentional tampering. This finding led the author to create an exploit with the idea of inserting votes that will cancel each other out when added.

By the way: There were no error messages during start-up with this card, nor did any error messages appear afterward. (image of scanned "zero tape" provided in report, with pre-loaded votes to trigger integer overflow)

...Pre-stuffing the ballot box with votes 65511 and 25 is essentially the same as if one candidate had -25 votes and the other +25 votes at the start.
Naturally, the choice of -25 and +25 was arbitrary and different figures could have been used.

Further considerations

When the firmware turns control over to Accu-Basic, the user is not notified, nor is the user notified when control returns to the firmware. The Accu-Basic program on the memory card not only has control over the printer as output media, but also enables interaction with the user over the LCD display, and the “YES” and “NO” buttons located underneath the LCD. The implications of this are:

1) Conditional behavior of malicious code can be based on user input
2) The user can be made to believe that his activities are real, while they are not, by programming the memory card so that it will not return control back to firmware. (image of message "Are we having fun yet" on LCD screen, for the demonstration of control over the user interface performed in Leon County)

Conclusions

The Accu-Vote Precinct Count Optical Scan system inherits numerous attack vectors from flexibility to modify over security design. Operational procedures required to secure the system would put an un-sustainable burden on the perimeter defense, training of the personnel and supervision among the other layers of security.

Recommendations

1. Further evaluation should be performed on the 1.96.x and 2.0.x versions of the Diebold optical scan system to determine whether they do or do not have the same fundamentally insecure architecture. A similar examination should also be performed on the Diebold touch-screens, including the TS-R4 and TS-R6 versions, the TSx version, and the new “VVPAT” version, along with any other component of the accumulation process for any of these systems.

2. Because memory cards have been given a pre-eminent position in the Diebold voting system studied, they should be deemed to contain critical data and should be considered to be a public document. Of course, they should be retained for 22 months in federal elections, as required by U.S. federal election law.

3. Memory cards or, in the event they are not available, the voting systems themselves, should be examined for all jurisdictions using any Diebold voting system which relies on this type of architecture. If manipulation is done properly, there will be no telltale anomalies in the reports printed for the public. In areas like Volusia County, (24)(25)(26) and Brevard County (27)(28) Florida, where significant anomalies have appeared related to vote tabulation, memory cards, or poll tapes, the memory cards should certainly be inspected by someone experienced in forensics.

4. The architecture of other manufacturers should be examined for similar vulnerabilities. Priority should be set for this examination according to the significance of the vendor.

Footnotes, acknowledgements

List of Appendices:
Appendix A: Diebold memo about memory cards used
Appendix B: Diebold memo about checksums
Appendix C: Diebold memo with more information about checksums
Appendix D: Sample program
Appendix E: List of locations that use Diebold voting systems

* * * * *

Here, we leave the report by Harri Hursti. Let us now discuss practical next steps. It is important to achieve several things:

1) A product recall, as this vulnerability is not fixable with any software patch. It would be entirely inappropriate for taxpayers to foot the bill of corrective actions. Those costs should be borne by the vendor. Bear in mind that when Diebold acquired Global Election Systems, its investment banking partner performed, (or should have done) a due diligence analysis of this system. Diebold Inc. either knew, and sold the system anyway, or did not know, but should have known. It is therefore appropriate that Diebold should foot the bill for the product recall. Certainly not the taxpayers.

2) It becomes important to understand who knew what, and when. Did the ITA certifiers (Wyle, and Ciber) know of this? If they knew, but certified it anyway, an investigation of the certification process must be conducted.
If they did not know, their credentials as certifiers should be revoked. Did the state-level evaluators know? (Paul Craft - Florida; Britain Williams - Georgia, Maryland, Virginia; Steve Freeman - California).

Please note that this product was certified to 1990 FEC standards. However, it appears to violate a number of these standards, which can be found here: http://www.bbvforums.org/forums/messages/2197/2383.html

One item of review, when you look at the standards, should be the requirement to use checksums and parity. Another should be the prohibition against using nonstandard language. A third area to look at is the prohibition of self-modifying code. Be your own certifier. See what you think.

3) It is now very important to do forensics on the memory cards and voting systems used in the Nov. 2, 2004 election. Because this system is so open to tampering, please urge your local and state officials to sequester the memory cards for recent elections, so that they can be examined by a forensic expert, or an otherwise qualified expert, like Hursti, who has shown that he is both competent to evaluate this issue, and forthcoming about notifying the public. These memory cards are clearly of public interest, and should be deemed a public document.

4) Please urge local and state officials to have a competent, qualified examiner evaluate both the new optical scan systems, including the high speed central count system, and the touch-screen systems, because there are some indications that this architecture is being used (and even increased) in newer versions. The touch-screens may be using a different but similar architecture. Contact Black Box Voting when you have indications that such cooperation is forthcoming. (contact kathleen@blackboxvoting.org to help schedule an evaluation, or call 425-793-1030).

No new elections should be run on Diebold optical scan systems until these evaluations are complete.

Please note that any agency that redacted this issue from its report, perhaps working privately with the manufacturer behind the scenes to correct it, or working on some other private remedial concept should be disqualified from further certification or evaluation work. The reasons for this are twofold:

- The presidential primary, and a federal general election, were allowed to be held on the Diebold system, which is now used in 1,207 locations. (Some of these locations are new purchases, the number of jurisdictions using Diebold in the 2004 election is closer to 800. Of these, approximately 200 used touch-screens at the precinct, with optical scans counting absentee votes. Of the 600 remaining jurisdictions, a handful used the 1.96.x firmware version, which probably carries the same vulnerability but has not yet been field-tested for it. At least 500 jurisdictions used systems that were certainly open to the exploits described in this report.)

In Nov. 2004, in Florida alone, the Diebold Precinct-Based Optical Scan 1.94w system counted approximately 2.5 million votes in 30 counties, or about one-third of all the votes in Florida. Nationwide, this version of Diebold voting machines counted approximately 25 million votes in Nov. 2004, or about 25 percent of the national election.

Any entity that allowed the Nov. 2004 election to proceed on a system with a fundamental architecture that is "open for business" -- even if working with a vendor behind the scenes -- compromised the integrity of the election. We do not know if any scientists or testing authorities have been working privately with Diebold to correct the problems, but it is very difficult to explain why no one has come forth publicly with this information. It may be that someone feels they have a superior plan of action, which requires keeping the information quiet, but in view of the stunning hole through the security of the 2004 presidential election, this position would seem insupportable.

- The concept of working privately behind the scenes with a vendor to secretly correct flaws is incorrect as a consumer protection measure. Running a United States federal election on a voting system with this architecture is certainly parallel to letting people drive cars with exploding gas tanks.

* * * * *

Permission to reprint granted with a link to http://www.blackboxvoting.org, and provided that no edits or changes of text or graphics from EXCERPT FROM THE REPORT, OR THE REPORT ITSELF, are made in any way. ALL QUOTES AND EXCERPTS FROM THE REPORT, EVEN BRIEF ONES, MUST BE ATTRIBUTED.

Please send this report to the public officials using Diebold (here is a list of locations: http://www.blackboxvoting.org/diebold/locations.pdf).

Please also consider sending a printout of this report to the network security administrator of each jurisdiction that uses Diebold systems. This would be an employee who does not work for the elections division, but instead is responsible for the integrity of the data for the county or township.

Please send this report on to other computer professionals. Please distribute this report to your lists. |
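
The 16-bit counter arithmetic from the "Manipulation through integer overflows" excerpt above, worked through in C as an added example that is not part of the original post or of the Hursti report. The additive checksum, the two-counter layout and every function name are assumptions made for illustration (the excerpt says only that 16 bit integers are used and that the checksum is "the simplest possible one"); the example shows which integrity checks notice the 65511 / 25 starting values and which do not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ASSUMPTION: a plain additive checksum over the vote counters, truncated
 * to 16 bits. The excerpt does not give the real algorithm. */
uint16_t additive_checksum(const uint16_t *c, size_t n)
{
    uint16_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum = (uint16_t)(sum + c[i]);      /* wraps modulo 65536 */
    return sum;
}

/* Record one ballot for candidate idx; a 16-bit counter wraps 65535 -> 0. */
void cast_vote(uint16_t *c, size_t idx)
{
    c[idx] = (uint16_t)(c[idx] + 1u);
}

/* How a 16-bit counter value reads as a signed head start (65511 -> -25). */
int32_t as_signed_offset(uint16_t v)
{
    return v >= 0x8000u ? (int32_t)v - 65536 : (int32_t)v;
}

/* Check 1: pre-election test on the raw counter values. To be useful it has
 * to read the stored values directly, not a report printed by code that
 * lives on the same card. Returns 1 when every counter is zero. */
int counters_all_zero(const uint16_t *c, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (c[i] != 0)
            return 0;
    return 1;
}

/* Check 2: post-election reconciliation. Sums the counters in 32 bits and
 * compares against an independently kept count of ballots scanned
 * (hypothetical input, e.g. a poll book total). Returns 1 on a match. */
int totals_match_ballots(const uint16_t *c, size_t n, uint32_t ballots)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += c[i];
    return sum == ballots;
}

int main(void)
{
    /* Constructed sample data: the two starting values quoted in the excerpt. */
    uint16_t clean[2] = {0, 0};
    uint16_t card[2]  = {65511, 25};

    printf("checksum clean=%u preloaded=%u\n",
           (unsigned)additive_checksum(clean, 2),
           (unsigned)additive_checksum(card, 2));
    printf("65511 read as signed 16-bit: %d\n", (int)as_signed_offset(card[0]));
    printf("raw zero check: clean=%d preloaded=%d\n",
           counters_all_zero(clean, 2), counters_all_zero(card, 2));
    printf("reconciliation before any ballot: %d\n",
           totals_match_ballots(card, 2, 0));

    /* 35 real ballots: 25 for candidate 0, 10 for candidate 1. */
    for (int i = 0; i < 25; i++) cast_vote(card, 0);
    for (int i = 0; i < 10; i++) cast_vote(card, 1);

    printf("reported totals: %u and %u (actual 25 and 10)\n",
           (unsigned)card[0], (unsigned)card[1]);
    printf("reconciliation after the counter wrapped: %d\n",
           totals_match_ballots(card, 2, 35));
    return 0;
}
```

Once the first counter has wrapped, both the additive checksum and the ballot-count reconciliation agree with an untampered card; of the checks shown, only the pre-election test on the raw counters reports a difference.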
   
catherine_a Frequent Voting Rights Forum Participant Username: catherine_a
Post Number: 396 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Monday, July 4, 2005 - 2:53 pm: |
|
Congrats to you all. I hope there will be a press release soon, particularly about some of the key recommendations at the end of the above post. Perhaps it could also include key points that have come up in different posts (and comments in red on posts) in various threads. E.g., the Diebold documents that have gone to the SEC, the possible legal actions that might ensue, the fallout from the video with Andrade, and more about why you had to get computer experts from Finland and the silence of US computer experts and certifiers. And mention of the additional reports that are due to follow (technical reports on the Tabulating Computer Attacks and Remote Access Attacks; audit results and analyses). There is loads of great info hiding throughout many threads here but if some folks don't check in on a regular basis they'll miss a lot of it. I hope you all get a little time to relax and celebrate! |
   
harmonyguy Voting Rights Forum Participant Username: harmonyguy
Post Number: 64 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Monday, July 4, 2005 - 3:39 pm: |
|
So, do Sarbanes-Oxley rules apply to publicly owned corporations (incorporated jurisdictions such as cities, towns or maybe even counties) or just to publicly traded corporations? I wonder if the records retention/management controls rules apply? Does erasure or over-writing of memory cards constitute willful destruction of public records? HG |
   
ubetchaiam Voting Rights Forum Participant Username: ubetchaiam
Post Number: 14 Registered: 06-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Monday, July 4, 2005 - 9:37 pm: |
|
Thank all of you that contributed to this report occurring. Now it's up to the rest of us to 'leverage' it to the hilt. |
   
linda_franz Voting Rights Forum Participant Username: linda_franz
Post Number: 130 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Monday, July 4, 2005 - 11:31 pm: |
|
Thanks and gratitude to the people who brought this information to the light of day. Persistence and hard work, day in and day out, has resulted in important information on our elections system, information that must now be used to take back our elections and return them to the control of the PEOPLE.

THANK YOU:
Bev Harris
Kathleen Wynne (For persistence in getting to the core of the issue, working way beyond overtime in the process to do it)
Harri Hursti
Dr. Herbert Thompson (For telling it like it is)
Ion Sancho (Who bucked the "system" and determined it was more important to really test security)

Light has a cleansing effect. Let's shine all the light we can on this issue. It is central to everything we are as a country.

Linda Franz
President BOD Black Box Voting |
   
jol Voting Rights Forum Participant Username: jol
Post Number: 7 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, July 5, 2005 - 6:17 am: |
|
Great work. Mr Hursti, Dr Thompson, have you considered submitting this for academic publication? Offhand, the widest distribution would be either IEEE Spectrum or IEEE Computer Society "Queue", but there may be more specialized journals, and of course there are conferences on security which may be applicable. Thanks, jol

-- This report was almost all Harri Hursti's work, with Dr. Thompson doing a small proof of concept on the central tabulator. We opted first to report it to CERT and equivalent organizations, as the academic journals have a long time span and this is more on the level of an emergency alert, since elections are being held on these machines every few weeks. Glad you like the report. I will pass your suggestions along to Mr. Hursti. -- Bev |
   
amgovern Voting Rights Forum Participant Username: amgovern
Post Number: 1 Registered: 07-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, July 5, 2005 - 7:37 am: |
|
Curiouser and curiouser. In Illinois 13 Andersen received a bit less than 104,000 votes in the US Representative race according to the official state site. According to the FEC site the same candidate received over 108,000 votes in the same race. In statistics a 3% deviation when conducting a poll is to be expected, and actually a deviation this low would be considered a successful poll. Elections though are supposed to be more objective. Elections are supposed to be counting results for a specific real event. The FOIA requested in this election was denied as it would not have affected the outcome of this election. District 13 includes DuPage County, a Diebold optical scan location.

Originally, the Black Box Report contained a list of locations with problematic situations, recommending a forensic memory card audit on all of them. We cut the list in final edits -- but you should know that DuPage County was one of the top 10, nationwide. Anomalies in DuPage County include a written letter we have from Robert Saar, its elections chief, claiming that he had destroyed the poll tapes. That would be a violation of the law, which requires that they be kept for 22 months in federal elections.

Congressional districts usually don't match up to specific county results, so getting the numbers from a different source than the state source requires identifying each county in the district, then checking the results within each county for the candidate, then adding them up. You have to take care that you are using the certified results after all absentees and provisionals are included.

We would be very, very interested to see if the District 13 discrepancy between FEC and State reports boils down to DuPage County discrepancies. If anyone can find that, please post.

And by the way -- they cannot deny a FOIA request (public records request) just because they say it wouldn't affect the outcome. But then again, DuPage County violates public records laws pretty regularly, based on our experience with them. -- BBV |
   
admin Board Administrator Username: admin
Post Number: 692 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, July 5, 2005 - 8:08 am: |
|
We need to start pushing hard for forensic examinations of the memory cards. When discrepancies like the above post are noted, especially since it happens to be DuPage County, a Diebold optical scan location, and one of our "Top 10" problem locations for election integrity, please post them here. The above discrepancy needs a bit more legwork -- identifying the county by county results, comparing them with state, then FEC, to see which locations produced the mismatch. For starters, we need to know the other counties in District 13. Black Box Voting only has 2 investigators, so to the extent that we can get volunteers to run down the details, it will expedite things. |
   
jol Voting Rights Forum Participant Username: jol
Post Number: 8 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, July 5, 2005 - 9:41 am: |
|
One possible venue is First Monday (www.firstmonday.org), which is a peer-reviewed online journal.

Excellent suggestion, jol. Just submitted it. - BBV admin |
   
tyydyy Voting Rights Forum Participant Username: tyydyy
Post Number: 1 Registered: 07-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, July 5, 2005 - 10:12 am: |
|
I would suggest some other "next steps" in the process of limiting the effects of the threat of another Diebold election theft. 1.) Challenge the "hacker" community to develop countermeasures to the vulnerabilities. 2.) Recruit as many potential deliverers of the proposed countermeasures in the affected precincts. I don't advocate voter fraud in any way. What I am suggesting is disenfranchising Diebold! We wouldn't advocate recruiting hackers. Thanks, though -- and did you know, Dr. Rebecca Mercuri initiated just such a challenge last year at defcon. Michael Shamos offered $10,000 to anyone who could hack the system without detection and we've been sorely tempted to arrange for Harri to go after that. We haven't been able to locate the rules, though, so if someone can post a link to that, it would be great. -- Bev Harris Got it -- thanks to Steve J. Full rules are posted downthread. Link http://euro.ecom.cmu.edu/DREChallenge.htm |
   
admin Board Administrator Username: admin
Post Number: 693 Registered: 12-2004
Best of Black Box?  Votes: 2 (A keeper?) | | Posted on Tuesday, July 5, 2005 - 1:05 pm: |
|
FROM BRUCE SCHNEIER'S BLOG: http://www.schneier.com/blog/archives/2005/06/diebold_opti-sc.html#comments
Bruce Schneier is a top-level cryptography expert. He reported briefly on the hack, based on the earlier report here. We enjoyed some of the responses from his blog:
like this: Posted by: Probitas - Not to worry, citizens. We can fix that problem by applying more technology to it. All is well. Move along.
and this: Posted by: Davi Ottenheimer - Amazing that the system appears to lack any data verification at all -- an attacker can change executables or data (votes) without triggering any red flags (pun intended).
This will undoubtedly come up again, so let's deal with it now: Posted by: David Mackintosh - "I don't understand the vulnerability of optical vote readers. Surely it would be trivial to check the counts of "suspect" machines by dividing the ballots from the suspect machine in two, running those two piles through two different machines, and comparing the sums of the two machines to the total from the first -- especially if the two machines were each 'calibrated' with a shuffled stack of ballots with a known count. This would make tampering far more difficult and require more widescale fraud to significantly alter an election result."
Actually, according to Hursti, such a check would easily be bypassed by using a polynomial algorithm, and the structure of the AccuBasic program will handle that nicely. (But please, don't ask me to explain that because I have no idea what it means -- Bev)
Right on: Posted by: Davi Ottenheimer - "I'd love to imagine that voting systems are built and managed in some independent and honest vacuum, but this is the land of opportunity..."
and we enjoyed the response to this: >>"After the election, some random statistically significant subset of machines are recounted by hand. You have a Democrat, a Republican, and an Independent or Third Party member counting. One holds up a ballot, and all must agree on who the vote is for."
Response posted by: Rob Mayfield - "I think this is an excellent idea - but it doesn't go far enough. A better solution would be to get the candidates to count *all* ballot papers using this method. The more time they spend doing it, the less time they spend annoying everyone else ;-) If they finish too quickly, order a recount."
And for a chuckle: Posted by: Erik Carlseen - "People, there's no great conspiracy here. Have any of you met / talked to / hung out around / gotten drunk with many politicians? With a few exceptions, these people are dumber than rocks...They don't write bills. They get handed bills written by lobbyists, and ask their staff to proof-read them...we vote for them because we'd really be screwed if the other guy got elected and we don't want to waste our vote on the loony third-party guy (who might actually have an idea, even if it is a loony one)."
And this: Posted by: Clive Robinson - "I have yet to meet a politician who would not be interested in a "surefire" way to get elected irrespective of the method used (as long as they could deny they had knowledge...Voter confidence is based on seeing that their vote (is) counted. The old metal box with the wax seal and the civil servant sitting there checking the voter forms and lists actually inspires confidence in the system simply because it's simple and there are just too many people and pieces of paper involved for a plausible fraud to happen...The only reasons I have been given for electronic voting machines are, 1, More efficient (ie costs less) 2, Produces faster results"
And this: Posted by: John Smith - "This is the basic pattern with electronic voting machines--they just don't have any serious thought devoted to securing them. It's embarrassing to see how bad the procedures are, how bad the old VSS was (now very lightly edited and reissued by the EAC, along with the decision that the previously planned major rewrite of the standard isn't necessary), how few people in the area of electronic voting have even seriously thought through how to do meaningful auditing, or how to recover when some problem is detected."
Emphasis ours, on the last point. After all the hoopla about the "VVPAT" ("Voter Verified Paper Audit Trail"), even with the word "audit" in its title, no one even addresses the most key point: how to do the audit (except Kathy Dopp, who, although we don't agree with everything she says, at least should be commended for taking a stab at the issue!) The biggest two problems with spot-checks, by the way, are that they labor under the delusion that we are trying to catch random error, not cleverly constructed fraud, and while in the field, we are witnessing huge problems with compliance with proper methodology when "random" spot check audits are performed, with no consequences whatsoever for flouting the law. Note that without proper methodology, and chain of custody, random spot checks won't work at all. -- BBV admins
Thanks to the Bruce Schneier blog for the intelligent commentary. |
   
amgovern Voting Rights Forum Participant Username: amgovern
Post Number: 2 Registered: 07-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, July 5, 2005 - 1:31 pm: |
|
IL-13 contains Downers Grove Township, Lisle Township and Naperville Township with a few precincts from Warrenville Township and York Township in DuPage County IL. In Will County it has all of DuPage Township, (no error-DuPage Township is really in Will County) Wheatland Township, Lockport Township and a bit of Plainfield. The Cook County portions include Lemont, parts of Orland Township and parts of Palos Township and a few precincts in Lyons Township. There are also a few precincts in Kane County. Hope that helps. Thank you for your concern. What we asked for in the FOIA was for 5 specific precincts each with a specific reason to be counted by hand. All five requests were turned down...with the reasoning that the ballots could not be disturbed for 22 months unless the outcome of the recount would change the outcome of the election. |
   
catherine_a Frequent Voting Rights Forum Participant Username: catherine_a
Post Number: 402 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, July 5, 2005 - 1:36 pm: |
|
Was the FOIA request to look at the original ballots in those 5 precincts? And then the officials interpreted that as a request for a recount? |
   
admin Board Administrator Username: admin
Post Number: 698 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 7:53 am: |
|
Check out the rules to win Dr. Michael Shamos's $10,000 reward for hacking a machine: http://euro.ecom.cmu.edu/DREChallenge.htm
The DRE Tampering Challenge
I do not believe it is feasible in practice to tamper undetectably with a well-designed direct-recording electronic (DRE) voting machine. To demonstrate my conviction, I am willing to bet $10,000 at 2:1 odds with anyone under the following conditions:
1. I put up $10,000; you put up $5,000. The combined $15,000 is held in an escrow account.
from BBV - We'd be inclined to take him up on this, if we could choose a real machine from a real manufacturer -- i.e. one that is certified and in widespread use, and if the rest of the rules made any sense.
2. I choose the DRE machine and lend it to you. You have one month to do anything you want to it. At the end of one month you bring it back to me.
3. I get one day (24 hours) to inspect it. I can do anything I want to it during that time. At the end of one day I will state either: (a) you have modified this machine and here is an example of what you changed; or (b) this machine will count votes correctly.
4. If I’m right, I get the $15,000. If I’m wrong, you get the $15,000. If I choose (a), I have to demonstrate at least one modification you made. If I can’t do that, I lose. If I choose (b), you have to show me a sequence of votes, within the operating parameters of the machine, that will not be counted correctly. If you can’t do that, you lose.
5. Determination of the winner will be by an independent observer agreeable to both parties. If we cannot agree in advance on such a person, the challenge does not take place. The observer will have control over the escrow account.
6. Rebecca Mercuri has claimed that this challenge is ineffective since you might have to engage in illegal activities to discover how the machine works. This is not correct since you will be operating under a letter of permission from the vendor of the machine granting you the right to disassemble, reverse engineer, or defeat copyright protection mechanisms (if any), etc. You will not be given plans, diagrams, schematics, flowcharts, or code.
7. Except for provision 6, this challenge has been in effect since 1996 under the above terms and no one has accepted it.
Michael I. Shamos
Pittsburgh, PA
August 2, 2004 |
   
harmonyguy Voting Rights Forum Participant Username: harmonyguy
Post Number: 65 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 9:13 am: |
|
Keep in mind that there are simple qualifiers in this challenge, that preclude the possibility of it being met. "...undetectably with a well-designed direct-recording electronic (DRE) voting machine." If the machine can be compromised, then it obviously wasn't well-designed and therefore wouldn't qualify for the challenge. "...show me a sequence of votes, within the operating parameters of the machine..." One of the problems is that all too often, the machines are run outside their published operating parameters. (incorrect environment, untrained operators, improperly set-up election definitions etc) HG |
   
catherine_a Frequent Voting Rights Forum Participant Username: catherine_a
Post Number: 405 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 10:06 am: |
|
And I suppose they wouldn't consider using a hacked memory card to be "within the operating parameters of the machine." And they probably wouldn't consider it to be "within the operating parameters of the machine" if it was networked or accessed by modem, if the instructions say this should not be done. Who is Michael I. Shamos, anyways? |
   
admin Board Administrator Username: admin
Post Number: 699 Registered: 12-2004
Best of Black Box?  Votes: 1 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 10:16 am: |
|
This could go in "from the mailbag" but I'm posting it here, because it relates to the BBVreport. "Dear Friends, You are on the wrong track here. Of course, it is important that the machines work reliably and that someone from the outside cannot tamper with them. That goes without saying. However, it is infinitely more important than that to make sure that the results, even on a totally "secure" machine, cannot be programmed or changed by the real insiders, prior to release to the public. As of now, the public has absolutely no way to see if the results are released accurately. They could all be fabricated, even without tampering. The public must have true oversight by technical experts on OUR side, of absolutely every step from voting to release of results. Otherwise, the reliability and security you are pushing for are a false security and a waste of time." We are finding that the omnibus hack discovered by Harri Hursti is hard for people to grasp. It is like people are looking for a specific song, whereas what Harri gave them is an entire music studio, where you can make as many songs as you want, and then he made three songs to prove the studio exists. Each song, in this analogy, is a different method of manipulating the votes. One is a pre-stuffed electronic ballot box; another keeps the (hidden) votes intact, but alters reporting of them, etc. The Diebold design itself is a studio, wonderfully designed to produce new hacks. Now, to address the misunderstandings in the letter above: The BBVreport shows that insider access can be devastating, and will not be spotted. The author of the above letter seems to believe that insiders could manipulate with no one knowing how. He may not understand how elections work: 1) The poll tape is printed with individual voting machine results. It is (should be) printed at the polling place. 2) All the results are compiled into the central tabulator and added up. That machine prints another report. 
3) During routine canvassing, elections officials compare the poll tapes with the central tabulator report. If procedures are done correctly, the poll tapes are signed by the poll workers, dated, and submitted with a secure chain of custody. Therefore, someone with inside access cannot manipulate those results unless they can figure out how to manipulate the poll tapes. Harri showed that you can re-run poll tapes, changing the date and the results. He also showed how to pre-stuff the ballot box, so the poll tapes will automatically match the central tabulator. Before this, everything was conjecture, argued against by elections officials and vendors who insisted that the machine would catch such manipulations. Now it is fact -- the manipulations are relatively simple to achieve, and (if done correctly) will leave no telltale signs, except on the memory card. -- Bev |
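The three canvass steps in the post above, written out as an added example (it is not code from Black Box Voting or from the Hursti report). Precinct names, totals and finding labels are constructed for illustration, and the hand count of paper ballots is an assumed independent source. The point it shows is that a poll tape agreeing with the central tabulator only proves the two reports agree with each other, since both come from the same memory card.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

Totals = Dict[str, int]  # candidate -> votes


@dataclass(frozen=True)
class PollTape:
    precinct: str
    totals: Totals           # totals printed on the tape at the polling place
    signed_and_dated: bool   # signed and dated by poll workers (chain of custody)


def canvass(tapes: Iterable[PollTape],
            tabulator: Dict[str, Totals],
            hand_counts: Optional[Dict[str, Totals]] = None) -> Dict[str, str]:
    """Compare poll tapes with the central tabulator report, precinct by precinct.

    Findings (labels are this example's own):
      MISSING_TAPE             no poll tape was retained for the precinct
      UNSIGNED_TAPE            tape exists but has no signature/date
      TAPE_TABULATOR_MISMATCH  tape and tabulator disagree
      AGREES_UNVERIFIED        tape == tabulator, nothing independent checked
      PAPER_MISMATCH           tape == tabulator, but paper ballots disagree
      VERIFIED_BY_PAPER        tape == tabulator == hand count of paper
      NOT_IN_TABULATOR         a tape exists for a precinct the report omits
    """
    hand_counts = hand_counts or {}
    by_precinct = {t.precinct: t for t in tapes}
    findings: Dict[str, str] = {}

    for precinct, reported in sorted(tabulator.items()):
        tape = by_precinct.get(precinct)
        if tape is None:
            findings[precinct] = "MISSING_TAPE"
        elif not tape.signed_and_dated:
            findings[precinct] = "UNSIGNED_TAPE"
        elif tape.totals != reported:
            findings[precinct] = "TAPE_TABULATOR_MISMATCH"
        elif precinct not in hand_counts:
            # Both numbers derive from the same memory card, so agreement
            # here says nothing about whether the card itself was altered.
            findings[precinct] = "AGREES_UNVERIFIED"
        elif hand_counts[precinct] != reported:
            findings[precinct] = "PAPER_MISMATCH"
        else:
            findings[precinct] = "VERIFIED_BY_PAPER"

    for precinct in sorted(set(by_precinct) - set(tabulator)):
        findings[precinct] = "NOT_IN_TABULATOR"
    return findings


# Constructed sample data (not real election results).
SAMPLE_TABULATOR = {
    "P-01": {"A": 410, "B": 390},
    "P-02": {"A": 300, "B": 280},
    "P-03": {"A": 520, "B": 310},
    "P-04": {"A": 150, "B": 160},
    "P-05": {"A": 75, "B": 80},
}
SAMPLE_TAPES = [
    PollTape("P-01", {"A": 410, "B": 390}, True),
    PollTape("P-02", {"A": 290, "B": 290}, True),   # differs from tabulator
    PollTape("P-03", {"A": 520, "B": 310}, True),   # agrees with tabulator
    PollTape("P-05", {"A": 75, "B": 80}, False),    # never signed
    # P-04: tape was not retained
]
SAMPLE_HAND_COUNTS = {
    "P-01": {"A": 410, "B": 390},
    "P-03": {"A": 470, "B": 360},  # paper disagrees with tape AND tabulator
}

if __name__ == "__main__":
    for label, hc in (("tapes only", None), ("with hand counts", SAMPLE_HAND_COUNTS)):
        print(label)
        for precinct, finding in canvass(SAMPLE_TAPES, SAMPLE_TABULATOR, hc).items():
            print(f"  {precinct}: {finding}")
```

P-03 passes the tape-versus-tabulator comparison in both runs and is only flagged once the paper ballots are counted independently.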
   
patty Voting Rights Forum Participant Username: patty
Post Number: 27 Registered: 04-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 10:38 am: |
|
Bev: Shamos' rules make sense to me. Every one of them. I can reword them for you and explain, if that would help? (Your writing is hard for me to follow, his makes sense --- different styles ---- and I think this explains in part, your later comment that "people don't understand the report" --- in fact when I get an infrequent response to my mails on this topic, this is usually what people say.) Have you suggested to him, that you would take him on, if you could stipulate the machine? I'd chuck in 100 bucks for your 5,000 dollar up-front money. Feedback on my questions/offers above? |
   
catherine_a Frequent Voting Rights Forum Participant Username: catherine_a
Post Number: 406 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 11:23 am: |
|
patty, Harmonyguy's questions make the loopholes in Shamos' rules pretty clear. My comments were just additions to Harmonyguy's point. It would be interesting to see if he'd let Bev stipulate the machine. However, based on Harmonyguy's point there'd have to be some other clarifications first. E.g., what if the manual says "don't do XXX" but a real-life hacker would obviously do XXX and the system would not prevent this from happening? Then Shamos would say, "oh, but the manual says you're not supposed to do XXX. So the fact that you did it means that I win and you lose because you stepped outside the machine's operating parameters." If there was prior agreement about what the operating parameters consisted of (say, temperature and humidity, correct voltage of the power supply), then maybe that could lead to a fruitful experiment. As it is currently expressed, Shamos is too vague and he could try to claim that changing anything would break his rules. |
   
patty Voting Rights Forum Participant Username: patty
Post Number: 28 Registered: 04-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 12:13 pm: |
|
The intent of Shamos's rules is clear to me. He is not trying to trip anyone up. Instead of saying "this will never work because we don't trust Shamos," he should be approached with questions and concerns about the rules. Otherwise, it looks to the casual observer (me) like there isn't really any confidence in Hursti's demonstration. Harmonyguy's first comment would be addressed by Bev's comment that a functional machine must come from the certified, general use machines. Harmonyguy's second concern is completely unrelated to the hacks that were demonstrated in February and May. Your followup comment - Of course the memory card would not be part of the system that is not to be compromised. Shamos is saying, plainly, that you have to show the machines as they stand at the polling place, are hackable. He is saying that if you go "under the hood" and change everything around - that your hack won't count: Because THAT would never happen on election day! The memory card is a different issue. He is protecting against shysters. Having been a professional scientist, and understanding about controls in experiments and demonstrations, and familiarity with the writing styles such as Shamos, I can assure you that Shamos' rules sound completely legit. He may be corrupt along with John Kerry and Jimmy Carter and everyone else that apparently can't be trusted, but you certainly can't deduce that from the rules he presented here. And if you are going to just decide, without even contacting him, that he can't be trusted, then that looks to me like a strike against BBV. |
   
patty Voting Rights Forum Participant Username: patty
Post Number: 29 Registered: 04-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 12:14 pm: |
|
No offense. When I re-read your post just now, it didn't sound as confrontational as the first time I went through it. |
   
arn Voting Rights Forum Participant Username: arn
Post Number: 69 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 3:34 pm: |
|
Michael Shamos is an academician working in electronic commerce. To him, voting is a natural application for eCommerce, and that basically defines him. This "challenge" of his is meant to be nothing more than one more of his bogus arguments that DREs belong in a voting place, and everybody who claims there is anything wrong with that is wrong, misguided, paranoid, etc. It seems obvious, his real intent with coming up with this thing was to be able to say whenever it suits him that here, I offered $10,000 to critics to either put up or shut up, and they won't do either. What other proof do you need that they are full of it? Pretty smart, and pretty devious. But that's what he is, very smart and very devious. I think trying to take him up on his challenge would be a waste of time, and may play into his hands by giving him exposure with his little scheme. The conditions in 2) and 5) allow him to back out either early or late, as he chooses. (He's also a lawyer, don't forget.) There are two recent papers out there, one by him, expounding his views about a benign nature of electronic voting and another one tearing into them and exposing him for what he is, a hired hand for eVoting corporate interests. http://www.cfp2004.org/program/materials/p12-shamos.pdf http://www-db.stanford.edu/pub/keller/2005/Shamos-rebuttal.pdf |
   
catherine_a Frequent Voting Rights Forum Participant Username: catherine_a
Post Number: 407 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 3:40 pm: |
|
patty, That's ok, I don't mind your comments. Like you I appreciate good scientific controls. (I'm from a family of rather prominent scientists. And there is also a lawyer in the family. So I am aware of verbal loopholes and how they can be used by either side in an issue.) I'm really letting my mind ramble here. . . bear with me. For starters, give Bev a break--she only got these rules! For all we know she has already tried to contact this guy. I don't know who he is and whether or not he plays clean or dirty. It would be wrong to assume one or the other. (Though since he'd be putting up most of the money, and is taking the side that "it's not possible" I assume his interests lie with the vendors. And they have shown themselves to be extremely untrustworthy, so it might be safe to expect foul play.) If it were me, I would need more clarity about the ground rules. In daily life it is easy to assume one understands something, and then find out another person has a different understanding. This happens all the time and is not necessarily nefarious. When there's a bet involved, and a vendor's reputation, and the control of US elections, it's particularly important to be clear about the ground rules up front. Your comment about "going under the hood" is interesting. I wonder what that might include or exclude. For example, would it include something like putting in a different component, such as the Triad operator apparently did before the Ohio recounts, and then perhaps replacing that component after the election? The rules Shamos proposes wouldn't allow that kind of exploit, yet that kind of substitution could happen in real life. There's no way a band of IT experts would go out to every voting machine across the company and examine them microscopically immediately after the count of each election to see if every component serial number and piece of code was the same as whatever had been previously installed. 
These rules don't prove that certain things aren't possible, this would only possibly show that certain exploits are possible. And that's already been shown, with the machines that counted 25% of the vote! And how would one deal with the memory card issue? Especially now that the report is published and it is a known exploit? Same for remote access exploits. With these vulnerabilities being already known, and a vendor knowing their reputation was on the line, they could jam relevant radio frequencies during the examination period or only during the test itself, even though the exploit could work perfectly during an election. And as for going under the hood--that should be fine, if it is to examine and see what's there (e.g., machine code, etc.) That's the whole point of having physical access to the machine, I assume. Maybe if Bev could pick a machine from any precinct she chooses, anywhere in the country, with no advance notice then that would be a fair test. But if there were any advance notice given--that would no longer be a real test. Why not? It seems clear that these machines can be controlled remotely. It also seems that vendors have no qualms about making unauthorized adjustments before an election--what would prevent them from doing the same in a test where their reputation was on the line, particularly (as in the case of Diebold) when the company knew about the vulnerabilities all along? Also--and this is important--the vendor should have to give permission in advance for any participant to report in detail on the results, including disclosure of any information necessary to document the vulnerabilities and exploits. The only point of doing such an exercise would be to serve the public good, not for the money. A vendor should not be able to cover up any problems that might be exposed by such an endeavor. Let me put on my tinfoil hat here--how could one assure a "clean" bug-free zone where the work would be carried out? 
There are microscopic cameras that could be put into a pre-arranged machine. If I thought my ability to control national elections was at stake would I use all the tools at my disposal? Of course I would. (If I were that type, that is--which I'm not). The agreed adjudicator is also an interesting point of vulnerability in the exercise. These rules introduce "bet-rigging" possibilities that are unrelated to carrying out a successful hack of an election. I'd be interested in whether or not the voting machine companies would cooperate and give their permission. Somehow, I rather doubt it. Have ANY voting machine companies responded to this challenge and said they would make any of their standard systems available? If not one of them has indicated they would gladly participate in such a test, does that tell you anything? I think the only tests done so far have been at the request of government officials as a result of problems. One could also get quite obsessive about "demonstrating one modification that was made". (E.g., one could say, well, you opened the back of the machine, and the door is now 3 microns to the left of where it was originally--and that may or may not be true, or it may or may not be related to anything that you did, and may have nothing to do with how the machine functions or counts votes.) Any finding should have to be something directly relevant to an effective exploit and not a legal-type loophole like "oh, now there is a fingerprint on the side that wasn't there before" or an observation about something that was part of the month-long examination but might have nothing to do with a successful hack. A more appropriate test would be that Shamos would have 24 hours to examine it, and record any observations and give them to the independent observer in a sealed envelope (noting any precise changes and how they could result in an effective hack.) 
Then, hackers would give a sealed envelope to the observer describing all the hacks they were about to perform and how they would be accomplished. The hack would be performed (perhaps multiple ones). Then both envelopes would be opened and compared, and Shamos would have to have identified in advance modifications relevant to each successful hack. That would be a better and more relevant test. Actually, that might be a fun and interesting exercise, without any money being involved at all. It might be better to have 2 independent teams on each side. Shamos' whole premise of defending the security of voting machines is kind of silly, seeing as how 3 exploits have already been demonstrated under election conditions with watchful scrutiny of election officials and other observers. The hackability of the Diebold scanners in question has been proven. It would be great to have the opportunity to do the same to a broader range of equipment. Bev's been trying to get access. I wonder why no one else has agreed to participate, if they are so convinced of their system's security? The more I think of it, this contest looks like a smoke screen to try to make the machines look impenetrable. It would be much better just to make the machines available (such as the U of MD/Johns Hopkins penetration threat test). That is more scientific than relying on the assessment of 1 observer. We need more conscientious election officials like Ion Sancho to allow their systems to be examined. We need honesty, integrity and curiosity, and cooperation from vendors and election officials--not bets or monetary rewards. |
   
catherine_a Frequent Voting Rights Forum Participant Username: catherine_a
Post Number: 408 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 4:01 pm: |
|
Thanks for these links, arn. I agree with your conclusions. The second paper (rebuttal) seems to have been removed by Stanford--is there another link? Reading Shamos' paper I was amazed at the number of false arguments he makes. Even I could rebut many or most of his claims. My favorite line of nonsense is on p.4: "The people who run voting systems are likewise committed to clean elections." (Message edited by catherine_a on July 06, 2005) |
   
kathleen_wynne Voting Rights Forum Participant Username: kathleen_wynne
Post Number: 92 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, July 6, 2005 - 7:17 pm: |
|
catherine_a, Wow! What an astute and thorough analysis of Shamos' bet! I'm not surprised there are lawyers in your family. You would be an excellent lawyer yourself. I agree with your assessment. "No bets or monetary rewards." We need honest and open election officials like Ion Sancho and vendors willing to make their systems open for examination. I can't believe how many hoops we have to jump through on a daily basis trying to get this point across. This is definitely an agenda-ridden issue, isn't it? Thanks for all your input. It's always a pleasure and I'm not saying that because of my Irish heritage either! Kathleen |
   
arn Voting Rights Forum Participant Username: arn
Post Number: 70 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Thursday, July 7, 2005 - 3:23 pm: |
|
catherine, here's another link http://www.openvotingconsortium.org/ad/shamos-rebuttal.pdf "The people who run voting systems are likewise committed to clean elections." -- Unfortunately, in his own devious way of thinking, this is not incorrect. In their minds they are, except that they have been corrupted and manipulated to the point that they are no longer capable of being honest even with themselves. It strikes you as absurd because you are informed, but to regular folks it may not be. Spinners like Shamos are very skillful in confusing issues and altering perceptions. |
   
trent Voting Rights Forum Participant Username: trent
Post Number: 138 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Thursday, July 7, 2005 - 9:15 pm: |
|
Screw Shamos, Why does he get to pick the machine? What's the point anyway since it has already been shown that a machine could be hacked? A big waste of time and keystrokes. Trent |
   
admin Board Administrator Username: admin
Post Number: 706 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Friday, July 8, 2005 - 6:22 am: |
|
Trent -- I agree with you. His "contest" was nothing more than a publicity stunt. The whole problem is that he gets to pick the machine -- probably not one from Diebold, ES&S, Sequoia or Hart Intercivic. How pointless. I do appreciate the help with finding his contest rules, because, had they been legit, we might have countered his PR with a challenge, to bring attention to the issue. That would only be of value if it was a real voting system, however. Bev |
   
sagitta Voting Rights Forum Participant Username: sagitta
Post Number: 2 Registered: 07-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Friday, July 8, 2005 - 4:54 pm: |
|
Shamos's challenge is perfectly reasonable, insofar as such contests are useful in security. However, he's addressing a completely different question. His claim is that he can build a tamper-evident box (which happens to have some electronics inside it, but that makes no difference to the challenge). Your claim is that the Diebold 1.94w can be made to generate fraudulent results without tampering. Both claims are very probably true. |
   
catherine_a Frequent Voting Rights Forum Participant Username: catherine_a
Post Number: 414 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Friday, July 8, 2005 - 5:00 pm: |
|
That's a great point about the 2 different claims, sagitta. I don't think that Shamos's invention would be of much practical use in the "real world" though, if it meant that he (or his colleagues) had to examine every voting machine for 24 hours to see whether or not it had been tampered with. And then just imagine--all you'd have to do would be to bribe one of the "examiners" to give a voting machine a clean bill of health. I still think there are loopholes in Shamos's rules as to how you define "tampering." |
   
patty Voting Rights Forum Participant Username: patty
Post Number: 30 Registered: 04-2005
Posted on Friday, July 8, 2005 - 7:55 pm:

Oh Fine. Throw your hands up in the air and say "It wouldn't have worked, thank God we didn't try." I'll email Shamos. For Christ's sake.

Uh, Patty? When you e-mail him ask him if he'll consider a more real-world challenge. It needs to be on one of the systems actually used in elections. Let me tell you why: The consistent response we get when we show these systems to security experts is that they can't believe how badly designed they are. We'd like to hack something as badly designed as a real voting machine. If Shamos will entertain that adjustment to his challenge, we'll talk turkey. -- Bev
   
mapleboard Voting Rights Forum Participant Username: mapleboard
Post Number: 4 Registered: 12-2004
Posted on Wednesday, July 20, 2005 - 7:08 pm:

Can forensics detect whether any memory cards were tampered with? Will they be allowed to conduct tests on them? Who has the memory cards right now, DIEBOLD or the local voting precincts? If forensic experts are not allowed to see the memory cards, is this illegal?

(from BBV) Forensics can probably detect tampering, in most cases. The memory cards are held by elections officials -- but apparently not in Georgia where they take a copy of the memory card contents and put it on a CD, then overwrite the cards. That procedure isn't valid, because Diebold appears to have altered the source code on the memory card driver. It has not yet been fully litigated as to whether a memory card is a public record.
   
mapleboard Voting Rights Forum Participant Username: mapleboard
Post Number: 5 Registered: 12-2004
Posted on Wednesday, July 20, 2005 - 7:09 pm:

Is anything being done legally, to take DIEBOLD voting machines off the market?

Perhaps. There are various kinds of lawsuits afoot, filed, unfiled, publicly available and (apparently) sealed. That's nice. However, depending on a judge to do the right thing is iffy, no matter how strong the case.
   
ubetchaiam Voting Rights Forum Participant Username: ubetchaiam
Post Number: 36 Registered: 06-2005
Posted on Thursday, July 21, 2005 - 11:37 am:

mapleboard, what State are you a resident of?
   
admin Board Administrator Username: admin
Post Number: 868 Registered: 12-2004
Posted on Thursday, July 21, 2005 - 11:54 am:

Mapleboard -- I answered your questions within your posts -- Bev
   
John Dean Frequent Voting Rights Forum Participant Username: Bozosforbush
Post Number: 328 Registered: 12-2004
Posted on Monday, May 8, 2006 - 6:05 pm:

test