http://guvwurld.blogspot.com/2006/02/despite-illegalities-diebold-election.html
Despite Illegalities, Diebold Election Machines Certified In CA
CA Secretary of State Bruce McPherson issued a press release (.pdf) Friday afternoon, buried at the start of the long holiday weekend, announcing conditional certification of Diebold OS and TSX voting machines.
SACRAMENTO, CA - Secretary of State Bruce McPherson today announced his decision to certify with conditions the Diebold TSX and Optical Scan (OS) voting systems for use in California's 2006 elections. The decision comes after months of thorough review of both voting systems, their compliance with both state and federal laws and the completion of an additional security analysis by independent testers from computer labs at the University of California, Berkeley.
That's only the first paragraph and we have several problems. In the first sentence we learn that this certification is conditional. We'll get to the conditions later. First consider this summary statement of Diebold's certification efforts published in an April 2004 CA Secretary of State Staff Report (.pdf).
1. marketed and sold the TSx system before it was fully functional, and before it was federally qualified;
2. misrepresented the status of the TSx system in federal testing in order to obtain state certification;
3. failed to obtain federal qualification of the TSx system despite assurances that it would;
4. failed even to pursue testing of the firmware installed on its TSx machines in California until only weeks before the election, choosing instead to pursue testing of newer firmware that was even further behind in the ITA testing process and that, in some cases, required the use of other software that also was not approved in California;
5. installed uncertified software on election machines in 17 counties;
6. sought last-minute certification of allegedly essential hardware, software and firmware that had not completed federal testing; and
7. in doing so, jeopardized the conduct of the March Primary.
We've been down this path before. Once again unqualified equipment is given provisional approval, this time despite a clearly documented track record showing Diebold's brazen disregard for such arrangements. They do not genuinely strive to comply with federal laws, and in fact, are currently out of compliance with federal law by inclusion of interpreter code. In his 12/20/05 letter to Diebold (.pdf), Secretary McPherson wrote:
It is the Secretary of State's position that the source code for the AccuBasic code on these cards, as well as for the AccuBasic interpreter that interprets this code, should have been federally reviewed.
So less than two months ago the Secretary recognized the illegal component is present, though without acknowledging that interpreter code is prohibited by both federal guidelines (.doc) and McPherson's own edict (.pdf) requiring compliance with those standards as a condition of state certification. And now he just pretends the equipment is compliant, a fantasy asserted twice in Friday's press release. Let's be clear - the determination of the interpreter code's existence in December and continued presence today should be all that is necessary to reject Diebold's bid for certification.
Furthermore, McPherson's December letter referred Diebold's equipment to the federal Independent Testing Authority (ITA), not the Voting Systems Technology Assessment Advisory Board (VSTAAB). Never mind the conflicts of interest Dr. Avi Rubin recently described between the ITA and the election machine manufacturers who fund them.
So we already had reason to be suspect of McPherson's December maneuver even before he broke his word and stealthily tapped VSTAAB, a newish body that seems to have risen from the ashes of the Voting Systems and Procedures Panel which was hastily disbanded late last year. The VSTAAB, in conjunction with UC Berkeley grad students, issued a 38 page report called "Security Analysis of the Diebold AccuBasic Interpreter" (.pdf) - again confirming the existence of the interpreter code.
While the analysis is too long to fully dissect here and now, GuvWurld will surely pull more detailed quotes in future reports. For now, a "Security Analysis..." summary:
- We did not do a comprehensive code review of the whole codebase, nor look at a very broad range of potential security issues. Instead, we concentrated attention to the AccuBasic scripting language, its compiler, its interpreter, and other code related to potential security vulnerabilities associated with the memory cards.
- We found a number of security vulnerabilities, detailed below. Although the vulnerabilities are serious, they are all easily fixable. Moreover, until the bugs are fixed, the risks can be mitigated through appropriate use procedures. Therefore, we believe the problems as a whole are manageable.
- Memory card attacks are a real threat: We determined that anyone who has access to a memory card of the AV-OS, and can tamper it (i.e. modify its contents), and can have the modified cards used in a voting machine during election, can indeed modify the election results from that machine in a number of ways. The fact that the results are incorrect cannot be detected except by a recount of the original paper ballots.
- Harri Hursti's attack does work: Mr. Hursti's attack on the AV-OS is definitely real. He was indeed able to change the election results by doing nothing more than modifying the contents of a memory card. He needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server.
- Interpreter bugs lead to another, more dangerous family of vulnerabilities: However, there is another category of more serious vulnerabilities we discovered that go well beyond what Mr. Hursti demonstrated, and yet require no more access to the voting system than he had. These vulnerabilities are consequences of bugs--16 in all--in the implementation of the AccuBasic interpreter for the AV-OS. These bugs would have no effect at all in the absence of deliberate tampering, and would not be discovered by any amount of functionality testing; but they could allow an attacker to completely control the behavior of the AV-OS. An attacker could change vote totals, modify reports, change the names of candidates, change the races being voted on, or insert his own code into the running firmware of the machine.
- Successful attacks can only be detected by examining the paper ballots: There would be no way to know that any of these attacks occurred; the canvass procedure would not detect any anomalies, and would just produce incorrect results. The only way to detect and correct the problem would be by recount of the original paper ballots, e.g. during the 1 percent manual recount.
- Interpreted code is contrary to standards: Interpreted code in general is prohibited by the 2002 FEC Voluntary Voting System Standards, and also by the successor standard, the EAC's Voluntary Voting System Guidelines due to take effect in two years. In order for the Diebold software architecture to be in compliance, it would appear that either the AccuBasic language and interpreter have to be removed, or the standard will have to be changed.
This is devastatingly stupid. If not these problems, what findings would have caused the analysts to withhold their recommendation? McPherson's decision to conditionally certify based on this security analysis would seem to be an invitation for a legal showdown, not to mention a competency hearing and a criminal investigation.
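The summary above says tampering can only be detected by hand-counting the paper ballots, for example during the 1 percent manual recount. As an added example (not from the report or this post), the following computes how likely a 1 percent random sample is to include at least one tampered precinct. The county size, uniform precinct-level sampling, and the premise that hand-counting a tampered precinct always exposes the discrepancy are assumptions.

```python
from fractions import Fraction
from math import comb

def sample_size(total_precincts, percent=1):
    """Precincts hand-counted: percent of the total, rounded up, at least one."""
    return max(1, -(-total_precincts * percent // 100))

def detection_probability(total_precincts, tampered, sampled):
    """P(at least one tampered precinct falls in a uniform random sample).

    Hypergeometric: 1 - C(N - k, n) / C(N, n), in exact rational arithmetic.
    Assumes a hand count of a tampered precinct always reveals the mismatch.
    """
    if not 0 <= tampered <= total_precincts:
        raise ValueError("tampered must lie between 0 and total_precincts")
    if not 0 <= sampled <= total_precincts:
        raise ValueError("sampled must lie between 0 and total_precincts")
    missed = Fraction(comb(total_precincts - tampered, sampled),
                      comb(total_precincts, sampled))
    return 1 - missed

def min_sample_for_confidence(total_precincts, tampered, target):
    """Smallest sample that catches tampering with probability >= target."""
    if tampered == 0:
        return None  # nothing to find, so no sample size helps
    for n in range(total_precincts + 1):
        if detection_probability(total_precincts, tampered, n) >= target:
            return n
    return None  # target above 1 can never be met

if __name__ == "__main__":
    N = 1000  # constructed county size, not a figure from the report
    n = sample_size(N, percent=1)
    for k in (1, 10, 50, 200):
        p = detection_probability(N, k, n)
        need = min_sample_for_confidence(N, k, Fraction(95, 100))
        print(f"{k:>4} tampered of {N}: 1% sample ({n} precincts) detects "
              f"with p={float(p):.3f}; 95% confidence needs {need} precincts")
```

When only a few precincts are altered, a 1 percent sample will usually miss all of them, so the audit's sample size determines how much assurance the paper ballots actually provide.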
Gee, this report is getting awfully long and I've still only commented on the first paragraph of the certification announcement. I'm not going to take this too much further today but I do want to comment a little on the second paragraph:
"As the State's chief elections official, the decision to certify voting systems is a very serious responsibility, and a number of factors must be carefully weighed before I determine whether to grant certification," said Secretary McPherson. "This is precisely why I created 10 strict standards that must be met for a voting system to be certified, making California's process the most stringent in the nation. We have applied these standards and after rigorous scrutiny, I have determined that these Diebold systems can be used for the 2006 elections."
The Secretary of State's website has the "10 strict standards" here (.pdf). Check out step 3:
State certification testing does not begin until the federal qualification testing is successfully completed.
That is not the only part of the process developing out of order. Public comment and a hearing are the last two steps before Step 10: "Final review of system and decision by Secretary of State." That would suggest the public will yet still have its chance to be heard. Instead, it would seem McPherson is providing his rubber stamp with disregard for the public forums--held last year, out of the "strict standards" sequence--that ran overwhelmingly in opposition to certification for Diebold.
Battles now seem primed to ensue on at least two levels. There will surely be a response on the state level, likely from a host of election integrity organizations banding together. And there must be county level resistance anywhere Boards of Supervisors appear willing to allow their Registrars to accept the path of least resistance. At a minimum, it would be foolish for counties to begin spending money knowing that major modifications must still be undertaken, and that even then, Diebold's track record leaves no basis for confidence that the equipment will be made secure, transparent, and accurate, let alone "compliant" with optional laws. Perhaps the silver lining is this, from Friday's press release (.pdf):
Diebold will be required to make all recommended long-term programming modifications contained in the report and submit the modified product to the Federal Independent Testing Authority (ITA) for requalification and state certification.
So not only is the certification provisional, apparently it is going to be completely up for review again if/when Diebold ever complies with the law. So why certify it now? Notice that the press release only mentions California's 2006 elections.
For broader perspective, Diebold is like the hotshot quarterback whose teachers give him passing grades just so he can play ball. The more potent analogy here is Mr. Bush saying unconstitutional spying on Americans is legal - because he is already doing it. If we are not a people beholden to laws, what inhibits our potential responses? Election reform is not a goal unto itself but rather a tactic in the peaceful revolution. Here's a Blueprint.
www.HumboldtRevolution.org
Non-violent revolution is necessary, NOW!