Election Defense Alliance Blog

August 3, 2006

Strong-Arming the Vote
A New York Times editorial

Go to the original

President Bush’s Justice Department has been criticized for letting partisanship guide its work on voting and elections. And party politics certainly appears to have been a driving force in a legal maneuver it just pulled off in Alabama, where it persuaded a federal judge to take important election powers away from the Democratic secretary of state and give them to a Republican governor. The Justice Department says it is trying to enforce the election law, but that is unconvincing. There are plenty of ways to enforce the law without creating the impression that it is tilting the electoral landscape in favor of Republicans.

By Alan Dechert / Open Voting Foundation / July 31, 2006
Go to original.

SACRAMENTO, CALIFORNIA -- “This may be the worst security flaw we have seen in touch screen voting machines,” says Open Voting Foundation president, Alan Dechert. Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.

“Diebold has made the testing and certification process practically irrelevant,” according to Dechert. “If you have access to these machines and you want to rig an election, anything is possible with the Diebold TS -- and it could be done without leaving a trace. All you need is a screwdriver.” This model does not produce a voter verified paper trail so there is no way to check if the voter’s choices are accurately reflected in the tabulation.

Open Voting Foundation is releasing 22 high-resolution close up pictures of the system. (Click the image for a larger view) This picture, in particular, shows a “BOOT AREA CONFIGURATION” chart painted on the system board.

The most serious issue is the ability to choose between "EPROM" and "FLASH" boot configurations. Both of these memory sources are present. All of the switches in question (JP2, JP3, JP8, SW2 and SW4) are physically present on the board. It is clear that this system can ship with live boot profiles in two locations, and switching back and forth could change literally everything regarding how the machine works and counts votes. This could be done before or after the so-called "Logic And Accuracy Tests".

A third possible profile could be field-added in minutes and selected in the "external flash" memory location, the interface for which is present on the motherboard.

This is not a minor variation from the previously documented attack point on the newer Diebold TSx. To its credit, the TSx can only contain one boot profile at a time. Diebold has ensured that it is extremely difficult to confirm what code is in a TSx (or TS) at any one time but it is at least theoretically possible to do so. But in the TS, a completely legal and certified set of files can be instantly overridden and illegal uncertified code be made dominant in the system, and then this situation can be reversed leaving the legal code dominant again in a matter of minutes.

“These findings underscore the need for open testing and certification. There is no way such a security vulnerability should be allowed. These systems should be recalled”

OPEN VOTING FOUNDATION is a nonprofit non stock California corporation dedicated to demonstrating the need for and benefits of voting technology that can be publicly scrutinized.

by David Dill, Doug Jones & Barbara Simons / Opednews.com / 7/23/06
Diebold spokesman David Bear admitted to the New York Times that the back door was inserted intentionally so that election officials would be able to update their systems easily. Bear justified Diebold's actions by saying, "For there to be a problem here, you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software... I don't believe these evil elections people exist."

Most computer scientists have long viewed Diebold as the poster child for all that is wrong with touch screen voting machines. But we never imagined that Diebold would be as irresponsible and incompetent as they have turned out to be.

Recently, computer security expert Harri Hursti revealed serious security vulnerabilities in Diebold's software. According to Michael Shamos, a computer scientist and voting system examiner in Pennsylvania, "It's the most severe security flaw ever discovered in a voting system."

Even more shockingly, we learned recently that Diebold and the State of Maryland had been aware of these vulnerabilities for at least two years. They were documented in analysis, commissioned by Maryland and conducted by RABA Technologies, published in January 2004. For over two years, Diebold has chosen not to fix the security holes, and Maryland has chosen not to alert other states or national officials about these problems.

Basically, Diebold included a "back door" in its software, allowing anyone to change or modify the software. There are no technical safeguards in place to ensure that only authorized people can make changes.

A malicious individual with access to a voting machine could rig the software without being detected. Worse yet, if the attacker rigged the machine used to compute the totals for some precinct, he or she could alter the results of that precinct. The only fix the RABA authors suggested was to warn people that manipulating an election is against the law.

Typically, modern voting machines are delivered several days before an election and stored in people's homes or in insecure polling stations. A wide variety of poll workers, shippers, technicians, and others who have access to these voting machines could rig the software. Such software alterations could be difficult to impossible to detect.

Dear Ilene Proctor,

There were no electronic machines in our district, the heart of the Busby-Bilbray district. they were instead very fragile, tacky, old cardboard election boxes in which you dropped your traditional ballot. Inexplicably, the machine refused to accept my husband's completed ballot. I tried mine as well, but the same thing happened, though the woman before us had had no trouble. A poll watcher rushed over, adjusted the machine and said it was working again. We expected to slip our ballots into the box then, but the man stopped us, saying our votes had already rung up. I said I didn't care, my vote was not in the box yet and I was going to insert it. The man literally grabbed our ballots out of our hands and shoved them into another box, which he said was the one containing the absentee ballots. I protested but he claimed they would be counted along with the absentee votes.

Papantonio-Kennedy Lawsit Filed

Blowing the Whistle on Diebold

By John Ireland, In These Times Monday 17 July 2006 http://www.inthesetimes.com/site/main/article/2750

On July 13, the Pensacola, Fla.-based law firm of Robert F. Kennedy Jr. filed a "qui tam" lawsuit in U.S. District Court, alleging that Diebold and other electronic voting machine (EVM) companies fraudulently represented to state election boards and the federal government that their products were "unhackable."

Kennedy claims to have witnesses "centrally located, deep within the corporations," who will confirm that company officials withheld their knowledge of problems with accuracy, reliability and security of EVMs in order to procure government contracts. Since going into service, many of these machines have been linked to allegations of election fraud.

Wednesday, July 12, 2006
Michael Parenti, The Columbus Free Press

Original can be found here

The 2004 presidential contest between Democratic challenger Senator John Kerry and the Republican incumbent, President Bush Jr., amounted to another stolen election. This has been well documented by such investigators as Rep. John Conyers, Mark Crispin Miller, Bob Fitrakis, Harvey Wasserman, Bev Harris, and others. Here is an overview of what they have reported, along with observations of my own.

Some 105 million citizens voted in 2000, but in 2004 the turnout climbed to at least 122 million. Pre-election surveys indicated that among the record 16.8 million new voters Kerry was a heavy favorite, a fact that went largely unreported by the press. In addition, there were about two million progressives who had voted for Ralph Nader in 2000 who switched to Kerry in 2004.

Yet the official 2004 tallies showed Bush with 62 million votes, about 11.6 million more than he got in 2000. Meanwhile Kerry showed only eight million more votes than Gore received in 2000. To have achieved his remarkable 2004 tally, Bush would needed to have kept all his 50.4 million from 2000, plus a majority of the new voters, plus a large share of the very liberal Nader defectors.

Nothing in the campaign and in the opinion polls suggest such a mass crossover. The numbers simply do not add up. In key states like Ohio, the Democrats achieved immense success at registering new voters, outdoing the Republicans by as much as five to one. Moreover the Democratic party was unusually united around its candidate-or

States and local jurisdictions did not take sufficient action to mitigate risks.
From blackboxvoting.org / July 4, 2006

Black Box Voting has provided the following to VoterAction.org for its litigation. This will become a public record via the litigation filed by Lowell Finley. Because public officials who have received the unredacted reports have failed to take this risk seriously and arrange for appropriate mitigations, and because Black Box Voting believes this information is of critical public interest for pending litigation and citizen actions, we are releasing it publicly now.

Here's an informal synopsis of the unmitigated risks in the Diebold TSx:
A huge risk to the integrity of elections is a contaminated bootloader. Here's why: If you own the bootloader, you own the machine. The source code for the TSx, along with the technical data package, have been publicly released since 2003. Estimates are that it would take approximately three months for a reasonably skilled programmer to design a working malicious bootloader. You cannot clean a maliciously designed bootloader with the mitigations performed so far by state officials (replacing programs via memory cards).

Here are some specific problems with the Diebold bootloader:
1) It appears not to have been examined by the Independent Testing Authorities (ITAs). Therefore, we don't even know whether the original bootloader contains malicious code.

2) There appears to be no authentication procedure when installing "clean versions" to ensure that the code is the same as that which was examined by the ITAs (and in this case, the ITAs didn't even examine it).

3) There is no forensic test that will reveal a malicious bootloader

4) Because of the design of the Diebold TSx machine, a malicious bootloader can be installed at any time from factory installation to the election itself. Once a bootloader is contaminated, it can control the machine permanently. A contaminated bootloader, especially in combination with other security issues in the TSx, has the potential to allow manipulation on an election-by-election basis, at any time during the election cycle and even years in advance of the election.

5) The Diebold TSx machine's motherboard contains a JTAG connection which can be used to take control of the motherboard. Although you cannot reliably clean a malicious bootloader by reinstalling it with a memory card, you can install a pristine version using the JTAG cable. However, there appears to be no pristine version of the bootloader, since it has never been examined by the ITAs.

6) Unfortunately, the JTAG connector can also be used to overwrite a so-called authentic and proper bootloader with a malicious one. Thus, even if a so-called pristine bootloader is installed via the JTAG connector, the same connector can be used to replace that one with a new one at any time.

7) In order to access the JTAG connection, you must pop open the case to the TSx tablet. Unfortunately, the case on the TSx is designed with no security. You can open it by unscrewing 8 standard phillips head screws, access the JTAG connector, replace the bootloader and control the machine for the rest of its life, despite L&A tests, reinstallations of "clean" copies via memory cards or network connections, etc.

8) TSx machines in California -- 10,000 machines in San Diego alone -- were sent home for "sleepovers" with poll workers in back in 2004, when they were used for the March primary election. Over 1,000 machines originally used in Solano County, Calif, are now being used in Johnson County, Kansas. The TSx machines are now being used throughout the states of Mississippi, Utah, in dozens of Ohio counties, and in many high-population California counties. A case can be made that the Diebold TSx machine will dictate control of the U.S. congress in November. The sleepovers broke chain of custody. The combination of unsecured cases with the ability to quickly alter the bootloader using the JTAG connector means these machines cannot be considered "trusted" until proper mitigations are done.

By Miriam Raftery / RAWSTORY / July 3, 2006
Go to original.

Southern California Democrats are racing to file a challenge to an election they say was compromised, after being given just one business day to do so, RAW STORY has learned. “This is not about Busby or Bilbray. This is about November and the entire election,” Brad Friedman of Bradblog.com told residents of San Diego County at an emergency town hall meeting in Oceanside, California on June 28th.

Bilbray was sworn into Congress following the special election in the 50th Congressional District, despite the fact that thousands of absentee ballots remained uncounted. According to the Registrar’s office, Bilbray nosed out Busby 49.57% to 45.02% in the final tally, which was certified late Thursday on the eve of the 4th of July weekend.

The holiday-eve certification poses a major hurdle for activists, as California law allows only five days to file for a recount or challenge.

At the Oceanside event, Friedman, who is the co-founder of Velvet Revolution, a voting reform movement, called for a hand-count of ballots and urged that San Diego Registrar of Voters Mikel Haas be held accountable for allegedly lax security procedures, including allowing poll workers to take home voting machines with programmable memory cards up to two weeks before the election. Under state law, violating the chain of custody for voting machines decertifies the machines.

Friedman noted that the national spotlight is focused on voting machine issues in the 50th Congressional District, the first House race of 2006. He added, “This our line in the sand.”