The Eureka Times-Standard was first out of the gate on Saturday morning (archive). There are two things I have to point out about this article. The story's lede, sets the stage:
Local election systems may be vulnerable to hackers James Faulk/The Times-Standard Article Launched: 07/28/2007 04:21:31 AM PDT
EUREKA -- A team of University of California computer scientists were able to hack into several voting systems used by California counties, including the two systems currently used in Humboldt County, the secretary of state announced Friday.
I don't know that Faulk could have written a more straight up or accurate intro to this story. It makes it clear that hackers ARE able to hack into Humboldt voting systems. Then why does the headline say merely that the machines MAY be vulnerable to hackers?
The second comment I have about this article pertains to the last two paragraphs:
Humboldt County Registrar of Voters Carolyn Crnich said it's unclear under what conditions the tests were prepared.
"It's my understanding that the red team attacks that were made during the top-to-bottom review did not take into consideration the security efforts or guidelines that had been added by former Secretary of State Bruce McPherson -- so whether or not the systems could be penetrated with those other security guidelines in place, I don't know," Crnich said.
As I noted in the comments on the T-S website, the introduction of this report dismisses the Registrar's dodge:
In developing our attacks, we made no assumptions about constraints on the attackers. "Security through obscurity" – or the practice of assuming a veneer of security by relying on attackers not having access to protocol specifications or of using tools that are perceived to be difficult to acquire – is not an acceptable option for any system that can't afford to have its security compromised. Our study examined what a dedicated attacker could accomplish with all possible kinds of access.
Quoting myself from the T-S site...The greatest threat to our election systems comes not from an individual voter, but rather from insiders at the elections department or working for the machine vendor (Diebold). These are the people with the greatest access to these exploits who can secretly make large scale changes that will never be detected...I go on to say some other things but that's the gist for this post.
Now, the next article to land will be in Tuesday's Eureka Reporter. The story has been online for maybe an hour now. It is kind of strange. There is no byline and I'm the only person quoted other than a Bowen press release. The headline is: "Audit standards review group releases report." This refers to yet another component of Bowen's Top To Bottom Review (TTBR). Check out the 38-page report as a .pdf here. This article is comprised almost entirely of excerpts from the report and then concludes with quotes from me.
I believe the person who called me said her name was Laura. She sounded young and a little uncertain. She told me former elections beat writer Rebecca S. Bender had left the paper as of Friday last week. I knew about this because a few months ago at an Election Advisory Committee meeting, David Cobb inadvertently "outed" Rebecca's planned departure before she really wanted people to know. I had no reason to mention it until now but I do wish her well. So anyway, Laura asked for a comment on this new standards review report that came out today. I declined to comment since I hadn't read it. She then asked about the other related reports and we had a more general conversation about what is happening. Here's what she used:
Though he had not yet seen the report, Dave Berman, one of the founding members of the local Voter Confidence Committee, said he is aware that other studies have been conducted recently regarding the voting process in California, and said he looks forward to Bowen's announcement on Friday as to what action she plans to take.
Berman said the Voter Confidence Committee promotes the idea of handcounting 100 percent of the ballots the first time around and recounting 10 percent for the audit. He said simply increasing the percentage recounted in the audit is like "putting a Band-Aid on a gunshot wound" when the first count is performed by machines.
It seemed out of place at the end of this article but then I'm not sure I've ever had a better quote!
Hank Sims from The Journal and also KHUM called me today too, presumably for his Town Dandy column due out on Wednesday. We actually spoke twice, and in between he spoke with Registrar Crnich. That made our second chat very interesting. During that time he also got to look at something I am now making public for the first time. This is a spreadsheet that allows you to enter different variables, such as how many precincts are in your county and the average number of ballots cast per precinct. All together, the numbers you enter will then estimate how many ballot counters you need and what it will cost to pay them to do an all hand-count election. The Voter Confidence Committee will be incorporating this great new tool into the next iteration of our Report on Election Conditions in Humboldt County, CA. I don't know when that will happen. Meanwhile, election integrity advocates working for HCPB anywhere will find this tool useful. We all owe a debt of gratitude to Nancy Tobi and Democracy For New Hampshire. It is their recent presentation that provided me with the formula for creating the calculator.
I have a feeling that after I've heard from a few people about the calculator I'll probably want to make it the centerpiece of another post instead of burying this announcement 80,000 paragraphs under the sea. At any rate, back to Hank Sims.
He asked me if I felt vindicated by these new reports. I told him I would not use that word. It suggests I had previously been thought wrong but now stand affirmed. The truth is that the findings of Bowen's TTBR explicitly state that previous exploits were again confirmed. Anybody coming around to these findings of fact really can't plausibly exlplain previously thinking otherwise.
Sims informed me that Registrar Crnich took a position with him that was similar to the one she took in the T-S piece above. Having already addressed this once, I realized it wasn't just sounding familiar from the Registrar. Moments before I got the first Sims call, I was looking at a document I had just received from the indefatigable Tom Courbat of Sav-R-Vote in Riverside County, CA. Click here for "the corporate line" by Sequoia, attempting to explain away all the findings of Bowen's Red Team members. I never did finish reading it, but its "those aren't the droids you're looking for" tone pretty much parallel what our Registrar was trying to pull off.
Plain and simple: there is no way to spin these reports to make the machines look good. Their time has passed. We've reached a tipping point of public consciousness where secret vote counting machines are completely unacceptable and public officials who continue to defend them do so at the risk of their own credibility.
Finally, as promised at the beginning of this marathon post, here are excerpts from Bowen's Red Team report on Hart Intercivic. These first two passages are identical to wording in the Diebold report. There are several other passages in common.
page 1
In developing our attacks, we made no assumptions about constraints on the attackers. "Security through obscurity" – or the practice of assuming a veneer of security by relying on attackers not having access to protocol specifications or of using tools that are perceived to be difficult to acquire – is not an acceptable option for any system that can't afford to have its security compromised Our study examined what a dedicated attacker could accomplish with all possible kinds of access.
Great write up, Dave ~ I''m glad I don't have to read those technical reports (unless I upate the annotated bibliography I posted last January.If so, I’ll also be sure to add California’s Red Team reports and FloridaStateUniversity’s just-released report on the failure of optiscans.)
Software Driven Devices (SDDs) have no place in our elections. It's long past time citizens seize the polls and do what is right for democracy - hand count paper ballots at the precinct on election night, before all who wish to observe.
by
Rady Ananda (71 articles, 201 quicklinks, 17 diaries, 521 comments)
on Wednesday, August 1, 2007 at 8:48:53 PM
