Black Box Voting study hits the New York Times

New Fears of Security Risks in Electronic Voting Systems

http://www.nytimes.com/2006/05/12/us/12vote.html?ex=114...

..."It's the most severe security flaw ever discovered in a voting system," said Michael I. Shamos, a professor of computer science at Carnegie Mellon University who is an examiner of electronic voting systems for Pennsylvania, where the primary is to take place on Tuesday.

Officials from Diebold and from elections' offices in numerous states minimized the significance of the risk and emphasized that there were no signs that any touch-screen machines had been tampered with. But computer scientists said the problem might allow someone to tamper with a machine's software, some saying they preferred not to discuss the flaw at all for fear of offering a roadmap to a hacker.

"This is the barn door being wide open, while people were arguing over the lock on the front door," said Douglas W. Jones, a professor of computer science at the University of Iowa, a state where the primary is June 6.

<snip>

The new concerns about Diebold's equipment were discovered by Harri Hursti, a Finnish computer expert who was working at the request of Black Box Voting Inc., a nonprofit group that has been critical of electronic voting in the past. The group issued a report on the findings on Thursday.

<snip>

As word of Mr. Hursti's findings spread, Diebold issued a warning to recipients of thousands of its machines, saying that it had found a "theoretical security vulnerability" that "could potentially allow unauthorized software to be loaded onto the system."

<snip>

Aviel Rubin, a professor of computer science at Johns Hopkins University, did the first in-depth analysis of the security flaws in the source code for Diebold touch-screen machines in 2003. After studying the latest problem, he said: "I almost had a heart attack. The implications of this are pretty astounding."

The tide is turning.

Welcome to DU.

I live in El Paso County Colorado and they have been telling me for TWO YEARS these machines are just excellent and lovely thankyouverymuch.

I'm glad I've been talking to them day in and day out. Polite but unstoppable. NOW we've got the ammunition we really need.

Holy shit! Google this puppy. It's all over the 'net and all over the MSM!!!!!

:toast: :toast: :toast:

Theoretical, my ass.

"Could potentially allow" the wrong man to be in the White House. And DID.

Diebold voting systems critically flawed
Robert Lemos, SecurityFocus 2006-05-12

http://www.securityfocus.com/news/11391

Michael Shamos remembers that the call came late at night, during the last week of April.

"It is like the nuclear bomb for e-voting systems. It's the deal breaker. It really makes the security flaws that we found (in prior years) look trivial. "

Avi Rubin, computer science professor, Johns Hopkins University The call--from election watchdog BlackBoxVoting.org--described a critical vulnerability in Diebold Election Systems' touchscreen voting systems that could allow any person with access to a voting terminal the ability to completely change the system code or ballot file on the system. As a professor of computer science at Carnegie Mellon University and adviser to the Commonwealth of Pennsylvania on electronic voting, Shamos realized that, at the very least, a workaround for the flaw needed to be in place by Pennsylvania's next election--at the time, less than three weeks away.

"This one is so bad, that we can't do just nothing," Shamos told the state's election officials at the time. "Any losing candidate could challenge the election by saying, 'How do I know that the software on the machine is the software certified by the state?'"

Late Thursday, BlackBoxVoting published a redacted version of a paper describing the design flaw in Diebold AccuVote TSX and TS6 touchscreen election systems. Because of the seriousness of the flaw, the full report detailing the issue has only been distributed to a limited group of computer scientists, state and federal election officials, and security groups.

"We have elections every single week this month, and there is no way to do meaningful remediation at this point," said Bev Harris, founder of BlackBoxVoting.

Three states have already issued alerts on the flaws to election officials. The Pennsylvania Department of State told county clerks to reinstall the software on election devices and then lock them up in a secure location until the May 16 general primary.

"The Department of State will furnish the authorized software to the counties on a PCMCIA card along with instructions for its installation," a copy of the memo seen by SecurityFocus stated.

Both Iowa and California have also issued alerts, according to the Associated Press.

The incident represents the most major failure of the federal process to create secure election technology to date. While researchers and civil rights groups have voiced strong criticism of electronic voting technology--and in particular the systems' security--the national elections held in November 2004 saw only small problems that would likely not have impacted the outcome of the election.

...

Other computer scientists do not believe the threat to be theoretical.

"It is like the nuclear bomb for e-voting systems," said Avi Rubin, computer science professor at Johns Hopkins University. "It's the deal breaker. It really makes the security flaws that we found (in prior years) look trivial."

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

Oh my. I have been trying to understand this report and I must tell you, I could not really "get" it until I read it about ten times. I am overwhelmed by the amount of news articles on this today. The reporters do a much better job than I can. I am printing out the articles to send to everyone I know!

:)

Diebold has to be totally in or totally out. I cant motivate people to vote with this shit going on every time I turn on the news. If they cant run a trustworthy system GET THEM THE HELL OUT because this has turned into a flesh eating wound.

I dont want to spend my time battling voting machines. I refuse to do it. I am a 43 year old black male and we can't fight the enfranchisment battle on so many levels at once. This needs to get cleaned up.

Glad to have you here and please know that we all (here at DU) have been fighting this fight for the past 5+ years. We're really getting close to getting it all out there.

:hi:

Welcome to Du.

I can understand your frustration because I am working on issues too and I hate to see obstacles put in my way. I can see how the voting machine problems are obstacles if you are trying to motivate people to vote and work on voter disenfranchisement issues.

But what if the problems with the voting machines really do make it so that busting your ass doesn't matter? I'm just saying, give it some thought. Good job on what you're doing, just keep an open mind.

and I will be able to sleep again.

Oh, and better late than never, NYT.

Let's get ready to rumble

Computerworld http://www.computerworld.com/blogs/node/2515
WNEP TV http://www.wnep.com/Global/story.asp?S=4893162&nav=5ka4
The Tribune Democrat http://www.tribune-democrat.com/local/local_story_131234049.html?keyword=secondarystory
Post Gazette http://www.post-gazette.com/pg/06132/689559-85.stm
Akron Beacon Journal http://www.ohio.com/mld/beaconjournal/business/14561489.htm
KCPW TV http://www.kcpw.org/article/649
Judicial Watch http://www.corruptionchronicles.com/2006/05/major_security_hole_in_voting.html
E-Commerce Times http://www.ecommercetimes.com/story/8ORCZwsBUtfng4/States-Beef-Up-E-Voting-Security-After-Report-on-Weaknesses.xhtml
SC Magazine http://www.scmagazine.com/uk/news/article/558936/voting+machine+flaw+threat+not/
Tech-News World http://www.technewsworld.com/story/8ORCZwLNt0AAQf/States-Beef-Up-E-Voting-Security-After-Report-on-Weaknesses.xhtml
ZDnet http://blogs.zdnet.com/BTL/?p=3025
TMCnet http://www.tmcnet.com/viewette.aspx?u=http%3a%2f%2fwww.tmcnet.com%2fusubmit%2f2006%2f05%2f12%2f1647862.htm
MIT Security Review http://www.technologyreview.com/read_article.aspx?id=16840

And now this: Diebold ships uncertified machines (AGAIN)
http://www.bradblog.com/archives/00002821.htm

Kick them out NOW! :toast: :kick:

of voting machine security problems.

lol

We need to come up with a coordinated plan of attack that makes best use of this situation. That's in the works! Paper ballots anyone? :)

Is he kidding??
"Officials from Diebold and from elections' offices in numerous states minimized the significance of the risk and emphasized that there were no signs that any touch-screen machines had been tampered with."

Widespread touchscreen switching was documented in half the states in 2004
http://www.flcv.com/ussumall.html
http://www.flcv.com/fraudpat.html

I cannot find anything in the article which says that the BBV.org study is the "biggest ever"

we seem to be excusing a Bev supporter for less than honest behaviour.

Thats pretty big, NO?

No one said the problem wasn't severe, only that it was discovered some time ago. That Bev knew this, and yet pretends it is a new discovery and fails to credit earlier work.

Standard Bev MO.

Maybe Raba gave it to bev, maybe your crew is right and she stole it (thats between Bev and Raba), what does matter is that this particular crime of the election theft machines is out there, for all to see.

as much as I think Diebold should be run out of town on a rail, Bev did NOT uncover evidence of "election theft", neither did RABA. A door left open in your home is not evidence of a burglary. While we all may have our personal views about what is going on, let's not mix opinion and fact.

that the machines are "election theft machines," i.e., inherently prone to election theft, and therefore to sell them is a "crime." (Some folks call them "stealer machines.")

AFAIK kster does think that the 2004 election was stolen, so I may be cutting this too fine. I totally agree that we shouldn't mix opinion and fact. (And I have always been seriously weirded out by people who "quote" phrases that didn't actually appear in the source document, as in the OP. I don't want folks around who just make stuff up. I take no comfort whatsoever in the possibility that they may not have noticed that they just made it up.)

I feel that both the 2000 and 2004 election were stolen.

However, I think it was pulled off the old fashioned way:

Voter suppression, intimidation, rules lawyering, and purging voting lists.

I think 2000 is pretty much a slam dunk. It's hard to be sure about 2004, but I would not want to argue the negative.

Some of us have struggled to convey that it is possible simultaneously (1) to distrust electronic voting machines and (2) to doubt that the 2004 election was stolen on them. Well, as Ellis Paul sings, it's a big blue world.

Damn, I wish I could hit those notes. But I digress. ;) Pleasure talking with you.

"Officials from Diebold and from elections' offices in numerous states minimized the significance of the risk and emphasized that there were no signs that any touch-screen machines had been tampered with." Too, they claim the machines are hunky-dory and would never harm our votes.

So you don't think the same machines, the ones this thread is all about, helped them steal the 2004 election? How can anyone profess such a thing:

"The machines did not contribute to the stolen election".

Hogwash, BS, Incredible! UN-believable.

Please go back and read what I said. I have not seen any evidence, that I, was a professional would swear to in court. I PERSONALLY believe the elections were stolen, and while voting machines may have had some small part, I firmly believe that it was done the old fashioned way.

I am sorry this opinion upsets your world view, but I am getting a little bit tired of claims that I support Diebold in any way.



Could you show me where I said that?

But I will now....

... believe the elections were stolen, and while voting machines may have had some small part..."

Some small part? C'mon.

Ok, ok, clear this up for me.... What small part? Explain please. Take all the page that you need. I really would like to hear what "small part"?

long threads can sometimes cause confusion.

Some machines due to error or manipulation may have caused votes to be lost or misapplied. But to claim a widespread conspiracy is not supported by the evidence.

Just wow. Unbelievable, that somebody in this day and age having been around long enough to see the body of evidence presented on this forum, would deny that evidence existed.

Unbelievable. But it is true, eh?

is lots of insinuation, supposition and questionable conclusions.

I also believe Oswald acted alone and we did land on the moon.

manipulation of evidence also happens to be 'insinuation, supposition and questionable conclusions'!!!! Quick give your brain a shake, stir things up. You cant PROOVE that all the shit with the machines was only innocent booboos.......or if you can, please do it...........or else be upfront and say that's just your own faith.

You takes your pick.........seems to me like theres more evidence on the side of some dirty tricks with voting machines compared with no dirty tricks with voting machines.......How do you explain away the 3 hours of missing time on the King Co. tape??? Just for the time when the election was bein counted.....But of course that's just coincidence right? And all those problems with Volusia Co. and the little ballot-makin activity and throwing out official docs in the trash the morning after Bev Harris shows up lookin for them....Nope, no problem for Mr. Kelvin nothing seems like fraud to him..........but hey, buddy, your such an honest guy everybody else must be as honest as you, right?

Snicker snicker snicker.

...Kelvin supports Diebold, I said your post agreed with Diebold. Big difference. Why so defensive?

But now I see why some might think you do support Diebold.

Has just become much, much clearer.

You don't believe the machines made a difference in the 2004 election. Have I got that right?

Maybe if you spent less time tearing down, you could have found the evidence that has been presented on DU? Come to think of it, I can't reacll you ever arguing that part of your case here, at least not relatively speaking. Instead, about all I can recall from Kelvin is anti-Bev. Maybe you can clear that part of your record?

First, please, clear up what the "small part" the machines did effect the 2004 election. That needs to be cleared up, forthwith, in my mind.

I deal in fact, not speculation. If you want speculation and insinuation, then Bev's group is the group for you.

Are paperless voting machines insecure, error-prone, over priced and a danger to democracy?

Absolutely.

Is there competent evidence that they were used to steal the 2004 election? Nope, sorry, it just isn't there. It is possible they were used in this fasion. Yes, but highly unlikely.

This is reality. Folks wishing to disagree with me, are welcome to do so.

Edited to add this point:

If you wish to be taken seriously by your representatives and change the law to protect your vote, then you have to deal in fact, not speculation.

If I had walked into the committee I served on and started spouting about Diebold conpiracies, I would have destroyed my ability to influence the law. By sticking to the facts, we now have the toughest law in the nation for voting machines. So tough, in fact, that Diebold walked away from the state and $50 million in sales rather comply with the law.

Do you want results, or a Oliver Stone movie?

Message removed by moderator. Click here to review the message board rules.

whether you like me or not.

If you think talking at length about stolen elections will accomplish your goals, then by all means, do as you please.

I am not "taking credit" simply stating that if I had espoused the views in committee that you have, no one would have paid the least bit of attention to me and given the bill came out of committee on a 6-5 vote, it is likely things would have been quite different.

Maybe it would have passed by a larger margin if you had spoken out?

Who knows.

The question I have is why you are against the machines if you don't think the machines caused harm?

Oh, still waiting on that "small part" explanation. To refresh your memory, you said the machines played a "small part" in the stolen election and I asked you to explain that small part. Take all the space you need.

in this fashion, I did not say they WERE used in this fashion.

Why are you obsessed with my reasons?

Are you saying that ONLY if voting machines can be used to rig elections, is there a problem? If voting machines were tamper-proof, yet unreliable in function, you would be OK with that?

If you wish to believe that Karl Rove has midgets inside each machine controlling the votes, knock yourself out. The machines are a danger designed, but for some reason unless I believe exactly as you, my motives are suspect.

No, just trying to pry out the truth. Truth is important, eh?

I think the machines should be thrown in Boston Harbor. I think the evidence shows that the machines were factory programmed to make altering votes as easy as possible.

I think millions of votes were stolen in 2004, by the machines, and quite a few were stolen in North Carolina, right in your backyard, and the wise legislators saw that and passed the new law as a consequence.

I think the machines played a large part in the stolen election and you don't. You attack others for disagreeing with you, but if you are approached you scream bloody murder. If you can't stand the heat, stay out of the kitchen.

I do not share your opinion that "millions of votes were stolen" with these machines. You are certainly welcome to beleve this if you wish. Why you seem to think that my refusal to assume your opinion somehow disqualifies me from fighting against BBV is baffling.

... me to your enemies list ... forthwith ... as I concur with Davidz assessment of sElection MMIV, stolen conventionally in NM & OH.

"Kelvin's opinion and Diebold's opinion are the same?!?!?"

Surely you are too smart to think that this is just a wordier way of saying "Kelvin agrees with Diebold" or "Your post agrees with Diebold." Yes?

And you still have an unattributed "quotation" that, as far as I can tell, no one in the world ever said before you. What's that about?

The enemies list, sir, the enemies list. Step away from the enemies list and maybe we can get somewhere. Pending that, you might be well advised not to lecture people about "truth" and "poison."

Partial agreement with me about one thing does not equal absolute agreement with Diebold about everything.

Saying that 2004 was stolen the old-fashioned way does not mean that no votes were stolen on machines, much less that "the machines are hunky-dory and would never harm our votes."

And quotation marks are generally reserved for, umm, quotations. (I mean, I suppose you may have been quoting someone....)

Welcome to the reality-based community. Please enjoy your stay.

I don't think I've ever heard you ever get close to saying the machines stole votes. But it looks like you just did.

Looks like yer learnin'.

Tell me, what votes, if any, in your opinion, did the machines steal?

IMO the DREs definitely stole: several thousand votes in Franklin County Ohio, the great majority of which would have gone to Kerry.

Those DREs stole the votes by not being available.

And of course, there is abundant evidence that punchcard machines stole the presidency from Gore.

What do you have?

those "golden oldies".

The ones that are EASY to get away with.

They are the ones for which there is excellent evidence.

And I understand the argument that better-disguised fraud will be better disguised. I also understand the evidence that such fraud would have been be feasible under certain fairly stringently defined conditions in 2004.

But I'd like the people who understand the security vulnerabilites that have been uncovered to posit specific mechanisms by which fraud exploiting those vulnerabilities could have been employed in 2004 - because that way we might actually have testable hypotheses.

Do you have any hypotheses yourself?

Edit: on reading some of your other posts in the thread I gather you share my view that there is little evidence that millions of votes were stolen on DREs in 2004. I also agree with you that the electoral injustices of 2004 were of a sort that, sadly seem to have been endemic in US elections for sometime.

even if there was evidence, they won't let us get to it.

200% turnout, they refuse to let us look at the machines.

DOES THAT GIVE YOU THE LEAST LITTLE BIT OF A CLUE?

If you will post what you think is the evidence to the contrary, I am happy to go through it with you.

I have defended you on this board, and I will continue to, because I play that way. But screeching at Febble does not do you any credit.

(EDIT: Actually, that was too kind. You really ought to apologize for #76. It wasn't just a screech, it was an unsubstantiated and unfounded smear.)

Message removed by moderator. Click here to review the message board rules.

My own question was:



Do you have an answer?

ETA a further question:

What do you, kster, consider the evidence is that millions of votes were stolen on DREs?

using a real world event, the "mysterious" -16,000 Gore votes in Volusia Co. in 2000.

I will pare this down to the bare points for simplicity. Let's start with the facts:

- Reporters watching the totals during election night noticed Gore's count going BACKWARDS.

- When investigated it was discovered that a PCMCIA card was uploaded which had NEGATIVE votes.

- The data was discarded, and the correct data re-uploaded.

- It was reported an unaccounted for PCMCIA card had been used in the system, this card later could not be found.

Nature of the bug:

- Program allows negative integer values (negative votes) to be uploaded into database.

Probable reason: Poor error-trapping. The first thing a *good* programmer does is type his variables (text, whole numbers, integers, dates, etc) and build error traps, ways the program can determine that an error has occurred and how to deal with them. In this case, a logical check when votes are uploaded would be to check data values for the presence of negative or fractional votes, which would be invalid. The program did not perform this check and the data was accepted. When negative numbers are added to positive numbers, subtraction occurs.

My theory on what happened:

- The PCMCIA card had a write error which corrupted the data.

Why this is the likely explanation?:

If you are going to try and steal votes, stealing 16,000 in a precinct where only 600 people voted is rather stupid. It sticks out like a sore thumb, which it did, which is why it was caught.

How it could be used as a cheat:

- Tamper with the cards deliberately and alter the data, but in smaller amounts over multiple precincts.

This would require secret access to the PCMCIA cards, or the substitution of duplicate cards.

How it could be detected:

- Comparison of precinct vote tallies during a random recount.

How it could be prevented:

- PCMCIA cards use hard encryption to foil attempts at altering.
- PCMCIA cards are marked with identifying serial numbers and tamper-resistant seals to prevent substitution.
- Stringent security procedures for handling PCMCIA cards (cards signed in and out, serial numbers and seals checked).
- Mandatory random recounts.
- Paper ballots.

Most likely fate of the mysterious card:

Joe: Hey, Fred! What do I do with this memory card that didn't work?
Fred: Ah, chuck it out. We don't want it to be used accidentally next time.

*THUNK*

Later.

Election official: Did you guys see a bad PC card? I hope no one threw it out because they could lose their job.

Joe & Fred (nervously): Uh, no, haven't seen one. Nope, no memory cards around here. Did you check the break room?

Again this is a VERY basic primer on a bug that could be exploited. It would be easy to affect a small local race because the number of votes involved would be much smaller. The bigger the race, the harder it is since you must gain access to a larger number of cards, or enlist more people in the scheme.

Of course, we've mostly been focused on forensic analysis of the returns. A pretty ill-formed problem -- we aren't sure what we are looking for. I would say it keeps me humble, although I gather that opinions vary about that.

The interpretation of *apparently* anomalous data. You find something that doesn't jive with what you expect. So, the question becomes, "why the deviation from expected norm?".

Some folks see deviation and immediately yell, "See, they are rigging the election!", and get their panties in a major hangman's noose when you don't agree with them. These folks don't understand that this is exactly the kind of subjective thinking found on the Religious Right when they try to wrap their brains around evolution. In this case, they expect to see God everywhere, so any anomaly in fossil data is proof God was involved. On our side, it's proof votes were stolen by Diebold/ES&S etc.

David Allen
www.blackboxvoting.com

Actually, I don't lay it on that thick in the paper. But yes, that is exactly what I have concluded. It used to be called "God of the gaps" (invoke God to account for anything otherwise unexplained, which makes God sort of inversely proportional to science), so I think of it as Fraud of the Gaps.

I'm rereading one to see if I've got it right. First the guy says there is no independent evidence of non-response bias. Then he sort of concedes that some evidence exists, but he says that it can't explain all the exit poll discrepancy. Then -- poof! -- the whole subject Just Goes Away. Very, umm, parsimonious.

I like something Bruce O'Dell posted here long ago, which went roughly like this: "I am so concerned that the 2004 election might have been stolen, I am actually trying to find the evidence!" He mostly got torched for undermining the unity of the cause, of course.

if everybody involved in elections weren't tryin so damned hard to keep any evidence from bein looked at. That goes for the nitty gritty detail about the exit poll locations.........Keepin this stuff secret forces everyone to speculate, even scientists, and no one ends up lookin good.

with all the reports coming out online about these machines the silence in the media and from our Government is my evidence.

The Government mostly because they owe the millions of online people that are in doubt about these machines some open, honest and ON TV discussion about these machines.

Short of that, the whole Government will continue to look like CROOKS.

I take back post 76 , the one thing for sure you are brilliant, its just that I can't figure out why you never factor in the complete silence from the Government and in the Media.

no problem, and for sure I am not brilliant. But I am a scientist, and I probably take a different view of data to that of either lawyers or campaigners! In principle I am completely against DREs anyway (being a Brit I can't see the problem with paper ballots, hand counted), although whether it is most practical to get rid of them, insist they have paper records, insist they are audited, make them secure, or what, is up to you guys. They are certainly a disaster right now.

As for your comment, I agree that your government looks like crooks (so does ours), and I agree that the machines are insecure. My questions is: if that crooked government wanted to steal the 2004 election, how could it do so? And is there any evidence that it did so in that way?

• Well they could lie, and there is evidence for that.


• They could manipulate the ballot so that the gay marriage question influenced the presidential vote in Bush's favour, and there is evidence for that.


• They could sell one line to one demographic, and another, contradictory line, to another, and hope that no-one who mattered would notice, and there is evidence for that.


• They could suppress the Democratic vote in all kinds of ways, and turn a blind eye to clear conflicts of interest like that of Ken Blackwell, and there is evidence for that.


• They could mess around with provisional ballots in black consituencies and there is evidence for that.

And they could hack the vote. And while there is evidence that it is possible, at least at the level of the individual machines, there is no evidence that it was done on a massive scale (millions of votes). Sure there is some evidence that it may have happened in places, and sure there is some evidence that the damn things just didn't work properly. There is even evidence that they tended to go wrong in Bush's favour, although any scientists is going to look askance at that data before generalising from it. But their is no evidence that DREs stole millions of votes and considerable evidence that they did not. The only evidence for the millions of votes story is from the exit polls, as far as I know, and in my very thoroughly considered view, the evidence from the exit polls is actually evidence the other way.

So, in short, while I agree that motive and opportunity have to be taken into consideration, so does means, and so does supporting evidence, and I think it the evidence that millions of votes were stolen on DREs is extremely sparse. If you can hypothesise just how millions of votes were electronically changed from Bush to Kerry by way of any of the vulnerabilities now emerging, without anyone being caught with a screwdriver, and without leaving any trace in the exit poll data or the demographic data, then I would, genuninely, be delighted to hear of it. I am NOT brilliant, and there could well be something I've overlooked. But it's not for want of trying to figure it out.

Cheers

Lizzie

It is quite enough to feel millions of votes were stolen just by looking around and seeing how many people hate the *.

Anyway, IIRC, you used to ask us to show you how machines could be hacked. We told you then, and you argued it couldn't be true, but now the facts are coming out just as we said years ago.

Tell you what, take a look at this thread and get back to us on your theory of how such funny numbers could happen without using the machines you finally agree can be hacked.

http://www.democraticunderground.com/discuss/duboard.php?az=show_mesg&forum=170&topic_id=2562&mesg_id=2562

what I have been asking is how the machines could be hacked without showing up as a trace in the exit poll data.

http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=203&topic_id=398267

I have never been in any doubt that the machines could be hacked. What I still want to know is how they could be hacked in such a way as to shift millions of votes but leave the redshift in the poll no greater where DREs were used than when they were not.

I would really appreciate it, BeFree, if you would actually check my posts before alleging what I have asked and what I have said. If you do, you will find that I have consistently argued that they are insecure, unreliable, too expensive to be fair, unauditible, and that I think they are an absurd way for a democracy to vote. Of course I think they are hackable. It was why I was initially persuaded that the exit poll discrepancy might be due to massive fraud.

However, on closer examination of the evidence, I find that this is unlikely to be the case, and no-one has suggested any evidence, other than the exit polls, that DREs were responsible for the theft of millions of votes. There are millions of guns in America. There are not millions of murders. Tell me what the evidence is that hacked DREs stole millions of votes.

I am certainly very interested, however, in what happened in North Carolina.

....IIRC, you were bugging us sometime ago to prove the machines could be hacked. Glad to see we got thru to you. You are now a believer!

First read the thread at the link I posted, then will talk.

for the "bugging" you allege I have done.

My problem has always been, and remains, with the kind of hack that would account for millions of votes switched to Kerry and yet be consistent with the exit poll data.

There is a difference.

If you have been misreading my posts it may explain why you have been apparently so angry with me.

I have to add, though, much as it might be nice for you to think of me a convert, I'm afraid nothing I have read here has changed my views regarding the hackability of DREs. I have always considered them hackable; however I do not see how any of the DRE vulnerabilities could have resulted in the theft of millions of votes without the exit polls demonstrating greater redshift in DRE precincts; nor can I see how this could have happened and yet left no correlation between redshift and swing to Bush since 2000, seeing as how DREs were largely introduced since 2000. If you present me with a hypothesis that we can try to test, good.

But it would be much more pleasant not to have to conduct this conversation in a hailstorm.

Read the link. You can click on links, right? Just try it, it won't bite you.

Exasperated, I mean.

You gave me a link to a post with some data suggesting that the vote in North Carolina was hacked. I read it. I see suggestive evidence that there may have been tampering with the vote. I see no evidence that it was done on DREs. The post suggests that it was stolen on the tabulators. This is possible of course. As I said (if you read my previous post) I would be interested to know what was going on in North Carolina. However, for sure, millions of votes weren't stolen in NC.

The problem, as I keep saying, is that I don't see any evidence for millions of votes being stolen on DREs nationally. The only evidence for "millions" of votes being stolen that I have seen has been the exit poll data, and as I said, the exit poll data suggests that DREs were not responsible for the discrepancy. The data also suggest that tabulator fraud was not responsible either, as the discrepancy is calculated on largely precinct counts.

However, it is perfectly possible that, in certain places, votes were stolen on DREs. I see no evidence for millions.

Message removed by moderator. Click here to review the message board rules.

If you read the exit-poll data and it tells you that millions of votes were stolen on DREs then you are reading it differently to the way I am reading it, and as, from your innuendo, you are apparently aware that I have had an opportunity to read the data fairly closely, you may like to consider the possibility that I may have good reasons for my reading. I disagree with your assessment, and if you read the link I gave you, you will discover why I believe that the data is evidence against the case that millions of votes were stolen on DREs.

If you want to believe that I am Making Stuff Up because I was contracted to analyse the damn things, then that is your prerogative. You would, however, be wrong. I was contracted to analyse the data because I am a good data analyst, and because I had made a fair bit of fuss over the way it had been originally analysed. The reason I made a fair bit of fuss is that I wanted to know why Bush had won the election, when he was clearly a lousy president. I suspected, from the exit poll evidence, that he had cheated, possibly by means of electronic voting machines.

But being not only a fairly good data analyst, but an honest data analyst, I try to approach data without bias, and if it tells me something I'd rather not hear, I listen nonetheless. It is often informative.

But then I've found fact more useful than fiction. I have never been prone to accuse someone of lying simply because I don't like what they are telling me.

since you refuse to validate his fantasy, he impugns your integrity by claiming your are "in" with a nafarious plot.

Mitofsky did hire me to analyse the data. You can either read that as evidence that Mitofsky wanted the truth enough to hire a DU/DKos poster, or as evidence that Mitofsky wanted a cover-up so bad he planted a shill at DU/DKos.

I think the evidence supports the former reading. It also happens to be the truth.

Thanks for your support.

folks that when you make a statement, they choose what parts to read, or simply read words that are not there, then accuse you of making statements you never made. I have even seen someone place a comment in quotation marks, attribute the statement to another poster and demand he explain the remark. Trouble was, the text in quotation marks didn't exist anywhere in the thread.

If you cite your own expertise as authority for a remark, they will tell you that you don't know what you are talking about, despite the fact that they have no expertise. If you cite an online source, they will impeach the source, EVEN WHEN THE SOURCE IS FROM THEIR OWN SIDE.

Good example found in this thread:

http://journals.democraticunderground.com/Kelvin%20Mace/10

Message removed by moderator. Click here to review the message board rules.

it was NEVER prosecuted. Oh, wait, that's right, John Kerry was in on the conspiracy to throw the election to Bush.

It is hard to talk about everything simultaneously.

Febble and I came through the exit polls. If you happen to be looking at the exit polls, nationally, the problem with stipulating lots and lots of votes stolen on DREs and op-scans is that the exit poll "red shift" is about the same on punch cards (they are bad, but not that bad), and even higher on lever machines.

That obviously doesn't mean that the DREs, or op-scans, were hack-free nationwide -- who the heck knows? It just weakens the case that the exit polls evince hacking on DREs and/or op-scans. There turn out to be some other reasons to think that there wasn't huge widespread hacking. As for Volusia 2004, I express no opinion.

I will get back to you on this sometime next week. Ironically, the exit polls provide some reason to think that the NC results are legit, even though I agree with ignatzmouse that they look bizarre. But I need to think about it some more -- and I need to think about some other things first! (One reason I haven't thought more about NC is that, as I mentioned to Kelvin somewhere recently, the aggregate county results look pretty legit. IIRC Bush's biggest gains over 2000 came in hand count counties.)

Here's the thing you don't seem to get: you and I and Febble are rarely arguing about whether something "couldn't be true." At least, Febble and I aren't arguing with you about that. We are looking for evidence regarding whether it was true, in a particular context. If you really don't care, that is fine, but then why are you arguing with us, and why do you keep attributing opinions to us that aren't ours?

that for people who claim to be very interested in the truth, folks are not happy when they hear it. I really wish I could say this was not a problem on the Left. Sadly, it seems to be the human condition.

I'm already convinced that the whole Government is involved due to the Silence on this issue. Having said that, I don't need to look for EVIDENCE in the past election, they obviously got that evidence buttoned up.

I would rather spend my time explaining to people how they are going to manipulate the results of the next election thats easier to explain, and people will watch for it. The more people who ask "how do them machines count votes" the better.

When the people come to realize how secretive the vote counting and tabulating is, is when they will realize how we were prevented from getting at any EVIDENCE from the past elections and WILL be prevented from getting at any EVIDENCE in future elections.

Kevin

evidence isn't everything. You are right that there is a major problem with transparency that urgently needs to be fixed.

However, you might, at some stage, be interested in the kinds of ways that even "invisible" fraud can be detected, statistically. I've looked so damn hard for statistical evidence in the 2004 data, I have some pretty good ideas about where to look next time.

Always remember - it isn't a victimless crime. You can't steal an election without giving the winner more votes. That's evidence.

Call me if you need me ;)

I asked him if he would send me a copy of the memo from Karl Rove ordering them not to cover voting machine issues. He said he certainly would.

Did the reporter give you permission to post it?

Jeebus!

You can see from my post time that I "was up in the night" I should have realized that Karl is to politically damaged to still be threatening reporters. Could you just make up a memo and post it. It would be good follow-up humor.

When we look at a particular piece of code and see a security hole, we can ascertain one, and only one thing factually: The security hole exists and compromises the system. We can examine the hole and determine other facts such as the extent and circumstances under which the hole may be exploited, the difficulty in exploiting the hole, and the equipment and/or expertise required to exploit the hole.

These are *facts* that can be determined by competent programmers.

Then we move to WHY is the hole there? At this point we move from easy fact to conjecture. Some conjecture is easier to prove than others. Some are more logical than others. Occam's Razor says the simplest answer is *usually* the correct one. For some people, this is a criminal conspiracy, for others it is incompetence.

If we look at a program and find well written code everywhere, but gaping security holes, a reasonable person might be convinced to follow a criminal conjecture. After all, it is odd that the code is clean and tight everywhere else, but has shoddy code here and there which compromises security. If the entire program contains crappy code, a reasonable person might be convinced that poor QA, incompetent programmers, time constraints, or poor management are to blame. And examination of the personnel records would answer many of these questions.

The point is, the further we stray away from the facts, the more nebulous the issue becomes.

Now, if we are trying to affect change via the legislature, we can follow one of two paths. We can stick to hard factual evidence which no one can dispute: The code is buggy and insecure. Or we can try and prove that the code is the way it is due to a grand criminal conspiracy, at which point we depart from cold fact and move into speculation.

Which is a more productive avenue?

An example:

We can prove to you that the Ford Pinto was a poorly designed car in which the gas tank could rupture and burst into flames if struck from behind at speeds greater than 15 MPH. We have the blueprints, we have crash test data, we have accident reports and the expert testimony of fire investigators.

Or we can try and prove that the design flaw was a deliberate effort on the part of Ford executives to kill specific members of the public.

Which is the easier case?

David Allen
www.blackboxvoting.com

That the code can be used maliciously. And that the owners of the code are maliciuos:i.e. Odell's statements that Ohio would be delivered to *.

That this is an internet forum and you can speak freely here... oh wait, you did, and Diebold's opinion and yours on voting machines are damn near parralell.

Again: what "small part" did the machines play in the stolen election?

Then explain this post about your backyard:
http://www.democraticunderground.com/discuss/duboard.php?az=show_mesg&forum=170&topic_id=2562&mesg_id=2562

You don't like the answers. You continue to impugn my integrity by claiming that my opinons are the same or nearly the same. I will suffer this from you no further.

Good day, sir.

They've got all kinds of mechanisms that don't leave a trace, all you need is a couple of minutes access.........and that can happen in the factory, at the vendors, during shipment, at any time they're in an election office location which are often insecure, or at a pollworker's house or an insecure location at the polling place.

The opportunities are so many and so little time is needed........and no way to prove that an election has been manipulated because of what can be programmed into the hardware level and bootloader......for example so that if its told to look for a certain file, one that would prove tampering, that file will be wiped out instead.

You don't seem to get it that the very nature of the vulnerabilities makes their actual use in an election impossible to prove!!!!! When you've got a situation like this you have to take voter reports of problems like vote flipping way more seriously because all your goin to see for evidence are the places where an incompetent jerk did the hacking......who knows maybe if you paid the right person the right money you'd get shown vulnerability A and if you paid more or if you were the right person's pal you'd get shown vulnerability B and on and on......Man there's no end to what could have been done to these machines and lots of them DONT leave a trace.

Even when physical evidence was produce to Law authorities they just ignored it, didn't investigate, didn't prosecute. This is the same with other companies, don't know if the machines are as bad or worse but the same things happen, problems get reported but no one investigates even when it mighta been possible to get evidence if they looked at the machines.

It's a bunch of crap what has been goin on over here and maybe you just dont realize how bad it is.

Lots of people -- including me -- are worried that stealing a lot of votes on DREs might be surprisingly easy. At least, it seems that one insider could flip a bunch of votes in an entire county, and even grimmer scenarios are possible.

Febble and I have spent a lot of time looking at election returns to assess which scenarios might be true in 2004. That's how we've formed our present opinions. Lots of people (of course I don't mean you!) who ignore what we actually say, and what sort of evidence we actually cite, seem to think that we are trying to promote trust in the machines. But if we trusted the machines, we probably never would have looked at the election returns.

So, anyway... I don't know exactly how easy it would be to steal lots of votes on DREs, and/or op scans, and/or miscellaneous central tabs -- or even to "get away with" it, in the sense that the results would never be overturned. But the election returns tend not to support it, as far as I can tell. It does seem hard to steal lots of votes without ending up with lots more votes, and I can't find the votes.

Lots of armchair heroes just get mad at us (me, Febble, various social scientists, all social scientists...) for saying such things, when they could more usefully help us find the votes (if they are out there) or focus on undisputed facts. Or so it seems to me.

I want to get back to North Carolina, analytically speaking. The best arg for fraud in NC is that the absentee/early vs. election day split is wildly different for the presidential race than for other races. There is, ironically, some (fuzzy) exit poll evidence that that is exactly what happened, and the aggregate county-level returns don't look suspicious, but I still have some questions about what happened, even if it was "clean."

Tried and true methods that are almost impossible to prosecute. How do you prove an election official sent too few machines to a precinct DELIBERATELY. How do you prove a police car parked at a precinct in a black neighborhood is there to DELIBERATELY suppress voting.

These tactics worked fine for a century, and will do well for another century at least.

and make some effort to pay attention to what people actually write. Just a thought. I haven't said anything the least bit new here. I do try to learn, but I think you are missing the point -- accidentally, I hope.

I'm with Kelvin, more or less -- when it comes to vote-flipping and that sort of thing, I haven't seen anything yet that would stand up. (In my case, I would not say "in a court of law," although I don't disagree, but "in a journal article or conference paper" -- in other words, any evidence I could use to convince someone that at least a certain magnitude of votes is likely to have been altered in a particular jurisdiction.) The problem is that in states that had both touch screens and other voting technologies (at least the ones I've looked at), Bush didn't tend to do better (controlling for past results) in DREs, or even on op scans, than on other technologies. So while some votes could have been 'stolen on machines' through vote-flipping, the statistical evidence I have seen suggests not many. That isn't my final answer; I don't have a final answer. I am still looking. I do not trust these machines, and I have never indicated that I did.

It looks like thousands of votes were 'eaten' (not counted) on the pushbutton DREs in New Mexico. Franklin County is probably not the only place where scarce DREs contributed to long lines and lost votes that way. Not sure what else.

some folks to believe in elaborate conspiracies than it is to believe the truth. What amuses me is that we agree the election was stolen, but BeFree is angry at me and now casts apersions on my character because I don't agree with him HOW the elction was stolen.

Pretty damn sad.

What amuses me is that you are full of conspiracy theories here, but deny that the machine owners had a conspiracy going to steal the election.

Why fight the machines if they caused no great harm? That's the question that must be answered. That, and what "small part" did the machines play in the stolen election?

am I "full of"?

About the "small part", then I will educate you about your conspiracy theories. Deal?

Why not answer the question?

you just don't seem to like the answers, which is your right, but I am going to bed.

:spank:

If you don't like what I write, you have an ignore button.

I have seen someone quote something that wasn't actually said.

gave the keys to my door to every crook in the neighborhood. That would be a crime.

Can you name the "crooks" Diebold gave the information to?

I'd change the locks on my door, then as Raba and Bev are doing with the voting machines, I'd try and get the word out to anyone else who has a lock on their door from this particular builder.

nothing that hasn't been covered before by RABA and three years ago by Rob Behler.

(this would be your cue to invoke those spin points Bev gave you).

is to first examine the differences between it and the previous reports. The primary difference is that the bootloader being modifiable is a 'new' public revelation. I see nothing about that anywhere in the RABA report. That is a completely different problem in and of itself. It's also the "deal breaker" when talking about using these machines.

The actual exploit that Harri Hursti divulged in the redacted portions of his report make it clear that the bootloader can be overwritten by using the (REDACTED) port, completely bypassing the PCM/CIA slots that are meant to upload the software. Harri's exploit has nothing to do with using the PCM/CIA slot to hack the machine per se. It deals with hacking in via a separate port, and subverting the subsequent use of the PCM/CIA port by corrupting the bootloader. That's why their mitigation strategy is not effective.

The PCM/CIA attack vector has been known for years now. It's no different than using a floppy disk to plant a virus. The stock answer to that has always been that there are mitigations like passwords or external security measures that can be put in place to fix it. (locks put on the front door)

The Hursti attack exploit waltzes in through missing security on the (REDACTED) port (missing back door) to overwrite the bootloader itself via replacement of the (REDACTED) files, completely bypassing the PCM/CIA route to do it. This problem is built in to the design of the motherboard. It was a deliberate design decision and there is no way to go back and fix it now.

IOW, I can go into that machine and plant my own programs in deep hidden directories, and take control of the PCM/CIA / bootloader / software update process at startup. It can be done in such a way as to have the bootloader ignore the legitimate program on the memory card, and load my hidden program instead. You can completely remove all of the software from the machine and re-load it from scratch, with known good software, but the machine will still do what I told it to do, and run what files I want it to run after it's been completely reloaded.

I can also write my program in such a way as to have it automatically delete the hidden files, rather than expose them, if someone types in the path to where they're hidden. None of this is covered by the RABA report in it's redacted form. If it's in the full reports, then the people who authored them, as well as the people who read the reports and covered this up have a lot of explaining to do.

I'm certain that Harri must have contacted both Doug and Avi by now to set them straight on this matter. That's just the kind of guy that he is. :)

You can't even communicate effectively to me, how am I supposed to get this incomprehensible message to the people I'm trying to sign up to vote. Why would they sign up to vote? What do you expect me to do about this. There are some of us pounding the pavement. Put <redacted> and <red> all over it for all I care, my bro Kelvin from NC has it down. (Hi from Raleigh). Old fashioned methods haven't changed and maybe your right but no way I can take that message to my peeps.

Next time speak english, thanks.

that these machines just plain suck and any high school kid could fuck up an election with one in two freekin' minutes. Tell them that the man lied to them when they said they were safe to use and there's no fuckin way to fix 'em. Just say "Honey, light my torch and hand me my pitchfork, it's party time down to the election office"! When y'all get there, tell them election folks you want paper ballots that y'all can fill out. Tell them they can pay themselves in voting machines so the money aint wasted. :)

:hi: Welcome to DU :toast:

easier here are some more links you can look here and you'll see a sweet list of links with plain talkin that your gonna love.

the hardware allows updating boot software stored on the motherboard (flash the BIOS?) via the (Incredibly Redacted) port?

none, nada, zip.

Wireless connection?

that's real funny cause several news reports quoting computer scientists said the flaws were so bad it wasn't safe to mentione them because of the election coming up..........so all those major newspapers and scientists are insiders?!!!

:rofl: :rofl: :rofl: :rofl: :rofl:

Thanks!

No jumping involved - a straight up question. It's not a toughie, a simple yes or no would suffice ... from the person is was directed to.

and it would be misleading to start spreading a rumor it was something that it wasn't........Maybe they'll publish the unredacted version as soon as the primaries are all over.

It's not a toughie, a simple yes or no would suffice ... from the person it was directed to.

As far as the premise that secrecy is required because of the upcoming elections, I would think that would be even more reason for full (unredacted) info to be released to the public. Far & wide. I've already had more than enough people saying 'you don't need to know, trust us - we'll keep you safe, ad nauseum'. We have been screaming for open sources, full disclosure, nothing to hide government - but we're supposed to hesitate at opening all the doors?

Putting something as foul & dangerous as this is said to be in the open loses them the cover they've hidden behind till now. They can't keep the genie in the bottle if it's opened in full view - but, insisting on helping to keep the secrets hidden? That is more like accessory-after-the-fact to me. If activists truly want (paraphrasing something I see constantly) the machines thrown into the harbor, hiding anything that is ostensibly as damaging as claimed would, IMHO, be criminal.

:-)

...which is interesting.

>>>None of the previously published studies uncovered this flaw. Did SAIC? It might exist in the unredacted report, but to date, nobody outside of Maryland officials and SAIC has been able to see that report.<<<


http://www.freedom-to-tinker.com/?p=1014

Thursday May 11, 2006 by Ed Felten
< This entry was written by Avi Rubin and Ed Felten. >

A report by Harri Hursti, released today at BlackBoxVoting, describes some very serious security flaws in Diebold voting machines. These are easily the most serious voting machine flaws we have seen to date — so serious that Hursti and BlackBoxVoting decided to redact some of the details in the reports. (We know most or all of the redacted information.) Now that the report has been released, we want to help people understand its implications.

Replicating the report’s findings would require access to a Diebold voting machine, and some time, so we are not in a position to replicate the findings at this time. However, the report is consistent with everything we know about how these voting machines work, and we find it very plausible. Assuming the report is accurate, we want to summarize its lessons for voters and election administrators.

Implications of the Report’s Findings
The attacks described in Hursti’s report would allow anyone who had physical access to a voting machine for a few minutes to install malicious software code on that machine, using simple, widely available tools. The malicious code, once installed, would control all of the functions of the voting machine, including the counting of votes.

Hursti’s findings suggest the possibililty of other attacks, not described in his report, that are even more worrisome.

In addition, compromised machines would be very difficult to detect or to repair. The normal procedure for installing software updates on the machines could not be trusted, because malicious code could cause that procedure to report success, without actually installing any updates. A technician who tried to update the machine’s software would be misled into thinking the update had been installed, when it actually had not.

On election day, malicious software could refuse to function, or it could silently miscount votes.

What can we do now?
Election officials are in a very tough spot with this latest vulnerability. Since exploiting the weakness requires physical access to a machine, physical security is of the utmost importance. All Diebold Accuvote machines should be sequestered and kept under vigilant watch. This measure is not perfect because it is possible that the machines are already compromised, and if it was done by a clever attacker, there may be no way to determine whether or not this is the case. Worse yet, the usual method of patching software problems cannot be trusted in this case.

Where possible, precincts planning on using these machines should consider making paper backup systems available to prepare for the possibility of widespread failures on election day. The nature of this technology is that there is really no remedy from a denial of service attack, except to have a backup system in place. While voter verified paper trails and proper audit can be used to protect against incorrect results from corrupt machines, they cannot prevent an attack that renders the machines non-functional on election day.

Using general purpose computers as voting machines has long been criticized by computer scientists. This latest vulnerability highlights the reasoning behind this position. This attack is possible due to the very nature of the hardware on which the systems are running. Several high profile studies failed to uncover this. With the current technology, there is no way to account for all the ways that a system might be vulnerable, and the discovery of a problem of this magnitude in the midst of primary season is the kind of scenario we have feared all along.

Timeline and Perspective
This is not the first time Diebold has faced serious security issues — though this problem appears to be the worst of them all. Here is a capsule history of Diebold security studies:

2001: Doug Jones produces a report highlighting design flaws in the machines that became the Diebold touchscreen voting machines.
July 24, 2003: Hopkins/Rice study finds many security flaws in Diebold machines, including ones that were pointed out by Doug Jones.
September 24, 2003: SAIC study finds serious flaws in Diebold voting machines. 2/3 of the report is redacted by the state of Maryland.
November 21, 2003: Ohio’s Compuware and InfoSentry reports find critical flaws in Diebold touchscreen voting machines
January 20, 2004: RABA study finds serious security vulnerabilities in Diebold touchscreen voting machines.
November, 2004: 37 states use Diebold touchscreen voting machines in general election.



March, 2006: Harri Hursti reports the most serious vulnerabilities to date discovered.

None of the previously published studies uncovered this flaw. Did SAIC? It might exist in the unredacted report, but to date, nobody outside of Maryland officials and SAIC has been able to see that report.

We believe that the question of whether DREs based on commodity hardware and operating systems should ever be used in elections needs serious consideration by government and election officials. As computer security experts, we believe that the known dangers and potentially unknown vulnerabilities are too great. We should not put ourselves in a position where, in the middle of primary season, the security of our voting systems comes into credible and legitimate question.

:)

May 15th. You are quoting something Rubin wrote on the 11th, before he had the relevant passage of the RABA report sent to him.

doesn't include all the things in Hurst II........can't figure out why your tryin so hard to make out that Hursti II has nothing new?!!!!!

Can't you read? There are clear explanations in plain English over on BBV.........Or are you still just interested in throwing mud around and you hope that if you just keep moving you'll never get dirty? Buddy boy I feel real sorry for you........Someday your legs are gonna get too tired to keep jumping out of the way of your own mud and your gonna get real, real dirty.

is "RABA doesn't cover all of Hursti II"

Again, Bev is banned from here and must operate through proxies. She has been caught in lies repeatedly. I am not the one with a credibility problem.

even if you wish it weren't.

Do you REALLY think people are stupid enough just to take your word for it?

to take YOUR word for anything.

Looks like your getting quite a name for stirrin up trouble in all kinds of places.

that Rob Behler's interview covered what RABA did not.

that Behler never said what Hursti said.

But go ahead your NC fan club doesn't seem to care whether or not your informed or not. Just keep makin stuff up.

...Doug urged me to share his explanation so he can put the record straight...


On May 17, 2006, at 6:52 AM, Russ Michaels wrote:

If you've time could you clarify a point that I'm getting confused about here... Some people have said that the latest serious security flaw Harri has identified is nothing new and yet of course yourself and many of the other experts have commented in national newapapers that this security problem is worse than anything that has been uncovered/documented before... Has anything changed in your understanding of Harri's report since we spoke last week?


PROF. DOUG JONES: Yes and I've been in communication with Hursti about this.

A bit over 2 years ago, RABA Technologies was paid by the state of
Maryland to investigate the security of the Diebold Accuvote TS.
Their report was very negative, and one paragraph clearly documented
the fact that the Diebold Accuvote TS firmware was far to simple to
update, although very little detail was given. Nonetheless, it's
clear that RABA understood at least part of the problem.

In a way, RABA is to Hursti as I am to Avi Rubin. RABA and I both
found major security vulnerabilities in the Diebold system. Rubin
found that I'd only touched the tip of the iceberg, and that Diebold,
despite being told of the flaw, had done nothing in 5 years to fix
it. Hursti found that RABA had only touched the tip of the iceberg,
and again, that Diebold had done nothing in 2 years to fix it.

The Hursti report, without the context provided by the RABA report,
can be taken as strong evidence that Diebold has merely been incompetent.
This is the conclusion you'd draw from Rubin's work if it weren't for
my earlier observations. In the context of the RABA report, the Hursti
report makes it clear that Diebold was not merely incompetent, but
that they've been blatantly negligent. Of course, this negligence
is even worse, because Rubin's work, in the context of my earlier
disclosures, has exactly the same implications.

Hursti and I appear to be in pretty clear agreement about this
interpretation. It appears, however, that there are spin-mongers
(spinsters?) who are out there to put another spin on this. Oh, they
say, Hursti didn't report anything new. This appears to be an effort
to discredit Hursti and those of us who consider his report important.

Also, it's noteworthy that the RABA and Hursti reports raise questions
about Maryland's election administration. Maryland asserted that they
were taking the recommendations of the RABA and SAIC reports to heart.
Now, two years later, we find that Maryland hasn't been very hard nosed
about Diebold's followup on the RABA report. Because of redactions
in the SAIC report, we have no idea whether SAIC also found this flaw,
and we cannot tell if Maryland has been equally sloppy about followup
on the SAIC report.

In sum, now that we've found evidence that the RABA study found at least
one and possibly more of the vulnerabilities Hursti found, the story
is even more damning than it was with just Hursti's work.

Doug Jones

------------------------------------------------------------------------------


On May 17, 2006, at 8:18 PM, Russ Michaels wrote:

If I understand correctly the bootloader (a) and operating system (b) vulnerabilities which Harri has identified do seem to be newly specifically stated problems (unless they are in some redacted unknown parts of SAIC/RABA reports)...


PROF. DOUG JONES: The RABA report is sufficiently vague that it is unclear
whether they caught just one of these or whether their wording is intended
to encompass all of them.


RUSS: RABA doesn't mention a three layer vulnerability.


PROF. DOUG JONES: RABA says nothing about the details, just that new
software can be put on the PCMCIA card and injected into the system.
An attempt to read detail into their description makes it sound like
Hursti's third layer, but I'm not sure that reading such detail in is correct.


RUSS: So am I right in thinking that what Harri describes in his report as .. "Three-layer architecture - three security problems. Each can stand alone or combine for three-layer offense in depth" .. is a highly dangerous attack combination which no one else has identified and set out?


PROF. DOUG JONES: Certainly RABA did not identify this in any detail.
I agree that Hursti, at the bare minimum, gets credit for exposing the
fact that Diebold made not one vulnerability of this type, but three
separate ones, each of which, in isolation, is sufficiently bad to allow
an outsider to take over the system, and which can, indeed, be combined.


RUSS: The "offense in depth" attack Harri identifies which could be used to conceal the contamination by an attacker and which could 're-infect' the system also seems an important new discovery. Is there any evidence that this deep penetration attack has been properly documented before by anyone?


PROF. DOUG JONES: No, Hursti gets credit here, and he gets credit for
observing that a virus is possible, transmitted from machine to machine
through contaminated PCMCIA cards.

But, we don't know what was redacted in the SAIC report. I want to know,
but I have no leverage with anyone on this. I know that the people at
NIST have tried and failed to get a copy of the non-redacted version.
They say that Linda Lamone wanted to give them a copy, but that she
was blocked by higherups, probably at the state attorney general level
or the lieutenant governor level.

Doug Jones

WARNING! SEVERE VERBAL GYMNASTICS AHEAD! :rofl:

Published on the CounttheVote.org website in 2004 in response to Brit Williams:

Williams: Voters need to know that even if the election official is sloppy about some procedures, that it is still improbable (vs. impossible) a "rogue vendor" could act alone to change election results (to use an allegation that has been made).

CTV Response: We allow technicans full access to the machines, the data and the votes yet deny the voters any access. We allow technicans to override policies and procedures, yet we would prosecute an elections official for overriding those same policies and procedures. We have granted the "rogue vendor" access while denying the voters and officials the same access. The terms of this contract appear to break the law in Georgia.

Let's use an all too probable example: It is election day, voters have been casting votes on a machine for 2 hours. Suddenly, the machine appears to fail. A technician is called in and alleges that the PCMCIA card (the ballot box) has malfunctioned. The technician replaces the card with one he/she decrees is functioning correctly. No elections official has inspected this card, no official has any idea what this card contains. It is possible that the card is loaded with fraudulent votes. It is possible that the card is not functioning while appearing to do so. It is possible that the ballot box simply isn't receiving every 3rd vote. It is possible the PCMCIA card contains a program to alter the contents of ALL PCMCIA cards during the accumulation process. It is possible that any number of things on that card are altering the election results. It is possible that an unsworn technician has introduced a "rogue" ballot box. And yet, no one has violated the policies and procedures in place. But those policies and procedures have failed to protect the sanctity of the vote.

In fact, this situation DID occur in March, 2004 in Walker County, Georgia:

Problems became apparent with Walker’s first returns about 9 p.m. when neighboring counties were wrapping up their tallies. A Diebold computer technician began providing incorrect numbers to news organizations. The botched returns were fed to the media for more than two hours after the polls closed before the problem was corrected.

“Their technicians were not loading something right,” Walker County Board of Elections and Registration Chief Clerk Barbara Berry said Wednesday. “That’s the reason we can’t even use the modems to get our results in. We have tried and tried to get our results in by modem, and something is wrong somewhere.”

As reported in the Walker County Messenger

Williams: Here are the steps that a person would have to go through to be able to change the outcome of an election.

snip.....

Williams: H) If the software is programmed onto a ROM (Read Only Memory) chip then you have to have physical access to the units.

CTV Response: Not true. One only needs to write a small utility which is a part of the GEMS system, because every time the machines are initiated (turned off and on) the ROM is re-programmed.

Williams: I) With access to the units, you must be able to remove enough of the ROMs in the units to reprogram them. This entails having enough time to either erase the ROMs installed in the units or having enough supplies of identical ROMs that you can have them preprogrammed and inserted into the units... all undetected.

CTV Response: Not true. One only needs to write a small utility which is a part of the GEMS system, because every time the machines are initiated (turned off and on) the ROM is re-programmed.

Williams: J) You then have to have access a second time to remove the "malignant" ROMs after the election and replace them with the real ones you removed (so that you can get away with the election fraud undetected).

CTV Response: Not true. One only needs to write a small utility which is a part of the GEMS system, because every time the machines are initiated (turned off and on) the ROM is re-programmed.

Williams: K) You have to do this not only on enough machines in one jurisdiction (unless your intent is to manipulate a local election - and why would anyone take these kinds of risks for a County Commissioner’s race, or Sheriff’s race or Mayor’s race?), but in many jurisdictions in order to steal a Congressional race or state race? And for the presidency, this would involve thousands and thousands of people.. .unless of course we go to one system nationally (or Internet voting).

CTV Response: Not true. One only needs to write a small utility which is a part of the GEMS system, because every time the machines are initiated (turned off and on) the ROM is re-programmed.

read the rest at:
http://www.countthevote.org/elec_center_0403.htm

Paging Votergate..........

Paging BeFree..........

Paging the rest of the BevBots.........

SteveAPlay? Jim Dandy?

The FCC (even Bush's FCC) has an incy bincy problem with that kind of thing. Unless, of course, the lie helps Republicans.

THE LEAST BIT OF A CLUE?

"Well, see, they have this thing about putting LIES on TV
The FCC (even Bush's FCC) has an incy bincy problem with that kind of thing. Unless, of course, the lie helps Republicans".

This isn't a republican scandal!!!!!!!! George Bush even bought her book! Had it shipped overnight!
:sarcasm:

Stephen Heller says you're wrong.

Thanks for helping fill out the list of people who need to be deposed as witnesses. :evilgrin::thumbsup:

:kick:

Who knew what when?

:kick:

Whatever you say.......just remember this is only the beginning.

that CountTheVote document was created April 4, 2004.

So how is it that anyone can "twist" words which haven't been spoken yet?

And you might wanna tell Bev she needs to remember the Virginia citizen who sent us that Brit Williams piece upset that he was selling himself AND Diebold to her state.

you can't get your story across. I'm sure you said something very profound but what good is that if nobody knows what it is? This reminds me of warring experts in a courtroom. Effect on the jury? Tune 'em all out.

Is that what you want? If not, learn to tell a more compelling story.

This single picture is compelling (but would be best with a clever caption). The "page 4 of 3" tells all of us something is wrong with this voting machine and we can see that even if we are enjoying a white russian instead of a double espresso.



The picture is apparently from the BBV study in Utah.
(edited for attribution)

Not to worry. They'll laugh your documwhatever out of the theaters.

Message removed by moderator. Click here to review the message board rules.

Message removed by moderator. Click here to review the message board rules.

since the original poster is no longer with us.

best,
wakemeupwhenitsover
DU Moderator