Danaher Electronic Voting Machine - Need More Info...

This is a follow up thread to the "Hey All Computer Science/Programmer Dudes - Check This Out!" post.

As you all know Franklin County had the issue with the 3,893 extra votes that were applied to Bush's total in Gahanna.

A cartridge from one of three voting machines at the polling place generated a faulty number at a computerized reading station. Matthew Damschroder, director of the Franklin County Board of Elections said the cartridge was retested Thursday and there were no problems. He couldn't explain why the computer reader malfunctioned.

Franklin is the only Ohio county to use Danaher Controls Inc.’s ELECTronic 1242, an older-style touchscreen voting system.

Danaher has yet to comment on this issue. Essentially no detailed explanation has be provided to why this had happened.

I was curious if anyone knew more about the Danaher system? I know that the Diebold source code was exposed, how about Danaher?

Here's some info I got from their website (http://guardianvoting.com/gvs/sw2.html):

Guardian Election Management Software
- NASED certified

- Network Ready

- Creates and prints all ballots

- Collects and tallies votes from multiple tabulation centers

- Secure database with password protection and 32 bit encryption

- Friendly and familiar Windows 9x/NT user interface

- Intuitive and easy to use

- Easy to import data from external media or systems

- Easy to export results to other media or systems including the World Wide Web

- Integral absentee module

The Franklin County machines are not "touch screen" machines. There is no monitor involved.

Basically it is a large panel of pushbuttons over which a layer of plastic is placed with the specific ballot printed on it. This is sometimes known as a membrane switch machine.

Lots of pushbuttons and blinkenlights, but no screen.

Joe

The reports mentioned a computerized reading station, and their site talks about the voting management system. What do we know about that?

Philadelphia City Commissioners Office
Report on Proposed "Ballot Receipts"
Risk Assessment of Danaher Controls DRE Electronic Voting System and Philadelphia Procedures

Prepared by: Bob Lee, Voter Registration Administrator

March 28,2001; Revised – March 9, 2004

http://www.seventy.org/electioninfo/DREReceipts2004.html



4.c Election Management Software Security
The hardware configuration uses a multi-tier password protection scheme. The Guardian EMS has 4 levels of security including user ID and password in addition to access level and function. The EMS protects the data files through an access mode which, locks the database and refuses to allow any modifications or changes therein. There are probably 30 -40 different civil service employees involved in preparing, proofing and testing an election setup. The EMS has an audit log function that tracks user activities on the system. When a user logs on to the system, the audit trial starts by recording the name of the user and the date and time he or she logged on and the modules the user accessed.

Election database setup in the EMS is encrypted, locked and password protected to prevent anyone from tampering or altering any codes or programs for tabulating votes.

City election personnel will not have access to EMS source code and it will not be available for public inspection. The source code will be placed in escrow. Vendors and escrow agents who have access to source codes will not have access to the system for programming the DRE EVMs for elections.

The EMS is a closed loop system; it is completely secure from outside access where one might gain access to the System. Typically, if the System had the ability to be accessed through a dial up modem for entry to the file system, there could be a breach of security on the network. This feature is not available in the Guardian EMS. City Commissioners' personnel will install any EMS updates from Danaher Controls directly on the System

But it does run on Windows platform, so it makes me wonder how secure this is.

They claim to keep people away from their machine who know anything about the source code, I wonder how they know a person has ever seen the source?

Most of the hackage that goes on happens without any access to source code. E.g. games 'cracked' to not need the CD or the program key.

The database is encrypted, but the program includes the encryption key and the machine code for the encryption, It's just harder to find without the Source. I wonder if it's built with debugger switches?

DVD movies are encrypted, but the codes been broken. Satellite TV receivers have sophisticated encryption which changes and uses hardware cards etc, takes a week or 2 for the hackers to figure it out and start making new pirate cards. These piracies cost the media companies Billions - and their best efforts are constantly cracked.

If they're actually concerned with security then they have probably made it so a monkey couldn't be trained to hack the vote on these. But a hacker who gets hold of the software in advance, and then gets access to the machine during the count/canvass, could likely disable the audit logging quite easily. If he has access to load some software then he could gain unfettered access to the database.

Insert floppy/cd, run program, wait, wait, Ding!! vote adjustments complete! have a nice day

You can lock the machine up, and rely on all the people with access to it to be trustworthy. You can lock it up tighter with no floppy or CD drive - and require fewer people to be trustworthy.

But whats the point when the certification process is so weak?

Delaware has the right idea, post a duplicate paper copy of the vote on the polling place door for everyone to see, then post detailed polling-place level totals on the web so people can verify their neighborhood machine counts and run their own totals without using the tabulator software. Keep the machine as simple as possible, keep firmware updates on ROM and infrequent (make it expensive to upgrade so it gets tested more thoroughly to avoid the financial loss associated with bad firmware) and make the ballot independent of the firmware.

This management system is where the database is created and accessed for reports, and could also be compromised to change results....

some nice hardware pics near the end.

Not much on the tabulation machine, they recommend using a removable hard drive for the machine and physically securing the drive when the machine isn't in use.

http://www.state.de.us/doe_ncc/Pubs/VM_Report.pdf

More good info.

This caught my eye:

"Additionally, an image of each voter’s ballot (with no information to identify the voter) is
created and stored in random order in the machine’s non-volatile and in the memory
cartridge. These records are not lost even if power is removed from the machine."

Excellent! That means that a much better recount/audit can be done (as opposed to just re-adding the aggregated totals). What would be super terrific is if they put a time stamp on each vote record. In that way, the entire traffic engineering picture on Nov. 2nd could be reconstructed, including machine load and downtime.

Ballots stored randomly and no timestamp so that your vote is private. You can't have a poll worker jotting down that you were the 123rd voter on the machine, or that you voted at 10:11am and then go later to see how you voted by looking at the 123rd or the 10:11 ballot.

This could also foil the simplest paper system where you just print a log of votes as they happen, someone can go look at the 123rd vote on the roll of paper. So paper needs to be cut into single-voter chunks and deposited in a box in a disordered fashion (randomized paper)

Kind of a pain as it means a zillion small pieves instead of one roll from each machine.

Thanks for that link. The BOE says that the memory cartridge read process was in error when first put in the tabulator, causing the extra 3,893 votes for Bush. They say the problem was not reproducible.

That stinks of horseshit.

First of all, I found it hard to believe that they didn't have some kind of checksum on the records read from the cartridge, so they would know that the data was corrupt.

Not only that, their aggregation software is evidently so brain-dead that it doesn't even do simple checks like whether the sum of the candidates individual vote totals exceeds the number of votes cast.

But in your link we see this:

"City Commissioners personnel will use EVS workstations at 5 or 7 RTC's to electronically read the votes from the EVM memory cartridges. The EMS on the Central Server will call on each of the 5 or 7 RTCs on a continual, rotating basis, via a secure Wide Area Network (WAN) to retrieve encrypted files of vote results read from the DRE EVM memory cartridges. As results are tabulated on the Central Server, they will be continually copied to a Backup Server located on an identical LAN (BTCC) at a different City Commissioners facility."

Points:

The data on the cartridge is encrypted. Therefore there is no way for the data to be read back from it such that only one vote total (that of Bush) is in error while leaving most of the other totals intact. The BOE explanation that it was a glitchy (now healed) memory cartridge does not hold water.

Instead, the error had to be introduced upstream, after being transmitted to the central server over the WAN.

And this central server is running a Windows custom App... There's something here! IMOP

The answer is there!

IMOP.