My Letter to the Secretary of State

Good Morning. I recently contacted your office with questions about a standard audit, in response to a bill that has been presented by Rush Holt. H.R. 5036: Emergency Election Assistance for Secure Elections Act- the "EASY" bill to secure the November 2008 elections. This bill reimburses states that wish to implement measures to insure the accuracy of our votes.
http://holt.house.gov/HR_5036.shtml
I was surprised that the person I spoke to was not aware of the importance of standard audits, as they pertain to the Optical Scan voting systems used across our state. As a result of that phone call I am emailing information from a few of the many studies regarding the vulnerabilities in our voting systems. I would hope that those who get paid to conduct elections in this state would be knowledgeable of the problems inherent in our voting systems, and the simple measures recommended to secure our elections.
Thank you,


THE MACHINERY OF DEMOCRACY:
PROTECTING ELECTIONS
IN AN ELECTRONIC WORLD
THE BRENNAN CENTER TASK FORCE
ON VOTING SYSTEM SECURITY
SUMMARY OF FINDINGS AND RECOMMENDATIONS
BRENNAN CENTER
FOR JUSTICE
AT NYU SCHOOL OF LAW
www.brennancenter.org
Three fundamental points emerge from our threat analysis:
■ All three voting systems have significant security and reliability vulnerabilities,
which pose a real danger to the integrity of national, state, and local elections.
■ The most troubling vulnerabilities of each system can be substantially remedied
if proper countermeasures are implemented at the state and local level.
■ Few jurisdictions have implemented any of the key countermeasures that
could make the least difficult attacks against voting systems much more difficult
to execute successfully.
Voting System Vulnerabilties
After a review of more than 120 potential threats to voting systems, the Task
Force reached the following crucial conclusions:
For all three types of voting systems:
When the goal is to change the outcome of a close statewide election, attacks
that involve the insertion of Software Attack Programs or other corrupt software
are the least difficult attacks

■ Voting machines that have wireless components are significantly more vulnerable
to a wide array of attacks. Currently, only two states, New York and
Minnesota, ban wireless components on all voting machines.
For DREs without voter-verified paper trails:
■ DREs without voter-verified paper trails do not have available to them a
powerful countermeasure to software attacks: post-election Automatic
Routine Audits that compare paper records to electronic records.
For DREs w/ VVPT and PCOS:
■ The voter-verified paper record, by itself, is of questionable security value.
The paper record has significant value only if an Automatic Routine Audit is
performed (and well designed chain of custody and physical security procedures
are followed). Of the 26 states that mandate voter-verified paper
records, only 12 require regular audits.
■ Even if jurisdictions routinely conduct audits of voter-verified paper records,
DREs w/ VVPT and PCOS are vulnerable to certain software attacks or
errors. Jurisdictions that conduct audits of paper records should be aware of
these potential problems.
Security Recommendations
There are a number of steps that jurisdictions can take to address the vulnerabilities
identified in the threat analysis and thus to make their voting systems significantly
more secure. Specifically, we recommend adoption of the following
security measures: 6
1. Conduct Automatic Routine Audits comparing voter-verified paper records
to the electronic record following every election. A voter-verified paper
record accompanied by a solid Automatic Routine Audit of those records can
go a long way toward making the least difficult attacks much more difficult.
-----------------
Fortunately, these steps are not particularly complicated or cumbersome. For the
most part, they do not involve significant changes in system architecture.
Unfortunately, few jurisdictions have implemented any of the recommended countermeasures.
*Please read more.
http://brennan.3cdn.net/a56eba8edf74e9e12e_r2m6b86s2.pdf


Security Analysis of the Diebold AccuBasic Interpreter
David Wagner David Jeerson Matt Bishop
Voting Systems Technology Assessment Advisory Board (VSTAAB)
with the assistance of:
Chris Karlof Naveen Sastry
University of California, Berkeley
February 14, 2006

http://www.votetrustusa.org/pdfs/California_Folder/DieboldReport.pdf
Page 13
Impact. The consequence of these vulnerabilities is that any person with unsupervised access to
a memory card for sucient time to modify it, or who is in a position to switch a malicious memory
card for a good one, has the opportunity to completely compromise the integrity of the electronic
tallies from the machine using that card.
Many of these vulnerabilities allow the attacker to seize control of the machine. In particular,
they can be used to replace some of the software and the rmware on the machine with code of
the attacker's choosing. At that point, the voting system is no longer running the code from the
vendor, but is instead running illegitimate code from the attacker. Once the attacker can replace
the running code of the machine, the attacker has full control over all operation of the machine.
Some of the consequences of this kind of compromise could include:
 The attack could manipulate the electronic tallies in any way desired. These manipulations
could be performed at any point during the day. They could be performed selectively, based
on knowledge about running tallies during the day. For instance, the attack code could wait
until the end of the day, look at the electronic tallies accumulated so far, and choose to modify
them only if they are not consistent with the attacker's desired outcome.
 The attack could print fraudulent zero reports and summary reports to prevent detection.
 The attack could modify the contents of the memory card in any way, including tampering
with the electronic vote counts and electronic ballot images stored on the card.
 The attack could erase all traces of the attack to prevent anyone from detecting the attack
after the fact.
 It is even conceivable that there is a way to exploit these vulnerabilities so that changes could
persist from one election to another.
In other words, these vulnerabilities mean that a procedural lapse in one
election could potentially aect the integrity of a subsequent election. However, we would
not be able to verify or refute this possibility without experimentation with real systems.

 It is conceivable that the attack might be able to propagate from machine to machine, like a
computer virus.
----------------------------------
In addition, most of the bugs we found could be used to crash the machine. This might
disenfranchise voters or cause long lines. These bugs could be used to selectively trigger a crash only on some machines, in some geographic areas, or based on certain conditions, such as which
candidate has received more votes. For instance, it would be possible to write a malicious AccuBasic
script so that, when the operator prints a summary report at the end of the day, the script examines
the vote counters and either crashes or continues operating normally according to which candidate
is in the lead.

The impact on the paper ballots (AV-OS). It is important to note that even in the worst
case, the paper ballots cast using an AV-OS remain trustworthy; in no case can any of these
vulnerabilities be used to tamper with the paper ballots themselves.
*Please read more:
http://www.votetrustusa.org/pdfs/California_Folder/DieboldReport.pdf



Security Assessment of the Diebold Optical Scan Voting Terminal
A. Kiayias L. Michel A. Russell A. A. Shvartsman
UConn VoTeR Center and
Department of Computer Science and Engineering,
University of Connecticut
{akiayias,ldm,acr,aas}@cse.uconn.edu
with the assistance of
M. Korman, A. See, N. Shashidhar, D. Walluck
October 30, 2006


1 Introduction
The subject of this paper is the AccuVote Optical Scan voting terminal (AV-OS) manufactured by Diebold,
Incorporated, Election Systems division.

Security Vulnerabilities Page 5
We briefly describe the new vulnerabilities that were discovered during our evaluation process. A detailed presentation of these vulnerabilities is available in an extended version of the report that can be provided on a need-to-know basis.
The AV-OS leaks the memory card contents: The AV-OS terminal allows any operator to obtain a dump
of its installed memory card contents without any authentication control. In particular, given access
to an AV-OS machine one can obtain all the information that is stored in the memory card in a matter
of seconds. In order to obtain this information, it is sufficient to use an off-the-shelf RS-232 serial cable (null modem cable) and a laptop. The AV-OS performs no authentication test to ensure that a trusted system is present on the other side while the dump is delivered in cleartext form. Moreover, the terminal does not prompt the operator for a password in order to produce such memory dump. It is easy to identify the election data when observing a memory dump; other sensitive information, including the password (PIN) and audit records associated with the memory card can also be reconstructed from the dump. Alternatively, the same dump can be obtained by using the built-in modem on the AV-OS to transmit the data to a remote PC.
The communication between AV-OS and GEMS is unauthenticated: During the initialization of a machine
for election the GEMS system communicates with the AV-OS terminal to write the initial election setup
to the memory card. No encryption or cryptographic authentication is performed during this transmission.
The serial line protocol does use a cyclic redundancy check (CRC) mechanism for error control.
While the CRC polynomial used is standard, the details of the protocol are undocumented by the manufacturer;
as such, this is a de facto lightweight authentication mechanism. However, it is possible to
reverse-engineer the whole protocol, including the CRC scheme formula (as we have done in our assessment).
The lack of cryptographic authentication opens the possibility for an unauthorized attacker
computer to impersonate the GEMS system to the terminal (this is one of the ingredients of our main
election compromising attack in the next section).
Executable code within the AV-OS memory card: Each memory card contains executable code that is used
for printing the reports. The code is written in a proprietary symbolic language. Such executable files are identified as .abo (AccuBasic Object) bytecode. The possibility to modify the code that prints the results opens the possibility to corrupt machines and coerce them into misinterpreting their counters.
The presence of conditionals and arithmetic in the language enables bytecode “malware” to operate
even conditionally on the state of the machine and thus appear to operate properly in some occasions

* Please read more-

http://www.votetrustusa.org/pdfs/Diebold%20Folder/uconn-report-os.pdf



PROTECTING ELECTIONS
IN AN ELECTRONIC WORLD
Summary
• All three of the most commonly purchased electronic voting systems have significant security and reliability vulnerabilities.
• Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute.
• Millions of Americans with disabilities cannot vote independently and secretly on the voting machines in their precincts.
• The design of ballots and instructions has a large and demonstrable effect on loss of votes as a result of residual errors.
• The initial costs of a voting system are likely to be a small percentage of the total cost over its life-span.
All three of the most commonly purchased electronic voting systems have significant security and reliability vulnerabilities. These vulnerabilities pose a real danger to the integrity of national, state, and local elections. When the goal of an attack on voting systems is to change the outcome of a close statewide election, attacks that involve the insertion of corrupt software are the least difficult attacks. Voting machines that have wireless components are significantly more vulnerable to a wide array of attacks.
Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute.


Of the 27 states that mandate voter-verified paper trails, only 13 require regular audits. Current federal guidelines for voting systems do not ban wireless components; only two states, New York and Minnesota, ban wireless components in voting machines. Only four states conduct parallel testing statewide. After evaluating more than 120 possible attacks on voting systems for more than a year, the Brennan Center’s Task Force on Voting System Security recommends: (1) automatic routine audits of paper records; (2) parallel testing of voting machines; (3) banning of wireless components on all voting machines; (4) transparent and random selection procedures for parallel testing and audits; (5) decentralized programming and voting system administration; and (6) implementation of effective procedures for addressing evidence of fraud or error.


THE WORK OF THE BRENNAN CENTER
►Providing legal analysis and legislative counseling. The Brennan Center offers legal support to state officials interested in policy change. In conjunction with the California Secretary of State’s office, we held a seminar for the chief election offices in ten other states to explain our security findings and recommendations. We have worked with a number of legislators and policymakers on the federal, state, and local level to adopt legislation and regulations that will ensure that voter preferences are counted accurately. Since the release of our report on voting system security, Arizona, Utah and Wisconsin have announced they will audit voter verified paper records in this November’s elections.
►Working with local jurisdictions to increase the effectiveness of voting systems. The Brennan Center consults with county election officials to help them put measures in place to ensure the accuracy, accessibility, and security of their voting systems. Specifically, we have worked with Palm Beach County, Florida to develop a Parallel Testing regime for their paperless DREs this November. Pima County, Arizona (which includes Tucson) explicitly adopted a number of the Brennan Center’s security recommendations for this November’s elections. And the Cuyahoga County Election Review Panel, which was asked by Cuyahoga County, Ohio officials to review election and voting system practices, used the Brennan Center security report in developing new security recommendations for the county

Brennan Center for Justice at NYU School Of Law
161 Avenue of the Americas, 12th Floor • New York, NY 10013
212-998-6730 • www.brennancenter.org
http://www.federalelectionreform.com/pdf/Voting%20Systems%20Issue%20Brief.pdf

matters too. I watched a video of the New Hampshire recount showing boxes with loose covers and supposedly "sealed" with officially marked tape that could be pulled off without leaving a mark and re applied. This is very important as well as machine irregularities.

suggested in every one of these studies. I believe that those paid to conduct elections in my state are responsible for their own ignorance and their lack of action to secure my vote. When I know more about my voting system, than the Secretary of State's office, something is very fucked up.