State Senator Outraged, Says Machines, Certification Violates State, Federal Standards and Law...
SoS' Own Report Agrees! McPherson Waits Until 5pm Friday of Holiday Weekend to Announce! [UPDATED WITH MUCH MORE INFO...]
By John Gideon on 2/17/2006, 6:29pm PT  

Guest Blogged by John Gideon (with some additional updates/info from Brad)

Updated with much more information...

Secretary of State McPherson seems to have a thing for making major announcements late on Fridays just before holidays. Following in what seems to be a pattern of his, he announced late this afternoon that he was certifying Diebold Optical Scan and AccuVote TSx (touch-screens) for use in elections in the state.

The re-certification (they had been originally decertified in California in 2004 when it was revealed Diebold had installed illegal software updates on the machines) is conditional on some items but not on the one point he had announced last December when he sent the system back to federal authorities for further testing. At that time he said he was sending the machine's memory cards to the federal Independent Testing Authority (ITA) Lab for reinspection in light of the news out of Leon County, Florida that the cards used "interpreted code" which is specifically banned by the Help America Vote Act (HAVA). A "hack test" in that county revealed that an entire election could have its results flipped by a hacker exploiting that "interpreted code" --- without a trace being left behind.

McPherson made his announcement today without waiting to hear back from the ITA lab.

Last summer, after a massive mock election test with Diebold touch-screen machines revealed that 10% of them failed entirely with screens freezing and printers jamming --- later reports would reveal that as many as 30% of the machines actually failed! --- McPherson said, "We certainly can't take any kind of risk like that with this kind of device on California voters."

Apparently the Secretary of State of America's largest "voting market," as Diebold refers to it, was just kidding about that.

State Senator Debra Bowen (D-Redondo Beach), the chairwoman of the Senate Elections, Reapportionment, & Constitutional Amendments Committee, issued the following press release after learning of McPherson's remarkable decision.

FOR IMMEDIATE RELEASE
CONTACT: Evan Goldberg (###) ###-4028/(###) ###-9176

February 17, 2006

BOWEN ON SECRETARY OF STATE'S DECISION TO RE-CERTIFY DIEBOLD MACHINES FOR USE IN CALIFORNIA

SACRAMENTO - "How the Secretary can re-certify the Diebold machines when they don't comply with California law, they violate the standards set by the Election Assistance Commission (EAC) that the Secretary said he intended to follow, and he still doesn't have the report back from the ITAs that he said he was waiting for is beyond me."

That's how Senator Debra Bowen (D-Redondo Beach), the chairwoman of the Senate Elections, Reapportionment, & Constitutional Amendments Committee, reacted to today's decision by the Secretary of State to re-certify Diebold's electronic voting machines for the 2006 elections.

"Last December, the Secretary announced with great fanfare that he was sending the Diebold machines back for review by the Independent Testing Authorities (ITAs) because the memory cards those machines rely on hadn't been reviewed," continued Bowen. "Now, contrary to what he said two months ago, he's approving the Diebold machines without waiting for the report from the ITAs. Instead, he's basing his decision on a supposedly 'independent state audit' that no one has seen before today. There's a March 1 public hearing for four other voting machine vendors before their machines can be certified for use in California, so what was the rush to certify Diebold and side-step a public hearing on this issue?"

Seventeen California counties rely on the Diebold optical scan machines and a number of other counties have bought or are planning to buy the Diebold TSx touch-screen machines to use in the 2006 elections in order to comply with the federal Help America Vote Act (HAVA). The Secretary's decision is only good for the 2006 elections and comes with a number of conditions.

"In August, the Secretary said any machine approved in California would have to comply with all federal standards and regulations, yet the EAC bans machines that contain interpreted code and these Diebold machines rely on that type of code to operate, so he's gone back on that commitment," continued Bowen. "In December, he said he'd wait for a report from the ITAs before acting on the Diebold re-certification request, yet now he's re-certified the Diebold machines without hearing from the ITAs. He says he's acting based on the recommendations of an 'independent state audit' that came out on Tuesday, but the California State Auditor hasn't issued any reports on this issue and hasn't been asked to do a report. Asking a board appointed by the Secretary to make recommendations doesn't constitute an 'independent state audit' in my book.

"The other thing that no one has mentioned is the fact that the Diebold machines don't comply with the state's paper trail law because they don't provide blind or visually impaired voters with a 'read-back' of what the paper trail recorded, they only read back what the machine recorded electronically," noted Bowen. "That's not what the law requires, yet the Secretary has decided to go ahead and approve these machines for use anyway. If the Secretary wants to say he's changing his mind and lowering the safeguards California voters are entitled to have to ensure their votes are accurately counted, that's certainly his decision to make, but saying these Diebold machines comply with state law and with all federal regulations and requirements simply isn't accurate."

Under Elections Code Sections 19250 and 19251, all direct recording electronic (DRE) voting systems have to come with an accessible voter verified paper audit trail (AVVPAT). The AVVPAT must be "provided or conveyed to voters via both a visual and a nonvisual method, such as through an audio component." The Diebold TSx doesn't contain that feature, therefore making the AVVPAT that all DREs are required to have as of January 1, 2006, useless for blind or visually-impaired voters.

###

VOTING SYSTEMS HEARINGS, MARCH 1:
Also of note is the announcement of public hearings (as mentioned in Bowen's release) pursuant to the certification of various voting systems, many of which are still not federally qualified. This announcement is not accompanied by any of the test reports necessary for citizens to go to this hearing with any knowledge of what the state found in their testing. Perhaps this is because none of these systems have been tested by the state yet?

...DEVELOPING...MUCH MORE BELOW...UPDATES, ACTION ITEMS, ADDITIONAL INFO...

Voting Systems Technology Assessment Advisory Board Report Posted:
The report that McPherson used as a basis for his decision to recertify Diebold has been posted. It is a pretty scathing look at the severe security problems that are present on Diebold voting machines, including the use of banned "interpreted code". How McPherson turned this report into a reason to recertify Diebold is beyond common sense.

Also note the following from this report:

  • But the implementation of cryptographic protection is flawed: There is a serious flaw in the key management of the crypto code that otherwise should protect the AV-TSx from memory card attacks. Unless election officials avail themselves of the option to create new cryptographic keys, the AV-TSx uses a default key. This key is hard-coded into the source code for the AV-TSx, which is poor security practice because, among other things, it means the same key is used in every such machine in the U.S. Worse, the particular default key in question was openly published two and a half years ago in a famous research paper, and is now known by anyone who follows election security, and can be found through Google.

This is not the '1111' password that was discovered by the Compuware inspection for Ohio, as previously reported. Instead, the above discusses a hard-coded key that was reported by a research group from Johns Hopkins and Rice Universities. This report was the first in a string of reports from Compuware and RABA.
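Why a default key shared by every machine gives no protection against a modified memory card, and the provisioning check that closes the gap, as an added example that is not taken from the report or from Diebold's code. HMAC-SHA256 stands in for whatever scheme the AV-TSx actually uses, and the key, card contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholder for a vendor default key that ships in every unit
# and is publicly known. It is NOT a real key from any voting system.
PUBLISHED_DEFAULT_KEY = b"EXAMPLE-DEFAULT-KEY-NOT-REAL"


def tag_card(key: bytes, card_image: bytes) -> bytes:
    """Integrity tag stored alongside a memory card image (assumed scheme)."""
    return hmac.new(key, card_image, hashlib.sha256).digest()


def verify_card(key: bytes, card_image: bytes, tag: bytes) -> bool:
    """Constant-time check that the card image matches its tag."""
    return hmac.compare_digest(tag_card(key, card_image), tag)


def provision_key(candidate: Optional[bytes] = None) -> bytes:
    """Return a per-election key; refuse the default key and short keys."""
    key = candidate if candidate is not None else secrets.token_bytes(32)
    if hmac.compare_digest(key, PUBLISHED_DEFAULT_KEY):
        raise ValueError("refusing to operate with the published default key")
    if len(key) < 32:
        raise ValueError("key shorter than 256 bits")
    return key


def demo() -> dict:
    official = b"constructed-card-image: ballot definition v1"
    altered = b"constructed-card-image: ballot definition v1 (modified)"

    # The default key is public, so a tag over altered contents can be
    # computed by anyone, and a machine left on the default key accepts it.
    outsider_tag = tag_card(PUBLISHED_DEFAULT_KEY, altered)
    default_ok = verify_card(PUBLISHED_DEFAULT_KEY, altered, outsider_tag)

    # A machine keyed by the election office rejects that same card,
    # while cards tagged by the office still verify.
    election_key = provision_key()
    unique_ok = verify_card(election_key, altered, outsider_tag)
    official_ok = verify_card(election_key, official,
                              tag_card(election_key, official))
    return {"default_key_accepts_altered": default_ok,
            "unique_key_accepts_altered": unique_ok,
            "unique_key_accepts_official": official_ok}
```
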

...MORE...

GuvWurld points out still more incredible information regarding this virtually inexplicable move by McPherson. Here are a few highlights from GuvWurld after reviewing McPherson's "Security Analysis of the Diebold Interpreter" [PDF]. Remember, while reading the following, that this report was used to okay the use of Diebold's machines!...

While the analysis is too long to fully dissect here and now, GuvWurld will surely pull more detailed quotes in future reports. For now, a "Security Analysis..." summary:

  • We did not do a comprehensive code review of the whole codebase, nor look at a very broad range of potential security issues. Instead, we concentrated attention to the AccuBasic scripting language, its compiler, its interpreter, and other code related to potential security vulnerabilities associated with the memory cards.
  • We found a number of security vulnerabilities, detailed below. Although the vulnerabilities are serious, they are all easily fixable. Moreover, until the bugs are fixed, the risks can be mitigated through appropriate use procedures. Therefore, we believe the problems as a whole are manageable.
  • Memory card attacks are a real threat: We determined that anyone who has access to a memory card of the AV-OS, and can tamper it (i.e. modify its contents), and can have the modified cards used in a voting machine during election, can indeed modify the election results from that machine in a number of ways. The fact that the results are incorrect cannot be detected except by a recount of the original paper ballots.
  • Harri Hursti's attack does work: Mr. Hursti's attack on the AV-OS is definitely real. He was indeed able to change the election results by doing nothing more than modifying the contents of a memory card. He needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server.
  • Interpreter bugs lead to another, more dangerous family of vulnerabilities: However, there is another category of more serious vulnerabilities we discovered that go well beyond what Mr. Hursti demonstrated, and yet require no more access to the voting system than he had. These vulnerabilities are consequences of bugs--16 in all--in the implementation of the AccuBasic interpreter for the AV-OS. These bugs would have no effect at all in the absence of deliberate tampering, and would not be discovered by any amount of functionality testing; but they could allow an attacker to completely control the behavior of the AV-OS. An attacker could change vote totals, modify reports, change the names of candidates, change the races being voted on, or insert his own code into the running firmware of the machine.
  • Successful attacks can only be detected by examining the paper ballots: There would be no way to know that any of these attacks occurred; the canvass procedure would not detect any anomalies, and would just produce incorrect results. The only way to detect and correct the problem would be by recount of the original paper ballots, e.g. during the 1 percent manual recount.
  • Interpreted code is contrary to standards: Interpreted code in general is prohibited by the 2002 FEC Voluntary Voting System Standards, and also by the successor standard, the EAC's Voluntary Voting System Guidelines due to take effect in two years. In order for the Diebold software architecture to be in compliance, it would appear that either the AccuBasic language and interpreter have to be removed, or the standard will have to be changed.
It's pointed out that McPherson claims to have devised "10 strict standards" that must be in place for Diebold to receive re-certification in CA. Those standards are posted on the SoS website here [PDF]. GuvWurld points out step #3, seemingly ignored entirely by McPherson:

    3) State certification testing does not begin until the federal qualification testing is successfully completed.

Again, apparently McPherson was just kidding about the "strictness" of those "standards".

JIM MARCH OUTLINES STEPS YOU CAN TAKE REGARDING ALL OF THE ABOVE!...

...AND MORE...

In McPherson's letter to Diebold the Secretary of State acknowledges the fact that the AccuBasic code on the Diebold voting systems had never been inspected by the Federal ITAs. The letter says:

    The voting systems submitted to our office for certification had been through the federal testing process and had received a qualifying NASED number; however, the AccuBasic source code on the memory card in both voting systems had not been reviewed by federal testers.

This is clear evidence that the Secretary of State knows the Diebold AccuBasic was not properly federally qualified. And:

    We believe that the failure by the federal ITA to review the source code was an oversight that had to be corrected. Accordingly, we directed you to transmit the source code back to the ITA with direction from this office regarding how that federal review should be conducted.

Inexplicably, the Secretary of State did not wait for that ITA review. What will they do when the ITA recommends that Diebold be federally disqualified? Or does the Secretary of State already know something the EAC is not telling us?

UPDATE 2/21/06: Much more, including exclusive video-tape of McPherson promising NOT to do what he did, now right here...