As usual, we scooped everyone yesterday with our scintillating coverage of noted computer security expert/programmer Harri Hursti's agreement to accept the challenge thrown down by Riverside County, California, Supervisor Jeff Stone to allow someone to come in and attempt to "manipulate" the county's electronic voting equipment made by Sequoia Voting Systems.
The local media in Southern California, however, have now been fairly quick to jump into the game as well, with several articles on the matter so far today. Their reports reveal that the County Board of Supervisors and Sequoia, both as expected, are beginning to try to create some wiggle room to back out of the "thousand to one" bet Stone made publicly last week to local Election Integrity advocates.
Several national Election Integrity individuals and watchdog organization VelvetRevolution.us (VR) have staked $1000 on the bet and have helped to facilitate the participation of Hursti. None of the press coverage dealt with that point. [DISCLOSURE: The BRAD BLOG is a co-founder of VelvetRevolution.us and would be more than willing to discuss that aspect with any such media, if they wish. We can be reached here.]
Stone's video-taped shot-from-the-hip "bet" to local advocate Maxine Ewig, allowing that he would arrange with a programmer to "set up an appointment with one of our machines and...verify that they can manipulate that machine," was issued during a public meeting of the Board of Supervisors last week. (Streaming video of the exchange can be seen here, a text transcript is here.)
Stone also added, "And maybe we should bring the media in and let’s see if your programmer can manipulate that machine. My guess is that it is not gonna happen, but I’m willing to take a chance on that."
Well, the "media" are "in" for the moment. Yet reports in the news today already indicate that the rest of Riverside County's all-Republican 5-person Board of Supervisors and the voting machine company, Sequoia, may be less confident than Stone that their equipment can stand up to any actual independent security analysis such as the one that Hursti would be likely to bring.
For the record, our call to Stone yesterday for comment has still gone unreturned.
Press reports today reveal that the board, the company --- and even Stone --- are already laying the groundwork for several "outs" for themselves. Anyone surprised? Let's take a look...
CBS2 News jumped in with a piece late yesterday based on the press release issued earlier in the day by the Election Integrity advocates from the SAVE R VOTE project announcing their acceptance of the challenge. The name of the specific hacker had not yet been publicly released at the time of the CBS story, and neither the county nor the company commented in the article, headlined "Group Accepts Voting Machine Hacking Challenge."
The Californian ran this article today on both the Supervisors' convening of a "Blue Ribbon" panel to investigate the many reported problems during the county's recent election cycle (a separate issue, though one running concurrently with this one --- no citizen advocates from SAVE R VOTE were named to the panel) and several points where the other Supervisors, Sequoia --- and even Stone --- begin to go wobbly....
It isn't clear whether the panel would oversee a challenge --- issued last week --- over the terminals' vulnerability to hackers. Responding to a member of Save R Vote, Stone said at the board's Dec. 5 meeting that he would bet "a thousand to one" a computer expert wouldn't be able to manipulate vote totals on one of the machines. He invited the group to bring in such an expert.
[SAVE R VOTE member Tom] Courbat said Harri Hursti, a Finnish computer scientist who reportedly hacked into another manufacturer's voting machines, has agreed to attempt the same in Riverside County. [ed note: The other manufacturer is Diebold, and it wasn't "reportedly hacked," it was done on video tape, widely confirmed internationally and featured live as it happened in the HBO documentary Hacking Democracy.] It wasn't immediately clear whether the conditions here would be the same as in Hursti's previous demonstrations. Stone said he expected the would-be hacker to step up to a terminal as a voter would do in a real election, without any visible tools.
Here Stone makes a move to create unrealistic ground rules, which Dr. Herbert F. Thompson of Security Innovation, a partner with Hursti in his confirmed Diebold hacks, says are simply not the way such testing is done. Stone, and everyone else paying attention, knows full well that the greatest threat to such systems is from insiders, and that it's unlikely any would-be hacker would simply "step up to a terminal as a voter would" with the intention of committing an election fraud felony without any advance preparation.
In fact, as Stone also well knows, his county sends such voting machines home, pre-programmed and election-ready, with pollworkers on "sleepovers" for days prior to the election. The opportunity for unsupervised access to such systems has been the subject of much controversy, and of regulations issued, in fact, in light of Hursti's original Diebold hack in Leon County, Florida, late last year: both the state of California and the federal oversight bodies ruled that such unsupervised access to such voting machines is a grave breach of security. Riverside carries out such "sleepovers" anyway.
Back to the Californian coverage...
Also unclear is whether a demonstration would violate the contract between the county and Sequoia, said Michelle Shafer, a spokeswoman for Sequoia. It would depend on the conditions of the test, Shafer said.
"Our software has been certified and has gone through numerous rigorous tests," Shafer said. "We're not going to put ourselves out there with a group that is purported to have an agenda and already knows what outcome it wants."
Of course, the "outcome" that any legitimate security analyst "wants" is to determine whether or not the system in question is secure. The process occurs by attempting to exploit security holes in the system. Of the "numerous rigorous tests" that Shafer speaks of, none of them --- none of them --- are independent security tests. All such testing is done, if at all, by either the companies themselves or the so-called "Independent Testing Authority" (ITA), a group of three companies, selected and paid for by the voting machine vendors, who look only at the things the vendors ask them to. They do not release the results of such testing to anybody but the company.
As to Stone's comment about seeking approval from the Secretary of State, Riverside's Board of Supervisors had been very close to the outgoing, discredited SoS Bruce McPherson. The incoming SoS, Debra Bowen, actually seems to give a damn about voting system security, so Riverside may need some speedy action from McP before he leaves office if they hope he might save them.
Finally, lots of wiggle room created by the responses from the other Supervisors in this article from today's Press Enterprise (NOTE: there is more in the article on this than just the stuff we're quoting below)...
VOTING MACHINES: Other supervisors distance themselves from Jeff Stone's proposal.
Some supervisors questioned whether opening up the machine to a hacker was the right way to test it.
"This is not the time for stunts. Stunts are not going to be very helpful," said Bob Buster, chairman of the Board of Supervisors.
Perhaps Mr. Buster should have mentioned that to Stone before his "stunt" last week. That said, we hardly see an independent "red team" type of security analysis, or "hack test," to be a stunt. We'd call it "prudence" and "due diligence." The same type of prudence would be displayed by any company spending millions of dollars on the same type of mission-critical, high-security equipment. If they didn't, and there was a breach of security, they'd be held accountable in a court of law. Unfortunately, public officials seem to feel they're above that sort of responsible behavior and that nobody will hold them accountable. So far, for the most part, they have been right. Thus, they think they can get away with this sort of bullshit.
"This will demonstrate the county's open-mindedness," he said.
Buster said the county should rely on state experts to test the machines with the right set of controls and in the right conditions.
While Supervisor Roy Wilson said he supported a thorough review of the machines' accuracy, he expressed doubts about turning one over to a hacker.
"There has been no dialogue among the board members about (Stone's) idea. It was a personal challenge made by Supervisor Stone at a public meeting," Wilson said.
Supervisor Marion Ashley said he supports Stone's view that the machines will stand up to a hacker, but he agreed that the board may need to vote to decide whether Stone's challenge should be carried out.
"If these machines are vulnerable, we need to know," Ashley said.
So there you have it for today. The five-member board, it would appear, will set up an opportunity for them to vote on Stone's offer.
It may get them out of the deal, though in the bargain it would demonstrate, in fact, that all of their bluster at last week's meeting --- and much bluster in the years prior --- about having confidence in the security of their systems is little more than empty posturing.
If they had confidence in their system, this would be a no-brainer for them. As it is, they seem to be working their brains big time to figure out how to slither out of the deal. Let's hope they stand up for the voters, as one might suggest Stone --- accidentally or not --- seems to have done so far, and that they allow the challenge to go forward.
Anyone want to place "a thousand to one" bet on it?