Guest blogged by Ernest A. Canning
Neither the recent claim made by anonymous hacker, Abhaxas, that he/she had hacked into Florida's e-voting database nor the efforts by FL election officials to minimize the breach of its system comes as a surprise to The BRAD BLOG.
In fact, minimization of the vulnerability following the reported hack calls to mind what Roger G. Johnston, Ph.D of the Argonne National Laboratory describes as the Arrogance Maxim:
One would think that Abhaxas had Johnson's Arrogance Maxim in mind. As reported by Doug Chapin of the University of MN, the anonymous hacktivist responded to the official denials by hacking into the FL voting system a second time; posting "a directory listing of the Florida database with the (sarcastic) observation 'Glad you cleaned up, pretty secure now guys'."
As an encore, Abhaxas then hacked into Montana's government website, where he/she exposed 16 databases.
While Chapin acknowledges the vulnerability exposed by the hack, once again, as is his habit over the years, Chapin draws the entirely wrong lessons in pointing to the need for better training and security procedures...
'Canary in the electronic coal mine'
This is not the first time that the vulnerability of a FL electronic voting system has been exposed.
As reported by Brad Friedman, first at Computer World, and then here at The BRAD BLOG, on the first day of early voting for the November 2006 general election, an SQL slammer worm breached the firewall of the Sarasota, FL database system, halted voting, and rewrote administrative passwords.
This just happened to have taken place in relation to the hotly contested FL-13 special Congressional election between Christine Jennings (D) and Vern Buchanan (R) that had been conducted on the 100% unverifiable ES&S iVotronic touch-screen Direct Recording Electronic (DRE) voting systems.
Ironically, that special election was to find a replacement for former 2000 FL Sec. of State Katherine Harris who had, by then, become a Congresswoman. Harris gave up her seat in favor of a futile run for the U.S. Senate. Yet, according to the iVotronics, 15% of Sarasota voters (17,846) failed to cast a vote in the race to fill the infamous Harris' vacated seat. That was nearly six times greater than the undervote rate in each of the other counties participating in the District 13 race. At the same time, the undervote rate in Sarasota on paper absentee ballots for the Buchanan/Jennings race was just 2.5%.
Jennings carried Sarasota 53% - 47%, even with all of the "lost" votes, but, according to the machines, she was narrowly defeated by Buchanan in the race's final unverifiable tally by 369 votes.
In April 2007, nearly a month before the slammer worm attack was disclosed, The BRAD BLOG covered a Florida State University study that revealed that a single malicious user could introduce a virus into the iVotronic system which "could potentially steal all the votes in that county, without being detected."
Jennings' protracted Congressional challenge was denied after the Government Accountability Office (GAO), which had been tasked to investigate the matter, employed a backwards burden of proof. While no reasonable alternative explanation was ever advanced to explain the bizarre numbers, the GAO said it couldn’t conclusively state the machines caused the undervote because there is a "lack of assurance whether the source code…if compiled, would correspond to the iVotronic firmware that was used in Sarasota County for the 2006 election."
Why was the burden not placed upon the manufacturer, or even the county, to prove that its e-voting system accurately recorded the vote?
The bizarre numbers prompted E. J. Dionne of the Washington Post to refer to Sarasota as "the canary in the electronic coal mine."
That 2006 failure was ultimately the straw that broke Florida e-voting's back (again), and led to the incoming Governor at the time, Republican Charlie Crist, finally joining with Democrats to ban touch-screen electronic voting in the state once and for all.
machines transparency, stupid!
"I follow the vote," CIA cyber-security expert Steven Stigall explained to the U.S. Election Assistance Commission (EAC) in 2009. "And wherever the vote becomes an electron and touches a computer, that's an opportunity for a malicious actor potentially to...make bad things happen."
As initially reported by Greg Gordon at McClatchy, "Stigall said that voting equipment connected to the Internet could be hacked, and machines that weren't connected could be compromised wirelessly. Eleven U.S. states have banned or limited wireless capability in voting equipment, but Stigall said that election officials didn't always know it when wireless cards were embedded in their machines."
The insanity of Internet voting was demonstrated when a team of white hat hackers led by University of MI Computer Science Prof. J. Alex Halderman not only hacked into the D.C. Internet Voting System, taking over the entirety of the system, but then successfully prevented potentially malicious hackers from Iran and China --- who Halderman and his team had noticed were also attempting to access the same system --- from being able to access it. Good guy hackers changed the password on the vulnerable system, during a live experiment, in order to keep the bad guy hackers out.
As revealed in study-after-study, systemic vulnerability is not limited to Internet hacks. The principle threat comes from insiders, including election employees, officials and e-voting vendors. It is a vulnerability that exists not only with respect to the computers upon which we vote but the computers that store voter eligibility rolls --- a point poignantly demonstrated nearly a decade ago by Greg Palast in The Best Democracy Money Can Buy.
Palast described an illegal purge in the run-up to the 2000 election from Florida's computerized voter rolls by then FL Sec. of State Katherine Harris and ChoicePoint's DBT unit. Tens of thousands of innocents, who were guilty of nothing more than having registered to vote while being Black, a Democrat, or both, were disenfranchised when they were falsely labeled as felons and then illegally prevented from casting votes that could well have changed the course of history.
Florida's switch from 100% unverifiable DREs to optical scanners did not eliminate vulnerability --- a point underscored when malicious software was discovered in the Pinellas County, FL vote tabulation system.
Both the 100% unverifiable DREs and the optical scan systems entail reliance upon computer counts which can be undetectably rigged by a single malicious insider, or simply fail due to mis-programming or physical failure. An example of such rigging was dramatically captured on film and shown in the climactic final scene of the Emmy-nominated 2006 HBO documentary Hacking Democracy.
As our recent series of articles pertaining to the hotly contested WI Supreme Court Election underscored, while paper ballots are used in optical scan systems, they provide no assurance of accuracy unless they are publicly hand-counted by human beings --- and even that recourse can prove ephemeral absent strict, secure, transparent post-election chain-of-custody procedures. Those articles also underscored that the MSM can be counted on to ignore the problem, no matter how blatantly obvious, well-documented, and independently verifiable the concerns.
Over the past decade, most Americans have engaged in faith-based voting, conducted on exorbitantly-priced, and utterly insecure e-voting systems. We have turned to complex security concerns while ignoring the elegantly simple, inexpensive and transparent solution that is to be found in "Democracy's Gold Standard" --- hand-marked, paper ballots, publicly hand-counted at the precinct level on Election Night.
You can watch that remarkable landmark hack described above, as it happened in real time in Leon County, Florida, in the climactic scene from Hacking Democracy, as posted below [appx 9 mins]...