But the most startling information in the state's 13-page report (.pdf) is not about why the system lost votes, which Threat Level previously covered in detail, but that some versions of Diebold's vote tabulation system, known as the Global Election Management System (GEMS), include a button that allows someone to delete audit logs from the system.

Auditing logs are required under the federal voting system guidelines, which are used to test and qualify voting systems for use in elections. The logs record changes and other events that occur on voting systems to ensure the integrity of elections and help determine what occurred in a system when something goes wrong.

"Deleting a log is something that you would only do in de-commissioning a system you're no longer using or perhaps in a testing scenario," says Princeton University computer scientist Ed Felten, who has studied voting systems extensively. "But in normal operation, the log should always be kept."

Yet the Diebold system in Humboldt County, which uses version 1.18.19 of GEMS, has a button labeled "clear," that "permits deletion of certain audit logs that contain – or should contain – records that would be essential to reconstruct operator actions during the vote tallying process," according to the California report.

Larger than acceptable number of cards contained what we describe as “junk” data. By saying that we understand that the card does not contain proper programming, and instead contains what appears to be random noise. When one puts the card containing the “junk” data into the AV-OS terminal it issues a prompt requesting to format the card. Thus such cards are easily detectable and cannot possibly be used in an election. It seems unlikely that these cards were (electromagnetically) damaged in shipping. Consequently, it appears that these cards were either not adequately tested by LHS Associates, or they experienced some kind of hardware/software failure at some point. Among the audited cards 5.4% of the cards contained junk data. This percentage is high and this issue has to be resolved in the future.…

We performed pre-election audit of cards for all districts, and in this sense it is a complete audit. However the cards do not contain the results of pre-election testing done by the districts, and they were not randomly selected by the districts for the purpose of the audit. Instead the cards were provided to us directly by LHS. The results of the audit would be strengthened if it covered also the pre-election testing done by the districts. Our previous memory card audits in fact included this. However, our forthcoming companion report (to be available at http://voter.engr.uconn.edu/voter/Reports.html) will document the results of the post-election audit, covering most of the districts, and containing the observations about the card usage in pre-election testing at districts and in the election itself.

This article appeared on the wired.com Threat Level Blog and is reposted here with permission of the author.

More than a hundred computer chips containing voting machine software were lost or stolen during transit in California this week.

Two cardboard shipping tubes containing 174 EPROMs loaded with voting machine software were sent via Federal Express on December 13th from the secretary of state's office in Sacramento to election officials in nineteen California counties that use optical-scan voting machines made by Diebold Election Systems.

But on Monday, two shipping tubes arrived empty to one of these counties.

In San Diego County, one of the empty tubes arrived with no lid on the end of it to close the tube; the second tube had a lid, but it was loosely taped shut.

Nicole Winger, spokeswoman for the secretary of state's office, says that the California highway patrol and the Sacramento County sheriff's department are investigating whether the chips fell out of the tubes or were stolen.

This article appeared on Avi Rubin's Blog and is reposted here with permission of the author.

In an Associated Press story today, Diebold confirms that they tried and failed to sell their voting technologies business. Given the recent reports in California and Florida, I imagine it will be even harder for them now. I think people, even within Diebold, are coming to the realization that DREs are the wrong model for voting systems. There are several reasons for this.

1. DREs are too complex. There are typically 50,000+ lines of code in a DRE, much of that involves user interface and audio capability, and providing the DRE interface and user experience is not worth the hit in complexity.
   
   
2. DREs serve as a bottleneck on election day. DREs are expensive, and so it is unlikely that precincts will have more than they need. Since voters typically spend several minutes voting, and I've observed as a poll worker that quite a few voters take more than 10 minutes, the potential for long lines is tremendous. Once a backlog of voters is created, it only gets worse, as the effect propagates much like the airline systems gets backed up in a positive feedback loop of delays once some flights are late.
   
   
3. DREs are non-transparent. The public justifiably does not trust them. They cannot be independently audited, despite the vendor's insincere claims to the contrary. Even DREs with a VVPAT cannot be properly audited because they just don't work as we would hope. Voters often do not check the paper. The paper rolls used by most vendors do not lend themselves to easy recounts, and the retrofitting of DREs with VVPAT has led to awkward and sometimes ill defined procedures, especially when a voter disputes the printout.
   
   
4. Finally, a much better model for voting systems exists, namely, paper ballots with optical scan precinct counting and ballot marking machines for disability access.
   

This article appeared on Avi Rubin's Blog and is reposted here with permission of the author.

The Florida Secretary of State has just released a report from the Security and Assurance in Information Technology Laboratory (SAIT) at Florida State University titled "Software Review and Security Analysis of the Diebold Voting Machine Software". This report is the output of a study that Florida commissioned to determine whether flaws reported in previous studies of voting systems, including my group's study, had been fixed yet. I was a reviewer of this report, and my graduate student, Ryan Gardner, played a key role in the study. The group was led by Alec Yasinsac who led the previous FSU study on voting machine security for Florida.

I am pleased to see that there are so many studies of voting systems being performed. In this past year, Connecticut, California, and now Florida have conducted thorough reviews, and all of them have highlighted serious problems with the voting systems. All this is happening as the House is considering federal legislation to improve the auditability of voting equipment.

Once again this new report shows serious, serious problems with Diebold, and that they clearly have not fixed some of the most egregious problems. One of the weaknesses that our report in 2003 pointed out was that Diebold used a single, fixed encryption key for all encryption in the system. Diebold has moved from using DES to AES. However, the key management is just as bad as before, and possibly worse. Here is an excerpt from the new report released today.

Download the UConn Report on the Diebold TSX Terminal

The University of Connecticut Voting Technology Research Center has released a report , which presents certain integrity vulnerabilities in the Diebold AV-TSx Voting Terminal. We present two attacks based on these vulnerabilities: one attack swaps the votes of two candidates and another erases the name of one candidate from the slate. These attacks do not require the modification of the operating system of the voting terminal (as it was the case in a number of previous attacks). These attacks against the voting terminal can be launched in a matter of minutes and require only a computer with the capability to mount a PCMCIA card file system (a default capability in current operating systems).
 
The security problems are present in the system despite the fact that a cryptographic integrity check appears to be employed in the voting system’s memory card. The attacks presented in this report were discovered through direct experimentation with the voting terminal and without access to any internal documentation or the source code from the manufacturer.

the AV-TSX voting terminals are quite different from the AccuVote Optical Scan terminals, and the vulnerabilities presented in this report do not apply to the Optical Scan terminals used by the State of Connecticut. The AV-TSX terminals are not used in Connecticut. 

This article was posted at the Wired.com Threat Level Blog and is reposted here with permission of the author. 

Maryland's Linda Lamone isn't the only election official appearing in literature to market Diebold voting systems (see this post from last week). Another, older, brochure has surfaced featuring photos and quotes from four other current and former election officials from Maryland and other states. Conny McCormack, the registrar of voters from Los Angeles County; Margaret Jurgensen, election director of Montgomery County, Maryland; Cathy Cox, Georgia's former secretary of state; and Connie Schmidt, former election commissioner of Johnson County, Kansas. All four appear in a Diebold brochure titled "We Won't Rest" touting the company and its machines.

Last week Lamone, Maryland's Board of Elections administrator, was chastised by the governor after Wired News revealed Lamone's participation in a Diebold brochure praising Diebold's new e-pollbook product -- a product that experienced widespread failure during the state's September primary last year. The governor ordered Lamone to tell Diebold to cease using the brochure, which she did, and asked the state ethics commission to look into the matter. Lamone's actions violated a state ethics law.

The Diebold AccuVote TSx, like those used here in Washington County, Wisconsin, were discovered to have a failure rate of between 23% and 38% in Montgomery County, Ohio.

The failure here is very noteworthy because the failure is the failure of the AccuVote TSx to accurately record the ballot within the invisible computer memory. This was not a failure of the poorly designed toilet paper VVPAT printer. This was not a failure within the insecure GEMS server. This was not data corruption created by the unstable Microsoft JET database used by GEMS. This was a failure of the AccuVote TSx DRE to accurately translate the screen touches of the voters (testers) into invisible, electronic ballots stored within the flash memory of the AccuVote TSx.