Public Comments on Top to Bottom Review of Voting Systems Used in California
By John Washburn, VoteTrustUSA Voting Technology Task Force
July 31, 2007
Secretary Bowen, I thank you for this opportunity to make a public comment on the results of the top to bottom review. My name is John Washburn. I am a resident of Germantown, Wisconsin. I have worked as a software tester and in the field of quality assurance since 1994. I am currently certified by the American Society for Quality as a CSQE (certified software quality engineer). It is a certification I have held continuously and proudly since 1998. I have read the documents found on the website of the California Secretary of State and would like to submit the following comments.

I read with fascination the various attack scenarios. Many are elegant applications to voting systems of well understood attack vectors used against other computerized systems. The results are important, disturbing, and must be addressed. But, as disturbing and important as these technical findings are, I do not believe they are the most disturbing information uncovered by the top to bottom review. The most disturbing findings are:

1. The systems are inaccessible and, in some cases, are an active obstacle to voting accessibility.
2. The revelation that vendor representations may be fraudulent.
3. The continuing evidence that the NASED/ITA model for certification has failed and is not worth the paper it is written on.
4. The continuing evidence that voting systems are defect-dense.

The Systems are not Accessible

The Accessibility Review by Noel Runyan and Jim Tobias is thorough, detailed, and precise in its findings. None of the three systems reviewed meets the minimum accessibility requirements of the Help America Vote Act (HAVA) or the 2005 Voluntary Voting System Guidelines (2005 VVSG). Direct Recording Electronic (DRE) systems, compared to precinct-based optical scanning, are more expensive to purchase, more expensive to test, more expensive to maintain and, by all indications, more insecure. The justification for why American elections must endure the additional insecurity and expense of DRE systems is that DRE systems allow disabled voters and voters in language minorities the opportunity to vote privately and independently. This accessibility review refutes this justification in exceptional detail. For the first time, someone has enumerated all of the accessibility requirements of both HAVA and the 2005 VVSG and objectively tested for conformance.

Moreover, under some conditions the DRE system is an active impediment to voting. If the person is voting in a language other than English which uses a non-Roman alphabet, such as Chinese, the DRE screen does not render the characters at all. Even if the translation were well done, it is worthless if the translated text cannot be rendered for display. This is an active impediment to voting by these language minorities. If the person has normal vision, normal hearing, and normal upper body strength and dexterity, but is confined to a wheelchair, the DRE system is inaccessible because the forward approach is blocked by the narrow legs of the stand, the screen is hard to reach because of its height, and it is subject to parallax errors. For this class of voters, the DRE either prevents voting or makes voting uncomfortably arduous because of the need for a side approach.
Since Wisconsin has paper ballots which are tallied by optical scanner or are hand counted, voters who are wheelchair bound can be accommodated with a clipboard or a suitably low table. If the polling location has only DRE equipment, though, then the DRE equipment introduces a barrier to voting which did not exist before.

Representations of the Systems May be Fraudulent

The Red Team Report for Sequoia by Vigna, Kemmerer, et al. includes several comments where the properties of the Sequoia Voting System were misrepresented to the security testing team by Sequoia. Sections 4.4 and 4.8 are two such examples. Section 4.4 of the security assessment report states:

There is no way to determine which version of the firmware is running on an Edge device. The Sequoia documentation states that the firmware is stored in ROM and that checksum-based mechanisms are used to determine if the firmware has been modified maliciously. However, in reality there is no secure, hardware based mechanism to ensure that no corrupted firmware gets loaded and executed. In addition, the Edge firmware is stored on a flash memory card and can be easily overwritten. Hardware support for trusted software execution and the use of non-writable memory would protect the Edge device from a large range of attacks from both insiders and outsiders.

Section 4.8 of the security assessment reads:

In the documentation ([10], p. 3-1), it is stated that: “WinEDS currently does NOT utilize code outside of MS SQL Server and no connections or permissions are required on the server (besides SQL Client.) The lack of server access by individual users provides the application with a secure client-server environment. The election data stored on the server can only be modified by authorized users only through the application.” Unfortunately, this is not true. In fact, it is possible to connect to the database and completely compromise the MS SQL server host without using the WinEDS application. This is achieved by exploiting two security problems. First of all, the WinEDS access control procedures can be bypassed. Second, the MS SQL server delivered with the Sequoia system enables users to execute arbitrary commands.

The emphasis of the quoted sections above is mine and highlights the diplomatic language of the assessment team. The representations of section 4.8 were made by Sequoia to the Wisconsin State Elections Board during the May 16, 2007 meeting of the Elections Board. To me this indicates the representation by Sequoia Voting Systems of the security of WinEDS is a consistent representation. Another consistent representation is that the firmware of the system is in read-only memory (ROM). Instead, the security team found the firmware is stored on EEPROM/Flash memory. Flash memory is the same type of memory used in a portable flash drive or an iPod. Read-only memory is just that: read-only. Once created, the contents cannot be re-written, but can only be read. While flash memory retains its contents when the power is off (non-volatile), it can be re-written (mutable). Read-only memory is both non-volatile and immutable. Flash memory is not. Both of these representations (ROM-based firmware and secured SQL architecture) are false. Since I am not an attorney, I cannot judge whether such false representations constitute fraud. But the misrepresentations are, to me, fundamental and hard to classify as anything other than an effort to deceive.

The NASED/ITA Testing Model has Failed

The security reports as a whole present more evidence that the NASED/ITA framework for testing and certification has been an utter failure. This is a significant problem which stretches across the whole country. The NASED/ITA model was used as the basis for certification of EVERY voting system currently in use in the United States.
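Returning to the firmware point from Section 4.4 and the ROM-versus-flash discussion above, the following Python is an added illustration (not code from this comment, from the assessment team, or from any vendor) of why a checksum kept beside the firmware in writable memory can neither identify the firmware version nor detect modification, while a digest manifest held in immutable storage can do both. The firmware bytes, version labels and function names are constructed for the example.

```python
import binascii
import hashlib
import hmac
from typing import Optional

# Constructed sample firmware images and version labels (not real Edge
# firmware); each carries a visible version string for readability.
FIRMWARE_IMAGES = {
    "sample-fw-1.0": b"SAMPLE FIRMWARE 1.0 (constructed)\x00" * 8,
    "sample-fw-1.1": b"SAMPLE FIRMWARE 1.1 (constructed)\x00" * 8,
}

# Model of a manifest kept where the device cannot rewrite it: true ROM, or a
# signed manifest checked by a hardware root of trust. Maps version -> SHA-256.
APPROVED_DIGESTS = {
    version: hashlib.sha256(image).hexdigest()
    for version, image in FIRMWARE_IMAGES.items()
}


def store_with_crc(image: bytes) -> bytes:
    """Lay out an image the way a checksum-only scheme keeps it in writable
    flash: payload followed by a 4-byte CRC32 trailer over the payload."""
    return image + binascii.crc32(image).to_bytes(4, "big")


def crc_trailer_ok(flash: bytes) -> bool:
    """The 'checksum-based mechanism': recompute CRC32 over the payload and
    compare it with the trailer that lives in the same writable memory."""
    payload, trailer = flash[:-4], flash[-4:]
    return binascii.crc32(payload).to_bytes(4, "big") == trailer


def rewrite_in_flash(flash: bytes, new_prefix: bytes) -> bytes:
    """Model any rewrite of mutable flash: the payload changes and the
    trailer is recomputed alongside it, so the CRC check still passes."""
    payload = flash[:-4]
    return store_with_crc(new_prefix + payload[len(new_prefix):])


def identify_version(flash: bytes) -> Optional[str]:
    """Version identification against the immutable manifest: hash what is
    actually in flash and return the approved version it matches, or None
    when the image is unknown or has been modified."""
    digest = hashlib.sha256(flash[:-4]).hexdigest()
    for version, approved in APPROVED_DIGESTS.items():
        if hmac.compare_digest(digest, approved):
            return version
    return None


def boot_allowed(flash: bytes) -> bool:
    """A verifier anchored in immutable storage refuses unknown images."""
    return identify_version(flash) is not None


if __name__ == "__main__":
    flash = store_with_crc(FIRMWARE_IMAGES["sample-fw-1.0"])
    print("pristine:", crc_trailer_ok(flash), identify_version(flash))
    changed = rewrite_in_flash(flash, b"SAMPLE FIRMWARE 9.9")
    print("modified:", crc_trailer_ok(changed), identify_version(changed))
```

The modified image passes the CRC check but matches no approved digest, which is exactly the gap between the documented "checksum-based mechanism" and the hardware-anchored verification the assessment team calls for.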
With the exception of lever machines in New York, only equipment qualified by the NASED/ITA process was used in the most recent Federal election held on November 7, 2006. That this testing and certification model is ineffective and flawed is a concern for the whole country, not just the State of California. The NASED/ITA testing framework failed to find any of the findings of these three reports during repeated rounds of testing conducted over the course of several years. The results of these three reports from the Top-To-Bottom Review, on the other hand, were all uncovered in less than one month of examination. Each of the findings in the security reports is evidence of the failure of the NASED/ITA process. For illustration I will focus on only two of the findings from the Sequoia security assessment. The NASED/ITA testing and certification system failed to find:

• There is no way to determine which version of the firmware is running on an Edge device. (Section 4.4 of the Sequoia Security Assessment Report.)
• The Edge firmware was discovered to include a shell-like scripting language interpreter. (Section 4.5 of the Sequoia Security Assessment Report.)

The inability to identify the system under test is a violation of Section 8.6.d, Volume I; Section 8.7.1, Volume I; and Appendix B.3, Volume II of the 2002 VVSG. Section 8.6.d, Volume I states:

The vendor shall establish such procedures and related conventions, providing a complete description of those used to:
a. Perform a first release of the system to an ITA;
b. Perform a subsequent maintenance or upgrade release of the system, or a particular component, to an ITA;
c. Perform the initial delivery and installation of the system to a customer, including confirmation that the installed version of the system matches exactly the qualified system version; and
d. Perform a subsequent maintenance or upgrade release of the system, or a particular component, to a customer, including confirmation that the installed version of the system matches exactly the qualified system version.

Section 8.7.1, Volume I states:

8.7.1 Physical Configuration Audit
The PCA is conducted by the ITA to compare the voting system components submitted for qualification to the vendor’s technical documentation. For the PCA, a vendor shall provide:
a. Identification of all items that are to be a part of the software release;

Section B.3, Volume II (System Identification) states:

B.3 System Identification
This section gives information about the tested software and supporting hardware, including:
a. System name and major subsystems (or equivalent);
b. System Version;
c. Test Support Hardware; and
d. Specific documentation provided in the vendor's TDP used to support testing.

Since “There is no way to determine which version of the firmware is running on an Edge device”, it is not possible to meet any of these three requirements of the 2002 VVSG. How was this failure to conform missed by the vendor-funded test labs during repeated rounds? Paul Craft, Steven V. Freeman, and Britt Williams of the technical subcommittee of the NASED Voting Systems Board reviewed every report generated by the vendor-funded ITA labs. How is it that they failed to notice that the labs were not testing for conformance to the system identification requirements? One possibility is that these three granted a waiver to Sequoia Voting Systems on the matter of conformance to the standard. Such waivers to conformance are permitted by Appendix B.5, Volume II of the 2002 and 2005 VVSG. The relevant paragraph of Appendix B.5 of the 2002 VVSG reads:

Of note, any uncorrected deficiency that does not involve the loss or corruption of voting data shall not necessarily be cause for rejection. Deficiencies of this type may include failure to fully achieve the levels of performance specified in Volume I, Sections 3 and 4 of the Standards, or failure to fully implement formal programs for qualify[sic] assurance and configuration management described in Volume I, Sections 7 and 8. The nature of the deficiency is described in detail sufficient to support the recommendation either to accept or to reject the system, and the recommendation is based on consideration of the probable effect the deficiency will have on safe and efficient system operation during all phases of election use.

As the security assessment report states, interpreters are prohibited by the 2002 VVSG. Again, how is it that the vendor-funded ITA labs failed to notice the presence of a prohibited interpreter during any of several rounds of testing? The problem for California on this matter is more acute. In December of 2005 it became public knowledge that the voting systems from Diebold Election Systems Inc. used prohibited interpreters and interpreted code. In response, Bruce McDannold, Interim Director of the Office of Voting System Technology Assessment, specifically asked Paul Craft and Steven V. Freeman if there were any other voting systems used in California which also had interpreters and interpreted code. In this email exchange, Mr. McDannold reveals the State of California is “picking on” Diebold over the interpreted code issue. At the time, Mr. Craft and Mr. Freeman stated that no other voting system used in California used interpreters or interpreted code. It is ironic that the security assessment team has vindicated Diebold Election Systems. There were two voting systems in California using interpreters, but only Diebold was singled out for investigation. Paul Craft and Steven V. Freeman are 2 of the 3 people on the technical subcommittee of the NASED Voting Systems Board. How is it they were unaware of the interpreter found in the Edge voting systems from Sequoia? Mr. Craft and Mr. Freeman were hired because of their connection with the NASED process and their expert knowledge of voting systems. The State of California specifically and directly asked both Mr. Craft and Mr. Freeman about interpreters in California voting systems. They stated Diebold was unique. Mr. Craft and Mr. Freeman failed the State of California when they provided this incorrect answer. One may ask what other work product from Mr. Craft and Mr. Freeman may also be defective.

The Systems are Defect-Dense

Over the years, every time a vendor-independent team investigates a voting machine the team finds new, significant, and possibly election-altering defects. An incomplete list of these past studies is:

• The 2003 Johns Hopkins report,
• The 2003 RABA report from Maryland,
• The 2003 Compuware report from Ohio,
• The 2004 follow-up reports by Compuware to the initial 2003 Ohio report,
• The 2005 examinations by Hugh Thompson in Leon County,
• The 2005 examinations of Harri Hursti in Leon County, Florida,
• The 2006 examinations by Harri Hursti in Emery County, Utah,
• The 2006 Princeton report on the TSx,
• The 2007 report from the University of Connecticut on the AccuVote OS, and
• The 2007 report from the University of Connecticut on the AccuVote TSx.

These three security assessments again find new and significant defects which are distinct from those found in these prior reports. In my expert opinion, this is a symptom that the software in these systems is defect-dense. A defect-dense system is one where the number of defects per line of code is high. Other measures of software size, such as function points, may be used to describe defect density. Defect-dense systems are marked by the same properties exhibited by voting systems:

1. Different testers find different defects. In defect-sparse systems, different testers tend to find the same defects over and over. This is because there are so few defects to find that effective testing by different groups repeatedly finds the few defects present.
2. The defects found are generally severe. This is because severe defects are usually found before minor defects. Major defects are easier to detect because the behavior is manifestly incorrect, and major defects tend to hide or obscure the presence of more minor defects.

Consider a line of automobiles from the fictional manufacturer Washburn Motors. What if every time a mechanic or engineer not hired by Washburn Motors examines one of my cars, he finds something new which is wrong, and that something found is serious? One mechanic finds the engine stalls at 60 miles per hour. A second discovers the axles tend to break. A third notices the brakes fail intermittently in warm weather. A fourth discovers the lock on the doors can be bypassed by unscrewing the door from its hinges. A fifth discovers the odometer sometimes loses 18,000 miles. Would you buy a car from Washburn Motors? Most would not. This is because even though they do not use the term defect-dense, most people instinctively recognize the symptoms and would rationally avoid buying a lemon from Washburn Motors. Voting systems currently exhibit the same behavior as the fictional cars from Washburn Motors. Every time someone not hired by the manufacturer examines the product, they find something new which is wrong, and that something found is serious.

Conclusion

Secretary Bowen faces some hard choices which must be made in a short time frame. I wish I could offer more than the following suggestions.

1. Do not rely on the results of the NASED/ITA model. It has failed, and the certifications issued under the program may not be worth the paper they are written on. I would urge the Secretary to consider creating a multi-state testing consortium. This idea was first presented to the state by Eric Lazarus during the Voting Testing Summit sponsored by the State of California in 2005. His paper is found here. An expansion on the framework proposed by Mr. Lazarus is found here. I have misgivings that the EAC/NIST/VSTL model currently under construction is little more than the NASED/ITA model with different acronyms.
2. To the extent possible, limit the expansion of this unreliable and inaccessible voting technology. Consider technology which actually expands accessibility, such as non-tallying ballot marking devices (e.g. Automark or Vote-PAD) or systems which print ballots on demand under the direction of voters. Expanding the franchise to those with disabilities or who are in a language minority is a goal which resonates with the deepest aspirations of the American ideal. We should select technology which is both appropriate and effective in realizing this ideal.
3. Sequoia was asked by Bruce McDannold in December of 2005 if there were interpreters or interpreted code found on voting systems from Sequoia. What was the company's response to this question? The representations made by Sequoia which have been contradicted by the security assessment team must be assessed to determine if those representations constitute fraud.
4. Were the non-conformances found by the top-to-bottom review also found by the NASED/ITA? Testing results under the NASED/ITA model are considered trade secrets held by the equipment manufacturer. Thus it is possible the reported non-conformances were discovered by the NASED/ITA process and granted waivers, but the disclosure of such waivers has been blocked by the assertion of trade secrets.