Last week the Department of the Commonwealth of Pennsylvania released a report confirming the certification of the Diebold TSx touch screen voting machine and reversing an earlier decision to deny certification for the Diebold OS central count optical scanner. The state continued to deny state certification of the Diebold precinct count optical scanner. The report reveals how the Department of State of Pennsylvania and their expert consultant worked together with Diebold to fabricate a justification for state certification of machines that contain prohibited code and have the same potential of being hacked undetectably that was demonstrated in a well publicized test in Florida last month. The report refers to this test as the "Hursti Exploit".
On December 13, 2005 in a test election conducted by Leon County Florida Supervisor of Elections Ion Sancho, Finnish computer programmer Harri Hursti succeeded in altering the election results from a Diebold optical scan system undetectably, in spite of all the normal election security procedures. As a result of this "exploit", the California Secretary of State deferred certification for both the Diebold touchscreen and optical scan system until they were reviewed by the Independent Testing Authority (ITA) laboratory that had originally certified them. With 17 California counties heavily invested in Diebold equipment, there is no doubt considerable pressure to dismiss the significance of the defect in Diebold's software, particularly its presence in their touchscreen system, so that they can be re-certified for use in this year's elections. There has thus far been no response from the ITA, but the Pennsylvania report may be an indication of the obfuscation and fact-bending to come.
The Pennsylvania Department of State appears desperate to spend taxpayer dollars on Diebold equipment but, like California, they apparently couldn't just ignore the fact that this time concerned citizens and even The Washington Post are paying attention.
Just after the new year an exchange took place involving representatives of the Pennsylvania Department of State, their consultant, Dr. Michael Shamos, Professor of Computer Science at Carnegie Mellon University, and Diebold Election Systems, intended to make it officially "okay" to certify the TSx touchscreen machines and the central count optical scan systems. The statements made in the report by Dr. Shamos display a deep misunderstanding of the Hursti Exploit, a disregard for the requirements of State and Federal law, and a willingness to accept unsubstantiated and disingenuous claims by Diebold with, at best, minimal independent corroboration.
The "Hursti Exploit" and Interpreted Code
Hursti exploited the fact that Diebold’s software employs an "interpreted code" called AccuBasic. Interpreted code is quite appropriately prohibited by Section 4.2.2. of the Federal Election Commission’s 2002 Voluntary Voting System Guidelines (2002 VVSG) to which they were certified by the ITA. This Federal certification is required as a prerequisite to state certification in 37 states, including California and Pennsylvania.
Dr. Shamos himself was quoted in a San Mateo County Times article that "if there is some way to slip in interpreted code, then we have no way to control what the machine is executing." Hursti's exploit has revealed that interpreted code is basic to Diebold's software architecture. And it's not only on the optical scan system.
Hursti's exploit was performed on Diebold's AccuVote precinct-based optical scan voting system, but the use of AccuBasic programming is not limited to Diebold's optical scanners. The Diebold AccuVote TSx touchscreen machines store vote totals for candidates on a different kind of memory card - a PCMCIA card. Steve Freeman, on behalf of the California Secretary of State, published an executive summary of the Diebold Certification Testing in California, in which he states that the same AccuBasic files are run on both the optical scanner's 24-pin memory card and the PCMCIA cards of the AccuVote TSx touchscreen system. Thus, the same AccuBasic file can be used to mask the pre-stuffing of ballots on the AccuVote TSx as well.
So if interpreted code allowed an election to be altered undetectably, it’s a good thing it’s prohibited, right? After all, it’s a good idea to ensure that the software tested and approved during the qualification process can’t be modified “on the fly” – as Hursti demonstrated. But wait, Pennsylvania certified Diebold anyway! How could they do that?
How Diebold and Dr. Shamos Made Diebold "Okay" for Pennsylvania
First, Dr. Shamos claims on page 5 of the Pennsylvania report that AccuBasic does not reside on Diebold’s election management software (Global Election Management Software, or GEMS). Aside from the fact that this statement is false, it is also beside the point. Nowhere in the paper Harri Hursti submitted to the National Institute of Standards and Technology or in his Full Report is there any assertion that AccuBasic resides on the central GEMS server. The “Hursti Exploit” involves only the memory card in the optical scanner and the AccuBasic file on that memory card.
Dr. Shamos’ mention of the GEMS server is a completely spurious distraction. Once the voting machine's memory card has been pre-stuffed, all the electronic records - the memory card contents, the poll tape printed by the machine at the end of the day, the machine level data in the GEMS database, every summary number from the GEMS database, every report printed by the GEMS central tabulator - stem from a single source and that source is the corrupted memory card. Because there is a single source, every electronic record will be in agreement - and incorrect.
(It is worth noting that none of the electronic records would agree with totals derived from hand counts of voter verified paper records and this inconsistency would be revealed in a routine manual audit. But Pennsylvania, unlike 27 other states, does not yet have a requirement for a voter verified paper record.)
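The single-source problem described above, as an added illustration that is not part of the original article or of any Diebold software: every electronic record is derived from the card, so cross-checking them against one another passes, while a hand count of paper does not. All names, totals and ballots below are constructed for the example.

```python
# Constructed illustration: names and numbers are hypothetical and are not
# taken from GEMS, AccuBasic or the Pennsylvania report.
from collections import Counter

def derive_electronic_records(card_totals):
    """Every electronic record is produced from the memory card's totals."""
    return {
        "card": dict(card_totals),          # contents of the memory card
        "poll_tape": dict(card_totals),     # printed at close of polls
        "gems_machine": dict(card_totals),  # machine-level data uploaded centrally
        "gems_summary": dict(card_totals),  # central summary for this machine
    }

def electronic_records_agree(records):
    """Cross-check the electronic records against one another."""
    reference = records["card"]
    return all(r == reference for r in records.values())

def manual_audit(records, paper_ballots):
    """Compare a hand count of voter-verified paper with the reported totals.

    Returns {choice: (reported, hand_count)} for every mismatch.
    """
    hand_count = Counter(paper_ballots)
    reported = records["gems_summary"]
    choices = set(hand_count) | set(reported)
    return {c: (reported.get(c, 0), hand_count.get(c, 0))
            for c in sorted(choices)
            if reported.get(c, 0) != hand_count.get(c, 0)}

# Constructed sample: what voters marked on paper.
PAPER = ["A"] * 6 + ["B"] * 4
# Constructed sample: an accurate card and one whose totals differ from the paper.
HONEST_CARD = {"A": 6, "B": 4}
CORRUPTED_CARD = {"A": 4, "B": 6}

if __name__ == "__main__":
    recs = derive_electronic_records(CORRUPTED_CARD)
    print("electronic records agree:", electronic_records_agree(recs))
    print("audit discrepancies:", manual_audit(recs, PAPER))
```

The internal consistency check returns the same answer for the accurate and the corrupted card; only the comparison against an independent paper record distinguishes them.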
Next, Dr. Shamos claims that the prohibition of self-modifying code, dynamically loaded code, and interpreted code found in section 4.2.2 of the 2002 VVSG does not apply to the Diebold equipment (both optical scanners and touch screen DRE’s) because of an exception. Section 4.2.2 reads:
“Self-modifying, dynamically loaded or interpreted code is prohibited, except under the security provisions outlined in section 6.4.e.”
The only problem is that there is no section 6.4.e! It doesn’t exist.
Dr. Shamos notes that this “appears to be a typographical error” and then takes the initiative and decides that it is “apparently meant to refer to 6.4.1(e)”. Whether Dr. Shamos’s speculative interpretation of Section 4.2.2. is correct or not, he should know that he has no authority to interpret the 2002 VVSG. The sole arbiter of the 2002 VVSG is the National Association of State Election Directors (NASED) Voting Systems Board. This is clearly stated in Section 9.6.4 of the 2002 VVSG:
“The NASED Voting Systems Board (the Board) is responsible for resolving questions about the application of the Standards in the testing of voting systems. The Secretariat for the Board will relay its decisions to the NASED certified ITAs and voting system vendors. The Federal Election Commission will monitor these decisions in order to determine which of them, if any, should be reflected in a subsequent version of the standards.”
There is no indication that Dr. Shamos consulted with the NASED Voting Systems Board to determine if his interpretation of section 4.2.2, and by extension Pennsylvania state law, is correct.
Instead, Dr. Shamos took the initiative upon himself and decided by fiat that the exception to the prohibition of interpreted code was 6.4.1(e). So, just what is that exception?
“After initiation of Election Day testing, no source code or compilers or assemblers shall be resident or accessible.”
Having established this interpretation of the typo, he draws the conclusion that dynamically loaded, interpreted code is permissible if, and only if, the AccuBasic file on a memory card cannot be changed between the time of testing and an election. This point of contention cannot be overstated. It is the critical, bright line test between whether the Diebold system conforms to the 2002 VVSG (and is legal to use in the state of Pennsylvania) or does not conform to the 2002 VVSG (and is illegal to use in the state of Pennsylvania).
How did Dr. Shamos gather his evidence on this critical, multi-million dollar point of law? He asked Diebold and took their word for it.
A conference call was held on January 3rd involving representatives of the Department of State, Dr. Shamos and representatives of Diebold Election Systems. Four questions were posed to Diebold, which the company answered in a letter dated January 5th. Dr. Shamos reviewed Diebold’s answers and reported back on January 7th that everything was fine, in spite of the fact that Diebold's letter is rife with false and contradictory statements. (See "Diebold's Letter to Pennsylvania: A Rebuttal".) Apparently Dr. Shamos chose to accept Diebold's disingenuous claims.
Lies Of Omission
In the San Mateo County Times article cited above, Dr. Shamos followed the Diebold party line:
“Voting-system experts say the vote fraud fails if the hacker can't gain access to the memory cards or can't change the vote reports without detection. The vulnerability is not as great with Diebold's touchscreen voting machines, which also use interpreted code stored on PC cards. But those programs are encrypted, making it more difficult to alter their contents, Shamos said, and unlike the older optical scanners, the touchscreens automatically clear their memory for storing votes when started up for an election.”
However, in public statements and in their response to the state of Pennsylvania, Diebold has not said that the programs ARE encrypted; they say that they CAN be encrypted. There are no requirements and no procedures for validating the software on Election Day. If the AccuBasic scripts have modified the code, as in "Hursti's Exploit", there is no process for detection. Diebold has graciously provided Shamos with an excuse to ignore the serious security risk posed by the presence of interpreted code in their software.
Further, Dr. Shamos appears to be proposing that the optical scanners retain the last election while conducting the current election. Of course they don't. All voting machines "clear their memory for storing votes" when starting up an election - they MUST because this process deletes the votes from any previous election. Dr. Shamos is incorrect in suggesting that the memory in the touchscreen machines is somehow less vulnerable to modification through the resident interpreted code.
In fact, they are more vulnerable to such manipulation.
What Dr. Shamos Is Ignoring
Had Dr. Shamos consulted with the NASED Voting Systems Board to determine if his interpretation of section 4.2.2 of the 2002 VVSG was correct, he might have spoken with Dr. Brit Williams. In addition to his position on the Voting Systems Board, Williams is the chief consultant from Kennesaw State University who performed the certification test on the Diebold touchscreen machines used for the state of Georgia. At the March 9, 2005 meeting of The National Institute of Standards and Technology (NIST) Technical Guidelines Development Committee (TGDC), Dr. Williams explained just how PCMCIA cards are programmed on Diebold's touchscreen machines.
“…right now the primary use of wireless technology in a voting system is to program voting stations. Because if I have got 3,000 voting stations and I have to load those with pc cards, then I have got to sit down and manufacture 3,000 pc cards, and keep them separated by precinct. Whereas if I could sit in my warehouse and load those ballot images wirelessly, there is a tremendous advantage. We need to address that. What are the dangers there?”
According to Dr. Williams, the AccuBasic file in the Diebold TSx can be altered using the same wireless fidelity (WiFi) networking protocol found at your local Starbucks café. Given that the AccuBasic file can be altered remotely during the period between certification and its use in an election, Dr. Shamos, as the state evaluator responsible for ensuring the confidence of the citizens of Pennsylvania in their elections, should have asked this question: Would the TSx machine boot up properly with a PCMCIA card altered in the manner described by Dr. Williams?
There is no evidence in the Pennsylvania report that any effort was made to answer this critical question.
They just took Diebold’s word for it.
This is an odd inversion of the burden of proof to be used by the consultant hired by the State of Pennsylvania to ensure the election laws of the State are not evaded or broken. Until these questions are answered, Pennsylvania should revoke certification of both the Diebold TSx and optical scanners as well as any equipment from other vendors that also has a PCMCIA or other memory card.