 |
Sat Jul 04 2009 | |||||||||
|
||||||||||
|
Departments Election Issues Optical scan machines hacked in Florida by Black Box Voting June 2, 2005 Tallahassee, FL: "Are we having fun yet?" This is the message that appeared in the window of a county optical scan machine, startling Leon County Information Systems Officer Thomas James. Visibly shaken, he immediately turned the machine off. Diebold's opti-scan (paper ballot) voting system uses a curious memory card design, offering penetration by a lone programmer such that standard canvassing procedures cannot detect election manipulation. The Diebold optical scan system was used in about 800 jurisdictions in 2004. Among them were several hotbeds of controversy: Volusia County (FL); King County (WA); and the New Hampshire primary election, where machine results differed markedly from hand-counted localities. New regs: Counting paper ballots forbidden Some states prohibit elections officials from checking on optical scan tallies by examining the paper ballots. In Washington, according to former supervisor of elections Julie Anne Kempf, Secretary of State Sam Reed declared such spontaneous checkups to be "unauthorized recounts." New Florida regulations will forbid counting paper ballots, even in recounts, except in highly unusual circumstances. Without paper ballot hand-counts, the hacks demonstrated below show that optical-scan elections can be destroyed in seconds. A little man living in every ballot box The Diebold optical scan system uses a dangerous programming methodology, with an executable program living inside the electronic ballot box. This method is the equivalent of having a little man living in the ballot box, holding an eraser and a pencil. With an executable program in the memory card, no Diebold opti-scan ballot box can be considered "empty" at the start of the election. The Black Box Voting team proved that the Diebold optical scan program, housed on a chip inside the voting machine, places a call to a program living in the removable memory card during the election. The demonstration also showed that the executable program on the memory card (ballot box) can easily be changed, and that checks and balances, required by FEC standards to catch unauthorized changes, were not implemented by Diebold -- yet the system was certified anyway. The Diebold system in Leon County, Florida succumbed to multiple attacks. Ion Sancho: Truth and Excellence in Elections Leon County Elections Supervisor Ion Sancho and Information Systems Officer Thomas James had already implemented security procedures in Leon County far exceeding the norm in elections management. This testing, done by a team of researchers including Black Box Voting, independent filmmakers, security expert Dr. Herbert Thompson, and special consultant Harri Hursti, was authorized by Mr. Sancho, in an unusual act of openness and courage, to identify any remaining holes in Leon County's election security. The results of the memory card hack demonstration will assist elections supervisors throughout the U.S., by emphasizing the critical importance of accounting for each and every memory card and protecting access. Findings: Computer expert Harri Hursti gained control over Leon County memory cards, which handle the vote-reporting from the precincts. Dr. Herbert Thompson, a security expert, took control of the Leon County central tabulator by implanting a trojan horse-like script. Two programmers can become a lone programmer, says Hursti, who has figured out a way to control the entire central tabulator by way of a single memory card swap, and also how to make tampered polling place tapes match tampered central tabulator results. This more complex approach is untested, but based on testing performed May 26, Hursti says he has absolutely no reason to believe it wouldn't work. Three memory card tests demonstrated successful manipulation of election results, and showed that 1990 and 2002 FEC-required safeguards are being violated in the Diebold version 1.94 opti-scan system. Three memory card hacks 1. An altered memory card (electronic ballot box) was substituted for a real one. The optical scan machine performed seamlessly, issuing a report that looked like the real thing. No checksum captured the change in the executable program Diebold designed into the memory card. 2. A second altered memory card was demonstrated, using a program that was shorter than the original. It still worked, showing that there is also no check for the number of bytes in the program. 3. A third altered memory card was demonstrated with the votes themselves changed, showing that the data block (votes) can be altered without triggering any error message. How to "Roll over the odometer" in Diebold optical scan machines Integer overflow checks do not seem to exist in this system, making it possible to stuff the ballot box without triggering any error message. This would be like pre-loading minus 100 votes for Tom and plus 100 votes for Rick (-100+100=ZERO) -- changing the candidate totals without changing the overall number of votes. A more precise comparison would be this: The odometer on a car rolls over to zero after 999,999. In the Diebold system tested, the rollover to zero happens at 65,536 votes. By pre-loading 65,511 votes for a candidate, after 25 real votes appear (65,511 plus 25 = 65,536) the report "rolls over" so that the candidate's total is ZERO. This manipulation can be balanced out by preloading votes for candidate "A" at 65,511 and candidate "B" at 25 votes -- producing an articifial 50-vote spread between the candidates, which will not be obvious after the first 25 votes for candidate "A" roll over to zero. The "negative 25" votes from the odometer rollover counterbalance the "plus 25" votes for the other candidates, making the total number of votes cast at the end of the day exactly equal to the number of voters. While testing the hack on the Leon County optical scan machine, Hursti was stunned to find that pre-stuffing the ballot box to "roll over the odometer" produced no error message whatsoever.* *We did not have the opportunity to scan ballots after stuffing the ballot box. Therefore, the rollover to zero was not tested in Leon County. This integer overflow capability is discernable in the program itself. We did have the opportunity to test a pre-stuffed ballot box, which showed that pre-loaded ballot boxes do not trigger any error message. Simple tweaks to pass L&A test and survive zero tape Though the additional tweaks were not demonstrated at the Leon County elections office, Hursti believes that the integer overflow hack can be covered up on the "zero tape" produced at the beginning of the election. The programming to cover up manipulations during the "logic & accuracy test" is even simpler, since the program allows you to specify on which reports (and, if you like, date and time of day) the manipulation will affect. The testing demonstrated, using the actual voting system used in a real elections office, that Diebold programmers developed a system that sacrifices security in favor of dangerously flexible programming, violating FEC standards and calling the actions of ITA testing labs and certifiers into question. In the case of Leon County, inside access was used to achieve the hacks, but there are numerous ways to introduce the hacks without inside access. Outside access methods will be described in the technical report to be released in mid-June. Security concerns Putting an executable program into removable memory card "ballot boxes" -- and then programming the opti-scan chip to call and invoke whatever program is in the live ballot box during the middle of an election -- is a mind-boggling design from a security standpoint. Combining this idiotic design with a program that doesn't even check to see whether someone has tampered with it constitutes negligence and should result in a product recall. Counties that purchased the Diebold 1.94 optical scan machines should not pay for any upgraded program; instead, Diebold should be required to recall the faulty program and correct the problem at its own expense. None of the attacks left any telltale marks, rendering all audits and logs useless, except for hand-counting all the paper ballots. Is it real? Or is it Memorex? For example, Election Supervisor Ion Sancho was unable to tell, at first, whether the poll tape printed with manipulated results was the real thing. Only the message at the end of the tape, which read "Is this real? Or is it Memorex?" identified the tape as a tampered version of results. In another test, Congresswoman Corrine Brown (FL-Dem) was shocked to see the impact of a trojan implanted by Dr. Herbert Thompson. She asked if the program could be manipulated in such a way as to flip every fifth vote. "No problem," Dr. Thompson replied. "It IS a problem. It's a PROBLEM!" exclaimed Brown, whose district includes the troubled Volusia County, along with Duval County -- both currently using the Diebold opti-scan system. This system is also used in Congressman John Conyers' home district, in contentious King County, Washington, and in Lucas County, Ohio (where six election officials resigned or were suspended after many irregularities were found.) Diebold optical scans were used in San Diego for its ill-fated mayoral election in Nov. 2004. - - - - - - - - - - - Optical scan systems have paper ballots, but election officials are crippled in their ability to hand count these ballots due to restrictive state regulations and budget limitations. The canvassing (audit) procedure used to certify results from optical scan systems involves comparing the "poll tapes" (cash register-like results receipts) with the printout from the central tabulator. These tests demonstrate that both results can be manipulated easily and quickly. Minimum requirements to perform this hack: 1. A single specimen memory card from any county using the Diebold 1.94 optical scan series. (These cards were seen scattered on tables in King County, piled in baskets accessible to the public in Georgia, and jumbled on desktops in Volusia county.) 2. A copy of the compiler for the AccuBasic program. (These compilers have been fairly widely distributed by Diebold and its predecessor company, and there are workarounds if no compiler is available.) 3. Modest working language of any one of the higher level computer languages (Pascal, C, Cobol, Basic, Fortran...) along with introductory-level knowledge of assembler or machine language. (Machine language knowledge needed is less than an advanced refrigerator or TV repairmen needs. The optical scan system is much simpler than modern appliances). The existence of the executable program in the memory card was discernable from a review of the Diebold memos. The test hacks took just a few hours for Black Box Voting consultants to develop. Nearly 800 jurisdictions conducted a presidential election on this system. This system is so profoundly hackable that an advanced-level TV repairman can manipulate votes on it. Black Box Voting asked Dr. Thompson and Hursti to examine the central tabulator and the optical scan system after becoming concerned that not enough attention had been paid to optical scans, tabulators and remote access. Thompson and Hursti each found the vulnerabilities for their respective hacks in less than 24 hours. "Open for Business" When it comes to this optical-scan system, as Hursti says, "It's not that they left the door open. There is no door. This system is 'open for business.'" The question now is: How brisk has business been? Based on this new evidence, it is time to sequester and examine the memory cards used with Diebold optical scans in Nov. 2004. The popularity of tamper-friendly machines that are "open for business" in heavily Democratic areas may explain the lethargy with which Democratic leaders have been approaching voting machine security concerns. The enthusiasm with which Republicans have endorsed machines with no paper ballots at all indicates that neither party really wants to have intact auditing of elections. The ease with which a system -- which clearly violates dozens of FEC standards going back to 1990 -- was certified calls into question the honesty, competence, and personal financial transactions of both testing labs and NASED certifiers. Revamp and update hand-counted paper ballot technology? Perhaps it is time to revisit the idea of hand-counted paper ballots, printed by machines for legibility, with color-coded choices for quick, easy, accurate sorting and counting. We should also take another look at bringing counting teams in when the polls close, to relieve tired poll workers. This report is the "non-techie" version of a longer report, to be made available around mid-June, with more technical information. --- See the original at http://www.bbvforums.org/forums/messages/1954/5921.html Email this article to a friend |
Don't forget to check out articles from 2008 and 2009
"An open letter to the Election Assistance Commission"
December 25, 2005
John Gideon, Executive Director of VotersUnite.Org and Information Manager for VoteTrustUSA.Org
"Diebold hack proven in county test!"
December 17, 2005
Glenn Yeagley
"Diebold Inc. in a tailspin after resignation of CEO and filing of a class action fraud lawsuit"
December 17, 2005
VelvetRevolution.us
"Orr thinks machines make voting simpler, more secure "
December 17, 2005
Mario Bartoletti
"Diebold "hack test" - Sec. State / Black Box Lawyer square off"
December 10, 2005
Black Box Voting
"With new legislation, Ohio Republicans plan holiday burial for American Democracy"
December 6, 2005
Bob Fitrakis & Harvey Wasserman
"Important daily voting news"
December 4, 2005
John Gideon
"Poll shock"
November 24, 2005
Robert C. Koehler, Tribune Media Services
"Ohio's Diebold Debacle: New machines call election results into question"
November 24, 2005
Bob Fitrakis & Harvey Wasserman
"Diebold attempts to evade election transparency laws"
November 20, 2005
Matt Zimmerman
"Supreme Court stabs another GOP knife into US democracy by upholding ex-felon vote ban"
November 16, 2005
Bob Fitrakis and Harvey Wasserman
"Has American Democracy died an electronic death in Ohio 2005's referenda defeats?"
November 11, 2005
Bob Fitrakis and Harvey Wasserman
"What John Kerry definitely said about 2004’s stolen election and why it's killing American democracy"
November 10, 2005
Bob Fitrakis & Harvey Wasserman
"Scrap the "secret" ballot - return to open voting"
November 5, 2005
Lynn Landes
"Clarification of NEDA's withdrawal of Ohio exit poll paper"
November 5, 2005
Kathy Dopp
"Clarification of NEDA's withdrawal of Ohio exit poll paper"
November 3, 2005
Kathy Dopp, National Election Data Archive
"Watergate-style money laundering indictments stoke Ohio's stolen election fires"
October 28, 2005
Bob Fitrakis & Harvey Wasserman
"Powerful Government Accountability Office report confirms key 2004 stolen election findings"
October 26, 2005
Bob Fitrakis & Harvey Wasserman
"Did you erase your own vote?"
October 25, 2005
Warren Stewart, Director of Legislative Issues and Policy, www.VoteTrustUSA.org
"Why can't the left face the Stolen Elections of 2004 & 2008?"
October 18, 2005
Bob Fitrakis and Harvey Wasserman
"Carter/Baker Report can't face how the GOP stole America's 2004 election & is rigging 2008"
September 20, 2005
Bob Fitrakis & Harvey Wasserman
"Two Steps Forward, One Step Back"
September 20, 2005
Warren Stewart, Director of Legislative Issues and Policy, VoteTrustUSA
"FEMA Chief Brown Paid Millions in False Claims to Help Bush Win Fla. Votes"
September 19, 2005
Jason Leopold
"Ohio recount lawsuit set for trial; election workers indicted"
September 4, 2005
Blair Bobier
"Ohio Governor's ethics violations expose money trail to stolen 2004 election"
August 30, 2005
Bob Fitrakis & Harvey Wasserman
"Diebold's failure in California"
August 7, 2005
John Gideon, Information Manager, www.VotersUnite.Org and www.VoteTrustUSA.Org
"Did the GOP steal another Ohio Election?"
August 5, 2005
Bob Fitrakis and Harvey Wasserman
"Conyers-Kaptur seek special counsel for Noe probe"
August 4, 2005
John Conyers, Jr. and Marcy Kaptur
"Dramatic new charges deepen link between Ohio's "Coingate," Voinovich mob connections, and the theft of the 2004 election"
July 29, 2005
Bob Fitrakis & Harvey Wasserman
"None dare call it stolen - Ohio, the election, and America's servile press"
July 24, 2005
Mark Crispin Miller, summarized by Mary Anne Saucier, Columbus, Ohio
"Civic Engagement and the Restoration of Community from a voter activist’s view"
July 19, 2005
Terri Zins
"My report from Hocking County, July 5, 2005: An update on Sherole Eaton's unfolding Story"
July 7, 2005
Victoria Parks, Ohio Backbone Campaign
"Handbook for Ohio Voter Activists, Version 2.0"
July 7, 2005
Various activists
"Direct testimony: Presented to Election Assessment Hearing"
July 4, 2005
Richard Hayes Phillips, Ph.D.
"Log Cabin Republicans in Ohio"
July 4, 2005
Richard Hayes Phillips, Ph.D.
"With a limp election theft report, Dems prove why they're unworthy"
June 28, 2005
Harvey Wasserman and Bob Fitrakis
"Voting problems and uncounted votes in Lucas County, Ohio"
June 28, 2005
Justine Smith
"The DNC 2004 Election Report: An indictment of incompetence"
June 25, 2005
Steven Rosenfeld and Bob Fitrakis
"Corporate control of the election process"
June 22, 2005
John Gideon
"Introduction: Did George W. Bush steal America's 2004 election?"
June 16, 2005
Bob Fitrakis, Steve Rosenfeld and Harvey Wasserman
"Voter Confidence Committee Calls For Rejection of CA Special Election"
June 16, 2005
Dave Berman
"Activists from 25 states lobby for paper ballots on June 9 and 10"
June 10, 2005
VoteTrustUSA.org
"Fear of riffraff"
June 10, 2005
Robert C. Koehler, Tribune Media Services
"Electoral Politics and the War: Lessons from 2004 and What the Anti-War Movement Should do in 2006"
June 8, 2005
Kevin Zeese
"Optical scan machines hacked in Florida"
June 2, 2005
Black Box Voting
"Does ES&S really want to sell the Automark machines?"
May 28, 2005
John Gideon
"Attack on election board whistleblower and leaked Blackwell threats re-fire Ohio's election theft scandal"
May 23, 2005
Bob Fitrakis and Harvey Wasserman
"Franklin County, Ohio Election Procedures – April and May 2005"
May 6, 2005
Paddy Shaffer
"Carter Gets It – But Will His Electoral Commission?"
April 24, 2005
Kevin Zeese and Linda Schade
"Voter Perceptions and Political Deceptions: Federal, Ohio and Knox"
April 24, 2005
Mike Swinford
"Electoral reform groups call for James Baker's resignation from electoral reform commission"
April 17, 2005
Ilene Proctor
"National Conference on Election Reform Opens with Civil Rights Panel"
April 13, 2005
Abigail Thorton
"View from Another Planet"
April 13, 2005
Josh Mitteldorf
"Democrats! Paper “Trails” Aren’t Good Enough. Count The Damn Ballots!"
April 12, 2005
Lynn Landes
"Democrats, Paper ‘Trails’ Aren’t Good Enough; Count The Damn Ballots!"
April 1, 2005
Lynn Landes, Online Journal Contributing Writer
"Scientific Analysis Suggests Presidential Vote Counts May Have Been Altered"
March 30, 2005
US Vote Counts
"As Blackwell Says, Ohio’s in 2004 was a National Model"
March 24, 2005
Steve Rosenfeld, Bob Fitrakis, and Harvey Wasserman
"Understanding the difference between paper ballots and paper audit trails"
March 20, 2005
Gary Beckwith
"Save Our Democracy"
March 16, 2005
John Irwin
"Republicans maneuvering to get Voting Rights Act killed"
March 10, 2005
Rev. Jesse L. Jackson, Sr.
"Legal filing highlights Blackwell's hypocrisy in Ohio recount case"
March 7, 2005
Blair Bobier
"Selma 40 Years Later"
March 6, 2005
Rev. Jesse L. Jackson, Sr.
"Exit Poll Madness - Analyst Steve Freeman & Company Offer False Choice"
March 4, 2005
Lynn Landes
"Libertarians To Testify in Ohio House: Modernize Ohio's Election Laws"
March 3, 2005
Robert Butler
"The New Voting Rights Movement Begins Here Today"
March 2, 2005
Steven Rosenfeld
"Voting in America"
February 28, 2005
Bob Babson
"The Mighty Texas Strike Force"
February 28, 2005
Nick Mottern - Documentary News Service
"Blackwell presidential election sanctions briefs"
February 22, 2005
Various individuals
"Representative Conyers and others file amicus brief in Ohio Supreme Court"
February 17, 2005
Dena Graziano
"Congresswoman Tubbs Jones Outraged at Blackwell's Failure to Appear During House Administration Hearing"
February 12, 2005
Office of Rep. Tubbs Jones
"Ohio Attorney-General's attack on election protection attorneys draws mountain of documentation on state's stolen election, including new study on exit polls"
February 3, 2005
Steve Rosenfeld and Harvey Wasserman
"Prominent Statisticians Refute 'Explanation' of 2004 U.S. Exit Poll Discrepancies in New Edison/Mitofsky Report and Urge Investigation of U.S. Presidential Election Results"
January 31, 2005
Bruce O'Dell
"The last man to concede..."
January 29, 2005
Sheila Samples
"Report on Washington DC, January 6, 2005"
January 25, 2005
Avram Friedman
"Arkansas in 2004: Did Bush Really Win?"
January 24, 2005
Max Standridge
"New links"
January 23, 2005
Free Press staff
"Voting Problems and Uncounted Votes in Lucas County, Ohio"
January 23, 2005
Justine Smith
"Plan B: Parallel Elections & Signed Ballots"
January 20, 2005
Lynn Landes
"Open Letter to Ohio Attorney General Jim Petro from Representative John Conyers, Jr."
January 20, 2005
Representative John Conyers, Jr.
"Open Letter to Warren Mitofsky and Larry Rosin from Representative John Conyers, Jr."
January 20, 2005
Representative John Conyers, Jr.
"Ohio's GOP Attorney General launches revenge attack on Election Protection legal team"
January 19, 2005
Steve Rosenfeld and Harvey Wasserman
"What are they hiding in New Mexico?"
January 18, 2005
Warren Stewart, National Ballot Integrity Project
"In the Shadow of Dr. King, counting the vote remains a civil rights issue"
January 17, 2005
Bob Fitrakis, Steve Rosenfeld and Harvey Wasserman
"Did the “Liberal Media” Get the 2004 Election All Wrong?
"
January 16, 2005
Gene C. Gerard
"'COUNT EVERY VOTE. EVERY VOTE COUNTS'"
January 16, 2005
Mary Anne Saucier
"Moss v. Bush moves on and movement continues"
January 13, 2005
Bob Fitrakis, Steve Rosenfeld and Harvey Wasserman
"Rally Continues Drive for Democracy"
January 9, 2005
Mark Huntress
"Estimated vote count in Ohio"
January 8, 2005
Richard Hayes Phillips, Ph.D.
"January 6 Washington, D.C. rally report"
January 8, 2005
Nick Mottern
"Together, we moved three mountains"
January 8, 2005
Bob Fitrakis, Steve Rosenfeld and Harvey Wasserman
"What the election challenge means"
January 8, 2005
David Swanson, ILCA
"Progressive Democrats lead historic voting rights protest as Congress ratifies flawed 2004 Electoral College tally"
January 7, 2005
Bob Fitrakis, Steve Rosenfeld and Harvey Wasserman
"Arnebeck letter to Congress re Presidential Electoral Challenge"
January 6, 2005
Clifford O. Arnebeck, Jr.
"Senator Barbara Boxer, D-CA and Representative Stephanie Tubbs Jones, D-OH contested the election"
January 6, 2005
Free Press staff
"The "Crime of November 2": The human side of how Bush stole Ohio, and why Congress must investigate rather than ratify the Electoral College (Part Two of Two)"
January 5, 2005
Bob Fitrakis, Steve Rosenfeld and Harvey Wasserman
"Status Report of the House Judiciary Committee Democratic Staff"
January 5, 2005
U.S. Rep. John Conyers and staff
"Seven key reasons why the vote must be challenged at the electoral college"
January 3, 2005
Rev. Jesse Jackson, Rainbow/PUSH Coalition
"Ten preliminary reasons why the Bush vote does not compute, and why Congress must investigate rather than certify the Electoral College (Part One of Two)"
January 3, 2005
Bob Fitrakis, Steve Rosenfeld and Harvey Wasserman
"Verified election contest petitions and documents in Ohio Supreme Court "
January 2, 2005
The undersigned
"Distribution of voting machines by county in Ohio"
January 1, 2005
Andy Shifflette
"Did We Bounce An Election?"
January 1, 2005
Warren Stewart, votersunite.org
"Presidential election congressional hearing transcript"
January 1, 2005
Congresspeople Waters, Tubbs-Jones and Conyers and others
Selected articles from 2004
"Ohio's official non-recount ends amidst new evidence of fraud, theft and judicial contempt mirrored in New Mexico"
December 31, 2004
"Impossible Phantom Votes in New Mexico
"
December 30, 2004
"The 2004 Presidential Election: Who Won The Popular Vote? An Examination of the Comparative Validity of Exit Poll and Vote Count Data"
December 29, 2004
"Ohio GOP election officials ducking notices of deposition as Kerry enters stolen vote fray"
December 28, 2004
"Another third rate burglary"
December 25, 2004
"Hacking the vote in Miami County"
December 25, 2004
"Update from the Ohio Frontlines"
December 24, 2004
"Lawsuit Before the Ohio Supreme Court"
December 24, 2004
"Kerry votes switched to Bush and ballots pre-punched for Bush"
December 24, 2004
"Uncounted votes in Cuyahoga County"
December 24, 2004
"GAO report documents how easy it is to hack the vote"
November 15, 2005
"J30 Election Reform Coalition"
March 21, 2005
"The Un-mighty New Hampshire Jam Force"
March 21, 2005
"Petro sanctions democracy"
March 21, 2005
"Progressives helped concede election by conceding the moral high ground"
March 21, 2005
"We will not concede, or get over it, but we shall overcome"
January 23, 2005
"From Selma to Palm Beach to Columbus"
January 23, 2005
"Movement Heroes"
January 23, 2005
Read Articles by Year:
2009 2008 2007 2006 2005 2004 2003 2002 2001 2000
All content © 1970-2009
The Columbus Free Press
Disclaimer