Slashdot Mirror

← Back to Stories (view on slashdot.org)

BlackBox Voting Tests California Diebold Machines

Posted by samzenpus on from the too-little-too-late dept.

Doc Ruby writes "The California Secretary of State has invited Black Box Voting to hack away at some Diebold voting systems. The testing is set for Nov. 30, 2005. Evaluations conducted by Black Box Voting in San Joaquin, Marin, and Alameda counties (Calif.) reveal that a critical paper audit component is missing for all absentee and mail-in ballots, and also for recounts. (Black Box personnel were hired by the Libertarian Party to conduct inspections.)"

11 of 238 comments (clear)

  1. Paper trail... by Pig+Hogger · · Score: 5, Informative

    Paper trail: the magical words. In Montréal, Québec, the recent municipal election is being contested. Mark-sense ballots were counted by machines, but ballots are kept in sealed boxes after being run through the machine (by the elector). Right now, the ballots are being recounted by hand in the courthouse.

  2. Re:No paper trail by Sepper · · Score: 4, Informative

    The machines used in Montréal (the ones I saw) where optical scanners with a sealed box to contain the ballots.

    The problems we had, was that the center database that was used either crashed or could not handle the load...

    Either way thoses sealed box are getting recounted by hand... In the municipal court... In front of provincial judges...

    --
    I live in Soviet Canuckistan you insensitive clod!
  3. Re:Is this how a paper trail should work: by jumpingfred · · Score: 4, Informative

    Person marks ballot with permanent marker (like the old multiple choice tests but not eraseable). Voting machine is a form reader with a ballot box underneath. This is how municipal elections are done in Nanaimo (and I presume most other municipalities in) BC, Canada. Federal and Provincial elections are still hand-counted with scrutineers seeing (and counting) every ballot.

    This is how voting has been done in San Diego County in California for the past couple of elections. I personally don't think that the touch screens are going to be adding much but expense.

  4. FYI by TubeSteak · · Score: 5, Informative
    From TFA:
    To put this in context, the California Secretary of State did not originate the idea and suddenly decide to invite us to a test.

    Black Box Voting formally issued a request for replication of the Hursti findings under California Election Code 19202.


    Here's the link to the specific post detailing their request

    If the editors are listening, it might be worth fixing the /. blurb.
    That little mistake puts the issue in a wrong light.
    --
    [Fuck Beta]
    o0t!
  5. Tell me again: WHY MACHINES ? by Anonymous Coward · · Score: 5, Informative

    Why are they using machines to count the votes ?

    Here in Germany the voting process is 100% transparent.

    The whole country is divided into ~400000 pieces. In each of these pieces, a votingplace is established. Each votingplace is maned by 7 citicens (volunteers prefered. vacant posts are filled by selecting random citicen.).

    The voters vote through making a cross on a piece of paper.

    After the vote, the whole voting comittee counts the votes two times. After that, the votes are sealed in a bag. The result and the votes are then given to /fetched by the administration.

    During the whole process, _every_ citicen has the right to be on place and controll the work of the comittee.

    The whole process is FAST:
    Usually it only takes ~1 hour to count the votes.

    Voters don't need complicated instruction manuals (everybody knows how to use a pen, right ?)

    The whole process is reliable:
    It is very hard for a political party to man a whole comittee.

    As every citisen has the right (and many make use of their right) to be on place and to controll the work, falsifiing is extremely hard.

    Because we have a clear paper-trail, every vote can get re-counted.

    Ever tried to use a machine when there is a power-outage ? Pens work without electricity.

    The whole process is CHEAP:
    No expensive machines.
    Volunteers & citicens don't get paid.

    1. Re:Tell me again: WHY MACHINES ? by innot · · Score: 4, Informative
      Here in Germany the voting process is 100% transparent.
      I wish it was as it used to be, but they are sneaking blackbox voting into german elections as well.

      During the last election a few weeks ago 2.100 out of 80.000 polling stations used computers.
      Of course they had to use computers without paper trail, computers which an expert team of the irish election commission found to be unfit for use due to the usual issues (secret source code, no code audits etc.)

      While small manipulations of the elections would have made no difference in the resulting big coalition, remember that the two parties of the big coalition were only some tenths of a percent from each other, so a few votes in the other direction and Schröder would have remained in Office.

      I really doubt that there have been any manipulations (yet), but Germany is not safe from close calls where a smalll manipulation could make all the difference.

      Here is an article about two two experts who filed a protest against the results of the last election due to the use of unsafe voting machines.
      --
      X IMPRIMITE "SALVE TERRA!"
      XX ITE AD X
  6. As one of the two people invited to this shindig.. by JimMarch(equalccw) · · Score: 5, Informative

    Let's make a few points clear here.

    1) The Libertarian connection happened as a result of California Election Code 15004, which reads:

    ---
    The county central committee of each qualified political party may employ, and may have present at the central counting place or places, not more than two qualified data processing specialists or engineers to check and review the preparation and operation of the tabulating devices, their programming and testing, and have the specialists or engineers in attendance at any or all phases of the election.
    ---

    So we (Black Box Voting) approached the California Libertarian Party to team up and do up-close inspections of these voting machines, or at least explore what's possible under 15004. They hired us at a buck a day. The main result: we ended up with listings of installed software and drivers that make it obvious Diebold wasn't obeying a court order to shut down networking drivers that weren't necessary. We've complained to the California AG's office about this and Diebold's cross-connection of the San Diego central tabulator box to the Internet (also banned by both the same court order and state regulation). More details at:

    http://www.bbvforums.org/cgi-bin/forums/board-auth .cgi?file=/1954/14325.html

    This upcoming "test hack" at the California Secretary of State's office is another matter entirely.

    This all started when we (Black Box Voting) hired Finnish security consultant Harri Hursti to help out in a "test hack" in Leon County FL where the county elections official (Ion Sancho) was worried about all this "Diebold" controversy.

    What Hursti found was pretty wild. In short: before the election, all the precinct memory cards are prepped from the central vote count box with the ballot and candidate data...normal enough. But the cards are also prepped with interpreted BASIC code loaded into all the memory cards to control the output of the summary counter printer at each precinct. Worse, if you mess around with that code loaded first at the central tabulator, you can make that end-of-day-printout read whatever you want...put in a vote-skimming routine, false numbers, whatever. Nothing in the system at the central or precinct ends checks for hashes or whatever to see if the BASIC code is legit. Said code can be date/time sensitive so that the machines will still pass Logic&Accuracy testing before or after the election. With the paper trail at the precinct dickered with, you can use the other major hack available - altering the central database of votes to match the precinct report paper. Not hard - the central database of votes is written in MS-Access so either load a commercial copy of Access and tweak by hand, or load/type a Visual Basic script to monkey with the JET database engine (the "Access back end") on autopilot.

    Net result: one thoroughly "pwned" election.

    The full report:

    http://www.blackboxvoting.org/BBVreport.pdf

    Since then, *nobody* has tried to duplicate the Hursti results. If they're true, Diebold would have to do a nationwide recall and the Federally approved testing labs (Ciber Inc. in Huntsville AL and a division of Wyle also in Huntsville) would need a visit by people with badges, guns and search warrants.

    After the preliminary report on the Leon County hack was released but before the final report linked above, Bev Harris and I formally asked the California Secretary of State's office to check out the issues Hursti found, under yet another obscure clause of the California elections code, 19202:

    ---
    Any person or corporation owning or being interested in any voting system or part of a voting system may apply to the Secretary of State to examine it and report on its accuracy and efficiency to fulfill its purpose. The Secretary of State shall complete his or her examination without undue delay

  7. Re:Just wondering... by JimMarch(equalccw) · · Score: 4, Informative

    Exactly.

    A variant of this for voting machines would involve the distribution of the MD5s or similar on the websites of the vendors, the county governments using it, the Federal Election Commission website and the like, along with a script that will check every file on the voting machine in question for accuracy.

    A concerned voter or party rep or one of us at Black Box Voting or whatever can download all that, put it on CD-ROM.

    The county can then test the CD you bring in and make sure it contains nothing but the "checker program", mark that CD "approved", you then stick it in the voting machine(s) and run it even with very limited "geek quotient". Now everybody can trust everybody.

    --------------

    Another big issue is that the data files need to be made public. As God is my witness, Diebold and other major vendors are claiming that the database files (MS-Access in Diebold's case, SQL in most others) are "proprietary trade secrets"(!) and cannot be released by the counties under various public records laws of each state.

    This is utter BS. Hell, if you have just ONE set of Diebold data files you know their table layouts and whatnot, and many such have been published all over the net for literally years...with Diebold taking no legal action to make them go away since...well they gave up around Oct. of 2003. See also:

    http://www.equalccw.com/dieboldtestnotes.html ...for my personal collection and

    http://www.equalccw.com/liebold.html ...for a view of the first and last time they tried to have any of my stuff taken offline.

    Diebold MS-Access data files *can* hold forensic traces of vote-hacking if the hack wasn't done very professionally. So why is Diebold fighting to make sure the data files don't end up in public hands, when this "trade secrets" argument is clearly horse manure?

    Either they're messing with votes, or they're afraid some of the counties are because Diebold has made it so damned easy.

    Jim March
    BlackBoxVoting (.org)

  8. Bad news: paper ain't the whole answer by JimMarch(equalccw) · · Score: 4, Informative

    Paper trails are great so long as they're USED, at least for spot-checking.

    Right now, California has one of the better laws on this, saying that 1% of the precincts need to be hand-counted once there's a paper trail in place. And paper trails are mandated beginning in '06.

    Great.

    But several counties don't assign their absentee ballots to precincts - they treat them as a distinct batch. And since they're not PRECINCTS, these counties claim they don't fall under the 1% manual recount rule.

    Los Angeles County (population 12 MILLION) is among these.

    So even though absentee voting *always* includes a paper trail (the part people mail in), in LA and elsewhere it doesn't get spot-checked. Hack just that portion of the vote, you're golden.

    Sigh.

    In six states it's ILLEGAL to recount paper ballots...danged if I know why. Most states don't have a spot-check rule.

    Voter verifiable paper is a good start but it's only "part of this complete breakfrast" if you know what I mean...

    Jim March
    Black Box Voting

  9. Good reference: Nevada gaming device standards by Animats · · Score: 5, Informative
    The Nevada Gaming Control Board has a set of technical standards for gambling devices. Those are a good, practical reference for something that has to resist tampering. Voting machine standards need to be at least as strong.

    A few excerpts:

    • A gaming device must exhibit total immunity to human body electrostatic discharges on all player-exposed areas. ... A gaming device may exhibit temporary disruption when subjected to electrostatic discharges of 20,000 to 27,000 volts DC through a network with a series resistance of 150 to 1500 ohms shunted by a capacitance of 100 to 150 picofarads, but must exhibit a capacity to recover and complete an interrupted play without loss or corruption of any stored or displayed information and without component failure.
    • Physical security. A gaming device must resist forced illegal entry and must retain evidence of any entry until properly cleared or until a new play is initiated. A gaming device must have a protective cover over the circuit boards that contain programs and circuitry used in the random selection process and control of the gaming device, including any electrically alterable program storage media. The cover must be designed to permit installation of a security locking mechanism by the manufacturer or end user of the gaming device.
    • Printer mechanisms on gaming devices must be designed to detect low paper, paper out, and paper jam conditions. The device control program must monitor the printer mechanism for these error conditions in all active game states that do not indicate error conditions.
    • All gaming devices which have control programs residing in one or more Conventional ROM Devices must employ a mechanism approved by the chairman to verify control programs and data. The mechanism used must detect at least 99.99 percent of all possible media failures.
    • All gaming devices having control programs or data stored on memory devices other than Conventional ROM Devices must: (a) Employ a mechanism approved by the chairman which verifies that all control program components, including data and graphic information, are authentic copies of the approved components. The chairman may require tests to verify that components used by Nevada licensees are approved components. The verification mechanism must have an error rate of less than 1 in 10 to the 38th power and must prevent the execution of any control program component if any component is determined to be invalid. Any program component of the verification or initialization mechanism must be stored on a Conventional ROM Device that must be capable of being authenticated using a method approved by the chairman. (b) Employ a mechanism approved by the chairman which tests unused or unallocated areas of any alterable media for unintended programs or data and tests the structure of the storage media for integrity. The mechanism must prevent further play of the gaming device if unexpected data or structural inconsistencies are found. (c) Provide a mechanism for keeping a record, in a form approved by the chairman, anytime a control program component is added, removed, or altered on any alterable media. The record must contain a minimum of the last 10 modifications to the media and each record must contain the date and time of the action, identification of the component affected, the reason for the modification and any pertinent validation information. (d) Provide, as a minimum, a two-stage mechanism for validating all program components on demand via a communication port and protocol approved by the chairman. The first stage of this mechanism must verify all control components. The second stage must be capable of completely authenticating all program components, including graphics and data components in a maximum of 20 minutes. The mechanism for extracting the authentication information must be stored on a Conventional ROM Device that must be capable of being authenticated by a method approved by the chairman.

    Nevada asked the Gaming Control Board to take a look at voting machines. After that review, Nevada went to a paper trail in 2004.

  10. Please ask for a voter-verified paper ballot. by jbn-o · · Score: 4, Informative

    I understand what you mean, but please ask for "voter-verified paper ballots" instead of a "paper trail".

    I was part of the Champaign County Election Equipment Advisory Board in Champaign county Illinois. We were an appointed body whose job was to evaluate voting machines that would make us compliant with the new "Help America Vote Act" law. Our board heard sales pitches from a few vendors (Diebold, HartIntercivic, ES&S) and their local reps, we asked them questions, collected information, and eventually made a recommendation to the County Board (who are elected). We've given the County Board our advice and the County Board will make the final decision and sign the contracts.

    We took a field trip to Tippecanoe county Indiana and saw a Diebold voting machine, and our guides were nice enough to give us a demonstration. We were familiar with the Diebold system they demonstrated from a user and administrator's perspective, but we were stunned that the long strip of paper the machine printed was not voter-verified. The Diebold machine we saw produced this paper if the operator had a physical key and pressed the appropriate button (typically the election judge on the site would do this at the end of election day). But no voters got to see what was printed on the paper, therefore there was no way for a voter to make sure that there was any accurate written record of their vote, even a printed record that stayed with the election judges (not a receipt).

    Ostensibly, what's on the paper is a record of votes in a pseudo-random order (so as to prevent an election judge from correlating a particular voter with the printed information). But since the paper is not voter-verified, what was written on the paper is completely untrustworthy. Voters were relying on whatever the software says. Tippecanoe county Indiana is a long-time Diebold customer (since before Diebold bought Global Election Systems, if I recall correctly).

    This machine compelled me to distinguish between a "paper trail" (which the Diebold reps and the Tippecanoe county demonstrators assured us the machine could generate) and a "voter-verified paper ballot". The former simply isn't good enough.

    --
    Digital Citizen