July 19, 2008

Debunking myths can be a full-time job in the election integrity world. Someone recently asserted:

“As for vote switching, not sure how many times I have to tell you, the election goes thru a logic and accuracy test that proves the votes are counted correctly. There is no vote switching … on ES&S machines. Not sure where you get this information. You shouldn’t believe everything you hear.” 

Malware can easily defeat pre-election testing and certification processes: logic and accuracy tests cannot “prove” that software is free of malicious code. Assertions that no vote switching has ever been shown to have occurred on an ES&S system or any other computerized voting system are explained by the fact that malware (malicious software code) can be self-erasing.

A few hours later, the same software advocate said: 

“I was a programmer for over 40 years. But let’s take it a step further. What if the hacking is done in the module that does the election reporting and not the machines or media? How can we ever trust anything that the computer does? My answer is that so far, the ES&S machines have not been hacked and the state does extensive testing, so how did this hacking get by them? You keep harping on human hand counts, I trust the machines much more than the humans. Machines don’t care who wins, they do as they are told. And as our testing shows, they have been doing exactly that.”

Over 50 scientific studies have been published in recent years which contradict these assertions.  Here are a dozen published statements by computer security experts: 

1. “[E]xperience in testing software and systems has shown that testing to high degrees of security and reliability is from a practical perspective not possible.”  

— National Institute of Standards and Technology (NIST). Requiring Software Independence in Voluntary Voting Systems Guidelines 2007: Security and Transparency Subcommittee Recommendations for the Technical Guidelines Development Committee. November, 2006.  

2.  In Dec. 2007 Ohio tested ES&S, Hart and Diebold.  “All of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election.”   

— Ohio Secretary of State, Project EVEREST Report of Findings, December 14, 2007  

3. “[T]he growing use of information technology in elections … provides the opportunity for new kinds of attacks, from new kinds of attackers.”

And, later, “New and more ingenious kinds of malware are constantly being invented and used. There are now tens of thousands of known viruses, and the sophistication of tools used to develop and use new ones has increased. 

“Malware in a voting system could be designed to operate in very subtle ways, for example, dropping or changing votes in a seemingly random way to make detection more difficult. Malware can also be designed to be adaptive – changing what it does depending on the direction of the tally. It could also potentially be inserted at any of a number of different stages in the development and implementation process – from the precinct all the way back to initial manufacture – and lie in wait for the appropriate moment.” 

— Fischer, Eric A. CRS Report for Congress: Election Reform and Electronic Voting Systems (DREs): Analysis of Security Issues. Congressional Research Service, November 4, 2003.    

4.  “This is a classic computer security problem. Whoever gets into the machine first wins. So if the Trojan horse software is in there first, you ask it to test itself — it will always lie to you and tell you everything is fine. And no matter what testing code you try to add after the fact, it’s too late. It can now create a world where the testing software can’t tell that the machine has been compromised, even though it has….” 

— Dan Wallach, a Rice University computer security expert who has examined electronic voting systems since 2001 and has testified about voting security issues before government bodies in the U.S., Mexico, and the European Union. Quoted from “Peering through the chinks in the armor of high-tech elections,” May 27, 2007

5. “An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine.  The damage could be extensive – malicious code could spread to every voting machine in polling places and to county election servers.” 

— Calandrino, Joseph A., Ariel J. Feldman, J. Alex Halderman, David Wagner, Harlan Yu, and William P. Zeller. Source Code Review of the Diebold Voting System. University of California, Berkeley under contract to the California Secretary of State, Top to Bottom Review, July 20, 2007. 

6. “There would be no way to know that any of these attacks occurred; the canvass procedure would not detect any anomalies, and would just produce incorrect results. The only way to detect and correct the problem would be by recount of the original paper ballots.” 

— California Voting Systems Technology Assessment Advisory Board (VSTAAB), Security Analysis of the Diebold AccuBasic Interpreter, February 14, 2006  

7.  “[W]hile ‘logic-and-accuracy testing’ can sometimes detect flaws, it will never be comprehensive; important flaws will always escape any amount of testing.” 

— Wallach, Dan S. Testimony to National Institute of Standards and Technology and Election Assistance Commission Technical Guidelines Development Committee, September 20, 2004.  

8. “The current certification process may have been appropriate when a 900 lb lever voting machine was deployed. The machine could be tested every which way, and if it met the criteria, it could be certified because it was not likely to change. But software is different. The software lifecycle is dynamic…[Y]ou cannot certify an electronic voting machine the way you certify a lever machine…. [W]e absolutely expect that vulnerabilities will be discovered all the time…. 

“Software is designed to be upgraded, and patch management systems are the norm. A certification system that requires freezing a version in stone is doomed to failure because of the inherent nature of software.” 

— Rubin, Avi (Professor of Computer Science at Johns Hopkins University). Secretary Bowen’s Clever Insight. Avi Rubin’s Blog, August 7, 2007.     

9. “Flaws in the Optical Scan software enable an unofficial memory card to be inserted into an active terminal. Such a card can be preprogrammed to swap the electronically tabulated votes for two candidates, reroute all of a candidate’s votes to a different candidate, or tabulate votes for several candidates of choice toward a different candidate.”

— Gardner, Ryan, Alec Yasinsac, Matt Bishop, Tadayoshi Kohno, Zachary Hartley, John Kerski, David Gainey, Ryan Waalega, Evan Hollander, and Michael Gerke. Software Review and Security Analysis of the Diebold Voting Machine Software. Florida Dept. of State: Florida State University, Security and Assurance in Information Technology Laboratory, July 27, 2007. 

10. When discussing its study of ES&S systems (the iVotronic touch screen, and the M100 and the M650 optical scan systems), Project EVEREST researchers reported: 

“The second key finding of the review was the apparent vulnerability of the system to malware infection and manipulation. If a properly skilled and resourced attacker can gain access to any of several components in the system at any time during their life-cycle, there exists a large possibility that they could implement malicious programming (malware) into the system with little chance of detection. Once the malware was in place on the system, it could perform a variety of tampering and could likely spread from component to component throughout the system.  

“The ability of malware to affect the integrity and availability of the elections process is profound and disturbing, but the lack of capability to detect and report potential malware attacks against the system makes it the single largest threat.” 

— Ohio Secretary of State. Project EVEREST: ES&S System MicroSolved, Inc. Executive Summary Report. n.d. (December 2007).  

Assertions that no vote switching has ever been shown to have occurred on an ES&S system or any other computerized voting system are explained by the fact that malware can be self-erasing. That’s why computer experts are calling for “software independence” – we cannot rely on results reported by easily mutable software and must count the ballots by other means.

11. “Of course, numerous studies have shown that currently deployed voting systems are susceptible to undetectable malicious attacks….  

“It is against this background – unreliability in the field; the prospect of undetectable, malicious attacks; and the inconclusiveness of post-election analysis in purely electronic systems – that the EAC should view the software independence requirement.”

— Burstein, Aaron, and Joseph Lorenzo Hall. Public Comment on the Voluntary Voting System Guidelines, Version II (first round) Submitted to the U.S. Election Assistance Commission. National Science Foundation ACCURATE (A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections), May 5, 2008.     

Software is fragile and undetectably mutable. Source code for voting systems is hundreds of thousands of lines in length. This complexity increases the opportunity for software failure, despite programmers’ best intentions. To assert that machines “do as they are told” ignores the reality that software is issued in versions because programmers understand that fixes will have to be made once defects show up in the field where the software is used. It also conceals that while machines usually do what they’re told, we don’t know what they’re told by rogue programmers.

12. “As an example, look at the way Apple distributes releases of the iPhone software. The first release was 1.0.0. Two minor version numbers. When the first serious flaw was discovered, they issued a patch and called it version 1.0.1. Apple knew that there would be many minor and some major releases because that is the nature of software. It’s how the entire software industry operates.”

— Rubin, supra

No amount of software testing will ensure that errors or malware do not exist before, during or after an election.  Because of its undetectably mutable and unstable nature, software can never provide us with a rational basis for confidence in reported election results.  Running democratic elections on software is the worst possible choice of all technologies available to us, from a security perspective.  And this doesn’t even touch the cost factor.

****

Click here to see a list of nearly 50 scientific studies that have condemned software-driven voting systems.

To learn how to keep software-driven voting systems out of New York, visit http://www.re-mediaetc.org/.

For a short list of expert quotes, see Warning: This Product Is Hazardous to Your Freedom.