To Bev Harris and the Black Box warriors

Given that other great thread you have going, I want to share with you aspects of the interview I did Wednesday. It is not done by half, not polished, and whatever wasn't covered yet is waiting for me on the tape.

These people knew their stuff.

---

WP = me

BS = Barbara S.

DD = David D.

RM = Rebecca M.

WP: The document, ‘Who Gets To Count Your Vote?’ says, “The ideal voting technology would have five attributes: anonymity, scalability, speed, audit and accuracy. Explain the importance of these five attributes.

BS: Voting has to be anonymous; that’s how we do voting in this country. Scalability means that when you build the system, you have to be able to use it for however many people who come to vote. It might work well for a small number of people, but not work for a large number of people. Speed is pretty clear-cut; it has to be fast and convenient, so there are no long lines of people waiting to vote. Audit means you must be able to know what happened after you vote. You must be able to prove the votes.

DD: Let me clarify here. The basic idea of audits in banks, for example, is that you can reconstruct the results from the original records. In voting that means being able, even if your election system fails, or if you question it, being able to figure out what the vote totals are for an individual candidate from the original records. The original records were the paper ballots.

BS: Accuracy simply means we want to be sure the votes are accurately reported and counted.

WP: How does this Direct Recording Electronic Voting Machine (DRE’s) abrogate any of these five requirements?

BS: We are particularly concerned about auditability…

(snip)

DD: If you look at this auditing problem, there’s an audit gap between the voter’s finger on the touch screen and the record that is made inside the machine. With DRE’s as they currently work, the voter cannot tell what is being recorded inside the machine. What you really need to have is a workable audit trail, when you’ve got this funny anonymous system, is that the voter, before they leave the voting booth, has to be able to check that their vote has been properly recorded.

There’s another company that has a fancy cryptographic scheme called VoteHere. The way they explain some of what we’ve said is that there are two phases to voting where you want two guarantees. One of them is making sure the voter’s vote is correctly recorded. The way they say it is, “Cast As Intended.” The second phase is adding up all the votes from all the precincts, which they call “Counted As Cast.” These fancy schemes deal with the “Counted As Cast” problem very well, and they have various ways to deal with the “Cast as Intended” problem. The more primitive solution that is talked about – what is available now that we can do – is either use a paper ballot system like an optical scan system, where you’re filling out a paper ballot and you just put that in the ballot box, and that’s the voter verified audit record. Or, and this was Rebecca’s idea, is to take the touch screen machines and put a printer on it – in fact, they already have printers – and it will print the ballot, and the voter can look at that to make sure it has the right stuff on it. That then goes into the ballot box.

WP: It strikes me – and you can correct me if I’m wrong about this – but it seems like these things you are describing with the verified voting records technologies are pretty profoundly revolutionary, over and above whatever is going on with these DRE’s. I’ve been voting for a while now. My precinct in Boston uses those old-school monster voting machines where you yank the big lever and the curtain comes across behind you in the booth, and you throw all the vote switches, and you yank the handle back. I don’t have a clue if the machine recorded my vote. I get no verification. I just haul the handle, make the sign of the cross, and hope it got recorded. You are talking about not only making sure that the technology within these systems functions in such a way that the votes are actually recorded, but you’re adding the extra layer – giving the voters verification that their vote has been counted and recorded. Given what happened in Florida, that strikes me as one of the better ideas I’ve heard in a very long time.

BS: I don’t think it is all that revolutionary. I voted on those old handle machines when I lived in New York, and of course there was no way to verify. But there are other systems people use to vote, like optical scans, which have been around for a while. With those, you do see your vote, and you do get a piece of paper. There is no additional technology needed. In the old days, people used paper to vote. Actually, in some sense, the lever machines you use are a step backwards. They took away the ability of the voter to make sure that the vote was at least cast the way they intended.

WP: In Massachusetts, we had an interesting little mini-scandal with these old handle machines after the 2000 election. They realized that the machines, the interior works, hadn’t been cleaned in something like thirty years, and this led to substantial vote loss.

RM: Those traditional lever machines were actually invented by Thomas Edison. They came up with those machines because there was so much vote fraud going on – ballot stuffing and so forth – but the traditional lever machine is fully mechanical. The great thing about them is that you can crack open the back and see how it works. If there is a question whether one specific machine is working correctly, you can open up and look at the gears and the odometers like they have in cars, and you see the gears connected to the levers. It is like looking into a piano – you can watch the hammer strike the string and make the tone.

The problem, and the difference between those lever machines and these new DRE’s, is that the DRE’s are basically using electrons. I actually have a lot more faith in the old lever machines. I can’t open the DRE and look inside and see that the button I pushed on the touch screen is being recorded inside the device. It’s invisible. You can see in the old machines if a lever is connecting to the wrong place, or if there was some foul play.

The other issue is that if someone were going to do some foul play and throw an election, they’d have to go around and mess up an incredible number of those old machines, one machine at a time and one lever at a time. With these DRE’s, if there’s some mistake in the programming – even if it is not intentional, just some bad code – it could affect all of them, the whole quantity of the DRE’s. It might not just be your city. It might be your state. It might be all the DRE’s in all the counties in all the states that were provided by the manufacturer who let the bad code get by them.

WP: Come on, that never happens. Microsoft never has to throw warnings about tens of thousands of flawed programs, about huge gaping security holes in Outlook and so forth.

DD: No, they just distribute 34 megabyte patch files because they never make any mistakes.

(Laughter)

WP: Explain to me what kind of non-malicious errors can manifest themselves in these DRE’s.

BS: Your readers will recall when our spaceship crashed into Mars because one group involved was using feet to measure things and another was using meters. That’s one example, but you might say that this was not a software error. The point is that the code was written such that it didn’t work.

RM: Some of these problems are very simple. The addition of a semi-colon or an equals sign in the wrong place in a line of code can completely change the programming. This would be someone who just slipped up. There are plenty of examples of this happening. In the midterm elections down in Dallas, Texas, people tried to vote on the new touch-screen machines. They found that, no matter where they touched on the Democratic side, it would vote for the Republican candidate. These people were pretty upset, and it just kept happening and happening. In Texas they have early voting, and this problem showed up in the early voting. If this had happened on Election Day, who knows what would have transpired? They might have had to shut down voting in all of Dallas.

The Democratic Party went to court over this. They had affidavits demonstrating that there were machines making this error. Ultimately it was decided that seventeen of the machines were somehow misaligned. I don’t know how that could happen, but it was decided that they were misaligned, and those machines were taken out of service.

WP: What are the names of the companies making these DRE’s?

RM: Diebold, Sequoia and ES&S. Those are the big three.

WP: What kind of testing are these three main companies doing to ensure that the misplaced equals sign, the misplaced semi-colon, the misaligned machine, is not happening?

DD: I’ve tried to find out. What kind of testing that goes on in these companies is something we don’t know. They won’t tell us a thing about their code or what they do to test it.

WP: In ‘Who Gets To Count Your Vote,’ there is a statement that, even when these machines get brought to court, you can’t even see the code.

RM: That was the Sequoia case. I was involved in that. I was the expert witness on that case down in Florida. They would not allow us to see the code.

DD: There is a general theme of secrecy, which is frustrating to me. I understand some of the reasons for secrecy. It is frustrating to be because claims are made about these systems, how they are designed, how they work, that frankly I don’t believe. In some cases, I don’t believe it because the claims they are making are impossible. I am limited in my ability to refute these impossible claims because all the data is hidden behind a veil of secrecy.

What testing do the manufacturers do? Who the hell knows? Once it gets out of the manufacturers, we are reassured by everyone about the qualification process. There is something called the NASED Qualification Process. NASED is an organization called the National Organization of State Election Directors which has affiliated with it something called the Election Center, which I believe is a private organization. The Election Center oversees the NASED qualification process. There are Independent Testing Authorities, though their level of independence is unknown. There are three of them, called SYSTEST, CYBER and WYLE. The conventional wisdom about WYLE is that they deal with hardware and firmware. Some vendors have found out the hard way that they actually deal with all of the software that goes into the voting machine. They are the ones dealing with the software that I am most concerned about.

If you go to their web pages, it says, “If you’d like to know something about us, please go to hell” in the nicest possible way. They refer you to the Election Center, which will carefully explain to you that they scrutinize every line of code. When I was on the California Task Force dealing with all this, along with another computer scientist named David Jefferson, we wanted to know what these Independent Testing Authorities (ITA’s) do. They were all invited. Everybody else on the Task Force, which included some election officials at both the state and local level, and a few people of various political affiliations, wanted to know what these Test Authorities do. So we invited them to speak to us.

SYSTEST came and spoke to us. It turns out that they are one of the small ones. They don’t deal with the big stuff, and they don’t deal with the software inside the voting machines. The other two, which are apparently very close, are CYBER and WYLE. They refused to come visit us. They were also too busy to join us in a phone conference. Finally, out of frustration, I wrote up ten or fifteen questions and sent it to them via the Secretary of State’s office. They didn’t feel like answering those questions, either.

These Test Authorities use the word ‘Certified’ as if it were some magical holy blessing. It’s been ‘Certified.’ Well, what does that mean? We didn’t get any answers. My friend David Jefferson has been involved in internet voting and some other election-related issues for a while now. A couple of years ago, he got the right passwords to call up WYLE and ask them what they do, and he got a description. The basic description, according to David, is that they bake the machines to see if they die. The drop them to see if they break.

And then what they do is run scripts over the computer program to check for bugs. A script is just another computer program to check for superficial things. There is no human involved. They don’t want functions that are too long, and they don’t want functions with multiple exit points. They actually say ‘Modules,’ but they are basically talking about chunks of code. It is basically nothing more than a style-checker, like running a spell-check. The problem with running a spell-check…

WP: …is that you miss the homonyms.

DD: Right. The concept of running one of these style-checkers on a program is, at the end of the day, you know the functions are short and they don’t have multiple exit points. You don’t have any clue if they are doing the right thing at security holes or anywhere else. After this process, there are several other steps. There is something called an ‘Acceptance Test.’ When the machines get delivered to either the state or county government, they power them up and put them through the paces to make sure they work. Basically, they sign a form that says they got the thing and it’s not busted. Before each election, and sometimes after each election, they have something called a Logic and Accuracy Test where, to one degree or another, they will try casting some votes on the machine to make sure they come out right. That’s basically all there is to it.

As a computer scientist, I know that the worst problem that could happen is that you have someone at the company, such as a programmer who knows all the details of the code, or a mysteriously overqualified janitor, who could basically insert something malicious into the code. Given the fat that they are using the ‘C’ programming language, we know that such an act can be concealed. They wouldn’t even have to change the program. They could just change some of the results of the program. Malicious code could be concealed in ways that are practically impossible to detect by any means, and certainly wouldn’t be detectable given what we understand to be the detection and inspection process.

The computer scientist who oversees elections in Georgia told us yesterday that, by Black Box Testing, this logic and accuracy testing, he could catch any malicious code. It is completely ridiculous. If you go to the Microsoft Excel spreadsheet program, and go to row 2000, column 2000 and type a specific thing, you will get something like a flight simulator. The Microsoft programmers, even though it is a firing offense, can slip this stuff into the programming code so none of the testing people can discover it. They are called ‘Easter Eggs.’ If you type ‘Easter Eggs’ into a Google.com search, you’ll get instructions on how to find all these things in Microsoft software programs.

Without even knowing very much about how these systems work, computer scientists know that you can put malicious code into a program, you can change the results of an election, and it can’t be detected by inspection or testing. Period.

RM: You have to give at least some credit to this computer scientist from Georgia. He at least tests these machines. Some states just take the things out of the box from the manufacturer, plug it in and run their hands over it a few times, and then send it off for the voters to use. He, at least, takes the trouble to try and test them out.

DD: Yes. This man does the best testing of anybody in the country. But there is just no way to test for the problems we are worried about. He is doing the best job he can.

would it absolutely burst your bubble if I told you that 2 of your 3 "experts" have never touched Microsoft Windows?????? And that they're proud of that fact?

I don't know who your 3rd expert is.......

Ouch.

I have no idea if Microsoft experience is helpful in this. Their main point in the interview was that there is no way to confirm that the votes got counted correctly, and that the machines basically do away with recounts. Does one have to know Windows to know the vagaries of computer code? These are three computer science PhD's with CVs from here to Columbia. I dunno. Seemed like knowedgeable people.

When I discovered this. Trust me when I say I have been working with these experts for months without this knowledge.

Not trashing the investigation. Just saying there are more discoveries on the way.

on edit:
And, yes, when malicious code is hidden in the Windows Operating System an intimate knowledge of Windows is prefential. Especially when Windows is completely excluded from the "certification" process.

and intrigued. :)

But if the malicious code is hidden within the Windows OS, it would be a fairly massive conspiracy involving those who set up the machines... It might rely on an OS call, but the kludged code will be within the application, or a DLL or ActiveX control specific to the application. You don't need to be a Windows expert to understand this, it is the same in other Operating Systems as well, under different nomenclature.

Certainly, it would behoove one to have a machine to look at, to see if it had a standard Windows OS installation, to see if there are any processes checking/modifying timestamps. {A secure system would write system performance audit files to hidden directories with embedded timestamps and checksums for the database files that correspond to the times the polls were closed.}


Now, the big mistake a Unix analyst might make, is to either under sell, or oversell the OS's file security. Which is a lot less robust than say Linux.

But Easter Eggs and other backdoors are commonly written into applications in C, C++, Java, VB, Pascal, Smalltalk, and other programming environments. It is a tiny bit of code, usually tied to an obscure object's main public event, but not executing much.
This code would be executing not in a hard to find text box event, but at the moment a vote is cast. So in order to hide the dirty work, it would most likely be in a DLL library function or a system application hooking a specific message. It would be at arms length from the application during a cursory inspection, but visible if you were running a trace in black ice and paying attention. Places to hide such code might be in the Microsoft Access database engine DLL's, whatever programming environment database dll's might be employed (such as the BDE from Borland), or other non-OS library calls by the program.

Otherwise you have to invade the environment and physically alter files, their timestamps, possibly their checksums...
much easier to cheat farther upstream.

The point is, if you do not have the application plus DDL's it may call, including such monsters as the VBRUN series, and the OS and the hardware it was supposed to run on, you could be floating on a calm sea, with the real shipwreck below you and not know it. I have been saying since 1997 or so that any voting system that is a digital system must be owned and operated specifically by the GAO, and that the entire environment, not just the hardware, or the application must be certified.

I would go so far as to recommend that the OS be burned onto EPROM with encoded keys posessed only by the GAO and the Public key given only to the election polling supervisor.
And I think Windows would be a poor choice of OS. I would prefer Linux or Java embedded on chip.

I propose a new start on the whole voting debacle, with an eye toward a nationally standardized system, with all code and hardware owned and certified by the GAO and Treasury dept. Give a contract for the best design, but specify ownership in the design contract to remain with the government.

Voters need to understand the voting process from start to finish. My local voting officials have got a pretty good handle on how to count marks on pieces of paper, and how to insure a secret ballot, but frankly all or most of them don't know anything about computer operating systems, nor do they put much faith in the general competence of our Federal Bureaucracies.

(BTW, I wouldn't be surprised if the Florida "hanging chad" and "butterfly ballot" debacles were engineered to sell electronic voting to the public... Just so's you know about my tinfoil hat ;) )

Actually, Diebold had a whole manual on making dll files, and hid other things in them too. But they had special fun with the Windows developer files.

Bev

I would be surprised if Richard Stallman ever has written a line of Windows code, much less run Windows more than a handful of times in his life. Having said that, if he were to chime in with comments about the methods and best practices of programming and how they relate to this situation, I know I would listen to what he says quite closely.

C is C. C++ is C++. Coding is coding. Best practices are just that.

definitely.

you need specific knowledge of Windows and ActiveX.

Sorry, but when push came to shove we got these comments: "Couldn't make hide nor hair of this, I don't really know Windows" and "I don't know Windows, and had to look up what a dll is." And from another famous one: "I actually don't know anything about Windows, can't help you there, don't even own a machine with Windows on it."

People with hacking experience know how to play Windows like a violin. One hacker I spoke with today asked three questions and said "Okay. There are at least 200 ways in, I'll take a look and tell you which way they use."

Not a hope of that kind of expertise with C++ guys who don't know Windows, sorry.

Another source said "okay, they've edited the Windows source code about a hundred times..."

Not a hope of that either with experts who don't know Windows.

I have the utmost respect for all that Will Pitt spoke with, and they are aware of our little problem, and at least some of our academic experts are attempting to expand their circle of acquaintances now so we can get academic sign-off. Failing that, I'll have to ask some 22-year old Nintendo enthusiasts to do a demonstration.

This is very important.

Bev

...utterly cursed, snakes coming out everywhere... it's too horrible to think about.

Scientists of many stripes won't look at Windows for fear of turning to stone.

I'm not exaggerating.

:)

Software glitches leave Navy Smart Ship dead in the water

http://www.gcn.com/archives/gcn/1998/july13/cov2.htm

Some snippets from that article:

The Yorktown has been towed into port several times because of the systems failures...

“Because of politics, some things are being forced on us that without political pressure we might not do, like Windows NT,” Redman said. “If it were up to me I probably would not have used Windows NT in this particular application..."

Same old shit, different application.

It turned out that one of the times, the immediate cause of the shipwide failure was that a crewman entered a 'zero' into an entry field where there shouldn't have been one. The entire ship's operating system crashed due to a divide by zero error.

Now THAT's stability...:eyes:

So obviously, not just the operating system was the problem (modern operating systems should certainly be able to handle divide-by-zero without blue-screening), but the application programming of the ship systems was bunk as well.

Bet it cost a fortune, too.

In the work that I do: I have to sometimes enter machine level codes directly from tty, which loads into the instruction register, after which the machine attempts to execute that hand-entered code ....

Imagine: .. a brand spankin new Inertial NAV system (shouldnt say what) just going through 'qual testing' as an integrated system .... the ENTIRE management team flooding the area, all focused on the system you had groomed for 3 days to establish proper operating parameters ... ALL cooling systems and temps and pressures and pumps and prelim sys tests and computer counting tests and gases and gauges and meters and buttons and engineers and managers and technicians and directors and VP and customers ..... ALL in place ..... ALL ready ... ALL eyes waiting and watching .....

ALL is GO for power up and functional verification of the brand spankin new system ......

The tenured technician on-site (yours truly) was to then enter the specific machine level hexadecimal number to form the instruction ....

and THAT tenured technician failed to properly count the NUMBER of ZERO digits in the hex number .... entering a '0x0d00000' instead of the PROPER '0x0d000000' .......

Even his engineer, who was to verify ever TTY entry, gave his nod of approval ...... after which the command was verified as valid by the tech and engineer .....

Suddenly: ..... the lights started flashing: the power supply consoles DROPPED out: .... and the alarms kicked in .....

The red faced technician AND engineer looked at the last code entered, slowly counting the digits entered ... and realized they had entered an invalid directive, which trapped the system into a FAIL mode .... killing a 3 day test ..... in front of about 50 people who worked MONTHS to pass that test milestone .......

Fortunately: ... I work with wonderful and understanding people ....

ALSO fortunately: ... the 3 days prep could be made up with ONE day REprep ..... I didnt waste THREE days worth of salary ... just one days worth ......

Nevertheless: .. its a day I will never forget: the day I entered the wrong code and FUCKED UP a very significant test: .... and brought most of a whole corporate division to a halt ....

One single missing digit killed the whole system .....

One digit ......

Thats all it takes ......

Sometimes the names change for various languages, routines, functions, indexing techniques, drivers, etc. but much of this concern is not related to the fact that it runs in a Windows environment. It's just that the Windows environment, and Microsoft Access, adds an additional level of serious concern.

But you're right to point out their lack of experience with Windows just in case there's some expectation that what they're talking about is based on Windows experience.

Basically, since they're talkinga bout things that can go wrong in other environments and Windows adds another level of things that can go wrong, the problem is worse than what they're describing.

Just keeps inexhorably growing, doesn't it?

it just keeps going and going and going.....

If you go to their web pages, it says, “If you’d like to know something about us, please go to hell” in the nicest possible way.

Someone's been to the Election Center site on the advice of the FEC or NASED to get their questions answered!

R. Doug, Ya got your suit pressed? It's time to answer some questions! :)
(Don't forget to hit the gym, those cameras put 10 pounds on ya!) :evilgrin:

has been my favorite mistery man. Can't wait for him to start answering questions, like who hired you?

pretty please?

appartently appointed himself to the Election Center. A private non profit company that goes around the country selling these voting machines. Try and find out something about him. Other than he worked in the White House, worked for Dems and Repubs campaigns, but no details at all any where who he really is. I think I got this right check out Bev's site, you'll see its pretty weird.

of running down info on people and I could never get anything going with R. Doug Lewis. Every little thread just dead-ended. He is one big enigma and to think that he holds the power of every voter in this country in his clutched little fist is almost as scary as Bush becoming President. OMG....bush is the president !!


:scared:

An R D Lewis is the Dallas policeman that did the polygraph test on I believe on Jack Ruby at the time of JFK assination. Just one of those strange things. He would be too old to be our guy but could be the father? A man with no history pushing these machines very very weird. Where did he come from?

I begin to wonder if one day we're going to wake up and find that the democracy we thought we had has been MIA for decades.

It organizes the secretaries of state and the state election directors

It trains them

It oversees the selection of the certifying and testing bodies

It recommends voting systems

It's damn powerful for a private organization build around just one guy who hasn't backed up his credentials.

R. Doug Lewis: Before running The Election Center, he owned Micro-Trade Mart, a used computer parts seller that went out of business. What are his credentials for overseeing the security of elections in the United States again?

Bev Harris

Shouldn't that be enough?

.

Probably the most interesting is the one for

Supervisor of Elections: Miami-Dade County

Maybe we should get somebody to apply!

I noticed at one point they were asking for resumes for Pima County also. Why do the people of Pima County want R. Doug Lewis screening resumes for their election supervisor?

Bev

Especially liked Dr. Dill on certification:

DD: "I’ve tried to find out. What kind of testing that goes on in these companies is something we don’t know. They won’t tell us a thing about their code or what they do to test it.

"...claims are made about these systems, how they are designed, how they work, that frankly I don’t believe. In some cases, I don’t believe it because the claims they are making are impossible.

"...What testing do the manufacturers do? Who the hell knows? ...
If you go to their web pages, it says, “If you’d like to know something about us, please go to hell” in the nicest possible way..."

By the way, these experts are very important to the cause, but DemActivist is right in that we desperately need experts with at least a rudimentary knowledge of Windows, since, indeed, Diebold changed Windows files (and lied about it). And the guy in Georgia they talked about is Dr. Brit Williams, who is pretty thoroughly discredited by his own writings.

We can't all be up on everything. Once the experts you interviewed read what Dr. Williams has written and said, they'll get the heebie-jeebies about him, too.

Great job, can't wait to read the full interview when you're done!

Bev Harris

...to use that quote about the style-checker in a local article I'm attempting to write?

If it makes print, it won't be until later in the week, so yours should be out by then.

Very good point at the beginning of the piece about the mechanical voting machines.

A sidelight. Years ago, in the 1970s when I was growing up in California, they had punch-card paper ballots. My father brought me home the top stub from one of those ballots that said, "I have voted - Have You?" I was a 9-year old fascinated by the voting process.

I always associated the machines with voting in the South because I had seen pictures of the machines in the newspapers showing voters in Alabama. This was probably the 1972 election when George Wallace was running.

There is no reason whatsoever to change our voting system from the machines, which have worked fine for years, to an electronic system that leaves no paper trail and is not mechanically verifiable.

the prospect of a statewide hand recount in Florida.

Perhaps someone realized that they were at great risk if someone actually compared all those ballots to what the machine count said.

Just a thought.

I wish we could make examination of the certification process a sexier story, because this is a key element. Certification falls -- the whole touch screen system falls.

It's threads like this that prove the internet is our saving grace, if we have one!

Ya'll have done good getting all this together and out to these here hinterlands. The stuff I've read about how my VOTE IS COUNTED, makes my skin crawl. Ya'll can't ever let up. There will always be somebody who will attempt to change how our votes are counted.

Wanna see the New American Heroes? Take a look in the mirror.

Thank ya'll and bless you.

.

.

.