X-mas present from SE regional Co-ord for Green Recount (repost)

megalith (10 posts)
Sat Dec-25-04 09:36 AM
7. Hard Info on Triad - An Xmas present

Hello
I am the SE Ohio regional Co-ord for the Green Recount, Hocking is my county and I have spent hours interviewing Ms Eaton. I was also present at the BoE meeting this Monday at Hocking. This is what I know about the Triad program <ElecTab V 1.s > that runs the card reader. And note: the card reader can be any manufactuers that adheres to the original IBM standard from the 40's-50's for punch cards. Triad builds the data aquisition/reporting software that runs the card reader, not the card reader.

Electab V1.s is old code, written in Cobol and runs under DOS, it is not Windows code. It is primitive. The machine running it varies from county to county, in Hocking it was a 14 year old Dell 386 .5 meg ram, running DOS 6. In Hocking the computer running the software is not connected to the BoE local ethernet. It does not have a modem. File transfer is by floppy disk. Printed reports on vote totals are produced from the printer attached to the tabulating computer. I do believe that other installations of Electab V1.s MAY exist on other machines in the office, but cannot confirm. Triad also provides the voter registration database for Hocking as a separate product. This is the data base that may run under more modern operating systems and applications <FoxPro as an example> I do not know anything about Triads Total Election Management Software.

I have been told by another county BoE <not Hocking> that every BoE has a T-1 line installed from the state. In my sources county the BoE is tight about security, that T-1 IS NOT connected to the local BoE's ethernet. And their tabulator is not connected to the local eithernet. However this particular BoE's tabulator does have a modem. To use it they have to unplug their fax line and plug the modem in from their office. This is occationally done to upgrade the Electab software. We are told by Triad that the same version of ElecTab is in use in all Ohio Triad counties. Triad also allowed us to print the directory tree for the Hocking computer.
Triad does take floppy copies of the tabulator count files on the night of the election or shortly thereafter. Remember that this data is what the BoEs hand out the night of the election, so it is public record. However the application required to read the data <Electab> is not public. Handy data to have.
Triad maintains open web space on their server that local BoEs may use to post local election results. Triad claims that they do not post the data, but that the local BoEs do the posting.

What does this all mean? That installations and practical security vary from BoE to BoE.


About reprogramming the tabulator.
Ohio has for many decades insisted that in recounts, only the race to be recounted will be tabulated. They do not want any found or corrected votes in the recount race to affect down ballot races and throw them into question. <A tacit admission that there are errors in vote counting > Again this is state, not Triad policy. Triad contracts with individual BoEs, not the state. As part of their standard sevice agreement, they create at no separate charge a new SETUP FILE so that only the race being recounting is tabulated and reported. I believe that this is policy for ESS optical scans as well.

About the recount:
You take a precinct(s) that combined, total at least 3% of the county's vote total, handcount that precinct(s), then run that stack through the tabulator. If totals votes match exactly then the rest of the county is run through the tabulator and machine recounted.
If totals on the 3% sample do not match, you handcount the entire county. Which is what every one, except us, wants to avoid.
I think only one county has gone to handcount, and they invited it, because they found a major accounting error in their official total.

About "Un-rigging" via modem.
Actually any hack that affects the official tabulation of votes must also be present for the recount, because the whole point is for the recount machine tabulated totals to closely match the official totals. So the hack code <if any> must be resident and active for both runs. Additionally it must anticipate which precincts are likely to be preselected for a 3% handcount, and NOT hack the totals in those precincts. Additionally it must pass the test decks without applying the hack, as these are handcounted also. A tall order but possible. The point being that once resident and applying the hack, the script must stay in place and remain active. There is no reason to remove it. Got it?

About illegal "tampering" by the Triad tech
Fact is, batteries fail and in old systems they will take down the BIOS with them. I have worked on hardware since before the first IBM PC and have had this very thing happen. When it does the system no longer knows the track and sector assignments for the HD and thus cannot read the HD. Fix is to open the case, read the HD serial number, find someone that has a database for that series of drive and re-setup system BIOS with new track and sector assignments, the data on the drive is not affected. And that is in fact what happened and what the tech fixed. Happened again on Monday during the BoE meeting in Hocking. Old, beat equipment.

About the "cheat sheet"
This is far more intersting, as it indicates that there is a tacit assumtion amoungst all parties that:
* BoEs will preselect their 3% precincts <in plain violation of Ohio statute which requires that the selection be random, for obvious reasons>
* That the precincts selected will be those most likely to scan well by the tabulator.
* That the tech was trying to point out a way that BoE ballot handcounters could remember how many over and under votes are in the precinct to be handcounted as part of the 3%, and thus anticipate and make sure to find them. This is important because it is undervotes that punchcards are most likely to miss. If missed the county goes to a hand count.

Given these assumptions, the clever evil green man intent upon hacking the system will stay away from precints likely to be selected for the 3% count, and instead focus on those precincts least likely to be hand counted to apply the hack. Focus on these and you have a way to hack the results, provided you can predict which precincts will never be pre-selected for the 3% handcount.

Remember, this does not mean that the system is hacked. But it provides a rational for how it could be. Got It?

Lastly, there is more to the logic that any hack script MUST incorporate, given the presently observered behavior of the system. Knowing this it should be possible to construct a logical test run protocol that would defeat any logically possible hack and prove that either:
* the count is honest OR
* The count is hacked

That's what I am working on. Preparing to make history or dash a lot of hopes, but seeking the truth of the matter in either case.

Best and Brightest Soltice to all.
Sure in the promise that the light will return in these darkest of days.

Orren Whiddon
SE Ohio Co-ord
Green Recount


http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=203x195088

But ... will we ever FIND it?

Is there a card reader/tabulator at every precinct or just one at the county BOE? Can the votes be counted at each individual polling place or are all the cards transported to BOE headquarters to be run through the card reader?

http://cardamation.com you can see what a punch card tabulator looks like. I bet there is only 1 per county. I know the physical ballots are delivered to the BoE.

You can also look at a card punch machine. Presumably a machine that could punch cards that match the hacked totals.

It means that you can check the tabulator and everything which happened to the system afterwards. So if the machines are correct and the hacks are in the tabulator or further down the line then you can take the floppies, read the data and do your own tabulations. If those tabulations match the outcome then everything is fine otherwise there has been a hack.

It's more likely that you would hack the tabulator instead of the reading machines, so what is needed is a way the figure out how to data is stored on the floppies and even though it isn't public, I would assume that it is in a very simple format, because Cobol programs tend to store everything in text anyhow. ( " 125, 128" instead of 007D0080xH etc. )

Edit: Stupid typo

Asregards number of tabulators, in my region the counties all bring their ballots into the BoE for counting. I do not know about the huge counties like Clevelend and Cinnci.

As I mentioned in my post, the floppy data from the election is public, the program required to read it is not.

Any hack should be checked for at the precinct data level, because that is the base level source for the data. If the hack is upstream, it will return differing values than the precinct count. This is verifyed by our 3% samples passing the handcount. This requires fairly subtle logical reasoning to get ones arms around it.

I am writing out a test protocol that will fully exercize the system and strip out any possible way a possible hack could operate. This is developing over the next few days.

We will see were it goes

Orren Whiddon
SE Ohio Green

If the ballots are only counted at the county's BOE headquarters then there would be nothing to hack at the precinct level.

The "floppy data" presented to the public was processed by the TRIAD tabulation software. It reads the raw output from the card reader/scanner, totals it, and relates the data to the precinct/race/candidate in a form that humans can easily read.

Since precinct# is a mandatory field for each card, it would be a simple matter to pick and choose which precincts to have the tabulator software manipulate and which ones to leave alone.

If you knew before the election exactly which precincts would be chosen for the hand count/machine count match...you could program the tabulator to record those precincts accurately on election day. If you knew which precincts would NOT be hand counted, then you could hack all those precincts. Therefore you could hack approximately 97% of the precincts and get away with it.

To avoid a full hand recount, Ohio law requires counting only 3% percent of the county's vote and having it match up perfectly with a second machine count. That 3% percent is taken from the least number of polls/precincts that will total 3% of the total county vote. To avoid the recount, it is absolutely crucial to make sure that 1) the tabulator knew to count those precincts accurately the first time and 2) that it will count them accurately the second time as well.

Hand counting ballots is HARD WORK, so its very helpful to have the total from machine count posted on the wall ;-) Especially if you're not 100% confident that Nos. 1 & 2 above were satisfied.

Great and perceptive post Torches!

You have the picture. But I would point out in your first statement that if results are hacked upstream of the local tabulator, that will be found out when the actual precinct deck is rescanned, as its totals will not match the hacked totals. Precint level rescans will uncover all upstream hacking IF you can do them without using the ElecTab software as the overlay.

Please remember also that nothing I am saying is an accusation of fraud. Merely surmising how it could be done, and how to find it; IF it has occured.

Orren

If all the ballots for the county are only counted at one sight, the county BOE, then that is the only place manipulation needs to occur.

You mention "local" tabulator. Are you referring to the one at the county BOE? I would assume the results are tallied there and sent to the state to aggregate all the counties. So I see only two tabulators: one at the county level (for card reading) and the other at the state level (for summing). The central tabulator at the state level reads the finished, not raw, data from the counties. Therefore there is no need to manipulate upstream. Thus the "local" tabulator, the one connected to the card reader and programmed to interpret its results, is the only place one would need to hack.

Reading the raw output from the card readers, left unprocessed by TRIAD, would surely indicate whether any hanky-panky took place in the tabulation software. Of course, a hand recount of the entire county would also settle matters.


I am not accusing fraud either. I'm just trying to understand the architecture and data design to discover potential areas where fraud could occur. I think the key here is to determine whether TRIAD knew beforehand which precincts would be re-counted.

Toech

I misread your previous post, you are dead on. If it happens, it likely happened at the local level and will certainly be found at the local level.
Best

Orren

...this is exactly what we need: hard information from the front lines.

Best of luck to you. Thank you for doing the "hard work" of democracy.

then it's possible to bypass triad altogether for a recount. All you need to do is copy the cards to a file and then import it to a DB. Duck soup.

-Hoot

Conceptually correct. In fact one should be able to disable the Triad program and collect just the raw punchcard data, ie: which hole is punched and how many times, without the data aquisition and reporting overlay that ElecTab V1.s provides. Do the tabulation of the raw data manually in a notebook and presto, verified results.

Orren

I'm curious, and maybe just too ignorant to understand: what you're working on now, is it a test of that particular tabulator in Hocking County? DO you have access to test this or other actual tabulators? What about the question raised about having changed out the harddrive? Does that come into it at all?

And by the way, I am so thankful to see the diligent, thoughtful, thorough work being done by you and so many people posting here. It offers inspiration and hope.

The test Protocol should be applicable to all punchcard and optical systems, irrespective of vendor.

I really should not get more specific as this is developing. The Eleves work right on through Christmas you know. Santa is a hard task master :)

Best
Orren

prejudging the precincts thwarts recount law in Ohio

It appears to me (from your note) that a 3% sample is hand-counted, then the cards are fed into the machine. Both counts should match.

However, I have also read that after a 3% sample is hand-counted, the count should match the results from already certified results. If they don't match, then the cards are fed thru the machine.

So which is correct, or have both methods been done in different counties.

Thanks

p.s. edited to correct typo.

I think the intent of the law is clear. Hand count must match machine count must match official for the 3% precinct.
BoEs have their own mysterious ways and disagree when the 3% doesn't match the official.
Your milage will vary

Orren

We have heard several times that the 3% recount involved precincts not chosen randomly, as law requires. HOW IN THE WORLD WAS THIS ALLOWED TO HAPPEN?

Isn't this key?

I also wondered how or why this was allowed to happen. Either the Glibs did not know about it until later when all the recounts started yileding perfect matches OR they kept going with it to actually reveal how the recount was rigged

It is important to understand that legally, we are witnesses. We have no power to demand or insist on thing. All we can do is object, and log our objections.
So we objected to the non random selection and they said "We disagree" if a nice BoE and "F--- Y--" if not so nice. Some BoEs just presented a single precinct. Most had preselected say 6 precincts and then voted on the final ones to use, still not randow. We had one county in the state actually put slips of paper in a can and pull them out, and that is random. Se K Olbermans blog for my take on this.

In relatively clean BoEs we will probally let the preselection stand. In not so clean BoEs the affidavits are being sworn out on this and other matters. We simply do not have the resources to take all the BoEs to the mat. There are 88 of them

Remember that we Greens are bucks down, can do, with minimal resources. If you think you care, donate. We are not getting funds from anywhere else. Money does make it happen. <Advertising pitch OFF>

Orren

i truly admire what you are doing and i am not alone. without you guys and the freepress guys we would have been nowhere

Sorry if I was misinterpreted, absolutely no offence taken on my part.
Best
Orren

that is crucial, and without you guys there would have been non at all

....especially since 3 Nov 2004, here at DU and at many other websites, have done is send the freeplurkers and other scumlurkers, scurrying to cover-up.

I do think we've provided many, many pointers for them.

I also hope some savy, strategic folk have been 'watching' the scurrying. :evilgrin:

Peace.

I started reading DU about 2 months before I volunteered for the recount. 95% of the DU posts are noise, 5% are pure gold and pointed me in the right directions to look. Big problem in filtering the noise from the gold.

Regarding punchcards, if you read my openning you will see that anything inserted to hack the machine tallies would have to still be there, so stating where we are going to look does not help the evil little green men in their coverup. This is not true however in DRE counties.

DU is a real service to those who think slowly and with consideration.
Best

Orren

are belong to us

I too, started reading DU a couple months ago. Just recently got an ID to post. Definitely, more noise than gold, but the gold is priceless! Thanks for your help in the recount.

..in each county, in every State. So, so many levels of concern, as you can well imagine, regarding those systems -- especially in those counties/precincts in which 'hard copy' of each ballot has been systematically eliminated by the fools (or worse) who installed 'all electronic' vote-casting devices.

Peace.

This is the best place to go if your county is large and is running DREs. The DREs just make it a one stop shopping experience with the Central Tabulator.

If you are running paper, you go to the local level to hack. I do not know for a fact if any very large paper counties have remote ballot tabulation sites that then feed to a county wide central data tabulator for colating the final results. Would like to confirm this though. However, if such a paper county exited, and the central data tabulator was hacked, you would find it by simply recounting a local precinct deck of ballots with a clean card reader. The precinct totals would disagree. See previous post regarding developement of a Test Protocol.

Orren

And always get the same results IF you knew in advance which precincts to keep clean. The important question is WHEN the precincts for the 3% hand counting were picked -- BEFORE or AFTER election day? Without this prior information I don't see any way it could be hacked and still withstand a limited hand re-count.

Touch screen machines OTOH have numerous ways they can be hacked as well as multiple ways to audit them. Unfortunately the only reliable method for auditing requires a paper trail. There is NO WAY to reliably audit a completely paper-less system...

Torches

What I have observed is the following. BoEs can be counted on to reduce their work. They do not want to spend Xmas handcounting their county and will work < as human nature dictates> to avoid the handcount. They will try to preselect precincts that are just over 3% in total vote counts in small counties. In larger counties they will select multiple precincts that are geographically distribited and have a close to even split of presidential votes. They will preselect 6-10 precincts and then vote on the final few <bear in mind that a county with 35k votes might have 100 precincts, a large county well over a thousand>

If you had access to complete vote tabulations for previous elections, you could separate out your precincts into two piles of 50% each based on the above criterion PRIOR TO THE ELECTION. Safe precincts to hack are those with wide margins between canidates in large counties, or those furthest away from 3% of the vote in small counties. I think you would have a very good chance of never having one of your piles pulled for a hand count. Thus your hack would pass muster on the 3% handcount. You would also stay away from small, well run counties altogeather.

In the case of 35k votes with 100 precincts, your script now randomly flips 2% of the vote in those precints, that creates a 4% difference. Thats just 6-7 flipped ballots in a 350 vote precinct. You just hacked a 2% margin into that county. There are issues around how to get past the test decks, but I think I have them figured out. It all only works if you can count on BoEs to preselect precienct according to some identifyed pattern. Thats why the state legislature insisted on RANDOM selection.

Now this is not a 100% fool proof hack, none are. But I bet it would work.

DISCLAIMER: I have no physical evedence that this has taken place, but to catch a thief, you must think like one.

Orren

Triad would know exactly which combination of precincts would yield the 3% most easily to save extra work. Its risky but might be statistically safe.

In a 350 vote precinct, what is the average number of overvotes/undervotes? If only six or seven ballots need to be flipped in each precinct, then the hand counter could probably just add or subtract to the under/overvote total. Or explain away the inconsistency by assuming its due to the undervotes. If its real close and the hand counters are lazy they probably wouldn't mention the discrepancy because then they would have to count all over again.

I know Winternals ERD commander and EasyRecovery can do this, and I think it would likely turn up any suspicious software. You can also scan for *.bat, *.com, etc and find all the executables that have ever been deleted frm the system (assuming nobody has ever defragged it or wiped the freespace clean).

See above post regarding witnesses.

We are observers, we cannot touch anything during the actuall recount. Most BoE's can barely turn their equipment on and will s--t a b---k if I load software on their drive. Bet I would be writing this from jail too! I can see the headlines now, "Green volunteer inserts fake hack software on BoE's tabulator" :)

Orren

I know you guys don't have the access, but technically ERD commander doesn't install anything because it is a bootable cd and Easyrecovery also supports a recovery disk that will do what it does via a bootable floppy. If you want I can email you the floppy image

ja_investigate@earthlink.net

I think I would still go to jail.
:)

Orren

That is why I believe the memme, "dems would have to be in on the fraud because the BoEs are run by 2 republicans and 2 democrats" is absolutely false. Tabulation fraud is invisible, there is nothing to see. A naive BoE dem would be so easy to fool. Even Ms. Eaton showed how trusting she was when she counterclaimed the Greens twisted her words. That nice young man from Triad who was so helpful, could not have been up to no good, in her eyes. After seeing the video of Barbian, I could just see how anything he said would be accepted at face value.

I agree Rose
It is important to understand that with the offices that I have seen, anyone could get to the system. Sales rep, citizen, janitor, ethernet if hooked up. And you have months if not years of time to install the hack before you need it.

It certainly does not require corrupt BoE officials or corrupt machine vendors. That would help though :)

Some officials are trusting, and some are quite knowledgable about their gear and process. It varies from BoE to BoE. The knowledgable hacker will stay away from knowledgable offices.

Anyway, the real point is to develope a test protocol and go through a very suspicious county with a fine tooth comb. We cannot do that as part of the recount, but as citizens we can do it afterwards. I know that makes no sence, but it is how the law works.

Best

Orren Whiddon
SE OHIO Green

What came into my mind while reading this post is Triad could send their own POTS (Plain old telephone) line through the T-1, have the local election officials plug in the special modem line, also ensuring them transparency from the local telephone company. You need a telecom tech (like myself) to trace this line and see if goes to this particular circuit.
They probably bought a PBX switch, have T-1s going out to all the locations, and send them single-line circuits, to connect to dial-up modems. That way the phone company cannot monitor any suspicious telephone activity. All they see is a bunch of 0's and 1's (binary code) going through their equiptment.

As posted above someone must manually plug in the modem to transmit data. And Hocking County's tabulator workstation did not even have a modem. These computers are not connected to the LAN. That begs the question as to how Hocking's results were transmitted to TRIAD or to the state BOE.

The data could be saved to floppy and loaded onto another workstation in the office that runs the tabulator software and is connected to the LAN or internet. The data could then be transmitted by any of the ways you mentioned.

Hit the nail Torches!

Good old sneaker-net works too. Anyone could in an idle moment snarf a floppy to the tabulator. If its the hack, could be months ahead of the election.

And as I mentioned in my main post, Triad does keep copies the night of the election because it is public record at that point. You have to have a copy of Electab V1.s to read it of course.

Now if I was an evil little green man, having raw tabulator data for every state in the USA would be a real asset in developing custom hacks. And remember, that floppy is public record, I do not need Triad to get it <helps though> I would have real data to test my hack against. Make my hack unbeatable. Until the man in the White Hat shows up. <That would be those yapping pit bull terriors, the Greens> :)

Opps, there went that particular cat, but I have more in the bag.

Orren

Do keep most of them 'in the bag' pleeeeasssseee :toast:

Peace.

I don't know if any ideas can be gleaned from what allegedly happened in Cincinnati in 1987.

http://www.networkamerica.org/wiretap.htm

http://www.networkamerica.org/wiretap2.htm

I've heard that several counties (?) are already finished. If they're finished, and the hacking protocol is discovered, can they be ordered to do it again, I hope?

Its all a question of time, lawyers and money, money, money.

Nothing would suit my own perverse sence of humor better than for some states to be proven fraudulent months after the inaugeration. I think this could be the best possible longterm outcome for any possibility of a constitutional admendment giving citizens the direct right to vote in federal elections. Which is the crux of the d--n problem.

Having said that, as an ex manufacturing engineer, I work very hard NOT to let my emotions affect my collection or accessment of the data.

There lies the tinfoil hat. I dare not go there.

Orren

out how to read them: My sister-in-law speaks Cobol, and I can't believe the data fields will be very difficult to decipher.

We should be able to get them as they are public record, but right now have bigger fish to fry. They may well be under some form of compression or encryption too. Ongoing developements are more important to pursue.

Best
Orren

to glibs, arnebeck, nvri, freepress

<here>

But I need to go away for a bit, I will check in later.

I do want to say that I have spent at least 2 hours in conversation with Brett Rapp, the president of Triad. He has been open, cooperative and pleasant. His firm has always had a policy of not donating to political parties, unlike some others. As individuals they do make personal donations, and that is right and proper.

In short, let us not endulge our emotions by charicterizing an individual without hard evidence. When we do so we become no better than the folks we are resisting.

having said that, what we are resisting nationally is

The New Face of Fascism

"This is not the end of the fight, nor the beginning of the end. It is the end of the beginning." --Thanks Winston

Best

Orren Whiddon
SE Ohio Green

I apologize for jumping into your thread, but please have your counterpart in SW Ohio (Specifically Warren County) contact me. I've been trying to get clarification/confirmation of the recount numbers as posted on the votecobb.org site.

I can be reached as
harmonyguy2000 at yahoo dot com

Thanks
HG

Harmony
se
http://ohio-recount.info/phpbb2/index.php
our discussion forum from here I believe you can ping the SW Regional Coord. Of course contact over the holidays may be spotty.
Good Luck
Orren

:kick:

Has anyone interviewed this woman? She might be helpful She worked for ES&S but there may be similarities.

http://www.wishtv.com/Global/story.asp?S=1806520

I can't wait for Lady Karma to smack those little bandits right upside the head!:bounce:

Karma and Justice are both blind and lazy, reacting best to a good kick in the a--!
Best
Orren

This is exactly what I hope will happen. Either we'll prove that the count was hacked or that it was valid. We can finally proceed from either result. Right now, we're in limbo.

BTW, COBOL?! ROFL! Even I could alter that and I haven't programmed in well over a decade. COBOL is child's play.

The more I read, the more I believe that Triad is the weak link. Which suits me just fine. ;)

Yes, cobol is old. Triad could be involved.

Bur remember...
If we are actually able to run the test protocol on real ballots it may very well prove that at least paper based voting system vote counts are in fact valid in this election, in Ohio. Gonna break a lot of hearts I think.

But I tpoo want the truth. If that means the citizens of Ohio really voted for Bush, I want to be able to support that choice.

Orren