Friday, December 23, 2005

Hack The Vote....AGAIN?

More Questions for Florida

Page 1 of 2 next ยป

Researchers: Florida Vote Fishy
House Dems Seek Election Inquiry
Watchdogs Spot E-Vote Glitches
Pull the lever on Machine Politics
By Kim Zetter Kim Zetter | Also by this reporter
2004-12-13 16:30:00.0

A government watchdog group is investigating allegations made by a Florida programmer that are whipping up a frenzy among bloggers and people who believe Republicans stole the recent election.

Programmer Clint Curtis claims that four years ago Rep. Tom Feeney (R-Florida) asked his then-employer to write software to alter votes on electronic voting machines in Florida.

He said his employer told him the code would be used "to control the vote" in West Palm Beach, Florida. But a fellow employee disputed the programmer's claims and said the meetings he described never took place.

Many questions have been raised about Curtis, the 46-year-old programmer, who said he doesn't know if anyone ever placed the prototype code on voting machines. But this hasn't stopped frustrated voters and bloggers from seizing his story. Daily Kos mentioned the allegations, and Brad Friedman of The Brad Blog has written extensively about them.

Staff members for Rep. John Conyers (D-Michigan) met with Curtis last week to discuss the election allegations. Representatives for Sen. Bill Nelson (D-Florida) inquired about other allegations from Curtis that his former company spied on NASA.

The FBI in Tallahassee, Florida, has set up a meeting with Curtis, and Citizens for Responsibility and Ethics in Washington, or CREW, said it was trying to corroborate his claims about possible election fraud and NASA spying.

The group hopes that even if the election allegations aren't proven, they will inspire legislators to pass a law requiring voting software to be open to public inspection to help deter fraud and restore public confidence in the election process. The software code used in voting machines is considered proprietary and it is protected from public examination -- an issue voting activists have been trying to address.

"I think Mr. Curtis helps make that issue a little more difficult to shunt aside," said CREW Executive Director Melani Sloan. "You don't even have to believe what he says (in order to be concerned about voting machines), just that he created a program. If he can do it, anyone can."

In September 2000, Curtis was working for Yang Enterprises in Oviedo, Florida, a software design firm that contracts with NASA, ExxonMobil and the Florida Department of Transportation, among other clients. According to Curtis, Feeney met with him and Lee Yang, the company's president, to request the voting software.

At the time, Feeney was Yang's corporate attorney and a registered lobbyist for the company as well as a member of Florida's legislature. A month later, he would become speaker of Florida's House of Representatives. In 2002 he was elected to Congress.

Curtis said Feeney asked for code that could go undetected on a voting machine and be easily triggered without any devices by anyone using the machine. Curtis had never seen source code for a voting machine, but in five hours, he said he designed code in Visual Basic that would launch if someone touched specific spots on the voting screen after selecting a candidate.

Once the code was activated, it would search the machine to see if the selected candidate's total was behind. If it was, the machine would award that candidate 51 percent of the total votes recorded on the machine and redistribute the remaining votes among the other candidates in the race.

Curtis said he initially believed Feeney wanted the code to see if such fraud were possible and to know how to detect it. The programmer told Feeney that such code could never be undetectable in source code, and he wrote a paper describing how to look for it. But when he gave the paper and code to his employer, Yang told him he was looking at it all wrong. They weren't looking at how to find code, Curtis said she told him. They needed code that couldn't be found.

"Her words were that it was needed to control the vote in West Palm Beach, Florida," Curtis said. "Once she said, 'We need to steal an election,' that put me back. I made it clear that I could not produce code that could do that and no one else should."

Curtis says he left the company in February 2001 because he found its ethics questionable. He doesn't know if his code was ever used.

Neither Feeney's spokeswoman nor election officials in Palm Beach County returned calls for comment. But a man who identified himself as Mike Cohen, Yang's executive assistant at the time whom Curtis said was in the meeting, told Wired News the meeting never occurred. Cohen said Curtis was "100 percent" wrong and that Cohen didn't attend such a meeting. He added he knew nothing of any meeting on the topic that occurred without him.

Yang attorney Michael O'Quinn called Curtis' assertions "absurd and categorically untrue." He said Curtis is an opportunist and a disgruntled former employee furthering an agenda by telling lies. According to O'Quinn, Curtis tried the same tactic in 2002 when he leveled other charges against Yang and Feeney.

Some details of Curtis' statements don't check out. West Palm Beach city didn't use touch-screen machines in 2000, something Curtis didn't know when Wired News spoke to him. It was the pregnant chad controversy in that year's presidential election that led Palm Beach county, where West Palm Beach resides, to replace its much-maligned punch-card system with touch-screen machines made by Sequoia Voting Systems in December 2001.

But Curtis said the program could have been adapted for use in the counting software used with punch-card machines and optical scan machines, or it could have been used on the new touch-screen machines in 2002, the year Feeney was elected to Congress.

Adam Stubblefield, a graduate student in computer science at Johns Hopkins University who co-authored a now-famous report (.pdf) about Diebold's voting machine code last year, thinks the chances that Curtis' code was used in a voting machine are nil.

"(Curtis) clearly didn't have the source code to any voting machine, and his program is so trivial that it would be much easier to rewrite it than to rework it," said Stubblefield.

Stubblefield also found fault in Curtis' statement that any malicious code would be detected in a source code review. This would be true only for unsophisticated malicious code, like Curtis' prototype.

Despite Curtis' concerns about statements Yang and Feeney supposedly made regarding election fraud, Curtis didn't tell the FBI or election officials in West Palm Beach about them, even after the 2000 election thrust Florida into the international spotlight.

He said he didn't worry about the code or Yang's statements because he believed if anyone installed malicious code on a voting machine authorities would find it when they examined the code. It wasn't until he read a news story last spring indicating that voting software is proprietary and is not open for inspection once it's certified that the earlier conversations began to concern him.

He claims he did later tell the CIA, the FBI, an investigator for Florida's Department of Transportation and a reporter for the Daytona Beach News-Journal about the voting issues when he gave them other information about Yang and Feeney. But so far this has not been corroborated. The FBI did not return calls for comment. The Department of Transportation investigator is dead.

And writer Laura Zuckerman who worked closely with Curtis on several stories for the Daytona paper, told Wired News he never mentioned the voting software code.

In 2002, Zuckerman wrote about allegations Curtis made that Yang Enterprises overcharged the Department of Transportation for work it never performed. In addition, Curtis told Zuckerman that Yang employed an illegal Chinese national while working on government contracts for NASA, and that the company was possibly spying on NASA by downloading documents from the NASA computer system.

"I didn't get a hint of anything like that at the time that I was writing any of these stories," Zuckerman (who no longer works for the newspaper) said.

However, other information provided by Curtis has been somewhat corroborated. The overbilling charge was confirmed by a Department of Transportation employee, although an official state investigation found no wrongdoing. Curtis thinks pressure from Feeney and others helped squelch the investigation, charges that Zuckerman did not find implausible from her own research.

And Last March, the Chinese national that Curtis discussed, Hai Lin Nee, was arrested in a 4-year-old Immigration and Customs Enforcement sting operation for trying to mail sensitive computer chips to Beijing in 1999 in violation of export rules.

But no one at Yang has been arrested for spying on NASA or stealing documents, despite a letter Curtis sent to a NASA investigator in February 2002 suggesting the company might be doing so. Curtis believes Feeney squelched that investigation as well to protect Yang. Both CREW and staff for Sen. Nelson's office are looking into those charges.

Curtis recently signed an affidavit (.pdf) and says he's willing to take a polygraph test. In the affidavit, Curtis stated that Feeney once "bragged that he had already implemented 'exclusion lists' to reduce the 'black vote'" and discussed ways of further impeding the black vote through strategic use of police patrols on Election Day.

His willingness to go on record with his vote fraud allegations is what makes some believe him.

Jon Kaney, a prominent Florida attorney who represents the Daytona Beach News-Journal and sparred with Feeney over articles the paper wrote about the lawmaker in 2002, said the affidavit does take things up a notch.

"You don't casually go around swearing under penalties of perjury unless you think you're right," Kaney said. "The affidavit struck me as something somebody ought to be looking at." But he said his first reaction to the affidavit was: "Gag. This can't be believed."

It remains to be seen if any new investigations can uncover the truth.

January 23, 2006
"I Saw It Hacked"
Diebold in Florida


I was one of ten people present at the "hack" of the Leon County, Florida voting system, which took place on Tuesday, December 13, 2005 around 4:30 in the afternoon at the county elections warehouse. Leon County's voting system is the Diebold Accu-Vote OS 1.94w (optical scan).

The Leon County Supervisor of Elections, Ion Sancho, authorized a "test" of his Diebold voting system to see if election results could be altered using only a memory card. Harri Hursti, a computer programmer from Finland facilitated the test and it has come to be known as the "Harri Hursti Hack."

What follows is my description of that hack and its significance for our nation, which I hope will correct much of the misinformation circulating regarding this event.

To select which voting machine to use for the test, Ion drew a serial number of one voting machine from a container holding all the serial numbers of all the Leon County machines.

Since the test took place at the elections warehouse, all the voting machines were already stored there and the one machine, whose serial number was selected, was located and brought into the warehouse office, where it was plugged into an electrical outlet (so it could operate!). It was not networked to any other machines. We checked the serial number of the machine against the serial number that Ion had randomly selected.

Earlier, Ion had given ONE Diebold memory card to Hursti. Bev Harris and Kathleen Wynne of Black Box Voting were also present at the test.

Harri had programmed the memory card that morning, in his hotel room, using an off-the-shelf crop scanner. I drove Harri in my car from the hotel to the warehouse. When we arrived, Harri was asked to stay outside the warehouse office where the central tabulator is located, so that there would be no question about whether he had had any access to the central tabulator. When the randomly-selected voting machine was brought into the warehouse office, all of us went into the warehouse office except Harri, whom we could see sitting in a chair on the other side of a plate glass window separating the office from the rest of the warehouse.

Ion ran a complete mock election. He had had actual paper ballots pre-printed with the following question:

"Can the votes on this Diebold system be hacked using the memory card?"

There were two possible answers: "Yes" or "No," with an oval to the left of each answer to be filled in by the voter.

Everything was conducted as in a normal election. Ion first printed a "zero tape" (a poll tape from the machine that is supposed to show that nothing has been altered before the election begins). This was the first step in the hack --the zero tape showed zero votes for both the "Yes" answer and the "No" answer, even though Harri had altered the memory card and votes had been subtracted from one answer and added to the other answer. Harri used the interpreted (executable) code to cover up the fact that he had changed the vote counters.

Then eight of us voted, filling in the oval on our paper ballot. Six of us voted "No," the election could not be hacked. Two of us voted "Yes," it could be hacked. Then, one by one, we inserted our ballots into the voting machine. Ion checked after each voter to make sure that the counter on the machine was counting properly as each ballot was inserted. So, we ended up with an accurate count of 8 ballots cast on the screen on the front of the voting machine. Then Ion placed an "ender card" in the machine to end the election and printed the poll tape.

Instead of two "Yes" votes, the poll tape showed seven "Yes" votes.

Instead of six "No" votes, the poll tape showed one "No" vote.

Harri did not just flip the votes, as he wanted to show how easy it was to change the totals completely.

At that point, Ion Sancho's technician, TJ, said, "Well, that doesn't prove anything because the printer template can be changed." (And that is true. The poll tape can be made to read anything at all, which was proved in an earlier test on a Leon County op-scan in May of 2005, when the poll-tape was made to say, at the bottom of the tape, "Is this real or is it Memorex?")

Ion responded to TJ that they were taking this to the next level and that he wanted TJ to upload the memory card to the central tabulator. TJ, who had quite apparently been talking to the Diebold reps, said he didn't want that to happen because he didn't know if Harri might have planted some kind of virus on the memory card that would infect the central tabulator. Ion then explained to TJ that, just an hour earlier, he had obtained permission from the Leon County Council to replace the Diebold system. That meant that the Leon County Diebold system would never be used in any election again, and thus Ion said it was all right to upload the memory card to the central tabulator. (The irony here, of course, is that Diebold would worry about a virus being planted on this particular memory card! What about all the thousands of people around the country who have access to memory cards...doesn't Diebold worry about one of them planting a virus? And the second irony is that ITA testing is supposed to catch these security vulnerabilities and yet Diebold claimed to be worried about a security exploitation by Harri Hursti AFTER all ITA testing had been completed).

So, TJ became convinced that it was all right to upload the memory card, which he did. And there, on the central tabulator screen, appeared the altered results: Seven "Yes" votes and one "No" vote, with absolutely no evidence that anything had been altered. It was a powerful moment and, I will admit, it had the unexpected result for me personally of causing me to break down and cry. Why did I cry? It was the last thing I thought I would do, but it happened for so many reasons. I cried because it was so clear that Diebold had been lying. I cried because there was proof, before my very eyes, that these machines were every bit as bad as we all had feared. I cried because we have been so unjustly attacked as "conspiracy theorists" and "technophobes" when Diebold knew full well that its voting system could alter election results. More than that, that Diebold planned to have a voting system that could alter results. And I cried because it suddenly hit me, like a Mack truck, that this was proof positive that our democracy is and has been, as we have all feared, truly at the mercy of unscrupulous vendors who are producing electronic voting machines that can change election results without detection.

Beyond this, however, what is the real significance of the "Harri Hursti hack?" There are several answers to that question.

First of all, the Hursti hack reveals only one vulnerability in an almost unlimited number of potential flaws or vulnerabilities in electronic voting systems (both op-scans and DREs). However, the Hursti hack is individually significant because the flaw it exposed is a planned vulnerability in the system, not something that is accidentally there. It had to be PUT there (programmed) on purpose. For Diebold to claim innocence about this would be absurd. It would be like saying you didn't know your garage had a door while you were standing there holding the garage door opener. Or, because this security vulnerability is so huge, it would more accurately be like saying you didn't know your house had a garage at all!!

Since something like 95% of computer scientists agree that electronic voting machines (op-scans and DREs) have an almost infinite number of potential flaws or vulnerabilities, the Hursti hack shows, above all, THE IMPORTANCE OF HAVING PAPER BALLOTS for an independent confirmation of machine results. The beauty of paper ballots is that they are completely independent of any machine, unlike the printer paper trail. Therefore, they provide a true independent, manual audit of machine results. Paper ballots are also the only electronic voting method that eliminates, almost completely, any question about voter intent because the ballots are voter-generated, filled in by the voter's own hand, thus eliminating the need for a voter to confirm his/her choices on any printer-issued receipt. Paper ballots are the only way to have a fail-safe election with any electronic voting machine. You must have paper ballots and you must manually audit (count) a portion or all of those ballots in every election.

The ONLY evidence in the Hursti hack that could discredit his alteration of results were the paper ballots themselves.But these ballots can only be useful if they are actually counted after an election to check against the machine count. The Hursti hack shows clearly that there must be an independent paper trail that can be manually audited to confirm (or discredit) machine results. The hack exposes a serious electronic voting flaw, but then, ironically, re-instates optical scan as the only electronic voting method that provides truly independent, manual audit capabilities.

Susan Pynchon is a member of Florida Coalition for Fair Elections, and can be reached through Vote Trust USA, where this piece originally appeared.


Post a Comment

<< Home