Comments on Results of Top-To-Bottom Review by Jerry Berkman
Jerry Berkman, August 1, 2007
Secretary Bowen and Deputy Secretary Finley:
I am Jerry Berkman, a retired computer programmer at U.C. Berkeley,
with an interest in and a certification in computer security earned
from the SANS Institute [1] in 2003.
Thank you very much for performing the Top-To-Bottom Review
of Voting Systems. It was much overdue.
Claims vs. Reality
The registrars, vendors, and supporters of the DRE election
systems make claims which do not seem to be based on reality.
One part of the problem may be that the DRE supporters may feel we
need only to defend against amateur attacks. If someone wants to
fix a Gubernatorial race, or U.S. Senate race, they will probably
have millions to spend, and be able to hire real talent, not amateurs.
Supporters claim you can feel confident due to the integrity
and effort of our elections officials and workers.
But:
- Two election workers from Cuyahoga County, Ohio are now in jail
  for sabotaging a recount; [2]
- Their supervisor, Michael Vu, is now Assistant Registrar of Voters in
  San Diego County. He defended his workers. He must have been
  complicit or clueless.
  Either way, his hiring does not inspire confidence. [2]
- The former ROV of Monterey County, Tony Anchundo, is now in jail
  for 43 charges of forgery, misapplication of funds, embezzlement,
  falsification of accounts, and grand theft of nearly $80,000 of County
  money. [3]
- A major part of San Diego Registrar Deborah Seiler's testimony
  was that the Top-To-Bottom Review only
  reviewed 3 of the 9 systems in use, and if a system is decertified,
  counties might switch to a non-reviewed,
  less secure system. [4]
  The Review press release states: [5]
  "Five other currently certified voting systems were subject to
  examination under Secretary Bowen's top-to-bottom review. In four
  of those cases, vendors opted not to subject their systems to the
  top-to-bottom review because they don't intend to have any county
  use those systems in California elections after January 1, 2008."
  Why is Registrar Seiler misleading us?
- Los Angeles Registrar Connie McCormack said to the
  Los Angeles Times: [6]
  "All of us have made changes to our software - even major changes
  - and none of us have gone back to the secretary of state.
  But it was no secret we've been doing this all along."
Supporters claim you can depend on the vendors.
But:
- Diebold was decertified in 2004 for installing unauthorized
  patches without notifying the Secretary of State,
- The Top-to-Bottom Review reports mention that many features
  do not work as documented,
- Security vulnerabilities such as hard coded passwords and
  vulnerabilities to election databases which were discovered
  years ago have not been fixed, [7]
- Continuing to use Windows as a base system, instead of more
  secure systems such as FreeBSD or Linux, calls into question the
  vendor's commitment to security,
- When a system has undisclosed logins and
  logins without passwords, this again calls into
  question the vendor's commitment to security.
Supporters claim the red-team testing was unfair because
hackers wouldn't have physical access to systems for that long a time.
But:
- Researchers have been able to buy Diebold and Sequoia machines
  on eBay. [8]
- Machines can and have been stolen, e.g. six Diebold tabulation
  machines and a touch-screen voting terminal were stolen from a
  Ramada Inn in Macon, Georgia in June, 2002. [9] (It took Kathy Rogers,
  then head of the Georgia State Elections Division, two years, until
  Sep. 2004 before she would acknowledge the theft. [10] She is now
  Director of Government Relations for Diebold Election Systems
  and wrote the Diebold statement presented at the public hearing Monday.)
- Machines are lost; there are reports of machines turning up
  in odd places after elections, e.g. turning up on the streets
  of Baltimore. [11]

Does anyone really think that organized crime could not get
a few DREs and tabulators?
Supporters claim the red-team testing was unreasonable because
hackers can't get the source code.
- The Diebold source code was found unprotected on the Web.
- Someone may be able to hack the vendor's network
  to get the source code.
- Social engineering, bribing a vendor programmer,
  or bribing someone for a copy of the daily backup tapes may work.

If Los Alamos can't control its classified computer programs,
why do we believe Diebold, Sequoia, and Hart InterCivic can?
Also, the University of Connecticut published a study showing how
they altered vote totals; they did not have access to source code. [11a]
Supporters claim these are well tested systems.
But:
- When I looked at the Riverside Statement of Votes Cast for
  the last general elections, in the race for Governor,
  I found 16 precincts which it listed as having zero registered
  voters and one vote for Governor [12].
  How can that happen?
- There have been many reports commissioned to look at the
  security of the voting systems.
  Each one finds new vulnerabilities. [13]
- The ITAs test functionality, not security [14].
- The ITA testing system has been found to be lacking, with
  Ciber, a major ITA, being denied initial accreditation by the EAC. [15]
- Many parts of the source code which were supposed to be examined
  by the ITAs were withheld by the vendors, e.g. Windows CE being
  claimed as COTS (Commercial Off The Shelf) software, even
  though it is not.
Supporters claim if a system hasn't been proven to
be hacked, then it is secure.
This has proven false with:
- Kryptonite locks for bicycles were once regarded as the ultimate
  in security, until an article was published on how to open them quickly
  and easily with a Bic pen. [16]
- Door locks: easily opened with "bump" keys available for a few
  dollars on the Internet. [17]
- Even high-security White House locks. [17a]
- RFID keys for cars: these can be bypassed by a series of pulls on
  the emergency brake [18] and the
  supposedly unreproducible keys can
  be reproduced. [19]
The Current Situation
Currently, the systems:
- The systems are not secure.
- The systems are not HAVA compliant.
- The systems are not California Elections Code compliant.
- The vendors resist any attempts at oversight.
- The vendors act in a half-hearted manner to address these issues, e.g.:
  - Diebold makes voting terminal stands which are too narrow to be
    approached by a voter in a wheelchair. The legs are
    only 19" apart, while the VVSG calls for 30" apart. Even without the
    VVSG, 19" is obviously too narrow.
- None of the vendors show evidence of using modern security practices
  such as designing in security from the beginning, never using
  hardcoded passwords, always validating input, etc.
- The systems keep changing, forcing ROVs to keep upgrading their systems.
- The systems are very expensive to buy, maintain, and run.
- Each election, there are new problems, e.g. Sarasota's 18% undervote
  in the Attorney General race,
  Charlotte County, Florida's 25% undervote, minority undervotes, etc.
The system needs simplifying.
In addition, there is not enough money in the election systems
market to cause the vendors to react and fix the problems, or for
new vendors to emerge.
Another problem is the vendors' development timetables.
According to the Elections Technology Council, [20]
the timeline:
- for a minor software change to a voting system is 18 months,
- for a minor hardware change to a voting system: 24 months,
- for a major software change to a voting system: 36 months,
- for a major hardware change to a voting system: 42 months,
- for a new product to a voting system: 54 months.
These are too long. In fact, it has taken Diebold 1 and 1/2 years
to fix the problems found in the previous Secretary's term, and
these fixes are not yet California certified.
Conclusions
To keep doing what we are doing, and expect better results has
been called the definition of insanity.
So:
- Decertify immediately any system not reviewed.
- Decertify the reviewed systems. Recertify them for 2008 only,
  with stringent conditions, including:
  Other states, such as New Mexico, have switched from DREs quickly
  and painlessly.
  And, in fact, the undervotes for minority communities plummeted
  after the switch from DREs in New Mexico! [21]
- The optical scanners also have many problems; recertify them
  or switch to hand counting. The February, 2008 primary could
  easily be counted via hand, as there will be only one partisan
  race plus, possibly, a few initiatives.
Miscellaneous
Many of the Registrars in weird situations try to count votes as
the voters intended. However, that is not in the Elections Code.
It should be amended to fix that.
The Elections Code allows a maximum of 5 minutes time in the booth
with a DRE, 10 minutes for optical scan ballots. The accessibility
report showed about 10 minutes average for visual usage, 20-40 for
audio usage. The Elections Code should be amended to realistic
numbers.
The accessibility report stated there is a need for better privacy.
This is true for all voters. Cameras are so small and can zoom
from such a distance that privacy must be protected.
There should be curtains around the booths as in the old days.
Footnotes:
[1] SANS Institute
[2] North County Times, "San Diego County hires Vu as assistant registrar", April 11, 2007
[3] BradBlog, "Monterey County, CA, Registrar Tony Anchundo Pleads 'No Contest' To 43 Criminal Charges", Dec. 21, 2006
[4] Testimony during TTBR Public Hearing, July 30, 2007
[5] Press Release, July 27, 2007
[6] The Connie McCormack quote is cited several places, including:
    Kim Alexander: http://www.calvoter.org/issues/votingtech/pub/0707KACOMremarks.html
    Doug Jones: http://www.cs.uiowa.edu/~jones/voting/nist2003.html
    ACM Risks: http://catless.ncl.ac.uk/Risks/23.03.html
    LA City Beat: http://www.lacitybeat.com/article.php?id=863&IssueNum=47
[7] GEMS Central Tabulator 1.17.7, 1.18, August 31, 2004
[8] "Sale on eBay exposes vote security flaw", Jan. 31, 2007.
    "Lou Dobbs: Voting Machines Available On Ebay"
    "Keeping an eye on the count", June 2, 2007,
    Princeton professor Andrew Appel bought six Sequoia machines on eBay for $86.
[9] "Steal This Vote", Andrew Gumbel, 2005, page 235.
[10] "Steal This Vote", Andrew Gumbel, 2005, page 236.
[11] "Mysterious touchscreen voting machine found", USA Today, 9/29/04
[11a] "Why VVPAT 'Paper Trials' are Not Enough",
    "UCONN Report demonstrates that during a sleepover VVPAT records
    can be set to misrepresent how votes will be tallied", Aug. 2, 2007.
[12] Riverside SOVC, Nov. 7, 2006, 27.9 MB.
    The following precincts with 0 registered voters had 1 vote each for
    Governor:
    11971, 14028, 23019, 30073, 35709, 35735,
    37675, 37924, 40910, 45041, 46006, 46815,
    50023, 50043, 50831, 59005
[13] These include the SAIC, RABA, CompuWare, and Berkeley reports.
    One exception is the Alameda County report which was referenced
    in the public hearing, but that report
    was done without examining the source code and without testing
    the machines.
[14] Remarks of ITA testers and other panelists at the Secretary of
    State's Voting Systems Testing Summit, November 28-29, 2005,
    Sacramento, CA.
[15] New York Times, "U.S. Bars Lab From Testing Electronic Voting", Jan. 4, 2007.
[16] Wired, "Twist a Pen, Open a Lock", Sep. 17, 2004.
    Bike Forums, 36 second video demonstration.
    New York Times, "The Pen Is Mightier Than the Lock", Sep. 17, 2004.
[17] Lock Bumping in The News, Video of TV news programs on "lock bumping".
    A source to buy bumpkeys.
[17a] "White House High-Security Locks Broken: Bumped and Picked at DefCon",
    Kim Zetter, August 05, 2007.
[18] "Pinch My Ride", Wired.
[19] Code breakers beat security scheme of car locks, gas pumps,
    Science News, Feb. 5, 2005.
[20] "Comments on HAVA Amendments", Elections Technology, page 10.
[21] "2004 and 2006 New Mexico Canvass Data
    Shows Undervote Rates Plummet in Minority Precincts
    When Paper Ballots are Used"