November 19, 2017

Archives for September 2011

Will the NJ Attorney General investigate the NJ Attorney General?

Part 3 of 4
In my recent posts I wrote about my discovery that (apparently) a County employee tampered with evidence in a computer that the NJ Superior Court had Ordered the County to present for examination. I described this discovery to the Court (Judge David E. Krell); and then a County employee did admit deleting files. Judge Krell was very concerned about this possible spoliation of evidence. In his Order signed September 9, 2011, he wrote,

“AND IT IS FURTHER ORDERED that the court recommends that the New Jersey Attorney General (New Jersey Department of Law and Public Safety), Division of Criminal Justice, undertake an investigation of … the deletion of files on August 16, 2011, from the Board’s laptop computer … by the County’s computer technician who is reponsible for servicing the Board’s computers.”

During the hearing on September 1, Plaintiffs’ attorneys pointed out that the New Jersey Attorney General’s office had been co-counsel for the Defendants in Zirkle v. Henry. This means that lawyers from the AG’s office had very possibly advised the County employees before and after the evidence was erased. Plaintiffs’ attorneys pointed out that this would mean that Judge Krell was asking the Attorney General’s office to investigate itself. Plaintiffs asked the Court to appoint a Special Master.

Judge Krell explained why he was not inclined to do that. He said, “My understanding is Criminal Justice is totally separate from the Civil part of [the Attorney General’s] office.” That is, during the hearing the Judge stated his belief that the Division of Criminal Justice in the NJ Department of Law and Public Safety is sufficiently independent from the Division of Law in the Department of Law and Public Safety, such that it can properly investigate the possibility of criminal tampering of evidence in which attorneys from the Division of Law might have had a role.

I hope Judge Krell is right about that.

Crowdsourcing State Secrets

Those who regularly listen to Fresh Air may have heard a recent interview with journalist Dana Priest about the dramatic expansion of the intelligence community over the past ten years. The guest mentioned how the government had paid contractors several times what their own intelligence officials would be paid to perform the same analysis tasks. The guest also mentioned how unwieldy the massive network of contractors had become (to the point where even decided who gets top secret clearance had been contracted out). At the same time, in this age of Wikileaks and #Antisec, leaks and break-ins are becoming all the more common. It’s only a matter of time before thousands of military intelligence reports show up on Pastebin.

However, what if we didn’t have to pay this mass of analysts? What if we stopped worrying so much about leaks and embraced them? What if we could bring in anyone who wanted to analyze the insane amount of information by simply dumping large amounts of the raw data to a publicly-accessible location? What if we crowdsourced intelligence analysis?

Granted, we wouldn’t be able to just dump everything, as some items (such as “al-Qaeda’s number 5 may be house X in Waziristan, according to informant Y who lives in Taliban-controlled territory”) would be damaging if released. But (at least according to the interview) many of the items which are classified as top secret actually wouldn’t cause “exceptionally grave damage.” As for particularly sensitive (but could benefit from analysis) information in such documents, we could simply use pseudonyms and keep the pseudonym-real name mapping top secret.

Adversaries would almost certainly attempt to piece together false analyses. This simply becomes an instance of the Byzantine generals problem, but with a twist: because the mainstream media is always looking for the next sensational story, it would be performing much of the analysis. Because this creates a common goal between the public and the news outlets, there would be some level of trust that other (potentially adversarial) actors would not necessarily have.

In an era when the talking heads in Washington and the media want to cut everything from the tiny National Endowment for the Arts to gigantic Social Security, the last thing we need is to pay people to do work that many would do for free. Applying open government principles to data that do not necessarily need to be kept secret could go a long way toward reducing the part of government that most politicians are unwilling to touch.

Did NJ election officials fail to respect court order to improve security of elections?

Part 2 of 4
The Gusciora case was filed in 2004 by the Rutgers Constitutional Litigation Clinic on behalf of Reed Gusciora and other public-interest plaintiffs. The Plaintiffs sought to end the use of paperless direct-recording electronic voting machines, which are very vulnerable to fraud and manipulation via replacement of their software. The defendant was the Governor of New Jersey, and as governors came and went it was variously titled Gusciora v. McGreevey, Gusciora v. Corzine, Guscioria v. Christie.

In 2010 Judge Linda Feinberg issued an Opinion. She did not ban the machines, but ordered the State to implement several kinds of security measures: some to improve the security of the computers on which ballots are programmed (and results are tabulated), and some to improve the security of the computers inside the voting machines themselves.

The Plaintiffs had shown evidence that ballot-programming computers (the so-called “WinEDS laptops”) in Union County had been used to surf the Internet even on election day in 2008. This, combined with many other security vulnerabilities in the configuration of Microsoft Windows, left the computers open to intrusion by outsiders, who could then interfere with and manipulate the programming of ballots before their installation on the voting machines, or manipulate the aggregation of results after the elections. Judge Feinberg also heard testimony that so-called “Hardening Guidelines”, which had previously been prepared by Sequoia Voting Systems at the request of the State of California, would help close some of these vulnerabilities. Basically, one wipes the hard drive clean on the “WinEDS laptop”, installs a fresh copy of Microsoft Windows, runs a script to shut down Internet access and generally tighten the Windows security configuration, and finally installs a fresh copy of the WinEDS ballot software. The Court also heard testimony (from me) that installing these Guidelines requires experience in Windows system administration, and would likely be beyond the capability of some election administrators.

Among the several steps the Court ordered in 2010 was the installation of these Hardening Guidelines on every WinEDS ballot-programming computer used in public elections, within 120 days.

Two years after I testified in the Gusciora case, I served as an expert witness in a different case, Zirkle v. Henry, in a different Court, before Judge David Krell. I wanted to determine whether an anomaly in the June 2011 Cumberland County primary election could have been caused by an intruder from the Internet, or whether such intrusion could reasonably be ruled out. Thus, the question became relevant of whether Cumberland County’s WinEDS laptop was in compliance with Judge Feinberg’s Order. That is, had the Hardening Guidelines been installed before the ballot programming was done for the election in question? If so, what would the event logs say about the use of that machine as the ballot cartridges were programmed?

One of the components of the Hardening Guidelines is to turn on certain Event Logs in the Windows operating system. So, during my examination of the WinEDS laptop on August 17, I opened the Windows Event Viewer and photographed screen-shots of the logs. To my surprise, the logs commenced on the afternoon of August 16, 2011, the day before my examination. Someone had wiped the logs clean, at the very least, or possibly on August 16 someone had wiped the entire hard drive clean in installing the Hardening Guidelines. In either case, evidence in a pending court case–files on a computer that the State of New Jersey and County of Cumberland had been ordered to produce for examination–was erased. I’m told that evidence-tampering is a crime. In an affidavit dated August 24, Jason Cossaboon, a Computer Systems Analyst employed by Cumberland County, stated that he erased the event logs on August 16.

Robert Giles, Director of the New Jersey Division of Elections, was present during my examination on August 17. Mr. Giles submitted to Judge David Krell an affidavit dated August 25 describing the steps he had taken to achieve compliance with Judge Feinberg’s Order. He writes, “The Sequoia hardening manual was sent, by email, to the various county election offices on March 29, 2010. To my knowledge, the hardening process was completed by the affected counties by the required deadline of June 1, 2010.” Mr. Giles does not say anything about how he acquired the “knowledge” that the process was completed.

Mr. Giles was present in Judge Feinberg’s courtroom in 2009 when I testified that the Hardening Guidelines are not simple to install and would typically require someone with technical training or experience. And yet he then pretended to discharge the State’s duty of compliance with Judge Feinberg’s Order by simply sending a mass e-mail to county election officials. Judge Feinberg herself said that sending an e-mail was not enough; a year later, Mr. Giles has done nothing more. In my opinion, this is disrespectful to the Court, and to the voters of New Jersey.