January 22, 2019

Archives for September 2011

NJ election cover-up

Part 1 of 4
During the June 2011 New Jersey primary election, something went wrong in Cumberland County, which uses Sequoia AVC Advantage direct-recording electronic voting computers. From this we learned several things:

  1. New Jersey court-ordered election-security measures have not been effectively implemented.
  2. There is a reason to believe that New Jersey election officials have destroyed evidence in a pending court case, perhaps to cover up the noncompliance with these measures or to cover up irregularities in this election. There is enough evidence of a cover-up that a Superior Court judge has referred the matter to the State prosecutor’s office.
  3. Like any DRE voting machine, the AVC Advantage is vulnerable to software-based vote stealing by replacing the internal vote-counting firmware. That kind of fraud probably did not occur in this case. But even without replacing the internal firmware, the AVC Advantage voting machine is vulnerable to the accidental or deliberate swapping of vote-totals between candidates. It is clear that the machine misreported votes in this election, and both technical and procedural safeguards proved ineffective to fully correct the error.

Cumberland County is in the extreme southern part of New Jersey, a three-hour drive south of New York. In follow-up posts I’ll explain my 3 conclusions. In the remainder of this post, I’ll quote verbatim from the Honorable David E. Krell, the Superior Court judge in Cumberland County. This is his summary of the case, taken from the trial transcript of September 1, 2011, in the matter of Zirkle v. Henry.

(click here to continue)

[From the TRANSCRIPT OF RETURN OF ORDER TO SHOW CAUSE, Docket No. CUM-L-000567-11, starting at page 43.]

THE COURT: The 2011 New Jersey Primary Election was held on June 7, 2011. In District 3 of Fairfield Township, Cumberland County, four individuals ran for two open seats on the Democratic Executive Committee. Following the election, the County Clerk certified the results as Vivian Henry, 34 votes; Mark Henry, 33 votes; Ernest Zirkle, 9 votes; and Cynthia Zirkle, 10 votes.

On June 20, 2011, the Plaintiffs, Ernest Zirkle and Cynthia Zirkle, filed a Petition to declare the election void and of no effect and to order a recount or a new election. In their Petition, they asserted that the voting machined used in the election was a Sequoia AVC Advantage direct recording electronic voting machine. They also produced Affidavits of in excess of 28 voters, who stated under oath that they had voted for the Zirkles in the primary election.

As a result of the filing of the June 20 Petition, the Court on June 21, 2011, executed an Order to Show Cause, requiring the Defendants Henrys, the Cumberland County Board of Elections, and the County Clerk, to show cause why the relief in the Petition should not be granted. The Court also at that time issued an Order directing the Cumberland County Board of Elections to impound the Sequoia AVC direct recording electronic voting machine and all documents pertaining to the election, until a determination of the issues raised in the Petition.

On July 11, 2011 the parties and their attorneys, with the exception of the Henrys, appeared before the Court in response to the Order to Show Cause. Prior to the return date of the Order to Show Cause the Attorney General, on behalf of the Cumberland County Board of Elections, filed a Response with the Court. In this Response, the Attorney General submitted a Certification of Lizbeth Hernandez, the Administrator of the Cumberland County Board of Elections.

Ms. Hernandez in her Certification stated, “As a result of human error in the programming of the voting machine used in this election, the votes cast for Cynthia and Ernest Zirkle registered for Vivian and Mark Henry, and the votes cast for Vivian and Mark Henry registered for Cynthia and Ernest Zirkle.” Ms. Hernandez attached to her Certification a Memo dated June 24, 2011, in which she provided the claims and facts that she believed led to this error in the programming.

In the June 24, 2011 Memo, Ms. Hernandez claimed that she has programmed the voting machines in Cumberland County since June of 2008, to avoid the cost of the County of hiring a programmer. She further claimed that she mistakenly placed the position for Vivian and Mark Henry onto the position of Cynthia and Ernest Zirkle, and vice versa. This information was then put into the voting machine cartridge and sent to the warehouse for testing. The voting machine technicians inserted the cartridge into the voting machine and began the necessary testing. Ms. Hernandez then claims that the voting machine technicians did not catch her error in the programming.

On July 11, 2011 this Court conducted a hearing on the Order to Show Cause. At that hearing, the Attorney General conceded that there was a mistake in the results of the particular election and encouraged the Court to order a new election.

By this time, the Court had read in full the February 1, 2010 Opinion of Mercer County Assignment Judge Linda R. Feinberg in the Gusciora v. Corzine case. This case involved a broad challenge to the use of direct recording electronic voting machines in the State of New Jersey, and specifically the AVC Advantage made by Sequoia Voting Systems. Judge Feinberg, in her very lengthy Decision, went into great detail as to how the AVC Advantage works and the various testing procedures that are available to avoid the type of problem and mistakes, which the Administrator claims occurred in this case.

As a result of the Court’s review of Judge Feinberg’s Decision, at the hearing on July 11, the Court raised a number of questions as to the Administrator’s claim that these erroneous results were simply the result of human error. The Court questioned whether it had an obligation to investigate further, to make sure that the claims of human error could be supported.

The Sequoia AVC Advantage is a direct recording electronic voting machine. The preparation of the machine for an election begins with the County Clerk preparing the ballot definition, which includes the names of the candidates, the names of the contests, and the identification of the buttons on the voting machine that corresponded to each candidate.

The County Clerk, after preparing the ballot definition, delivers the ballot definition to the County Board of Elections. A specific software has been developed in order to program the ballot definition into each voting machine. This software is known as WinEDS, and runs on a Microsoft Windows operating system. The ballot definition is copied to a results cartridge, which is the size of a standard VHS tape. This is accomplished with the use of an ordinary Windows laptop computer, which has been installed with the appropriate WinEDS software. The laptops and the result cartridge are to be kept in a secured room.

The technicians who are to test the machine conduct tests known as Pre-LAT. These are logic and accuracy tests, to make sure the machines have been programmed properly. Essentially, the testing technicians are to conduct a mock election, where they enter a certain number of votes for each candidate and with the use of simulation cartridges, will determine and assure that the machine has been properly programmed.

So that the votes for each candidates are properly recorded for that candidate, PreLAT results are printed or supposed to be printed and kept with the machine, and there are seals placed on the machine after the PreLAT tests are conducted.

Following the July 11 hearing on the Order to Show Cause, the Court entered what I [Judge David Krell] would describe as a Discovery Order, which was prepared by the parties, after back-and-forth (I believe) negotiations. That Order declared the results of the June 7, 2011 election to be void and of no effect. The Order further provided that the Sequoia AVC Advantage machine used in the election, together with election results report and results cartridge, and all other documents pertaining to the election, shall remain impounded.

The Order further permitted additional discovery, including giving expert witnesses an opportunity to examine, take notes of, photograph, or otherwise copy the voting machine paper results report and result cartridge, any laptop used to program the ballot, and an files for that purpose stored in removable storage media.

And finally, that Order provided for a Plenary Hearing to be held August 29, and I believe it was continued to today at the request of the parties. I forget the exact reason but today is September 1 and it’s only two days later.

On August 17, 2011, an expert retained by the Plaintiffs, Dr. Andrew W. Appel, made an inspection of the voting machine and the laptop, pursuant to the Order following the July 11 hearing. In conducting this inspection, Mr. Appel found certain concerns with the security procedures which the Administrator had put in place.

He also discovered that his ability to examine the Administrator’s WinEDS laptop was seriously compromised by what appeared to be an action that someone performed on the computer on August 16, 2011, which erased a number of files which Dr. Appel wanted to examine.

As a result of this discovery, the Plaintiffs filed a Notice of Motion for an Order to Show Cause and presented this Motion to the Court. That Order to Show Cause is returnable today. The Court in fact signed a Second Order to Show Cause, dated August 22, requiring the defense to appear today and show cause, as to whether the Court should enter further Discover Orders for Plaintiffs to explore this activity, which took place on the Administrator’s laptop on August 16.

In response to the August 22, 2011 Order to Show Cause, the Attorney General filed a Certification of Jason W. Cossaboon, Sr., a Computer System Analyst employed by Cumberland County. Mr. Cossaboon, in his Certification, states that on August 16, 2011, he was asked by the Administrator to determine the date the hardening process was applied to the laptop used to program the voting machines. [editor’s note: I’ll explain “hardening” in the sequel article]

He apparently was not able to find a log file for the laptop to indicate the date the hardening was done. However, he states that while working on the laptop, he noticed the computer was running very slowly. As a result, he deleted certain “temporary files.” He also, for some reason, deleted the event view logs.

In the Attorney General’s responsive papers, he asserts that further investigation of this election is simply not necessary by the Court and that the Court should simply order a new election or declare the Plaintiffs the winners of the election.

In response to the Attorney General’s filing and position, the Plaintiffs have submitted an additional Certification from Andrew W. Appel, in which he set forth five possible scenarios for what has taken place in this case.

The first scenario, which he rejects, is that the votes recorded on election day are accurate. The Court, and I believe the parties, agree that this scenario seems extremely unlikely, based on the position that all are taking that this election was wrong.

The second scenario proposed by Dr. Appel is that the internals of the voting machine were manipulated so that the election results bear no correspondence to the voters’ actions. Dr. Appel rejects this scenario and the Court agrees that there has been no competent evidence offered to suggest that the voting machine was manipulated improperly or illegally prior to the election.

The third scenario he poses is that poll workers manipulated the voting machine during the election, so that some votes were not recorded. He rejects this scenario and I agree, the Court agrees, as again there is no competent evidence to support this theory.

The fourth scenario is that the positions of the parties were swapped in the election ballot files by an unauthorized intruder, wishing to flip the election results, either through Internet access to the WinEDS laptop or by physical access to the WinEDS laptop. Dr. Appel concludes that he cannot exclude this scenario, although there is no evidence to support this or to suggest this is the case–other than the rather circumstantial and curious concurrence of the two human errors in the programming and testing of the machine prior to the election, and the technician’s [Mr. Cossaboon’s] erasing of files one day prior to the inspection.

The fifth scenario posed by Dr. Appel is that the programmer switched the names in programming the computer and the voting machine, and this is what the Administrator claims happened. Dr. Appel also concludes that he cannot exclude this scenario, and the Court tends to believe that this is the most likely explanation for the erroneous results in this case, but cannot totally conclude that.

Based on all of the above, it is clear that the election at issue was defective and must be voided by the Court. While I do believe I have the authority to certify the Plaintiffs as the winners, I do not feel that this is the ideal result in this matter.

I do not know and may never know exactly why this election was defective. I have suspicions that something happened here that was improper and I even question whether something happened here that may have been criminal. And I strongly encourage the Attorney General to turn this over to the Attorney General Division of Criminal Justice, so that appropriate criminal investigators can conduct a full and complete investigation of this matter, to assure that criminality did not take place.

Although the Board of Elections and the Administrator maintain that human error was all that was involved here, for me to believe that I have to believe that three independent errors, human errors, occurred here, and that somewhat stretches my belief of common sense and reality, but it’s possible.

Accordingly, I am ordering a new election to be conducted on September 27, 2011.

This ends my extended quotation of Judge David E. Krell’s oral summary of his conclusions in Zirkle v. Henry. In my next articles in this series, I’ll explain,

  • What are the “hardening guidelines” that the judge refers to, and why would someone be motivated to erase computer files relating to them on the very day before Dr. Appel was scheduled to inspect the computer?
  • How we can tell that the votes were swapped, and how did certain technical safeguards in this DRE voting machine prove to be much less effective than desirable?

DigiNotar Hack Highlights the Critical Failures of our SSL Web Security Model

This past week, the Dutch company DigiNotar admitted that their servers were hacked in June of 2011. DigiNotar is no ordinary company, and this was no ordinary hack. DigiNotar is one of the “certificate authorities” that has been entrusted by web browsers to certify to users that they are securely connecting to web sites. Without this certainty, users could have their communications intercepted by any nefarious entity that managed to insert itself in the network between the user and the web site they seek to reach.

It appears that DigiNotar did not deserve to be trusted with the responsibility to to issue certifying SSL certificates, because their systems allowed an outside hacker to break in and issue himself certificates for any web site domain he wished. He did so, for dozens of domain names. This included domains like *.google.com and www.cia.gov. Anyone with possession of these certificates and control over the network path between you and the outside world could, for example, view all of your traffic to Gmail. The attacker in this case seems to be the same person who similarly compromised certificate-issuing servers for the company Comodo back in March. He has posted a new manifesto, and he claims to have compromised four other certificate authorities. All signs point to the conclusion that this person is an Iranian national who supports the current regime, or is a member of the regime itself.

The Comodo breach was deeply troubling, and the DigiNotar compromise is far worse. First, this new break-in affected all of DigiNotar’s core certificate servers as opposed to Comodo’s more contained breach. Second, this afforded the attacker with the ability of issuing not only baseline “domain validated” certificates but also higher-security “extended validation” certificates and even special certificates used by the Dutch government to secure itself (see the Dutch government’s fact sheet on the incident). However, this damage was by no means limited to the Netherlands, because any certificate authority can issue certificates for any domain. The third difference when compared to the Comodo breach is that we have actual evidence of these certificates being deployed against users in the real world. In this case, it appears that they were used widely against Iranian users on many different Iranian internet service providers. Finally, and perhaps most damning for DigiNotar, the break-in was not detected for a whole month, and was then not disclosed to the public for almost two more months (see the timeline at the end of this incident report by Fox-IT). The public’s security was put at risk and browser vendors were prevented from implementing fixes because they were kept in the dark. Indeed, DigiNotar seems to have intended never to disclose the problem, and was only forced to do so after a perceptive Iranian Google user noticed that their connections were being hijacked.

The most frightening thing about this episode is not just that a particular certificate authority allowed a hacker to critically compromise its operations, or that the company did not disclose this to the affected public. More fundamentally, it reminds us that our web security model is prone to failure across the board. As I noted at the time of the Comodo breach:

I recently spoke on the subject at USENIX Security 2011 as part of the panel “SSL/TLS Certificates: Threat or Menace?” (video and audio here if you scroll down to Friday at 11:00 a.m., and slides here.)