April 18, 2014


Corruption Bureau assigns fox to guard henhouse

Recently I wrote about my discovery that someone erased evidence on an election computer in Cumberland County, NJ. After something went wrong in a Primary Election in June 2011, the Superior Court (the Hon. David E. Krell) had ordered the County Board of Elections to make the computer available for me (the Plaintiffs’ expert) to examine.

When I examined the computer on August 17, among those watching me were the County Administrator of Elections (Lizbeth Hernandez), the Director of the New Jersey Division of Elections (Robert Giles), and a Deputy Attorney General of the State of New Jersey (George Cohen). This is quite a lot of firepower for reviewing a rather small election (43 votes cast in total).

In my examination of the computer, I noticed that files and logs were erased on the day before. I notified the Court, and within a few days an IT specialist employed by the county wrote, in an affidavit, that he had been asked by the County Administrator of Elections to examine the computer the day before my own examination, and at that time he erased the files and cleared the logs.

We do not know exactly what motivated Ms. Hernandez to ask the IT specialist to fiddle with the computer. The IT specialist himself says “I was asked by Lizbeth Hernandez to determine the date the hardening process was applied to the laptop.” Why is this date important? Back in 2010, a different judge of the Superior Court (the Hon. Linda R. Feinberg) had ordered the State to secure the computers used in conducting elections by applying these “hardening guidelines.” Mr. Giles was the one responsible for making sure the State (and all its Counties) complied with this order, more than a year ago. In August 2011, did Mr. Giles ask Ms. Hernandez whether the “hardening guidelines” had been applied? Perhaps these election officials were concerned that I might discover something about late compliance, or noncompliance, with Judge Feinberg’s order.

That is, the IT specialist’s affidavit points to concern about whether Mr. Giles had effectively brought New Jersey (including Cumberland County) into compliance; by erasing the logs and temporary files, he erased evidence about compliance or noncompliance.

Judge Krell, down in Cumberland County, does not like people tampering with evidence in the cases that come before him. On September 9 he referred the possible evidence-tampering to the prosecutor, that is, to the NJ Attorney General’s office. As I described in “Will the NJ Attorney General Investigate the NJ Attorney General,” the Plaintiffs doubted that the AG would do a real investigation.

Judge Krell’s referral was directed to Christine Hoffman, Chief of the Corruption Bureau of the Office of the Attorney General. On September 20, 2011, Ms. Hoffman wrote in an official letter, “the Division of Criminal Justice will not pursue criminal charges at this time. This matter is being forwarded to your office for your review and whatever action you deem appropriate.”

And to whom is this letter addressed? To Mr. Robert Giles, Director, Division of Elections. This is like asking the fox to investigate whether proper security measures have been installed at the henhouse. Does this instill confidence in the integrity of elections in New Jersey?

Plaintiffs have asked that Judge Krell assign a special master to investigate all irregularities associated with the June 8, 2011 primary election, including the erasure of the information concerning hardening guidelines. The recent turn of events shows why an independent investigation should take place in Cumberland County.


Open Access to Scholarly Publications at Princeton

In its September 2011 meeting, the Faculty of Princeton University voted unanimously for a policy of open access to scholarly publications:

“The members of the Faculty of Princeton University strive to make their publications openly accessible to the public. To that end, each Faculty member hereby grants to The Trustees of Princeton University a nonexclusive, irrevocable, worldwide license to exercise any and all copyrights in his or her scholarly articles published in any medium, whether now known or later invented, provided the articles are not sold by the University for a profit, and to authorize others to do the same. This grant applies to all scholarly articles that any person authors or co-authors while appointed as a member of the Faculty, except for any such articles authored or co-authored before the adoption of this policy or subject to a conflicting agreement formed before the adoption of this policy. Upon the express direction of a Faculty member, the Provost or the Provost’s designate will waive or suspend application of this license for a particular article authored or co-authored by that Faculty member.

“The University hereby authorizes each member of the faculty to exercise any and all copyrights in his or her scholarly articles that are subject to the terms and conditions of the grant set forth above. This authorization is irrevocable, non-assignable, and may be amended by written agreement in the interest of further protecting and promoting the spirit of open access.”

Basically, this means that when professors publish their academic work in the form of articles in journals or conferences, they should not sign a publication contract that prevents the authors from also putting a copy of their paper on their own web page or in their university’s public-access repository.

Most publishers in Computer Science (ACM, IEEE, Springer, Cambridge, Usenix, etc.) already have standard contracts that are compatible with open access. Open access doesn’t prevent these publishers from having a pay wall; it allows other means of finding the same information. Many publishers in the natural sciences and the social sciences also have policies compatible with open access.

But some publishers in the sciences, in engineering, and in the humanities have more restrictive policies. Action like this by Princeton’s faculty (and by the faculties at more than a dozen other universities in 2009-10) will help push those publishers into the 21st century.

The complete report of the Committee on Open Access is available here.


What happens when the printed ballot face doesn't match the electronic ballot definition?

Part 4 of 4. Complete 4-part series available here.
The Sequoia AVC Advantage is an old-technology direct-recording electronic voting machine. It doesn’t have a video display; the candidate names are printed on a large sheet of paper, and voters indicate their choices by pressing buttons that are underneath the paper. A “ballot definition” file in an electronic cartridge associates candidate names with the button positions.

Clearly, it had better be the case that the candidate names on the printed paper match the candidate names in the ballot-definition file in the cartridge! Otherwise, voters will press the button for (e.g.,) Cynthia Zirkle, but the computer will record a vote for Vivian Henry, as happened in a recent election in New Jersey.

How do we know that this is what happened? As I reported to the Court in Zirkle v. Henry, the AVC Advantage prints the names of candidates, and how many votes each received, on a Results Report printout on a roll of cash-register tape. The printout reads, in this case,

    I23   Cynthia Zirkle      10
    I24   Ernest Zirkle         9
    J23   Vivian Henry        34
    J24   Mark A. Henry      33


In this election, four candidates are running for two positions in a vote-for-any-two election. Here, J23 indicates that the button at column J, row 23 on the face of the AVC advantage received 34 votes. The problem was that the poster-size printed paper covering the buttons had the name Cynthia Zirkle printed at position J23. Vivian Henry’s name was printed at position I23. That is, there was a mismatch between the printed paper and the electronic ballot-definition file. Similarly, the positions of Ernest Zirkle and Mark Henry were swapped.

Rebecca Mercuri told me that until the mid 1990s, the AVC Advantage firmware did not print the row/column numbers at all, so that mismatches like this were harder to detect.

One might think that all is well–there’s a fail-safe mechanism that can catch mistakes (or deliberate fraud) where the paper doesn’t match the electronic file. But in this election, the fail-safe mechanism did not work well at all.

First, there are almost no candidates or pollwatchers out there who know enough to look out for this kind of mismatch. In the Zirkle v. Henry election, Cynthia and Ernest Zirkle couldn’t tell from the documents available to them that the positions were switched. They and their lawyer got 28 (or more) sworn affidavits from citizens who said they voted for the Zirkles, and on that basis they got a court to permit an investigation. In any election that involved significantly more than 43 voters, it’s impractical to get sworn affidavits from everyone who voted for you. This election took place all on one voting machine; in big-time elections one would need to double-check the face of the ballot against the Results Report printout in every single precinct. This is physically possible, but it isn’t easy and independent pollwatchers are not trained to do it. In Zirkle v. Henry this came to light because certain experts got involved, but one can’t count on that in general.
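The cross-check described above, comparing the row/column codes on the Results Report against the names printed on the paper face and re-attributing each position’s count to the name voters actually saw, as an added example in Python. This is not code from the post or from Sequoia (the AVC Advantage exposes no such interface); the report text and the face layout below are constructed from the figures quoted in the post, and the function names are the example’s own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the Results Report lines quoted in the post: position code,
# candidate name as it appears in the ballot-definition file, and vote count.
RESULTS_REPORT = """\
I23   Cynthia Zirkle      10
I24   Ernest Zirkle         9
J23   Vivian Henry        34
J24   Mark A. Henry      33
"""

# Constructed: the name printed on the paper face over each button position
# (the post reports the Zirkles and the Henrys printed in each other's positions).
PRINTED_FACE = {
    "J23": "Cynthia Zirkle",
    "J24": "Ernest Zirkle",
    "I23": "Vivian Henry",
    "I24": "Mark A. Henry",
}

# One report line: column letter + row number, a name, a count. The name is
# matched non-greedily so names with initials ("Mark A. Henry") parse cleanly.
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+(.+?)\s+(\d+)\s*$")


def parse_results_report(text: str) -> Dict[str, Tuple[str, int]]:
    """Map each button position to (name per ballot definition, votes)."""
    report: Dict[str, Tuple[str, int]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable results line: {line!r}")
        pos, name, votes = m.group(1), m.group(2), int(m.group(3))
        if pos in report:
            raise ValueError(f"position {pos} reported twice")
        report[pos] = (name, votes)
    return report


def find_mismatches(report: Dict[str, Tuple[str, int]],
                    face: Dict[str, str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Positions where the ballot definition and the printed face disagree.
    Each entry is (position, defined name or None, printed name or None)."""
    out: List[Tuple[str, Optional[str], Optional[str]]] = []
    for pos, (defined, _) in sorted(report.items()):
        printed = face.get(pos)
        if printed != defined:          # a swap, or a button with no printed label
            out.append((pos, defined, printed))
    for pos, printed in sorted(face.items()):
        if pos not in report:           # a label over a button the cartridge ignores
            out.append((pos, None, printed))
    return out


def totals_by_printed_name(report: Dict[str, Tuple[str, int]],
                           face: Dict[str, str]) -> Dict[str, int]:
    """Re-attribute each position's count to the name the voter actually saw.
    Refuses to guess when a reported position carries no printed name."""
    totals: Dict[str, int] = {}
    for pos, (_, votes) in report.items():
        if pos not in face:
            raise ValueError(f"position {pos} has no printed name; cannot re-attribute")
        totals[face[pos]] = totals.get(face[pos], 0) + votes
    return totals


def audit(report_text: str, face: Dict[str, str]) -> Dict[str, object]:
    """One-shot check a pollwatcher could run per machine after the polls close."""
    report = parse_results_report(report_text)
    mismatches = find_mismatches(report, face)
    return {
        "face_matches_definition": not mismatches,
        "mismatches": mismatches,
        "totals_as_printed": totals_by_printed_name(report, face),
    }


if __name__ == "__main__":
    result = audit(RESULTS_REPORT, PRINTED_FACE)
    for pos, defined, printed in result["mismatches"]:
        print(f"{pos}: cartridge says {defined!r}, paper says {printed!r}")
    print("totals by the name voters saw:", result["totals_as_printed"])
```

On the constructed data every one of the four positions is flagged, and re-attributing by the printed face gives the Zirkles 34 and 33 votes, the figures both sides put to the Court. The check is only as good as the record of what the face actually said, which is why the face (or a photograph of it) has to be preserved with the Results Report.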

Second, even in this case, the Court was uncomfortable just swapping the votes and declaring the Zirkles to be the winners of the election. That is, both the Plaintiffs (lawyers and expert witness for the Zirkles) and the Defendants (lawyers for the State of New Jersey and the County of Cumberland) stated to the court that they believed that Cynthia and Ernest Zirkle got 34 and 33 votes, respectively. Defendants Vivian and Mark Henry, representing themselves, took the position that a new election should be held.

In his ruling, the Court (Judge David Krell) said,

Based on all of the above, it is clear that the election at issue was defective and must be voided by the Court. While I do believe I have the authority to certify the Plaintiffs as the winners, I do not feel that this is the ideal result in this matter. … Accordingly, I am ordering a new election to be conducted.

If there was ever a case in which these row-and-column numbers could clearly indicate who won an election, this was it. And yet a very reasonable judge is uncomfortable using this information to declare a winner, and instead orders a new election.

Ordering a new election is not at all unreasonable, but it is important to remember that a new election can have its own problems. Citizens who came out to vote the first time may not have the time or inclination to vote again, and if so their (previous) legitimate exercise of the franchise is being devalued. Or, some who did not bother to vote the first time may take advantage of the “do-over.”

It is instructive to consider what would have happened if a similar kind of error had happened with optical-scan voting. It’s certainly possible that the position of names on the op-scan paper ballot might not match the programming of the optical-scan ballot-counter. In this case, the results would come out reversed just as they did in Zirkle v. Henry. But the Court would have simply ordered a recount, by hand, of the original paper ballots. Those ballots would have clearly shown the true result. No experts, and no do-over election, would have been necessary at all.


Will the NJ Attorney General investigate the NJ Attorney General?

Part 3 of 4
In my recent posts I wrote about my discovery that (apparently) a County employee tampered with evidence in a computer that the NJ Superior Court had Ordered the County to present for examination. I described this discovery to the Court (Judge David E. Krell); and then a County employee did admit deleting files. Judge Krell was very concerned about this possible spoliation of evidence. In his Order signed September 9, 2011, he wrote,

“AND IT IS FURTHER ORDERED that the court recommends that the New Jersey Attorney General (New Jersey Department of Law and Public Safety), Division of Criminal Justice, undertake an investigation of … the deletion of files on August 16, 2011, from the Board’s laptop computer … by the County’s computer technician who is responsible for servicing the Board’s computers.”

During the hearing on September 1, Plaintiffs’ attorneys pointed out that the New Jersey Attorney General’s office had been co-counsel for the Defendants in Zirkle v. Henry. This means that lawyers from the AG’s office had very possibly advised the County employees before and after the evidence was erased. Plaintiffs’ attorneys pointed out that this would mean that Judge Krell was asking the Attorney General’s office to investigate itself. Plaintiffs asked the Court to appoint a Special Master.

Judge Krell explained why he was not inclined to do that. He said, “My understanding is Criminal Justice is totally separate from the Civil part of [the Attorney General's] office.” That is, during the hearing the Judge stated his belief that the Division of Criminal Justice in the NJ Department of Law and Public Safety is sufficiently independent from the Division of Law in the Department of Law and Public Safety, such that it can properly investigate the possibility of criminal tampering of evidence in which attorneys from the Division of Law might have had a role.

I hope Judge Krell is right about that.


Crowdsourcing State Secrets

Those who regularly listen to Fresh Air may have heard a recent interview with journalist Dana Priest about the dramatic expansion of the intelligence community over the past ten years. The guest mentioned how the government had paid contractors several times what their own intelligence officials would be paid to perform the same analysis tasks. The guest also mentioned how unwieldy the massive network of contractors had become (to the point where even deciding who gets top secret clearance had been contracted out). At the same time, in this age of Wikileaks and #Antisec, leaks and break-ins are becoming all the more common. It’s only a matter of time before thousands of military intelligence reports show up on Pastebin.

However, what if we didn’t have to pay this mass of analysts? What if we stopped worrying so much about leaks and embraced them? What if we could bring in anyone who wanted to analyze the insane amount of information by simply dumping large amounts of the raw data to a publicly-accessible location? What if we crowdsourced intelligence analysis?

Granted, we wouldn’t be able to just dump everything, as some items (such as “al-Qaeda’s number 5 may be house X in Waziristan, according to informant Y who lives in Taliban-controlled territory”) would be damaging if released. But (at least according to the interview) many of the items which are classified as top secret actually wouldn’t cause “exceptionally grave damage.” As for information in such documents that is particularly sensitive but could still benefit from analysis, we could simply use pseudonyms and keep the pseudonym-to-real-name mapping top secret.

Adversaries would almost certainly attempt to piece together false analyses. This simply becomes an instance of the Byzantine generals problem, but with a twist: because the mainstream media is always looking for the next sensational story, it would be performing much of the analysis. Because this creates a common goal between the public and the news outlets, there would be some level of trust that other (potentially adversarial) actors would not necessarily have.

In an era when the talking heads in Washington and the media want to cut everything from the tiny National Endowment for the Arts to gigantic Social Security, the last thing we need is to pay people to do work that many would do for free. Applying open government principles to data that do not necessarily need to be kept secret could go a long way toward reducing the part of government that most politicians are unwilling to touch.


Did NJ election officials fail to respect court order to improve security of elections?

Part 2 of 4
The Gusciora case was filed in 2004 by the Rutgers Constitutional Litigation Clinic on behalf of Reed Gusciora and other public-interest plaintiffs. The Plaintiffs sought to end the use of paperless direct-recording electronic voting machines, which are very vulnerable to fraud and manipulation via replacement of their software. The defendant was the Governor of New Jersey, and as governors came and went it was variously titled Gusciora v. McGreevey, Gusciora v. Corzine, Gusciora v. Christie.

In 2010 Judge Linda Feinberg issued an Opinion. She did not ban the machines, but ordered the State to implement several kinds of security measures: some to improve the security of the computers on which ballots are programmed (and results are tabulated), and some to improve the security of the computers inside the voting machines themselves.

The Plaintiffs had shown evidence that ballot-programming computers (the so-called “WinEDS laptops”) in Union County had been used to surf the Internet even on election day in 2008. This, combined with many other security vulnerabilities in the configuration of Microsoft Windows, left the computers open to intrusion by outsiders, who could then interfere with and manipulate the programming of ballots before their installation on the voting machines, or manipulate the aggregation of results after the elections. Judge Feinberg also heard testimony that so-called “Hardening Guidelines”, which had previously been prepared by Sequoia Voting Systems at the request of the State of California, would help close some of these vulnerabilities. Basically, one wipes the hard drive clean on the “WinEDS laptop”, installs a fresh copy of Microsoft Windows, runs a script to shut down Internet access and generally tighten the Windows security configuration, and finally installs a fresh copy of the WinEDS ballot software. The Court also heard testimony (from me) that installing these Guidelines requires experience in Windows system administration, and would likely be beyond the capability of some election administrators.

Among the several steps the Court ordered in 2010 was the installation of these Hardening Guidelines on every WinEDS ballot-programming computer used in public elections, within 120 days.

Two years after I testified in the Gusciora case, I served as an expert witness in a different case, Zirkle v. Henry, in a different Court, before Judge David Krell. I wanted to determine whether an anomaly in the June 2011 Cumberland County primary election could have been caused by an intruder from the Internet, or whether such intrusion could reasonably be ruled out. Thus it became relevant whether Cumberland County’s WinEDS laptop was in compliance with Judge Feinberg’s Order. That is, had the Hardening Guidelines been installed before the ballot programming was done for the election in question? If so, what would the event logs say about the use of that machine as the ballot cartridges were programmed?

One of the components of the Hardening Guidelines is to turn on certain Event Logs in the Windows operating system. So, during my examination of the WinEDS laptop on August 17, I opened the Windows Event Viewer and photographed screen-shots of the logs. To my surprise, the logs commenced on the afternoon of August 16, 2011, the day before my examination. Someone had wiped the logs clean, at the very least, or possibly on August 16 someone had wiped the entire hard drive clean in installing the Hardening Guidelines. In either case, evidence in a pending court case–files on a computer that the State of New Jersey and County of Cumberland had been ordered to produce for examination–was erased. I’m told that evidence-tampering is a crime. In an affidavit dated August 24, Jason Cossaboon, a Computer Systems Analyst employed by Cumberland County, stated that he erased the event logs on August 16.
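The check that the examination above turned on, stated as an added Python example (not code from the post, and not tied to any particular forensic tool): given event-log records exported from a machine, report the earliest surviving entry in each log, whether the log still reaches back to the period of interest (here, the weeks when the ballot cartridges were programmed), and any explicit “log cleared” entries. The records below are constructed; the event IDs 1102 (Security) and 104 (System) are the ones Windows Vista and later write when a log is cleared, and the period dates are assumptions for the example.

```python
from datetime import datetime
from typing import Dict, Iterable, List

# Written by Windows (Vista and later) when a log is cleared through Event
# Viewer or wevtutil: 1102 in the Security log, 104 in the System log.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}

# Constructed records in the shape of an Event Viewer export (log, timestamp,
# event ID, provider). Timestamps are chosen so that every log's first
# surviving entry falls on the afternoon before a next-day examination.
SAMPLE_RECORDS = [
    {"log": "System", "time": "2011-08-16T14:02:10", "id": 104,
     "provider": "Microsoft-Windows-Eventlog"},
    {"log": "System", "time": "2011-08-16T14:05:31", "id": 7036,
     "provider": "Service Control Manager"},
    {"log": "Security", "time": "2011-08-16T14:02:12", "id": 1102,
     "provider": "Microsoft-Windows-Eventlog"},
    {"log": "Security", "time": "2011-08-16T14:03:00", "id": 4624,
     "provider": "Microsoft-Windows-Security-Auditing"},
    {"log": "Application", "time": "2011-08-16T14:02:15", "id": 1000,
     "provider": "Application Error"},
]

# Assumed for the example: the logs must reach back at least to this date to
# show what the laptop was doing when the cartridges were programmed.
PROGRAMMING_PERIOD_START = "2011-05-01T00:00:00"


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def coverage_report(records: Iterable[dict], must_cover_from: str,
                    expected_logs: Iterable[str] = ("Application", "Security", "System")
                    ) -> Dict[str, dict]:
    """Per log: earliest and latest surviving entry, whether the log still covers
    the period starting at must_cover_from, and any explicit log-cleared entries.
    Expected logs with no surviving records at all are reported as empty."""
    start = parse_time(must_cover_from)
    by_log: Dict[str, List[dict]] = {name: [] for name in expected_logs}
    for r in records:
        by_log.setdefault(r["log"], []).append(r)
    out: Dict[str, dict] = {}
    for log, recs in by_log.items():
        if not recs:
            out[log] = {"earliest": None, "latest": None,
                        "covers_period": False, "cleared_events": []}
            continue
        times = sorted(parse_time(r["time"]) for r in recs)
        cleared = sorted(r["time"] for r in recs if (log, r["id"]) in LOG_CLEARED_IDS)
        out[log] = {
            "earliest": times[0].isoformat(),
            "latest": times[-1].isoformat(),
            "covers_period": times[0] <= start,
            "cleared_events": cleared,
        }
    return out


def logs_lost_for_period(records: Iterable[dict], must_cover_from: str) -> List[str]:
    """Logs whose surviving entries begin after the period of interest started,
    i.e. logs that cannot say anything about that period any more."""
    rep = coverage_report(records, must_cover_from)
    return sorted(log for log, info in rep.items() if not info["covers_period"])


if __name__ == "__main__":
    for log, info in coverage_report(SAMPLE_RECORDS, PROGRAMMING_PERIOD_START).items():
        print(f"{log:12} earliest={info['earliest']} covers_period={info['covers_period']} "
              f"cleared={info['cleared_events']}")
    print("logs that no longer cover the programming period:",
          logs_lost_for_period(SAMPLE_RECORDS, PROGRAMMING_PERIOD_START))
```

The earliest-entry test is the one that matters: a log whose first surviving record postdates the period under examination has been cleared or rotated, whether or not a “cleared” event survives to say so. The explicit 1102/104 entries are corroboration when present, not a precondition, and a full reinstall of the operating system leaves neither.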

Robert Giles, Director of the New Jersey Division of Elections, was present during my examination on August 17. Mr. Giles submitted to Judge David Krell an affidavit dated August 25 describing the steps he had taken to achieve compliance with Judge Feinberg’s Order. He writes, “The Sequoia hardening manual was sent, by email, to the various county election offices on March 29, 2010. To my knowledge, the hardening process was completed by the affected counties by the required deadline of June 1, 2010.” Mr. Giles does not say anything about how he acquired the “knowledge” that the process was completed.

Mr. Giles was present in Judge Feinberg’s courtroom in 2009 when I testified that the Hardening Guidelines are not simple to install and would typically require someone with technical training or experience. And yet he then pretended to discharge the State’s duty of compliance with Judge Feinberg’s Order by simply sending a mass e-mail to county election officials. Judge Feinberg herself said that sending an e-mail was not enough; a year later, Mr. Giles has done nothing more. In my opinion, this is disrespectful to the Court, and to the voters of New Jersey.


NJ election cover-up

Part 1 of 4
During the June 2011 New Jersey primary election, something went wrong in Cumberland County, which uses Sequoia AVC Advantage direct-recording electronic voting computers. From this we learned several things:

  1. New Jersey court-ordered election-security measures have not been effectively implemented.
  2. There is a reason to believe that New Jersey election officials have destroyed evidence in a pending court case, perhaps to cover up the noncompliance with these measures or to cover up irregularities in this election. There is enough evidence of a cover-up that a Superior Court judge has referred the matter to the State prosecutor’s office.
  3. Like any DRE voting machine, the AVC Advantage is vulnerable to software-based vote stealing by replacing the internal vote-counting firmware. That kind of fraud probably did not occur in this case. But even without replacing the internal firmware, the AVC Advantage voting machine is vulnerable to the accidental or deliberate swapping of vote-totals between candidates. It is clear that the machine misreported votes in this election, and both technical and procedural safeguards proved ineffective to fully correct the error.

Cumberland County is in the extreme southern part of New Jersey, a three-hour drive south of New York. In follow-up posts I’ll explain my 3 conclusions. In the remainder of this post, I’ll quote verbatim from the Honorable David E. Krell, the Superior Court judge in Cumberland County. This is his summary of the case, taken from the trial transcript of September 1, 2011, in the matter of Zirkle v. Henry.


[From the TRANSCRIPT OF RETURN OF ORDER TO SHOW CAUSE, Docket No. CUM-L-000567-11, starting at page 43.]

THE COURT: The 2011 New Jersey Primary Election was held on June 7, 2011. In District 3 of Fairfield Township, Cumberland County, four individuals ran for two open seats on the Democratic Executive Committee. Following the election, the County Clerk certified the results as Vivian Henry, 34 votes; Mark Henry, 33 votes; Ernest Zirkle, 9 votes; and Cynthia Zirkle, 10 votes.

On June 20, 2011, the Plaintiffs, Ernest Zirkle and Cynthia Zirkle, filed a Petition to declare the election void and of no effect and to order a recount or a new election. In their Petition, they asserted that the voting machine used in the election was a Sequoia AVC Advantage direct recording electronic voting machine. They also produced Affidavits of in excess of 28 voters, who stated under oath that they had voted for the Zirkles in the primary election.

As a result of the filing of the June 20 Petition, the Court on June 21, 2011, executed an Order to Show Cause, requiring the Defendants Henrys, the Cumberland County Board of Elections, and the County Clerk, to show cause why the relief in the Petition should not be granted. The Court also at that time issued an Order directing the Cumberland County Board of Elections to impound the Sequoia AVC direct recording electronic voting machine and all documents pertaining to the election, until a determination of the issues raised in the Petition.

On July 11, 2011 the parties and their attorneys, with the exception of the Henrys, appeared before the Court in response to the Order to Show Cause. Prior to the return date of the Order to Show Cause the Attorney General, on behalf of the Cumberland County Board of Elections, filed a Response with the Court. In this Response, the Attorney General submitted a Certification of Lizbeth Hernandez, the Administrator of the Cumberland County Board of Elections.

Ms. Hernandez in her Certification stated, “As a result of human error in the programming of the voting machine used in this election, the votes cast for Cynthia and Ernest Zirkle registered for Vivian and Mark Henry, and the votes cast for Vivian and Mark Henry registered for Cynthia and Ernest Zirkle.” Ms. Hernandez attached to her Certification a Memo dated June 24, 2011, in which she provided the claims and facts that she believed led to this error in the programming.

In the June 24, 2011 Memo, Ms. Hernandez claimed that she has programmed the voting machines in Cumberland County since June of 2008, to avoid the cost to the County of hiring a programmer. She further claimed that she mistakenly placed the position for Vivian and Mark Henry onto the position of Cynthia and Ernest Zirkle, and vice versa. This information was then put into the voting machine cartridge and sent to the warehouse for testing. The voting machine technicians inserted the cartridge into the voting machine and began the necessary testing. Ms. Hernandez then claims that the voting machine technicians did not catch her error in the programming.

On July 11, 2011 this Court conducted a hearing on the Order to Show Cause. At that hearing, the Attorney General conceded that there was a mistake in the results of the particular election and encouraged the Court to order a new election.

By this time, the Court had read in full the February 1, 2010 Opinion of Mercer County Assignment Judge Linda R. Feinberg in the Gusciora v. Corzine case. This case involved a broad challenge to the use of direct recording electronic voting machines in the State of New Jersey, and specifically the AVC Advantage made by Sequoia Voting Systems. Judge Feinberg, in her very lengthy Decision, went into great detail as to how the AVC Advantage works and the various testing procedures that are available to avoid the type of problem and mistakes, which the Administrator claims occurred in this case.

As a result of the Court’s review of Judge Feinberg’s Decision, at the hearing on July 11, the Court raised a number of questions as to the Administrator’s claim that these erroneous results were simply the result of human error. The Court questioned whether it had an obligation to investigate further, to make sure that the claims of human error could be supported.

The Sequoia AVC Advantage is a direct recording electronic voting machine. The preparation of the machine for an election begins with the County Clerk preparing the ballot definition, which includes the names of the candidates, the names of the contests, and the identification of the buttons on the voting machine that corresponded to each candidate.

The County Clerk, after preparing the ballot definition, delivers the ballot definition to the County Board of Elections. A specific software has been developed in order to program the ballot definition into each voting machine. This software is known as WinEDS, and runs on a Microsoft Windows operating system. The ballot definition is copied to a results cartridge, which is the size of a standard VHS tape. This is accomplished with the use of an ordinary Windows laptop computer, which has been installed with the appropriate WinEDS software. The laptops and the result cartridge are to be kept in a secured room.

The technicians who are to test the machine conduct tests known as Pre-LAT. These are logic and accuracy tests, to make sure the machines have been programmed properly. Essentially, the testing technicians are to conduct a mock election, where they enter a certain number of votes for each candidate and with the use of simulation cartridges, will determine and assure that the machine has been properly programmed.

So that the votes for each candidate are properly recorded for that candidate, PreLAT results are printed or supposed to be printed and kept with the machine, and there are seals placed on the machine after the PreLAT tests are conducted.

Following the July 11 hearing on the Order to Show Cause, the Court entered what I [Judge David Krell] would describe as a Discovery Order, which was prepared by the parties, after back-and-forth (I believe) negotiations. That Order declared the results of the June 7, 2011 election to be void and of no effect. The Order further provided that the Sequoia AVC Advantage machine used in the election, together with election results report and results cartridge, and all other documents pertaining to the election, shall remain impounded.

The Order further permitted additional discovery, including giving expert witnesses an opportunity to examine, take notes of, photograph, or otherwise copy the voting machine paper results report and result cartridge, any laptop used to program the ballot, and any files for that purpose stored in removable storage media.

And finally, that Order provided for a Plenary Hearing to be held August 29, and I believe it was continued to today at the request of the parties. I forget the exact reason but today is September 1 and it’s only two days later.

On August 17, 2011, an expert retained by the Plaintiffs, Dr. Andrew W. Appel, made an inspection of the voting machine and the laptop, pursuant to the Order following the July 11 hearing. In conducting this inspection, Mr. Appel found certain concerns with the security procedures which the Administrator had put in place.

He also discovered that his ability to examine the Administrator’s WinEDS laptop was seriously compromised by what appeared to be an action that someone performed on the computer on August 16, 2011, which erased a number of files which Dr. Appel wanted to examine.

As a result of this discovery, the Plaintiffs filed a Notice of Motion for an Order to Show Cause and presented this Motion to the Court. That Order to Show Cause is returnable today. The Court in fact signed a Second Order to Show Cause, dated August 22, requiring the defense to appear today and show cause, as to whether the Court should enter further Discovery Orders for Plaintiffs to explore this activity, which took place on the Administrator’s laptop on August 16.

In response to the August 22, 2011 Order to Show Cause, the Attorney General filed a Certification of Jason W. Cossaboon, Sr., a Computer System Analyst employed by Cumberland County. Mr. Cossaboon, in his Certification, states that on August 16, 2011, he was asked by the Administrator to determine the date the hardening process was applied to the laptop used to program the voting machines. [editor's note: I'll explain "hardening" in the sequel article]

He apparently was not able to find a log file for the laptop to indicate the date the hardening was done. However, he states that while working on the laptop, he noticed the computer was running very slowly. As a result, he deleted certain “temporary files.” He also, for some reason, deleted the event view logs.

In the Attorney General’s responsive papers, he asserts that further investigation of this election is simply not necessary by the Court and that the Court should simply order a new election or declare the Plaintiffs the winners of the election.

In response to the Attorney General’s filing and position, the Plaintiffs have submitted an additional Certification from Andrew W. Appel, in which he set forth five possible scenarios for what has taken place in this case.

The first scenario, which he rejects, is that the votes recorded on election day are accurate. The Court, and I believe the parties, agree that this scenario seems extremely unlikely, based on the position that all are taking that this election was wrong.

The second scenario proposed by Dr. Appel is that the internals of the voting machine were manipulated so that the election results bear no correspondence to the voters’ actions. Dr. Appel rejects this scenario and the Court agrees that there has been no competent evidence offered to suggest that the voting machine was manipulated improperly or illegally prior to the election.

The third scenario he poses is that poll workers manipulated the voting machine during the election, so that some votes were not recorded. He rejects this scenario and I agree, the Court agrees, as again there is no competent evidence to support this theory.

The fourth scenario is that the positions of the parties were swapped in the election ballot files by an unauthorized intruder, wishing to flip the election results, either through Internet access to the WinEDS laptop or by physical access to the WinEDS laptop. Dr. Appel concludes that he cannot exclude this scenario, although there is no evidence to support this or to suggest this is the case–other than the rather circumstantial and curious concurrence of the two human errors in the programming and testing of the machine prior to the election, and the technician’s [Mr. Cossaboon's] erasing of files one day prior to the inspection.

The fifth scenario posed by Dr. Appel is that the programmer switched the names in programming the computer and the voting machine, and this is what the Administrator claims happened. Dr. Appel also concludes that he cannot exclude this scenario, and the Court tends to believe that this is the most likely explanation for the erroneous results in this case, but cannot totally conclude that.

Based on all of the above, it is clear that the election at issue was defective and must be voided by the Court. While I do believe I have the authority to certify the Plaintiffs as the winners, I do not feel that this is the ideal result in this matter.

I do not know and may never know exactly why this election was defective. I have suspicions that something happened here that was improper and I even question whether something happened here that may have been criminal. And I strongly encourage the Attorney General to turn this over to the Attorney General Division of Criminal Justice, so that appropriate criminal investigators can conduct a full and complete investigation of this matter, to assure that criminality did not take place.

Although the Board of Elections and the Administrator maintain that human error was all that was involved here, for me to believe that I have to believe that three independent errors, human errors, occurred here, and that somewhat stretches my belief of common sense and reality, but it’s possible.

Accordingly, I am ordering a new election to be conducted on September 27, 2011.

This ends my extended quotation of Judge David E. Krell’s oral summary of his conclusions in Zirkle v. Henry. In my next articles in this series, I’ll explain,

  • What are the “hardening guidelines” that the judge refers to, and why would someone be motivated to erase computer files relating to them on the very day before Dr. Appel was scheduled to inspect the computer?
  • How we can tell that the votes were swapped, and how did certain technical safeguards in this DRE voting machine prove to be much less effective than desirable?

DigiNotar Hack Highlights the Critical Failures of our SSL Web Security Model

This past week, the Dutch company DigiNotar admitted that their servers were hacked in June of 2011. DigiNotar is no ordinary company, and this was no ordinary hack. DigiNotar is one of the “certificate authorities” that has been entrusted by web browsers to certify to users that they are securely connecting to web sites. Without this certainty, users could have their communications intercepted by any nefarious entity that managed to insert itself in the network between the user and the web site they seek to reach.

It appears that DigiNotar did not deserve to be trusted with the responsibility to issue SSL certificates, because their systems allowed an outside hacker to break in and issue himself certificates for any web site domain he wished. He did so for dozens of domain names, including *.google.com and www.cia.gov. Anyone with possession of these certificates and control over the network path between you and the outside world could, for example, view all of your traffic to Gmail. The attacker in this case seems to be the same person who similarly compromised certificate-issuing servers for the company Comodo back in March. He has posted a new manifesto, and he claims to have compromised four other certificate authorities. All signs point to the conclusion that this person is an Iranian national who supports the current regime, or is a member of the regime itself.

The Comodo breach was deeply troubling, and the DigiNotar compromise is far worse. First, this new break-in affected all of DigiNotar’s core certificate servers, as opposed to Comodo’s more contained breach. Second, it gave the attacker the ability to issue not only baseline “domain validated” certificates but also higher-security “extended validation” certificates and even the special certificates the Dutch government uses to secure its own services (see the Dutch government’s fact sheet on the incident). The damage was by no means limited to the Netherlands, however, because any certificate authority can issue certificates for any domain: a browser that trusts DigiNotar’s root will accept a DigiNotar-signed certificate for *.google.com just as readily as one signed by Google’s actual CA. The third difference when compared to the Comodo breach is that we have actual evidence of these certificates being deployed against users in the real world. In this case, it appears that they were used widely against Iranian users on many different Iranian internet service providers. Finally, and perhaps most damning for DigiNotar, the break-in was not detected for a whole month, and was then not disclosed to the public for almost two more months (see the timeline at the end of this incident report by Fox-IT). The public’s security was put at risk and browser vendors were prevented from implementing fixes because they were kept in the dark. Indeed, DigiNotar seems to have intended never to disclose the problem, and was only forced to do so after a perceptive Iranian Google user noticed that their connections were being hijacked.

The most frightening thing about this episode is not just that a particular certificate authority allowed a hacker to critically compromise its operations, or that the company did not disclose this to the affected public. More fundamentally, it reminds us that our web security model is prone to failure across the board. As I noted at the time of the Comodo breach:

I recently spoke on the subject at USENIX Security 2011 as part of the panel “SSL/TLS Certificates: Threat or Menace?” (video and audio here if you scroll down to Friday at 11:00 a.m., and slides here.)