April 25, 2014


NJ Voting-machine Trial: Defense Witnesses

I’ve previously summarized my own testimony and other plaintiffs’ witnesses’ testimony in the New Jersey voting machines trial, Gusciora v. Corzine.

The defendant is the State of New Jersey (Governor and Secretary of State). The defense case comprised the following witnesses:

Defense witness James Clayton, the Ocean County voting machine warehouse supervisor, is a well-intentioned official who tries to have good procedures to secure the Ocean County voting machines. Still, it became apparent in his testimony that there are security gaps regarding transport of the machines, keys to the machines, and security at polling places before and after election day.

Richard Woodbridge is a patent attorney who has chaired the NJ Voting Machine Examination Committee for more than 20 years. It’s not clear why the defendants called him as a witness, because they conducted only a 15-minute direct examination in which he didn’t say much. On cross-examination he confirmed that his committee does not conduct an independent analysis of software and does not consult with any computer security experts.

Robert Giles, Director of Elections of the State of New Jersey, testified about experimenting with different forms of seals and locks that New Jersey might apply to its AVC Advantage voting machines. On cross-examination, it became clear that there is no rhyme or reason in how the State is choosing seals and other security measures, and that it is not getting expert advice on these matters. He also admitted that there is no statewide control, or even supervision, of the procedures that counties use to safeguard the voting machines, the results cartridges, keys, and so on. He confirmed that several counties use the cartridges as the official tally, in preference to paper printouts witnessed and signed (at the close of the polls) by election workers.

Edwin Smith testified as an expert witness for the State defendants. Mr. Smith is vice-president and part owner of Sequoia Voting Systems. He stands to gain financially depending on the verdict in this trial: NJ represents 20% of Sequoia’s market, and his bonuses depend on sales. Mr. Smith testified to rebut my testimony about fake Z80 processors. (Wayne Wolf, who testified for plaintiffs about fake Z80s, testified after Mr. Smith, as a rebuttal witness.) Even though Mr. Smith repeatedly referred to replacement of Z80s as “science fiction”, he then offered lengthy testimony about methods to try to detect fake Z80s. This gave credence to the fact that fraudulent CPUs are not only a possibility but a real threat.

Mr. Smith also confirmed that it is a security risk to connect WinEds computers (that prepare electronic ballot definitions and tabulate results) to the Internet, and that those counties in NJ that do so are making a mistake.

Paul Terwilliger testified as a witness for the defense. Mr. Terwilliger is a longtime employee and/or contractor for Sequoia, who has had primary responsibility over the development of the AVC Advantage for the last 15 years. Mr. Terwilliger admitted that in 2003 the WIPO found that he’d acted in bad faith by cybersquatting on the Diebold.com domain name at the request of Sequoia. Mr. Terwilliger testified that it is indeed possible to program an FPGA to make a “fake Z80” that cheats in elections. But, he said, there are some methods for detecting FPGAs installed on AVC Advantage voting machines instead of the legitimate Z80. (Some of these methods are impractical, others are ineffective, others are speculative; see Wayne Wolf’s report.) This testimony had the effect of underscoring the seriousness of the fake-Z80 threat.

Originally the defendants were going to rely on Professor Michael Shamos of Carnegie Mellon University as their only expert witness. But the Court never recognized him as an expert witness. The Court ruled that he could not testify about the security and accuracy of the AVC Advantage, because he had not offered an opinion about security and accuracy in his expert report or his deposition.

The Court did permit him to testify in general terms. He said that in real life, we have no proof that a “hacked election” has ever occurred; and that in real life, such a hack would somehow come to light. He offered no studies that support this claim.

Professor Shamos attempted to cast doubt in the Court’s mind about the need for software independence, and to disparage precinct-based optical scan voting (PCOS). But he offered no concrete examples and no studies regarding PCOS.

On many issues, Professor Shamos agreed with the plaintiffs’ expert: it’s straightforward to replace a ROM chip, plastic-strap seals provide only a veneer of protection, the transformed machine can cheat, and pre-election logic-and-accuracy testing would be ineffective in detecting the fraud. He does not dispute many of the bugs and user-interface design flaws that we found, and recommends that those should be fixed.

Professor Shamos admitted that he is alone among computer scientists in his support of paperless DREs. He tried to claim that other computer scientists such as Ted Selker, Douglas W. Jones, and Joseph Lorenzo Hall also supported paperless DREs by saying they supported parallel testing–implying that those scientists would consider paperless DREs to be secure enough with parallel testing–but during cross-examination he backed off a bit from this claim. (In fact, as I testified in my rebuttal testimony, Drs. Jones and Hall both consider PCOS to have substantially stronger security, and to be substantially better overall, than DREs with parallel testing.)

Parallel testing is Professor Shamos’s proposed method to detect fraudulent software in electronic voting machines. In order to catch software that cheats only on election day, Professor Shamos proposes to cordon off a machine and cast a known list of test votes on it all day. He said that no state has ever implemented a satisfactory parallel testing protocol, however.
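Parallel testing only catches fraud on the machines that happen to be pulled for testing, so its value depends on how many machines are tested relative to how many were tampered with. The following calculation is an added example, not part of the original post or of any testimony in the trial: it models testing as a random draw of machines from a county and computes the chance that at least one cheating machine lands in the tested set. The county size, number of cheating machines and target probability are constructed inputs. The model assumes the fraudulent firmware also miscounts the test votes; as the commenters below point out, a firmware that recognizes a test session and behaves honestly during it would make this detection probability zero regardless of sample size.

```python
from math import comb


def detection_probability(total_machines: int, cheating_machines: int,
                          tested_machines: int) -> float:
    """Probability that at least one cheating machine is among those pulled
    for parallel testing, assuming the tested machines are chosen uniformly
    at random and a cheating machine always fails the test.

    This is the hypergeometric tail: 1 - C(N-m, k) / C(N, k), where N is the
    number of machines, m the number that cheat, k the number tested.
    """
    if cheating_machines <= 0:
        return 0.0
    clean = total_machines - cheating_machines
    if tested_machines > clean:
        # More machines tested than there are clean ones: a cheater must be drawn.
        return 1.0
    return 1.0 - comb(clean, tested_machines) / comb(total_machines, tested_machines)


def machines_needed(total_machines: int, cheating_machines: int,
                    target_probability: float) -> int:
    """Smallest number of machines to parallel-test so that the detection
    probability reaches the target (e.g. 0.95)."""
    for k in range(total_machines + 1):
        if detection_probability(total_machines, cheating_machines, k) >= target_probability:
            return k
    return total_machines


if __name__ == "__main__":
    # Constructed scenario: a county with 100 machines, 10 of which carry
    # fraudulent firmware, and election officials able to test only 10.
    p = detection_probability(100, 10, 10)
    print(f"Testing 10 of 100 machines with 10 cheaters: P(detect) = {p:.3f}")
    k = machines_needed(100, 10, 0.95)
    print(f"Machines to test for 95% detection chance: {k}")
```

With these inputs, testing a tenth of the machines gives roughly a two-thirds chance of catching the fraud, and a 95% chance requires sidelining a quarter of the county's machines for the whole of election day. Smaller numbers of tampered machines push the required sample higher still, which is one concrete reason the protocol has proven hard to implement in practice.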

Summary of the defendant’s case

One of the plaintiffs’ most important claims–which they demonstrated on video to the Court–is that one can replace the firmware of the AVC Advantage voting machine with fraudulent firmware that changes votes before the polls close. No defense witness contradicted this. To the extent that the defense put up a case, it hinged on proposed methods for detecting such fraudulent firmware, or on proposed methods for slowing down the attack by putting tamper-evident seals in the way. On both of these issues, defense witnesses contradicted each other, and plaintiffs presented rebuttal witnesses.

Comments

  1. Valerie Lane says:

    I did not make this up …..you can find it in the Press-Enterprise archives.
    Comments by Ed Smith to Riverside County election review panel before the CA TTBR.
    It’s all about the bottom line! Read it and weep……….
    Voting system maker fields Riverside County’s security questions

    11:28 PM PDT on Wednesday, May 2, 2007
    By KIMBERLY TRONE
    The Press-Enterprise
    Survey: What, if anything, should be done to improve the security of ballots in Riverside County?
    Sequoia Voting Systems representatives said Wednesday that they welcome Secretary of State Debra Bowen’s rigorous review of voting technologies in use by California counties.
    Ed Smith, vice president of quality, certification and compliance for Sequoia, told Riverside County’s election review panel that the company has turned over its equipment and source codes to Bowen’s office for testing.
    The source codes are kept private by manufacturers, but critics of electronic voting have called for open-source software to increase transparency in voting.
    Bowen has said she will issue findings by Aug. 3 on whether the voting systems used by California counties comply with the federal Help America Vote Act…
    Sequoia made the touch-screen voting machines in use in Riverside County, and its representatives were in Riverside to answer security questions posed by the county’s election review panel.
    San Bernardino County also uses Sequoia’s touch-screen machines.
    Riverside County supervisors late last year appointed the panel to study and recommend improvements to the electoral system. The supervisors acted after being inundated with complaints about machine malfunctions and delays at the polls during the November 2006 election.
    Smith said any voting system, paper or electronic, can be manipulated. But, he added, Sequoia machines are equipped with safeguards that immediately shut them down if they are tampered with.

  2. Alan Brau says:

    How does Dr. Shamos explain the reliability of parallel testing in machines which cannot be independently tested? From a scientific standpoint, what percentage of machines would have to run as “dummies” to achieve statistical significance for accurate voting results?
    In my home state of Pennsylvania, Dr. Shamos is the most respected consultant in the State Department, but in my opinion his work is sloppy and uncritical.

  3. Jiang Ying says:

    Dear Professor:
    I am now taking a course called “Compiler”, and I bought a book recommended by teacher which is called “Modern Compiler Implementation in Java”, wrote by you, but I can’t find any answers for the problems after each chapter, and I think the problems are very useful for me to practise for understanding the exact meaning of the book, but some of them are hard and I need a solution, then I searched the internet and found your email address, can you help me?
    Please contact me by jy.1118@qq.com, that’s really very nice of you. Thanks very much^_^
    Jiang Ying, from China^_^

  4. Anonymous says:

    It’s unworkable because it requires consistent, careful use, in every election, which experience with other election administration tasks has shown to be far beyond most election administrators’ capabilities.

    And parallel testing is insufficient for at least two reasons. First, it can (at best) only detect attacks, not remedy them. An election in which parallel testing detects an attack is still compromised, and the compromise can’t be backed out, even in the (unlikely) event that the election is (or legally can be) re-run. Second, a sufficiently-adept attacker can anticipate and sidestep parallel testing. For example, an attacker might write her code to assume that a run of continuous voting is really a test, or that several “voters” using a statistically-similar touch pressure are really one person. Or, if the machine contains a proximity sensor (ostensibly for, e.g., turning the backlight on when a voter approaches), a RFID reader (ostensibly for, e.g., unlocking the machine to begin voting), or a microphone (ostensibly for disability assistance) she might be able to determine that a single person has been sitting in front of the machine for a long time, casting multiple ballots.

    Shamos underestimates attackers’ capabilities — especially those of vendor-attackers — and overestimates the effectiveness of parallel testing.

  5. Anonymous says:

    To clarify my comment about backing out compromise by re-running elections: a re-run (if not attacked) does back out corruption of the original election, but it is a different election, and is therefore unfair to everyone who relied upon the original election’s timing. A re-run is, thus, at best a best-efforts, incomplete remedy to a corrupted election.

  6. Fred says:

    I cannot stand the amount of fraud that runs rampant with voting machines. I suggest everyone check out the HBO documentary “Hacking Democracy”.
