There were two fresh articles this week in the media on the Riverside Hack Challenge as initially reported by The BRAD BLOG after the throw-down by Riverside County Supervisor Jeff Stone to Election Integrity Advocates just before the holidays in early December.
You’ll recall he bet “a thousand to one” that the county’s touch-screen Sequoia voting system could not be hacked. He did so during a public meeting on video tape. If you don’t recall, we’ll summarize as briefly as we can. He challenged and the Election Integrity Advocates accepted, as noted voting machine hacker and computer security expert Harri Hursti agreed to take the challenge, and then Stone and the rest of the Riverside Supervisors began to go wobbly. Stone even went so far as to invent ridiculous, unrealistic, unilateral conditions for the hack test in a desperate letter sent to then-outgoing Secretary of State Bruce McPherson, in an apparent hope for a life line from the county’s old, but now out-of-power, state ally up in Sacramento. He doesn’t appear to have gotten one. The new SoS Debra Bowen’s office has informally told The BRAD BLOG they see no legal hurdles to such an independent test of voting machine security.
But with internationally respected computer security experts such as Hursti and Dr. Herbert F. Thompson of Security Innovation (the author of some 12 books on the topic including How to Break Software Security: Effective Techniques for Security Testing and The Software Vulnerability Guide) and others having pointed out that Stone’s unilaterally created conditions meant to simulate an attempted hack by a voter on election day were silly, unrealistic, and not the way such a penetration test would ever be carried out in the real world, Stone continues to cower behind them as reported by both media reports this week.
In doing so, Stone is tacitly admitting, of course, that his county’s electronic voting systems — which the Board of Supervisors and Riverside Registrar of Voters Barbara Dunmore have devoutly declared to be “secure” — are, in fact, anything but.
They know damned well they are not. And their evidence-free claims to the contrary over the last 10 years or so are revealed as little more than unsubstantiated hot air now that their true lack of confidence in their own voting systems has been put on display for the world.
As they well know — as do the Election Integrity advocates on the ground in Riverside — the real threat to unsecured, hackable Electronic Voting Machines comes from insiders. That much has been written about time and again by computer security experts and in any number of reports on the topic. Even the biased and partisan and pro-electronic voting machine Baker/Carter Commission admitted as much when their final report on National Election Reform said, “Software can be modified maliciously before being installed into individual voting machines. There is no reason to trust insiders in the election industry any more than in other industries.”
With Stone’s disingenuous “condition” in his letter to McPherson that the hack tester may not “reach around the back of the machine” (Stone may have forgotten, when he initially made his challenge, that The BRAD BLOG had long ago reported that voters could vote as many times as they wanted on Sequoia touch-screen systems by merely pressing a yellow button on the back of the machine), the folks in Riverside have exposed themselves as knowing full well about the unreliability of their crappy, unsecured voting system.
Unless Stone allows a legitimate security penetration test to be held on his systems, as would occur in the commercial world for any such mission-critical, secure system, he is signaling to his constituents, the state of California, and America that even he has no confidence in the security of the equipment supplied to his voters to exercise their precious democratic franchise.
Two more reporters picked up the shameful tale this week in local media.
The Desert Sun’s Nicole C. Brambila filed a short piece on Sunday headlined “Hacking debate gains traction” in which Stone and his pusillanimous peeps once again reiterate the phony conditions of “no tools and no dismantling the machine. And, the hacker has to infiltrate the system in 15 minutes, the estimated time it takes a voter to do his or her civic duty.”
We laugh knowingly in Stone’s general direction. Even as he likely cries inside.
Of fresh note in Brambila’s piece are these final grafs…
“If there’s somebody that can demonstrate that they can hack into the machines we want to know about it,” he said. “And, then we’ll be throwing away a lot of machines.”
Of course, Lauritzen wants “to know about” no such thing. Otherwise, they would allow for a legitimate “red team” penetration hack test. If they did, we can only hope that Riverside County has plenty of landfill room still available.
And on Monday, the excellent syndicated columnist Tom D. Elias ran a piece which summarized the whole sorry story and reminded us of Stone’s words as he wagered his “thousand to one” bet (which has been met, by the way, with $1000 as wagered by an assorted group of Election Integrity advocates).
“Maybe we should bring the media in and let’s see if your programmer can manipulate that machine,” Stone strutted. “My guess is that it is not gonna happen, but I’m willing to take a chance on that.”
Having taken “a chance on that” with the challenge now accepted, it’s time for the Riverside County Supervisors to put up or shut up.
Elias calls on them to do just that, writing that it’s time for the County’s electronic voting system to be put to the test and then noting:
Then Stone allowed that any would-be hacker should step up to a voting terminal as an ordinary voter might do in a real election. No one has ever suggested that ordinary voters can rig the machines. Instead, episodes of machines recording more votes than there are voters in a precinct, or reversing the tally of votes involve alleged manipulation of machines before or after votes are cast.
…
A test that doesn’t allow the designated computer hacker to work on the machines as they might be handled prior to the election and after it is no real test at all.
As ever, Elias is dead on the money. And we continue to wait to see if the challengers will now follow through with their ill-advised boast which, if conducted legitimately, would do nothing less than actually serve their constituents very well.
If not, and if they continue to tacitly admit they’ve forced unsecured voting systems on their own constituents in which even the Supervisors do not have confidence, it’s likely their legacy will be little more than to be ignominiously known throughout history as the Cowards of Riverside County.

3 more for the gallows.
“Prosecutor says presidential recount rigged in Ohio county”
CLEVELAND – Three elections workers in the state’s most populous county conspired to avoid a more thorough recount of ballots in the 2004 presidential election, a prosecutor told jurors during opening statements Thursday.
“The evidence will show that this recount was rigged, maybe not for political reasons, but rigged nonetheless,” Prosecutor Kevin Baxter said. “They did this so they could spend a day rather than weeks or months” on the recount, he said.
after revolution
I would imagine the new secretary of state’s being willing to work with the county of Riverside to provide a stringent test of their chosen hardware and software for voting. The supervisor who suggested the test likely is under a lot more pressure now than at the time that county selected its preferred vendor; and, if the machines fail the hack test on the secretary of state’s terms, if Riverside county lets a test proceed on that basis, with Bowen overseeing it, then the office of secretary of state will help negotiate the remedies. There was a sensible* thread on this discussion here in mid December, as the challenge by supervisor Stone made the rounds in the news media and thoughtful feedback began to appear.
—-
*see https://bradblog.com/?p=3908#comment-148890
In truth, while Bowen’s office could (if they chose to) oversee the testing, there’s really no need for it. It may be computer science, but it’s not rocket science 🙂
There are many legitimate security professionals out there who know exactly the way these things are done.
Ultimately though, as there are countless ways for insiders to get at these very machines — whether it’s folks in the Elections office in Riverside who have pretty much unlimited access, to Sequoia employees who generally also get access to the systems after deployed but certainly before they are shipped, to Poll Workers who take the systems home in pre-programmed, election-ready setup several weeks prior to the election, or even folks with access to the libraries, etc. where the machines have been left unguarded in the days prior to Election Day etc. — the test need be little more than allow a moderate amount of access to the hack testers and seeing if they can figure out how it could be done without a trace being left behind.
If someone wants to get to these systems and spend time with them, they can and they will. With billions of dollars hanging on the outcome of these elections, you’d have to be a knucklehead to think that some folks wouldn’t have a driving need — and incentive — to do just that.
And then there’s the access after the election. Though I didn’t mention it in the above story, please remember U. of Penn’s Professor Dr. Michael Shamos, a big e-voting supporter and tester of systems for Pennsylvania who accidentally hacked the Sequoia tabulator while demonstrating to some folks how it was unhackable! 🙂 That story is here if ya missed it.
Politician Stone has shown his big mouth and his small ability to manage his big mouth.
Is that the best person for that job?
All mouth and absolutely no “STONES”. Where do they find these people? Several months ago I spoke with Stone and Dunmore, at the time all they did was spew inane rhetoric and it continues to this day. Riverside County needs to clean house as do so many other counties. Do they clone these Supes and ROV’S somewhere?
Who is a “County Supervisor” supposed to be working for? Who pays his salary? Surely, not US taxpayers, since he is fighting against them in the War On American Voters, the traitor. What was the US penalty for treason, again?
Come on, people. Don’t you think just about any minimally competent computer geek could hack just about any system, including your bank, the IRS, the Federal Reserve, the Pentagon, your local school and any other system you can think of if they’re allowed unrestricted access to it? Whether or not a particular system is hackable is not really the important issue. In all of those cases, the reason they typically do not get hacked is because of all the other physical and data security around them.
This is why sleepovers and such, for example, are such a bad, bad idea. But it says nothing about the quality of the machines or the software. Let me into Wells Fargo with no restrictions and I’ll hack their system, too. So what?
Just as in any other computer system in the world, the important things are (1) restrict access so that the bad guys hopefully can’t touch the system in the first place and (2) have methods in place to detect and counteract tampering if it does occur. Auditability. That’s why we need paper trails and cross checks, something you do NOT get with the simple paper systems so many ignorantly propose. Electronic voting, properly done, provides levels of auditability not otherwise available. The important thing is that they be used by the election officials in a way demonstrable to the public.
Demonstrating that someone with unrestricted access can alter data in a system is a worthless exercise. It feeds the rumor mill, provides reasons for outrage to those who apparently need a hobby and gives Brad something to bray about, but that’s about it.
The real threats to elections do come from the inside, but not in regard to the voting systems themselves, but rather the policies and procedures that allow election officials to keep people from voting, to leave votes uncounted or to leave their systems insecure. We should be focusing on those issues rather than gumming up the works with worthless diversions.
Wilson (#7) admits sleepovers are a bad, bad idea. I couldn’t agree more. So is having a warehouse full of voting machines and no video surveillance. So is not maintaining chain-of-custody logs on 555 or more machines out of the 3,500 used on election night, November 7, 2006. So is not posting precinct results at all precincts. So is not allowing any viewing of the error messages in the central tabulator room as the votes are being processed. So is the ROV spending just 3 1/2 minutes with the officially appointed Election Observer Panel and then leaving without indicating she wouldn’t be returning to the orientation meeting.
Regarding the hack, it should be under the same conditions the county presently allows to exist, including up to 12 days of unsecured machines on sleepovers, who knows how many days in the warehouse without surveillance, and a litany of other security breaches that nearly invite, no BEG someone to infect the system and flip the election results, without anyone being the wiser.
Let the test go forward, and then follow it up with a full-blown security consultation/analysis with recommendations for beefing up security. Better yet, trash the machines and go back to hand counted paper ballots – Back to the Future – what a novel concept!
Tom Wilson (#7) said on 1/19/2007 @ 8:03 pm PT: “That’s why we need paper trails and cross checks, something you do NOT get with the simple paper systems so many ignorantly propose”.
You seem so knowledgeable and superior to the ignorant voting masses, Tom. What do you mean by “simple paper systems”? Paper ballots?
And, what are you referring to with, “paper trails and cross checks”? Does that include paper ballots? Or something else like those rolls that resemble toilet paper?
Kind of strange how the trolls have come back so soon after the FCC had to give us Net Neutrality for a couple of more years, isn’t it.
They are worried, folks! They are cross checking their paper trails.
Tom Wilson slithered onto the scene, then left, leaving behind a trail of slime.
If we could just get them to bathe.
“Tom Wilson slithered onto the scene, then left, leaving behind a trail of slime.”
Some people have more important things to do than sit on these web sites throwing stones. Unless you have real, implementable solutions to the problems, and hand-counted paper ballots are not a solution, then I would suggest you and your constant harangue are part of the problem, not part of the solution. You would do better to sit in your back yard looking for black helicopters.