Bradblog refuted by Prof. Mebane, U of Mich - - NH vote subset study results below

I knew it, I knew it, I knew it................I knew it HAD to be election fraud.........let the election season fraud begin.

Brennan Center For Justice AT NYU School of Law
THE MACHINERY OF DEMOCRACY:
PROTECTING ELECTIONS
IN AN ELECTRONIC WORLD
BRENNAN CENTER TASK FORCE
ON VOTING SYSTEM SECURITY,
LAWRENCE NORDEN, CHAIR
http://brennan.3cdn.net/a56eba8edf74e9e12e_r2m6b86s2.pdf

Security Analysis of the Diebold AccuBasic Interpreter
David Wagner David Jefferson Matt Bishop
Voting Systems Technology Assessment Advisory Board (VSTAAB)

with the assistance of:
Chris Karlof Naveen Sastry
University of California, Berkeley
February 14, 2006

Memory card attacks are a real threat: We determined that anyone who has access to a
memory card of the AV-OS, and can tamper it (i.e. modify its contents), and can have
the modied cards used in a voting machine during election, can indeed modify the election
results from that machine in a number of ways. The fact that the the results are incorrect
cannot be detected except by a recount of the original paper ballots.
 Harri Hursti's attack does work: Mr. Hursti's attack on the AV-OS is denitely real. He was
indeed able to change the election results by doing nothing more than modifying the contents
of a memory card. He needed no passwords, no cryptographic keys, and no access to any
other part of the voting system, including the GEMS election management server.
 Interpreter bugs lead to another, more dangerous family of vulnerabilities: However, there is
another category of more serious vulnerabilities we discovered that go well beyond what Mr.
Hursti demonstrated, and yet require no more access to the voting system than he had. These
vulnerabilities are consequences of bugs|16 in all|in the implementation of the AccuBasic
interpreter for the AV-OS. These bugs would have no eect at all in the absence of deliberate
tampering, and would not be discovered by any amount of functionality testing; but they
could allow an attacker to completely control the behavior of the AV-OS. An attacker could
change vote totals, modify reports, change the names of candidates, change the races being
voted on, or insert his own code into the running rmware of the machine.
 Successful attacks can only be detected by examining the paper ballots: There would be no
way to know that any of these attacks occurred; the canvass procedure would not detect any
anomalies, and would just produce incorrect results. The only way to detect and correct the
problem would be by recount of the original paper ballots, e.g. during the 1 percent manual
recount.
 The bugs are classic, and can only be found by source code review: Finding these bugs was only
possible through close study of the source code. All of them are classic security flaws, including
buer overruns, array bounds violations, double-free errors, format string vulnerabilities, and
several others. There may, of course, be additional bugs, or kinds of bugs, that we did not find.
---------------------------------------------

Impact. The consequence of these vulnerabilities is that any person with unsupervised access to
a memory card for sucient time to modify it, or who is in a position to switch a malicious memory
card for a good one, has the opportunity to completely compromise the integrity of the electronic
tallies from the machine using that card.
Many of these vulnerabilities allow the attacker to seize control of the machine. In particular,
they can be used to replace some of the software and the rmware on the machine with code of
the attacker's choosing. At that point, the voting system is no longer running the code from the
vendor, but is instead running illegitimate code from the attacker. Once the attacker can replace
the running code of the machine, the attacker has full control over all operation of the machine.
Some of the consequences of this kind of compromise could include:
could be performed at any point during the day. They could be performed selectively, based
on knowledge about running tallies during the day. For instance, the attack code could wait
until the end of the day, look at the electronic tallies accumulated so far, and choose to modify
them only if they are not consistent with the attacker's desired outcome.
 The attack could print fraudulent zero reports and summary reports to prevent detection.
 The attack could modify the contents of the memory card in any way, including tampering
with the electronic vote counts and electronic ballot images stored on the card.
 The attack could erase all traces of the attack to prevent anyone from detecting the attack
after the fact. For instance, once the attack code has gained control, it could overwrite
the malicious AccuBasic object code (.abo le) stored on the memory card with legitimate
AccuBasic object code, so that no amount of subsequent forensic investigation will uncover
any evidence of the compromise.
 It is even conceivable that there is a way to exploit these vulnerabilities so that changes could
persist from one election to another. For instance, if the rmware or software resident on
the machine can be modied or updated by running code, then the attack might be able to
modify the rmware or software in a permanent way, aecting future elections as well as the
current election. In other words, these vulnerabilities mean that a procedural lapse in one
election could potentially aect the integrity of a subsequent election. However, we would
not be able to verify or refute this possibility without experimentation with real systems.
---------------------------------------------------------------------------
It is conceivable that the attack might be able to propagate from machine to machine, like a
computer virus. For instance, if an uninfected memory card is inserted into an infected voting
machine, then the compromised voting machine could replace the AccuBasic object code on
that memory card with a malicious AccuBasic script. At that point, the memory card has
been infected, and if it is ever inserted into a second uninfected machine, the second machine
will become infected as soon as it runs the AccuBasic script.
------------------------------------------

In addition, most of the bugs we found could be used to crash the machine. This might
disenfranchise voters or cause long lines. These bugs could be used to selectively trigger a crash only on some machines, in some geographic areas, or based on certain conditions, such as which
candidate has received more votes. For instance, it would be possible to write a malicious AccuBasic script so that, when the operator prints a summary report at the end of the day, the script examines the vote counters and either crashes or continues operating normally according to which candidate is in the lead.
Unfortunately, the ability of malicious AccuBasic scripts to crash the machine is currently embedded in the architecture of the interpreter. Any innite loop in the AccuBasic script immediately translates into an innite loop in the interpreter (which causes the machine to stop responding, and is indistinguishable from a crash), and any innite recursion in the AccuBasic script translates into stack over row in the interpreter (which could corrupt stack memory or crash the machine).
http://www.votetrustusa.org/pdfs/California_Folder/DieboldReport.pdf

http://itpolicy.princeton.edu/voting/
Security Analysis of the Diebold AccuVote-TS Voting Machine
Executive Summary
Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten
http://itpolicy.princeton.edu/voting/summary.html

Main Findings The main findings of our study are:

1. Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.

2. Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.

3. AccuVote-TS machines are susceptible to voting-machine viruses — computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post-election activity. We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.

4. While some of these problems can be eliminated by improving Diebold's software, others cannot be remedied without replacing the machines' hardware. Changes to election procedures would also be required to ensure security.

Security Assessment of the Diebold Optical Scan Voting Terminal
A. Kiayias L. Michel A. Russell A. A. Shvartsman
UConn VoTeR Center and
Department of Computer Science and Engineering,
University of Connecticut
{akiayias,ldm,acr,aas}@cse.uconn.edu
with the assistance of
M. Korman, A. See, N. Shashidhar, D. Walluck
October 30, 2006
------------------------------------------
In particular we show that even if the memory card is sealed and pre-election testing is performed, one can carry out a devastating array of attacks against an election using only off-the-shelf equipment and without having ever to access the card physically or opening the AV-OS system box. Our attacks include the following:
1. Neutralizing candidates. The votes cast for a candidate are not recorded.
2. Swapping candidates. The votes cast for two candidates are swapped.
3. Biased Reporting. The votes are counted correctly by the terminal, but they are reported incorrectly using conditionally-triggered biases.
Our attacks exploit the serial communication capability of the AV-OS and demonstrate how the attacker can easily take control of the machine and force it to compromise its sealed-in resident memory card. Moreover, we demonstrate how one can make the AV-OS appear to be uncompromised to an evaluator that performs a pre-election test by voting hand-counted ballots, or to an evaluator that examines the audit reports that are produced by the terminal. A corrupted terminal will in fact appear to be faithfully reporting any election procedure that is conducted prior to the day of the election, only to misreport its results on the day of the election.
We also present a low-tech “digital ballot stuffing” attack that is made possible due to the mechanical characteristics of the optical scan reader. This simple attack enables any voter to vote an arbitrary number of times using two Post-it-notes. This attack makes it imperative to have the terminal under constant supervision during elections.
The vulnerability assessment provided in this paper is based only on experimentation with the system. At no point in time had we used, or had access to, internal documentation from the manufacturer or the vendor, including internal machine specifications, source code of the machine’s operating system, layout of the data on the memory card, or the source of the GEMS ballot design and tabulation software. We developed attacks and software that compromises the elections from first principles, by observing system’s behavior and interaction with its environment. Based on this fact, we conclude that attackers with access to the components of the AVOS system can reverse-engineer it in ways that critically compromise its security, discover the vulnerabilities presented herein and develop the attacks that exploit them.
----------------------------------------------
4.1.3 Compromised Election Results
An election is deemed corrupted when the miscounted results get tabulated into the overall election totals. If this is performed manually using the printed receipts that are produced by a corrupted terminal, the corruption of an election would be immediate. The results can also be tabulated electronically, by consolidating memory cards using a terminal and communicating such results to the central tabulation system implemented in GEMS.
The compromised cards that contained the improperly aligned counters are accepted by the central tabulation system without any warning or any other indication that they may be corrupted.
Figure 9: The prepared ballot used for the re-voting attack. Ballot stuffing is as easy as obtaining a couple of standard Post-It notes if the terminal is not closely monitored during an election.
of an election would be immediate. The results can also be tabulated electronically, by consolidating memory cards using a terminal and communicating such results to the central tabulation system implemented in GEMS.
The compromised cards that contained the improperly aligned counters are accepted by the central tabulation system without any warning or any other indication that they may be corrupted.
4.2 Multiple Voting Using Two Post-It R

In this section we present a simple low-tech attack that is based on the following facts regarding the ballot feeding mechanism of the AV-OS terminal:
• The ballot-feed sensor is located on the right side of the slot. Feeding paper into the left side does not trigger the feed mechanism.
• Once a ballot is fed into the AV-OS, the rollers cease. It is thus possible to retract a ballot from the other side of the rollers. This is easily done even when the AV-OS has been properly locked into position atop the ballot box. Moreover, this can be done very quickly, so that the amount of extra votes is only limited to the amount of time the voter is able to spend alone with the ballot box on election day.
• The machine is unable to recognize ballots that have already been cast. Although the AV-OS verifies an election identifier which is global to every ballot in a precinct, it allows the same ballot to be cast as many times as desired.
UConn VoTeR Center Security Assessment of the Diebold Optical Scan Voting Terminal 13
We demonstrate how this vulnerability can be very easily exploited by any voter during the actual election if she is allowed to operate the machine without being observed by a poll-worker. See Figure 9 for an example of an AV-OS ballot with the two Post-it notes affixed to its side. The attacker in this case is allowed to use the machine while unattended and he can pull out and re-insert the shown ballot so that the same vote is cast multiple times.

Democrat Christine Jennings is touting results of an independent study that cites new evidence of machine failure in Sarasota County and concludes that misleading ballot design, voter turnoff and other theories do not account for the "extraordinarily high undervote rate" in the county.

The authors of the report, who said they performed a statistical analysis of electronic ballot and "event log data" from the November election, said they were "unable to propose a convincing mechanism based on voter, machine or ballot characteristics that completely explains the phenomenon.

"In a nutshell," wrote authors David Dill and Walter Mebane, "the excessive CD-13 undervote rate in Sarasota County is not yet well-understood and will not be understood without further investigation."

http://miamiherald.typepad.com/nakedpolitics/2007/01/theres_more_tha.html