Rep. McKinney (D-GA) Discusses Hack as Diebold Attacks Elections Official
By: Matthew Cardinale YubaNet Jun 27, 2005
"The bottom line is we can't trust the machines, and we can't trust the results being told to the American people," U.S. Rep. Cynthia McKinney (D-GA) said in a phone interview for the progressive news community, adding "we are planning some as-yet-undefined events in [our] district" around the issue.
The problem, the Congresswoman said, is that the machines "haven't been provided with appropriate software and safeguards. If they had the appropriate software and safeguards, then the machines wouldn't be a problem. So either [provide] that, or go back to paper ballots," she advised.
Rep. McKinney, along with Rep. Corrine Brown (D-FL), had been on hand for a hack demonstration in the Leon County Elections Office, in Florida, in May 2005. The demo was one of three meetings that had been organized by Bev Harris and the team at Black Box Voting.
Diebold has since issued a vitriolic letter to Mr. Ion Sancho, Leon County Elections Supervisor, for allowing Black Box Voting to conduct the hack demo on site.
Mr. Sancho defended his actions in a phone interview and explained his concerns regarding electronic voting.
As Black Box Voting announced in recent weeks, two computer science experts have been able to hack into Leon County's Diebold central tabulator as well as individual optical scan machines. For a recent interview with Bev Harris written by the present columnist about the hack, which ran on YubaNet, please click here.
Rep. McKinney, who was on site for the second of the three hack demos, clarified she did not see the entire demo, particularly the hack on the individual scan machines, "because they were not able to do the hack in the prescribed time," and she had to get going on that day.
"I understand they were able to do the hack afterwards," Rep. McKinney said, adding she had been troubled by the news of it which was relayed "by way of press release."
"Granted the same access as an employee of our office, it was possible to enter the computer, alter election results, and exit the system without leaving any physical record of this action," said a formal statement posted by Mr. Ion Sancho on the Leon County Election's Office official website.
The statement is available here.
"It was also demonstrated that false information or instructions could be placed on a memory card (the device used to program the individual voting machines and record the voter's votes) and create false results or election reports," the statement said.
Harri Hursti, 36, who ran the hack demo on the individual machines and memory cards, reiterated Congresswoman McKinney's concerns.
"I had prepared memory cards provided by Leon County having elections data for educational purposes. I modified three of these [cards], demonstrating three different attack methods, three different ways to penetrate the layer of security to change the outcome of elections to demontrate how to change the papertrail believed to protect the election integrity," Hursti said.
Drawing upon his long-time experience with computers, Hursti concluded strongly, "There is poor security because of the very design of the machines, not the implementation. It was been designed to be flexible to modifications, over considerations for security. I think optical scan should be redesigned and implemented based on new architecture," Hursti said.
Hursti has worked for many years on computer graphics, databases, and even government systems for the nation of Finland. Hursti has also worked on issues related to security, encryption, and telecommunition, helping to co-found the first commercial internet service in Finland, and helping design a pan-European internet service called EUnet, part of which was later acquired by Qwest.
To be sure, Black Box Voting was only able to perform the hack from on-site, not remotely. However, vulnerabilities still exist, Ion Sancho of Leon County, Florida, warned.
"One of my concerns now is I know other jurisdictions allow the vendor [Diebold] to do the entire process, programming memory cards, and generating results, especially in rural counties of Florida," said Ion Sancho.
"It's not that uncommon to be that dependent on vendors," Sancho warned, adding, "This is too sensitive an issue to cut corners on."
Mr. Sancho, who says he's worked with electronic voting machines since their inception, said he was shocked when he learned that his boss at the Florida Division of Elections, Mr. Paul Craft, was already aware of the system vulnerability on the memory cards prior to the hack.
"Surprisingly he was aware of this feature and no other elections supervisors were told," Sancho said. "It was shared later to Diebold and it turned out they were already aware of it. In the state of Florida, only the ones in charge of doing security were unaware of this potential problem."
Rep. McKinney explained "I became involved [in this issue] because of the intervention of a computer programmer who is Georgia-based who had concerns about the? election voting machines," Rep. McKinney said.
The programmer's name is Roxanne Jeqot, Rep. McKinney said. "She's the one who did so much to bring this issue to my attention," Rep. McKinney added, saying she had also heard from many constituents of Decatur, Georgia, who do not trust the elections machines.
"We were in a warehouse full of machines. We had the opportunity to look at the mother of all the machines that does the counting, and to simulate the process as votes would come in on election night," Rep. McKinney described of the demo.
Diebold Elections Systems, Inc., (DESI) appeared to be none too happy about the affair, however.
A copy of an abrasive letter from Diebold, dated June 8th, 2005, was obtained by the present writer. The letter was written by Michael E. Lindroos, a Diebold Senior Corporate Counsel.
"You [Mr. Sancho]? appear to have intentionally and negligently allowed unauthorized personnel to make modifications to your system that are not discernable to you or your IT staff. Aside from potential violations of our licensing agreements and intellectual property rights, we believe this to have been a very foolish and irresponsible act," Lindroos wrote.
"We are investigating whether your actions may have violated your responsibilities under our licensing agreements or voided any extended warranty. As your system has been compromised by your acts, DESI cannot confirm at this time whether you can conduct any future elections reliably," Lindroos continued.
Bev Harris at Black Box Voting asserts that Diebold's angry letter only proves the point being made by consumer advocates, in an ironic way, by underscoring the hackability of the machines.
Ion Sancho, who has worked as an elections official for 17 years, said "I'm very glad I did what I did because now I'm aware of the steps that need to be taken to ensure that this kind of attack can be prevented."
"Not only do you have to have paper ballots," Sancho said, "but the elections administrator has to be able to use his or her discretion to ensure that the machines are working properly."
"I'm sort of the Black Sheep of Florida Elections here for not going along with the Elections Association," Sancho said, adding that he had been appointed in 2000 to recount the Miami-Dade ballots in the Presidential Election by the Florida Supreme Court, before the US Supreme Court intervened and disrupted the recount.
"The main reaction [by Diebold] has been to stonewall Black Box Voting, and that's only feeding the sense that something wrong may be occurring," Sancho said. "Diebold's corporate stance is to deny and attack the credibility of individuals who are raising these issues. The response is to hide it, pretend it doesn't exist, and further attack the messenger. Their own lack of openness is their greatest shortcoming," Mr. Sancho said.
Black Box Voting is set to issue a technical report on their Diebold findings in the coming days, and is currently working on another Diebold related project which is sure to knock people's socks off upon its official announcement.