Category Archives: voting technology

“Experts call for rigorous audit to protect California recall”

AP:

A group of election security experts on Thursday called for a rigorous audit of the upcoming recall election for California’s governor after copies of systems used to run elections across the country were released publicly.

Their letter sent to the secretary of state’s office urges the state to conduct a type of post-election audit that can help detect malicious attempts to interfere.

The statewide recall targeting Democratic Gov. Gavin Newsom, set for Sept. 14, is the first election since copies of Dominion Voting Systems’ election management system were distributed last month at an event organized by MyPillow CEO Mike Lindell, an ally of former President Donald Trump who has made unsubstantiated claims about last year’s election. Election offices across 30 states use the Dominion system, including 40 counties in California.

Election security experts have said the breaches, from a county in Colorado and another in Michigan, pose a heightened risk to elections because the system is used for a number of administrative functions — from designing ballots and configuring voting machines to tallying results. In the letter, the experts said they do not have evidence that anyone plans to attempt a hack of the systems used in California and are not casting blame on Dominion.

“However, it is critical to recognize that the release of the Dominion software into the wild has increased the risk to the security of California elections to the point that emergency action is warranted,” the experts wrote in their letter, which was shared with The Associated Press.

The eight experts signing the letter include computer scientists, election technology experts and cybersecurity researchers.

Jenna Dresner, a spokeswoman for Secretary of State Shirley Weber, said the 40 counties in California using Dominion employ a different version of the election management system that meets various state-specific requirements. She outlined numerous security measures in place to protect voting systems across the state. That includes regular testing for vulnerabilities, strict controls on who has access, physical security rules and pre-election testing to ensure that no part of the system has been modified.

Share this:

“G.O.P. Election Reviews Create a New Kind of Security Threat”

NYT:

Late one night in May, after surveillance cameras had inexplicably been turned off, three people entered the secure area of a warehouse in Mesa County, Colo., where crucial election equipment was stored. They copied hard drives and election-management software from voting machines, the authorities said, and then fled.

The identity of one of the people dismayed state election officials: It was Tina Peters, the Republican county clerk responsible for overseeing Mesa County’s elections.

How the incident came to public light was stranger still. Last month in South Dakota, Ms. Peters spoke at a disinformation-drenched gathering of people determined to show that the 2020 election had been stolen from Donald J. Trump. And another of the presenters, a leading proponent of QAnon conspiracy theories, projected a portion of the Colorado software — a tool meant to be restricted to election officials only — onto a big screen for all the attendees to see.

The security of American elections has been the focus of enormous concern and scrutiny for several years, first over possible interference or mischief-making by foreign adversaries like Russia or Iran, and later, as Mr. Trump stoked baseless fears of fraud in last year’s election, over possible domestic attempts to tamper with the democratic process.

But as Republican state and county officials and their allies mount a relentless effort to discredit the result of the 2020 contest, the torrent of election falsehoods has led to unusual episodes like the one in Mesa County, as well as to a wave of G.O.P.-driven reviews of the vote count conducted by uncredentialed and partisan companies or people. Roughly half a dozen reviews are underway or completed, and more are being proposed.

These reviews — carried out under the banner of making elections more secure, and misleadingly labeled audits to lend an air of official sanction — have given rise to their own new set of threats to the integrity of the voting machines, software and other equipment that make up the nation’s election infrastructure….

Security experts say that election hardware and software should be subjected to transparency and rigorous testing, but only by credentialed professionals. Yet nearly all of the partisan reviews have flouted such protocols and focused on the 2020 results rather than hunting for security flaws….

Christopher Krebs, the former head of the federal Cybersecurity and Infrastructure Security Agency, said such reviews could easily compromise voting machines. “The main concern is having someone unqualified come in and introduce risk, introduce something or some malware into a system,” he said. “You have someone that accesses these things, has no idea what to do, and once you’ve reached that point, it’s incredibly difficult to kind of roll back the certification of the machine.”…

Pulling compromised machines out of service and replacing them is not a foolproof solution, however.

The equipment could have as-yet-undiscovered security weaknesses, Mr. Halderman said. “And this is what really keeps me up at night,” he said. “That the knowledge that comes from direct access to it could be misused to attack the same equipment wherever else it’s used.”

Share this:

“Experts Warn Recent ‘Insider’ Theft, Leak of Vote System Software Imperils CA Recall Election: ‘BradCast’ 8/18/2021”

Brad Blog:

We’ve been covering this story in detail over the past week, as both the national media and California media haven’t covered it at all. But they should. Colorado media finally jumped in, a bit, this week after their Sec. of State on Monday announced that Mesa County Clerk Tina Peters — who appeared on stage several times at Lindell’s forum last week — was behind the theft and copying of two hard drives at the Mesa County Election Division containing Dominion Voting’s Election Management System (EMS) software.

Democratic CO Sec. of State Jenna Griswold’s office, in a news release Monday night, explained how Peters pulled off the heist with two accomplices in the middle of the night back in May, before the software was released into the wild during last week’s symposium. Since then, we have reported on this show about the concerns expressed by voting system and cybersecurity experts like Harri Hursti, who warns that the release of the critical software “lowers the barrier for attack planning and therefore increases the likelihood of future attacks.” That, just after another top expert in the field, University of Michigan’s J. Alex Halderman, filed a 50,000 word report in a long-running federal lawsuit in Georgia, which seeks to ban Dominion’s unverifiable touchscreen voting systems. The report, which he says [PDF] details disturbing, newly discovered vulnerabilities in those systems, which reportedly could allow votes to be changed without detection, has now been sealed by the federal judge due to its sensitivity — even from the plaintiffs and defendants in the case!

Dominion’s vulnerable touchscreens are used in several large jurisdictions in California, even as the recall is now ongoing, including San Diego County, San Francisco and Riverside County. Their EMS software — released to the Internet and downloaded by thousands just last week — is used to tabulate votes, both hand-marked paper ballots and touchscreen votes, in every county where Dominion’s systems are used. The software is used broadly in enough counties here that it could easily effect the computer-tallied results of the Recall election.

Another top expert who is worried about all of this joins us on today’s program to explain why, and what can now be done about this serious security breach. University of California-Berkeley Professor PHILIP STARK is an expert witness in the Georgia case, the inventor of the post-election Risk-Limiting Audit protocol, and currently serves on the Board of Advisors of the U.S. Election Assistance Commission.

He joined Hursti this week in telling me that they were both dubious about vague claims from the CO Sec. of State’s office that the U.S. Cyber Security and Infrastructure Security Agency (CISA) was not particularly concerned about the leak of the Dominion software.

“It is a serious risk,” Stark makes clear today. “The best metaphor I’ve been able to come up with is, if I were trying to break into a bank, how helpful would it be to have blueprints of the bank and the bank vault? How helpful would it be for me to have an actual exact copy of the bank, completely at my disposal, to try different ways of breaking in and so forth? Not even a scale model, but literally the exact same thing, just in a different place. That’s what having a copy of these disks amounts to.”

“To the extent that these systems were not that secure in the first place, this doesn’t make the systems more vulnerable. But it gives a would-be evil-doer lots of help and information to plan an attack, figure out what’s going to work, which then can be conducted later by someone with less technical skill,” Stark warns.

He explains that “these Election Management Systems are used, among other things, to configure the ballot marking devices” as well as “results from the precinct-based scanners” and the high-speed centralized scanners used to tabulate Vote-by-Mail ballots. “The release of the EMS code gives someone a blueprint for how to write malware to infect the ballot marking devices, etc., when they’re configured using these systems.”

We go on to discuss what can and should now be done by California in regards the ongoing Recall election (as well as other jurisdictions, with elections coming up in November, where Dominion systems are used in more than a dozen states) to ensure that results are accurately tabulated and reported, and can be known by the public, after the election, as such. His recommendations include the use of both hand-marked paper ballots and a far more robust post-election audit process than is currently mandated by CA state law.

Moreover, he cites a critical lesson that should be learned from Tina Peters, the Republican County Clerk in Mesa, CO who is alleged to have brought accomplices into the Elections Division in the middle of the night on May 23rd, and turned off the security cameras in order to steal the software and copy it for release into the wild. (She is now under criminal investigation and has been relieved of her duties by CO’s Secretary Griswold.) “This is a very clear reminder that insider threats are real,” observes Stark. “This is a wake-up call. It is very difficult to mitigate insider threats.”

Share this:

“Dominion Sues Newsmax, One America News Network, Others Over Election Claims”

Wall Street Journal on the latest Dominion lawsuit:

One of the largest voting-machine companies in the U.S. on Tuesday sued two conservative media networks and a businessman it said had defamed it by spreading accusations that it rigged the 2020 election for President Biden.

Dominion Voting Systems filed suits against Newsmax Media Inc. and Herring Networks Inc.’s One America News Network. Dominion also sued Patrick Byrne, the former chief executive of Overstock.com Inc., an online seller of furniture and other goods.

Dominion accused the two networks of defaming the company and its products by airing false reports that its machines switched votes from President Donald Trump to Mr. Biden. The company also said Mr. Byrne repeatedly and falsely alleged that Dominion rigged vote tallies to steal the 2020 presidential election for Mr. Biden. In each of the three lawsuits, Dominion is seeking more than $1.6 billion in damages, citing lost profit and other costs.

Share this:

“U.S. Election Assistance Commission Sued for Improperly Loosening Voting System Standards After Private Meetings With Voting Machine Manufacturers”

Free Speech for People press release.

Update – AP reports: “Key elements of the first federal technology standards for voting equipment in 15 years should be scrapped because language that would have banned the devices from connecting to the internet was dropped after private meetings held with manufacturers, according to a federal lawsuit filed Tuesday.”

Share this:

“The stampede away from Trump’s voting-machine claims continues apace, as legal liability looms for allies”

WaPo:

Among the many wild conspiracy theories about the 2020 election, few rank as high when it comes to both baselessness and reach as those involving voting machines. The theory that voting machines were programmed to steal the election from incumbent President Donald Trump had the benefit, while being utterly without merit, of at least being simple and easy for people to grasp.

Unfortunately for their proponents, these theories carry one very significant drawback: legal liability. …

The result: Many if not most of the high-profile purveyors of such claims have since backed off.

Share this:

“New Hampshire Election Audit, part 2”

Andrew Appel:

In my previous post I explained the preliminary conclusions from the three experts engaged by New Hampshire to examine an election anomaly in the town of Windham, November 2020. Improperly folded ballots (which shouldn’t have happened) had folds that were interpreted as votes (which also shouldn’t have happened) and this wasn’t noticed by any routine procedures (where either overvote rejection or RLAs would have caught and corrected the problem)–except that one candidate happened to ask for a recount. At least in New Hampshire it’s easy to ask for a recount and the Secretary of State’s office has lots of experience doing recounts.

Share this:

“Last-Minute Tweaks to Voting Machine Standards Raise Cyber Fears”

USLW:

Last-minute changes to proposed federal standards for new voting machines could expose the equipment to cyberattacks, according to some members of Congress and security professionals.

The Election Assistance Commission, slated to authorize new voting system guidelines on Feb. 10, amended key sections of a 328-page document less than two weeks before the decision. The amended language of the Voluntary Voting System Guidelines 2.0 would allow next generation voting machines to include components capable of wireless communications, as long as they’re disabled. The changes were made even though the EAC’s technical advisory committee recommended an outright wireless ban.

Cybersecurity experts, some of the EAC’s own advisers and members of Congress are calling for the agency’s four commissioners to vote on a version of the document finalized in July 2020 which included the prohibition on wireless capability. In a letter reviewed by Bloomberg, a bipartisan coalition of more than 20 members of Congress led by Representative Bill Foster told the EAC’s Chairman Ben Hovland that the current version would “diminish confidence in both the federal voting system certification program and the security of our election systems.”

“We cannot sanction the use of online networking capabilities when they carry the very real and increased risk of cyber-attacks, at scale, on our voting machines,” reads the letter….

Meanwhile, others are asking the EAC to explain why changes to a document 15 years in the making were made less than two weeks before the scheduled vote.

“The issue here is the EAC made changes to some of the most commented-on sections of the standard without clearly explaining who made the change, why the change was made and that’s inviting a lot of questions,” said Matt Masterson a former EAC commissioner, referring to some of the 50,000 public comments submitted to the EAC in 2020.

Masterson said there’s no reason to believe the late amendments were born out of malfeasance. “There is an opportunity here for further transparency by the commission which I hope they provide,” said Masterson, former election security lead at the Cybersecurity & Infrastructure Security Agency, part of the Department of Homeland Security.

Share this: