Since its release last August we have covered the California Top-To-Bottom Review and its implications for Connecticut <here> <here> <here> it is an outstanding collection of reports based on research and evidence. It helped earn a deserved “Profile In Courage” award to its sponsor, Debra Bowen, Secretary of State of California.
How far will those patriotic voting machine vendors go to stretch the truth? How far to discredit a report demonstrating massive flaws in their voting systems? We have the answer. It seems that they stretch it beyond the breaking point. Dan Wallach was testifying last week about the California Top-To-Bottom Review to the Texas Legislature. <read his report>
Wow, was I disappointed. Here’s a quote from Peter Lichtenheld, speaking on behalf of Hart InterCivic:
Security reviews of the Hart system as tested in California, Colorado, and Ohio were conducted by people who were given unfettered access to code, equipment, tools and time and they had no threat model. While this may provide some information about system architecture in a way that casts light on questions of security, it should not be mistaken for a realistic approximation of what happens in an election environment. In a realistic election environment, the technology is enhanced by elections professionals and procedures, and those professionals safeguard equipment and passwords, and physical barriers are there to inhibit tampering. Additionally, jurisdiction ballot count, audit, and reconciliation processes safeguard against voter fraud.
..Did our work cast light on questions of security? Our work found a wide variety of flaws, most notably the possibility of “viral” attacks, where a single corrupted voting machine could spread that corruption, as part of regular processes and procedures, to every other voting system. In effect, one attacker, corrupting one machine, could arrange for every voting system in the county to be corrupt in the subsequent election…
Were we given unfettered access? The big difference between what we had and what an attacker might have is that we had some (but not nearly all) source code to the system. An attacker who arranged for some equipment to “fall off the back of a truck” would be able to extract all of the software, in binary form, and then would need to go through a tedious process of reverse engineering before reaching parity with the access we had. The lack of source code has demonstrably failed to do much to slow down attackers who find holes in other commercial software products. Debugging and decompilation tools are really quite sophisticated these days. All this means is that an attacker would need additional time to do the same work that we did.
Did we have a threat model? Absolutely! See chapter three of our report, conveniently titled “Threat Model.” The different teams working on the top to bottom report collaborated together to draft this chapter. It talks about attackers’ goals, levels of access, and different variations on how sophisticated an attacker might be. It is hard to accept that the vendors can get away with claiming that the reports did not have a threat model, when a simple check of the table of contents of the reports disproves their claim.
