Please see the Election Integrity Homepage for complete coverage and the latest news.
The county made a point of stressing that they only paid Mr. King $10 for his testimony, seeking to bolster his credibility with the judge: I think they may have paid too much.
"The Man from Diebold" is the maybe-not-so-affectionate cognomen given to Mr. Merle King by election integrity activists at the trial. His testimony constituted the big hired gun for the defense - the county's best hope to defend the honor of Diebold, and to justify the withholding of the database by explaining the risks inherent in the release of this data "into the wild," as King and the county's attorneys put it.
Given that King clearly admits that an operator could rig an election using Diebold's GEMS software, and may escape detection in doing so, he would seem to have failed his primary task of protecting Diebold's reputation. Given that Bill Risner picked apart every threat scenario on cross-examination, making those threats seem vanishingly implausible, if not down-right impracticable, compared to the clear and admitted threat of a corrupt insider, he signally failed at the latter task as well.
King made the damaging admission that, to his knowledge, no outsider has ever even attempted to rig an election through hacking of the sort he hypothesizes. The only actual example of electoral mayhem he ever came up with was a guy with a hammer who tried to smash a touch-screen computerized polling machine. Apparently, we need to keep the location of hardware stores a secret.
I would not be surprised if attorneys across the nation will be studying Risner's cross examination in preparation for their own suits to liberate Diebold's and other vendors' tabulator software databases for public scrutiny. It was just that good. A pleasure to watch, and, I'm sure, even more of a pleasure to deliver.
King's expert testimony was the spine of the county's case. Risner broke it like a professional wrestler taking on a rube from the crowd.
Risner used a tried and true technique: when confronted with an expert claim full of vague and alarming claims, simply ask, "How." When King claimed specific threats, such as the reprogramming of memory cards in scanners, or creating spurious ballots, or simply spreading chaos and uncertainty, Risner just got down to the business of asking exactly how these exploits would be accomplished.
What emerged was a taxonomy of threats that break down into three categories; the impractical, the absurd, and the unspecified.
Let's start with the impractical. King described possible exploits using data that might be found in the databases; using the codes and ballot rotation information to reprogram precinct scanners to spoof the reading of ballots, and using ballot layout information to print spurious ballots that would result in misassigned votes.
Both exploits are certainly possible, but have two pre-requisites that make them impractical; they require that one acquire the needed information from the database before the close of the election (and the parties would get the databases only after the election was closed - and because of the preparation and execution time required, one would really need the information considerably in advance of the election), and they require physical access to election equipment (which would be very difficult due to security protocols such as tamper evident seals and mixed-party observers present during the exploits).
Risner also demonstrated that information in the databases needed for these exploits is often already in the public domain (such as ballot rotations and ballot layout), or that the exploit would be far easier to accomplish using other means (such as spoofing ballots by modifying early voting ballots with Photoshop).
Next, there was the absurd. Most vexing was the claim that some party with enough public esteem to be credible would squander that credibility by modifying the copy of the database provided them and claim publicly that theirs was the true outcome of the election. This was described repeatedly by defense counsel and witnesses as a realistic strategy for spreading chaos and uncertainty to undermine our elections and discredit the election system vendors involved (I think I can detect who promoted this particular trial strategy...). I call this the reputational suicide exploit. Bill Risner asked King rhetorically how long it would take before this theoretical party would be "tarred and feathered" and have to "high-tail it outta town."
You see, all political parties would receive the same database and the original would also be retained. It would be a trivial task to prove such claims to be a sham and then to destroy the credibility of the claimant - and the other political parties would be only too happy to help do so. There is a balance of power inherent in transparent security arrangements. Our own government's separation of powers structure is such a security protocol - or, at least it is supposed to be... In any case, King's claim really only applies to fringe conspiracy groups and malcontents who might get the database from "the wild."
At one point during King's testimony, as he was describing hackers who persistently delved into the vulnerabilities of election systems, Jim March of BlackBoxVoting.org, who sat at the plaintiff's counsel table typing messages to Risner calling bullshit on matters technical, typed during King's testimony in a giant font size so that people in the audience behind him could see, "Gee, you think he's talkin' about me?" I think King certainly was really talking about him and folks like him. King's "chaos theory" as it came to be known around the plaintiff's table was really aimed at those who annoy and bedevil the vendors whom King and those like him speaks for. They might actually believe that these hacker-activists aim to bring down and discredit the election system: but most people readily understand that their aim is to strengthen democracy, not undermine it.
Another specimen in the absurdity menagerie is the leverage hypothesis. King claimed that information in the database could be used to reduce the probability space for a brute force attack on encrypted passwords in the database. That's just true enough not to be perjury. What he certainly tried to avoid highlighting is the inconvenient fact that those passwords are constantly changed; so they are useless. And that cracking one password doesn't give any leverage for cracking another; so they are useless. And that GEMS is vulnerable to a very simple exploit to avoid password protection with just a few clicks of the mouse; so they are useless.
The final category of threats I call the unspecified. These are the Rumsfeldian unknown unknowns. The claim is that hackers are wily beasts. You can never tell to what clever use they might put that additional jot of seemingly innocuous information. You can't trust them, so it is good security to just deny them all the information you can. If this is sounding familiar, it should: it's the Bush Administration's approach to public information in the face of the terrorist threat - treat the public as if they were terrorists.
This is not only a rather contemptible policy for a free society, it is legally questionable in this context. You see, the county bears an evidentiary burden of persuasion as to the balancing test between the public interest in access and the government's interest in confidentiality. By using such a vague and unspecified threat as an element of that burden, they are in essence saying that it is incumbent on the plaintiff to show that there is no possible harm. That is known as burden shifting - and it is a big no-no.
These vague imprecations underlie a lazy and deficient approach to security that the election integrity crowd refers to as "security through obscurity." Keeping a weakness secret is the worst possible way to implement security. Conservatives like to say "security through strength." Well, election integrity folks agree. Security systems around something as important and fundamental as our franchise should be robust and transparent systems that do not rely on dirty little corporate secrets; nor on just trusting any one person or group of people to do the right thing.
You see, the plain truth is that secrecy is cheap on the front-end and expensive on the back end. The corps have to pay the front-end costs of implementing security in the systems they vend, so they like secrets, not real security solutions. But the public pays all the back-end costs in stolen elections, undermined public confidence in the system, and unintended Presidencies that cost us lives, treasure, and precious reputation.
The EI movement is about putting those back-end costs back up front and forcing the corporations who only see a way to make a buck to meet much higher standards if they want to play a role in our elections. Lawsuits like this one, which expose this con game, and the con men like King who enable it, are an integral part of that fight.
I feel proud and humbled to have had the privilege to watch this work being done, and to have been inspired by the patriots doing it for no other reason than a burning love of democracy and the American way. As John Brakey of AuditAZ explained about why he does this work on his own time and his own dime, "Once your grand-daughter grabs you by the finger - that's it, buddy. You're done."
After the flip, the summary of Merle "the Man from Diebold" King's testimony. Big props to David Safier for his able and tireless work to compile these summaries. Please recall that these are paraphrased condensed summaries, not transcripts...
Summary of testimony by Merle King
Direct examination by Thomas "Tad" Denker, Deputy Pima County Attorney.
Merle King is an associate professor at Kennesaw State University in Georgia. His background is in business information and information systems.
King has wide experience dealing with voting systems technology, including working on federal commissions exploring voting systems and software.
SQL is a programming language. People take classes in “SQL Programming,” and books on SQL refer to it as a program.
The GEMS software stores tables and queries in the database. Queries are questions posed to tables to perform operations on tables.
Since the database files contain SQL queries, they contain programming. GEMS cannot conduct elections without the code stored on the database files.
Making the database files public would create multiple risks. Never assume you have thought through all the ways materials can be used to increase risk. There are people all over the world who like to play around with election data. If these people find a weakness they can exploit, it would take about two years to fix the problems in the software, because of the complex certification process.
If the Democratic Party were given the databases, they would soon be released “into the wild.” The more information people have about the databases, the quicker and more easily they can find ways to hack into the system.
“Brute force attacks” on a system are easier for hackers if they can reduce the variables, and letting them study the databases would reduce the variables. The more databases they study, the easier their tasks become.
Studying the databases might allow people to figure out how to write other applications to manipulate the databases.
Pima County databases are created with current GEMS software, while other databases “in the wild,” like those from Alaska, are from older versions. So the newer databases would be more helpful to hackers.
Someone who had a database after an election could alter its results, release the results and cast doubt on the elections.
We haven’t seen any effective attacks at this time. They’re harder to do than to talk about.
Seeing multiple databases can reveal patterns that make other databases easier to hack into.
If the databases were released, Pima County would have to make databases from scratch for each election instead of using the same basic database each time, just changing the specific information. That would take time and money, and it would increase the chance for errors creeping into the database. Most people don’t understand how complex the election software is.
Cross Examination by Bill Risner.
Kennesaw State University is the sole escrow agent for GEMS software code used in Georgia.
King has looked at some GEMS code, because he was curious about some function of the source code, but he can’t remember now what he was curious about.
While GEMS software is licensed, GEMS databases are not licensed.
SQL code is only involved in displays. It prepares data to be used to display ballots.
King has never attempted to manipulate data using a GEMS database.
MS Access can be used to manipulate data. It is possible the manipulation can be detected by looking at date and time stamp changes, etc.
King is not aware of any instance where outsiders have attempted to hack into elections computers.
One of the only ways the Pima County GEMS computer can be hacked into is when it goes out for repair. He’s not sure if the repairs would be handled by Diebold, though it is done for many counties.
In King’s deposition, he said security issues can be a “red herring” that causes jurisdictions to overlook other concerns, like assuring that voters are assigned to the proper precincts.
Risner stated that in a report from the California Secretary of State, it says that outsiders are the least likely to attack a voting system, because of lack of access, and that voters pose little risk. King said he disagrees with some of the report’s model. He says voters can nullify their own votes by mismarking their ballots.
Risner said that the highest risk in the report’s list is vendor employees, and the next highest is election officials. King said that is the model the report uses.
King is not aware that the Alaska databases that have been released on the internet have caused any problems.
Georgia uses 100% touch screen voting machines without paper backups in the polls. Mail-in ballots are optical scan. The only investigations of voter fraud has been in the handling of absentee ballots.
King agreed that officials sometimes tamper with vote totals, but only in the case of machine failure, when they have to change the vote count to reflect the will of the voters.
It is a potential problem that the Pima County GEMS computer doesn’t have user IDs.
It could be a security risk if vendors hire untrustworthy employees.
Risner asks if King knows that someone convicted of computer fraud worked on the original GEMS software. King wasn’t aware of that.
Asked if there were examples of people spoofing election computers or trying to create chaos, King cited the example of someone who used a hammer to destroy a voting machine at a polling station.
King says we mustn’t lower our guards. We must be prudent stewards.
Asked if he knows if the Arizona Secretary of State did any testing before certifying the GEMS software, King said he didn’t know.
King doesn’t know if a fraudulent ballot could be created by Photoshopping an early ballot.
He doesn’t know if a fraudulent mail-in ballot would be detected.
Redirect by Tad Denker.
It’s not just the political parties that could create chaos. Anyone who got hold of the databases could create chaos.
Questions from Judge Miller.
King’s only training on GEMS software is from Diebold. His staff gives him updates.
King had never held the Alaska database in his hands. The first time he knew of its existence was 30-45 days ago when it was mentioned during the deposition. The database was released some time around 2003. His staff didn’t indicate they were aware of the Alaska database. The staff is focused on Georgia, not national matters. And the vendor tends to be tardy about informing him about events.
Judge Miller asked, can the metadata be scrubbed from the database, removing any programming and leaving the data? King said, probably not.
Questions by Bill Risner.
King agreed that seeing the metadata in the database would help someone trying to understand the history of that database. He also agreed scrubbing could remove the time stamps, which are vital to see if anything has been changed.
"King is not aware of any instance where outsiders have attempted to hack into elections computers."
It is not the outsiders that we fear. We fear manipulation by INSIDERS...
In Sarasota County, FL, the GEMS database server was infected from an INTERNAL source using a variant of the SQL Slammer worm:
http://computerworld.com/action/article.do?command=printArticleBasic&articleId=9019560
"One of the only ways the Pima County GEMS computer can be hacked into is when it goes out for repair. He’s not sure if the repairs would be handled by Diebold, though it is done for many counties."
In Sarasota County, FL, the service and maintenance of the elections department computer systems is handled via 3rd party companies under contract to the county. It is way to easy for a 3rd party company to install a Windows server with an incomplete set of security patches. Sarasota County IT staff failed in their Windows patch management oversight. But then again, they're overworked and understaffed as are most IT staffs.
In Sarasota County, FL, 18,000 ballots recorded NO VOTE for a highly publicized and sharply contested Congressional election.
"Asked if there were examples of people spoofing election computers or trying to create chaos, King cited the example of someone who used a hammer to destroy a voting machine at a polling station."
He needs t speak to Clint Curtis. In Fact, Clint should have been subpeona'd, he'd be more than happy to describe the software he wrote for the singular purpose of flipping and manipulating votes.
"It is a potential problem that the Pima County GEMS computer doesn’t have user IDs."
Gee, is the guest account live? This is a favorite exploit vector.
Coulda done a lot more with this loser.
Posted by: Dan | December 10, 2007 at 08:22 AM
What was the outcome of this. Does anyone know??
http://www.choicearizona.com/arizona_auto_insurance.php
Posted by: arizona auto insurance | December 11, 2008 at 09:00 PM