Whitewash




Security Assessment Report


Registrar Issues Whitewash of Sequoia Security Vulnerabilities

The assessment issued by Pacific Design Engineering is useful in that it identifies vulnerabilities in Alameda County's configuration of its voting system. For example, suggestions concerning antivirus software, firewalls, and IPSEC security are useful. They will help to make the systems less vulnerable to outsider or insider attack, and it is appreciated.

However, the Supervisors' amendment of June 8 requires "independent security vulnerability testing of the whole system". This assessment fails to meet those requirements for the following reasons:

  1. There was no testing. It did not take place, and it needs to. Independent testing demonstrates that insider and outsider attacks can alter elections. Theoretical assessments do not.

  2. It was not independent. Indeed, it is biased. For lay people, this is clear in the tables comparing Sequoia with Diebold on page ii.

    • The Supervisors did not ask for a comparison of Sequoia systems with Diebold systems. They asked for independent security testing of the Sequoia system, the whole system. Sequoia's marketing department writes comparisons with Diebold, not independent testers.

    • The comparison itself is biased. It ignores many of Sequoia's vulnerabilities (re: Compuware report), while listing those known about Diebold, including those discovered by testing.

    • The tables claim that Sequoia is not vulnerable to many of these types of attacks, yet we have no idea if that's true without extensive security testing. The testing required by the supervisors has not taken place.

    • It is deliberately misleading to claim that Sequoia has no known software bugs. That suggests that they have no bugs, when all complex software has bugs.

    • It is outright false to claim that the precinct and central voting systems are not subject to "Malicious Code Insertion". All software is subject to this type of attack, especially if it runs on Windows, which Sequoia's central systems do.

    • We do not know if Sequoia systems are vulnerable to "Memory Card Tampering", "Miscalibration Attacks", or "Election Software Tampering". They probably are. This is what we need to check. That's why the Supervisors voted for independent testing of the whole system.

    • The marketing comparisons made on pages ii and v are clear evidence that the entire assessment was biased in favor of a whitewash of Sequoia's own security vulnerabilities.

  3. The report does not "assess non-technical processes and security" (pg ii). Yet it repeatedly makes claims that county procedures and audits make the system "secure" (pg ii). "Further, post-election vote count analytics and validation decision-making processes were not considered part of this engagement." (pg 1) Yet we know that the county's audits are inadequate, and that the county does not consistently follow procedures. As evidence, we know that in June the county was not going to conduct a legal audit of the Diebold DRE VVPATs until a citizen insisted that the law be followed.

  4. The report relies on the audits of 1% of precincts to make the systems secure. Yet it makes that claim without having assessed its veracity. Indeed, we know that a 1% audit is inadequate, especially if poorly executed.

  5. The report ignores the greatest threats, which are from insiders. They may be Sequoia insiders, who have planted hidden code in the software, or, let's face it, county staff, subject to bribery, blackmail, or overzealous political action. The report recognizes that "an attacker must not gain unauthorized access the inside of the scanner." (pg 10) Also, "attacks could be initiated against the high-speed optical scanners, ..., the tally servers, or network infrastructure devices." (pg 9) Yet the report does not discuss in any professional manner the problem of insiders attacking the system. This cannot be called a complete assessment of the whole system.

  6. The report glosses over a major threat to the central Windows-based systems, the loading of "patches from Windows and 3rd party vendors" (pg. 11). These patches are not safe. Installing them makes the assumption that the vendors have no vested interest in the outcome of an election. This assumption is dangerous, yet the report fails to deal with it.

  7. The report discusses Pre-LAT testing on page 17, and yet again glosses over the obvious, that malicious software would indeed know if the system is in testing or real election mode. The software would then escape detection during testing, change a real election, and then erase itself, leaving no trace.

This biased report is about Alameda County, not Sequoia voting systems: "Our charter for this engagement is thus restricted to practical countermeasures that can actually be implemented by Alameda County." (pg. 19) This means that it ignores the software on the systems, hidden code, and hardware vulnerabilities. It also largely ignores insider attacks, procedural problems with overworked staff, and weak auditing. There is no real-world testing of the system involved, which means that it fails to meet the requirements of the supervisors.




Nobody, and no machine, should be counting American votes in secret.

For further information, email Jim Soper at: Jim.Soper@GMail.com
CountedAsCast.com/alameda/whitewash.php
October 7, 08
