Tuesday, June 12, 2012

Voting Machine Verifications Show Walker Lost Recall Election

The required verification of Wisconsin's electronic voting equipment after elections has shown that election fraud occurred in several counties during Scott Walker's recall election. The corrected election results show that Barrett won with 51% of the vote, matching the percentage of voters that voted for Democratic Senator John Lehman and favoring President Obama in the exit polls as well as more closely matching the 50/50 split exit polls for Walker and Barrett. It turns out that it wasn't the exit polls that needed to be adjusted, it was the election results.

As one of the first steps in the canvassing process after an election, each electronic voting machine and ballot counting machine is verified for its integrity. The post-election verification process is the same as the pre-election verification process. First, the integrity of the software on each machine is verified, and if the verification fails, it's assumed the machine was tampered with. If the machine passes, the function of the machine is tested. For optical scanners, election officials run a number of randomly selected completed paper ballots through the scanner and match the totals against a hand-count. For touchscreen voting machines, election officials repeat a number of votes from a random position in the paper log and match the totals against a hand-count. The machine has been compromised if the totals don't match.

The verification of the open software installed on the equipment uncovered nearly 100 machines across Wisconsin that had been compromised. It's believed that at least one person, most likely two or three, compromised the optical scanners after the pre-election verification by connecting a small device to the diagnostic port on the machine which automatically downloaded the modified software. The software only affected the gubernatorial election, which explains Lehman's win.

All of the votes counted with the compromised machines were recounted by verified machines or hand count, and the recounts show that 110,805 Barrett votes had been wrongfully switched to Walker by the compromised machines. It appears as though the modified software flipped Barrett votes at random short durations of time, so the modified software changed vote totals differently across machines. Outagamie County had the largest percentage of switched votes with 7,741 votes, 10% of the total votes in the county, but Walker still won the county nearly as much as he did in 2010. Milwaukee County had the largest number of flipped votes with 31,154, followed by Dane County with 10,682 flipped votes. The other counties with modified software were Brown, Calumet, Dodge, Door, Kewaunee, Kenosha, Marathon, Manitowac, Oconto, Racine, Shawano, and Winnebago. Interestingly, nearly every county is along Highway 41 or very close.

Since we control the open software on the machines, we can quickly plug the security hole at no cost to taxpayers for both detection and the fix. Several Wisconsin software engineers wrote a fix for the problem within a few hours of the announcement by the Government Accountability Board, and the new software will go through a number of tests before it's certified. Rest assured, our voting machines will be fixed and certified long before the next election thanks to it being open source software.

As a truly bipartisan measure, Scott Walker reportedly asked Tom Barrett to attend the brats and beers today. Walker conceded, "We have yet to determine who tampered with the equipment, but I'll relinquish my command to the rightful Governor of Wisconsin, Tom Barrett." The person(s) responsible for tampering with election equipment and swinging the election are still being investigated.

Unfortunately, someone may have tampered with voting equipment during the recall election, but we'll never be able to find out. Nearly everything above is just a dream. Voting machines are not open and are not verified after elections, and so there is no way to detect such election fraud. None of the precautions listed above are actually done in Wisconsin, but the possibility of someone swinging an election by tampering with voting machines so easily is real. Barrett could really have won with 51%, but we'll never know.

I'm very sorry if that was painful, but I hope it was effective in convincing you how important this issue is. It's a far more critical issue than voter fraud. We have no proof whether or not Walker really survived his recall, but we could. The next time a Democrat wins a big election, you can bet the Republicans will be shouting election fraud, knowing the problem exists but refusing to do anything about it. Lets get this fixed now.

I wrote a blog post following the Prosser/Kloppenburg election detailing the issues with our elections and the solutions available. By fixing these issues, we could detect and compensate for election fraud, and the story above could be a reality. The following is a minor update to the post, putting it into the context of this election.

Our most pressing issues with elections in Wisconsin continue to be:
  1. Ballot security and integrity
  2. Antiquated unsupported voting equipment
  3. Insecure and inaccurate voting equipment
  4. Voting equipment hardware design and software not open, owned and controlled by the people of Wisconsin
  5. The integrity of every voting machine isn't verified before and after every election
  6. Various vote-tallying processes are not open
  7. Ease and likelihood of errors in reporting
    • Voting equipment and software is not uniform across the state
    (1) Ballot security and integrity. There were many unsealed and ripped ballot bags during the Prosser/Kloppenburg election. Nothing was done to prevent this from occurring in future elections. The only reason we knew about these issues was because of the recount and the ability to watch some online. There could be far more issues than we are aware of from other elections.

    (2) Antiquated unsupported voting equipment. The Prosser/Kloppenburg recount showed us that at least one approved model of our voting equipment, the Optech Eagle, is antiquated and must be removed from service. The original vote tallies from that election had to be deleted, against the law, in order to carry out the recount with the machines, because there were not enough memory packs and those memory packs are no longer manufactured. Although, I will say that I believe it's good that the issue forced a hand recount in parts of the state instead of simply re-feeding the ballots back through the same machines for a recount. This model should be replaced quickly, though the following issues may warrant some delay. A full review of all our voting equipment should occur first.

    (3) Insecure and inaccurate voting equipment. Our electronic voting equipment is insecure and inaccurate, but you're not supposed to know that. The very equipment we use to cast and count votes can be manipulated without detection in seconds, swinging the results by any number of votes. There's not a single computer or security expert that would argue with that. However, even if tampering doesn't occur, our vote-tallying machines rarely count the exact number of votes. These are inevitable consequences of using electronics to cast and count our votes. Unfortunately, the design of our electronic voting machines and their margins of error are secrets kept tightly by their manufacturers. So we have no way of knowing just how insecure and inaccurate our machines are (more on this in (4)).

    Quite near anyone with the knowledge to write moderately sophisticated computer programs can manipulate a voting machine and its vote tally in literally seconds. That's well into the tens of thousands if not hundreds of thousands of people in Wisconsin with that ability. Not at any other point in our country's history do so many people have such an ability to swing elections so dramatically. It really does take some time to stop and consider.

    No one has any "bullet-proof" solutions to this problem, and it's likely we never will. If we want to count votes using electronic equipment, and I for one think it's a "good thing," we must have verifiable guarantees of voting machine security and accuracy. We don't have that now, and we almost certainly won't have that until we solve (4).

    There are other issues regarding accuracy specific to the voting machines we use. A GAB memo from December 2009 shows that there were several issues with voting machines that we currently use in many parts of Wisconsin. An error message "error while printing" occurred 15% of the time during a test of the AutoMARK VAT. This was due to a malfunction in the system which required replacement, and the replacement had similar non-tallying related issues about 5% of the time. Such errors can cause inaccuracies, and they can also cause voter disenfranchisement as voters may be told to come back later or may have to wait for an excessive period of time.

    The AutoMARK VAT is used as an option for voters with disabilities in many municipalities across Wisconsin. However, the GAB memo says that the testing by the GAB and testing by the Wisconsin Election Administration Council shows that
    "The AutoMARK VAT does not provide full privacy and independence for voters with disabilities, especially voters with dexterity or motor disabilities, as voters may need assistance inserting the ballot, removing the ballot and placing the ballot in the ballot box or tabulator."
    The Wisconsin Election Administration Council had even more to say. The memo notes several issues including vision-impaired voters won't be able to verify their vote, inadvertent steps that cause a cancellation of votes, the device doesn't meet 2005 US-EAC guidelines, "it takes longer to cast a ballot with the AutoMARK than manually marking the ballot with a marking device," and screen reading difficulties. Yet the AutoMARK VAT was approved by the GAB for Wisconsin voters with disabilities. The GAB said, "The ES&S voting system technically meets" the requirement of a voter to privately verify their votes. The GAB later notes in a bordered paragraph,
    "The AutoMARK voting systems for which approval is being sought, do not change the degree of accessibility currently provided by previously approved AutoMARK systems."
    I'm appalled that so many of our voting machines do "not provide full privacy and independence for voters with disabilities," and that the GAB would approve such a machine. Are we that desperate for voting equipment?

    Another machine mentioned in the memo with issues regarding its ease of use is the intElect DS200. It may not be immediately clear that these issues are issues with accuracy. Any time a voter's intention doesn't get correctly included in the official results, the system is inaccurate. The more difficult a machine is to use, the less accurate it will be.

    Similar touch-screen machines continue to have worrisome issues in other states as well. In the 2010 election, a touch-screen voting machine in Pennsylvania began casting votes for the opposite candidate from the one selected by the voter, and the machine required "recalibration" to resolve. We don't use the same machine here, but the same manufacturer, ES&S. So there's good reason to suspect the same issues can and may have happened here. Luckily for us, all of our touch-screens mark or print a paper ballot, but most people expect the machines won't make a mistake. So they may not properly inspect the results before casting their vote and walking away.

    The GAB incorrectly states on their website "Adminstrative(sp) Code Chapter 5 Ballot and Electronic Voting Equipment Security insures all electronic voting systems used in Wisconsin are accurate and reliable." This is plain false, and it provides a false sense of security to those voters who aren't aware of the issues. I don't believe we will ever fully be able to insure electronic voting systems are accurate and reliable, but I believe we could publicly guarantee much higher security, accuracy and reliability if we solved issue (4).

    Wisconsin does have some of the best electronic voting machine laws in the country, but they're far from perfect. What's worse is that at any time the GAB can exempt a machine from complying with Wisconsin law. The GAB can exempt a voting machine from Wisconsin law if they choose, or as they say, "for good cause" GAB 7.03(5). I don't see how exempting a voting machine from Wisconsin law is a good idea at any time for any reason.

    (4) Voting equipment design not owned by the people of Wisconsin. When I say that the people of Wisconsin should own the designs for our voting equipment I mean that the hardware designs and the software source code should be open, i.e., in the public domain. I'll elaborate more on this in the solutions section later, but I'll briefly cover some highlights and comparisons now.

    The manufacturers of our voting machines will never provide us with the information and control we need to conduct our elections in the most fair, open and transparent way. The people who run our elections, like your county clerk, have no control or idea of what's going on inside our voting machines. (They can, but I'm not sure who's gone through the trouble s.5.905(5).) It doesn't appear as though anyone from the state government or the Wisconsin public has inspected the code or designs of these machines. We're just expected to have blind faith in these systems, but we know the manufacturers can't and/or won't solve all of their problems.

    Currently, certain portions of the software for every electronic voting machine model approved for use in Wisconsin is stored in an escrow s.5.905(2). It's unclear if every software version in use is stored in the escrow, and we have no way of knowing how much of any particular software is stored. The GAB most likely knows the exact components, but they don't make the information available on their website as they should. This escrow provision is meant to make us feel better about the insecure proprietary software, but it does little or nothing to increase the security of our voting equipment. We need all of the software components at the very least, and even that won't provide us with the security, accuracy and reliability that we could achieve with open voting equipment.

    Even if the manufacturers gave public access to the design and software of their voting machines, we won't get the full value of an open system if the hardware designs and software source code aren't in the public domain. We wouldn't necessarily be able to ensure the integrity of a voting machine simply because we have that information, because the machine itself may have certain vulnerabilities we would have very little ability to control. If all we can do is look at the designs and code, and we're not be given the ability to implement modifications, what happens if we want to make a change but the manufacturer wouldn't agree to it? That's unacceptable and completely avoidable.

    There are many advantages to creating an open election system, and I'll defer talking in detail about those for the solutions section. One of the most beneficial advantages of using an open election system is the amount of people who can inspect the design and code to ensure the utmost security and accuracy, anyone who would want to could. This doesn't make the machine less secure, because there will always be ways to "hack" a machine. Instead, vulnerabilities and issues can be spotted and resolved more quickly, including right on the spot by county clerks or other officials (through appropriate processes of course). This openness has been shown to produce highly successful software many times, e.g. LinuxFirefox and WordPress to name just a few.

    We can do better than these voting machine companies, and we must, because there's no better solution to many of our issues than using an open election system.

    (5) Integrity of voting machines not verified before and after every election. The Government Accountability board conducts periodic audits of a random selection of machines, but that won't detect a singular instance of an issue. Nor will the audits detect widespread issues that were created and manifested between audits. Even still, the GAB doesn't post the results of the audits, just the municipalities in which the audits took place. The GAB should be required to post the results of their audits. These audits are helpful, but they aren't sufficient for detecting all likely issues with our voting machines.

    The integrity of a machine can only be inspected during a recount if a candidate requests permission from the GAB, and as long as they sign a Non-Disclosure Agreement s.5.905(4). This process should be automatic for every machine for every election, regardless of the closeness, because that's the only way we can have any hope to guarantee any amount of security, accuracy and reliability. Simply "matching numbers" during canvassing will not uncover many possible issues with our voting machines. So we need a process to ensure every machine is counting votes as accurately as possible during an election.

    Verifying the integrity of a voting machine after an election includes making sure that the software currently on the machine is the software that actually counted the votes. Wisconsin Statue 5.905(3) states that "the verification procedure shall include a determination that the software components correspond to the instructions actually used by the system to count votes." However, the GAB may not have enough information or there just may not be any possible way to determine if the software instructions in a particular machine were the actual instructions used to count the votes in an election. I can't find any details as to how the GAB would make such a determination. If we solve (4) this issue becomes much easier to solve.

    There are several ways to determine the accuracy of a voting machine without verifying its integrity, although the integrity is the ultimate test. Municipalities employ a simple pre-election test of running a predetermined set of votes through a machine and verifying that the counts match. It wouldn't be difficult to write software to pass the pre-election test but still manipulate the vote counts later. At the very least, this same test must be run on every machine after an election as well as before. However, without verifying the integrity of a machine or running a hand recount, there's no way to guarantee that the results from a machine match the actual votes.

    As for recounts, there's really no point to a recount if each machine isn't inspected for its integrity, because the device should give back very near the same results a second time whether the device was manipulated or not. Fortunately, there are some hand recounts occurring throughout the state, but not nearly enough to provide information beyond most glaring types of discrepancies. Since recounts are meant to try to determine the actual vote count, why don't we at least inspect every machine automatically before proceeding with a recount? Otherwise, we're just another example of the classic definition of insanity, continuing to do the same thing but expecting different results.

    (6) Various vote-tallying processes are not open. I already mentioned the issues with the closed vote-tallying processes within our voting equipment in (4). Here, I'm referring to vote-tallying process outside of our voting equipment. This GAB manual for county clerks says, "The counting of votes is always done publicly after the polls close at 8:00 p.m." (their emphasis) If the counting of votes is always done publicly, we would have found out about the Waukesha County error much sooner. So, this law is clearly not being enforced properly, and the GAB felt it necessary to emphasize "publicly" to officials who presumably should know that very well.

    As evidenced by my reporting on the ballot bag issues, the availability of information during the Prosser/Kloppenburg recount was scarce. Yes, there was a live stream of the Waukesha County recount, but they're not the only county in Wisconsin. And even with the live stream we couldn't figure out exactly how many ballot bags had discrepancies and where they're from. There was no mention of the issues with the ballot bags on the GAB website, even though at the very least the Journal SentinelThe CapTimes and WisPolitics had reported the issues.

    Every county in Wisconsin should have a live stream of vote-tallying and machine verification. Though, even then, few of us have time to intently watch a single county. So, there should be a live stream of each county with the ability to look back at previously streamed events. There would be very little cost but a huge increase in election transparency. The cost could be further reduced by using third-party sites such as YouTube.

    Any disputed ballots during a recount should be scanned and posted online for everyone in Wisconsin to see as they were in 2008 during the Minnesota recount for the U.S. Senate election between Al Franken and Norm Coleman. We should see what causes errors, so that we can learn from those ballots. Also, it makes the process much more transparent with very little extra effort. In fact, some voting machines take "photos" of ballots, and those photos could be quickly cropped appropriately and posted for all to see. We have online banking, why not "online" recounts?

    (7) Ease and likelihood of errors in reporting. This was thought to only pertain to Waukesha County, but it also happened (on a slightly smaller scale) in Winnebago County during the Prosser/Kloppenburg recount. Therefore, it's probably just as likely in the rest of Wisconsin. This issue is not as serious if the previous six issues are resolved. However, until then, errors in reporting will continue to exacerbate the concerns we have.

    (8) Voting equipment and software is not uniform across Wisconsin. We should have a standard set of strict vote-tallying processes and one standard set of voting machines, i.e., at most a few touch-screen machines and one paper ballot-tallying machine. Variation creates unnecessary complexity and cost, and complexity increases the chances of an error. We could reduce a lot of the learning curve involved in voting as well as the cost to train staff, volunteers and maintain the equipment. Obviously, I believe that we should standardize around a set of open voting machines.

    We must seek real solutions to relevant issues by determining the best way to solve these issues. I for one won't be able to trust an election in Wisconsin until issues 1-6 are fixed, and I hope you feel just as worried.

    Are There Real Solutions?

    So what are some possible solutions? There's at least one very beneficial and realistic solution to many of these issues. Voting equipment whose hardware design and software is owned and controlled by the people of Wisconsin, i.e., open source, would be much more secure and instill much more voter confidence than any proprietary equipment ever could. We asked for nearly this back in 2005 via AB 627, but the bill was amended to remove the half-hearted provision before the bill was passed. Those who control our elections want desperately for it to stay that way, but it's not what's good for us. We will end up choosing this option at some point. So why not now?

    Standardizing open voting equipment across the entire state of Wisconsin would provide greater benefits over those from standardizing over proprietary equipment. The learning curve for voters would be reduced, because everyone would use the same user-friendly and accessible system. Reporting of votes would be faster and less prone to error. The cost of maintaining and approving voting equipment would be drastically reduced. Many other costs at both the state and municipality level would be reduced. We would know exactly how secure and accurate our voting equipment is. There would be no doubt, because anyone could inspect the code. That also means that more people can help improve the system. There are valid reasons against complete homogeneous standardization, but that debate is for a later time.

    I realize that I'm glossing over quite a few major details here. It's not guaranteed that the first, or even tenth..., version will be user-friendly and accessible. Over time it will no doubt improve, but by beginning with effective guidelines and true experts, the first version could easily be much more user-friendly and accessible than we've come to expect from our voting machines. This also applies to the costs of developing such a set of systems. Successful open source projects gain momentum quickly when they're driven by knowledgeable and thoughtful leaders. The more knowledgeable people who contribute to the project the less taxpayers will end up having to pay. I have no doubt that such a project would create more than enough enthusiasm from capable people in Wisconsin. We can do it, other less wealthy countries have successfully done this.

    I also realize that converting to an open system can't happen overnight, but a deadline should have been set a long time ago and needs to be set now. I don't know how much it would cost the state to implement and convert to such a system, but it's clear we need to replace at the very least the unmaintainable equipment, and it's quite possible the conversion would cost less than the full cost of implementing and enforcing voter suppression with photo ID.

    There's a very good chance we could partner with other states to share the burden of development. There would be no reason not to. These tough economic times add to the value of governments working together and sharing the software code they run on. Also, various other municipalities, states, organizations and countries have either begun or completed open source election systems that we could implement as is or modify to our desires. So, I believe converting to an open election system should be one of the top priorities in fixing our elections (if not the top priority).

    I'd like to have a discussion about the relevant issues with our elections and possible real solutions. Any other suggestions for solving some of these issues? Any other issues I'm not listing? Is there anything I could clarify? Did I increase your concern?

    Please, contact your state representatives and tell them why you're concerned with the security and accuracy of our voting equipment, not voter fraud. They won't do anything unless we demand it.


    1. Thumbs down on this little adventure.

      1. I'm sorry. Definitely not the reaction I was hoping for, though I was a bit worried. I was hoping that there were enough things that were not true right from the beginning that readers would know long before they got to the end. Is it the shock or the strategy itself?

        It could all be true except the part where we find out.

        Would the point get across better, less offensive, if I begin by saying it's a dream?

    2. Many, but not all, of the places you talk about (Dane, Milwaukee) use the OpTech Eagle, that you refer to. Somebody has gone to the trouble of putting a bunch of photos of the OpTech Eagle online for us.


      You see the chips with either the little window in the middle of them (or the ones with stickers covering the window)? Those chips are known as EPROMs - Erasable Programable Read Only Memory.

      They are erasable, but not ELECTRONICALLY erasable, as they would have to be for your scenario. To program them, they have to be sitting in a special programming device; they cannot be re-programmed once they are installed, as you would need. To be reprogrammed, they would have to be uninstalled, (no I'm not kidding) bombarded with a couple hours of intense UV light, and then put into the programming device.

      That is to say, no it could not "all be true".

      1. Thank you very much for your comments. Unfortunately, I believe you are not correct. Detailed information on voting equipment is scarce, but from what I can tell, these are pictures of the memory cards which hold election data, not application software. And they are EEPROMs which are electronically programmable. I may have missed the photos you were referring to, but the following contradicts your statement.

        Even if the machine has an EPROM, the modified software doesn't need to be installed in the EPROM, just in RAM, as long as the machine is not turned off. The EPROM can be left untouched. Also, the EPROM chip could simply be swapped with an already programmed EPROM chip. No big deal.

        However, according to this paper from the University of Connecticut School of Engineering, the Optech-OS, the application software, is electronically reprogrammable.

        Also, I mention the Optech Eagle as antiquated technology, because the memory needs to be erased in order to do a recount, which is a violation of Wisconsin law. None of the Optech Eagles should be in service today.

        While my story highlights one way of hacking voting machines, there are far more that have been and have yet to be uncovered. Here's a video of another one on the Optech Eagle cartridges http://www.youtube.com/watch?v=3bZvqTKOtjI

      2. A quick search of that document for mentions of Optech and we see that the guy who wrote it understands that the executable code is in a separate piece of memory from what he refers to as the "vote total memory". That looks to me to be correct. But maybe not complete. (and those are the only mentions of Optech).

        On the device's motherboard there looks to be at least one EPROM, along with other larger memory chips (we don't get a good up-close photo of the main board). My guess (yes, I am guessing, but it is a guess based on over twenty years of working on and programming devices of this era using such chips) is that the memory of the main board are for the basic functionality of the device - processing 'keystrokes' from the number pad at the back, driving the printer and the number display, etc.

        It is on the board inside the memory pack where the specific info for that election is contained. And the pre-programmed info - Walker is first position on the ballot, Barrett is second, eg - is burned onto the EPROM. That's the point of having an EPROM n that board. If all that board needed was x amount of memory storage for vote totals and whatever other info it 'remembers' from the ballots, you could just have two EEPROMs instead of one EEPROM and one EPROM.(EEPROMs are/were a lot cheaper, for one thing).

        You say that the document says "is electronically reprogrammable". T\Neither the phrase "electronically reprogrammable" or "reprogrammable electronically" appears in the document. Could you tell me where he says that?

        In the Kloppenburg recount, the reason the GAB raised the possibility of erasing (from EEPROM) vote totals, etc., was because they have too few memory packs to be able to maintain a full set with Kloppenburg-Prosser results while conducting a machine recount on a second set. That is partly a function of the age of the devices, but isn't particularly relevant to a discussion of how easily or difficult it would be to 'hack' the device.

        As I said, over twenty years working on such devices. I'm pretty darn sure I'm right.

      3. As I said before, the scenario I outlined in my story could be carried out during an election, where the machine is not turned off. The modified software only needs to be inserted into RAM, where it is always run from. There is no need to change the EPROM.

        However, if you still want to continue to debate whether the Optech Eagle has an EPROM, the document doesn't state exactly the words "electronically reprogrammable." I put two-and-two together. Under "Executable Code," you'll find this:

        "Included in the executable code is the operating system, which
        for some machines is embedded in the hardware (e.g., AV-OS), while in others it is stored in removable media (e.g.,
        M100-OS, Optech-OS). Code not embedded in hardware is
        usually dynamic and election dependent. Thus such code may
        be generated and transferred to the system (usually by the
        EMSS) at the beginning of each election process, and remains
        unchanged throughout the election it was intended for."

        Later, the document says that AV-OS uses EPROM, which they define as embedded in hardware. So, the Optech Eagle must be dynamic electronically programmable from the EMSS.

        The entire document talks about many ways these devices can be compromised.

        The Optech Eagle memory cards are a problem, because they are no longer manufactured. Therefore, we can't get more memory cards. That was the problem in the Prosser/Kloppenburg recount. Again, the Optech Eagles shouldn't be in service.

        I've worked on embedded devices like these with EEPROMs for the military for over 10 years, so I think I know what I'm talking about when it comes to these devices and security.

      4. Well, your years of working in the military doesn't seem to have taught you what an EPROM is.

        We're not "debating" whether there is an EPROM on the memory pack of the Optech Eagle because the picture show quite clearly that there are Intel D27128As and Toshiba TMM27128As. Those are EPROMs. Period. They CANNOT be "electronically reprogrammed" without first being erased. Period. And they cannot be erased electronically AT ALL. Period.


      5. I did not work in the military, but instead I developed devices sold to the military.

        Again, I'm not talking about the memory packs. I'm talking about executable code. It doesn't matter whether the Optech Eagle uses EPROM or not. It doesn't even matter if there is absolutely no way to change the code. The code still needs to be transferred to RAM in order to be executed. It is in RAM that malicious code can be inserted, and RAM is always modifiable and stored as long as power is not turned off. This is how my scenario works, but my exact scenario doesn't matter.

        Is all of the executable code stored on these EPROM memory packs? If so, then the peer-reviewed paper that I cited is incorrect. The paper says the AV-OS uses EPROM which differs from the dynamically programmable Optech-OS that runs on the Optech Eagles.

        My point is, the software could be hardwired with no way of changing without changing the motherboard circuitry, and it could still be circumvented as I outlined. It just needs to change the running code in RAM. So, the debate about EPROM is really irrelevant.

      6. "The code still needs to be transferred to RAM in order to be executed."

        Nope. Executable code burned into EPROM runs from that EPROM. It does not need to be copied to RAM to execute.

        "Again, I'm not talking about the memory packs."

        The video you pointed me to talked *entirely* about the memory packs, and how the memory pack could be corrupted by the cigarette pack device.

      7. Do you know for sure that's how the Optech Eagle operates, solely in EPROM? There peer-reviewed research I cited refutes your claim.

        As I said before, I mentioned the video simply as another example. This all started because you said the executable code needed to be on the EPROM, and as far as any peer-reviewed documentation I can come up with, the OS executable code is not stored on EPROMs. I don't refute that election data is stored on those cartridges, but that's not the OS.

        These specific arguments avoid the point, there is no way to guarantee security for any machine, and we are not properly accounting for that.

      8. This document, prepared by the California Secretary of State Elections Division, clearly states that the Optech Eagle has an EEPROM, not a EPROM.

    3. And now I've watched the video.

      Yes, such a device *could* be built....IF you had *extensive* knowledge of the inner workings of the prom pack, including details of the connector interface, the data storage formats, etc etc. I'm not at all sure that you could 'flip votes' using such a device; you probably could add votes, but that would be caught a number of ways at 'the canvass'. (And of course, this is a different scenario than the one you first laid out.)

      The video talks about how in Maracopa, one poll worker takes an unsealed pack to whatever central drop-off. You talk about Dane Co totals having been changed. I am a poll worker in Dane Co. Besides the fact that 1) two poll workers take the prom pack 'downtown', and 2) the prom pack is sealed inside a bag using a plastic seal which is numbered, the number being already known 'downtown' so that it can be checked upon arrival, the video also ignores one extremely important fact. It is required (in Dane Co, and I assume anywhere and everywhere else) that before the prom pack is removed, printouts of the results are made: one for the city clerk, one for the county clerk, one each for any and all observers that may be present (we had two observers on June 5th), and poll workers themselves often take copies. With June 5th being historic, I think as many as six or seven of us took copies. I have mine right here on my desk right now. (These printouts, reported on election night by a local web site, are the reason we know the vote totals missed and then reported in Waukesha Co in the Kloppenburg race were correct.)

      So even if someone 'flipped votes' in the prom pack, those new totals wouldn't match the printouts made before the prom pack was removed. That mismatch would be caught at the post-election canvass, at which time they could do a recount of the paper ballots, the vote flipping would be caught, and we'd all read about it in the paper.

      So once again, no it could not "all be true".

      1. I mentioned this video only as an example of ways in which these devices can be compromised, not to say that my story could happen. Which is true by manipulating the machine's RAM, not memory storage as you assumed.

        My story was not intended to outline an exact strategy for circumventing the machines. I only wanted to paint a picture that was understandable. There are endless ways to circumvent these devices. There will never be a sure way to secure these devices. Never. No computer security expert would tell you differently. In fact, many prominent ones have studied and written about this problem. For one example search Google on "bruce schneier electronic voting." A good overview by Schneier is http://www.opendemocracy.net/media-voting/article_2213.jsp

        If you really feel strongly about this, I recommend reading up on electronic voting machine security, not specific problems with specific machines. You can fix every issue a person comes up with, and someone will always be able to find another. That's why we need open source election equipment and strict verifications pre and post election.

      2. There is one thing in my story that is not true beyond us being able to find out about such fraud, open source election equipment and our ability to have fixed and re-certified election equipment before the next election.

        As I state in the post, the details of our election equipment are held tightly by private companies. We are at their mercy when it comes to fixes. Some fixes could be extremely difficult, and the company could find it impossible to fix without a large sum of money for more engineers. They won't allow people to work on it for free, as we could with open source, as they want to keep everything secret, and they want as few people working on it as possible to reduce chance of leaks.

        The only way that we could be sure that we could make the required changes to fix a problem with our election equipment is to have open source equipment.

      3. Your "story" undermines confidence in election procedures without giving a full picture of those procedures.

        Maybe you don't have a full understanding of those procedures; if that is the case, I suggest you become a poll worker and learn more about them. If you do have a full understanding, and still tell your "story" in the way you have here...well then you're just being dishonest.

      4. Really? You have not shown me one way in which my scenario is impossible, and I have shown you many examples of possible scenarios. There are many people far more versed and experienced in these matters than you and I who have studied electronic voting machine security and election processes, and everything I said is inline with what they say. Read any of the two documents I cited, particularly Bruce Schneier's overview: http://www.opendemocracy.net/media-voting/article_2213.jsp. Or read anything else by computer security experts.

        I know I don't have a full understanding of election procedures, but I know enough to know there's holes. I pointed out at least two, the lack of a thorough pre and post election verification process. There is no post election verification process whatsoever.

        Difficulty is also not security. Just because something is difficult to circumvent does not mean it won't be circumvented. Just look at Iran's nuclear reactors as an example of a highly secure, much more secure than elections, environment that was circumvented. Or how about the CIA, which admitted to being hacked.

        There's simply no denying electronic voting machines can be circumvented, because there will never be a software solution, and we currently lack the procedures and control to detect and compensate for election fraud on a small and large scale.

    4. "There is no post election verification process whatsoever."

      The printout verifies the prom pack; the prom pack verifies the printout; the paper ballots verify them both. The timing of when the prom pack could be corrupted (if it is even possible) as shown in the video comes after the printing of the tape. The existence of the printout precludes the prom pack from being corrupted. If a mismatch were seen, the ballot could be recounted. THERE IS NO "HOLE"! Telling gullible people there is one is irresponsible and destructive.

      1. I really can keep this up. I can refute all of your claims of impossibility, and I will.

        If the executable code is modified, as I've been talking about here, then the printout and everything else will match. The hole is that there is no verification of code integrity and proper function after the election. Pre-election, not every machine is tested, only a random sample, and such verification can easily be programmed to pass before running malicious code during the election. The printouts will match everything, and poll workers will think nothing happened.

        I'm not making this up. This is what every computer security experts says. It's in all the published research. This isn't just me. This is me informing the public of information that has existed for years unrefuted and increasing.

      2. It's willful as well as unknowing ignorance that has kept the majority of the public in the dark about this. Instead of proclaiming you know, please read what all of the experts have been saying in public for years. They've demonstrated countless times how nearly every commercially available electronic voting machine can be circumvented, and there will always be more to find.

      3. Please tell me when the paper ballots are ever hand-counted and compared with the machine totals. Doesn't happen under most conditions. I would be happier if it was done for even 2% of the ballots as a random audit.

      4. You're absolutely right Grant, such verifications are not conducted, yet they are vital for knowing whether or not a voting machine has been compromised.

        The purpose of this was post to try to show what would happen if our electronic voting machines were compromised and we had the proper verifications to detect it.

    5. audience response system

      I found your internet site while i was searching Google for websites based on this short article. We’ve tell you, your website is good. I favor the look too, its nice. I do not possess long at this time to fully read your web blog but I’ve got noted it and that i also registered on your Feed. We are in a short time.

    6. Thanks for sharing this site, it is very informative for the business personals.

      cigarette machines - Buy a cigarette machine for your establishment.

    7. Hi. Fantastic job. I did not anticipate this. This is a great story. Thank you! if you find same related blog or Copy machine touch screen so just visit

    8. Nice article and thanks for sharing your knowledge. I really appropriate your views. If you find the same related blog or Konica transfer belt assembly so just visit.

    9. Nice article and thanks for sharing your knowledge. I really appropriate your views. If you find same related blog or Bizhub 600 Developer Unit just visit today.

    10. I have go through your site, this is a good one. If you want to know more about this please visit our website :
      Every business unit has printers and for running them they need bizhub toner. There are other accessories required to run a Copy machine touch screen which are just good for the people who wants to work in style. While doing Konica transfer belt assembly one may need different parts like 9J06R70400 Image Transfer Belt Unit Kit and A03UR70700 Developer Unit so that the machine works properly.

    11. Wow!nice blog this is the good blog on printer follow us:- With time 4040R71000 Fuser Assembly the ranges of printers and copiers that re coming up in the market are of new specialties. This copier touch screen article showcases and A03UR70700 Developer Unit brings into light the new features that are included and comes with the printers. Make sure to go through the piece and this will help in serving the process in best 4030R70200 Fuser Assembly possible way.

    12. This is a nice informative blog in which you discuss about the electronic voting machine fraud during elections and this fact have come out during Scott Walker recall election.

      Ballot Boxes | Voting Booths | Ballot Boxes China

    13. Hi, Publius:

      Are you still interested in working for verified accurate elections in Wisconsin? Your care with facts and commitment to honest, accurate elections makes you look to me like someone I’d like to work with.

      I’m coordinator of the Wisconsin Election Integrity Action Team (www.wisconsingrassroots.net/election_integrity_project) . We support all sorts of election-integrity issues, but are intently focusing this year and next on getting Wisconsin county clerks to conduct transparent verification of voting-machine output during the county canvass period, in line with the recommendations of the Presidential Commission on Elections Administration (2014). This need not be a full hand count; it can be a statistically valid risk-limiting audit, if the sample is good enough to verify the outcome.

      This practice is possible under current Wisconsin law, particularly since our group got the GAB in October 2014 to change its written guidance to allow for the opening of sealed ballots bags for the purpose of routine verification during the canvass period (our biggest concrete victory so far.)

      Since you wrote this post, the technology changes have been mostly good. There are fewer antiquated machines out there, and the newer voting machines in all of Wisconsin’s larger counties (where any hacks would be targeted) create a digital image of each ballot at the moment it is cast. GAB has required the clerks to configure the machines to save these images, and they become part of the election record.

      Verification can be conducted using these digital images with breathtaking speed—check out this video:
      www.youtube.com/watch?v=SUmOrTt2DvQ The digital images can be hacked, but you need to know the ballot design before you write the hack, so it’s more complicated (ballot design differs among jurisdictions) and is forced into a smaller window of time (ballot design usually isn’t settled until a few weeks before each election) than simple hacks that need to affect only tabulation. In counties that do their own set-up, like Dane, the voting-machine-company-insiders don’t necessarily even get a copy of the ballots design before each election. So it’s not perfect, but we’re okay with county clerks using the digital images for verification at least to get over their initial hump of denial that they need to check the output.

      Anyway, please get in touch with me through wiscelectionintegrity@gmail.com, if you’re interested in our work or have any questions.

    14. I read your blogs like every week. Your humoristic style is awesome about Voting Machine, keep up the good work!Thanks for sharing such beneficial information with us.

      Ballot Box Suppliers | Voting Booths

    15. where to buy cigarette machine parts online?
      vaportech vaporizer

    16. This is a very nice article.thanks for sharing.

    17. This one is good. Keep up the good work I also visit here: and I get lot of information. Verifications IO

    18. It’s a very good post with helpful information of voting machine information. I really understand this detail that you approach these topics from a stand point of knowledge and information. I am impressed with your site’s blog of content.
      Election equipment | Ballot boxes | Voting booths