
Part 3 ** CA State Sen. Bowen Finally Grills 2 ITAs. (LONG transcript)

 
nicknameless, Mon Apr-03-06 07:52 AM
Original message
Part 3 ** CA State Sen. Bowen Finally Grills 2 ITAs. (LONG transcript)
http://www.bbvforums.org/cgi-bin/forums/show.cgi?tpc=1954&post=19356#POST19356

Posted on Monday, April 03, 2006 - 12:34 am:
Minutes 90-120 (of 200). Now this one contains some scary statements. By the way, we'll put the whole thing out in pdf format in a few days:

=====================

Senator Debra Bowen: So when you've got a split about hardware and firmware versus software do you coordinate with the ITA that's going to do the software testing so that you don't get into this situation where you've got Diebold – Global at this point – saying "we don't need to get Win CE 3.0 certified by Wyle" -- he doesn't say, but the justification could be "it's not hardware or firmware" so if they go off and say to Ciber "That's the operating system, it's not within your purview." How would anybody know whether or not anybody was looking at that?

Wyle (Joe Hazeltine): But we do coordinate with the, Ciber, about the front end of the project, generally the customer's going to Ciber first to do some of the activities that Brian's been talking about, their software development process, the functional and physical configuration audit work, before they come to us, and at the end they're doing the end-to-end work as well. A lot of the times the end-to-end work is done physically inside our laboratory, they're using our setup if you will, to actually conduct that test. To answer your question, yeah there is coordination that's going on.

Systest (Brian Phillips): Actually quite a bit of coordination that happens. Because as defects and discrepancies are found, say in the hardware testing environment, we need to know of the changes made to the hardware environment so that those changes are then made to our own test environments, and vice versa. If we're finding software discrepancies, those get fixed, the software that's used to create ballots that may be run in the hardware functional testing environment that Wyle does, those changes reflected in that so they can run the same ballot configurations through so there's a lot of coordination going on.

Senator Debra Bowen: How do you deal with – I mean, this is an iterative process all computer development is an iterative process, if you have patches, new modules, a printer, upgrades, removable media, what happens? And just as an example when Ciber reviewed and approved the TSx, the Diebold TSx, it found a number of flaws, recommended some fixes, but then as I understand it, approved the system without ensuring the fixes were made or ensuring that they work. And some of them dealt with hardware. So how does this then go back, I haven't seen, Diebold right now, the secretary of state is claiming that Diebold has a NASED number and is therefore certified despite the Ciber report that identifies a series of problems that need to be fixed. So how does the NASED number work with this, if flaws are uncovered subsequent to the issuance of a NASED number – that's probably a question I should be asking NASED –

Wyle (Joe Hazeltine): And Ciber.

Senator Debra Bowen: But how do YOU deal with that, since it's your name that's on the line that generated that number, if you become aware that --

Wyle (Joe Hazeltine): Again, what's going between Ciber and the vendor is something that we can't speak to, but I mean for us, if a defect, any type of defect shows up in the functional work which we're doing, then we'll pick it up. But if a defect doesn't show during the testing we're doing then the defect, as far as we're concerned, it wasn't there, we didn't see it.

Senator Debra Bowen: Well I'm not even asking about a defect at this point--

Wyle (Jim Neu): Now, here's a case where apparently one was known and had to be corrected.

Senator Debra Bowen: Let's just take a situation where the hardware and firmware seem to be okay, there's a subsequent review done of something, and there's either a patch, a new module, an upgrade, something has changed, does that automatically come back to you for further review, or who has to initiate that?

Wyle (Joe Hazeltine): That's really no different than a vendor deciding that he wants to do an upgrade to a program to fix some fault that they found or someone identified to them, it comes back to us and it goes through the process that we've already talked about, it'll be reviewed--

Senator Debra Bowen: -- But this is subsequent to the issuance of a NASED code--

Wyle (Joe Hazeltine): That's correct, it already has a NASED code, a change has been made to it, it comes back to us, I consider it to be a brand new product, we start from scratch on going through it. Now there may be some tests that are not required, if it's a software change only we're probably not going to rerun the drop tests, we may not rerun the vibration tests, we may not, if it had nothing to do with lightning coming in to the device, we might not deal with that, but those tests which are required are rerun. And the software code is reviewed, every function evaluated. And that happens often on a program that they desire to make a change to it or improve it.

Senator Debra Bowen: How do you know that there's been a change that should require you to re-look at the work that you did?

Wyle (Joe Hazeltine): I think the check and balance on that is, as they're selling the machines to the different jurisdictions, there's a version number of the software code that's provided and that report that they provide to that jurisdiction, if those two don't match, then the vendor knows he has to go back and get that recertified.

Systest (Brian Phillips): Actually I can expand on that a little bit. Let me back up a little bit, there's a couple of things. If we're in the middle of testing, or towards the end of testing, and I'm going to use an example where Systest Labs is doing just the software ITA part of it and perhaps Wyle maybe, and this happens, Wyle is doing the hardware ITA part of it, if we find a defect in anything that can impact the firmware or the use of data that Wyle's working with, we notify them, the vendor will then send them new pieces of software and so forth that may affect them and then they'll rerun those tests. Conversely if we're testing with version 1 of a piece of hardware and Wyle identifies discrepancies that get fixed, and this is, say, an internal version number and the hardware now goes to version 2 we've got to get version 2 into Systest Labs. We then regression test our software against version 2 as well as continue on the rest of the tests.

So there's that kind of coordination going on. That's what ends up extending a lot of the ITA efforts beyond what anyone thinks it may take to get it done, because we're finding things at the end that take that level of coordination and retest. And then, to check for differences, if a vendor's coming back to us, they already have a qualification number, and they want to come back and get their product requalified because there have been some discrepancies found in the field, some new functionality, they have to resubmit their entire TDP again.

Senator Debra Bowen: But why would they recertify if the position is once they have a NASED number they're certified, period, no matter what anybody finds after that. Why would they bother to come back to you?

Wyle (Joe Hazeltine): Well the NASED certification number is tied to a software version.

Senator Debra Bowen: Right, but I think—

Wyle (Joe Hazeltine): --the certification number and the software version are linked. Are you saying if there's a defect that they're aware of, why would they go out and fix it?

Senator Debra Bowen: Well I think we're specifically looking here at the instances like the memory card on the Diebold TSx where -- and the interpreted code, which it's my understanding Wyle didn't test either the memory card or look for interpreted code, you can correct me if I'm wrong about that.

Wyle (Jim Neu): No, I think that's correct.

Senator Debra Bowen: So, subsequently we had this Finnish programmer, Harri Hursti, who showed that it is possible for someone with access only to a removable memory card to modify scripts written in the Diebold AccuBasic language that are stored on the code and to modify the vote counts stored on the card in such a way that that tampering could affect the outcome of the election and not be detected by the canvass procedures. Here in California the secretary of state has taken the position that because that system had a NASED number, it's certified! And it doesn't matter what either Wyle or Ciber did after that, because it's certified.

Wyle (Joe Hazeltine): But you're talking about tampering of the hardware after it's been removed from the machine?

Systest (Brian Phillips): In what way does that --

Wyle (Joe Hazeltine): How does that invalidate the accreditation of the hardware to start with?

Systest (Brian Phillips): There's no discrepancy there. The use of the system in a normal process doesn’t mean that you can then corrupt the ballot counts, it would have to be an actual tampering attempt by someone to change it. The same would occur for the paper ballots, someone could absolutely tamper with those between the polling place and central count as they transport them. So it has to, you know, you've got to have some physical process in place to be able to control those things.

Senator Debra Bowen: But this is a security – I mean, you're looking at, in looking at your tests of voting system function, the very first thing under functional testing is overall system capabilities -- security. Evaluating the access control aspects of the system including locks, passwords and pollworker activities.

Wyle (Jim Neu): Well it sounds to me that the description you just provided though told us that someone was given access to the locks, to the interconnects as if it were, for example, a dishonest pollworker.

Senator Debra Bowen: Your security test, that involves locks, passwords and pollworker activities, isn't intended to look for what a dishonest poll worker might do?

Wyle (Joe Hazeltine): Ours is to evaluate the system, and you've got to understand that you can't certify the machine and say, okay, we can put it into any environment that we want a bunch of dishonest people are going to run it and therefore that certification is going to cover any malicious attempt to it. The machine has certain locks built into it that prevent you from getting access to these things. If you're going to permit that access at the polling station, how can you hold the machine responsible for a poll worker who is corrupt? I mean the machine can't accommodate for all of this.

Senator Debra Bowen: Well I'm reading your criteria. Your criteria say "security, including the access control aspects of the system, including locks passwords and poll worker activity."

Wyle (Jim Neu): Tested to the standard.

Wyle (Joe Hazeltine): We test to the standard with the proviso that there are procedures and policies that are followed at the precinct.

Senator Debra Bowen: So why did NASED send back the memory card with a letter that said "It is clear the memory card and AB component of the Diebold voting system should have been tested but were not."

Wyle (Joe Hazeltine): Okay, you're mixing up issues here. On that card, the issue was that the software was presented to us as COTS. What the software does, it's like Crystal Reports, it takes data and it prints out a report, and all through the certification process that we did the reports were accurate and correct. There was no issue with that. What happened in this case is that apparently this software had been modified yet it was presented to us as COTS.

Senator Debra Bowen: Well I asked you if you had had anybody misrepresent software and you said "No."

Wyle (Joe Hazeltine): Um -- Not knowingly.

Wyle (Jim Neu): Yeah I guess, as it turns out--

Senator Debra Bowen: What do you mean it was "presented to you as COTS"?

Wyle (Jim Neu): It was inadvertent.

Senator Debra Bowen: Somebody inadvertently described it as COTS?

Wyle (Joe Hazeltine): I believe they'd been using it for a number of years and in their minds this was part of the system, they didn't see it as something which they had modified.

And in terms of the process, we went through it worked properly, even the letter that you're referring to the same thing, there's no issue of operability or functionality on the machine, the issue was of, was that software as presented or not. It was discovered, it was corrected, it was re-evaluated and, um -- moving on.

Senator Debra Bowen: But the question I have is why the vendor would send it back to you if they have a valid NASED number. Because you're saying "well, you know the vendor will come back to us if there's an issue" and I'm saying the vendor is NOT coming back to you.

Wyle (Joe Hazeltine): There wasn't an issue in its functionality.

Senator Debra Bowen: Okay, so you don't consider the use of a memory card that can change the outcome of a canvass, an issue with functionality?

Wyle (Jim Neu): This device, I do believe in the end it was, as it went through with the state of California, that the functionality, I'm sorry, the code review was not a part of the code review that Wyle should have done anyway, and I believe it subsequently has been done, was done by Ciber.

But in any case it was presented to the ITAs as COTS software, and therefore was not reviewed. When it was discovered that it was not COTS software it subsequently was reviewed and now has required a protection that memory cards be treated the same as a ballot box.

Senator Debra Bowen: Okay, so again my question to you is, how you could, if you're looking at voting system functionality, and again, this is from Wyle's presentation, "Overall system capability: Security, evaluating access control aspects of the system including locks, passwords, and pollworker activities." Which I have to believe should include things like, do you basically give a pollworker access to the ballot box with no control? Which a swap of the memory card would do. It gets the pollworker, anybody who has a memory card, which is about this big, right,--

Wyle (Jim Neu): Well, let me just, we have, together with NASED established the standards and we test to those standards. I don't have right in front of me the checklist that speaks to those particular items but I will guarantee you we test fully to the standard that's been developed and agreed to.

Wyle (Joe Hazeltine): I don't think the issue is the pollworker having access to that, because they will, before and after the election. The issue is, does the voter? Can I as the voter go in and have access to that memory card during an actual election. And you can't. The system is designed to have checks and balances to prevent that from occurring. After the election's over, the poll worker does have access to it. If that's what the question is, I'm not sure I understand where we're going.

Wyle (Jim Neu): <(whispered) Take a look at the standards>.

Systest (Brian Phillips): But I think what you're saying…

Senator Debra Bowen: Well I think the question really is, how -- and there's another issue that we haven't gotten into which is the fact that, as I understand it at least, the equivalent of the crypto key in the Diebold machines was set to be "1111", in a line of code, and it's the same in every single machine nationally, and nobody said "Gee, this is a security risk."

Wyle (Joe Hazeltine): Well that would be an issue to address with Diebold, we have no control over that or access to that.

Systest (Brian Phillips): Actually that's, the situation with that, and I believe this was prior to 2002 standards and even in the 2002 standards it's not expressly discussed, but there was no requirement that prohibits the vendor from having a hard-coded password. And we encountered that at Systest Labs. We've never looked at a Diebold, we've never tested Diebold, they've never come to us, but with other vendors and we point that out. "You have hard-coded passwords in your software." But I can't fail the system because there's nothing that says they can't do it. Now, someone says, well, inherently, aren't you saying, doesn't that compromise security? Only if they give out the password. Only if somebody guesses the password.

But yes, I mean, it's not the best solution but there's nothing we can do to actually force—and it comes down to, We actually write those up, and they go in as informational and they're part of the qualification report.

Senator Debra Bowen: Okay, so NASED has it and the vendor has it but the public doesn't have it.

Systest (Brian Phillips): Yep, and they can review that.

Senator Debra Bowen: But the public doesn't have it.

Systest (Brian Phillips): That's something beyond our control.

Senator Debra Bowen: I understand. I mean, you're living with the system the way it's set up. But I think one of the issues that we keep getting into with this testing is that, we go back, the client is the vendor and we tell them what we found, but we don't have to tell the public. Well, the public is coming to me, and saying "we've got a hard wired password, it's 1111, and it's wired into every single Diebold machine" -- the testing authority knows that, Diebold knows that, but it takes Avi Rubin at Johns Hopkins to do an independent review on source code that Diebold lost control of.

Wyle (Jim Neu): But NASED is the national association of state elections directors.

Systest (Brian Phillips): They're the ones who are responsible for administering this, and they're the ones I would think that, I mean their role as state elections directors, as secretaries of state and elections directors and so forth, have the most at stake as far as elections, excuse me, as far as public officials. And they're the ones who control the review of the final reports and issuance of the qualification number.

So if I write an informational discrepancy that says "vendor A has hard-coded their passwords" and all I can write is informational because it doesn't violate a requirement, unfortunately, then, you know, NASED still doesn't have to qualify it. They can go back to say, there's all sorts of things they can do. We don't have the authority to actually say "yea or nay" on the qualification. We can just give our recommendations and our results.

Senator Debra Bowen: And I'm not trying to -- I'm just trying to figure out how, when you're doing your work, whatever you come across then gets filtered through NASED or the EAC and at that point it's a pass-fail grade. So whoever is doing the NASED number and whoever is doing the certification there has two choices: certify it or don't certify it – or certify it with conditions that say, you know, you have to put a seal across the memory card and some things like that.

Wyle (Joe Hazeltine): Or, that the condition is, it needs a 3-digit password, it met that condition. And it's not uncommon when you're getting a prototype, when you buy your cell phone the password may be set to 0000 or 1234, something simple, and when we're seeing a prototype in the first article, more than likely we're probably going to see something like that. The issue is if it has to be random and reassigned, you know, after it's been certified. But the requirement of having a password was there. It's an operational issue, it wasn't a hardware or a design issue, it's just the way it was fielded.

Senator Debra Bowen: So there is a security requirement that there be a password.

Wyle (Joe Hazeltine): Yes there are, security requirements.

Senator Debra Bowen: But that's met if the password is hard-wired into the code and it's "1111" for every machine?

Wyle (Joe Hazeltine): Ah, I would say it's probably not the intent of what that design would be, why have it if you're going to have it the same?

Senator Debra Bowen: Well you passed it. I didn't pass it that way. You passed it that way.

Wyle (Jim Neu): Okay. We have the standard, here, I can tell you what the standard says, we can read to you what the standard says, I can assure you that whatever we passed was in accordance with the standard.

But we provide all of this information to an association of state elections directors. So it seems to me that we're clearly not withholding any information, we're simply doing what we're hired to do. Test to the standard, provide the report.

Senator Debra Bowen: And I want to be clear, I'm not saying that you, as the test labs, ITAs, have the responsibility to release proprietary test results. You don't. You are under a contractual obligation not to.

I'm looking at the way we have set this system up. And asking whether or not it serves the public interest to have a system in which you do testing, find some things that I'm sure are insignificant, you know, forgot to put this in the comment, or made a snotty comment on line five, you know, in the comments, stuff that's completely irrelevant. But then you find something.

I mean, I have no idea having not seen the test results whether you wrote up a concern that the password is hard-wired in and it's "1111" I believe actually was included but Diebold didn't do anything about it and then, the most recent testing I've seen on it is that they've replicated the same flaw in the newest version of their software even though they were told that it was a security risk.

And the result of the testing that was done here in California between December and February, identifying 16 new security flaws that were never found, requires a manual workaround that each pollworker, that each poll, precinct captain reprogram, or each registrar of voters, reprogram every machine before it's used.

And that to me raises the question whether we should be relying on manual workarounds when the flaw is so basic that it seems to me the answer is just to take it out of the code and the machine doesn't work if somebody hasn't set a password that's actually meaningful.

I mean, to me this is equivalent of having all the gated community gate manufacturers around the state just set their default as 12345 for the gate code access. And then, I'm sure they tell somebody when they sell them, "Oh you have to change the password." And probably still if you go around the state and go into gated communities, some significant percentage of them you can get in by dialing 12345. Did that last week, two weeks ago, I got in that way.

Wyle (Joe Hazeltine): And is that a fault of the gate manufacturer or is that a fault of the consumer? Telephones are privacy coded so you can call into them from the outside and they're four or five digits, maybe three digits, and it tells you right in the manual what they are. I'm sure out of the millions and millions of phones that are out there, the majority are with the default code.

Senator Debra Bowen: But I think the question is what the consequences are of that. What are the consequences of somebody not resetting the default, either their cell phone, or even the gate code on a community, versus a voting machine?

Wyle (Jim Neu): But what you're asking in fact is whether the standards are sufficient. And I guess I'd prefer not to comment for Wyle on whether the standards are sufficient. I will simply guarantee that we will test to the standard, however it gets developed. Frankly the more severe the standard, the more revenue we get by testing.

Senator Debra Bowen: I think this goes back to some of the discussion that Mr. Phillips and I had earlier on what the inherent limitations of testing are. And whether or not you would ever test for the kind of slot machine scam that I described. Which I think, no matter how well testing criteria were written, you wouldn't test for that.

Systest (Brian Phillips): Well we're always looking for those types of things, but will we always be able to see them? No. Not always. Even in some of the most simplest logic flaws where the software works perfectly fine – and it's not intentional -- but the software works perfectly fine in all cases but one out of 10,000 and invariably you hit that one in production out in the real world.

One other thing that should be noted is that, as a state, looking at products from different vendors, determining who to purchase and who not to purchase, and who to certify and not to certify, you yourselves have the option to say "You know what, we've seen the report, we've done our own review and we found hard-coded passwords. We're not going to buy your product until you fix it. Your competitors don't do that. Your competitors have a much more secure product."

So it does come down to that as well. One of the things we need to keep in mind is that qualification process came about, a lot of it was, early on vendors and new vendors were coming in with new versions of the products, which in some cases were really good viable products and in some cases were more vaporware. So to protect counties and everyone else making decisions on what to buy, you had to at least show your system could run a general and primary election, and then it began to grow upon that.

Senator Debra Bowen: And I think that's a point well taken but I would go a step further with that and say that one of the difficulties that we have with the system in which we procure voting systems in this country is that we're asking a great deal of township or county officials or even state officials who don't have technical expertise. So even if they were to look at your report – I mean I'm not a software engineer, and I probably have spent more time digging around under the hood of software systems than most of the people who've ever been elected in California, which probably just says something terrible about me as a person, because that's what I spend my time doing, I don't know -- but trying to understand what these criteria really mean in terms of what the likely result is, I think is a huge challenge and the smaller the county or township, the bigger the problem. Because there isn't anybody – you know -- if everybody had an IV&V vendor, this would probably work a lot better.

Systest (Brian Phillips): But my understanding is that, for instance, the state of California, the secretary of state's office, has consultants who are experts in this field who does support their state's certification process, who are as good or better in some cases you might say, experts in some of the processes that we do, because they've been in this for 30-plus years, and other states do the same thing. So I'm not sure what an ITA can do to create a report that comes out with information that a lay person can pick up and read and understand that everything is either very very good, or marginally good, or bad. We try to document everything that we find.

Senator Debra Bowen: I don't think you can. My concern is, to some extent it's with that. I mean, I have to say, it concerns me that nobody looked at the memory card during the certification process. And I don't know whether that's – I mean, NASED issued this memo saying that memory card is an important issue and that the memory cards should have been tested, but were not. So there's that problem of what just – again, it's not going to be perfect -- but then there's the other question where we've got this system where we have this elaborate testing done, but the vendor and whoever the purchaser is, because of the fact that it's proprietary software and there's a contractual relationship with the ITAs, that information about what the problems were, only comes out by accident.

Wyle (Jim Neu): I would say, having looked at a couple reports, the information about what we saw when reviewing the firmware is in great detail submitted to NASED for peer review, looked at by three individuals, and then the feedback is given to us and a final report is – but there's 150 pages of information about what was in that code.

Senator Debra Bowen: But I don't have access to it. I can't see it.

Wyle (Jim Neu): I guess I'm – this is not really in my role as an ITA is -- I'm a little confused about the fact that all this information is available at the EAC.

Senator Debra Bowen: But not to me. Not to me. It's "proprietary."

Wyle (Jim Neu): That is a government problem, not an ITA problem.

Senator Debra Bowen: Right. I agree. That's why I'm trying to be very clear. This is not your responsibility. You have a certification by NASED to do this work. Then you have a client that is the vendor of the voting machine, system. And work gets done. And one of the difficulties is, if it is 150 pages, you know -- and that's great and it's awful because somewhere in that 150 pages there are probably three things I really should focus on.

But there's so much there that aren't the top three mission critical things that it's very hard to find the three things that are really important.

Wyle (Joe Hazeltine): Something that I don't understand is, it's not uncommon for us to get a letter from a vendor saying that such and such a state is considering procuring this device, please send them a copy of the report, which we do. Would we send it to an individual? No, because I think that would really invalidate the system. But if you're a customer for that vendor and you need a copy of the document, you can get it.

Wyle (Jim Neu): But if our customer in fact asked us to send it even to an individual, we would, because it is owned by our customer so we would follow our customer's instructions.

Senator Debra Bowen: Absolutely. The customer could certainly provide it directly. But I want to assure you that none of the vendors are sending me their information. And I have asked. I have asked. And I have asked the secretary of state for the information. And I can't have it.

Systest (Brian Phillips): Actually, once it's sent to the state, any party within the state, I was going to ask you did you not get them from the secretary of state's office.

Senator Debra Bowen: No I do not, I do not have it. It's proprietary and I am precluded from looking at it.
Steve A Play, Mon Apr-03-06 05:46 PM
Response to Original message
1. Kick & Recommended!
Senator Debra Bowen: Absolutely. The customer could certainly provide it directly. But I want to assure you that none of the vendors are sending me their information. And I have asked. I have asked. And I have asked the secretary of state for the information. And I can't have it.

Systest (Brian Phillips): Actually, once it's sent to the state, any party within the state, I was going to ask you did you not get them from the secretary of state's office.

Senator Debra Bowen: No I do not, I do not have it. It's proprietary and I am precluded from looking at it.


Once submitted to the Secretary of State, the document should automatically become part of the public record. These are reports that are required by State and Federal law that attest to the fitness of purpose of our election machinery.

Thanks again Debra!

:kick:
 
kster, Mon Apr-03-06 07:21 PM
Response to Original message
2. KnR.nt
 
FogerRox, Mon Apr-03-06 09:05 PM
Response to Original message
3. KNR-- I'm on a tear, rate this up
 
izzybeans Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Apr-03-06 09:53 PM
Response to Original message
4. I want to care but the experts need to translate this into prole-speak
because I'm a babbling-brook when it comes to this technical language. I know how to translate it but my translation is so weak that there is no way I could defend it beyond focusing on the proprietary issue, which is something that is understandable to me. Beyond that, I could not describe the technical process because even though it's written in English within this transcript, it still feels like dense technical code, and my puny-compu-brain nearly exploded when trying to get to the point.

This is not meant to be a critique, but as the bandwagon grows larger, more of us will need to be taught on terms that are comprehensible to us regular mere user folk.

ItsTheMediaStupid Donating Member (1000+ posts) Mon Apr-03-06 11:08 PM
Response to Reply #4
5. There is a better way to present it to others outside the DU community.
Just ask why should I believe any of these machines are accurate? Prove to me they are accurate.

The vendors refuse to disclose exactly how the software works and there is no way to verify that the vote counts are accurate, since there are no audit trails produced.

In most cases, there is no paper receipt printed for the voter to verify and place in a box.

Usually, there is nothing at all except the machine maker's testing, certified by election officials. The testing can be faked and the election officials are generally not qualified to understand if the tests are valid or not.

We have to place the burden of proof on the machine makers that they are accurate. They should prove it with testing and by having the election officials of all parties count the paper ballot receipts.

If the number of votes on paper receipts matches the number of votes in the machines, they are accurate. If not, the machines should be ignored and the paper count used. It matters a lot more to be accurate than to be fast.

izzybeans Donating Member (1000+ posts) Mon Apr-03-06 11:22 PM
Response to Reply #5
7. Thanks.
I've been in a debate with a particular gentleman. And I've pretty much covered that ground about verifiability and one response of his sticks out; it was just sheer dumbfoundedness. He just didn't get it. He had no way of processing how, inside that blackbox, votes could get lost...because they are "in there". I had no way of talking about the possibilities of hacking in a way that appeared I knew what I was talking about. He could sit and watch a presentation of the votes being changed and he would say, well that wouldn't happen because...<long pause>...well they wouldn't do that.

And it ended there. I had no way of getting past the "blackbox problem" with this guy, because I can't talk about how this black box works. If I could, the language I am forced to use is meaningless outside the box itself (for the people who really need to understand). I think this is key for this guy's coming around to the problem, otherwise he will remain trusting in partisan officials (especially his party). Without folks like this guy on the side of verifiability I have a hard time thinking that what has happened in various states and precincts around the nation can happen everywhere. Because we will have to rely on non-partisan election officials to do the right thing, which makes for a haphazard federal election system. There will be no nationwide populist pressure without figuring out how not to turn us common folks off before the punchline is delivered, and simultaneously making us understand what punchline means. I admit to being a slow sell on this issue and believe that has to do with my lack of technical knowledge. Even though the issue is simple on the surface, I too let my trust in the system (one I have no knowledge of in actual fact-computer systems constituting the election system) blind me to the possibility of fraud. But I also let the jargon shut me down mentally. This guy does so much quicker than I.

ItsTheMediaStupid Donating Member (1000+ posts) Mon Apr-03-06 11:13 PM
Response to Reply #4
6. Pardon the above rant.
You could just say that we should have at least as good an audit trail as you have at your bank or other financial institution. Voting machine software has been much less reliable.

izzybeans Donating Member (1000+ posts) Mon Apr-03-06 11:24 PM
Response to Reply #6
8. I didn't find it to be a rant. I found it helpful.
Edited on Mon Apr-03-06 11:25 PM by izzybeans
I think the financial institution example will help my debate. It will give him a tangible that he can lose within a process he doesn't understand. I trust it will pique his interest in understanding that process.

Thanks for the insight!

ItsTheMediaStupid Donating Member (1000+ posts) Mon Apr-03-06 11:34 PM
Response to Reply #8
10. I'm happy it was useful to you
Edited on Mon Apr-03-06 11:37 PM by ItsTheMediaStupid
I work in the IT field and the electronic voting process for most of the machines is so riddled with problems that no major corporation would let these machines handle their accounting data, yet they determine who runs the country.

It's frightening to me, because the only reason I see for so many holes in the e-voting security is that they plan on using the security breaches to manipulate elections.

I'd prefer to do everything by hand on paper. So what if it takes two or three days to get official election results, it's more important that we get it right.

Wilms Donating Member (1000+ posts) Mon Apr-03-06 11:34 PM
Response to Original message
9. Bowen did a great job.
Edited on Mon Apr-03-06 11:41 PM by Wilms
And some of the candor with which Wyle and SysTest answered surprised me.

In this segment, I'm afraid Debra lost track of things in two regards.

1. She kept asking why it's ok for the memory cards to be hackable and now protected by "security measures". Wrong question as it matters not. What matters is that there is interpreted code on those memory cards (which so happens facilitates hacking) AND INTERPRETED CODE IS SPECIFICALLY DISALLOWED, Period.

It was cool however that she had them explain why the cards hadn't been tested, which they said was due to Diebold mis-representing them as COTS (Computer(?) Off the Shelf). COTS would not have to be evaluated (though it probably should anyhow) as it is by nature open source. (ON Edit: Actually, I don't think COTS is "Open Source". It may be a Microsoft product. So I ain't sure.)

2. The whole thing with passwords has nothing to do with the ITA. It has to do with the vendor, NASED, EAC, and Sos's/BoE's. ITA's don't write spec. They test to it. THE EAC is responsible for specs, and should be subpoenaed.


I must say I did enjoy reading between the lines sensing Wyle and SysTest raising eyebrows over CIBER's apparent slacking.

Thanks for these threads, Nick.
