7 Comments

As someone who manages complex software and systems projects, you can’t test a system to prove it’s secure. You must have access to the source code, and verify an unbroken chain from the source code to the tools that build it, all the way to the images loaded onto the system. This post says what I was most afraid of - that the states who are responsible for election security don’t have access to the source code, and don’t oversee and verify the process of who puts code into the change management system.

This is the worst case. If what I’m reading is true, we have a completely insecure election system. In this case, the testing performed is meaningless.

How can the Secretaries of State across the country let this happen?


Yes, your note needs to be re-stacked one million and one times - we have a completely insecure election system and the bad guys have been taking full advantage and gaslighting us about it.


I agree that you need access to the source code, among other things. Your comment reminded me of a number of interviews with Stephen Spoonamore back in 2005 to 2008 that are posted at https://econdataus.com/election24.htm#Spoonamore . It's chilling to listen to some of them and see how little things have changed. For example, #8 at https://www.youtube.com/watch?v=1xIZLizSnGc concludes that the fact that Diebold and ES&S won't allow their systems to be inspected is a huge red flag. Some of the other ones I remembered were #23 at https://www.youtube.com/watch?v=4Z7DK3LgiOA titled "Evangelical Christians and electronic voting machines" and #26 at https://www.youtube.com/watch?v=s07oi2G_K4c titled "People should doubt the vote...because it's being stolen". At 6:05 in this last video, Spoonamore states, "The target as far as I can tell has always been the same from the beginning. It's a Supreme Court that will overturn Roe v. Wade". This video is from September of 2008. It could just as well have been from yesterday.


Thank you, Lulu, for this excellent explanation.

Given the hollowing out of the federal government by Trump and Musk, perhaps some states might have the political will to institute effective testing of voting systems.

I was impressed by a 2014 report of independent testing of Dominion's Democracy Suite 4.14-A and 4.14-A.1, now hosted at Verified Voting:

https://verifiedvoting.org/wp-content/uploads/2020/08/red-team-support.pdf

As a result of an initial round of testing, Dominion corrected some, but not all, of the vulnerabilities discovered. That's the kind of "positive feedback mechanism" that we want to see with current voting systems (only, please, correct *all* of the problems). This approach to testing actively encourages independent testing that finds problems, and requires a response from the vendors that corrects those problems. Then, further testing to show that the vendor response actually fixed the problems.

Just considering my home state of NY, I have seen nothing like this in the NYS BOE tests of the currently available voting machine systems approved in NY (ClearBallot, Dominion, ES&S, and Hart InterCivic). The NYS BOE published only one high-level, completely inadequate report for each voting system tested. See:

https://elections.ny.gov/voting-systems-testing


Regarding labs that are accredited by the EAC to certify U.S. voting machines, there is an interview with Harri Hursti at https://www.youtube.com/watch?v=rr-rljXL1iU that describes the certification. Harri describes the standards for the testing from about 4:48 through 7:42 of the video. At 5:00, he states that "voting machines are certified against volunteer voting system guidelines". He then lists volunteer guidelines that range from a 2005 1.0 standard to a 3.0 standard. He then says "Almost every machine today certified is still certified against the 2005 volunteer guidelines". At 5:43, he states that "only 3.0 actually starts to implement some security measures". He then states something like, "1.0 is just like humidity test, drop test, you know, safety means, the voting machine shouldn't electrocute the voter or poll worker". So we can take solace in the fact that our current voting machines are not electrocuting any voters or poll workers!


Fascinating work as always 👏👏👏 This is not at all surprising given everything we know so far. Keep speaking up!


As mentioned, the Internet Archive reveals much about how the site has changed. At https://web.archive.org/web/20240416175520/https://www.provandv.com/ , you can see the site as it appeared on April 16, 2024 and you can click on any of the items in the upper menu to go to related pages. But then https://web.archive.org/web/20240709124537/https://www.provandv.com/ shows the error page that was there on July 9, 2024 and some other dates around then. Finally, https://web.archive.org/web/20240718182108/https://provandv.com/ shows how the page appeared on July 18, 2024. This looks similar to how it appeared on April 16 except that hovering over the items in the menu now reveals links that all start with "http://provandv.com/wordpress/" and no longer appear to work. Wordpress is described at https://elementor.com/blog/what-is-wordpress-2/ as "a tool for creating, managing, and changing content on your website without knowing how to code". Hence, I would not be surprised if the move to Wordpress was done in an attempt to cut costs. In any event, it would appear that whoever migrated the site didn't know what they were doing.
