The Little Bits Matter


Introduction

Jenny Cohn published an excellent piece of investigative journalism called “Election Assistance Commission Investigated ES&S Voting Systems”:

https://whowhatwhy.org/2021/03/08/election-assistance-commission-investigates-ess-voting-systems/

It exposes how software from the prominent election system company, Election Systems & Software (ES&S). was installed in several states, including Texas, bypassing standard checks to confirm that election software tested by the federal Election Assistance Commission (EAC) is the exact same software that is now on those machines. It turns out, it was not, and this was not properly reported.

“Documents obtained by WhoWhatWhy show that, about 40 days before the 2020 election, the federal Election Assistance Commission (EAC) quietly investigated concerns that ES&S’s software installation and validation methods could have left touch-screen voting systems in up to 19 states vulnerable to the installation of malicious or otherwise unapproved software. The documents also suggest that ES&S may have initially misled election officials about this issue.”

Also:

“ES&S was conducting the hash-validation tests itself, as opposed to having the jurisdictions conduct them, a “fox guarding the henhouse” situation…”

The Little Bits Matter

Elections matter. This should be very clear, especially since Insurrection Day, January 6th, 2021. We need to be able to confirm beyond a doubt that election results are indeed accurate. This is very difficult to do, as elections are extremely complex, involving over 1,000 steps in detailed procedures. With over 3,000 counties, there will necessarily be issues. But we must aspire to make as much of the process as public as possible.

Early on, the EAC tests election systems to see, in theory, if they work as they should. They then bundle the software into a package, run the package through a “hash function”, which reads everything in the package, and comes up with a very long number, which I will liken to a finger print for the entire package. The EAC then sends the package on to elections officials, who install it onto the election systems. If you scan that software, it should come up with the exact same long number. If not, we have a problem (Texas).

The problem was, (1) some ES&S systems in Texas did not have the correct number. And (2) officials who should have reported the problem failed to do so.

Once this was discovered, some digging around found that an innocuous looking file called “sysload.bmp” was different. A bmp file, for “bitmap”, is a file containing a picture, similar to a png or jpg file, only it’s used in MS Windows. Some officials called this situation “de minimus”, which is jibberish (aka Latin) for : trivial. It doesn’t really matter, it’s just a picture.

Only every bit matters. All of them. Experts can program a computer to ignore the “bmp” at the end of a file name, read the bits in the file as real computer code, and follow the instructions in that code, whatever it says.1 People checking out a system are likely to not pay attention to bmp files, as they are “just pictures”. Only if that file has been changed, and someone has programmed the system to follow the instructions hidden in the picture, you can rig the system, and nobody knows. This is one of the kinds of insider threats I’m been most concerned about since 2005. The possibility is real, and it’s why we have to double-check our election systems down to the last bit.

History is littered with red-flag warnings from engineers that were ignored by politicians and bureaucrats. The o-rings on the space shuttle Challenger are an example. It’s the specialists who understood the implications of seemingly trivial details. They were warning about the o-rings for years, were ignored, until Challenger blew up.2

In election systems, every little bit matters. When they don’t add up, something could be wrong. When they are not fully reported, something is wrong. I’m not saying that these systems were rigged. I don’t know; but that’s the problem.

The three problems Ms. Cohn refers to in her article need to be addressed, soon. They are red-flags. These details matter.

“Election Assistance Commission Investigated ES&S Voting Systems”:

https://whowhatwhy.org/2021/03/08/election-assistance-commission-investigates-ess-voting-systems/


1) “Alert: BMP Files May Contain a New Virus”, https://www.helpnetsecurity.com/2004/05/14/alert-bmp-files-may-contain-a-new-virus/

2) “Challenger: The Final Flight” (Netflix), https://www.netflix.com/watch/81012171 About the o-ring ref-flags, see especially the 3rd and 4th episodes.

One comment on “The Little Bits Matter
  1. Moderator says:

    https://www.helpnetsecurity.com/2004/05/14/alert-bmp-files-may-contain-a-new-virus/
    May 14, 2004
    Share
    Alert: BMP Files May Contain a New Virus
    Agent, a new Trojan using BMP files has been mailed to users worldwide

    Kaspersky Labs, a leading information security software developer has detected a mass mailing of a new Trojan named Agent. Agent infects victim machines when users view graphics in BMP format.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Details Matter

KENNEDY SPACE CENTER, UNITED STATES: Picture taken 28 January 1986 by NASA showing the solid fuel rocket booster of the space shuttle Challenger starting to explode over Kennedy Space Center. The US space shuttle exploded seconds after lift-off, killing it crew of seven. Challenger was 72 seconds into its flight, travelling at nearly 2,000 mph at a height of ten miles, when it was suddenly envelope in a red, orange and white fireball as thousands of tons of liquid hydrogen and oxygen fuel exploded. AFP PHOTO NASA (Photo credit should read AFP/AFP/Getty Images)

%d bloggers like this: