Dr. Williams, says Michael Barnes (Georgia Secretary of State's Office; his interview also appears on this page), is the man who certifies voting machines for the state of Georgia.
Professor Emeritus - CSIS Dept, Kennesaw State College - Kennesaw, Georgia
Harris: "I have questions regarding your certification of the machines used in Georgia during the last election."
Dr. Williams: "For the state of Georgia — I don't do certification. The law gives the Secretary of State the authority to say what systems are certified and what are not. What I do is an evaluation of the system. The FEC publishes standards for voting systems. We have national labs that examine for compliance with FEC and if they are in compliance, certification is issued by NASED. Once that's done it's brought into the state and I evaluate them as to whether or not they comply with any state laws. Then we look at ease of installation and operation. Then I prepare a report to the Secretary of State, essentially stating whether or not the system is in compliance with Georgia rules and regulations. Then the Secretary of State takes that report, in combination with the others, and certifies it."
Harris: "What was your involvement in certifying the program patch that was put on? Did you actually certify the patch, or did you determine that it was not necessary?"
Dr. Williams: "Part of our testing program is when these machines are delivered we look at the machines and see that they comply. And in the process of doing that — representatives of Kennesaw University did this — we found about 4-5% of the machines were rejected, not all because of screen freezes but that was one of the problems."
Harris: "It was the screen freezes that caused them to issue a program patch?"
Dr. Williams: "Yes. The vendor created a patch addressing the screen freezing. It made it better but didn't completely alleviate the problem."
Harris: "Did you do a line by line examination of the original source code?"
Dr. Williams: "For the original — no. We don't look at the source code anyway, that's something done by the federal ITAs."
Harris: "Did you do a line by line examination of the patch?"
Dr. Williams: "The patch was to the operating system, not to the program per se."
Harris: "It only changed Windows files? Do you know that it didn't change anything in the other program, did you examine that?"
Dr. Williams: "We were assured by the vendor that the patch did not impact any of the things that we had previously tested on the machine."
Harris: "Did anyone look at what was contained in the replacement files?"
Dr. Williams: "We don't look at source code on the operating system anyway. On our level we don't look at the source code, that's the federal certification labs that do that."
Harris: "Did you issue a written report to the Secretary of State indicating that it was not necessary to look at the patch?"
Dr. Williams: "It was informal — not a report — we were in the heat of trying to get an election off the ground. A lot was done by e-mails."
Harris: "What month did you install that program patch?"
Dr. Williams: "When we took delivery we were seeing that the patch was on there."
Harris: "I have a memo from the Secretary of State's office that is dated in August, and it says that due to a problem with the screens freezing, a patch was going to be put on all the machines in Georgia. It references a Rebecca Mercuri report —"
Dr. Williams: "Rebecca Mercuri is a professor who has done a lot of writing on these things —"
Harris: "Well, I know, and I don't have the memo she apparently wrote which he referenced, all I have is the response from the Secretary of State's office, so let's just deal with that. Apparently, someone had already taken delivery on these machines and they had already been shipped out around the state before the patch was applied, is that right?"
Dr. Williams: "The patches were done while we were doing acceptance testing. One of the things we looked for during acceptance testing was to make sure the patch was put in."
Harris: "But as I understand it, a team of people went around the state putting these patches on."
Dr. Williams: "By the time they put the patches in, the majority of the machines had been delivered."
"Actually, it was going on at the same time. When they started putting the patches in around the state, we tested the machines where they did that [put the patches in] at the factory."
Harris: "When I spoke with Michael Barnes, he said that you tested all the machines, or a random sampling of the machines, after the patch was put on."
Dr. Williams: "We had five or six teams of people with a test script that they ran on each machine —"
Harris: "The test script did what?"
Dr. Williams: "The test script was generic. It was in two parts. One part tested the functionality of the machine. It was a hardware diagnostic, it primarily tested that the printer worked, that the serial port worked, that the card reader worked, tested the date and time in the machine, and to an extent checked calibration of the machine. Then if it passed all of those, it tested the election. We loaded a small sample election in, the same as the one used during certification testing, and we ran a pattern of votes on there."
Harris: "You mean a logic and accuracy test?"
Dr. Williams: "Yes. A little miniature election. If the machine passed, we wrote it up and sent the report back to the office. If it failed -- if it froze up or there were other failures, and there were some of those, like the card reader was broken or the case was broken, then we didn't pass it."
Harris: "Can you tell me about the digital signature?"
Dr. Williams: "That's part of the test that involves looking at the software -- putting the patch on wouldn't change the digital signature."
Harris: "But if you put in a program patch, wouldn't that show that a change has been made?"
Dr. Williams: "No, because the patch was only in the Windows portion — there was no digital signature check on the operating system."
Harris: "Was the digital signature put on by Diebold during development, or by the lab, or who?"
Dr. Williams: "No, that's not how it works. It's inherent in the system — it exists in the system like your fingerprint. They write the source code and the source code is submitted to the federal lab. When it passes the lab they freeze the source code, at that point it's archived. Any change after that is subject to retesting."
Harris: "What was the security around the creation of the cards used to implement the patch?"
Dr. Williams: "That's a real good question. Like I say, we were in the heat of the election. Some of the things we did, we probably compromised security a little bit -- Let me emphasize we've gone back since the election and done extensive testing on all this."
Harris: "Based on your knowledge of what that patch did, would it have been needed for all the machines of same make, model and program? Including machines sold to Maryland and Kansas that were built and shipped around the same time?"
Dr. Williams: "Yeah, but now the key phrase is with the 'same system.' Maryland ran a similar version with a different version of Windows and did not have this problem."
Harris: "So the program was certified by the federal labs even when it ran on different versions of the operating system?"
Dr. Williams: "Yes, they don't go into the operating system."
Harris: "There was an unprotected FTP site which contained software and hardware specifications, some source code, and lots of files. One file on that site was called 'rob-georgia' and this file contained files with instructions to 'replace GEMS files with these' and 'replace Windows files with these and run program.' Does this concern you?"
Dr. Williams: "I'm not familiar with that FTP site."
Harris: "Is there a utility which reports the signature? Who checks this, and how close to election day?"
Dr. Williams: "We do that when we do acceptance testing. That would be before election testing."
Harris: "What way would there be to make sure nothing had changed between the time that you took delivery and the election?"
Dr. Williams: "Well there wouldn't — there's no way that you can be absolutely sure that nothing has changed."
Harris: "Wouldn't it help to check that digital signature, or checksum, or whatever, right before the election?"
Dr. Williams: "Well that is outside of the scope of what some of the people there can do. I can't think of any way anyone could come in and replace those files before the election —"
Harris: "Since no one at the state level looks at the source code, if the federal lab doesn't examine the source code line by line, we have a problem, wouldn't you agree?"
Dr. Williams: "Yes. — But wait a minute — I feel you are going to write a conspiracy article."
Harris: "What I'm looking at is the security of the system itself, specifically, what procedures are in place to make sure an insider cannot insert malicious code into the system."
Dr. Williams: "There are external procedures involved that prevent that."
Harris: "This is exactly what I want to know. If you know what procedures would prevent that, could you explain them to me?"
Dr. Williams: "We have the source code. How can they prevent us from reviewing it? I have copies of source code that I've certified."
Harris: "But you said you do not examine the source code."
Dr. Williams: "Yes, but the ITA did it. The ITA, when they finish certifying the system, I get it from the ITA — someone would have to tamper with the source code before it goes to the ITA and the ITA would have to not catch it."
Harris: "And if someone inside the company tampered with the source code, and the ITA does not do a line by line examination of the source code, this would not be secure, isn't that right?"
Dr. Williams: "Well, but I don't believe that. Have you spoken with the testing labs to verify that?"
Harris: "I have spoken with Wyle, who tells me they stopped certifying voting machine software in 1996. I have spoken with the founder of a voting machine testing lab, who told me the companies refused to allow him to do a detailed examination of the source code —"
Dr. Williams: "How is that possible?"
Harris: "I'm just telling you what he told me."
Dr. Williams: "Which lab was this?"
Harris: "It will be in my article."
Dr. Williams: "Well I don't believe that the labs don't examine the source code."
Harris: "I have seen a testing report from one of the labs [Ciber] that certifies these things, and it indicates that operational tests were done, but it did not indicate that a line by line testing of the source code was done."
Dr. Williams: "I think you are basing your story on incorrect information and if you're going to report some kind of a conspiracy theory —"
Harris: "I take issue with that characterization. Not a conspiracy at all. What I am examining is security. I am looking into whether it is possible, assuming you buy a programmer or two, or find a programmer who is a zealot, if it is possible to tamper with the results these machines give out. We do know that, for instance, with the lever machines in New York, people manipulated election results by buying the technicians."
Dr. Williams: "Well you'd have to have access."
Harris: "Yes. What I'm asking you is, if the lab does not do a line by line testing of the source code itself, do we have a problem?"
Dr. Williams: "Yes, but I'm sure they do that."