Diebold GEMS central tabulator contains a stunning security hole

BlackBoxVoting ^ | 8/26/04 | Bev Harris

[Brownie74]

Bump.

[Joe Brower]

jdege, I just got a reply from Jim March on your comment in post# 63. Here it is:

***

OK, there's two problems with what JDedge is saying.

Problem one is the EXACT nature of what we're dealing with here with GEMS.

All of the vote totals go into two "tables" within the MS-Access database. Each of these tables lists votes per candidate, by precinct.

One table (CandidateCounter) is used to generate the precinct-by-precinct reporting data and the other (SumCandidateCounter) is used to generate the vote totals when you ask GEMS for the countywide figure. The "front door user" (running just GEMS versus hacking in the data with MS-Access or Visual Basic scripts) doesn't realize that two different tables are supplying the data for each type of request.

By default, the two tables are "linked" and provide the same data.

But there's a third table: SumVCenterStats

SumVCenterStats has only two columns. The first lists precinct numbers (VCenterID). The second is literally called "Dirty". That second will have a one or two digit code for each precinct ("Voting Center").

Exactly what the code IS varies by version of GEMS, we've had to play around and try various things and we know what the codes are for maybe 2/3rds of the various GEMS versions. A typical example: a "zero" in the precinct's "dirty" entry means the two data tables (CandidateCounter and SumCandidateCounter) are cross-linked and always provide the same numbers. A "-1" code "decouples" the two data tables and allows vote-hacking on a precinct-by-precinct basis.

Once the two main tables are decoupled, then votes can be altered in the table that generates countywide summary data, yet if you go back and spot-check ANY precinct, or even a group or ALL of them, your numbers for a given precinct will be compared to "CandidateCounter" and NOT "SumCandidateCounter". To find this, you'd have to print out the results for each precinct, add these thousands (in a decent sized county) on a hand-calculator and compare to the results for the whole county. And why would you do that? It appears that GEMS is pulling the data from the same source, I mean...why wouldn't they?

To commit fraud, that's why.

Still don't think this is deliberate?

In all elections, some paper optical scan ballots (used for absentee vote in touchscreen counties) will fail to be scannable. Some moron will write them in crayon, blood, God knows what. So some clerk will have to do a manual entry in GEMS on a stack of, say, 30 or so. Well it's human nature to go check your work. After entering, a clerk is liable to make sure that the data incremented FIRST on the precinct data and then they might check the countywide totals to "be sure". Knowing this, Diebold programmed GEMS to alter the "dirty" field whenever a manual entry happens, re-coupling any precinct where manual entries happen.

Joe, in accounting terms, this is what you call "two sets of books". It's a hallmark of fraud.

Problem two:

Bev Harris downloaded a bunch of versions of GEMS, between the 1.16.xx era and 1.18.17. The latest certified in California is 1.18.19 (and an AZ elections official let her check that briefly, all of the above is still going on).

She decided to find out how long "two sets of books" has been the norm in this thing. She was able to pin down the version it first appeared (1.17.5) and based on the 15,000 EMails released summer of '03, the approximate data of release: late Oct. 2000, in time for the Nov. election.

This is significant. Why?

Between the early '80s and about 1990ish, a computer consultant name of Jeffrey Dean ripped off the biggest law firm in Seattle using sophisticated software to rig their books. Early '90s, he was convicted of 23 counts of fraud for almost half a million bucks. He told Seattle PD in a police report that he'd gotten in a fight with somebody in Canada, they'd died afterwards and he was paying blackmail (yes, I've read the report).

While in jail, he met one of the co-founders of Global Election Systems. By the late '90s, he was out and part-owner of a ballot printing company. A bit later he did computer consulting for the King County WA elections division. He was then hired as HEAD OF PROGRAMMING for Global Election Systems.

In early Oct. of 2000.

This is fact, Joe. Confirmed six ways from Sunday.

Need full documentation? Go to google and search with:

"Jeffrey Dean" site:www.blackboxvoting.org

Share this with whoever you want.

- Jim

[Joe Brower]

weegee, I just got a reply from Jim March on your comment in post# 77. Here it is:

***

Joe, when attorney Lowell Finley came to me with the idea of suing Diebold to get the California counties their money back, I told him I wouldn't do it unless Bev Harris was also involved. Understand, in that sort of "whistleblower" action he was telling me about, the "whistleblowers" get to split a percentage of the collected winnings. In the case of Alameda County alone, that's a $14.5mil contract; prove fraud and it's $43.5mil, the "cut" is either 15% (if the gov't attorneys help out) or 30% (if they don't).

So I automatically decided to drop my cut in half, because I couldn't walk away with that kind of money without Bev Harris also collecting.

That was in my FIRST conversation with Finley, in Oct. of '03.

So that's what I think of Bev Harris. And nothing has changed my opinion since.

Jim

[jdege]

Given that explanation, fraud does certainly seem possible.

But the corrupt code can be removed. I'm even less convinced of the security of the system than before.

It's using Access? Ye gads! The data store for this needn't be complex, but it needs to be secure from modification by mechanisms outside software control. Data stored in Access is not so secured.

And it's storing counts? Even worse.

It should be storing digitally signed ballot-equivalents. The counts should be generated from these. The counts should not be stored, let alone allowed to be modified by the users.

[Joe Brower]

As a database engineer for the last twenty years, I had the same reaction. "Access!?!" I almost fell out of my chair.

[Pilsner Porterstout]

Greetings,

Before everyone jumps on the Democratic vote fraud bandwagon, one should consider who is at the helm at Diebold. This is not new information.

Regardless of party affiliation - these computer voting machines are a very BAD idea! Bring back paper ballots!

-PP

Published on Thursday, August 28, 2003 by the Cleveland Plain Dealer
Voting Machine Controversy
by Julie Carr Smyth

COLUMBUS - The head of a company vying to sell voting machines in Ohio told Republicans in a recent fund-raising letter that he is "committed to helping Ohio deliver its electoral votes to the president next year."

The Aug. 14 letter from Walden O'Dell, chief executive of Diebold Inc. - who has become active in the re-election effort of President Bush - prompted Democrats this week to question the propriety of allowing O'Dell's company to calculate votes in the 2004 presidential election.

O'Dell attended a strategy pow-wow with wealthy Bush benefactors - known as Rangers and Pioneers - at the president's Crawford, Texas, ranch earlier this month. The next week, he penned invitations to a $1,000-a-plate fund-raiser to benefit the Ohio Republican Party's federal campaign fund - partially benefiting Bush - at his mansion in the Columbus suburb of Upper Arlington.

The letter went out the day before Ohio Secretary of State Ken Blackwell, also a Republican, was set to qualify Diebold as one of three firms eligible to sell upgraded electronic voting machines to Ohio counties in time for the 2004 election.

Blackwell's announcement is still in limbo because of a court challenge over the fairness of the selection process by a disqualified bidder, Sequoia Voting Systems.

In his invitation letter, O'Dell asked guests to consider donating or raising up to $10,000 each for the federal account that the state GOP will use to help Bush and other federal candidates - money that legislative Democratic leaders charged could come back to benefit Blackwell.

They urged Blackwell to remove Diebold from the field of voting-machine companies eligible to sell to Ohio counties.

This is the second such request in as many months. State Sen. Jeff Jacobson, a Dayton-area Republican, asked Blackwell in July to disqualify Diebold after security concerns arose over its equipment.

"Ordinary Ohioans may infer that Blackwell's office is looking past Diebold's security issues because its CEO is seeking $10,000 donations for Blackwell's party - donations that could be made with statewide elected officials right there in the same room," said Senate Democratic Leader Greg DiDonato.

Diebold spokeswoman Michelle Griggy said O'Dell - who was unavailable to comment personally - has held fund-raisers in his home for many causes, including the Columbus Zoo, Op era Columbus, Catholic Social Services and Ohio State University.

Ohio GOP spokesman Jason Mauk said the party approached O'Dell about hosting the event at his home, the historic Cotswold Manor, and not the other way around. Mauk said that under federal campaign finance rules, the party cannot use any money from its federal account for state- level candidates.

"To think that Diebold is somehow tainted because they have a couple folks on their board who support the president is just unfair," Mauk said.

Griggy said in an e-mail statement that Diebold could not comment on the political contributions of individual company employees.

Blackwell said Diebold is not the only company with political connections - noting that lobbyists for voting-machine makers read like a who's who of Columbus' powerful and politically connected.

"Let me put it to you this way: If there was one person uniquely involved in the political process, that might be troubling," he said. "But there's no one that hasn't used every legitimate avenue and bit of leverage that they could legally use to get their product looked at. Believe me, if there is a political lever to be pulled, all of them have pulled it."

Blackwell said he stands by the process used for selecting voting machine vendors as fair, thorough and impartial.

As of yesterday, however, that determination lay with Ohio Court of Claims Judge Fred Shoemaker.

He heard closing arguments yesterday over whether Sequoia was unfairly eliminated by Blackwell midway through the final phase of negotiations.

Shoemaker extended a temporary restraining order in the case for 14 days, but said he hopes to issue his opinion sooner than that.

© 2003 The Plain Dealer

[jdege]

For some problems, cheap simple tools are fine.

And this isn't something that needs the massive I/O capabilities of an Oracle server.

But it does need to ensure that the data cannot be changed from outside the control of the program.

In fact, what it really needs is a way to ensure that the data cannot be changed, period.

That is, like all auditable systems, it should be impossible to remove or overwrite existing data. You should be allowed only to add data.

If, for example, a user accidently runs a batch of ballots through twice, then all of those ballots should be recorded twice. And if the election supervisor then wants to undo one of the runs, she should be adding an adjustment record, that includes who she is and why she is doing it.

In other words, the ledger (and there should be a ledger) should include:

District:41A Precinct:4 Batch:A, operator:Donna time:13:42

Ballot:1101 Smith:Y Jones:N
Ballot:1107 Smith:N Jones:Y
Ballot:1113 Smith:Y Jones:Y
Ballot:1144 Smith:Y Jones:N
Ballot:1175 Smith:N Jones:Y
Ballot:1206 Smith:N Jones:N

Summary Smith:2 Jones:2 Overvotes:1 Undervotes:1
Cumulative Smith:112 Jones:72 Overvotes:6 Undervotes:8

District:41A Precinct:4 Batch:A, operator:Donna time:13:44

Ballot:1101 Smith:Y Jones:N
Ballot:1107 Smith:N Jones:Y
Ballot:1113 Smith:Y Jones:Y
Ballot:1144 Smith:Y Jones:N
Ballot:1175 Smith:N Jones:Y
Ballot:1206 Smith:N Jones:N

Summary Smith:2 Jones:2 Overvotes:1 Undervotes:1
Cumulative Smith:114 Jones:75 Overvotes:7 Undervotes:9

District:41A Precinct:4 Batch:A, operator:Hanna time:13:45

Adjustment Smith:-2 Jones:-2 Overvotes:-1 Undervotes:-1
Reason: Donna ran Precinct of District 41A twice
Authorization Official:Sam Johnson auth_num:41561

Summary Smith:-2 Jones:-2 Overvotes:1 Undervotes:1
Cumulative Smith:112 Jones:72 Overvotes:6 Undervotes:8

Every change made to the data should be permanently recorded, including mistakes and corrections to compensate for the mistake.

And every individual entry in the ledger should be signed so that changes can be detected.

[Joe Brower]

I agree 100%. Standard accounting methodology. Nothing gets deleted -- new rows are inserted, and then multiple rows are detected and handled at final processing. The very fact that it deliberately wasn't done this way speaks volumes.

I think you and I should get the contract to fix these things and redeploy. I figure $100 million might get the project off to a good start. $:-)

[Phantom Lord]

I fully agree that the electronic voting is a serious issue. My comments were directly in regard to Bev Harris and her crazy conspiracy theories and the looney tunes over at DU that believe it 100%

[djreece]

Thank you for posting this. Absolutely bone chilling.

[supercat]

I agree 100%. Standard accounting methodology. Nothing gets deleted -- new rows are inserted, and then multiple rows are detected and handled at final processing. The very fact that it deliberately wasn't done this way speaks volumes.

Indeed, a number of machine-readable technologies exist which implement this sort of construct. For example, if one has means in place to prevent outright substitution, I believe CD-R media fit this criterion. Because of the way information is encoded on the disk, it is basically impossible to alter existing data without something 'fishy' being detected [the data coding wouldn't allow any data to be added without flagging an error, but it may be possible to 'burn' extra spots on a disk sector so it will show up with a 'recoverable read error' that yields data different from the original; forensic analysis of the disk would show the alteration, however).

[Capricam]

Yeah, but luckily, we've got most of the military on our side and we're the ones that are still 'armed'. If Kerry cheats his way in, we'll be disarmed so fast our heads will spin, and Kerry will gut the military ten times worse than Clinton did. (I plan to hide my guns before that happens)

[Capricam]

It's too late now. We've had FOUR years to fix these problems and if we haven't by now, whose fault is that? OURS.

[Looking for Diogenes]

One specification (in at least in one large county) which complicates the design of the voting machines is the one that requires that the votes must not be recorded sequentially. I presume that they do not want anyone to be able to determine which voter cast each ballot. The Registrar will not allow a scheme in which the data can be recorded like in a ledger book.

Here's a recent story of the testing of the voting system in Riverside County, California.
DOWN FOR THE COUNT
http://www.lacitybeat.com/article.php?id=1013

[mdmathis6]

If the entering the code causes a second column of votes to be created and manipulated...and read, are the first votes actually deleted or just stored in memory somewhere?

If stored, or at least changed, it should still be possible to track the deletions or changes especially when time codes are involved. Courts might end up discounting entire hard drives.

People should be instructed to write down their voting order number, then write down what they or who they actually vote for...that way in any court fight, they can actually sue to find out what was tabulated against their number.

[.38sw]

Jim March wrote this explanation on The High Road:

Whenever Diebold sells a voting system, they install "voting terminals". These are either "touchscreens" which involve no paper trail at all and are theoretically the LEAST secure, and "optical scan" stations at the polls which read your filled-in-with-a-#2-pencil cards - you fill in the dots on pre-printed sheets, it "scans" the sheets for your vote which is recorded electronically BUT the paper you filled out still exists for recounts.

So far so good, right?

The counties that buy the higher-end "touchscreen" systems also use some optical scan, as that's how absentee votes are dealt with.

So Diebold needs ONE piece of software running on one computer per customer county that "tallies" the incoming votes, both optical scan and touchscreen.

That program is called "GEMS" (Global Election Management Software). It runs on a single beefed up PC per county.

Somebody at Diebold Election Systems rigged the GEMS program for fraud. (Actually, the "rig" first appeared in Oct. of 2000 when it was "Global Election Systems" based in Canada, bought by the Diebold corp in Canton Ohio in 2002.)

The rig works like this:

GEMS takes in the data and keeps it in two separate places internally, without telling honest election officials it's doing so.

By default, the two internal counts of votes match.

One count is used to supply county-wide TOTAL data, while the other provides the precinct-by-precinct details.

There's a "cheat code" that allows you to make the two totals NOT MATCH.

Once you do that, you can tinker with the county-wide totals all you want, and it won't be caught.

Why not?

Because if an honest elections official of any state "smells a rat", they do "spot checking". They know precinct #341 had 450 votes for Bush, 297 for Gore, based on the paper if it's optical scan, or the touchscreen terminal printouts if that's what's up. So they check to see if GEMS reports those numbers for that precinct. They spot-check a couple more. In California, they're required by law to do this for 1% of the total vote every time.

They can do that all they want, because the set of numbers that feeds the precinct-by-precinct counts aren't rigged. They're left clean. It's the set that feeds the countywide data that's rigged.

Not knowing there's "two sets of books" inside the program, the honest election officials and clerks have no idea what's possible via "back door tampering". If they print out the hundreds of pages of precinct-by-precinct tallies and add them up on a hand calculator for EVERY race, then compare that to the GEMS totals, they can catch this kind of fraud but the workload for that would be nuts and who would bother not knowing the damn program is rigged?

THAT is what's going on here!

So, there are two sets of internal "books" with a "cheat code" that is used to access the set of books that is sent up as the tally. Unbelievable.

[Joe Brower]

weegee,

Here is a bit more from Jim March on Bev Harris. My take on Bev, and what I told Jim, is this:

Just because someone's a Democrat doesn't matter a hoot to me if they're doing the good work she's doing. (Plus the fact that she's a gun owner is a good sign! $;-)

Too many folks on FR instantly brand a person a "traitor" the second it's revealed that they ever logged onto "democraticunderground.com". I don't buy that -- that kind of knee-jerk extremism only hurts, not helps. This issue goes beyond party lines in a big way, as I see it. EVERYONE needs to know about this.

***

Joe,

Fairly early in the game (esp. through about Nov. of '03) DU became THE central discussion place for Bev's findings. I was a frequent poster too, until they found out I wasn't a Dem and threw me off on that basis :). And yes, that's where Harris met Andy Stephenson, who I can't say enough good things about regarding his work on this issue. (And yes, HE is pro-gun despite being both gay and a Democrat.) DU was used in large part because during this period, various hacks and manipulations kept hosing Bev's blackboxvoting.org site.

Now, all DU gets is basically updates. The real strategizing happens elsewhere, mainly on the blackboxvoting.org forums.

Thanks for the cross-posts to Freep. I'll track that thread as I have time, let me know if anything interesting pops up.

Jim

[Joe Brower]

Jim March just sent me this. I advise everyone to go over there and check it out. And yes, before anyone goes "HOWARD DEAN"!?!, this is because he was the only politician who has deigned to look at it. The vast majority of politicans have, so far, refused to even consider what is being said here.

***

Post the following link to Freep:

http://www.equalccw.com/deandemo.html

It's the same thing Howard Dean saw on CNBC less than a month ago, via screenshots. Just made that page.

[Goldwater Girl]

Thanks for the ping, Joe. I agree the accusation is chilling, but it seems to me rather easy to confirm. Florida wouldn't certify Diebold touch screen systems until a couple of months ago and the system they approved is not in use in any other state- it will be in Duval, if they can get it on line in time. But we do use Diebold optical scan in some counties- and presumably the GEMS system, too.
Why not send this info to Paul Kraft at Division of Elections (he's the one who tests and certifies all the systems before they can be used in Fla)-- if the counties using GEMS have 2 sets of books, we still have the hard ballots and the final printout from the Primary- we can prove the fraud- and in time to prevent them stealing the election in November. GG

[Prime Choice]

What's truly scary is this:

www.diebold.com/dieboldes/GEMS.htm

Bear in mind that Diebold is talking up Microsoft software, but the hardware they're showing off on this page is Sun Microsystems SPARC hardware; a platform on which Windows does not run and has never run.

We're entrusting our votes to a firm that can't even get its story straight on what the system they made is comprised of? Who do these jackwits think we are? Democrats??