Posted on 08/27/2003 5:34:38 PM PDT by vannrox
CONTENTS
Introduction
Part 1 - Can the votes be changed?
Part 2 - Can the password be bypassed?
Part 3 - Can the audit log be altered?

*************

According to election industry officials, electronic voting systems are absolutely secure, because they are protected by passwords and tamperproof audit logs. But the passwords can easily be bypassed, and in fact the audit logs can be altered. Worse, the votes can be changed without anyone knowing, even the County Election Supervisor who runs the election system.

The computer programs that tell electronic voting machines how to record and tally votes are allowed to be held as "trade secrets." Can citizens' groups examine them? No. The companies that make these machines insist that their mechanisms are a proprietary secret. Can citizens' groups, or even election officials, audit their accuracy? Not at all, with touch screens, and rarely, with optical scans, because most state laws mandate that optical scan paper ballots be run through the machine and then sealed into a box, never to be counted unless there is a court order. Even in recounts, the ballots are just run through the machine again. Nowadays, all we look at is the machine tally.

Therefore, when I found that Diebold Election Systems had been storing 40,000 of its files on an open web site, an obscure site, never revealed to public interest groups, but generally known among election industry insiders, and available to any hacker with a laptop, I looked at the files. Having a so-called security-conscious voting machine manufacturer store sensitive files on an unprotected public web site, allowing anonymous access, was bad enough, but when I saw what was in the files my hair turned gray. Really. It did.
The contents of these files amounted to a virtual handbook for vote-tampering: They contained diagrams of remote communications setups, passwords, encryption keys, source code, user manuals, testing protocols, and simulators, as well as files loaded with votes and voting machine software.

Diebold Elections Systems AccuVote systems use software called "GEMS," and this system is used in 37 states.

The voting system works like this: Voters vote at the precinct, running their ballot through an optical scan, or entering their vote on a touch screen. After the polls close, poll workers transmit the votes that have been accumulated to the county office. They do this by modem. At the county office, there is a "host computer" with a program on it called GEMS. GEMS receives the incoming votes and stores them in a vote ledger.

But in the files we examined, which were created by Diebold employees and/or county officials, we learned that the Diebold program used another set of books with a copy of what is in vote ledger 1. And at the same time, it made yet a third vote ledger with another copy.

Apparently, the Elections Supervisor never sees these three sets of books. All she sees is the reports she can run: Election summary (totals, county wide) or a detail report (totals for each precinct). She has no way of knowing that her GEMS program is using multiple sets of books, because the GEMS interface draws its data from an Access database, which is hidden.

And here is what is quite odd: On the programs we tested, the Election summary (totals, county wide) comes from vote ledger 2 instead of vote ledger 1, and ledger 2 can be altered so it may or may not match ledger 1.

Now, think of it like this: You want the report to add up only the actual votes. But, unbeknownst to the election supervisor, votes can be added and subtracted from vote ledger 2. Official reports come from vote ledger 2, which has been disengaged from vote ledger 1.
If one asks for a detailed report for some precincts, though, the report comes from vote ledger 1. Therefore, if you keep the correct votes in vote ledger 1, a spot check of detailed precincts (even if you compare voter-verified paper ballots) will always be correct.

And what is vote ledger 3 for? For now, we are calling it the "Lord Only Knows" vote ledger.

*************

Detailed Examination Of Diebold GEMS Voting Machine Security (Part 1)

Here's what we're going to do: We'll go in and run a totals report, so you can see what the Election Supervisor sees. Then we'll tamper with the votes. I'll show you that our tampering appears in Table 2, but not Table 1. Then we'll go back and run another totals report, and you'll see that it contains the tampered votes from Table 2.

Remember that there are two programs: The GEMS program, which the Election Supervisor sees, and the Microsoft Access database that stores the votes, which she cannot see.

Let's run a report on the Max Cleland/Saxby Chambliss race. (This is an example, and does not contain the real data.) Here is what the Totals Report will look like in GEMS:
As it stands, Cleland is stomping Chambliss. Let's make it more exciting.

The GEMS election file contains more than one "set of books." They are hidden from the person running the GEMS program, but you can see them if you go into Microsoft Access.

You might look at it like this: Suppose you have votes on paper ballots, and you pile all the paper ballots in room one. Then, you make a copy of all the ballots and put the stack of copies in room 2. You then leave the door open to room 2, so that people can come in and out, replacing some of the votes in the stack with their own. You could have some sort of security device that would tell you if any of the copies of votes in room 2 have been changed, but you opt not to.

Now, suppose you want to count the votes. Should you count them from room 1 (original votes)? Or should you count them from room 2, where they may or may not be the same as room 1? What Diebold chose to do in the files we examined was to count the votes from "room 2."

Illustration: If an intruder opens the GEMS program in Microsoft Access, they will find that each candidate has an assigned number:
One can then go see how many votes a candidate has by visiting "room 1" which is called the CandidateCounter:
In the above example, "454" represents Max Cleland and "455" represents Saxby Chambliss. Now let's visit Room2, which has copies of Room1. You can find it in an Access table called SumCandidateCounter:
Now let's put our own votes in Room2. We'll put Chambliss ahead by a nose, by subtracting 100 from Cleland and adding 100 to Chambliss. Always add and delete the same number of votes, so the number of voters won't change.
Now let's run a report again. Go into GEMS and run the totals report. Here's what it looks like now:
Now, the above example is for a simple race using just one precinct. If you run a detail report, you'll see that the precinct report pulls the untampered data, while the totals report pulls the tampered data. This would allow a precinct to pass a spot check.

*************

Detailed Examination Of Diebold GEMS Voting Machine Security (Part 2)

CAN THE PASSWORD BE BYPASSED?

At least a dozen full installation versions of the GEMS program were available on the Diebold ftp site. The manual, also available on the ftp site, tells that the default password in a new installation is "GEMSUSER." Anyone who downloaded and installed GEMS can bypass the passwords in elections. In this examination, we installed GEMS, clicked "new" and made a test election, then closed it and opened the same file in Microsoft Access.

One finds where they store the passwords by clicking the "Operator" table.
Anyone can copy an encrypted password from there, go to an election database, and paste it into that.

Example: Cobb County Election file

One can overwrite the "admin" password with another, copied from another GEMS installation. It will appear encrypted; no worries, just cut and paste. In this example, we saved the old "admin" password so we could replace it later and delete the evidence that we'd been there. An intruder can grant himself administrative privileges by putting zeros in the other boxes, following the example in "admin."
How many people can gain access? A sociable election hacker can give all his friends access to the database too! In this case, they were added in a test GEMS installation and copied into the Cobb County Microsoft Access file. It encrypted each password as a different character string; however, all the passwords are the same word: "password." Password replacement can also be done directly in Access. To assess how tightly controlled the election files really are, we added 50 of our friends; so far, we haven't found a limit to how many people can be granted access to the election database.
Using this simple way to bypass password security, an intruder, or an insider, can enter GEMS programs and play with election databases to their heart's content.

*************

Detailed Examination Of Diebold GEMS Voting Machine Security (Part 3)

CAN THE AUDIT TRAIL BE ALTERED?

Britain J. Williams, Ph.D., is the official voting machine certifier for the state of Georgia, and he sits on the committee that decides how voting machines will be tested and evaluated. Here's what he had to say about the security of Diebold voting machines, in a letter dated April 23, 2003:

"Computer System Security Features: The computer portion of the election system contains features that facilitate overall security of the election system. Primary among these features is a comprehensive set of audit data. For transactions that occur on the system, a record is made of the nature of the transaction, the time of the transaction, and the person that initiated the transaction. This record is written to the audit log. If an incident occurs on the system, this audit log allows an investigator to reconstruct the sequence of events that occurred surrounding the incident. In addition, passwords are used to limit access to the system to authorized personnel."

Since Dr. Williams listed the audit data as the primary security feature, we decided to find out how hard it is to alter the audit log.

Here is a copy of a GEMS audit report.
Note that a user by the name of "Evildoer" was added. Evildoer performed various functions, including running reports to check his vote-rigging work, but only some of his activities showed up on the audit log. It was a simple matter to eliminate Evildoer. First, we opened the election database in Access, where we opened the audit table:
Then, we deleted all the references to Evildoer and, because we noticed that the audit log never noticed when the admin closed the GEMS program before, we tidily added an entry for that.
Access encourages those who create audit logs to use auto-numbering, so that every logged entry has an uneditable log number. Then, if one deletes audit entries, a gap in the numbering sequence will appear. However, we found that this feature was disabled, allowing us to write in our own log numbers. We were able to add and delete from the audit without leaving a trace. Going back into GEMS, we ran another audit log to see if Evildoer had been purged:
As you can see, the audit log appears pristine.

In fact, when using Access to adjust the vote tallies we found that tampering never made it to the audit log at all.

Although we interviewed election officials and also the technicians who set up the Diebold system in Georgia, and they confirmed that the GEMS system does use Microsoft Access, is designed for remote access, and does receive "data corrections" from time to time from support personnel, we have not yet had the opportunity to test the above tampering methods in the County Election Supervisor's office.

From a programming standpoint, there might be reasons to have a special vote ledger that disengages from the real one. For example, election officials might say they need to be able to alter the votes to add provisional ballots or absentee ballots. If so, this calls into question the training of these officials, which appears to be done by The Election Center, under the direction of R. Doug Lewis. If election officials are taught to deal with changes by overwriting votes, regardless of whether they do this in vote ledger 1 or vote ledger 2, this is improper.

If changing election data is required, the corrective entry must be made not by overwriting vote totals, but by making a corrective entry. When adding provisional ballots, for example, the proper procedure is to add a line item "provisional ballots," and this should be added into the original vote table (Table 1). It is never acceptable to make changes by overwriting vote totals. Data corrections should not be prohibited, but must always be done by indicating changes through a clearly marked line item that preserves each transaction.

Proper bookkeeping never allows an extra ledger that can be used to just erase the original information and add your own. And certainly, it is improper to have the official reports come from the second ledger, which may or may not have information erased or added.
But there is more evidence that these extra sets of books are illicit: If election officials were using Table 2 to add votes, for provisional ballots, or absentee voters, that would be in their GEMS program. It makes no sense, if that's what Diebold claims the extra set of books is for, to make vote corrections by sneaking in through the back door and using Access, which according to the manual is not even installed on the election official's computer.

Furthermore, if changing Table 2 was an acceptable way to adjust for provisional ballots and absentee votes, we would see the option in GEMS to print a report of both Table 1 totals and Table 2 so that we can compare them. Certainly, if that were the case, that would be in the manual along with instructions that say to compare Table 1 to Table 2, and, if there is any difference, to make sure it exactly matches the number of absentee ballots, or whatever, were added.

Using Microsoft Access was inappropriate for security reasons. Using multiple sets of books, and/or altering vote totals to include new data, is improper for accounting reasons. And, as a member of slashdot.org commented, "This is not a bug, it's a feature."

One more time....
Diebold - The Face Of Modern Ballot Tampering
Tuesday, 12 November 2002, 1:06 pm
Opinion: Guest Opinion
by Faun Otter
From: http://www.bartcop.com/diebold.htm
You can't vote them out if....
You never voted them in.

The lack of any exit polling on November 5 has been oddly ignored by the media. Those pesky tracking polls leading up to the elections have been explained away by a "late surge to the Republicans" caused by.... hmmmm, how about sun spot activity? With no exit polls, there was no other feedback to conflict with the "official" results, this allowed the Diebold touch screen machines to change the way election fraud is carried out.
Previously, election cheating was a complex matter of ballot tampering combined with sample skewing. That is to say, you screwed up ballots for your opponent with under or over votes, made sure that people likely to vote against you wouldn't even get that chance (the program of voter disenfranchisement in Florida) and padded your own vote total with such things as falsified absentee ballots.
In the much more high tech world of Diebold electronics we are seeing a wonderfully efficient vote rigging system, the long proposed 'black box' technology. Imagine a black box in which you cannot see the workings. The only things you can discern are an input and an output; in this case votes go in and collated totals come out. There is no paper record of each individual vote cast to enable any cross check of the collated output. The only information you can know for sure is the total number of votes cast on the machine. Each vote is stripped of any information as to who cast that ballot to guarantee anonymity for the voters. You now have a system in which you have no way to check vote recording, vote collation and transmission of the collated totals out of the black box.
The perfect crime?
Not quite. Let me suggest an experiment. We take two "markets" with similar socioeconomic mixtures and a well established record of moving in the same political direction. We provide them with candidates from party X and party Y. We then expose them to similar news stories, we spill TV and radio ads over between the markets to make the effects less "local" and give them identical weather on election day. The differences between the markets are 1. the candidates and 2. the method of casting and counting the votes. We then take a series of tracking polls on the gap between the candidates leading up to election day.
If we express the tracking poll data as the relative preference for the candidates (12 point lead by X, down one point from last week etc.), any substantial discrepancy between the forecast and actual election outcomes should arise from major news changes, the weather effects on turn out or a social tendency to misrepresent voting intent. Since both groups get the same news, the same weather and have the same social tendencies, any difference between tracking poll and actual poll data should be in the same direction and of a similar magnitude.
Sooooo...... how come the South Carolina elections had the Democrats doing much better than the tracking poll data showed and the Georgia elections, in an area with the same weather, same news and same social values, had a massive swing in a single day after the last tracking poll, in the opposite direction? Could it be the Diebold touch screen machines in use across the entire state of Georgia but not used at all in SC?
Of course, such a perfect method of mischief has been attempted before,
http://www.votescam.com/frame.html -- Go to the link marked "Chapters" and read all about it. Watch how few lines pass before the names Bush and Sununu come up.
You can trim the wheels in mechanical voting machines but that is easier to spot than a computer program set up to be date sensitive so it causes only to "misfunction" on November 5. The current problem with virtual ballot tampering was apparent as long ago as 1989. Jonathan Vankin made this warning in "Metro: Silicon Valley's Weekly Newspaper," of Sept. 28, 1989
"A single, Berkeley-based firm manufactures the software used in the machines that compile more than two-thirds of the nation's electronically-counted votes. Analysts describe the software as "spaghetti code," tangled strands of instructions indecipherable to outsiders. The experts say the code could be manipulated without detection. In fact, that may have happened already."
http://www.conspire.com/vote-fraud.html
After systematic punch card fraud was revealed in the 2000 election, touch screens were proposed as a panacea and have been rapidly adopted against the warning of experts,
"Critics warn local election officials could be trading one set of problems for another potentially as bad, or worse, than last year's election debacle. They vigorously argue that fully electronic systems pose data-security problems and lack a paper trail. "There's no way to independently verify that the voter's ballot as cast was actually the ballot being recorded by the machine," said Rebecca Mercuri, a computer scientist and visiting lecturer at Bryn Mawr College in Pennsylvania."
http://www.kioskcom.com/article_detail.php?ident=1021
It would be interesting to impound a few machines from the heaviest leaning Democratic areas in Georgia and reset the date in the machine to November 5, 2002. A hand counted series of inputs could be made to the machines. Note to James Baker: hand counting is the gold standard against which we check machine counting efficiency. An input of 500 or so "dummy" votes could then be tabulated and the outcome checked against the inputs. Of course, you could just check the software code. Except for one problem; the company refuses to let anyone see their code on the grounds that is a trade secret.
Oddly enough, Diebold aren't the only Republican partisans who "helped" select our candidates for office yesterday:
"According to his press office, in 1995 Chuck Hagel resigned as CEO of American Information Systems (AIS), the voting machine company that counted the votes in his first Senatorial election in 1996. In January 1996 Hagel resigned as president of McCarthy & Company, part of the McCarthy Group that are one of the current owners of Election Systems and Software (ES&S), which itself resulted from the merger of AIS and Business Records Corporation. According to publicist/writer Bev Harris, Hagel is still an investor in the McCarthy Group. ES&S is now the largest voting machine company in America. One of its largest owners is the ultra-conservative Omaha World-Herald Company."
http://www.dissidentvoice.org/Articles/Landes_Ambush.htm
For more background reading on who gets to play with your ballot, see:
http://www.talion.com/election-machines.html
Who are Diebold? The corporate officers are as thick as thieves with the Republican hard right religious nut division. For those who have been lucky enough to forget, Senator Faircloth was the protege of Jesse Helms in NC. It looks like the board and the directors were all putting up money for a Faircloth victory when Edwards took that senate seat. I wonder if they conspired to put things right.....?
Board of Directors
Louis V. Bockius III (2,4,5)
6/28/00 $15,000.00
REPUBLICAN NATIONAL COMMITTEE - RNC
11/3/00 $10,000.00
REPUBLICAN NATIONAL COMMITTEE - RNC
10/9/97 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
10/9/97 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
Christopher M. Connor
Chairman and Chief Executive Officer, The Sherwin-Williams Company
5/22/00 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
3/30/00 $1,000.00
DEWINE FOR US SENATE
Gale S. Fitzgerald (2, 6)
President and Chief Executive Officer, QP Group, Inc.
7/12/00 $500.00
NEW YORK REPUBLICAN FEDERAL CAMPAIGN COMMITTEE
10/12/98 $200.00
FRIENDS OF JOHN LAFALCE
10/18/99 $1,000.00
BUSH FOR PRESIDENT INC
Donald R. Gant (1,3,5)
Senior Director, The Goldman Sachs Group, L.P.
L. Lindsey Halstead (2,3,6)
Retired Chairman of the Board, Ford of Europe
12/22/98 $500.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
1/23/97 $500.00
REPUBLICAN NATIONAL COMMITTEE - RNC
5/27/97 $200.00
REPUBLICAN NATIONAL COMMITTEE - RNC
10/31/97 $500.00
REPUBLICAN NATIONAL COMMITTEE - RNC
12/28/99 $500.00
REPUBLICAN NATIONAL COMMITTEE - RNC
3/7/01 $300.00
REPUBLICAN NATIONAL COMMITTEE
6/12/01 $200.00
REPUBLICAN NATIONAL COMMITTEE
11/27/01 $200.00
REPUBLICAN NATIONAL COMMITTEE
1/24/02 $500.00
REPUBLICAN NATIONAL COMMITTEE
Phillip B. Lassiter (1,3,6)
Chairman of the Board and Chief Executive Officer, Ambac Financial Group, Inc.
4/16/98 $250.00
NATIONAL REPUBLICAN CONGRESSIONAL COMMITTEE CONTRIBUTIONS
9/21/98 $250.00
NATIONAL REPUBLICAN CONGRESSIONAL COMMITTEE CONTRIBUTIONS
John N. Lauer (1,4,5)
Chairman of the Board and Chief Executive Officer, Oglebay Norton Co.
10/10/00 $1,000.00
DEWINE FOR US SENATE
8/23/00 $250.00
REPUBLICAN NATIONAL COMMITTEE - RNC
3/17/97 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
Walden W. O'Dell
Chairman of the Board, President and Chief Executive Officer, Diebold
2/14/01 $2,015.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
12/17/97 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
1/30/01 $3,950.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
8/16/01 $500.00
VOINOVICH FOR SENATE COMMITTEE
12/17/97 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
6/30/00 $1,000.00
DEWINE FOR US SENATE
Eric J. Roorda
Former Chairman, Procomp Amazonia Industria Eletronica, S.A.
W.R. Timken Jr. (2,3,4)
Chairman, The Timken Company
6/23/00 $50,000.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
6/8/01 $100,000.00
2001 PRESIDENT'S DINNER - NON-FEDERAL TRUST
3/14/01 $10,000.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
8/19/99 $15,000.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
11/3/00 $15,000.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
2/22/02 $1,000.00
RELY ON YOUR BELIEFS FUND
6/12/02 $1,000.00
OHIO'S REPUBLICAN SALUTE
Corporate Officers
Walden W. O'Dell
Chairman of the Board, President and Chief Executive Officer, Diebold (See above)
Wesley B. Vance
Chief Operating Officer
8/16/01 $500.00
VOINOVICH FOR SENATE COMMITTEE
Michael J. Hillock
President, Diebold International
11/18/97 $500.00
FAIRCLOTH FOR SENATE COMMITTEE 1998
David Bucci
Senior Vice President, Customer Solutions Group
11/18/97 $500.00
FAIRCLOTH FOR SENATE COMMITTEE 1998
James L.M. Chen
Vice President and Managing Director, Asia-Pacific
Warren W. Dettinger
Vice President, General Counsel and Assistant Secretary
11/18/97 $300.00
FAIRCLOTH FOR SENATE COMMITTEE 1998
1/30/97 $250.00
DEWINE FOR U S SENATE (2000)
Donald E. Eagon, Jr.
Vice President, Global Communications & Investor Relations
11/18/97 $300.00
FAIRCLOTH FOR SENATE COMMITTEE 1998
Charee Francis-Vogelsang
Vice President and Secretary
Larry D. Ingram
Vice President, Procurement and Services
1/30/97 $250.00
DEWINE FOR U S SENATE (2000)
11/18/97 $300.00
FAIRCLOTH FOR SENATE COMMITTEE 1998
Dennis M. Moriarty
Vice President, Customer Business Solutions
11/18/97 $300.00
FAIRCLOTH FOR SENATE COMMITTEE 1998
Anthony J. Rusciano
Vice President, National Accounts
11/18/97 $300.00
FAIRCLOTH FOR SENATE COMMITTEE 1998
--- Hey Tony! Listing yourself as "retired" and using your vacation home address to avoid campaign donation limits is a tad naughty don't you think?
Copyright (c) Scoop Media
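Parts 1 and 3 of the first article and its closing accounting paragraph describe three weaknesses: official totals read from an editable copy of the votes, audit entries whose log numbers can be rewritten, and corrections made by overwriting. The following is an added example, not code from GEMS, Diebold or either article's author: a hash-chained, append-only ledger in Python in which corrections are line items, totals are derived from the line items rather than stored, and a reported summary is reconciled against them. The field names, vote counts and the externally recorded head hash are assumptions; only the candidate numbers 454 and 455 come from the article.

```python
import hashlib
import json

GENESIS = "0" * 64  # value the first entry links back to


def entry_digest(seq, prev_hash, payload):
    """SHA-256 over an entry's number, back-link and content."""
    body = json.dumps({"seq": seq, "prev": prev_hash, "payload": payload},
                      sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(entries, payload):
    """Add a line item; existing items are never edited. Returns new head."""
    seq = len(entries) + 1
    prev_hash = entries[-1]["hash"] if entries else GENESIS
    entries.append({"seq": seq, "prev": prev_hash, "payload": payload,
                    "hash": entry_digest(seq, prev_hash, payload)})
    return entries[-1]["hash"]


def verify(entries, expected_head=None):
    """Return a list of findings; an empty list means the chain is intact.

    expected_head is the last hash as recorded somewhere the database
    operator cannot write (assumption: for example a printed, signed tape).
    Without it, someone with write access can rebuild the whole chain.
    """
    findings, prev_hash = [], GENESIS
    for pos, e in enumerate(entries, start=1):
        if e["seq"] != pos:
            findings.append(f"entry {pos}: numbered {e['seq']} (gap or renumbering)")
        if e["prev"] != prev_hash:
            findings.append(f"entry {pos}: back-link broken (entry removed or inserted)")
        if e["hash"] != entry_digest(e["seq"], e["prev"], e["payload"]):
            findings.append(f"entry {pos}: content overwritten")
        prev_hash = e["hash"]
    if expected_head is not None and prev_hash != expected_head:
        findings.append("head hash differs from the externally recorded one")
    return findings


def totals(entries):
    """Derive per-candidate totals from line items; no second ledger."""
    out = {}
    for e in entries:
        p = e["payload"]
        if p["kind"] in ("precinct_upload", "correction"):
            out[p["candidate"]] = out.get(p["candidate"], 0) + p["votes"]
    return out


def reconcile(entries, reported):
    """Map candidate -> (derived, reported) wherever a summary disagrees."""
    derived = totals(entries)
    return {c: (derived.get(c, 0), reported.get(c, 0))
            for c in sorted(set(derived) | set(reported))
            if derived.get(c, 0) != reported.get(c, 0)}


def build_sample():
    """Constructed data; 454 and 455 are the candidate numbers on the page."""
    log = []
    append(log, {"kind": "audit", "user": "admin", "action": "open election"})
    append(log, {"kind": "precinct_upload", "precinct": "P1", "candidate": 454, "votes": 3000})
    append(log, {"kind": "precinct_upload", "precinct": "P1", "candidate": 455, "votes": 2900})
    head = append(log, {"kind": "correction", "reason": "provisional ballots",
                        "precinct": "P1", "candidate": 454, "votes": 12})
    return log, head


if __name__ == "__main__":
    log, head = build_sample()
    print(verify(log, head), totals(log))
    print(reconcile(log, {454: 2912, 455: 3000}))  # summary shifted by 100
```

The chain alone only detects edits made by someone who does not recompute it; the comparison against a head hash kept outside the database is what catches a full rebuild.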
Hol-eee Cow! As much as I love MS, this is about the biggest boneheaded move anybody ever made. Using Access for something like this. Insane.
Eek.
What's so sacred about a "secret ballot", is it in the constitution?
Yes, I know there are Libertarians, Greens, Socialists, QueerVote and so on. They don't count. If they ever pull 5% then they will matter.
I think access is the key word here.