IndiaDivine.org

Our Worst Fears - Diebold Was Engineering Rigged Elections: Consumer Report Part 3

Guest guest

http://www.blackboxvoting.org/?q=node/view/76

 

 

Consumer Report: Part 3 - More GEMS problems, and why current solutions / explanations won't work

Submitted by Bev Harris on Thu, 08/26/2004 - 11:33.

Investigations

But do new security measures solve the problem?

 

The MS Access database is not passworded and can be accessed illicitly through the back door simply by double-clicking the vote file. After we published this report, we observed unpassworded access on the very latest, GEMS 1.18.19 system in a county elections office.

Some locations removed the Microsoft Access software from their GEMS computer, leaving the back door intact but, essentially, removing the ability to easily view and edit the file.

However, you can easily edit the election, with or without Microsoft Access installed on the GEMS computer. As computer security expert Hugh Thompson demonstrated at the Aug. 18 California Secretary of State meeting, you simply open any text editor, like "Notepad," and type a six-line Visual Basic Script, and you own the election.

Some election officials claim that their GEMS central tabulator is not vulnerable to this back door, because they limit access to the GEMS tabulator room and they require a password to turn on the GEMS computer.

 

However...

 


Any county that uses modems to transfer votes may inadvertently be giving control of the entire central tabulator to anyone who gets at the computer through the modem phone lines (even if it is NOT attached to the Internet). This allows Diebold, or any individual, to manipulate votes at their leisure, from any personal computer anywhere in the world.

Let's talk about getting at the central tabulator through telephone lines: Mohave County, Arizona, for example, has six modems attached to its GEMS computer on election night. King County, Washington has had up to four dozen modems attached at once.

You will hear that the GEMS machine is stand alone, and is never connected to the Internet. It does have an Internet component, called "jresults," but nowadays most counties say that they do not hook GEMS up to the Internet. They say that they remove the disk from the GEMS computer and physically take it to another computer, from whence the Internet feed comes. Very nice -- BUT:

You can access a computer through phone lines as well as through the Internet. In fact, famous hacker Kevin Mitnick liked to hack through telephone lines, not the Internet.

If you have the dial-in numbers, it is possible to get at the GEMS computer from anywhere, using RAS. The dial-in protocols are given to poll workers, many people in Diebold have them, lots of temps have them, and the configurations have been sitting on the Internet for several years.

 

What if your county doesn't use any modems at all? That's excellent, but here's what we found: Harris & Stephenson visited county elections officials to ask for lists of names. We asked who was allowed to access the central tabulator, after it was already turned on, and who is given a password and permission to sit at the terminal?

Several officials told us they don't keep a list. Those who did, gave us the names of too many people -- County employees (sometimes limited to one or two). Diebold employees. Techs who work for the county, like county database technicians, also get access to GEMS. Printshops who do the ballots have some access also.

Diebold "contractors," who are temporary workers hired by subcontractors to Diebold were also reported to have gained access to the GEMS tabulator. (Diebold accounts payable reports obtained by Black Box Voting indicate that Diebold advertises for temps on Monster.com, hotjobs.com, and uses several temporary employment firms, including Coast to Coast Temporary, Ran Temps Inc, and also works with many subcontractors, like Wright Technologies, Total Technical Services, and PDS Technical Services.)

 

What if there is a password even to get onto the GEMS computer itself?

There usually is. The problem is this: Once that computer is open and running GEMS (on election night, for example), that password doesn't much matter. Votes are pouring in pell-mell, and they aren't about to shut that computer down until hours later, sometimes days later.

Also, Black Box Voting found another problem with the design of GEMS: Check out the Audit Log, which is supposed to record everything that happens. In every database, you find everyone logging in as the same person, "admin."

There is a reason for this. We did not find a way in GEMS to log in as a new user unless you close GEMS and reopen the file. Now who, on election night, with votes pouring in, is going to close and reopen the file? They don't. Instead, everyone calls themselves the same name, "admin," thereby ruining the audit log (which can be easily erased and changed anyway.)

What about counties that limit access to just one person, the county elections supervisor?

We've found nowhere that actually does this. The reason: Elections officials are dependent on the vendor, Diebold, during the election.

Suppose we have a computer whiz county official who is the ONLY person who can access GEMS?

Unlikely, but if you do: "Trust, but verify." We should never have to trust the sanctity of a million votes to just one person.

 

The following things can be done when you go in the back door in GEMS using Microsoft Access:

1) You can change vote totals.

2) You can change flags, which act as digital "on-off" switches, to cause the program to function differently.

According to internal Diebold memos, there are 32 combinations of on-off flags. Even the programmers have trouble keeping track of all the changes these flags can produce.

3) You can alter the audit log.

4) You can change passwords, access privileges, and add new users.

 

Let's talk about passwords

How many people can have passwords to GEMS? A sociable GEMS user can give all his friends access to the vote database. We added 50 people, and gave them all the same password, which was "password" -- so far, we haven't found a limit to how many people can be granted access to the election database.

Election meltdown:

We found that you can melt down an election in six seconds, simply by using the menu items in GEMS. You can destroy all data with two mouse clicks, and with four mouse clicks, you can destroy the configuration of the election making it very difficult to reload the original data.

Does GEMS even work as advertised? According to testimony given before the Cuyahoga Elections Board, the Microsoft Access database design used by Diebold's GEMS program apparently becomes unstable with high volume input. This problem, according to Diebold, resulted in thousands of votes being allocated to the wrong candidate in San Diego County in March 2004.

 

The Audit Log

Britain J. Williams, Ph.D., is the official voting machine certifier for the state of Georgia, and he sits on the committee that decides how voting machines will be tested and evaluated. Here's what he had to say about the security of Diebold voting machines, in a letter dated April 23, 2003:

"Computer System Security Features: The computer portion of the election system contains features that facilitate overall security of the election system. Primary among these features is a comprehensive set of audit data. For transactions that occur on the system, a record is made of the nature of the transaction, the time of the transaction, and the person that initiated the transaction. This record is written to the audit log. If an incident occurs on the system, this audit log allows an investigator to reconstruct the sequence of events that occurred surrounding the incident."

Since Dr. Williams listed the audit data as the primary security feature, we decided to find out how hard it is to alter the audit log.

We went in the front door in GEMS and added a user named "Evildoer." We had Evildoer perform various functions, including running reports to check his vote-rigging work, but only some of his activities showed up on the audit log. When we had Evildoer melt down the election, by hitting "reset election" and declining to back up the files, he showed up in the audit log.

No matter. It was a simple matter to eliminate Evildoer. We went in through the back door and simply deleted all the references to Evildoer.

Microsoft Access encourages those who create audit logs to use auto-numbering, so that every logged entry has an uneditable log number. Then, if one deletes audit entries, a gap in the numbering sequence will appear. However, we found that this feature was disabled, allowing us to write in our own log numbers. We were able to add and delete from the audit without leaving a trace.

 

Could the double set of books be legitimate?

From a programming standpoint, there might be reasons to have a special vote ledger that disengages from the real one. For example, election officials might say they need to be able to alter the votes to add provisional ballots or absentee ballots. If so, this calls into question the training of these officials. If election officials are taught to deal with changes by overwriting votes, regardless of whether they do this in vote ledger 1 or vote ledger 2, this is improper.

Also, if it was legitimate, it would be a menu item in the GEMS program, not executed in a hidden location triggered by a secret 2-digit code. Nothing in the GEMS documentation describes the use of any feature like this whatsoever.

 

Here's why we need to involve CPAs in vote tabulation regulations, procedures, and design:

If changing election data is required, the corrective entry must be made not by overwriting vote totals, but by making a corrective entry.

It is never acceptable to make changes by overwriting. Data corrections should not be prohibited, but must always be done by indicating changes through a clearly marked line item that preserves each transaction.

However, according to elections officials we interviewed, GEMS is improperly designed, and cannot perform an adjustment, and you can't journal changes that occur for weird reasons that really happen. (For example, a poll worker might accidentally run ballots through twice. You need to be able to correct this and still show your work.)

Instead of doing an adjustment and showing the explanation, retaining a permanent record of everything that happened, a common procedure is to wipe out the mistake, and simply overwrite it with new data. This is completely improper, from an auditing standpoint.

It is certainly improper to have the summary reports come from the second ledger, while pulling the spot check reports from the first ledger, with a provision in the back door to allow these two ledgers to be mismatched.

But there is more evidence that these extra sets of books are illicit: If the extra set of books is legitimate, the county officials, whose jurisdiction paid for and own the voting system, should be informed of such functions. Yet Diebold has not explained to county officials why it is there at all, and in most cases, never even told them these functions exist.

As a member of slashdot.org commented when we originally published this information: "This is not a bug, it's a feature."

 


(For practical solutions -- and it is not too late to implement them -- go to Part 4)
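
An added example, not part of the original report and not GEMS code: a sketch of the two controls the report says were missing, engine-assigned entry numbers that can be checked for gaps, and corrections posted as reversing line items instead of overwrites. The `journal` table, its columns and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical schema for illustration; not the GEMS table layout.
SCHEMA = """
CREATE TABLE journal (
    seq       INTEGER PRIMARY KEY AUTOINCREMENT, -- engine-assigned entry number
    candidate TEXT    NOT NULL,
    delta     INTEGER NOT NULL,                  -- negative for a reversal
    reason    TEXT    NOT NULL,
    operator  TEXT    NOT NULL
);
CREATE TRIGGER journal_no_update BEFORE UPDATE ON journal
BEGIN SELECT RAISE(ABORT, 'journal is append-only'); END;
CREATE TRIGGER journal_no_delete BEFORE DELETE ON journal
BEGIN SELECT RAISE(ABORT, 'journal is append-only'); END;
"""

def open_journal():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def post(db, candidate, delta, reason, operator):
    """Append one line item; totals are never stored, only derived."""
    cur = db.execute(
        "INSERT INTO journal (candidate, delta, reason, operator) VALUES (?, ?, ?, ?)",
        (candidate, delta, reason, operator))
    db.commit()
    return cur.lastrowid

def totals(db):
    return dict(db.execute("SELECT candidate, SUM(delta) FROM journal GROUP BY candidate"))

def sequence_gaps(seqs):
    """Entry numbers missing from an exported log (deleted rows leave holes)."""
    present = set(seqs)
    return [n for n in range(1, max(present, default=0) + 1) if n not in present]

if __name__ == "__main__":
    db = open_journal()
    # Constructed sample data: the same batch is fed through twice, then reversed.
    post(db, "Candidate A", 120, "precinct 7 batch 1", "clerk1")
    post(db, "Candidate A", 120, "precinct 7 batch 1 (scanned twice in error)", "clerk1")
    post(db, "Candidate A", -120, "reversal of entry 2, duplicate scan", "supervisor1")
    print(totals(db))
    try:
        db.execute("UPDATE journal SET delta = 0 WHERE seq = 2")
    except sqlite3.Error as exc:
        print("overwrite refused:", exc)
    print(sequence_gaps([1, 2, 3, 5, 6]))
```

The gap check only has value when writers cannot choose or rewrite entry numbers, which is the property the report found switched off. In-database triggers also do nothing against someone who can open the database file directly, so file-level access control is still required.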
