www.scoop.co.nz/mason/stories/HL0307/S00065.htm
It is offered freely for publication in full or part on any and all internet forums, blogs and noticeboards. All other media are also encouraged to utilise material. Readers are encouraged to forward this to friends and acquaintances in the United States and elsewhere. CONTENTS 20 Introduction 21 Part 1 - Can the votes be changed? But the passwords can easily be bypassed, and in fact the audit logs can be altered. Worse, the votes can be changed without anyone knowing, even the County Election Supervisor who runs the election system. The companies that make these machines insist that their mechanisms are a proprietary secret. Can citizen's groups, or even election officials, audit their accuracy? Not at all, with touch screens, and rarely, with optical scans, because most state laws mandate that optical scan paper ballots be run through the machine and then sealed into a box, never to be counted unless there is a court order. Even in recounts, the ballots are just run through the machine again. Therefore, when I found that Diebold Election Systems had been storing 40,000 of its files on an open web site, an obscure site, never revealed to public interest groups, but generally known among election industry insiders, and available to any hacker with a laptop, I looked at the files. Having a so-called security-conscious voting machine manufacturer store sensitive files on an unprotected public web site, allowing anonymous access, was bad enough, but when I saw what was in the files my hair turned gray. The contents of these files amounted to a virtual handbook for vote-tampering: They contained diagrams of remote communications setups, passwords, encryption keys, source code, user manuals, testing protocols, and simulators, as well as files loaded with votes and voting machine software. Diebold Elections Systems AccuVote systems use software called "GEMS," and this system is used in 37 states. The voting system works like this: Voters vote at the precinct, running their ballot through an optical scan, or entering their vote on a touch screen. After the polls close, poll workers transmit the votes that have been accumulated to the county office. At the county office, there is a "host computer" with a program on it called GEMS. GEMS receives the incoming votes and stores them in a vote ledger. But in the files we examined, which were created by Diebold employees and/or county officials, we learned that the Diebold program used another set of books with a copy of what is in vote ledger 1. And at the same time, it made yet a third vote ledger with another copy. Apparently, the Elections Supervisor never sees these three sets of books. All she sees is the reports she can run: Election summary (totals, county wide) or a detail report (totals for each precinct). She has no way of knowing that her GEMS program is using multiple sets of books, because the GEMS interface draws its data from an Access database, which is hidden. And here is what is quite odd: On the programs we tested, the Election summary (totals, county wide) come from the vote ledger 2 instead of vote ledger 1, and ledger 2 can be altered so it may or may not match ledger 1. Now, think of it like this: You want the report to add up only the actual votes. But, unbeknownst to the election supervisor, votes can be added and subtracted from vote ledger 2. Official reports come from vote ledger 2, which has been disengaged from vote ledger 1. If one asks for a detailed report for some precincts, though, the report comes from vote ledger 1. Therefore, if you keep the correct votes in vote ledger 1, a spot check of detailed precincts (even if you compare voter-verified paper ballots) will always be correct. For now, we are calling it the "Lord Only Knows" vote ledger. Here's what we're going to do: We'll go in and run a totals report, so you can see what the Election Supervisor sees. I'll show you that our tampering appears in Table 2, but not Table 1. Then we'll go back and run another totals report, and you'll see that it contains the tampered votes from Table 2. Remember that there are two programs: The GEMS program, which the Election Supervisor sees, and the Microsoft Access database that stores the votes, which she cannot see. Let's run a report on the Max Cleland/Saxby Chambliss race. You might look at it like this: Suppose you have votes on paper ballots, and you pile all the paper ballots in room one. Then, you make a copy of all the ballots and put the stack of copies in room 2. You then leave the door open to room 2, so that people can come in and out, replacing some of the votes in the stack with their own. You could have some sort of security device that would tell you if any of the copies of votes in room 2 have been changed, but you opt not to. Or should you count them from room 2, where they may or may not be the same as room 1? We'll put Chambliss ahead by a nose, by subtracting 100 from Cleland and adding 100 to Chambliss. Always add and delete the same number of votes, so the number of voters won't change. If you run a detail report, you'll see that the precinct report pulls the untampered data, while the totals report pulls the tampered data. At least a dozen full installation versions of the GEMS program were available on the Diebold ftp site. In this examination, we installed GEMS, clicked "new" and made a test election, then closed it and opened the same file in Microsoft Access. One finds where they store the passwords by clicking the "Operator" table. Example: Cobb County Election file One can overwrite the "admin" password with another, copied from another GEMS installation. In this example, we saved the old "admin" password so we could replace it later and delete the evidence that we'd been there. A sociable election hacker can give all his friends access to the database too! In this case, they were added in a test GEMS installation and copied into the Cobb County Microsoft Access file. To assess how tightly controlled the election files really are, we added 50 of our friends; JPG Using this simple way to bypass password security, an intruder, or an insider, can enter GEMS programs and play with election databases to their heart's content. Here's what he had to say about the security of Diebold voting machines, in a letter dated April 23, 2003: "Computer System Security Features: The computer portion of the election system contains features that facilitate overall security of the election system. Primary among these features is a comprehensive set of audit data. For transactions that occur on the system, a record is made of the nature of the transaction, the time of the transaction, and the person that initiated the transaction. If an incident occurs on the system, this audit log allows an investigator to reconstruct the sequence of events that occurred surrounding the incident. Williams listed the audit data as the primary security feature, we decided to find out how hard it is to alter the audit log. JPG Note that a user by the name of "Evildoer" was added. Evildoer performed various functions, including running reports to check his vote-rigging work, but only some of his activities showed up on the audit log. JPG Then, we deleted all the references to Evildoer and, because we noticed that the audit log never noticed when the admin closed the GEMS program before, we tidily added an entry for that. JPG Access encourages those who create audit logs to use auto-numbering, so that every logged entry has an uneditable log number. Then, if one deletes audit entries, a gap in the numbering sequence will appear. However, we found that this feature was disabled, allowing us to write in our own log numbers. We were able to add and delete from the audit without leaving a trace. In fact, when using Access to adjust the vote tallies we found that tampering never made it to the audit log at all. Although we interviewed election officials and also the technicians who set up the Diebold system in Georgia, and they confirmed that the GEMS system does use Microsoft Access, is designed for remote access, and does receive "data corrections" from time to time from support perso...
|
http://csua.com/feed/