Backdoor found in Diebold Voting Tabulators

Major Variola (ret) mv at cdc.gov
Tue Aug 31 14:01:12 PDT 2004


http://www.blackboxvoting.org/?q=node/view/77 is up

Seems it's due to an intentional, insider job, and not just as
an "engineering backdoor" (c) Cisco

Consumer Report: Part 2 - Problems with GEMS Central Tabulator

                                Submitted by Bev Harris on Thu,
                                08/26/2004 - 11:38. Investigations

                                This problem appears to demonstrate
                                intent to manipulate elections, and
                                was installed in the program under the
                                watch of a programmer who is a
                                convicted embezzler.

                                According to election industry
                                officials, the central tabulator is
                                secure, because it is protected by
                                passwords and audit logs. But it turns
                                out that the GEMS passwords can easily
                                be bypassed, and the audit logs can be
                                altered and erased. Worse, the votes
                                can be changed without anyone knowing,
                                including the officials who run the
                                election.

                                Multiple sets of books

                                The GEMS program runs on a Microsoft
                                Access database. It typically receives
                                incoming votes by modem, though some
                                counties follow better security by
                                disconnecting modems and bringing
                                votes in physically.

                                GEMS stores the votes in a vote
                                ledger, built in Microsoft Access. Any
                                properly designed accounting program
                                will allow only one set of books. You
                                can't enter your expense report in
                                three different places. All data must
                                be drawn from the same place, and
                                multiple versions are never
                                acceptable. But in the files we
                                examined, we found that the GEMS
                                system contained three sets of
                                "books."

                                The elections official never sees the
                                different sets of books. All she sees
                                is the reports she can run: Election
                                summary (totals, county wide) or a
                                "Statement of Votes Cast" (totals for
                                each precinct). She has no way of
                                knowing that her GEMS system uses a
                                different set of data for the detail
                                report (used to spot check) than it
                                does for the election totals. The
                                Access database, which contains the
                                hidden set of votes, can't be seen
                                unless you know how to get in the back
                                door -- which takes only seconds.

                                Ask an accountant: It is never
                                appropriate to have two sets of books
                                inside accounting software. It is
                                possible to do computer programming to
                                create two sets of books, but dual
                                sets of books are prohibited in
                                accounting, for this simple reason:
                                Two sets of books can easily allow
                                fraud to go undetected. Especially if
                                the two sets are hidden from the user.

                                A hidden trigger

                                The data tables in
                                accounting software automatically link
                                up to each other to prevent illicit
                                back door entries. In GEMS, however,
                                by typing a two-digit code into a
                                hidden location, you can decouple the
                                books, so that the voting system will
                                draw information from a combination of
                                the real votes and a set of fake
                                votes, which you can alter any way you
                                see fit.

                                That's right, GEMS comes with a secret
                                digital "on-off" switch to link and
                                unlink its multiple vote
                                tables. Someone who tests GEMS, not
                                knowing this, will not see the
                                mismatched sets of books. When you put
                                a two-digit code into a secret
                                location, you can disengage the vote
                                tables, so that tampered totals tables
                                don't have to match precinct-by-
                                precinct results. This way, it will
                                pass a spot check -- even with paper
                                ballots -- but can still be rigged.

                                How and when did the double set of
                                books get into GEMS?

                                Black Box Voting has traced the
                                implementation of the double set of
                                books to Oct. 13, 2000, shortly after
                                embezzler Jeffrey Dean became the
                                senior programmer. Dean was hired as
                                Vice President of Research and
                                Development in September 2000, and his
                                access to the programs is well
                                documented through internal memos from
                                Diebold. The double set of books
                                appeared in GEMS version 1.17.7.

                                Almost immediately, according to the
                                Diebold memos, another Diebold
                                programmer, Dmitry Papushin, flagged a
                                problem with bogus votes appearing in
                                the vote tables. The double set of
                                books remained, though, going through
                                several tweaks and refinements. From
                                the time Jeffrey Dean was hired in
                                September, until shortly before the
                                Nov. 2000 election, GEMS went through
                                over a dozen changes, all retaining
                                the new hidden vote tables.

                                For four years, anyone who has known
                                how to trigger the double set of books
                                has been able to use, or sell, the
                                information to anyone they want.

                                Black Box Voting Associate Director
                                Andy Stephenson has obtained the court
                                and police records of Jeffrey Dean. It
                                is clear that he was under severe
                                financial stress, because the King
                                County prosecutor was chasing him for
                                over $500,000 in restitution.

                                During this time, while Jeffrey Dean
                                was telling the prosecutor (who
                                operated from the ninth floor of the
                                King County Courthouse) that he was
                                unemployed, he was in fact employed,
                                with 24-hour access to the King County
                                GEMS central tabulator -- and he was
                                working on GEMS on the fifth floor of
                                the King County Courthouse. (Dean may
                                now be spending his nights on the
                                tenth floor of the same building;
                                after our investigations appeared in
                                Vanity Fair and the Seattle Times,
                                Dean was remanded to a work release
                                program, and may be staying in the
                                lockup in the courthouse now.)

                                Jeffrey Dean, according to his own
                                admissions, is subject to blackmail as
                                well as financial pressure over his
                                restitution obligation. Police records
                                from his embezzlement arrest, which
                                involved "sophisticated" manipulation
                                of computer accounting records, report
                                that Dean claimed he was embezzling in
                                order to pay blackmail over a fight he
                                was involved in, in which a person
                                died.

                                So now we have someone who's admitted
                                that he's been blackmailed over
                                killing someone, who pleaded guilty to
                                23 counts of embezzlement, who is
                                given the position of senior
                                programmer over the GEMS central
                                tabulator system that counts
                                approximately 50 percent of the votes
                                in the election, in 30 states, both
                                paper ballot and touch screen.

                                And just after he is hired, multiple
                                sets of books appear in GEMS, which
                                can be decoupled, so that they don't
                                need to match, by typing in a secret
                                2-digit code in a specific location.

                                Dr. David Jefferson, technical advisor
                                for California voting systems, told
                                Black Box Voting that he could see no
                                legitimate reason to have the double
                                set of books in a voting program. He
                                surmised that it might be incredible
                                stupidity.

                                Dr. Jefferson should speak to Jeffrey
                                Dean's partners and those who worked
                                with him. "Stupid" is not how he is
                                described. The descriptions we get,
                                from Dean's former business partner,
                                and from others who worked with him,
                                are "sophisticated," "cunning," "very
                                bright," "highly skilled," and "a con
                                man."

                                This is the man who supervised the
                                programming for GEMS when the multiple
                                set of books was installed. Diebold,
                                however, is the company that did
                                nothing about it.

                                Internal memos show that Dean was sent
                                the passwords to the GEMS 1.18.x files
                                months after Diebold took over the
                                elections company. Diebold clearly did
                                not examine the GEMS program before
                                selling it, or, if it did, chose not
                                to correct the flaws. And after
                                exposing this problem in 2003, Diebold
                                still failed to correct it.

                                Elections were run on this
                                tamper-inviting system for more than
                                three years, and anyone who knew could
                                sell the vote-tampering secrets to
                                anyone they wanted to, at any time.

                                It has been a year since this report
                                was first printed, and Diebold has
                                never explained any legitimate reason
                                for this design, which is rather
                                elegant and certainly is not
                                accidental.

Consumer Report: Part 3 - More GEMS problems, and why current
solutions / explanations won't work

                               Submitted by Bev Harris on Thu,
08/26/2004 - 11:33. Investigations

                               But do new security measures solve
the problem?

                               The MS Access database is not
passworded and can be accessed illicitly through the back door simply
by double-clicking the vote file. After we published this report, we
observed unpassworded access on the very latest, GEMS 1.18.19 system
in a county elections office.

                               Some locations removed the Microsoft
Access software from their GEMS computer, leaving the back door intact
but, essentially, removing the ability to easily view and edit the
file.

                               However, you can easily edit the
election, with or without Microsoft Access installed on the GEMS
computer. As computer security expert Hugh Thompson demonstrated at
the Aug. 18 California Secretary of State meeting, you simply open any
text editor, like "Notepad," and type a six-line Visual Basic Script,
and you own the election.

                               Some election officials claim that
their GEMS central tabulator is not vulnerable to this back door,
because they limit access to the GEMS tabulator room and they require
a password to turn on the GEMS computer.

                               However...

                               Any county that uses modems to transfer
votes may inadvertently be giving control of the entire central
tabulator to anyone who gets at the computer through the modem phone
lines (even if it is NOT attached to the Internet). This allows
Diebold, or any individual, to manipulate votes at their leisure, from
any personal computer anywhere in the world.

                               Let's talk about getting at the central
tabulator through telephone lines: Mohave County, Arizona, for
example, has six modems attached to its GEMS computer on election
night. King County, Washington has had up to four dozen modems
attached at once.

                               You will hear that the GEMS machine is
stand alone, and is never connected to the Internet. It does have an
Internet component, called "jresults," but nowadays most counties say
that they do not hook GEMS up to the Internet. They say that they
remove the disk from the GEMS computer and physically take it to
another computer, from whence the Internet feed comes. Very nice --
BUT:

                               You can access a computer through phone
lines as well as through the Internet. In fact, famous hacker Kevin
Mitnick liked to hack through telephone lines, not the Internet.

                               If you have the dial-in numbers, it is
possible to get at the GEMS computer from anywhere, using RAS. The
dial-in protocols are given to poll workers, many people in Diebold
have them, lots of temps have them, and the configurations have been
sitting on the Internet for several years.

                               What if your county doesn't use any
modems at all? That's excellent, but here's what we found: Harris &
Stephenson visited county elections officials to ask for lists of
names. We asked who was allowed to access the central tabulator, after
it was already turned on, and who is given a password and permission
to sit at the terminal?

                               Several officials told us they don't
keep a list. Those who did, gave us the names of too many people --
County employees (sometimes limited to one or two). Diebold
employees. Techs who work for the county, like county database
technicians, also get access to GEMS. Printshops who do the ballots
have some access also.

                               Diebold "contractors," who are
temporary workers hired by subcontractors to Diebold were also
reported to have gained access to the GEMS tabulator. (Diebold
accounts payable reports obtained by Black Box Voting indicate that
Diebold advertises for temps on Monster.com, hotjobs.com, and uses
several temporary employment firms, including Coast to Coast
Temporary, Ran Temps Inc, and also works with many subcontractors,
like Wright Technologies, Total Technical Services, and PDS Technical
Services.)

                               What if there is a password even to get
onto the GEMS computer itself?

                               There usually is. The problem is this:
Once that computer is open and running GEMS (on election night, for
example), that password doesn't much matter. Votes are pouring in
pell-mell, and they aren't about to shut that computer down until
hours later, sometimes days later.

                               Also, Black Box Voting found another
problem with the design of GEMS: Check out the Audit Log, which is
supposed to record everything that happens. In every database, you
find everyone logging in as the same person, "admin."

                               There is a reason for this. We did not
find a way in GEMS to log in as a new user unless you close GEMS and
reopen the file. Now who, on election night, with votes pouring in, is
going to close and reopen the file? They don't. Instead, everyone
calls themselves the same name, "admin," thereby ruining the audit log
(which can be easily erased and changed anyway.)

                               What about counties that limit access
to just one person, the county elections supervisor?

                               We've found nowhere that actually does
this. The reason: Elections officials are dependent on the vendor,
Diebold, during the election.

                               Suppose we have a computer whiz county
official who is the ONLY person who can access GEMS?

                               Unlikely, but if you do: "Trust, but
verify." We should never have to trust the sanctity of a million votes
to just one person.

                               The following things can be done when
you go in the back door in GEMS using Microsoft Access:

                               1) You can change vote totals.

                               2) You can change flags, which act as
digital "on-off" switches, to cause the program to function
differently.

                               According to internal Diebold memos,
there are 32 combinations of on-off flags.  Even the programmers have
trouble keeping track of all the changes these flags can produce.

                               3) You can alter the audit log.

                               4) You can change passwords, access
privileges, and add new users.

                               Let's talk about passwords

                               How many people can have passwords to
GEMS? A sociable GEMS user can give all his friends access to the vote
database. We added 50 people, and gave them all the same password,
which was "password" -- so far, we haven't found a limit to how many
people can be granted access to the election database.

                               Election meltdown:

                               We found that you can melt down an
election in six seconds, simply by using the menu items in GEMS. You
can destroy all data with two mouse clicks, and with four mouse
clicks, you can destroy the configuration of the election making it
very difficult to reload the original data.

                               Does GEMS even work as advertised?
According to testimony given before the Cuyahoga Elections Board, the
Microsoft Access database design used by Diebold's GEMS program
apparently becomes unstable with high volume input. This problem,
according to Diebold, resulted in thousands of votes being allocated
to the wrong candidate in San Diego County in March 2004.

                               The Audit Log

                               Britain J. Williams, Ph.D., is the
official voting machine certifier for the state of Georgia, and he
sits on the committee that decides how voting machines will be tested
and evaluated. Here's what he had to say about the security of Diebold
voting machines, in a letter dated April 23, 2003:

                               "Computer System Security Features: The
computer portion of the election system contains features that
facilitate overall security of the election system. Primary among
these features is a comprehensive set of audit data. For transactions
that occur on the system, a record is made of the nature of the
transaction, the time of the transaction, and the person that
initiated the transaction. This record is written to the audit log. If
an incident occurs on the system, this audit log allows an
investigator to reconstruct the sequence of events that occurred
surrounding the incident."

                               Since Dr. Williams listed the audit
data as the primary security feature, we decided to find out how hard
it is to alter the audit log.

                               We went in the front door in GEMS and
added a user named "Evildoer." We had Evildoer perform various
functions, including running reports to check his vote-rigging work,
but only some of his activities showed up on the audit log. When we
had Evildoer melt down the election, by hitting "reset election" and
declining to back up the files, he showed up in the audit log.

                               No matter. It was a simple matter to
eliminate Evildoer. We went in through the back door and simply
deleted all the references to Evildoer.

                               Microsoft Access encourages those who
create audit logs to use auto-numbering, so that every logged entry
has an uneditable log number. Then, if one deletes audit entries, a
gap in the numbering sequence will appear. However, we found that this
feature was disabled, allowing us to write in our own log numbers. We
were able to add and delete from the audit without leaving a trace.

                               Could the double set of books be
legitimate?

                               From a programming standpoint, there
might be reasons to have a special vote ledger that disengages from
the real one. For example, election officials might say they need to
be able to alter the votes to add provisional ballots or absentee
ballots.  If so, this calls into question the training of these
officials. If election officials are taught to deal with changes by
overwriting votes, regardless of whether they do this in vote ledger 1
or vote ledger 2, this is improper.

                               Also, if it was legitimate, it would be
a menu item in the GEMS program, not executed in a hidden location
triggered by a secret 2-digit code. Nothing in the GEMS documentation
describes the use of any feature like this whatsoever.

                               Here's why we need to involve CPAs in
vote tabulation regulations, procedures, and design:

                               If changing election data is required,
the corrective entry must be made not by overwriting vote totals, but
by making a corrective entry.

                               It is never acceptable to make changes
by overwriting. Data corrections should not be prohibited, but must
always be done by indicating changes through a clearly marked line
item that preserves each transaction.

                               However, according to elections
officials we interviewed, GEMS is improperly designed, and cannot
perform an adjustment, and you can't journal changes that occur for
weird reasons that really happen. (For example, a poll worker might
accidentally run ballots through twice. You need to be able to correct
this and still show your work.)

                               Instead of doing an adjustment and
showing the explanation, retaining a permanent record of everything
that happened, a common procedure is to wipe out the mistake, and
simply overwrite it with new data. This is completely improper, from
an auditing standpoint.

                               It is certainly improper to have the
summary reports come from the second ledger, while pulling the spot
check reports from the first ledger, with a provision in the back door
to allow these two ledgers to be mismatched.

                               But there is more evidence that these
extra sets of books are illicit: If the extra set of books is
legitimate, the county officials, whose jurisdiction paid for and own
the voting system, should be informed of such functions. Yet Diebold
has not explained to county officials why it is there at all, and in
most cases, never even told them these functions exist.

                               As a member of slashdot.org commented
when we originally published this information: "This is not a bug,
it's a feature."
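
An added example, not part of the original post or of GEMS: a sketch of the design the audit-log and corrective-entry passages above call for. It keeps one append-only journal, makes corrections as new signed-delta entries instead of overwrites, derives both the precinct detail and the summary from that journal, and hash-chains the entries so that deleting a row and rewriting the log numbers is still detected. All class, function and field names and the sample data are assumptions made for illustration.

```python
import copy
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash, body):
    """Bind an entry's fields to the hash of the entry before it."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class VoteJournal:
    """Append-only ledger: the single set of books every report is derived from."""

    def __init__(self):
        self.entries = []

    def append(self, user, precinct, candidate, delta, reason):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries) + 1, "user": user, "precinct": precinct,
                "candidate": candidate, "delta": delta, "reason": reason}
        self.entries.append({**body, "hash": _digest(prev, body)})
        return self.entries[-1]["hash"]  # head hash, to be witnessed off-system

    def precinct_totals(self):
        totals = defaultdict(int)
        for e in self.entries:
            totals[(e["precinct"], e["candidate"])] += e["delta"]
        return dict(totals)

    def summary_totals(self):
        # Computed from the precinct detail, never stored in a second table.
        totals = defaultdict(int)
        for (_, candidate), n in self.precinct_totals().items():
            totals[candidate] += n
        return dict(totals)


def verify(entries, witnessed_head):
    """Return a list of integrity problems; an empty list means the log is intact."""
    problems, prev = [], GENESIS
    for i, e in enumerate(entries, start=1):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence number is {e['seq']}")
        if _digest(prev, body) != e["hash"]:
            problems.append(f"entry {i}: hash chain broken")
        prev = e["hash"]
    if prev != witnessed_head:
        problems.append("head hash differs from witnessed value")
    return problems


def build_sample():
    """Constructed sample data: precinct P2's batch for A is scanned twice."""
    j = VoteJournal()
    j.append("op-1", "P1", "A", 120, "upload")
    j.append("op-1", "P1", "B", 95, "upload")
    j.append("op-2", "P2", "A", 80, "upload")
    j.append("op-2", "P2", "A", 80, "upload")
    head = j.append("clerk-7", "P2", "A", -80, "correction: batch scanned twice")
    return j, head


def delete_and_renumber(entries, index):
    """Simulate the edit the article describes: drop a row, rewrite log numbers."""
    edited = copy.deepcopy(entries)
    del edited[index]
    for i, e in enumerate(edited, start=1):
        e["seq"] = i
    return edited


if __name__ == "__main__":
    journal, head = build_sample()
    print(journal.summary_totals())
    print(verify(journal.entries, head))
    print(verify(delete_and_renumber(journal.entries, 1), head))
    print(verify(journal.entries[:-1], head))
```

The renumbered copy has a gap-free sequence, which is exactly what an editable log number permits, yet every entry after the deleted one fails the chain check. Truncating the tail leaves the chain valid and is caught only by comparing against a head hash recorded outside the system, for example printed and signed by observers.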
