Diebold Internal Mail Confirms U.S. Vote Count Vulnerabilities
By Alastair Thompson
Scoop has obtained internal mail messages from Diebold Election Systems which clearly and explicitly confirm security problems in the GEMS vote counting software that were highlighted in reports published on Scoop.co.nz and widely elsewhere in July.
In the internal mail Diebold Election Systems principal engineer R&D Ken Clark - then working for Global Election Systems before Diebold took the company over - responded to an internal query over a security problem. The official certification laboratory responsible for assessing the robustness of the voting technology company's software had noticed a problem, and a staff member was seeking Clark's advice.
Diebold Election Systems technical writer R&D Nel Finberg wrote to the "support" list on 16th October 2001: "Jennifer Price at Metamor (about to be Ciber) [this is the certification lab responsible for certifying all United States voting software] has indicated that she can access the GEMS Access database and alter the Audit log without entering a password. What is the position of our development staff on this issue? Can we justify this? Or should this be anathema?"
The "GEMS Access database" that Finberg refers to is a piece of computer software which is loaded onto county election supervisors' computers. It is responsible for tallying votes from county precinct voting booths; these results are typically sent by modem to the central computer.
Significantly, this software is responsible for tallying all votes: optical scan, touchscreen and absentee ballots. It was this software that Scoop initially reported was all too easy to hack in its July 8th report from Bev Harris.
In reply to Finberg's query Clark responded with an astonishingly frank posting which clearly confirms most of the worst aspects of the GEMS system security outlined by Harris in her July report.
Clark: "Right now you can open GEMS' .mdb file with MS-Access, and alter its contents. That includes the audit log. This isn't anything new. In VTS, you can open the database with progress and do the same. The same would go for anyone else's system using whatever database they are using. Hard drives are read-write entities. You can change their contents.
Now, where the perception comes in is that it's right now very *easy* to change the contents. Double click the .mdb file. Even technical wizards at Metamor (or Ciber, or whatever) can figure that one out." (Clark's full email response is attached below)
In these two paragraphs Clark confirms:
- That anyone using an off-the-shelf copy of Microsoft Access can freely open and alter the election tally database;
- That in doing so they can also edit the audit log (which is hyped in sales literature as preventing tampering) thereby removing any evidence of their tampering;
- That these security flaws have been in place for a considerable period of time.
Clark here confirms the findings about GEMS first reported by Bev Harris and recently demonstrated by San Luis Obispo county voting activist Jim March.
CORRECTION/CLARIFICATION 29/11/2003: Scoop's copies of the memos used for this article and others were supplied by "Black Box Voting in the 21st Century" author Bev Harris.
WHERE THE INTERNAL MAIL CAME FROM
The internal Diebold Election Systems – then Global Election Systems – communications come from a database of Diebold Election Systems support staff internal communications which Wired Magazine reported on August 7th had been sent to the media.
"The unidentified attacker provided Wired News with an archive containing 1.8 GB of files apparently taken March 2 from a site referred to by the Ohio-based company as its 'staff website.'" Wired reported.
At the time of the breach Wired quoted representatives of Diebold Election Systems, saying the company was investigating the security breach and reviewing the contents of the archive.
"Director of Communications John Kristoff said the stolen files contained 'sensitive' information, but he said Diebold is confident that the company's electronic voting system software has not been tampered with," Wired reported.
Reading further in the internal mail folder we discover how Global Election Systems responded to the software certification company Metamor, and how it is possible that these security flaws – noted by the certifiers in October 2001 – came to still be present in software found on the insecure Diebold Election Systems FTP site in early 2003.
Clark continues: "Bottom line on Metamor is to find out what it is going to take to make them happy. You can try the old standard of the NT password gains access to the operating system, and that after that point all bets are off. You have to trust the person with the NT password at least. This is all about Florida, and we have had VTS certified in Florida under the status quo for nearly ten years.
"I sense a losing battle here though. The changes to put a password on the .mdb file are not trivial and probably not even backward compatible, but we'll do it if that is what it is going to take."
As it turns out Clark was wrong. His battle to maintain an easily compromisable vote counting software architecture was entirely successful.
Nel Finberg's response to Ken shows the official software certification laboratory bought "the old standard" explanation hook, line and sinker – notwithstanding the fact that this is in fact no solution at all, and that even Clark is acknowledging this to be the case.
Finberg: "Thanks for the response, Ken. For now Metamor accepts the requirement to restrict the server password to authorized staff in the jurisdiction, and that it should be the responsibility of the jurisdiction to restrict knowledge of this password. So no action is necessary in this matter, at this time."
And so in other words nothing was done. The security hole was left wide open for Bev Harris to discover this year.
Moreover Clark is saying here in his reference to Florida that this hole has been open for at least a decade!
In layman's terms the effect of the above is to show this.
The election supervisor or anyone else with administrator access to the Windows NT machine running the tally - which is hackable by definition as Windows NT is hackable - can alter the vote tally in the course of an election and delete any evidence of their tampering with impunity. All they would need to know, as Bev Harris exposed recently, is that they need a copy of Microsoft Access. And this software need not even be located on the machine that is being tampered on.
Moreover if Clark is to be taken at his word (see below) then the fact that Microsoft Access can be used in this way is fairly well known in election supervisor circles. Clark refers in his email (read in full below) to "fancy footwork" being done in Gaston County, and to King County, Washington State, being "famous" for end-running the database – a phrase which on its face appears to mean hacking with the election tallying database.
And so in a single email message Diebold Election Systems' Ken Clark has effectively placed not only his own competence and integrity into question, but also that of the official voting software certification lab and that of numerous election officials. And remember that this is just one of well over 15,000 Diebold Election Systems internal mail messages that are now in public circulation.
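Clark's email (EMAIL 2 in the appendices) argues that a password on the .mdb file proves little, mentions "clever crypto techniques", and notes that log printers are not read-write. As an added illustration, not Diebold's code and not anything contained in the emails, the Python sketch below hash-chains audit records and copies each record hash to a write-once medium standing in for the log printer; the record layout, sample entries and function names are assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64
# Constructed sample audit entries (illustrative, not real GEMS records).
SAMPLE = [
    {"user": "admin", "action": "open election database"},
    {"user": "admin", "action": "upload precinct 12 results"},
    {"user": "admin", "action": "print summary report"},
]

def entry_hash(prev_hash, entry):
    """Hash of one entry bound to the hash of the record before it."""
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(log, entry):
    """Append an entry; the returned hash is what goes to the write-once medium."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev": prev, "hash": entry_hash(prev, entry)})
    return log[-1]["hash"]

def build_sample():
    """Return (log, printed): printed maps record index -> hash on 'paper'."""
    log, printed = [], {}
    for i, entry in enumerate(SAMPLE):
        printed[i] = append(log, dict(entry))
    return log, printed

def rewrite_chain(log, index, new_entry):
    """Model an editor with full write access who recomputes every later hash."""
    prev = log[index]["prev"]
    log[index]["entry"] = new_entry
    for rec in log[index:]:
        rec["prev"], rec["hash"] = prev, entry_hash(prev, rec["entry"])
        prev = rec["hash"]

def verify(log, printed):
    """Return the index of the first bad or missing record, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["entry"]):
            return i
        if i in printed and printed[i] != rec["hash"]:
            return i
        prev = rec["hash"]
    # A printed hash with no matching record means the log was truncated.
    return len(log) if any(i >= len(log) for i in printed) else -1
```

After `rewrite_chain`, `verify(log, {})` still reports the log as intact, because the chain holds no secret and lives in the same writable file; only the comparison against hashes kept outside the database flags the altered record.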
Watch this space for more….
(For further information on how easy it is to tamper with GEMS see "Inside A U.S. Election Vote Counting Program":
Part 1: Can the votes be changed?
Part 2: Can the password be bypassed?
Part 3: Can the audit log be altered?)
APPENDICES:
EMAIL 1
To: "support"
Subject: alteration of Audit Log in Access
From: "Nel Finberg"
Date: Tue, 16 Oct 2001 23:31:30 -0700
Importance: Normal
Jennifer Price at Metamor (about to be Ciber) has indicated that she can access the GEMS Access database and alter the Audit log without entering a password. What is the position of our development staff on this issue? Can we justify this? Or should this be anathema?
Nel
EMAIL 2
To: "support"
Subject: RE: alteration of Audit Log in Access
From: "Ken Clark"
Date: Thu, 18 Oct 2001 09:55:02 -0700
Importance: Normal
It's a tough question, and it has a lot to do with perception. Of course everyone knows perception is reality.
Right now you can open GEMS' .mdb file with MS-Access, and alter its contents. That includes the audit log. This isn't anything new. In VTS, you can open the database with progress and do the same. The same would go for anyone else's system using whatever database they are using. Hard drives are read-write entities. You can change their contents.
Now, where the perception comes in is that it's right now very *easy* to change the contents. Double click the .mdb file. Even technical wizards at Metamor (or Ciber, or whatever) can figure that one out.
It is possible to put a secret password on the .mdb file to prevent Metamor from opening it with Access. I've threatened to put a password on the .mdb before when dealers/customers/support have done stupid things with the GEMS database structure using Access. Being able to end-run the database has admittedly got people out of a bind though. Jane (I think it was Jane) did some fancy footwork on the .mdb file in Gaston recently. I know our dealers do it. King County is famous for it. That's why we've never put a password on the file before.
Note however that even if we put a password on the file, it doesn't really prove much. Someone has to know the password, else how would GEMS open it. So this technically brings us back to square one: the audit log is modifiable by that person at least (read, me). Back to perception though, if you don't bring this up you might skate through Metamor.
There might be some clever crypto techniques to make it even harder to change the log (for me, the guy with the password that is). We're talking big changes here though, and at the moment largely theoretical ones. I'd doubt that any of our competitors are that clever.
By the way, all of this is why Texas gets its sh*t in a knot over the log printer. Log printers are not read-write, so you don't have the problem. Of course if I were Texas I would be more worried about modifications to our electronic ballots than to our electron logs, but that is another story I guess.
Bottom line on Metamor is to find out what it is going to take to make them happy. You can try the old standard of the NT password gains access to the operating system, and that after that point all bets are off. You have to trust the person with the NT password at least. This is all about Florida, and we have had VTS certified in Florida under the status quo for nearly ten years.
I sense a losing battle here though. The changes to put a password on the .mdb file are not trivial and probably not even backward compatible, but we'll do it if that is what it is going to take.
Ken
EMAIL 3
To: "support"
Subject: RE: alteration of Audit Log in Access
From: "Nel Finberg"
Date: Wed, 17 Oct 2001 14:48:16 -0700
Importance: Normal
Thanks for the response, Ken. For now Metamor accepts the requirement to restrict the server password to authorized staff in the jurisdiction, and that it should be the responsibility of the jurisdiction to restrict knowledge of this password. So no action is necessary in this matter, at this time.
Nel
Bev Harris is author of Black Box Voting: Ballot Tampering In The 21st Century. See http://www.blackboxvoting.com/ and its activist arm http://www.blackboxvoting.org/. For more background and live news links on this news subject see also Scoop's Special Feature – A Very American Coup.