FW: Problems with El Paso County Diebold election machines

["Paul Tiger" <paul.tiger@xxxxxxxxxxxx>]

-----Original Message-----
From: Dr. Charles E. Corry [mailto:ccorry@xxxxxxxx]
Sent: Sunday, September 12, 2004 10:26 AM
To: Wayne Williams (Dist 1); Tom Huffman (Dist 2); Chuck Brown (Dist 3);
Jeri Howells (Dist 4); Jim Bensberg (Dist 5)
Cc: Douglas Bruce; Sallie and Welling Clark; Dennis Hisey; Robert Balink;
Terry Sholdt; John Gardner; Bill Compton; Ed Quillen; Kevin Simpson; Ed
Sealover; Joe Barber; Mike Cacioppo; Michael Gardner; Lou Kilzer RMN; Rep.
Dave Schultheis; Senator Andy McElhany; Senator Ron May; Rep. Keith King
Subject: Problems with El Paso County Diebold election machines

Dear El Paso County Commissioners,
    On August 31st I sent the County Clerk, Robert Balink, the following
notice of a severe security problem with the Diebold election system used in
this county, together with the included documentation of the issue. Bill
Compton, Esq., elections director for the State of Colorado, was also copied
on the notice.
     As of this date I have not received any acknowledgement or response
from either Mr. Balink or Mr. Compton.
     Ms. Bev Harris, the author of the security report below, has a
well-established track record of accurately describing problems with the
Diebold election system in use here. Other authors, e.g. Bill Vaughn, are
describing our system as  Toy Voting Machines
<http://www.processor.com/editorial/article.asp?article=articles%2Fp2636%2F0
6bp36%2F06bp36%2Easp&guid=2355A4F03BF04EA79CC16DB6527DAAA0&searchtype=&WordL
ist=&bJumpTo=True> . Publications as diverse as Vanity Fair (April 2004) and
Playboy (September 2004), and as prestigious as the New York Times
<http://nytimes.com/ref/opinion/making-votes-count.html?pagewanted=all>
(almost every week for months), have been carrying article after article
describing the problems and failures of Diebold election systems. There can
be no question at this point that the shortcomings of Diebold voting
equipment are real and pose a definite threat to the integrity of our
elections. Yet I can't even get a response or acknowledgement from our
County Clerk that he is aware of the problems, nor what steps he may or may
not have taken to fix them.
     It is no secret that El Paso County hopes to double their sales tax in
the coming election, and that school districts also have tax measures on the
ballot. In other areas, e.g., Riverside County, California, such measures
have mysteriously passed after a switch to electronic vote counting despite
having been repeatedly defeated in previous elections. And that says nothing
of the fact this is a presidential and senatorial election where citizen
confidence in the entire election process is at stake due to the effectively
infinite number of reported election problems involving electronic voting
machines, e.g. see Vote Fraud and Election Issues
<http://www.ejfi.org/Voting/Voting.htm> .
     There is also the open question of whether the Diebold election system
currently in use in this county has been tested and certified. In August I
once again asked the Deputy County Clerk, Terry Sholdt, if she would obtain
current certification for the Diebold election system from the Secretary of
State. On August 9th, Deputy Clerk Sholdt sent me the following email:
  _____

Subject: RE: forwarding a question about voting in Colorado
Date: Mon, 9 Aug 2004 08:03:44 -0600
To: "Dr. Charles E. Corry" <ccorry@xxxxxxxx>,
        "Ruth Barton" <RBarton@xxxxxxxxxxxxxxxxxxx>
Cc: "Robert Balink" <RobertBalink@xxxxxxxxxxxx>

Dr. Corry,

I have forwarded your request for the certifications to Drew Durham,
Director of HAVA for the Secretary of State.

Terry Sholdt
Chief Deputy
  _____

However, no documentation for the certification of the Diebold election
system has yet been received. Thus, to the best of my knowledge, the coming
election will be conducted with uncertified voting equipment.
     Supposed testing by "Independent" Testing Authorities (ITAs) isn't. The
ITAs are hired and paid by the voting equipment manufacturers, e.g.,
Diebold. Further, the testing methods and results used by the ITAs are
secret. But what has leaked clearly shows what testing does take place is
minimal, the competency of the individuals and laboratories doing the work
has been severely questioned, and the testing is demonstrably grossly
inadequate.
      Having been a member of the IEEE Voting Equipment Standards
<http://grouper.ieee.org/groups/scc38/1583/>  committee since its inception,
I am all too painfully aware that no uniform standards exist to which our
electronic voting machines can be tested.
     Therefore, it is incumbent upon our county election officials, namely
Mr. Balink and his staff, to take all reasonable steps and precautions to
ensure the Diebold equipment that is, unfortunately, currently being used is
as secure and accurate as possible in the coming election. As Mr. Balink and
his staff have been very cooperative in the past, I am extremely
disappointed at the lack of response from him and his staff to the grave
security threat described below.

Requests
      I call on the El Paso County Commission to request a public report
from the County Clerk on what steps he has taken to ensure the security of
the Diebold system he is using, e.g., removal of all modem connections to
precincts or elsewhere, background checks on any and all individuals,
especially Diebold employees or temps, who had, have or will have access to
the voting equipment, a moratorium on the use of his DREs, etc. Most such
reasonable precautions that can be accomplished prior to the coming election
are outlined in the article by Ms. Harris below.
      Further, computer security is a subject beyond the established scope
and competence of Mr. Balink and his staff. As many of the United States
best experts on computer security work and reside in El Paso County, I call
on the County Commission to establish a citizen committee of computer
security experts to review the measures taken by the County Clerk and to
suggest such further precautions that might reasonably be instituted to
ensure a fair, open, and honest election this November, as well as in
succeeding years. I feel confident such individuals, who hold or have held
the highest security clearances this nation awards, can be trusted to keep
any information confidential that may be provided them during such an
investigation. A nondisclosure agreement signed by each member of such a
committee might also be deemed reasonable.
      Thank you for you help in this, an issue that is a cornerstone of our
democracy.
Charles E. Corry, Ph.D., F.G.S.A.
  _____

President, Equal Justice Foundation http://www.ejfi.org/
455 Bear Creek Road
Colorado Springs, Colorado 80906-5820
Telephone: (719) 520-1089
Personal home page: http://corry.ws
Curriculum vitae:
http://www.marquiswhoswho.net/charleselmocorry/Default.aspx

The good men may do separately is small compared with what they may do
collectively.
Benjamin Franklin
  _____


Date: Tue, 31 Aug 2004 06:28:45 -0600
To: Robert Balink <RobertBalink@xxxxxxxxxxxx>
From: "Dr. Charles E. Corry" <ccorry@xxxxxxxx>
Subject: Diebold GEMS security problem
Cc: "Bill Compton" <Bill.Compton@xxxxxxxxxxxxxxx>
Bcc:
X-Attachments:
Dear Mr. Balink,
     I have copied below portions of a recent article
<http://www.blackboxvoting.org/?q=node/view/78>  documenting a severe
security problem with the Diebold GEMS software in use in El Paso County
elections. Despite the sensationalism inherent in her reporting, the level
of detail and documentation, combined with the credibility the author has
established through her previous efforts, leaves little doubt that the
problem she describes exists.
    Further, the probability for exploitation of this security hole in
Diebold's GEMS software is sufficiently high that, in my professional
opinion, this breach constitutes a palpable threat to the integrity of the
forthcoming election in this county and other counties in Colorado using
Diebold election systems.
     In her article Ms. Harris proposes a series of straightforward remedial
measures that could easily be implemented prior to the November election. I
note that you already have some of the measures she recommends in place but
urge you and your elections department to follow through with the rest of
the steps necessary to close this "backdoor."
     As one can reasonably predict that Ms. Harris' article will draw
national attention, may I suggest that you also provide a public description
of the steps you have taken to alleviate this threat when they have been
completed.
     If I can be of any further help in this matter I would be glad to offer
my services.
     Your attention to this critical threat to the security of our elections
is deeply appreciated.
Charles E. Corry, Ph.D., F.G.S.A.
cc: Bill Compton, Esq., Colorado Elections Director

  _____



Diebold GEMS central tabulator contains a stunning security hole
by Bev Harris
http://www.blackboxvoting.org/?q=node/view/78

Issue

A vote manipulation technique has been found in the Diebold central
tabulator. By entering a 2-digit code in a hidden location, a second set of
votes is created. This set of votes can be changed, so that it no longer
matches the correct votes. The voting system will then read the totals from
the bogus vote set. It takes only seconds to change the votes, and to date
not a single location in the U.S. has implemented security measures to fully
mitigate the risks.

This program is not "stupidity" or sloppiness. It was designed and tested
over a series of a dozen version adjustments.

Whether you vote absentee, on touch-screens, or on paper ballot (fill in the
bubble) optical scan machines, all votes are ultimately brought to the
"mother ship," the central tabulator at the county which adds them all up
and creates the results report.
These systems are used in over 30 states and each counts up to two million
votes at once.
The central tabulator is far more vulnerable than the touch screen
terminals. Think about it: If you were going to tamper with an election,
would you rather tamper with 4,500 individual voting machines, or with just
one machine, the central tabulator which receives votes from all the
machines? Of course, the central tabulator is the most desirable target.
Public officials

If you are in a county that uses GEMS 1.18.18, GEMS 1.18.19, or GEMS
1.18.23, your secretary or state may not have told you about this. You're
the one who'll be blamed if your election is tampered with. Find out for
yourself if you have this problem: Black Box Voting will be happy to walk
you through a diagnostic procedure over the phone. E-mail Bev Harris or Andy
Stephenson to set up a time to do this.

Findings

The GEMS central tabulator program is incorrectly designed and highly
vulnerable to fraud. Election results can be changed in a matter of seconds.
Part of the program we examined appears to be designed with election
tampering in mind. We have also learned that election officials maintain
inadequate controls over access to the central tabulator. We need to beef up
procedures to mitigate risks.

Much of this information, originally published on July 8, 2003, has since
been corroborated by formal studies (RABA) and by Diebold's own internal
memos written by its programmers.
Not a single location has yet implemented the security measures needed to
mitigate the risk. Yet, it is not too late. We need to tackle this one,
folks, roll up our sleeves, and implement corrective measures.
In November 2003, Black Box Voting founder Bev Harris, and director Jim
March, filed a Qui Tam lawsuit in California citing fraudulent claims by
Diebold, seeking restitution for the taxpayer. Diebold claimed its voting
system was secure. It is, in fact, highly vulnerable to and appears to be
designed for fraud.

Problems with GEMS Central Tabulator

This problem appears to demonstrate intent to manipulate elections, and was
installed in the program under the watch of a programmer who is a convicted
embezzler.
According to election industry officials, the central tabulator is secure,
because it is protected by passwords and audit logs. But it turns out that
the GEMS passwords can easily be bypassed, and the audit logs can be altered
and erased. Worse, the votes can be changed without anyone knowing,
including the officials who run the election.
Multiple sets of books

The GEMS program runs on a Microsoft Access database. It typically receives
incoming votes by modem, though some counties follow better security by
disconnecting modems and bringing votes in physically.

GEMS stores the votes in a vote ledger, built in Microsoft Access. Any
properly designed accounting program will allow only one set of books. You
can't enter your expense report in three different places. All data must be
drawn from the same place, and multiple versions are never acceptable. But
in the files we examined, we found that the GEMS system contained three sets
of "books."
The elections official never sees the different sets of books. All she sees
is the reports she can run: Election summary (totals, county wide) or a
"Statement of Votes Cast" (totals for each precinct). She has no way of
knowing that her GEMS system uses a different set of data for the detail
report (used to spot check) than it does for the election totals. The Access
database, which contains the hidden set of votes, can't be seen unless you
know how to get in the back door - which takes only seconds.
Ask an accountant

It is never appropriate to have two sets of books inside accounting
software. It is possible to do computer programming to create two sets of
books, but dual sets of books are prohibited in accounting, for this simple
reason: Two sets of books can easily allow fraud to go undetected.
Especially if the two sets are hidden from the user.

A hidden trigger

The data tables in accounting software automatically link up to each other
to prevent illicit back door entries. In GEMS, however, by typing a
two-digit code into a hidden location, you can decouple the books, so that
the voting system will draw information from a combination of the real votes
and a set of fake votes, which you can alter any way you see fit.
That's right, GEMS comes with a secret digital "on-off" switch to link and
unlink its multiple vote tables. Someone who tests GEMS, not knowing this,
will not see the mismatched sets of books. When you put a two-digit code
into a secret location can you disengage the vote tables, so that tampered
totals table don't have to match precinct by precinct results. This way, it
will pass a spot check - even with paper ballots - but can still be rigged.
How and when did the double set of books get into GEMS?

Black Box Voting has traced the implementation of the double set of books to
October 13, 2000, shortly after embezzler Jeffrey Dean became the senior
programmer. Dean was hired as Vice President of Research and Development in
September 2000, and his access to the programs is well documented through
internal memos from Diebold. The double set of books appeared in GEMS
version 1.17.7.

Almost immediately, according to the Diebold memos, another Diebold
programmer, Dmitry Papushin, flagged a problem with bogus votes appearing in
the vote tables. The double set of books remained, though, going through
several tweaks and refinements. From the time Jeffrey Dean was hired in
September, until shortly before the Nov. 2000 election, GEMS went through
over a dozen changes, all retaining the new hidden vote tables.

For four years, anyone who has known how to trigger the double set of books
has been able to use, or sell, the information to anyone they want.
Black Box Voting Associate Director Andy Stephenson has obtained the court
and police records of Jeffrey Dean. It is clear that he was under severe
financial stress, because the King County prosecutor was chasing him for
over $500,000 in restitution.
During this time, while Jeffrey Dean was telling the prosecutor (who
operated from the ninth floor of the King County [Washington] Courthouse)
that he was unemployed, he was in fact employed, with 24-hour access to the
King County GEMS central tabulator - and he was working on GEMS on the fifth
floor of the King County Courthouse. (Dean may now be spending his nights on
the tenth floor of the same building; after our investigations appeared in
Vanity Fair and the Seattle Times, Dean was remanded to a work release
program, and may be staying in the lockup in the courthouse now.)
Jeffrey Dean, according to his own admissions, is subject to blackmail as
well as financial pressure over his restitution obligation. Police records
from his embezzlement arrest, which involved "sophisticated" manipulation of
computer accounting records, report that Dean claimed he was embezzling in
order to pay blackmail over a fight he was involved in, in which a person
died.
So now we have someone who's admitted that he's been blackmailed over
killing someone, who pleaded guilty to 23 counts of embezzlement, who is
given the position of senior programmer over the GEMS central tabulator
system that counts approximately 50 percent of the votes in the elections in
30 states, both paper ballot and touch screen.
And just after he is hired, multiple sets of books appear in GEMS, which can
be decoupled, so that they don't need to match, by typing in a secret
2-digit code in a specific location.
Dr. David Jefferson, technical advisor for California voting systems, told
Black Box Voting that he could see no legitimate reason to have the double
set of books in a voting program. He surmised that it might be incredible
stupidity.
Dr. Jefferson should speak to Jeffrey Dean's partners and those who worked
with him. "Stupid" is not how he is described. The descriptions we get, from
Dean's former business partner, and from others who worked with him, are
"sophisticated," "cunning," "very bright," "highly skilled," and "a con
man."

This is the man who supervised the programming for GEMS when the multiple
set of books was installed. Diebold, however, is the company that did
nothing about it.
Internal memos show that Dean was sent the passwords to the GEMS 1.18.x
files months after Diebold took over the elections company. Diebold clearly
did not examine the GEMS program before selling it, or, if it did, chose not
to correct the flaws. And after exposing this problem in 2003, Diebold still
failed to correct it.
Elections were run on this tamper-inviting system for more than three years,
and anyone who knew could sell the vote-tampering secrets to anyone they
wanted to, at any time.
It has been a year since this report was first printed, and Diebold has
never explained any legitimate reason for this design, which is rather
elegant and certainly is not accidental.
More GEMS problems, and why current solutions/explanations won't work
But do new security measures solve the problem?

The MS Access database is not passworded and can be accessed illicitly
through the back door simply by double-clicking the vote file. After we
published this report, we observed unpassworded access on the very latest,
GEMS 1.18.19 system in a county elections office.
Some locations removed the Microsoft Access software from their GEMS
computer, leaving the back door intact but, essentially, removing the
ability to easily view and edit the file.

However, you can easily edit the election, with or without Microsoft Access
installed on the GEMS computer. As computer security expert Hugh Thompson
demonstrated at the August 18 California Secretary of State meeting, you
simply open any text editor, like "Notepad," and type a six-line Visual
Basic Script, and you own the election.

Some election officials claim that their GEMS central tabulator is not
vulnerable to this back door, because they limit access to the GEMS
tabulator room and they require a password to turn on the GEMS computer.
However...
Any county that uses modems to transfer votes may inadvertently be giving
control of the entire central tabulator to anyone who gets at the computer
through the modem phone lines (even if it is not attached to the Internet).
This allows Diebold, or any individual, to manipulate votes at their
leisure, from any personal computer anywhere in the world.
Let's talk about getting at the central tabulator through telephone lines

Mohave County, Arizona, for example, has six modems attached to its GEMS
computer on election night. King County, Washington has had up to four dozen
modems attached at once.
You will hear that the GEMS machine is stand alone, and is never connected
to the Internet. It does have an Internet component, called "jresults," but
nowadays most counties say that they do not hook GEMS up to the Internet.
They say that they remove the disk from the GEMS computer and physically
take it to another computer, from whence the Internet feed comes. Very
nice - BUT:
You can access a computer through phone lines as well as through the
Internet. In fact, famous hacker Kevin Mitnick liked to hack through
telephone lines, not the Internet.
If you have the dial-in numbers, it is possible to get at the GEMS computer
from anywhere, using RAS. The dial-in protocols are given to poll workers,
many people in Diebold have them, lots of temps have them, and the
configurations have been sitting on the Internet for several years.
What if your county doesn't use any modems at all?

That's excellent, but here's what we found: Harris and Stephenson visited
county elections officials to ask for lists of names. We asked who was
allowed to access the central tabulator, after it was already turned on, and
who is given a password and permission to sit at the terminal?
Several officials told us they don't keep a list. Those who did, gave us the
names of too many people - County employees (sometimes limited to one or
two). Diebold employees. Techs who work for the county, like county database
technicians, also get access to GEMS. Printshops who do the ballots have
some access also.
Diebold "contractors," who are temporary workers hired by subcontractors to
Diebold were also reported to have gained access to the GEMS tabulator.
(Diebold accounts payable reports obtained by Black Box Voting indicate that
Diebold advertises for temps on Monster.com, hotjobs.com, and uses several
temporary employment firms, including Coast to Coast Temporary, Ran Temps
Inc, and also works with many subcontractors, like Wright Technologies,
Total Technical Services, and PDS Technical Services.)

What if there is a password even to get onto the GEMS computer itself?

There usually is. The problem is this: Once that computer is open and
running GEMS (on election night, for example), that password doesn't much
matter. Votes are pouring in pell-mell, and they aren't about to shut that
computer down until hours later, sometimes days later.
Also, Black Box Voting found another problem with the design of GEMS: Check
out the Audit Log, which is supposed to record everything that happens. In
every database, you find everyone logging is as the same person, "admin."
There is a reason for this. We did not find a way in GEMS to log in as a new
user unless you close GEMS and reopen the file. Now who, on election night,
with votes pouring in, is going to close and reopen the file? They don't.
Instead, everyone calls themselves the same name, "admin," thereby ruining
the audit log (which can be easily erased and changed anyway.)

What about counties that limit access to just one person, the county
elections supervisor?

We've found nowhere that actually does this. The reason: Elections officials
are dependent on the vendor, Diebold, during the election.
Suppose we have a computer whiz county official who is the only person who
can access GEMS?
Unlikely, but if you do: "Trust, but verify." We should never have to trust
the sanctity of a million votes to just one person.

The following things can be done when you go in the back door in GEMS using
Microsoft Access

*         You can change vote totals.
*         You can change flags, which act as digital "on-off" switches, to
cause the program to function differently.
According to internal Diebold memos, there are 32 combinations of on-off
flags. Even the programmers have trouble keeping track of all the changes
these flags can produce.
*         You can alter the audit log.
*         You can change passwords, access privileges, and add new users.

Let's talk about passwords

How many people can have passwords to GEMS? A sociable GEMS user can give
all his friends access to the vote database. We added 50 people, and gave
them all the same password, which was "password" - so far, we haven't found
a limit to how many people can be granted access to the election database.
Election meltdown

We found that you can melt down an election in six seconds, simply by using
the menu items in GEMS. You can destroy all data with two mouse clicks, and
with four mouse clicks, you can destroy the configuration of the election
making it very difficult to reload the original data.
Does GEMS even work as advertised?

According to testimony given before the Cuyahoga Elections Board, the
Microsoft Access database design used by Diebold's GEMS program apparently
becomes unstable with high volume input. This problem, according to Diebold,
resulted in thousands of votes being allocated to the wrong candidate in San
Diego County in March 2004.
The Audit Log

Britain J. Williams, Ph.D., is the official voting machine certifier for the
state of Georgia, and he sits on the committee that decides how voting
machines will be tested and evaluated. Here's what he had to say about the
security of Diebold voting machines, in a letter dated April 23, 2003:
"Computer System Security Features: The computer portion of the election
system contains features that facilitate overall security of the election
system. Primary among these features is a comprehensive set of audit data.
For transactions that occur on the system, a record is made of the nature of
the transaction, the time of the transaction, and the person that initiated
the transaction. This record is written to the audit log. If an incident
occurs on the system, this audit log allows an investigator to reconstruct
the sequence of events that occurred surrounding the incident.

Since Dr. Williams listed the audit data as the primary security feature, we
decided to find out how hard it is to alter the audit log.
We went in the front door in GEMS and added a user named "Evildoer." We had
Evildoer perform various functions, including running reports to check his
vote-rigging work, but only some of his activities showed up on the audit
log. When we had Evildoer melt down the election, by hitting "reset
election" and declining to back up the files, he showed up in the audit log.

No matter. It was a simple matter to eliminate Evildoer. We went in through
the back door and simply deleted all the references to Evildoer.
Microsoft Access encourages those who create audit logs to use
auto-numbering, so that every logged entry has an uneditable log number.
Then, if one deletes audit entries, a gap in the numbering sequence will
appear. However, we found that this feature was disabled, allowing us to
write in our own log numbers. We were able to add and delete from the audit
without leaving a trace.
Could the double set of books be legitimate?