24 October 2003
This doesn't affect me since I can't vote in the US but if I could it would concern me a lot.
Diebold, the maker of new voting machines that are supposed to replace the chad ones such as in Florida, seems to have a major problem with them. But rather than come clean and fix the problem it seems it would prefer to spin and try to get its critics silenced.
From this Salon article (http://www.salon.com/tech/feature/2003/09/23/bev_harris/index_np.html )
But according to Bev Harris, a writer who has spent more than a year investigating the shadowy world of the elections equipment industry, the replacement technologies the court cited may be worse -- much worse -- than the zany punch-card systems it finds so abhorrent. Specifically, Harris' research into Diebold, one of the largest providers of the new touch-screen systems, ought to give elections officials pause about mandating an all-electronic vote.
Harris has found critical flaws in Diebold's voting software, and she's uncovered internal Diebold memos in which employees seem to suggest that the vulnerabilities are no big deal. The memos appear to be authentic -- Diebold even sent Harris a notice warning her that by posting the documents on the Web, she was infringing upon the company's intellectual property. Diebold did not return several calls for comment.
...
Tell me about the flaw you uncovered in the Diebold system.
Well, we uncovered a few problems in the memos, but the first one that we published specifically supported the flaw that I wrote about in July of 2003. And to my surprise these memos admitted they were aware of the flaw, and it was actually brought to their attention by Ciber labs -- which is a certifier -- in October 2001, and they made a decision not to fix it.
So it was brought to their attention two years ago?
Right.
So what was the flaw?
Specifically the flaw was that you can get at the central vote-counting database through Microsoft Access. They have the security disabled. And when you get in that way, you are able to overwrite the audit log, which is supposed to log the transactions, and this [audit log] is one of the key things they cite as a security measure when they sell the system.
So you can break in and then hide your tracks.
You don't even need to break in. It will open right up and in you go. You can change the votes and you can overwrite the audit trail. It doesn't keep any record of anything in the audit trail when you're in this back door, but let's say you went in the front door and you didn't want to have anything you did there appear anywhere -- you can then go in the backdoor and erase what you did.
Who would have access to this? Are we talking about elections officials?
A couple situations. Obviously anybody who has access to the computer, whether that's the election supervisor, their assistants, the IT people, the janitor -- anybody who has access to the computer can get into it.
Where is this computer � is there one per county?
Yes, there's one per county.
The other situation would be supposing someone gets in by either hacking the telephone system or by going backwards in through the Internet, because the Internet does connect to these GEMS computers, even though they deny it. A lot of the press watches election results come in on the Web and what they're watching is actually being uploaded directly off the GEMS computer.
These computers in the counties are connected to the Internet, and someone can go through the Internet --
-- and just go into it, correct. It would be as the results are uploading. You see, they make a big point of the fact that there's no Internet connection to the voting machine, but that's sort of parsing the issue. That's true, in the polling places there's no Internet connection, but the voting machines connect into the GEMS machine through modem. And the GEMS machine then connects to the Internet, and that's what the press watches.
A gentleman in California, Jim Marsh, has a site whence it is possible to download the GEMS software in a form that can be installed on computers running a wide variety of Microsoft Windows versions.
In fact the more I read about this the more I wonder just "what were they thinking?". Essentially they seem to be relying on misdirection and security through obscurity as a way to evade what would probably be a large and expensive recall of the machines. In my opinion trust in the democratic process is more important than the financial costs of a bungling corporation. More critically, I believe this demonstrates potentially criminal negligence.
Using Microsoft Access was inappropriate for security reasons. Using multiple sets of books, and/or altering vote totals to include new data, is improper for accounting reasons. And, as a member of slashdot.org commented, "This is not a bug, it's a feature."
From http://www.scoop.co.nz/mason/stories/HL0307/S00065.htm
I am not in any way endorsing the various "Electronic Civil Disobedience" steps being taken by some of the "anti-Diebold" lobby (see http://www.kuro5hin.org/story/2003/10/21/2367/2543 and various other places) but it does seem to me that Diebold is going about this the wrong way.
More links:
http://www.jerrypournelle.com/mail/mail266.html#vote
http://www.theinquirer.net/?article=12180
http://www.theinquirer.net/?article=12243
http://www.theinquirer.net/?article=12261
http://www.wired.com/news/print/0,1294,60927,00.html
http://why-war.com/features/2003/10/diebold.html
(extracts from the latter below)
"I have become increasingly concerned about the apparent lack of concern over the practice of writing contracts to provide products and services which do not exist and then attempting to build these items on an unreasonable timetable with no written plan, little to no time for testing, and minimal resources. It also seems to be an accepted practice to exaggerate our progress and functionality to our customers and ourselves then make excuses at delivery time when these products and services do not meet expectations."
"I feel that over the next year, if the current management team stays in place, the Global [Election Management System] working environment will continue to be a chaotic mess. Global management has and will be doing the best to keep their jobs at the expense of employees. Unrealistic goals will be placed on current employees, they will fail to achieve them. If Diebold wants to keep things the same for the time being, this will only compound an already dysfunctional company. Due to the lack of leadership, vision, and self-preserving nature of the current management, the future growth of this company will continue to stagnate until change comes."
"I need some answers! Our department is being audited by the County. I have been waiting for someone to give me an explanation as to why Precinct 216 gave Al Gore a minus 16022 when it was uploaded. Will someone please explain this so that I have the information to give the auditor instead of standing here "looking dumb"."
The article from the UK newspaper "The Independent", reproduced here at this page below, has some hints at a Republican conspiracy theory that I do not think are accurate; however, its description of the faults in the Diebold voting systems seems consistent with what is available elsewhere.
In case someone feels like doing their own verification the source documentation is in this Gzipped TAR
What concerns me most is that voting software would seem to be a case where public oversight and validation is of primary importance and yet the entire process is being hidden behind claims of commercial confidentiality. Even with about 5 minutes' study I can suggest some fixes. They all boil down to
"What part of MD5 checksum do you not understand?"
If you don't want to write your own system go borrow someone else's. This is not rocket science, it's basic security/authentication 101, and there are endless systems such as PGP that allow people to cryptographically sign emails to remove the chance of undetected tampering. The signing is the part that matters: a bare checksum stored beside the vote database is no protection on its own, because anyone who can rewrite the database through the back door described above can simply recompute the checksum to match. A signature made with a key that the county machine does not hold, checked against a copy published outside it, is what makes any later change detectable. I know bugger all about how to make voting machines work but I grok checksums and I also grok the one-wayness of MD5 and the fact that with 128 bits it's next to impossible to get doubles by mistake.
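To make the "checksum versus signature" point concrete, here is an added example (my own code, not from the blog post and not Diebold's or GEMS's software) of a tamper-evident audit log of the kind the post is asking for: each uploaded precinct record carries a hash of the previous record, and the head of the chain is sealed with a key held by someone other than the tabulation machine. It uses SHA-256 and HMAC from the Python standard library in place of the MD5 and PGP the post names; the construction (hash everything, then sign the hash) is the same. The precinct totals, the tampering steps and the auditor key are all constructed for the demonstration.

```python
"""Tamper-evident audit log: a hash chain with a keyed seal over its head.

Added example, not code from the blog post or from Diebold/GEMS. SHA-256
and HMAC stand in for the MD5 and PGP named in the post. The precinct
records and AUDITOR_KEY below are constructed for the demonstration.
"""
import copy
import hashlib
import hmac
import json

# Key held by the auditor/certifier, NOT stored on the tabulation machine.
# (Constructed for this example; a real deployment would use a PGP private
# key held offline and publish the matching public key.)
AUDITOR_KEY = b"constructed-auditor-key-do-not-reuse"

GENESIS = "0" * 64  # "previous hash" of the first record


def _digest(record: dict) -> str:
    """SHA-256 over the canonical JSON form of a record, excluding its own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log: list, entry: dict) -> dict:
    """Append an entry whose hash covers the previous record's hash."""
    record = {
        "seq": len(log),
        "prev": log[-1]["hash"] if log else GENESIS,
        "entry": entry,
    }
    record["hash"] = _digest(record)
    log.append(record)
    return record


def verify_chain(log: list) -> bool:
    """Recompute every hash and check each record links to the one before it."""
    prev = GENESIS
    for seq, record in enumerate(log):
        if record["seq"] != seq or record["prev"] != prev:
            return False
        if _digest(record) != record["hash"]:
            return False
        prev = record["hash"]
    return True


def seal(log: list, key: bytes) -> str:
    """Keyed MAC over the chain head; without `key` the tag cannot be re-made."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify_seal(log: list, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(log, key), tag)


def demo() -> dict:
    """Build a log, seal it, then try two tampering strategies against it."""
    log: list = []
    # Constructed sample uploads (not real election data).
    for precinct, votes in [(214, {"A": 1203, "B": 987}),
                            (215, {"A": 1550, "B": 1402}),
                            (216, {"A": 1101, "B": 1164})]:
        append_entry(log, {"precinct": precinct, "votes": votes})
    tag = seal(log, AUDITOR_KEY)

    # 1. Edit precinct 216 in place without touching the hashes (what the
    #    Access back door in the interview lets you do): the chain catches it.
    naive = copy.deepcopy(log)
    naive[2]["entry"]["votes"]["A"] -= 16022

    # 2. Edit, then recompute every hash in the chain. A bare checksum is
    #    defeated this way; only the keyed seal over the head detects it.
    rehashed = copy.deepcopy(naive)
    for i, rec in enumerate(rehashed):
        rec["prev"] = rehashed[i - 1]["hash"] if i else GENESIS
        rec["hash"] = _digest(rec)

    return {
        "original_ok": verify_chain(log) and verify_seal(log, AUDITOR_KEY, tag),
        "naive_chain_ok": verify_chain(naive),
        "rehashed_chain_ok": verify_chain(rehashed),
        "rehashed_seal_ok": verify_seal(rehashed, AUDITOR_KEY, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The two tampering cases are the whole argument: rewriting a value behind the software's back breaks the chain, and rewriting the value plus every hash (the attack a plain MD5 file fails against) passes the chain but fails the seal, because the seal needs a key the tabulation host never had. With a PGP signature instead of HMAC the verifier needs only the published public key, so the press and the parties can check the sealed totals themselves rather than trusting the county machine.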