Inside A U.S. Election Vote Counting Program






	Inside A U.S. Election Vote Counting Program By Bev Harris CAN THE PASSWORD BE BYPASSED? At least a dozen full installation versions of the GEMS program were available on the Diebold ftp site. The manual, also available on the ftp site, tells that the default password in a new installation is "GEMSUSER." Anyone who downloaded and installed GEMS can bypass the passwords in elections. In this examination, we installed GEMS, clicked "new" and made a test election, then closed it and opened the same file in Microsoft Access. One finds where they store the passwords by clicking the "Operator" table. Anyone can copy an encrypted password from there, go to an election database, and paste it into that. Example: Cobb County Election file One can overwrite the "admin" password with another, copied from another GEMS installation. It will appear encrypted; no worries, just cut and paste. In this example, we saved the old "admin" password so we could replace it later and delete the evidence that we'd been there. An intruder can grant himself administrative privileges by putting zeros in the other boxes, following the example in "admin." How many people can gain access? A sociable election hacker can give all his friends access to the database too! In this case, they were added in a test GEMS installation and copied into the Cobb County Microsoft Access file. It encrypted each password as a different character string, however, all the passwords are the same word: "password." Password replacement can also be done directly in Access. To assess how tightly controlled the election files really are, we added 50 of our friends; so far, we haven't found a limit to how many people can be granted access to the election database. Using this simple way to bypass password security, an intruder, or an insider, can enter GEMS programs and play with election databases to their heart's content. *********** Detailed Examination Of Diebold GEMS Voting Machine Security ( Part 3) CAN THE AUDIT TRAIL BE ALTERED?** Britain J. Williams, Ph.D., is the official voting machine certifier for the state of Georgia, and he sits on the committee that decides how voting machines will be tested and evaluated. Here's what he had to say about the security of Diebold voting machines, in a letter dated April 23, 2003: "Computer System Security Features: The computer portion of the election system contains features that facilitate overall security of the election system. Primary among these features is a comprehensive set of audit data. For transactions that occur on the system, a record is made of the nature of the transaction, the time of the transaction, and the person that initiated the transaction. This record is written to the audit log. If an incident occurs on the system, this audit log allows an investigator to reconstruct the sequence of events that occurred surrounding the incident. In addition, passwords are used to limit access to the system to authorized personnel." Since Dr. Williams listed the audit data as the primary security feature, we decided to find out how hard it is to alter the audit log. Here is a copy of a GEMS audit report. Note that a user by the name of "Evildoer" was added. Evildoer performed various functions, including running reports to check his vote-rigging work, but only some of his activities showed up on the audit log. It was a simple matter to eliminate Evildoer. First, we opened the election database in Access, where we opened the audit table: Then, we deleted all the references to Evildoer and, because we noticed that the audit log never noticed when the admin closed the GEMS program before, we tidily added an entry for that. Access encourages those who create audit logs to use auto-numbering, so that every logged entry has an uneditable log number. Then, if one deletes audit entries, a gap in the numbering sequence will appear. However, we found that this feature was disabled, allowing us to write in our own log numbers. We were able to add and delete from the audit without leaving a trace. Going back into GEMS, we ran another audit log to see if Evildoer had been purged: As you can see, the audit log appears pristine. In fact, when using Access to adjust the vote tallies we found that tampering never made it to the audit log at all. Although we interviewed election officials and also the technicians who set up the Diebold system in Georgia, and they confirmed that the GEMS system does use Microsoft Access, is designed for remote access, and does receive "data corrections" from time to time from support personnel, we have not yet had the opportunity to test the above tampering methods in the County Election Supervisor's office. From a programming standpoint, there might be reasons to have a special vote ledger that disengages from the real one. For example, election officials might say they need to be able to alter the votes to add provisional ballots or absentee ballots. If so, this calls into question the training of these officials, which appears to be done by The Election Center, under the direction of R. Doug Lewis. If election officials are taught to deal with changes by overwriting votes, regardless of whether they do this in vote ledger 1 or vote ledger 2, this is improper. If changing election data is required, the corrective entry must be made not by overwriting vote totals, but by making a corrective entry. When adding provisional ballots, for example, the proper procedure is to add a line item "provisional ballots," and this should be added into the original vote table (Table 1). It is never acceptable to make changes by overwriting vote totals. Data corrections should not be prohibited, but must always be done by indicating changes through a clearly marked line item that preserves each transaction. Proper bookkeeping never allows an extra ledger that can be used to just erase the original information and add your own. And certainly, it is improper to have the official reports come from the second ledger, which may or may not have information erased or added. But there is more evidence that these extra sets of books are illicit: If election officials were using Table 2 to add votes, for provisional ballots, or absentee voters, that would be in their GEMS program. It makes no sense, if that's what Diebold claims the extra set of books is for, to make vote corrections by sneaking in through the back door and using Access, which according to the manual is not even installed on the election official's computer. Furthermore, if changing Table 2 was an acceptable way to adjust for provisional ballots and absentee votes, we would see the option in GEMS to print a report of both Table 1 totals and Table 2 so that we can compare them. Certainly, if that were the case, that would be in the manual along with instructions that say to compare Table 1 to Table 2, and, if there is any difference, to make sure it exactly matches the number of absentee ballots, or whatever, were added. Using Microsoft Access was inappropriate for security reasons. Using multiple sets of books, and/or altering vote totals to include new data, is improper for accounting reasons. And, as a member of slashdot.org commented, "This is not a bug, it's a feature." <back