pl.net accvot 11-7-2003

Posted on 11-7-2003

How to Rig an Election in the United States
Sludge Report #154 – Bigger Than Watergate!
By C.D. Sludge

Tuesday 08 July 2003

A Diebold touchscreen voting machine
Makers of the walk right in, sit right down, replace ballot tallies with your own GEMS vote counting program.

-------

The story you are about to read is in this writer's view the biggest political scandal in American history, if not global history. And it is being broken today here in New Zealand.

This story cuts to the bone the machinery of democracy in America today. Democracy is the only protection we have against despotic and arbitrary government, and this story is deeply disturbing.

Imagine if you will that you are a political interest group that wishes to control forevermore the levers of power. Imagine further that you know you are likely to implement a highly unpopular political agenda, and you do not wish to be removed by a ballot driven backlash.

One way to accomplish this outcome would be to adopt the Mugabe (Zimbabwe) or Hun Sen (Cambodia) approach. You agree to hold elections, but simultaneously arrest, imprison and beat your opponents and their supporters. You stuff ballot boxes, disenfranchise voters who are unlikely to vote for you, distort electoral boundaries and provide insufficient polling stations in areas full of opposition supporters.

However as so many despots have discovered, eventually such techniques always fail – often violently. Hence, if you are a truly ambitious political dynasty you have to be a bit more subtle about your methods.

Imagine then if it were possible to somehow subvert the voting process itself in such a way that you could steal elections without anybody knowing.

Imagine for example if you could:

secure control of the companies that make the voting machines and vote counting software;
centralise vote counting systems, and politicise their supervision;
legislate for the adoption of such systems throughout your domain, and provide large amounts of money for the purchase of these systems;
establish systems of vote counting that effectively prevent anybody on the ground in the election – at a booth or precinct level - from seeing what is happening at a micro-level;
get all the major media to sign up to a single exit-polling system that you also control – removing the risk of exit-polling showing up your shenanigans.

And imagine further that you install a backdoor, or numerous backdoors, in the vote counting systems you have built that enable you to manipulate the tabulation of results in real time as they are coming in.

Such a system would enable you to intervene in precisely the minimum number of races necessary to ensure that you won a majority on election night. On the basis of polling you could pick your marginal seats and thus keep your tweaking to a bare minimum.

Such a system would enable you to minimise the risks of discovery of your activities.

Such a system would enable you to target and remove individual political opponents who were too successful, too popular or too inquisitive.

And most importantly of all, such a system would enable you to accomplish all the above without the public being in the least aware of what you were doing. When confronted with the awfulness of your programme they would be forced to concede that at least it is the result of a democratic process.

How To Rig An Election In The United States

So how would such a system actually work?

Well one way to run such a corrupt electoral system might look like this:

Each voting precinct (or booth) could be fitted with electronic voting systems, optical scanning systems, punch card voting systems or the more modern touchscreen electronic voting machines;
At the close of play each day the booth/precinct supervisor could be under instructions to compile an electronic record of the votes cast in their booth;
They might print out a report that contains only the details of the total votes count for that precinct/booth, and then file via modem the full electronic record of votes through to the County supervisor;
The County Supervisor could be equipped with a special piece of software and a bank of modems that enables all these results to be received and tabulated in the internals of the computer;
The County Supervisors themselves could be assured that their system was bullet proof, certified and contained tamper-protection mechanisms par excellence;
The Country Supervisor could be given a range of tools for looking at the data within this software, but nothing to enable them to directly manipulate the results;
But unbeknownst to the County Supervisor the software could actually create three separate records of the voting data;
Meanwhile - also unbeknownst to the County Supervisor - these three tables of voting data could be in fact completely insecure and accessible simply through a common database programme, say Microsoft Access;
Having the three tables would enable you to keep the real data in place – so the system could pass spot tests on individual precincts and booth results (should a precinct supervisor be particularly astute) -while simultaneously enabling you to manipulate the bottom line result;
Finally you might also enhance the election hacker's powers by including within the software a utility to enable them to cover their tracks by changing the date and time stamps on files and remove evidence of your tampering.

Fantasy Becomes Reality

The above description of a corrupt voting system is not the result of an overactive imagination. Rather it is the result of a extensive research by computer programmers and journalists working around the globe. Principally it is the work of investigative Journalist Bev Harris, author of the soon to be published book " Black Box Voting: Ballot Tampering In The 21st Century "

And most important of all it is the result of research focussed on investigating the actual software distributed by one of the largest voting systems companies operating in the recent U.S. Elections.

CAVEAT: It is important to note that the research into this subject has not established that the files we have been working on were in fact in situ in County Election Supervisors offices at the last election – nor have we proof that the back door we have discovered - which might enable the rigging of elections - was actually used in any recent election. However it is the considered opinion of all those involved in this investigation that it is not up to us as journalists or programmers to prove that elections were rigged, rather it is a responsibility of the electoral system itself to prove its integrity.

What you read here amounts to revelation of evidence of motive, opportunity, method, prior conduct , and a variety of items of, consistent unexplained circumstantial evidence . Significantly we do not believe we have sufficient resources to complete this investigation to its conclusion and are therefore making available our findings to the media, community organisations, political parties, computer scientists and geeks in the anticipation that they will pick up the torch and take extend this inquiry into every county in the United States.

How We Discovered The Backdoor

In the course of investigating the issue of the integrity of new electronic voting machines Bev Harris learned that people around the world had been downloading from an open FTP site belonging to Diebold Election Systems one of the leading manufactures of voting systems.

This website contained several gigabytes of files including manuals, source codes and installation versions of numerous parts of the Diebold voting system, and of its vote counting programme GEMS.

Realising we had stumbled across what might be the equivalent of the Pentagon Papers for elections, the full contents of this website have been secured around the world at several locations. The original website was itself taken down on January 29th 2003.

We can now reveal for the first time the location of a complete online copy of the original data set. As we anticipate attempts to prevent the distribution of this information we encourage supporters of democracy to make copies of these files and to make them available on websites and file sharing networks.

Go to Original Data

At this stage in this inquiry we do not believe that we have come even remotely close to investigating all aspects of this data. I.E. There is no reason to believe that the security flaws discovered so far are the only ones.

Finally, for obvious reasons it is important that this information is distributed as widely as possible as quickly as possible. We encourage all web bloggers, web publishers and web media to re-publish and link to this article and to its companion article by Bev Harris which contains detailed descriptions of how to use the GEMS software to rig an election.:

System Integrity Flaw Discovered at Diebold Election Systems

To conclude this overview article I will make a few more comments on the evidence we have thus far that the U.S. election system has been compromised. As stated earlier we do not at this stage have proof that it has in fact been been compromised through this method, just a great deal of circumstantial evidence that it could have been.

If this was Watergate, we are effectively at the point of discovering evidence of a break-in and have received the call from deep-throat telling us that should dig much deeper.

Proof will follow in time we expect, but only if the work we have begun is completed and this inquiry is taken into every corner of the U.S. electoral system.

Evidence Of Motive

This is probably the easiest part of this puzzle to get your head around. The motivation of the Republican Party in general and the current administration in particular to gain ever greater amounts of power - by whatever means possible and damn the consequences - is evidenced most recently in the Supreme Court's partisan appointment of George Bush Jr. as President, the attempt to recall California Governor Gray Davis, and the Ken Starr investigation and attempted impeachment of President Clinton.

Evidence Of Opportunity

Republican connected control over the major election systems companies in the United States has been thoroughly researched.

Bob Urosevich, CEO of Diebold Election Systems is also the founder of ES&S, a competing voting machine company. Together these two companies are responsible for tallying around 80% of votes cast in the United States. Also significant, from what we can determine about the architecture of the software, is that its basic structure was specifically a creation of Mr Urosevich's company I-Mark.

For more background on Diebold Systems connections to the Republican Party see:
Diebold - The Face Of Modern Ballot Tampering

Meanwhile Presidential wannabee and Republican Party United States Senator Chuck Hagel has been directly connected to ES&S via his campaign finance director, Michael McCarthy, who has admitted that Senator Hagel still owns a beneficial interest in the ES&S parent company, the McCarthy Group.
Senate Ethics Director Resigns; Senator Hagel Admits Owning Voting Machine Company

Evidence Of Method

The evidence of method has been detailed in a companion article by Bev Harris, author of the soon to be published block-buster Black Box Voting.
Inside A U.S. Election Vote Counting Program

In this article – which contains screenshots from the software and detailed instructions on how one might rig an election - Bev Harris explains security flaws thus:

The GEMS election file contains more than one "set of books." They are hidden from the person running the GEMS program, but you can see them if you go into Microsoft Access.

You might look at it like this: Suppose you have votes on paper ballots, and you pile all the paper ballots in room one. Then, you make a copy of all the ballots and put the stack of copies in room 2.

You then leave the door open to room 2, so that people can come in and out, replacing some of the votes in the stack with their own.

You could have some sort of security device that would tell you if any of the copies of votes in room 2 have been changed, but you opt not to.

Now, suppose you want to count the votes. Should you count them from room 1 (original votes)? Or should you count them from room 2, where they may or may not be the same as room 1? What Diebold chose to do in the files we examined was to count the votes from "room2."

Evidence Of Prior Conduct

It is a recorded fact that every system of balloting established in America has been gamed and rigged. I.E. America's political practitioners have a very long history of ballot rigging and vote tampering. This is nothing new and evidence of the sort we have uncovered has been long predicted by computer scientists such as Dr Rebecca Mercuri.

In more recent history investigative Journalist Greg Palast has documented in detail Katherine Harris's use of electronic data matching technologies to disenfranchise thousands of Florida voters in advance of the 2000 Presidential election.

We highly recommend readers purchase a copy of "The Best Democracy Money Can Buy" by Greg Palast to read much more about this.

A compendium of links on Palast's investigations can be found via a Google search on:
"greg palast florida katherine harris"

Consistent Unexplained Circumstantial Evidence

During the 2002 Mid-term there were numerous reports of unusual happenings in counties throughout the United States.

Among the phenomena reported were voting numbers suddenly fluctuating in the middle of the counting process, something you might expect to see if the backdoor identified above were used clumsily.

An organisation called Votewatch was set up during the 2002 elections to record unusual happenings

It will suffice here to cite a couple of specific examples – these are excerpts from the soon to be published " Black Box Voting: Ballot Tampering In The 21st Century". These examples of actual events are consistent with the existence and use of an electronic vote counting hack described above.

November 1990, Seattle, Washington - Worse than the butterfly ballot, some Democratic candidates watched votes alight, then flutter away. Democrat Al Williams saw 90 votes wander off his tally between election night and the following day, though no new counting had been done. At the same time, his opponent, Republican Tom Tangen, gained 32 votes. At one point several hundred ballots added to returns didn’t result in any increase in the number of votes. But elsewhere, the number of votes added exceeded the number of additional ballots counted. A Republican candidate achieved an amazing surge in his absentee percentage for no apparent reason. And no one seemed to notice (until a determined Democratic candidate started demanding an answer) that the machines simply forgot to count 14,000 votes.

November 1996, Bergen County, New Jersey - Democrats told Bergen County Clerk Kathleen Donovan to come up with a better explanation for mysterious swings in vote totals. Donovan blamed voting computers for conflicting tallies that rose and fell by 8,000 or 9,000 votes. The swings perplexed candidates of both parties. For example, the Republican incumbent, Anthony Cassano, had won by about 7,000 votes as of the day after the election but his lead evaporated later. One candidate actually lost 1,600 votes during the counting. “How could something like that possibly happen?” asked Michael Guarino, Cassano’s Democratic challenger. “Something is screwed up here.”

November 1999, Onondaga County, New York - Computers gave the election to the wrong candidate, then gave it back. Bob Faulkner, a political newcomer, went to bed on Election Night confident he had helped complete a Republican sweep of three open council seats. But after Onondaga County Board of Elections staffers rechecked the totals, Faulkner had lost to Democratic incumbent Elaine Lytel.

April 2002, Johnson County, Kansas - Johnson County’s new Diebold touch screen machines, proclaimed a success on election night, did not work as well as originally believed. Incorrect vote totals were discovered in six races, three of them contested, leaving county election officials scrambling to make sure the unofficial results were accurate. Johnson County Election Commissioner Connie Schmidt checked the machines and found that the computers had under- and over-reported hundreds of votes. “The machines performed terrifically,” said Bob Urosevich, CEO of Diebold Election Systems. “The anomaly showed up on the reporting part.”

The problem, however, was so perplexing that Schmidt asked the Board of Canvassers to order a hand re-count to make sure the results were accurate. Unfortunately, the touch screen machines did away with the ballots, so the only way to do a hand recount is to have the machine print its internal data page by page. Diebold tried to re-create the error in hopes of correcting it. “I wish I had an answer,” Urosevich said. In some cases, vote totals changed dramatically.

November 2002, Comal County, Texas - A Texas-sized lack of curiosity about discrepancies: The uncanny coincidence of three winning Republican candidates in a row tallying up exactly 18,181 votes each was called weird, but apparently no one thought it was weird enough to audit. Conversion to alphabet: 18181 18181 18181 ahaha ahaha ahaha

November 2002, Baldwin County, Alabama - No one at the voting machine company can explain the mystery votes that changed after polling places had closed, flipping the election from the Democratic winner to a Republican in the Alabama governor’s race. “Something happened. I don’t have enough intelligence to say exactly what,” said Mark Kelley of ES&S. Baldwin County results showed that Democrat Don Siegelman earned enough votes to win the state of Alabama. All the observers went home. The next morning, however, 6,300 of Siegelman’s votes inexplicably had disappeared, and the election was handed to Republican Bob Riley. A recount was requested, but denied.

November 2002, New York - Voting machine tallies impounded in New York: Software programming errors hampered and confused the vote tally on election night and most of the next day, causing elections officials to pull the plug on the vote-reporting Web site. Commissioners ordered that the voting machine tallies be impounded, and they were guarded overnight by a Monroe County deputy sheriff.

November 2002, Georgia - Election officials lost their memory: Fulton County election officials said that memory cards from 67 electronic voting machines had been misplaced, so ballots cast on those machines were left out of previously announced vote totals. No hand count can shine any light on this; the entire state of Georgia went to touch-screen machines with no physical record of the vote. Fifty-six cards, containing 2,180 ballots, were located, but 11 memory cards still were missing two days after the election: Bibb County and Glynn County each had one card missing after the initial vote count. When DeKalb County election officials went home early Wednesday morning, they were missing 10 cards.

Inside A U.S. Election Vote Counting Program
By Bev Harris

Tuesday 08 July 2003

Bev Harris is the Author of the soon to be published book " Black Box Voting: Ballot Tampering In The 21st Century "

Contents
Introduction
Part 1 - Can the Votes be Changed?
Part 2 - Can the Password be Bypassed?
Part 3 – Can the Audit Trail be Altered?

--------

Introduction

For both optical scans and touch screens operating using Diebold election systems, the voting system works like this:

Voters vote at the precinct, running their ballot through an optical scan, or entering their vote on a touch screen.

After the polls close, poll workers transmit the votes that have been accumulated to the county office. They do this by modem.

At the county office, there is a "host computer" with a program on it called GEMS.

GEMS receives the incoming votes and stores them in a vote ledger. But then, we found, it makes another set of books with a copy of what is in vote ledger 1. And at the same time, it makes yet a third vote ledger with another copy.

The Elections Supervisor never sees these three sets of books. All she sees is the reports she can run: Election summary (totals, county wide) or a detail report (totals for each precinct). She has no way of knowing that her GEMS program is using multiple sets of books, because the GEMS interface draws its data from an Access database, which is hidden.

And here is what is quite odd: On the programs we tested, the Election summary (totals, county wide) come from the vote ledger 2 instead of vote ledger 1.

Now, think of it like this: You want the report to add up ONLY the ACTUAL votes. But, unbeknownst to the election supervisor, votes can be added and subtracted from vote ledger 2, so that it may or may not match vote ledger 1. Her official report comes from vote ledger 2, which has been disengaged from vote ledger 1.

If she asks for a detailed report for some precincts, though, her report comes from vote ledger 1. Therefore, if you keep the correct votes in vote ledger 1, a spot check of detailed precincts (even if you compare voter-verified paper ballots) will always be correct.

And what is vote ledger 3 for? For now, we are calling it the "Lord Only Knows" vote ledger.

From a programming standpoint, there might be reasons to have a special vote ledger that disengages from the real one. From an accounting standpoint, using multiple sets of books is NOT OKAY. From an accounting standpoint, the ONLY thing the totals report should add up is the original votes in vote ledger 1. Proper bookkeeping NEVER allows an extra ledger that can be used to just erase the original information and add your own. And certainly, it is improper to have the official reports come from the second ledger, the one which may or may not have information erased or added.

Can These Votes Be Changed?

Let's go into the GEMS program and run a report on the Max Cleland/Saxby Chambliss race. (This is an example, and does not contain the real data.)

As it stands, Cleland is stomping Chambliss. Let's make it more exciting.

The GEMS election file contains more than one "set of books." They are hidden from the person running the GEMS program, but you can see them if you go into Microsoft Access.

You then leave the door open to room 2, so that people can come in and out, replacing some of the votes in the stack with their own.

You could have some sort of security device that would tell you if any of the copies of votes in room 2 have been changed, but you opt not to.

Illustration:
If an intruder opens the GEMS program in Microsoft Access, they will find that each candidate has an assigned number:

One can then go see how many votes a candidate has by visiting "room 1" which is called the CandidateCounter:

"454" represents Max Cleland and "455" represents Saxby Chambliss.

let's visit Room2, which has copies of Room1. You can find it in an Access table called SumCandidateCounter:

Now we will put our own votes in Room2. We'll put Chambliss ahead by a nose, by subtracting 100 from Cleland and adding 100 to Chambliss. Always add and delete the same number of votes, so the number of voters won't change.

we have only tampered with the votes in "Room 2." In Room 1, they remain the same. Room 1, after tampering with Room 2:

Now let's run a report again.

Now, the example is for a simple race using just one precinct. If you run a detail report, you'll see that the precinct report pulls the untampered data, while the totals report pulls the tampered data. This would allow a precinct to pass a spot check.

Can the Password be Bypassed?

At least a dozen full installation versions of the GEMS program were available on the Diebold ftp site. The manual, also available on the ftp site, tells that the default password in a new installation is "GEMSUSER." Anyone who downloaded and installed GEMS can bypass the passwords in elections. In this examination, we installed GEMS, clicked "new" and made a test election, then closed it and opened the same file in Microsoft Access.

One finds where they store the passwords by clicking the "Operator" table. Anyone can copy an encrypted password from there, go to an election database, and paste it into that.

Example: Cobb County Election file

One can overwrite the "admin" password with another, copied from another GEMS installation. It will appear encrypted; no worries, just cut and paste. In this example, we saved the old "admin" password so we could replace it later and delete the evidence that we'd been there. An intruder can grant himself administrative privileges by putting zeros in the other boxes, following the example in "admin."

How many people can gain access? A sociable election hacker can give all his friends access to the database too! In this case, they were added in a test GEMS installation and copied into the Cobb County Microsoft Access file. It encrypted each password as a different character string, however, all the passwords are the same word: "password." Password replacement can also be done directly in Access. To assess how tightly controlled the election files really are, we added 50 of our friends; so far, we haven't found a limit to how many people can be granted access to the election database.

Using this simple way to bypass password security, an intruder, or an insider, can enter GEMS programs and play with election databases to their heart's content.

Can the Audit Trail be Altered?

Britain J. Williams, Ph.D., is the official voting machine certifier for the state of Georgia, and he sits on the committee that decides how voting machines will be tested and evaluated. Here's what he had to say about the security of Diebold voting machines, in a letter dated April 23, 2003:

"Computer System Security Features: The computer portion of the election system contains features that facilitate overall security of the election system. Primary among these features is a comprehensive set of audit data. For transactions that occur on the system, a record is made of the nature of the transaction, the time of the transaction, and the person that initiated the transaction. This record is written to the audit log. If an incident occurs on the system, this audit log allows an investigator to reconstruct the sequence of events that occurred surrounding the incident.

In addition, passwords are used to limit access to the system to authorized personnel."

Since Dr. Williams listed the audit data as the primary security feature, we decided to find out how hard it is to alter the audit log.

Note that a user by the name of "Evildoer" was added. Evildoer performed various functions, including running reports to check his vote-rigging work, but only some of his activities showed up on the audit log.
It was a simple matter to eliminate Evildoer. First, we opened the election database in Access, where we opened the audit table:

Then, we deleted all the references to Evildoer and, because we noticed that the audit log never noticed when the admin closed the GEMS program before, we tidily added an entry for that.

Access encourages those who create audit logs to use auto-numbering, so that every logged entry has an uneditable log number. Then, if one deletes audit entries, a gap in the numbering sequence will appear. However, we found that this feature was disabled, allowing us to write in our own log numbers. We were able to add and delete from the audit without leaving a trace.

Going back into GEMS, we ran another audit log to see if Evildoer had been purged:

In fact, when using Access to adjust the vote tallies we found that tampering never made it to the audit log at all.

A curious plug-in was found in the GEMS program, called PE Explorer. Presumably, this is used to do security checks. Another function, though, is to change the date and time stamp:

Although we interviewed election officials and also the technicians who set up the Diebold system in Georgia, and they confirmed that the GEMS system does use Microsoft Access, is designed for remote access, and does receive "data corrections" from time to time from support personnel, we have not yet had the opportunity to test the above tampering methods in the County Election Supervisor's office.

We used an actual data file, labeled "Cobb County" for much of our testing.