Posted on 11-7-2003
How to Rig an Election in the
United States
Sludge Report #154 – Bigger Than Watergate! By C.D. Sludge
Tuesday 08 July 2003
A Diebold touchscreen voting machine Makers of the walk right in, sit right down, replace ballot tallies with your own GEMS vote counting program.
-------
The story you are
about to read is in this writer's view the biggest political scandal in
American history, if not global history. And it is being broken today
here in New Zealand.
This story cuts
to the bone the machinery of democracy in America today. Democracy is
the only protection we have against despotic and arbitrary government,
and this story is deeply disturbing.
Imagine if you
will that you are a political interest group that wishes to control
forevermore the levers of power. Imagine further that you know you are
likely to implement a highly unpopular political agenda, and you do not
wish to be removed by a ballot driven backlash.
One way to
accomplish this outcome would be to adopt the Mugabe (Zimbabwe) or Hun
Sen (Cambodia) approach. You agree to hold elections, but
simultaneously arrest, imprison and beat your opponents and their
supporters. You stuff ballot boxes, disenfranchise voters who are
unlikely to vote for you, distort electoral boundaries and provide
insufficient polling stations in areas full of opposition supporters.
However as so
many despots have discovered, eventually such techniques always fail –
often violently. Hence, if you are a truly ambitious political dynasty
you have to be a bit more subtle about your methods.
Imagine then if
it were possible to somehow subvert the voting process itself in such a
way that you could steal elections without anybody knowing.
Imagine for example if you could:
- secure control of the companies that make the voting machines and vote counting software;
- centralise vote counting systems, and politicise their supervision;
- legislate
for the adoption of such systems throughout your domain, and provide
large amounts of money for the purchase of these systems;
- establish
systems of vote counting that effectively prevent anybody on the ground
in the election – at a booth or precinct level - from seeing what is
happening at a micro-level;
- get
all the major media to sign up to a single exit-polling system that you
also control – removing the risk of exit-polling showing up your
shenanigans.
And imagine
further that you install a backdoor, or numerous backdoors, in the vote
counting systems you have built that enable you to manipulate the
tabulation of results in real time as they are coming in.
Such a system
would enable you to intervene in precisely the minimum number of races
necessary to ensure that you won a majority on election night. On the
basis of polling you could pick your marginal seats and thus keep your
tweaking to a bare minimum.
Such a system would enable you to minimise the risks of discovery of your activities.
Such a system
would enable you to target and remove individual political opponents
who were too successful, too popular or too inquisitive.
And most
importantly of all, such a system would enable you to accomplish all
the above without the public being in the least aware of what you were
doing. When confronted with the awfulness of your programme they would
be forced to concede that at least it is the result of a democratic
process.
How To Rig An Election In The United States
So how would such a system actually work?
Well one way to run such a corrupt electoral system might look like this:
- Each voting
precinct (or booth) could be fitted with electronic voting systems,
optical scanning systems, punch card voting systems or the more modern
touchscreen electronic voting machines;
- At
the close of play each day the booth/precinct supervisor could be under
instructions to compile an electronic record of the votes cast in their
booth;
- They
might print out a report that contains only the details of the total
votes count for that precinct/booth, and then file via modem the full
electronic record of votes through to the County supervisor;
- The
County Supervisor could be equipped with a special piece of software
and a bank of modems that enables all these results to be received and
tabulated in the internals of the computer;
- The
County Supervisors themselves could be assured that their system was
bullet proof, certified and contained tamper-protection mechanisms par
excellence;
- The
Country Supervisor could be given a range of tools for looking at the
data within this software, but nothing to enable them to directly
manipulate the results;
- But unbeknownst to the County Supervisor the software could actually create three separate records of the voting data;
- Meanwhile
- also unbeknownst to the County Supervisor - these three tables of
voting data could be in fact completely insecure and accessible simply
through a common database programme, say Microsoft Access;
- Having
the three tables would enable you to keep the real data in place – so
the system could pass spot tests on individual precincts and booth
results (should a precinct supervisor be particularly astute) -while
simultaneously enabling you to manipulate the bottom line result;
- Finally
you might also enhance the election hacker's powers by including within
the software a utility to enable them to cover their tracks by changing
the date and time stamps on files and remove evidence of your
tampering.
Fantasy Becomes Reality
The above
description of a corrupt voting system is not the result of an
overactive imagination. Rather it is the result of a extensive research
by computer programmers and journalists working around the globe.
Principally it is the work of investigative Journalist Bev Harris,
author of the soon to be published book " Black Box Voting: Ballot
Tampering In The 21st Century "
And most
important of all it is the result of research focussed on investigating
the actual software distributed by one of the largest voting systems
companies operating in the recent U.S. Elections.
CAVEAT: It is
important to note that the research into this subject has not
established that the files we have been working on were in fact in situ
in County Election Supervisors offices at the last election – nor have
we proof that the back door we have discovered - which might enable the
rigging of elections - was actually used in any recent election.
However it is the considered opinion of all those involved in this
investigation that it is not up to us as journalists or programmers to
prove that elections were rigged, rather it is a responsibility of the
electoral system itself to prove its integrity.
What you read
here amounts to revelation of evidence of motive, opportunity, method,
prior conduct , and a variety of items of, consistent unexplained
circumstantial evidence . Significantly we do not believe we have
sufficient resources to complete this investigation to its conclusion
and are therefore making available our findings to the media, community
organisations, political parties, computer scientists and geeks in the
anticipation that they will pick up the torch and take extend this
inquiry into every county in the United States.
How We Discovered The Backdoor
In the course of
investigating the issue of the integrity of new electronic voting
machines Bev Harris learned that people around the world had been
downloading from an open FTP site belonging to Diebold Election Systems
one of the leading manufactures of voting systems.
This website
contained several gigabytes of files including manuals, source codes
and installation versions of numerous parts of the Diebold voting
system, and of its vote counting programme GEMS.
Realising we had
stumbled across what might be the equivalent of the Pentagon Papers for
elections, the full contents of this website have been secured around
the world at several locations. The original website was itself taken
down on January 29th 2003.
We can now reveal
for the first time the location of a complete online copy of the
original data set. As we anticipate attempts to prevent the
distribution of this information we encourage supporters of democracy
to make copies of these files and to make them available on websites
and file sharing networks.
Go to Original Data
At this stage in
this inquiry we do not believe that we have come even remotely close to
investigating all aspects of this data. I.E. There is no reason to
believe that the security flaws discovered so far are the only ones.
Finally, for
obvious reasons it is important that this information is distributed as
widely as possible as quickly as possible. We encourage all web
bloggers, web publishers and web media to re-publish and link to this
article and to its companion article by Bev Harris which contains
detailed descriptions of how to use the GEMS software to rig an
election.:
System
Integrity Flaw Discovered at Diebold Election Systems
To conclude this
overview article I will make a few more comments on the evidence we
have thus far that the U.S. election system has been compromised. As
stated earlier we do not at this stage have proof that it has in fact
been been compromised through this method, just a great deal of
circumstantial evidence that it could have been.
If this was
Watergate, we are effectively at the point of discovering evidence of a
break-in and have received the call from deep-throat telling us that
should dig much deeper.
Proof will follow
in time we expect, but only if the work we have begun is completed and
this inquiry is taken into every corner of the U.S. electoral system.
Evidence Of Motive
This is probably
the easiest part of this puzzle to get your head around. The motivation
of the Republican Party in general and the current administration in
particular to gain ever greater amounts of power - by whatever means
possible and damn the consequences - is evidenced most recently in the
Supreme Court's partisan appointment of George Bush Jr. as President,
the attempt to recall California Governor Gray Davis, and the Ken Starr
investigation and attempted impeachment of President Clinton.
Evidence Of Opportunity
Republican connected control over the major election systems companies in the United States has been thoroughly researched.
Bob Urosevich,
CEO of Diebold Election Systems is also the founder of ES&S, a
competing voting machine company. Together these two companies are
responsible for tallying around 80% of votes cast in the United States.
Also significant, from what we can determine about the architecture of
the software, is that its basic structure was specifically a creation
of Mr Urosevich's company I-Mark.
For more background on Diebold Systems connections to the Republican Party see: Diebold - The Face Of Modern Ballot Tampering
Meanwhile
Presidential wannabee and Republican Party United States Senator Chuck
Hagel has been directly connected to ES&S via his campaign finance
director, Michael McCarthy, who has admitted that Senator Hagel still
owns a beneficial interest in the ES&S parent company, the McCarthy
Group. Senate Ethics Director Resigns; Senator Hagel Admits Owning Voting Machine Company
Evidence Of Method
The evidence of
method has been detailed in a companion article by Bev Harris, author
of the soon to be published block-buster Black Box Voting. Inside A U.S. Election Vote Counting Program
In this article –
which contains screenshots from the software and detailed instructions
on how one might rig an election - Bev Harris explains security flaws
thus:
The GEMS election
file contains more than one "set of books." They are hidden from the
person running the GEMS program, but you can see them if you go into
Microsoft Access.
You might look at
it like this: Suppose you have votes on paper ballots, and you pile all
the paper ballots in room one. Then, you make a copy of all the ballots
and put the stack of copies in room 2.
You then leave
the door open to room 2, so that people can come in and out, replacing
some of the votes in the stack with their own.
You could have
some sort of security device that would tell you if any of the copies
of votes in room 2 have been changed, but you opt not to.
Now, suppose you
want to count the votes. Should you count them from room 1 (original
votes)? Or should you count them from room 2, where they may or may not
be the same as room 1? What Diebold chose to do in the files we
examined was to count the votes from "room2."
Evidence Of Prior Conduct
It is a recorded
fact that every system of balloting established in America has been
gamed and rigged. I.E. America's political practitioners have a very
long history of ballot rigging and vote tampering. This is nothing new
and evidence of the sort we have uncovered has been long predicted by
computer scientists such as Dr Rebecca Mercuri.
In more recent
history investigative Journalist Greg Palast has documented in detail
Katherine Harris's use of electronic data matching technologies to
disenfranchise thousands of Florida voters in advance of the 2000
Presidential election.
We highly recommend readers purchase a copy of "The Best Democracy Money Can Buy" by Greg Palast to read much more about this.
A compendium of links on Palast's investigations can be found via a Google search on: "greg palast florida katherine harris"
Consistent Unexplained Circumstantial Evidence
During the 2002 Mid-term there were numerous reports of unusual happenings in counties throughout the United States.
Among the
phenomena reported were voting numbers suddenly fluctuating in the
middle of the counting process, something you might expect to see if
the backdoor identified above were used clumsily.
An organisation
called Votewatch was set up during the 2002 elections to record unusual
happenings
It will suffice
here to cite a couple of specific examples – these are excerpts from
the soon to be published " Black Box Voting: Ballot Tampering In The
21st Century". These examples of actual events are consistent with the
existence and use of an electronic vote counting hack described above.
November 1990, Seattle, Washington
- Worse than the butterfly ballot, some Democratic candidates watched
votes alight, then flutter away. Democrat Al Williams saw 90 votes
wander off his tally between election night and the following day,
though no new counting had been done. At the same time, his opponent,
Republican Tom Tangen, gained 32 votes. At one point several hundred
ballots added to returns didn’t result in any increase in the number of
votes. But elsewhere, the number of votes added exceeded the number of
additional ballots counted. A Republican candidate achieved an amazing
surge in his absentee percentage for no apparent reason. And no one
seemed to notice (until a determined Democratic candidate started
demanding an answer) that the machines simply forgot to count 14,000
votes.
November 1996, Bergen County, New Jersey -
Democrats told Bergen County Clerk Kathleen Donovan to come up with a
better explanation for mysterious swings in vote totals. Donovan blamed
voting computers for conflicting tallies that rose and fell by 8,000 or
9,000 votes. The swings perplexed candidates of both parties. For
example, the Republican incumbent, Anthony Cassano, had won by about
7,000 votes as of the day after the election but his lead evaporated
later. One candidate actually lost 1,600 votes during the counting.
“How could something like that possibly happen?” asked Michael Guarino,
Cassano’s Democratic challenger. “Something is screwed up here.”
November 1999, Onondaga County, New York
- Computers gave the election to the wrong candidate, then gave it back.
Bob Faulkner, a political newcomer, went to bed on Election Night
confident he had helped complete a Republican sweep of three open
council seats. But after Onondaga County Board of Elections staffers
rechecked the totals, Faulkner had lost to Democratic incumbent Elaine
Lytel.
April 2002, Johnson County, Kansas
- Johnson County’s new Diebold touch screen machines, proclaimed a
success on election night, did not work as well as originally believed.
Incorrect vote totals were discovered in six races, three of them
contested, leaving county election officials scrambling to make sure
the unofficial results were accurate. Johnson County Election
Commissioner Connie Schmidt checked the machines and found that the
computers had under- and over-reported hundreds of votes. “The machines
performed terrifically,” said Bob Urosevich, CEO of Diebold Election
Systems. “The anomaly showed up on the reporting part.”
The problem,
however, was so perplexing that Schmidt asked the Board of Canvassers
to order a hand re-count to make sure the results were accurate.
Unfortunately, the touch screen machines did away with the ballots, so
the only way to do a hand recount is to have the machine print its
internal data page by page. Diebold tried to re-create the error in
hopes of correcting it. “I wish I had an answer,” Urosevich said. In
some cases, vote totals changed dramatically.
November 2002, Comal County, Texas
- A Texas-sized lack of curiosity about discrepancies: The uncanny
coincidence of three winning Republican candidates in a row tallying up
exactly 18,181 votes each was called weird, but apparently no one
thought it was weird enough to audit. Conversion to alphabet: 18181
18181 18181 ahaha ahaha ahaha
November 2002, Baldwin County, Alabama
- No one at the voting machine company can explain the mystery votes
that changed after polling places had closed, flipping the election
from the Democratic winner to a Republican in the Alabama governor’s
race. “Something happened. I don’t have enough intelligence to say
exactly what,” said Mark Kelley of ES&S. Baldwin County results
showed that Democrat Don Siegelman earned enough votes to win the state
of Alabama. All the observers went home. The next morning, however,
6,300 of Siegelman’s votes inexplicably had disappeared, and the
election was handed to Republican Bob Riley. A recount was requested,
but denied.
November 2002, New York
- Voting machine tallies impounded in New York: Software programming
errors hampered and confused the vote tally on election night and most
of the next day, causing elections officials to pull the plug on the
vote-reporting Web site. Commissioners ordered that the voting machine
tallies be impounded, and they were guarded overnight by a Monroe
County deputy sheriff.
November 2002, Georgia
- Election officials lost their memory: Fulton County election officials
said that memory cards from 67 electronic voting machines had been
misplaced, so ballots cast on those machines were left out of
previously announced vote totals. No hand count can shine any light on
this; the entire state of Georgia went to touch-screen machines with no
physical record of the vote. Fifty-six cards, containing 2,180 ballots,
were located, but 11 memory cards still were missing two days after the
election: Bibb County and Glynn County each had one card missing after
the initial vote count. When DeKalb County election officials went home
early Wednesday morning, they were missing 10 cards.
Inside A U.S. Election Vote Counting Program By Bev Harris
Tuesday 08 July 2003
Bev Harris is the Author of the soon to be published book " Black Box Voting: Ballot Tampering In The 21st Century "
Contents Introduction Part 1 - Can the Votes be Changed? Part 2 - Can the Password be Bypassed? Part 3 – Can the Audit Trail be Altered?
--------
Introduction
For both optical scans and touch screens operating using Diebold election systems, the voting system works like this:
Voters vote at the precinct, running their ballot through an optical scan, or entering their vote on a touch screen.
After the polls close, poll workers transmit the votes that have been accumulated to the county office. They do this by modem.
At the county office, there is a "host computer" with a program on it called GEMS.
GEMS receives the
incoming votes and stores them in a vote ledger. But then, we found, it
makes another set of books with a copy of what is in vote ledger 1. And
at the same time, it makes yet a third vote ledger with another copy.
The Elections
Supervisor never sees these three sets of books. All she sees is the
reports she can run: Election summary (totals, county wide) or a detail
report (totals for each precinct). She has no way of knowing that her
GEMS program is using multiple sets of books, because the GEMS
interface draws its data from an Access database, which is hidden.
And here is what
is quite odd: On the programs we tested, the Election summary (totals,
county wide) come from the vote ledger 2 instead of vote ledger 1.
Now, think of it
like this: You want the report to add up ONLY the ACTUAL votes. But,
unbeknownst to the election supervisor, votes can be added and
subtracted from vote ledger 2, so that it may or may not match vote
ledger 1. Her official report comes from vote ledger 2, which has been
disengaged from vote ledger 1.
If she asks for a
detailed report for some precincts, though, her report comes from vote
ledger 1. Therefore, if you keep the correct votes in vote ledger 1, a
spot check of detailed precincts (even if you compare voter-verified
paper ballots) will always be correct.
And what is vote ledger 3 for? For now, we are calling it the "Lord Only Knows" vote ledger.
From a
programming standpoint, there might be reasons to have a special vote
ledger that disengages from the real one. From an accounting
standpoint, using multiple sets of books is NOT OKAY. From an
accounting standpoint, the ONLY thing the totals report should add up
is the original votes in vote ledger 1. Proper bookkeeping NEVER allows
an extra ledger that can be used to just erase the original information
and add your own. And certainly, it is improper to have the official
reports come from the second ledger, the one which may or may not have
information erased or added.
Can These Votes Be Changed?
Let's go into the GEMS program and run a report on the Max Cleland/Saxby Chambliss
race. (This is an example, and does not contain the real data.)
As it stands, Cleland is stomping Chambliss. Let's make it more exciting.
The GEMS election
file contains more than one "set of books." They are hidden from the
person running the GEMS program, but you can see them if you go into
Microsoft Access.
You might look at
it like this: Suppose you have votes on paper ballots, and you pile all
the paper ballots in room one. Then, you make a copy of all the ballots
and put the stack of copies in room 2.
You then leave
the door open to room 2, so that people can come in and out, replacing
some of the votes in the stack with their own.
You could have
some sort of security device that would tell you if any of the copies
of votes in room 2 have been changed, but you opt not to.
Now, suppose you
want to count the votes. Should you count them from room 1 (original
votes)? Or should you count them from room 2, where they may or may not
be the same as room 1? What Diebold chose to do in the files we
examined was to count the votes from "room2."
Illustration: If an intruder opens the GEMS program in Microsoft Access, they will find that each candidate has an assigned number:
One can then go see how many votes a candidate has by visiting "room 1" which is called the CandidateCounter:
"454" represents Max Cleland and "455" represents Saxby Chambliss. let's visit Room2, which has copies of Room1. You can find it in an Access
table called SumCandidateCounter:
Now we will put our own votes in Room2. We'll put Chambliss ahead by
a nose, by subtracting 100 from Cleland and adding 100 to Chambliss. Always
add and delete the same number of votes, so the number of voters won't
change.
we have only tampered with the votes in "Room 2." In Room 1, they remain the
same. Room 1, after tampering with Room 2:
Now let's run a report again.
Now, the example is for a simple race using just one precinct. If you run a
detail report, you'll see that the precinct report pulls the untampered
data, while the totals report pulls the tampered data. This would allow
a precinct to pass a spot check. Can the Password be Bypassed?
At least a dozen
full installation versions of the GEMS program were available on the
Diebold ftp site. The manual, also available on the ftp site, tells
that the default password in a new installation is "GEMSUSER." Anyone
who downloaded and installed GEMS can bypass the passwords in
elections. In this examination, we installed GEMS, clicked "new" and
made a test election, then closed it and opened the same file in
Microsoft Access.
One finds where
they store the passwords by clicking the "Operator" table. Anyone can
copy an encrypted password from there, go to an election database, and
paste it into that.
Example: Cobb County Election file
One can overwrite
the "admin" password with another, copied from another GEMS
installation. It will appear encrypted; no worries, just cut and paste.
In this example, we saved the old "admin" password so we could replace
it later and delete the evidence that we'd been there. An intruder can
grant himself administrative privileges by putting zeros in the other
boxes, following the example in "admin."
How many people
can gain access? A sociable election hacker can give all his friends
access to the database too! In this case, they were added in a test
GEMS installation and copied into the Cobb County Microsoft Access
file. It encrypted each password as a different character string,
however, all the passwords are the same word: "password." Password
replacement can also be done directly in Access. To assess how tightly
controlled the election files really are, we added 50 of our friends;
so far, we haven't found a limit to how many people can be granted
access to the election database.
Using this simple
way to bypass password security, an intruder, or an insider, can enter
GEMS programs and play with election databases to their heart's
content.
Can the Audit Trail be Altered?
Britain J.
Williams, Ph.D., is the official voting machine certifier for the state
of Georgia, and he sits on the committee that decides how voting
machines will be tested and evaluated. Here's what he had to say about
the security of Diebold voting machines, in a letter dated April 23,
2003:
"Computer System
Security Features: The computer portion of the election system contains
features that facilitate overall security of the election system.
Primary among these features is a comprehensive set of audit data. For
transactions that occur on the system, a record is made of the nature
of the transaction, the time of the transaction, and the person that
initiated the transaction. This record is written to the audit log. If
an incident occurs on the system, this audit log allows an investigator
to reconstruct the sequence of events that occurred surrounding the
incident.
In addition, passwords are used to limit access to the system to authorized personnel."
Since Dr.
Williams listed the audit data as the primary security feature, we
decided to find out how hard it is to alter the audit log.
Note that a user
by the name of "Evildoer" was added. Evildoer performed various
functions, including running reports to check his vote-rigging work,
but only some of his activities showed up on the audit log. It was
a simple matter to eliminate Evildoer. First, we opened the election
database in Access, where we opened the audit table:
Then, we deleted
all the references to Evildoer and, because we noticed that the audit
log never noticed when the admin closed the GEMS program before, we
tidily added an entry for that.
Access encourages
those who create audit logs to use auto-numbering, so that every logged
entry has an uneditable log number. Then, if one deletes audit entries,
a gap in the numbering sequence will appear. However, we found that
this feature was disabled, allowing us to write in our own log numbers.
We were able to add and delete from the audit without leaving a trace.
Going back into GEMS, we ran another audit log to see if Evildoer had been purged:
In fact, when using Access to adjust the vote tallies we found that tampering never made it to the audit log at all.
A curious plug-in
was found in the GEMS program, called PE Explorer. Presumably, this is
used to do security checks. Another function, though, is to change the
date and time stamp:
Although we
interviewed election officials and also the technicians who set up the
Diebold system in Georgia, and they confirmed that the GEMS system does
use Microsoft Access, is designed for remote access, and does receive
"data corrections" from time to time from support personnel, we have
not yet had the opportunity to test the above tampering methods in the
County Election Supervisor's office.
We used an actual data file, labeled "Cobb County" for much of our testing.
|