Chapter 9 - Black Box Voting
Contents
1. There was an unprotected FTP site which contained soft ware and hardware specifications some source code and lots of files One file on that site was called rob georgia and this file contained files with instructions to replace GEMS files with these and replace Windows files with these and run program Does this concern you Dr Williams T m not familiar with that FTP site Harris Is there a utility which reports the signature Who checks this and how close to Election Day Dr Williams We do that when we do acceptance testing That would be before election testing Harris What way would there be to make sure nothing had changed between the time that you took delivery and the election Dr Williams Well there wouldn t there s no way that you can be absolutely sure that nothing has changed Harris Wouldn t it help to check that digital signature or checksum or whatever right before the election Dr Williams Well that is outside of the scope of what some of the people there can do I can t think of any way anyone could come in and replace those files before the election Harris Since no one at the state level looks at the source code if the federal lab doesn t examine the source code line by line we have a problem wouldn t you agree Dr Williams Yes But wait a minute I feel you are going to write a conspiracy article Ha2. t think rob georgia could possibly mean rob Georgia he said I left a somewhat more agitated message on Woodward s voicemail and submitted my experience to a Web site called Media Whores Online These files might contain evidence These files might go away I called people in various places around the world and urged them to go look at rob georgia I thought long and hard And then I down loaded the files all 40 000 of them It took 44 hours nonstop I gave them to someone I trust who put them in a safe deposit box and there they sit to this day Why in the world would an ATM manufacturer like Diebold leave sensitive files hanging out there on an unprotected Internet site I made a few phone calls which confirmed that Diebold knew the site was unprotected and learned that the site had been there for years I kept asking if anyone knew who Rob was Everyone told me there was no employee named Rob in Georgia Perhaps rob was a verb Bey rob georgia zip Co Place the contents in the Gems Folder Replace what is in the Gems Folder with these Run this program Install To C Winnt System32 z Instructions tk This free internet version is available at www BlackBoxVoting org 90 Black Box Voting rob georgia is a compressed folder with three more folders containing 3 794 more files inside it It contains uncertified program modifications a way to slip any damn thing you want into a voting machine Why did they r
3. If this testing is rigorous might we expect them to invest say 10 min utes per machine The testing just described adds up to every touch screen unit being tested three times before it gets to the logic and accuracy test You can check the footnotes for my calculations All this testing would take 17 people working 40 hours per week for four months doing nothing but rigorous testing Call me a skeptic but I want to see the payroll records on that What does all that modifying at the last minute do to security Wait don t program modifications need to be recertified How many people had to get access to these machines to do this Was this legal And what exactly was in rob georgia zip ck ck ok ck Ok With so many unanswered questions I decided to ask the public officials responsible for voting systems in the state of Georgia about these program modifications Here are excerpts from a February 11 2003 interview with Michael Barnes Assistant Director of Elections for the state of Georgia Harris I want to ask you about the program update that was done on all the machines shortly before the election Barnes All right Harris Was that patch certified Barnes Yes Harris By whom Barnes Before we put anything on our equipment we run through state certification labs and then in addition to that we forwarded the patch to Wyle labs in Huntsville Wyle said it did not
4. no files were transferred And the modems which James Rellinger the contractor who installed the Georgia servers for 159 counties was instructed to put into ev ery county voting system were never used except for once When questioned on August 22 2003 Dr Britain Williams claimed that most counties did not use these modems at all Some counties don t have phone lines Some don t even have bathrooms he told a group of people that included computer programmer Roxanne Jekot and Atlanta Journal Constitution reporter Jim Galloway On February 12 2003 I interviewed Dr Williams Kennesaw Elec tion Center an organization funded by the Georgia Secretary of State Harris I have questions regarding your certification of the ma chines used in Georgia during the last election Dr Williams For the state of Georgia I don t do certification This free internet version is available at www BlackBoxVoting org 96 Black Box Voting The law gives the Secretary of State the authority to say what systems are certified and what are not What I do is an evaluation of the system Harris What was your involvement in certifying the program patch that was put on Did you actually certify the patch or did you determine that it was not necessary Dr Williams Part of our testing program is when these machines are delivered we look at the machines and see that they comply And in the process of doing that r
5. Georgia Sec retary of State Media Backgrounder Before leaving the factory each touch screen terminal receives a diag nostic test If each touch screen was tested before leaving the factory why did every single machine need modifications in order not to crash after they reached Georgia The machines were shipped to Geor gia in June 2002 And once they arrived we are told there was more testing Upon arrival at Diebold s central warehouse in Atlanta each unit was put through a diagnostic sequence to test a variety of functions including the card reader serial port printer the internal clock and the calibration of the touch screen itself These tests were audited by experts from Kennesaw State University s Center for Election Systems The following statement on Georgia Secretary of State letterhead remains posted on the state s Web site as of the writing of this book This free internet version is available at www BlackBoxVoting org 92 Black Box Voting After shipment to each of Georgia s 159 counties county acceptance testing which consists of the same types of diagnostic procedures was performed by KSU staff on each voting terminal Was this testing rigorous Yes rigorous they promised Accord ing to the Media Backgrounder Georgia s multi tiered election equipment testing program is among the most rigorous in the nation Could someone take a moment to do the math with me
6. affect This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris ISBN 1 890916 90 0 The First Public Look 93 the certification elements So it did not need to be certified Harris Where s the written report from Wyle on that Can I have a copy Barnes Vd have to look for it I don t know if there was ever a written report by Wyle It might have been by phone Also in Georgia we test independently at Kennesaw University a state university Harris Can I see that report Barnes You d have to talk to Dr Williams and he s out of town Dr Williams is on the National Association of State Election Di rectors NASED certification and I think he s also at Kennesaw University He does the certification for the state of Georgia Harris Was this new patch tested with a Logic and Accuracy test or was it tested by looking at the code line by line Barnes Logic and Accuracy and also they verify that our version is identical and also any software is tested through Ciber and Wyle Harris But Wyle decided not to test the patch you say Was this patch put on all the machines or just some of the machines Barnes All the machines Harris So every machine in Georgia got this program update Barnes Yes every one of the machines used on election day in November If it had been sent out to counties prior already D
7. certified but were used anyway This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris e ISBN 1 890916 90 0 The First Public Look 107 Enter your emer kagon name and passed o an Al this piini lindows wii siai Setting System Date and Times The password for the GEMS program is GEMSUSER Akor Windoern saris of tbe bottom right comer of fie screen is the systom CAFX_DATA_INIT CSmartCardEmuD1g m_ByAccLevel 0 Supervisor access at the polling m_ID _T 01234567890 place is granted by the password m_Levell 1 1111 Instead of allowing supervisors m_Level2 l m_Level3 lt 1 to control the password it is written m Party 1 into the source code and printed in _PIN _T 1111 the manuals ADMIN CARD m_Type VOTER_CARD AFX_DATA_INIT at VC_NOACCESS else NEWTYPE CARD CVoterInfo writeVoter Info writeVoterInfo m_CardType VOTER CARD weiteVoterInfo m Version VCI VERSIONI writeVoterInfo m ElectionKey pVCardInfo gt m_ElectionId weiteVoterInfo m VCenter CV Center pVCardInfo gt m VCenterId weiteVoterInfo m DLVersion pVCardInto gt m_DLVersion writeVoterInfo m Reportunit CDistrict pVCardInfo gt m Precinct Id writeVoterInfo m Baseunit CBaseunit p CardInfo gt m_PortionId writeVoterInfo m_CounterGroup CCounterGroup pVCardInfo gt m_ GroupId writeVoterInfo m_VGr
8. precincts found in the GEMS folders VCProgrammer exe programs to sign in and validate voter cards Just about every version of the Diebold programs ever certified and hundreds that were never certified were available It might be helpful also to know what kind of testing the voting system goes through especially the details on the Logic and Accu racy testing done right before and after the election After all you d want to make sure that whatever hacking you do doesn t get caught Testing procedures sample testing results and instructions on how This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris ISBN 1 890916 90 0 The First Public Look 105 to do the testing were also on the Diebold FTP site You d want to see some typical ballot configurations or better yet get the data files created for actual elections That way you d know the positioning of the candidates on the ballot and you could even get the candidate I D number used by the computers to assign votes You could do test runs using real election files No problem On the FTP site were files designated for counties in California Maryland Arizona Kentucky Colorado Texas Geor gia North Carolina Kansas and Virginia Some files like one for San Luis Obispo County California were date stamped on an elec tion day curiously five hours before the polls closed By now you may have heard abo
9. the patch was put in Harris But as I understand it a team of people went around the state putting these patches on Dr Williams By the time they put the patches in the majority of the machines had been delivered Actually it was going on at the same time When they started putting the patches in around the state we tested the machines where they did that put the patches in at the factory Harris When I spoke with Michael Barnes he said that you tested all the machines or a random sampling of the machines after the patch was put on Dr Williams We had five or six teams of people with a test script that they ran on each machine Harris The test script did what Dr Williams The test script was generic It was in two parts One part tested the functionality of the machine It was a hardware diagnostic it primarily tested that the printer worked that the serial This free internet version is available at www BlackBoxVoting org 98 Black Box Voting port worked that the card reader worked tested the date and time in the machine and to an extent checked calibration of the machine Then if it passed all of those it tested the election We loaded a small sample election in the same as the one used during certification testing and we ran a pattern of votes on there This is good but he s telling me about testing printers and things Barnes had told me that Dr Williams an
10. She made this statement in August 2003 in September Sequoia s secret voting software was found on an unprotected Web site It had been sitting there for a year and a half This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris e ISBN 1 890916 90 0
11. The First Public Look 85 This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris Rights reserved ISBN 1 890916 90 0 Papberback version can be purchased at www Amazon com 9 The First Public Look Ever into a secret voting system Author and historian Thom Hartmann writes You d think in an open democracy that the government answerable to all its citizens rather than a handful of corpo rate officers and stockholders would program repair and control the voting machines You d think the computers that handle our cherished ballots would be open and their soft ware and programming available for public scrutiny You d be wrong If America still is a democratic republic then We The People still own our government And the way our ownership and man agement of our common government and its assets is asserted is through the vote Many citizens believe however that turning the program ming and maintenance of voting over to private for profit cor porations answerable only to their owners officers and stock holders puts democracy itself at peril Historians will remind us of a concept called the public com mons Public ownership and public funding of things that are es sential to everyone means we get public scrutiny and a say in how things are run This free internet version is available at www BlackBoxVoting org 86 B
12. ation system would be better than what we dis covered is really happening Diebold has used software directly off its FTP site without sub mitting it for certification at all Quite literally this software went from a programmer s desk directly into our voting machines The Diebold FTP site and election tampering If you want to tamper with an election through electronic voting machines you want to play with Ballot configuration Switch the position of candidates A vote for one candidate goes to the other Vote recording Record votes electronically for the wrong can didate or stuff the electronic ballot box Vote tallying Incorrectly add up the votes or substitute a bo gus vote tally for the real one or change the vote tally while it is being counted You d want to find out as much as you could about procedures No problem the Diebold open FTP site contained the Ballot Station User Manual the Poll Worker Training Guide and at least two versions of the GEMS User Manual along with the Voter Card Programming Manual and hardware configuration manuals for the AccuVote touch screen system It would be helpful to play with elections in the comfort of your own home Not a problem full installation versions of the Diebold voting programs were on the Web site BallotStation exe vote recording and precinct tallying for the touch screen machines GEMS exe county level tallying of all the
13. ce code Source code contains the commands given to the computer that tell it how to execute the program Many people are surprised to learn that source code files consist of English like programming commands that people can read After software engineers write the program it is compiled to make it machine readable The cvs tar file that Diebold left on its Web site was a source code tree for the program used to cast votes on touch screens The tree contains the history of Diebold s software development process going all the way back to Bob Urosevich s original company I Mark Systems through Global Election Systems and including 2002 pro gramming under Diebold Election Systems Leaving other people s pants unzipped It s bad enough when you leave your own sensitive stuff on the Web But Diebold exposed other people s confidential information also Diebold left 15 900 of Microsoft s proprietary Windows CE source code files on its public Web site ready to assemble like a set of Legos The Microsoft Windows CE Platform Builder is a set of develop ment tools for building a Windows CE operating system into cus tomized gadgets You are supposed to have a license to use it and according to Bill Cullinan of Venturcom Inc a Waltham Massachussetts based Windows CE distributor and developer the kit is not free The Platform Builder development kit for the new Windows CE net runs about 995 he told me Earl
14. code Even if they did we d detect it 7 Dr Britain Williams This free internet version is available at www BlackBoxVoting org 112 Black Box Voting For 144 years Diebold has been synonymous with security and we take security very seriously in all of our products and services Diebold Web site It is all fine and well to upload results over the Internet but we don t exactly have a lot of experience in Internet security in this company and government computers are crackers fa vorite targets Barry Herron Diebold Regional Manager Diebold internal E mail 2 3 99 Joe Richardson official spokesman for Diebold in response to a question from the author Our ongoing investigation has found no merit to the insinuations of security breaches in our election solutions Harris So if there were 20 000 files including hardware software specs testing protocols source code you do not feel that is a security breach Richardson shuffling papers Our ongoing investigation has found no merit to the insinuations of security breaches in our election solutions The scientists are undermining people s confidence in democ racy None of the critics is giving any credence to the exten sive system of checks and balances that we employ internally Mischelle Townsend Registrar of Voters Riverside County CA Associated Press 8 17 03 Townsend s county uses Sequoia machines
15. d November 5 2003 and we ve been told that it took about a month to go out and touch every machine What we have here is a group of Georgia election officials run ning around the state replacing the computer commands in the vot ing system right before the election without anyone examining what the new commands actually do Who ordered this Let s find out where the buck stops Harris Where did the actual cards come from Barnes Diebold gave a physical card one card that activates each machine There were about 20 teams of technicians They line the machines up install the card turn on boot up take that card out move on then test the machine Harris Were people driving around the state putting the patches on the machines Barnes Yes The order came from Diebold and was implemented by Georgia election officials and Diebold employees Harris What comment do you have on the unprotected FTP site Barnes That FTP site did not affect us in any way shape or form because we did not do any file transferring from it None of the servers ever connected so no one could have transferred files from it No files were transferred relating to state elections When someone issues that many denials in a single answer it makes me wonder if the truth lies somewhere in the opposite direction Harris How do you know that no one pulled files from the FTP site This free internet v
16. d his team went out and tested every machine afterwards to make sure nothing was installed on them that shouldn t have been I wanted to know if anything had been put in the software that might affect our votes Harris Can you tell me about the digital signature A digital signature is used to show that no changes in the software were done Dr Williams That s part of the test that involves looking at the software putting the patch on wouldn t change the digital signature Harris But if you put in a program patch wouldn t that show that a change has been made Dr Williams No because the patch was only in the Windows portion there was no digital signature check on the operating system I m sorry to subject you to this excruciating interview and I apolo gize for throwing terms like digital signature around I had heard that this checksum or digital signature was a way to determine that no unauthorized code was put into our voting system so I was trying to find out how it worked or if they used it at all But Dr Williams the official voting machine examiner for Mary land Virginia and Georgia was indicating that he did not check things if they involved the Windows operating system That would open up a security hole the size of British Columbia All you d have to do is mess with Windows upload your handiwork into the Georgia voting system and you d have di
17. dified them they became subject to certification They did not come from Microsoft They came directly from Diebold Therefore they were not as is off the shelf Someone should have looked at these too The rob georgia zip file includes one folder containing replace ments for the Windows operating system and two folders with re placement files that are not for Windows You don t need to be a computer scientist to see this Just look at the file names which instruct the user to alter the GEMS program GEMS is not part of the Windows operating system Someone should have looked at these Someone should have looked at all these files but no one did In fact no one has any idea what was on those Georgia voting machines on Nov 5 2002 Georgia certified an illegal election Now what ck cK k Ok Ok As word spread about voting system files found on an open FTP site it became a favorite topic of conversation on Internet discus sion forums This could make Watergate look like a game of tiddlywinks Get a good seat This could be quite a long ride TruthIsAll Public examination of the files is the best thing that could have happened It s the only way we can engage in an informed debate about voting machines I m glad we got a look inside but what we found should divest you once and for all of the idea that we can trust secret voting systems created by for profit corporations There is no reason to be
18. ding machines sold to Maryland and Kansas that were built and shipped around the same time Dr Williams Yeah but now the key phrase is with the same system Maryland ran a similar version with a different version of Windows and did not have this problem Harris So the program was certified by the federal labs even when it ran on different versions of the operating system Dr Williams Yes they don t go into the operating system Maybe the federal labs don t and Williams said that he didn t but someone was going into the operating system Talbot Iredale senior vice president of research and development for Diebold Elec tion Systems one of the two original programmers hired during the Vancouver Manuever era modified the Windows CE operating sys tem used in Georgia One man One million votes Talbot Iredale could be as honest as a church pastor actually one of the pastors at my church once ran off with 16 000 but even if Iredale has absolute integrity allowing one person unchecked access to a million votes at once has got to be the biggest security This free internet version is available at www BlackBoxVoting org 100 Black Box Voting breach in the history of the U S electoral system Now if one man got his own uncertified software into Diebold s optical scan system that would be bigger In 2002 those machines counted about seven million votes More on that later Harris
19. ells them to do They can be set up to delay their launch until a triggering event occurs There is nothing wrong with dll files but there is something very wrong with putting new dll files into a voting machine if no one has examined them Other files such as nk bin also contain executables that can literally rewrite the way the system works The nk bin file is like a mini Windows operating system If a programmer modifies the nk bin file and these unexamined files are put on the voting machine the truth is we have no idea what that machine is doing Any time you do a program modification you can introduce a small trojan horse or virus that can corrupt the election The rob georgia zip folder includes a file called setup exe that was never examined by certifiers It contains many dll files The clockfix zip file is an nk bin file Someone should have looked at these fy ClockFix zip NK bin BIN File 7 16 2002 8 43 PM Hey What s this I found it on the ix zi Diebold FTP site ClockFix zip iebo site This tree internet version is available at www BlackBoxVoting org 102 Black Box Voting Now about the Windows operating system In order to use COTS software Commercial Off The Shelf without having certifiers ex amine it the commercial software must be used as is with no modi fications If the patches that Barnes and Williams referred to were Windows patches the moment Diebold mo
20. eplace voting machine stuff Did they replace voting machine files As I Googled around with various Georgia voting machine Diebold search words here s what popped out 16 Sep 2002 Memo from Chris Riggall press secretary for Georgia Secretary of State Cathy Cox Diebold programmers developed a patch which was applied to the units deployed in Hall and Marion counties and we were pleased that not one freeze was reported among the tens of thousands of votes cast there Unfortunately we simply did not have the time to apply the patch to the demo units but that is now occurring to all units in all counties and the last increment of shipments from Diebold had this fix loaded before leaving the factory A program modification was needed because the touch screens were freezing up crashing the machines Makes sense The problem must be a big one to justify modifying the progam on all 22 000 machines in Georgia But wait a minute This is in the Media Backgrounder put out by the Georgia Secretary of State Press Office 7 Before being considered for acquisition in Georgia software is exam ined for reliability and hardware is subjected to a variety of torture tests The state testing examines both hardware and software for accuracy and reliability and mock elections are conducted on the equipment witnessed by county election officials The document names Wyle Laboratories and Ciber Inc citing their extens
21. epresentatives of Kennesaw University did this we found about 4 5 percent of the machines were rejected not all because of screen freezes but that was one of the problems Harris It was the screen freezes that caused them to issue a pro gram patch Dr Williams Yes The vendor Diebold created a patch addressing the screen freezing It made it better but didn t completely alleviate the problem Harris Did you do a line by line examination of the original source code Dr Williams For the original no We don t look at the source code anyway that s something done by the federal ITAs Harris Did you do a line by line examination of the patch Dr Williams The patch was to the operating system not to the program per se Harris It only changed Windows files Do you know that it didn t change anything in the other program Did you examine that Dr Williams We were assured by the vendor that the patch did not impact any of the things that we had previously tested on the machine The evaluator was assured by the vendor Who s in charge Harris Did anyone look at what was contained in the replace ment files Dr Williams We don t look at source code on the operating system anyway On our level we don t look at the source code that s the federal certification labs that do that Harris Did you issue a written report to the Secretary of S
22. ersion is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris ISBN 1 890916 90 0 The First Public Look 95 Barnes One voting machine calls the servers and uploads the info We don t allow the counties to hook up their servers to a network line Harris I notice that one of the things the network builder put on the county machines was a modem Barnes The only time you use the modem is on election night That is the only time the unit was used was election night when they plug it into the phone Harris Having the screens freeze up is a pretty severe error how did 5 percent of the machines get out of the factory with that How did they get through Wyle testing labs Barnes All I know is that the machines were repaired Harris How do you know that the software in the machines is what was certified at the labs Barnes There is a build date and a version number that you can verify Kennesaw University did an extensive audit of the signature feature Dr Williams and his team went out and tested every ma chine afterwards to make sure nothing was installed on them that shouldn t have been Harris They tested every one of 22 000 machines Barnes They did a random sampling So the FTP site which contained 40 000 files placed there over a period of six years was never used and no one transferred files from it no one could transfer files from it
23. ha De he valag jibl nibiing amiri Mirnim liro dim bma adr iiw i E PT a te the clertian T Peas Alesse Biv 2S Toe HELA TEES ne _ _ Old Global Election Systems Web page GESN com This free internet version is available at www BlackBoxVoting org 88 Black Box Voting I clicked all the links including the link called FTP which took me to a page full of files I called David Allen What am I looking at Allen admitted that the file names like BS4 and GA 062802 meant nothing to him but we both knew that this was an online file stash He snorted and offered a comment Incredible stupidity Be Director pots jMitotapo Fle Edt Wee Go Conmuricator Help lt 24 2 m Beck Foreesd Reed Hove Search Newcape Beckmaks A Location Apip GESW com FmeADL aur BriwiatMessagoe FP wawat FZ Ciordia E Pant Current directory is Up co higher level directory fa 833 B34 Incoming ola Ea Incowing Lib aD 5 I d found the crown jewels for Diebold Election Systems What follows is the first detailed look ever into a secret voting system rob georgia zip Noun or verb What do you do when you find 40 000 secret files on an unpro tected file transfer site on the Internet Probably just look and go away But what if you have pledged allegiance to the United States and to the republic for which it stands What if you knew that
24. he End Election button For some reason Diebold s voting machines were less secure than your briefcase That s because programmers hard wired the password into the source code That way no one could change the password and anyone inside the polling place the janitor a crooked politician could pretend to be a supervisor by entering 1111 In case you need a fancy password the files called passwd might come in handy I don t know if anyone found a use for the Diebold programmer passwords but these were sitting there E passwd ken Cx4JrK4Q4uebk E passwd guy LPHmbSVeBSUO6 ken Cx4drKk404uebk tri GubsAUF5T109Q Es een ee ar whitman KnSetwE DYtUM admitry dyNCBK1INDVDU nel 187 xesCnmxBu whitman g6P ENseGdSio6b mike XS5oEayCPicxN kponti b t1lxLFSaVUVE toma h skrGZaF iuqg denisel b tlxLFSaVUVE bill 6bFseyII9RxV ataaib t1xLFSaVUVE quest cZmeUJv9sgzyc josh ZHwPOhdSis3JE At the county election supervisor s office the results from all the polling places are tabulated using a program called GEMS and the password GEMSUSER was in the user manual The election supervisor can change GEMSUSER but later P11 show you how a 10 year old could change it right back A cracker who wants to pretend he is the elections supervisor might start by installing one of the GEMS vote tallying programs on his home computer There were over 100 versions of this program on the FTP site many of which were never
25. iebold and their technicians went out and manually touched every machine Some of the machines were still at the manufacturer they did the patches on those Harris How long did it take to do patches on what was it around 22 000 machines Barnes It took about a month to go back out and touch the systems Harris Can you tell me about the procedure used Barnes The actual installation was a matter of putting in a new memory card They take the PCMCIA card install it and in the booting up process the upgrade is installed OK let s regroup So far we have thousands of defective voting systems that somehow made it through Wyle s hardware testing Ciber s software testing Diebold s factory testing rigorous testing on ar rival at the Georgia warehouse and more testing when delivered to each of Georgia s 159 counties But the machines didn t work This free internet version is available at www BlackBoxVoting org 94 Black Box Voting Then we have a set of file replacements called rob georgia and a Georgia state elections official telling us they replaced files on all 22 000 machines in Georgia In an act of computer science clair voyance it was determined by telephone that nothing was on the modi fications that anyone needed to look at We know from a memo dated September 16 that there were plans to install program modifications we know that the Georgia general election was hel
26. ier the cost was up over 2 000 Any cracker in the world could access the pricey Microsoft developer s platforms through the Diebold FTP site Despite a notice that says You may not copy the Hewlett Packard Software onto any public network copies of Hewlett Packard software were on the public FTP site hosted by Diebold A document marked Intel Confidential pertaining to microprocessor development for personal PCs was on the FTP site This free internet version is available at www BlackBoxVoting org 110 Black Box Voting along with the Merlin PPC Sourcekit for personal PCs and the Intel Cotulla development kit and board support packages for Microsoft Windows CE NET and PocketPC 2002 So Diebold expects us to trust them with our vote yet they are quite cavalier with other people s intellectual property and as we will see in the next section with people s personal information On the Diebold FTP site Private info on 310 000 Texans During the writing of this chapter I tried to take a more complete inventory of what was on that site and was surprised to find per sonal information for 310 000 Texans Identity thieves can work anonymously from anywhere in the world and armed with your Social Security number and a few other details can quite literally ruin your life And all they need is your name address and birthday to get your Social Security number In this file were birthdays First middle and last
27. ing with this information anyway I wondered if any reporters had their personal information posted Yep two reporters for the Dallas Morning News the publisher for the Plano Star Courier and the managing editor of the Herald amp Times Newspapers And does Bob Urosevich the president of Diebold Election Sys tems know that his wife and daughter had their private information on that FTP site What do Diebold and the other guardians of our vote have to say about this We protect the Bill of Rights the Constitution and the Decla ration of Independence We protect the Hope Diamond Now we protect the most sacred treasure we have our secret ballot Diebold CEO Wally O Dell Sometimes our customers use the FTP site to transfer their own files It has been up quite some years People go there from counties cities sometimes there is stuff there for state certifi cation boards federal certification a lot of test material gets passed around Guy Lancaster Diebold contractor the current group of computer wizards who are so shrilly attacking are no longer behaving like constructive critics but rather as irresponsible alarmists and it s getting a little old Dan Burk Registrar of Voters Washoe County NV from Diebold web site They re talking about what they could do if they had access to the computer program code But they re not going to get access to that
28. ive experience in NASA related testing So how did these NASA testing labs miss something so obvious that all 22 000 voting machines required a modifications to keep them from crashing Here is what Diebold wrote to certifier Wyle Laboratories in its latest touch screen certification documents It is Diebold Election Systems Inc policy that the only acceptable level of conformance is Zero Defects This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris ISBN 1 890916 90 0 The First Public Look 91 Okay we all know that zero defects is one of those terms that sounds good and doesn t happen But we ought to at least hold Diebold to this promise The manufacturing test location test date and inspector initials will be recorded on a label on every voting machine Whose initials are on the Georgia machines Anyone s In its RFP soliciting purchase by the state of Georgia Diebold submitted the following in its Schedule for Deployment Prior to our GEMS hardware installation at each Georgia county the hardware will be staged in McKinney Texas for software integration and testing As part of the installation process Diebold promised that all software and drivers small programs which drive specific pieces of hard ware such as printers touch screens or modems would be loaded prior to being shipped to Georgia And according to the
29. lack Box Voting When you privatize a thing like the vote strange things happen For example you can t ask any questions Jim March a California Republican filed a public records request in Alameda County California to ask about the voting machines it had entrusted with his vote The county s reply Please be advised that the county will not provide the information you re quested The County will not allow access or disclose any information regarding the Diebold election system as any information relating to that system is exempted from the PRA Public Records Act The system pro vided by Diebold Election Systems Inc DESI is a proprietary system that is recognized as such in the contract between the County and DESI The County contends that the official information privilege in section 1040 of the Evidence Code is applicable because the information requested was acquired by the County in confidence and the County is required to main tain its confidentiality Any copying or disclosing of such information would violate the license agreements When I called ES amp S to ask the names of its owners the company simply declined to take my call When former Boca Raton Florida mayor Emil Danciu requested that Dr Rebecca Mercuri perhaps the best known expert on elec tronic voting in America be allowed to examine the inner workings of Palm Beach County s Sequoia machines the judge denied the re quest
30. lieve that other manufacturers such as ES amp S and Sequoia are any better than Diebold in fact one of the founders of the original ES amp S system Bob Urosevich also oversaw development of original software now used by Diebold Election This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris ISBN 1 890916 90 0 The First Public Look 103 Systems Because voting systems except AccuPoll which is open source are kept secret I am focusing on Diebold only because we can t find out anything about the other vendors systems We do know that ES amp S filed a patent infringement lawsuit against Global Election Systems at one time indicating that some part of the system was alleged to be identical Also Chapter 2 shows that Diebold Sequoia and ES amp S have all miscounted elections many times Some advocates confuse what happened with Diebold s unprotected FTP site with open source Very reputable programs such as the Linux operating system have been developed through open source letting the whole world examine the system and suggest improve ments What Diebold did though is quite different If you never obtain public feedback to improve your software what you have is horrific security not an open source system People have by now examined the Diebold files but it s still not open source be cause no one has the slightest idea what Diebold has done to correc
31. names Street addresses Apartment numbers School districts Political affilia tions Voting habits I assume they will say it was some kind of voter registration file but it sure has a lot of information Each kind of information name zip code etc is called a field and this file had 167 fields which included data from about three dozen elections logged in over several years by many different people Ninety five thousand people from Plano are in this file and a couple hundred thousand more from Richardson McKinney Wylie Dallas and surrounding areas People have a right to privacy even in the Internet age Any woman who has an abusive ex boyfriend will tell you that she doesn t want her apartment number published on a Web site Child custody cases can get nasty Thieves who find a database like the one left in the open by Diebold may try to sell the information Because of this file I know that Bob L of Plano is a Republican and likes to do absentee voting and that he and his wife are the same age But does Bob know that Diebold hung his undies out the win dow for all to see Someone will explain to me that you can buy voter registra tion files for a nominal fee But that doesn t mean you can buy This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris e ISBN 1 890916 90 0 The First Public Look 111 those lists and stick them on the Internet and what was Diebold do
32. oupl C Group pVCardInfo gt m_VGroup1Id weiteVoterInfo m VGroup2 CVGroup pV CardInfo gt m_ VGroup2 Id strcpy writeVoterInfo m PIN 1111 strcpy writeVoterInfo m Description weiteVoterInfo m Flags1 UCHAR pVCardInfo gt m Flags amp 0x07 weiteVoterInfo m Flags2 USHORT pVCardInfo gt m Flags gt gt 4 writeVoterInfo m VoterSN pVCardInfo gt m VoterId if m_CardReader Write writeVoterInfo SNC_OK st VC_FAILEDWRITE else st VC_OKAY if m CardReader IsOpen f This free internet version is available at www BlackBoxVoting org 108 Black Box Voting GEMS is on the central computer at the county elections office This is the software that creates the ballots before the election and it also accumulates the incoming votes from the polling place and creates election reports The same GEMS program handles both touch screens and optical scan machines There were many vote databases tagged to cities and counties so a cracker could practice tampering with real software and real votes Any computer that has Windows seems to work but meticulous people would follow the instructions left on the FTP site and put the GEMS program on a Dell PC with Windows NT 2k installed Diebold support techs have also helped counties set up GEMS on Windows XP and Windows 2000 So many versions of the GEMS program so little time A good version to start with would be GEMS 1 17 17 according to NASED document
33. please go to hell in the nicest possible way You can t examine a machine or even look at a manual David Allen who published an Internet version of this book wanted me to find out how the machines work These things are so secret we re supposed to just guess whether we can trust them he said We ve got to get our hands on a tech nical manual somehow He didn t have that information and neither did anyone else I decided to find some programmers for the vendors I was most in terested in ES amp S at that time I hadn t done much work at all on Diebold Election Systems I entered essvote com into the Google search engine looking for e mails that might give me names I could contact and found a few dozen employees who work for ES amp S I postponed calling them What would I say So I stalled by con vincing myself that I should find as many names as possible I got some from Sequoia I entered Global Election Systems and found some old documents with e mails ending in gesn com On page 15 of Google looking for anything with gesn in it I found a Web page You can still find this page at www archive org for GESN com The FTP link still appears aia B A Gora E LES TION SYSTEMS GLOBAL LL Tt p W skeme 1e tha Babal erties Seamer Sete Ep Hams af hee Hata i arate pinal e aa hag Spe d are ate TE The PEHE Vilmbead Llenties byeee je dedii ated te peeling i nie Pathe art
34. rect access to a million votes at once Dr Williams was interested in the non Windows code and the ITA labs I wanted to know about the Windows modifications and the other security problems associated with sticking program modifications on voting machines using PCMCIA cards This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris ISBN 1 890916 90 0 The First Public Look 99 Dr Williams They write the source code and the source code is submitted to the federal lab When it passes the lab they freeze the source code at that point it s archived Any change after that is subject to retesting That s nice but he just said they changed the frozen source code without retesting it And why stop at replacing the Windows operat ing system maybe the whole program could be replaced by sub stituting unauthorized cards during this process of patching the voting software Harris What was the security around the creation of the cards used to implement the patch Dr Williams That s a real good question Like I say we were in the heat of the election Some of the things we did we probably compromised security a little bit Let me emphasize we ve gone back since the election and done extensive testing on all this Harris Based on your knowledge of what that patch did would it have been needed for all the machines of same make model and program Inclu
35. rris What I m looking at is the security of the system itself specifically what procedures are in place to make sure an in sider cannot insert malicious code into the system Dr Williams There are external procedures involved that pre vent that Harris This is exactly what I want to know If you know what procedures would prevent that could you explain them to me Dr Williams We have the source code How can they prevent us from reviewing it I have copies of source code that I ve certified This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris e ISBN 1 890916 90 0 The First Public Look 101 Harris But you said you do not examine the source code Dr Williams Yes but the ITA did it The ITA when they finish certifying the system I get it from the ITA someone would have to tamper with the source code before it goes to the ITA and the ITA would have to not catch it Of course both Williams and Barnes just told us that the ITA never examined the modifications made to 22 000 machines in Georgia Let s consider a few points here Tiny programs can be added to any program modification The file Setup exe launches many of these some of which are dll files which stands for dynamic link library These are small files that hide inside executable programs and can launch various functions whatever the programmer t
36. ruling that neither Mercuri nor anyone else would be allowed to see the code to render an opinion When best selling author William Rivers Pitt interviewed Dr David Dill a professor of computer science at Stanford University about his experience with voting machines Pitt got an earful about secrecy It is frustrating because claims are made about these systems how they are designed how they work that frankly I don t believe says Dill In some cases I don t believe it because the claims they are making are impossible I am limited in my ability to refute these impossible claims because all the data is hidden behind a veil of secrecy 5 When members of the California Task Force on Electronic Voting asked how the machines were tested Wyle and Ciber declined to answer We wanted to know what these ITAs do said Dill So we invited them to speak to us They refused to come visit us They were also This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris e ISBN 1 890916 90 0 The First Public Look 87 too busy to join us in a phone conference Finally out of frustration I wrote up 10 or 15 questions and sent it to them via the Secretary of State s office They didn t feel like answering those questions either What testing do the manufacturers do asks Dill If you go to their Web pages it says if you d like to know something about us
37. s that was an officially certified version of GEMS during the general election in November 2002 A folder called Pima Upgrade might be a good choice for a hacker living in Tucson and the new 1 18 series was also available An even newer program version 1 19 was put on the FTP site on January 26 2003 just three days before it was taken down Suppose you wanted to simulate an actual touch screen voting ma chine You need to activate those with a smart card and the average desktop computer isn t set up for that Put the word votercard into a text search on the Diebold files and this pops up in a file called votercard cpp v v3 10 19 1 5 v3 10 18 1 5 b1 1 3 votercard hack 1 5 0 4 v3 10 17 1 5 v3 10 16 1 5 we INITGe G Now if I m a cracker and I get the Votercard cpp v file and I m running a computer that really isn t a voting machine but want to figure out how it works here it is a neat little program that can cancel out the card reader entirely Diebold handed me the road map and helped me find it by naming it votercard hack A moderately This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris ISBN 1 890916 90 0 The First Public Look 109 skilled programmer will know how to paste it into the latest touch screen source code recompile install and start playing around The suffix cpp stands for C and these files are sour
38. t the flaws if anything If the Diebold system had allowed everyone with expertise to cri tique the software during development and then showed how it cor rected the flaws that would be open source Such a procedure would no doubt arrive at a very simple and secure program with a voter verified paper ballot to back it up Instead Diebold allowed only a small handful of programmers to look at its software Then they put all the software along with passwords and encryption keys on an open Web site and left it there for six years where crackers could download it and people interested in elections could find it but respectable experts and citizens groups were not told of its existence or allowed to ex amine anything Putting that kind of material on an unprotected Web site was a major security stuff up by anyone s reckoning That s how Thomas C Greene of The Register describes what Diebold did and he s right Diebold s entire secret election system was avail able to any hacker with a laptop Our certification system is fundamentally broken The system is secret relies on a few cronies and is accountable to no one Worse the certifiers have clearly given a passing grade to soft ware so flawed that it miscounts loses votes and invites people This free internet version is available at www BlackBoxVoting org 104 Black Box Voting to come in the back door to make illicit changes But even this inadequate certific
39. tate indicating that it was not necessary to look at the patch Dr Williams It was informal not a report we were in the This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris e ISBN 1 890916 90 0 The First Public Look 97 heat of trying to get an election off the ground A lot was done by e mails So Barnes points to the ITAs but admits they never examined the program modifications and then he points to Williams who in turn points to the ITAs and then points to the vendor No one writes a report about any of this Dr Williams implies that this program re placement was put on when they took delivery but that was in June The program modifications were done in October Harris What month did you install that program patch Dr Williams When we took delivery we were seeing that the patch was on there Harris I have a memo from the Secretary of State s office that is dated in August Sept 16 actually and it says that due to a problem with the screens freezing a patch was going to be put on all the machines in Georgia Apparently someone had already taken de livery on these machines and they had already been shipped out around the state before the patch was applied is that right Dr Williams The patches were done while we were doing ac ceptance testing One of the things we looked for during acceptance testing was to make sure
40. the devil went down to Georgia on No vember 5 2002 and handed that state an election with six upsets tossing triple amputee war veteran Max Cleland out of the U S Senate in favor of a candidate who ran ads calling Cleland unpatriotic Suppose you knew that in Georgia the first Republican governor in 134 years had been elected despite trailing in every poll and that African American candidates fared poorly even in their own districts This free internet version is available at www BlackBoxVoting org Black Box Voting 2004 Bev Harris e ISBN 1 890916 90 0 The First Public Look 89 If you learned that these machines had been installed just prior to an election and then you saw a folder called rob georgia looked inside and found instructions to replace the files in the new Georgia voting system with something unknown what would you do I don t know about you but I m a 52 year old grandma and I never expected to have to make a choice like this I wanted someone else to take care of it We need investigators like Woodward and Bernstein I thought so I called the Washington Post Of course Carl Bernstein isn t there anymore but I left a spicy message on Bob Woodward s voicemail Never heard from anyone I learned that reporter Dan Keating was doing a story on voting machines so I called him Will you call Diebold and find out what rob georgia is I asked No Why not Because I don
41. ut a report by Johns Hopkins and Rice University scientists which used these files What you may not realize is that these scientists studied less than 5 percent of the information on the FTP site They studied the source code of one of the voting system components the touch screen The FTP files also included source code for many other components of the voting system and compiled files databases and technical documentation and drawings The site also contained information on how to set up remote access and passwords Guessing many of the passwords is easy because files are named for Diebold employees and many passwords are simply the name of the location using the software 25 x110700 pimageneral zip password pima E norfolk election zip password norfolk E docs zip password voter EI chrisbellis zip password bellisc EJ wyle zip password wyle99 E Juank zip password juan The supervisor password for voting machines at the polling place was 1111 When I saw this in the manual it reminded me of buy ing a new briefcase It comes with a default combination but of course you change the combination as soon as you start using the briefcase This free internet version is available at www BlackBoxVoting org 106 Black Box Voting 4 Insert the Manager card into the card reader 2 Enter the password 1 1 1 1 and touch OK 3 Remove card when instructed 4 When the screen below appears press t
Download Pdf Manuals
Related Search