- Voting activist Bev Harris and a computer scientist say
they found more vulnerabilities in an electronic voting system made by
Diebold Election Systems, weaknesses that could allow someone to alter
votes in the election this November.
-
- Diebold said Harris' claims are without merit and that
if anyone did manage to change votes, a series of checks and balances that
election officials perform at the end of an election would detect the changes.
-
- Harris demonstrated the vulnerabilities to officials
in the California secretary of state's office several weeks ago and will
be showing them to federal legislative staff and journalists Wednesday
in Washington, D.C. Harris and another activist have filed a lawsuit against
Diebold in California, which the state has joined, maintaining that Diebold
engaged in aggressive marketing to sell millions of dollars worth of equipment
that it knew was insecure. Harris and the activist stand to make millions
from the suit if they and the state win their case.
-
- The vulnerabilities involve the Global Election Management
System, or GEMS, software that runs on a county's server and tallies votes
after they come in from Diebold touch-screen and optical-scan machines
in polling places. The GEMS program generates reports of preliminary and
final election results that the media and states use to call the winners.
-
- David Jefferson, a computer scientist at Lawrence Livermore
National Laboratory and a member of the California secretary of state's
voting systems panel, agreed with Diebold that election procedures could
help prevent or detect changes in votes, but said that election officials
and poll workers do not always follow procedures. Therefore, election observers
need to know about the vulnerabilities so they can help reduce the risk
that someone could use them to rig an election.
-
- Jefferson added that he doesn't believe that the vulnerabilities
show deliberate malice on Diebold's part to aid fraud, as Harris has sometimes
contended in public statements. But the vulnerabilities do show incompetence
and indicate that Diebold programmers simply don't know how to design a
secure system.
-
- Harris said the problem lies in the fact that GEMS creates
two tables of data that don't always match. One table consists of rows
showing votes for each candidate that were recorded on voting machine memory
cards at each precinct. The other table consists of summaries of that precinct
data. Officials use the raw precinct data to spot-check accuracy. For example,
if all of the machines at a precinct record a total of 620 votes for Arnold
Schwarzenegger, then the data in GEMS should show 620 votes for Schwarzenegger
for that precinct. The official results that go to the state are based
on the vote summaries produced by GEMS.
-
- When election officials run a report on GEMS on election
night, it creates the vote summaries from the raw precinct data. Then as
absentee and provisional ballots get counted after Election Day and added
into GEMS, the raw data numbers increase, while the vote summaries remain
the same until the next time officials run a summary report and it regenerates
totals from the raw precinct data.
-
- Harris said it's possible to alter the vote summaries
while leaving the raw data alone. In doing so, the election results that
go to state officials would be manipulated, while the canvass spot check
performed on the raw data would show that the GEMS results were accurate.
Officials would only know that the summary votes didn't match precinct
results if they went back and manually counted results from each individual
polling place and compared them to the vote summaries in GEMS.
-
- Diebold said because the two sets of data are coupled
in GEMS it would be impossible for someone to change the summaries without
changing the precinct data that feeds the summaries. And if they did, the
system would flag the change.
-
- But Harris said it's possible to change the voting summaries
without using GEMS by writing a script in Visual Basic -- a simple, common
programming language for Windows-based machines -- that tricks the system
into thinking the votes haven't been changed. GEMS runs on the Windows
operating system.
-
- The trick was uncovered by Herbert Thompson, director
of security technology at Security Innovation and a teacher of computer
security at the Florida Institute of Technology. Thompson has authored
several nonfiction books on computer security and co-authored a new novel
about hacking electronic voting systems called The Mezonic Agenda: Hacking
the Presidency.
-
- After Harris met Thompson at the Defcon hacker conference
this year, she asked him to examine the GEMS program. He found he could
write a five-line script in the Notepad text editor that would change the
vote summaries in GEMS without changing the raw precinct data. The auditing
log in GEMS wouldn't record the change because it only tracks changes that
occur within GEMS, not changes that occur on the computer outside of GEMS.
-
- After writing the script, Thompson saved it as a Visual
Basic file (.vbs) and double-clicked it to execute it.
-
- The command happens in the background where no one can
see it. To verify that the changes occurred, Thompson could write another
script to display the vote data in a message box after the change. Once
the scripts finished their work, they would go into the Recycle Bin, where
Thompson could delete them.
-
- When Harris demonstrated the vulnerability to officials
in California, she opened the GEMS program to show that the votes changed
as the script commanded them to.
-
- "You have to know in advance what you want to change,"
Thompson said, "but it's pretty easy to write a script to find the
data that you want to change. If you want Stan Smith to have more votes
than he currently has, you write a line of your script that says select
everything in the table where candidate equals Stan Smith, and increment
the votes. Then you delete the votes from another candidate by the same
amount."
-
- Thompson acknowledged that the hack would take an insider
with knowledge of the voting system and election procedures and access
to GEMS. But this could include technical people working for a county or
Diebold employees who sometimes assist technically challenged election
officials on election night. It's unlikely that unsavvy election officials
or observers would notice or understand the significance of someone writing
five lines of code in Notepad.
-
- Thompson was pretty stunned to find that some of the
same vulnerabilities that appear in the Diebold system appear in the fictional
voting system he and his co-author created in their recent novel.
-
- "When we wrote the book, we thought the election
system it described was a bit far-fetched," Thompson said. "We
thought it's impossible that any real voting system would have these problems.
Then we saw the GEMS software, and it had four of the vulnerabilities that
we wrote about in the book."
-
- Thompson said Diebold could easily have designed the
system to use cryptographic hashes to detect if vote summaries changed
when they weren't supposed to change. But he said the company probably
never imagined a scenario in which someone would change the vote data through
Windows, bypassing the audit logs.
-
- There is one way in which changing vote totals in GEMS
might not work. If someone changed the summary totals before all precinct
votes came in, the altered summary votes would be written over with the
new precinct data once election officials ran another summary report. But
Harris said that "a hidden program for vote manipulation" exists
in GEMS that could allow "any teenager or terrorist with a laptop"
or "anyone with an agenda or a profit motive" to trick the system
into thinking the votes haven't changed by using what Harris calls a "two-digit
code" or trigger in GEMS.
-
- Thompson said the "hidden program" is more
of a feature in GEMS that is put there for a good reason, but is easily
abused. GEMS has a method for flagging whether vote data is old or up-to-date
by marking it with a 0 or a -1. Thompson said it's likely that when election
officials run a new summary report, the 0 and -1 tell the program which
data is old and which is new or updated. But someone could trick the system
into thinking that old data is updated data by switching the numbers. Harris
was able to do this easily in demonstrations.
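The integrity check Thompson describes, sketched as an added example (not code from GEMS, Diebold or the article): a keyed hash seals the summary table, status flag included, and an audit both verifies that seal and regenerates the totals from the raw precinct rows. The table layout, names and key handling are assumptions; the key is presumed to live outside the tally database, since an unkeyed hash stored beside the data could be recomputed by whoever edits it.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data; the column layout is an assumption, not the GEMS schema.
RAW = [  # (precinct, machine, candidate, votes) as read from memory cards
    ("P1", "M1", "A", 300), ("P1", "M2", "A", 320),
    ("P1", "M1", "B", 280), ("P1", "M2", "B", 310),
]
KEY = b"constructed-demo-key"  # assumption: held outside the tally database

def summarize(raw, flag=0):
    """Regenerate (precinct, candidate) -> [votes, flag] from the raw rows."""
    totals = defaultdict(int)
    for precinct, _machine, candidate, votes in raw:
        totals[(precinct, candidate)] += votes
    return {k: [v, flag] for k, v in totals.items()}

def seal(summary, key=KEY):
    """HMAC-SHA256 over a canonical encoding of every summary row, flag included."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for (precinct, candidate), (votes, flag) in sorted(summary.items()):
        mac.update(repr((precinct, candidate, votes, flag)).encode())
    return mac.hexdigest()

def audit(raw, summary, tag, key=KEY):
    """Return a list of findings; an empty list means the summary checks out."""
    findings = []
    # 1. Was the summary table touched after the application sealed it?
    if not hmac.compare_digest(seal(summary, key), tag):
        findings.append("summary changed since it was sealed")
    # 2. Do the summary totals still equal what the raw rows add up to?
    expected = summarize(raw)
    for k in sorted(set(expected) | set(summary)):
        want = expected.get(k, [0, None])[0]
        got = summary.get(k, [0, None])[0]
        if want != got:
            findings.append(f"{k}: raw={want} summary={got}")
    return findings

if __name__ == "__main__":
    summary = summarize(RAW)
    tag = seal(summary)
    summary[("P1", "A")][0] += 50  # stand-in for an edit made outside the application
    print(audit(RAW, summary, tag))
```

The second check is the automated form of the manual recount the article says officials would otherwise need; the first catches a change to the flag alone, which leaves the totals untouched.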
-
- When asked to comment on this, Diebold sent Wired News
an excerpt from a seven-page rebuttal that it distributed to election officials
to counter Harris' claims. The excerpt said that the flagging feature is
"typically used (for example) to reset any test results that were
uploaded as part of any pre-election testing." No further explanation
of this feature was forthcoming.
-
- But speaking generally on the vulnerabilities Harris
mentions, Diebold spokesman David Bear said by phone that no one would
risk manipulating votes in an election because it's against the law and
carries a heavy penalty. He also said that election "policies and
procedures dictate that no (single) person has access or is in control
of a (voting) system," so it would be impossible for anyone to change
votes on a machine without others noticing it. And even if someone managed
to change the votes, auditing procedures would detect it.
-
- Diebold spokesman Mark Radke said that after an election,
counties are supposed to go back to the memory cards taken from voting
machines and manually add vote totals stored on the cards as well as vote
totals on a paper printout that poll workers take from each machine at
the close of the polls. Officials compare these totals to the GEMS summary
totals and if there is a discrepancy, Radke said, the totals from the memory
cards take precedence over the GEMS totals.
-
- Jefferson, the Lawrence Livermore computer scientist,
agreed that election procedures usually indicate that there should not
be one person operating the counting software. He also agreed with Bear
that officials could catch discrepancies in vote totals if they went back
and manually added up the results from every individual polling place and
compared the totals with the tallies in the summary report. But Jefferson
said that election officials and poll workers don't always follow procedures.
In the California March primary, he pointed out, several counties refused
to follow procedures that were requested by the secretary of state's office
and others failed to follow procedures that are mandated under California
election law.
-
- Rather than creating a system that relies on the "perfect
execution of (poll worker) procedures," Jefferson said, Diebold should
have designed the system to better prevent fraud.
-
- "You don't want to make up for poor design by adding
more burden to beleaguered poll workers and election officials who don't
understand the reasons for all of the rules that they have to obey and
(are therefore) likely to cut corners," Jefferson said.
-
- As for why Diebold would have designed such a poor system,
Jefferson thinks the company simply didn't know how to do it any better.
-
- "There are a lot of reasons why you might want parallel
tables of vote totals," Jefferson said. "But there are better
designs that avoid (these vulnerabilities) entirely. If you are not a world-class
designer, if you're making it up as you go along and not deeply educated
in data management, this is the kind of design you might come up with.
-
- "I think the designers of the Diebold system never
seriously understood what it would take to prevent vote manipulation by
insiders," Jefferson said. "I consider that to be inexcusable."
-
- © Copyright 2004, Lycos, Inc. All Rights Reserved.
http://wired.com/news/evote/0,2645,65031,00.html?tw=wn_tophead_1