Black Box Voting: Second Volley - Truth About Rob-Georgia

Don't pass this link out, it's the temp link until it becomes morning in New Zealand. I'll post the permanent link in a few hours. Scoop is continuing to distribute those files.

The story of the day is:

Bald-Faced Lies About Black Box Voting Machines
and
The Truth About the Rob-Georgia File

Temp address: http://www.talion.com/lies.htm

See ya,

Bev

I think this will get picked up. It may be a long hot summer for Bush.

But then the Wilkinson Report in Capitol Hill Blue and Japan Today is 10 hours into the news cycle, and US media is playing the pretend that they do not report allegations.

So Wilkinson must be "confirmed" before the ethics bar of US media is met and our media folks will allow wide distribution.

They may pull the same game with your story Bev.

Which means it may be time to blast the media with the story again, and let them know how loud and easily heard by non-media folks is the horse laugh of the free press media in other countries as they view the inaction of US media.

One would think they would be picking up this story. Anyone have any ideas why that hasn't happened yet?

reviewing the data now as we speak.

It will never go anyhwere. But it is early, so they may be researching the story.

they are researching the story themselves before going out on a limb.

You never know with today's media, though some of them are starting to write contrary to Bush* these days.

You must not be getting any sleep. I look your threads over and you post at all hours of the day and night. Take care and don't kill yourself. We need you to be lucid when the big media starts knocking on your door.

I've started spreading the word to my acquaintances within and without my state's party. This is very exciting to watch. I very much appreciate all your hard work and that of your helper elves.

:toast:

Bev,

Are you attending any of the election official meetings this summer? Going to have a face to face with Diebold in such a public forum?

I'd love to see it hashed out in public. Bring in the whole cast of characters. Better than any reality tv... I am thinking pay-per-view... We could vote on the outcome on Accuvote machines... A recall vote on Diebold...

JNC

most likely.

Yes, that is the big one in Denver. There is also the SOS meeting in Maine a few days prior. There is also the National County Meeting and there is Doug Lewis' meeting and there are various state meetings (don't know when GA's meeting is). Don't know if I will be let out of my cage to attend any of these meetings. Would pay my own way to see you and Radke debate on the show floor.

<sharpening pencil>

Denver meeting info found at www.iacreot.com

Meetings are the week of 7/28

I love the way you explain things.

SharonAnn - formerly known as ShaddAnn

who knows that there's such a thing as "dial out only capability"? Do a Google, for Pete's sake.

Or that a connection to a web server doesn't mean a connection to the Internet

Message removed by moderator. Click here to review the message board rules.

Message removed by moderator. Click here to review the message board rules.

Dissent will not be tolerated here. What do you think this is, a diverse political forum? </sarcasm>

... as is Fredda.

But, speech doesn't make you right. Dig the code, my man. Dig the manuals. Then come back and say, "you're all wrong."

For example, Fredda says, "am I not the only person who understands dial-out only?" Maybe Fredda should ask herself what happens at the end of election day and that modem on the Accumulator station queries and _something_ , _somewhere_, goes "ACK."

Geez. Let's just waste time with "it can't possibly happen."

There's a might large difference between being obstreperous and being helpful.

Cheers.

Message removed by moderator. Click here to review the message board rules.

nor do we need trolls. Yes we need devil's advocates. Let's let Fredda speak and have her arguments stand or fall on their merits.

just tell the people that Iraq has nukes
and then they'll support the war we want to fight.

not very accurate. I've yet to see anything useful from birdman. Just my opinion, and delete if I'm breaking a rule, stayed up all night and feeling grouchy.

Bev

and the Scoop site told us this was "bigger than Watergate"
and you told your friends here that if you don't post every day
they might as well start dragging the river. Is that not correct?

But thus far all I've seen is some security holes and a very large, confused hardware and software rollout that prompted some last minute
hysteria, none of which is all that atypical in the computer business.
Neither are employees who badmouth their former employers.

I haven't seen one vote flipped so far and the disclaimer on the Scoop
site yesterday flat out says that you have no evidence of
election tampering.

As I've said to you before if your point is that greater safeguards
are needed for the new voting technologies then I heartily agree but
if, as some of your supporters here claim, the contention is that
there is widespread election fraud and the newer machines are being
used to rig elections for Republicans then you're coming up way short.

Nothing to see here, move along.

(PLEASE move along.)

Eloriel

if you would like to dwell on PC security issues
and software patches go ahead, Eloriel. But I
think this was hyped as a good deal more than
that.

\

How would you like those same security issues associated with your bank account? How would you like untested and unverified software patches applied to the electronic system that keeps track of your money? I'm sorry you don't find this subject sexy enough, but I feel sorry for anyone who doesn't consider serious security issues with the electronic voting systems that determine who runs our governments a big deal.

for a number of years I would suspect that you wouldn't
want to know about the security issues at your bank.

The hype in no way matches the story and there's no evidence
at all of vote fixing (they admitted as much on the Scoop site).

But people generally know how much they have in their accounts and would know if something happened to their money. With black box voting it's all hidden. I hardly ever hear a story of someone's money being electronically stolen from their bank account. But if someone steals your vote, how would you ever know?

but I'd like to point out that the system is demonstrably insecure and ripe for abuse.

The nature of the security problem is that *if* someone chooses to rig the system, there is an excellent chance their will be NO evidence of tampering.

This the whole danger we are trying to get people to recognize.

If there is NO evidence of a vote other than what is digitally encoded on a piece of magnetic media, you have ABSOLUTELY NO way of knowing if your vote is recored correctly or not. The whole process may be subverted, accidently or deliberately.

If we show you that the bank's employees can't be trusted, show you that the vault is made of cardboard, show you that the auditors are incompetent or non-existant and show you that the guards are are deaf, blind and have no bullets in their guns, why do I also have to catch a thief in the act of stealing before anyone will admit there is a problem?

David Allen
Publisher, CEO, Janitor
Plan Nine Publishing
1237 Elon Place
High Point, NC 27263
http://www.plan9.org

hyperbole doesn't further the cause.

If the point is that all paperless systems are faulty, making baseless accusations against Diebold doesn't help. All you do is improve their competition ES&S.

If there was anything deliberately put into Diebold's code to commit fraud - let's see it; but to have Bev Harris criticize GEMS's architecture is frankly ludicrous to observe.

That was a hypothetical analogy for the purpose of making a point. I cannot believe you are actually so obtuse as to think that the poster was actually suggesting that any bank vault is made of cardboard. I have to conclude that you are deliberately "playing dumb." The point was that when a system is shown to have severe security holes, it should not be necessary to also prove that those security holes have been exploited and that the system has been infiltrated. It is enough to show that such a thing is easily possible. That in itself is a very important problem.

If there is anything in the architect's blueprints that proves they deliberately wanted the bridge to fail - let's see it. But to criticize the bridge's engineering is frankly ludicrous to observe.

This statement is as ludicrous as your claim that a "service pack" isn't a patch.

This kind of thinking is what got Challenger and Columbia's crews killed.

David Allen
Publisher, CEO, Janitor
Plan Nine Publishing
1237 Elon Place
High Point, NC 27263
http://www.plan9.org

he was able to reproduce the O ring behavior under operating temperatures. Just this week, we've seen a demonstration that conclusively demonstrated the cause of the Columbia accident.

In both instances, there was a documented record of previous physical evidence to prove that management ignored warnings.

Compared to that, you've got bubkus. And the less you have, the more you bluster. And the less secure you are, the more viciously you attack.

Your statements border on the absurd: to claim that those who use MS products don't care about security isn't credible.

"If we show you that the bank's employees can't be trusted, show you that the vault is made of cardboard, show you that the auditors are incompetent or non-existant and show you that the guards are are deaf, blind and have no bullets in their guns, why do I also have to catch a thief in the act of stealing before anyone will admit there is a problem?"

Anyone ever tell you that you have a real mouth on you?

Can you just IMAGINE how many Democrats we could elect if we took all the energy being spent on this kooky issue and turned it into activism?

This is all embarrassing as HELL!

that this kooky issue of converting Democratic votes into Republican votes will go away all by itself.

What part of "you can't vote them out if you didn't vote them in" don't you understand?

Good grief! This is activism at it's finest!

That's a mighty big assumption - insinuating these people aren't invovled in other forms of activism!

until we take care of this "kooky issue."

Activism can only get the voters to the polls. If their votes are then stolen, it was all for nothing.

I'm not a bit embarrassed by this "kooky issue." I'm embarrassed that a fascist coup took place in my country and we didn't lift a finger to stop it. I'm utterly humiliated by that.

***>>> M O V E . . A L O N G ! ! ! <<<***

I suppose the beauty is in the eyes of the beholder ...

WHO are YOU ? .... the "You Promised Me A Rose Garden" earth-shattering-story-for-all-the-ages" neilson pollster ? ....

Watergate took 18 months to fully develop, and this is JUST hitting the outlets now ....

I LOVE those IDIOTS (NOT You Birdman, I would NEVER call you an idiot .. THAT would violate the rules ) who dont do a FUCKING THING in their lives, except criticize anyone else who does, while holding an IMPOSSIBLY HIGH threshold defining when another has 'success': making THEM happy .. yeah: as if .....

Tell ya what ? .... you will NOT be happy, nor is Bev nor ANYONE ELSE HERE obligated to MAKE you happy .....

Dont ASK to have all your dreams fulfilled by others ... and you WONT be disappointed ...

SHEEEEESH .. the NOIVE ! ....

"I suggest you pick up a rifle, and stand a post: ... either way: I dont give a DAMN what the FUCK you think you are entitled to ! " ... Colonel Jessup ...

computer programming and basic accounting is not the same thing.

As posted on slashdot.org: It's a feature, not a bug.

and that's precisely the problem. Unfortunately, what Diebold is going to have to do is exactly the reverse: try to prove it's a bug and NOT a feature.

Eloriel

appreciated her comment, and need to tweak the wording of the "one-way" modem info unless I'm sure it's bullshit. I've had a zillion programmers tell me that's bullshit about the "one way" communication, and it probably is, because we know they can get email on these things and a county official has reported getting patches on the GEMS machine, interestingly, foisted in by tech support rather than dialled out for on purpose. (That one could be big, but I'd want to triple confirm or see it with my own eyes.)

But, it's not that important and it does help to fine tune the story a bit. HOWEVER: If the modem is two-way and they are taking the trouble to hype it as one-way, that would be in the "methinks thou dost protest too much" category and would justify a much closer examination of what they are doing with modems.

Clearly, Fredda has taken to concentrating only on nitpicking, but we need to get as bulletproof as possible, so pick the nits.

I guess Fredda doesn't feel the need to explain Dr. Brit William's statement that the machines have no communications connection at all?

Bev

Yes you can configure a system to not dial out. But that in no way limits the system to be switched back to be able to dial out. Its not a hardware only solution. Thus the system is not isolated. It merely requires a mod to the registry which can easily occurr during any of the patch sessions.

Or Williams or anyone else. I'm pointing out that you could do a Google on dial out only capability and find multiple instances where that's the case.

They're not nits ... you're calling people liars - but their statement is plausible.

Getting email still doesn't mean you're on the Internet. Intranets carry messages too.

And if the e-mail is from the intranet these machines are on, can you show us where the mail server program is loaded and running? :shrug:

:evilgrin:

then there is a fair chance that machine is hooked up to the internet directly or indirectly. It may not have a domain name, but it is reachable via its IP address.

See my post #189 below. Seems like some education is in order for the non-techies?

You get to the mail server, all right - which could have Internet connectivity. But depending on the topology, you could connect peer to peer, or on the same side of a firewall or use a protocol like Netware or Appletalk.

There's lots of ways.

....we're talking about the election system computers here. We're also talking election workers checking their personal e-mail not a 'peer to peer' network. Just what intranet are they connected to that is running a mail server? :shrug:

Why you bring up Appletalk I have no idea and the Diebold system has nothing to do with Novell. (Show me the drivers!) Please go back to the original post where the receipt of e-mail was first mentioned and give us an explanation of how it could have occurred on this system without a connection to the Internet. :)

BTW: As far as "I guess you've never worked on an intranet" is concerned, I've worked with an Intranet system that used satellite lease lines to connect facilities around the globe in more countries than I can remember, tracking thousands of production and test stations in 'real time' 24/7/365 operation. The same system also offered inter connectivity to all of our management and engineering groups via Lotus Notes on a Novell Netware based network. All of our database management was done with Oracle to achieve JIT manufacturing and delivery.

In short, you guessed wrong. :evilgrin:

The GEMS machine connects peer to peer, and you can receive mail on an intranet. Try to keep the two separate - because the barrage of stories doesn't.

You're still posting aren't you? Who cares whether people want to listen to you or not? You think that everyone has to sit back and listen to what you have to say and if they disagree then THEY should just keep it to themselves? Free speech is a two-way street, buddy.

Oh, that's right, you can't anymore because they got deleted. The got deleted because the moderator agreed with me, not you.

If you don't like what a person is saying, use the ignore button, don't tell them to "shut the fuck up". Its that simple.

Like I said, YOU are still here so no one is censoring your opinion. And since my posts are still here I assume I'm getting my disagreement with you across without being too rude or attacking so what's the problem?

Unfortunately most of the people here at DU are so caught up in this, convinced that somehow it will bring Bush or some other Republican down, that they won't listen to reason. If I were Diebold, I would set up a machine in public and say to Bev and her crew, "Here you go. Here's a machine with a modem in it, and here's the phone number. Let's see you rig an election." If they did this I'm pretty sure that many here would end up looking pretty foolish.

This is not to say that I think the product isn't horribly flawed. I've looked at a large portion of the code and was disturbed by what I saw. Its clear to me that a system like this cannot be trusted to count votes properly 100% of the time. However, there is a huge difference between a machine that is unreliable and a machine that was rigged. I've seen lots of evidence that Diebold makes a flawed product, but absolutely none that an election was ever rigged.

BTW, I liked your comment on yesterday's thread that people were assuming that CandidateCounter and SumCandidateCounter were copies. Like so many comments that are critical of the DU conventional wisdom, it was ignored.

If there wasn't a problem then Diabold would prove that there isn't a problem, right? Why haven't they?

And you are a total idiot if your only interest in this if whether it will bring Bush or a Republican down, Nederland. There is NO way short of the American Civil War II to bring whomever decideds to use the gaping security holes to cheat in elections down. So, we have to fix this problem before we can even have a shot at bringing Bush down. Got that?

I wouldn't be at all surprised if Diebold made the offer.

As for bringing "Bush or a Republican down", no that's not my only concern. You'd know that if you read my posts more carefully.

they would be scared that we would bring in some "white hat" hackers -- legitimate hackers that work side by side with the FBI -- who know where the backdoors are a lot better than the rest of us.

Okay, Bev has got the mad dog that bit us in a cage, and it's snarling and foaming at the mouth, all covered with ticks and fleas, and some people are complaining that she didn't catch all the fleas?????

I'd be willing to bet that the "Dial out only capability" in these machines is merely a software abstraction, and not something hardwired. All we have to do is look at the modem, but even if it is some fancy device with hardwired encryption, it is still connected to Windows CE, which is a steaming pile of crap...

Oh yeah, Diebold says, half your stew is fresh crap, but it's been boiling all night, so it won't hurt you, we promise! Eat hearty, it's good for you!

I love Behler's description of the bad serial numbers and general inventory control problems. I've been there, done that... I've seen frankenstein machines cobbled together at the last minute on the warehouse floor, just before they are shipped out...

Wow... wow... This story is amazing.

Peace

Straight from the play book eh'? :evilgrin:

Kinda like the Nixon era on steroids. :) COINTELPRO anyone? :shrug:

like a few days ago, when fredda's breathless contention (the only way she could have added any emphasis would be to go all caps) that because dan spillane hadn't gotten back to her on his testing, it was all unreliable and speculative or 'hype.'

well, it would appear that this guy spillane got back to somebody:

http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=104&topic_id=8019&mesg_id=8019&page=

you might notice that as of this writing (9:40a MDT), there's a distinct lack of "this is a bullshit story" replies to that post.

but of course the GEMS-to-net connection angle of the story is what's bullshit today. i wonder what it will be tomorrow?

big smile

and has enough caveats to drive a truck through.

On that basis, I concluded the following:

This software violates normal or best practices and the certification guidelines in the following areas:

1) General - Data path verifiability ("integrity", "accuracy"); cannot prove votes are those of the voters as cast.

2) General - Security and Access control; cannot prove vote count was safe from fraud.

3) Specific - Component in question (as identified by me) is explicitly prohibited from allowing data modifications, yet, given the tests illustrated, allows them. (An area for more exploration, given subsequent non-published information).

4) Incidental - there is a question of whether MS Access should be used at all in this context, given it is insecure, and due to loopholes in the guidelines and lax application of them, a data management layer such as Access may never be reviewed at all, yet hold all the votes.

ONLY apparent caveat:

Now, the code is assumed to be genuine, and if the detailed analysis is correct...and this is actually the code used in various elections, this is a big problem. The second report below seems to include confirmations which allay my earlier questions as to whether or not this is a genuine problem.

which appeared to be resolved for him:

So, it appears that it is a genuine problem. Moreover, it seems to show, once again, a severe breakdown in the application of the certification process, which hundreds of millions of our tax dollars are bound to.

i'm looking for the lukewarm part of this, or the caveat i can drive a truck through. not only am i not finding it, but i expect that other reasonable people are also failing to find it, which might make you appear a bit un-ah, you figure it out.

so these people whom you purport to work for...do you suppose they're reading this tripe?

Yes, appearances can be deceiving. That's why I'm looking for answers.

that was such a monumentally weak response that i think i'll just let it speak for itself.

I like and want the devil's advocate on any thread, but as I read your numerous posts day after day, what I see is not a devil's advocate but someone who is following, or maybe even stalking these threads with the intent to discredit, embarass and demand.

With all due respect, what is your motivation here?

Implying that there's no such thing as dial out only capability is simply false. What's your motivation in overlooking such a glaring error?

There is no "motivation in overlooking such a glaring error" as conversations with county IT professionals indicate that the support for the GEMS computers comes from remote access with a company in another state. He says "We call them up and they call the computer to download patches and fix corrupted files." That doesn't imply dial out only in my book.

it questioned whether dial out only capability existed at all.

I'll be happy to read any thread you post on DU with your research.

I don't flame, ever, so I will skip over your posts here and wait for your thread.

for an article on Saudi funding of terrorist networks that I've been working on all morning for my client. If you want something on this subject, see http://www.wordsunltd.com/voting_machine_fiasco.htm

.....Someone seem to confuse the term 'dial out only' with 'one way communications'. "Dial out only" merely means that communications are initiated by the terminal only. No 'dial in' access is allowed. If someone attempts to 'dial up' that unit the connection is refused!
Hence the 'dial out only' designation.

Once the connection is established by the terminal , two way communications are established. :evilgrin:

For those of you playing along at home, simply go to the B.O.M. (Bill of Materials] .pdf file for the terminal and locate the modem IC, note the Manufacturer and part #. Go to the manufacturers web site and download the specs. Now try to find out how one could possibly limit the communications to one way only. The short answer is, you can't! All communications through a modem depend on a series of 'back and forth communications to establish the packet timing across the network. :)

and showed the author didn't understand. Otherwise how she could question whether dial out only capability "really exists"?

....like JAVA, Active X, Pearl and the like. If you knew anything about what is really in this code, you wouldn't keep dwelling on the 'dial out only' aspect of this. Remember all of those strange files with nothing but one or two numbers each? :evilgrin:

Did it ever occur to you how easy it would be to bury a small code snippet that would auto dial a number on its own or just flip a bit from false to true for a permission setting? :)

If you want to play confuse the issue, Two can play that game!

Hmmm, "the author didn't understand" and you publicly stated Access is an adequate database for elections! LOL! Give it a rest. :(

I have GEMS installed on my system, as well as the source code that was available. What strange files are you talking about?

You are playing a game - but I'm serious. I don't know where you got the idea that Access wasn't suitable for a standalone application that counts votes, but it's reasonably priced and is obviously adequate.

I'm not dwelling on anything. I'm responding to a load of confused insinuations, baseless accusations and otherwise reasonable paranoia.

is that it is relatively insecure compared to other database products which would also work very well.

furthermore, and ominously, there are functions in access which allow GEMS password controls to be bypassed and the database totals altered. please read "Inside A U.S. Election Vote Counting Program" (haven't you?).

....throw out some speculation and meaningless technobabble and....:evilgrin:

Like I said, two can play that game all day long! But I have more important things to do. :) Thanks for playing!

... is that they must initiate the communication with the outside world. After a connection is established, anything goes. I'm not much of a programmer, but I could write a simple AppleScript, running in the background, that dials-up my ISP at regular intervals, checks my email, and logs off.

Imagine having a standard phone with the ringer disabled -- you can still call and chat with anyone you like, pass information back and forth... whatever.

Also, if you friends are familier with your "ringer" problem, they'll know that when you're on the phone they can get your attention via call-waiting, and that you'd be more than happy to take their call.

In the case of computers -- where you've got a fixed IP or block-range address -- I could simple "ping" those addresses until I saw that it went online.

This is assuming it didn't just call me directly.

When you care about security, you don't leave your machines connected when they don't have to be. The GEMS machines are, as documented, not to be connected on public networks. They do their business peer to peer and disconnect.

Here are a couple things I found:

"In pre-Internet times, dial-out modems were considered safe to use, but with PPP that is no longer the case since IP supports initiating traffic in both directions."

"Dial-Out Modems
Those modems that are set to dial out only are more secure. Unlike dial-in modems, the outsider cannot attempt to trespass at their leisure. Instead, they must wait for the user to make a connection to the Internet themselves. However, this is one of their few security advantages, overcome by the attacker waiting for the connection to appear, made easier when – as is often the case – the user is assigned a fixed IP address, or address range. The attack is then very much like an attack on a fixed connection except that there is generally less security: no firewall and sometimes no router."

In any case, there are people even on DU with a heck of a lot more knowledge in this area, so don't expect me to get into a technical discussion about this with you. But I see no reason for Bev not to publish her research and open it up to public debate. And I see no reason you shouldn't participate in that debate if you choose.

Also, there are massive security problems she notes that don't require any computer expertise to understand -- people walking around without any ID badges, fixes being done last minute without anyone checking them. Many, many machines that are not functioning properly at all. Why don't you address those?

yes, the fact that i worked for rocky mountain internet, and was also a network administrator for a VoIP long distance provider is pretty much irrelevant to this debate.

i keep remembering something about refusing to engage in a battle of wits with unarmed people...

Or did mean to reply to another post?

i thought i was agreeing with you. but i have had alot of coffee this morning...

:)

:)

thank you.

But my interpretation was that they are "dial-out" in name only and are not actually completely secure in the sense of the communication being only one way. I think that is what Bev was trying to get at, but she acknowledged in post #46 that her wording could be improved.

it's a question of knowing with whom you're handshaking. Not accepting inbound connections is one way of securing a system.

... the system it is calling is part of the rigged game.

Nothing wrong with that, right? I'll post it at a friends hackz site, and then you can let me know "with whom you're handshaking". I might suggest you back up you hard drive first.

I suspect the Diabold systems use a bank of fixed IP's so no one even needs to ask what the addresses are.

No disrespect, but you'd do well to research this subject a little bit more.

I don't have to research security again. It's been my day job for twenty years.

Your scenario assumes that the dial-out makes a connection to a network. The system connects peer-to-peer, just like my good ol' slip days. You remember serial line interface protocol, don't you?

Stick to your day job ... I'll keep up with technology.

there is probably some limited accuracy to this. it's necessary to clarify in our minds what we're talking about:

certainly dialup connections are possible that have nothing in any way to do with IP networking (or the relatively unsecure connection it implies). a variety of communications protocols exist for simplified peer-to-peer dialup connections, going all the way back to an original Bell system spec of 110 bits per second. anybody who ever used an apple II or IBM PC-XT to dialup a BBS has (wait for it) connected via modem without exposing his system to attack from the larger internet (even if it had existed at the time).

which means that yes, many updates to the voting system *could* be performed on a relatively secure basis by using dialup into a BBS or other host. various ecrypted modulation standards exist for such direct, secure, dialup communications (this means that if you don't have the right encryption, you can't even connect—cool stuff), and the host computer need not be connected to any IP network.

the problem is that's not how they're updating these machines! this report shows clearly that updates were not taking place with any meaningful controls—or even organized procedures to carry them out. total chaos in the tech rooms. multiple FTP xfers from a public site. 'bug fix' after 'bug fix.' and no—no!—security during the process, physical or IT.

and goddamn it, i'm not so worried about the system being broken into from outside. why don't you try getting your head around that.

If you want a convincing argument, don't distract with obvious inaccuracies.

If we want the authorities to overlook their own interests and change procedures that make their jobs easier, we have to overcome objections that are going to be raised by technically sophisticated opponents.

I'm a friendly critic - but DUers are losing their cool and supporting absurd statements in our enthusiasm.

You shouldn't be reluctant to concede a point, if the greater objective is being served.

about just how 'civil my tongue' is on the right day, but i think i'll just chuckle to myself and spare you.

i agree that every technical claim made as a result of this investigation must be thoroughly vetted to ensure its veracity and use of proper context. i think bev also has conceded this point, and made corrections based upon your punctilious, semantic objections here and there. that serves a purpose even if it does occasionally annoy.

the point on this subject (GEMS connectivity to the public network) is that the system doesn't use this secure dialup technology i just described to you. there is a detailed system described in the GEMS for realtime streaming results reporting (JResults), straight from the GEMS PC. so, let's see, you've got a continuous connection, with a TCP/IP stack loaded, and IP transport. stop me when you find the BOLDLY WORDED ADDENDUM in the GEMS documentation about how to secure this now highly exposed computer on election night. of course you and i know how to do it, but what was that thing bev said about these election officials when they meet the diebold pitchmen? 'clueless, meet snakeoil salesman.' how funny is that?

so i'll say it again: all this babble about ways to secure a modem carrier connection is completely useless. because that's not how they do it in the field. and because there IS a TCP/IP public network connection running on these GEMS PCs on election night. period.

i don't like hyperbolic claims any more than you do. if you can show me one i've made, sure go for it, i'm happy to take some of your heat so others busier than myself don't have to. were you addressing that whole 'obvious inaccuracies' remark towards me?

and yes, some DUers should get a grip, but some DUers always need to get a grip. it's their nature, and we should go ahead and let them vent. the occasional overreaction of DU posters regarding various subjects does no, imo, impugn the credibility of bev's investigation.

... ensuring that only 'deeply authorized' connections are accepted. I believe that userid and (with no) password is the lowest level of a secured system.

secure socket layer
http://www.webopedia.com/TERM/S/SSL.html

VPN, or Virtual Private Network
http://www.webopedia.com/TERM/V/VPN.html

For mo' information on good secure systems ...
http://www.nsa.gov/snac/index.html

and Tempest-I rated hardware systems.
http://www.nsa.gov/isso/bao/tempest1/endorsed.htm

I would want to hold the Diebold election systems to such high standards in the interest of national security. Hey its my vote! OK, I might compromise a bit on the Tempest ratings.

that is, until you hit the hayes-compatible modem in question with the command ATA. it's like a blow-up girlfriend. it'll do anything you want with the right command.

as was pointed out in post #57, once these GEMS computers dialup (using a fixed or highly predictable dynamic IP like any government agency), they are meat at the hands of anybody with basic knowledge of the huge number of vulnerabilities which exist in win2k (and that's assuming these machines are up to date with the win2k service packs and security patches, which is highly unlikely).

also, #57 pointed out that county elections officials were aware of dial-IN capability to update and patch remotely. that statement would appear to make a few people liars.

you sound like microsoft, insisting it's not possible, when it absolutely is.

But if you're there to key in the AT command, why do you need to dial in?

isn't this whole line of questioning misdirecting and irrelevant?

(and of course my point was that dial-out only versus autoanswer is just a setting).

... as I remember a claim like a "dial out only capability" modem is only valid if the modem's internal registers have auto-answer off.

I'm assuming of course Hayes compatible modems.

And most modem purchase will typically have their default settings as auto-answer on. If a call comes in, the modem will answer and attempt to establish a connection.

If a modem is intended to provide 2-way communication (why modems have auto-answer turned on as default), the modem will come ready to support both dial-in and dial-out. This 'configuration issue' definitely can be a security risk (unauthorized external access) unless the technician ensures that auto-answer is off.

If the modem is intended for only 1-way comm, then it needs to have it's auto-answer register set to off. I'm not aware of any solely 1-way/dial-out (Hayes compatible) modems that are manufactured with auto-answer turned off.

Excellent point about the web server, it also can be an intranet or extranet web server. However that then assumes an office network exists and that would most likely have a gateway to the internet.

Uhhh: "I was absolutely astounded that they functioned at all in the election."

Not perfectly, not mostly right, not marginally, but "at all."

BWAHAHAHAHAHAHAHA!!!!!!

Great stuff!

untested patches. no security. wide-open communications links from GEMS, despite insistent denials from diebold. techs report total chaos trying to update voting machines before public testing. 'political men' you're not supposed to talk to. patch after patch, applied in this chaotic environment without safeguards or even knowledge of the contents by public officials. company men showing up in vans to fix the continuing problem before the public gets inconvenienced (which might look bad for elections officials).

saxby chambliss elected to the united states senate.

god. god!

and to all the people here at DU who have given their support to you. This is amazing stuff and I feel so blessed to have been a fly on the wall during the unfolding of this story.
I am sending all info my friends at the Interfaith Network. I'm sure they will be very interested in your work also.
And I can not wait to here more about R Doug Lewis.

"The only people that that cost was Diebold, who had to pay all kinds of extra expenses. The rumor around the office was that Diebold lost maybe $10 million on the Georgia thing. I mean, they only sold the machines for what, $2,000, or $2,500, and then you have to build them and then you're paying people $30 an hour and you are out touching 22,000 machines FOUR TIMES -- there's no way they didn't lose money on this deal.

They didn't care that they were losing money. They know damn well and good they'll be making a bundle after these machiens are mandated for use in every precinct in the country, not to mention kickbacks and quid pro quos from teh guys who get "elected".

If they did Georgia right, they stood to win the $3.9 billion the feds were gonna hand out!

My favorite Rob quote is this one:
It was supposed to say either 'low battery,' 'high battery' or 'charging.' But when the real time clock was messed up, you'd boot the machine and it would say 'No battery!' I mean, you don't have the machine plugged in, you boot it up, and it starts, and says it 'has no battery.' That's like saying, 'this morning I got out of bed and I stood up and I had no brain.'

"This morning I got out of bed and I stood up and I had no brain."

O8)

nt

Can we maintain a list of links that we can push to the local media?

I don't want a flood to this temp address, need to wait for New Zealand to wake up. The site the temp gets hacked, and the permanent home (the one reporters get) should be Scoop. It will be up in, my guess, 2-4 hours. I'll post here when that one goes live, and I'll also start blasting it out.

I just jumped the gun and gave you guys a peek.

Bev

Will see if we get a bite. I will push the second salvo once you have the perm site updated.

... as someone who has worked on similar small-computer systems, I can tell you the scenario depicted by Rob is unsettlingly familiar.

Trying to get machines running on a tight deadline do-or-die is every techs nightmare.

But I'm curious about some stuff. First, the picture painted in the interview is more one of a lot of rampant incompetence than a controlled vote theft. On the other hand, one could make the case that what better way to sneak a black patch onto the systems under the radar than to create a fabricated need to go into "we don't have time for protocol" mode. Would probably be easy to do.

It would be very interesting to know if other states, using the same model machine, had similar last minute problems. Especially states where the outcome of the election was pretty much as predicted by the polling.

Because if the last minute mad dash only happened in the "strange result" states, well, theres another brick in the wall.

...underscores the insecurity of these machines and their unsuitiblity for use in their primary function: as voting machines.

.... but being able to make a case for actual fraud is a lot more likely to light a media fire.

If incompetency in critical situations were news... well, you get my drift :)

This is an area I feel folks haven't thought about a lot. There is a concentration on rigging an election by changing the vote tallies, but an easier, less elegant way, is to simply blow the data away totaly.

If you want to swing an election one way, then attack machines in precincts/counties with a major one party advantage.

Most blacks vote Democrat. It data is destroyed in predominently black precincts then their votes are eliminated. How do you destroy the votes? Attack the machines.

How do you do that?

1) When you go into cast your vote, steal the PCMCIA card from the machine and replace with another one. It doesn't matter that the card won't work. It will be assumed to be a malfunction. All votes are stored on the card and unless the machine has an alarm to sound when a card is removed during an election (haven't see evidence of one), who will know?

2) Fry the electronics - This can be accomplished any number of ways by simply running current through a USB/serial/modem port. You are bypassing the surge supressor, so it won't take much to destroy the circuitry. The battery would fit in your pocket. A simple re-worked stun gun would fit the bill

3) Upload a virus - This can be done via a USB memory key. When you plug in a memory key (it is about the size of a Bic lighter and can store 512MB of data) when the Windows OS detects new hardware and sends a query command to the key, the key could respond by invoking an installation program. The program could then scramble voter data.

And who says that any of this has to be deliberate? Just the usual problems of life can screw things up. The system's Achilles heel is:

Power

The machines have a battery backup, but only two hours capacity. Anything longer than this and you can't record votes. In North Carolina this past year, ice storms knocked out power all over the state. Some places were without power for over four weeks. What happens when an ice storm takes out power the morning of the election? Paper ballots? I asked my local registrar and they had no provision to record votes on paper if they lost power. The thought had never occurred to them.

Ice storm not your bag? Well, regular thunderstorms can wreck havock on the power grid. November is the tail-end of hurricane season in the Atlantic. Tornadoes have occured.

A single moron with a car hitting a telephone pole with a transformer can take out several blocks for an entire day.

Voting in this copuntry takes place on a *single* day. Anything that causes disruption to the voting process for that day, prevents people from voting.

Also, what happens if the software has an unforseen bug which only manifests itself under certain weird conditions (having exactly 22 races of which six have Libertarian candidates and at least 52 votes are cast for the Libertarian candidates (and please don't tell me this doesn't happen, it does)).

Here it is, election day in our favorite state of Florida. Around about 11:30 AM, the bug begins to manifest all over the state. Tens of thousands of machines STOP WORKING. How many techs does the vendor have in Florida? How many programmers does it have to devote to the problem? How long will it take figure out the bug? (Also remember that the election is going on in 49 other states and techs and programmers will be dealing with the usual collection of problems as well).

A good Heisenbug can take WEEKS to find.

Your comments?

David Allen
Publisher, CEO, Janitor
Plan Nine Publishing
1237 Elon Place
High Point, NC 27263
http://www.plan9.org

When I was a kid, my father told me about what it was like counting paper ballots back in the old days. There's be one person counting from each of the parties, and you'd try to gently nudge things in favor of your own party.

So if you were counting in a precinct where the other party had the advantage, you'd insist on being very strict about the standards and disquality any ballot where the X went outside the circle, or where the voter made a checkmark instead of an X. On the other hand, if your own party had the advantage, you'd push for more generous standards. Either way, you'd try to present your position in such a natural, just-trying-to-do-the-job-right sort of way that the other party's representative never suspected what you were pulling.

It sounds like it is definitely possible to deal with electronic voting in the same way. If you can make sure the machines in the precincts that favor you record all the votes impeccably, while the machines in the precincts that are likely to go against you have a greater tolerance of error, you will subtly slant things towards your own candidate without ever having to actually change a vote.

It isn't even necessary for votes to go uncounted. A setup that randomly records occasional votes as being for the wrong candidate will always take more votes away from the candidate who is ahead than from the one who is behind. For example, if candidate A gets 60 votes and candidate B gets 40, then a glitch which randomly switches every tenth vote will move 6 votes from A to B but only 4 votes from B to A. The result is that the count will show not 60-40 but 58-42.

It was clear in Florida in 2000 that a lot of this sort of thing was happening simply because the poorer distracts had inferior voting machines -- but what I'd like to know is whether it would be possible to build it in as a deliberate feature on a system like Diebold's.

I read the whole damn thing...AND I encourage everyone to read it all and not just the Blue fonted parts. How anyone on DU read this and still be skeptical of what you are doing Bev is beyond me....

Bravo!

and they are shocked to hear just the basic summary of this. No one in DC knows about this yet. Call your congresspeople. Call your senators. Get the word out. NOW.

So some of them are surely aware of this. I had spoken with someone who works on the Hill about this issue a few months ago. The Congresswoman who he works for was aware of this issure, but did not think that there was anything to it.

Months ago. I was shocked to see the lack of enthusiam for this, from
the Democrats especially! I will continue to correspond with them, along with state election officials, armed with Bev's news releases. We will not be ignored!

It is that they have yet to be convinced that there is a problem.

Try saying that. And including Rob-Georgia's statement. And maybe offer a few Tumms.

And we hadn't had a Republican governor in 130 years... until the 2002 election, that is. After I read "The Best Democracy Money Can Buy" I was pretty sure that something like that had to have happened in my state. There is no other explanation.

seem to be reading this! (i know i'm not there yet but give me time ;-) but seriously, looks like we need to get the rest of the internet to pull a dean with this, and get it out into the massmind as quickly as possible. oh, and btw- dean has already mentioned this! he and his staffers are at least aware and acknowledging the problem.

Welcome to DU, don't let the 1000+ get in your way of having an enjoyable and informative experience here. We are all equal.

Where did Dean mention this? Can you provide a link?

:)

He had spoken that people must be aware and active locally, especially techie types(not his word) and equal justice types(also not his words). Will do follow-up tomorrow.

Please realize that this one (rob-georgia) really hurts them badly. We now have PROOF that they not only used these files on the FTP site, they used them at the direction of Diebold at the highest levels. And the guy in charge of Security was watching them do it.

These people are going to try to do a lot of deflection from the issues. They'll twist your posts and change your words. They have no choice.

I'll ask you a simple question, just as I did above.

What would you do if Diebold were to set up a machine in public and say to Bev and the rest of you, "Here you go. Here's a machine with a modem in it, and here's the phone number. Let's see you rig an election." Could you do it?

Now perhaps you've keep something up your sleeve that you are not revealing yet. If so, kudos to you for playing the media game well. If not, I'm afraid all you've got here is a story about a flawed product. Its nothing along the lines of the Pentagon Papers, and certainly nothing the deserves all the cloak and dagger shit I've been listening to for the past few weeks.

So answer my simple question. Could you rig an election?

... I don't think anyone thinks that an *outsider* is rigging anything.

But the real possibility that *insiders*, who have essentially directed the addition of the backdoors in the code, could do pretty much anything they want because there is nothing in the code to stop them.

I don't think anyone thinks that an *outsider* is rigging anything.

Precisely my point. If this story isn't about the ability of an outsider to rig an election, why talk about the fact that the machines are connected to the outside and can be accessed remotely? If this story is only about the fact that voting machine hardware and software could theorectically be rigged by insiders, I'm wondering what the big deal is. Of course elections can be rigged by insiders--that is not news. Heck, insiders can rig paper ballot elections if they wanted to. Granted, an insider can rig electronic elections more easily, but I don't think that is news either.

In other words, if the goal of this story is to spur interest in the reform of the laws surrounding the testing of election systems and software, I think it will probably succeed. (And, I have to say, I think succeeding in that regard is very important). If however, you think this story is about election fraud and Republicans stealing elections, I simply don't see it. This story was billed as being as big as the Pentagon Papers. So far, I don't see anything remotely like that.

Well, now you are arguing semantics. What is important about this is that it makes "insiders", i.e. people who know how to take advantage of the carefully built-in flaws of the system -- into virtual *outsiders* who can do their dirty work from a remote location with practically no possibility of detection.

*If* you can access these machines remotely over a network and fool with data, well no matter how you slice it that is a huge big fat hairy deal because there is no amount of hand-waving that can justify any need to be able to do so, period.

I have county officials who tell me they call the GEMS computer from home.

... one bit. I was just covering my ass for the sake of debate. Since it was not a fact I was prepared to back up :)

we've got your back. :evilgrin:

Are you saying that the answer to my question in post #70 is yes?

are you saying you can set up such a demonstration?

If so, please do.....you'll get your answer live and in living color.

As you know, I've been fishing for places to go live with this too. But let's not let the adversary give us a specially clean and newformed system.

Bev

but, since the only objective here is to get someone to admit they can hack an election ---> get them arrested, I doubt we'll see any such offer.

isn't some special setup? It's not hard to rig a special "demo" machine, ask computer salespeople.

And then, given the machine to test, how could you possibly assemble enough qualified staff, though it would be easier with the high unemployement, take the time to write test and audit procedures, pay everyone who's not a volunteer, and believe you accomplished anything?

Even if it worked and couldn't be compromised, that doesn't mean that they don't have different HW or SW on the other machines out there or that they wouldn't do that at any time they chose.

No, Diebold's offer to "see if you can compromise this" is not an adequate answer.

An adequate answer is agreeing to all the necessary safeguards, printing copies for later recounting if necessary, and doing it openly.

I have no connection to Diebold that would allow that.

Now if you wanted to hack on Hart InterCivic systems, I could help you out...

Do you work for Hart InterCivic systems?

A former boss of mine does, and I've kept him aware of what's going on here. He told me about Diebold and its long history of problems months ago, so all this comes as no surprise. As a Diebold competitor, he's pleased as punch to see all this coming out. He is a diehard Democrat and a good guy. My biggest dispute with him is that he thinks that a paper based audit trail is a bad idea. I'm trying to turn him around on that one, but in the end it may not matter. Hart Intercivic is aware of the pending legislation, and they will do whatever the law requires. From his point of view its a simple business decision--the company will do whatever its customers (i.e. the government) asks it to.

reading your post and now knowing that there is someone in the industry who knew about all of this makes me want to sit here and cry!

My God, a Democrat, no less!

After what we went through in 2000! After all that has happened in this country after the coup - your friend should be ashamed of himself. Here it is taking an author, along with DU activists to research the process of our Constitutional right that is so very vital to our present and future democracy and our existance.

I realize he may be in fear, but so are some of our DUers. But they don't intend to be opportunistic about it.

Nederland's "former boss" is sitting there beside him/her and helping compose the answers and posts in these Diebold threads.....

I mean, seriously, how else is Nederland coming up with these immediate and prompt responses all day and night?

Nederland, say hi to that "former boss" for me the next time you happen past a mirror, will ya?

Oh, and how many times have we heard those "life long Democrats" who now "support this president" on CSPAN?

True to republican behavior, the chickenhawks will "let the women handle it" for them.

to be taken seriously and to have this issue
taken seriously it might be in your interest
to stop behaving like a whacko conspiracy theorist.
It's a common technique of the foil hat crowd to accuse
anyone who disagrees with them of being a part of the
conspiracy. It really discredits anything you have to
say.

The R. Doug Lewis' and Britian Williams' gave up calling us conspiracy theorists some weeks back.....you really need to get with the game.

They've elevated us to "terrorists" now. You're missing your daily talking point memo, me thinks.....your email went out, huh?

I'm a good deal more impressed.

You think I'm lying about where I work? You've obviously lost it. You pick the method of verification, and I'll comply. The only request I have is that after it is determined that I do not in fact work for Hart Intercivic, you have to apologize for calling me a liar. Deal?

every now and then.

reveal your own involvement at a much earlier time, since it puts such a different light on everything you've said.

What puzzles me is that if your at long last admitted connection to the industry is what you say it is, why are you as contrary to what's going on as you are? Seems to me you would have been more eager to HELP rather than mucking things up. I know, I know, you call it devil's advocate or whatever.

Just seems passing strange to me.

And what I've never understood, and still don't, is why you've been so eager to raise the bar: Oh, no, just having opportunity, motive, method to commit vote fraud, not to mention a past history of same, isn't nearly enough. Bev&Crew have got to come up with actual proof of vote fraud in order to be taken seriously. Why is that, exactly?

And tell me something else, while we're on the subject. Just who else has your former boss worked for in this industry? What industry were you both in when you worked for him? Have you had any jobs in the voting machine or software industry?

I'm sure I'm not the only one who would like to know these things.

Eloriel

I'm not really sure why this is such a big deal, but since I have nothing to hide I'll answer your questions.

My "connection" to the industry consists of the fact that three of my former co-workers currently work at Hart Intercivic. One individual is a project manager and my former boss, and the other two are developers. We all worked together at a little dot com startup called NetDelivery, now a dot-bomb barely hanging on with a new name and a much smaller set of employees. Because of the twenty or so developers that worked at NetDelivery but now work elsewhere, I suppose it can be said that I also have "connections" to the medical imaging industry, the web site development industry, the aerospace industry, and the telecommunications industry. Gosh, I didn't realize how well connected and influential I was until just now </sarcasm>.

As for why I think Bev&Crew have got to come up with "actual proof" of vote fraud in order to be taken seriously, I guess its because I'm sick and tired of my fellow Democrats looking like complete idiots and conspiracy freaks. The post above where DEMActivist actually claims that I am lying about where I work and the very existence of my former boss without any proof whatsoever other than his wild imagination is a classic example of this. Here's a hint: if you want to be taken seriously, you need proof, not speculation. In any case you are misrepresenting me because unlike Fredda, I actually agree with much of what Bev has to say. I do believe she has proof that the Diebold product sucks, I just don't think she has proof that any elections were rigged (at least, I haven't seen any yet). As a result, I think calling this "bigger than Watergate" is a bit overstated.

Finally, my former co-workers have only worked in this space for less than a year, and their role is simply to develop software. As for me, while I've several years of experience involving cryptography and secure systems, I've never worked in the voting machine industry. All told I've worked in the software industry for 14 years now.

Hope that answers your questions.

the best man at my wedding now works for lockheed martin, so you might say that i have connections to orbital surveillance and the military-industrial complex.

:)

They've been asking for it for months. That said, I would think that (duh) Diebold might put a slightly special version of their programs on the demo version, if they were controlling it, and if they were doing anything wrong. Thus, it would not prove anything quite as well as a couple other methods, also going live with it in real settings.

I sure as hell wouldn't let Diebold set it up. It's a little tricky; even with "permission" each state has different regulations as to who is allowed to test a voting machine. Some states allow officials at the county level to conduct tests on their voting machines, others allow it only at the state level. And (I'm a few steps down the walkway on this actually) the permission needs to come from a person who is friendly, or at least neutral, but also who holds a position where they have statutory permission to do the test.

Of course, there are our, ahem, "less formal" meet-ups, but we can't use those at all to document without screwing over sources. All they are good for is to get confidence we're on the right track, which has value.

Actually, Nederland, I value your contributions very much and may on occasion PM you to look at something before we finalize, if you don't mind. Skeptical points of view are very much needed.

Bev

This where you are in a real catch-22. In order to prove without a doubt that the system is fatally flawed, you need to be able to demonstrate the flaw in public. Not in words, articles, and descriptions, but a real live display of the flaw on a running machine. Problem is, if you let Diebold set things up, like you pointed out, they would probably change the configuration so your hack doesn't work. If you insist on setting up the machine yourself, Diebold can always claim that you configured the machine wrong. Now in my book, it should be impossble to setup an election machine "wrong". The design should prevent that inherently, and that is my biggest problem with the Diebold product. However, I have a feeling that my opinion is not really relevant here. Diebold will point the finger at you and most people will believe them--especially election officials that made the choice to buy Diebold and who would be made to look bad by a clear demonstration of a flaw.

Let's see, there are installations in...300 counties or so -- oh yeah, I have the list -- oh yeah, I have all their phone numbers -- oh yeah, some people are trying to pull strings on this right now.

We'll see if we have any luck.

Bev

I wish you the best of luck in this. People can argue back and forth all day long over what code and systems can and cannot do, but if you can get a live demonstration put together no-one can dispute you. It makes for great TV too :)

If I use their system, Bev's team findings and the system requirements that you specified, I probably could do it now. Within a typical six-month election cycle, probably a few on this board could setup a rigged election. There are enough security lapses (nevermind modems, firmware, MS-Access)in the system design from what I've read so far.

Diebold has done nothing to address these security issues. And what this? They had to design their own motherboard? That's gotta be buggy as all hell. Hopefully they haven't used any of those faulty Taiwanese capacitors that leak all over the motherboard. I highly doubt these systems would comply with NSA guidelines.

Though the icing on the cake for the serious criminal conspiracy charge of vote rigging and product fraud, the law will still require a demonstrated pattern of irregularity and malicious conduct with these system and specific corporate executives.

I seriously don't know.

Bev, did you find any hint of a program called Dameware? It is an application that allows a system to be taken over. It can load itself onto a PC and does not require software to be preloaded on the recieving end. It is used on Win2k and XP systems only. You do not need apps such as PCanywhere to take over a 2k system.

The embedded version of Windows. I've never attempted using Dameware ona CE machine. It's an interesting thought...

From the recent posting:

"When you say build a server it's not physically assembling a hardware. We added a component or two to make it do what we needed to do, modems, we load the Windows 2000, put the software in then we test it against their touch-screen machines."

If they are loaded with 2k then they are open to Dameware sessions and those can be nearly invisible to local users and require no software preloaded.

The touch screen devices are CE.

I noticed that. I assume James Rellinger knew what he was talking about, after all, he loaded it on 159 machines in a row -- but I did notice the discrepancy. The manual clearly says to run it on Windows NT and no other system.

And if they CHOSE to install Windows 2000 (when the Manual says Windows NT) -- that would be require an explanation, IMO. A formal explanation. Especially since the GEMS manual says to use NT and no other, and they are supplying the OS as part of the package.

What telltale signs would one look for with Dameware?

Bev

In fact the directory 2k installs to is called WINNT.

Windows 2K NT 5.0.

David Allen
Publisher, CEO, Janitor
Plan Nine Publishing
1237 Elon Place
High Point, NC 27263
http://www.plan9.org

They got to be sending our field service notices for these systems. And hopefully they would be requiring all systems devices and operating systems to be at current (not recent) patch levels. All Windows 2K, NT and XP OSes would be required to have the latest service package installed. I believe that Win 2K just had SP4 released.

Though the hardware may not be compatible (especially if its Diebold properiety hardware).

Hi Bev,

I've been following your investigations from the edges for a while, so forgive me if I'm behind the curve here. But a few observations for what they are worth:

Your case appears to be largley circumstantial so far. What I gather is that there may be security holes (although I don't think you've found a clear and concise way of articulating this yet -- a necessity if the mainstrem media is going to latch on to this).

The double-talk and confusion you report in interviews with election officials further suggests the possibility that problems exist which nobody wants to acknowledge yet -- all circumstantial however, at best.

They way I see it, there are two elements to this story that need to be resolved. First, are there security holes? If so, can you find a way to conclusivley and simply explain what they are?

Second, if there are security holes, were they exploited? This, of course, would be the bigger story and it shouldn't be that hard to validate -- assuming you can get some cooperation.

As Dr. Williams notes in his explaination of how these sytems work, "the computer system must provide audit data that is sufficient to track the sequence of events that occur on the system," and "For transactions that occur on the system, a record is made of the nature of the transaction, the time of the transaction, and the person that initiated the transaction."

Can you not obtain the audit logs of the systems in question? This may take a Freedom of Information request, but this information could go a long way in resolving the issue.

which can be edited and your tracks erased is pretty useless.

David Allen
Publisher, CEO, Janitor
Plan Nine Publishing
1237 Elon Place
High Point, NC 27263
http://www.plan9.org

... in and of itself is a smoking gun to me. Anybody who has rudimentary understanding of technology and systems understands the uselessness of an "audit log" that is easily "corrected". In fact, it is worse than useless, it can be used to "prove" something did not happen when in fact it did.

I know - it won't make the 6 oclock news but it is a travesty.

how I overwrote the audit log (that was the story from yesterday, here's the link) http://www.scoop.co.nz/mason/stories/HL0307/S00065.htm

or not? Because if you actually read that story and don't know if a security hole has been shown, that tells me one thing. Your suggestion that we check the audit log when the security hole was the audit log makes me think you missed the story?

Thanks,

Bev

No, I hadn't seen that story, but it's much clearer and much more compelling. Just to continue to play devil's advocate though, you've now demonstrated just how vulnerable these systems are to an "intruder or insider;" where do you go from here? Still lacking is evidence that any of the scenerios you paint as possible actually happened. Don't get me wrong, what you have discovered so far is a monumental achievement, but do you have any evidence that there was, in fact, any tampering?

(P.S. the article above says that votes are transmitted "by modem." (Which would open up other security issues). But Dr. Williams says that the cards are actually transported in locked cases, under armed guard, to the elections office. Which is it?)

Start looking at the HAVA act for the legal requirements of the software. Legally the election system is required to register the votes precisely. You can't legally field a system with bugs that do not count the vote accurately. The legal requirements for election systems are much higher than your typical ecommerce system.
The legal requirements do not permit bugs in the precise count of the vote.

There are legal requirements for security as well.

The real kicker here is the system not meeting the legal requirements of the HAVA act. Unlike a dotcom system, you can't just say there are bugs, so what, we'll fix them. The system must meet the legal requirements before fielding.

The point made in that post is what's important about this whole story. The fact that the security is lacking and there are holes all over the software makes the system ILLEGAL!!!!

This IS bigger than Watergate or the Pentagon Papers. It doesn't matter one hoot whether or not there was actually election fraud in 2002. What matters is the system used does not meet the legal requirements, ergo the election could have been rife with fraud. What's more, because of the nature of the secutiry holes and software bugs, THERE IS NO WAY TO TELL WHETHER OR NOT THERE WAS FRAUD IN THE 2002 ELECTION!!!

I don't give a damn if there's ever any proof thaat election fraud occurred in 2002. What's important is the fact that there could have been and we can never be certain.

Diebold should be held criminally liable simply because they openmed up the possibility of election fraud with no way to audit it.

the main point of the investigation of the voting software/hardware.
other investigations about the elections have turned up other damning issues.

It's important that you understand that I'm not trying to diminish the efforts here. They are extremely important and the people giving of their time and expertise are true patriots. My opinion is one of someone who is not a software or legal expert, but who is interested in knowing the truth -- in short, the kind of person to whom you ultimatley will have to make the case.

Simply telling me that this is ILLEGAL (with four excalmation points) and that it is bigger than Watergate is interesting, but unconvincing. I may even sense that you could be right. But it's not enough for me (and certainly won't be for a newspaper reporter.) It's unfortunate that a Woodward or Bernstien hasn't emerged, but it looks like Bev, et al are going to have to assume that role. Therefore, the nits I pick are in hope that your work continues so that this story become rock solid and doesn't get submarined because of innacuracies or hyperbole.

So, to the points made above:

1) What law was violated by what has been discovered so far? Can you cite a subsection of the HAVA or other law that has been violated? Maybe now is the time to solicit the opinion of some legal experts if this is the direction this story should go.

2) It DOES matter whether or not there was election fraud in 2002. Without it, the issue is one of sloppy (possibly illegal, as you contend) workmanship, which no matter what it may have allowed, seems not to even be backed up by indications of malicious intent, much less motive to change an election. The issue of poor industrial practices, even if ultimately illegal, is one that will be of interest to a smaller segment of the population.

If, on the other hand, there is evidence of actual vote tampering, that is a lead story for the nightly news and a front page, above the fold story for even the reluctant Atlanta Journal Constitution. You'll do the cause a favor by avoiding calling something election fraud prematurely.

You might not appreciate the distincition, Starr, but saying that there is no distinction for you between the possibility of fraud and whether or not there was any is a lot like saying it dosn't matter if WMDs are found or not in Iraq; that the possibility of their existince is as good as the unproven reality of their existince. It's the despised "Absence of evidence is not evidence of absence" argument -- a weak one that never got traction on WMDs and won't fly here.

(edit: spelling)

Even if there was fraud in the 2002 election, those who were put in office would have to be associated directly with the fraud in order to be removed from office. Even if you can prove the fraud in the 2002 election, you're not likely to be capable of proving Saxby Chambliss had any knowledge of that fraud.

That said, I'm most concerned about keeping fraud out of the 2004 election. THAT'S WHAT THIS THING IS ALL ABOUT!

In regard to my post about the post being responded to being important, if you read the post I responded to, it lays out how the security holes are, in fact, violations of election law. IF you want a state by state accounting of precise laws being violated, that will take some time as election laws vary state by state, however, I can guarantee ytou that the laws requiring accountability are violated by the Diebold system.

but I've looked at the FEC site and don't see anything in Diebold's system that violates the regulations.

As for bugs, has anyone found any?

if you actually understood Diebold's system.

Eloriel

GEMS does not meet the accuracy requirements legally mandated.
I am not sure it was even tested to meet these standards. After I finish compiling the mandates, then I will cross check it against the test cases.

Voting System Standards Hardware Section 3.2
For a voting system, accuracy is defined as the ability of the system to capture, record, store, consolidate and report the specific selections and absence of selections, made by the voter for each ballot position without error. Required accuracy is defined in terms of an error rate that for testing purposes represents the maximum number of errors allowed while processing a specified volume of data. This rate is set at a sufficiently stringent level such that the likelihood of voting system errors affecting the outcome of an election is exceptionally remote even in the closest of elections.

The error rate is defined using a convention that recognizes differences in how vote data is processed by different types of voting systems. Paper-based and DRE systems have different processing steps. Some differences also exist between precinct count and central count systems. Therefore, the acceptable error rate applies separately and distinctly to each of the following functions:
a. For all paper-based systems:
1) Scanning ballot positions on paper ballots to detect selections for individual candidates and contests;
2) Conversion of selections detected on paper ballots into digital data;
b. For all DRE systems:
1) Recording the voter selections of candidates and contests into voting data storage; and
2) Independently from voting data storage, recording voter selections of candidates and contests into ballot image storage.
c. For precinct-count systems (paper-based and DRE):
Consolidation of vote selection data from multiple precinct-based systems to generate jurisdiction-wide vote counts, including storage and reporting of the consolidated vote data; and
d. For central-count systems (paper-based and DRE):
Consolidation of vote selection data from multiple counting devices to generate jurisdiction-wide vote counts, including storage and reporting of the consolidated vote data.
For testing purposes, the acceptable error rate is defined using two parameters: the desired error rate to be achieved, and the maximum error rate that should be accepted by the test process.
For each processing function indicated above, the system shall achieve a target error rate of no more than one in 10,000,000 ballot positions, with a maximum acceptable error rate in the test process of one in 500,000 ballot positions

You heard me.

Check and see -- if you have what's on FEC.gov, it's 2002 standards.

Bev

otherwise your certification lapses. Also the 2002 standards build on earlier standards. So whatever is new under the 2002 standards is what Diebold may not be in compliance with.

You are right to point this out. In the introduction to the new standards, they point out the key areas where the standards are different. I do need to go back and double check exactly which requirements were never legally met either by the 1990 standards or the 2002.

I think we are on good ground to say that the voting machines must conform to current standards otherwise they should not be used. Unless someone can show the legal waiver.

sorry dupe...

Does our knowledge of altering the vote come from our theorising based on what was found or is the method spelled out in the documents found on the FTP site?

I'll try to answer what I'm assuming the question is....

The evidence of vote manipulation is in the files on the FTP. We are being especially careful not to "color" opinions of folks who are newly looking through those files. If we point the finger at the problem, saying "look here, look there," they have not independently verified our findings.

The question is does the knowledge of how to change the voting record come from our research or from the files present at the site? That is did we look at what was present and determine that tampering could occurr or was there what amounts to instructions on how to do it already present. My take on what I have read so far is that the documents available amounted to a roadmap to steal an election. Whether the map was used or not we cannot tell. But the existance of such a roadmap on Diebolds site is damning enough without evidence of use.

in many forms - the programs, the manuals, the instructions.

The roadmap led us to the evidence.

in the article yesterday? http://www.scoop.co.nz/mason/stories/HL0307/S00065.htm

Because it wouldn't seem that a readme type file would at all be needed, would it?

Bev

The reason I am pursuing this issue is that for the public to grasp this they are going to need to be smacked in the face with something substantial that does not require an understanding of computer issues. A complex issue will be boiled down to a minor problem by the spindoctors of the right.

...a good lawyer and a secure location. He sounds like most of the real engineers I know--decent straightforward guy who just wants to fix the thing and do it right.

I expect he's about to face some serious attempts at libel, entrapment, slander, and even physical intimidation. That is some seriously ugly shit he's talking about these guys, and if they really are up to what it seems like, look out Rob-Georgia. I hope he didn't sign a non-disclosure--though I'd be surprised if he didn't have to--cause they'll come after him with some serious law as well.

whistleblower laws and legal support. You've got a situation where Diebold orders you to install patches, then Diebold orders you not to tell the official voting machine examiner what you're doing, and you get in trouble when you answer an honest question, and after you report the problem to the CEO, they dump your ass.

If he has any problems at all, I know exactly who I will call on his behalf.

Bev

... gets put on a small private airplane to fly out to some backwoods precinct to service its' Diebold systems.

that the ATl. Journal-Constitution would not be interested in this! Some well meaning advice from a fan and old PR hack, if you're not already doing it: Pitch these stories to the relevent local print and TV outlets before you post this stuff here, in NZ, or your site.

This story is a solid, sexy, up front sell--INDEPENDENT COMPUTER EXPERTS accross the nation are beginning to SUSPECT that there MAY be some questions about voting machines USED IN GA since the code was inadevertantly published on the internet. Now we have PROOF that a major player lied to a major news source about a major method that could POSSIBLY be used to alter elections, incuding the one in GA that HELPED TIP THE SENATE.

It can't hurt to offer them the scoop first-- if they say, "No, Bev, we don't do stories from whack jobs like you." Then do NZ, and you can, as the story unfolds keep going back to them and say, "still think I'm a whack job? All I'm trying to do is make your f'n career, Pal."

with two rigged machines and a candidate in handcuffs and they'd look the other way. Let me tell you what some poor excuses for reporters did: When we discovered 40,000 voting system files floating around in the wild where any hacker with a laptop could get at them, and I called the political reporters at AJC AND OFFERED TO GIVE THEM A GUIDED TOUR OF THE WEB SITE they turned me down, saying they did not consider the story "important" and wanted to write stories about the state flag instead.

There have been numerous attempts by many reputable people to interest AJC in the story. We need a reporter there who is a real reporter. There are some. Then, we need editors with the integrity to cover the story.

Oh yes, and the AJC, after receiving written information confirming the security flaws, ignored looking into that but DID print a two-month old press release about how much fun it is to vote on the machines, urged on them by Georgia Secretary of State Cathy Cox, who was well aware of the problems.

Bev

Bev

Pretty simple really, just send them to [email protected]. Whadya think? Start a seperate thread, perhaps?

I'll post mine tomorrow.

Has anyone discussed filing a lawsuit enjoining use of these machines? Bush v. Gore could be relied on as legal precedent. Sweet irony there!

"Our consideration is limited to the present circumstances, as the problem of equal protection in election processes generally presents many complexities."
http://www.geocities.com/dearkandb/supremeqanda.html

Decision:
http://www.supremecourtus.gov/opinions/00pdf/00-949.pdf
(December 9 stay stopping the recount) - PDF format

http://frwebgate.access.gpo.gov/supremecourt/00-949_dec12.pdf
(December 12 opinion) - PDF format
{Andrys’ alternative for the Dec. 12 opinion, including Dissents}

http://supct.law.cornell.edu/supct/html/00-949.ZPC.html
(December 12 opinion and dissents) - HTML browser and PDF formats

Under the majority decision which none of the felonious five would admit to authoring, Bush v. Gore CANNOT BE USED AS PRECEDENCE IN ANY LEGAL ARGUMENT.

This means that if, in 2004 for instance, The exact same thing were to occur with identical numbers of votes in Florida etc. etc. etc. with the only exception being the numbers are reversed and it's Bush demanding the recounts, the SCOTUS could make a decision that is 180 degrees in opposition to Bush v.s Gore putting Bush back in office.

It's all there in the treasonous decision.

That doesn't mean lower courts can't consider it, or necessarily that that all the justices in the majority meant what they said. In any event, an action could be brought under the Constitution or the Voting Rights Act that the machines do not assure people of their right to vote, and to have that vote counted.

First off, I think Bev Harris et al. are doing a great job trying to cut through all the secrets surrounding these voting machines and that there is still lots of investigating to do. Just hearing "Windows" and "Access" in conjunction with voting machines gives me the creeps.

On the other hand, reading this "second volley", I did encounter some passages that do not seem accurate to me, from a technical point of view:
1.Setting a modem to "dial-out only" per software is pretty basic. I'd assume everyone sharing a line between phone and modem would have to do that since otherwise the modem would pick up on every incoming phone call. The handshake issue is beside the point because a handshake only takes place after the connection is established (i.e. the modem has picked up), which doesn't happen if the modem is correctly set to "dial-out only". (I'm not taking into account any configuration or software errors or malware that is acting behind the user's back.) Naturally, once the connection is set up properly, it works both ways.
2.Manuals mentioning "modems, ports, uploading, downloading, TCP/IP protocols, transmissions" or "wireless communications" do not equate to "this machine has an Internet hook-up". I can do all those things with two machines that are only connected to each other, but not to the Internet, or even a single box. I can even run (and use) my own web server without it having anything to do with the Internet. In short, a "Web Server" or "Internet JAVA & HTML reports" depicted in a diagram do not necessarily mean that these reports are served to the public from that same box.

In my opinion, these inaccuracies should be addressed before distributing the story. It only hurts the overall message if it's not ironclad. I would absolutely hate to see it discredited just because of some details.

To clarify: I have not looked at any of the original Diebold files, I'm just referring to Bev's article. If anything in the original files (or anywhere else) invalidates my points, then please ignore my comment.

/me puts his asbestos suit on ;)

The "dial out only" issue is a diversion. In any case it appears that the upstream machines are connected to the internet, which means yes, the entire system ("dial out only" modems and all!) becomes "connected" to the internet.

Note, that there will most likely be some detail somewhere that was missed or some mistake is made. The challenge is to keep the number and scope of these inaccuracies down to a minimum so that the inevitable discussions on this major story don't lead off onto tangents based on these details.

Some of those who this may have hurt in election 2002 may still have enough stroke to help out! If the Robbed Georgians don't know about this, it's high time they find out! If the Evil Ones cheated the war hero from Georgia out of his senate seat this could be the straw that breaks the elephant's back! - Total Recall!!!!!

Bush is running a three ring circus, this gets better everyday for us hatters!

if someone gets a chance to revisit the link in the original post, I toned down the business about one-way modems, because it is in no way central to the point of the story.

Naysayers, weigh in please. Show your nits now.
Bev

Even if the modems are one-way (and it's likely that they are so because of software or firmware, either of which could be overwritten with a malicious patch - is an attempt to dial in via modem part of the test suite?), there is still the question of where those modems connect to.

- The modem could presumably connect to any computer, not just the GEMS system. So again, a malicious patch could cause the machine to dial up any other machine for instructions.

- What secures the computer that is intended to receive these dial-ins from the precinct? A possible attack is to masquerade as a legitimate precinct machine and upload those "vote counts" to the central point. If the computer were to receive two inputs from allegedly the same precinct, what does it do?

and welcome to DU!

Eloriel

Dial out, dial in, is just who initiated the connection. The *real* questions are, after the connection is made:

1) Is the application that dialed out in complete control of the modem, and if so, what data is the application transfering in and out of the modem connection?

2) If the application is not in complete control of the modem connection -- which is the default for most connections -- what services are running on the computer that are able to be contacted remotely while the apparently legitimate application is simultaneously using the modem connection?

--
On edit -- changed "initiated the question" initiated the connection.

and after having read everyone's responses as well, the lingering question for me is why are the technical details being left to the world of political and computer forums??? why have you not turned this over to a reputable computer firm who can tell you exactly what all this means, and thereby ensure your story is credible?

however, there are people at Stanford who are looking into this.

I accept VISA and Mastercard.

Bev

Message removed by moderator. Click here to review the message board rules.

and then let them front the bill for the research (as they'll be the ones making the money off of it at that point).

.....but what about the rest of us? :shrug:

Can you please tell me why my friends and I have been working 16 or more hours a day on this. Can you explain why we put ourselves at risk of being considered 'terrorists' who are trying to undermine the electoral process in this country? Would you let us all know what we stand to gain from all of this other than the knowledge that our votes will count in the next election? :shrug:

All I am is a screen name on a web site. Nobody knows who the hell I am and they sure don't know the others involved in what we're doing. We are NOT in any way associated with Bevs group. With any luck NO ONE will ever know who we are and that's just fine with us. :)

So I ask again, What's our motive? Why would we lie about something that is actively being looked at by others and soon be exposed?

On occasion when they think they've found something they may ask us to verify what they are seeing. Those requests are made in the broadest possible terms. We're simply asked things like, "what do you think of this routine?". First we check the documentation to see what the intended function is 'per the Diebold manual'. Only then do we look at the source code and 'follow the logic' of how the hardware will respond to what the software is asking it to do. We then relay our concerns back to them. Only after we have described our assessment of the situation do they tell us if we're in agreement on interpretation of the logic path. So far we've found no evidence that their people are misinterpreting the logic flow. :)

I can equate the voting system to a 'high tech' chess game. Only in this game the board is on multiple levels and is a mile square with thousands of pieces! It takes a team of players to see what's going on on all the levels and from every angle of the board. The difference between how we're playing the game and how Diebold plays it is simple.

Diebold holds their game in private, behind closed doors with only invited players. Then they invite us to bet on the outcome. They don't allow us to see how the game is actually played, they only give us a book of rules and swear they played by them. We only get to see the outcome of the game after it's over. They only show us the final position of the pieces. You are forbidden to watch the game in progress. If the game is questioned, they go back behind closed doors and replay the game. When the doors reopen, even if all the pieces are not in the same final position, they declare the same outcome and victory for one side.

We just took the game and opened it to the public. Anyone can play and anyone can see for themselves how the moves are made. The best part about how we play the game is that in the end everyone wins. :bounce:

So umm, what's my motive? :evilgrin:

nowhere in that post did I accuse anyone of lying. nowhere did i say i didn't believe the research. all i asked was why every semi-quasi wanna be geek to potentially great experts but we don't really know because they're participating via the internet is being asked to research this. This is a very important issue, as you state, to our democracy. don't you think it deserves to be treated a little more seriously than this? with all the effort and pushing for sales and interviews and speaking gigs don't you think some funds for research could have been raised? don't you think that there might be some companies who also share our concerns who would donate their company's services for this issue? I'm just asking and all i got was a rude smart*aleck* response.

take it upon yourself to pick up the phone and start calling some of these places to solicit assistance. We'd welcome your participation and activism.

I won't bother you with the responses we've gotten from these folks. It might discourage you.

As Bev says, grab an oar and start rowing.

companies are for-profit entities. Also, any blowback from working on this software would be potentially embarassing to government officials who award contracts. No company likes to piss off government sponsors.

That's why it has to be non-profit and volunteer groups who do this. If you are interested in working with people who have more of a standing in the community, look at Stanford University. There are some academics who are highly critical of the current voting systems over there.

about the discoveries you've made so far?