FAQ / Feedback
Q: How'd you get involved with this? Aren't you a Republican?
A: I get asked this a lot, and it really shows how focused our country is on partisan politics. I am a voter, first and foremost. That being said, yes, I am a Republican and have been since being sent to Republican Indoctrination Camp at age 2. That's where we are taught supply-side economics and the values of mutually assured destruction. :-)
I got involved with this because I have been against the adoption of these voting systems for years. It's a dumb-ass idea to implement them this way - our votes are too important. I wouldn't trust my Bank with computer systems this insecure; Hell, I wouldn't keep recipes on a system this insecure. When I saw all of the documentation regarding Diebold and their heavy partisan leanings, and then when the results came flooding in with a clear Bush victory when I seriously expected Kerry to win, I put two and two together. I am, by trade, a professional White-Hat Hacker, so I know how easily "secure" systems can be breached, especially by insiders. Roughly 80% of all computer crimes are perpetrated by insiders, so that's always the best place to look first. When the insiders also write the code and roll the machines out, there is no question that they have too much power and can not be trusted, whether they support my party or not. It's called "Segregation of Duties" in the professional world, and it is vital for system integrity.
But that was all theory and conceptual before I tried it myself. I knew that the descriptions and ideas were bad, but I hadn't actually seen a copy of the software. So I went to BlackBoxVoting.org following a link off of some website, I don't remember which, and saw Bev's plea - "Computer Guys - Test it yourself!". I thought, all right, I will. After all, this IS what I do for a living. It's like asking an accountant to balance debits and credits - nothing special, and besides, I was curious. Surely if our states are rolling this out to Hundreds of Millions of voters, somebody checked it. It can't be as bad as these liberal whiners are making it out to be - they're just pissed off that our folks turned out en masse.
What I found truly shocked me, and made me physically ill. That's what is documented on the other page. It IS that bad. I personally don't have conclusive evidence that voter fraud was perpetrated, but I can tell you as an Information Security professional that it would have been very, very easy to do. If I had to choose between someone conspiring with exit poll workers nationwide or someone changing values in an Access Database as the cause of the difference between the poll numbers and the "actual" results, I'll go with the easier, more effective option every time. Why choose the hard way when it's more trouble and you're less likely to succeed? Again, I'm staying clear of making specific allegations - I'll leave that to the activists who are gathering data - but I would be much more surprised if the election weren't hacked than to find out that it was.
It was too easy, the companies were too partisan and unethical, and there was too much at stake for them NOT to hack it. It looked like Bush was going to lose, and they had this tool available to pull out a victory.
Why do I call Diebold partisan and unethical, you ask? How's this:
"I am committed to helping Ohio deliver its electoral votes to the president." - Walden O'Dell, Diebold's CEO in a fundraising letter to Republicans, Fall 2003. O'Dell and other Diebold Senior Executives are Republican "Pioneers", which is the designation you get when you raise over $100,000. Brothers Bob and Todd Urosevich co-founded ES&S, another voting machine company, before Bob became President of Diebold Election Systems. His brother Todd is a Vice President of ES&S, the #2 vote machine maker, and is also a "Pioneer". According to campaign finance records at OpenSecrets.org, of the over $240,000 given by Diebold’s directors and chief officers to political campaigns since 1998, all has gone to Republican candidates or party funds. Is that partisan enough for you? Well, what about calling them unethical?
Check this out - No less than 5 of Diebold's developers are convicted felons, including Senior Vice President Jeff Dean, and topping the list are his twenty-three counts of felony Theft in the First Degree. According to the findings of fact in case no. 89-1-04034-1 (Washington State):
“Defendant’s thefts occurred over a 2 1/2 year period of time, there were multiple incidents, more than the standard range can account for, the actual monetary loss was substantially greater than typical for the offense, the crimes and their cover-up involved a high degree of sophistication and planning in the use and alteration of records in the computerized accounting system that defendant maintained for the victim, and the defendant used his position of trust and fiduciary responsibility as a computer systems and accounting consultant for the victim to facilitate the commission of the offenses."
To sum up, he was convicted of 23 felony counts of theft from by - get this - planting back doors in his software and using a "high degree of sophistication" to evade detection. Do you trust computer systems designed by this man? Is trust important in electronic voting systems?
So here we are - Means, Motive, Opportunity - the whole package. And since the systems are so poorly designed, no audit trail to show any wrongdoing. Add some cries of "conspiracy theories" and "sore losers", and you've got yourself a mandate. Four more years, indeed. Surprise, surprise.
BUT - what happens in 2006 or 2008, now that tens of thousands of activists know about the holes and how easy it is to steal votes? Well, it'll be interesting, that's for sure. These systems appear to be DESIGNED to be easy to Hack, so one can only imagine what will happen. But I for one will embrace President Homer Simpson and will fully support his new 2008 doughnut agenda as a welcome change. I hope that we can all stand together and welcome him as we Republicans continue to bring "dignity back to the White House."
Q: I thought the problem was the touchscreens, but you're talking about something different. Why would an attacker target the GEMS software instead of the TouchScreens?
A: Good question. With all of the hype about the touch screen terminals, you'd think they'd be a likely target. When you look through Hacker eyes, though, that's the best reason to avoid them. Here's what I think:
I feel that it is unlikely that these individual touch screen machines would be targeted. At greater risk than the individual touch screens are the Central Voting Tabulation computers, which compile the results from many other systems, such as touch screens and optically scanned cards. From a hacker’s standpoint, there are a couple of reasons why these central computers are better targets:
a. It is extremely labor intensive to compromise a large number of systems, and the chance of failure or being detected increases every time an attack is attempted. Also, the controversy surrounding the touch screen terminals ensures that their results will be closely watched, and this theory has been borne out in recent days.
b. If one were to compromise the individual terminals, they would only be able to influence a few hundred to maybe a couple of thousand votes. These factors create a very poor risk/reward ratio, which is a key factor in determining which systems it makes sense to attack.
c. On the other hand, the Central Vote Tabulation systems are a very inviting target – by simply compromising one Windows desktop, you could potentially influence tens or hundreds of thousands of votes, with only one attack to execute and only one attack to erase your tracks after. This makes for an extremely attractive target, particularly when one realizes that by compromising these machines you can affect the votes that people cast not only by the new touch screen systems, but also voters using traditional methods, such as optical scanning systems and absentee ballots, since the tallies from all of these systems are brought together for Centralized Tabulation. This further helps an attacker stay under the radar and avoid detection, since scrutiny will not be as focused on the older systems, even though the vote data is still very much at risk since it is all brought together at a few critical points. This also has been borne out by early investigations, where the touch screen results seem to be fairly in line with expectations, while some very strange results are being reported in precincts still using some of the older methods.
This is not to say that the touch screens don’t have their problems, which are well documented on the web and the news. My point here is that if you want to steal an election, targeting the individual touch screen machines is not the easiest way to do it.
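The defensive counterpart to this argument, as an added example (not code from the original page or from any voting system): because the totals from every channel meet at the central tabulator, each row of the central tally is reconciled against a record kept independently at the precinct, and the older channels are checked just as closely as the touch screens. The row layout, names and all figures are constructed for illustration, and a single contest with at most one vote per voter is assumed.

```python
from collections import defaultdict

# Constructed sample data, not real election results.
# Row layout (an assumption of this example): (precinct, channel, candidate, votes)
PRECINCT_RECORDS = [   # records kept independently at the precinct (e.g. signed poll tapes)
    ("P01", "touchscreen", "A", 310), ("P01", "touchscreen", "B", 295),
    ("P01", "optical",     "A", 120), ("P01", "optical",     "B", 140),
    ("P02", "touchscreen", "A", 205), ("P02", "touchscreen", "B", 230),
    ("P02", "absentee",    "A",  60), ("P02", "absentee",    "B",  75),
]
CENTRAL_TALLY = [      # what the central tabulation database reports
    ("P01", "touchscreen", "A", 310), ("P01", "touchscreen", "B", 295),
    ("P01", "optical",     "A", 150), ("P01", "optical",     "B", 110),  # shifted, total kept
    ("P02", "touchscreen", "A", 205), ("P02", "touchscreen", "B", 230),
    ("P02", "absentee",    "A",  95), ("P02", "absentee",    "B",  75),  # inflated
]
# Voters recorded as having voted in each precinct, all channels combined.
VOTERS_CREDITED = {"P01": 870, "P02": 580}


def index(rows):
    """Map (precinct, channel, candidate) -> votes, rejecting duplicate rows."""
    out = {}
    for precinct, channel, cand, votes in rows:
        key = (precinct, channel, cand)
        if key in out:
            raise ValueError(f"duplicate row for {key}")
        out[key] = votes
    return out


def reconcile(precinct_rows, central_rows):
    """Return [(key, precinct_votes, central_votes)] wherever the two disagree.
    A key missing on one side is reported with None for that side."""
    local, central = index(precinct_rows), index(central_rows)
    diffs = []
    for key in sorted(set(local) | set(central)):
        if local.get(key) != central.get(key):
            diffs.append((key, local.get(key), central.get(key)))
    return diffs


def discrepancies_by_channel(diffs):
    """Count mismatched rows per channel, to show where scrutiny is needed."""
    counts = defaultdict(int)
    for (_precinct, channel, _cand), _local, _central in diffs:
        counts[channel] += 1
    return dict(counts)


def over_votes(central_rows, voters_credited):
    """Precincts where the central tally holds more votes than voters credited.
    Catches inflation, but not votes shifted between candidates."""
    totals = defaultdict(int)
    for precinct, _channel, _cand, votes in central_rows:
        totals[precinct] += votes
    return {p: (t, voters_credited.get(p, 0)) for p, t in sorted(totals.items())
            if t > voters_credited.get(p, 0)}


if __name__ == "__main__":
    diffs = reconcile(PRECINCT_RECORDS, CENTRAL_TALLY)
    for key, local, central in diffs:
        print("MISMATCH", key, "precinct record:", local, "central:", central)
    print("by channel:", discrepancies_by_channel(diffs))
    print("more votes than voters:", over_votes(CENTRAL_TALLY, VOTERS_CREDITED))
```

In the sample, the P01 change keeps the precinct total intact, so the votes-versus-voters count passes and only the row-by-row comparison against the precinct record exposes it.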
Q: You seem very intelligent and reasonable. With all of the fraud, the lies, the dirty tricks, and the fanatics, WHY ARE YOU STILL A REPUBLICAN?
A: Thanks? You wouldn't believe how many times I've been asked that in the past week. Here's my short answer:
First, voter fraud has tainted both parties going back a long time, so switching sides won't automatically make it "better". Second, I will have NO say in Republican policies if I switch parties. I want my Party back, Dammit!
My goal from this point forward is to bring the Republican party back away from the psychos and towards the center, and I can't do that from the outside. I think that if you want to be an agent for change, you can't simply run away. That's why I'm still here.
One caveat - In case of Armageddon before the 2008 elections, all bets are off.
Q: Why did you post this? Won't this tell the Hackers what to do?
A: That's a reasonable question, particularly for someone outside Information Security. Let me answer in 2 parts:
1) The short answer is that Hackers already know this. Not to insult those of you who are just finding out about this, but this isn't really news - it's been known for quite some time, and a mix of computer types and social activists have been trying to tell you that it's coming. The GEMS software has been available for some time thanks to a dumb-ass move by Diebold, when they left an FTP server open to the public. Copies of GEMS software, database files, user guides, code, and all kinds of "good stuff" have been circulating around the 'Net ever since.
2) The ONLY way to get this fixed is with a huge public outcry. I need YOU to help spread the word. Not just read this, but tell two friends. And it would help if one of them was a Senator. :-)
Q: Have you seen the recent happenings in NC, like the stuff happening in Gaston County?
A: Yes, I saw that. Guess who runs the machines in Gaston County, NC? A Diebold Employee! (Worst quote: "The county pays a technician from Diebold to operate its systems on Election Day. That person was in charge of transferring early votes from electronic storage to the counting computer.")
http://www.charlotte.com/mld/observer/news/local/10192340.htm
OK - 1) how bad does your product suck if you have to keep a technician on-site to work on it, and 2) with the tech on site, the number of recorded votes and voters from the 2004 Election don't match in more than half of the precincts in Gaston County! (http://newsobserver.com/news/ncwire_news/story/1839095p-8157912c.html)
Either a) the machines are so poorly built that even having a Diebold technician on-site couldn't make them work right, or b).... <fill in the blanks yourself>. Either way, we lose.
But it must just be a coincidence. In an effort to defend these systems, Diebold spokesman David Bear said by phone that "No one would risk manipulating votes in an election because it's against the law and carries a heavy penalty."
http://www.wired.com/news/evote/0,2645,65031,00.html?tw=rss.TOP
Hey - we need this guy to get the word out to the criminals! That should also take care of the War on Drugs and that pesky Murder problem. Of course, if you DID manipulate the votes and win the Election, you would have the ability to, well, CHANGE the law (and Senate rules) should you be indicted on, oh, say, Corruption charges.
http://www.washingtonpost.com/wp-dyn/articles/A57294-2004Nov17.html
But no one would do that, because that would be wrong.
And besides, the fine folks at Diebold must be law-abiding ex-felons, right? Even though they can't VOTE on the systems in some states, they can still design and build them. <sarcastic sigh> THAT's a good idea.
Q: Where can we see the Diebold memos you're referencing?
A: Some fine person (or people) at Swarthmore have posted a complete archive of Diebold memos at
http://scdc.sccs.swarthmore.edu/diebold/ . Read the excerpts there, or you can download the entire 7.7MB archive HERE.
Q: Will you get in trouble for downloading Diebold's software?
A: I thought about that before posting this, and after reading what both Bev Harris and Jim Clark said, I think I'll just quote them. I don't know if I can say it any better:
Bev:
"Here is what I came to believe, after much thought: I think that examining our voting machine software is not only a legitimate activity, but it is also our civic duty. For queasier souls, I offer these statements in defense of this endeavor:
1) These files were publicly available.
2) Examining them is in the public interest.
3) Our objective is study and review, not copying and selling voting systems.
4) In a democracy, vote-counting should not be secret in the first place."
http://www.blackboxvoting.org/bbv_chapter-12.pdf
Jim takes a somewhat more aggressive stance, and backs it up, as he and Bev are suing Diebold under a WhistleBlower Law and actively trying to take it to court (from www.equalccw.com/dieboldtestnotes#appendixC; their lawsuit information is at http://www.usatoday.com/tech/news/computersecurity/2004-07-12-evote-calif-suit_x.htm):
"First, let me explain that I fully "confess" that I am distributing Diebold copyrighted product on my website. And I was (and am) involved in the effort to strip the encryption from some of the ZIP archives downloaded from Diebold's FTP site.
So why am I not worried?
a) I believe all this falls under "fair use". I have a history of using the Public Records Act to expose government-related misconduct, corruption and general stupidity. See also:
http://www.equalccw.com/commiemommies.html (the first time my reporting made Matt Drudge's site)
(the second time Drudge picked my stuff up - note that Perata is a well-known rabidly anti-gun politician)
http://www.equalccw.com/oaklandzen.html
http://www.equalccw.com/sactoletter.html
...and other examples.
b) Voting is a highly "public" function, and public scrutiny over the election process is a VERY well established area of law. There have been two lower court decisions in favor of the secrecy of electronic voting systems but first, I believe those decisions were wrong and second, in those cases no specific allegations of misconduct were presented - only theoretical issues.
c) In Diebold's case, misconduct is very, VERY well established. Good God, where do we start?
· Diebold is supposed to be supplying security with their system - it's part of the contract for services, either implied, specific or in some cases, mandated by law. So they leave their FTP site totally wide open, only encrypt some files and the ones they do encrypt, they do so with ZIP encryption which is known to be flawed?
· Diebold grabbed elections data from 3:31pm on the DAY OF THE RACE in SLO County. If the data isn't public record, then what the hell were they doing with it?!
· California Penal Code 19205(c) says that the Secretary of State shall not approve voting systems that are "subject to tampering". GEMS doesn't even begin to qualify, once you know that MS-Access is a "hack tool". By withholding the info on grotesque security flaws via MS-Access, Diebold violated God only knows how many contracts plus that element of state law.
· Diebold's own internal memos show that they fully understood the issues Bev Harris discovered years later, knew they were in violation of a slew of laws, and lied to the Federal testing labs. It doesn't get any worse - this is an "Enron grade" corporate ethics failure.
d) The elements of "c" above lead to an "unclean hands" problem on Diebold's. In court, the term "unclean hands" applies to somebody who tries to get "justice" when they themselves are law-breakers. This is why a crack dealer can't sue his customers over failure to pay.
e) I hope they do sue me in civil court. The discovery process will be an absolute blast. Depositions will be even more fun.
f) They might convince the Feds to prosecute me criminally. Riiight. Let's see - will they be able to convince a jury that hey, this whole "democracy" thing is over-rated? Basically, prosecuting me for copyright issues and/or hacking under the DMCA would be much the same as the guy who sees a robber in a ski mask and packin' a shotgun rush into a bank, so he slashes the crook's tires - and gets prosecuted for vandalism. There's such a thing as a "necessity defense" in criminal law. It applies in this case, in spades.
g) Yo Diebold: before you take me on, you should know what you're up against. Go here:
http://www.keepandbeararms.com/information/Item.asp?ID=3601
Pay particular attention to the downloadable video linked in that article. That's what you'll be facing in court.
h) I have friends with law degrees. Lots of 'em. Scads. And they're gun-rights lawyers, which in California means "battle hardened sumbiches fighting behind enemy lines".
i) Special message to Diebold: you are cordially invited to bite me. Bring it on. Make my day."--Jim Clark
As for me, I think that if this does come to light, many Diebold executives will be going to jail. Or BACK to jail, anyway. And rightfully so.
*Note - This does not constitute legal advice for those who try it themselves.
Q: Do you know what the version of the software that was used this election and is it available for download? 1.18.17 is from early 2003 if I recall. Or does anyone at least have release notes so we can see what is different?
A: Officially the version for this election is 1.18.19, but per their changelog there were no major changes. I don't have the release notes handy, however. I will try to find a copy - I know the folks at blackboxvoting.org have one.
Addendum - 1.17.17 was used in Gaston County, which was staffed by a Diebold tech on Election Day.
Q: If there is a password on the Access db that would make it tougher to access, is this info stored in a specific table in a “master” db that can be accessed to reset the password? Is it encrypted, and is there a crack utility to decrypt? I’m asking because I want to know every possible way in for a hacker or dishonest poll worker.
A: There is no Access password. Diebold's engineer (quoted in the article) talks about why they never put one on it. See the "King County is famous for it" line.
Speaking of passwords though, the actual GEMS password is stored inside the Access database, so even if you don't have the GEMS password, you can get it very easily.
Q: Do you know of any s/w copies and db’s of the other electronic voting companies systems that can be reviewed as well? Do they use Access as well and are they as easy to circumvent?
A: Sorry - I've only tested Diebold. I do know that there is one who uses better, more open software, but I don't have any details on the other systems. Diebold is definitely the 800 lb gorilla.
I am starting to look into a system called WINvote, which apparently uses 802.11B wireless. Another DumbAss idea.
Q: Do you know of any information that breaks down the irregularities by precinct using each competing brand? That could help determine if any one particular type of machine was “harder” for them to rig…?
Since I hear Diebold is the majority, perhaps this isn’t as relevant, but I’d like to know for purposes of discussion.
A: There is more data being generated out there than I have had time to analyze. DemocraticUnderground.com has a big forum on the voting issues, with several different big analyses. You might find it there - if you do, please let me know!
Q: Do you know if there have been any specific software security guidelines given to the government as part of their RFP process? We should make sure there is, in case we do get the opportunity to get legislation on the floor. I say this because I doubt we’ll be able to get rid of the e-voting type machines, so we’ll have to settle for smart, common sense, industry standard operational guidelines and procedures at the least.
A: Yes, there are specific requirements - there are a bunch of certification papers on blackboxvoting.org - the main page, where it says "Technical people, test it yourself". They're pdf files from the certification process. They list requirements and what the certifying authority is to have checked. Note the one that says "Penetration Analysis - N/A, not tested". <sigh>
My Open Letter of Thanks to my Site Visitors:
Thanks! Your support means a lot - it's a little overwhelming when something that you've been talking about for a long time suddenly hits the spotlight. I probably should have let it go by now, but I just have this character flaw that won't let me just shut up when I know I'm right. I just got off the phone with Chronograph magazine out of NY - they wanted an interview - and I have had I don't know how many site views in the last few days. People are trying to hook me up with Congressmen - I'll keep you posted on that. I might be meeting with some local representatives later, but it's not confirmed yet. I've been asked if I would testify on Capitol Hill, and yeah, I'd be glad to. Whatever I need to do to preserve our Democracy. Or get it back.
From what I understand, Bush's lawyers are waging quite an effective war trying to shut dissenting voices down, regardless of the now over 37,000 incidents reported to verifiedvoting.com. Even the NY Times has told its reporters that the paper will not cover it. Well, I will. For what it's worth ;-) . It's amazing to me that with the MOUNTAINS of evidence and information that this issue is being dismissed by so many as a "tin foil hat crowd" conspiracy theory.
I wrote to the NC Republican Party last week, but haven't heard anything back. I'm so disappointed at some of our fellow Republicans' responses - some people can't see past the partisan politics and look at the real problem. It's like "It's OK if our votes don't count, as long as my guy wins." Is that what real "Values Voters" believe? What about when your son or daughter gets drafted and killed? Should your vote have mattered then? Makes me want to be a Congressman like Bush Sr. just so I can protect my kids in case of another Vietnam. We all know that with a few exceptions, rich kids don't fight wars.
Sorry, don't mean to vent - just frustrated.
Thanks for your support, and keep fighting the good fight!
Peace,
Chuck
More questions? Drop me a line.
Copyright 2004 Chuck Herrin.