11-4-05: Mail-in votes at higher risk with Diebold systems

BBV Admin (Board Administrator)
Posted on Friday, November 4, 2005 - 8:00 am

New information obtained by Black Box Voting investigator Jim March shows that mail-in votes in upcoming Nov. 8 elections will lack crucial safeguards. The Diebold "GEMS defect" -- the ability for anyone with access to change vote results on the "mother ship" that tallies and controls election results -- has now been acknowledged by Diebold, but has not been mitigated in most locations, and it is worse for mail-in votes.

The GEMS defect has been proven. The risks are significant. Mail-in votes are at exceptional risk because they are counted on a system that lacks protective features found on polling place machines.

While the precinct-based optical scan machines made by Diebold produce a results tape, the same machines, when counting mail-in ballots, use a different program and do not store vote tallies on a memory card, nor do they produce an independent results tape. Therefore the defective GEMS program holds the only record for absentee vote totals.

The GEMS program is run on an ordinary PC, using the Windows operating system. Vote totals from each precinct, along with mail-in votes, are uploaded to the GEMS computer. GEMS tallies all votes and produces final election results.

According to the Aug. 18, 2004 report by CompuWare Corp., an independent evaluation commissioned by the Ohio secretary of state:

"... an unauthorized person with access to the GEMS server can access the database and change ballot definition files and election results."

The ability to selectively change ballot definition files with mail-in votes can achieve vote swapping from one candidate to another. In GEMS, each candidate is assigned a number.

Sims: #413
Irons: #200
Lange: #522


In GEMS, you can selectively change the candidate identifier number for mail-in votes, like this:

Sims: #200
Irons: #413
Lange: #522


This will cause the mail-in results to give Sims votes to Irons, and vice versa, a very dangerous vulnerability for close elections. (You can also change the votes themselves in GEMS, but that requires adjustments in several GEMS database tables.)

Changing the candidate identifier number in GEMS provides a one-step adjustment that takes only seconds, and can be implemented any time during the absentee vote-counting process to flip results. As demonstrated in the Leon County, Florida elections office on May 2, 2005 by Dr. Herbert Thompson and Black Box Voting, this kind of GEMS manipulation does not require opening the GEMS program, does not require a GEMS password, and does not show up in any audit log.

The standard safeguard for this known risk is to compare results reports from voting machines with GEMS results reports. However, Black Box Voting has learned that Diebold's mail-in vote-counting system does not produce a voting machine report.

This week, Jim March examined the Diebold voting system in San Joaquin County, Calif. and learned that the voting machine results tape -- the telltale sign and the key safeguard for GEMS tabulator hacking -- does not exist for mail-in votes.

In California, approximately 30 percent of all votes are mail-in. In Washington state, the figure is over two-thirds of all votes, and in Oregon, 100 percent of votes are mail-in. All states have some mail-in voting, and new legislation has been proposed in many states which will have the effect of increasing (and sometimes mandating) mail-in voting.

Diebold optical scan machines process mail-in votes, according to San Joaquin County Systems Administrator Bill Barnes, without using a memory card (a credit card-sized removable disk which holds vote totals from the voting machine, and also controls how the voting machine calculates its paper results tape). The mail-in processing machines feed their votes directly into GEMS, and no independent record of the votes exists separate from GEMS, except the paper ballots themselves.
Jim March San Joaquin County examination

Therefore, the only way to catch a GEMS hack for mail-in votes is a hand count. California requires a hand count spot check -- but the 1 percent required is not only insufficient to catch manipulation, it is not required for mail-in votes. Most states using GEMS don't have hand count spot checks at all, leaving mail-in votes to the mercy of GEMS.

According to testimony elicited from Diebold on Oct. 17, Diebold is addressing the GEMS defect by adding a program called "Digital Guardian."
Transcript of Cuyahoga County hearing (see transcript pg. 230, Diebold acknowledgement of defect: "We addressed that by getting a third party software...")

The third CompuWare report, issued January 2005, tests the use of third party software to correct the GEMS defect. The software, "Digital Guardian", failed to mitigate the GEMS risk the first time, but succeeded in protecting GEMS after a patch to the Digital Guardian software was applied.
Third CompuWare Report

In San Diego, another program is under consideration, called "TripWire."

Neither Digital Guardian nor TripWire appears to have been certified for use with any voting system either by the EAC (federal) or by any state, and these programs do not appear to be in use in most (or any) locations to protect the Nov. 8 elections.

A history of exposures of the GEMS defect

The GEMS defect was first exposed by Black Box Voting founder Bev Harris in July, 2003. However, it was widely believed that the 'poll tapes' -- results reports that come out of the precinct-based voting machines -- could be compared with GEMS to mitigate this risk.

In August 2004, Harris taught Gov. Howard Dean how to hack the Diebold GEMS central tabulator on CNBC television. In September 2004, Dr. Herbert Thompson demonstrated using a trojan horse-like script to hack the GEMS central tabulator. At the same time, Black Box Voting videotaped Baxter the chimp hacking the GEMS audit log.
More: Howard Dean/Harris manipulating GEMS
Video: Baxter the chimp hacking the GEMS audit log


Diebold responded in the New York Times by characterizing these hacks as "a magic show," even though Diebold also provided a written response to election officials acknowledging that both MS Access and a Visual Basic script could be used to manipulate GEMS:

"For an attacker who edits the database directly, outside of GEMS, the individuals describe this approach, either using MS Access to manually edit the database, or alternatively using a Visual Basic (or other) script for this purpose. We've already established that it's possible to modify the database in this way, but what are the effects?" (pg 3)

and

"Simply stated, GEMS is not expecting outside forces to modify the database underneath it. If it were, then every value in the database would have to be considered suspect." (pg 3)

The Diebold rebuttal goes on to explain that the voting machine reports will detect GEMS tampering:

"But the attack is detected and thwarted because it introduces inconsistencies into the system and because the actual results are always available on their corresponding memory cards and conveniently summarized on the paper reports from each polling center." (pg 6)

Of course, since there is no corresponding memory card for mail-in ballots, and there is no "conveniently summarized paper report" for mail-in ballots, this puts mail-in votes at a significant security disadvantage.

If Diebold did not consider GEMS tampering to be a risk, why did they take action to correct the problem? As described above, Diebold's chief engineer testified on Oct. 17, 2005 that Diebold is taking steps to mitigate this defect, and the third CompuWare report describes those steps, though they do not appear to be in effect yet.

On August 18, 2004, CompuWare Corporation produced its second report, commissioned by Ohio secretary of state Kenneth Blackwell, who withheld the report from the public until 2005. What was in this report? CompuWare characterized GEMS vulnerability to the risks shown by Harris, Thompson, and Baxter as "high, high, high."
Aug. 18 CompuWare report.

Questions need to be asked as to why the 2004 election was allowed to go forward using this defective software, since it was a known risk, and the mitigations recommended in the 2004 CompuWare report apparently were not implemented.

Why did Ohio Secretary of State Ken Blackwell withhold the CompuWare report from the public until 2005?

Why were elections officials not told of this defect by the Elections Assistance Commission (EAC)?

Did Blackwell share what he knew with the EAC?

Despite known risks, the 2004 presidential election proceeded on largely unprotected GEMS tabulators in at least 800 jurisdictions, in 30 states, potentially affecting as many as 30 million votes.

Two years after the GEMS defect was exposed, it is still not corrected.
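
The safeguard the post describes, comparing tabulator totals with an independent record for each batch, sketched as an added example that is not part of the original post or any vendor code. Batch names and vote counts are constructed; only the candidate names come from the post. A batch with no results tape is reported as unverifiable until a hand count supplies a record.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "batch status detail")

def reconcile(central, independent):
    """Compare tabulator totals with independent per-batch records.

    Both arguments map batch -> {candidate: votes}. A batch absent from
    `independent` has no results tape or hand count to check against.
    """
    findings = []
    for batch in sorted(central):
        reported, record = central[batch], independent.get(batch)
        if record is None:
            findings.append(Finding(batch, "UNVERIFIABLE", "no independent record"))
            continue
        names = sorted(set(reported) | set(record))
        diff = {c: reported.get(c, 0) - record.get(c, 0) for c in names}
        changed = [c for c in names if diff[c] != 0]
        if not changed:
            findings.append(Finding(batch, "MATCH", ""))
        elif (len(changed) == 2
              and reported.get(changed[0], 0) == record.get(changed[1], 0)
              and reported.get(changed[1], 0) == record.get(changed[0], 0)):
            # Two candidates' totals are exactly exchanged: consistent with a
            # swapped candidate identifier rather than a counting error.
            findings.append(Finding(batch, "SWAP", " <-> ".join(changed)))
        else:
            detail = ", ".join(f"{c}:{diff[c]:+d}" for c in changed)
            findings.append(Finding(batch, "MISMATCH", detail))
    return findings

# Constructed sample data (not real results).
CENTRAL = {
    "precinct-001": {"Sims": 412, "Irons": 388, "Lange": 51},
    "precinct-002": {"Sims": 301, "Irons": 355, "Lange": 40},
    "mail-in": {"Sims": 2210, "Irons": 2644, "Lange": 190},
}
TAPES = {  # results tapes exist only for precinct machines
    "precinct-001": {"Sims": 412, "Irons": 388, "Lange": 51},
    "precinct-002": {"Sims": 355, "Irons": 301, "Lange": 40},
}
HAND_COUNT = {"mail-in": {"Sims": 2644, "Irons": 2210, "Lange": 190}}

if __name__ == "__main__":
    for f in reconcile(CENTRAL, TAPES):
        print(f)
    for f in reconcile(CENTRAL, {**TAPES, **HAND_COUNT}):
        print(f)
```

With tapes alone the mail-in batch cannot be checked at all; only after the hand count is merged in does the exchanged pair of totals become visible.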
 

All original content on this website is Copyright (c) 2008-2009 by Black Box Voting. All rights reserved.