Inside A U.S. Election Vote Counting Program
* Bev Harris is the author of the soon to be published
book "Black Box Voting: Ballot Tampering In The 21st Century"
IMPORTANT NOTE: Publication of this story marks a watershed in
American political history. It is offered freely for publication in full
or part on any and all internet forums, blogs and noticeboards. All
other media are also encouraged to utilise material. Readers are
encouraged to forward this to friends and acquaintances in the United
States and elsewhere.
1 - Can the votes be changed?
2 - Can the password be bypassed?
3 - Can the audit log be altered?
According to election industry officials, electronic voting systems
are absolutely secure, because they are protected by passwords and
tamperproof audit logs. But the passwords can easily be bypassed, and in
fact the audit logs can be altered. Worse, the votes can be changed
without anyone knowing, even the County Election Supervisor who runs the
The computer programs that tell electronic voting machines how to
record and tally votes are allowed to be held as "trade secrets." Can
citizens' groups examine them? No. The companies that make these
machines insist that their mechanisms are a proprietary secret. Can
citizens' groups, or even election officials, audit their accuracy? Not
at all, with touch screens, and rarely, with optical scans, because most
state laws mandate that optical scan paper ballots be run through the
machine and then sealed into a box, never to be counted unless there is
a court order. Even in recounts, the ballots are just run through the
machine again. Nowadays, all we look at is the machine tally.
Therefore, when I found that Diebold Election Systems had been
storing 40,000 of its files on an open web site, an obscure site, never
revealed to public interest groups, but generally known among election
industry insiders, and available to any hacker with a laptop, I looked
at the files. Having a so-called security-conscious voting machine
manufacturer store sensitive files on an unprotected public web site,
allowing anonymous access, was bad enough, but when I saw what was in
the files my hair turned gray. Really. It did.
The contents of these files amounted to a virtual handbook for
vote-tampering: They contained diagrams of remote communications setups,
passwords, encryption keys, source code, user manuals, testing
protocols, and simulators, as well as files loaded with votes and voting
Diebold Elections Systems AccuVote systems use software called
"GEMS," and this system is used in 37 states. The voting system works
Voters vote at the precinct, running their ballot through an optical
scan, or entering their vote on a touch screen.
After the polls close, poll workers transmit the votes that have been
accumulated to the county office. They do this by modem.
At the county office, there is a "host computer" with a program on it
called GEMS. GEMS receives the incoming votes and stores them in a vote
ledger. But in the files we examined, which were created by Diebold
employees and/or county officials, we learned that the Diebold program
used another set of books with a copy of what is in vote ledger
1. And at the same time, it made yet a third vote ledger with another
Apparently, the Elections Supervisor never sees these three sets of
books. All she sees is the reports she can run: Election summary
(totals, county wide) or a detail report (totals for each precinct). She
has no way of knowing that her GEMS program is using multiple sets of
books, because the GEMS interface draws its data from an Access
database, which is hidden. And here is what is quite odd: On the
programs we tested, the Election summary (totals, county wide) comes from
vote ledger 2 instead of vote ledger 1, and ledger 2 can be altered
so it may or may not match ledger 1.
Now, think of it like this: You want the report to add up only
the actual votes. But, unbeknownst to the election supervisor,
votes can be added and subtracted from vote ledger 2. Official reports
come from vote ledger 2, which has been disengaged from vote ledger 1.
If one asks for a detailed report for some precincts, though, the report
comes from vote ledger 1. Therefore, if you keep the correct votes in
vote ledger 1, a spot check of detailed precincts (even if you compare
voter-verified paper ballots) will always be correct.
And what is vote ledger 3 for? For now, we are calling it the "Lord
Only Knows" vote ledger.
Detailed Examination Of Diebold GEMS Voting Machine Security ( Part
CAN THE VOTES BE
Here's what we're going to do: We'll go in and run a totals report,
so you can see what the Election Supervisor sees. Then we'll tamper with
the votes. I'll show you that our tampering appears in Table 2, but not
Table 1. Then we'll go back and run another totals report, and you'll
see that it contains the tampered votes from Table 2. Remember that
there are two programs: The GEMS program, which the Election Supervisor
sees, and the Microsoft Access database that stores the votes, which she
Let's run a report on the Max Cleland/Saxby Chambliss race. (This is
an example, and does not contain the real data.) Here is what the Totals
Report will look like in GEMS:
As it stands, Cleland is stomping Chambliss. Let's make it more
The GEMS election file contains more than one "set of books." They
are hidden from the person running the GEMS program, but you can see
them if you go into Microsoft Access. You might look at it like this:
Suppose you have votes on paper ballots, and you pile all the paper
ballots in room one. Then, you make a copy of all the ballots and put
the stack of copies in room 2.
You then leave the door open to room 2, so that people can come in
and out, replacing some of the votes in the stack with their own.
You could have some sort of security device that would tell you if
any of the copies of votes in room 2 have been changed, but you opt not
Now, suppose you want to count the votes. Should you count them from
room 1 (original votes)? Or should you count them from room 2, where
they may or may not be the same as room 1? What Diebold chose to do in
the files we examined was to count the votes from "room 2." Illustration:
If an intruder opens the GEMS program in Microsoft Access, they will
find that each candidate has an assigned number:
One can then go see how many votes a candidate has by visiting "room
1" which is called the CandidateCounter:
In the above example, "454" represents Max Cleland and "455"
represents Saxby Chambliss. Now let's visit Room 2, which has copies of
Room 1. You can find it in an Access table called SumCandidateCounter:
Now let's put our own votes in Room 2. We'll put Chambliss ahead by a
nose, by subtracting 100 from Cleland and adding 100 to Chambliss.
Always add and delete the same number of votes, so the number of voters
Notice that we have only tampered with the votes in "Room 2." In
Room 1, they remain the same. Room 1, after tampering with Room 2:
Now let's run a report again. Go into GEMS and run the totals report.
Here's what it looks like now:
Now, the above example is for a simple race using just one precinct.
If you run a detail report, you'll see that the precinct report pulls
the untampered data, while the totals report pulls the tampered data.
This would allow a precinct to pass a spot check.
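The check that the spot check above lacks is a reconciliation of the summary table against the detail table. The following is an added example, not code from the article or from GEMS: it uses the two table names given above, while the column names, the SQLite stand-in for Access and all vote counts are constructed for illustration.

```python
import sqlite3

# Table names come from the article; column names and counts are constructed.
SCHEMA = """
CREATE TABLE CandidateCounter (precinct INTEGER, candidate INTEGER, votes INTEGER);
CREATE TABLE SumCandidateCounter (candidate INTEGER PRIMARY KEY, votes INTEGER);
"""

# Every candidate whose summary total differs from the sum of the detail rows,
# including candidates missing from one of the two tables.
RECONCILE = """
WITH detail AS (
    SELECT candidate, SUM(votes) AS votes FROM CandidateCounter GROUP BY candidate
), ids AS (
    SELECT candidate FROM detail UNION SELECT candidate FROM SumCandidateCounter
)
SELECT ids.candidate, d.votes, s.votes
FROM ids
LEFT JOIN detail d ON d.candidate = ids.candidate
LEFT JOIN SumCandidateCounter s ON s.candidate = ids.candidate
WHERE d.votes IS NOT s.votes
ORDER BY ids.candidate
"""

def build_sample():
    """Two constructed precincts; summary rows copied faithfully from detail."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO CandidateCounter VALUES (?, ?, ?)",
                   [(1, 454, 600), (2, 454, 450), (1, 455, 500), (2, 455, 480)])
    db.execute("INSERT INTO SumCandidateCounter "
               "SELECT candidate, SUM(votes) FROM CandidateCounter GROUP BY candidate")
    return db

def reconcile(db):
    """Return (candidate, detail_total, summary_total) for each mismatch."""
    return db.execute(RECONCILE).fetchall()

def grand_totals(db):
    """Overall vote count in each table; equal totals do not prove agreement."""
    detail = db.execute("SELECT SUM(votes) FROM CandidateCounter").fetchone()[0]
    summary = db.execute("SELECT SUM(votes) FROM SumCandidateCounter").fetchone()[0]
    return detail, summary

if __name__ == "__main__":
    db = build_sample()
    # The article's scenario on constructed data: only the summary table is edited.
    db.execute("UPDATE SumCandidateCounter SET votes = votes - 100 WHERE candidate = 454")
    db.execute("UPDATE SumCandidateCounter SET votes = votes + 100 WHERE candidate = 455")
    print(grand_totals(db))
    print(reconcile(db))
```

The grand totals of the two tables still agree after the edit, which is why the comparison has to be made per candidate rather than on the overall count.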
Detailed Examination Of Diebold GEMS Voting Machine Security (Part 2)
CAN THE PASSWORD BE BYPASSED?
At least a dozen full installation versions of the GEMS program were
available on the Diebold ftp site. The manual, also available on the ftp
site, tells that the default password in a new installation is
"GEMSUSER." Anyone who downloaded and installed GEMS can bypass the
passwords in elections. In this examination, we installed GEMS, clicked
"new" and made a test election, then closed it and opened the same file
in Microsoft Access.
One finds where they store the passwords by clicking the "Operator"
Anyone can copy an encrypted password from there, go to an election
database, and paste it into that.
Example: Cobb County Election file
One can overwrite the "admin" password with another, copied from
another GEMS installation. It will appear encrypted; no worries, just
cut and paste. In this example, we saved the old "admin" password so we
could replace it later and delete the evidence that we'd been there. An
intruder can grant himself administrative privileges by putting zeros in
the other boxes, following the example in "admin."
How many people can gain access? A sociable election hacker can give
all his friends access to the database too! In this case, they were
added in a test GEMS installation and copied into the Cobb County
Microsoft Access file. It encrypted each password as a different
character string; however, all the passwords are the same word:
"password." Password replacement can also be done directly in Access. To
assess how tightly controlled the election files really are, we added 50
of our friends; so far, we haven't found a limit to how many people can
be granted access to the election database.
Using this simple way to bypass password security, an intruder, or an
insider, can enter GEMS programs and play with election databases to
their heart's content.
Detailed Examination Of Diebold GEMS Voting Machine Security ( Part
CAN THE AUDIT TRAIL BE ALTERED?
Britain J. Williams, Ph.D., is the official voting machine certifier
for the state of Georgia, and he sits on the committee that decides how
voting machines will be tested and evaluated. Here's what he had to say
about the security of Diebold voting machines, in a letter dated April
"Computer System Security Features: The computer portion of the
election system contains features that facilitate overall security of
the election system. Primary among these features is a comprehensive set
of audit data. For transactions that occur on the system, a record is
made of the nature of the transaction, the time of the transaction, and
the person that initiated the transaction. This record is written to the
audit log. If an incident occurs on the system, this audit log allows an
investigator to reconstruct the sequence of events that occurred
surrounding the incident.
In addition, passwords are used to limit access to the system to
authorized personnel."
Since Dr. Williams listed the audit data as the
primary security feature, we decided to find out how hard it is to alter
the audit log.
Here is a copy of a GEMS audit report.
Note that a user by the name of "Evildoer" was added. Evildoer
performed various functions, including running reports to check his
vote-rigging work, but only some of his activities showed up on the
It was a simple matter to eliminate Evildoer. First, we opened the
election database in Access, where we opened the audit table:
Then, we deleted all the references to Evildoer and, because we
noticed that the audit log had never recorded the admin closing the GEMS
program earlier, we tidily added an entry for that.
Access encourages those who create audit logs to use auto-numbering,
so that every logged entry has an uneditable log number. Then, if one
deletes audit entries, a gap in the numbering sequence will appear.
However, we found that this feature was disabled, allowing us to write
in our own log numbers. We were able to add to and delete from the audit
log without leaving a trace. Going back into GEMS, we ran another audit log
to see if Evildoer had been purged:
As you can see, the audit log appears pristine.
In fact, when using Access to adjust the vote tallies we found that
tampering never made it to the audit log at all.
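An audit log can be made tamper-evident even when log numbers are editable, by chaining each entry to the hash of the previous one and recording the latest hash somewhere outside the database. The following is an added example, not code from the article or from GEMS: the entry fields, the sample actions and the function names are constructed, and only the user name "Evildoer" comes from the text above.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry

def _digest(seq, user, action, prev):
    body = json.dumps([seq, user, action, prev], separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append(log, user, action):
    """Append an entry and return the new head hash, to be recorded elsewhere."""
    seq = log[-1]["seq"] + 1 if log else 1
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"seq": seq, "user": user, "action": action, "prev": prev,
                "hash": _digest(seq, user, action, prev)})
    return log[-1]["hash"]

def verify(log, anchored_head):
    """Return a list of findings; an empty list means the log matches the anchor."""
    findings, prev, expected = [], GENESIS, 1
    for e in log:
        if e["seq"] != expected:
            findings.append(f"sequence gap before entry {e['seq']}")
        if e["prev"] != prev or e["hash"] != _digest(
                e["seq"], e["user"], e["action"], e["prev"]):
            findings.append(f"chain broken at entry {e['seq']}")
        prev, expected = e["hash"], e["seq"] + 1
    if prev != anchored_head:
        findings.append("head does not match the externally recorded value")
    return findings

def sample_log():
    """Constructed entries; only the user name "Evildoer" is from the article."""
    log, head = [], GENESIS
    for user, action in [("admin", "open election"), ("Evildoer", "login"),
                         ("Evildoer", "run summary report"),
                         ("admin", "run summary report")]:
        head = append(log, user, action)
    return log, head

if __name__ == "__main__":
    log, head = sample_log()
    pruned = [e for e in log if e["user"] != "Evildoer"]            # entries removed
    renumbered = [dict(e, seq=i) for i, e in enumerate(pruned, 1)]  # numbers rewritten
    rebuilt = []                                                    # chain recomputed
    for e in pruned:
        append(rebuilt, e["user"], e["action"])
    for name, candidate in [("intact", log), ("pruned", pruned),
                            ("renumbered", renumbered), ("rebuilt", rebuilt)]:
        print(name, verify(candidate, head))
```

A log whose chain has been recomputed from scratch is internally consistent, so only the comparison against the head value kept outside the database exposes it. That value therefore has to live where a database editor cannot reach it, such as a printed or signed record.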
Although we interviewed election officials and also the technicians
who set up the Diebold system in Georgia, and they confirmed that the
GEMS system does use Microsoft Access, is designed for remote access,
and does receive "data corrections" from time to time from support
personnel, we have not yet had the opportunity to test the above
tampering methods in the County Election Supervisor's office.
From a programming standpoint, there might be reasons to have a
special vote ledger that disengages from the real one. For example,
election officials might say they need to be able to alter the votes to
add provisional ballots or absentee ballots. If so, this calls into
question the training of these officials, which appears to be done by
The Election Center, under the direction of R. Doug Lewis. If election
officials are taught to deal with changes by overwriting votes,
regardless of whether they do this in vote ledger 1 or vote ledger 2,
this is improper.
If changing election data is required, the change must be
made not by overwriting vote totals, but by making a corrective entry.
When adding provisional ballots, for example, the proper procedure is to
add a line item "provisional ballots," and this should be added into the
original vote table (Table 1). It is never acceptable to make changes by
overwriting vote totals. Data corrections should not be prohibited, but
must always be done by indicating changes through a clearly marked line
item that preserves each transaction.
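The bookkeeping rule described above can be enforced in the database itself. The following is an added example, not code from the article or from GEMS: it sketches an append-only vote table in SQLite where corrections are new line items and the report totals are a view derived from those items. The schema, names and counts are constructed for illustration.

```python
import sqlite3

# Constructed schema: every change is a line item, and reports read a view
# that is derived from the line items, so there is no second set of totals.
SCHEMA = """
CREATE TABLE vote_entries (
    entry_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    precinct   INTEGER NOT NULL,
    candidate  INTEGER NOT NULL,
    votes      INTEGER NOT NULL,
    entry_type TEXT NOT NULL
);
CREATE TRIGGER vote_entries_no_update BEFORE UPDATE ON vote_entries
BEGIN SELECT RAISE(ABORT, 'vote entries are append-only'); END;
CREATE TRIGGER vote_entries_no_delete BEFORE DELETE ON vote_entries
BEGIN SELECT RAISE(ABORT, 'vote entries are append-only'); END;
CREATE VIEW totals AS
    SELECT candidate, SUM(votes) AS votes FROM vote_entries GROUP BY candidate;
"""

def open_ledger():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record(db, precinct, candidate, votes, entry_type):
    """Add a line item; corrections are new rows (possibly negative), never edits."""
    db.execute("INSERT INTO vote_entries (precinct, candidate, votes, entry_type) "
               "VALUES (?, ?, ?, ?)", (precinct, candidate, votes, entry_type))

def totals(db):
    return dict(db.execute("SELECT candidate, votes FROM totals ORDER BY candidate"))

def overwrite_rejected(db, sql):
    """Run an UPDATE or DELETE and report whether the triggers blocked it."""
    try:
        db.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False

if __name__ == "__main__":
    db = open_ledger()
    record(db, 1, 454, 600, "election day")
    record(db, 1, 455, 500, "election day")
    record(db, 1, 454, 12, "provisional ballots")   # clearly marked line item
    print(overwrite_rejected(db, "UPDATE vote_entries SET votes = 0"))
    print(totals(db))
```

Triggers enforce the rule for software that goes through SQL, but anyone who can open the database file directly can drop them. They complement access control on the file and an audit record kept outside the database; they do not replace either.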
Proper bookkeeping never allows an extra ledger that can be
used to just erase the original information and add your own. And
certainly, it is improper to have the official reports come from the
second ledger, which may or may not have information erased or added.
But there is more evidence that these extra sets of books are
illicit: If election officials were using Table 2 to add votes, for
provisional ballots, or absentee voters, that would be in their GEMS
program. It makes no sense, if that's what Diebold claims the extra set
of books is for, to make vote corrections by sneaking in through the
back door and using Access, which according to the manual is not even
installed on the election official's computer.
Furthermore, if changing Table 2 was an acceptable way to adjust for
provisional ballots and absentee votes, we would see the option in GEMS
to print a report of both Table 1 totals and Table 2 so that we can
compare them. Certainly, if that were the case, that would be in the
manual along with instructions that say to compare Table 1 to Table 2,
and, if there is any difference, to make sure it exactly matches the
number of absentee ballots, or whatever, that were added.
Using Microsoft Access was inappropriate for security reasons. Using
multiple sets of books, and/or altering vote totals to include new data,
is improper for accounting reasons. And, as a member of slashdot.org
commented, "This is not a bug, it's a feature."
*** ENDS ***
Copyright (c) Scoop Media