By Kim Zetter, Wired News, September 22, 2004
Voting activist Bev Harris and a computer scientist say they found more vulnerabilities in an electronic voting system made by Diebold Election Systems, weaknesses that could allow someone to alter votes in the election this November.
Diebold said Harris' claims are without merit and that if anyone did manage to change votes, a series of checks and balances that election officials perform at the end of an election would detect the changes.
Harris demonstrated the vulnerabilities to officials in the California secretary of state's office several weeks ago ....
David Jefferson, a computer scientist at Lawrence Livermore National Laboratory and a member of the California secretary of state's voting systems panel, agreed with Diebold that election procedures could help prevent or detect changes in votes, but said that election officials and poll workers do not always follow procedures. Therefore, election observers need to know about the vulnerabilities so they can help reduce the risk that someone could use them to rig an election.
Jefferson added that he doesn't believe that the vulnerabilities show deliberate malice on Diebold's part to aid fraud, as Harris has sometimes contended in public statements. But the vulnerabilities do show incompetence and indicate that Diebold programmers simply don't know how to design a secure system.
Harris said it's possible to alter the vote summaries while leaving the raw data alone. In doing so, the election results that go to state officials would be manipulated, while the canvass spot check performed on the raw data would show that the GEMS results were accurate. Officials would only know that the summary votes didn't match precinct results if they went back and manually counted results from each individual polling place and compared them to the vote summaries in GEMS.
Diebold said because the two sets of data are coupled in GEMS it would be impossible for someone to change the summaries without changing the precinct data that feeds the summaries. And if they did, the system would flag the change.
But Harris said it's possible to change the voting summaries without using GEMS by writing a script in Visual Basic -- a simple, common programming language for Windows-based machines -- that tricks the system into thinking the votes haven't been changed. GEMS runs on the Windows operating system.
The trick was uncovered by Herbert Thompson, director of security technology at Security Innovation and a teacher of computer security at the Florida Institute of Technology. Thompson has authored several nonfiction books on computer security and co-authored a new novel about hacking electronic voting systems called The Mezonic Agenda: Hacking the Presidency.
Thompson acknowledged that the hack would take an insider with knowledge of the voting system and election procedures and access to GEMS. But this could include technical people working for a county or Diebold employees who sometimes assist technically challenged election officials on election night. It's unlikely that unsavvy election officials or observers would notice or understand the significance of someone writing five lines of code in Notepad.
....speaking generally on the vulnerabilities Harris mentions, Diebold spokesman David Bear said by phone that no one would risk manipulating votes in an election because it's against the law and carries a heavy penalty. He also said that election "policies and procedures dictate that no (single) person has access or is in control of a (voting) system," so it would be impossible for anyone to change votes on a machine without others noticing it. And even if someone managed to change the votes, auditing procedures would detect it.
Diebold spokesman Mark Radke said that after an election, counties are supposed to go back to the memory cards taken from voting machines and manually add vote totals stored on the cards as well as vote totals on a paper printout that poll workers take from each machine at the close of the polls. Officials compare these totals to the GEMS summary totals and if there is a discrepancy, Radke said, the totals from the memory cards take precedence over the GEMS totals.
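The reconciliation Radke describes, as an added example (not code from the article, Diebold or GEMS): it adds up every precinct's memory-card totals, cross-checks each card against its paper printout, and compares the result with the summary totals. Precinct names, candidates, counts and the data layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real election results).
# Per-precinct totals read from memory cards and from the paper printouts.
CARDS = {
    "P01": {"A": 120, "B": 95},
    "P02": {"A": 80, "B": 110},
    "P03": {"A": 60, "B": 70},
}
PRINTOUTS = {
    "P01": {"A": 120, "B": 95},
    "P02": {"A": 80, "B": 110},
    "P03": {"A": 60, "B": 70},
}
# Summary totals as reported by the central tabulator (constructed; altered).
SUMMARY = {"A": 290, "B": 245}


def reconcile(cards, printouts, summary):
    """Recompute totals from every precinct and compare with the summary."""
    # Precincts whose memory card and paper printout disagree need a manual look
    # (a precinct missing from one source counts as a disagreement).
    precinct_mismatch = sorted(
        p for p in set(cards) | set(printouts) if cards.get(p) != printouts.get(p)
    )
    # Independent totals: add up every memory card, ignoring the summary table.
    recomputed = defaultdict(int)
    for totals in cards.values():
        for candidate, votes in totals.items():
            recomputed[candidate] += votes
    # Per candidate: summary minus recomputed; non-zero means the summary is off.
    summary_delta = {
        c: summary.get(c, 0) - recomputed.get(c, 0)
        for c in sorted(set(summary) | set(recomputed))
        if summary.get(c, 0) != recomputed.get(c, 0)
    }
    # Memory-card totals take precedence over the summary when they differ.
    return {
        "precinct_mismatch": precinct_mismatch,
        "summary_delta": summary_delta,
        "certified": dict(recomputed),
    }


RESULT = reconcile(CARDS, PRINTOUTS, SUMMARY)
```

In this constructed data every precinct's card matches its printout and the grand total is unchanged, so only the full recomputation across all precincts exposes the shifted summary.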
Jefferson, the Lawrence Livermore computer scientist, agreed that election procedures usually indicate that there should not be one person operating the counting software. He also agreed with Bear that officials could catch discrepancies in vote totals if they went back and manually added up the results from every individual polling place and compared the totals with the tallies in the summary report. But Jefferson said that election officials and poll workers don't always follow procedures. In the California March primary, he pointed out, several counties refused to follow procedures that were requested by the secretary of state's office and others failed to follow procedures that are mandated under California election law.
Rather than creating a system that relies on the "perfect execution of (poll worker) procedures," Jefferson said, Diebold should have designed the system to better prevent fraud.
"You don't want to make up for poor design by adding more burden to beleaguered poll workers and election officials who don't understand the reasons for all of the rules that they have to obey and (are therefore) likely to cut corners," Jefferson said.
As for why Diebold would have designed such a poor system, Jefferson thinks the company simply didn't know how to do it any better.
"There are a lot of reasons why you might want parallel tables of vote totals," Jefferson said. "But there are better designs that avoid (these vulnerabilities) entirely. If you are not a world-class designer, if you're making it up as you go along and not deeply educated in data management, this is the kind of design you might come up with.
"I think the designers of the Diebold system never seriously understood what it would take to prevent vote manipulation by insiders," Jefferson said. "I consider that to be inexcusable."