BBV: Computer guys -- question about remote access to voting system

And "guys" is in the generic sense, meaning people of both genders.

Hope this isn't too "techie" for the DU board nowadays. I anticipate that some 40 million votes will be counted via a modem setup almost identical to the following, in Nov.

We are talking about the central tabulator here, the machine that receives incoming votes from all the polling places, plus counts the absentee votes, for both paper ballot (optical scan) and touch-screen systems.

The Diebold system is set up with RAS. Following are details from a small county in Florida, and this county official is very helpful and forthcoming. We have observed similar answers in very large areas who are more uncooperative. While I don't see this man's county as a huge target for vote manipulation, I'd like to know how vulnerable you computer folks think the setup described would be in a larger, more critical election area.

Can you comment on attack points for the following, a situation where the county elections supervisor is confident his system cannot be penetrated through telephone line modems:

(In response to public records request)

MY QUESTION: CAN SOMEONE SPEAK TO THE ISSUE OF "ONE WAY" MODEM CONFIGURATION?

The phone line we use for election night reporting is just that: an unpublished, dedicated line used only for incoming calls to interface between our GEMS server and our Accu-Vote precinct tabulators. Nothing is plugged into the line itself until election night when the modems, configured to receive incoming calls only, are plugged into it.

AND HE ALSO SAYS THIS:

The modems used to transmit election results are internal components to the Accu-Vote. I assume for the purposes of this request, you are more so interested in the modems used to receive election results into the GEMS server on election night

The public records request asks about who has passwords, username, phone numbers.

BASIC SETUP:

You might note my use of “modems”and then my reference to one “line.” Allow me to elaborate. We have a bank of 5 modems, but all incoming calls on election night come through a main line with one number, and that number is configured by Sprint to roll down to another number if a busy signal is detected.

The location of this line is separate from where the GEMS server usually resides (my office), because on election night the server is wheeled out into a publicly-viewable area before any results transmissions take place.

Our central tabulation server is not networked, not even with a dial-up connection, at any time other than election night.

AS TO WHO KNOWS DIAL-IN NUMBER, PASSWORD, USERNAME:

Only three people in our organization know, or have a need to know, the modem access number to our central tabulation machine. Since no dial-up access is configured, there are no “accounts” or “passwords” to keep a list of. Those people are:

- Chief Deputy and Elections Services Manager – responsible for programming the elections and operating the tabulation equipment on election night
– Warehouse Foreman – responsible for testing precinct phone lines for election results transmittal
– Administrative and Records Manager – responsible for payments to Sprint for said phone line

Now, it can obviously be assumed that someone at Sprint must know the phone number, but as they neither know, nor care what the line is used for, I won’t belabor the point.

NOTE THAT ANYONE WHO SEES THE PHONE BILL CAN GET THAT NUMBER, AND -- THOUGH HE SAYS JUST ONE PERSON PAYS THE BILLS, IN MOST COUNTY OFFICES, I DOUBT THAT THEY PUT MUCH SECURITY AROUND OUT-OF-DATE FILED INVOICES.

HE ALSO HAS THIS TO SAY ABOUT DIEBOLD:

Nobody, I repeat, nobody at Diebold Election Systems has our election results phone number. We are not dependant on any vendor, especially election systems vendors. All of our ballot layout and design is done in-house by me and while our returns are coming in telephonically, it is only my hands on the GEMS server keyboard with the canvassing board looking over my shoulder.

I'LL NOTE THAT OUR OBSERVATION OF ELECTION NIGHT OBSERVERS IS THAT THEY HAD ABSOLUTELY NO CLUE WHAT THEY ARE LOOKING FOR. MOSTLY THEY GATHER AROUND EVERY TIME RESULTS COME IN AND THE INTERIM REPORTS ARE PRINTED.

I'LL GIVE YOU MY TAKE ON THE FOLLOWING, BUT WANT ANY COMMENTS YOU HAVE:

On election night, incoming calls are monitored through the upload screen and because we have the luxury of only having 52 precincts, each precinct number is checked and double-checked as it comes in by me and at least 1 member of the canvassing board. Any superfluous calls to this line would be detected almost immediately. As soon as all precincts have reported in, the modems are switched off and subsequently unplugged.

THE MONITORING HE DESCRIBES IS DONE THROUGH THE GEMS INTERFACE. HERE'S WHAT IT LOOKS LIKE:
- A PANEL SHOWS EACH POLLING PLACE BY NAME. WHILE RESULTS ARE UPLOADING A GREEN ARROW APPEARS.

- WHEN THE MODEM IS "STUCK" OR HAVING SOME UNDEFINED TROUBLE OR TRYING WITHOUT SUCCESS TO HANDSHAKE, A YELLOW CIRCLE APPEARS.

- WHEN THERE IS NO ACTIVITY, A RED ICON APPEARS.

IN THIS CASE, FIVE PRECINCTS AT A TIME MAY BE LIT UP WITH GREEN OR YELLOW, BECAUSE HE HAS FIVE MODEMS WHICH OPERATE SIMULTANEOUSLY.

WE KNOW OF COUNTIES WITH UP TO 7,000 PRECINCTS AND AT LEAST 48 MODEMS GOING SIMULTANEOUSLY. (IN KING COUNTY, THE YELLOW CIRCLES WERE WINNING FOR HOURS AT A TIME, ON PRIMARY NIGHT.)

Now, I have two questions about this.
1) Since all you are doing is looking at GEMS, would you really know if an infiltrator modemed in? I am not assuming the attack would be for the purpose of mimicking a precinct upload. If I were doing it, I'd go for taking over the desktop or I'd upload a virus, like that shown by Dr. Herbert Thompson at our demo, which shaved votes in GEMS.

2) Does the frequency of these connectivity glitches concern you? There are many, many internal memos from Diebold where support techs mention that the modems stay connected too long, and in effect, refuse to hang up after the vote data is transmitted. Sometimes the modem light goes on (yellow) indicating there is a problem with connectivity, but it ID's itself as a specific polling place.

And, as mentioned above, in King County at one point 100% of the precincts showing activity were lit up with yellow circles and error messages. The messages varied.

Oh, by the way: He says username and password is not an issue. On some Diebold systems, as I understand it, the username and password is programmed into the transmitting voting machine.

His county is small, and apparently doesn't use techs. Most counties do have "rovers" or techs or temps (called "contract employees"). We observed two Diebold support people in King County during the primary election, and their internal documents indicate that they'll be providing support for 600 counties in Nov. I assume that techs will have modem access information.

Thanks for any insights.

Bev Harris

have access to your machine (with password) I guess anything is possible...how would you even know?

I would like to see 1/2 or hourly database vote counts to see if "massive vote swings do occur" at least you would have a sense of "foul play".


I suspect if that 1/2 hour counts might be corruptable as well... on second thought - unless they printed them out.

First and foremost:

The phone number is programmed into EACH PCMCIA card. Look at the user manuals....the screen to transfer results gives the number to dial in to. Forget that it can be changed by anyone, just understand that the number is, in essence, public knowlede.

How many times have you heard that the only truly secure computer is the one that isn't connected to a phone line and only one person can access it?

Every time you add another person/location/process that has to access the computer, you break the security.

By the process of having precincts dial the results into the computer, you have opened multiple security breaches - one for every precinct and another for every person who can read the phone number off the screen on each DRE.

Trillions of dollars entrusted to network systems. Hell our entire economy is for that matter.

But the question is whether or not appropriate steps are being taken.

I do.

Repeat after me:
"There is no such thing as a secure system".

You *are* right in that the true question is one of appropriate steps, but there is no such thing as a completely secure computer system, unless it has been reduced to a molten heap of slag.

Of course, for that matter, there is no such thing as a completely secure voting system, but I think the goal here is to make sure that electronic voting is at least as locked-down as other methods, if not more so.

-Bop

:kick:ass Bev! :)

Anybody could have the passwords, phone numbers, etc. Anybody could exploit flaws (and "features") in the Diebold software.

It would take only one person to hijack the system and upload fraudulent results. Nobody can watch the electronic ballots flowing through the wires. It's all about trusting Diebold and the phone company.

(This is mostly a kick...)

Of course not. The last thing anybody would do if they wanted to secure communication would be use the public switched network.

Not even the phone company uses unsecured access on critical lines. At the very least would be dual modems with a handshake and password passed between both lines back to each end. But even this is not secure if you possess the hardware.

At the very least, if strong security is a necessity, private dedicated point to point lines should have provided between each polling place and the central tabulator, much like bank ATM's.

And then the actual packet transmission would be encrypted with one-time passwords on PCMCIA cards hand carried to each individual polling location, under state police guard. And then returned along with each of the machine PCMCIA cards that contain the actual vote totals for each machine, again under escort.

Better yet, have no access whatsoever between the polling location and the central tabulator. The tabulator completely totally isolated from any network. Then secure each polling location with guards (state police) delivering the PCMCIA cards that contain the totals from each machine after posting the polling site total and closing/locking the site.

Open dial-up lines are always subject to cracking through many software tricks. Buffer overflows to name one of many.

Why have access between the tabulator and the polling sites? That makes no sense. Treat as polling machine as ballot box and carry the box to counting center. Of course then the problem becomes 'lost' ballot boxes.

Without a paper ballot, to audit and recount if necessary, it is all corruptable.

Computer voting is a bad idea. The basic idea is flawed. In the end there is no way to secure the voting as long as the process is hidden as electrons inside a machine. Who's idea was this anyway?

maybe you can find out what you need there.

<http://www.zdnet.com>

The voting machine hacks are much easier, and potentially more "profitable."

.....there's a paper record as backup! :evilgrin:

Suprise!

Dialup is fine because you don't base your security on the obscurity of the phone number.

Your security is based on identification and encryption technologys.

(Many ATMS at locations like gas stations etc that don't have alot of activity use dialup. Sometimes you can even hear them dial when you put in your atm card)

FOr that matter leased lines or not automatically more secure. ESPECIALLY if you don't use AAA on each end.

If millions are involved, its trivial matter to redirect a leased line if you have any inside knowledge whatsoever. (and when millions are involved, you can BUY inside knowledge)

With elections $ millions are involved. Or billions. Or trillions.

Nevertheless, I see holes big enough to throw a double-decker bus through.

PM me if interested.

The most elegant attack is something simpler, but as an unethical third party it would be very cool to be sitting on top of that "modem bank." You could collect the actual results off the top, and pass your fraudulent results down to the official "modem bank" of the "central tabulation server."

These days "modem banks" are mostly software, not actual racks of modems. So are "central tabulation servers." One phone line goes into one card and that is your "modem bank." (A lot of "modem banks" are half-size cards, for those of you who like to mess around with the insides of your pc.)

So many things that were once hardware have become software, all naked to attack... A telephone exchange that once filled a building now fits into a small metal box, and it works mostly by the miracle of software.

Perhaps Diebold can be defeated at their own game - Kerry will still prevail, and computer voting can be thrown in the trash heap once and for all!

:shrug:

but the biggest worry should be social engineering. Kevin Mitnick, the world's most famous hacker, isn't famous because of his technical skills (which were still very good), but because he could persuade somebody to give him information. It'd probably be quite easy for somebody with the social skills of Mitnick to call up, pretend to be from one of the voting places, and take somebody out of the phone number, passwords, etc... . But anyway, each probably has his/her spouse's name as his/her password.

There's also physical access to the tabulator. That may be one of the larger problems.

I hope they at least encrypt their transmissions over the phone line.

"I hope they at least encrypt their transmissions over the phone line."

The transmissions are standard ASCII data.

makes me feel a whole lot better.

*note the sarcastic tone*

. . . for well over a year now. All of the players are already in position and just waiting . . .

Any heist takes planning. This one is way beyond that phase. It's GO time.

TYY

Thanks for continuing to reach out, Bev, and for letting those who are unaware of this situation to have a chance to see how much trouble we're in right now, as a Democracy.

O8) Many prayers for your continued safety and success!! O8)

:kick::kick::kick::kick:

Security isnt based upon whether or not anyone knows the number.

That info can be had by a large number of people. Anyone from a Spring operator to building technition (with access to the wiring closet) can obtain the numbers.

What important is how the endpoints identify each side. I.e how the caller identifys who it has called, and how the called identifys who called.

There are a number of technologys to accomplish this, but the post above is silent on this issue.

Actually, there's plenty of "info to pass judgement."

But let's think about your "endpoints" first.

Here's an ATM scam that has been successful...

You take an ATM machine and you drop it off somewhere that has a lot of pedestrian traffic. (Nobody ever calls the cops when a strange ATM machine shows up in their neighborhood.)

You set the machine to record the magnetic stripe of ATM cards people swipe through it, and the pin numbers they enter, and then you have the machine print out a very nice message. "Sorry, this machine is temporarily out of service."

Then you take the machine away, make copies of all the ATM cards the machine saw, and use these cards and the PIN numbers you got to get boatloads of cash at real ATM machines.

That's much easier than cracking the encrypted data stream of a real ATM, well maybe, if you aren't into cracking encrypted data streams.

There are always simple ways to bypass fancy authentication schemes because the creatures on either end of any encrypted data stream are humans, and most humans will use very sophisticated technology in very unsophisticated ways. Your "endpoints" are the weakest links, endpoints in the software, and endpoints in the human-machine interface.

Watch very carefully any election that uses Diebold machines connected to a central "tabulation server" by a "modem bank." What sorts of sophisticated methods are in place to assure that only authorized machines can talk to the central tabulator?

Hmmmm... enquiring minds want to know, and when they do know, they will snarf coffee through their noses. (BTW, I hear you can open those fancy Kryptonite bike locks with a ball point pen.) Maybe you can PM TrogL for "info", since he volunteered.

Fescue4u, there are people who know the guts of the Diebold machines and it ain't pretty. The delightful thing about Bev's post is that some small county election official remembered all the lies the Diebold reps told him. Most other election officials who bought Diebold machines are now hiding.

a ;-) and an :evilgrin: for agent mike because we want him to enjoy his work.

after they run an ender card through there should be a printout showing the votes for each candidate and item on the ballot. This is done before the votes are sent electronically to the central computer via modem.

If this election commissioner is cooperative and does proper follow-up, there should be a comparison of the electronic results to the printed results from each polling places tabulator on election night. This does not answer your modem questions, but should serve as a check on results if they were manipulated by someone being able to dial in and hack. The paper printouts would exist (on tabulators with paper ballots at least). In Iowa, which I am familiar with, people may view the election results as they are tabulated at the end of the night. Volunteers at precincts, if legally allowed, could help verify totals.

Hope this is clear.

1) At the California Voting Systems Panel meeting on Aug. 11, 2004, Dr. David Jefferson proposed a regulation that the transmission cannot occur until AFTER the polling place tape is printed. Believe it or not, this was controversial enough to result in a whole bunch of debate. He won on that point -- but most states don't really regulate it, and California was only regulating it for certain systems.

2) When, at the same meeting, it was suggested that a second copy be printed at the same time, and publicly posted, that was voted down. In many locations, when a tape is printed at all, it goes into the elections supervisor and is never seen at all by the public.

3) The tapes are generally spot-checked, not 100% checked. Thus, the double set of books, like that used in the Diebold GEMS program, can suffice to pass the spot checks.

4) Because the GEMS detail report generally isn't printed until 10 days or so after the election (and after any spot checks) and because it is easy to manipulate GEMS results using MS Access, that's plenty of time to diddle the data. Now, if we can get them to print a detail report on election night after uploading, and we can get them to post a public copy of the polling place tape, and we can match the two up, that would mitigate the risks of tampering through the modem, at least for the vote-counting phase on the central tabulator.

I would think election officials would want to make the process as transparent as possible with posted results, other public checks and balances. Unfortunately, we know that is not the case.

It seems more than a few of these "public" servants are happy as long as they do not have to deal with the public too much. I know a lot of elected officials get quite an attitude after being in office for so long that they forget it's the people's office and not their personal fiefdoms.

In Iowa it seems to be sheriffs, 3 counties have had sheriffs either resign, not run again, or be removed from office because of misconduct in office in the last year.

If someone controls the phone lines, they also control the verbal verification procedure. Precinct 17 may get a call to "verify" 387 votes for candidate Bar, Foo (D), and the commisioner may place a call to that precinct number to "verify" the 1389 votes for Bar, Foo (D), and have that verification.

Oh, and in case you think about cell-phone verification, those are just as hackable as land lines.

-Bop

Very bad.

Some failure points:
#1. "Unlisted" numbers are easily available to anybody who can hack a phone system. All they have to do is hack the phone company switching machines, which is Poulsen Level hacking (Kevin Poulsen, see numerous books on hacking and phreaking).

#2. Once phone "numbers" (they aren't actually real numbers tied to wires, unless they are a physical "dry pair"..) are known, they can be put on a delay, or re-routed. Here's how it works: Remote calls what it thinks is the tabulator. The "tabulator" is really another phone line, going to "badguy". Badguy then forwards that first call to tabulator, but "breaks" the transmission, halfway through. Precinct "tries" the call again, which badguy replaces with his own data, his own call.... or, badguy may just re-route *all* incoming calls to himself, and write a small program to replace incoming call data in real-time.

This is just laughable stuff. "One way" modem configs to hidden numbers? That's "security through obscurity".

-Bop

The multiple weaknesses of the system described only begin with the reporting via modem. Who checks the totals from each precincts vs totals on each machine? Who checks precinct totals recorded at the county level vs those recorded at precinct level? Who checks county totals reported to state vs those reported to the county? And on and on...

A decent solution would be:

1) Arrange for one of the precinct computers to be a LAN server, charged with collecting totals from each of the networked voting machines.

2) Before polls open, precinct poll watchers are charged with confirming only network cables are connected to each of the computers, including the LAN server. The location of the phone line is identified, and poll workers confirm the phone line is NOT CONNECTED to any of the machines.

2) After polls close--and ONLY AFTER POLLS CLOSE--a report is run on the precinct's LAN server showing totals from each machine. Reports are also run from each machine, and the totals are confirmed. Poll workers must witness this confirming check. Copies of the reports are given to the principal poll watchers of each party.

3) After polls close--and ONLY AFTER POLLS CLOSE--the LAN server is connected to a telephone line. A routine is run that dials the county data collection point, and transmits the report. Poll workers must witness this procedure. After completing the report, the link is terminated and the phone line is hung up by the computer.

4) The county collection computer is charged with posting these results immediately to the web, to a publicly accessible URL.

5) The chief poll watchers for each party are charged with examining the web results sometime during the next 6 hours, and sending an email "certification" that they have done so to the county, confirming that the totals do indeed match. This is followed by a notarized confirmation to be forwarded within 24 hours.