The MS Access database is not passworded and can be accessed illicitly through the back door simply by double-clicking the vote file. After we published this report, we observed unpassworded access on the very latest GEMS 1.18.19 system in a county elections office.
Some locations removed the Microsoft Access software from their GEMS computer, leaving the back door intact but, essentially, removing the ability to easily view and edit the file.
However, you can easily edit the election, with or without Microsoft Access installed on the GEMS computer. As computer security expert Hugh Thompson demonstrated at the Aug. 18 California Secretary of State meeting, you simply open any text editor, like "Notepad," and type a six-line Visual Basic Script, and you own the election.
Some election officials claim that their GEMS central tabulator is not vulnerable to this back door, because they limit access to the GEMS tabulator room and they require a password to turn on the GEMS computer.
However...
Any county that uses modems to transfer votes may inadvertently be giving control of the entire central tabulator to anyone who gets at the computer through the modem phone lines (even if it is NOT attached to the Internet). This allows Diebold, or any individual, to manipulate votes at their leisure, from any personal computer anywhere in the world.
Let's talk about getting at the central tabulator through telephone lines: Mohave County, Arizona, for example, has six modems attached to its GEMS computer on election night. King County, Washington has had up to four dozen modems attached at once.
You will hear that the GEMS machine is stand alone, and is never connected to the Internet. It does have an Internet component, called "jresults," but nowadays most counties say that they do not hook GEMS up to the Internet. They say that they remove the disk from the GEMS computer and physically take it to another computer, from whence the Internet feed comes. Very nice -- BUT:
You can access a computer through phone lines as well as through the Internet. In fact, famous hacker Kevin Mitnick liked to hack through telephone lines, not the Internet.
If you have the dial-in numbers, it is possible to get at the GEMS computer from anywhere, using RAS. The dial-in protocols are given to poll workers, many people in Diebold have them, lots of temps have them, and the configurations have been sitting on the Internet for several years.
What if your county doesn't use any modems at all? That's excellent, but here's what we found: Harris & Stephenson visited county elections officials to ask for lists of names. We asked who was allowed to access the central tabulator, after it was already turned on, and who is given a password and permission to sit at the terminal?
Several officials told us they don't keep a list. Those who did gave us the names of too many people: county employees (sometimes limited to one or two), Diebold employees, techs who work for the county (like county database technicians, who also get access to GEMS), and print shops that do the ballots, which have some access also.
Diebold "contractors," who are temporary workers hired by subcontractors to Diebold, were also reported to have gained access to the GEMS tabulator. (Diebold accounts payable reports obtained by Black Box Voting indicate that Diebold advertises for temps on Monster.com, hotjobs.com, and uses several temporary employment firms, including Coast to Coast Temporary, Ran Temps Inc, and also works with many subcontractors, like Wright Technologies, Total Technical Services, and PDS Technical Services.)
What if there is a password even to get onto the GEMS computer itself?
There usually is. The problem is this: Once that computer is open and running GEMS (on election night, for example), that password doesn't much matter. Votes are pouring in pell-mell, and they aren't about to shut that computer down until hours later, sometimes days later.
Also, Black Box Voting found another problem with the design of GEMS: Check out the Audit Log, which is supposed to record everything that happens. In every database, you find everyone logging in as the same person, "admin."
There is a reason for this. We did not find a way in GEMS to log in as a new user unless you close GEMS and reopen the file. Now who, on election night, with votes pouring in, is going to close and reopen the file? They don't. Instead, everyone calls themselves the same name, "admin," thereby ruining the audit log (which can be easily erased and changed anyway.)
What about counties that limit access to just one person, the county elections supervisor?
We've found nowhere that actually does this. The reason: Elections officials are dependent on the vendor, Diebold, during the election.
Suppose we have a computer whiz county official who is the ONLY person who can access GEMS?
Unlikely, but if you do: "Trust, but verify." We should never have to trust the sanctity of a million votes to just one person.
The following things can be done when you go in the back door in GEMS using Microsoft Access:
1) You can change vote totals.
2) You can change flags, which act as digital "on-off" switches, to cause the program to function differently.
According to internal Diebold memos, there are 32 combinations of on-off flags. Even the programmers have trouble keeping track of all the changes these flags can produce.
3) You can alter the audit log.
4) You can change passwords, access privileges, and add new users.
Let's talk about passwords
How many people can have passwords to GEMS? A sociable GEMS user can give all his friends access to the vote database. We added 50 people, and gave them all the same password, which was "password" -- so far, we haven't found a limit to how many people can be granted access to the election database.
Election meltdown:
We found that you can melt down an election in six seconds, simply by using the menu items in GEMS. You can destroy all data with two mouse clicks, and with four mouse clicks, you can destroy the configuration of the election, making it very difficult to reload the original data.
Does GEMS even work as advertised? According to testimony given before the Cuyahoga Elections Board, the Microsoft Access database design used by Diebold's GEMS program apparently becomes unstable with high volume input. This problem, according to Diebold, resulted in thousands of votes being allocated to the wrong candidate in San Diego County in March 2004.
The Audit Log
Britain J. Williams, Ph.D., is the official voting machine certifier for the state of Georgia, and he sits on the committee that decides how voting machines will be tested and evaluated. Here's what he had to say about the security of Diebold voting machines, in a letter dated April 23, 2003:
"Computer System Security Features: The computer portion of the election system contains features that facilitate overall security of the election system. Primary among these features is a comprehensive set of audit data. For transactions that occur on the system, a record is made of the nature of the transaction, the time of the transaction, and the person that initiated the transaction. This record is written to the audit log. If an incident occurs on the system, this audit log allows an investigator to reconstruct the sequence of events that occurred surrounding the incident."
Since Dr. Williams listed the audit data as the primary security feature, we decided to find out how hard it is to alter the audit log.
We went in the front door in GEMS and added a user named "Evildoer." We had Evildoer perform various functions, including running reports to check his vote-rigging work, but only some of his activities showed up on the audit log. When we had Evildoer melt down the election, by hitting "reset election" and declining to back up the files, he showed up in the audit log.
No matter. It was a simple matter to eliminate Evildoer. We went in through the back door and simply deleted all the references to Evildoer.
Microsoft Access encourages those who create audit logs to use auto-numbering, so that every logged entry has an uneditable log number. Then, if one deletes audit entries, a gap in the numbering sequence will appear. However, we found that this feature was disabled, allowing us to write in our own log numbers. We were able to add and delete from the audit without leaving a trace.
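The difference between uneditable and editable log numbers, as an added example (not GEMS code and not from the original report): the log entries, field names and helper functions below are constructed for illustration. It goes one step beyond the auto-numbering described above by also chaining each entry to its predecessor with a hash, so that renumbering after a deletion is still detectable as long as the final hash is recorded somewhere outside the database.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain

def digest_of(prev_hash, entry):
    """Hash one entry together with the hash of the entry before it."""
    body = {k: entry[k] for k in ("seq", "user", "action")}
    return hashlib.sha256((prev_hash + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def seal(entries):
    """Return the entries with a chained hash attached to each one."""
    sealed, prev = [], GENESIS
    for e in entries:
        prev = digest_of(prev, e)
        sealed.append({**e, "hash": prev})
    return sealed

def find_gaps(entries):
    """Log numbers missing between the lowest and highest number present."""
    seen = {e["seq"] for e in entries}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def first_broken(entries):
    """Index of the first entry whose hash no longer matches, or None."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if digest_of(prev, e) != e["hash"]:
            return i
        prev = e["hash"]
    return None

def intact(entries, head):
    """True only if the chain verifies and still ends at the recorded head."""
    return first_broken(entries) is None and entries[-1]["hash"] == head

# Constructed sample log (illustrative, not real GEMS audit data).
LOG = seal([
    {"seq": 1, "user": "admin", "action": "open election"},
    {"seq": 2, "user": "Evildoer", "action": "run summary report"},
    {"seq": 3, "user": "Evildoer", "action": "reset election"},
    {"seq": 4, "user": "admin", "action": "print summary"},
])
HEAD = LOG[-1]["hash"]  # assumption: copied to paper or another system at close

# Entries removed with numbers left alone, then renumbered to hide the hole.
DELETED = [e for e in LOG if e["user"] != "Evildoer"]
RENUMBERED = [{**e, "seq": i} for i, e in enumerate(DELETED, start=1)]

print(find_gaps(DELETED), find_gaps(RENUMBERED), first_broken(RENUMBERED), intact(LOG[:2], HEAD))
```

With fixed log numbers the deletion shows up as a gap; once the numbers can be rewritten the gap disappears, and only the hash chain (checked against the separately recorded head) still exposes the edit or a truncated log.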
Could the double set of books be legitimate?
From a programming standpoint, there might be reasons to have a special vote ledger that disengages from the real one. For example, election officials might say they need to be able to alter the votes to add provisional ballots or absentee ballots. If so, this calls into question the training of these officials. If election officials are taught to deal with changes by overwriting votes, regardless of whether they do this in vote ledger 1 or vote ledger 2, this is improper.
Also, if it was legitimate, it would be a menu item in the GEMS program, not executed in a hidden location triggered by a secret 2-digit code. Nothing in the GEMS documentation describes the use of any feature like this whatsoever.
Here's why we need to involve CPAs in vote tabulation regulations, procedures, and design:
If changing election data is required, the change must be made not by overwriting vote totals, but by making a corrective entry.
It is never acceptable to make changes by overwriting. Data corrections should not be prohibited, but must always be done by indicating changes through a clearly marked line item that preserves each transaction.
However, according to elections officials we interviewed, GEMS is improperly designed: it cannot perform an adjustment, and you can't journal changes that occur for weird reasons that really happen. (For example, a poll worker might accidentally run ballots through twice. You need to be able to correct this and still show your work.)
Instead of doing an adjustment and showing the explanation, retaining a permanent record of everything that happened, a common procedure is to wipe out the mistake, and simply overwrite it with new data. This is completely improper, from an auditing standpoint.
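A vote journal that accepts corrective entries but refuses overwrites, as an added example (not GEMS code and not from the original report): the table layout, candidate names and counts are hypothetical, and SQLite stands in for whatever database a tabulator might use.

```python
import sqlite3

# Hypothetical schema for illustration; not the GEMS database layout.
SCHEMA = """
CREATE TABLE journal (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    candidate TEXT    NOT NULL,
    delta     INTEGER NOT NULL,
    kind      TEXT    NOT NULL CHECK (kind IN ('count', 'adjustment')),
    reason    TEXT,
    CHECK (kind = 'count' OR length(trim(coalesce(reason, ''))) > 0)
);
CREATE TRIGGER journal_no_update BEFORE UPDATE ON journal
BEGIN SELECT RAISE(ABORT, 'journal is append-only'); END;
CREATE TRIGGER journal_no_delete BEFORE DELETE ON journal
BEGIN SELECT RAISE(ABORT, 'journal is append-only'); END;
"""

def open_journal():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record(db, candidate, delta, kind="count", reason=None):
    """Append one line item; totals are never stored, only derived."""
    with db:
        db.execute("INSERT INTO journal (candidate, delta, kind, reason) "
                   "VALUES (?, ?, ?, ?)", (candidate, delta, kind, reason))

def totals(db):
    return dict(db.execute("SELECT candidate, SUM(delta) FROM journal GROUP BY candidate"))

def rejected(db, sql, params=()):
    """True if the database refuses the statement."""
    try:
        with db:
            db.execute(sql, params)
        return False
    except sqlite3.DatabaseError:
        return True

def demo():
    db = open_journal()
    batch = [("Candidate A", 120), ("Candidate B", 95)]  # constructed sample counts
    for candidate, n in batch * 2:  # a poll worker runs the same batch twice
        record(db, candidate, n)
    for candidate, n in batch:      # corrective entries reverse the duplicate
        record(db, candidate, -n, "adjustment", "batch scanned twice")
    rows = db.execute("SELECT COUNT(*) FROM journal").fetchone()[0]
    return totals(db), rows
```

The triggers only bind changes made through the database engine; anyone who can open and edit the database file directly can remove them, so this design still depends on controlling access to the file itself.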
It is certainly improper to have the summary reports come from the second ledger, while pulling the spot check reports from the first ledger, with a provision in the back door to allow these two ledgers to be mismatched.
But there is more evidence that these extra sets of books are illicit: If the extra set of books is legitimate, the county officials, whose jurisdiction paid for and own the voting system, should be informed of such functions. Yet Diebold has not explained to county officials why it is there at all, and in most cases, never even told them these functions exist.
As a member of slashdot.org commented when we originally published this information: "This is not a bug, it's a feature."