Re: Diebold Global Election Management System (GEMS) Backdoor Account Allows Authenticated Users to Modify Votes

From: Mike Ely (me_at_taupehat.com)
Date: 09/22/04

    To: pressinfo@diebold.com
    Date: Wed, 22 Sep 2004 03:13:41 -0700
    
    

    Alright, I'll bite. After reading the blackboxvoting.org allegations,
    and your response, I have a few more questions I'd like to see
    answered. I'll take them point-for-point from your response:
     
    > On Tue, 2004-09-21 at 08:05, pressinfo@diebold.com wrote:
    In-Reply-To: <20040831203815.13871.qmail@www.securityfocus.com>
    >
    > Diebold strongly refutes the existence of any "back doors" or "hidden
    > codes" in its GEMS software.
    Please explain the purpose of leaving in the apparent debug mode that
    blackboxvoting has described. If the mechanism described is not a debug
    mode, what does it do, and why would it be in production software?
     
    > These inaccurate allegations appear to stem from those not familiar
    > with the product, misunderstanding the purpose of legitimate structures
    > in the database. These structures are well documented...
    Can you please provide a link to this documentation, and perhaps an
    explanation that offers more detail as to why you believe blackboxvoting
    is wrong?
     
    > and have been reviewed (including at a source code level) by
    > independent testing authorities as required by federal election
    > regulations.
    Leaving aside the question of who paid these "independent testing
    authorities," I would kindly suggest that if there is any mechanism
    which the US public should be allowed to subject to a high degree of
    scrutiny, it would be the mechanism by which we elect the people who
    will be making decisions for us. There was no question as to how
    punchcard machines worked - anybody with a screwdriver and some
    mechanical aptitude could figure that out in a very short time. The
    problem wasn't with how they worked; it was how well they worked that
    led to grief. However, as a voter and a US citizen, I do feel that I'd
    like to have the right to get my own second opinion on your software,
    including any versions certified after the infamous GEMS code leak.
    Please provide all GEMS source code to the US public for further
    examination.
     
    > In addition to the facts stated above, a paper and an electronic
    > record of all cast ballots are retrieved from each individual voting
    > machine following an election.
    The key problem here is that this paper record is created >after< the
    election, leaving voters at the whim of any compromise that may occur to
    a given machine >during< the election. In a paper ballot situation, the
    ballot box sits in plain sight during the entire election, and is
    physically locked at the close of the election. In the case of your
    system, each voting booth takes the place of the ballot box for the
    duration of the election, and is hidden behind a curtain or partition
    with many anonymous people during this process. For the voter, there is
    no guarantee that what is being stored to computer memory has anything
    to do with the selections he or she just made, and no paper trail is
    created until often hours after a voter has left the polling area.
    Without an immediate paper trail being generated, the voter is at the
    whim of whatever software happens to be loaded onto the touchscreen
    computer in front of him or her.
     
    > The results from each individual machine are then tabulated, and
    > thoroughly audited during the standard election canvass process. Once
    > the audit is complete, the official winners are announced. Any alleged
    > changes to a vote count in the election management software would be
    > immediately discovered during this audit process, as this total would
    > not match the true official total tabulated from each machine.
    Again, this makes the assumption that the totals printed out of the
    machine after all the voters have left would correctly reflect the
    intent and belief of the voters who used it.
     
    Unfortunately, without a voter-verifiable paper trail, it is possible
    for a successful attack to occur. Without the minimal safeguards
    mentioned above, this attack could go undetected. Regardless of how
    many votes are compromised, any stolen vote is too many. Please take
    the necessary steps to ensure the complete integrity of the US election
    process.
     
     
    > >From: "Jérôme" ATHIAS <jerome.athias@caramail.com>
    > >To: bugtraq@securityfocus.com
    > >Subject: Diebold Global Election Management System (GEMS) Backdoor Account
    > > Allows Authenticated Users to Modify Votes
    > >
    > >Date: Tue, 31 Aug 2004 00:38:05 -0400
    > >Subject: http://www.blackboxvoting.org/?q=node/view/78
    > >
    > >BlackBoxVoting.org reported a vulnerability in the Diebold GEMS central tabulator.
    > >
    > >A local authenticated user can enter a two-digit code in a certain "hidden" location
    > >to cause a second set of votes to be created on the system. This second set of votes
    > >can be modified by the local user and then read by the voting system as legitimate
    > >votes, the report said.
    > >
    > >GEMS 1.18.18, GEMS 1.18.19, and GEMS 1.18.23 are affected.
    > >
    > >The vendor was reportedly notified on July 8, 2003.
    > >
    > >Solution: No vendor solution was available at the time of this entry.
    > >
    > >Vendor URL: www.diebold.com/dieboldes/GEMS.htm (Links to External Site)

