Start work now to protect Election 2006. Here's a tutorial if you are planning to do a presentation, demonstration or meeting with public officials about problems with voting machines. It takes a modest amount of computer skill to do this demo. Any tech-friendly person can help you with this.
Your comments and observations after you install the tamper-inviting GEMS program will be examined by many who are truly interested in election integrity. Wear a flame-proof suit to withstand the damage control trolls, and please do post your findings.
This do-it-yourself hack demonstration attacks the mail-in votes, neatly flipping them whenever necessary. It uses real software used in real elections. We have examined the latest versions and the techniques still work.
This system passed federal testing labs over and over, and state examiners said it met state law even when state law requires the system to be "secure from tampering."
The Diebold GEMS system is not secure. Most of these files have been available to anyone on the Internet since the late 1990s. The instructions for hacking have been on the Internet since July 2003, although we have recently updated them to demonstrate the more dangerous hacking of absentee votes. The mail-in votes are more vulnerable because they are counted ONLY in GEMS and are not accompanied by a "poll tape" to compare against GEMS results.
These security defects have been confirmed by the August 18, 2004 CompuWare report, commissioned by Ohio Secretary of State Kenneth Blackwell, then hidden from both Ohio elections officials and the national governing body (the Elections Assistance Commission - EAC) until AFTER the 2004 presidential election.
How do we know they were hidden? Black Box Voting investigator Kathleen Wynne did public records requests of Ohio Diebold counties and of the Election Assistence Commission, and these records requests confirm that Blackwell withheld the results of the CompuWare Report on the GEMS defects until AFTER the 2004 presidential election.
The security defects have not been corrected in the Diebold GEMS central tabulator -- the "mother ship" that collects votes from all the precincts and tallies them up. Systems using GEMS will count at least 30 million votes in 32 states in November 2006.
How do we know they have not been corrected?
Video: Diebold chief engineer admits to the GEMS defect
Diebold admits that in Ohio it hopes to use a program from Verdasys to mitigate the risk, and in California, voting system examiner Steve Freeman said in the public hearing in Nov. 2005 that he hopes to come up with a solution. However, these "solutions" are still in the future and in most states, "solutions" are not even on the horizon. Also, Black Box Voting has examined the new versions of GEMS in counties that have just taken delivery on new Diebold systems, and we found the system still just as vulnerable to tampering.
The reason for publishing this information is to allow you to advocate for increased protections for this sort of tampering. This needs to be done NOW, not 2 days before the November election.
Here is a quick tutorial
This will help you examine the GEMS defects for yourself, and you can then demonstrate the defects to public officials and reporters.
Since everyone has different skill sets, feel free to ask followup questions. You can do that Here.
First, for those who want to download an install version of GEMS:
Installation version of GEMS
(Large -- allow time to download. Compressed zip file, 18,562 KB)
Password to unzip is akdn2ieh01dnm
This password has been publicly available since September 2003. It is clearly marked in the Diebold memos. The EFF went to court and won an important case, which confirmed that the memos are of compelling public interest and not protectable by Diebold.
Here is the
full set of the Diebold memos
To demonstrate the GEMS security defects, you'll need to download an actual elections database. I did the Howard Dean demo with a Cobb County, Georgia database that had been used for a Logic & Accuracy test. The databases I'm linking you to here are even better.
Here are several elections databases, obtained from Glades County Florida in a public records request. These databases include the actual data files for the 2004 presidential election.
Databases obtained in public records requests
For most of the Glades County databases, the password, which was set by the Diebold "expert" is this: "diebold" (without the quote marks)
Tutorial
After you install GEMS (by using the GEMS setup.exe file) you will want to place the already created elections databases in the right folder/directory. (This is kind of like the Julia Child school of cooking elections...we have a prepared elections database already made, very handy, just add and stir...)
A ready-for-action elections database is an "mdb" file. After installing GEMS, you can find the place where GEMS needs to store its mdb elections files here:
- Go to "my computer"
- Go to the Local Disk "c" drive (on Windows, main hard drive)
- Go to "Program files"
- Go to "GEMS"
- Go to "localDB"
Place the elections databases in there. GEMS can't find the data files anywhere else.
- What if you have a "gbf" file?
There are dozens of gbf files in the Diebold memos, linked above. A "gbf" file is just a compressed GEMS backup file. If you want to open a gbf file, put it in the GEMS "backup" directory. To uncompress a gbf file, just open GEMS, and choose "load" which will take you to the backup file directory. Uncompress the files, which will transfer them to the localDB directory. You don't have to worry about passwords to uncompress the files.
To do the easy version of the demonstration: You must have Microsoft Access installed on your computer. The Dr. Herbert Thompson hack is a more elegant way to do it, but that requires Visual Basic programming skills. You can use Visual Basic, or Java Script, to exploit Windows characteristics to do the same thing invisibly, running in the background as a trojan horse. For you geeks, there is also this nifty tool which can do all of the below with simple SQL statements and no need for passwords, no need for MS Access.
Back to simplest demo, using MS Access
You'll want to practice this several times before demonstrating it in public. Also, we recommend making a copy of the original file and calling it "demo" so you can play with it.
The easy demo of GEMS security defects
- Open one of the elections in GEMS. For this example, I'm choosing one called "glades,fl11-5-02a.mdb"
- Open it in GEMS. Password: diebold
- Run a results report. Go to the "GEMS" menu at the top and choose to run an "Election Summary Report".
- Choose to "preview" the report if you don't want to print it.
This shows you the "before the hack" version.
- Now leave GEMS -- you don't have to close it, but close out of the results report.
- Go to the GEMS "localDB" folder and doubleclick the election file. If you have MS Access installed, it will open the file up automatically in the Access program.
- Choose the "tables" view. You'll see several tables, like "artwork", "ballot", etc.
- Choose the "Candidate" table. This will tell you what ID numbers were assigned to each candidate. For example, in the Nov. 2002 governor's race in Glades County, Bush/Brogan were assigned ID#3, and McBride/Rossin were assigned ID#4.
- Now go to the "SumCandidateCounter" table. This first effort will be a practice hack. Find the first instance of the candidate number in the column "CandVGroupID" and simply add 100,000 in the "TotalVotes" group for this candidate.
In the Nov. 2 Glades County file, for ReportunitID 7, VCenterID -1, candidate 3 has 72 votes and candidate 4 has 114 votes.
ReportunitID is an identifier for the precinct and VCenterID is an identifier for the set of data. In some tables, there will not be a VCenterID "-1" series. In that case, enter the 100,000 votes the first place in that table where you find candidate #3.
Add 100,000 votes to change as follows:
Original:
candidate 3 : 72 votes
candidate 4 : 114 votes
You add 100,000 to candidate 3:
candidate 3 : 100,072 votes
candidate 4 : 114 votes
6. Save the table and exit the table and go back to GEMS. Run a new report. If you see the 100,000 extra votes, you're on the right track.
If your "hack" doesn't work when you look at the GEMS report, with a modest amount of fiddling around, you will see how to hack the particular election database you've chosen. The specifics can vary depending on factors that take too much space to describe here. If you have problems, just ask.
NEXT
The above hack is clumsy and there are checks and balances that would find it. So let's try one that's more dangerous.
1. This time, check the "Vcenter" table. Find the number that is associated with absentee votes.
In the Glades Nov. 2002 database, absentee votes are associated with #16. This number will be linked to another number as we'll see below.
2. Go to the table called SumReportunitStats and find VCenterID 16. It will correlate with ReportunitID 34. (In other voting databases the numbers will be different but you can find them in these tables.)
You now know how to choose absentee votes only for hacking. Very dangerous, because absentee votes are counted ONLY in GEMS without a poll tape to back them up. Therefore, hacking GEMS will not be detected unless the paper absentee ballots are counted by hand.
3. Go back into SumCandidateCounter. Get rid of those 100,000 votes you added earlier.
Go find the ReportunitID for absentee votes ("34" in the Glades County Nov. 2002 election), which is the absentee votes. So you can easily spot the hack (for demo purposes) add 100,000 votes to candidate 3 in the ReportunitID for absentees. Save and exit the table.
Make a quick check of the summary report in GEMS to make sure you got that hack implemented correctly.
- Now, flip the candidate IDs for absentee votes only. Make candidate ID #3 into #4, and vice versa. Save and exit the table.
- Check GEMS. Did the 100,000 votes pop over to the other candidate?
- Obviously, for real absentee vote-rigging, you'd not add any votes. The 100,000 votes is just to make it easy to see, in a demo, without a calculator.
In a real vote-flip, you'd switch the candidate numbers ONLY, which would keep the number of ballots the same while flipping the results.
7. There is another report, the "Statement of Votes Cast" report which is run at the very end after all absentee votes have come in. It is usually run 7-10 days after the election. This report pulls from a different table, the "CandidateCounter" table. To make sure your vote-rigging is invisible in both reports, just flip the absentees in both SumCandidateCounter and in CandidateCounter tables.
Ask more questions if you have difficulty.
You can find some more information here, with the report done by Chuck Herrin:
http://www.chuckherrin.com/...
However, his report changes votes rather than flipping candidate IDs on the absentees, and would be more detectable.
The hack shown above, done properly, will be almost impossible to detect, even by the elections official who runs the county elections.
* * * * *
Since this diary is technical, it will probably fade into oblivion, but I am certain that at least one person will understand the significance of this and will conduct demonstrations to urge increased protections of Election 2006.
As we all know, every time I post something we get a lot of trolls foaming at the mouth. They usually successfully hijack the thread. No matter.
Grab the links, snag the instructions, and if you have any questions, hit the BBV One-on-One on this topic and we'll guide you to success on this.
Some pictures and visuals of GEMS:
Be the Media - GEMS images
Another presentation aid: Attack Tree presentation
Has pictures, simple messages, easy to explain material on why electronic voting needs careful monitoring and citizen oversight.