12 September 2003

Scoop: Diebold Internal Mail Confirms U.S. Vote Count Vulnerabilities

By Alastair Thompson

Scoop has obtained internal mail messages from Diebold Election Systems which clearly and explicitly confirm security problems in the GEMS vote counting software that were highlighted in reports published on Scoop.co.nz and widely elsewhere in July.

In the internal mail Diebold Election Systems principal engineer R&D Ken Clark - then working for Global Election Systems before Diebold took the company over - responded to an internal query over a security problem. The official certification laboratory responsible for assessing the robustness of the company's voting software had noticed a problem, and a staff member was seeking Clark's advice.

Diebold Election Systems technical writer R&D Nel Finberg wrote to the "support" list on 16th October 2001: "Jennifer Price at Metamor (about to be Ciber) [this is the certification lab responsible for certifying all United States voting software] has indicated that she can access the GEMS Access database and alter the Audit log without entering a password. What is the position of our development staff on this issue? Can we justify this? Or should this be anathema?"

The "GEMS Access database" that Finberg refers to is a piece of computer software which is loaded onto county election supervisors' computers. It is responsible for tallying votes from county precinct voting booths; these results are typically modemed into the central computer.

Significantly, this software is responsible for tallying all votes: optical scan, touchscreen and absentee ballots. It was this software that Scoop initially reported was all too easy to hack in its July 8th report from Bev Harris.

In reply to Finberg's query Clark responded with an astonishingly frank posting which clearly confirms most of the worst aspects of the GEMS system security outlined by Harris in her July report.

Clark: "Right now you can open GEMS' .mdb file with MS-Access, and alter its contents. That includes the audit log. This isn't anything new. In VTS, you can open the database with progress and do the same. The same would go for anyone else's system using whatever database they are using. Hard drives are read-write entities. You can change their contents.

Now, where the perception comes in is that it's right now very *easy* to change the contents. Double click the .mdb file. Even technical wizards at Metamor (or Ciber, or whatever) can figure that one out." (Clark's full email response is attached below)

In these two paragraphs Clark confirms:
- That anyone using an off-the-shelf copy of Microsoft Access can freely open and alter the election tally database;
- That in doing so they can also edit the audit log (which is hyped in sales literature as preventing tampering) thereby removing any evidence of their tampering;
- That these security flaws have been in place for a considerable period of time.
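
The second point, an audit log that offers no tamper evidence because it sits in the same writable file as the tallies, can be made concrete with a sketch of the standard countermeasure. This is an added example, not code from the article, from GEMS or from Diebold: SQLite stands in for the Access .mdb file, and the table names, the key and the externally held anchor are assumptions. Each audit entry carries an HMAC chained to the previous one, and the checker replays the log against the tally table.

```python
import hashlib
import hmac
import sqlite3

KEY = b"constructed-demo-key"  # assumption: held off the tally machine
GENESIS = b"\x00" * 32         # chain start value

def mac_for(prev, seq, candidate, votes):
    """MAC over the previous entry's MAC plus this entry's fields."""
    msg = prev + repr((seq, candidate, votes)).encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def new_db():
    db = sqlite3.connect(":memory:")  # stand-in for the single writable file
    db.execute("CREATE TABLE tally (candidate TEXT PRIMARY KEY, votes INTEGER)")
    db.execute("CREATE TABLE audit (seq INTEGER PRIMARY KEY, candidate TEXT,"
               " votes INTEGER, mac BLOB)")
    return db

def record(db, candidate, votes):
    """Write a tally, append a chained audit entry, return the new anchor."""
    last = db.execute(
        "SELECT seq, mac FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev = (last[0] + 1, last[1]) if last else (1, GENESIS)
    mac = mac_for(prev, seq, candidate, votes)
    db.execute("INSERT OR REPLACE INTO tally VALUES (?, ?)", (candidate, votes))
    db.execute("INSERT INTO audit VALUES (?, ?, ?, ?)", (seq, candidate, votes, mac))
    return seq, mac  # anchor: stored somewhere the database user cannot write

def check(db, anchor):
    """Return 'ok' or the first inconsistency found."""
    prev, count, replayed = GENESIS, 0, {}
    rows = db.execute("SELECT seq, candidate, votes, mac FROM audit ORDER BY seq")
    for seq, cand, votes, mac in rows:
        count += 1
        if seq != count or not hmac.compare_digest(mac, mac_for(prev, seq, cand, votes)):
            return "audit log altered"
        prev, replayed[cand] = mac, votes
    if (count, prev) != anchor:
        return "audit log truncated or replaced"
    if replayed != dict(db.execute("SELECT candidate, votes FROM tally")):
        return "tally does not match audit log"
    return "ok"

def demo():
    """Constructed data: a direct table edit, then an edit to the log row."""
    db = new_db()
    record(db, "A", 120)
    anchor = record(db, "B", 95)
    results = [check(db, anchor)]
    db.execute("UPDATE tally SET votes = 20 WHERE candidate = 'A'")
    results.append(check(db, anchor))
    db.execute("UPDATE audit SET votes = 20 WHERE candidate = 'A'")
    results.append(check(db, anchor))
    return results
```

The check only holds if the key and the anchor live outside the database file; a key stored beside the data lets whoever can edit the file recompute the whole chain.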


Clark here confirms the findings about GEMS first reported by Bev Harris and recently demonstrated by San Luis Obispo county voting activist Jim March.

--snip

And so in a single email message Diebold Election Systems' Ken Clark has effectively placed not only his own competence and integrity into question, but also that of the official voting software certification lab and that of numerous election officials. And remember that this is just one of well over 15,000 internal Diebold Election Systems mail messages that are now in public circulation.

Editor's Note: A Must Read Article!
