Thursday, November 18, 2004

From A Loyal Oppositionist. . .

A Republican Tells It Like It Is. . .
by Chuck Herrin


Chuck Herrin is a Microsoft Certified Professional Systems Engineer, and a long time loyal Republican - Not a tin-hat, loony-leftie folks.

This is his take and FAQ, at his website, on the reality of the hack of the vote. . .

"Q: How'd you get involved with this?  Aren't you a Republican?"


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

A: I get asked this a lot, and it really shows how focused our country is on partisan politics.  I am a voter, first and foremost.  That being said, yes, I am a Republican and have been since being sent to Republican Indoctrination Camp at age 2.  That's where we are taught supply-side economics and the values of mutually assured destruction.  :-)

I got involved with this because I have been against the adoption of these voting systems for years.  It's a dumb-ass idea to implement them this way - our votes are too important.  I wouldn't trust my Bank with computer systems this insecure; Hell, I wouldn't keep recipes on a system this insecure.  When I saw all of the documentation regarding Diebold and their heavy partisan leanings, and then when the results came flooding in with a clear Bush victory when I seriously expected Kerry to win, I put two and two together.  I am, by trade, a professional White-Hat Hacker, so I know how easily "secure" systems can be breached, especially by insiders.  Roughly 80% of all computer crimes are perpetrated by insiders, so that's always the best place to look first.  When the insiders also write the code and roll the machines out, there is no question that they have too much power and can not be trusted, whether they support my party or not.  It's called "Segregation of Duties" in the professional world, and it is vital for system integrity.

But that was all theory and conceptual before I tried it myself.  I knew that the descriptions and ideas were bad, but I hadn't actually seen a copy of the software.  So I went to BlackBoxVoting.org following a link off of some website, I don't remember which, and saw Bev's plea - "Computer Guys - Test it yourself!".  I thought, all right, I will.  After all, this IS what I do for a living.  It's like asking an accountant to balance debits and credits - nothing special, and besides, I was curious.  Surely if our states are rolling this out to Hundreds of Millions of voters, somebody checked it.  It can't be as bad as these liberal whiners are making it out to be - they're just pissed off that our folks turned out en masse.

What I found truly shocked me, and made me physically ill.  That's what is documented on the other page.  It IS that bad.  I personally don't have conclusive evidence that voter fraud was perpetrated, but I can tell you as an Information Security professional that it would have been very, very easy to do.  If I had to choose between someone conspiring with exit poll workers nationwide or someone changing values in an Access Database as the cause of the difference between the poll numbers and the "actual" results, I'll go with the easier, more effective option every time.  Why choose the hard way when it's more trouble and you're less likely to succeed?
Again, I'm staying clear of making specific allegations - I'll leave that to the activists who are gathering data - but I would be much more surprised if the election weren't hacked than to find out that it was.

It was too easy, the companies were too partisan and unethical, and there was too much at stake for them NOT to hack it.  It looked like Bush was going to lose, and they had this tool available to pull out a victory.

Why do I call Diebold partisan and unethical, you ask?  How's this:

"I am committed to helping Ohio deliver its electoral votes to the president." - Walden O'Dell, Diebold's CEO in a fundraising letter to Republicans, Fall 2003.  O'Dell and other Diebold Senior Executives are Republican "Pioneers", which is the designation you get when you raise over $100,000.  His brother is President of ES&S, the #2 vote machine maker, and is also a "Pioneer".
Is that partisan enough for you?  Well, what about calling them unethical?

Check this out - No less than 5 of Diebold's developers are convicted felons, including Senior Vice President Jeff Dean, and topping the list are his twenty-three counts of felony Theft in the First Degree.  According to the findings of fact in case no. 89-1-04034-1:

“Defendant’s thefts occurred over a 2 1/2 year period of time, there were multiple incidents, more than the standard range can account for, the actual monetary loss was substantially greater than typical for the offense, the crimes and their cover-up involved a high degree of sophistication and planning in the use and alteration of records in the computerized accounting system that defendant maintained for the victim, and the defendant used his position of trust and fiduciary responsibility as a computer systems and accounting consultant for the victim to facilitate the commission of the offenses."

To sum up, he was convicted of 23 felony counts of theft from by - get this - planting back doors in his software and using a "high degree of sophistication" to evade detection.  Do you trust computer systems designed by this man?  Is trust important in electronic voting systems?


So here we are - Means, Motive, Opportunity - the whole package.  And since the systems are so poorly designed, no audit trail to show any wrongdoing.  Add some cries of "conspiracy theories" and "sore losers", and you've got yourself a mandate.  Four more years, indeed.
Surprise, surprise.

BUT - what happens in 2006 or 2008, now that tens of thousands of activists know about the holes and how easy it is to steal votes?  Well, it'll be interesting, that's for sure.  These systems appear to be DESIGNED to be easy to Hack, so one can only imagine what will happen.  But I for one will embrace President Homer Simpson and will fully support his new 2008 doughnut agenda as a welcome change.  I hope that we can all stand together and welcome him as we Republicans continue to bring "dignity back to the White House."

Q: Why did you post this?  Won't this tell the Hackers what to do?

A: That's a reasonable question, particularly for someone outside Information Security.  Let me answer in 2 parts:

1) The short answer is that Hackers already know this.  Not to insult those of you who are just finding out about this, but this isn't really news - it's been known for quite some time, and a mix of computer types and social activists have been trying to tell you that it's coming.  The GEMS software has been available for some time thanks to a dumb-ass move by Diebold, when they left an FTP server open to the public.  Copies of GEMS software, database files, user guides, code, and all kinds of "good stuff" have been circulating around the 'Net ever since.

2) The ONLY way to get this fixed is with a huge public outcry.  I need YOU to help spread the word.  Not just read this, but tell two friends.  And it would help if one of them was a Senator.  :-)

Q: I thought the problem was the touchscreens, but you're talking about something different.  Why would an attacker target the GEMS software instead of the Touch-Screens?

A: Good question.  With all of the hype about the touch screen terminals, you'd think they'd be a likely target.  When you look through Hacker eyes, though, that's the best reason to avoid them.
Here's what I think:

I feel that it is unlikely that these individual touch screen machines would be targeted.  At greater risk than the individual touch screens are the Central Voting Tabulation computers, which compile the results from many other systems, such as touch screens and optically scanned cards.  From a hacker’s standpoint, there are a couple of reasons why these central computers are better targets:

a.  It is extremely labor intensive to compromise a large number of systems, and the chance of failure or being detected increases every time an attack is attempted.  Also, the controversy surrounding the touch screen terminals ensures that their results will be closely watched, and this theory has been borne out in recent days.

b.  If one were to compromise the individual terminals, they would only be able to influence a few hundred to maybe a couple of thousand votes.  These factors create a very poor risk/reward ratio, which is a key factor in determining which systems it makes sense to attack.

c.  On the other hand, the Central Vote Tabulation systems are a very inviting target – by simply compromising one Windows desktop, you could potentially influence tens or hundreds of thousands of votes, with only one attack to execute and only one attack to erase your tracks after.
This makes for an extremely attractive target, particularly when one realizes that by compromising these machines you can affect the votes that people cast not only by the new touch screen systems, but also voters using traditional methods, such as optical scanning systems since the tallies from all of these systems are brought together for Centralized Tabulation.  This further helps an attacker stay under the radar and avoid detection, since scrutiny will not be as focused on the older systems, even though the vote data is still very much at risk since it is all brought together at a few critical points.  This also has been borne out by early investigations, where the touch screen results seem to be fairly in line with expectations, while some very strange results are being reported in precincts still using some of the older methods.

This is not to say that the touch screens don’t have their problems, which are well documented on the web and the news.  My point here is that if you want to steal an election, targeting the individual touch screen machines is not the easiest way to do it.

Q: Where can we see the Diebold memos you're referencing?

A: Some fine person (or people) at Swarthmore have posted a complete archive of Diebold memos at http://scdc.sccs.swarthmore.edu/diebold/.  Read the excerpts there, or you can download the entire 7.7MB archive HERE.

Q: Do you know what the version of the software that was used this election and is it available for download?  1.18.17 is from early 2003 if I recall.  Or does anyone at least have release notes so we can see what is different?

A: Officially the version for this election is 1.18.19, but per their changelog there were no major changes.  I don't have the release notes handy, however.  I will try to find a copy - I know the folks at blackboxvoting.org have one.

Q: If there is a password on the Access db that would make it tougher to access, is this info stored in a specific table in a “master” db that can be accessed to reset the password?  Is it encrypted, and is there a crack utility to decrypt?  I’m asking because I want to know every possible way in for a hacker or dishonest poll worker.

A: There is no Access password.  Diebold's engineer (quoted in the article) talks about why they never put one on it.  See the "King County is famous for it" line.

Speaking of passwords though, the actual GEMS password is stored inside the Access database, so even if you don't have the GEMS password, you can get it very easily.

Q: Do you know of any s/w copies and db’s of the other electronic voting companies systems that can be reviewed as well?  Do they use Access as well and are they as easy to circumvent?

A: Sorry - I've only tested Diebold.  I do know that there is one who uses better, more open software, but I don't have any details on the other systems.  Diebold is definitely the 800 lb gorilla.

Q: Do you know of any information that breaks down the irregularities by precinct using each competing brand?  That could help determine if any one particular type of machine was “harder” for them to rig…?  Since I hear Diebold is the majority, perhaps this isn’t as relevant, but I’d like to know for purposes of discussion.

A: There is more data being generated out there than I have had time to analyze.  DemocraticUnderground.com has a big forum on the voting issues, with several different big analyses.  You might find it there - if you do, please let me know!

Q: Do you know if there have been any specific software security guidelines given to the government as part of their RFP process?  We should make sure there is, in case we do get the opportunity to get legislation on the floor.  I say this because I doubt we’ll be able to get rid of the e-voting type machines, so we’ll have to settle for smart, common sense, industry standard operational guidelines and procedures at the least.

A: Yes, there are specific requirements - there are a bunch of certification papers on blackboxvoting.org - the main page, where it says "Technical people, test it yourself".  They're pdf files from the certification process.  They list requirements and what the certifying authority is to have checked.  Note the one that says "Penetration Analysis - N/A, not tested".


My Open Letter of Thanks to my Site Visitors:

Thanks! Your support means a lot - it's a little overwhelming when something that you've been talking about for a long time suddenly hits the spotlight.  I probably should have let it go by now, but I just have this character flaw that won't let me just shut up when I know I'm right.  I just got off the phone with Chronograph magazine out of NY - they wanted an interview - and I have had I don't know how many site views in the last few days.  People are trying to hook me up with Congressmen - I'll keep you posted on that.  I might be meeting with some local representatives later, but it's not confirmed yet.  I've been asked if I would testify on Capitol Hill, and yeah, I'd be glad to.  Whatever I need to do to preserve our Democracy.  Or get it back.

From what I understand, Bush's lawyers are waging quite an effective war trying to shut dissenting voices down, regardless of the now over 37,000 incidents reported to verifiedvoting.com. Even the NY Times has told its reporters that the paper will not cover it.  Well, I will.  For what it's worth ;-).  It's amazing to me that with the MOUNTAINS of evidence and information that this issue is being dismissed by so many as a "tin foil hat crowd" conspiracy theory.

I wrote to the NC Republican Party last week, but haven't heard anything back.  I'm so disappointed at some of our fellow Republicans' responses - some people can't see past the partisan politics and look at the real problem.  It's like "It's OK if our votes don't count, as long as my guy wins."  Is that what real "Values Voters" believe?  What about when your son or daughter gets drafted and killed?  Should your vote have mattered then?  Makes me want to be a Congressman like Bush Sr. just so I can protect my kids in case of another Vietnam.  We all know that with a few exceptions, rich kids don't fight wars.

Sorry, don't mean to vent - just frustrated.

Thanks for your support, and keep fighting the good fight!

Peace,

Chuck

More questions?  Drop me a line.

1 Comments:

At 11/18/2004 10:51 AM, Blogger dhyana said...

hello old-happy-hippie !

 
