Re: Diebold Global Election Management System (GEMS) Backdoor Account Allows Authenticated Users to Modify Votes

[Claudius Li <aprentic () sectae net>]

I usually stay comfortably hidden in lurkland but I'm a bit confused. Maybe someone here can enlighten me.

A few years ago I read Bruce Schneiers Applied Cryptography. Everything in the book which I tested or looked up 
independantly turned out to be true and it enjoyed an excellent reputation in our computer science department.

This book has a whole section on electronic voting. In it, Mr. Schneier lists several thing which we expect a voting 
system to provide; anonymity, accountability, verifiability, and others. He also points out that there is a theoretical 
limit to the level to which all of these can be satisfied. That is, we can never guarantee all of them with 100% 
confidence. This limit seems to extended to all voting systems whether they are electronic, paper based, 
clay-shards-in-an-amphora, or raised hands.

But we can choose the levels at which we will guarantee each characteristic and get them to levels at which we are 
comfortable. Mr. Scneier also presented an open protocol using public key cryptography which does just that. It doesn't 
involve hidden code, it doesn't require an actual physical paper trail and, as far as I know, noone has ever pointed 
out any flaws in it.

So my question is, given that this seems to be a solved problem why is there so much debate on finding the solution? 
Surely I am missing something obvious.

        -Claudius Li

On Wed, Sep 22, 2004 at 03:13:41AM -0700 or thereabouts, Mike Ely wrote:
> Alright, I'll bite.  After reading the blackboxvoting.org allegations,
> and your response, I have a few more questions I'd like to see
> answered.  I'll take them point-for-point from your response: 
>  
> > On Tue, 2004-09-21 at 08:05, pressinfo () diebold com wrote: 
> In-Reply-To: <20040831203815.13871.qmail () www securityfocus com> 
> >  
> > Diebold strongly refutes the existence of any "back doors" or "hidden
> codes" in its GEMS software.   
> Please explain the purpose of leaving in the apparent debug mode that
> blackboxvoting has described.  If the mechanism described is not a debug
> mode, what does it do, and why would it be in production software? 
>  
> > These inaccurate allegations appear to stem from those not familiar
> with the product, misunderstanding the purpose of legitimate structures
> in the database.  These structures are well documented...  
> Can you please provide a link to this documentation, and perhaps an
> explanation that offers more detail as to why you believe blackboxvoting
> is wrong? 
>  
> > and have been reviewed (including at a source code level) by
> independent testing authorities as required by federal election
> regulations. 
> Leaving aside the question of who paid these "independent testing
> authorities," I would kindly suggest that if there is any mechanism
> which the US public should be allowed to subject to a high degree of
> scrutiny, it would be the mechanism by which we elect the people who
> will be making decisions for us.  There was no question as to how
> punchcard machines worked - anybody with a screwdriver and some
> mechanical aptitude could figure that out in a very short time.  The
> problem wasn't with how they worked; it was how well they worked that
> led to grief.  However, as a voter and a US citizen, I do feel that I'd
> like to have the right to get my own second opinion on your software,
> including any versions certified after the infamous GEMS code leak. 
> Please provide all GEMS sourcecode to the US public for further
> examination. 
>  
> > In addition to the facts stated above, a paper and an electronic
> record of all cast ballots are retrieved from each individual voting
> machine following an election.  
> The key problem here is that this paper record is created >after< the
> election, leaving voters at the whim of any compromise that may occur to
> a given machine >during< the election.  In a paper ballot situation, the
> ballot box sits in plain sight during the entire election, and is
> physically locked at the close of the election.  In the case of your
> system, each voting booth takes the place of the ballot box for the
> duration of the election, and is hidden behind a curtain or partition
> with many anonymous people during this process.  For the voter, there is
> no guarantee that what is being stored to computer memory has anything
> to do with the selections he or she just made, and no paper trail is
> created until often hours after a voter has left the polling area. 
> Without an immediate paper trail being generated, the voter is at the
> whim of whatever software happens to be loaded onto the touchscreen
> computer in front of him or her. 
>  
> > The results from each individual machine are then tabulated, and
> thoroughly audited during the standard election canvass process. Once
> the audit is complete, the official winners are announced.  Any alleged
> changes to a vote count in the election management software would be
> immediately discovered during this audit process, as this total would
> not match the true official total tabulated from each machine.   
> Again, this makes the assumption that the totals printed out of the
> machine after all the voters have left would correctly reflect the
> intent and belief of the voters who used it. 
>  
> Unfortunately, without a voter-verifiable paper trail, it is possible
> for a successful attack to occur.  Without the minimal safeguards
> mentioned above, this attack could go undetected.  Regardless of how
> many votes are compromised, any stolen vote is too many.  Please take
> the neccessary steps to ensure the complete integrety of the US election
> process. 
>  
>  
> > > From: "Jrme" ATHIAS <jerome.athias () caramail com> 
> > > To: bugtraq () securityfocus com 
> > > Subject: Diebold Global Election Management System (GEMS) Backdoor
> Account 
> > >    Allows Authenticated Users to Modify Votes 
> > >
> > >
> > >
> > > Date:  Tue, 31 Aug 2004 00:38:05 -0400 
> > > Subject:  http://www.blackboxvoting.org/?q=node/view/78 
> > >  
> > > BlackBoxVoting.org reported a vulnerability in the Diebold GEMS
> central tabulator. 
> > >  
> > > A local authenticated user can enter a two-digit code in a certain
> "hidden" location  
> > > to cause a second set of votes to be created on the system.  This
> second set of votes  
> > > can be modified by the local user and then read by the voting system
> as legitimate  
> > > votes, the report said. 
> > >  
> > > GEMS 1.18.18, GEMS 1.18.19, and GEMS 1.18.23 are affected. 
> > >  
> > > The vendor was reportedly notified on July 8, 2003. 
> > >
> > >  
> > > Solution:  No vendor solution was available at the time of this
> entry. 
> > >  
> > > Vendor URL:  www.diebold.com/dieboldes/GEMS.htm (Links to External
> Site)  
> > >