A Dialog with the Iowa Secretary of State's office.
Jim March discusses Diebold with Tom Tully,
executive officer and assistant director of business with the Iowa Secretary of State's Office
----- Original Message -----
From: "Tom Tully" <ttully@sos.state.ia.us>
To: "Jim March" <jmarch@prodigy.net>; <depew@ncn.net>; <john.kibbie@legis.state.ia.us>; <dolores.mertz@legis.state.ia.us>; <electioncent@pdq.net>; <ed.fallon@legis.state.ia.us>
Cc: "Douglas W. Jones (E-mail)" <jones@cs.uiowa.edu>
Sent: Wednesday, September 24, 2003
Subject: RE: Diebold in Iowa?
>> Dear Mr. March -
Thank you for your comments and I just want to make clear that these are my personal comments and are not meant to imply that this is in any way the direction or feeling of this office. <<
Sir, thank YOU for opening a dialog. I really appreciate it.
>> As a point of clarification, Mr. Lewis's letter was a response to the general fear of touchscreens as a whole and the concern of fraud during an election, not a response to the Diebold security issues that were published by the Johns Hopkins folks several months after this letter. Actually there are many other touchscreen vendors other than Diebold.<<
Right, I'm aware of that. Short-term, my focus is on Diebold. One step past that is the question "how did this thing get past certification?" and THAT question has implications for the rest.
>> As far as the certification process, the standards under which Diebold and every other product was and still is certified were "1990" standards! NEW "2002" standards are currently in place with the Federal Elections Commission and ALL equipment used after December 31, 2005 MUST meet these new federal requirements.....as of today, NO, I repeat, NO, machine has been approved for use with these new federal standards! <<
That's bad enough, but it hardly matters, because in at LEAST two key areas Diebold products got through the Federal testing process through deliberate fraud on Diebold's part:
1) Windows CE is NOT "standard software" under the 1990 or any other rules, and should never have been declared such. Diebold *knew* that, and went to specific lengths to conceal it. See also the Talbot Iredale memo of 15 Apr 2002 cited by myself on page 13 of the document attached: http://www.ninehundred.net/~equalccw/lewisdeconstructed.pdf.
2) Ken Clark's crafted lies to Metamor/Ciber around Oct. of 2002 (attached, pages 14 - 16 - http://www.ninehundred.net/~equalccw/lewisdeconstructed.pdf).
Once fraud is introduced in this fashion, the process has broken. Updating the standards won't help one bit.
>> There are a couple of misconceptions with touchscreens being like "computers" that we use everyday. These are more glorified "touchscreen" calculators than computers, sure there is software, but it is for the actual "touch" part of the screen, the ballot layout and design and for final tabulation.....there is no "processing" occurring during voting. So the crashes, failures, etc that we have all experienced with our own computers, it is not really relevant here. This doesn't mean these won't break or fail.....everything we make as humans has failed....it just means that the comparison to computers (although they have a screen like one) is not a true and accurate comparison....there again, this is a general statement, a few touchscreens ARE computers.<<
Sure, I understand that. That doesn't mean giving Diebold free rein to do whatever they want at that box with NO oversight is a good idea! And that's exactly what happened - with WinCE unscrutinized and impossible to prove it's "standard" (because it's a vendor-compiled OS), there's just no limits whatsoever.
>> There is NO question or argument from me that Diebold has many issues with the integrity of their touchscreen systems, but does that mean that all touchscreens/vendors are bad? <<
They've got more "issues" than the National Geographic!
:)
You DO understand that the only reason we know as much about Diebold as we do, is that their website security happened to be as deeply flawed as the security of their products? (Which is remarkable, given that website management is generally handled by a different person/group than product development.)
In any case, while I can't comment on the other touchscreen vendors, I *do* know that they passed through a cert process which Diebold has proven for us is about as "airtight" as a well-used bath sponge.
>> My big question with Diebold is more with the programmable "smartcards" that a voter inserts to gain access to a ballot........this to me seems a more likely way to commit election fraud....the cards can be bought anywhere (eBay) for a buck, the programming equipment can be acquired for $50 bucks and like the people that hack satellite TV with the same setup, same cards, same programmers..... wouldn't this be more of a threat? Make a bunch of cards up for an election, hand them out...and vote and vote often! That to me seems to be more of a lower tech, more duplicatable and probable way to "crack" these machines than the higher tech way of cracking software, hacking code and intercepting data transmissions. There again, the "programmer" would have to have a digital copy of all of the auditor's ballots for the different precincts/boundary lines.....but still, this can be described as an open door. <<
Sure it is. Especially since we know Diebold has been grabbing and archiving the actual voter database structures for various counties! Hell, we caught 'em red-handed with LIVE vote data from San Luis Obispo County from 5.5 hours BEFORE the polls closed. The file was on the Diebold FTP site, its authenticity has been confirmed by Registrar Julie Rodewald, who also confirms that the Diebold tech on-site at that county was one Sophia Lee. The password on the file on the Diebold FTP site?
"sophia"
Tom, there are so MANY ways to hack a Diebold vote, it's hard to pick which is more likely.
I *do* know that California law (Elections Code 19205) bans state certification of anything as wide-open to rape as Diebold's garbage.
>> Since you seem to be passionate about election equipment and without being argumentative (I am just as cautious and passionate as you, but I must remain open-minded to all technologies) I'd like to pose a question/scenario: <<
Cool.
>> #1. FACT: In Polk County (Des Moines) if we were to change to touchscreens we would need about 1000 units. Prior to the election, the county auditor (the county commissioner of elections) will program the ballot to the machine, then disperse the machines to the various precincts. On election night, once the polls close, all machines will tabulate their individual totals and print out a "totals report"....keep in mind that these machines are not connected to any modem, phone line or wireless transmission device, then the individual PCMCIA removable hard drives are removed from each machine (There are usually 4 redundant hard drive systems on most of these machines) and placed in a security envelope, then the tabulations are combined and transmitted via CDMA digital encryption (the same transmission that the military uses in battle for its inability to be hacked into by any enemy).....but keep in mind that these transmitted numbers are only for election night reporting, the TRUE results are from the paper receipts and the PCMCIA cards from the precinct that are sealed by the election judge in the security envelope at the precinct then signed across the seal by the judge and the election workers, then taken directly to the courthouse for the canvassing board to open and verify. <<
Well, on a *Diebold* system, the huge gaping hole is that the results at each precinct aren't "accumulated" until the machine makes contact with the home-base GEMS computer at county HQ. Via a two-way modem link that Diebold has all the pieces necessary to hack into, encryption or no encryption.
By making contact with the terminals during this accumulation process through communications drivers that Diebold WITHHELD FROM TESTING (part of WinCE), Diebold has total control over what goes onto those PCMCIA cards.
Oooops.
Let's talk about encryption.
Let's say, on your PC, you encrypt your whole hard disk with a really nice hairy protocol like CDMA, RSA or whatever. And you also encrypt all incoming and outgoing EMails via PGP or similar.
Cool. There's still TWO ways I can get at your data:
1) From across the street, I can do Van Allen Phreaking and tune in on the stray radio waves produced by your monitor and recreate your monitor's signal in the back of a van or similar. Yes, this works...
http://www.geocities.com/ifsm430kadena/White/computerspy.htm
Not applicable to our situation, but hey, you need a dose o' paranoia.
2) IF I can get access to your computer, I can go that one better: load a small program that records your keystrokes, mouseclicks (and screen views if I want) that remains hidden on your PC. At which point, you've got no security whatsoever. (Under the Digital Millennium Copyright Act, with a court order, law enforcement can place one of these on your rig while you're not looking, hide it there, and NOT tell you they're doing it. See also 17 USC 512.)
Point two is VERY damned applicable to Diebold or any of the touchscreen vendors. Diebold in particular, because the functionality for it can be hidden in software they wrote and illegally diverted around the cert process! (WinCE)
Worse, this same illegally uncertified system has access to the PCMCIA card writer functions.
Still willing to trust those little cards in the little baggie?
>> So, my question is, How would 4 to 8 individuals nationwide be able to find and locate machines on election night in specific precincts, tap into whatever phone line during the 20 seconds of transmission time (oh, yeah, the hackers don't know when the transmission is occurring) at the precinct or if transmitted via wireless CDMA transmission, break the transmission code (which right now is impossible) and adjust the data.....all in less than 20 sec from hundreds of precincts? Actually nationwide, thousands of transmissions? Or are you saying that the hackers could somehow perform this covertly while the machines are in locked storage in the auditors office? Or hack into the auditor office? This is the part where it breaks down for me, please offer your insight. <<
The terminals talk to the GEMS boxes. The GEMS boxes have Microsoft "Remote Access Server" running and available for communications sessions. Diebold knows the phone lines GEMS are on, OR GEMS can be set to dial out to an 800-number.
So they don't need to set up a comm session to every precinct. I agree, that's too hairy a logistics problem.
But one per COUNTY!?
When you know exactly when the polls close and the modems get turned on?
Not a problem at all.
>> I have a computer engineering background and I understand the code issues....but what I don't understand is how there can be mass manipulation of results. How can all of the manipulation take place? I know about "Easter Eggs" that can be hidden by programmers, but there again, this is so unlikely a scenario and you would have to program the "Eggs" in advance to recognize a specific term, such as "(R)" or "Democrat" since the programmer would not know how the individual county auditors will be programming the ballot and what if there is a different identifier like a bitmap icon for "R" or "D" and that can be stored under any name that the auditor can give but the programmer of the "Egg" would never know what that specific identifier is to search for? Help me understand this so I can be better informed on exactly how, you, Jim March could alter an election with these machines, given the law and the procedures that take place during an election. <<
You're assuming that the names of the candidates to tweak has to be programmed into the terminals, GEMS boxes or both ahead of time.
Not hardly. All you need is the pieces necessary to open a communication channel. You then program the "which races to hack, and how" data into scripts executing from remote PCs. You can make decisions as to which races to booger right up until basically the last minute before polls close. And if you decide not to do it, just close down the "black room" and there'll be nothing to find out in the field except a lot of stupid security flaws, if you really look.
>> Consequently, can't the SAME thing that happens with touchscreens occur with a paper ballot system? I mean the "Changing of results", and before you say "Well you have the paper to back it up" this may be true, but recounts are only performed by law when an election is within a 1% margin, (You can not currently request a recount if the race is not close) there again all some hacker would have to do is to skew the paper ballot election results by like 5% (oh by the way, these transmissions are performed with a standard modem) and a recount would never be performed.....and again, full recounts are rare. (Actually this is the same accusation that Bev Harris and Blackboxvoting make about the ES&S optical machines in Nebraska because Sen. Chuck Hagel there is popular and gets 80% of the vote and keeps winning there and he used to be on the board of directors of ES&S's parent company and used to or may still be a stock holder (this isn't clear yet)....so that somehow is saying that Sen. Hagel through his past affiliation with an organization is magically able to demand that a company dictate to a subsidiary company that they break many state and federal laws plus put them out of business, only to guarantee an election win for him? Sure...anything is possible....heck on paper MIT proved that time travel is possible, but is this what occurs? My point being is that this doesn't occur because as in the touchscreen scenario, the paper reports are generated in the precinct and they are placed into a secure envelope and signed, which become the official results to the county board of canvassers.....the transmitted results are only for election night reporting, not official results. So, what should be done if touchscreens and paper can't be trusted? <<
First, the very existence of *accurate* paper makes engaging in *any* type of vote fraud far less likely, because it's far riskier.
Second, to do a "paper vote hack" takes a LOT more players. It quickly becomes known what's going on. (Like in Chicago, where it turned into an open joke...the problem that resulted was a poor public opinion of gov't and a "spiral of social decay" that's a factor in why the city regularly leads in violence levels in the US - they trade off with much smaller WashDC for the murder-rate "leadership". Voter apathy is a factor, as is police corruption and strict gun control.)
Third, while I don't know how the other vendors can or cannot hack their votes, that's only because I don't have access to their software. With public access to the software, flaws can be identified and then fixed.
>> My next question is a little more objective...
#2. Given the federal law, the Help America Vote Act, what do you offer as a solution? Keep in mind that the law states that voting machines need to alert voters of errors in private (particularly over votes) and that the machines need to be accessible to voters with disabilities to have the same voting rights and alerts as others to cast a ballot secretly and in private. This includes individuals that are blind, but also includes individuals that have glaucoma, macular degeneration, dyslexia and many other limiting factors that deserve the same right to cast an independent ballot as anyone else. The whole point of this is to allow ALL voters the SAME access to a ballot and to have that ballot cast exactly as the voter intended and to then have that ballot counted exactly as it was cast....period! <<
Australia already figured out the solution!
http://www.softimp.com.au/evacs.html
This is an "open source" application for electronic vote-counting. That means it runs on Linux, the source code for the entire application is available for public review, as is the ENTIRE operating system, comm drivers and similar. Along with the compiler versions needed.
You know what THAT means?
A techie like me can compile up an entire vote system of my own, legally, run CRC checksums on everything, write a script that'll do the same thing in the field, pop the loader CDs the county uses into my laptop at the county on election night and run CRC-checks to make sure what they're using hasn't been dicked with.
It gets better.
You need 1,000 terminals, right? Cool. You know what they're using for terminals?
Leftover PCs ("trailing edge") in the Pentium 90/120/150/200 horsepower range, which are worth about $300 a pop absolute tops. Figure four hours per rig for techie time to test, setup and image 'em @ $30/hr max. At that price, just make sure there's an extra one or two at every polling place...if one of 'em pukes, so what?
Diebold Touchscreens are worth how much? 20 times that or more?
For the blind, OK, you'll need headphones and a large pair of buttons. $30 tops.
For printers, just use cheapo dot matrix workhorses, worth about $50. Again, think in-field redundancy.
Diebold and these clowns have conned y'all both financially and in terms of security!
There is already an effort underway to improve on the Australian model here in the US:
http://gnosis.cx/voting-project/announce.html
You need to understand how advanced the whole "open source" concept is. There's a LONG treatise in the subject written by a really good writer in the form of a semi-novel, the full text of which is available free at:
http://www.spack.org/index.cgi/InTheBeginningWasTheCommandLine
Read it.
Specifically, I am making the following recommendations:
1) All of the source code for the vote applications must be publicly reviewable, ditto the operating system and drivers it runs on, and the public must have the ability to make sure the in-use versions haven't been doctored. The software can STILL be commercial if "corporate level support" is necessary, although that's CLEARLY been oversold by Diebold! See also http://www.scoop.co.nz/mason/stories/HL0309/S00157.htm - the Diebold techs you've dealt with have apparently been illegal aliens!?
2) Each voter gets a printed receipt showing how they voted, which must be dropped into a box on the way out the door. The receipt would have a code on it - entering this code back at that same terminal ZEROS out that vote. That way, if the voter claims that what they entered wasn't what they got on paper, they can demand that their vote be erased and they get a chance to re-enter. If it still isn't working, a poll-worker can do a "test vote" themselves, examine the paper to see if it was OK, and zero that result when done. If there's a problem, call the techies back at county HQ. This printed receipt should be on a BIG piece of paper, 8.5" by 11" coming out of a standard dot matrix or laser printer...and it must be illegal to take that paper out of the polling place, it must go into a sealed box in case of recount. (This also prevents the "selling your vote" problem - you don't want the voter being able to prove later which way they voted.)
It is one hell of a lot CHEAPER to do this.
If you're a Diebold customer, getting the funding to do this is simple: SUE DIEBOLD FOR A FULL REFUND. Basic breach o' contract. The sumbiches systematically and deliberately conned the ITAs and the entire certification process *multiple* times. There is all SORTS of grounds to get your money back, and enough *time* to have a slick, working open-source project based on the Australian code up and running by Nov. '04 with ease, for the spring primaries with a bit of cramming. Not sure you could get something working for the blind by spring but November, no sweat.
Let's ask this: just how much money have you paid Diebold to date? Seriously now, public contracts are public record so ballpark, what are we talkin' here?
You can be up and running on slightly-tweaked Australian code *fast* for around 900k tops. That's at $800 per station (VERY generous) plus an extra hundred grand in techie time. And there's ways of cutting that WAY down, less than $500k if we can get Debian, Red Hat or one of the other big Linux build houses involved for the PR value.
>> Believe me, I understand vigilance in the elections process but rather than trying to block technology as people have done in the past with the Wright Brothers, Henry Ford and most recently with Bill Gates, why can't we constructively create a solution? Sure, Diebold has issues.....and that will be a selling challenge for Diebold and actually now it opens up all of the other touchscreen folks to additional scrutiny and questioning, which is great, but I am concerned that if we become so closed minded and steadfast that we lump all this technology into the same "Diebold" mold that we end up throwing the baby out with the bath water.<<
This bath water has been severely pissed in, and the "baby" is a diseased frog.
Not all technology is task-appropriate. Diebold's product is about akin to using gutted microwave ovens with the shielding ripped out to build a tanning salon booth.
The proper term for your next transaction with Diebold should be: REFUND!!!
>> I hope you take my comments in the spirit that they are meant, and that is for the purposes of open discussion on this topic and certainly not stated for argument....I just want to cut through the "conspiracy" crap and truly understand the facts and process that any of this can occur.
Thanks again for your discussion - Tom <<
Tom, I completely understand that you're in a bind here not of your own making. And a LOT of the details of what has been done by Diebold were clearly designed to evade the scrutiny of honest local elections officials.
I do not believe that the Diebold customers became so with ill intent! I haven't implied that, Bev Harris hasn't either.
However. You've seen enough of the Diebold internal EMails, policy manuals and similar to at least suspect SERIOUS problems.
At a bare minimum, you should be pressuring your state and/or the Feds to re-think Diebold's certification.
There is too much evidence available that Diebold has suffered a crisis of corporate ethics on the scale of Enron or Worldcom to pretend not to notice.
Jim March
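The field check described in the message above (build a reference copy, checksum everything, then run the same script against the media in use), as an added example that is not part of the original e-mail. It records a SHA-256 digest beside the CRC-32 the message mentions, because CRC-32 only detects accidental change; the file names and contents are constructed.

```python
import hashlib
import os
import tempfile
import zlib


def digest_file(path, chunk_size=65536):
    """Return (crc32_hex, sha256_hex) for one file, read in chunks."""
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return format(crc & 0xFFFFFFFF, "08x"), sha.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root -> (crc32, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest_file(full)
    return manifest


def compare(reference, field):
    """Compare a reference manifest with one taken from the media in use."""
    ref_paths, field_paths = set(reference), set(field)
    both = ref_paths & field_paths
    return {
        "missing": sorted(ref_paths - field_paths),    # in reference only
        "extra": sorted(field_paths - ref_paths),      # on field media only
        "modified": sorted(p for p in both if reference[p] != field[p]),
    }


def write_tree(root, files):
    """Helper for the demo: write {relative_path: bytes} under root."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed sample: a reference build and a field copy that deviates."""
    reference_files = {
        "boot/kernel.img": b"kernel build 1\n",
        "app/tally.bin": b"count votes\n",
        "app/ballot.cfg": b"race=1\n",
    }
    field_files = {
        "boot/kernel.img": b"kernel build 1\n",     # unchanged
        "app/tally.bin": b"count votes!\n",         # altered content
        "drivers/comm.bin": b"unlisted driver\n",   # not in the reference
    }
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as fld:
        write_tree(ref, reference_files)
        write_tree(fld, field_files)
        return compare(build_manifest(ref), build_manifest(fld))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The comparison is only meaningful when the reference manifest comes from a build the checker produced or obtained independently of the media being checked.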
-----Original Message-----
From: Jim March [mailto:jmarch@prodigy.net]
Sent: Wednesday, September 24, 2003 3:30 AM
To: depew@ncn.net; Tom Tully; john.kibbie@legis.state.ia.us; dolores.mertz@legis.state.ia.us; electioncent@pdq.net; ed.fallon@legis.state.ia.us
Subject: Re: RE: Diebold in Iowa?
I have been forwarded a letter from Doug Lewis of the Election Center and was disgusted enough at the content to do a complete de-construction. This work is attached in both MS-Word and Adobe Acrobat formats.
The full text of Mr. Lewis' comments are included, commented upon and exposed. Something has gone severely, tragically wrong with the certification system that approved Diebold's products, and the public is finally beginning to see warnings. Diebold's actions constitute a failure of corporate ethics on the scale of Enron and Worldcom, while the Federal certification process is revealed as woefully incompetent.
The attached letter (http://www.ninehundred.net/~equalccw/lewisdeconstructed.pdf) may be distributed at will.