Seakip18's Journal: Working for Diebo-Errr...Premier Election Solutions

Hopefully, I don't get sued over this. But Anon be damned! The knowledge here is by no means guaranteed to be accurate or representative of any employee of PES or Diebold Inc.

I recently finished a stint working temporarily for the election this past week and, rather than get washed away in the story comments by posting too late, I'll just refer here. I'm also too damned tired to comment on the big threads. This should be public knowledge, and I'm not revealing which state or what agreements it has with PES.

So, without going into the nitty-gritty details of where or who I am, I worked with Premier as a County Technician for their OS, OSx, TSx and AutoMARK machines.

This position acts as the PES lead in many of the counties that are very small. In the rest, they complement the ACTUAL county technicians and IT staff. PES techs are never meant to touch the actual equipment but act as an adviser/support person. In larger counties, the IT staff will be the ones asking you the questions. But that's not why you are reading. You want to hear about the machines and the software on them.

One attribute common to every unit is the printer. The OS(x) variants use an actual ribbon-impact printer while the TSx uses a thermal printer. The purpose of these units is to provide before and after reports that can be used to verify the election had no pre-existing votes. Before the first vote is put in the unit, the state may require the Zero report to be examined and signed to verify this, as well as a totals report to verify the recorded results are thought to be accurate, again, depending on the state.

The OS, or Optical Scanner, is Die-I mean, PES's oldest model of electronic voting. It's a glorified scantron, essentially. You fill in the dots on your ballot, run it in, it tabulates it and you get a paper trail. It uses a 90lb card stock and timing marks on the ballot to determine its side and feed. You can actually insert the ballot in any vertically oriented direction, which is neat. The memory card that it uses is also a relic of the past. It is a 128k battery-powered memory card. It holds up to 10 ballot styles (i.e. precinct 1, precinct 2...) depending on ballot length. The interesting part: Before "security" became an issue, data and transmission of the ballots to the central server in the county (more on that soon!) was all done unencrypted. Not that reported totals aren't public record, but the way data was transmitted was via modem using a dial-up interface! No fancy RAS or the such. It wasn't until a firmware patch back in 2006 that they implemented client authentication and secure SSL transmission to the unit. Some older counties, which can't afford to change or don't want to, still use the older firmware.

The TSx is the touchscreen ballot system, the most criticized one on Slashdot actually. It runs on Windows CE with/without the Timezone patches and has two PCMCIA card slots with a built-in modem. It features a "robust" access control system and has 1024MB internal memory. It uses a 128MB flash card to load and store the ballots and results on. Newer versions also use OpenSSL from Nov 2007/Oct 2006, depending on which firmware you use. The most criticized feature of this unit is that there is no paper trail. Your vote is abstracted, which already happens with every other system here, but some states do not require a ballot to be printed out of the printer on the unit. Hence, your vote is entirely abstracted. This can be a problem. The election is backed up to the memory card and the main unit after every vote. The memory on both of them should never fail at the same time, according to our training. IF it does...well......there's your .001% failure rate during an election, unless the Logic and Accuracy tests were not done. The only problem of this type that paper ballots don't also face (like a fire) is that smashing the unit will probably get rid of all the votes. Other than that, the only time the unit SHOULD interact with something besides a voter is when the election memory card is loaded, any of the access cards are loaded or the unit dials up results.

Access control on the TSx needs an explanation on its own. You see, when the TSx is set up, it can use no voter card or require a voter card. If not used, anybody can walk up to the machine and cast a ballot. If it does use a voter card, it is used one time then erased, requiring the card to be set up again. Each TSx in, say, a county is keyed to one x-bit key that all resulting encoders and TSx/OSx units are keyed to. In addition, supervisor and Central Admin (if using a new firmware) cards are also created with that key. This keeps you from walking up with a Central Admin card on election day and erasing all of the results. Your card hasn't been created with that key, so no machine or encoder will recognize it.

You load keys onto encoders and machines with something called a Security Key card. Its sole purpose is to hold the security key for each election and be loaded onto the necessary machines and encoders. You lose this card and you are going to be royally fucked. You see, with this card, you can upload the key back to a key card creator tool and then create any number of supervisor or central admin cards with that key. Then, you can access any voting machine's various modes, such as the central admin mode. With older firmwares, you could access the dreaded "unload election" with just the supervisor card, which is also needed to close the polls. The central admin card fixes that glaring defect. Imagine all the old ladies with that card messing with the TSx doohickey.....*shudder*.

Anyway, that leads me to my next point: lose the central admin card and you are royally fucked. This card allows you to reset or unload the election or load up a previous archive of the election. Now, the intelligent person will point out "Hey, it doesn't matter if you unload/reset the election. We can use that archive to restore to the last vote." True, but any intelligent person also knows taking down one machine isn't enough, but a distributed attack during the middle of polls and yikes.... It also allows you to change the security key on the unit for access control. You see, if you try using a voter/supervisor/CA card that isn't keyed right, it will reject the card. Keep trying to insert it, and the card is permanently disabled. Change the key to something that the county can't access and they won't be able to vote with that machine or change the key back to the right settings. That machine will be knocked out for the election since only reformatting it will work.
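To make the three paragraphs above concrete, here is a small model of the card-keying scheme as the post describes it. This is an added example, not Diebold/PES code and not something the author posted. Everything about the card format is my assumption: a card is bound to the county key with an HMAC-SHA256 tag over its role and serial, a unit accepts a card only if that tag verifies under the unit's own key, and three rejections in a row burn the card (the real algorithm and lockout count are not given in the post). The scenario walks through the lockout the author warns about: a CA card minted under a leaked Security Key card rekeys a unit, after which the county's own cards are rejected and then disabled.

```python
"""Model of the card-keying scheme the post describes (added example; not
Diebold/PES code).  Assumptions, all mine: a card carries an HMAC-SHA256 tag
over its role and serial under the county key, a unit accepts a card only if
that tag verifies under the unit's own key, and three rejections in a row
burn the card.  The real card format, algorithm and lockout count are not
given in the post."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_BAD_ATTEMPTS = 3  # assumed lockout threshold


@dataclass
class Card:
    role: str            # "voter", "supervisor" or "central_admin"
    serial: bytes
    tag: bytes           # binds role+serial to the key the card was created with
    bad_attempts: int = 0
    disabled: bool = False


def card_tag(key: bytes, role: str, serial: bytes) -> bytes:
    return hmac.new(key, role.encode() + b"|" + serial, hashlib.sha256).digest()


def make_card(county_key: bytes, role: str, serial: bytes) -> Card:
    """Encoder / key card creator side: mint a card under the given key."""
    return Card(role, serial, card_tag(county_key, role, serial))


@dataclass
class Unit:
    """A TSx/OSx unit keyed to one county key."""
    key: bytes

    def accept(self, card: Card) -> bool:
        if card.disabled:
            return False
        if hmac.compare_digest(card_tag(self.key, card.role, card.serial), card.tag):
            card.bad_attempts = 0
            return True
        card.bad_attempts += 1
        if card.bad_attempts >= MAX_BAD_ATTEMPTS:
            card.disabled = True  # "Keep trying to insert it, and the card is permanently disabled."
        return False

    def rekey(self, ca_card: Card, new_key: bytes) -> bool:
        """Only an accepted Central Admin card may change the unit's key."""
        if ca_card.role != "central_admin" or not self.accept(ca_card):
            return False
        self.key = new_key
        return True


def lockout_scenario() -> dict:
    """Walk through the denial-of-service the post describes."""
    county_key = os.urandom(32)
    unit = Unit(county_key)
    voter = make_card(county_key, "voter", b"V-0042")
    county_ca = make_card(county_key, "central_admin", b"CA-0001")
    # A CA card minted under some other county's key is never recognized here.
    stranger = make_card(os.urandom(32), "central_admin", b"CA-OTHER")
    # A CA card minted from a *leaked* Security Key card is indistinguishable from the county's own.
    forged_ca = make_card(county_key, "central_admin", b"CA-FORGED")

    result = {
        "voter_ok_before": unit.accept(voter),
        "stranger_accepted": unit.accept(stranger),
        # Attacker rekeys the unit to a key the county does not hold.
        "rekeyed_by_forged_ca": unit.rekey(forged_ca, os.urandom(32)),
    }
    # Now every county card fails, and repeated tries burn the cards themselves.
    result["voter_ok_after"] = [unit.accept(voter) for _ in range(MAX_BAD_ATTEMPTS)]
    result["voter_disabled"] = voter.disabled
    # The county's legitimate CA card cannot restore the key either: that unit is out for the election.
    result["county_ca_can_fix"] = unit.rekey(county_ca, county_key)
    return result


if __name__ == "__main__":
    for k, v in lockout_scenario().items():
        print(f"{k}: {v}")
```

The point the model makes is that the scheme has no second root of trust: whoever holds a card valid under the county key holds the unit, and a unit whose key has been changed cannot be recovered by any card the county can still make.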

If voter cards are used, when a voter needs to use that machine to vote, the encoder that every precinct will have holds whatever ballot style the voter needs. The voter card is inserted into the encoder, the proper ballot style selected and then loaded. The voter is given the card, then they go over to the machine and vote. If the vote is canceled, timed out, or cast, the card is erased and will need to be loaded again prior to voting. Your blank ballot is the card and the digital bits in the memory are the ballot box.

The OSx is the digital cousin of the OS from the TSx side of the family. It still reads your paper ballot, but instead of scantron, it makes a digital image of the selection for a race, say president, and counts the bubbles. The biggest problem this faces is that it relies very, very heavily on correct ballot lengths and whatnot. 55% of the problems on election day dealt with improperly printed ballots that were not perforated correctly or printed properly. The OSx can be set to be very choosy about tolerances, and changing them on election day to allow slightly "out of bounds" ballots is unacceptable. It sports the same motherboard as the TSx, so it will also have two PCMCIA slots and uses the same memory card. It also uses the security keys, but only for being able to recognize the supervisor/CA cards.

All of these machines have two ways of uploading their data. The x-variants, since they are Windows CE, use RAS to connect to the central server and upload the results. They can do this via ethernet or modem. The OS must use a dial-up service or serial port.

The transmission of the results and the authentication that said transmission was authentic is the bread and butter of criticisms. Besides attacking the server directly, being able to intercept and rebroadcast the "correct" results is the easiest way to steer an election. The training obviously did not deal with this, but I surmised it from various areas, such as each printout including a SHA key (except for older OS firmwares) and the server's receiving settings.

Before the firmware update, the only thing I can surmise is that there was either no encryption or a standard key used to decrypt it. If you want to intercept the transmissions and rebroadcast, it would be trivial for a phreaker who knew how the units transmitted data. Simply have the phone lines connected to the server re-routed to you and then rebroadcast your results in the correct format. A man-in-the-middle attack, easily done.

Since then, it looks like Public/Private security keys have been implemented. The data is transmitted using x-bit keys with RSA-SHA1 or SHA2. If you want to authenticate each client, simply generate the keys on the server and load them onto the memory cards that are in the unit. Your trust network is already known beforehand and you can safely discard any other transmissions. Of course, this all comes down to one point of failure....the GEMS server.
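The two paragraphs above contrast an unauthenticated results upload with one where the server knows each unit's key in advance. The model below is an added example, not GEMS/PES code and not the author's, showing both sides of that contrast. The post says the patched firmware uses RSA-SHA1/SHA2 with per-unit keys loaded onto the memory cards; to stay on the standard library this model swaps in HMAC-SHA256 with a per-unit secret, which is a different primitive but the same trust model: every legitimate unit's key is provisioned before election night and anything else is discarded. The wire format, unit names, totals and the per-unit upload counter are all constructed for the example.

```python
"""Results upload with and without authentication, as the post describes it
(added example; not GEMS/PES code).  The post says the patched firmware signs
per-unit with RSA-SHA1/SHA2 keys loaded onto the memory cards; this model uses
HMAC-SHA256 with a per-unit secret instead so it runs on the standard library.
The trust model is the one the post gives: the server knows every legitimate
unit's key before election night and discards anything else.  The wire format,
unit names and totals below are constructed for the example."""
import hashlib
import hmac
import json
import os


def legacy_report(unit_id: str, totals: dict) -> bytes:
    """Pre-2006 style: plain results, nothing to check."""
    return json.dumps({"unit": unit_id, "totals": totals}, sort_keys=True).encode()


def legacy_receive(wire: bytes) -> dict:
    """The old server believed whatever came down the phone line."""
    return json.loads(wire)


def signed_report(unit_id: str, unit_key: bytes, seq: int, totals: dict) -> bytes:
    """Unit side: body + tag.  seq is a per-unit upload counter so a capture can't be replayed."""
    body = json.dumps({"unit": unit_id, "seq": seq, "totals": totals}, sort_keys=True).encode()
    tag = hmac.new(unit_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


class Gems:
    """Server side: per-unit keys provisioned before the election."""

    def __init__(self, trusted_units: dict):
        self.trusted = trusted_units   # unit_id -> key
        self.seen = set()              # (unit_id, seq) already counted
        self.totals = {}

    def receive(self, wire: bytes) -> str:
        try:
            body, tag = wire.rsplit(b"\n", 1)
            msg = json.loads(body)
            key = self.trusted[msg["unit"]]
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed or unknown unit"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"
        if (msg["unit"], msg["seq"]) in self.seen:
            return "rejected: replay"
        self.seen.add((msg["unit"], msg["seq"]))
        self.totals[msg["unit"]] = msg["totals"]
        return "accepted"


def mitm_rewrite(wire: bytes, new_totals: dict) -> bytes:
    """Phreaker on the re-routed line: swap the totals, keep the rest intact."""
    parts = wire.split(b"\n", 1)
    msg = json.loads(parts[0])
    msg["totals"] = new_totals
    body = json.dumps(msg, sort_keys=True).encode()
    return body if len(parts) == 1 else body + b"\n" + parts[1]


def demo() -> dict:
    real = {"A": 120, "B": 95}   # constructed totals
    fake = {"A": 95, "B": 120}
    # Old firmware: the swap is invisible to the server.
    legacy = legacy_receive(mitm_rewrite(legacy_report("OS-07", real), fake))

    keys = {"TSx-01": os.urandom(32), "TSx-02": os.urandom(32)}  # provisioned before election day
    gems = Gems(keys)
    genuine = signed_report("TSx-01", keys["TSx-01"], 1, real)
    return {
        "legacy_totals_accepted": legacy["totals"],
        "tampered": gems.receive(mitm_rewrite(genuine, fake)),
        "unknown_unit": gems.receive(signed_report("TSx-99", os.urandom(32), 1, real)),
        "genuine": gems.receive(genuine),
        "replay": gems.receive(genuine),
        "server_totals": gems.totals,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the model does and does not buy you: a pre-provisioned per-unit key lets the server reject forged, altered, unknown and replayed uploads, but exactly as the post goes on to say, the whole thing stands or falls on the machine that holds the trust list.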

GEMS stands for Global Election Management System. It allows a county to set up, organize, lay out and print ballots. It allows precincts, vote centers and machines to be created and managed. After loading up the machines, it will receive results from said machines on election night. You set up however many OS, TSx, OSx machines are at a precinct. This requires MS Server '03 at least. The way the server receives results is via a "digibox" multiplexer connected to however many modems the county wants to support. The only connection to the outside world the server has is those modems.

You want to bring the election results to a crawl? DoS phone line attack all of those numbers. The county will be forced to bring every machine in and manually upload the results. Not too bad for a small county, but when you have one GEMS server and, say, an entire metropolitan area....yeah. It can get really bad just with all the units trying to phone it at once. Imagine what a concentrated denial attack could do. Counties can mitigate this by having only one machine type for every machine in the precinct upload the results via accumulating, but the issue still stands.

The last and most ancient way of messing with the election is manually entering ballots into the GEMS server. Keep in mind that it would be fucked up if you could actually get away with it without anyone noticing, but you simply click on the machine that "couldn't" get the right results and add the ballots and their results in. GEMS keeps an audit log of every action, such as that, but I guess if you can access the GEMS server to do this, logs aren't an issue.

What would also be interesting is if a bug were exposed in the dial-up or RAS setup of the GEMS server. I shudder to think of a buffer overflow that brings a machine down being executed on every machine across the states......yikes. Again, the solution is to disconnect the server from the outside and manually upload results. If you can compromise the server, though, and handle working over speeds of less than 56k, all the better.

You'll notice I didn't talk about the AutoMARK. Simply put, no one is going to be carrying out fraud on a machine that marks ballots for the severely disabled. The machine is kept around more for ADA compliance than actual use. Most ADA folks either get assistance from poll workers/watchers or use the touch screen. The ballot isn't counted by it in any way. It just marks it for the OS(x) to read.

Lastly, the techs supporting these machines are often those out of work, too stupid to get an actual job, or who can't afford to retire (there were a few guys who fondly remember the "Ma Bell" years). There are full-time employees that serve as election day techs, but most onsite or telephone support is done by guys who are contracted via a placement service. That is, if the county pays for those services. At the very least, they'll probably keep the nationwide tech support.

Who you get is whoever is available a week before the election for training. I was able to do it since, hey, I had some free time and this sounded interesting. Read an earlier post if you wonder why.

Pretty much, as long as you can do the most basic of basic call center support, you can do this job. Not well or even acceptably, but you can do the job. The testing to "weed out" the worst involves an open book test that is the exact same as an earlier practice test. We had someone manage to make less than 80% on the test.

Well, I hope you enjoyed reading this and understand more about the voting machines you use.

If you want to start making a difference and help keep these machines from breaking or other stupid stuff, PLEASE PLEASE volunteer to be a poll worker. The people that do it now are often retirees that are 60+ years old and have very limited technical experience.

I know the pay isn't great and you'll have to take vacation to do it but, at some point, we younger folk HAVE to help out. When you raise concerns to the Supervisor of Elections, you will be someone who has actually worked with the machine, not some whiny voter. Plus, you'll get some great food.
