Dr. Dill's webmaster confirms: Diebold used CELL PHONE data transfer

GregD, who sometimes posts here at DU, arranged for a friend to assist as an official pollworker. He has posted several interesting observations at http://www.BBVreport.org.

For a little background -- let's start with my conversation today with the California Elections Division. I told them that the memos show that Diebold has used cell phones to transfer vote results.

"That's not certified!" he said indignantly (and doubtfully).

Yup. I know.

"Not in California they haven't," he said, after a stunned pause.

Yes, they have. In Marin and Tulare Counties, according to the Diebold memos that no one wants you to see. He was silent for a long time, and I told him where to find the memos.

==============================

Tom Flocco was the first writer to break this story publicly, which he did yesterday (http://www.tomflocco.com):

Diebold sales representative Steve Knecht wrote on April 12, 2000 that "We are using cell phones in Tulare and Marin ," while also introducing a rather curious, unfamiliar electronic election official called a 'rover:' "Rovers are the ones who are given the cell phone with the modem for end of night totals upload, not the precinct worker, at least in these two locations."

Guy Lancaster, Diebold software programmer, wrote on April 12, 2000, regarding cell phones: "I know of no written instructions," leading us to wonder if there were rules and traceable documentation, or why cell phones were being used in the first place ...

...Also, we did not have to dial the phone manually; the AccuVote did that just as if it was connected to the wall jack." Rivera reports that "On the new cells, they have an adaptor for connecting your lap-top to the internet with an RG-11 connector available. This will also do the trick."

So now we have private cell-phones, lap-top computers--and rovers, ostensibly uncertified by any government authority--but no one has reported or documented how or if this "add-on" equipment or the individual rovers are registered, tested, certified, identified--or secured by state or federal authorities prior to an election...

On April 17, 2000, Guy Lancaster wrote more about the Diebold AccuVote internal modem: "We use what's called 'blind dialing' (ATX0) which means that it'll dial with nothing plugged into it. Thus if the AV won't work without this Dial Tone Emulator, then it's doing something in addition to providing a dial tone." But Lancaster didn't get into what other actions he thought the software was affecting.

============

Okay, now let's take a look at what GregD discovered in Marin County yesterday. I am awaiting a more detailed write-up from him --

"Ok, I have some news...

"For starters, this election has taught us some lessons. We need to make sure that we have our own people in every precinct possible - along with exit-poll staff and observors at the close of polls. They need to be trained in advance, they should be provided written materials that document what to watch for, and essentially equipped to be our eyes and ears.

"I just finished a lengthy phone call with a friend who worked at my precinct, and she has agreed to write as much detail as possible - then send to Bev. Basically, the people there (however well-intensioned) were ill-prepared for the task, were unaware that this e-voting controversy even exists, and some other issues which will be in the written report.

"The pieces that were most interesting were these:

"1) Over the course of the day, the power cord for the scanner fell out of the wall 3 times. Yes, the power was disconnected repeatedly. Is the memory of votes lost in this case? Anyone know? The final resolution was to obtain a extension power cord and plug the power into a socket that did not allow the plug to fall out.

"2) At the end of the day, the "head" of the scanner was removed from the base. It was connected to some sort of cellphone for transmitting the results. Shocked, I asked her to repeat this: it appears that this phone was NOT connected, nor was the scanner connected to the landline that I observed in the polling place earlier in the day. It was wireless...

"During the transmission process, errors occurred. The phone apparently reported that a ballot was "stuck" in the reader. The precinct folks confirmed that this was not the case. There was a phone call placed to some "support number" which turned out to be a bad number. The lead precinct worker happened to have another phone number, reached some unidentified (to my friend) person, and eventually resolved the issue after a lengthy delay..."

==================

According to Mark Radke of Diebold, quoted in the Akron Beacon Journal, in an article by Erika D. Smith -- if someone intercepts the vote data, they'll "only be getting the unofficial results."

And apparently, the uncertified-transmission method results.

I spoke to my friend again this afternoon and asked further about the "power off" situation, and what was done. She was present for the (apparently lengthy) end-of-day process.

They ran a tape, and tried to balance it to the number of voters that arrived, and it was off by a few (like 3-4). So the issue of the power cord disconnecting during the election may be a non-issue. But she was VERY clear that this was a cordless phone (some sort of folding model) that was attached to the scanner at the end of the day.

I also just posted another report at BBVreport.org. I spotted a guy last night that I knew years ago, listed among the candidates. How does this guy www.richgosse.com get 430 votes? He has 15 here in Marin, 2 in Napa and 12 in Sonoma (both of these are nearby), and the rest are from distant parts of the state away from anyone who likely knows him? Fishy...

GregD

On edit - clarified that the cellphone was connected *only* during end-of-day processing.

the reason the wireless issue and the cell phone issue is so important is that it opens a whole new set of security issues. If one person can pick up the signal on a cell phone, who else can?

The memo that describes how to attach a laptop and Internet connection while picking up votes with a cell phone is particularly troublesome. When you understand that:

1) They say these machines don't connect to anything
2) They say that nothing connects to the Internet
3) They say they do not plug in the modem until day's end
4) Nothing of the kind has ever been certified for use, anywhere, as far as I know, but certainly not in California

This is a wonderful demonstration of the "theory vs. practice" model that junkdrawer was describing. In theory, there are all these tidy security protections. In practice, we keep doing things that are expedient and/or dangerous.

P.S. : Here is the link to the California law that requires result printout to be posted on the door:
http://www.democraticunderground.com/discuss/duboard.php?az=show_mesg&forum=104&topic_id=496859&mesg_id=501567&page=

... just contemplate sound quality by cell phone, and then try to imagine sending data over that same connection--it's one of the reasons why packet cellular is such a pain in the ass--reflected signals, deflected signals, etc. Even without the aspect of loss of security, there's the issue of the signal quality alone.

Cheers.

Why?

Why do it? Can we not plug in a simple modem any more? And what is a wireless modem doing inside an optical scan machine anyway -- especially one that is set to "dial out automatically" looking for a signal?

Think about it, folks.

I mean, if a tabloid newspaper can intercept Princess Diana's love talk with her riding instructor on a cell phone, and they can intercept Prince Charles telling Camilla he wishes he were her tampon, do you suppose someone who has a few billion dollars at stake in an election just might try to intercept that automatically dialed-out message from the voting machines?

I didn't say that - let me make sure you understand.

The precinct leader was provided a cordless phone of some sort. At the end of the day, she pulled the scanner out of the base and moved it to a table. Then the phone was attached (as I understand it) with a short cable.

I do not believe the unit was built into the scanner, nor was it connected during the day.

Greg, I have to pull all the memos on this topic tomorrow anyway. I'll send them to you. I'm not sure the optical scan machines require a physical hookup to the phone, but I'll check on this.

Enterasys
RoamAbout 802.11a Super Rate Wireless LAN Access Point PC Card
Step Up in Wireless Performance, Quickly and Cost Effectively

more...
http://www.enterasys.com/products/wireless/RBTBF-Ax/

peace

What risks are you arguing here? It's relatively easy to listen in on cell phones (particularly the analog phones used in Diana's days) but all that buys an attacker is early access to the election results.

I'm much more worried about how the BBVMs authenticate themselves to the central recording server and vice versa. Since the central server is accessible by a regular dialup call--originating from cellular or landline--the central server must have a reliable way of determining if the calls coming in are from legitimate BBVMs or criminal hackers.

Cell phones connect to the Access Tower with the strongest signal nearby. It is relatively easy to setup a rouge access tower. Once you do this, the cell phone communicates with you. You can then connect the call to your own GEMS server, get the real results, modify them and then call up the real GEMS server yourself and upload your own results. Although an ordinary person can not do this, it is very very easy to do if you have the equipment and the correct information.

I connect to the internet regularly through my cellphone connected to my laptop. Most cellphones (at least Sprint and Verizon) can do this with a $50 kit. The advertised speed is 14.4 Kbps but I've gotten 56K modem speed during offpeak hours. All this does is use my cell minutes. Off peak is unlimited and I've surfed for 2 hours straight (with no disconnects) in motel rooms during off peak hours. Basically, if you can carry a phone conversation, then the internet will work as well.

There is also a pay service available that allows you to connect at 144K (Verizon Express Network). Signal quality is not really an issue. If my phone has 5 "signal bars" it will obviously connect faster than if it only has 1, but normally I can get some sort of connection. I've even connected from Niagara Falls, ON to a US cell site. I traveled the entire country this summer and only had problems with my wireless connection in the most remote places (such as northwestern Nevada).

the last vehicle to use is your cell phone or your mobile phone at home. More easily intercepted. Land line is more difficult to intercept and/or monitor

Assuming that was your point.

Or in one location, say in a hotel room? Also, do you check regularly to see what sort of device errors and the rate of those errors you're getting when you use the cellphone?

Guess things have improved some. We had all sorts of problems doing real-time transmissions with packet cellular modems a few years ago.

Even so, you've just described a good part of all that would be required to manipulate data. Spoof an IP address, intercept, manipulate, dial up and transmit and then boogie on down the road, and no one's the wiser, especially with the failure to follow good security practices that we've seen with both the voting machinery and the elections offices. If they're not even printing precinct status reports, who knows what sort of audit trail they have for uploaded results.

Cheers.

I've had people in my car connect to the Internet while zipping down the PA Turnpike. It will stay connected as long as service is available. Basically, if you can make a call and hold a signal, you can surf the web. I use the free Verizon service that is available to anyone with a Mobile Office kit for their phone. This just uses your minutes (so for me, free on nights and weekends). As for device errors, I'm really not sure. The mobile office software shows only "battery strength" and "signal strength". The software also compresses images and allows you to remove sound and other stuff to speed up data transfer. Text only files transfer at a much higher speed than complete web pages. I've connected to P2P networks such as Kazaa and have been able to download files at around 2-3K and I've also attached digital photos (slowly) to emails.

There is also a 144 Kbps Express Network service that is available for a fee and they have also just launched a 300-500K Broadband service in DC and San Diego. I hope this will help in some way.
http://www.verizonwireless.com/b2c/mobileoptions/broadband/serviceavailability.jsp

Yes, you can intercept a cell phone call on a scanner, but that only works for voice communication. When a computer talks over a phone line or a cell phone, it sets up a two-way communcation with considerable handshaking (ACK/NACK pairs) to keep the connection established. Without this handshaking, the computer cannot interpret the incoming information and gets lost.

You'd also have to be damn lucky to pick the right frequency. AFAIK when a cell phone does an outgoing call, it sends out a broadcast. A cellphone repeater picks up this broadcast and negotiates with the cell phone:

• Whether or not it will take the call at all
  
• What frequency it will handle the call on.
  

There's thousands of frequencies as only one cell can use a frequency at a time.

The concept of hijacking a cell phone frequency is silly. Have you seen the size of cell phone repeaters. Those towers are huge and there's multiple layers of coverage in a city. You don't know for sure the nearest repeater is the one to pick up your call. It's whoever can hear the initial broadcast and has a frequency available.

There is no benefit from listening to the cell phone connection, intercepting and retransmitting is the key. again read my other posts in this thread a lot of people are very misinformed.

There is a finite number of frequencies available per cell site. And that's dependent on the form of encoding used.

A scanner or spectrum analyzer, a computer and some smarts and you've got the transmission. (What's in the packet. A packet is what the data/voice/payload is tranferred in)

60 Minutes apparently did an expose on this a couple years ago showing how easy it was to do.

With the right equipment, right smarts, you can do it.

There ain't nothing secure about it.

(Typing for my more technical SO, who works with frequencies all the time, in many forms)

Another problem is that if you know the cell phones ID number, you can imulate it.

The thing is that once a cell is turned on, it sends out a signel saying "I am here, I am on line." The towers that pick it up will negosate with the other towers to see who has this new signal the strongest, then direct the phone to a stand by freqency to listen to in case their is an incomeing call.

But every now and then, your phone will sent out an "I am here" mesage, and the answer it gets back determens how many bars you see. And part of that is an ID number so the tower knows who you are.

Now if you intercet this, you can set up a fake phone, and imulate that phone. The tower wouldn't be able to tell the diff, and your cell wouldn't know becase its still standing by.

If you can imulate one of these polling phones, than you can set up a fake presint. Consult a list of registerd votors who do not report to the poll, and walla, a rigged election, with no way to question it.

The numbers I have seen today have indecated a record turn out.

Instead of waring a sticker that says, "I voted, I think," perhaps you should hand out stickers that said, "I voted, an didn't know it."

I wonder where all those absentee ballots were counted, and if there were observers present when they were counted. All these shenanigans in the precincts sound pretty bizarre.

We need to get answers on that -- and then we need to see how discrepant it is with other elections.

... who has not been able to get a hard number for total votes cast, or a hard number for provisional ballots.

Cheers.

On edit, the best I can find is a 4-hour-old article in the SF Chronicle, quoting an election official that the number of provisional ballots was "approximately 450,000," about twice normal:

http://www.sfgate.com/cgi-bin/article.cgi?f=/news/archive/2003/10/08/state2131EDT0387.DTL

I find it a bit odd that the number of provisional ballots estimated was the same as the number of absentee ballots yet to be counted, 450,000. That tells me they don't really know, and they won't know until the individual counties begin to do more counting.

The other odd thing in this article is that CA is now saying the running vote total is 8,359,168, yet the numbers haven't changed at all on the SoS site. Taking the highest number of votes counted, the yes/no question, at 7,974,741, that would indicate a spoilage rate (by all means possible) of 4.6%. This is very high, compared to national studies done by the Caltech/MIT voting team.

And so can we...

We come away from this with a lot of information we can use for further research, but it also gives us a vision as to how to prepare for future elections. We should put together a simple textbook that can be used for activist training nationwide, and make sure we have eventually have our own precinct-volunteers everywhere we possibly can.

If our politicians won't assure us fair elections, we do it ourselves and hold their freaking feet to the fire when we find weirdness. And at the moment, it looks like there is plenty of that to go around. It will take a fair amount of organizing to do this thoroughly...

One of the comments my precinct-worker friend said was that she got more training when she was selling dresses at a local clothing store, than what she got for the election. And the woman next to her was clueless: writing incorrect numbers (which my friend spotted and corrected).

We should put together a simple textbook that can be used for activist training nationwide, and make sure we have eventually have our own precinct-volunteers everywhere we possibly can.

We considered the BBVreport.org forum to be a beta test -- thank goodness it wasn't a national election. It went much better than the first time I worked with a live vote problem reporting system, which was for the Nov 5 2002 election.

I think we need multiple ways to help voters know what to look for and where to take the information they learn.

The final chapter of the BBV book is called "Practical Activism" and we need a concise page of the most important things to look for on election day.

We also need such items in a sidebar on the BBVreport page (and/or any other site that does this)

We also need to implement a plan that starts, I'm thinking, no later than December for the state by state presidential primaries.

Anyone who wishes to participate in this, e-mail bev@blackboxvoting.com.

There are many different ways to get the information out, but first we need to decide what information is the most important. I do think that we can get mainstream press support, printing a "what to do" list. (Reporters want to know what to look for too)

Should start a new thread on this -- and certainly over at BBVreport.org site -- my thinking is -- we need to hash out schedule, activities that need to be done a month ahead, what to look for with voter registration issues, polling place vigilance, and a whole set of statistical and bad math watchdog activities.

Bev

.....can you set up a forum specifically for an Election Law Link Library? :evilgrin:
I'm working on separate pages for each state right now. :)

:kick:

A forum called "Take Back the Vote Tool Kit" (recognize that name? It's your wonderful contribution) -- and several sections within this -- for contact lists, laws, and posting of polling places and key links come election time, along with a "what to watch for" section for activists and vigilante vote guarders

Thanks Bev. Let's start by identifying all states with recall laws and target the Secretaries of State and State Elections Directors who are too incompetent to understand the need for transparency in the way our votes are counted. One or two challenges will definitely get the attention of the others! :evilgrin:

that there is a 7 digit, public phone number that anyone can call at any time and upload whatever results they want? The way it sounds to me, one Diebold rep with a phone number and a phony set of results could easily upload bogus results for every precinct in a few minutes.

It can't be that simple, can it?

... yes, it could almost be that simple. Wouldn't even have to be Diebold people themselves. Just someone in the know with an intent to rig the election....

If Diebold implemented no authentication security then yes, it really is that simple.

If the BBVMs authenticate themselves using a good implementation of Kerberos or SSL, then posession of the phone number will not enable an attacker to enter false results.

Anyone know if any of those memos or emails indicate how the BBVMs authenticate themselves to the count server?

but do all machines dial the same number?

Although technology exists to make them that way, it is not a feature which is cost-effective for providers.

A realistic scenario might involve intercepting calls to a reporting number, altering results, then resubmitting the call with ID code intact in near-realtime. Theoretically a transmitter/receiver coupled to a computer could alter results statewide.

I certainly would hope there are.

A realistic scenario might involve intercepting calls to a reporting number, altering results, then resubmitting the call with ID code intact in near-realtime.

How are you going to block the legitimate call from reaching the cell network without taking a big enough hole out of the network the provider's security people swarm out like hornets? The telcos aren't going to care about someone rigging an election, but they will care about someone spoofing their networks and costing them money.

In any case, non-toy authentication between the BBVM and the count server would deal with this issue quite nicely. If the devices securely authenticate each other, then hijacking the link layer won't help an attacker. The real issue here is authentication rather than the physical layer used to transmit votes--RSA-2048/AES over cell is going to be far more secure than straight ASCII over a landline.

... but in Diebold's case, they send straight ASCII on the landline, with a wired modem. I doubt that there's a heavy password protocol--everyone's who's looked at the manuals and user guides has discovered that the passwords are often not changed in the machines and the passwords are in the manuals.

Yes, it's tougher to break in on a cell phone, but if you know phone numbers and passwords and you call first, you get the cigar, not the polling station. The polling station can try again, and that results in some suspicious results. Does GEMS know which set of results are correct? There are memos indicating that the GEMS system got all boogered up when result uploads were attempted more than once.

Or, just as easily, with the spoofing mode, it would be fairly secure, because of the frequency shifts alone, if both ends were on a cell, but they're not. If you're on the other end, tapped into a landline, you can be the host computer, because it's most usually connected to a landline. You don't have to intercept the cell signal. You can just imitate the host from a variety of landline locations.

:nuke:

The other issue in this is programming for relaying (and this applies to both cell and landline modem). If there's a simple number substitution program, then the computer thinks it's dialing one number but dials another, where the results are received, modified, and relayed on the county host computer. That's plausible, too.

Cheers.

You might be able to hijack a few landlines at once; you could potentially spoof thousands of cell calls.

The true potential for abuse lies in ASCII over cell.

Is it just me or are there more BBV threads active on DU today than there have been for ages? And they seem to be floating too... Theres this one... the Bev in the NYT (again) one... DemA's one on the lawsuit... A Crispin Miller one, Hightower one and even one from Truthisall plus several others besides...

Dare I say it but I think people are starting to get with the programme around here...

Well done Greg D... and Bev as always.

Al

morning crew. While I am almost completely technically challenged, what I do understand about all of this scares the bejesus out of me :scared:

Jenn

kick and a kick kick

I suggest everyone read post 31, that is the real danger in using cell phones to transfer the election results. If my explanation is not sufficent I'll elaborate more. Most of you are going on about listening to cell phones, and talking about the cell phone using verizon's internet service to connect then upload results over the internet. This is a very unlikely scenario. The diebold memos and handbooks show that they setup modems in the county offices for the accuvote system to call up much as you would aol, get an address o their private network and upload their results to their GEMS server. This allows for tampering, but only if you have the resources, which would seem the way I would do it if I were going to tamper. It would keep the level of funds needed to rig the election high. If they uploaded it over the public internet any 12 year old could do it. I wouldn't want others to be able to tamper with my tampering.

(I'm not sure you have enough posts to use DU private email -- if so, you can also use that)

bev@blackboxvoting.com

I appreciate your input very much, and have some additional questions for you. (If I don't respond immediately, it's because a granddaughter is taking her sweet time coming into the world; been waiting on it since late last night, and I may be out of sync for bit when she finally arrives)

Thanks again for your input.

Bev

And I have to transmit weekly via my telephone. They INSIST that I use my regular wall phone and not a cordless or cell phone. The information may not go thru properly or basically interference.

I think this is the same as that.

to me. I mean, it matters, but...

Are the machines, ANY of the machines, certified, approved, authorized, to be connecting to a modem EVER? Directly, indirectly, during the day, end of day, wireless, whatever? From what I have seen around here, the answer is no.

Any kind of security or "unofficial results" arguments are somewhat besides the point. The machines are not certified for this process. (Presumably for a good reason.)

Correct me if I am wrong.

After all, it's in both the Georgia sales presentation and the RFP for Georgia, and it's long been part of the programs they have certified. Correct me if you have information to the contrary.

The use of cell phones if very important -- because they provide many more attack modes than land lines (which are bad enough). And they certainly are NOT certified.

Bev

I think I assumed from the vehemence of the official denials that the machines were ever hooked up to a modem or any kind of network, that it must have not been approved.

Also, I was arguing with an acquaintance about this the other day (he was defending the security of the system) and the bottom line of his argument was that the machines aren't hooked up to anything, so no hanky panky possible.

Good luck with all of this. I wish I could help more. I am just too stretched out right now on several fronts. Maybe soon. Although one of those fronts is getting more active in the Dem party, so maybe that will help eventually anyway. :-)

They're proving to be valuable allies in this.

Dammit. I just knew they were going to blackbox the recall vote!

for us to demand outside monitors? I think considering the problems being uncovered, not to mention widespread suspicions, that we need to bring in observers, from a neutral country preferrably, who don't have a political agenda. I feel we can't trust our own anymore.

that is what it takes to program fraud into this software.

http://www.allhatnocattle.net/november92002.htm

In the above link I talk of the TS systems having radio receiver hardware (for example) to pull the TRUE date and time. Cell Phone/ Internet connections for TS all have the same functions.

If you know it is Tuesday Oct 7 2003 and between 8:00am and 7:00 PM, then change come NO votes to YES vote and move some dem votes around... BUT only at that time and date.

Kick!

:kick:

cause I can...

:evilgrin:

....machines had WiFi and land line hook up?

In talking with SO, those wires outside the machines don't have to be very big- or look like what they are at all.

So, if a poll worker goes through the drill to modem in by land lines, but the priority call is via a wireless connection to the central brain....

If WE can come up with multiple ways this could be done, why don't we have stringent rules and checks to keep WiFi OUT of the picutre entirely? I mean, those who want to with the technology and bucks....