By Ernest A. Canning
“I worry that what we have here in Georgia is the Titanic Effect,” Georgia Tech Computer Scientist Richard DeMillo observed, regarding the myriad security issues revealed during the course of last month’s U.S. House Special Election in Georgia’s 6th Congressional District.
“Georgia officials are convinced the state’s election system cannot be breached. Shades of the ‘unsinkable ship’. They have neglected to give us life boats…a fail-safe system designed so that in case of a catastrophe Georgia voters can easily verify that reported vote totals match voter intent. It is the sort of common-sense approach that first-year engineering students learn. Other states have that capability. Inexplicably, Georgia does not,” DeMillo said in a statement quoted in support of a legal challenge filed contesting the 100% unverifiable results of the June 20 contest.
The computer scientist’s concerns are hardly the first expressed about Georgia’s absurd voting system. In fact, they cap well over a decade of chilling revelations, shocking vulnerabilities and dire warnings issued from the community of experts who have examined the Peach State’s voting system, including a number of those who installed it in the first place back in 2002.
For election integrity advocates, the allegations set forth in the July 3 complaint (Curling II) — filed by the Coalition for Good Governance and a multi-partisan (Republican, Democratic and Constitution Parties) group of electors — should be enough to make their hair stand on end. That’s especially true as it relates to official intransigence and even outright hostility towards computer scientists and researchers who revealed critical vulnerabilities within the state’s 100% unverifiable and Orwellian-named Diebold “AccuVote” TS touch-screen voting and tabulation system.
Curling I involved an earlier unsuccessful effort, filed just prior to the election, to secure a temporary restraining order that would have compelled Georgia to use paper ballots during what had become the most expensive U.S. House race in American history.
With the exception of a relatively small number of verifiable paper absentee ballots, Georgia 6th Congressional District electors were forced to cast their votes into electronic black holes. The result: an “election” in which Republican Karen Handel reportedly defeated Democrat Jon Ossoff 51.9% to 48.1%, despite almost all pre-election polls predicting an Ossof win, with some surveys finding the Democrat with a 7 point lead over his Republican opponent. The touch-screen “victory” for Handel, the state’s former Secretary of State, is now being contested in Curling II precisely because the reported results were produced by a wildly vulnerable and 100% unverifiable e-vote tabulation system.
As Brad Friedman accurately reported in his first BradCast following Election Day, the results “may be absolutely right or completely wrong…Nobody knows for certain either way…[What we] do know, according to the state’s reported results, [is] that Democrat Jon Ossoff defeated Republican Karen Handel in GA-06 by a nearly 2 to 1 margin on the only verifiable ballots used in the race, the paper absentee mail-in ballots”.
Privatization, the “patch” and the “Diebold Cover Girl”
For those interested in the Election Integrity movement, it is deeply troubling how few people are acquainted either with the Velvet Revolution interview of Chris Hood, a former Diebold contractor turned whistleblower, or with “Will the Next Election be Hacked,” an explosive investigative piece by Robert F. Kennedy, Jr. which appeared in the Oct. 5, 2006 edition of Rolling Stone.
RFK, Jr. reports that Hood had been present in May 2002 when officials from the office of Georgia’s then Secretary of State, Democrat Cathy Cox, signed a contract with Diebold. At the time, the company was the world’s third largest seller of ATMs. But, Diebold was a novice in the voting machine business, having just acquired Global Election Systems.
Of nine bids for the Georgia contract, Diebold’s was the highest. But, Diebold’s lobbyist was Democrat Lewis Massey, who had preceded Cox through the revolving door as Georgia’s Secretary of State.
In May 2002, Cox announced, according to Andrew Gumbel at the Huffington Post, that she’d entered a contract in which Diebold was to provide equipment, software, training and support at a cost of $54 million. But that was only for the first year. In subsequent amendments, however, Cox committed to paying between $10 million and $20 million more than that.
Brad Friedman later dubbed Cox the “Diebold Cover Girl” after her mug appeared on the cover of a Diebold sales brochure.
RFK, Jr. reports that the 2002 contract required that Diebold install the entire system in five months. According to Hood, this was a “very narrow window of time” that could be met only if Diebold “had control over the entire environment.” And that is precisely what took place.
And, with that, RFK Jr. reports, Georgia’s entire electoral system was instantaneously privatized. “The company was authorized to put together ballots, program machines and train poll workers across the state — all without any official supervision. ‘We ran the election,’ says Hood. ‘We had 356 people that Diebold brought into the state. Diebold opened and closed the polls and tabulated the votes’.”
Diebold, however, did a bit more. In August of that year, Bob Urosevich, then President of Diebold Elections Systems, personally provided Hood and other Diebold employees with a memory card “patch.” Urosevich said it was software intended “to fix the clock in the system, which” Hood says, “it didn’t do.”
Hood told RFK Jr., “It was an unauthorized patch, and they were trying to keep it secret from the state. We were told not to talk to county personnel about it. I received instructions directly from Urosevich.”
Hood claims Diebold covertly altered software in some 5,000 Diebold “AccuVote” TS touch-screens in two heavily Democratic counties. Diebold employees, who had a “universal key” to all of the machines, evaded detection by performing the task early in the morning.
The whistleblower added: “There could be a hidden program on a memory card that adjusts everything to the preferred election results. Your program says, ‘I want my candidate to stay ahead by three or four percent or whatever.’ Those programs can include a built-in delete that erases itself after it’s done.” (Ironically, “between three and four percent” was the margin of Handel’s June 2017 touch-screen “victory” on the very same machines, still in use in the state 15 years on.)
As reported by Atlanta Progressive News at the time, Hood’s account provided independent confirmation of allegations made by another former Diebold employee, Ron Behler, who informed election watchdog organization Black Box Voting that “there were several patches illegally applied on Georgia voting machines in the lead-up to the 2002 elections and that efforts were made to prevent the State from learning about them.”
Inexplicable 2002 results
While RFK Jr. acknowledged that it is “impossible to know” whether the ensuing GA election was stolen, the November 2002 election produced another of those statistical anomalies that have become so common place in modern American elections, particularly where 100% unverifiable e-voting systems are involved.
“Six days before the vote, polls showed Sen. Max Cleland, a decorated war veteran and Democratic incumbent, leading his Republican opponent Saxby Chambliss…by five percentage points.” The 100% unverifiable Diebold system declared that Chambliss received 53% of the vote to Cleland’s 47% — a twelve-point turn around.
In the Governor’s race, the same statewide polls showed Democrat Roy Barnes leading by a whopping 11% before the election. The Diebold Direct Recording Electronic (DRE) touch-screens declared that his Republican opponent, Sonny Perdue, had won 51% of the vote.
Ignoring the U.S. CERT alert and the Princeton hack
In August 2004 the U.S. Computer Emergency Readiness Team (U.S. CERT), a division of the Department of Homeland Security (DHS) issued a medium security alert. They’d discovered an “undocumented backdoor” in the Diebold election system that would provide access, either remotely or locally, by which an unauthorized user could maliciously modify the vote.
According to a company whistleblower, whom Friedman dubbed “Dieb-Throat” when breaking the exclusive story in 2005, “Diebold’s upper management was aware of access to the voter file defect before the 2004 election, but did nothing to correct it.”
In 2006, an Ed Felton-led team of Princeton University computer scientists demonstrated — in the very first independent tests of a Diebold DRE, provided to them by Velvet Revolution (a good government group co-founded by The BRAD BLOG) — that one individual, with as little as one minute’s access to a Diebold touch-screen machine, can use a memory card to insert a virus that would spread throughout the entire system, from machine to machine, in order to undetectably flip an election.
The results of the “Princeton Hack” received national attention following Friedman’s scoop when Felton appeared on CNN. A full-length video in which Felton demonstrates how fraudulent results can be produced is available here.
As Felton recently observed in an affidavit supporting the Curling II complaint, it is easy to spread the virus from machine to machine via the memory cards “even though the machines [are] never connected to any network.”
Yet, in 2007 Republican Karen Handel, then serving as Georgia’s Secretary of State, certified the state’s 100% unverifiable Diebold system as safe and accurate — a decision that markedly contrasts with the 2007 decision by California’s Democratic Secretary of State Debra Bowen to decertify Diebold touch-screens after a “top-to-bottom review” substantiated that the system was vulnerable to wholesale, yet undetectable electoral theft as well as unintended, systemic failures.
Handel’s certification and Georgia’s continued use of its vulnerable and 100% unverifiable touch-screen voting system also markedly contrasts with a 2006 Maryland House vote (137 – 0) to ban the use of the Diebold touch-screens. Maryland had first adopted the same systems in 2002 along with Georgia, as the first two states in the nation to use such systems statewide.
One of the core assertions set forth the Curling II complaint is that under the Georgia constitution, electors have a right “to know that their votes will be accurately recorded and counted” and that, by statute, Georgia’s Secretary of State has a duty to re-examine the voting system and “file an official report upon the request of ten or more electors…If the reexamination shows that the system ‘can no longer be safely and accurately used’ then the approval of the system ‘shall be revoked by the Secretary of State.'” The complaint adds that, per a separate Georgia statute, “if the use of voting machines is not possible or practicable…paper ballots shall be printed.”
The Curling II complaint alleges that, despite receipt of a written statutory elector demand, and multiple warnings from computer scientists about systemic vulnerabilities, Georgia’s current Republican Secretary of State Brian Kemp, in office since 2010, has failed and refused to re-examine the system to determine whether it should be decertified. Plaintiffs seek an order compelling the Republican Secretary of State to do just that.
Silencing the Lamb
“It would be best if you drop this now,” Merle King, the executive director of Kennesaw State University’s Center for Election Systems (CES) allegedly told Logan Lamb after the cybsersecurity expert had reported a major security breach to King. “The people downtown, the politicians…[will] crush you.”
CES is the entity that, at a cost of $750,000 per year, assumed the responsibility for testing and programming the entirety of Georgia’s electronic voting, voter registration and vote tabulation system for each and every election.
As revealed in June by Politico’s Kim Zetter, in August of 2016, Lamb, a 29-year old former cybersecurity researcher at the U.S. Oakridge National Laboratory, logged onto the CES website. His concerns about cybersecurity in that instance had been triggered by an FBI report about Russian hacker intrusions into local election databases.
Hoping to retrieve a few documents that would facilitate an understanding of the security procedures at CES, “Lamb wrote an automated script to scrape the site” and left for lunch. “When he returned,” Zetter reports, Lamb “discovered that the script had downloaded 15 gigabytes of data”, a “mother lode” that included “registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day,” and access to the database of GEMS, the computer system which, among other tasks, is used to “tabulate votes and produce summaries of vote totals.”
In his June 30, 2017 sworn affidavit, appended to the Curling II complaint, Lamb reveals that the ease by which he retrieved this data was due to the fact that the CES website was still using a 14-year old Microsoft Windows version of Drupal, a content management system, vulnerable to an exploit called drupageddon. “Using drupageddon, an attacker can fully compromise a vulnerable server with ease. A public advisory for drupageddon was release[d] in 2014, alerting users that attackers would be able to execute, create, modify and delete anything on the server,” Lamb’s affidavit explains.
The affidavit also reveals that included amongst the materials he’d downloaded from the CES website were “multiple training videos. One of these…instructed users to first download files from the [CES] website, put those files on a memory card, and insert that card into their local county voting systems.”
Where the 2006 Princeton Hack established that a lone malicious actor with as little as one minute’s direct access to a Diebold touch-screen machine could implant a virus via a memory card that could undetectably rig an entire Diebold touch-screen election, Lamb discovered, according to his sworn affidavit filed last week, that a malicious hacker, using the Internet, could gain “control of the [CES] server [and then] modify files that are downloaded by the end users of the website, potentially spreading malware to everyone who downloaded files from the website.”
Lamb notified King, CES’ executive director, via an August 28, 2016 email, the extent to which the CES system at Kennesaw had been compromised. While, according to the Curling II complaint, King warned Lamb that he’d be “crushed” by “the people downtown, the politicians” unless he dropped his investigation, there is nothing in Lamb’s affidavit to suggest he was intimidated. Instead, Lamb states that he “dropped” the matter after King assured him “that the issues would be remediated.”
It wasn’t until late February, 2017 — some six months after he’d warned King — that Lamb learned from a colleague, Chris Grayson, that CES had failed to remediate these critical security issues. Lamb noted in his affidavit that he then used a “tweaked” script, which not only downloaded the information he’d previously obtained in August 2016 but also downloaded subsequent files, including password memos for the November 2016 General Election.
Thus, as observed in the Curling II complaint, “from at least August 2016 to March of 2017 — a time period that overlapped with known attempts by Russia to hack elections in the United States — CES left exposed for anyone on the Internet to see and potentially manipulate: voter registration records, passwords for the central server, and election related applications.”
The perfidy of Brian Kemp
Georgia’s Republican Secretary of State Brian Kemp, soon to be a candidate for Governor, has done much more than simply ignore the warnings of computer scientists and a formal request from the requisite number of electors to reexamine the state’s vulnerable and 100% unverifiable touch-screen voting systems.
In an op-ed published by USA Today just one day before the Curling II complaint was filed, Kemp wrote that he had “worked tirelessly to ensure that [Georgia’s] elections are secure, accessible and fair.” The Peach state’s “voting systems,” he proclaimed, “are diverse, highly scrutinized and not connected to the Internet.” Kemp claimed that the only real threat to election integrity in his state is “the news media’s obsession with Russian meddling.”
But neither Lamb nor computer scientists like DeMillo and Felton were alone in their assessments that Georgia’s system — using outdated versions of Microsoft Windows, with vulnerabilities heightened by CES’ centralized functions — had indeed been vulnerable to a malicious Internet hack.
The Curling II complaint reveals that on March 1, after notifying Lamb that CES had not remediated its Internet vulnerability, Chris Grayson notified another colleague and KSU faculty member, Andrew Green.
As revealed by an April 18 “Incident Report” (appended as Exhibit “C” to the complaint) — a report that was issued on the same day as the GA-06 primary in April, in which Ossoff narrowly missed a majority win against 16 primary opponents — Green reported the “breach of data” from the CES server to the Kennesaw State University Information Security Office (“ISO”).
Within one hour, ISO was able to “confirm” Lamb’s allegations. “One day later,” the Curling II complaint observes, “the ISO seized CES’s server to preserve evidence ‘for later analysis and handoff to federal authorities’.”
The “Incident Report” attempts to shunt aside CES’s failure to immediately remediate the system’s Internet vulnerabilities, after they were first reported by Lamb on August 28, 2016, to a “poor understanding of the risk.” But it is clear that just as soon as anyone at KSU, outside of the CES, discovered the breach, the university fully understood the seriousness of what had occurred. So much so that, on March 30, KSU employees, who personally saw fit to meet with both the FBI and U.S. Attorney, included not only representatives from the ISO and CES but also KSU’s legal counsel and then KSU president Sam Olens. Olens, a Republican, had previously served as Georgia’s Attorney General.
But where the KSU ISO immediately recognized the need to preserve evidence for federal authorities, in August 2016, despite FBI concerns about possible Russian cyber intrusions into state and local election systems, Kemp “refused” to accept a Department of Homeland Security offer to assist states in securing the integrity of their respective election systems, according to the Curling II complaint. Kemp, the complaint alleges, claimed that the DHS offer amounted to an attempt to “subvert the Constitution to achieve the goal of federalizing elections under the guise of security.”
UPDATE 7/19/17: On July 14 — the same day this article was initially published by the BRAD BLOG — The Atlanta Journal-Constitution reported that, at a cost of $815,320 Secretary of State Brian Kemp entered a “final contract” with the Kennesaw State University Center for Election Services (CES) that will transition CES’s responsibility to program and test the entirety of Georgia’s unverifiable touch-screen voting system from CES to the Office of the Secretary of State, which Kemp claims “equipped, trained and tested to handle these tasks in-house.”
The article explicitly cites the “security lapses” discovered by Logan Lamb and the Curling II complaint, but adds: “There is no evidence that the state’s system has been compromised“.
The linked June 12 article, however, reveals that this matter-of-fact assertion that the system had not been compromised amounted to nothing more than an unsubstantiated claim made by Georgia election officials. At that time, Kemp boldly proclaimed: “There’s no evidence that our system is not working correctly…They haven’t been hacked, they haven’t been infiltrated.”
In truth, the system had, in fact, been “infiltrated” by Lamb and others. That means the system had been “compromised.”
The core assertion presented in Curling II is that there is simply no way to know whether the official counts produced by the 2016 and 2017 elections were valid. What we do know is that a malicious hacker, irrespective of whether they were Russian or any other nationality, could have exploited the system’s vulnerabilities to import a virus via the memory cards that could have altered the vote totals, yet remain undetectable because, as Chris Hood long ago observed, the memory card program can include a “built-in delete that erases itself after [its nefarious task] is done.”
Moreover, as demonstrated by the Princeton Hack, even if the Secretary of State’s office should tighten security with respect to an external hack, that would not eliminate the fact that an election insider could undetectably implant a virus into the memory cards capable of rigging an election. Next year, when Kemp runs as a candidate for governor, his office will have not only direct access but the responsibility to program those memory cards, once management of the system is transferred from CES to the Office of the Secretary of State.