Q: Please respond to my assessment of your *Hack the Vote*
analysis:
A: Hey Brian,
Analysis? Hey, you can't spell analysis without "anal", so I took
a look at your debunking to see what you came up with.
<Flame On>
Frankly, I would expect better from the CEO of a computer
consulting company. You may know Internet Explorer, but your
security knowledge is a bit marginal, at best. Considering that you
develop for IE, that's very alarming. It's a shame that the people
that you're trying to convince might never see this reply. They
should.
Even though it seems that you're trying to build a bulletproof
case defending these terribly poor systems, you really sound like
you just don't want it to be true. I understand that.
I don't want it to be true, either.
The problem is, you chose to attack me using technical
information, and in saying that there's no problem you are going up
against EVERY computer security expert in the country. Now honestly,
which is more likely - that they're ALL wrong, or you're in the
middle of some denial issues?
I don't know your reasons for defending the sorry state of our
voting system's security, but EVERY information security
professional in the country disagrees with you. Do you think that
leans toward your argument being correct?
Here are a couple of links to other security pros' statements.
Check them out.
By the way, thanks for the lessons in computer security :-) It
was cute. I'm sure that you think you know Hacking the same
way I think I have a great singing voice. Rest assured, if I wanted
to learn how to write a program to work with Internet Explorer, I'd
ask you, because that's what you do. But
this is what I do. I don't usually like to be
sarcastic in my replies, but please keep in mind that I break into
systems for a LIVING, with a 96% success rate. Do you? If not, then
who could take a lesson from whom?
Sorry, dude, but you're wrong.
However, since you went to so much trouble, I can offer a brief
summary of why.
>>"The GEMS machines were admittedly at the
very least Windows NT 4.0 based systems, and I have direct knowledge
that, at least some, were Windows 2000 based. These do not use the
same useless security as Windows 95/98/Me.
The security is extremely tight
and one would have to have both a username and a password of a user
on that machine who had the appropriate level of access to
manipulate the necessary files."
(I have to admit, I laughed out loud when I read this.)
Your classification of Windows NT and 2000 security as
"extremely tight" is just laughable. Windows NT is only Orange
Book C2 rated for system security, and that is ONLY when running
with BIOS passwords, no network cards, locked cases, and after
removing all bootable floppy/CD drives on a Compaq Proliant. The
GEMS machines were not running this way. The only 2000 to have
any rating is SQL Server 2000. The idea that a username and
password is secure is ridiculous, and the entire industry is
moving away from passwords to biometrics and 2-factor authentication.
Know why? Cause passwords suck. Rather
than go on about Hacking Windows, I'll just refer you to
NTWardoc by Rhino9.
There's a link on my hacks page, and I think that you could benefit
from reading it, as could every newcomer to Windows security. Also,
Google "Rainbow Tables" for a little
more info on why passwords aren't good enough any more.
Also, poll workers very often are not asked for any ID, and tend
to be politically motivated. With physical access, I can root any
Windows machine with a bootable drive (or that supports bootable
USB, which most do now) in under 2 minutes, INCLUDING Active
Directory Domain Controllers. Total local or Domain admin. I'm not
saying that's part of the e-voting issue, but "extremely tight"
systems don't get rooted that easily.
If Windows security is "extremely tight", can you tell me why
the average time for an unprotected Windows machine to be
compromised after connecting to the Internet is 20-40 minutes? I
can. In your analysis, you COMPLETELY left out ANY exploits. Do you
have ANY idea how many critical security patches have been released
since Windows 2000 hit the market? Further, do you have ANY idea how
many holes still exist that haven't been released or patched yet?
Every pen-tester and hacker worth his salt keeps a private stash of
0-day exploits to rely on when systems are patched against "known"
vulnerabilities.
I left exploits out of the analysis because I had to keep it
simple, and because these systems are ridiculously insecure WITHOUT
them in the equation. However, that is a major strike AGAINST
your claims of Windows' vaunted security.
Dude, "extremely tight"? Your Infosec "street cred" hit the
floor right off the bat. Then you started digging.
>>"Generally speaking, to go through
a single prefix will take about 3 days (10 seconds, roughly, per
number). I know this from my days using war-dialers."
Next, I still use wardialers. It's amazing how often they still
work. A friend of mine broke into one of the largest networking and
firewall manufacturers in the WORLD by coming in through a hanging
modem. It takes some time, but why would you wait until the date
of the election? The GEMS machines are up and running long before
then, and the phone numbers don't change between elections.
>>"Simply not as easy as he made it sound,
huh?" - I guess this indicates that you're passing this
around to some friends or <shudder> clients and telling them I'm
wrong? I've gotta ask - what is your agenda in wanting an insecure
voting system? Or are you lashing out because you don't want it to
be true? I feel pretty sure that they'll never see this reply.
That's a shame.
<sigh> Pressing on....
>>"The JResultClient is not a program in
and of itself. It is simply a set of Java Class files which must be
compiled and run. This is intended to be done via the virtual
machine that is included with all popular web browsers."
Yes, we call that an "applet", since there's no Main method. But
it CAN run by itself, since jview.exe IS a program in and of itself.
Here's the path to run the JResultClient:
C:\WINNT\system32\jview.exe JResultClient
>>"The JResultClient does not have the
capability to allow a user to gain access directly to the data at
all, let alone manipulate it."
I never said that it did. I said that if you install a
firewall, you cannot make remote JResult queries. That would be due
to the "Firewalling" effect of the "Firewall".
This blocks ports. Ports are what computers use to talk to each
other. "Firewalls" block them.
>>"Keep in mind, also, that this would
require that the GEMS system be running web server software as
neither the GEMS software itself nor any component of the software
is capable of performing this task."
Windows 2000 runs IIS by default. That's how "extremely tight"
its security is. Jeesh.
>>"If a drive is not shared, there is NO
level of hacking that can access the system via this method. The C$
administrative share simply will not allow the level of access
necessary to manipulate the database files."
OK, now you're just embarrassing yourself. Map or browse
to C$, and you can access every file and folder there. Any junior
network admin knows this (or should). The C$ is NOT just an
administrative share, it is a FULL network drive share. I'm going
to say this again - THE C DRIVE IN WINDOWS 2000 IS FULLY SHARED BY
DEFAULT. Not just admin shares, the whole drive. The admin shares in
2K are IPC$ and ADMIN$. Jesus, try some
of this in person before you go spreading this shit, will ya? I
can't believe I'm spending my time teaching you this. And your
company offers "Network and Security Services"?
>>"Even the best hackers in the world would
still be working on getting into these systems. It simply could not
have been done in one night."
It is common practice for penetration testers to gather 2-8
people in a "war room", each with specific objectives. By targeting
regional voting centers, any decent team could probably have pulled
it off as outsiders. If they were insiders and had actually designed
and built the systems (Good Lord, do you trust Diebold?) it would
have been a cakewalk. Automate it with a couple of scripts or
trojaned driver files and call it a night. NONE of the
certifications for these voting systems TOUCHED the operating system
and the thousands of files that could be trojaned to create a
backdoor. There are so many potential ways in that nobody can list
them all. A couple quotes:
"16. According to a statement by the Supervisor of Elections on
November 17, 2004, the GEMS computer is not networked, and is "stand
alone." The furnished computer logs show evidence of at least two
attempts to remotely access the GEMS central tabulator, which is
claimed to be secure. A computer screen shot printout on November
17, 2004 (found in the trash) shows that the GEMS computer at that
time had two networked hard drives."
--From a lawsuit recently filed in Volusia County, FL.
"After Harris met Thompson at the Defcon hacker conference this
year, she asked him to examine the GEMS program. He found he could
write a five-line script in the Notepad text editor that would
change the vote summaries in GEMS without changing the raw precinct
data. The auditing log in GEMS wouldn't record the change because it
only tracks changes that occur within GEMS, not changes that occur
on the computer outside of GEMS."
--
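An added illustration of the audit-log point in that last quote (example code written for this page, not Diebold's or the GEMS software; the Tabulator class, file names and vote lines are constructed stand-ins): an application-level audit log only records edits made through the application, so an independent hash baseline kept off the machine is what exposes a change written to the database file from outside it.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash in chunks so a large database file need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths):
    """Baseline digests, meant to be kept off the machine being checked."""
    return {p: sha256_file(p) for p in paths}

def unexplained(baseline, paths, log_before, log_now):
    """Files that changed on disk while the app's audit log recorded nothing."""
    changed = [p for p in paths if baseline.get(p) != sha256_file(p)]
    return changed if log_now == log_before else []

class Tabulator:
    """Constructed stand-in for an app whose log sees only its own edits."""
    def __init__(self, db_path, log_path):
        self.db_path, self.log_path = db_path, log_path
        with open(db_path, "w") as f:
            f.write("precinct1,A=100,B=50\n")
        open(log_path, "w").close()
    def set_summary(self, line):
        with open(self.db_path, "w") as f:
            f.write(line + "\n")
        with open(self.log_path, "a") as f:
            f.write("app edit: " + line + "\n")
    def log_count(self):
        with open(self.log_path) as f:
            return sum(1 for _ in f)

def demo():
    """One edit through the app (logged), one by plain file write (not logged)."""
    d = tempfile.mkdtemp()
    db, log = os.path.join(d, "results.db"), os.path.join(d, "audit.log")
    app = Tabulator(db, log)
    base, n0 = snapshot([db]), app.log_count()
    app.set_summary("precinct1,A=101,B=50")
    step1 = unexplained(base, [db], n0, app.log_count())
    base, n1 = snapshot([db]), app.log_count()  # re-baseline after review
    with open(db, "w") as f:                   # bypasses the app entirely
        f.write("precinct1,A=50,B=101\n")
    step2 = unexplained(base, [db], n1, app.log_count())
    return {"after_app_edit": step1, "after_external_edit": step2}
```

The in-app edit is reconciled by the log and raises nothing; the direct file write changes the digest with no matching log entry and is flagged.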