A few days ago, someone posted a diary about a claim by someone, or a group of someones, claiming to be Anonymous. It contained references to many things I did not understand and I took to the Google in hopes of shedding some light on the matter. Do not worry, I unconvered no conspiracies. However, I thought I would share with everyone what I did find. The more information we have, the better able we will be to judge unsubstantiated claims in the future.
In the interest of not further conspiracy theories, I am not linking to the diary which prompted the following questions.
What was Orca?
Project Orca was the name of a high-tech get out the vote effort created by the Romney campaign. It belonged specifically to the campaign and not to the Republican Party.
"The entire purpose of this project was to digitize the decades-old practice of strike lists. The old way was to sit with your paper and mark off people that have voted and, every hour or so, someone from the campaign would come get your list and take it back to local headquarters. Then, they'd begin contacting people that hadn't voted yet and encourage them to head to the polls. It's worked for years." 1The project envisioned poll watchers equipped with smart phones. The volunteers would note who came into vote using a web based application that they could access with their phones. After logging into the website, they would be able to access a list of all the eligible voters in the precint. After each individual voted, the watcher would change that person's status from "not voted" to "voted."
"At campaign headquarters in Boston, other volunteers will be taking all the information sent in by those working with Project ORCA and combining it with consumer data the campaign has purchased about individuals. They will use the data to organize last-minute campaign efforts, including social media outreach, phone-banking and traditional door-to-door visits." 2Over 34,000 volunteers3 were recruited for this effort which failed miserably on election day. A similar project named Houdini failed for the Obama campaign in 2008 while another, somewhat simpler, effort named Gordon was executed by the Obama campaign this year.4
Why were people suspicious of Orca?
Beyond the fact that it was created by the Republicans, I couldn't find any reason.
How does the voting technology work?
According to Douglas W. Jones, a computer science professor at the University of Iowa and an expert on voting technology, in real world situations, the accuracy of most methods of voting is similar, which is about one error in every 10,000 votes. "Increasing spending on elections could improve security, accuracy and ballot design. But jurisdictions try to run elections on the cheap, Jones says, so machine makers operate on thin margins and there is little money for testing."5
In the 2012 elections Ohio used a combination of optical scan and direct recording electronic (DRE) voting systems. The specific machines used varies from county to county. They are Premier Elections Solutions'(formerly Diebold) AccuVote and AccuVote TSX, ES&S' iVotronic, Model 100, DS200 and AutoMark and Hart Intercivic's eScan and eSlate.6
Hart is the company about which the rumours regarding Mitt Romney's son Tagg have circulated which have been deemed false by Snopes. "That close a connection between the Romney family, Romney campaign contributors, and a provider of voting systems may raise some eyebrows, but it doesn't establish any direct ownership link between Tagg Romney and a provider of voting systems."7 The former Ohio Secretary of State, Jennifer Brunner, a Democrat who conducted a study of election security8, said that it didn't "look good." However, she also said, "Because we did the study, we were able to put into place a very comprehensive set of procedures to ensure that everything works as it should.”9
The Hart Intercivic eScan was used in only two counties, Hamilton and Williams, and is an optical scan voting system that retains a paper ballot marked by the voter.10 According to the Cleveland Plain Dealer, "Both counties use a paper balloting system in which results are tallied by scanners made by Hart InterCivic. All programming of the machines, diagnostic testing, and vote tabulation is done by elections staff in each county and no vote tabulation is done over the Internet, county election board representatives say. The paper ballots are there as backup and can be recounted with Democratic and Republican party representatives on hand."11
The DREs used in Ohio were equipped with a voter verifiable paper trail. Neither the DREs nor the optical scan are connected to a network.
How are the votes tabulated after the election?
The vote totals for the individual machines are stored on PCMCIA memory cards or similar media.
"Immediately after polls close, poll workers must count the number of electors who voted as shown on the poll books and account for all voted, spoiled and unused ballots. The poll workers also must cause each DRE voting machine or precinct count optical scanner, whichever is used in that precinct, to print results tapes of votes cast on that device.At the county board of elections, the memory cards are placed in a device that reads the cards. The device is connected to a computer which is not connected to the internet.
After the precinct election judges complete the reconciliation process described below and certify the results, they must place all ballots, memory cards or cartridges, poll books and signature lists in containers provided by the board of elections and seal each container. They must transmit at least one copy of the certified summary report along with the containers returned to the board of elections."
"One copy of the election results from each precinct must be posted outside the polling place at the completion of vote-counting. After the county officials determined the result of the official canvass, they must post the certified declaration of the results in a conspicuous place in the board office for at least five days.Ohio is one of only six states that CountingVotes.org ranks as "good", the highest category they have.13
The optical scan county surveyed reported that “[t]he election report is printed and given to everyone who wants it” and that “all pages of the report are posted on the front window of the Election Office.” One of the DRE counties surveyed reported that the unofficial statement of votes cast is posted on line on election night, and can be picked up in hard copy the next day, and that official results are posted on the website 10 days later and are similarly available in hard copy. The other DRE county reported that the canvass report and machine totals are posted “outside [the] office before they leave” and that the results are also posted on line."12
Could the Ohio vote be hacked?
First, let's establish some terms.
What Is Hacking?
"Computer hacking is broadly defined as intentionally accesses a computer without authorization or exceeds authorized access."14In my imagination, and my imagination is not very original in this instance, our evil genius anti-hero is sitting in a darkened room, a glowing screen lighting his face as he types madly on a keyboard. Tap, tap, tap. "Access Denied." His brow knits. Tap, tap, tap. Presto! We're in! He's broken the code!
In reality, the code that's most often broken is a human one. Most hacks are done with "social engineering." You manipulate someone into giving you his or her login information or entice them to unwittingly download a malicious bit of code.15
Many examples of hacking voting machines that I could find involved physical access to the machines. For example, in one demonstration of a machine's vulnerability, the hacker takes a phillips screwdriver and unscrews the cover. He then removes a panel which contains a circuit board. He alters the circuit board and then replaces the panel. After the end of the demonstration, the following words appear on the screen: "A Voter Verified Paper Record would detect this attack!" Remember, the machines in Ohio have voter verified paper records.16
Another example of "hacking" a voter machine was reported by the Brad Blog. He refers to it as low tech an example of social engineering. Election workers waited until a voter walked away without realizing that his or her ballot was not cast because the voter failed to press "confirm vote" on the touch screen. After the voter walked away, the election workers changed the vote. The election officials are now serving time in a federal prison.17 Although technically it fits the definition of hacking, because the criminals had unauthorized access to a machine, it is far from what most of us would call hacking. According to the FBI, the officials also engaged in plain, old-fashioned vote buying.18
In 2006, ArsTechnica published an article entitled "How to Steal and Election by Hacking the Vote." It's a detailed examination of the various vulnerabilities inherent and the different ways the vote can be rigged. In the conclusion the writer states, "If you wanted to steal an election, the best place to drop a bad apple would be at the operating system vendor." In other words, "buy off. . . an individual programmer with access to the right window manager libraries."19 Somehow, I suspect that's easier said than done.
Are there ways of hacking the machines that don't involve physical access?
Since none of the machines involved are connected to a network, the answer appears to be no.
Well, this has all been rather fascinating, but it doesn't fit into the description of what "Anonymous" claims to have done.
What are the rats going through tunnels into the server?
A few basics, and I hope the technophiles among us will forgive me if I try to explain it in the simplest terms I can manage. If you connect two machines that can communicate you have a network. Connecting more than two or three machines directly would get messy. Routers are machines whose main function is to connect multiple machines, this can include computers, printers and other routers, as well as other things. You can think of routers as intersections that don't do much other than forward the communications. A router probably connects your home network to the internet. You can think of the internet as a lot of small private networks joined together.
In the case of the internet, the communications are sent in chunks called packets. You can think of these packets as envelopes with an adress written on them. Routers recieve a packet, check the address. If the address is on its network, it sends it to the machine to which it is addressed. If not, it sends it to a closer router.
A server is a computer that performs a particular function. It "serves" a "client." Most people are probably most familiar with the term from web servers. You're probably all too familliar with the message that the Daily Kos servers are down, which always seems to happen when you're jonesing for some political news. So when you clicked on the link to this diary, your computer put a message asking for a particular web page in an envelope addressed to the DKos Server. The message went from router to router until it arrived at the right place. The DKos Server put the source for the web page into an envelope (they're actually called frames) addressed to your computer.
Rats are remote access tools. It allows someone to control a system remotely, that is without physical access. It should be remembered that the computer, or other machine, being controlled needs to be connected to a network to which the person using the remote access tool has access. If you're familiar with GoToMyPC or PCAnywhere, you have a good idea about how it works. A few years ago, when I couldn't find affordable space in the city where I lived, I was able to locate manufacturing equipment in another city and operate it remotely in this manner. It was as if I was using the pc that was directly, physically connected to the equipment. Remote access software can be serepticiously installed on a computer.
Okay, before we get to tunnels, I'm going to have to explain one more thing. The packets are really envelopes within envelopes. Once your machine recieves the packet, it opens the envelope and finds another envelope which tells your machine which program to send it to, in this instance to your bowser, but it could be your email client or one of those "apps." There are more layers than that, but the important thing to understand that there are envelopes within envelopes, more typically described as layers upon layers.
Tunnelling is a concept that was developed to send a packet over an incompatible means of transmission. Let's say you wanted to send an item to my cat, who does not typically get the mail. You could put it in a package addressed to me. It would look to all the world like a package intended for a human. When I opened it, I would find the outside marked "For Baby" and I would deliver to my cat for you. That's probably a lousy analogy, but it's the best I could think of. I most often see tunnelling mentioned in references to virtual private networks, for privacy and security and as a way around a firewall. Since the message from "Anonymous" specifically mentioned firewalls, let's tackle that one next.
Knowing next to nothing about security, I had to look this up. Don't worry folks I have a firewall installed on my computer. I just wasn't exactly sure how it worked. I'm sure other people on the site will be glad to correct me if I get things terribly wrong. In order to keep your network safe from intrusion by unwanted visitors, every point in your network that has access to the "outside" needs to have a firewall. There is probably one on your computer. They are usually on routers as well. They are usually filters that examine packets and only allow ones of a specific type.
Okay, so I get the sense that someone is talking about accessing remote access tools installed on a server through a tunnel. However, since we have already established that the Ohio servers were not connected to a network, it is not possible to hack the vote in this manner.
So, what was that reference to OZ, the great firewall and creating and coding and all that? It sounded kind of cool.
I haven't the foggiest. Sorry, folks, I just sort of hit a dead end with that.
Well, I hope you're learned something. I've learned quite a lot about how elections are run in Ohio and much less than I had hoped about hacking. Interestingly, a CalTech/MIT study on voting had this to say:
"De-emphasize standards for security, aside from requirements for voter privacy and for auditability of election outcomes. While testing for minimal security properties is fine, expecting ITAs to do a thorough security review is unrealistic and not likely to be effective. Instead, statistically meaningful post-election auditing should be mandated. (“Audit the election outcome, not the election equipment” (Stark and Wagner 2012))."20
In 2010, Gizmodo published a list of every voting machine in America.
- Business Insider: Romney Project Orca Disaster
- Huffington Post: Mitt Romney's Project Orca
- Washington Examiner: In Boston Stunned Romney Suppoerters Struggle to Explain Defeat
- Slate: Orca vs. Gordon: A battle of election day poll monitoring systems
- How Voting Machines Work: Taking apart the various voting machines used in the U.S., Scientific American
- Ohio Secretary of State: Voting Systems
- Snopes: Tagg Romney and Voting Machines
- Ohio Secretary of State: Project EVEREST: Evaluation and Validation of Election Relatded Equipment Standards and Testing
- MSNBC: Jennifer Brunner: Tagg Romney's Stake in Voting Machine Company Doesn't Look Good
- Verified Voting: Hart InterCivic's eScan
- Cleveland.com: Ohio Voting Machines
- Counting Votes: 2012 A State by State Look at Voting Technology Preparedness
- Counting Votes
- U.S. Legal: Definitions: Computer Hacking
- Washington Post: In Cyberattacks Hacking Humans Is a Highly Effective Way to Access Systems
- Popsci.com: How I Hacked Electronic Voting Machine
- Brad Blog
- FBI: Louisville Press Releases
- ArsTechnica: How to Hack an Election
- Cal Tech - MIT Voting Technology Project: Voting: What Has Changed, What Hasn't and What Needs Improvement