Stephen Spoonamore Interview
Oct 2006
Interviewer(I) – You’re the CEO of Cybrinth, a cyber security company, tell me a little bit about what your company does.
Spoonamore(S) - We functionally develop policy and secure architecture for IT systems, primarily for major international banking corporations, credit card companies, a number of government agencies.
I - So these companies hire you to what, stop hackers…
S - One of the by-products of what we’re doing is we track data, we trace and track and create custodial management chains of how data moves through systems. Our largest amount of work is actually for the global credit card industries in which we are generally tasked with finding how data moves between when you take a credit card and actually put it through a machine, the machine goes to an acquiring bank which then has to integrate that information with their banking structure, hand it off to an international credit card company who then hands it off to an issuing bank, who is the person who gave you your credit card. It can populate as many as 90 databases all in a matter of 2 or 3 seconds to approve your single transaction. We trace, set up the custodial management and secure those types of transactions.
I - I see, so it’s basically chain of custody issues to make sure the data is transported then secure.
S – Correct.
I - What is your experience with the architecture of electronic voting machines specifically the Diebold machines?
S - Um, my personal experience with them is purely as an outside observer asking to look at them. They refuse to show the architecture or allow it to be exposed to any kind of significant expert. The people who I have met who they claim have certified their machines have no knowledge of architecture whatsoever.
I - Who has asked you to look at the architecture?
S - No one has asked me to look at the architecture of a voting machine. I have repeatedly asked to look at the architecture of voting machines. They will not allow us to do so.
I – Why?
S - Because the fundamentals Diebold has used to set up their machines are inherently flawed. They’re what I would consider IT junk.
I - Why do you say that? On what basis?
S - Because they do not allow the code any kind of validation or check that allows for a local auditor to confirm that it is in a configuration pattern appropriate for voting. So if you’re going to set up…let’s look at a Diebold ATM, which we work with a lot. If you’re going to set up a Diebold ATM system at a bank every line of code in that machine, and there should be 30,000-35,000 lines of code, is inspected by 4 or 5 people, where each of the fields are confirmed that they’re going to pass the information correctly to the machines that pass out the money, to the machines that take and validate your card, to the little motors that push your card back out to you, to the receipt printers and to the integrated databases on the back end. No process inside of that is not followed with a 4 eyes operation meaning 2 different people have to be looking at each step of the process at each step of the way. And those people are not from Diebold. One of them is from the installation group and one of them is from the bank. Otherwise the machine is not certified for use.
I - And this is not happening in respect for an electronic voting machine?
S - Not to my knowledge.
I - So what you’re saying is there’s more security regarding the dispensing of a $20 bill and the fact that if you don’t get that $20 bill there is more of an audit system set up?
S - Of course.
I - Ok, before we get into this, I just wanted to kind of do some background with the electronic voting machine. It emerged out of the 2000 election debacle and-
S - Earlier than that
I - But it was-
S - Global Elections systems, a group out of Texas, was pushing these back in 1998. I first became aware of it and actually wrote a short letter encouraging people to not use these in 1999 before the 2000 election debacle. What happened in 2000 is, all of a sudden you had a number of electronic systems fail during that election: the Volusia County incident, in which 16,000 votes suddenly vanished and then reappeared and several uncertified cards somehow ended up in the system, also a Diebold system. That sort of got lost in the hanging chad debate in Florida, however, there’s a very strong argument to be made that the 2000 election was electronically stolen and the hanging chads were just a distraction.
I - I see. Now going back to the audit, I believe at many times you’ve asked the company, you’ve asked Diebold to audit their systems
S - I’ve sent personal letters to more than 20 executives at Diebold, I’ve sent dozens of letters to my own home county, my own home election board which now uses Diebold machines. I’ve sent letters to Ken Blackwell and his office. Actually, I personally asked Ken Blackwell for this, I served as the Co-chairman for the National Electronic Identity Taskforce and presented the state’s Attorney General the findings on how to secure state secure databases. At that meeting, Ken Blackwell was present and I actually went up and asked him if we could have a conversation about that and he said that it is not the appropriate venue. I then said to him, if you cannot discuss voting machine security at a security conference meant for state functions, when can we have this discussion? He then walked away.
I - What about Diebold executives?
S - They have never responded. That’s not fully true. I actually reached out to a number of their people in financial services because I have a very significant set of contacts through the banking work that we do and the banking people that I’m working with asked for some of the Diebold people to speak to me. Since then, when they realized the scale of what I’ve asked for, they’ve refused any further communication.
I - Can you explain to the viewer how a Diebold voting machine can be hacked from a remote location? I know at times you’ve mentioned that foreign nationals can access…
S – Sure.
I - Take us through that.
S - The department of homeland security actually - this is some of the people involved in issuing this, very good friends of mine from the Cyber Emergency Response Team (CERT). The US CERT center actually put out a full warning, which I’m sure your station can get a copy of, warning that the way Diebold systems are architected, in the way the tabulators communicate to the central state tabulation center, is subject to foreign national hacking. They put out a warning about it, to the best of my knowledge this is still the case. Here’s how it happens, each individual machine has significant problems, most machines are not set up, the individual machines that you use as an individual voter touch are not set up so that they, themselves, are not electronically networked. A few of them are. Some of them hook up to phone lines for a variety of reasons, some of them have IR ports the same way you scan information back and forth from a PDA. Inside of those machines are a number of layers of information but eventually they get down to a memory card which itself is subject to hacking, there are several subject to hacking in the operating systems. Viruses, codes, screen flips…all those things can occur but let’s assume everything worked correctly in the machine and you now have a card with the correct votes in the machine. Personally we have no way to know this, but let’s assume it’s true. We then take those machines to the county elections headquarter. All those cards come in and one by one are inserted into a central tabulator. That tabulator then is supposed to take the total votes in each of the precincts and the total votes from the county and electronically transport them from that machine to a central state tabulation machine. Here’s the problem – how is that moved from point A to point B? It’s moved through common carriers.
It’d be very easy, if you understood the IP addresses, and this is something that anyone with basic electronic intercept skills understands, you can mimic an IP address, and in the process of that information being transferred from point A to point B, see it. Now it may be PGP encrypted, it may be socket level encrypted, which Diebold claims to be the case, however, in the 3 counties where I have personally gone and asked the people who do the tabulation, they have no idea how to do encryption, what the encryption is, how it’s set or who sets it. So again, we’re just trusting what Diebold says, oh don’t worry, it’s encrypted. But none of the voting officials know this or understand how it works. Ok, well then let a professional who actually looks at encryption key algorithm systems, which I have for probably over 100 banks, let me see the system. I can tell you whether or not they’re actually using a key exchange system which will make for secure transmission or not. I tend to think they’re not doing so.
I – So again you said, forget the problems on the front end-
S - Let’s assume there are no problems-
I - So as a voter, if I touch the screen I’m assuming my vote is secure but you’re saying at that point, a lot can happen to your vote.
S - The chain of custody in terms of that vote – here’s my finger and if I were to write on a ballot, that ballot is now a permanent document. What is happening now is when you touch that screen, that screen has circuitry inside of it, and that circuitry talks to a data field. That data field below it is like you basically walking up and opening a curtain and there’s a little man there and you say “Hello what’s your vote” and I say “Well I’d like to vote for this” and he says “Ok thank you” and he closes the screen and goes to a different screen and tells someone else and that next layer is the operating system. Now you don’t really know what the screen is telling the operating system because you can’t see it. So unlike a vote that you’ve marked the screen takes the information and passes it to a field set in the operating system. Who knows who wrote the operating system? Diebold won’t tell us. I’ve personally reviewed a number of pieces of code from Diebold and it’s garbage. Some of the code is awful. I reviewed the patch that they put in Georgia 2002 that many of them claimed was a clock function and it’s not a clock function. It’s a comparator function. It asked for 3 different fields on the front end, that’s information coming down from the screen into the operating system, sits on the operating system in an entry platform. At that point, this piece of code asks the 3 fields – I don’t know what the 3 fields were – what their totals are, compares them against each other and sends them somewhere else. Well if it were me, and I were to guess what that code is, it’s a vote-flipping code. It’s not a clock function that I know.
I - You’re referring to the Georgia 2002 election, robgeorgia.zip and there was some upgrade that was supposedly inserted into the machines…
S - Whether it’s robgeorgia.zip, there’s a number of names of the file, I simply refer to it as what is called the zero-day patch. They patched it 2 days before the actual election itself between Cleland and Chambliss. I have no idea why, what it was for, what fields it’s asking for or where it delivered them. But ostensibly, Bob Urosevich, the actual president, actually carried this himself, gave it to the people and told them that it was a clock function. None of them are programmers, they installed it like they were instructed, but it’s not a clock function. I don’t know what it is, it’s some kind of comparator program. We didn’t quite finish your question, after you move through the system, all these different problems occur, but finally it deposits a final set of data into a memory card. That card then has a number of chains of custody, that anybody who is then carrying that card – when you’re carrying a stack of paper ballots, you could rewrite all the ballots but that would take you a long time – but if you’re carrying a memory card with every single vote from that day from a machine, you can change it like that. Somebody could have in their car, or anywhere else, they could have a very simple kind of reader- this has been demonstrated in a number of different hacks- you can just change the information on that card by over-riding it with the same operating system type that was used to record it in the first place.
I - What about Al-Qaeda or China or…
S - That’s in the transmission component. Now let’s say the cards successfully have gotten down to the county correctly, who knows? No one has ever inspected the code inside this machine so you’re taking a card and saying well here’s all the votes, and let’s assume the correct card has been brought and nobody has lost the card which is what just happened in Maryland – they’ve actually gotten the card to the county, they’ve put it in, then it goes into a tabulator machine. There have been repeated issues where people have said they’ve seen votes backing up in tabulators as cards are put in. Ok well that would indicate that something inside of that program is not adding cards forward, it may be adding cards backwards. I don’t know – I’ve never seen the field sets. I do know in some of the optical scan machines, where again I have been able to take a look at the codes, some of the cards are capable of taking a negative number. Now as a programmer, this is a very interesting question. Generally you try to make a code as elegant, clean and simple as possible for security. There is no reason at all, if you have zero votes and then you add votes from that point going forward - maybe ten thousand votes is the maximum they can run on a machine - that makes sense. Cards should have a range from zero to ten thousand, so there is no reason in the world a negative number should ever be able to exist on a voting card. And yet, in all the voting card code that I’ve looked at Diebold has a negative field that allows for a negative number to be entered in a vote total. Why? Why would you want to steal votes? That way you can start with a card that has negative 100 votes for somebody then it takes them 100 votes before they even get back to zero.
I - And yet, Diebold does not allow, for proprietary reasons, anyone to review the vote tabulation software?
S - They allow it…they let us work on their cash machines, but no, they won’t let anybody see their software.
I - Any thoughts as to why?
S - Cause they’re stealing elections.
I - How can you say that and what are the vulnerabilities that you’re just surmising?
S - I’m not surmising it, I have a very strong understanding of statistical analysis. The way we actually find credit card fraud – here’s a horrible fact that people are not gonna wanna know. About two and a half percent of the transactions on the global credit card network happening right now are fraudulent. Two and a half percent. That’s a statistic that we are constantly battling with. When a fraud group, when a group that is doing a particular credit card scam moves into an area and begins working actively to fraud cards, we start to see statistics rise above the background level then we send in work, figure out who it is and try to break out the gang. Statistical analysis of one or two percentage points is how all computer hacking is detected. If you look at the case of Chambliss, that’s ridiculous, the man was not elected. He lost that election by 5 points. Max Cleland won, they flipped the votes. Clear as day. Everybody was shocked by it. There’s been numerous vote flips by this point. I do not believe George Bush won. I believe Kerry won, and I’m a member of the GOP. But I want to make it clear, we need to live in a place where your election is actually reflected in the vote. I want my candidate to win, but if my candidate loses, I care a lot more about the process than I care about the victory.
I - So this is not a partisan issue?
S - It shouldn’t be. This is a fascist issue. People who don’t want voting and want fascist control, but have people think they’re voting. I mean, people forget the fact that there was voting in Hitler’s Germany. Guess what? He won with 90 percent of the vote all the time. There was voting in Saddam’s Iraq, and guess what? Saddam won the vote all the time. Well, did they win? Was that actually the will of the voter? Was that the way the votes were even cast?
I - Interesting question. I want to read something to you that was on the front page of The Washington Post yesterday. Maryland State Senate President Mike Miller called the card voting system “the Diebold machine is state of the art”. Do you consider these machines state of the art?
S - State of the art what? State of the art for a voting machine? I guess so. As far as I’m concerned, what I have seen of voting machines is reasonably good 1994 technology.
I - Ok, now what do you suggest that the government should tell Diebold to do to make their machines less vulnerable?
S - You can’t make voting machines less vulnerable. You can make voting machines transparent. All code needs to be inspected by external auditors, all process needs to be validated by external auditors, the same way we do banking systems. Do credit card systems get defrauded? Yes, to the tune of two and a half percent. Two and a half percent is a major amount if you’re dealing a vote. So let’s look at the credit card industry. I spend an average of probably 30 hours a week, every single week of my life, battling to try and keep the number of credit card frauds below two and a half percent. We have a lot of money to do it. People really care about that, but that level of background fraud, we can’t get it below that point. It’s just too hard. Well let’s look at the question, do you want to have a system in place, where there’s a permanent background of electronic voting fraud of two and a half percent? That means you have to win an election by a minimum of 3 percent to know that you’ve won? I don’t. Paper ballots please. That’s the only thing that can be secure. You can use electronic counters, and I appreciate Diebold wanted HAVA. They’ve got their 4 billion dollars of given away federal money, great. You’ve stolen the money, throw the machines away and let’s go back to paper.
I - Ok, let me just back up a second. Hacking. There’s been a recent hack, much publicized. Princeton hacked the memory card, a virus inserted and-
S - They didn’t hack the memory card. They hacked the operating system.
I - They hacked the operating system but there have been other hacks to the memory cards-
S - Harry Hursti
I - Right, Diebold has come back every time and said, well you know, that can’t happen
S - They’re lying. Diebold is lying.
I - What? Their systems can’t be hacked?
S - There is no system, electronic in the world that cannot be hacked. I’ve spent my entire life building or hacking electronic systems. There are entire companies dedicated to “ethical hacking” if you want to call it that. There is no system in the world, none, that cannot be hacked. If you give me the team of my choice of 8 people, in 1 week I will get any piece of data you want in the world. End of discussion.
I - Well then how do you secure such a piece of equipment?
S - You don’t. You use paper ballots.
I - Ok, um…
S - I can’t make it any clearer than this. You cannot have secure electronic voting. It doesn’t exist.
I - What if there was a transparency?
S - If there was transparency, you would be able to audit where a mistake had occurred and make decisions about what to throw away. But you wouldn’t eliminate the effort to hack. The cleverness of bad guys is extraordinary. If you had complete transparency on the process, here’s what would happen. People would eventually hack it and you’d have to throw away large portions of things. Even if you want to use electronic systems to accelerate the process and make it more assured, there’s no reason not to use optical scanning. You have a paper ballot, people mark it, you scan them very quickly into a system. Now at that point, those need to have random sampling to compare the way the computer has actually recorded things versus some hand chosen samples at random, one or two percent, and if one or two percent of random samples from the hand counted paper ballots, matches the computers in all likelihood you do not have a hack. In all likelihood. So at that point you have a very high degree of assurance that what you have is an accurate tabulation of the vote, other than that, you don’t.
I - So securing data custody, that’s how it works…
S - Correct, and having a validated paper trail. You must have paper ballots. Once you have a paper ballot, once you have generated a hand generated paper ballot is the best. It’s cheapest, it’s easy, it’s foolproof, it’s secure. The truth of the matter is that’s still how things are done in the electronic world as well. Once you have generated that, you can validate how many ballots you have, who signed into a registry book, how the entire process is moved forward and you can go back and audit and check if there is any kind of dispute. You then have accurate elections.
I - Let’s go back to the Princeton hack, just briefly, um, shocking detail on how a virus can be inserted into a machine and I don’t want you to explain necessarily how it works but just to comment on something that Diebold’s response to this particular hack by a Princeton computer scientist was that they used an old machine.
S - As far as I know, that machine came off the assembly line 2 months ago. I’m sure the registry number is there, but let’s stop and think about this. Two graduate students in 3 hours successfully hacked the machine. And once they had completed running their hack, they then added a 4 line code of self erasing virus to allow it to propagate across the network. That’s just 2 guys with 2 hours, who had no interest or motivation in doing it other than in scientific interest. There are people out there, and there’s a lot of them who don’t really want to win elections. What they want to do is they want to steal them. They have an enormous incentive for power, they have an enormous incentive for money and they have an enormous willingness to go do it. I don’t want to have a society where we’re not sure who won. I want to live in a democracy where there’s a valid capacity to audit the entire trail. The Princeton guys did a brilliant job. It was a simple and elegant organization, but stop and think about it. It doesn’t matter even if it was an older machine. Ok, so it was configured the way the 2004 machines were configured? Well in that case, does it mean that the 2004 election was hackable? Diebold is lying again.
I - But even so, some of those machines may still be in operation in states across the country.
S - Correct!
I - I see.
S - The 2002 machines that were used to steal the Chambliss election, they’re still in use in Georgia. Same machines.
I - How much money does Diebold spend, do you know off hand, in ATM security versus voting machines?
S - That’s a very interesting question. I don’t know.
I - What would you say to those, I think I know the answer already, that Diebold machines are either poorly designed or intentionally designed?
S - I think they’re brilliantly designed. They’re designed to steal elections. I mean, if you were to come to me, and people have – some of the things we do are deliberate audits, I mean there are back doors in the tabulation machine, which is what the US CERT warning is about. There’s a back door communication that allows secondary computers to talk to the actual tabulators electronically from a distance. That’s what US CERT warned about. There is layering and socket component problems. There is a negative field set up inside the tabulation-
I - What are socket components? People don’t know what this means.
S - Well the socket components, basically what it means is that there are deliberately places built into the Diebold machines that allow you to insert data, or make updates after the machine is running. A socket layer is supposed to, once you activate a socket session or secure session, you’re not supposed to be able to change an operating procedure or change a code. That’s not true with Diebold machines. While the machine is running, if you have administrative over-ride from the touch screen layer, you can actually change the way the machine is operated, you can reprogram it – they sell it as a feature in case you need to make an update during the day.
I - But according to state law, any changes made to the system, you’d have to recertify the equipment.
S - Well, if you change the software, of course.
I - What about the operating system?
S - If you change… well, different states have different laws on this area and I’m not an attorney but I certainly know that since no one has ever seen what the code actually is or no one credible has ever seen what the code is, there’s really no way to know what’s been changed.
I - Many people who are denying problems, they’re saying well oh, these are just Democrats signaling alarms…
S - I’m a Republican. I’m a Republican, I worked on Giuliani’s campaign, I worked on Bloomberg’s campaign, I worked in John McCain’s campaign. I’ve been a lifelong member of the party. This is not a Democrat-Republican issue. This is not a partisan issue. This is a democracy issue. If you actually care about a constitutional democracy in which each person votes, that vote is validated, and the people who end up in office are reflected on the basis of the way people voted, you care about this issue. If you don’t want people to vote, if you don’t want people’s vote to count and if you want to rule without owning it by a mandate then you are very supportive of Diebold.
I - Well Wally O’Dell has promised in an old fundraising letter to deliver-
S - I’m gonna go ahead-
I - Is it a Republican issue? If what you say is true, who wants to steal the elections?
S - I certainly know that in old statistical information it seems that in every single bizarre circumstance where exit data, where polling data, informational data swings, it has all been in favor of Republicans, but not the sort of Republicans that I want to see in office at all. These are people who lie and people who cheat. That is not the conservative way. Conservatives conserve things. We are respectful and we are constitutionally based. You know what the real problem is? People do not want to believe that people want to steal elections in this country. I’ve done extensive work over the years for voting monitoring overseas, if we had a variance in the exit polling of even 2 percent of what was actually tabulated, which is exactly how the Orange Revolution came about in the Ukraine. We would be in there, explain to people something is wrong. We have had numerous selections in this country now, in which where you use Diebold elections systems machines, and what happens with the vote is way off – 5, 10, as much as 12 percent – from the exit polling and the actual survey. These statistical numbers are impossible and the problem is Americans do not want to believe that we have people stealing our elections. And they must come to the realization there are people in this country who want to steal elections and we must stop them.