The original *analysis* (in italics) can be found at:
http://www.chuckherrin.com/hackthevote.htm
Fair warning: this completely debunks that!
*If the GEMS machine is networked - (I have heard conflicting reports as to whether they are or not)*
*1) Wander into the building, and quietly put a wireless access point on the same network segment as the Tabulation PC, maybe behind a copier somewhere, and then casually come in from across the street using a laptop and wireless card.*
This is not as simple as it sounds. The GEMS machines were admittedly, at the very least, Windows NT 4.0 based systems, and I have direct knowledge that at least some were Windows 2000 based. These do not use the same useless security as Windows 95/98/Me. The security is extremely tight, and one would have to have both the username and the password of a user on that machine who had the appropriate level of access to manipulate the necessary files.
The best-case scenario is to know the username and password; next best would be to know just the username and only have to guess the password; lastly would be to know neither. In the second scenario, a hacker would guess commonly used passwords or, if he knew some personal data about the user, he would guess things they might use. This could take several hours. In the last scenario, a hacker would have to try common usernames, like ‘Administrator’, which is the default administrator-level account installed on Windows NT/2000/XP/2003 operating systems, and then try to guess the password.
If none of that worked, the hacker would use brute-force hacking. Generally, at this point, the username is known, but the password is not. So the hacker will use a program that runs what is known as a dictionary attack: a list of common words is sent as passwords. This does not require the use of the normal Windows login interface and can be done much more quickly via the program. However, running a complete dictionary attack will generally take days. If the system is set up properly, it would, at the very minimum, disable the user account after 3 or 5 incorrect passwords are entered and either leave the account disabled for 10 minutes or more, or require the administrator to manually enable it. However, this is NOT how these operating systems are configured by default.
If the dictionary attack is unsuccessful, absolute brute force would be necessary. This means guessing passwords starting at length 0 and generally going up to 10 characters, using ALL ASCII characters, which includes all numbers, all lowercase letters, all uppercase letters and all symbols. This would take weeks or months even if the password guesses could be sent continuously.
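To make the lockout mitigation described above concrete, here is an added example (not from the original post or the GEMS software) that simulates a Windows-style account lockout policy against a constructed series of login attempts: a threshold of 5 bad passwords, a 10-minute lockout, and threshold 0 standing for the "never lock out" default. The log events and the `Administrator` attempt sequence are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class LockoutPolicy:
    threshold: int = 5                      # bad passwords before lockout; 0 = never lock (the default the text warns about)
    duration: timedelta = timedelta(minutes=10)   # how long the account stays disabled
    window: timedelta = timedelta(minutes=10)     # period over which bad attempts are counted

@dataclass
class _Account:
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None

def process_events(events: List[Tuple[datetime, str, bool]], policy: LockoutPolicy) -> List[str]:
    """Each event is (time, user, password_correct). Returns 'ok', 'bad_password' or 'locked' per event."""
    accounts, outcomes = {}, []
    for ts, user, correct in events:
        acct = accounts.setdefault(user, _Account())
        if acct.locked_until is not None and ts < acct.locked_until:
            outcomes.append("locked")          # rejected before the password is even checked
            continue
        acct.locked_until = None
        acct.failures = [f for f in acct.failures if ts - f < policy.window]  # expire old failures
        if correct:
            acct.failures.clear()
            outcomes.append("ok")
            continue
        acct.failures.append(ts)
        outcomes.append("bad_password")
        if policy.threshold and len(acct.failures) >= policy.threshold:
            acct.locked_until = ts + policy.duration   # threshold reached: disable the account
            acct.failures.clear()
    return outcomes

def guesses_per_hour(policy: LockoutPolicy) -> float:
    """Upper bound on password guesses one account can absorb per hour under the policy."""
    if policy.threshold == 0:
        return float("inf")                  # no lockout: a guessing program is limited only by speed
    return policy.threshold * 3600 / policy.duration.total_seconds()

def demo_events() -> List[Tuple[datetime, str, bool]]:
    """Constructed sample: seven wrong guesses a second apart, the right password at 7 s, then again at 11 min."""
    t0 = datetime(2004, 11, 3, 1, 0, 0)
    bad = [(t0 + timedelta(seconds=i), "Administrator", False) for i in range(7)]
    return bad + [(t0 + timedelta(seconds=7), "Administrator", True),
                  (t0 + timedelta(minutes=11), "Administrator", True)]
```

With the lockout enabled, even the correct password at 7 seconds is refused and the guess rate drops to 30 per hour; with the threshold at 0 every guess is checked.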
This is the biggest reason that hacking these systems without a known username and password is VERY difficult to say the least.
*We know they're connected by modems, so:*
*2) Find the telephone number of the office the PC is located in, and use a “war-dialing” program such as ToneLoc to dial all of the numbers in that exchange looking for a hanging modem. This technique was made famous by the 1983 movie “Wargames” and it still works today. These machines typically have hanging modems installed, so this should be a fairly easy way in.*
Again, this sounds easy, but isn’t. I used to hack by using war-dialers back in the early ’90s. This was when people were running DOS or Windows 3.1 and had absolutely no idea of security. Guessing passwords was easy then.
The biggest problem of war dialing, which this person totally ignores, is that the program will dial out starting with 303-555-0000 and go through 303-555-9999. That is 10,000 numbers in just ONE prefix. The program can be set to allow a certain number of rings. Four rings is usually the best because MOST communications programs are set to answer after 2 rings by default, you cannot be sure the first ring actually rings on the other end, and you want to give it one extra ring. If the program either encounters too many rings, or if a person or answering machine answers the phone, the program hangs up and moves on to the next number in the list. This is because it waits a couple of seconds to see if a modem will answer; if not, it hangs up. If a modem answers, the program simply logs the number in a list, hangs up and moves on.
Generally speaking, to go through a single prefix will take about 3 days (10 seconds, roughly, per number). I know this from my days using war-dialers.
Then, all you have is a list of maybe 100 or 200 phone numbers that you know modems exist at. Now you have to manually call each one and see what kind of system answers.
If you find a system you want to try to penetrate, the real hacking starts.
Simply not as easy as he made it sound, huh?
*3) Come in through the Internet. It is reported that many of these machines are connected to the Internet to enable results to be queried using Jresult to pull data from the central PCs. Windows PCs on the Internet are inherently vulnerable, particularly if they’re not behind a firewall. Since a firewall would prevent the legitimate Jresult queries from being made, these machines are likely at extreme risk for being compromised through their Internet connection.*
This falls into the exact same category as accessing the system via a local network. There is absolutely no difference between a computer connected via the Internet and a computer connected via a local network. Both are accessed via a unique IP address, AND the hacker would have to know that IP address or use a tool that scans IP address ranges (which can be done much more quickly than war-dialing) and reports open TCP/IP ports. However, the hacker would not know that he had found the right system unless he hacked each and every IP address that had the appropriate ports open.
What would be required here would be for the hacker to gain access via a standard network protocol which, as previously discussed, would be very difficult if the hacker did not know the username and password. Or the hacker could gain access, as is cited in other documents, via RAS (Remote Access Server) or, more recently, via Terminal Server. However, both of those use the same user security that Windows NT/2000/XP/2003 uses and, again, simply hacking the username and password is really out of the question.
As for what the JResultClient really is, it is a set of Java Class files which are compiled Java scripts that enable a user to access a web page on a GEMS system which would then access the election data and display it in HTML.
The JResultClient is not a program in and of itself. It is simply a set of Java Class files which must be compiled and run. This is intended to be done via the virtual machine that is included with all popular web browsers.
The JResultClient does not have the capability to allow a user to gain access directly to the data at all, let alone manipulate it.
Keep in mind, also, that this would require that the GEMS system be running web server software as neither the GEMS software itself nor any component of the software is capable of performing this task.
*Then there are the REALLY easy ways…*
*4) If you’re an insider, you already have the phone numbers and any usernames and passwords you may need. Dial into the machine, authenticate normally, and then manipulate the data as explained below.*
*5) Again, if you’re an insider - walk up to the machine and use the keyboard and mouse. Most poll workers, despite being good, caring people, tend to be political enough to motivate them to volunteer. It’s just human nature to use the tools at your disposal to your advantage, and people have a remarkable knack for justifying even the worst acts if they can convince themselves that the cause is worthwhile.*
Of course this is the easiest method. MOST destructive hacking ever encountered is actually the work of disgruntled employees and other ‘insiders’.
This is the ONLY feasible method as I am sure you are beginning to see.
*Note for non-technical folks - did you know that in Windows, C: drives are shared out by default? No? Well, they are. But there’s a super-secret Hacker trick to connect to them. You have to call it C$ instead of just C. The $ means it’s a “hidden” drive, but it is still accessible via the network! Pick any Class C (classes are how network addresses are broken up) range of network addresses on the Internet and I’ll guarantee that you can simply “map” someone else’s C: drive over the Internet and browse their hard drives without their knowledge.*
OK, I have to address this as well. The C$ share, as it is called – which exists ONLY on NT/2000/XP/2003 systems for ALL drives on those systems – is what is known as an ‘administrative share’. Even with an administrator username and password, the access is severely limited to only a few operating system files and CANNOT be changed even by the administrator on the machine itself.
What this person is trying to get around is that, if there is no remote access software that allows a user to connect to the computer remotely, then the ONLY method for connecting would be to connect to a shared drive on that system. Any drive, folder, group of folders or files can be ‘shared’ by users of a system, and they can assign permissions to particular users. If a drive is not shared, there is NO level of hacking that can access the system via this method. The C$ administrative share simply will not allow the level of access necessary to manipulate the database files.
Therefore, the bottom line is: There is no feasible way that anyone hacked these systems and manipulated election data unless they knew the exact connection information for each system and had the proper usernames and passwords. Without this, even the best hackers in the world would still be working on getting into these systems. It simply could not have been done in one night.
