Navigation
Topics
Log In
Log Out
:
Special Search
New Today
New This Week
Advanced Search
Tree View
Your Account
Edit Profile
Register
Forgot Password
Tools
Help/Instructions
Policies
CLICK STATE TO SEE:
"WATCH LIST"
Marked with: 
"OPEN & HONEST"
Marked with: 
...
|
| 1-3-2006: Hold on to your lugnuts, ES... |
|
| Author |
Message |
    
BBV Admin
Board Administrator
Username: Admin
Post Number: 3084
Registered: 12-2004
Best of Black Box? 
Votes: 4 (A keeper?) | | Posted on Tuesday, January 3, 2006 - 7:18 pm: | 
|
Dec. 13, 2005: Harri Hursti performs devastating hack in Leon County Florida with Diebold optical scan system, proving he could control votes by manipulating a credit-card-sized memory card..
Jan. 3, 2006: Information received pointing to similar vulnerabilities in the ES&S and Sequoia "Optech" optical scan machines.
In an exclusive interview by BBV investigator Jim March with Dr. Douglas Jones, University of Iowa associate professor and a former voting machine examiner for the state of Iowa, it was learned that one of the most widely-used voting machines over the last 15 years may suffer from design flaws broadly similar to Diebold's version 1.94 and 1.96 optical scan system.
The first problem is that memory chip contents can be modified with easy to obtain reprogramming devices, in ways that could enable Hursti-style hacking.
The second problem is that Sequoia and ES&S have been able to force their way into intimate access to the mechanics of democracy. The electronic ballot controls were maintained exclusively by the vendors at the vendor's headquarters rather than by county election staff.
Diebold took over total control of elections in counties that allowed it. ES&S and Sequoia didn't give them a choice because of the system's design. This effectively removed county officials from their proper oversight role.
Origins Of the Optech machine
Two of the four major voting machine companies have been using an identical machine, the Optech, originally produced by Business Records Corp (BRC).
BRC was the largest voting machine company in America when ES&S purchased it in 1997. The SEC objected on anti-trust grounds, and in the resulting decision, allowed ES&S to purchase BRC, splitting the Optech scanners up between ES&S (service contracts for existing machines) and Sequoia Voting Systems (sales of new machines).
Although now being phased out, Optechs have been used for 15 years without a peep from the federal testing labs, and without the public ever being told of their vulnerabilities, nor of the vendor�s extraordinary level of control over local elections.
System Design
According to Dr. Jones, the Optech machines are precinct optical scanners originally developed in the late 1980s. They reflect the technology of that period. They are broadly similar to the Global/Diebold optical scanners designed around the same time: These voting machines store votes on removable electronic memory devices and print out an "end of day ticker tape" on paper similar to a cash register tape, providing a precinct total of votes for each candidate and issue.
The Optech machines don't use a credit card-sized memory card � rather, they use a memory pack about the size of a pack of cigarettes.
This cigarette pack-sized device plugs into the body of the scanner with a proprietary connection. The memory pack provides three things:
- A chip ("ROM" memory) which is difficult to modify outside of a factory and contains the programming for the machine ("firmware")
- An "EPROM" chip which is easier to modify (more on that to follow) containing the ballot layout and precinct information
- Battery-powered memory chips to hold the vote totals
The Good News
As Dr. Jones points out, there's one advantage to this pack design. Honest election officials can separate the scanner body from the pack and send the large bulky scanner out to the field (precinct) days or weeks ahead of the election. Tampering with scanners that are missing the pack isn't really possible (other than to simply vandalize it) because the "brains" aren't present to tamper with. It�s the "memory pack" that needs to be held in strict security. The memory pack can later be hand-carried to the precinct by a group of poll workers and plugged into the scanner on election morning.
The Bad News
One reason the Hursti hack in Leon County resulted in a failure is that Diebold's memory device holding the votes and critical programs is both read-write (tamperable) and reader/writer devices like the Crop Scanner are available commercially to alter the cards.
The ES&S/Sequoia memory pack has a funky connector. It should be even more secure, right?
Not exactly.
Jim�s Rig-a-Vote Recipe
1. Unscrew the top of the pack.
The most critical chip holding the ballot/candidate/precinct layouts is sitting right there in an easy-access socket.
2. Find a chip burner. Once the chip is out with a screwdriver, you can find alteration devices (chip burner) for that chip even more easily that you can find the Crop Scanner.
Tip for finding a read/write device: The chips is called an "EPROM" - Electrically Programmable Read Only Memory .
Here are some examples:
http://www.stag.co.uk/products/EEprom_programmer.htm - this one allows some alteration without a PC, or PC connection.
http://www.action2k.com/topmax.htm - this one covers a very broad range of devices but needs a PC to work.
http://www.elettronicaceleste.com/celeste/programmatore_eeprom/sp280_uk.htm - shown next to an EPROM chip of exactly the type used in the Optech. You can see the small glass window in the chip to let the UV in for erasing. This chip burner was made for people who hot-rod cars to re-burn engine management chips(!) but should work with Optech EPROMS just fine. Needs a PC.
3. Put the chip in the chip burner device connected to a PC and read the contents. Edit at will using your PC.
4. Peel the sticker off the back of the EPROM, exposing a glass window. This makes the actual silicon surface visible through the glass. It's a neat looking critter, shiny and with lots of tiny circuits that geeks will love.
5. Put the chip in a tiny mouse-sized tanning booth. No, we�re not kidding � exposure to UV light for 25 minutes erases EPROMs. (Warning: We do not recommend putting in an actual mouse unless you can find very small sunglasses for him.)
http://testequip.com//sale/used/pictures/HES2152.jpg
6. Put the sticker back on the chip�s glass window and put it into the chip burner connected to the PC, and download your tampered code from your PC back to the chip.
7. Put the chip back into the "pack" and you�re done.
We have no reason to think that the security of the chip's contents is any better than in the Diebold environment. While this needs testing, it appears that hacking could cause all votes to be switched between any two candidates simply by altering the chip data.
Dr. Jones suggests the possibility of causing a minor party candidate's votes to go to a major party candidate, in addition to the major party candidate's proper votes. This would have the "benefit" of harming a small parties, possibly denying them ballot access. Each major party has at least one smaller party that tends to take a small chunk out of them � the Democrats always lose a few candidates to the Greens, the GOP loses a few to the Libertarians. Each major party would like to see their smaller more radical cousin go away, and that sort of hacking could do it.
Folks, understand that the above "recipe" is theoretical - it describes "how to get at the data" in simplified form. It's possible the data is encrypted in some way, or at least set so that anything with a different file length won't work. We doubt it for two reasons: their competitors of the same period (Global) didn't and second, BRC's reputation is poor to this day. What you should take from this is that the data is on something with a standard data transfer interface (the chip itself) and that the ability to tamper with this system is a real possibility warranting investigation.
The Worse News
While moderately advanced hackers should be able to alter the contents of these packs fairly easily, county election officials can't. Therefore, by design, the memory cards need to be programmed inside the vendor's corporate headquarters.
Will they do it correctly?
Well let's see: ES&S was partially owned by now-Senator Chuck Hagel at the time Hagel won his first major political victory to get into congress. Hagel's victory in the primary was so stunning that it made national news. According to CNN's All Politics, Hagel hoped he could make lightening strike twice by winning the big prize -- and he did. He defeated popular Democratic Governor Ben Nelson who led in the polls since the opening gun in what the Washington Post called "The major Republican upset in the November [1996] election."
(more: http://www.blackboxvoting.org/BBV_chapter-3.pdf)
Louisiana state elections chief Jerry Fowler was convicted on felony charges of taking bribes from Sequoia officials for system purchase decisions -- one of Sequoia's key people, Phil Foster, was indicted but the charges were dropped after a judge concluded that his immunized grand jury testimony couldn�t be used against him. (more: http://www.blackboxvoting.org/BBV_chapter-8.pdf)
So, is turning over the very foundation of Democracy to ES&S and Sequoia a good idea? We think not.
Conclusion
Nobody at the Federal or state testing labs seems to think like a hacker and tries to find ways to defeat these things. For that matter, nobody is paying attention to the basic ethics of the situation. No one ever asked the American citizens whether we choose to remain a Constitutional Republic versus a Corporate Republic.
Black Box Voting would like to do a "test hack" on the Optech with the blessing of public officials in any jurisdiction. Because these machines are not HAVA compliant, they are being phased out. We ask your help in facilitating this opportunity.
PERMISSION TO REPRINT GRANTED, WITH LINK TO http://www.blackboxvoting.org |
John Howard
Frequent Voting Rights Forum Participant
Username: Harmonyguy
Post Number: 193
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Tuesday, January 3, 2006 - 8:33 pm: |
|
UV eraseable EPROMS have that little sticker over the glass windw for a very good reason. Sunlight (and the light from flourescent tubes) contains UV rays, and it's the UV rays that erase the EPROMS.
Somehow, it seems darkly twisted that devices in a ballot scanner are designed to have an adverse reaction to being exposed to the light of day.
HG |
BBV Admin
Board Administrator
Username: Admin
Post Number: 3085
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Tuesday, January 3, 2006 - 8:59 pm: |
|
John,
Perfect analogy!
Kathleen Wynne |
BBV Admin
Board Administrator
Username: Admin
Post Number: 3086
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Tuesday, January 3, 2006 - 9:09 pm: |
|
From Bev -
Hah! First Brad Friedman makes me laugh with his fedora story (hey Kathleen, maybe it's time to post the financial document from Diebold paying Abramoff's firm, Greenberg Traurig, ya think?)
Now John Howard weights in with that elegant line. Heh. |
BBV Admin
Board Administrator
Username: Admin
Post Number: 3088
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, January 4, 2006 - 5:38 am: |
|
Yes, Bev. It's time! 
Kathleen |
clark brooks
Voting Rights Forum Participant
Username: Czark
Post Number: 1
Registered: 01-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, January 4, 2006 - 9:39 am: |
|
In a previous life, I erased and reprogrammed EPROMs "all the livelong day". It's even easier than it sounds. I'm quite curious whether ES&S/Sequoia use an interpreted code on these EPROMs like Diebold does. If they do, the code would be plain text, easier to understand than compiled machine code would be. OTOH, understanding the code is only useful if someone gets their hands on a memory block with malicious code...
I'm actually confused why HAVA would forbid interpreted code; java for example is famous for being both interpreted and compiled. |
Julio Edwards
Voting Rights Forum Participant
Username: Juliox
Post Number: 8
Registered: 11-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, January 4, 2006 - 11:32 am: |
|
Please let us know where and when you post the financial document from Diebold paying Abramoff's firm, Greenberg Traurig. It would be very timely to do so today.}} |
John Washburn
Frequent Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 319
Registered: 04-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, January 4, 2006 - 11:46 am: |
|
RE: HAVA would forbid interpreted code
HAVA does not ban interpreted code (or self-modifying code or dynamically loaded code). Section 4.2.2 of Volume I of the 2002 Voluntary Voting System Guidelines phohibits self-modifying code, dynamically loaded code and interpreted code.
Or not, depending on how you deal with the typographical error in the section.
Here are the applicable sections exceprted from the original. You decide.
4.2.2 Software Integrity
Self-modifying, dynamically loaded, or interpreted code is prohibited, except under the security provisions outlined in section 6.4.e. This prohibition is to ensure that the software tested and approved during the qualification process remains unchanged and retains its integrity. External modification of code during execution shall be prohibited. Where the development environment (programming language and development tools) includes the following features, the software shall provide controls to prevent accidental or deliberate attempts to replace executable code:
Unbounded arrays or strings (includes buffers used to move data);
Pointer variables; and
Dynamic memory allocation and management.
But 6.4.e does not exist but likely references this:
6.4.1 Software and Firmware Installation
The system shall meet the following requirements for installation of software, including hardware with embedded firmware:
a. If software is resident in the system as firmware, the vendor shall require and state in the system documentation that every device is to be retested to validate each ROM prior to the start of elections operations;
b. To prevent alteration of executable code, no software shall be permanently installed or resident in the system unless the system documentation states that the jurisdiction must provide a secure physical and procedural environment for the storage, handling, preparation, and transportation of the system hardware;
c. The system bootstrap, monitor, and device-controller software may be resident permanently as firmware, provided that this firmware has been shown to be inaccessible to activation or control by any means other than by the authorized initiation and execution of the vote-counting program, and its associated exception handlers;
d. The election-specific programming may be installed and resident as firmware, provided that such firmware is installed on a component (such as computer chip) other than the component on which the operating system resides; and
e. After initiation of election day testing, no source code or compilers or assemblers shall be resident or accessible.
John Washburn
Only bad software is delayed by good testing.
|
Brant Lamb
Frequent Voting Rights Forum Participant
Username: Brantl
Post Number: 298
Registered: 01-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, January 4, 2006 - 12:29 pm: |
|
In PC programming at least, you use pointer variables all the time in memory writes and reads, disk writes and reads. You can cast (force, essentially) some things as pointers that aren't but it's a backwards way to do things. How do they get this kind of programming to work without pointers? Any idea how you do that, John?
Also B of 6.4.1 seems to demand that you use one-time programmable Read only memories (OTPROMS), though why you couldn't read them, modify what you read and burn a new one and replace it doesn't get covered here. |
BBV Admin
Board Administrator
Username: Admin
Post Number: 3092
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, January 4, 2006 - 1:11 pm: |
|
Julio,
We've posted the Diebold financial documents showing payments to Greenberg Traurig, the firm that Jack Abramoff worked for. You can find it at:
http://bbvdocs.org\moneytrail\greenberg.pdf
Kathleen Wynne |
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 1427
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, January 4, 2006 - 1:23 pm: |
|
Kathleen,
The link is not working. |
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 1429
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, January 4, 2006 - 1:29 pm: |
|
This works:
http://www.bbvdocs.org/moneytrail/greenberg.pdf |
John Howard
Frequent Voting Rights Forum Participant
Username: Harmonyguy
Post Number: 196
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, January 4, 2006 - 5:53 pm: |
|
Looks like it was one of those 'easy monthly installments'
"Diebold Election Systems, based in McKinney, Tex., and known mostly for its A.T.M.'s, is spending $12,500 a month to retain Greenberg Traurig, a Manhattan law firm. Greenberg's lobbyists are Robert Harding, former deputy mayor under Rudolph W. Giuliani, and John Mascialino, a lawyer and former first deputy commissioner of a city agency charged with buying equipment and supplies under Mr. Giuliani.
Election Systems & Software pays Davidoff & Malito, one of the state's biggest lobbying firms, $10,000 a month. Its senior partners, Sid Davidoff and Robert Malito, are former aides to Mayor John V. Lindsay.
Liberty Election Systems, a new outfit owned by the executives of an Albany printing company that has produced election ballots for decades, is spending $3,000 a month on lobbyists from Capitol Group."
from http://lists.hss.caltech.edu/pipermail/votingtech/2003-October/000426.html
and, of course, that's only part of their overall lobbying payments.
JAN. - JUNE 2003 $75,000
JULY - DEC. 2003 $75,000
JAN. - FEB. 2004 $25,000
MARCH - APRIL 2004 $25,000
TOTAL $200,000
http://www.votetrustusa.org/pdfs/electionline_081104.pdf page 16 |
Bob Fleischer
Voting Rights Forum Participant
Username: Rjf7r
Post Number: 45
Registered: 09-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Wednesday, January 4, 2006 - 7:18 pm: |
|
RE: HAVA would forbid interpreted code
Regardless of whatever it is that HAVA does or does not forbid, I often think that this technospeak is just there to impress the public, and a fig leaf for politicians, in order to make it seem that something substantial is being required, when it isn't. |
John Washburn
Frequent Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 321
Registered: 04-2005
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Wednesday, January 4, 2006 - 11:37 pm: |
|
Bring your code to Wisconsin an let me inspect it.
I promise to be thorough; somthing the ITA Labs have never been.
And with the signing into law of WI AB 627, I get to inspect the software code or you don't get to use your voting machinery in a Wisconsin election.
Ya gotta love the legacy of Fightin' Bob LaFollette. I guess I will have to stop speaking ill of this dead, income-taxing socialist. 
(Message edited by johnwashburn on January 05, 2006)
John Washburn
Only bad software is delayed by good testing.
|
BBV Admin - Bev Harris
Board Administrator
Username: Admin
Post Number: 3105
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, January 5, 2006 - 6:56 am: |
|
"A Nation of Sheep Will Beget A Government of Wolves." Edward R. Murrow
Kathleen Wynne |
Linda Franz
Frequent Voting Rights Forum Participant
Username: Linda_franz
Post Number: 176
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, January 5, 2006 - 8:56 am: |
|
Diebold
Abramoff
Ney
Isn't Ney the one that won't let any voting legislation requiring a voter verified paper ballot and auditing of that VVPB out of committee?
Any connection between the so-called authors of HAVA in the House and Senate, and Abramoff? |
John Washburn
Frequent Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 322
Registered: 04-2005
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Thursday, January 5, 2006 - 10:51 am: |
|
I have some bad news from here in Wisconsin.
I was researching the bill signed into law in order to draft my request to the City of Milwaukee.
The version of AB-627 signed by governor Doyle is this this this
The second link which I mistakenly cited and has been mistakenly cited in other locations on the internet is to the bill as introduced on August 24, 2005. No bill survives contact with a legislature.
On November 3, 2005 the committee gutted the disclosed source requirement with a Assembly Substitut Amendment 1 (which deletes all of AB627 as introduced and replaces it with ASA1). I suspect I have Milwaukee-based VTI to thank for that.
On November 10, that version was replaced in toto by Assembly Substitution Amendment 2.
A senate amendment was proposed but withdrawn and AB627-ASA2 the Senate as written on December 8, 2005
All the details are here in the legislative history of the AB627.
All is not bad news though.
Paragraph 5.9005(1) gives a wide definiton of what can be included in the excsrow requirements.
Paragraph 5.9005(2) gives the Board wide, but discretionary statutory authority in defining what MUST be escrowed in order to be approved in Wisconsin. Further, non-legislative section 6 requires all current vendors to escrow within 90 days (Aplil 5, 2006).
Paragraph 5.9005(3) gives the Wisconsin State Elections Board incredibly wide statutory authority to inspect software source code and wide discrection on whom to employ for the task. A prior version of the bill required all such inspections be done by federally certified ITA labs. That provision did not survive to be signed into law.
Paragraph 5.9005(4) also gives a candidate embroiled in a recount the right to inspect the software.
Paragraph 5.9005(5) also gives a county to inspect as well. A good check on the State elections Board in case a future state board is corrupt. In Wisconsin you now need 73 corrupt goverment boards (state + 72 counties) and no recounts in order to prevent an inspection by an outside party.
Not all is good either
Under Section 5.9005(2) the escrowed material is specifically exempted from open records request (WI 19.35).
Paragraphs 5.9005(4) and 5.9005(5) make clear the inspector must work under a non-disclosure and a non-compete clause.
Even with the good the bad and the ugly. I will take this over what most states have.
John Washburn
Only bad software is delayed by good testing.
|
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 1435
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, January 5, 2006 - 11:35 am: |
|
Hi John,
Thanks for passing this on.
What Wisconsin has is far more than what other states have, and achieving this is a great credit to you and others who worked to get the best possible result for WI voters.
You've helped create a group of officials who have some willingness to listen to well-articulated sensible concerns. This has set a great example for others working for election reform. |
John Washburn
Frequent Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 325
Registered: 04-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, January 5, 2006 - 12:18 pm: |
|
I did NOTHING to aid the passage of this bill. That credit goes to Paul Malischke of Madison and the legislators who introduced this bill.
Routinely the hearings on this legislation were held on the day following a Board meeting of the WI State elections board. There were excellent logistical reasons for this.
I chose to burn my vacation days in order to appear before the board. Paul burned his vacation days attending, appearing and testifying before the legislature and its various committees and sub-committees.
I do not regret the decision and today I doubt Paul regrets his. But, any credit on AB627 is not mine.
John Washburn
Only bad software is delayed by good testing.
|
BBV Admin
Board Administrator
Username: Admin
Post Number: 3110
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, January 5, 2006 - 1:59 pm: |
|
Thanks, John. I have edited the credit to Paul Malischke into the lead story. -- Bev |
Phil McCracken
Voting Rights Forum Participant
Username: Phil_mccracken
Post Number: 5
Registered: 01-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, January 5, 2006 - 2:16 pm: |
|
Why were my posts removed? |
BBV Admin
Board Administrator
Username: Admin
Post Number: 3111
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, January 5, 2006 - 2:38 pm: |
|
Phil: they weren't removed. The whole thread was getting kind of hijacked, so that portion of it was moved to General Discussion.
If you post something and it is moved by the moderator, you can always find recent posts by hitting "today's posts" or "last 24 hours" and you'll see your posts. They were off-topic for this thread, but fair game for General Discussion. |
Phil McCracken
Voting Rights Forum Participant
Username: Phil_mccracken
Post Number: 6
Registered: 01-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, January 5, 2006 - 2:59 pm: |
|
Ok, thanks for the clarification Bev. I appreciate it. |
From the Mailbag
Voting Rights Forum Participant
Username: Mailbag
Post Number: 21
Registered: 10-2005
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Friday, January 6, 2006 - 8:12 am: |
|
(From Steve K.)
Wait! It's not as hard or time-consuming as you make it out to be. All you need to is have an extra EPROM that has already been erased.
After step 3, skip that time-consuming step 5! After all, these EPROMs are mass-produced chips. They cost only a few dollars down at the electronics store or mail-order store.
6'. Put the sticker from the original chip over the window on your EPROM chip. Remove the original chip from the EPROM writer. Insert your chip into the EPROM writer. Write the modified data to your chip.
Continue with step 7, substituting your newly-written chip, taking the original chip home to erase or discard it somewhere where it can't be found.
By the way, this same scenario was used in the movie "Real Genius" (1985, starring Val Kilmer), where the Caltech students pose as Air Force technicians and change the trajectory of their evil professor's Star Wars-like death weapon. They do it by taking out the EPROM from the system, modified the code, and "burned" a substitute EPROM which they used to replace the original one. |
Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a
Post Number: 1441
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, January 6, 2006 - 8:35 am: |
|
Yikes.
So not only is this incredibly easy to do, it's been "out there" since 1985 or earlier.
I bet loads of people know all about this (like, for example, criminals who use computers to defraud companies). |
John Washburn
Frequent Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 331
Registered: 04-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, January 6, 2006 - 8:51 am: |
|
In the movie the problem was physical access (get to the plane on an airforce base).
But, since granting physical access is a routine part of the voting machinery programming process, that is not a problem to the fraudster.
Chris Knight: In the immortal words of Socrates: 'I drank, What!?'
Mitch: Chris: you have to get back at Hathaway. It is a moral imperative.
Mitch: I don't have any friends in high school. I think I scare them.
Professor Hathaway: Good boy.
For other quotes fromReal Genius
(Message edited by johnwashburn on January 06, 2006)
John Washburn
Only bad software is delayed by good testing.
|
clark brooks
Voting Rights Forum Participant
Username: Czark
Post Number: 2
Registered: 01-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, January 6, 2006 - 11:29 am: |
|
I should point out that Real Genius specifically does not take place at Caltech! "Pacific Tech" is almost indistinguishable from the Caltech I attended, but If I recall Correctly, only one Caltech student appears on screen.
On a more relevant point: although EPROM reprogramming has been easy for a few decades, only for the last ten years or so has it been applicable to election theft. |
John Washburn
Frequent Voting Rights Forum Participant
Username: Johnwashburn
Post Number: 332
Registered: 04-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, January 6, 2006 - 12:13 pm: |
|
It has been applicable since 1992 in the village of Hales Corners, WI. The BRC/ES&S/Sequoia system (very early version) had EPROM on it then for the ballot defintion.
The card was like a modem card for an AT computer. It was physcally removed and sent to Minneapolis 4 times a year for re-programming by BRC; once for each election. More if a problem was discovered.
John Washburn
Only bad software is delayed by good testing.
|
BBV Admin
Board Administrator
Username: Admin
Post Number: 3127
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, January 6, 2006 - 1:00 pm: |
|
Only for 10 years? That's comforting, only five federal elections. (Good thing we've got a few more citizens involved in oversight now).
Bev |
richard delaney
Voting Rights Forum Participant
Username: Guitarstar
Post Number: 2
Registered: 01-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Sunday, January 22, 2006 - 7:22 am: |
|
i'm curious about one thing though, since the only thing the machines are supposed to do is "count votes". why can't the "codes" be on the "rom chips",? there is no need for the source code to be on eproms, because the function of the code should not change! the only thing it is supposed to do is decide if i voted for this guy (or girl) and put a check in the appropriate column. what's so hard about that?
to tell us that the chips need to be re-programmable is nonsense, they cost twenty cents a piece... if you want to upgrade them, throw the old ones out, and put in new ones.
also, about ten years ago, a friend of mine demonstrated how you could turn on a cable box's pay-per-view stations with a simple black box that wirelessly spit out billions of digital codes in a matter of seconds, and whalla... your ppv channels worked for a month or so.
i'm guessing that technology is still available, and could easily be used to manipulate anyones vote, or even change source code back and forth at will. so come test time, it would appear that everything was just fine with the code.
pretty spooky when you think about it. |
From the Mailbag
Voting Rights Forum Participant
Username: Mailbag
Post Number: 32
Registered: 10-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Tuesday, January 24, 2006 - 6:26 am: |
|
[Note: Strauss makes excellent points. However, he attributes everything to Bev Harris. In fact, the article was written by Jim March. Black Box Voting is an organization with three full time investigators: Bev Harris, Jim March, Kathleen Wynne. When in doubt, attribute to Black Box Voting.]
* * * * *
Hello to the folks at Black Box voting.org.
I run verified voting New mexico. I just read Bev Harris's extrapolation of the Hurtsi Attack to optical scan systems.
In the article from Bev harris, she attacks the question of whether the well-formed Hurtsi attack on the diebold flash-ram equipment could be replicated on the memory pack of optical scan systems.
As a old computer scientist, I am savvy enough to know that while every fact she cites is correct, her conclusion is not--yet-- supported by her arguments. She misses one critical link and skips over several huge flaws in the feasibility of her proposed scheme occurring undetected. This is not to say that what she argues is incorrect--it might be possible to rig the memory packs. But she simply does not complete the logical circle and I want to bring the gaps to your attention so you can address them.
let me give you a synopsis of the argument and then explain the gaps in her logic that leave the matter unsettled. The Sequoia brand optical scanners are ancient technology and use the forerunner of todays electrically alterable read write memory (frequently called Flash ram or similar). It was known as eprom (electrically programable read only memory). Important characteristics are:
1) Like flash memory it is reprogrammable memory used to configure the voting machine and thus might be a vector for injecting malicious manipulations
2) old-style eprom is vastly more secure than conventoional flash memory in this application because a normal computer by itself can't write or alter the eprom. It has to be done by mechanical access to the chip and using a UV lamp. This latter fact means that it's also hard to hide your tracks after the fact.
3) Standard eproms are not computer devices. they are only memory and cant hide their contents from scrutiny.
She says the eproms of the optical scan might be secretly altered to, say, give the minority party votes to the majority. This is probably possible.
Now what she does not say, and this is truly cruical, is exactly how the eprom configures the device. In the case of the Hurtsi attack on the diebold machine the flash ram contained actual executable instructions to the machine. Thus altering these could make the machine do anything you wanted (potentially) and then hide it's tracks to boot. In particular it could fake the "zero" tape to make the judges believe it was not tampered with and potentially it could even defeat some attempts at discovery via the pathetic logic and accuracy tests that get applied to machines. These were sophisticated instructions on the diebold card.
Now what I don't know is what is on these eproms. If they are like other systems of this vintage the card contents are essentially data mapping positions on the paper ballot to vote count memory location. So the first question is is it just data that describes the ballot layout or is it actual computer instructions? If it were just the ballot layout, it probably could do nothing more complicated than map one parties votes to the wrong spreadsheet colum and this give the the credit of another party. But it could not do so conditionally. It would do this same act reproducibly every time for a given ballot style. Such a manipulation would be:
1) easily detected in a logic and accuracy test which can be quite rigorous on optical scan as compared to touchscreens)
2) probably glaringly apparent in the vote patterns in an actual election
3) and the mode of attack detectable after the fact unless the perpetrator could regain physical access to the eproms.
On the other hand if these eproms are indeed allowed to contain executable code, like the diebold systems used, then all the same potential of the hurtsi attack exists for manipulation of optical scan.
However, even in that worst case assessment, optical scan elections are still much much better and safer. Assuming such an event were to occur and were detected then the paper ballots can still be recounted properly and the election is not ruined. And indeed a partial random recount would probably detect any widespread manipulation.
Finally, there is no discussion of how the attack would be accomplished in practice. Manipulating the contents of the eproms would have to be done individually. If this is not to be done on a one-off basis but rather on a larger scale that either means accessing and zapping all of these eproms by physical extraction from the sealed memory modules, or attacking them at the stage of the original programming. The latter would differ county by county unless of course they all hired a common external programming service.
Moreover, there's a simple expedient to suppress the latter form of common-point attack: always have the county produce one extra module, randomly select that module from the set, and allow a third party full access to dump the contents of the eprom for public scrutiny. Remember, conventional eproms are not computers and can't hide their contents.
It seems to me that the eprom discussion may be a red herring. If you really wanted to reproduce the Hurtsi-style attack you would want to go after the executable firmware on the ROMS not the eproms.
--charlie strauss
[note from BBV: One statement made by Strauss is not substantiated. We frequently hear that the ballots can be examined if there is a question, therefore, that the optical scan system is safer. In fact, many states prohibit examination of the ballots if there is a question and some prohibit examination of the ballots even in a recount.
To substantiate the claim that optical scan machines are safer because you can examine the ballots one would need to examine the laws in each state that govern when the ballots can be examined, and also one would need to gather data on how often ballots are actually examined and under what circumstances. In Michigan, for example, we have an internal memo from the state elections chief bragging that although it is allowed, Michigan makes it sufficiently obstructive that no citizen has EVER actually achieved it.] |
Brant Lamb
Frequent Voting Rights Forum Participant
Username: Brantl
Post Number: 327
Registered: 01-2005
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Wednesday, January 25, 2006 - 4:56 am: |
|
Having spare PROMS in your pocket (as long as you know what type they should be obviates the need to erase them, anybody claiming you need the time to erase them is making a specious argument. There are three species of (R)ead (O)nly (M)emories (ROMs), (O)ne-(T)ime (P)rogrammables OTPROMs (no glass window, no erasing, can only be written once), ((E)rasable (usually UV erasable) (P)rogrammable (R)ead (O)nly (M)emories EPROMS , and (E)lectrically (E)rasable (P)rogrammable (R)ead (O)nly (M)emories EEPROMs. The electrically erasable ones came into common use in the late 80s, early 90s. Machines this old would be unlikely to have them. Does anybody have the chip numbers for these? I could look them up and tell you whether they were protected, or not. Some newer memories are password protected and won't yeild correct reading until you enter the password. You can erase them and reuse them without knowing the password, but you couldn't read their contents until you entered a password. |
|
|
