Black Box Voting forum » Latest Investigations from Black Box Voting » 7-31-06: Georgia, Maryland Touch-screens -- New security defect evidence


Bev Harris
Board Administrator
Username: Admin

Post Number: 5476
Registered: 12-2004

Best of Black Box? 
Votes: 2 (A keeper?)

Posted on Monday, July 31, 2006 - 2:31 pm:

Guest blogged by Jim March*

The Diebold TS voting machine (what Global/Diebold called internally the "R6") now stands as the most stunning failure to date of the federal and state certification processes.

Printed right on the motherboard of the unit is a manual for vote fraud, obvious to anybody with even moderate personal computer experience. A single Diebold TS machine is now in private hands and photographs of the internals have just been posted, thanks to Open Voting Foundation, here:
http://www.openvotingfoundation.org/ts/

Background:
Black Box Voting conducted studies with Harri Hursti and an expert from Security Innovation, who did a biopsy on the newer Diebold TSx voting machine in Emery County UT earlier this year.

http://www.blackboxvoting.org/BBVtsxstudy.pdf
http://www.blackboxvoting.org/BBVtsxstudy-supp.pdf

The core of their findings was that the software on the unit could be replaced in its entirety or at any of several key points, in all cases without any validation of the authenticity of the code in question. This was soon declared "the worst voting system security issue to date" by additional experts in and out of the certification process, including David Dill, Doug Jones and Barbara Simons (http://www.truthout.org/docs_2006/072506C.shtml) and Dr. Michael Shamos of the Pennsylvania state certification panel (http://www.votetrustusa.org/index.php?option=com_content&task=view&id=1281&Itemid=51).

The older model, the TS (used statewide in Georgia and Maryland) may be as bad or worse.

With the TS, it is still possible to do total-code-replacement such as the Black Box Voting studies with Hursti and SI found. But an attacker might not even need to bother. Instead, they would use motherboard switch settings on the TS to alter which area of memory the TS boots from, knowing that the machine can be switched back to the "certified" code set at any time with no tools required other than a standard Phillips screwdriver.

The TS motherboard has a chart showing how to set the machine to boot from any of three memory locations:

* Internal Flash – this is similar to the TSx and is apparently how the machine was set from the factory. In this switch position the machine acted like a Diebold touchscreen voting machine as has been shown in demos, official manuals, certification documents and the like.

* EPROM – in this switch position, the screen came up in a different color pattern, a copyright notice by BSquare Corporation and ends with "about to sync parallel port". Apparently, in this "mode" the machine wants to read data from the parallel port on the motherboard, normally used as a printer connection but likely capable of 2-way ("bi-directional") data transfer. Not having a set of files to load via the parallel port, we don't know what was intended for this mode but if it wants input, somebody could give it some.

(For those technically familiar with the Hursti-SI Emery County report, this appears to be an alternate bootloader, and hence a very dangerous bit of code that has no business being in the unit at all, let alone switch-enabled and live.)

* External Flash – potentially the most troubling. The motherboard has a large white internal memory slot labeled "external flash memory", probably the memory location this switch setting would point to. PCMCIA-based flash memory is also a possibility. Either way, new code running on extra added memory that fits in a vest pocket appears to be able to completely change the functionality of the machine and at any time could be removed and the switches set back to make it a normal certified setup with all traces of the modifications eliminated.

Yet another indictment of the federal and state certification processes

Anyone at the Federal or state level who had looked inside the TS would have caught this in seconds and at a minimum, demanded that the switches and jumpers be glued and sealed in the certified direction. (Which would still leave the "Emery County style" attack available.)

These so-called professionals are asleep at the wheel. Every last one of them. Nobody who approved the TS as a voting technology should keep their jobs and the entire concept of "certification" that approved this nightmare must be rethought.

The Open Voting Consortium's solution is to throw all the source code open and let the "geeks of America" collectively probe these things.

Black Box Voting's position is that, after spending billions of taxpayer dollars on junk, it is time for Watergate-style hearings.

The current voting machine fiasco in the United States involved bribes, corruption and collusion. Citizens long to hear their representatives ask the tough questions. Citizens want the perps held accountable.

It is premature to try to paper over the parade of disastrous findings with a law. First, we need to know how this happened in the first place -- under oath and with subpoenas, in bipartisan hearings with tough questions.

The collective will to enact real solutions, which must include citizen oversight every step of the way, will only appear when citizens can see the full extent of the failures in our electoral procurement process exposed, and those who are responsible must be held accountable.

* Jim March took a leave of absence from Black Box Voting beginning June 1, 2006 to work on some political campaigns, activities which cannot be done under a 501(c)(3) nonprofit.

Beginning on Tuesday, August 1 2006, Black Box Voting will unveil a CITIZEN'S TOOL KIT TO TAKE BACK ELECTIONS.

If you are visiting this link on Aug. 2 or afterwards, click this link: http://www.blackboxvoting.org/toolkit.pdf to download the Citizen's Tool Kit. If you haven't taken personal actions to take back your elections, now is the time to start.
* * * * *

"Regardless of size, just 1-3 people do all the work in any group. Better to have 10 groups of 10 people than one group with 100 people. That way, at least 10 people will get things done."
(-- John Brakey, an Arizona citizen)

You own your government, not the other way around. This is your task: Pick 1 thing and just DO IT. Then lead, mentor or organize 9 people to do the same thing.

Citizen Tool Kit to Take Back Elections:
http://www.blackboxvoting.org/toolkit.pdf
Begins 8/1/06


Dan Oetting
Voting Rights Forum Participant
Username: Dan_oetting

Post Number: 4
Registered: 07-2006

Best of Black Box? 
Votes: 1 (A keeper?)

Posted on Tuesday, August 1, 2006 - 3:49 am:

BD2-288 -- Just your ordinary everyday printer interface?
<http://www.citizen-systems.com/product.aspx?id=48>

• Flash Memory??

Looks like this board can be reprogrammed. Is it possible to take over control of the voting machine through a clever back door in the printer driver?

Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a

Post Number: 3125
Registered: 12-2004

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Tuesday, August 1, 2006 - 4:15 am:

Dan,

Don't tell me you've discovered yet another back door!

Is anybody still keeping count?

Brant Lamb
Frequent Voting Rights Forum Participant
Username: Brantl

Post Number: 732
Registered: 01-2005

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Tuesday, August 1, 2006 - 4:58 am:

The parallel port is likely to be for the printer, although not necessarily, and bi-directional printer ports are the norm now (on PC style equipment, at least) not the exception. So this may be the parallel port previously mentioned.

Dan Oetting
Voting Rights Forum Participant
Username: Dan_oetting

Post Number: 6
Registered: 07-2006

Best of Black Box? 
Votes: 2 (A keeper?)

Posted on Tuesday, August 1, 2006 - 6:03 am:

The motherboard has a jumper that indicates it will run a boot loader reading from the parallel port. So yes, the parallel port is bi-directional. But it may be too obvious if the machine was able to boot on command from the printer interface. And someone would still have to set that jumper on every machine before the election.

A more insidious plan would be to load sleeper code in the printer interface flash. This could be done years in advance of the election or at any time as part of routine maintenance diagnostics.

A secret handshake from the voting machine would wake the sleeper code. This could be encoded in printing the zero tape at the opening of the polls on election day. The trigger could be the inclusion of a key name in the data for the zero tape and possibly include polling pulses that happen when the machine recycles between voters. When the sleeper code determines that the election is real and needs to be rigged it knocks on the back door which could look like nothing more than a stack overflow in the printer driver, injects its own code into the voting machine and takes over.

At the end of the day when the power is turned off all evidence vanishes. There is nothing in the audited code on the voting machine eprom or any key cards before or after the election that would show the hack.

In short, simple terms: every voting machine is networked to an unaudited computer on election day!!

Brant Lamb
Frequent Voting Rights Forum Participant
Username: Brantl

Post Number: 735
Registered: 01-2005

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Tuesday, August 1, 2006 - 12:54 pm:

'Printer interface FLASH' ? I suppose you mean flash that is in the printer?

Jim March
Voting Rights Forum Participant
Username: Jimmarch

Post Number: 7
Registered: 05-2006

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Tuesday, August 1, 2006 - 3:24 pm:

Dan: that's an interesting thought.

Among the pics Alan distributed was this:

http://www.openvotingfoundation.org/ts/slides/13-prtr2.html#

That's the printer board, connected via parallel. Click on the pic for a closeup that allows you to read all the chips (you sometimes have to try several times to get it to zoom).

Also note that bank of 8 dip switches. That bank is available from the outside of the machine once you open the PCMCIA slot door. I don't know what the switches do, probably basic printer control stuff like an early 1990s-era Epson dot matrix.

Somebody mentioned somewhere that this circuit board is a commodity item from the "cash register world" or something. If so it's probably not real useful for "evil". (Note the "Made In Japan" thing...the motherboard is classic Taiwanese looking, it was all assembled in Texas.)

Worst case, as Dan says, you have "malicious code" loaded in printer firmware or flash and on setting the motherboard to EPROM it reads in bad code from the printer board.

One possibility: there may be different models of printer board, some capable of evil, some not.

Alan was able to learn that insertable flash memory modules in the white slot are available in 8 megs and 16 megs; the latter should be enough to craft a complete "fake voting environment", enough to fool voters and pollworkers. If it blew up, a field tech could always crack it open, flip it back to internal flash, and it's "fixed".

I suspect that's more dangerous than the printer board attack but none of these are very "good" choices.

Anyone want to place bets on when we see Linda Lamone crack one of these open and squirt the motherboard jumpers and switches with a bunch of glue to seal them in the "certified" direction?

(That would *possibly* raise the TS security to the level of the TSx, which certainly isn't saying much...)

Dan Oetting
Voting Rights Forum Participant
Username: Dan_oetting

Post Number: 7
Registered: 07-2006

Best of Black Box? 
Votes: 1 (A keeper?)

Posted on Tuesday, August 1, 2006 - 6:30 pm:

The little printer board has flash memory which means it can be reprogrammed to do any evil work the programmer desires while just sitting there looking like an innocent "off the shelf" printer interface board that nobody thinks needs to be audited. What's more, if it is protected flash there may not be any way to read what is programmed in there.

With this board, you don't need to change any jumpers in the voting machine to hack it. You don't even need to touch the machine! The voting machine boots normally using certified code. You could even publish the source for the code running on the voting machine and not have the hack spotted because it only needs to be a single missing instruction. And being on an internal interface that has no outside access that section of code probably wouldn't get a lot of attention.

The rogue code in the printer interface would start running when the voting machine is powered on. But being hidden away in its own processor it will be virtually undetectable while it watches what is going on up above by reading the data being printed. It's waiting to strike only on election day and only if the inputs have the feel of a true election.

When conditions are right, in the middle of an election, just after a voter has cast a ballot and before the next voter can get to the machine, the rogue code pushes through the waiting back door and deposits the rigging code in the voting machine's memory. The rigging code attaches itself to the running elections code and starts to do its dirty work.

Mike Myhre
Frequent Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 125
Registered: 02-2006

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Tuesday, August 1, 2006 - 6:52 pm:

Dan,

While it would be possible to create a setup as you have described in your posts, I don't think you have any data to support your suggestions. This thread was discussing the selectable boot options. One option would cause the machine to boot from the EPROM which would put it in a mode apparently looking for data from a printer port. This does not imply that the machine is always scanning for information from a printer during the voting session.
While I agree it is possible, many may take your posts as a suggestion that the machines have been proven to have this capability.

Bev Harris
Board Administrator
Username: Admin

Post Number: 5487
Registered: 12-2004

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Tuesday, August 1, 2006 - 6:59 pm:

Re: Phil McCracken posts being removed -- off topic. If you would like to discuss the merits of Diebold's design decision, Phil, go for it.


Dan Oetting
Voting Rights Forum Participant
Username: Dan_oetting

Post Number: 8
Registered: 07-2006

Best of Black Box? 
Votes: 1 (A keeper?)

Posted on Tuesday, August 1, 2006 - 8:24 pm:

While I can't say that the path is open to hack into the voting machine, what I do have evidence for is there is a computer running code that hasn't been certified by any elections department which is networked to the voting machine during the election in violation of the election laws in many states. The POSSIBILITY of a back door into the voting machine is why the machines are prohibited from being networked in the first place.

Mike Myhre
Frequent Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 126
Registered: 02-2006

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Tuesday, August 1, 2006 - 8:30 pm:

Dan,

I totally agree. No election should have or should in the future be run on these machines. Anyone who certifies these machines for use, especially knowing what we know today, should be brought up on criminal charges.

Marian Beddill
Voting Rights Forum Participant
Username: Uu7thprinciple

Post Number: 31
Registered: 08-2005

Best of Black Box? 
Votes: 1 (A keeper?)

Posted on Tuesday, August 1, 2006 - 9:19 pm:

Dan O wrote: "....it watches what is going on up above by reading the data being printed. It's waiting to strike only on election day and only if the inputs....."

Very much like the demo I wrote a few years ago - where the system waited for an "odd" ballot, like votes for only 2 unusual races. That condition was the trigger for the "variant" in the program or system, as Dan described.
http://noleakybuckets.org/files/votedemo.xls ;
(Vote for the losing Senator and the DogCatcher of the same party.)

Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a

Post Number: 3128
Registered: 12-2004

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Tuesday, August 1, 2006 - 10:56 pm:

If anyone hasn't seen Marian's demo program it is really amazing. It really brings home the point that a "trigger" to rig an election can be subtle yet very easy to do.

Jim March
Voting Rights Forum Participant
Username: Jimmarch

Post Number: 8
Registered: 05-2006

Best of Black Box? 
Votes: 1 (A keeper?)

Posted on Wednesday, August 2, 2006 - 2:35 am:

Dan: which chip on the printer board is flash? And can you tell how big it is in terms of memory capacity?

This is very interesting.

Let's see...the printer board definitely has a two-way and fairly high speed connection to the motherboard, via parallel. (For those unfamiliar with parallel ports, the original spec in the 1981-era PC was unidirectional but by the mid-90s bi-directional was a widespread standard.)

If the printer control circuit board has flash memory and its own CPU, that makes a lot of sense as you could use one such board to control a bunch of different "cash register grade" physical printers. Keeps your parts costs down, just re-program the controller to match new hardware.

OK. If the flash software on the printer can read the eight dip switches, then in theory flipping one (or more?) could trigger malicious code in the printer circuit board flash. That in turn sends a "positive signal" of some sort back to the motherboard and "bad stuff" of some sort starts happening.

Now. If it does so, which piece of software on the motherboard will the printer board communicate with first?

Answer, and Bev this isn't speculation you can take it to the bank: the CE parallel port driver.

Which is probably written by Diebold (or perhaps BSquare) but in any case Diebold has the full source code for it and can modify it after BSquare finishes basic functionality.

(Wait: I'm saying "Diebold" by habit but this all basically dates to the Global era, not that it makes any difference but let's be accurate.)

My.

This is potentially REAL interesting.

The switches on the printer board are accessible via a hole in the outer case...all pollworkers or election officials with a key have access to the "switch hole" (it's right near the PCMCIA slots).

Waitasec...somewhere we have a manual for the TS/R6...

Yeah, must have been on my disk since Bev shared files with me in 2003...I have a file called "AccuVote-TS_R6_Hardware_Guide_Rev_1-2.pdf" and in it, searching for the words "DIP", "switch" and "printer" separately make no mention whatsoever of how to set those DIP switches. Meaning if somebody DID set them "different" nobody would notice. The switches are accessible only through a dark thin hole and with something like a toothpick or small screwdriver...no way in heck a pollworker would notice a change.

Huh. That's potentially a trigger for a change in behavior of the printer controller board firmware.

What else...another manual available to pollworkers might be "AccuVote-TS Users Guide 4.1.pdf" but again, while everything else on the printer is described, no mention of switch settings.

Whoa.

Ohhhhkay, Dan may be onto something here!

(Message edited by Jimmarch on August 02, 2006)

Dan Oetting
Voting Rights Forum Participant
Username: Dan_oetting

Post Number: 10
Registered: 07-2006

Best of Black Box? 
Votes: 1 (A keeper?)

Posted on Wednesday, August 2, 2006 - 8:42 am:

I found some documentation for the printer control board here:
<http://www.citizen-systems.co.jp/english/download/printer/index.html#dri>

In normal operation of the printer, the parallel port passes data only one way (to the printer).

IC-1 is labeled H8/3002
H8/3002 Hardware Manual:
<http://home.mit.bme.hu/~papzs/munka/h83002h.pdf>
"The H8/3002 is a high-performance single-chip microcontroller...The H8/3002 has six input/output ports"

I have no doubt now that the printer control board is capable of writing to the parallel port. The only question is will the voting machine be listening.

There are only 512 bytes of RAM onboard the CPU. The rest of the RAM and the flash are probably in the larger chip. I haven't been able to locate a reference for that chip yet but CMB is a name used by the printer manufacturer so it may be custom. The printer control board can be flash programmed with custom graphics so there will be plenty of room for custom code.

On the first site you can also find some printer driver libraries for various systems which might be useful to compare with the code in the ROM on the voting machine. There are few reasons why a developer would write their own drivers when they are already available for free.

Dan Oetting
Voting Rights Forum Participant
Username: Dan_oetting

Post Number: 11
Registered: 07-2006

Best of Black Box? 
Votes: 1 (A keeper?)

Posted on Wednesday, August 2, 2006 - 9:49 am:

I don't know why you are still looking for a manual trigger when I've already pointed out how the trigger can be built into the hardware. An electronic operative hiding inside every voting machine only needs a few tiny bits of information to tell it which candidates or issues need to be assisted in the election. This information could easily be coded into the ballot itself (especially if Diebold is assisting in the preparation of the ballots) or it could be already programmed to look for key names on specific dates. There is no need to expand the conspiracy and risk exposure beyond a few key persons.

And before you start thinking I'm just a conspiracy nut, I'm not necessarily talking about a conspiracy. The whole operation to swing a national election could be handled by a single person. (1. Insert a simple back door in the source code or library for the print driver for the internal printer. 2. Add a manufacturing diagnostic procedure that appears to test the printer but also flashes custom code in the printer control board. 3. There is no 3, the election is over and counted before the campaigning has even begun) If there is only 1 person involved it can't be a conspiracy (unless they talk to themselves).

Mike Myhre
Frequent Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 127
Registered: 02-2006

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Wednesday, August 2, 2006 - 9:58 am:

Dan,

I agree, the trigger can be any seemingly innocent action that will activate the malicious code. The malicious code must first be added to the machine however (assuming that it was not manufactured into it - with so many ways to infect the machine, there was no need to build it in and risk incrimination).
The manual trigger necessary to load the hack is the boot switch. If a person had a sleep over with the machine, it could be the EPROM or a flash card, or something similar, but somehow you need to get the machine to swallow the initial hack.

Jim March
Voting Rights Forum Participant
Username: Jimmarch

Post Number: 11
Registered: 05-2006

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Wednesday, August 2, 2006 - 12:39 pm:

I see a minor advantage to a hardware trigger design if Global/Diebold thought the ITA certification process might get fairly "tough" sometime down the road.

If the "hack" is initiated at the printer control board, then the amount of bad code running on the motherboard can be minimized to just a "be open to reception" thing difficult to spot even with good source code review.

You're absolutely right though: a software trigger by code running on the motherboard (touchscreen driver maybe?) could be the initiation point.