[E-voting] (USA) New security defect evidence

Catherine Ansbro cansbro at eircom.net
Tue Aug 1 08:27:40 IST 2006 

[See the original article at BBV.org for live links. --Catherine]

http://www.bbvforums.org/cgi-bin/forums/show.cgi?tpc=1954&post=26678#POST26678

The Diebold TS voting machine (what Global/Diebold called internally the 
"R6") now stands as the most stunning failure to date of the federal and 
state certification processes.

Printed right on the motherboard of the unit is a manual for vote fraud, 
obvious to anybody with even moderate personal computer experience. A 
single Diebold TS machine is now in private hands and photographs of the 
internals have just been posted, thanks to Open Voting Foundation, here:
http://www.openvotingfoundation.org/ts/

*Background:*
Black Box Voting conducted studies with Harri Hursti and an expert from 
Security Innovation, who did a biopsy on the newer Diebold TSx voting 
machine in Emery County UT earlier this year.

http://www.blackboxvoting.org/BBVtsxstudy.pdf
http://www.blackboxvoting.org/BBVtsxstudy-supp.pdf

The core of their findings was that the software on the unit could be 
replaced in it's entirety or at any of several key points, in all cases 
without any validation of the authenticity of the code in question. This 
was soon declared "the worst voting system security issue to date" by 
addition experts in and out of the certification process, including 
David Dill, Doug Jones and Barbara Simons 
(http://www.truthout.org/docs_2006/072506C.shtml) and Dr. Michael Shamos 
of the Pennsylvania state certification panel 
(http://www.votetrustusa.org/index.php?option=com_content&task=view&id=1281&Itemi 
d=51 
<http://www.votetrustusa.org/index.php?option=com_content&task=view&id=1281&Itemid=51>). 


The older model, the TS (used statewide in Georgia and Maryland) may be 
as bad or worse.

With the TS, it is still possible to do total-code-replacement such as 
the Black Box Voting studies with Hursti and SI found. But an attacker 
might not even need to bother. Instead, they would use motherboard 
switch settings on the TS to alter which area of memory the TS boots 
from, knowing that the machine can be switched back to the "certified" 
code set at any time with no tools required other than a standard 
Phillips screwdriver.

The TS motherboard has a chart showing how to set the machine to boot 
from any of three memory locations:

* Internal Flash – this is similar to the TSx and is apparently how the 
machine was set from the factory. In this switch position the machine 
acted like a Diebold touchscreen voting machine as has been shown in 
demos, official manuals, certification documents and the like.

* EPROM – in this switch position, the screen came up in a different 
color pattern, a copyright notice by BSquare Corporation and ends with 
"about to sync parallel port". Apparently, in this "mode" the machine 
wants to read data from the parallel port on the motherboard, normally 
used as a printer connection but likely capable of 2-way 
("bi-directional") data transfer. Not having a set of files to load via 
the parallel port, we don't know what was intended for this mode but if 
it wants input, somebody could give it some.

(For those technically familiar with the Hursti-SI Emery County report, 
this appears to be an alternate bootloader, and hence a very dangerous 
bit of code that has no business being in the unit at all, let alone 
switch-enabled and live.)

* External Flash – potentially the most troubling. The motherboard has a 
large white internal memory slot labeled "external flash memory", 
probably the memory location this switch setting would point to. 
PCMCIA-based flash memory is also a possibility. Either way, new code 
running on extra added memory that fits in a vest pocket appears to be 
able to completely change the functionality of the machine and at any 
time could be removed and the switches set back to make it a normal 
certified setup with all traces of the modifications eliminated.

*Yet another indictment of the federal and state certification processes*

Anyone at the Federal or state level who had looked inside the TS would 
have caught this in seconds and at a minimum, demanded that the switches 
and jumpers be glued and sealed in the certified direction. (Which would 
still leave the "Emery County style" attack available.)

These so-called professionals are asleep at the wheel. Every last one of 
them. Nobody who approved the TS as a voting technology should keep 
their jobs and the entire concept of "certification" that approved this 
nightmare must be rethought.

The Open Voting Consortium's solution is to throw all the source code 
open and let the "geeks of America" collectively probe these things.

Black Box Voting's position is that, after spending billions of taxpayer 
dollars on junk, it is time for Watergate-style hearings.

The current voting machine fiasco in the United States involved bribes, 
corruption and collusion. Citizens long to hear their representatives 
ask the tough questions. Citizens want the perps held accountable.

It is premature to try to paper over the parade of disastrous findings 
with a law. First, we need to know how this happened in the first place 
-- under oath and with subpoenas, in ,bipartisan hearings with tough 
questions.

The collective will to enact real solutions, which must include citizen 
oversight every step of the way, will only appear when citizens can see 
the full extent of the failures in our electoral procurement process 
exposed, and those who are responsible must be held accountable.

* Jim March took a leave of absence from Black Box Voting beginning June 
1, 2006 to work on some political campaigns, activities which cannot be 
done under the a 501c(3) nonprofit.

Beginning on Tuesday, August 1 2006, Black Box Voting will unveil a 
CITIZEN'S TOOL KIT TO TAKE BACK ELECTIONS.

If you are visiting this link on Aug. 2 or afterwards, click this link: 
http://www.blackboxvoting.org/toolkit.pdf to download the Citizen's Tool 
Kit. If you haven't taken personal actions to take back your elections, 
now is the time to start.
------------------------------------------------------------------------
* * * * *

"Regardless of size, just 1-3 people do all the work in any group. 
Better to have 10 groups of 10 people than one group with 100 people. 
That way, at least 10 people will get things done."
(-- John Brakey, an Arizona citizen)

You own your government, not the other way around. This is your task: 
Pick 1 thing and just DO IT. Then lead, mentor or organize 9 people to 
do the same thing.

Citizen Tool Kit to Take Back Elections:
http://www.blackboxvoting.org/toolkit.pdf
Begins 8/1/06

More information about the E-voting mailing list