[TriLUG] OT: www.hexblog.com - a fix for the WMF vulernability.

[Rick DeNatale]

On 1/4/06, Tanner Lovelace <clubjuggler at gmail.com> wrote:
> On 1/4/06, Rick DeNatale <rick.denatale at gmail.com> wrote:

> > And I'm surprised and concerned that the test last month in Leon
> > county FL, shows that the optical scan machines might not be as good a
> > solution to verifiable voting as many open voting advocates, including
> > me, thought they were.
>
> What happened here was that the accubasic interpreter was programmed
> with 5 positive and 5 negative votes and so when they ran the test to
> make sure there were 0 votes before starting the test, it did, indeed, say
> that there were zero votes.  They then voted on whether the machine
> could be hacked or not.  6 people voted no and 2 people voted yes.
> When they read back the results, they said:
>
> No: 1
> Yes: 7
>
> Thereby proving the point of those that voted yes.[1]  Yes, this could have
> been caught with a manual recount, but the chance of that happening is
> fairly slim.  The problem here was that all the calculation was done using
> the accubasic code and by simply switching the flash card, which could easily
> be done by a poll worker or a random BOE person beforehand, the election
> was changed.

It's been a few weeks since I read the BBV report with the details of
the hack, so I just re-scanned it.

Actually, the exploit DIDN'T involve or require changes to the
accubasic interpreter.  The full details are available here:
http://www.blackboxvoting.org/BBVreport.pdf

The architecture of the voting machine puts the interpreter in
firmware inside the scanning machine.  The exploit didn't touch this
firmware, rather it involved changes to a removable memory cartridge
which holds two things.

1) The vote counters which tally up the votes for each
candidate/proposition etc.  These counters are only writeable by the
scanner firmware, and are read-only to accu-basic programs, at least
according to the AccuBasic manual
http://www.bbvdocs.org/diebold/ab-manual.pdf

2) A set of  "auditing" utilities specific to the election which are
written in Accubasic.  These utilities perform functions like printing
a report prior to the start of the election,  "proving"  that EACH
vote counter is zero at the start of the election, as well as printing
a post election report of each candidates totals at the end of the
election.

The machines documentation didn't mention that these utilities were
stored on the memory card.

Hursti was first able to demonstrate that he could hack a memory card
using an external programmer with new utilities writtten in accu-basic
which simply printed false paper trails. This in and of itself
couldn't be used to rig an election, since the votes are tallied from
the actual data stored on the card, but it could be used to cover up a
coordinated attack using a rigged tallying system.

The balancing negative and positive votes were initialized directly,
not through accu-basic. But covering up the ballot stuffing required
changing the utility to print a zero-total report prior to the
election.

> If you think something like this couldn't effect a
> national election,
> think again and read this article entitled "President Nader or How I Learned to
> Stop Worrying and Love DREs" [2].

I remember watching the 2004 results coming in, and periodically
looking at Ohio's official incoming precinct counts on the state's web
site.  I was astounded at one point to see that the Libertarian
candidate had an unusually large lead in the presidential race in
several counties, only to see his total vote count end up SMALLER than
it had been early in the evening.  Now I could be misremembering this.

And then there are these footnotes from the referenced BBV report:

(24) In Volusia County during the 2000 election, minus 16,022 votes
appeared for Al Gore, and according to an internal CBS investigation
(http://www.bbvdocs.org/misc/CBSreport.pdf), these votes caused the
election to be erroneously called for George W. Bush. The
documentation contained in the Diebold memos indicates that this was
due to a memory card replacement, though no one explains how minus
16,022 votes appeared on a (now missing, according to the memo) memory
card for a precinct with only a few hundred voters.

(25) Document received in Nov. 2, 2004 Black Box Voting public records
request from Volusia County. Diebold representative Mark Earley
requests an explanation as to why 57 extra memory cards were needed,
allegedly due to an unusually high occurrence of memory card
corruption. He points out that Volusia County claims more corrupted
memory cards than all the counties in the state of Florida, combined.

(26) Poll tape analysis by Black Box Voting, with records obtained
from Volusia County showed anomalies on 57 reports. Some of the
reports were missing the zero tape, some were missing poll worker
signatures, and several showed that multiple copies of the memory card
for that precinct had been created.

(27) In Brevard County, Florida, an unexplained anomaly caused a
4,000-vote error in the 2000 general election. Report: "CBS News
Coverage of Election Night 2000"
(http://www.bbvdocs.org/misc/CBSreport.pdf)

(28) In Brevard County, officials repeatedly withheld logs and poll
tapes from the Nov. 2, 2004 Black Box Voting public records request,
and then deemed the records (including the results reports) to be
proprietary and unavailable due to security concerns.

--
Rick DeNatale

Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/