Rubin’s team had analyzed the 48609 lines of Diebold source code and found 328 security flaws, 26 deemed critical. The report not only dissected the code, but looked into the smart card security and its cryptographic weakness. One particular line of code stood out above all the rest:

defineDESKEY((des_KEY8F2654hd4

The encryption method was the Digital Encryption Standard (DES), which was broken in 1997 and is no longer used by anyone for encryption. Not only that, the “KEY” was hard coded into the source code which means that all the machines use the same key. Having access to one meant having access to all.

The report found that the smart cards were not encrypted. Rubin said “The smartcards chosen for the Diebold DREs were not encrypted and could be forged by a 15-year-old in his bedroom at an equipment cost of about three weeks allowance.” Diebold claims that the new machines are not using the same code as Rubin tested, but because the code is proprietary, Diebold won’t show the new code to anyone.

In November of 2006, The National Institute for Standards and Technology (NIST) issued a draft discussion report on “Requiring Software Independence in VVSG 2007” in which it declares “Potentially, a single programmer could “rig” a major election. The computer security community rejects the notion that DREs can be made secure, arguing that their design is inadequate to meet the requirements of voting and that they are vulnerable to large-scale errors and election fraud.”

http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf

Still have doubts? Go here to track election irregularities:

http://www.votersunite.org/electionproblems2004plus.asp

Filtered by machine malfunction:

http://www.votersunite.org/electionproblems2004plus.asp?sort=date&selectstate=ALL&selectproblemtype=Machine+malfunction

I guess you could say I’ve done some research on all this.

Rubin’s team had analyzed the 48609 lines of Diebold source code and found 328 security flaws, 26 deemed critical. The report not only dissected the code, but looked into the smart card security and its cryptographic weakness. One particular line of code stood out above all the rest:

defineDESKEY((des_KEY8F2654hd4

The encryption method was the Digital Encryption Standard (DES), which was broken in 1997 and is no longer used by anyone for encryption. Not only that, the “KEY” was hard coded into the source code which means that all the machines use the same key. Having access to one meant having access to all.

The report found that the smart cards were not encrypted. Rubin said “The smartcards chosen for the Diebold DREs were not encrypted and could be forged by a 15-year-old in his bedroom at an equipment cost of about three weeks allowance.” Diebold claims that the new machines are not using the same code as Rubin tested, but because the code is proprietary, Diebold won’t show the new code to anyone.

In November of 2006, The National Institute for Standards and Technology (NIST) issued a draft discussion report on “Requiring Software Independence in VVSG 2007” in which it declares “Potentially, a single programmer could “rig” a major election. The computer security community rejects the notion that DREs can be made secure, arguing that their design is inadequate to meet the requirements of voting and that they are vulnerable to large-scale errors and election fraud.”

http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf

Still have doubts? Go here to track election irregularities:

http://www.votersunite.org/electionproblems2004plus.asp

Filtered by machine malfunction:

http://www.votersunite.org/electionproblems2004plus.asp?sort=date&selectstate=ALL&selectproblemtype=Machine+malfunction

I guess you could say I’ve done some research on all this.

Rubin’s team had analyzed the 48609 lines of Diebold source code and found 328 security flaws, 26 deemed critical. The report not only dissected the code, but looked into the smart card security and its cryptographic weakness. One particular line of code stood out above all the rest:

defineDESKEY((des_KEY8F2654hd4

The encryption method was the Digital Encryption Standard (DES), which was broken in 1997 and is no longer used by anyone for encryption. Not only that, the “KEY” was hard coded into the source code which means that all the machines use the same key. Having access to one meant having access to all.

The report found that the smart cards were not encrypted. Rubin said “The smartcards chosen for the Diebold DREs were not encrypted and could be forged by a 15-year-old in his bedroom at an equipment cost of about three weeks allowance.” Diebold claims that the new machines are not using the same code as Rubin tested, but because the code is proprietary, Diebold won’t show the new code to anyone.

In November of 2006, The National Institute for Standards and Technology (NIST) issued a draft discussion report on “Requiring Software Independence in VVSG 2007” in which it declares “Potentially, a single programmer could “rig” a major election. The computer security community rejects the notion that DREs can be made secure, arguing that their design is inadequate to meet the requirements of voting and that they are vulnerable to large-scale errors and election fraud.”

http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf

Still have doubts? Go here to track election irregularities:

http://www.votersunite.org/electionproblems2004plus.asp

Filtered by machine malfunction:

http://www.votersunite.org/electionproblems2004plus.asp?sort=date&selectstate=ALL&selectproblemtype=Machine+malfunction

I guess you could say I’ve done some research on all this.

Rubin’s team had analyzed the 48609 lines of Diebold source code and found 328 security flaws, 26 deemed critical. The report not only dissected the code, but looked into the smart card security and its cryptographic weakness. One particular line of code stood out above all the rest:

defineDESKEY((des_KEY8F2654hd4

The encryption method was the Digital Encryption Standard (DES), which was broken in 1997 and is no longer used by anyone for encryption. Not only that, the “KEY” was hard coded into the source code which means that all the machines use the same key. Having access to one meant having access to all.

The report found that the smart cards were not encrypted. Rubin said “The smartcards chosen for the Diebold DREs were not encrypted and could be forged by a 15-year-old in his bedroom at an equipment cost of about three weeks allowance.” Diebold claims that the new machines are not using the same code as Rubin tested, but because the code is proprietary, Diebold won’t show the new code to anyone.

In November of 2006, The National Institute for Standards and Technology (NIST) issued a draft discussion report on “Requiring Software Independence in VVSG 2007” in which it declares “Potentially, a single programmer could “rig” a major election. The computer security community rejects the notion that DREs can be made secure, arguing that their design is inadequate to meet the requirements of voting and that they are vulnerable to large-scale errors and election fraud.”

http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf

Still have doubts? Go here to track election irregularities:

http://www.votersunite.org/electionproblems2004plus.asp

Filtered by machine malfunction:

http://www.votersunite.org/electionproblems2004plus.asp?sort=date&selectstate=ALL&selectproblemtype=Machine+malfunction

I guess you could say I’ve done some research on all this.

– Behler: “One of problems we had was an issue with the GEMS database. They had to do an update to it, so they just post the update to the web site. …One of the things we had wrong was the date wasn’t sticking in the Windows CE. The real time clock would go to check the time on the motherboard, and it would have an invalid year in it, like 1974 or something” – Hood: “”We were told that it was intended to fix the clock in the system, which it didn’t do. The curious thing is the very swift, covert way this was done.”

– Behler: “It just totally blew me away that they [Diebold] would be so incensed and just absolutely angry about something so frivolous as the basic information I gave Dr. Williams.” [Georgia’s voting machine examiner] “I’ve never been told to shut up so many times by so many people. I’ll give you a quote — this came from Urosevich: He said ‘we don’t need you airing our dirty laundry.” – Hood: “It was an unauthorized patch, and they were trying to keep it secret from the state. We were told not to talk to county personnel about it. I received instructions directly from Urosevich. It was very unusual that a president of the company would give an order like that and be involved at that level.

– Behler: “I went over to Dekalb. We updated 1,800 machines in basically a day and a half. I still remember ol’ Rusty, down at the warehouse, we ended up touching every single machine off the pallet, booting ’em up, update it, we had a couple hundred machines. They were trying to get us, the teams, into Fulton County to do Fulton County’s 1,900 machines. They were in the most horrific spot. The place they warehoused them was like 1,900 machines in a little office space. – “According to Hood, Diebold employees altered software in some 5,000 machines in DeKalb and Fulton counties – the state’s largest Democratic strongholds. To avoid detection, Hood and others on his team entered warehouses early in the morning. “We went in at 7:30 a.m. and were out by 11,” Hood says. “There was a universal key to unlock the machines, and it’s easy to get access. The machines in the warehouses were unlocked. We had control of everything. The state gave us the keys to the castle, so to speak, and they stayed out of our way.” Hood personally patched fifty-six machines and witnessed the patch being applied to more than 1,200 others.”

References:

http://www.rollingstone.com/politics/story/11717105/robertfkennedyjr_willthenextelectionbe_hacked

http://www.blackboxvoting.org/bbv_chapter-11.pdf

http://www.scoop.co.nz/stories/HL0307/S00078.htm

– Behler: “One of problems we had was an issue with the GEMS database. They had to do an update to it, so they just post the update to the web site. …One of the things we had wrong was the date wasn’t sticking in the Windows CE. The real time clock would go to check the time on the motherboard, and it would have an invalid year in it, like 1974 or something” – Hood: “”We were told that it was intended to fix the clock in the system, which it didn’t do. The curious thing is the very swift, covert way this was done.”

– Behler: “It just totally blew me away that they [Diebold] would be so incensed and just absolutely angry about something so frivolous as the basic information I gave Dr. Williams.” [Georgia’s voting machine examiner] “I’ve never been told to shut up so many times by so many people. I’ll give you a quote — this came from Urosevich: He said ‘we don’t need you airing our dirty laundry.” – Hood: “It was an unauthorized patch, and they were trying to keep it secret from the state. We were told not to talk to county personnel about it. I received instructions directly from Urosevich. It was very unusual that a president of the company would give an order like that and be involved at that level.

– Behler: “I went over to Dekalb. We updated 1,800 machines in basically a day and a half. I still remember ol’ Rusty, down at the warehouse, we ended up touching every single machine off the pallet, booting ’em up, update it, we had a couple hundred machines. They were trying to get us, the teams, into Fulton County to do Fulton County’s 1,900 machines. They were in the most horrific spot. The place they warehoused them was like 1,900 machines in a little office space. – “According to Hood, Diebold employees altered software in some 5,000 machines in DeKalb and Fulton counties – the state’s largest Democratic strongholds. To avoid detection, Hood and others on his team entered warehouses early in the morning. “We went in at 7:30 a.m. and were out by 11,” Hood says. “There was a universal key to unlock the machines, and it’s easy to get access. The machines in the warehouses were unlocked. We had control of everything. The state gave us the keys to the castle, so to speak, and they stayed out of our way.” Hood personally patched fifty-six machines and witnessed the patch being applied to more than 1,200 others.”

References:

http://www.rollingstone.com/politics/story/11717105/robertfkennedyjr_willthenextelectionbe_hacked

http://www.blackboxvoting.org/bbv_chapter-11.pdf

http://www.scoop.co.nz/stories/HL0307/S00078.htm

– Behler: “One of problems we had was an issue with the GEMS database. They had to do an update to it, so they just post the update to the web site. …One of the things we had wrong was the date wasn’t sticking in the Windows CE. The real time clock would go to check the time on the motherboard, and it would have an invalid year in it, like 1974 or something” – Hood: “”We were told that it was intended to fix the clock in the system, which it didn’t do. The curious thing is the very swift, covert way this was done.”

– Behler: “It just totally blew me away that they [Diebold] would be so incensed and just absolutely angry about something so frivolous as the basic information I gave Dr. Williams.” [Georgia’s voting machine examiner] “I’ve never been told to shut up so many times by so many people. I’ll give you a quote — this came from Urosevich: He said ‘we don’t need you airing our dirty laundry.” – Hood: “It was an unauthorized patch, and they were trying to keep it secret from the state. We were told not to talk to county personnel about it. I received instructions directly from Urosevich. It was very unusual that a president of the company would give an order like that and be involved at that level.

– Behler: “I went over to Dekalb. We updated 1,800 machines in basically a day and a half. I still remember ol’ Rusty, down at the warehouse, we ended up touching every single machine off the pallet, booting ’em up, update it, we had a couple hundred machines. They were trying to get us, the teams, into Fulton County to do Fulton County’s 1,900 machines. They were in the most horrific spot. The place they warehoused them was like 1,900 machines in a little office space. – “According to Hood, Diebold employees altered software in some 5,000 machines in DeKalb and Fulton counties – the state’s largest Democratic strongholds. To avoid detection, Hood and others on his team entered warehouses early in the morning. “We went in at 7:30 a.m. and were out by 11,” Hood says. “There was a universal key to unlock the machines, and it’s easy to get access. The machines in the warehouses were unlocked. We had control of everything. The state gave us the keys to the castle, so to speak, and they stayed out of our way.” Hood personally patched fifty-six machines and witnessed the patch being applied to more than 1,200 others.”

References:

http://www.rollingstone.com/politics/story/11717105/robertfkennedyjr_willthenextelectionbe_hacked

http://www.blackboxvoting.org/bbv_chapter-11.pdf

http://www.scoop.co.nz/stories/HL0307/S00078.htm

– Behler: “One of problems we had was an issue with the GEMS database. They had to do an update to it, so they just post the update to the web site. …One of the things we had wrong was the date wasn’t sticking in the Windows CE. The real time clock would go to check the time on the motherboard, and it would have an invalid year in it, like 1974 or something” – Hood: “”We were told that it was intended to fix the clock in the system, which it didn’t do. The curious thing is the very swift, covert way this was done.”

– Behler: “It just totally blew me away that they [Diebold] would be so incensed and just absolutely angry about something so frivolous as the basic information I gave Dr. Williams.” [Georgia’s voting machine examiner] “I’ve never been told to shut up so many times by so many people. I’ll give you a quote — this came from Urosevich: He said ‘we don’t need you airing our dirty laundry.” – Hood: “It was an unauthorized patch, and they were trying to keep it secret from the state. We were told not to talk to county personnel about it. I received instructions directly from Urosevich. It was very unusual that a president of the company would give an order like that and be involved at that level.

– Behler: “I went over to Dekalb. We updated 1,800 machines in basically a day and a half. I still remember ol’ Rusty, down at the warehouse, we ended up touching every single machine off the pallet, booting ’em up, update it, we had a couple hundred machines. They were trying to get us, the teams, into Fulton County to do Fulton County’s 1,900 machines. They were in the most horrific spot. The place they warehoused them was like 1,900 machines in a little office space. – “According to Hood, Diebold employees altered software in some 5,000 machines in DeKalb and Fulton counties – the state’s largest Democratic strongholds. To avoid detection, Hood and others on his team entered warehouses early in the morning. “We went in at 7:30 a.m. and were out by 11,” Hood says. “There was a universal key to unlock the machines, and it’s easy to get access. The machines in the warehouses were unlocked. We had control of everything. The state gave us the keys to the castle, so to speak, and they stayed out of our way.” Hood personally patched fifty-six machines and witnessed the patch being applied to more than 1,200 others.”

References:

http://www.rollingstone.com/politics/story/11717105/robertfkennedyjr_willthenextelectionbe_hacked

http://www.blackboxvoting.org/bbv_chapter-11.pdf

http://www.scoop.co.nz/stories/HL0307/S00078.htm

Although the following information has been out for years, what worries me is that GA and Ohio are still using these same voting machines. It’s doubtful that that have ever been recertified.

Rob Behler, Diebold’s lead tech for the Georgia roll-out (of the new voting machines) also reported that the cards, which provided the means of loading the patches, could simply be duplicated. Both Behler and Hood (DiebThroat) had commented on the slack and careless way in which the cards, machines, and the implementation in general were handled by Diebold.

Tech savvy bloggers were having a field day reporting what they had found in the code, which by then was widely available on the Internet. They were busy rifling through 13,000 hacked documents after a March 2003 hack into the Diebold website. Chapter 10 of Black Box Voting titled ‘Who’s Minding the Store’ [ http://www.blackboxvoting.org/bbv_chapter-10.pdf ] reveals some of the blogger’s comments on the Diebold source code for the card readers. A programmer “BlueMac” pointed out agonized comments by Diebold programmers, found in the source code for card readers:

– this is baloney, you don’t have to do this, this function is already built in to XXXXXXX, just use the XXXXXX command

– the (insert critical flag here) flag is broken so I did this and that to get around it

– I don’t know why you want me to do this, it will let this and that happen….unless that’s what you want to happen then I guess it’s OK

– I don’t think a DBA designed this. No referential integrity —no auto number primary keys. Bad for maintaining a reliable database —good for adding and deleting data at will

Blogger Lucile Goldman states: “The system has a history of ‘space’ problems” and points out these comments in the source code:

– Fixed problem with Accumulator not working with large elections (out of space)

– Fix problem with removing system.binand AVTSError.txtfiles when removing old election files to make more room on the storage device

– Add checking for minimum storage space free before allowing a ballot to be cast

Another blogger says: “You call that an audit log? Everybody’s [logged in as] ‘admin.’”

A blogger who went by the name “Razmataz” was shocked at finding evidence of wireless communications in the voting system:

– Wireless programming required? Are they nuts? I thought I’d been following all the ‘electronic voting machine’ strategies but that’s one I missed. I’m a techie, 36 years in the business, some of it with reading punch card votes and optical votes. Wireless programming capability is just plain nuts. That’s a security hole the size of a 747

– That would mean somebody could walk near the voting area (even outside the building), connect to the voting machines via wireless network, and make changes to the voting programs and/or the vote counts

– And when database files have passwords that are the name of the county where votes are counted, how secure is this system?

One of the bloggers posted this screenshot of a line in the decompiled code: http://img133.imageshack.us/img133/8702/pray02gg7.png

Although the following information has been out for years, what worries me is that GA and Ohio are still using these same voting machines. It’s doubtful that that have ever been recertified.

Rob Behler, Diebold’s lead tech for the Georgia roll-out (of the new voting machines) also reported that the cards, which provided the means of loading the patches, could simply be duplicated. Both Behler and Hood (DiebThroat) had commented on the slack and careless way in which the cards, machines, and the implementation in general were handled by Diebold.

Tech savvy bloggers were having a field day reporting what they had found in the code, which by then was widely available on the Internet. They were busy rifling through 13,000 hacked documents after a March 2003 hack into the Diebold website. Chapter 10 of Black Box Voting titled ‘Who’s Minding the Store’ [ http://www.blackboxvoting.org/bbv_chapter-10.pdf ] reveals some of the blogger’s comments on the Diebold source code for the card readers. A programmer “BlueMac” pointed out agonized comments by Diebold programmers, found in the source code for card readers:

– this is baloney, you don’t have to do this, this function is already built in to XXXXXXX, just use the XXXXXX command

– the (insert critical flag here) flag is broken so I did this and that to get around it

– I don’t know why you want me to do this, it will let this and that happen….unless that’s what you want to happen then I guess it’s OK

– I don’t think a DBA designed this. No referential integrity —no auto number primary keys. Bad for maintaining a reliable database —good for adding and deleting data at will

Blogger Lucile Goldman states: “The system has a history of ‘space’ problems” and points out these comments in the source code:

– Fixed problem with Accumulator not working with large elections (out of space)

– Fix problem with removing system.binand AVTSError.txtfiles when removing old election files to make more room on the storage device

– Add checking for minimum storage space free before allowing a ballot to be cast

Another blogger says: “You call that an audit log? Everybody’s [logged in as] ‘admin.’”

A blogger who went by the name “Razmataz” was shocked at finding evidence of wireless communications in the voting system:

– Wireless programming required? Are they nuts? I thought I’d been following all the ‘electronic voting machine’ strategies but that’s one I missed. I’m a techie, 36 years in the business, some of it with reading punch card votes and optical votes. Wireless programming capability is just plain nuts. That’s a security hole the size of a 747

– That would mean somebody could walk near the voting area (even outside the building), connect to the voting machines via wireless network, and make changes to the voting programs and/or the vote counts

– And when database files have passwords that are the name of the county where votes are counted, how secure is this system?

One of the bloggers posted this screenshot of a line in the decompiled code: http://img133.imageshack.us/img133/8702/pray02gg7.png

Do you really believe this crap? Did you hear? We didn’t land on the moon either!

Do you really believe this crap? Did you hear? We didn’t land on the moon either!