Voting Fraud by Lapis .....

This was taken from a blogger by the name of Brad who has put together some very important information concerning voting machines and how easily they can be manipulated without a trace.

Date:   2/25/2006 6:35:09 AM ( 18 y ago)

Why do Diebold's Touch-Screen Voting Machines Have Built-In Wireless Infrared Data Transfer Ports?

IrDA Protocol Can 'Totally Compromise System' Without Detection, Warns Federal Voting Standards Website

So far, no state or federal authority -- to our knowledge -- has dealt with this alarming security threat




We hate to pile on... (Or do we?)

But, really, with all the recent discussion
of California Sec. of State Bruce McPherson's mind-blowing about-face
re-certification of Diebold -- against state law, we hasten to add --
this may be a good time to point out one small item that we've been
meaning to mention for a while.

As Jody Holder's recent comment
points out, McPherson's silly "conditions" for re-certification of
Diebold in California require a few much-less-than-adequate knee-jerk
"safe guards" towards protection of the handling of the hackable memory
cards in Diebold's voting machines. (Here's McP's full "Certificate of Conditional Certification").

Never
mind, as Holder mentions, that the protective seals to be required are
easily peeled away without tearing. Or that such voting machines have
been stored in poll workers houses for weeks leading up to an election.
More to the point, for the moment, there are ways to manipulate the
information on those memory cards even without removing them or
breaking the seals. This is more of a concern than ever, since it was
recently proven, by the now-infamous Harri Hursti hack
in Leon County, FL, that changing the information on the memory cards
can force election results to be flipped...without a trace being left
behind.

On that note, here's the little item we've been meaning
to point out. It's a photograph from the side of a Diebold AccuVote TSx
touch-screen voting machine:



Now we have no idea what that "IrDA" port is meant

to be used for with a touch-screen voting machine, but we do know that
the IrDA (Infrared Data Association) is an Infrared port used for
wireless connection between two devices. We used to have one on the
back of our notebook and desktop computers which we used to keep the
two systems synched up via wireless data transfers over that Infrared
port.

A few election watchdog groups, including some members of
the National Institute of Standards and Technology (NIST) who works
with the federal authorities on these matters, have issued warnings
about the IrDA port and protocols on voting machines. However, little
-- if anything -- seems to have been done to mitigate the rather
obvious security threat posed, as far as we can tell.

Here's how a page at Microsoft.com,
last updated December 4, 2001, explains cable-free Infrafred data
transfer on the Microsoft Windows CE operating system (the operating
system which happens to be used in Diebold's AccuVote touch-screen
voting machines -- like the one pictured above)...



Imagine the following
scenario: Two notebook computers are placed beside each other. A
computer icon appears on both desktops with the name of the peer
computer below it. Open one of the icons to display a folder with the
contents of the peer computer's desktop. Drag-and-drop between your
desktop and the open folder to move files between the two computers.

  • Imagine
    that the only configuration that this application required to be
    installed or used was the ability for the user to enable or disable it.
    Imagine that multiple such applications could be running at the same
    time without interfering with each other.


  • Imagine that
    this application could run on 23 million existing notebook computers at
    a transfer speed of 115Kbps, and on 14 million existing notebook
    computers at 4MBps. Imagine that all applications, regardless of the
    speed of the underlying hardware, would work with all other
    applications at a common fastest speed.


  • Imagine that
    the other notebook computer in this example was a digital still camera,
    a handheld personal computer, a data capture device or a device that
    supports electronic commerce.


  • As a bonus, assume that the two computers do not need to be cabled together.


    • This
    application is currently possible under Microsoft® Windows® CE and the
    Windows family of operating systems. The underlying technology is based
    on inexpensive, widely available short-range infrared transceivers that
    adhere to the Infrared Data Association (IrDA) standards. IrDA
    standards (available from the IrDA at http://www.irda.org) also enable non-Windows devices to talk to Windows-based applications.


    There ya go.

    The
    issue of the IrDA port on touch-screen voting machines hasn't been much
    discussed as far as we can tell. VotersUnite.org issued an alert mentioning it, with a photograph (seen at right), back on October 26, 2004. The alert warned:

    3) A dangerous port on the Diebold touch screen!!

    This
    from TrueVoteMD: Diebold AccuVote TS electronic voting machines have an
    infrared (IrDA) port installed. This is a remote communication port
    through which another remote device could communicate with the touch
    screen and change either its data or its software or both.

    If
    your county uses Diebold touch screens, let your county officials and
    election judges know that it is crucial to cover the IR port with
    opaque tape.


    The National Institute for Standards and
    Technology (NIST) -- who works with the federal Election Assistance
    Commission (EAC) to develop and recommend guidelines for electronic
    voting machines -- issued a similar warning [PDF]

    about the Infrared ports on voting machines in a report which warned
    "The use of short range optical wireless," like infrared, "particularly
    on Election Day should not be allowed."

    As mentioned, since
    touch-screen machines have been stored at poll workers' houses and
    other unsecured locations prior to Election Day, and since data can be
    transferred to the machines and their memory cards via Infrared -- even
    without removing the cards or breaking their protective seals -- the
    IrDA ports would seem to be a tremendous concern.

    The NIST report discusses such concerns and some of the troubling security issues with IrDA protocols:

    How Secure is IrDA

    IrDA does not provide encryption at the Physical Layer, and depends on the end systems to implement security if any.
    ...
    With
    optical, it is possible for a session to be ‘hijacked’ unless strong
    authentication measures are implemented between communicating systems.
    When a session is hijacked, a foreign device masquerades as a trusted
    system that is authorized to exchange data. Because the system has no
    way to distinguish the masquerader from the authorized system, it will
    accept anything from it as if [sic] was authorized.


    The
    undated report -- from the EAC's own standards body, NIST -- then goes
    on to describe how simple and readily available IrDA software drivers
    are to obtain for use with UNIX and most Windows Operating Systems,
    including Windows CE. As well, it points out that such software could
    add executable code to the machines on, or prior to, Election Day and
    could then delete itself after ithe code has completed its main purpose
    [emphasis ours]:

    IrDA Software

    IrDA software drivers are available form [sic]
    a number of sources for use with UNIX, Windows and other Operating
    Systems (OS). Most versions of MS Windows come with support for IrDA
    already included. This is true of the MS Windows CE operating system as
    well as Windows XP. Microsoft also provides a free IrDA driver which
    can be downloaded from it web site. Other suppliers of IrDA systems
    (e.g., Ericsson) offer their own drivers including source code (Texas
    Inurnments [sic]).

    With the source code available, an
    interrupt handler (executable code) could easily be added. For example,
    when the voting terminal receives a special bit configuration (caused
    by holding down multiple keys concurrently) that is outside the usually
    accepted range, a special interrupt could be generated invoking a
    handler that could be programmed to perform any desired function. This
    would require a small amount of code and could easily be hidden; such
    code would be difficult to discover.

    If such code was installed
    in the driver, which is considered to be Commercial-Off-The-Shelf
    (COTS) [even if compiled and installed by the voting system
    manufacturer] it would not be examined by the ITAs [the federal Independent Testing Authorities].

    Code in such a handler could be designed to place the voting terminal in a mode where it downloads and install [sic]
    an executable module, thus allowing unapproved logic to be added to the
    voting machine while in use on Election Day. Obviously this executable
    could perform any function the programmer desired including deleting
    itself when finished. The only recourse is to disallow communications
    with the voting terminal during use. It might be augured [sic] that such code could be added the day before Election Day.


    Obviously, that last paragraph is very troubling. But also note the section about COTS.

    The
    source code for that "Commercial-Off-The-Shelf" software is what
    Diebold recently argued that they couldn't provide to North Carolina
    after they changed their law to require all voting machine vendors to
    submit such code in order to receive state certification. Diebold went to state court arguing they shouldn't be forced to supply the source code for COTS software. Eventually, they lost that battle, and notified

    North Carolina they preferred to pull out of the state entirely (if the
    state wouldn't change the law for them) rather than complying with the
    state law requiring the submission of all such source code.

    And another comment posted to NIST's voting website [PDF]
    by James C. Johnson on October 5, 2005, also discusses the concern,
    revealing that the use of the IrDA protocols could be used at any time,
    even after final "Logic and Accuracy" tests have been performed, and
    thus "totally compromising the system":

    In
    Diebold System's AccuVote TS systems these [IrDA] ports are supported
    using Microsoft's Windows CE with Winsock. This makes the application
    interface easy to program to, and all required drivers are already
    installed in the OS.

    It is interesting that the VVSG [Voluntary
    Voting System Guidelines] currently under development, while mentioning
    this technology does nothing to restrict or prevent its use, not even
    on Election Day.

    It is understandable that communications
    technology be used for pre election preparation, but is totally
    irresponsible and inexcusable to allow it to be used during an
    election. The presence of this technology makes it possible to upload
    to the voting system anything that is desired after the final "Logic
    and Accuracy" test have been performed, thus totally compromising the
    system.


    Perhaps some of you have additional thoughts on
    this matter. Like why such a port would be needed, or even present, on
    a touch-screen voting machine at all. And why the existence of
    such a port -- to our knowledge -- has hardly been discussed at all in
    conjuction with these machines. Especially in light of the now-infamous
    Leon County, FL "hack test"
    proving that executable code can be added to Diebold's memory cards
    resulting in a completely flipped election...as we've said...without a
    trace being left behind.





    [

     

    Popularity:   message viewed 1975 times
    URL:   http://www.curezone.org/blogs/fm.asp?i=978131

    << Return to the standard message view

    Page generated on: 11/23/2024 12:46:52 AM in Dallas, Texas
    www.curezone.org