-Caveat Lector- www.ctrl.org DECLARATION & DISCLAIMER ========== CTRL is a discussion & informational exchange list. Proselytizing propagandic screeds are unwelcomed. Substance—not soap-boxing—please! These are sordid matters and 'conspiracy theory'—with its many half-truths, mis- directions and outright frauds—is used politically by different groups with major and minor effects spread throughout the spectrum of time and thought. That being said, CTRLgives no endorsement to the validity of posts, and always suggests to readers; be wary of what you read. CTRL gives no credence to Holocaust denial and nazi's need not apply.

Let us please be civil and as always, Caveat Lector. ======================================================================== Archives Available at:

http://www.mail-archive.com/ctrl@listserv.aol.com/ ======================================================================== To subscribe to Conspiracy Theory Research List[CTRL] send email: SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]

To UNsubscribe to Conspiracy Theory Research List[CTRL] send email: SIGNOFF CTRL [to:] [EMAIL PROTECTED]

Om

--- Begin Message --- -Caveat Lector-

Bev Harris (BlackBoxVoting.org) discovered all the source code of the Diebold machines a while back on one of the company's unprotected FTP sites. The whole shebang … just sitting there for the taking. She sent it in to Dr. Avi Rubin and even released it to some programmers to browse over it in a community effort. Seems the hard-coded DES encryption key was discovered (among other things) by one of the programmers in the open source chat. Here are a few excerpts from Chapter 12 of the Black Box Voting Book:

- Open source exam: The Diebold code Chapter 12

The contributor known here under the screen name “Rummage,” studied computer science under a Nobel laureate at Carnegie-Mellon University. In real life and under his normal name, he designs databases for critical applications in the medical field:

“So far, that’s the story of the last few days,” he wrote. “From databases with no foreign keys (read no referential integrity), unprotected transmission code, ample opportunity for buffer overruns right to PCMCIA slots for wireless modems. Not so much nefarious code as a system with so much opportunity for hacking/fraud as to invite cheating.”

“...as for structure and understanding the DB [database], there are no relationships and the Primary keys are not defined as Access Primary keys. This will make reconstructing the schema a little harder. I don’t think a DBA [database analyst] designed this.

“No referential integrity — no autonumber primary keys. Bad for maintaining a reliable database — good for adding and deleting data at will.”

 

...

“The fact that they’re using Access disallows relationality ... When using a decent database, SQL Server Sybase etc, for example, constraints, triggers, stored procedures, packages, relationships, views, etc are all maintained inside the database — that’s where all the business logic resides in a well crafted modern application.

“With Access, however, you’re dealing with basically a toy database

 

...

“If you want to know why Access is a bad idea,” said Goody Two-Shoes, “just do a Google search for ‘Access, vulnerability’ and browse through the 951,000 hits!”

 

...

Looking at the Microsoft Access database used in the county vote tabulation system led to concerns about the integrity of the GEMS program as a whole. Interest in the GEMS program began to take on a life of its own on the forums.

“Here’s the best part,” said BlueMac, “With GEMS (server) installed on my computer, I was able to create a user name (“me”) with a password of my choosing (“mac”) and assign myself ADMIN capabilities. This was without ever signing into GEMS....all I had to do was create a new database and I was in like Flynn.”

 

...

They have their own implementation of DES in Des.h. Here’s the bad news...it looks like the DES encryption key is hard coded as a macro!!!!!

“AAAAIIIIIIIEEEEEEEHHHHHHHH!!!!!!!!!!!!

“I’ll leave discovery of aforementioned key as an exercise for the reader... Good God.......”

PoodieToot’s discovery brought the Internet board alive with the forum equivalent of shrieks and moans.

“Ooorah!!!!!!! Yeah,” said Topper. “I’ve found the DES.h file...and will start trolling through this... If you’ve hard coded your key and left it just like the public implementation, then it would not be that hard for a hacker to figure out how to get into your system.”

Programmers were beside themselves upon viewing the blatant security flaws, and soon they were finishing each others’ sentences.

“—It would end up as a static string in the executable file,” said PoodieToot. “And you can tear the static strings out of an executable to view them faster than you can blink your eyes.”

“In your best 50s announcer voice,” said Romeo sarcastically, “now that’s real data security! (cough, cough.)”

The more people learned, the more alarmed they became.

“These things actually use PCMCIA cards?” asked Clark Kent in dismay. “Huge potential security breaches! Think of the new stuff out there. This is Windows CE-based code. Couldn’t the existence of these drivers open up any one of these machines having a PCMCIA based wireless network card installed surreptitiously, allowing remote access via airwaves?

“They’re using simple PCMCIA ATA disks. These things are basically notepad PC’s and the security is almost non-existent. How many local governments will be up on the sophistication required to implement WEP with encryption and hiding SSID’s for wireless networks? Heck, you wouldn’t even have to hack the wireless network to get around these things, all that is necessary is to pop out one hard drive of results and pop in another with new results preconfigured.”

A tech who went by the name “Razmataz” was shocked at finding evidence of wireless communications in the voting system.

“Wireless programming required? Are they nuts? I thought I’d been following all the ‘electronic voting machine’ strategies but that’s one I missed. I’m a techie, 36 years in the business, some of it with reading punch card votes and optical votes. Wireless programming capability is just plain nuts. That’s a security hole the size of a 747.

“That would mean somebody could walk near the voting area (even outside the building), connect to the voting machines via wireless network, and make changes to the voting programs and/or the vote counts.”

“I think we’ve found a potential hole where somebody could alter results remotely with nothing going over any wire,” said Clark Kent. “Somebody needs to seriously wardrive elections sites using these things.”

“Ah... That is serious bad news if they are running these terminals wirelessly and only relying on WEP for security,” said “RescueRanger.” “That is enough to fail a security audit at any fortune 1000 company.

 


Conspiracy Archive

----------------------------------------------

http://www.conspiracyarchive.com/

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 10, 2004 8:02 PM
Subject: [C.F.T.M] Diebold Source Code!!! NewsUpdate from Citizens for Legitimate Gover

 

Diebold Source Code!!!
News Update from Citizens for Legitimate Government
 November 10, 2004 
http://www.legitgov.org/ 
   http://www.legitgov.org/index.html#breaking_news 

Diebold Source Code!!! --by ouranos (dailykos.com) "Dr. Avi Rubin is currently Professor of Computer Science at Johns Hopkins University. He 'accidentally' got his hands on a copy of the Diebold software program--Diebold's source code--which runs their e-voting machines. Dr. Rubin's students pored over 48,609 lines of code that make up this software. One line in particular stood out over all the rest:

#define DESKEY ((des_key*)"F2654hd4")

All commercial programs have provisions to be encrypted so as to protect them from having their contents read or changed by anyone not having the key... The line that staggered the Hopkins team was that the method used to encrypt the Diebold machines was a method called Digital Encryption Standard (DES), a code that was broken in 1997 and is NO LONGER USED by anyone to secure programs. F2654hd4 was the key to the encryption. Moreover, because the KEY was IN the source code, all Diebold machines would respond to the same key. Unlock one, you have then ALL unlocked.

I can't believe there is a person alive who wouldn't understand the reason this was allowed to happen. This wasn't a mistake by any stretch of the imagination."
*****
CLG Newsletter editor: Lori Price, General Manager. Copyright ©
2004, Citizens For Legitimate Government ® All rights reserved.
 





--- End Message ---
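
An added example, not part of the forwarded message or of any Diebold code: the forum posts above note that a key hard coded as a macro ends up as a static string in the executable. The sketch below is a release-audit check for that failure mode. It flags key-like #define macros that carry a string literal and then confirms whether the literal survives in the built artifact. The function names, the macro-name heuristic (KEY, SECRET, PASSW) and the sample source and binary are assumptions constructed for illustration.

```python
import re

# A C macro whose name hints at key material and whose body holds a string
# literal, e.g.  #define DESKEY ((des_key*)"...")   (heuristic, an assumption)
KEY_MACRO = re.compile(
    r'^[ \t]*#[ \t]*define[ \t]+(\w*(?:KEY|SECRET|PASSW)\w*)[^\n"]*"((?:[^"\\\n]|\\.)*)"',
    re.IGNORECASE | re.MULTILINE,
)

def find_key_macros(source: str):
    """Return (line_number, macro_name, literal) for each suspicious #define."""
    hits = []
    for m in KEY_MACRO.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1), m.group(2)))
    return hits

def printable_runs(blob: bytes, min_len: int = 6):
    """Printable-ASCII runs in a binary, the same view the `strings` utility gives."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, blob)]

def literals_in_artifact(source: str, blob: bytes):
    """Key literals from the source that appear verbatim in the built artifact."""
    runs = printable_runs(blob)
    return sorted({lit for _, _, lit in find_key_macros(source)
                   if any(lit in run for run in runs)})

# Constructed sample input: a source file with a key macro, and a fake binary
# in which the compiler has emitted that literal as static data.
SAMPLE_SOURCE = '''\
#include "Des.h"
#define BLOCK_SIZE 8
#define DESKEY ((des_key*)"EXAMPLEK")
#define KEY_LENGTH 8
static const char *banner = "tally v1";
'''
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x00\x00" + b"\x00" * 8 +
                 b"tally v1\x00EXAMPLEK\x00\x90\x90\xc3")

if __name__ == "__main__":
    for line, name, literal in find_key_macros(SAMPLE_SOURCE):
        print(f"line {line}: macro {name} embeds a {len(literal)}-byte literal")
    print("literals present in artifact:",
          literals_in_artifact(SAMPLE_SOURCE, SAMPLE_BINARY))
```

A finding here means every shipped copy of the build carries the same key, so the remedy is per-device key provisioning outside the source tree rather than obscuring the literal.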
