'Breaking' (not really new - article title) - Diebold Source Code

Jersey Devil Donating Member (1000+ posts) Wed Nov-10-04 04:22 PM
Original message
'Breaking' (not really new - article title) - Diebold Source Code
Edited on Wed Nov-10-04 04:37 PM by Jersey Devil
Kos: http://www.dailykos.com/story/2004/11/10/1172/9052
by ouranos
Wed Nov 10th, 2004 at 08:07:02 PST

Dr. Avi Rubin is currently Professor of Computer Science at Johns Hopkins University. He "accidentally" got his hands on a copy of the Diebold software program--Diebold's source code--which runs their e-voting machines.
Dr. Rubin's students pored over 48,609 lines of code that make up this software. One line in particular stood out over all the rest:

#defineDESKEY((des_KEY8F2654hd4"


All commercial programs have provisions to be encrypted so as to protect them from having their contents read or changed by anyone not having the key. The line that staggered the Hopkins team was that the method used to encrypt the Diebold machines was a method called Digital Encryption Standard (DES), a code that was broken in 1997 and is NO LONGER USED by anyone to secure programs. F2654hd4 was the key to the encryption. Moreover, because the KEY was IN the source code, all Diebold machines would respond to the same key. Unlock one, and you have them ALL unlocked.

I can't believe there is a person alive who wouldn't understand the reason this was allowed to happen. This wasn't a mistake by any stretch of the imagination. This was a fixed election, plain and simple.

This second coup d'etat is either stopped now or America ceases to be.



alittlelark Donating Member (1000+ posts) Wed Nov-10-04 04:23 PM
Response to Original message
1. OH MY...... Drool.......
please, please please.....

HeeBGBz Donating Member (1000+ posts) Wed Nov-10-04 04:26 PM
Response to Reply #1
5. Damn, this is getting stinkier by the minute n/t

Straight Shooter Donating Member (1000+ posts) Wed Nov-10-04 04:24 PM
Response to Original message
2. He "accidentally" got his hands on the source code?
Bwahahahah. Somebody is honest, and as the fundies would say, "Praise God!!"

CraZdem4life Donating Member (62 posts) Wed Nov-10-04 04:41 PM
Response to Reply #2
38. diebold
A while back (2002, I think), Diebold accidentally uploaded the source code onto their web server. There, the whole world downloaded it. Then they found out, peed their pants, and took it off.

txindy Donating Member (1000+ posts) Wed Nov-10-04 06:50 PM
Response to Reply #2
79. Rubin could've found it on the floor. We shouldn't make any assumptions.
:silly:

B-)

MadAsHellNewYorker Donating Member (1000+ posts) Wed Nov-10-04 04:24 PM
Response to Original message
3. Now that's a smoking gun
if I ever did need one

The Backlash Cometh Donating Member (1000+ posts) Wed Nov-10-04 04:24 PM
Response to Original message
4. Ohhh...this is what happens when you piss off the net nerds.
Way to go John Hopkins!

nolabels Donating Member (1000+ posts) Wed Nov-10-04 04:39 PM
Response to Reply #4
36. "this is what happens when you piss off the net nerds."
I hate them guys :D

txindy Donating Member (1000+ posts) Wed Nov-10-04 06:55 PM
Response to Reply #36
82. Yeah, what's their problem, anyway? You'd think they didn't want the draft
Or something. ;) Or maybe it's because they are part of the "Intellectual Elite." Or something.

Let's face it, other than the fundies and KoolAid drinkers, Junior has managed to chap just about everybody's hide.

ramblin_dave Donating Member (1000+ posts) Wed Nov-10-04 04:26 PM
Response to Original message
6. Why is this "breaking" news
Rubin has had the source code for some time now. Is this a new discovery?

Occulus Donating Member (1000+ posts) Wed Nov-10-04 04:27 PM
Response to Reply #6
8. Maybe they just found it
That's quite a bit of code to analyze.

Jersey Devil Donating Member (1000+ posts) Wed Nov-10-04 04:27 PM
Response to Reply #6
11. I just repeated the title of the article at Kos - true, not breaking
and also just read the comments there that it really wasn't new, but I think it is an important fact that should be forwarded to the media to convince them that the security problems are real.

txindy Donating Member (1000+ posts) Wed Nov-10-04 06:52 PM
Response to Reply #11
81. Agree about forwarding it
It's not as if the media paid any attention to this when it was first revealed that these machines had serious flaws. They need to be brought up to speed. The media AND the machines. Both have serious flaws. :evilgrin: Well, they do!!

BlueEyedSon Donating Member (1000+ posts) Wed Nov-10-04 04:29 PM
Response to Reply #6
20. You also have to make sure that code is used everywhere
and there isn't some other security code. Depends how it's all organized....

htuttle Donating Member (1000+ posts) Wed Nov-10-04 04:37 PM
Response to Reply #20
33. Almost doesn't matter
Once you know that they've hard-coded the DES pass key as a macro, all you have to do is extract it from the executable (static strings are EASY to pull out of executables).

So even if they changed it every year, it wouldn't matter. It could still be easily extracted and used from the current version of the executable.

BlueEyedSon Donating Member (1000+ posts) Wed Nov-10-04 04:48 PM
Response to Reply #33
46. Sure it matters. Maybe that macro is never used.
Maybe there is a huge, sophisticated encryption subsystem defined in another set of source files. Maybe that define is only for testing, or is a default which in real-world use is always overwritten. Yadda, yadda, yadda.

That one liner is not an indictment. But so far the code sounds like major CRAP. Should have outsourced it to India!

htuttle Donating Member (1000+ posts) Wed Nov-10-04 04:53 PM
Response to Reply #46
50. It was used
It was used to encrypt the memory flash cards. Speaking from having read through ALL of it myself (which is why I remember it).

BlueEyedSon Donating Member (1000+ posts) Wed Nov-10-04 05:06 PM
Response to Reply #50
52. Got a link to the ZIP?
:)

htuttle Donating Member (1000+ posts) Wed Nov-10-04 05:24 PM
Response to Reply #52
54. It's a tar file, not a zip
And no, I can't. I enjoy my freedom. :)

BUT a little bird tells me that a file called 'dieboldcvs.tar' is somewhere out there on the Gnutella network.

Along with a file named 'SecretDieboldMemos.tar.gz', which might also be very interesting, since it shows that Diebold's programmers KNOW that they suck.

They are both out there somewhere.


dbonds Donating Member (1000+ posts) Wed Nov-10-04 05:26 PM
Response to Reply #54
56. Nice birdie
Singing those songs.
Thanks birdie.

htuttle Donating Member (1000+ posts) Wed Nov-10-04 05:32 PM
Response to Reply #56
58. One other thing
It's about 68374528 bytes.

Approximately. :)

BlueEyedSon Donating Member (1000+ posts) Wed Nov-10-04 06:20 PM
Response to Reply #58
73. Must be a lot of comments.
:)

htuttle Donating Member (1000+ posts) Wed Nov-10-04 06:23 PM
Response to Reply #73
75. There are
And like most corporate source code written by many people, some of them are both hilarious and scary.


BlueEyedSon Donating Member (1000+ posts) Wed Nov-10-04 06:30 PM
Response to Reply #75
77. //*************************************************************
// this subroutine fucks the godless
// liberal democrats.
// I get a big fat bonus for every
// election we steal!
//*************************************************

htuttle Donating Member (1000+ posts) Wed Nov-10-04 06:37 PM
Response to Reply #77
78. Nothing that incriminating
More like the stuff you see in too much business code, like "THIS CODE SUCKS WIND AND NEEDS TO BE REMOVED BEFORE DEPLOYMENT", around a section of code that's obviously still there, and obviously still sucks wind. (NOTE: That is not a direct quote, but a characterization.)


txindy Donating Member (1000+ posts) Wed Nov-10-04 07:00 PM
Response to Reply #54
83. So, EVERYBODY who reads that code online knows the hard-coded key?
This just gets better and better. Did they actually pay somebody to deliberately write this code so poorly, or did they decide to take advantage of poor code once they found out what they had? Rhetorical question. It really doesn't matter. Knowing they had it and using it anyway is worse. Tampering with it during an election -- or telling someone how to tamper with it -- is far worse.

Occulus Donating Member (1000+ posts) Wed Nov-10-04 04:26 PM
Response to Original message
7. WHAT. THE. FUCK.
But I want to see the source itself to verify the line is indeed in there. If true = smoking gun.

Boredtodeath Donating Member (1000+ posts) Wed Nov-10-04 04:31 PM
Response to Reply #7
22. It's there...and it was posted on DU in July 2003
If you can search the archives here, check for it.

I've seen the source code. It's there.


tridim Donating Member (1000+ posts) Wed Nov-10-04 04:27 PM
Response to Original message
9. Can we move the Democracy security alert level to red yet?

GingerSnaps Donating Member (1000+ posts) Wed Nov-10-04 04:27 PM
Response to Original message
10. Source code dating back to 1997?
The election was rigged.

We have to get this story out.

March on Washington!

Jersey Devil Donating Member (1000+ posts) Wed Nov-10-04 04:28 PM
Response to Reply #10
17. Of course, it could have been upgraded
We have no way of knowing how old the code was that was worked on at Hopkins.

Eloriel Donating Member (1000+ posts) Wed Nov-10-04 04:38 PM
Response to Reply #17
34. No, it was the same stuff n/t

GingerSnaps Donating Member (1000+ posts) Wed Nov-10-04 04:42 PM
Response to Reply #17
39. Cobol would be my guess
Edited on Wed Nov-10-04 04:42 PM by GingerSnaps
They would need a source code that would be more or less obsolete to programmers today.

I am happy that everything is coming out.

:bounce:

htuttle Donating Member (1000+ posts) Wed Nov-10-04 04:43 PM
Response to Reply #39
42. It was written in C++
FYI

ParanoidPat Donating Member (1000+ posts) Wed Nov-10-04 06:12 PM
Response to Reply #17
72. You have no way of knowing however.......
.......those of us who downloaded the entire library (Gigs of files!) have the entire source code library up until the time the software was found, complete with revision history. :)

Every change made to the source code is annotated with what the change was for, who made it, and which version number it was made for.

Each state that uses the machines has a public record of the certification documents stipulating the version number(s) certified for use in that state.

The code was current at the time and we can prove it. :evilgrin:

merbex Donating Member (1000+ posts) Wed Nov-10-04 04:27 PM
Response to Original message
12. Now NH looks really critical
Thank God they elected a Dem Gov up there this time

BlueEyedSon Donating Member (1000+ posts) Wed Nov-10-04 04:27 PM
Response to Original message
13. Oh yeah that's not a "bug", that's a "feature"
designed in from the get-go.

high density Donating Member (1000+ posts) Wed Nov-10-04 04:28 PM
Response to Original message
14. Haven't we known about this for a while now?
And who knows what that DES key was used to encrypt anyway.

The main problem, in my opinion, is Diebold using Microsoft Access databases to store votes. These voting machines should be locked down more than ATM and slot machines combined. You can be sure that there are no banks out there storing account information in Access databases.

Jersey Devil Donating Member (1000+ posts) Wed Nov-10-04 04:30 PM
Response to Reply #14
21. apparently yes, but I didn't and I bet the media didn't
Look at the original article - "breaking" is part of the title

htuttle Donating Member (1000+ posts) Wed Nov-10-04 04:42 PM
Response to Reply #14
40. IIRC, the DES was used to encrypt the actual memory flash cards
So with this DES pass key, you could take any one of the cards, alter the data, and reencode it so nobody was the wiser.

GuardingVirginia Donating Member (80 posts) Wed Nov-10-04 04:28 PM
Response to Original message
15. Current software?
Is this the current release? Some snatched Diebold's software before and Diebold said it was the old release, a program in work and wasn't valid. You'd have to have the copy of what was running on the machine.

htuttle Donating Member (1000+ posts) Wed Nov-10-04 04:39 PM
Response to Reply #15
35. See post #33
Even if they changed the password in later versions, it would be extractable once you knew it was compiled in as a macro (leading to a static string you can pull out WITHOUT the source code with the right tools).

phasev Donating Member (187 posts) Thu Nov-11-04 10:39 AM
Response to Reply #35
102. exactly
static strings normally come out as plaintext when you look at the binhex depending on how it's compiled.

Middle Finger Bush Donating Member (108 posts) Wed Nov-10-04 06:52 PM
Response to Reply #15
80. this is technically true
Let's say that the software was a work in progress; you sometimes take certain shortcuts like hardcoding passwords that you would prompt for in the production app.

I hope people are looking for strange functions that might manipulate the vote to give a predetermined result by doing as few changes as necessary.

htuttle Donating Member (1000+ posts) Wed Nov-10-04 07:30 PM
Response to Reply #80
88. The version in question had already been used in an election
There is a CVS log of all the changes at the top of each file, with dates. By these dates and checkin comments, you can see that the source code spans several elections.

In fact, I think it was by examining these CVS logs that it was determined that Diebold had made changes to their software without re-certification before an election (2002, IIRC).

dbonds Donating Member (1000+ posts) Wed Nov-10-04 07:36 PM
Response to Reply #88
91. CVS and tar files
These are all Unix/Linux type things. Are these the programs that run on XP? Not that they couldn't store the code on a more secure OS than XP, just curious. Also curious that these tools are more often used by Open Source advocates.

htuttle Donating Member (1000+ posts) Wed Nov-10-04 07:40 PM
Response to Reply #91
92. I don't know anything about their actual setup
...But a lot of companies are likely to set up a CVS server on a cheap Linux box. If the CVS was on Linux, tarring up the code would be the natural thing.

Since the choice of CVS is probably one of the few things actually left up to the programmers, it wouldn't be too surprising.

I believe that all these tools are available on Windows as well. Perforce and Source Safe can be expensive. :shrug:

dbonds Donating Member (1000+ posts) Wed Nov-10-04 07:49 PM
Response to Reply #92
94. I was just pointing out one of those things that make you go hmm
As a programmer I agree with the setup and I myself prefer Linux and Open Source. Just that XP was used for development and deployment but they do know better. I'm sure there was probably some design requirement from somewhere telling them to use XP, but they don't blindly bow to MS software. And think how much cheaper each voting machine would be if it used Linux instead of XP. One of those rhetorical things where you just shake your head. Just the Open Source advocate in me coming out.

ParanoidPat Donating Member (1000+ posts) Wed Nov-10-04 07:47 PM
Response to Reply #91
93. Actually the OS for the voting terminals is WIN CE.......
......and the software to run the GEMS tabulator was made backward compatible to run on Windows 9x. :wow:

Did I mention that the OS gets NO SECURITY PATCH UPDATES? :scared:

Oh, one more thing, no one ever looks at the OS software because it is considered 'COTS, Commercial Off The Shelf' software and as such, the ITA says it does not need to be looked at. We've found that the patches applied to systems in Georgia (from the infamous Rob Georgia folder) and elsewhere were to fix the 'broken' OS that was causing the screens to freeze up.

txindy Donating Member (1000+ posts) Wed Nov-10-04 09:49 PM
Response to Reply #93
101. kicking
:kick: :kick: :kick: :kick: :kick:
:kick: :kick: :kick: :kick: :kick:

Flubadubya Donating Member (1000+ posts) Wed Nov-10-04 04:28 PM
Response to Original message
16. Care to elucidate for us NON-nerds? ....
What does it mean? What does this line stand for? What does it make the program do? Why is it a "smoking gun"? Please & thank you.

high density Donating Member (1000+ posts) Wed Nov-10-04 04:32 PM
Response to Reply #16
25. Big picture: It shows that Diebold has a bunch of sloppy programmers...
...but we knew that already.

txindy Donating Member (1000+ posts) Wed Nov-10-04 07:18 PM
Response to Reply #16
84. Think of it as something akin to this --
Taking your ATM card (with access to, say, your entire life savings), writing your PIN directly on the card, and then super-gluing the card to the rear bumper of your car. The car you drive many miles with, each and every day.



methinks2 Donating Member (894 posts) Wed Nov-10-04 04:28 PM
Response to Original message
18. thanks for the info
I'm passing it on.

Flubadubya Donating Member (1000+ posts) Wed Nov-10-04 04:34 PM
Response to Reply #18
27. Thank you...
So they're using outdated code?

nadinbrzezinski Donating Member (1000+ posts) Wed Nov-10-04 04:29 PM
Response to Original message
19. Oh my, the plot thickens. Now if we could get anybody to care

Arioch Donating Member (81 posts) Wed Nov-10-04 04:32 PM
Response to Reply #19
24. DES is still used
But only by dummies...or people who want the door to be easily opened...

Flubadubya Donating Member (1000+ posts) Wed Nov-10-04 04:33 PM
Response to Reply #24
26. WHAT DOES IT MEAN????
Please pardon my yelling, but a LOT of people here do not understand the ramifications of this "code", but would LIKE TO!!!!

dbonds Donating Member (1000+ posts) Wed Nov-10-04 04:31 PM
Response to Original message
23. Something fishy about that
I am a software engineer, and that line of code doesn't make sense:

#defineDESKEY((des_KEY8F2654hd4"

I might be able to understand the missing spaces. A define statement is

#define NAME VALUE


so the two opening parentheses raise the first question: they are not closed, and it would not be complete without them, but this could be the start of a MACRO which would have most of it missing. The other part is a DES key would usually be numbers, but 8F2654hd4 is not a hex number because of the 'h' embedded, leading me to believe it is part of the des_KEY identifier. The final question is raised by a quotation mark " being opened and not closed. There is nothing you can tell from this piece of code other than it is not complete.

DES keys are usually numeric. DES codes are crackable but only by brute force, which takes lots of computing power and a good bit of time.


tridim Donating Member (1000+ posts) Wed Nov-10-04 04:34 PM
Response to Reply #23
29. They copied and pasted it wrong
The original report referenced the line:

#define DESKEY ((des_key*) "F2654hD4")

dbonds Donating Member (1000+ posts) Wed Nov-10-04 04:42 PM
Response to Reply #29
41. That makes a little more sense - But ...
Edited on Wed Nov-10-04 05:11 PM by dbonds
That would imply defining a key word DESKEY that would be replaced with the code ((des_key*) "F2654hD4")

which would mean des_key* is a pointer to a memory address that has a class or structure of type des_key. The rest is funny though. It is not a valid pointer as is. Problem number 1, it is a string (enclosed in quotes). Problem 2 is the embedded h again. So my theory: des_key is a class that has an operator overload for the pointer dereference that took a string and did something to it. What it does we can't tell, and this is a very bad coding practice. If the code was something like
#define DESKEY ((des_key*) 0xF2654D4)
it would make complete sense.

Edited for second thought
Unless the key is the alphanumeric string F2654hD4, not a number. And des_key* is a typedef to a char*. Then it would make sense.

Occulus Donating Member (1000+ posts) Wed Nov-10-04 04:44 PM
Response to Reply #29
44. That looks more like it should.
But how does it appear in the code itself: the way it is in the original post, or your 'correction' above?

That's what we need to know; the way it is written in the original post doesn't make much sense.

htuttle Donating Member (1000+ posts) Wed Nov-10-04 04:46 PM
Response to Reply #44
45. It appears in the code just like it appears in tridim's post
It's a simple macro to define a static C string for the DES pass key.
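A defender's source audit for the pattern confirmed above (a key-like macro expanding to a string literal, optionally cast to a pointer type): added example code, not anything from the Diebold sources or the reports linked in this thread. The regexes and the SAMPLE input are constructed; the only real line in SAMPLE is the DESKEY macro quoted in post #29, and the 'password' value comes from post #47.

```python
"""Added audit example: flag C/C++ #define macros whose name looks like key
material and whose body is a string literal (the DESKEY pattern).
Not Diebold code; the sample source below is constructed."""
import re
from dataclasses import dataclass
from typing import List

# Macro names that suggest key or password material (assumption: a short,
# conservative list that a real audit would tune to its code base).
SUSPECT_NAME = re.compile(r"KEY|PASS|PASSWD|PASSWORD|SECRET", re.IGNORECASE)
# '#define NAME body'; the body may wrap a cast around the literal,
# e.g.  #define DESKEY ((des_key*) "F2654hD4")
DEFINE_RE = re.compile(r"^\s*#\s*define\s+(\w+)\s+(.*)$")
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
CAST_RE = re.compile(r"\(\s*(\w+)\s*\*\s*\)\s*\"")   # (type*) "..."


@dataclass
class Finding:
    line_no: int
    macro: str
    literal: str
    cast_type: str   # "" when the literal is not cast to a pointer type
    note: str


def literal_length(lit: str) -> int:
    """Byte length of a C string literal body after unescaping (\\xNN, \\n, ...)."""
    return len(lit.encode("latin-1").decode("unicode_escape").encode("latin-1"))


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per key-like macro that expands to a string literal."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DEFINE_RE.match(line)
        if not m or not SUSPECT_NAME.search(m.group(1)):
            continue
        macro, body = m.group(1), m.group(2)
        lit = LITERAL_RE.search(body)
        if not lit:
            continue                 # e.g. a numeric length such as KEY_LEN, not key material
        cast = CAST_RE.search(body)
        cast_type = cast.group(1) if cast else ""
        nbytes = literal_length(lit.group(1))
        note = f"{nbytes}-byte string literal baked into the build"
        if "des" in (macro + body).lower():
            # one single-DES key is 8 bytes (56 effective bits), brute-forceable since the 1990s
            note += "; DES context, 8 bytes = one DES key" if nbytes == 8 else "; DES context"
        findings.append(Finding(n, macro, lit.group(1), cast_type, note))
    return findings


# Constructed sample input: only the DESKEY line is the one quoted in this thread.
SAMPLE = """\
#include "des.h"
#define VERSION "4.3.1"
#define DESKEY ((des_key*) "F2654hD4")
#define MAX_CARDS 64
#define DB_PASSWORD "password"
#define KEY_LEN 8
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f'line {f.line_no}: {f.macro} = "{f.literal}" ({f.note})')
```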

dbonds Donating Member (1000+ posts) Wed Nov-10-04 04:51 PM
Response to Reply #45
47. Could someone post a bigger code fragment
Edited on Wed Nov-10-04 04:53 PM by dbonds
That by itself doesn't tell us much. Other than there is something inside the code called DES. It doesn't even show that it was the same DES that we are thinking of. Actually I would be impressed if they even used DES. If it is the same program I downloaded the compiled version of at blackboxvoter.org, they just used an MS Access database with the password of 'password'.

Edit for spelling

htuttle Donating Member (1000+ posts) Wed Nov-10-04 04:52 PM
Response to Reply #47
49. No, we shouldn't
They came down on people who'd posted parts of the code (elsewhere) under the DMCA.

Unfortunately, all I can say is 'trust me'.

dbonds Donating Member (1000+ posts) Wed Nov-10-04 05:06 PM
Response to Reply #49
51. I understand about DMCA
But as a software engineer with 20 years of programming, 15 of them in C++, it doesn't really make sense as is. I have also programmed DES functions before. It is a double encrypting code where you re-encrypt the encrypted data to get the original. It needs two keys. One is usually internal to the system and one external. While I don't imagine the security they put in is much, this is just not a smoking gun without the rest of the context.
I want as much as anyone to find the holes, and if you are looking at the code and this is it great, but it is not proof.

htuttle Donating Member (1000+ posts) Wed Nov-10-04 05:29 PM
Response to Reply #51
57. I found this document that might help
http://www.cs.rice.edu/~dwallach/talks/e-voting-risks.pdf

It has larger sections of the very code in question. Ultimately, the DESKEY string is fed to an API function named DesCBCEncrypt as the passkey.

Here's another document (might be the same, but different title) that also mentions this section of the code:
http://www.cs.utsa.edu/~shxu/CS6973-Fall2004/take-home-exam-1.pdf

dbonds Donating Member (1000+ posts) Wed Nov-10-04 05:44 PM
Response to Reply #57
61. That helps
If the DesCBCEncrypt function does what it seems like, then that is "The Key". I would love to see inside that function. Am I right in understanding they store each vote as a record on the memory cards? Why would they do that? To me the option that jumps out is to trellis encode an aggregate value based on a trellis that was generated from a random key. The program itself would not need to know it for any reason and you can tell if and when the data was changed.

htuttle Donating Member (1000+ posts) Wed Nov-10-04 05:47 PM
Response to Reply #61
62. Yes, even a simple aggregate checksum would be an obvious step
But if memory serves, they did not take it.
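Posts #40, #57 and #61/#62 describe card data encrypted under one compiled-in DES key with no integrity check. The added example below (not Diebold code) shows that failure mode beside a hardened sealing scheme with a per-card key and an HMAC; Python's standard library has no DES, so a SHA-256 counter keystream stands in for the cipher, and the record layout, card ids and master key are constructed for the demonstration.

```python
"""Added illustration, not Diebold code: a results record sealed with one
fixed shared key and no integrity check (weak) beside a per-card key plus
HMAC (hardened). The cipher is a stand-in keystream (assumption); the
integrity argument does not depend on which cipher is used."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

FIXED_KEY = b"F2654hD4"   # the 8-byte literal discussed in this thread


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encode_tally(precinct: int, tallies: Dict[int, int]) -> bytes:
    """Constructed record layout: precinct id, then (candidate id, votes) pairs."""
    body = struct.pack(">H", precinct)
    for cid, votes in sorted(tallies.items()):
        body += struct.pack(">HI", cid, votes)
    return body


def decode_tally(rec: bytes) -> Tuple[int, Dict[int, int]]:
    precinct, = struct.unpack(">H", rec[:2])
    tallies = {}
    for off in range(2, len(rec), 6):
        cid, votes = struct.unpack(">HI", rec[off:off + 6])
        tallies[cid] = votes
    return precinct, tallies


# --- weak scheme: every card sealed under the same compiled-in key, no MAC ---
def seal_weak(record: bytes) -> bytes:
    return keystream_xor(FIXED_KEY, b"", record)


def open_weak(blob: bytes) -> bytes:
    return keystream_xor(FIXED_KEY, b"", blob)   # nothing here can ever fail


# --- hardened scheme: per-card key derived from a master held in the
#     tabulator's key store (assumption), fresh nonce per record, HMAC over
#     the ciphertext checked before any byte of the tally is trusted ---
def derive_card_key(master: bytes, card_id: bytes) -> bytes:
    return hmac.new(master, b"card-key|" + card_id, hashlib.sha256).digest()


def seal_strong(master: bytes, card_id: bytes, record: bytes) -> bytes:
    k = derive_card_key(master, card_id)
    nonce = os.urandom(16)
    ct = keystream_xor(k[:16], nonce, record)
    tag = hmac.new(k[16:], card_id + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_strong(master: bytes, card_id: bytes, blob: bytes) -> bytes:
    k = derive_card_key(master, card_id)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(k[16:], card_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tally record failed integrity check")
    return keystream_xor(k[:16], nonce, ct)


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate a one-bit change on the card (fault or tampering)."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def weak_open_modified(record: bytes) -> Tuple[int, Dict[int, int]]:
    """Weak scheme: a modified record decodes cleanly and the changed count is accepted."""
    return decode_tally(open_weak(flip_byte(seal_weak(record), -1)))


def strong_rejects_modified(master: bytes, card_id: bytes, record: bytes) -> bool:
    """Hardened scheme: the same one-bit change in the ciphertext is caught before decoding."""
    blob = flip_byte(seal_strong(master, card_id, record), 16)   # first ciphertext byte
    try:
        open_strong(master, card_id, blob)
        return False
    except ValueError:
        return True
```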

artv28 Donating Member (104 posts) Wed Nov-10-04 07:50 PM
Response to Reply #57
95. central tabulating machines
Another important issue is network security. How easy is it to access these PC's remotely? It's still not clear to me if someone needs physical access to the machine or if hackers can alter the results remotely.

dbonds Donating Member (1000+ posts) Wed Nov-10-04 08:02 PM
Response to Reply #95
97. Yes, that is still true
I think these particular machines used memory cards that were physically taken to the central machine. I don't know if there was a modem hook up. The point of altering the results would have to be when the memory cards were in transit.

This is my assumption of how it works from what I have seen, others may know more specifically.

But even if they were not altered in transit, there is still room for manipulations on the central tally machine.

riverwalker Donating Member (1000+ posts) Wed Nov-10-04 04:34 PM
Response to Reply #23
30. tech people: what does it mean?
I'm so computer illiterate I can't even post a picture. What does this all mean? Please explain for a nice grandma. ;)

htuttle Donating Member (1000+ posts) Wed Nov-10-04 04:36 PM
Response to Reply #30
31. It means that all the voting machines used the same password
And that password was available not only on the internet, but was extractable from any installation of the software (since static strings like this one are extractable from executables, anyone could have dug it out, even without the source code).


Flubadubya Donating Member (1000+ posts) Wed Nov-10-04 04:43 PM
Response to Reply #30
43. You've proved the old adage right, nice grandma...
Ya get more flies with honey than vinegar. :)

jsascj Donating Member (425 posts) Wed Nov-10-04 07:56 PM
Response to Reply #30
96. I know how you feel...
I'm lost too. It's like a foreign language to me.

htuttle Donating Member (1000+ posts) Wed Nov-10-04 04:34 PM
Response to Original message
28. I hope we already knew this
I,...um..., 'found' a copy of that way back when it 'found' its way onto the internet. I posted what I'd found myself about that DESKEY macro, and many noted that they found it as well.

There were a number of other SERIOUS flaws in the code, but this one was one of the real doozies.


tex-wyo-dem Donating Member (1000+ posts) Wed Nov-10-04 04:37 PM
Response to Original message
32. One of the most alarming things is that...
it doesn't appear that anyone in the government oversees or reviews the hardware or software of these systems once they are developed by Diebold or others. In fact, one would hope that when the government subcontracts a company to develop a machine to do something as important as decide our national elections, the government would provide the company with very specific requirements on the design and security of the entire system. So far it appears that the fed just gave Diebold a check and said "go at it."

txindy Donating Member (1000+ posts) Wed Nov-10-04 07:22 PM
Response to Reply #32
85. Kind of like the check they gave that other company.
Halli-something. ;)

da_chimperor Donating Member (1000+ posts) Wed Nov-10-04 04:39 PM
Response to Original message
37. Fuck me . . . how is this possible?
It seems like diebold wanted their voting machines to be broken into. I wonder why? :eyes:
 
ElementaryPenguin Donating Member (1000+ posts) Wed Nov-10-04 04:51 PM
Response to Original message
48. Yikes! THIS EXPLAINS IT!
Especially for those who can't buy the scale of this fraud!

:wow:
 
GuardingVirginia Donating Member (80 posts) Wed Nov-10-04 05:18 PM
Response to Original message
53. Diebold in court in Kallyfornia
Associated Press is reporting that (11/10/2004)
Diebold will pay California $2.6 Million to settle a suit related to its Voting Machines
California Attorney General Bill Lockyer joined a suit charging that Diebold sold the state inferior hardware and software that left the vote-count susceptible to hackers and software bugs.
 
nolabels Donating Member (1000+ posts) Wed Nov-10-04 05:26 PM
Response to Reply #53
55. Main stream corporate media seems to want to draw and quarter the man
I have seen an inordinate amount of front page smears on the guy as of late
 
ParanoidPat Donating Member (1000+ posts) Wed Nov-10-04 07:25 PM
Response to Reply #55
86. Secretary of State Kevin Shelley was also accused of wrongdoing.......
.......on the flimsiest of evidence after taking Bev's warning seriously and de-certifying the Diebold TSx machines and placing the AccuVote TS on conditional certification here. Here's a link to Key Documents On Electronic Voting Systems in California from the Secretary of State's web site for more background.

Governor Gropenator then froze 17.5 million dollars in HAVA funding meant for poll worker training and poll security based on the current investigation of Shelley's 'alleged' wrongdoing.

Bev, Andy and several other BBV activists met with California Voting Systems Panel officials and a representative of the AG's office to demonstrate the GEMS 'hack' developed by Dr. Hugh Thompson. After that meeting, Lockyer decided to join Bev's suit. That explains what you're seeing. :(

The good news is that a portion of that settlement will go toward funding Black Box Voting.org and "we the people" of California get our tax money back. :)

Thanks once again Bev, Andy, Jim March, and everyone else who helped make that happen. :toast:
 
Curtis Donating Member (125 posts) Wed Nov-10-04 05:34 PM
Response to Original message
59. Why didn't
someone use this and cheat the other way in the election? We knew they were going to hack it. Why didn't we? If I was a computer guru . . . ;-) :evilgrin:

I know, I know. High road and all, but I am still furious it looks like Bush is going to sit in the White House for another (at least) four years. I've donated and sent emails and such, but it doesn't take away the anger. :mad: :mad:
 
raipoli Donating Member (45 posts) Wed Nov-10-04 05:43 PM
Response to Original message
60. $100,000 Reward for Vote Fraud Evidence
Justice Through Music, www.jtmp.org, has posted a $100,000 reward for evidence proving vote fraud in this election. JTM is looking for inside info, and is well aware of the things on this site. See website for details. JTM wants to increase the reward to provide the highest possible incentive to whistleblow. JTM has put a message on the Diebold company message board. Info goes to reward@jtmp.org; donations toward the reward can be made on the site. Today JTM was with Bev Harris and Ralph Nader discussing strategy. Questions at questions@jtmp.org.
 
TexasChick Donating Member (1000+ posts) Wed Nov-10-04 05:50 PM
Response to Reply #60
63. raipoli, this is great news! Maybe we are finally getting somewhere with
all of this. Maybe we Dems aren't crazy after all!
 
leftchick Donating Member (1000+ posts) Wed Nov-10-04 06:05 PM
Response to Reply #60
70. that is a great idea!
thanks for posting and welcome :)
 
mcg Donating Member (1000+ posts) Wed Nov-10-04 06:21 PM
Response to Reply #60
74. I'll post this as a new thread
 
txindy Donating Member (1000+ posts) Wed Nov-10-04 07:26 PM
Response to Reply #60
87. Now that's a truly excellent idea!
Hopefully, someone will blow the whistle before one of his 'colleagues' does. Play them off each other. This terrible economy, plus all of the outsourcing, makes for a powerful incentive. Better than driving a truck in Iraq, that's for sure.
 
jsascj Donating Member (425 posts) Wed Nov-10-04 08:16 PM
Response to Reply #60
98. Send that message to
George Soros and let him pony up $1,000,000. Maybe that will really bring them out
 
Name removed Donating Member (0 posts) Wed Nov-10-04 05:54 PM
Response to Original message
64. Deleted message
Message removed by moderator.
 
TexasChick Donating Member (1000+ posts) Wed Nov-10-04 05:56 PM
Response to Reply #64
65. Thanks, Freeptard! Little nervous about your Chimp being exposed as
a cheater! Afraid that mandate is all rubbish?
 
Name removed Donating Member (0 posts) Wed Nov-10-04 06:00 PM
Response to Reply #65
66. Deleted message
Message removed by moderator.
 
dbonds Donating Member (1000+ posts) Wed Nov-10-04 06:03 PM
Response to Reply #66
68. Then just sit back and laugh
And we will do our best to save the world.
 
TexasChick Donating Member (1000+ posts) Wed Nov-10-04 06:03 PM
Response to Reply #66
69. Really? Well, your precious Chimp is about as ugly as a patch of
hemorrhoids up a bear's ass! And about as intelligent as a rock! We go to www.dubyaspeak.com just to have hours and hours of entertainment!
 
Name removed Donating Member (0 posts) Wed Nov-10-04 06:03 PM
Response to Reply #65
67. Deleted message
Message removed by moderator.
 
bleever Donating Member (1000+ posts) Wed Nov-10-04 06:06 PM
Response to Reply #67
71. Thanks for the picture of Repub. civility and polity. n/t
 
jsascj Donating Member (425 posts) Wed Nov-10-04 08:21 PM
Response to Reply #67
99. Name removed doesn't have much to say, does he?
 
mcg Donating Member (1000+ posts) Wed Nov-10-04 06:23 PM
Response to Original message
76. These guys make ATMs, they can't say they didn't know any better.
 
txindy Donating Member (1000+ posts) Wed Nov-10-04 07:32 PM
Response to Reply #76
90. True, and if their culpability in this security issue is exposed
It becomes possible for other companies to market their own ATM machines because very few banks will want those produced by Diebold anymore. Every time one of the Diebold machines has even the slightest glitch, everyone familiar with this issue will freak. The last thing banks want is a panic. So, there's a chance that whoever else makes ATM machines stands to benefit from Diebold's 'mistake'.
 
jsascj Donating Member (425 posts) Wed Nov-10-04 07:31 PM
Response to Original message
89. What?
Edited on Wed Nov-10-04 08:23 PM by jsascj
Is he going to do with this information? He'd better get himself some bodyguards while he's at it. I wouldn't put anything past these thugs.
 
slackmaster Donating Member (1000+ posts) Wed Nov-10-04 08:36 PM
Response to Original message
100. This reinforces my theory about the Diebold system
They wrote a mock-up using code samples; and through a process of mismanagement and/or incompetence and/or deliberate attempts to make a vulnerable system, promoted it into a 1.x release of a live product.

The use of an MS Access database alone was enough proof for me. I've seen this kind of software development fiasco many times in the 20+ years I've been a computer professional.

Definitely.

Not.

Industrial.

Grade.

Software.
 
Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators

Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

© 2001 - 2011 Democratic Underground, LLC