HELP?: How and Where would you manipulate an AVC Edge DRE system.....

Disclaimer: This discussion forum is for academic purposes only and does not encourage or intend to aid in the act of hacking into election systems, or into the computer equipment of others.

Hi all,

Could anyone with knowledge, insight and/or time to research help me figure out HOW and at WHAT POINT (WHERE), hypothetically, would you hack into an AVC Edge voting machine by Sequioa. All scenarios are welcome.

Here is a quote and an article to start with: "In fact, the system uses WinEDS, or Election Database System for Windows. WinEDS runs on top of the Microsoft Windows operating system. According to Sequoia, "WinEDS is used to administer all phases of the election cycle, create electronic ballots for the AVC Edge, and tally early voting, as well as official election and absentee votes." http://www.onlinesecurity.com/links/links692.php

Any help would be greatly appreciated. I remember punch cards and eight inch floppy disks; since then hardcore computer technology has gotten a little out of my grasp. ;) Even links would be nice. :)

Thanks! :) :) - G

don't let my toes get bloody. ;) -G

kick

...and that article originally ran Oct. 28ish, which concerned me as it was just days before the election. California has 2 counties with those, I thought I'd seen somewhere on here.

a few counties in Florida even; go figure. :) -G

Sequoias to California and a demonstration failed in front of the California officials.

Makes me wonder if someone let that code out for the sake of the neighboring state's election??

Guess we have to find out from computer guys and gals if this would apply??

Some people were asking this question earlier: Is every touch screen machine networked in some way? This would require each machine to have either a modem (for connection to a normal land line phone network) or an Ethernet connection for LAN.

Another possibility might be a wireless link:

WLAN: Would require a WLAN transceiver inside each machine and one connected to a local PC.

Cellular: Would require a TDMA, CDMA, or GSM transceiver in each machine and have wireless data link to basestation tower (if this is used, wireless providers would have records of these data connections).

I can tell you my experience in voting on touchscreen last month: First, I didn't notice any wires (other than what looked like a power cord) running out from the voting booths, so I assumed that each machine was stand-alone. When the election worker showed me how to use the machine, he first plugged in a module (about the size of a box of matches) on the left side. After his demo he unplugged the module and left me to vote. My assumption was that the box was downloading the previous voter's tally onto something like flash memory (I could be wrong on this - it might be some sort of security key). I'm not sure if the election worker would then take the box over to the main PC for download, but I, again, assume that is the procedure (wish I had paid more attention).

Questions:

1.) Are the machines networked, either wirelessly or wired? If not, how is the vote tally transferred from each machine to a computer?

2.) What is the "box" for? Is it flash memory to store vote tallies, is it a security key, or what?

at the beginning of Summer, the County Clerk said they will not be transferring the tally online within the county from all the precincts which meant the info was put onto a disc or something from each precinct and then taken to the county clerk's office to be tabulated but I need to find out how she got it to the state.

There was a thread during the summer about the Diebold machines having WiFi. I'm not sure about the others.

Seems NH tells us that it is good to see that paper trails via pre-Diebold ownership BBV machines.

But our guess all along was that the fraud was in the Gems central tabulation program.

To see if it is the Gems central tabulation we would need to review the county and state level central tabulation records for those precincts - And at least on a random basis do a comparison between the county and state level central tabulating records and the actual ballots cast at each precinct.

Many feel the scale of 'red shift' would be most efficiently achieved by truly 'simple' manipulation of tables at county-level tabulation centers.

Either a "read" portable memory device that collects the vote info could have the patch above and do the adjusting of the votes as it read them - or the Gems central program could have such an adjusting program. And all those audit logs for which Bev find did not find entries for a rather larger period of time may be of no importance if the change is internal to the process of adding up the votes

2004's WY and 106% of those voting equals total votes cast would seem to say that this time round they did not spend a great deal of effort on the program that made the vote change result look "reasonable". They would have a simple wipe coded at the end of the instruction of the "read"

With no paper trail a portable memory device collecting the votes from each machine could do the patch as it was removed from the machine - with a built in wipe that leaves us with no program traces and with voting machine totals matching portable memory device totals and no patch program visible. Without CIA/FBI level readers, there would no trail - ANYWHERE

ULTIMATELY THE ONLY PROOF WOULD BE THE EXIT POLLS!

UNLESS WE GET CODE!

ITERESTING SITE:
there is an MS Access hack http://www.chuckherrin.com/hackthevote.htm - but why work so hard.

http://www.legjoints.com/DirtyHacks /
leads to the the conclusion: there are many ways and many powerful debuggers (Ollydebug or Softice so as to run invisibly in the background and be run from a remote machine were mentioned by one DU poster) to use if the hack is not coming directly from the GOP believing leaders of the BBV industry.

.....at least to the extent it has been reported, to be worse than inadequate; it creates a distraction from the real issue.

The 'red shift' detected in numerous state's would likely be most efficiently achieved by truly 'simple' manipulation of tables at county-level tabulation centers.

What is required is a state-wide manual recount of each ballot is done and compared to what resides in the tables at each county- and state-level central tabulation database. NH, with a red-shift > 4, is an excellent candidate for that type of scrutiny, but so are at least 16 other states.

For the moment, though it's red-shift is 'only' 2.9, WA State may be the place we can force the type of comparison that must be made. Because of the Governor's race, a manual recount will happen (most likely). If every ballot can be checked for Pres/VP, as well, and then the comparison done to the current tables in each County's central tabulation system, we will have the type of data needed to BEGIN to resolve the 'miracle of 2 Nov 2004.'

If that type of analysis were done for each 9 or 16 of the 'red shift' states, so rigorously analyzed by 'truthisall' we'd truly BEGIN to have a basis for either trusting our electoral system or not.

The more the republican folk resist doing this type of analysis, the more reason every citizen of this franchise should say simply 'we have no government because we do not know what happened to our vote.'

And, you betcha the republicans in WA State are screaming vile stuff all over the place because they do not want a manual ballot inspection that will then be compared to the current data in each of the county central tabulating systems -- their vehement objections to the manual count most likely have motive well beyond providing Rossi 4 years of rent-free occupancy of the governor's mansion.

Peace.

"I Declare The 2004 Election Invalid: Someone I do not know was prevented from voting"

http://www.chuckherrin.com/HackthevoteFAQ.htm#how

i've seen him around DU as well....seems like he knows alot, especially about hacking votes.

Thanks for the link. :) -G

Is the vote tally manipulation being accomplished by outside hackers during election night remotely, or is the software in the machines or tabulating databases already coded to "turn over" the vote under certain flagged conditions (i.e. time of night, total vote tally, candidate percentage conditions, etc.)

If you assume outside hackers, where would be the most logical entry point for them? I would think that hacking individual machines would not be the most efficient solution (plus, how would they be hacked if they are not networked somehow?). Hacking a central database after the votes have been tallied would be much more effective and require less resources, however, the key here is timing (i.e. when and how does each precinct report and upload their final tally after polls close?). Also, are the computers that store these central databases networked somehow? If so, as long as hackers had a path (i.e. phone number to a modem, etc.) you can see how just a handful of hackers could have manipulated a lot of data in a short amount of time.

But this theory still seems a bit too complicated and risky for someone wanting to steal an election. I'm not saying it couldn't have been done in certain cases and may very well have been, but I would be more inclined to think the software in the touchscreen machines themselves is the main suspect (change the vote at the source where the risk is minimal).

One thing I would be interested to find out, did Diebold, Sequoia, etc. request states using their machines to allow the company to re-program or update the software either right before or after the election? This would not necessarily require, for instance, a technician from Diebold to physically visit the election office and reprogram the machines. This could be done remotely over an internet data connection. If they did, this would be highly suspicious.

it could be inside the machine already... I can't wait to hear back from Mr. Herrin. The AVC Edge machines use cards provided by poll workers... could the cards possibly trigger the response?

Oh, I could kick these machines. Talk about lack of transperancy! :) -G

Apart from the paperless e-machines-- my question is about the relatively "simple" manipulation of GEMS programs in countywide & statewide tallies.

Do I have this right? Our working theory is that the precinct info is changed in the central tabulators, so votes are "shifted" from Kerry and/or to Bush.

But after election night, are not audits done before the results are certified? Ohio SOS Blackwell was bragging about Ohio's elaborate & careful audit of the results before certification (which can also raise alarm bells on its own account). But I read somewhere about an Ohio county re-running all the ballots thru the optiscan machine again for the audit. If all the counties do that, and presumably tally those results again, wouldn't that make this kind of cheating very difficult? Or would there still be, maybe, malicious code in the tabulator that would again scramble the count?

It seems to me that if the machines have redundant memory that can be again matched to the cartridged, the manipulation would have to happen at more a precinct level or it can be audited by comparing the cartridge to the redundant memory in the machine. Any thoughts? :) -G

matchbox thingy I mentioned above? If so, I'm not sure if that thing is memory or if it's just a security key or both. Still, an algorithm could be written to flip votes as the voter is voting while still having his proper selection shown on the screen. Then nobody would be the wiser and an audit would turn up jack squat.

http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=203x98749


read post number seven at that link, now Nevada has known they can't do a real recount on those paperless Sequoias, see the statements in that article.

thanks NVMojo! That was a good read and I e-mailed Steve Miller with some questions. :) -G

:) -G

I've talked to him about other things in the past. Thanks for contacting him.

He had a great piece last week on the Binion murder case, it was Pulizter material!!

the manual... http://www.sequoiavote.com/docs/AVCEdge.pdf

It seems to refer to the carts as carrying the vote results. I do agree with your assessment about the auditability challenge. :) -G

compiled. The question then, I guess, is whether the trigger is built into the system (which would risk detection during a test) or if it is triggered somehow externally. I did read a BBV account of a situation where someone brought there own PCMIA card (a company tech) and was messing around with the central tabulator.

Hard to tell. I've written a couple of experts, but without knowing how one would manipulate the vote it is hard to know where to look for evidence. - G

I have some good, solid information about it (from a pro).

Can I pm you or would you prefer I post it here?

ailsa

Thanks! :) -G

Hi geo,

I'm sure Mr. Herrin can help you more specifically than I as my focus isn't in security (although I have been studying it in self defense).

I came into the industry through the hardware route. I'm one of the few programmers who have built registers from discrete components (individual transistors, etc). In my youth, I was a dinosaur doctor. In short, I'm an old-school programmer in a modern world. Remember Geo, that the more things change the more they remain the same ;) If anyone wants a walk down core lane, check out Mel. Oh Hell, check him out anyway.

Now I mention Mel because some of the things people have suggested in threads I remember reading, would require work at the level our legendary friend. Assuming that your not an insider working for FOO Eleksun Machinen, these attacks on the individual vote taking machine software would probably fall to the application of Occams Razor.

If you are an insider, the possibilities are endless. This is demonstrated in a Novel/primer on election hacking. They have a contrived election system known to have a remote vulnerability that you can download and play with. It's actually part of a contest, who ever 'wins' the election wins a prize. If you're still reading this drivel, you'll probably like the book. (Another possible contact, Geo)

Given a voting system FOO, if I wanted to own the results, well, I'd study it. The entire system soup to nuts. Once I had the big picture, of how all the pieces work together, then I'd set about checking the obvious weak links.

The goal here is the data. What's the easiest route? Can I edit the repository directly? Can I just open a file in an editor and put it into a queue to be processed by the tabulator? What inputs generate errors that are trapped at the lower levels of the system? Are they open to SQL Insertion? Do I have to have access to execute an application on the tabulator or can I insert a sled via a Buffer overflow?

Geeze, I'm getting into Mel territory there, it's getting harder to find simple explanations of things to try :D I guess I'll stop then.

-Hoot

P.S. The honeynet project is pretty cool.

read through and e-mailed the honeynet project. They seem to take offense to the words "can't be hacked." :) -G