What exactly was this secret patch in Diebold machines supposed to do?

APN) ATLANTA – Top Diebold corporation officials ordered workers to install secret files to Georgia’s electronic voting machines shortly before the 2002 Elections, at least two whistleblowers are now asserting, Atlanta Progressive News has learned.

http://www.rawstory.com/showarticle.php?src=http%3A%2F%2Fwww.atlantaprogressivenews.com%2Fnews%2F0091.html

I don't know much about these machines. Could someone explain this?

the first two are proprietary,

and the last one takes you to cuba.

:shrug:

Personally, I despise the seeming fetish some activists have for Diebold scandal while ignoring questionable issues surrounding other vendors.

Nevertheless, what is the basis of your recollection?

Where Diebold claimed those changes to the OS were MS patches?

If they mentioned which MS patches? And why the patches were considered neccessary? And why they thought the software didn't need to be reviewed, thereafter?

And why they wanted to keep the SoS out of the loop?

That's what I'd be interested in knowing.

The patches were necessary for exactly the reason specified: there was a problem with the system clock. Definitely an OS problem and applying the service pack was appropriate.

That linklessly answers two of my questions and failed to address three.

The patch was an operating system modification, not a modification to the tabulation system as implied in this article.

http://www.diebold.com/dieboldes/pdf/rollingstone92306.pdf

And while they may want to argue the OS is not subject to Federal review, folks here will argue, at least, that the reissuance of software requires re-certification.

There was no re-issued software - and no reason to recertify software that hadn't been modified since its release.

What do you mean by...

"There was no re-issued software - and no reason to recertify software that hadn't been modified since its release."

Are you saying a patch isn't software and doesn't modify software?

:shrug:

application and an operating system. If so, then you're capable of understanding why an OS service pack does not modify an application's source code.

Of course, if you were really interested, there's plenty of factual material online

Williams does acknowledge, however, that a month and a half before the November election, he worked with Diebold to apply a patch to the Windows CE operating system. The voting machines run on version 3.0 of Windows CE, he said, and they patched it to correct problems they were having with the system.

But he said this patch was passed by Wyle Laboratories, the independent testing authority that originally certified the machines.

"We asked (Wyle) to take a quick look at it, but we didn't have time to do a full qualification on it. This was a month and a half before the election. To go through the full ITA qualification and state certification takes about six months. We asked them to look at it from the point of view of whether or not it would have any impact at all on the main line of the voting software."

http://www.wired.com/news/politics/0,60563-2.html?tw=wn_story_page_next2

The OS, being a commercial off the shelf product, did not require certification in the first place, so there was no reason to seek re-certification of the Diebold software.

pushed by the vendors and their admirers finds me unimpressed.

exemption. We may not like the situation as it currently exists, but starting from a factual basis is necessary for reasonable debate.

Something I am just learning here.

You have a good night,

my condolences on the loss of your ma and congratulations on your achievement.

Vendors, SoS's, et. al., employ techniques that leave the election systems vulnerable.

You seem to have a problem with the fact that many have a problem with that.

That's all.

In 2001, because both political parties agreed, 50k paper ballots weren't counted in NYC in a primary where the margin of victory was less than 20k. So the practice of putting defective voting machines in poor and ethnic precincts persists. But many DUers want to hold on to the mechanical system - yeah, I have a problem with that.

Mexico just went through an election with paper ballots; anyone want to claim that *that* process was untainted?

Think strategically ... start from a factual basis and determine your objective. Then take the steps necessary to promote the desired direction. That's what I'm doing here, even if it means confronting those who would rather have a political issue than reasonable dialogue.

First: IF Diebold did in fact install a 'secret software patch' to either an operating system OR an application; do you honestly think they would admit they did ? ....

Fredda ? .. I know you have been here for a very very long time arguing this issue .... so certainly you can understand why some of us might demand more than a mere denial of criminality ... Even the appreance of impropriety should be cause enough for an open investigation ....

Now: Back to operating systems and applications ....

YES .. it is true that operating systems and applications are 'different' .. but how does that difference matter ? .... A processor will execute whatever code is fed into it's execution stream.

One can easily alter software, if a person or group had decent OS programming skills and a strong knowledge of Window's OS in particular. And such a person or group can easily attach nefarious code into an OS patch .... and system calls can be made to such malicious modules, once they are embedded into the OS .... Furthermore: Since OS patches are actually suites of files, we cannot know, without close monitoring, whether one or more application files are being directed into user volumes.

A computer executing application software code always interacts with OS routines ... Application code can be programmed in such a way that it communicates with new system modules after they are loaded, and otherwise ignores them .... It is nonsense to imply that OS patches cannot introduce malicious code into the operating environment ....

As far as I am concerned: without STRICT control of custody, and the implementation of a protocol where voting systems are PUBLICALLY assembled (The Physical Machine) and PUBLICALLY programmed, using the latest SW validation techniques and tamper-proof closures ...

Without these things; such a system cannot be trusted ... period ....

and wondered why the CEO would tell his employees not to mention it to the SOS.

Why do you think that is?
What did they have to hide?
If it was just an update patch for the "clock", then why wouldn't they just release that info to the Election Officials?

Seems extremely fishy to me. When people become that secretive you know there is more to the story that isn't being told.

Now if we could only get more people to come forward with more stories....

Why does Diebold’s Chief of Election Division show to personally install software when it is just a simplistic service pack update?

It does seem fishy.




edited: for clarity

This story has morphed over time. Here's a version from 2003 that doesn't mention the CEO, just a "a high-level Diebold executive"

http://www.wired.com/news/politics/0,60563-1.html?tw=wn_story_page_prev3

From Raw Story, Headline qualified as "Claims"

Whistle-blower Accounts

“With the primaries looming, Urosevich was personally distributing a ‘patch,’ a little piece of software designed to correct glitches in the computer program,” Rolling Stone Magazine reported.

Wanting to get paid for 20,000 machines, I can understand the logic of Urosevich being there.

From your wired Article

....As for other patches, Williams said, "We have no idea what Diebold or anybody else does when they go in their warehouse and shut that door.'

At best It's a wash. ( personally I have faith in Raw story)

Segue:

what was Rob.Georgia?

Patches, software, glitches, malfunctions. It's all bogus. And it definitely is not complicated.

Someone probably has an applet or flash program that works just fine somewhere on their lame blog or something.

Commercial software ain't just code - and government systems are even more demanding.

All you need is an in. Or cash.

I've developed software for state, county and municipal governments. An "in" is not enough to satisfy the requirements - and cash won't get you anywhere. I've seen lots of incompetence and cronyism ... that's the game.

And since Diebold already had passed the RFP process and was actually implemented, they could (and allegedly did) make an unathorized change in the code.

application and the operating system?

Or more specifically, attacks on election integrity.

Attack 1 is the most obvious, altering the vote count to ensure the attacker's guy wins. Quite simple in a DRE voting machine - you just find the file or data structure where the counts are stored and change them to whatever you want. Just make sure the count is still slightly plausible, and no-one will know.

Attack 2 is a DoS, a Denial of Service attack. Basically, the code in this case causes the machine to crash on command. Conditions can be set - crash the voting machines at a certain time, or when a certain "excessive" number of votes for the unwanted candidate are recorded, or when the machine is set up for specific precincts whose polls are favorable to the opponent.

Attack 3 is sort of like attack 1 - change the vote counts, but in this case, you deliberately make the fraud obvious, say by altering the counts so there are ten times as many votes as voters, for example. The idea is to deliberately spoil the count for the entire precinct and disenfranchise all its voters. You could also make an obvious cheat that makes the opponent win, then catch the cheat and make sanctimonious cries of fraud afterwards to discredit the opponent.

Just from reading various stories about count irregularities, malfunctions, etc., I'm convinced that all three of these attacks have been used in the 2004 election.

You also have to reconcile the vote totals with the ballots cast. Diebold's system keeps track of individual ballot "images", so you'd have to manipulate those as well.

he was able to write a virus that can be transmitted from machine to machine through the memory cards. They'd use that memory slot with a lock over it that you can open with a hotel minibar key... Or you could do what Bob Urosevich did according to that Rolling Stone article, and infect them all at once by installing a "software upgrade" when they're all at the warehouse... Like I said, you can write the software to be selective as to which machines actually crash, and when, so you can target specific precincts.

I didn't know that Diebold tracked individual ballot data. Makes things more tricky, but it could be done.