Need urgent help checking voting machines for Java code - today!

jmarch

Folks,

I'm an elections observer in Pima County AZ credentialled by both the
Pima County Democratic and Libertarian parties. I need to be able to
check the Diebold Election Systems central tabulator for illicit Java
programs that might alter the central vote tally database.

In case you're not aware, Diebold's central vote tabulator stores its
data in MS-Access. Yeah. Which means it can be "back doored" all too
easily. The box runs Windows 2000.

I already have a method for doing this for Visual Basic scripts from
the command line:

C:\>findstr /l /s /i /m /c:"select case" /c:"elseif" /c:"end sub" *.* > c:\vblog.txt

The "findstr" command (built into Win2k and XP) will report back all
files that contain any of those three strings which are common stuff in
VB. I can then pull up the log file created and manually look at each
one for potential cheatin' stuff.

I need an equivalent for Java, as a separate second command line to
write to a "jslog.txt" file. But I don't know enough about Java to
create such a critter.

Any ideas? This is for a test this evening as today is the AZ
primaries.

(Note: yeah, I know they might compile it and screw us. Nothing I can
do about that except hope that any cheater is a pretty low-grade
geek...)

Jim March / jmarch -at- prodigy.net
Member of the Board of Directors,
Black Box Voting Inc.
www.blackboxvoting.org
 
Oliver Wong

I believe the pseudo-equivalents to VB's "select case", "elseif" and
"end sub" are "switch", "else"[*] and "}" respectively. However, for the
number of matches you're likely to get with "}", you might as well just read
the entire Java source code.

I don't see how finding these constructs, either in VB or Java, will
help you detect "illicit programs" in any way (unless this is one of those
"going through the motions to give the illusion of security" kind of
things), so maybe I completely misunderstood your question.

Are you trying to make sure there aren't any Java programs installed at
all? Well, as an easy first step, I'd go into the control panel and
uninstall any Java Virtual Machines I could find. That'll probably stop most
low-grade cheaters. If you're looking for keywords that almost always appear
in Java programs, you can try stuff like "public static void main(String",
"public class", "package", "import".

As for your "they might compile it and screw us", I have to say they
will definitely compile it. Java, traditionally, is compiled, not
interpreted. Which means if they're low grade, they probably compiled it. If
they manage to get a Java program running without compilation, that's
probably evidence of a high-grade cheater. So you should look for files with
the .class file extension. If the first 4 bytes are 0xCA 0xFE 0xBA 0xBE,
then it's a Java file. These 4 bytes are not within ASCII, so I'm not sure
if you can use findstr to detect them.

- Oliver

*: "else if" might be a better match, but then you'd have to deal with
whitespace issues like "else if".
 
jmarch

Oliver said:
I believe the pseudo-equivalents to VB's "select case", "elseif" and
"end sub" are "switch", "else"[*] and "}" respectively. However, for the
number of matches you're likely to get with "}", you might as well just read
the entire Java source code.

I don't see how finding these constructs, either in VB or Java, will
help you detect "illicit programs" in any way (unless this is one of those
"going through the motions to give the illusion of security" kind of
things), so maybe I completely misunderstood your question.

Are you trying to make sure there aren't any Java programs installed at
all? Well, as an easy first step, I'd go into the control panel and
uninstall any Java Virtual Machines I could find. That'll probably stop most
low-grade cheaters. If you're looking for keywords that almost always appear
in Java programs, you can try stuff like "public static void main(String",
"public class", "package", "import".

As for your "they might compile it and screw us", I have to say they
will definitely compile it. Java, traditionally, is compiled, not
interpreted. Which means if they're low grade, they probably compiled it. If
they manage to get a Java program running without compilation, that's
probably evidence of a high-grade cheater. So you should look for files with
the .class file extension. If the first 4 bytes are 0xCA 0xFE 0xBA 0xBE,
then it's a Java file. These 4 bytes are not within ASCII, so I'm not sure
if you can use findstr to detect them.

- Oliver

*: "else if" might be a better match, but then you'd have to deal with
whitespace issues like "else if".

First off, I appreciate the feedback. I didn't realize Java is usually
compiled. Visual Basic usually isn't and I was thinking the two were
broadly similar. My bad.

The goal isn't to treat any Java (or VB) stuff as bad, but rather look
for database accesses. This system is pretty locked down, it's not a
general purpose station and there's only one live .MDB (Microsoft
DataBase) file on there. If anything is accessing it other than the
Diebold utilities provided, that's trouble and that's what we're
looking for.

It sounds like this sort of check isn't really possible with Java.
Sigh. Well, VB is a more obvious choice so...we'll at least check for
that.

Is this all "make work"? Honestly, we realize that anybody really good
can tamper to hell and gone and we'd never spot it. What we're hoping
is that since nobody is looking at this stuff or has been in previous
years, they've gotten sloppy enough to catch. It seems worth trying
anyways.

In another county we've documented use of a USB keychain device with
encryption on one of these tabulators. We don't know what they were
slipping in or out of the box but we know they were doing something. I
can't be too clear because it's an ongoing issue.

Jim March
 
bikemh

Oliver said:
So you should look for files with
the .class file extension.

why not *.jar?

I don't see any reason, though, why any malware would not be there as
an *.exe. But this does bring up a kind of amusing irony to WORA :)
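
An added example, not code from any poster in this thread: it applies the two checks raised above, the 0xCA 0xFE 0xBA 0xBE class-file magic (regardless of file extension) and a look inside .jar archives, and lists which class files carry strings that suggest database access. The marker list, the size cap and all function names are assumptions of this example.

```python
import io
import os
import struct
import sys
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# Assumed markers of database access; ASCII strings sit verbatim in a class file.
DB_MARKERS = (b".mdb", b"jdbc", b"java/sql/")
MAX_ENTRY = 16 * 1024 * 1024  # assumed cap: skip larger archive entries

def is_class(data):
    # Mach-O universal binaries share this magic; there bytes 6-7 hold a small
    # architecture count, while class files carry a major version of 45 or more.
    if len(data) < 8 or data[:4] != CLASS_MAGIC:
        return False
    return struct.unpack(">H", data[6:8])[0] >= 45

def db_hits(data):
    low = data.lower()
    return sorted(m.decode() for m in DB_MARKERS if m in low)

def scan_bytes(name, data, out):
    """Append (name, kind, markers) for class data, descending into archives."""
    if is_class(data):
        out.append((name, "class", db_hits(data)))
    elif data[:4] == b"PK\x03\x04":  # ZIP local header: .jar, .zip, .war
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size <= MAX_ENTRY:
                        scan_bytes(name + "!" + info.filename, zf.read(info), out)
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            out.append((name, "unreadable-archive", []))

def scan_tree(root):
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    scan_bytes(path, fh.read(), out)
            except OSError:
                out.append((path, "unreadable", []))
    return out

if __name__ == "__main__":
    print(*scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

An empty marker list on a reported class file only means none of the assumed strings appear in it; every class file found on a machine that should have none still needs a manual look.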
 
Oliver Wong

jmarch said:
Honestly, we realize that anybody really good
can tamper to hell and gone and we'd never spot it. What we're hoping
is that since nobody is looking at this stuff or has been in previous
years, they've gotten sloppy enough to catch. It seems worth trying
anyways.

Who are the potential cheaters, though? If you have time to run this
"pre-vote testing" phase, why not just completely wipe the harddrive, and
reinstall whatever software is needed from scratch right before voting
starts? Then the only possibility of cheating at this point is either you
(or whoever the technician doing this is) cheating, or Diebold themselves
cheating. In either case, there's nothing you can really do to prevent
those.

If you have problems with voters sticking USB keys into the machine, how
about physically locking down the machine so that only approved input
devices are accessible? IF you had an LCD touch screen, you could hide
everything except the screen, so all the user can do is touch on points on
the screen.

- Oliver
 
bikemh

Oliver said:
Who are the potential cheaters, though? If you have time to run this
"pre-vote testing" phase,

Hi, Oliver. I believe he's indicating that he's an observer only, and
does so at the central computer which receives vote numbers from out in
the field, from the individual precincts or wards.

Oliver said:
why not just completely wipe the harddrive, and
reinstall whatever software is needed from scratch right before voting
starts?

almost inevitably, some (or even most) of the machines wouldn't be
ready on time. Don't forget that a crony or relative of some politician
will likely be in charge overall.

Oliver said:
Then the only possibility of cheating at this point is either you
(or whoever the technician doing this is) cheating, or Diebold themselves
cheating.

If the results are coming in from precincts to the central tabulator
over the internet, that's another avenue

Oliver said:
In either case, there's nothing you can really do to prevent
those.

except he's not trying to prevent so much as to "catch", as he says. Of
course, he might catch his own side doing something, you never know.

That being the case, it might be a better strategy to use whatever
Win2K has that parallels Task Manager.

But if the idea is that some malicious software is already installed,
but needs to be started from the console (or perhaps a CRON equivalent,
if one exists in Win2K) at the critical time - then I can see how the
search for software comes into play.

After all of that, just think what a nightmare will exist when some
supposedly "enlightened" government initiates actual voting via the
internet.
 
bikemh

bikemh said:
Oliver Wong wrote:

almost inevitably, some (or even most) of the machines wouldn't be
ready on time. Don't forget that a crony or relative of some politician
will likely be in charge overall.

though maybe something like vmware would allow Oliver's astute
observation to be practical in the actual situation
 
jmarch

Oliver said:
If you have problems with voters sticking USB keys into the machine, how
about physically locking down the machine so that only approved input
devices are accessible? IF you had an LCD touch screen, you could hide
everything except the screen, so all the user can do is touch on points on
the screen.

- Oliver

No, this is the central tabulator station, the one PC at county
elections HQ that takes in the votes from the whole county. Voters
don't have access.

It's the county elections officials and Diebold on-site staff that are
the threats and yes, trying to block those guys is a hell of a fight.
If we do enough scrutiny we might scare them into not cheating in the
first place, which is fine. If they DO cheat I want to catch them.

Not impossible depending on how sloppy they are.

Somebody mentioned that I might find "my side" cheating. If so, y'all
have my promise I'll bust 'em as fast as anybody. I just moved to
Arizona today and will be registering Libertarian. In California I was
registered Republican but a member of the Republican Liberty Caucus,
which means "GOP but with major libertarian leanings". I've done
election checkouts for both Republican and Democratic candidates. My
concern is about the process, not who wins.

I believe there are corrupt elements of both major parties and even a
little in the minors, although not as much because without serious
power they don't attract those types.

Jim March
 
