Slashdot Mirror


Help Black Box Voting Examine ES&S Software

Gottesser writes, "Bev Harris of Black Box Voting has asked for the help of the Slashdot community. She would like people to take a look at ES&S's central tabulator software and start reporting on their impressions of it. This is a past release of the software but it is similar to the applications in production. Sorry, no source code." Read on for Bev's request and pointers to the code repositories. Update 23:38 GMT by SM: Bev has confirmed that blackbox1.org is indeed owned by BlackBoxVoting, making both a comment in the discussion and a post on the front page of blackboxvoting.org to help assuage reader fear/doubt.


From Bev:

"ES&S 'Unity' central tabulator software.

Software stash: three zip files --
http://www.blackbox1.org/ems.zip
http://www.blackbox1.org/un5.zip
http://www.blackbox1.org/Unity.zip

User Manuals for ES&S software can be found here:
http://www.bbvforums.org/forums/messages/2197/2864.html

This is the ES&S central tabulator software, the ES&S counterpart to the Diebold GEMS central tabulator software. No source code, sorry, and no software for the precinct machines. This is reportedly one generation back, but from what I'm told has significant similarities to the new stuff. I would appreciate it if you can provide me with feedback on your impressions after looking at it. You may want to Slashdot it or whatever.

Best,

Bev Harris
Founder
Black Box Voting


  1. Mod parent up. by CyberVenom · · Score: 1, Informative

    There is something odd going on here.
    blackboxvoting.org is indeed registered to Bev Harris, but blackbox1.org is registered to "Registration Private" by "Domains by Proxy".

  2. Legit? Yes by kaan · · Score: 4, Informative

    I just got on blackboxvoting.org and called the primary phone number, and Bev Harris answered the phone.

    I spoke to her for about 5 minutes, explained that an article showed up on /. and there were questions about its authenticity. She said it was legit, they set up a new domain name so they don't hammer their primary server (they've gotten a ton of traffic lately). She said she could not disclose where she obtained the executable code, but that it was real software and she wanted feedback from the slashdot community.

    This is not a phishing scam, it's really from Bev, and she's trying to solicit help from the /. community to dig into this stuff.

    Oh, and yes, I'm posting this same comment in reply to all of the "is this real?" comments... Moderators: please do not mod me down without calling them yourself (go to blackboxvoting.org for phone number).

    Kaan

    1. Re:Legit? Yes by kaan · · Score: 2, Informative

      Appreciate the thought and effort, kaan, but folks are still in the position of accepting one stranger's (your) word to confirm another stranger's (Gottesser's) claim that a site we can't directly verify (blackbox1.org) is truly being run by BBV.

      Already done. Check http://www.blackboxvoting.org/ and see for yourself.

  3. story is legitimate, I just talked to Bev by phone by kaan · · Score: 4, Informative

    I just got on blackboxvoting.org and called the primary phone number, and Bev Harris answered the phone. This is legitimate. I talked to her for about 5 minutes, explained that an article showed up on /. and there were questions about its authenticity. She said it was legit, they set up a new domain name so they don't hammer their primary server (they've gotten a ton of traffic lately). She said she could not disclose where she obtained the executable code, but that it was real software and she wanted feedback from the slashdot community. This is really from Bev, and she's trying to solicit help from the /. community to dig into this stuff.

    Kaan

  4. Hi, I'm Bev Harris. There's nothing fishy here. by Bev+Harris+at+BlackB · · Score: 5, Informative

    Our domain, blackboxvoting.org (and the forums, on bbvforums.org, and the document archives, on bbvdocs.org) are on one server. These ES&S program files are on another server entirely because they are quite large and would slow down our blackboxvoting.org site.

    I won't say where they came from. I've checked them out to the extent possible, and they appear to be the real thing. In any situation like this you have to consider that the software might have changed significantly, or that someone could have left a honey pot out there, but I don't think this is a honey pot, not going to publish why on an Internet site. There is a good possibility that current versions have significant changes. Looking over these files should tell us a lot about how the ES&S programmers think, programming styles, etc. I haven't had time to look at the files at all, and I'm not a programmer. This program is designed to run on Windows, according to the user manuals, so I imagine you can just install it and start tinkering, as we did with the Diebold GEMS program. Some of the material refers to "Aero," which is definitely an older version that grew into the Unity program.

    No source code was provided (no source code was provided for the Diebold GEMS program, either, remember). The software is only for the election management system/central tally system, and we have so far been unable to get programs for the precinct-based individual voting machines, nor for the ES&S equivalent of the memory card, which they call the "PEB".

    Black Box Voting is receiving very credible reports of ES&S meltdowns in several states, though they always seem to have a temporary technician around to promise everyone their vote was not lost. Hard to explain, of course, since 18,000 votes are missing in action right now in Sarasota Florida, with about 300 votes separating the candidates for a U.S. House of Representatives race.

    We are getting reports of ES&S anomalies from BOTH political parties.

    If anyone has any questions, you can e-mail me at the e-mail address on the blackboxvoting.org Web site.

    Best,

    Bev Harris
    Founder
    Black Box Voting

  5. Re:this is legitimate, it's not phishing by kaan · · Score: 2, Informative

    1) How is this software legal to distribute in the way that it is being done? Can she supply information about why it is legal, even if she won't say where it came from?

    I asked Bev the same thing, she didn't want to say very much about it. So I'll add my own commentary: legality aside, if you piss off somebody big enough, they will find a way to shut you down, no matter what. Black Box Voting has had problems with this in the past (as explained in Hacking Democracy, where Bev originally found Diebold's Gems software on a public ftp server, her website was shut down, but not before many others had downloaded the contents).

    2) Even if it is legal for us to download it and possess it, how can we usefully examine the software unless we hack it in such a way which will probably break the DMCA (or other laws)?

    Good question. The answer is, "you probably can't". The DMCA probably applies here, and probably says it's illegal for us to even discuss their proprietary software. I suggested to Bev that she try to participate in the discussion on /. because there are going to be some tough questions, especially when the initial comments are, "this whole thing looks bogus".

    If she won't say where she got it from then I'm going to assume that it is illegal. Also if this is illegal then isn't /. now also guilty under the DMCA, and possibly other laws?

    I can't disagree with you. Bev said she could not disclose anything about where it came from, because it would likely reveal who it came from, and she couldn't do that. I don't know what to tell you. The DMCA probably applies, and that's just something you'll have to decide on your own.

    I would further suggest that you consider whether voting software for public elections should be so secret as to be hidden behind a generic law such as the DMCA. That's really the issue here - everything about electronic voting is a secret, and her organization is trying to expose that.

    Kaan

  6. FYI: This is now reported on Black Box Voting by Bev+Harris+at+BlackB · · Score: 5, Informative

    Hopefully putting to rest any questions as to who is who. I posted this discussion at Slashdot as the lead story on blackboxvoting.org. Cheers.

  7. Ask and ye shall receive... by Anonymous Coward · · Score: 3, Informative

    It would help significantly if there were a post either on the home page of blackboxvoting.org, or in the bbvforums.org forums under your name. This way there would be some credible record that this information did truly come from Bev Harris.

    Ask and ye shall receive... there's an update on their primary website
    http://www.blackboxvoting.org/

  8. Re:No source code, sorry by Unnngh! · · Score: 2, Informative

    You don't need the source code, don't even need a disassembler. I know that it would take me the better part of the next two months to get a grip on the assembly behind a windows app. Having the source code would be a different story.

    The first thing you want to do is figure out, broadly, what it's supposed to do. Install the software. Get it running. Look over the buttons and menu options. Look over the manual. Next I'd start examining the likely inputs and outputs. What data gets fed into the software? What does it output? What does it store? How does it store it? It may be worthwhile to find an external way to read the datastore (e.g. opening an Access database in Access) or that may come later.

    Now that you have an idea of how the software works, start examining how it handles inputs of different types. What are the expected inputs? Does it handle those properly? What are some unexpected inputs that are still input-able by the UI? What are some unexpected inputs that would not be possible or likely through the UI, i.e. a deliberately or intentionally corrupted input file or stream. Can you inject arbitrary values into the software where there should be none? Can you get the software to perform unexpected operations by manipulating the input? Attack the UI deliberately, perform operations in unexpected sequences, etc.

    During this process I guarantee that you will make the application break somewhere, if you're creative enough. Now you want to take the unexpected behavior that you caused and find some way to exploit it. In this case, one must ask, is there some way to manipulate the vote count through exploitation of the defect in the code? Better yet, is there some way to accomplish this manipulation strictly through the UI that generated the input? Or at least, with minimal rights to the aggregated input data, in this case? Can you make the software change the count through manipulating the UI of the counting application?

    Coders fall into routines and often repeat the same mistakes over and over. If you find one type of defect (e.g. SQL injection vulnerability), chances are you will find others like it. If they miss proper RI checking in one place, chances are they do so in others. You start to get a feel for how the program works and how it breaks. If you have written enough code of a similar nature, after a few hours or days of fooling around, you will probably have a very good idea of how the application is organized and even have an inkling of the code that went behind it without ever seeing a line of source or assembly.

    It was software made for profit in a closed-source environment, so they did not disclose or fix all the bugs they found during test. That's the way of closed source, proprietary software. They presumably fixed larger crashes and glaring problems but left the smaller stuff alone in the interest of adding features and meeting deadlines. These smaller issues and poor design decisions will make up the weaknesses in the code that can ultimately be exploited for fun and profit.
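The comment above suggests reading the tabulator's datastore from outside the application and checking it for referential-integrity defects and count manipulation. The following is an added example, not code from the page or from ES&S: it audits a constructed, hypothetical export of a central tabulator's tables (candidates, precincts with ballots cast, and per-precinct results) and reports rows that reference unknown precincts or candidates, negative tallies, and precincts whose tallied votes exceed the ballots cast there; the table layout and column names are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical layout, not real ES&S Unity data).
CANDIDATES = """candidate_id,name
1,Alice
2,Bob
"""
PRECINCTS = """precinct_id,name,ballots_cast
101,North,500
102,South,300
"""
# The last row points at a candidate that does not exist: an RI defect.
RESULTS = """precinct_id,candidate_id,votes
101,1,260
101,2,230
102,1,150
102,2,140
102,9,5
"""

def load(text):
    """Parse one CSV table into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def audit(candidates_csv, precincts_csv, results_csv):
    """Return a list of integrity findings; an empty list means consistent."""
    candidates = {r["candidate_id"] for r in load(candidates_csv)}
    precincts = {r["precinct_id"]: int(r["ballots_cast"]) for r in load(precincts_csv)}
    findings = []
    per_precinct = defaultdict(int)
    for r in load(results_csv):
        p, c, v = r["precinct_id"], r["candidate_id"], int(r["votes"])
        # Referential integrity: every result row must reference known rows.
        if p not in precincts:
            findings.append(f"unknown precinct {p}")
        if c not in candidates:
            findings.append(f"unknown candidate {c} in precinct {p}")
        if v < 0:
            findings.append(f"negative votes in precinct {p}")
        per_precinct[p] += v
    # Plausibility: votes tallied in a precinct cannot exceed ballots cast there.
    for p, total in per_precinct.items():
        if p in precincts and total > precincts[p]:
            findings.append(f"precinct {p} tallies {total} > {precincts[p]} ballots")
    return findings

def totals(results_csv):
    """Recompute the aggregate count per candidate independently of the application."""
    agg = defaultdict(int)
    for r in load(results_csv):
        agg[r["candidate_id"]] += int(r["votes"])
    return dict(agg)
```

Recomputing the aggregate from the stored precinct rows gives a figure to compare against what the application itself reports; a mismatch is the kind of anomaly worth chasing.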