Should we discontinue EVMs?

[Pranav]

Master copy of the binary being replaced, either at the private company from which it is sourced, or at BEL/ECIL.

How does that help?

As Dileep said:

Everyone here KNOWS that you can load ANY program on it. I can even load a program that displays "RAHUL MEHTA IS THE WINNER".

It's unlikely that Navin Chawla, Sanjay Gandhi hitman of days past, and more recently, the guy who used to talk with kangressis during bathroom breaks, would want to declare our RM ji the winner. But it could be done.

[Dileep]

What is the current scenario? Someone replacing the executable binary at BEL?

Be clear.

Master copy of the binary being replaced, either at the private company from which it is sourced, or at BEL/ECIL.

Also, compromising the totalisers. Not much info is publicly available about totalisers.

OK, raise that objection publicly, and see what EC says.

Probably BEL can produce test/audit reports that verify the binary that is actually loaded on the unit.

[Pranav]

OK, raise that objection publicly, and see what EC says.

Probably BEL can produce test/audit reports that verify the binary that is actually loaded on the unit.

Who is going to listen to me? That's why one complains about it on BRF.

[Tanaji]

But Dileep, this assumes that the same compromised firmware can be used for all constituencies. How does the CU know which key to assign the additional votes to since it is unlikely that all constituencies will have the same key assignment for a particular party?

[Dileep]

Well, I am listening.

I am sure BEL have an established procedure for loading and verification of the binary onto the EVMs. This being an extremely important step for the security of the device, there will be elaborate procedures in place.

Even with no security consequence, our standard procedure for programming OTP controllers is that the operator always verifies the checksum of the code before doing the burn. When the device goes to the testing, the first thing verified is the checksum again. This is repeated for every testing. (we test the boards themselves, and after integration as a rule). A number of people are involved in the process, so sneaking something in the plant is impossible.

[Dileep]

But Dileep, this assumes that the same compromised firmware can be used for all constituencies. How does the CU know which key to assign the additional votes to since it is unlikely that all constituencies will have the same key assignment for a particular party?

Well, the theory is that someone (who has a vote in the booth) will go in and instead of voting, will press a key sequence that will activate the malicious code.

The key sequence activation itself is technically possible. But getting someone from each booth to go in and do it is tough. In Rahul universe, someone wears a thin skin layer to defeat the ink mark. But he forgot that the finger is inspected on both sides and the mark is made in a line, covering both skin and the nail. I don't think it is possible to put a "sticker" with no edge showing, but you are talking about Rahul universe here.

The last spot of my mark, which was made on 16th April, had just gone out with my last clipping yesterday.

[Sanku]

As Dileep said:

Everyone here KNOWS that you can load ANY program on it. I can even load a program that displays "RAHUL MEHTA IS THE WINNER".

It's unlikely that Navin Chawla & Co would want to declare our RM ji the winner, but it could be done.

1) Please tell me the exact psuedo code which you will put in which will favor congress.

Exact (there is a reason why I am asking this)

2) Also starting from the step of a bogey code for the EVM (please note not on the EVM). Please mention what are the steps that will be needed to use the bogey code.

---

Once you do this exercise you will see what Dileep et al have been saying for a while.

[Dileep]

Oh, I forgot something about the booth activation. The local politicians are expected to know all the voters. They get the voters list, go through and identify all of them, and make sure that they are visited for the campaign. You can't sneak someone from outside into the list. The voter must be resident in the coverage area of the booth to vote. The list has his address. So, how would you enroll one guy into multiple booths?

So, the only way the "key activation" happens is by recruiting a local guy from each booth. Quite possible in Rahul Universe.

[Rahul M]

So, the only way the "key activation" happens is by recruiting a local guy from each booth. Quite possible in Rahul Universe.

oh, but you only need to 'activate' the 'swing booths' ! (whatever that means !)

[Sanku]

I saw the deleted post -- Dileep mixed up his Rahul's

[Dileep]

Rahul M, please don't show up like this. I had to delete my post made on mistaken identity.

I know it is not the first time you draw friendly fire on behalf of the Mehta

[Dileep]

End of the day, multiplexing between many windows, such things do happen.

[Tanaji]

Well, the theory is that someone (who has a vote in the booth) will go in and instead of voting, will press a key sequence that will activate the malicious code.

Hmm so the theory is that the key code will act as the input for which key the party to which the votes should be credited. But doesn't the BU lock up as soon as any key is pressed which is a measure to prevent multiple voting and can be released only the returning officer using a polling button? So how does one input multiple key strokes on the BU?

[Sanku]

Well, the theory is that someone (who has a vote in the booth) will go in and instead of voting, will press a key sequence that will activate the malicious code.

Hmm so the theory is that the key code will act as the input for which key the party to which the votes should be credited. But doesn't the BU lock up as soon as any key is pressed which is a measure to prevent multiple voting and can be released only the returning officer using a polling button? So how does one input multiple key strokes on the BU?

Unmarked and unused keys on EVM (well there have to be guaranteed enough keys for those in RM world as well) -- magic keys

[Pranav]

1) Please tell me the exact psuedo code which you will put in which will favor congress.

Exact (there is a reason why I am asking this)

2) Also starting from the step of a bogey code for the EVM (please note not on the EVM). Please mention what are the steps that will be needed to use the bogey code.

---

Once you do this exercise you will see what Dileep et al have been saying for a while.

No exact pseudocode, but a possible approach that was mentioned was:
1. special key combination to transfer control to trojan, for example by pressing 1 and 7 simultaneously.
2. press key x
3. a simple version would be to allot third vote thereafter to key x.

The totalisers are just as important as the EVMs, but not enough public domain information about them is available.

[Pranav]

Hmm so the theory is that the key code will act as the input for which key the party to which the votes should be credited. But doesn't the BU lock up as soon as any key is pressed which is a measure to prevent multiple voting and can be released only the returning officer using a polling button? So how does one input multiple key strokes on the BU?

It is true that under normal circumstances, the CU does not record another vote unless the presiding officer presses a button. But there is no claim that the BU "locks up".

Irrespective of any security measures claimed by the EC, unless all specs are published and independent audits are allowed, there will always remain the possibility that any given EVM being used in polling does not in fact conform to the claimed specs.

[Rahul Mehta]

When I gave cost estimate of Re 1 per paper, it was TWICE the paper + printing. So overheads were counted.

Ok, so in your world that defies space and time laws, 2x cost will take care of overheads eh? By your own estimates, its Rs. 1 per ballot. A polling booth will take 500 people , again using your own numbers, total cost of polling people at that booth is R.s 500. Since you claimed that 2x includes all overheads it means it includes

• Cost of sending the three men on site
• Cost of pay for these three men
• Cost of living for 3 men

It also includes the cost of additional men required to do counting in case of paper ballots.

Wow.

How many times have we to prove that you use numbers that mislead? Your deliberate attempts at this only proves that you are doing this at the behest of some NBJPRIE that is upset that he cannot game the EVMs any more.

I am not counting costs common to EVMs and paper ballots, as they apply in both.

So cost of 3-5 men per booth (there are 5 men per booth including policeman, and more policeman is booth is sensitive) is not taken care in EVM vs Paper cost comparison.

Paper will not need extra men in booth.

---------

Rahul, why don't you go public with your allegations, as I mentioned earlier?

I will, except that using word "CIA" will only enable CIA puppets in ToI to twist what I said and thus make everything look un-serious. So I have to word this proposal carefully - thats all.

But an article will come on blog when I find time.

Getting rid of EVMs has been there in my manifesto since 1999, when I first "published" the list of laws I was proposed, and the reason was same --- EVM can be rigged in a way no one can later prove.

------

Dileep,

1. Which equipment is there to read the microcode inside the micro controller? Pls post URL to that. AFAIK, there is no way to read microcode.

2. Which equipment is there to read the ROM inside micro controller? How expensive are they? How much time would it take to read ROMs of 10000 EVMs?

.

[Rahul Mehta]

Even with no security consequence, our standard procedure for programming OTP controllers is that the operator always verifies the checksum of the code before doing the burn. When the device goes to the testing, the first thing verified is the checksum again. This is repeated for every testing. (we test the boards themselves, and after integration as a rule). A number of people are involved in the process, so sneaking something in the plant is impossible.

Checksum only helps against accidental errors, not intentional rigging.

If a smart person is rigging, he will add some bytes here and there to ensure that checksum is same.

And how do you falsify following


1. BEL delivered say 100,000 EVMs to EC in say Jan-2009

2. Between Jan-2009 and Mar-2009, Chawala gave EVMs to CIA or Congress. CIA or Congress opened the EVMs, changed the Micro-Controller with same micro-controller with different code in its ROM or a different microcode, which has trojan with activation code 5645X. Three months is enough time to open EVMs, de-solder the chip and put another ones. BEL will never come to know

In such case, the code will be still present there. Can it be read? Only if trojan is in the ROM and not microcode. If CIA or Congress has been successful in putting the trojan in microcode, then there is no way to prove or disprove it even if we rip apart 10000 EVMs.

[Rahul Mehta]

So, the only way the "key activation" happens is by recruiting a local guy from each booth. Quite possible in Rahul Universe.

I gave the details, and you probably missed it.

1. CIA has say 1000 field agents all over India.

2. Say CIA decided to rig 200,000 booths

3. CIA got the voter list of those 200,000 booths.

4. For each booth, the back office guys found 2-3 faces that matched the CIA field agents. Or, in any booth, some 50-100 voters dont have their photo at all. They too would do.

5. CIA back office guys got 200,000 fake IDs. Trivial.

6. These fake IDs were delivered to the 1000 field agents, each agent got 200 fake IDs with booths

7. Each field agent will cover 40 booths in a day. The polling was done over 5 days. So each field agent can thus cover 200 booths. 1000 agents can cover 200,000 booths

8. To deal with ink, they used a thin transparent sticker which just looks like artificial skin. This striker was applied on the skin. So the booth staff applied ink, but when field agent took off the transparent skin like sticker, the ink was gone. Such thin sticker will be expensive, say Rs 1000 per sticker in bulk.

So the field agent goes like a regular voter and covers 40-50 booths a day, or more. In each case, he enters the password and so machine gave 200-300 more votes to Congress.

So with 1000 field agents, CIA can rig 40000 booths in a day, Polling was held on 5 days, and so CIA could rig 200,000 booths.

There is no need of local voters

[Tanaji]

[Dileep]

Unmarked and unused keys on EVM (well there have to be guaranteed enough keys for those in RM world as well) -- magic keys

Those keys are mechanically shielded, by moving plastic tabs into position at the time of setup.

[Dileep]

1. Which equipment is there to read the microcode inside the micro controller? Pls post URL to that. AFAIK, there is no way to read microcode.

No equipment can "read" the microcode. But the presence of microcode shows up on the chip

2. Which equipment is there to read the ROM inside micro controller? How expensive are they? How much time would it take to read ROMs of 10000 EVMs?
.

A JTAG reader can read the ROM within a microcontroller. They are cheap, and doesn't take time. If you get an EVM in custody, you can read the ROM contents, and get the binary. You can then de-compile the binary to get the source.

[Dileep]

Checksum only helps against accidental errors, not intentional rigging.

If a smart person is rigging, he will add some bytes here and there to ensure that checksum is same.

Maintaining the SIZE and CHECKSUM is IMPOSSIBLE. Especially when the added code is rather big.

And how do you falsify following

1. BEL delivered say 100,000 EVMs to EC in say Jan-2009
2. Between Jan-2009 and Mar-2009, Chawala gave EVMs to CIA or Congress. CIA or Congress opened the EVMs, changed the Micro-Controller with same micro-controller with different code in its ROM or a different microcode, which has trojan with activation code 5645X. Three months is enough time to open EVMs, de-solder the chip and put another ones. BEL will never come to know.

Have you ever did soldering? I have. In fact I still can de-solder a chip and re-solder. It takes at least half an hour to replace the two chips at the best, using industrial hot air equipment. That is 6250 man-shifts for the lot.

Not to talk about the big industrial setup, the need for equipment and people, and people who actually see that these are EVMs, and it is obviously a secret operation. There is also the trivial problem of shipping paperwork, gate passes, waybills etc.

Only in RahulWorld!!

[Dileep]

I gave the details, and you probably missed it.

1. CIA has say 1000 field agents all over India.
2. Say CIA decided to rig 200,000 booths
3. CIA got the voter list of those 200,000 booths.
4. For each booth, the back office guys found 2-3 faces that matched the CIA field agents. Or, in any booth, some 50-100 voters dont have their photo at all. They too would do.

I can't believe you were a candidate. The photo is taken when the voter registers, and 100% of voters have their photo in the list. That is MANDATORY now.

5. CIA back office guys got 200,000 fake IDs. Trivial.

6. These fake IDs were delivered to the 1000 field agents, each agent got 200 fake IDs with booths

7. Each field agent will cover 40 booths in a day. The polling was done over 5 days. So each field agent can thus cover 200 booths. 1000 agents can cover 200,000 booths

8. To deal with ink, they used a thin transparent sticker which just looks like artificial skin. This striker was applied on the skin. So the booth staff applied ink, but when field agent took off the transparent skin like sticker, the ink was gone. Such thin sticker will be expensive, say Rs 1000 per sticker in bulk.

It is impossible to apply a skin-like sticker to the body that is invisible to the eye. It is only possible when you make movies, where the edges of the prosthesis is blended with the skin using make up, and lighting is adjusted to make the edges disappear. Even if you do the Hannibal Lechter stunt, ie peel off someone's skin and paste it, still the edges will show. Moreover, the ink is applied in a line, on both skin and the nail. Only in RahulWorld there will be a sticker that can seamlessly go over the skin, cuticle and the nail.

Jai Ho RahulWorld!!

[Rahul M]

Even with no security consequence, our standard procedure for programming OTP controllers is that the operator always verifies the checksum of the code before doing the burn. When the device goes to the testing, the first thing verified is the checksum again. This is repeated for every testing. (we test the boards themselves, and after integration as a rule). A number of people are involved in the process, so sneaking something in the plant is impossible.

Checksum only helps against accidental errors, not intentional rigging.

If a smart person is rigging, he will add some bytes here and there to ensure that checksum is same.
........

eh, what ?

you can't just add some bytes here and there and get two different files to have the same checksum. IT walas please correct me if I'm wrong. checksums are meant to be unique IDs for files and the newer SHA algos are virtually unbreakable.

AFAIK, the only way to have same checksum for two different files is to have complete access to the original code at the time of its writing and permission to modify it according to your needs.
----------------------

dileep saab, can we have that deleted post ?

[Dileep]

I want to make an OT statement about a weakness I have.

I can't stand people who make fake arguments. By fake argument, I mean arguing something when you yourself know that what you are saying is false or illogical. That is lying to yourself. I consider that the height of dishonesty. It is worse than lying, and equal to cheating. In my book they are bad people.

[Austin]

Thats the most hilarious statement i have read " he will add some bytes here and there to ensure that checksum is same "

Oh man you made my day , Thanks

Do you post in the MMRCA thread , that would be really fun

[Dileep]

About checksums:

Simple checksums can theoretically be faked. All you need to do is change four unused bytes somewhere in the file. In an executable binary, you will not have spare bytes. But there is a chance that you will have string constants whose contents are not that important. A smart hacker can adjust the bytes of she string and get the right checksum.

But it is impossible to add code, and keep the size and checksum the same. So, simple checksum is sufficient defense against fake binaries.

CRC can't be faked by humans, and normal computers. Cryptographic hashes like MD5 or SHA can't be faked at all. Considering the importance of the EVM, I would be surprised if BEL doesn't use them. Heck, opensource softwares give MD5 hash these days.

[Rahul M]

MD5 is pretty common these days. heck, moi, a non IT-vity guy uses them all the time.

[niran]

7. Each field agent will cover 40 booths in a day.

How would he would accomplished that?
every booth have a Que the quickest is 45 minutes/booth
add to that 30 minutes travel times, that makes it just 5-6 booths in a
polling day.

Dear Sir, nobody is perfect, the better man will see his mistakes accept it
and move on. Please Sir, its time to move.

[Dileep]

TALKING TO A BRICK WALL!!

[Rahul Mehta]

About checksums:

Simple checksums can theoretically be faked. All you need to do is change four unused bytes somewhere in the file. In an executable binary, you will not have spare bytes. But there is a chance that you will have string constants whose contents are not that important. A smart hacker can adjust the bytes of she string and get the right checksum.

But it is impossible to add code, and keep the size and checksum the same. So, simple checksum is sufficient defense against fake binaries.

CRC can't be faked by humans, and normal computers. Cryptographic hashes like MD5 or SHA can't be faked at all. Considering the importance of the EVM, I would be surprised if BEL doesn't use them. Heck, opensource softwares give MD5 hash these days.

Your initial post said CHECKSUM, and I mentioned that checksum can be faked by adding some bytes. Well, not adding but changing some bytes. So I am right that checksum can be faked.

You claim that binaries do not have extra unused bytes. WRONG. You know what padding is. When a structure is of size say 2k -1 bytes, the compiler will add 1 unused byte to make it even sized as even sized data are faster to access on most CPUs. So there will be lots of unused bytes in binaries which have some data in the code segment. So by changing the contents of these unused bytes, one can create a different binary with same checksum.

Also, 100% voters DO NOT have photo. I have personally seen voter lists without many voters without photo. And too many voters have wrong pix. eg my own voter card has my father's pix and vice versa !! So there are so many voter cards with wrong pix, that presiding officers were explicitly told not to turn away voters with card, just because pix was different.

If you dislike people who lie, you should try first not to lie.

-----

I will find out about CRC or Hash. I think that if the Hash function is known in advance, then hash too can be faked. Hash cannot be faked if hash function is unknown. I am not sure and will get back later.

----------------

AjayPratap,

The queues in the morning are small. The queues increase mostly after 11 am and are long in evening. And most booths dont have such queues --- the media shows ONLY booths with long queue and so many think that queues are always long. I have never voted in my life, but have taken my parents to voting booth over 5 times in past 10 years. Each time, waiting time was just a few few minutes. Also, there is something called booth cluster. eg the booths where I had gone -- some 7-8 booths were in same school building. And next booth cluster with 8-10 booths was just 1 km away. This is common in urban or even slightly dense rural areas like Tahsil centers. So in urban area, one can cover 100-120 booths in one day.

Queues get long only when voter list is messed up and so it takes time to identify voters.

[negi]

I am jealous of RM ji he is attracting so much attention that too of big wigs like Dileep and Co.; I guess I need to start my own thread ..errr..... "EVM's for recalling Ministers and Judges" voila ...we can always add a bit here or there and rig the machine to always decide in the favor of us commons.

On a serious note RM ji every process/system with Human input can be rigged/defeated by us humans who is denying this fundamental truth ?

Do you have a better system or alternative...please come up with a DRAFT.... we will then check on this thread the robustness and practicality of the said system/process, until then EVM's it is.

[amit]

I propose a special prize for perseverance and paitence for Dileep and Tanaji.

The amount of time and effort they've given to explain why massive EVM rigging is just not possilbe without somebody or the other knowing about it and making it public is really awesome. Normal brick walls would have wilted and slunked away. However, when you have slabs of concrete a foot thick... Only the CIA has bunker busters which can break the concrete, bring them to BRF!

[Rahul Mehta]

My favorite theory is replacement theory and not trojan theory.

Replacement theory says

1. Real EVMs were replaced by fakes AFTER candidate number was given. So Congress (=UPA) candidate number was known to that EVM's code.

2. The replacement was done in EC warehouse and/or District Centers of participating Collectors

3. After that fake EVMs were replaced by real ones with counters updated.

-----

Say booth has 1000 voters.
Say 650 voted.
Say the fake EVM is programmed to give 80% votes to Congress.
Then Congress would get 520 votes.
Say actual votes Congress got were 150 votes
Then Congress got extra 370 votes in that booth due to replaced EVMs
Hence by having 50 fake EVMs in that Constituency, CIA can get 18500 extra votes for Congress.

By having just 50 fake EVMs per seat, Congress can get lead of some 18500 votes in that Constituency.

IOW, even if CIA-Chawala replaced 50 of 1500 EVMs in say 400 Constituencies, they can change results in 100-150 of these 400 seats.

-----------

So there are many sub-scenario in replacement theories. The question is : what is lowest number of EVMs per seat to be replaced to win N seats?

The randomization done in CEC warehouse is useless. CIA-Chawala can easily ensure that fake EVM go the the Constituency CIA selected. So lets say some 20000 EVMs out of 700,000 EVMs nationwide were replaced by CIA-Chawala-Rajmata-MMS cabal and sent to selected 300-400 seats AFTER candidate numbers were known. So in those 300-400 seats, Congress got some 18000 to 20000 extra votes and the opponents lost that many votes. Enough to add 100-150 more seats to Congress, UPA.

Now since boothwise tallies were not given to public, such rigging can never be felt.

--------

Now replacing 20000 to 30000 of 700,000 EVMs at CEC warehouse in 20 days time is piece-o-cake for CIA. And then replacing them back after counting is also easy. And having 30000 EVMs look-like manufactured in US is also manageable for CIA.

Even if EVMs were stored in District warehouse, some extra EVMs may be needed at the last minute. A Constituency needs 1500 EVMs. Did District had all the EVMs it needed? Unlikely as voter population has increased by at least 10% since previous LS election and at least 1% to 10% since last Assembly elections. And some old EVMs could have malfunctioned. Replacements will all come from CEC warehouses. It is possible that CEC sent 50-100 EVMs after candidate numbers were issued and they were pro-Congress EVMs.

So one extreme scenario is that 200,000 EVMs were replaced each EVM was programed to give 50 extra votes.

Another scenario is 25000 EVMs were replaced, each EVM was programed to give 400 extra votes.

And many other combinations will also get 100-120 extra seats to Congress.

[suryag]

RM ji, that structure padding that you were talking of is totally C/compiler/architecture specific and relies on how the compiler generates code and how the processor can access memory. Some Compilers also make sure that structure addresses are aligned to a location that is multiple of 8/4. Now this wont be true if the code is written in assembly or if the processor is different. Faking checksums is difficult but given your great theories you might possibly come up with something like the CIA could design a control unit that would kick in when a combination of keys is pressed. Now you can may be do that but that is taking your paranoia too far. IMO, you are going too far please stop this

[Rahul Mehta]

Rahul Mehta:
1. Which equipment is there to read the microcode inside the micro controller? Pls post URL to that. AFAIK, there is no way to read microcode.

2. Which equipment is there to read the ROM inside micro controller? How expensive are they? How much time would it take to read ROMs of 10000 EVMs?

Dileep:

1. No equipment can "read" the microcode. But the presence of microcode shows up on the chip


2. A JTAG reader can read the ROM within a microcontroller. They are cheap, and doesn't take time. If you get an EVM in custody, you can read the ROM contents, and get the binary. You can then de-compile the binary to get the source.

What is "presence"? The good chip as well s bad chip has microcode. So both will show presence. How do I know which of the two chips has wrong microcode if the microcode cannot be read?

1. Initially, you said that microcode cannot have trojan. Then I showed that microcode can have a trojan if the microcode writer knew ROM code

2. Next you said checksum cant be rigged. I showed how checksum can be faked by putting bytes in padding spaces binaries have

It be a good idea to keep counts of how many times you change your positions.

------

Here are more

http://en.wikipedia.org/wiki/Cyclic_redundancy_check

cyclic redundancy check (CRC) is a non-secure hash function designed to detect accidental changes to raw computer data, and commonly used in digital networks and storage devices such as hard disk drives. A CRC-enabled device calculates a short, fixed-length binary sequence, known as the CRC code or just CRC, for each block of data and sends or stores them both together. When a block is read or received the device repeats the calculation; if the new CRC does not match (or in some cases, cancel out) the one calculated earlier then the block contains a data error and the device may take corrective action such as rereading or requesting the block be sent again.[1]

Attn : Rahul M

http://en.wikipedia.org/wiki/MD5

MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found with the design of MD5. While it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1 (which has since been found vulnerable). In 2004, more serious flaws were discovered, making further use of the algorithm for security purposes questionable.[2][3] In 2007 a group of researchers including Arjen Lenstra described how to create a pair of files that share the same MD5 checksum.[4] In an attack on MD5 published in December 2008, a group of researchers used this technique to fake SSL certificate validity.[5][6] US-CERT of the the U. S. Department of Homeland Security said MD5 "should be considered cryptographically broken and unsuitable for further use,"[7] and most U.S. government applications will be required to move to the SHA-2 family of hash functions by 2010.[8]

------

Now Dileep, pls show me URLs to read ROM contents of a micro-controller. Or if I send you a ROM, can you read its contents with equipment you have? Do you know anyone in India who can read a ROM contents? Because if chip does not have functionality to write out ROM contents, how will you read it? Have you actually read a ROM code before?

[Rahul Mehta]

RM ji, that structure padding that you were talking of is totally C/compiler/architecture specific and relies on how the compiler generates code and how the processor can access memory. Some Compilers also make sure that structure addresses are aligned to a location that is multiple of 8/4. Now this wont be true if the code is written in assembly or if the processor is different. Faking checksums is difficult but given your great theories you might possibly come up with something like the CIA could design a control unit that would kick in when a combination of keys is pressed. Now you can may be do that but that is taking your paranoia too far. IMO, you are going too far please stop this

Suryag,

Assemblers too *can* and they often do add pads to make addresses multiples of 2, 4 or 8. One may be able to turn the padding off to save space by giving some assembler options. Lack of padding can slow down a code. No Assembler writer would create Assembler with no padding option.

With known unused memory locations, faking checksum is easy. Forget that, people have even fooled MD5 !! Pls ee the wikipedia links I posted above.

----

Attn: Tanaji,

You asked how would CU know if field agent on BU had pressed keys 24567X. You claimed that CU cannot know this as BU locks itself after one key press. Pls see page two of following GoI report

http://www.scribd.com/doc/6794194/Exper ... ort-on-EVM

Line (iv) clearly says that ALL keystrokes are recorded, even if invalid.

So CU always knows what keys were pressed, even if invalid. BU locks itself from end user human point of view i.e. one I press key-A, other presses will be noted but ignored.

So if CU had trojan or BU had trojan, then trojan would know that keys 24567X have come, and so after 300 votes are polled, give 80% votes to candidate in RowX.

------------

Amit,

You should give insult throwing, sarcasm throwing and cartoon posting award to Dileep and Tanaji. Because thats all they have done in this thread. And NONE is yet to show how EVMs reduce cost compared to paper ballots.

.

[Rahul Mehta]

.

I just had a tubelight : What if the connectors of the cable between BU and CU was rigged?.

What if the cable between BU and CU was not a simple cable as it was supposed to be, but had a small chip inside connectors that would send pro-Congress signals to CU, no matter what BU sent? The connectors at the either end of the cables are large in size, and can hide a chip. The chip can work on very small amount of power and so the signals between CU and BU will have enough power to drive that chip.

Cables do NOT have serial number.

Cables were not tested by any committee.

----

So I have modified my replacement theory as follows :

1. After candidate number was given, CIA replaced the dumb cables with intelligent cables.

2. The cables had row number hard coded in them.

3. The rigged cables would send first 100 votes correctly and then send 5% to 10% more votes in favor of Congress. Or if the cables had clock in it, then rigging would start only on election date-time and not before. So all mock polls will be accurate and real poll will be rigged.

4. CIA has replaced those cables back with actual dumb cables.

-----

Now if there are 100,000 EVMs under CIA mole Chawala , and Chawala gives warehouse keys, one field agent can replace low ball 15 cables in one hour. So one field agent who works 10 hours can replace 150 cables, and in 10 days, he can replace 1500 cables. So with 70-80 field agents, CIA can replace cables in over 100,000 EVMs.

And if EVMs were at district head quarters, then it can be done where Collector is CIA mole. One Constituency is under one Collector and has 1500 EVMs. Replacing 1500 cables is not difficult task if Collector is CIA mole.

What is non-trivial here (for CIA)?

----

And if cable had trojan chip which needed Congress's candidate number as input, then a field agent has to be sent to feed the activation key and Congress's candidate number. That is possible, but more difficult than replacing cables.

.

[negi]

And NONE is yet to show how EVMs reduce cost compared to paper ballots.

Stop comparing cost of one EVM to 100,000 reams of paper first..will you ?

1. EVM if properly designed will come good for next 5 or even more general elections for there would be no added functionality unless the election process itself changes.

2. EVM's USP is elections can be held in far shorter span of time as compared to conventional ballots , can you imagine the MONEY saved by making the entire Govermund machinery run a complete 10-15 days LESS than what it used to for old system ( I am sure 10/15 days is a conservative estimate)?


3. The lesser the duration of GE lesser will be the number of people and innocents getting killed in election related violence and other political disruptions.

4. An election process carried out at a faster pace ensures that political parties have less time for fixing or scheming against a fair election process in any given constituency.

5. Booth Capturing to a large extent is prevented as during Ballot paper era ; laltain and cycle party used to come with a bunch of goons who used to come with their own Ballot papers or worse take the box itslef; the 5 minute interval between successive votes in a EVM makes this very difficult to pull (although I do not doubt likes of Lalloo and Co ).

6. In this age of 'GREEN frenzy' saving tonnes of paper is definitely a legitimate cause for going the EVM way.

7. Makes transition and improvement of election process easier; who knows 5/10 years down the line one might be able to cast the vote on the internet and all the counting and other processing might be done inside a kamplex 'CLOUD" .