Should we discontinue EVMs?

[pgbhat]

getting into details

[Dileep]

The committee asked for this security measure and relied on it to explain how the Election Commission could detect the activation of a Trojan. At the minimum this means that the Election Commission should perform a post-election analysis of key presses on all EVM control units and publish the results to assure people that a Trojan was not activated. This activity has to be performed after each Election if the Trojan threat is to be mitigated using the Indiresan Committee's recommendations.

The key log is a proposal for additional security measures in the future. I have shown on these pages that without the keylog itself the system is secure.

Secondly, the very fact that this measure was added as a detection mechanism for Trojans raises more questions -

1. This new security measure is present in newly manufactured EVMs, leaving the existing stock of EVMs unprotected

Not yet. These are "recommendations" of the committee. It is not yet implemented.

2. The measure does not protect against Trojan's that do not require activation, and

I have conclusively proven that inserting a trojan is impossible.

3. A Trojan can tamper with the keypress log after activation to hide the activation sequence

Not if the memory used is one time programmable.

The committee examined the possibility of a Trojan horse sub-program being wilfully activated after knowing key number allocation to favour a particular key (i.e. candidate), by activating the "Trojan Horse" through some mechanism at time of poll. Such entry is viable only thro' "specific Key presses sequence" on CU or by wireless signal or CU ports. The former activity is not viable as all "key presses" are to be time-date-logged in the memory (as per advise of committee), and a "repeat pattern" in all CU's at various booths can be easily visible on post-election analysis.

Well, Prof Indiresan didn't expect a hairsplitting debate on the content, and obviously haven't debated with worthies like RM and you in his life. If he had, he would have phrased it properly.

The point remains.

1. It is impossible to put a trojan in
2. Key log is a good security measure.

[Dileep]

getting into details

Oh Bhat Madani janaab, that is where the "iblis" lives ain't it?

[Pranav]

OK. So, do you, and RM agree that if the QE gets a GOOD Binary, then there is no way it can be REPLACED with a bad one? Want more time to think? I want that question answered before I will work on the source of the binary.

The QE could get a compromised binary, or QE himself could replace the good binary with a compromised one, or the QI might do it.

[Dileep]

For this system, let us take the QE as the entry point. After that, the binary is protected through paper trail that gives the file size and hash in paper. So, QI or anyone else down the line, can't replace it. Also, the test team gets their document throug a different channel, and they are doing the verification independently.

[Pranav]

OK, the test people get the file size and hash of the compromised binary through a different channel. It must be emphasized, however, that the assumptions being made here are not backed by anything from the EC.

For this system, let us take the QE as the entry point. After that, the binary is protected through paper trail that gives the file size and hash in paper. So, QI or anyone else down the line, can't replace it. Also, the test team gets their document throug a different channel, and they are doing the verification independently.

[Dileep]

I am asking about the system I mentioned, with no reference to any other sources or means external to that system.

Now, answer the question please. Can you corrupt THAT system, or not?

I want to prove that system, before I look at anything else.

[vera_k]

These are "recommendations" of the committee. It is not yet implemented.

Wrong. Nearly 81,000 EVMs were manufactured with these modifications and used in the 2009 Lok Sabha Elections.

http://sify.com/news/fullstory.php?id=14876677

Not just that, the EVM also records the exact time when the whole balloting process starts and when the last vote is being cast. It gives an hourly update of the number of votes cast, and if there is any unusual trend in the process, it can be easily detected. Thus the whole process becomes tamper-proof

According to K.S. Rajasekhara Rao, chairman of ECIL, they have supplied 78,000 machines with the improvised features to the Election Commission

Not if the memory used is one time programmable.

The keypress log is in an EEPROM in the Control Unit (ref 3.4(c) of Indiresan Committee report) and therefore vulnerable to a trojan.

I have conclusively proven that inserting a trojan is impossible

On the contrary, the programming manual you posted shows how easy it is to program a trojan in if the supplier of the PROM is compromised. And, although the manufacturer (BEL, ECIL) of the EVM should be able to use checksumming to detect the introduction of a trojan, checksumming by itself is no guarantee of the absence of a trojan without further information on a) if *both* manufacturers have checked the checksums consistently all these years, b) if they have not outsourced the part of the manufacturing which includes the function of verifying the checksums and c) what security measures, if any, have been taken to secure process and equipment (such as PROM readers) used for checksum verification

There is conflicting information on whether checksums have been checked through the years. The Indiresan Committee report claims that the manufacturer cannot read the OTPROM - which would be necessary for checksum verification - while BEL claims that they do verify checksums. The truth is likely somewhere in between.

[vera_k]

Well, Prof Indiresan didn't expect a hairsplitting debate on the content, and obviously haven't debated with worthies like RM and you in his life. If he had, he would have phrased it properly.

So the committee did a shoddy job then?

[Dileep]

Wrong. Nearly 81,000 EVMs were manufactured with these modifications and used in the 2009 Lok Sabha Elections.

http://sify.com/news/fullstory.php?id=14876677

Thanks for the info. It doesn't change anything though.

Not if the memory used is one time programmable.

The keypress log is in an EEPROM in the Control Unit (ref 3.4(c) of Indiresan Committee report) and therefore vulnerable to a trojan.

My recommendation would be to use am EEPROM chip with hardwired erase protection, with a slide switch enabling erasure.

I have conclusively proven that inserting a trojan is impossible

On the contrary, the programming manual you posted shows how easy it is to program a trojan in if the supplier of the PROM is compromised.

The program is not stored in the PROM. It is stored inside the microcontroller, which is one time programmable. Could you please explain how would you insert the trojan?

And, although the manufacturer (BEL, ECIL) of the EVM should be able to use checksumming to detect the introduction of a trojan, checksumming by itself is no guarantee of the absence of a trojan without further information on a) if *both* manufacturers have checked the checksums consistently all these years, b) if they have not outsourced the part of the manufacturing which includes the function checking the checksums and c) what security measures, if any, have been taken to secure process and equipment (such as PROM readers) used for checksum verification

Sure thing. Let the expert committee audit them for the processes.

There is conflicting information on whether checksums have been checked through the years. The Indiresan Committee report claims that the manufacturer cannot read the OTPROM - which would be necessary for checksum verification - BEL claims that they do verify checksums. The truth is likely somwhere in between.

Any OTP controller will have a built in facility to progressively verify the checksum or hash. This is a logical requirement, because once the security bit is set, you can't read the binary.

[Dileep]

Well, Prof Indiresan didn't expect a hairsplitting debate on the content, and obviously haven't debated with worthies like RM and you in his life. If he had, he would have phrased it properly.

So the committee did a shoddy job then?

If regardless of the performance of the review, or the contents of the report, not making a review report "legally bulletproof" like a piece of legislation can be called shoddy, then yes.

But the poor prof never had the honour of debating on brf, did he?

[vera_k]

Thanks for the info. It doesn't change anything though.

It establishes that a) older models were vulnerable to this attack and b) that the attack vector has not been eliminated in current models because the EC has not conducted a post-election analysis to eliminate the possibility of the activation of a trojan.

My recommendation would be to use am EEPROM chip with hardwired erase protection, with a slide switch enabling erasure.

Sure. Is that how it is implemented in the EVM?

Sure thing. Let the expert committee audit them for the processes.

Do you agree then that having a checksum is, in itself, no guarantee of an unbiased machine?

The program is not stored in the PROM. It is stored inside the microcontroller, which is one time programmable. Could you please explain how would you insert the trojan?

The trojan would be part of the program file that is burnt into the microcontroller. Since a sealed microcontroller is imported into India (ref Q21 here), verification of the checksum is essential before use.

[Dileep]

It establishes that a) older models were vulnerable to this attack and b) that the attack vector has not been eliminated in current models because the EC has not conducted a post-election analysis to eliminate the possibility of the activation of a trojan.

Both fallacious inferences. Though keylog is a defense against trojans, that is not the sole defense. It has been proven that trojans are not possible.

My recommendation would be to use am EEPROM chip with hardwired erase protection, with a slide switch enabling erasure.

Sure. Is that how it is implemented in the EVM?

Irrelevant for this discussion. It would be better that way, and plug all holes. It is better to have every piece of securlty that is rationally possible.

Sure thing. Let the expert committee audit them for the processes.

Do you agree then that having a checksum is, in itself, no guarantee of an unbiased machine?

"Having" a checksum doesn't prove anything, but "verifying" the checksum after programming does. Since it is OTP, no one can change it after programming, so traceable verification is sufficient proof.

The program is not stored in the PROM. It is stored inside the microcontroller, which is one time programmable. Could you please explain how would you insert the trojan?

The trojan would be part of the program file that is burnt into the microcontroller. Since a sealed microcontroller is imported into India (ref Q21 here), verification of the checksum is essential before use.

Considering the security sensitivity of the product, I am sure there will be a system in place for verification. The FAQ21 is for people who are not familiar to the technical details.

I have given a reference procedure in one of the previous posts. See if you see any vulnerability there.

It is my take that, the programming is a critical step, and care should be taken to ensure that no corruption happens.This can be verified by an audit of BEL and ECIL by the expert committee.

[Dileep]

The report says the date stamp is "permanent record". So, it can be erase proof.

Even if it is using regular flash chip, you have a bit of problem. Flash chips can be erased in blocks of typically 64K bytes. They don't "overwrite", ie if you want to store new data at a location (which already has some data), you can't do that by just writing. You need to first copy the stored data into a buffer, erase the block, modify the data in the buffer, and write the buffer back.

In an EVM environment, the availability of RAM is very little. You can modify a timestamp, without affecting the previous values, only if the total data stored is less than the available free RAM. This is a major deterrent to modifying the time stamp.

[Tanaji]

I seem to have lost the link to Indiresan committee report, can someone please post it?

Actually the EC FAQ and this link should be on the first page of this thread as required reading.

[Dileep]

Folks,
Pls read First Page Indian Express Delhi or Ahmedabad tomorrow
I have paid the demand draft. Their legal dept has cleared the AD. If all goes smooth, the ad comes tomorrow.

Please be kind to scan and post it here.

Dileep,

The scanned page of photoless entries will come in 1-2 days. Sorry for the delay. Very busy for next 1-2 days. And I have found one way to put ONE trojan in chip in away that QE can never guesses even with hash. Now I am working on how 5 trojans can be planted..

And what about the trojan code?

I didn't know scanning takes that much time. In these parts of the world, it takes hardly a minute

Vera_K,
If checksum is used, then it is raam bharose. Checksum is only good against accidental errors. Checksum is not rigging-proof.

Well, PROVE IT!

[Rahul Mehta]

Folks,

1. I had asked Indian Express to give my ad on the first page in Delhi/Ahmedabad. The legal dept approved, but as marketing person said, the editor Rajkumar Jha refused to put it on the first page. And editor has control over first page ad. So the ad is on 3rd page. I have aked IE to put ad on 3rd page ALL over India, July-31. Pls buy your IE copy ASAP. And if you are anti-EVM, pls give xeroxes of the ad to all.

Added later : Pls see http://epaper.indianexpress.com/IE/IEH/ ... ndex.shtml , scroll to page-3

---

2. Dileep,


http://rahulmehta.com/example.voterlist ... outpix.jpg

Abve is the page scan of voter list page without pix. This issue is closed. Now you can post claims that I doctored the jpg. But then pls call your friends in EC and ask them to give you the copy of the page I gave from voter list of Marl-2009 (not later).

---

3. You posted link to some chip. Is that the exact chip EVM uses of something else? If it is something else, there is no point, Pls get URL to the data book of the exact chip EVM uses.

---

4. Also, you listed the process that BEL follows. Pls post the proof that BEL actually follows that process. Just because BEL chief claims that they follow process-X does not mean that they actually follow process-X.

5. And you deliberately did not answer one question : how many people are involved in the process at each step? How many coders are there to code EVM code? How many QE are there? How many QI are there? The headcount is essetial to see how BEEL chief can circumvent the process and get rigged code in. So pls give count of number of people at each step

6. And some EVMs were made 1989. Did that MC gave hadcode?

7. Which instruction should be sent to MC to get hash code of the ROM? Or, how do get hash code of ROM after the lockbit is set and chip is already mounted on PCB.

.

[Rahul Mehta]

There is no scare mongering against paper ballots. In fact, all the scare-mongering seems to be against EVMs despite the fact that you don't have one iota of physical proof - Sorry sir, but in the real life one demands actual results NOT paper theories. And what's all this so-called action in fast track courts? Do we have them, do they work, how successful are they? - again more theories and paper castles built on thin air.

There is NOT a single case of "camera in booth" and paper ballot rigging. So your scare mongering against paper ballot with camera in booth is only to misguide commons.

And in paper ballot rigging, you could actually see a guy stamping papers. In case of EVM, the PO (presiding officer) and some 2 bit guy can silently keep 10-20 buttons and no bystander (except staff and polling agents) will even notice. So paper was better --- it used to make rigging loud and clear, while EVM keeps rigging by PO hidden. In fact, with EVM, PO and staff alone can rig the booth by pressing 10s of buttons in the or free time and checking off the names in the voter list.

Why dont you PUBLICLY make claims that "commons in India are not capable of deciding whether paper should be brought back". Why confine such claims to BR only?

[Dileep]

Here is a challenge:

I have made a binary that is executable on a PowerPC based embedded system. The binary and its map file could be downloaded from the link below:

http://www.filehat.com/en/file/5705/tst-zip.html

The binary is 12,136 bytes in length.

The challenge is to insert your trojan in this binary, maintaining the checksum and size, without affecting the functionality of the original code. In other words, you should not modify the .text objects within the allocated space.

The binary is created using C source, compiled and linked with the powerpc-eabi toolset. It will execute standalone if loaded at the correct location. It used the serial port of an MPC8245 controller for i/o

[Dileep]

1. I had asked Indian Express to give my ad on the first page in Delhi/Ahmedabad. The legal dept approved, but as marketing person said, the editor Rajkumar Jha refused to put it on the first page. And editor has control over first page ad. So the ad is on 3rd page. I have aked IE to put ad on 3rd page ALL over India, July-31. Pls buy your IE copy ASAP. And if you are anti-EVM, pls give xeroxes of the ad to all.

We don't get IE here, after the split. Please get a scan posted here.

http://rahulmehta.com/example.voterlist ... outpix.jpg

Abve is the page scan of voter list page without pix. This issue is closed. Now you can post claims that I doctored the jpg. But then pls call your friends in EC and ask them to give you the copy of the page I gave from voter list of Marl-2009 (not later).

I don't have any friends in EC. The only friends I have are the local netas of both Cong and CPM. Your "advance bail" that I will accuse doctoring itself is a pointer. I will analyze the image and get back to you.

3. You posted link to some chip. Is that the exact chip EVM uses of something else? If it is something else, there is no point, Pls get URL to the data book of the exact chip EVM uses.

It is not the exact chip, but that is irrelevant. You claimed the chip could be rigged without knowing about the chip, so, you should be able to prove it on any chip.

What if BEL uses EXACTLY the said chip in the future versions of EVM? Would you accept them as unriggable?. If not, please rig this chip and prove your point.

Do not weasel out now. You are cornered. Produce the trojan for this chip, or agree that the chip is not riggable, hence you would accept it to be used on the future EVMS

4. Also, you listed the process that BEL follows. Pls post the proof that BEL actually follows that process. Just because BEL chief claims that they follow process-X does not mean that they actually follow process-X.

Would you agree that if BEL establishes this process, the EVMs thus produced are not riggable? If not, please prove that this process is riggable.

5. And you deliberately did not answer one question : how many people are involved in the process at each step? How many coders are there to code EVM code? How many QE are there? How many QI are there? The headcount is essetial to see how BEEL chief can circumvent the process and get rigged code in. So pls give count of number of people at each step

OK, here you go:

Three QEs, one per shift, rotating.
Six QIs, two per shift, rotating.
Six programme station operators, two stations, two per shift, rotating
Six board testers, two per shift
12 final testers, four per shift.

Now, please prove the process is riggable.

6. And some EVMs were made 1989. Did that MC gave hadcode?

Please re-state the question.

7. Which instruction should be sent to MC to get hash code of the ROM? Or, how do get hash code of ROM after the lockbit is set and chip is already mounted on PCB.

The hash is read by hardware signal. You need to make contact with the test points using a test probe, and the in-circuit tester will read the hash

[Raja Bose]

And in paper ballot rigging, you could actually see a guy stamping papers. In case of EVM, the PO (presiding officer) and some 2 bit guy can silently keep 10-20 buttons and no bystander (except staff and polling agents) will even notice. So paper was better --- it used to make rigging loud and clear, while EVM keeps rigging by PO hidden. In fact, with EVM, PO and staff alone can rig the booth by pressing 10s of buttons in the or free time and checking off the names in the voter list.

And where is the proof that such rigging is possible in practice? Dileep has been hounding you to give a trojan solution, yet all I see from you is weaseling out when you are asked to put your money where your mouth is. Recall that I termed your tactics as those of extremist/militant activism - that is the reason why...you are all hoity-toity with your claims and theories, unfortunately when asked to prove it scientifically in practice, you want to chicken out.

I hate to say this but the more I see your responses on this thread, the more I am convinced that despite a degree in engineering from a top university, you are thoroughly ignorant of what the discipline of engineering is about. Unfortunately this is becoming increasingly true with tons of engineering graduates who neither have the rigor of pure sciences nor the practical skills required of engineers. As someone who came to engineering from pure sciences I can attest to that, but that is a topic for the Education (and not the EVM) thread.

And please spare us this emotion-charged BS of taking it to the "commons" and putting out full page ads based on half-baked theories - it is nothing more than a time-tested method of whipping up public passion for the wrong reasons and cheap publicity.

Why dont you PUBLICLY make claims that "commons in India are not capable of deciding whether paper should be brought back". Why confine such claims to BR only?

Because my Dear Sir, unlike you I am not in the business of pandering to the vanity of the "commons" and taking them for a ride.

[Rahul Mehta]

We don't get IE here, after the split. Please get a scan posted here.

Pls see page-3 of http://epaper.indianexpress.com/IE/IEH/ ... ndex.shtml .

To see the ad properly, you may need to register and login

----

Rahul Mehta: You posted link to some chip. Is that the exact chip EVM uses of something else? If it is something else, there is no point, Pls get URL to the data book of the exact chip EVM uses. It is not the exact chip, but that is irrelevant. You claimed the chip could be rigged without knowing about the chip, so, you should be able to prove it on any chip. What if BEL uses EXACTLY the said chip in the future versions of EVM? Would you accept them as unriggable?. If not, please rig this chip and prove your point.

Dileep: Produce the trojan for this chip, or agree that the chip is not riggable, hence you would accept it to be used on the future EVMS

You and Raja Bose are now getting insane. You are claiming that a program that would candidate number [(nCandidates + 1) mod 5 + 1 ] cannot be simply written !! As if no one in world can add one and take mod 5 !! As for writing code for this target chip goes, if you can get me the databook, compiler and toolkit of the mc chip that EVM actually uses, it is worth spending my time so that I can give an actually demo to audience. But if you give some arbit mc chip, why waste time on that. I can write this "[(nCandidates + 1) mod 5 + 1 ] code" in C for some thin client and give a demo.

Would you agree that if BEL establishes this process, the EVMs thus produced are not riggable? If not, please prove that this process is riggable.

No. Because I have figured out a way to rig this process steps as well. I will mention that "if needed" only, otherwise I want to mention that in my magazine only so that curious BRites will be forced to read my maganize (and thus forced to read Right to Recall stuff which comes every second line ).

So first case is : pls show PROOF that BEL actually followed these process steps you mentioned while manufacturing all EVMs in Dec-2009. And show me REAL youtube video, not some papers signed by BEL chiefs claiming that they follow these process steps.

For all I know, pro-EVMs kept claiming that trojans are impossible to use, not plant in EVMs, as 100000s of people will need to go to booth to enter candidate number to be preferred. If that was the cases, then even unsecure process was good enough as no party will benefit by putting trojan as none knows the candidate number till 15 days before poll. The "impossibility of use" was taken as an argument and a proof that "no would world bother". This is quite rational --- after all why would Congress put a trojan if trojan cant help Congress? But now that I have demostrated that there does exist an algorithm, that was undisovered till now, that one can favor Congress by merely ensuring nCandidate parameter. This trojan does not need even one, forget 100,000 field agent to punch in keys in the EVMs. Hence such a mod-5 trojan is usable. Hence Congress has motive to put such this mod-5 trojan in EVM.

Now your claim is that even if Sonia/MMS and BEL chief try their best, the trojan wont reach into EVM ROM because of some goddam process steps. So pls prove that process first exists to begin with.

Unless you can PROVE that BEL has actually been following these processes for past 20 years, you have NO proof that trojan hasnt been inserted in past.

Will write more later. I have am sending emails to everyone in press now.

[Dileep]

Rahul Mehta. Do not weasel out.

You have claimed that the trojan is ready, and asked to provide the chip details. Now, back up the claim by publishing the code.

Do you, or do you not agree that the process I gave you, can be rigged or not?

DO NOT, I repeat, DO NOT, weasel out now. Straight answer to the questions please.

[Dileep]

First case is : pls show PROOF that BEL actually followed these process steps you mentioned. And shopw me REAL youtube video, not some papers signed by BEL chiefs claiming that they follow these process steps. For all I know, you kept claiming that trojans are impossible to use in EVMs, as 100000s of people will need to go to booth to enter candidate number to be preferred. If that was the cases, then even unsecure process was good enough as no party will benefit by putting trojan as none knows the candidate number till 15 days before poll. But now that I have demostrated that there does exist an algorithm, that was undisovered till now, that one can favor Congress by merely ensuring nCandidate parameter. This trojan does not need even one, forget 100,000 field agent to punch in keys in the EVMs.

You either PROVE that trojan is possible, or DROP the notion that a trojan is possible

Unless you can PROVE that BEL has actually been following these processes for past 20 years, you have NO proof that trojan cant be inserted. And I have already found a way by which trojan can be inserted even in the process you mentioned. But for now, first I want you to provide proof that BEL had actually followed this process. If not, why do insist that existing EVMs are trijan free?

If you found a way USE THAT WAY to put a trojan in the code I gave you.. And show HOW EXACTLY you are going to put that into the process I outlined.

1. Prove that trojan is possible by showing the code, and putting it into an actual binary

AND

2. Prove that the procedure I gave can be rigged.

Or, I have a better suggestion

VANISH FROM THIS THREAD!!

[Dileep]

Rahul Mehta's ad is shown below:



I don't think that would be copyright violation, but if admins believe so, please delete. Thank you.

[Rahul Mehta]

Do you, or do you not agree that the process I gave you, can be rigged or not?

We are talking about proceses BEL's EVM unit follows. Pls post the process steps BEL EVM unit follows with proofs that they actually follow those processes steps.

There is no point in discussing all 100 type of processes that exist in BEL.

---

The Trojan's basic algorith is in the ad nad has been posted here 10 times and you have seen it. As per your wanting code, you tell me what is the target machine. Do you want VB6 code that will run on PCs? Do you want code that will run on EVM chip? If yes, give me EVM's machine's chip's toolkit, C cross compiler and reference manuals. Without giving even one toolkit you want me to write code? How would I test the code?

---

Anti-EVM people,

Pls do the necessary to take anti-EVM jehad outside BR. IMO, there is no point in reasoning on process steps that we dont even know exist in BEL to begin with. Lets take EXACT steps BEL's EVM unit follows. My guess is that BEL staff assumed that Trojan would need candidate to send 1000s of people in booth, and so they assumed that trojan is not worth the prize. So they may not have made a "top-proof" system, as "top-proof" systems are expensive and reduce productivity. There system might have been to ensure that errors dont happen and someone in bottom, middle doesnt do mischeif.

Till we get word on EXACT process BEL follows, I dont want to discuss process steps anymore.

[Rahul Mehta]

Three QEs, one per shift, rotating.
Six QIs, two per shift, rotating.
Six programme station operators, two stations, two per shift, rotating
Six board testers, two per shift
12 final testers, four per shift.

How many programmers in writing EVM code. Because I would try to put a trojan in source code itself. Mind you, I am BEL chief in this scenario.

[Dileep]

We are talking about proceses BEL's EVM unit follows. Pls post the process steps BEL EVM unit follows with proofs that they actually follow those processes steps.

There is no point in discussing all 100 type of processes that exist in BEL.

Would you agree that if the process I gave is established in BEL, that would not be riggable.

A straight answer please.

The Trojan's basic algorith is in the ad nad has been posted here 10 times and you have seen it. As per your wanting code, you tell me what is the target machine. Do you want VB6 code that will run on PCs? Do you want code that will run on EVM chip? If yes, give me EVM's machine's chip's toolkit, C cross compiler and reference manuals. Without giving even one toolkit you want me to write code? How would I test the code?

I gave you the machine spec already. It is ATMEL TS83C51RD2 chip. I gave you links to the data sheet, instruction set and hardware manual. Please write the code for that platform.

Download the assembler from the link:
http://www.atmel.com/dyn/resources/prod ... LASM51.EXE

This tool is sufficient to assemble the code.

If you want to use C, please download the following tool:

http://www.atmel.com/dyn/resources/prod ... ACIFIC.EXE

Anti-EVM people,

Pls do the necessary to take anti-EVM jehad outside BR. IMO, there is no point in reasoning on process steps that we dont even know exist in BEL to begin with. Lets take EXACT steps BEL's EVM unit follows. My guess is that BEL staff assumed that Trojan would need candidate to send 1000s of people in booth, and so they assumed that trojan is not worth the prize. So they may not have made a "top-proof" system, as "top-proof" systems are expensive and reduce productivity. There system might have been to ensure that errors dont happen and someone in bottom, middle doesnt do mischeif.

Till we get word on EXACT process BEL follows, I dont want to discuss process steps anymore.

That is because you can't rig the given process.

If the said process is implemented in BEL, would you endorse that to be unriggable?

[Dileep]

Three QEs, one per shift, rotating.
Six QIs, two per shift, rotating.
Six programme station operators, two stations, two per shift, rotating
Six board testers, two per shift
12 final testers, four per shift.

How many programmers in writing EVM code. Because I would try to put a trojan in source code itself. Mind you, I am BEL chief in this scenario.

Before, discussing any other process, please finish with the current one.

Is it riggable, or not?

[Raja Bose]

You and Raja Bose are now getting insane. You are claiming that a program that would candidate number [(nCandidates + 1) mod 5 + 1 ] cannot be simply written !! As if no one in world can add one and take mod 5 !! As for writing code for this target chip goes, if you can get me the databook, compiler and toolkit of the mc chip that EVM actually uses, it is worth spending my time so that I can give an actually demo to audience. But if you give some arbit mc chip, why waste time on that. I can write this "[(nCandidates + 1) mod 5 + 1 ] code" in C for some thin client and give a demo.

My dear sir, the above bold statement proves that your intentions are indeed to deceive given how to attempt to obfuscate. Nobody claimed that writing such a program in isolation is impossible - what is being claimed as impractical (and rather unproven) is the ability to inject such a code into the MCU, manage to subvert all the integrity checks and run as you have so cooly theorized in the past 10 pages of this thread.

And since you seem to be bold enough to claim that a certain chip has security flaws without knowing anything about the chip, maybe now you should be kind enough to use the databook of the chip provided by Dileep (an Atmel chip well-known to embedded developers) and show how you inject your trojan into it.

Don't give us theories - we need actual proof by implementation.

Remember, I am not saying that EVM is unhackable (all systems are hackable in theory), instead I am saying that it has not yet been proved to be hackable in practice and am asking you for proof-by-implementation to back up your allegations. If you still can't fathom the difference between theory and practice, perhaps next time I go to Rutgers I need to ask some of those professors in CS what exactly are they teaching to their students in the name of higher education.

If you continue to weasel out and play word games despite all the resources provided by Dileep then you will basically prove that you are no better than any of fake preachers, 2-bit netas and con-men who roam our streets. Your only intention then remains to be deceiving common folk by pandering to their vanity, propagating pseudo-science and playing with their emotions to get cheap publicity.

[Dileep]

Rahul, you yourself posted:

Rahul Mehta
Post subject: Re: Should we discontinue EVMs?
PostPosted: July 29th, 2009, 11:44 am
BRFite
Offline

Joined: November 22nd, 2001, 7:01 am
Posts: 872
Location: Ahmedabad, India --- Bring JurySys in India
Dileep,

The psuedo code for rigged EVM is

//cMyType is some constant in ROM
// nCandidates = number of candidates
Fav_Candidate_Number = (nCandidates + cMyType ) mod 5 +1
nVotes[Fav_Candidate_Number] = TotalVotes*0.80
// Subtract others' votes accordingly.

Now pls send me the code of EVM and Assembly language manual of chip so that I can write exact code.

Please write that code, and shut me up on that point!!

After you write, I am going to ask you to insert that code into a binary, without affecting the size and checksum (the old SDRE 2's complement checksum) and prove your point.

I am asking you to write the code to see how big the binary object is.

[Tanaji]

Rahul demonstrates a fundamental lack of basic mathematical concepts and an understanding of what goes into any significant engineering activity on a medium to large scale. The sad part is that even after people have spent time and effort educating him, he will not or does not want to understand. As I have kept saying before, this is either because he cannot (which I dont think is the case) or he has his own agenda, or rather the person/entity that backs him.

Isnt it quite curious as to how his aims squarely match up with that of a neta?

[Dileep]

Rahul is the paramount of dishonesty. 400% neta onlee.

Good that most of the "commoners" will neither read nor understand his advertisement

[Rahul Mehta]

Nobody claimed that writing such a program in isolation is impossible - what is being claimed as impractical (and rather unproven) is the ability to inject such a code into the MCU, manage to subvert all the integrity checks and run as you have so cooly theorized in the past 10 pages of this thread.

And this only shows that you have not read even one of the post in past 10 pages.

The claim we (or at least I ) are making is : it is possible for someone INSIDE system at top to inject this mod-5 trojan. I did not claim that some Kasab can come and add the code and walk away unnoticeable. The so called checks can be subverted by the people who made the checks and have powers to make exceptions in the name of cost saving, speeding up to meet deadlines and so forth. eg order of some 100,000 EVMs was given to BEL in Oct-2008, and these EVMs were needed before Feb-2009 or latest by Mar-2009. Hence, it is possible that BEL can relax the checks.

My point is : if process and the power point slide of the process is all you have to create "faith", you are only throwing process buzzwords and nothing more.

---

And since you seem to be bold enough to claim that a certain chip has security flaws without knowing anything about the chip, maybe now you should be kind enough to use the databook of the chip provided by Dileep (an Atmel chip well-known to embedded developers) and show how you inject your trojan into it.

Errr... as you are mixing up. The "trojan in microcode" is different from "trojan in ROM". In "trojan in ROM", the code in ROM itself calculates FavCandidateNo = (n + k) mod 5 +1 and adds votes. Now here only compromise needed with chip is that when hash is asked to give hash, it should provide the hash given at the time of input and not the correct one. So the chip manufacturer will have to provide 2-3 instructions that are unpublished.

1. One instruction is to burn ROM without hashcode (usual)
2. Burn ROM with hashcode=X (confidential)

If ROM is burnt using (2), then processor is asked to give hashcode, it would give hashcode X no matter what is the hashcode of the ROM contents. So now the rigged binary goes into ROM, but the hash code is of actual unrigged binary.

--

Now if your claim is

1. RM can make such processor in next 14 days
2. Hence Japanese cant such processes with 6 months of planning

you are welcome to publish your claims.

---

(I have removed insults and general philosophical statements, and answered only the tech part)

[Tanaji]

About his ad:

A masterpiece of propoganda if there was one. Notice how he prominently displays his qualifications right at the top that sets the tone for the ad. It is an attempt to convince people of his technical qualifications on the matter, and the bit about "convener... etc" is to portray himself as an activist, which I believe is the current fashion these days since NGOs are so passe. (Its another matter that Rahul Mehta's technical expertise has been laid bare on this thread for all to see...)

The next 3 steps describe the method, and manage to subtly confuse or obfuscate the reader. Its another matter that his "method" has been shown to be impracticable, and he does not address how it remains undetectable (notice how he convinces it is undetectable by introducing "ROM", and ignoring the little matter of hashes and checksums)

Then follows his brilliant statement "I have proved that EVMs are unriggable", when he has proved really nothing. The sad part is that most people whose average attention span is 20 seconds will readily believe the statement. Then follows his standard Rs. 3 talati stuff....

Given the cynicism of the average Indian and his lack of knowledge to understand how Rahul's theories violate mathematical, physical and practical laws, is it any wonder that people will believe him?

Rahul is 400% fulfilling the agenda of his backer.

[Dileep]

The claim we (or at least I ) are making is : it is possible for someone INSIDE system at top to inject this mod-5 trojan.

I challenged you to prove it, and you weaseled out. Till this point in time, you have made no mention on how. Repeating 1000 times "it can be" is not going to fly.

PROVE that it can be or DROP that argument

I did not claim that some Kasab can come and add the code and walk away unnoticeable.

What exactly is your claim then? Please explain HOW it is going to be done.

The so called checks can be subverted by the people who made the checks and have powers to make exceptions in the name of cost saving, speeding up to meet deadlines and so forth. eg order of some 100,000 EVMs was given to BEL in Oct-2008, and these EVMs were needed before Feb-2009 or latest by Mar-2009. Hence, it is possible that BEL can relax the checks.

No weaseling!!

Specify EXACTLY how you propose to do it!!

My point is : if process and the power point slide of the process is all you have to create "faith", you are only throwing process buzzwords and nothing more.

I gave you exacting steps of a process. You either show how you will subvert it, or agree that you can't.

If you can do neither, please stop posting. No one will miss you.

Errr... as you are mixing up. The "trojan in microcode" is different from "trojan in ROM". In "trojan in ROM", the code in ROM itself calculates FavCandidateNo = (n + k) mod 5 +1 and adds votes. Now here only compromise needed with chip is that when hash is asked to give hash, it should provide the hash given at the time of input and not the correct one.

I have repeatedly proven that this is NOT possible, since the programmer is incrementally checking the hash.

So the chip manufacturer will have to provide 2-3 instructions that are unpublished.

1. One instruction is to burn ROM without hashcode (usual)
2. Burn ROM with hashcode=X (confidential)

Rom programming does not happen by instruction. It is done by hardware signalling.

If ROM is burnt using (2), then processor is asked to give hashcode, it would give hashcode X no matter what is the hashcode of the ROM contents. So now the rigged binary goes into ROM, but the hash code is of actual unrigged binary.

I have repeatedly pointed out that the programmer is verifying the hash after programming each block of bytes. You can't "give" a pre-fixed hash code.

[Dileep]

Rahul, since you seem to be not reading the points:

1. You can't have the microcontroller send a fake hash. During the course of programming, the hash is checked by the programmer (the machine that does the programming, not the human operator) after each block is programmed. If the controller is sending out the faked hash, the programming operation will fail then and here.

2. You haven't yet shown how the system will be subverted to allow programming of a corrupt binary. I am assuming that if you had any trace of cracking it, you would have come with that already. So, this point is conclusively disproven.

Apart from this, you have failed to provide the trojan code that you promised.

In all, you have provided absolutely no argument to back up your claims.

Please stop posting here, and go to the "commoners"

[Rahul Mehta]

Remember, I am not saying that EVM is unhackable (all systems are hackable in theory), instead I am saying that it has not yet been proved to be hackable in practice and am asking you for proof-by-implementation to back up your allegations. ...

Pro-EVM people have so far claimed that there exists no rigged code that would favor one party, and hence no one would waste time in planting a rigged code. Here, I have shown that there does exist a code, that would favor a party with a very good success rate. Even Indirse document used same argument that (not exact words) that "machines come to district before candidate number is assigned and hence pre-programming the machine to favor a particular candidate wont help". If the machine is pre-programmed to favor candidate number = (n + k) mod 5 + 1 , then it will help PartyX as their chief alone knows it and no one else does.

This takes a lot of wind out of the sail of pro-EVM people. They wont admit it here, but in public they will have no choice to admit that machine *can be* pre-programmed to assist Congress.

---

Tahil Mehta: The claim we (or at least I ) are making is : it is possible for someone INSIDE system at top to inject this mod-5 trojan.

Dieelp: I challenged you to prove it, and you weaseled out. Till this point in time, you have made no mention on how. .... PROVE that it can be or DROP that argument

The steps to rig human process will depend on what exact that human process is. It will involve bribing a few guys, and you want keep number as low as possible. For this, I need to know the process steps that BEL's EVM unit follows. Give me the process steps that BEL's EVM unit follows. You are naming some process. I dont want to spend my time on THAT process, unless that is the process BEL's EVM unit is following. So first show me BEL EVM's unit claiming the process-steps they take. And then show me proofs that they actually take those steps. After that, I will suggest how 3-4 persons at top can alter the source code and/or binary of the EVM.

And how many programmers are in EVM team? If I am BEL chief and I want to rig EVM code, the FIRST place I would start with is coding team. EVM does not need 10s of coders - it looks like a simple device. So the team will be about 3-4 coders. How big is this team and what is the reporting structure in this team? Pls provide all this details.

[Rishi]

[Dileep]

Pro-EVM people have so far claimed that there exists no rigged code that would favor one party, and hence no one would waste time in planting a rigged code. Here, I have shown that there does exist a code, that would favor a party with a very good success rate. Even Indirse document used same argument that (not exact words) that "machines come to district before candidate number is assigned and hence pre-programming the machine to favor a particular candidate wont help". If the machine is pre-programmed to favor candidate number = (n + k) mod 5 + 1 , then it will help PartyX as their chief alone knows it and no one else does.

This takes a lot of wind out of the sail of pro-EVM people. They wont admit it here, but in public they will have no choice to admit that machine *can be* pre-programmed to assist Congress.

Don't weasel out from the questions you don't like. First prove how you could get the five trojans into the machine.

You claim "very good success rate", which is humbug. The chain of events, from managing the distribution, to the nCandidates, is all prone to so much of failures, people in the right mind will not even think about it.

Before you even go there, let us resolve this little issue of putting the trojan in, shall we?

The steps to rig human process will depend on what exact that human process is. It will involve bribing a few guys, and you want keep number as low as possible. For this, I need to know the process steps that BEL's EVM unit follows. Give me the process steps that BEL's EVM unit follows. You are naming some process. I dont want to spend my time on THAT process, unless that is the process BEL's EVM unit is following.

Why not spend time on that? It is not a technological activity like coding in assembly. A production process is simple logic, and if there is a vulnerability, you should be able to come out with one pretty fast.

I KNOW that you had been breaking your head on that, and you came out empty handed.

DO NOT weasel out. Prove the vulnerability in THAT process if you can.

Or, take the easy way out. STOP POSTING.

So first show me BEL EVM's unit claiming the process-steps they take. And then show me proofs that they actually take those steps. After that, I will suggest how 3-4 persons at top can alter the source code and/or binary of the EVM.

I gave you a process. You either disprove that, or accept that it is unriggable, and you will accept the process as good if implemented in BEL.

Or take the easy way out. STOP POSTING.

And how many programmers are in EVM team? If I am BEL chief and I want to rig EVM code, the FIRST place I would start with is coding team. EVM does not need 10s of coders - it looks like a simple device. So the team will be about 3-4 coders. How big is this team and what is the reporting structure in this team? Pls provide all this details.

We will discuss this once we resolve the issue of the programming process

You have three choices:

1. Prove that the process I gave is riggable.
2. Admit that it is NOT riggable, and you will accept it as a reliable means of keeping binary integrity
3. The easy way out: STOP POSTING.