Should we discontinue EVMs?

[Dileep]

Rahul, I will grant you one concession.

Please write the trojan code in ANSI C and provide the source file. Since it is ANSI C, take your own assumptions.

The trojan should be in the form of a set of functions. You should specify the "entry function" that should be called from the main program, and should specify WHEN that call happens. We need to ascertain how it is inserted into the execution sequence of the main program.

[Pranav]

1. Prove that the process I gave is riggable.
2. Admit that it is NOT riggable, and you will accept it as a reliable means of keeping binary integrity

Your process is riggable at companies which are writing the code. It is riggable by the QE. It is riggable by the QI, in coordination with the test staff. It is also riggable at the maintenance stage, at companies to which maintenance contracts have been steered. Finally, there is every possibility of rigging at the totalizer stage.

Instead of working with a hypothetical process, let the EC describe its process, and then we can analyze the vulnerabilities.

[Dileep]

Your process is riggable at companies which are writing the code.

We will come to the code writing process after we dispose the current issue

It is riggable by the QE. It is riggable by the QI, in coordination with the test staff.

Stick to the point. How will you rig it within the system? The test staff will be under their own system, and we will go there once we dispose this one off.

It is also riggable at the maintenance stage, at companies to whom maintenance contracts have been steered.

How exactly that will happen?

Finally there is every possibility of rigging at the totalizer stage.

Totalizers are not under the current discussion. We are discussing about the EVMs right now.

Instead of working with a hypothetical process, let the EC describe its process, and then we can analyze the vulnerabilities.

Well, try to analyze, and suggest rigging of a procedure drawn by just one ordinary mortal! We will go to EC and BEL if needed later.

Either show the vulnerability of my process, or accept it as a "good one".

[Pranav]

It is riggable by the QE. It is riggable by the QI, in coordination with the test staff.

Stick to the point. How will you rig it within the system? The test staff will be under their own system, and we will go there once we dispose this one off.

QE introduces compromised binary with hash of the compromised binary. If test staff are not an issue, then QI can do the same thing. If test staff are in the picture, some of them may need to be involved.

It is also riggable at the maintenance stage, at companies to whom maintenance contracts have been steered.

How exactly that will happen?

By replacing one or more chips, or entire PCB.

Instead of working with a hypothetical process, let the EC describe its process, and then we can analyze the vulnerabilities.

Well, try to analyze, and suggest rigging of a procedure drawn by just one ordinary mortal! We will go to EC and BEL if needed later.

Either show the vulnerability of my process, or accept it as a "good one".

It's not worth the effort to analyze hypothetical processes, IMHO.

[Dileep]

QE introduces compromised binary with hash of the compromised binary. If test staff are not an issue, then QI can do the same thing. If test staff are in the picture, some of them may need to be involved.

QE is the entry point, and hence his role will not be considered for this analysis. No one, including the QI can't do nothing because his activities are cross verified by independent people.

The only way security is arrived at in such systems is by having checks, balances and records. As you and RM proven here (by not being able to crack), such a system is unriggable.

By replacing one or more chips, or entire PCB.

Chip replacement is already discounted. Also, the existence of maintenance contract has no credible lead. The only sources of that is the politicsparty website. Bring some credible leads to that before we can have serious discussion on that.

It's not worth the effort to analyze hypothetical processes, IMHO.

Of course it is not worth to you, because you can't prove anything there.

[Pranav]

QE introduces compromised binary with hash of the compromised binary. If test staff are not an issue, then QI can do the same thing. If test staff are in the picture, some of them may need to be involved.

QE is the entry point, and hence his role will not be considered for this analysis. No one, including the QI can't do nothing because his activities are cross verified by independent people.

The only way security is arrived at in such systems is by having checks, balances and records. As you and RM proven here (by not being able to crack), such a system is unriggable.

Let the EC come out with its so-called "checks, balances and records" and we shall see what the gaps are.

By replacing one or more chips, or entire PCB.

Chip replacement is already discounted. Also, the existence of maintenance contract has no credible lead. The only sources of that is the politicsparty website. Bring some credible leads to that before we can have serious discussion on that.

There were reports from the mainstream media posted on this thread, and nobody has denied them. Once you have access to a machine for maintenance, you can replace anything.

It's not worth the effort to analyze hypothetical processes, IMHO.

Of course it is not worth to you, because you can't prove anything there.

Tch, tch ... I am confident that holes can be found in any EVM process that the EC can come out with. On the other hand, paper ballots with real time video multicasting is totally bulletproof.

[Dileep]

Let the EC come out with its so-called "checks, balances and records" and we shall see what the gaps are.

Do you, Pranav, claim that you have a proven method to rig the EVMs, as RM does? Then, you better defeat MY process, because your posture is you will beat ANY process.

Otherwise, agree that, if BEL implements that process, you would approve of that.

There were reports from the mainstream media posted on this thread, and nobody has denied them. Once you have access to a machine for maintenance, you can replace anything.

Rahul Menta's posts don't count as "mainstream media", nor does politicsparty posts. A BJP legislator claimed that, and that claim is reported in the media. There is no other corroboration.

If you have any, please post.

Tch, tch ... I am confident that holes can be found in any EVM process that the EC can come out with. On the other hand, paper ballots with real time video multicasting is totally bulletproof.

You are confident of finding holes with the process that EC comes up with, but can't find one in the one I, a mere nerd engineer, came up with.

Do you mean that I am better than the guys in EC? I am flattered!!

So, both RM and Pranav dropped the ball on that. Anyone else?

[Pranav]

Let the EC come out with its so-called "checks, balances and records" and we shall see what the gaps are.

Do you, Pranav, claim that you have a proven method to rig the EVMs, as RM does? Then, you better defeat MY process, because your posture is you will beat ANY process.

Otherwise, agree that, if BEL implements that process, you would approve of that.

I outlined how rigging could be done - you are trying to argue against it by relying on unspecified verification of QI activities, and unspecified checks, balances and records. Even if you were to spell it out, there would probably be holes in it, and in any case it may have no relevance for what is actually happening.

There were reports from the mainstream media posted on this thread, and nobody has denied them. Once you have access to a machine for maintenance, you can replace anything.

Rahul Menta's posts don't count as "mainstream media", nor does politicsparty posts. A BJP legislator claimed that, and that claim is reported in the media. There is no other corroboration.

If you have any, please post.

A BJP national executive member was quoted in a reputable publication, with no denials so far.

[Pranav]

You are confident of finding holes with the process that EC comes up with, but can't find one in the one I, a mere nerd engineer, came up with.

Do you mean that I am better than the guys in EC? I am flattered!!

So, both RM and Pranav dropped the ball on that. Anyone else?

It is in the interest of the government and the government-appointed EC to have a process that is suited to their goals. So your skill in creating processes is not the issue here.

[Rahul Mehta]

Anyone knows the exact chip number that EVM uses?

Is it of the shelf of custom made?

I want to see how hash code is implemented THAT chip. So that I can explain how manufacture can give planted hash code. Also, anyone has documentation on the cross compiler or cross assembler for this EVM chip? Is the code written in C or written in Assembly? Which specific cross assembler or cross compiler was used? And who made this compiler or assembler? Did the Japanese company provide this compiler or assembler? Because it is often a standard practice that chip manufacture himself provides all the tools needed to write code.

-----

Rahul, I will grant you one concession.

Please write the trojan code in ANSI C and provide the source file. Since it is ANSI C, take your own assumptions.

The trojan should be in the form of a set of functions. You should specify the "entry function" that should be called from the main program, and should specify WHEN that call happens. We need to ascertain how it is inserted into the execution sequence of the main program.

First you asked me to write chips' assembly code, assuming that I would get scared. When I ask for chip's toolkit, cross compiler and reference manual, you realized that your bluff of asking me to write the code for EVM chip has failed. So now comes your "20% Concession", that I may write code in C. So much for concession. I will paste VB6 code in 3-4 days. Now if something can be done in VB6, it can be done in C as well as Assembly. So that will close "is modulo-5 trojan" possible.

1. It will be just one function called Sub Trojan

2. it will be called when PO presses OffButton

3. The Trojan will check the Time for which EVM has been ON. If less than 7 hours, then no action, exit

4. The Trojan will check of nVotes. If nVotes <=200 then no action, exit (it can be mock poll)

5. If OnTime > 7 hours and nVotes >=200 then reduce 80% from all those who have above 10 votes, and add them to FavCandidate = (n + k) mod 5 + 1

6. Use some static variable to ensure that it is called only once

Now in the main files, I need to add these function and a line in called "call Trojan" in the OnOffButtonPress() function to call this function. Will give you code in 3-4 days.

---------

About rigging the human process,

If some at top wants to rig a human process, he will need to use bribe, blackmail and also exploit his anti-India or anti-democracy prejudice. This things are not technical issues that can be described like a pseudo-code. And here more important thing is reporting structure, not their job description. And rigging a human human process is a human action

So to answer the question "how BEL chief can get modulo-k trojans in ROM" , I need all inside information in BEL, who have what weak points. This rigging human process is not a technical issue. If you have all this information, I can show you how BEL chief could have (not that he did, he could have) planted modulo-5 trojans.

[Rahul Mehta]

So, both RM and Pranav dropped the ball on that. Anyone else?

So are you the player of referee? Or both? In that case, the debate is also fixed like EVMs.

As far as I go, I consider only the us commons as referee. In case you might have noticed, in the ad I mentioned that my I demand a GO by which citizens can register NO on any clause in any law in India for Rs 3 fee. I am NOT asking ECI or PM to obey me and drop EVM, I only want a mechanism to register voice of us commons. Once that happens, I will ask commons to register NO on Sec-61A of PRA, and thus create an objectively well defined proof that commons finds paper more dependable than EVMs. In addition, I would get deposit raised to 3 times per capita M3 or some such ratio using commons' YESes. I would get camera based booth with stamping machine, but that too using us commons' YESes. And in case commons want nothing of this and want EVMs, I will accept it with grace rather than throw mud on you guys with frustration (which what you do). IOW, I want us commons to steer the cart; I am merely a coolie pushing it.

So I would wait for commons to decide who should drop the ball.

But then IYO, we commons are all morons. So how can you possibly accept us commons as referee on this paper vs EVM issue or any issue for that matter? Right? So no wonder, you the referee as well.

[Raja Bose]

IOW, I want us commons to steer the cart; I am merely a coolie pushing it.

Yet there is no steering wheel and the so-called coolie decides where the cart's destination is while the commons get taken for a ride . Need I say more....

Anyone knows the exact chip number that EVM uses?
Is it of the shelf of custom made?
I want to see how hash code is implemented THAT chip. So that I can explain how manufacture can give planted hash code. Also, anyone has documentation on the cross compiler or cross assembler for this EVM chip? Is the code written in C or written in Assembly? Which specific cross assembler or cross compiler was used? And who made this compiler or assembler? Did the Japanese company provide this compiler or assembler? Because it is often a standard practice that chip manufacture himself provides all the tools needed to write code.

BTW, just got back from the Black Hat in Las Vegas - probably one of the first times B-R has been read by some of that uneducated crowd . Showed some of the folks (incld. one who received an award this year) this thread (last few pages or so) during one of the breaks and on request, passed on the contents via e-mail to a few. The almost universal response back has been "Why is this guy wimping out from doing the hack when he is being called out?". Mind you, just like me none of them said that EVMs are unhackable (in theory all systems are) but till you do it in practice, whatever you theorize is not worth anything and is mere conjecture. Everyone agreed that proving the hack in practice is the first step and there are plenty of hacks which even when proved possible are not feasible. However, for you though, first tackle the practical proof-by-implementation step,...we will worry about the feasibility part later based on what we learn from your first step.

And BTW, as one of them pointed out, hardware hacks are not always done on the actual system (unless it is a commercially available one) but are done on similarly constructed systems without even using the original BOM, so all this posturing over needing the real EVM and without which nothing can be done, is frankly a case of BS. This method is undertaken day-in day-out by security consultants when the target system is of restricted access or limited availability - in such a case if nobody gets a crack at the real thing first they instead work on similar hardware (built based on available information) to implement tactics (multiple), collect stimulus-responses etc. and then probes the actual target and repeats this process iteratively.

First you asked me to write chips' assembly code, assuming that I would get scared. When I ask for chip's toolkit, cross compiler and reference manual, you realized that your bluff of asking me to write the code for EVM chip has failed. So now comes your "20% Concession", that I may write code in C. So much for concession. I will paste VB6 code in 3-4 days. Now if something can be done in VB6, it can be done in C as well as Assembly. So that will close "is modulo-5 trojan" possible.

You do realize that Dileep is actually throwing you a lifeline and doing you a favour because he (and so am I) are convinced of your technical competence or rather the lack thereof. Once again, the ability to write a program which adds and does modulo is not in question. What is in question is the process to inject, hide and run it as you so blithely describe - you writing a VB6 program proves absolutely nothing because no MCU runs VB6 and even if it did, it still doesn't prove how you will inject, hide and execute it in practice. Hence, no it does not close the "is modulo-5 trojan possible" question.

And last but not the least, personally I am neither anti-EVM or pro-EVM. In fact, I did not participate in the initial debate on this thread for that very reason. But what I will not stand for, is when people such as yourself twist facts and reduce science to quackery thereby giving other Computer Science people a bad name. There are plenty of such people in Computer Science/Engineering nowadays floating around whose sole accomplishment seems to be spouting jargon and who neither have the intellectual rigor of pure sciences nor the practical skills of engineering. But I guess thats what you get when everybody and their grandmother wants jump on the ITvity bandwagon for the 'prestige'.

[vera_k]

It has been proven that trojans are not possible.

You either defining a trojan as one that is not built in during programming or are discounting the possibility of a trojan that is part of the program file burnt into the microcontroller.

Irrelevant for this discussion. It would be better that way, and plug all holes. It is better to have every piece of securlty that is rationally possible.

OK, so the keylog may have been tampered by a trojan built into the microcontroller since a) the keylog is stored in an EEPROM and b) the EC has not performed the keypress analysis post-election to rule out trojan activation as asked by the Indiresan Committee.

"Having" a checksum doesn't prove anything, but "verifying" the checksum after programming does. Since it is OTP, no one can change it after programming, so traceable verification is sufficient proof.

That by itself is no guarantee without assuring integrity of the tools and processes used to perform the checksum verification. Because compromised tools can be made to report a successful verification.

It is my take that, the programming is a critical step, and care should be taken to ensure that no corruption happens.This can be verified by an audit of BEL and ECIL by the expert committee.

True. Such an audit has not been done though.

[Dileep]

You are confident of finding holes with the process that EC comes up with, but can't find one in the one I, a mere nerd engineer, came up with.

Do you mean that I am better than the guys in EC? I am flattered!!

So, both RM and Pranav dropped the ball on that. Anyone else?

It is in the interest of the government and the government-appointed EC to have a process that is suited to their goals. So your skill in creating processes is not the issue here.

That shows that you agree that it is possible to have a system process that prevents rigging. Your only point is, BEL, being corrupt, will not do it.

Agree?

[Dileep]

Anyone knows the exact chip number that EVM uses?

Is it of the shelf of custom made?

I want to see how hash code is implemented THAT chip. So that I can explain how manufacture can give planted hash code. Also, anyone has documentation on the cross compiler or cross assembler for this EVM chip? Is the code written in C or written in Assembly? Which specific cross assembler or cross compiler was used? And who made this compiler or assembler? Did the Japanese company provide this compiler or assembler? Because it is often a standard practice that chip manufacture himself provides all the tools needed to write code.

No public domain information is available.

But indications point that it is a custom fab. It will be based on a standard core, like ARM, so instruction set and tools will be standard.

Rahul, I will grant you one concession.

Please write the trojan code in ANSI C and provide the source file. Since it is ANSI C, take your own assumptions.

The trojan should be in the form of a set of functions. You should specify the "entry function" that should be called from the main program, and should specify WHEN that call happens. We need to ascertain how it is inserted into the execution sequence of the main program.

First you asked me to write chips' assembly code, assuming that I would get scared. When I ask for chip's toolkit, cross compiler and reference manual, you realized that your bluff of asking me to write the code for EVM chip has failed. So now comes your "20% Concession", that I may write code in C. So much for concession. I will paste VB6 code in 3-4 days. Now if something can be done in VB6, it can be done in C as well as Assembly. So that will close "is modulo-5 trojan" possible.

It was you who bluffed (by demanding to send the chip details, and offering to write code), and I called that bluff. I sent you everything required to write the code.

You couldn't do it.

Now you claim that I am bluffing? I knew you were dishonest, but this is a new low.

I claim that there is NO WAY you could code in assembly language.[/q] in ANY Family of microcontrollers. Do you refute that? Which family of microcontrollers you can code?

VB6 is not a real programming language. I will accept only C

About rigging the human process,

If some at top wants to rig a human process, he will need to use bribe, blackmail and also exploit his anti-India or anti-democracy prejudice. This things are not technical issues that can be described like a pseudo-code. And here more important thing is reporting structure, not their job description. And rigging a human human process is a human action

So to answer the question "how BEL chief can get modulo-k trojans in ROM" , I need all inside information in BEL, who have what weak points. This rigging human process is not a technical issue. If you have all this information, I can show you how BEL chief could have (not that he did, he could have) planted modulo-5 trojans.

So, you DO agree that MY process is not riggable.

[Dileep]

So, both RM and Pranav dropped the ball on that. Anyone else?

So are you the player of referee? Or both? In that case, the debate is also fixed like EVMs.

As far as I go, I consider only the us commons as referee. In case you might have noticed, in the ad I mentioned that my I demand a GO by which citizens can register NO on any clause in any law in India for Rs 3 fee. I am NOT asking ECI or PM to obey me and drop EVM, I only want a mechanism to register voice of us commons. Once that happens, I will ask commons to register NO on Sec-61A of PRA, and thus create an objectively well defined proof that commons finds paper more dependable than EVMs. In addition, I would get deposit raised to 3 times per capita M3 or some such ratio using commons' YESes. I would get camera based booth with stamping machine, but that too using us commons' YESes. And in case commons want nothing of this and want EVMs, I will accept it with grace rather than throw mud on you guys with frustration (which what you do). IOW, I want us commons to steer the cart; I am merely a coolie pushing it.

So I would wait for commons to decide who should drop the ball.

But then IYO, we commons are all morons. So how can you possibly accept us commons as referee on this paper vs EVM issue or any issue for that matter? Right? So no wonder, you the referee as well.

I have no interest in discussing your other pet projects.

My ONLY interest is, people with ulterior motives should not shoot down the EVM based upon false premises.

[Dileep]

Since Rahul Mehta tried a dirty trick on the trojan coding:

He demanded the technical information "so that he can write the code" in his own words.

I have given him every piece of information needed to code his algorithm into an assembly language program. Someone with basic knowledge of assembly programming could use those documents and tools to make a code.

Would anyone refute that?

Rahul Mehta, who has declared crusade on corruption, and is self declared redeemer of the "commoner" doesn't show the minimum decency to accept that he can't do the assembly code. Nothing wrong, or to be ashamed on that. It is a technical skill, and no one expects Rahul to know that.

But he claimed he could. I called his bluff by sending him the information.

Now he showed the real colours of the politician, by claiming that he called MY bluff!!

Shame on you Rahul, and shame on the people who support you, all two of them!

[Dileep]

Rahul promises to give VB6 code in 3-4 days!! That means he couldn't even code in VB. He will have to get it done by someone.

Well, I have no problem with that. But the problem is, I don't know VB, so any VB code will be useless for me. AFAIK, VB can't be used in embedded systems.

I want code in the C language. I want to see how much binary space it would take. Can you please do that Rahul?

[Pranav]

That shows that you agree that it is possible to have a system process that prevents rigging. Your only point is, BEL, being corrupt, will not do it.

Agree?

By involving large numbers of people who are all cross checking and spying on each other, and giving these people access to various advanced verification tools, you can improve reliability to some extent.

But no system implemented by BEL, ECIL will be as reliable as paper balloting with real-time video multicasting. The latter system makes rigging virtually impossible - and even if there is some diabolical conspiracy, the damage is very localized and limited.

[Raja Bose]

I have given him every piece of information needed to code his algorithm into an assembly language program. Someone with basic knowledge of assembly programming could use those documents and tools to make a code.

The Black Hat folks were also wondering why there was no code after the links provided to the datasheet and tools.

[Dileep]

That shows that you agree that it is possible to have a system process that prevents rigging. Your only point is, BEL, being corrupt, will not do it.

Agree?

By involving large numbers of people who are all cross checking and spying on each other, and giving these people access to various advanced verification tools, you can improve reliability to some extent.

I gave you the exact number of people, and exact nature of the verification system. Now, Would that be reliable?

But no system implemented by BEL, ECIL will be as reliable as paper balloting with real-time video multicasting. The latter system makes rigging virtually impossible - and even if there is some diabolical conspiracy, the damage is very localized and limited.

Answer the point please.

[Dileep]

I have given him every piece of information needed to code his algorithm into an assembly language program. Someone with basic knowledge of assembly programming could use those documents and tools to make a code.

The Black Hat folks were also wondering why there was no code after the links provided to the datasheet and tools.

Oh, all of them are CIA agents of course. How else they will respond?

[Rahul Mehta]

See this link to an ATMEL device that offers OTP ROM. The technical details of programming and verification is given in the datasheet.

Yes, there is a security bit to prevent reading. If that is 'set' you can no longer read the full content. But the hash can still be read to verify the integrity of the program.

I opened this PDF ans searched on hash.

There is not a single instance of word "hash". Pls tell me, which page number shows how to read hash after chip is on PCB.

---

Raja Bose,

Pro-EVM till date have claimed that EVMs with pre-programmed bias (at factory) to add votes to a serial number will not help any party, and so no party will waste their time in making it favor a serial number. This is a claim they have made for over 20 years. I have proved them dead wrong on this specific claim. I have shown how EVMs with factory built bias can favor Congress.

----

Pro-EVM people,

1. I will provide biased code in VB6 in which the PC your PC will be EVM. If something can be done in VB6, it can be done in C. VB6 is not more powerful than C. I have coded in 8051, 8057 (?), 8086/8088 assembly, and last I did was 1994. Coding in 100-1000 assembly languages that exists in world is not useful for EVM vs paper debate. So now if you can get me THE chip that EVM uses, I am willing to put time in writing a assembly code with modulo-5 bias for that chip. And if you get me the source code of EVM, I can show how this function with modulo-5 bias can be integrated with EVM code.

2. Now comes question of planting the biased code (aka Trojan) in ROM, something we need to do in BEL. For this, pls give me information on NUMBER of people in BEL's coding team, number of people at each step from coding to burning ROM. I dont to write rigging method for 10 different processes that exist in world. I want to confine to processes BEL's EVM unit uses.

3. And finally, we have fool the hash. So pls explain in detail on how the hash can be read from chip on PCB after it has been soldered on the PCB. If possible, pls discuss the EVM chip only. Otherwise show me any other chip with page number of manual. AFAIT, the manufacture can make a chip that would allow user to plant a fake hash and then spit out same planted fake hash when asked. I will give details after you explain how hash is read.

---

AFAIT, you guys have NO clue on what chip EVM uses, what process steps BEL's EVM unit takes, what is the reporting structure inside BEL's EVM unit. And you are claiming each to be robust. This is bhakti and nothing more.

[Pranav]

I gave you the exact number of people, and exact nature of the verification system. Now, Would that be reliable?

You said something about a hypothetical verification system, and even in that hypothetical system there are gaps, as I have mentioned earlier.

I don't have much interest in studying hypothetical systems created by you - once there is any real information, that can be analyzed.

[niran]

I don't have much interest in studying hypothetical systems created by you - once there is any real information, that can be analyzed.

That is classic digital downhill skiing.

[Dileep]

I opened this PDF ans searched on hash.

There is not a single instance of word "hash". Pls tell me, which page number shows how to read hash after chip is on PCB.

See section 9.3.

Pro-EVM till date have claimed that EVMs with pre-programmed bias (at factory) to add votes to a serial number will not help any party, and so no party will waste their time in making it favor a serial number. This is a claim they have made for over 20 years. I have proved them dead wrong on this specific claim. I have shown how EVMs with factory built bias can favor Congress.

And I have proved how unreliable it is, but you have consistently ignored those arguments.

1. I will provide biased code in VB6 in which the PC your PC will be EVM. If something can be done in VB6, it can be done in C. VB6 is not more powerful than C. I have coded in 8051, 8057 (?), 8086/8088 assembly, and last I did was 1994. Coding in 100-1000 assembly languages that exists in world is not useful for EVM vs paper debate. So now if you can get me THE chip that EVM uses, I am willing to put time in writing a assembly code with modulo-5 bias for that chip. And if you get me the source code of EVM, I can show how this function with modulo-5 bias can be integrated with EVM code.

Well, I am not competent to comment on the highlighted part, as I have no knowledge of VB.
I don't care what you did or do. If you wish to prove that a trojan is feasible, you need to produce a binary.

2. Now comes question of planting the biased code (aka Trojan) in ROM, something we need to do in BEL. For this, pls give me information on NUMBER of people in BEL's coding team, number of people at each step from coding to burning ROM. I dont to write rigging method for 10 different processes that exist in world. I want to confine to processes BEL's EVM unit uses.

The debate is whether it is possible to insert the trojan into the process that has reasonable safeguards.

You have never claimed that the process I made is unreasonable, or unviable. It is something that any company would do.

The fact is that you are not able to drill any holes in it.

If you are not coming up with a vulnerability with that process, you lost your argument.

3. And finally, we have fool the hash. So pls explain in detail on how the hash can be read from chip on PCB after it has been soldered on the PCB. If possible, pls discuss the EVM chip only. Otherwise show me any other chip with page number of manual. AFAIT, the manufacture can make a chip that would allow user to plant a fake hash and then spit out same planted fake hash when asked. I will give details after you explain how hash is read.

See section 9.3 of the Atmel chip.

Do you agree to take te ATMEL chip as reference? I need explicit confirmation because you will try to weasel out later.

AFAIT, you guys have NO clue on what chip EVM uses, what process steps BEL's EVM unit takes, what is the reporting structure inside BEL's EVM unit. And you are claiming each to be robust. This is bhakti and nothing more.

And you have no clue either on the same subjects, and you gladly claim it is riggable. That is ulterior motive, and nothing more.

[Dileep]

We will never know which chip BEL uses or which system they follow to protect the code.

You claim it is riggable. I claim it is not.

The only way to debate is on a representative system that is rational and viable for BEL to do. That is why I suggested the ATMEL chip, and the process system I posted.

Answer this question: Do you argue that either choice is irrational or unviable for BEL to make? If so, give me the reasons please.

[Dileep]

Rahul, is your trojan use once only? ie, does it gets activated only once, and then the normal function of the EVM is made for the rest of the life of the EVM?

That is what you mentioned in your original post. Do you confirm that?

[Rahul Mehta]

Btw, trojan in my case is "doctored code" put at factory, not some trojan which comes from outside without manufacturer's or user's permission. The word trojan is mostly used for something that enters without permission, which is not the case here. So hence forth, I will use the words "doctored code" or "EVM with pre-programmed pro-Congress bias".

Pro-EVM till date have claimed that EVMs with pre-programmed bias (at factory) to add votes to a serial number will not help any party, and so no party will waste their time in making it favor a serial number. This is a claim they have made for over 20 years. I have proved them dead wrong on this specific claim. I have shown how EVMs with factory built bias can favor Congress.

And I have proved how unreliable it is, but you have consistently ignored those arguments.

You are only trying to prove that putting doctored code in EVM is impossible by citing process steps. If BEL chiefs manage to put 5 doctored code in EVMs which favor candidate number ((n + k) mod 5 + 1) then using it is trivially easy for UPA to add 150 seats. All EC needs to do is to ensure that one constituency has only one type of rigged EVM, which can be done by ensuring that all 20000 EVMs in first shipment are of type-1, second shipment are of type-2 and so so forth.

Now say a seat has EVMs of type-3. So its fav candidate will be ((n + 3) mod 5 + 1)And Congress candidate has no. 2. So candidate needs to ensure than nCandidates are 3, 8, 13 ..., 63. This can be done by putting 4 dummies and putting at the end of withdrawal line. The details are described in http://rahulmehta.com/evm1.pdf . eg say they send EVMs to 400 seats they are sure to lose. Even if they succeed in ensureing candidate number in 80% of seats, they get 60000 extra votes in each seats. So the tally goes up 100-120 for UPA.

-----

Rahul, is your trojan use once only? ie, does it gets activated only once, and then the normal function of the EVM is made for the rest of the life of the EVM? That is what you mentioned in your original post. Do you confirm that?

The rigged chip would need one bit which is 1 when manufactured and can be made 0 using some undocumented instruction. So the trojan would make that bit 0 after it does its job. And if that bit is 0, trojan will exit without job. Or it is some bit which is 1 when manufactured and becomes automatically 0 after 8 months (discharge). So chip was manufactured in Oct-2008, and till May-200 that but was 1. Now it is 0 and so doctored code will not act honestly. I am assuming that chip manufacturer of Japan did whatever changes Sonia had asked, unless a tech barrier prevents it. So if such 1 bit can be put by existing tech, it is doable. Otherwise, I need to think of some other way to make it work "once only".

Will answer process related Q later. I have to run to a 5 pm meeting on EVMs.

[Dileep]

Btw, trojan in my case is "doctored code" put at factory, not some trojan which comes from outside without manufacturer's or user's permission. The word trojan is mostly used for something that enters without permission, which is not the case here. So hence forth, I will use the words "doctored code" or "EVM with pre-programmed pro-Congress bias".

It doesn't matter what you call, your whole scheme is unviable.

You are only trying to prove that putting doctored code in EVM is impossible by citing process steps. If BEL chiefs manage to put 5 doctored code in EVMs which favor candidate number ((n + k) mod 5 + 1) then using it is trivially easy for UPA to add 150 seats. All EC needs to do is to ensure that one constituency has only one type of rigged EVM, which can be done by ensuring that all 20000 EVMs in first shipment are of type-1, second shipment are of type-2 and so so forth.

Now say a seat has EVMs of type-3. So its fav candidate will be ((n + 3) mod 5 + 1)And Congress candidate has no. 2. So candidate needs to ensure than nCandidates are 3, 8, 13 ..., 63. This can be done by putting 4 dummies and putting at the end of withdrawal line. The details are described in http://rahulmehta.com/evm1.pdf . eg say they send EVMs to 400 seats they are sure to lose. Even if they succeed in ensureing candidate number in 80% of seats, they get 60000 extra votes in each seats. So the tally goes up 100-120 for UPA.

Same the same things that was refued many times won't help your point.

Rahul, is your trojan use once only? ie, does it gets activated only once, and then the normal function of the EVM is made for the rest of the life of the EVM? That is what you mentioned in your original post. Do you confirm that?

The rigged chip would need one bit which is 1 when manufactured and can be made 0 using some undocumented instruction. So the trojan would make that bit 0 after it does its job. And if that bit is 0, trojan will exit without job. Or it is some bit which is 1 when manufactured and becomes automatically 0 after 8 months (discharge). So chip was manufactured in Oct-2008, and till May-200 that but was 1. Now it is 0 and so doctored code will not act honestly. I am assuming that chip manufacturer of Japan did whatever changes Sonia had asked, unless a tech barrier prevents it. So if such 1 bit can be put by existing tech, it is doable. Otherwise, I need to think of some other way to make it work "once only".

A simple YES would have been sufficient.

So, you need a rigged chip, rigged systems at BEL, rigged code, rigged distribution system, and what not, for a single shot at ONE election, and all the machines go back to normal honest mode.

What would poor Sonia do for the next election?

[Muppalla]

Rahul Mehta ji,

http://news.rediff.com/report/2009/aug/ ... ith-ec.htm

Could you be able to take your case where they are inviting a lot of folks to demonstrate how EVMs can be hacked? May be it is a best opportunity for anti-EVM activists.

I totally understand if you have busy schedule etc.

[Tanaji]

http://news.rediff.com/report/2009/aug/ ... ith-ec.htm

Quoting in full:

Election Commission on Saturday invited petitioners before various courts as also political parties to prove if the Electronic Voting Machines can be tampered.

"This is to ensure there is not even a small shade of doubt about the EMS," EC said in a statement.

The Election Commission affirmed that it completely rejects fallibility of EVMs, but yet it decided to go the extra distance by inviting all those expressing reservations about these machines to demonstrate their allegations in its headquarters in New Delhi [ Images ] in the first week of August.

"This will be done in the presence of a technical experts group as well as engineers representing the EVM manufacturers," the Commission said, adding that it expects that "the demonstration would once for all set at rest any misgiving anywhere, in the interest of the country's electoral democracy."

Among those invited include V V Rao and three others who had moved the Supreme Court that directed them to approach the Election Commission, as also those who have petitioned on EVMs' tampering in the High Courts of Mumbai [ Images ], Chennai and Madhya Pradesh [ Images ].

"The issues recently raised by petitioners in the Courts and by some others, broadly allege the possibility of tampering with the machine during the manufacturing process or while operating the machine. It has also been mentioned that some of the western countries have given up using the EVMs," the EC stated.

"The fact is that unlike the machines used by other countries, which are based on operating systems, the software in the EVM chip is one time programmable and is burnt into the chip at the time of manufacture. Nothing can be written on the chip after manufacture. The EVM in India is a fully stand-alone machine without being part of any
network and with no provision for any input," the EC added.

Main opposition Bharatiya Janata Party [ Images ] had earlier asked the EC to ensure that the machines were tamper-proof before putting them to use in the coming assembly polls in Maharashtra and Haryana.

Questioning the functioning of the EVMs, BJP leader L K Advani [ Images ] had suggested re-introduction of ballot papers and his demand was backed by Communist Party of India-Marxist, Anna Dravida Munnetra Kazhagam [ Images ], Rashtriya Janata Dl, Janata Dal-Secular, Pattali Makkal Katchi and Lok Janashakti Party.

CPI-M [ Images ] had said the reports about functioning of EVMs should be considered "very seriously", especially as many countries, including developed ones, have reverted to ballot papers.

With inputs from PTI

Rahul,

Despite being given all the resources, you have yet to provide a single line of code despite saying "the trojan is ready".

Here is another opportunity... if you truly believe yourself, you will go to Delhi and provide your so-called evidence and theories on "modulo 5" EVM hacking. It is an open invitation by EC: write to them and get yourself invited. The EC has already invited everyone who is objecting and that includes various political parties and those who have raised PILs. The technical representatives will also be there.

Either provide the code, go to Delhi or accept that you are just blowing hot air.

Of course I expect you to raise multiple objections on some pretext which would include statements that the invitation is a sham done by the elites and commons arent allowed. Typical neta style cop out.

[Raja Bose]

Rahul Mehta ji,

http://news.rediff.com/report/2009/aug/ ... ith-ec.htm

Could you be able to take your case where they are inviting a lot of folks to demonstrate how EVMs can be hacked? May be it is a best opportunity for anti-EVM activists.

This is an excellent opportunity for people to demonstrate their hacking theories and we can actually see if there are ways to subvert it practically or not (there may well be but it has to be proved in practice).

Now that RM's demand of getting access to EVMs is also fulfilled hence, RM ji d-o-n-t w-e-a-s-e-l o-u-t! If he has the time to write pages long posts on this thread, I am sure he can make the time! Go register yourself and be present at Delhi with your code and attacks and lets see what happens. It would be great if they could televise this event since then it will work out both ways - scam artists will get exposed and people with genuine hacks will be able to show actual vulnerabilities and it would be interesting to learn new things.

[Dileep]

Whaaaattt? Talk to the Corrupt EC, who are going to ignore whatever pearls of wisdom RM is going to give? No. RM trusts only the commoner, remember? Place some commoners in the dias, and then he will present his arguments.

Do you think the 'bought' technical experts will admit that the CEO of the chip fab can walk into their plant, whisper into the ears of the shift supervisor to add a trojan, and get it in? Do you think the 'corrupt to the core' BEL engineers will admit that their CMD came in into their plant and asked them to add the trojan into the code? Do you think that the 'paramount of corruption', the EC, will admit that he gave a list of EVM serial numbers which should go to each district?

No way Jose!! They will never agree!! RM would rather go to the 'commoner' and enlighten them.

[Dileep]

OK, here is the Rube Goldberg machine of Rahul Mehta:

1. Steal the chip design files for the microcontroller from BEL
2. Put a VLSI design team to work, to make five types of 'rigged' chip.
3. Give the five outputs files to the fab, asking them to use these files instead of the original files, one per each lot.
4. Tell the Incoming QC at BEL to ignore the mask ids and date codes.
5. Tell the BEL IQC to ignore the test data discrepancy.
6. Tell the BEL stores to track the types, so that they are kitted in lots.
7. Call a meeting of the entire software team (5-10 people), bribe, intimidate, threaten and blackmail them into putting the five trojans in the code.
8. Call a meeting of the entire team that does the programming of the chips, bribe, intimidate, threaten and blackmail them into ignoring five different hashes.
9. Carefully co-ordinate the issue of chips for programming and the type of binary used.
10. Call a meeting of the entire functional test team, bribe, intimidate, threaten and blackmail them into ignoring five different hashes.
11. Bribe, intimidate, threaten and blackmail the logistics managers and supervisors into managing the serial numbers of the CUs with each type program, and shipping them into different constituencies.

Phew!!! First part is over.

12. Bribe, intimidate, threaten and blackmail the district collector, and his 10 staff into tracking the rigged EVMS, and ensuring their dispatch to the specific constituencies.
13. Monitor the nomination scrutiny and withdrawal process, to make sure the exact candidate number.

[Rahul Mehta]

I don't have much interest in studying hypothetical systems created by you - once there is any real information, that can be analyzed.

That is classic digital downhill skiing.

For 20 years, assorted experts have been claiming that a rigged code in EVM will not benefit any party, and thus indirectly stating that no party will be interested in putting such a rigged code. It took me days to come up with algorithm of how rigged code with some ground action can add 100-150 seats to Congress and UPA. It was not a matter of minutes.

Now Dileep can propose a process (which may not be what BEL is following). Say I spend days and then find holes in it. Next Tanaji will propose a process. Another week in finding holes in that process. Next Raja Bose will propose process. Like that, I will be spending 6 months here.

If pro-EVM people are at serious in claiming that BEL CEO simply cant put the code I described, they should get list of chips, compilers, ROM burners and process BEL's EVM unit follows. Use RTI or whatever you like. For now, we dont even know how many programmers were in BEL's EVM unit. If there are are just 2-4 coders, then BEL CEO only needs to replace these 4 coders with someone who is pro-Congress and/or corrupt and willing to ring EVMs. Now that code is "confidential" and hence no one in QI, QE etc know if the code is set to favor ((n + k) mod 5 +1 ). This is not possible if there are 40 coders each having full view over code (which happens in monolithic coding). So unless all this information is given, I see no point spending time in finding holes in process which may not even exist in BEL to begin with.

-----

I have received email from ECI on Aug-1 inviting me to come on between Aug3 to Aug8. I will post my reply on my website and give a small AD in newspaper with just URL of that reply. I dont have money to paste whole reply. I have attended many such "complain hearings" for citizens problems in municipalities, police etc. I request you all to attend similar such "complain hearing" meetings conducted by police, municipalities and even Central Govt depts (like Income Tax). And you will yourself understand what eye wash they are. The EC has not given ANY details about inside of EVM. What would a complainer go and do? For one, I want to prove that the source in code 10% EVMs is rigged. Do I have randomly selected 100 EVMs? Do I have source code in EVM? Is there any tool to verify that source code given by EC is what is inside chips? NO , NO , NO. So if code cant be read, the only next option is reading hash. Will EC allow anyone to read hash of even 0.1% of randomly chose EVMs? Essentially, EC is calling this meeting to say "we heard all, and we 'proved' that all were wrong". I will post my reply on web, asking EC to post the reply on their website. Lets see where it goes from there.

[Rahul Mehta]

OK, here is the Rube Goldberg machine of Rahul Mehta:

1. Steal the chip design files for the microcontroller from BEL
2. Put a VLSI design team to work, to make five types of 'rigged' chip.
3. Give the five outputs files to the fab, asking them to use these files instead of the original files, one per each lot.
4. Tell the Incoming QC at BEL to ignore the mask ids and date codes.
5. Tell the BEL IQC to ignore the test data discrepancy.
6. Tell the BEL stores to track the types, so that they are kitted in lots.
7. Call a meeting of the entire software team (5-10 people), bribe, intimidate, threaten and blackmail them into putting the five trojans in the code.
8. Call a meeting of the entire team that does the programming of the chips, bribe, intimidate, threaten and blackmail them into ignoring five different hashes.
9. Carefully co-ordinate the issue of chips for programming and the type of binary used.
10. Call a meeting of the entire functional test team, bribe, intimidate, threaten and blackmail them into ignoring five different hashes.
11. Bribe, intimidate, threaten and blackmail the logistics managers and supervisors into managing the serial numbers of the CUs with each type program, and shipping them into different constituencies.

Phew!!! First part is over.

12. Bribe, intimidate, threaten and blackmail the district collector, and his 10 staff into tracking the rigged EVMS, and ensuring their dispatch to the specific constituencies.
13. Monitor the nomination scrutiny and withdrawal process, to make sure the exact candidate number.

Whole bunch of lies.

The possible rigging scheme is explained in http://rahulmehta.com/evm.htm

I am indeed assuming that Japanese chip was rigged. But above steps Dileep claims on my behalf are not in the possible plan I proposed, as we dont know what process BEL actually follows from coding to chip receiving to EVM box. Once I get details on process steps BEL follows and number of people at each point I will try to show how using mere 3-4 people code can be changed and new code can be inserted instead of original one. For that matter, no one even knows if ROM was burned inside BEL. It is possible that due to very tight schedule, BEL asked Japanese to burn the ROM and when chip came, the engineer just verified the hash and nothing else. So if chip was rigged to give a planted hash instead of real one, the engineer would never know that code is not what they sent. Unless we know exact steps BEL took, I dont want to spend time in "how BEL Chiefs can put wrong code in EVM".

----

Dileep,

I read section 9.3 of the data book you posted. It says how "verification" done at the time of burning ROM. My question is : say ROM burning is over and now chip is on EVM. Now how I read hash? And does the chip in EVM support hash reading? Do you know which Japanese company makes the chip? And how do you know it is Japanese and not American, or it is some company in Japan owned by American MNCs?

And from what I read, it looks that way to read "verification bytes" is by giving some control signals. If thats the case, Japanese company *can* make chip which would give wrong verification bytes from the planted hash. There is no technological barrier. So how do you know that chips in EVMs were not rigged to give the wrong hash? Have you scanned the chip and verified it? Or, is there any way one reverse engineer the chip at gate level and say that chip is reporting wrong hash and not the right one AFTER ROM has been burned.

Essentially, you are saying that we should put faith in a Japanese company whose name is not disclosed and whose ownership is not disclosed. How do you know that that Japanese company is not owned by Sonia?

[Raja Bose]

Now Dileep can propose a process (which may not be what BEL is following). Say I spend days and then find holes in it. Next Tanaji will propose a process. Another week in finding holes in that process. Next Raja Bose will propose process. Like that, I will be spending 6 months here.

Well according to you, it seems you would rather spend time spouting tall claims without proof than spend an iota of effort to back up your claims - what more can one expect from someone whose bluff's been called and he turns out to be n00k-n00d! This is soooooo neta-like behaviour that it's not even funny!

If pro-EVM people are at serious in claiming that BEL CEO simply cant put the code I described, they should get list of chips, compilers, ROM burners and process BEL's EVM unit follows. Use RTI or whatever you like. For now, we dont even know how many programmers were in BEL's EVM unit. If there are are just 2-4 coders, then BEL CEO only needs to replace these 4 coders with someone who is pro-Congress and/or corrupt and willing to ring EVMs. Now that code is "confidential" and hence no one in QI, QE etc know if the code is set to favor ((n + k) mod 5 +1 ). This is not possible if there are 40 coders each having full view over code (which happens in monolithic coding).

Why don't you go to the EC meeting and say the above. I know you dont have a trojan or anything and have been merely bluffing but atleast lets see you have the guts to go and confront the EC instead of hiding behind anonymous advertisements and cheap publicity.

So unless all this information is given, I see no point spending time in finding holes in process which may not even exist in BEL to begin with.

Ofcourse, lack of such information doesn't seem to prevent you from claiming that you have hacked the EVM and found holes. You seem to love to spend time in the limelight claiming you have hacked a system which you know nothing about and parroting your unproven theories. I doubt even the world's best hackers will be able to emulate this great feat ever (till the Klingons invade ofcourse)!

-----

I have received email from ECI on Aug-1 inviting me to come on between Aug3 to Aug8. I will post my reply on my website and give a small AD in newspaper with just URL of that reply. I dont have money to paste whole reply. I have attended many such "complain hearings" for citizens problems in municipalities, police etc. I request you all to attend similar such "complain hearing" meetings conducted by police, municipalities and even Central Govt depts (like Income Tax). And you will yourself understand what eye wash they are. The EC has not given ANY details about inside of EVM. What would a complainer go and do? For one, I want to prove that the source in code 10% EVMs is rigged. Do I have randomly selected 100 EVMs? Do I have source code in EVM? Is there any tool to verify that source code given by EC is what is inside chips? NO , NO , NO.
....blah blah blah....
I will post my reply on web, asking EC to post the reply on their website. Lets see where it goes from there.

Ho hum....as expected RM weasles out. He wants the EC to treat him like royalty before he condescends to prove his tall theories.

RM ji, Did you read my post where I mentioned some of the responses from hackers/security consultants in last week's BlackHat conference, that you don't need the exact target hardware or BOM to create a set of possible hacks and test them in practice. But I guess they are all CIA spies so they were probably all lying thru their teeth.

Ofcourse one must also take note that the lack of all the aforementioned information that he claims he necessarily requires for his proof, does not prevent him from claiming that all his theories are true! Surely a red letter day in the annals of Mathematics, Computer Science theory and science in general when one can prove a theorem/statement without a proof (is that case I guess one cannot call a proof a proof )!!!

And last but not the least, he doesn't even have plans to do some plain talking to the EC in person even when he has been personally invited - he'd rather hide behind websites and advertisements and play with the "commons" emotion.

[Raja Bose]

...
...
...
Essentially, you are saying that we should put faith in a Japanese company whose name is not disclosed and whose ownership is not disclosed. How do you know that that Japanese company is not owned by Sonia?

OK let me humour you for once on the really crazy "heavens are falling" post you made above (seriously, what are you smoking?). In the same vein, how are you so sure that the cameras that will be used in your paper ballot solution are not rigged since I am sure Sonia owns the camera company who have doctored their CCD sensors and associated control circuitry at the gate level - there is no technical barrier there also, as you so breezily put it! After all, the main components of all these cameras are made en-masse by a handful of chinese/taiwanese/korean manufacturers, all of which are naturally either owned or subverted by India's enemies or their stooges (USA, China, Saudis) and India does not manufacture any of these digital cameras indig.

[Dileep]

Rahul Mehta, your 15 minutes are up!!

You have not provided the code. You have not provided even an indication of how the five different versions will be put into the EVMs.

You are hiding behind vague statements that "the top 10 guys can".

It is time to DELIVER. Please provide the code, and explain how exactly the code will be put into the EVMs, in a standard manufacturing environment, without the information leaking out.

OR, go to your commons.