Yikes! Diebold and the Microsoft flaw, enabling remote control...

This topic is archived.

BevHarris Donating Member (1000+ posts) Thu Jul-17-03 04:12 PM
Original message
Yikes! Diebold and the Microsoft flaw, enabling remote control...
Okay, I probably shouldn’t post this, because I don’t have any of the programmers to consult with right now, and that usually gets me in trouble. BTW, we’ve moved up the ladder enough now that reputable media sources are providing code-checkers to verify our findings, and we’re in that process now. But, my procedure has always been to release information as I get it, as that makes me feel safer. (Go ahead, naysayers, laugh…)

So here goes, with the caveats that it hasn’t been independently verified yet:

Three files:
1) Show that Diebold wrote code that opened the Microsoft hole and
2) May have exploited the hole

Microsoft just released a report of the “worst ever” security flaw, which they say was uncovered by four Polish programmers. According to the group that discovered it: “Throughout its exploitation, any user can gain complete control over a vulnerable system by the means of a remote attack.“

Here are the specifics with Diebold, just so we’re not the only people who know:

All touch screens at the precincts, and the central count computer at the county, include a file called atl.dll. This atl.dll file includes three RPC (remote process call) interface files. The Microsoft hole is an exploit of the RPC interface.

The atl.dll file is built by a makefile called atlps.mak, the subject of a DU thread launched by me last Sunday night, wherein we asked for translation of a Czech description of identical code found on a web site. I was assured it had no meaning, but the whole deal was a little unusual:

The Czech commentary was removed every time we posted it. Translations were also removed. One DUer said he was emailing his friends in Poland with a request to look at it. Our input from hackers (who saw additional files along with the makefile) said “this is bad, this is bad!” Our initial take on this file, plus its corollary files, was that it was built to create a .dll file that enabled remote control of the voting machines. We specifically identified the three RPC (Remote Procedure Call) libraries as areas of interest, in context of the other things we were seeing.

One reply ridiculed the entire idea, saying it was irrelevant and that (in a later thread) the concern about this makefile proved we were unqualified to evaluate anything.

But here’s the thing: That makefile built the RPC interfaces, now identified by Microsoft as a critical security flaw enabling remote access attacks, into the voting program. This atl.dll file appears repeatedly in the compiled programs for both touch screens at the precinct and central count computer at the county.

We were told we needed the source code to evaluate what we were looking at. Well, we found it. The C++ source code for the atl.dll file is located in a file called atl.cpp.

Note that this was not built by Microsoft, but was created specifically by Diebold.

Yes, Diebold created files that appear to open a back door allowing remote control of the touch screens and county computers.

Is there any source code which may exploit the back door? These are preliminary findings, but a file called WCEATL.CPP must be looked at very carefully (and has been shipped to code-checkers with the media), to see why it invokes an invisible window with a mouse double-click, and why it appears to be writing persistent strings to the host. This does not appear to be just passing files, but seems to be writing information directly into the computer, enabled by remote access.

Legitimate reasons to write data to another computer:

1. According to user manuals, there is a download of ballots from county HOST computer to a touch screen, and it writes ballots to a PCMCIA card, and many copies of the card are made then. However, the configuration of the strings does not seem to match ballots.

2. Upload of vote data from touch screen to the county HOST computer after polls close. However, the strings don't appear long enough to accomplish this.

3. Another (more risky) function is that the county HOST computer transfers data to an Internet server for election night results, which is used by the media. I did not yet ask if these strings might be passing report data to the web page.

“Microsoft said the vulnerability could allow hackers to seize control of a victim's Windows computer over the Internet…The flaw, discovered by researchers in western Poland, also affected Windows versions popular among home users.”

"This is one of the worst Windows vulnerabilities ever," said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., whose researchers discovered similarly dangerous flaws in at least three earlier versions of Windows.”

“..Maiffret said that inside vulnerable corporations, "until they have this patch installed, it will be Swiss cheese -- anybody can walk in and out of their servers."

================

Now, I have no idea whether the remote access we’re seeing built in are related to the Czech web site and the build file, and I’m sure I’ll get slapped around for this one, hope I’m not offending DU, probably I’m being ignorant to wonder about this in relation to the Microsoft flaw just discovered, but I just reread these snippets:

http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=104&topic_id=38507&mesg_id=38507&page=

Post from Bev Harris: "The following information, which refers to setting up remote control functions, was found at the Diebold voting machine ftp site in source code...We found the identical code (except for one word) on a Czech web site, http://www.eternal.cz/article.php?nID=280 , and it seems to have an explanation for what this code string does...Can anyone translate the following, or explain your theory as to why it is in voting machines?”
EDITED BY ADMIN

---------------------
“From Eloriel: "I'm not even sure if this is the whole thing. From this site: http://translation.langenberg.com/ which I found by googling Translate Czech -- here's the google page if anyone else wants to try http://search.earthlink.net/search?site=earthlink-ws&q=Translate+Czech
EDITED BY ADMIN

---------------------
From MrSteve: “The second part text
“It's nothing cryptic or odd - just a set of directions to build an executable program from source code. All the Czech language stuff, though, is gonna be hard to translate without a Czech enabled tech person involved.”
EDITED BY ADMIN

---------------------
from Bev Harris:
“Ah, but perhaps you missed this: why are they using Active X remote control functions in voting machines at all?
“rpc = Remote Procedure Control”

---------------------
From MrSteve: “Assume you're talking about the rpc*.lib files? Good point - these library files do various things when linked into the program (per the MSDN library) - I'm looking them up individually right now.”

---------------------
From MrSteve:
“rpcndr.lib - used for general internal thread and COM control, including TAPI (phone call origination and answering), internal windows programming features, etc.
“Rpcns4.lib - again, general purpose windows plumbing, except where it's used to build and register a proxy dll
“Rpcrt4.lib - used for creating COM objects (again, with proxy DLL possibilities)
“Basically, they are all used for creating common windows internal constructs, although the proxy business and the TAPI use could be suspect. Plus, ActiveX and COM objects have proven to be exploitable by external attack, especially if they are not constructed in a secure manner, or if they are compromised purposely by the original authors in a trojan horse style COM component upgrade after the system is initially installed and approved.”

---------------------
From Bev Harris:
“… The hacker community is much more disturbed by this code snippet than others --
“they are saying "this is bad, this is bad." I'm getting these cryptic phone calls by all-nighters who do nothing but hack into computers. I consider them to be the flip side of academics like Dr. David Dill, and equally valuable. And yes, it is also being perused by the academics. As a non-computer person, I'm amazed that the same code gets such different interpretations by different people. It seems of very high value to get as many interpretations as possible.”

---------------------
From: MrSteve
“Also, the use of the proxy dll is telegraphed by the command to the C compiler in the 7th line: /DREGISTER_PROXY_DLL”

---------------------
From: alfredo
Got a friend in Poland who has contacts with the Czech hacker community. I will contact him today to see if he can help. Czech hackers are among the best from what he says.”

(I don’t know, of course whether alfredo contacted his Polish friends, or if they have any contact with the Polish group that discovered the flaw. I'm pretty sure I’m going to have it explained to me that the Microsoft thing has nothing to do with this.)

---------------------
From: Bev Harris
“While we are waiting for less picturesque translation -- anyone? --
“rpcrt4 = Remote Procedure Call Run Time”

---------------------
From: Nlighten1
“This would make a good Slashdot post. I have contacted someone who I know that has good connections with the Slashdot crowd to see if we can get this posted there.”

---------------------
From: MrSteve
“I can give you a line by line by line breakdown of what the makefile is doing, if you like (but only later during lunch). As I said last night, there's nothing really sinister in the makefile, because it's just a set of high level instructions on how to build the executable.

“Although I should correct myself - it's not creating a standalone executable, per se, but a dll file (atlps.dll to be exact). However, the main point is, what is in the objects that are used to build up the executable? What do the object files dlldata.obj atl_p.obj atl_i.obj contain?

“kernel32.lib is a non-issue - just about every windows program, dll, or library links to it.

“And the libraries we looked at last night - rpcndr.lib rpcns4.lib rpcrt4.lib - what functions are being called in these DLLS? Are they being used to create simple interprocess communication (basic low level windows plumbing) or are they being used for external (out of the box) communication (TAPI, proxy connections, etc.?)”

---------------------
From: Sang0
“I'll ask around in my neighborhood. There are lots E European immigrants in my neighborhood. What needs to be translated? Is it just that one page that's linked to in post#1? I'll ask around tonight.”

---------------------
From: Nederland
“Got a Friend who is from Czechoslovakia...maybe he'll help me out.”

---------------------
From: Bev Harris
“… all I'm convinced of, for now, is that it definitely deals with remote access. I'm very interested in the remote access functions, you see, because of statements like this:

"The GEMS computers are not connected to any communication system" (Dr. Brit Williams, official voting machine examiner and one of the national powermongers influencing certification of these machines) So many places, I'm seeing them de-emphasize or mischaracterize communications, at all levels from precinct on up, and that makes me wonder: Why not just tell us the straight story? Is there something we are not supposed to see?”

---------------------
From Bev Harris
“Was there a reason to delete our assessment of the code on this Czech web site, that it pertains to remote control? … I take issue with not even being allowed to talk about what is in code we found.

“- We found code which pertains to remote access.

“- This code was built into files used in the Diebold voting system, and appears to be used at both local precinct levels and county levels.

“- This code appears to exploit Active X and remote control options.
“And the caveats: We are getting conflicting opinions from computer people, not about the fact that it pertains to remote access, but pertaining to exactly what data is being transferred, who is allowed to do it, and what boundaries are applied.

“This code is of special interest because of the lengths they are going to say the machines "are not connected" or "are connected only one way." It is imperative that we determine exactly, precisely what this code does.

“I am assuming this message is within acceptable DU boundaries. If this one disappears, it means we are getting uncomfortably close to something.”

---------------------
“From: Moderator You can talk all you want about this project, and you can even state your conclusions. But if you post anything that includes computer code allegedly from Diebold voting machines, then I have to assume that it is proprietary and I have to delete it. Your post isn't going to be deleted. You think the code has something to do with remote control. That's fine. Just don't post the code on this website.”

---------------------
From Bev: (posted repeat of Czech commentary without any code.)
--Message was deleted --

---------------------
Received a translation by private e-mail. Gee, the Czech commentary pertains to setting up remote access.

Bev Harris
Black Box Voting

P.S., Thank God I can see the light at the end of the tunnel now. I want my life back.

nadinbrzezinski Donating Member (1000+ posts) Thu Jul-17-03 04:09 AM
Response to Original message
1. Spreading Bev and yes
You will deserve a medal after this...

We all have done our bit but yours is down right heroic...


preciousdove Donating Member (1000+ posts) Thu Jul-17-03 04:22 AM
Response to Original message
2. VERY interesting post about 2000 selection in Florida

Eloriel Donating Member (1000+ posts) Thu Jul-17-03 09:26 AM
Response to Reply #2
15. Bev - be sure to look at the above-linked thread n/t

Junkdrawer Donating Member (1000+ posts) Thu Jul-17-03 05:50 AM
Response to Original message
3. As you know, this is precisely the type of flaw one would have expected...
a potential cheater would have used. What is doubly suspicious here is that Eastern Europe is famous for "hackers for hire". Indeed, it was a Polish firm, The Last Stage of Delirium Research Group (you couldn't make this stuff up), that reported the exploit to Microsoft:

http://lsd-pl.net/special.html

And so, Diebold used Czech programmers to work that area of the code?

Junkdrawer Donating Member (1000+ posts) Thu Jul-17-03 08:30 AM
Response to Reply #3
9. Eastern European hackers made the news two years ago....
http://www.computerworld.com/industrytopics/retail/story/0,10801,58492,00.html

And...

http://www.cnn.com/2001/TECH/internet/03/08/hacker.attacks/

<snip>
The FBI says the Eastern European groups, after successfully hacking into a company, then attempt to extort the company offering services to solve the computer vulnerability.

"If the victim company is not cooperative in making payments or hiring the group for their security services, the hackers' correspondence has become more threatening," the FBI announcement said.
<snip>

BevHarris Donating Member (1000+ posts) Thu Jul-17-03 09:25 AM
Response to Reply #3
14. Diebold programmer was Dmitry, but don't know that he is Czech.
Sorry to confuse the issue. There were two key Diebold programmers working on the code that revolves around this:

Stockholder Talbot R. Iredale, a Canadian, (shows up as initials tri in the programming notes)

and Dmitry Papushin. I do not know the heritage of Dmitry. I would have guessed Russian.

I have another file somewhere the names of several more Russian or Eastern European Diebold Election Systems employees -- now I'm going back to see what tasks they are involved in, I think they help walk the system through state certification.

The Czech website was only brought up because it contains an identical set of code as some found in Diebold, with descriptions of what it's used for. We wanted to see what the commentary had to say.


BevHarris Donating Member (1000+ posts) Thu Jul-17-03 10:35 AM
Response to Reply #14
21. Add Icten Yalin and Slavica Milanovic
Eastern European employees: In March of 1998 Global Elections Systems Inc.(Global) of Mckinney, Texas requested review and examination in Washington State -- the software that runs the system had been rewritten as GEMS.. Representing the vendor were Sophia Lee, Slavica Milanovic, and Icten Yalin. The vendor made a presentation and a test election was conducted using a group of test decks prepared by the vendor.)

This post is no big deal. But yes, there seems to be at least a few people involved with GEMS programming and certification who are of Eastern European descent -- not that this proves anything at all. This is in the category of "hmm, okay, put it over here if I have to remember it later..."

Bev


Zan_of_Texas Donating Member (1000+ posts) Thu Jul-17-03 11:21 AM
Response to Reply #14
28. Papushin
I did a real quick search on that name, and a lot of Russian stuff came up.

shatoga Donating Member (1000+ posts) Thu Jul-17-03 06:28 AM
Response to Original message
4. More and more links to the plain truth
Edited on Thu Jul-17-03 06:32 AM by shatoga

Inside A U.S. Election Vote Counting Program
http://www.scoop.co.nz/mason/stories/HL0307/S00065.htm

http://www.truthout.org/docs_03/voting.shtml
How to fix an election via the backdoor

How George W. Bush Won
the 2004 Presidential Election
Purging voter lists is just the beginning: the U.S. has embraced a form of electronic voting that is unreliable, unverifiable and funded by the radical Christian right.

http://www.infernalpress.com/Columns/election.html


http://www.chemtrailcentral.com/ubb/Forum6/HTML/001228.html

A flurry of topics posted to drive them to back pages?

http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=108&topic_id=1693&mesg_id=1693&page=

http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=108&topic_id=2405&mesg_id=2405&page=3

Bright_Future Donating Member (15 posts) Thu Jul-17-03 07:23 AM
Response to Original message
5. I'm not making any...
judgements on the flaw as if Diebold has sourcecode, they could have written the sourcecode to do whatever bad stuff they want...

But in Visual C++, there is a standard COM library called "Active Template Library" that does all sorts of very useful things for programmers. You can either compile it directly into your application or as an external library - atl.dll. MS includes standard sourcecode with VC++ 6.0, and if this is an embedded MS OS, then they probably used the embedded VC++ tools which would also include it.

I guess once the techies pick it apart, you'll know for sure if they've done anything to the library source code, or if this dll even matches the MS one at all. maybe it is a Diebold-written dll given a confusing name! But someone should compare the source to that which comes with Visual C++ and see if they match - and see what is different too.

Bright_Future Donating Member (15 posts) Thu Jul-17-03 07:35 AM
Response to Reply #5
6. some more info
Oh, I didn't see the reference to WCEATL.cpp. That initially sounds like "Windows CE Active Template Library". A quick search on Google finds:
http://www.cegadgets.com/atlcebugs.htm
which confirms a file by that name is in the WinCE ATL. once again, the original source could have been modified by Diebold. but this could be a start.

Do the files still have their microsoft copyrights in them with version numbers? my copy of Visual C++ 6.0 SP5 has the following at the very top of atl.cpp:
// atl.cpp : Implementation of DLL Exports.

// You will need the NT SUR Beta 2 SDK or VC 4.2 or higher in order to build
// this project. This is because you will need MIDL 3.00.15 or higher and new
// headers and libs. If you have VC 4.2 installed, then everything should
// already be configured correctly.

// Note: Proxy/Stub Information
// To build a separate proxy/stub DLL,
// run nmake -f atlps.mak in the project directory.


note the same atlps.mak makefile name. there definitely is a strong correlation with Microsoft ATL. Someone must have the EmbeddedVC++ tools, and can compare the actual files to see if there are changes. if there are service packs to this, the files may be different for different versions.

newyawker99 Donating Member (1000+ posts) Thu Jul-17-03 08:19 AM
Response to Reply #6
7. Hi Bright_Future!!
Welcome to DU!! :toast:

seemslikeadream Donating Member (1000+ posts) Thu Jul-17-03 08:23 AM
Response to Original message
8. Bev could you comment on the 2 new threads
in GD
Florida 2000 by Ani Yun Wiya
US Embraces electronic voting funded by radical Christian right by SharonAnn
and this business I came across may be of small interest, at least the name is www.blackbox.co.uk I was reading about remote access there.

LWolf Donating Member (1000+ posts) Thu Jul-17-03 08:30 AM
Response to Original message
10. kick
:kick:

Az Donating Member (1000+ posts) Thu Jul-17-03 08:59 AM
Response to Original message
11. Bev, thought you could do with some security links
You may already have these but it couldn't hurt to post them.

White Hats: These are the good guys. They do security to keep it secure

http://www.securityfocus.com This site currently has this exploit mentioned here http://www.securityfocus.com/news/6397

http://www.computersecuritynow.com/

http://www.whitehats.com/index.shtml


Gray Hats: Curiosity and inquisitiveness are the driving force here.

http://packetstormsecurity.nl/

http://www.cqure.net

sangha Donating Member (1000+ posts) Thu Jul-17-03 09:10 AM
Response to Original message
12. Is it safe to assume
that you no longer need the translation?

BevHarris Donating Member (1000+ posts) Thu Jul-17-03 09:28 AM
Response to Reply #12
16. Wouldn't mind having another one.
Nuances are important. For example, one version I have refers to "stealth" or "secret entry" whereas another came out sounding very benign.

If you are able to provide another translation, I would very much appreciate it.

Bev

sangha Donating Member (1000+ posts) Thu Jul-17-03 10:09 AM
Response to Reply #16
19. OK
It might take a few days. My upstairs neighbor says she knows someone, but she works the night shifts and double-shifts, so it's hard to coordinate. I'll PM it when I get it

Az Donating Member (1000+ posts) Thu Jul-17-03 09:17 AM
Response to Original message
13. Bev, Some advice about the security community
Exploits and vulnerabilities are an evolving issue. Exploits can lay hidden for years and suddenly come to light. Just because a potential vuln is found does not mean it has been exploited.

Some resistance you will find in the security community to your theories will come from this fact. Security experts are bombarded by sploits and vulns all the time. It's when they enter into the hacker community that they get red flagged. Hackers are usually ahead of the security forces but the security teams are usually pretty aware of where the hackers are. It's an arms race.

The existence of this vuln by itself is indicative of nothing. You are on the right path trying to show that Diebold used it. Making that factor as clear as possible is the key to your research.

sangha Donating Member (1000+ posts) Thu Jul-17-03 09:28 AM
Response to Reply #13
17. I 2nd his advice
The technology is complex, different people and groups have contradictory interests, and it's hard for non-techies to evaluate and discard all the ridiculous and fallacious arguments that will be made. Evidence that something has actually been done will be very persuasive. The efforts you make nailing that down will be time well-spent.

ramblin_dave Donating Member (1000+ posts) Thu Jul-17-03 09:47 AM
Response to Original message
18. What did you mean by Czech commentary removed?
You said:

The Czech commentary was removed every time we posted it. Translations were also removed.


What does this mean? Removed from where and by whom?

Eloriel Donating Member (1000+ posts) Thu Jul-17-03 10:23 AM
Response to Reply #18
20. She means edited out of posts in that thread by Admin n/t

Junkdrawer Donating Member (1000+ posts) Thu Jul-17-03 10:42 AM
Response to Original message
22. Bev: A little levity for you…
A sadistic millionaire invites a group of guests to his home. Standing by his pool, he announces:

“I will give anyone whatever they want to swim across this pool. But you should know, the pool is full of sharks.”

No sooner does he finish than a splash is heard and one of the guests is swimming as fast as he can across the pool. The sharks are about to strike when the guest pulls himself out untouched. The millionaire approaches and says:

“That was truly brave. I’m impressed, and true to my word, I will give you whatever you want. What will it be?”

The guest replies:

“Let’s just start with the name of whoever pushed me in the pool.”

BevHarris Donating Member (1000+ posts) Thu Jul-17-03 11:20 AM
Response to Reply #22
27. Heh. I needed that.
Thanks, junkdrawer.

Bev

TinfoilHatProgrammer Donating Member (379 posts) Thu Jul-17-03 10:47 AM
Response to Original message
23. er, no
ATL.DLL is a microsoft library containing their active template library. It's benign. You'll find it on all kinds of machines.

The other day you posted an excerpt from a makefile that details how to build a library named ATLPS.DLL which, aside from sharing three common letters, is something entirely different. You've still posted no code from it, so there's still no way to deduce its purpose.

The makefile you posted the other day demonstrates that ATLPS.DLL links against the RPC libraries. Just like many other COM objects do. There are hundreds of libraries on your computer right now that link against the RPC libraries. According to your logic, they must all be doing something insidious, to wit: intentionally exploiting a security hole that was just discovered, some 6 months after you downloaded some files from Diebold.

Then you googled up a totally unrelated page with a description of, and instructions for building, a simple ATL-based library called TESTPS.DLL, written in Czech. There is no relationship between that page and anything except that they both build ATL-based modules, and are probably both simple test libraries. But because it's in Czech you imply that it must be hiding something important. Someone then posts a link to information about a newly-discovered Microsoft security hole, discovered by a team in Poland, and you somehow infer that this is what Diebold must be doing, never mind that the timeline doesn't fit at all. The Polish team has declined to make details of the exploit available, so you have no way to demonstrate that anyone is making use of the same technique, but you nevertheless imply (with your usual carefully-worded nuance) that Diebold must be exploiting the hole, with not a single line of code to back it up, simply because they link against a few basic system libraries. And for bonus crazy points, you tie your whole theory together by tossing out the name of some guy who sounds Russian and purportedly works at Diebold. Now it's a huge international conspiracy that so far spans the United States, Canada, Czechoslovakia, Poland and possibly Russia. I repeat my mournful refrain yet again: show me the code that's doing something nefarious. You have all the code, so why can nobody tell me "look in file X, lines Y through Z"?

Incidentally, unless you're holding back and not posting all the files, nothing in any of the source code you've arranged to make available indicates ATLPS.DLL is used on the voting machines at all. Certainly the ballot station program doesn't use it, which is evident from looking at its own makefile -- it's not referred to even once, as I'm sure you've discovered. More than likely it's for use on a desktop machine somewhere.

And for what it's worth, the source code for ATL.DLL is utterly benign. You don't even have to take my word for it, all of it's included as part of Microsoft Developer Studio. You should probably get your crack team of code-analyzing volunteers to look into that too. This thing clearly goes right to the very top.

WCEATL.CPP is part of the source code to Microsoft's ATL library for Windows CE. Also available from Microsoft. Let us know the results of your analysis.

I'm happy to hear you allegedly have code-checkers from the media poring over the source code now, because you clearly have no idea what you're talking about and you embarrass the cause every time you start blathering on about it. I eagerly await the results from the experts.

JC

Junkdrawer Donating Member (1000+ posts) Thu Jul-17-03 10:56 AM
Response to Reply #23
24. Good logic: Since the hole was just announced, it couldn't have..
Edited on Thu Jul-17-03 10:58 AM by Junkdrawer
been used in, say, the 2002 elections. /sarcasm off

Bev: I wouldn't give this guy the time of day. Let him read it at the same time everyone else does.

BevHarris Donating Member (1000+ posts) Thu Jul-17-03 11:22 AM
Response to Reply #24
29. Oops, cross post
You're right. The button I shall push is "ignore." :)

TinfoilHatProgrammer Donating Member (379 posts) Thu Jul-17-03 11:25 AM
Response to Reply #24
30. why this hole?
So why must it be this hole? Do you want to know how many other holes there have been since the 2002 elections? Why do they need a hole at all when they can simply write code to do whatever they want in the first place?

Critical thinking, my friend. I have an open mind and I'm totally willing to believe whatever can be proved. Bev insists on making post after post of claims without any evidence. Show me the code. Simple enough.

JC

ParanoidPat Donating Member (1000+ posts) Thu Jul-17-03 12:59 PM
Response to Reply #30
41. YO! TFHP! All the files have been available for some time!
Go download them and LOOK FOR YOURSELF! :evilgrin:

You might be surprised at what you find! :(
 
Name removed Donating Member (0 posts) Send PM | Profile | Ignore Thu Jul-17-03 11:47 PM
Response to Reply #41
53. Deleted message
Message removed by moderator. Click here to review the message board rules.
 
BevHarris Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 11:01 AM
Response to Reply #23
25. Nice try.
And I don't think Skinner would be too happy if I stopped "holding back" and decided to post the most interesting 15,000 lines of source code here.

By the way, those are only "standard" MS files when they contain Microsoft code. Once they are rewritten, they are no longer "standard."

Bev
 
TinfoilHatProgrammer Donating Member (379 posts) Send PM | Profile | Ignore Thu Jul-17-03 11:29 AM
Response to Reply #25
31. fair enough
So post them on your own site. What's the problem?

And yes they are only "standard" MS files when they contain Microsoft code. It's a simple matter to demonstrate whether they do or not, and catalog the differences. Use windiff or something, it's a 90-second job.

More innuendo, claims of secret evidence that proves everything, no evidence of anything. Zero critical thinking at all. Your entire post today is a string of non-sequiturs.

JC
 
Nederland Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Jul-18-03 11:47 AM
Response to Reply #23
64. Deleted
Edited on Fri Jul-18-03 11:49 AM by Nederland
Sorry. Dupe
 
Nederland Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Jul-18-03 11:47 AM
Response to Reply #23
65. Would you like to see the Czech translation?
I have it if you want it. PM me with your email address and I'll send it along. FYI, It was translated by a C++ developer.
 
Name removed Donating Member (0 posts) Send PM | Profile | Ignore Thu Jul-17-03 11:02 AM
Response to Original message
26. Deleted message
Message removed by moderator. Click here to review the message board rules.
 
TinfoilHatProgrammer Donating Member (379 posts) Send PM | Profile | Ignore Thu Jul-17-03 11:34 AM
Response to Reply #26
32. agreed
Edited on Thu Jul-17-03 11:35 AM by TinfoilHatProgrammer
ack, double post
 
Name removed Donating Member (0 posts) Send PM | Profile | Ignore Thu Jul-17-03 11:34 AM
Response to Reply #26
33. Deleted message
Message removed by moderator. Click here to review the message board rules.
 
TinfoilHatProgrammer Donating Member (379 posts) Send PM | Profile | Ignore Fri Jul-18-03 12:03 AM
Response to Reply #33
56. darn
My message was deleted! Am I getting too close to something???

Facetiousness aside, I can't even remember what was in it at the moment but my apologies to the administrators if it broke any rules. :(

JC
 
Junkdrawer Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 12:10 PM
Response to Reply #26
38. Bad idea. n/t
:thumbsdown:
 
Cocoa Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 11:40 AM
Response to Original message
34. Bev, who won the big Flash audition?
remember, when the big story was about to break, you held auditions for a script for the big Flash presentation. Remember that? There was a deadline, it was urgent because the story was just about to break and the Flash presentation was going to help it break big.

Was there a winner? Was the Flash presentation ever produced, is it available somewhere for us to see?

thanks

 
TinfoilHatProgrammer Donating Member (379 posts) Send PM | Profile | Ignore Thu Jul-17-03 11:46 AM
Response to Reply #34
35. I heard it's actually ranked as the #1 flash presentation
in Poland.

JC
 
donsu Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 11:50 AM
Response to Original message
36. kick
nt
 
ParanoidPat Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 12:05 PM
Response to Original message
37. WARNING! Check YOUR computer for this file NOW!
Edited on Thu Jul-17-03 12:23 PM by ParanoidPat
Bev and others involved, if you haven't yet done so, check your C:\Windows\System folder for this file and DELETE IT if you are not specifically using it for something! You can right click on your Start tab from the Desktop, choose Find, type atl.dll in the 'files named' box and C:\ in the 'Look in' box, then hit enter. If you find this file in your System folder (Like I just did!) and are NOT SURE if you need it, you can temporarily disable it by renaming it atl._ll. Once you are sure none of your programs are using it DELETE IT! :(

ON EDIT:2 ATL! ATL! DUH!
ON EDIT: Add registry key removal info!

This is the registry key for the atl.dll.

ATL.Registrar = s 'ATL 2.0 Registrar Class'
{
CLSID = s '{44EC053A-400F-11D0-9DCD-00A0C90391D3}'
}
NoRemove CLSID
{
ForceRemove {44EC053A-400F-11D0-9DCD-00A0C90391D3} = s 'ATL 2.0 Registrar Class'

Use RegClean to remove the key from your system. :)

 
leftchick Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 12:39 PM
Response to Reply #37
39. kick!
:kick:
 
leftchick Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 12:40 PM
Response to Reply #37
40. kick!
:kick:
 
Capn Sunshine Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 01:36 PM
Response to Reply #37
43. Pat could you be more specific?
Is THIS the flaw MSFT has mentioned ? Or is this something else?
WTF is it?
 
Capn Sunshine Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 01:36 PM
Response to Reply #37
44. Pat could you be more specific?
Is THIS the flaw MSFT has mentioned ? Or is this something else?
WTF is it?


BTW could you re-state what we should be looking for? Your edit really muddied things up for me :)
 
Bright_Future Donating Member (15 posts) Send PM | Profile | Ignore Thu Jul-17-03 04:07 PM
Response to Reply #37
45. Is this sarcasm?
I hope you are suggesting this as a joke.. as a number of people have pointed out, there is -nothing- wrong with atl.dll. there is some confusion about atlps.dll, but a quick look at the atlps.mak makefile shipping with visual studio 6.0 shows that it too is written by Microsoft. I believe the 'ps' designation refers to Proxy/Stub, which is a DCOM term. the .obj files linked together are dlldata.obj, atl_p.obj, and atl_i.obj. atl_p and atl_i are generated by MIDL, the COM interface compiler.

The only question is - did Diebold somehow insert some sort of hack into stock Microsoft sourcecode as a way of hiding their hack. As TinfoilHatProgrammer pointed out, anyone with the correct version of the WinCE embedded toolkit could use windiff to compare the Diebold version to the Microsoft version. if they match, case closed - the files are clean. there may be other exploits related to the files, but exploits might also be related to -any- dll on the computer. the only difference with ATL is that microsoft ships its source code. In fact, in the other thread there was some misunderstanding about needing a ".c or .cpp" file. ATL makes virtually no use of .c/.cpp files as it is a -template- library. Microsoft generally puts their template definitions in .h files.

If anyone follows your advice and deletes their atl.dll, any application depending on this file will likely break. actually there probably are not many as microsoft usually links in the template files rather than link to an external dll. but it is a standard windows xp/windows 2000 file that ships with the operating system. just look at the 'version' info on the dll and the date/timestamp.

I've been following the BlackBox threads for a while. Bev did the right thing by raising this as a possible technical issue. She isn't a programmer, so she wouldn't know about ATL and all this stuff. But we need to stay level-headed about technical finds and not jump to conclusions. Focus on the facts - there is some unknown sourcecode that looks like it originated from Microsoft - and don't jump to any conclusions until there is enough information to support them.

Here is another way of looking at this find - is atl.dll or atlps.dll even used in the voting app? if so, where and for what purpose? if not, why is it included in the sourcecode build? Shouldn't extra code be removed from the sourcecode tree? are there any verification policies on the sourcecode that this violates - i.e. the system cannot have 'unused' code? perhaps states such as Georgia have their own requirements that this violates. etc.
 
ParanoidPat Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 08:11 PM
Response to Reply #45
50. Ok here's what I found on my computer...
....Just for grins I did a 'find' for atl.dll and found it in C:/Windows/System.
"but it is a standard windows xp/windows 2000 file that ships with the operating system."
While that may be true, I'm running Win 98 on this box and have NO programs that load atl.dll on this computer. (I checked)
I did a complete system backup right after I built and loaded this box and there is no atl.dll in the backup copy.

In looking at the file properties I discovered that the 'Date Created' does not correspond to any programs I loaded nor does it correspond to the date the OS or any subsequent 'service packs' were loaded.
I went further and did a 'find all files' and searched by the 'date created' and found over two dozen other files that were created at the same time. They include things like Telephon.ini, System.i~i, my PASSWORD LIST .pwl file, (I never store passwords) progman.ini, Protocal.ini, Net.exe, Wmexe.exe, Pci.vxd, msmouse.vxd, vsmouse.vxd, Filesec.vxd, Java.exe, Netpptp.sys, Pppmac.vxd, Vnetsup.vxd, Vredir.vxd, Ndiswan.vxd, Bios.vxd, Choosusr.dll, Msvcrt.3 and a number of my system log files.

I've checked them and many are the same as in the backup with only the 'date created' changed. A few of them (primarily .vxd, .ini and log files) are different than the originals as far as file size. Several are not in the backup at all. Most notably the Netpptp.sys and a very large log file that appears encrypted.

I'm just now trying to compare the files that have grown to see what's different from the ones in the backup.

When I first tried to rename the file to see if anything crashed, I was denied access because it was in use. I restarted the computer and attempted to remove it again and was again denied access. I disconnected the Ethernet cable from my computer and restarted and was successful at renaming it. I have no idea what program is calling it and until I get a chance to check the registry I'll just have to wonder why it loads at bootup but doesn't load when the network is unavailable. I don't have my computer set to 'connect at startup' so that freaks me out even more. :tinfoilhat:

I have NO programs that are allowed through my firewall without asking but every now and then I've noticed bursts of traffic on the DSL modem and the Linksys router that don't show up on my on screen traffic monitor. To make matters worse, I occasionally find permissions set in my firewall that I didn't set and once in a great while I'll be sitting here and the computer will change windows on its own, typically after I've left it alone for 5 or 10 minutes to work on another box. I CAN'T say for sure if this file is related but, from what I have seen in the last couple of hours, it sure looks like it. I'll know for sure in a couple of hours when the real geeks get off work.

Can someone tell me what program(s) would normally call this .dll and what it's supposed to do when called?

One more thing, my web pages load instantly now, (well except DU) they had been taking anywhere from 2-5 seconds from the time I clicked on a link till the time the page would start to load. It's been that way since right around the date on these files.

Anyone? Anyone? :shrug:
 
Bright_Future Donating Member (15 posts) Send PM | Profile | Ignore Thu Jul-17-03 10:16 PM
Response to Reply #50
52. according to Microsoft, atl.dll is...
...required for any Visual C++ components that use the ATL library and also are compiled with the MIN_SIZE directive (normally used by things delivered over the web to keep them small). from the article:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q166/4/80.asp&NoWebContent=1

"If you build with the MinSize option, you are required to ship only Atl.dll with your control. You should statically link to the C Run-Time (CRT) Libraries. In case you do not need the CRT startup code, and with minimal use of the CRT, statically linking to the CRT produces a smaller image size than dynamically linking. "

there is further info on that page about what happens when atl.dll is missing:
"A. The following are the top three reasons an ATL server might fail to register:
...
You built your project as MinSize and Atl.dll is not properly installed on the system. The correct version of Atl.dll must be copied and registered by Regsvr32. There are Windows NT and Windows 95 versions of Atl.dll. The Windows 95 version runs under Windows NT. However, since it does not use the UNICODE APIs, it is slightly less efficient. Unless you build your project as MinDependency, you will need to install the correct version of Atl.dll and run Regsvr32 on it before you install your server. "


so to answer your second-to-last question, it is impossible to know which programs use atl.dll without looking at their DLL imports - which can be a little tricky to do. However, the above URL does describe that some valid programs use the DLL, which is why I included the warning.

As for your date discrepancy on atl.dll, i wish I could explain it. it probably is unique to the version number, but i would suspect it is harmless. Incidentally, there are potentially other copies of the file on many computers. I have a copy in "c:\program files\adobe\acrobat 6.0\reader". i also have a "msdatl.dll" file which looks similar in "c:\program files\common files\system\ole db".

regarding your strange network traffic, just recently i looked over my wife's spare laptop and found -12- different 'spyware' applications installed, probably due to going to web sites and installing software. I used an application called "Spy Sweeper":
http://www.webroot.com/wb/products/spysweeper/index.php
it didn't get everything but solved the weird popup ads that kept appearing out of nowhere...Perhaps you have a similar application that installed itself somehow?
Printer Friendly | Permalink |  | Top
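Added example, not part of the original thread: one way to answer the "which programs use atl.dll" question raised above is to read each executable's static import table. This Python sketch parses the PE import directory; the image produced by build_sample_pe is constructed for the demonstration, and every function name here is this example's own.

```python
import os
import struct

def _rva_to_offset(rva, sections):
    """Translate a relative virtual address into a file offset."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")

def imported_dlls(data):
    """Return the DLL names in a PE image's static import table, in order."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:      # PE32: data directories start at offset 96
        dirs_off = opt_off + 96
    elif magic == 0x20B:    # PE32+: data directories start at offset 112
        dirs_off = opt_off + 112
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", data, dirs_off - 4)
    if n_dirs < 2:
        return []
    imp_rva, _imp_size = struct.unpack_from("<II", data, dirs_off + 8)
    if imp_rva == 0:
        return []
    sections = []
    sec_off = opt_off + opt_size
    for i in range(n_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, sec_off + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    names = []
    off = _rva_to_offset(imp_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR is 5 DWORDs; the 4th is the DLL name RVA.
        name_rva = struct.unpack_from("<IIIII", data, off)[3]
        if name_rva == 0:   # terminating descriptor
            break
        start = _rva_to_offset(name_rva, sections)
        end = data.index(b"\0", start)
        names.append(data[start:end].decode("ascii", "replace"))
        off += 20
    return names

def find_importers(root, dll_name):
    """List files under root whose import table names dll_name (any case)."""
    wanted = dll_name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    imports = imported_dlls(fh.read())
            except (OSError, ValueError, struct.error):
                continue    # unreadable, not a PE file, or truncated
            if wanted in (n.lower() for n in imports):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_pe(dll_names):
    """Constructed sample: a minimal PE32 image with only an import table."""
    desc_size = (len(dll_names) + 1) * 20
    descs, names_blob = b"", b""
    for name in dll_names:
        name_rva = 0x1000 + desc_size + len(names_blob)
        descs += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)
        names_blob += name.encode("ascii") + b"\0"
    section = descs + b"\0" * 20 + names_blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = struct.pack("<IIII", 0, 0, 0x1000, desc_size) + b"\0" * (14 * 8)
    sect = b".idata\0\0" + struct.pack(
        "<IIII", len(section), 0x1000, len(section), 0x200) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + dirs + sect
    return headers.ljust(0x200, b"\0") + section

if __name__ == "__main__":
    print(imported_dlls(build_sample_pe(["KERNEL32.dll", "ATL.DLL"])))
```

Components that load a DLL at run time (LoadLibrary, COM activation through the registry) or through delay-load imports do not appear in this table, so an empty result does not prove a program never uses the DLL.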
 
TinfoilHatProgrammer Donating Member (379 posts) Send PM | Profile | Ignore Thu Jul-17-03 11:58 PM
Response to Reply #50
54. just for the record...
...are you suggesting that Diebold put the ATL library on your computer? Are they doing some kind of remote control of your machine? Does the fact that you reportedly have bursts of unexplained modem traffic somehow demonstrate that Diebold is rigging elections using an atl library that's not used on their voting machine but links to specific RPC libraries which may or may not be the ones containing a security hole found by some Polish hackers? Or is this just a lengthy yet unrelated observation?

JC
 
ParanoidPat Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Jul-18-03 02:54 AM
Response to Reply #54
58. Absolutely unrelated...
As far as I can tell. :shrug:
But still I have to wonder :wtf: this is all about.
 
greyl Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Jul-18-03 03:54 AM
Response to Reply #58
59. Did you recently do a windows update to .net components?
Also, atl.dll is part of Wave Express/TvTonic, a program used to view the Dean campaign's Dean TV.
 
leftchick Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 01:35 PM
Response to Original message
42. kick
:kick:
 
mrsteve Donating Member (713 posts) Send PM | Profile | Ignore Thu Jul-17-03 05:14 PM
Response to Original message
46. Probably sample template code reused - but still suspicious
There is definitely some truth to the idea that Brightfuture and Tinfoilhat were expressing that ATL (Active Template Library) files were just standard Microsoft files that every developer used to create windows applications.

But if you look at the names of the objects that are linked in the makefile (okay, the makefile itself isn't here anymore per board rules, but I did list the files in one of my posts that Bev quotes) two of the objects linked in are "atl_p.obj" and "atl_i.obj". Even if atl.cpp was a basic file distributed with the MSDN (Microsoft Developer Network, for the less geek inclined out there) libraries, having objects called atl_p and atl_i implies that the source files for these objects in the voter application are atl_p.cpp and atl_i.cpp, different than the original atl.cpp.

What I'm getting at is this. Yes, Microsoft has sample code out there called the ATL. Yes, it's in hundreds of applications doing lots of mundane things.

However, it's common practice (God knows I've done it a hundred times, and many other people besides) to take a piece of MS sample code, lightly change it to do what you want it to do, perhaps partially rename it, and slap that new code into the build process to create an executable. Post #6, in fact, has the direct comment from wceatl.cpp (another sample MSDN file) that shows where the original version of the makefile that I analyzed comes from. It was part of the MSDN sample code, and the developers simply tweaked it a bit to create their own dll for a proxy server.

Thus the _p and _i extensions on objects created from source code that could have once been atl.cpp. Does this necessarily imply nefarious purpose? No, just hasty and sloppy coding.

MSDN sample files atl.cpp and wceatl.cpp might have been modified and used under the same name. Bad? Again, not necessarily, just sloppy.

Does it remove the possibility of back doors? Not at all. Especially if the source code files atl_p.cpp and atl_i.cpp, or the modified sample files atl.cpp and wceatl.cpp contain code that does allow remote access to the voting machine functions or data. And proxy servers (the quoted makefile is used to build a dll for the proxy server) ARE used to communicate with the outside world in some manner.


Finally, analysis of the source code in the system is required to determine the purpose of this outside communication through the proxy server. And the analysis Bev seems to be getting on the wceatl.cpp and other source files seems to indicate that functions that can be exploited are in the code.

Just wanted to try and clear that up, and bounce the thread back to the top.
 
Eloriel Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 05:53 PM
Original message
Dupe, dammit
Edited on Thu Jul-17-03 06:02 PM by Eloriel
.
 
Eloriel Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 05:53 PM
Response to Reply #46
47. Nice reply, esp.
for those DUers whose only interest in DU seems to be Bev's threads. :evilgrin:

Eloriel
 
Bright_Future Donating Member (15 posts) Send PM | Profile | Ignore Thu Jul-17-03 05:57 PM
Response to Reply #46
48. good comments.
I agree with what you are saying. to clarify some more, atl_i.c and atl.h are created when MIDL.EXE compiles the atl.idl file. in my atl.mak file it is:
midl /h atl.h /iid atl_i.c atl.idl
according to Microsoft MSDN on-line Documentation:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/midl/midl/general_midl_command_line_syntax.asp

The _p.c file is also output from MIDL when compiling the idl file, I presume the filename is assigned automatically by MIDL.exe. Although the MIDL call is not defined in the atl_ps.mak file, it is defined in the atl.mak file. I assume there is a dependency chain here. Of course both these files could be modified after MIDL generates them. but, since they are auto-generated, this would not be a very practical place to put a backdoor as it would need to be re-added each time the sourcecode is rebuilt.

I have MSDN Universal Subscriber access and a little spare time. for the sake of getting a technical answer, I can download/install the WinCE toolkit on a spare laptop and run windiff to find any potential differences. However I'd rather not waste time doing this if someone else is checking up on all of this. Although posting the source code in question can't be done on DU, I'd be happy to email my results to Bev and she can take care of it. I'd need someone to give URLs to the zip files and explain which subdirectory of the .zip file I need to look at.

Question - are the atl_i.c and atl_p.c files included in the source code drop? I would expect them not to be as they should be deleted when the build is 'cleaned'.

a point about terminology, though. a COM 'proxy' file is very different from a "Proxy Server". Proxy servers are designed to act as intermediaries in communications. for example, www.anonymizer.com is a very good proxy server recommended by the ACLU so no one knows who you are when you are surfing the internet. a COM 'proxy' is part of a proxy/stub pair used for low-level DCOM communications. while this does involve communication, it is pretty strict and requires a bunch of system configuration settings to actually work. I suspect it is standard microsoft practice to over-kill and create proxy/stub files by default even if they aren't used.

Even if there turns out to be some differences in the MS files, someone would still need to show:
1) that the ATL files are being used by the system (see my previous message about this)
2) that the changes actually facilitate some sort of hack. or, alternately, that the use to which atl.dll is being put is itself a hack.

 
mrsteve Donating Member (713 posts) Send PM | Profile | Ignore Thu Jul-17-03 06:30 PM
Response to Reply #48
49. Good points also
That makes sense then, if the atl_i.c and atl_p.c files are products of the code generation process when compiling the COM source files, they probably are not significant.

I had to give up my MSDN Universal when my last startup went bye-bye. I miss it...sniff...so much tasty geekness in a mere 50 or so CDROMS.

You are right about the DCOM proxy business - on further research, the use of proxy in this case might refer only to the DCOM proxy/stub marshalling. But a DCOM control could also talk to another computer or program across the network link. From the MSDN library:

"Component Object Model (COM) Internet Services (CIS) introduces support for a new Distributed COM (DCOM) transport protocol known as Tunneling Transmission Control Protocol (TCP) that allows DCOM to operate over TCP port 80. This allows a client and a server to communicate in the presence of most proxy servers and firewalls, thereby enabling a new class of COM-based Internet scenarios."


Reading the Czech translation might help illuminate if this is what might be going on.


As we both state, you must analyze the source modules used in atl.dll to determine if their functions are truly exploitable as a security breach.

 
TinfoilHatProgrammer Donating Member (379 posts) Send PM | Profile | Ignore Fri Jul-18-03 12:10 AM
Response to Reply #48
57. well done
I commend you for your posts, they're the only informed technical comments I've read in the entire ongoing blackbox discussion. Well, besides my own earlier attempts to point out the same sorts of things. I've been dismissed as a non-believer, hopefully you have better luck.

Have you looked at any of the black box source code? Have you found anything malicious? I'm still diligently looking.

JC
 
Bright_Future Donating Member (15 posts) Send PM | Profile | Ignore Fri Jul-18-03 07:08 AM
Response to Reply #57
61. Unfortunately I haven't cracked it open yet.
I usually know better than to take on something so much bigger than I can handle. I do small and medium systems architecture and coding, and this doesn't qualify as either :) maybe this time I'll make an exception.

Actually I browsed quickly through the 7 CDs on a site last night. Having some sort of architectural overview document indicating what the various software components are, etc would be very useful. I read on another thread that someone else had actually gotten the code to execute. any pointers for this discussion? The best way to learn how something works (and thus to find its flaws) is to get it running.

Also, no one answered my previous question - where exactly did Bev find the atl files on those 7 CDs - which CD, which zipfile, and within the zipfile what directory? I can't do a diff unless i know what to compare.
 
TinfoilHatProgrammer Donating Member (379 posts) Send PM | Profile | Ignore Fri Jul-18-03 10:20 AM
Response to Reply #61
62. not sure about atl
It's not part of the code for the ballot station program, however. As far as I can tell, the entire debate over atl.dll is pointless because Bev's claim that Diebold puts atl.dll on all their voting machines appears to be mendacious. The ballot station program doesn't use any ATL features or link against the ATL library, I double-checked this when this thread went up.

JC
 
BevHarris Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Jul-18-03 12:02 PM
Response to Reply #62
66. As to mendaciousness...
You mendaciously imply that ballotstation.exe is the only program running on the touch screens.

So, mendaciousness aside, let's talk about the issues -- though I usually ignore you, because you seem to have an agenda:

First, you say you are looking at the source code but then you talk about what you find in ballotstation.exe -- that is a compiled executable. I may be a dummy when it comes to computers, but even I know that.

Next, you say the atl.dll program isn't used -- you bet it is used in the voting system. References to the dll are found in multiple locations within the certified version of the program, the only program allowed to be used by the way. References to the atl files are also found in the source code in at least six places.

As for where they are, I'm not brilliant with computers, but there is a little magnifying glass in the start menu that says "find" -- have you tried that?

Mendacious...I'll have to go look that up. It doesn't seem to apply to the posts I've made, so it must be a special computer term...

Bev
 
alfredo Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-03 08:34 PM
Response to Original message
51. the Polish friend
would have told me if he was involved with that group.


BTW, to quickly find and print out differences in files. In UNIX, Linux, OSX, type diff file1 file2

Here is a quick test done to show what it returns.

bash-2.05a$ diff /Users/mango/Desktop/file1.rtf /Users/mango/Desktop/file2.rtf
11c11,12
< Helo}
\ No newline at end of file
---
> Helo\
> bye}
\ No newline at end of file
bash-2.05a$

It can find if binaries are different, but will not print out the differences.

Printer Friendly | Permalink |  | Top
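Added example, not part of the original thread: the comparison several posters propose (windiff or diff between the stock Microsoft files and the copy in question, or between a backup and the live system) can be run over whole directory trees, including binaries that diff only reports as different. The Python below hashes both trees and, for each changed file, reports the first differing offset, the number of differing bytes and the size change; the demo trees are constructed sample data and all names are this example's own.

```python
import hashlib
import os
import sys
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def index_tree(root):
    """Map lower-cased relative path -> real path (Windows names ignore case)."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            index[rel] = full
    return index

def byte_diff_summary(path_a, path_b, chunk=1 << 16):
    """Return (first differing offset, differing bytes within the common
    length, size of b minus size of a)."""
    first, count, offset = None, 0, 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            if not a and not b:
                break
            for i, (x, y) in enumerate(zip(a, b)):
                if x != y:
                    count += 1
                    if first is None:
                        first = offset + i
            if len(a) != len(b) and first is None:
                first = offset + min(len(a), len(b))  # one file ends here
            offset += max(len(a), len(b))
    return first, count, os.path.getsize(path_b) - os.path.getsize(path_a)

def compare_trees(reference_root, suspect_root):
    """Classify every file found in either tree."""
    ref, sus = index_tree(reference_root), index_tree(suspect_root)
    report = {"identical": [], "modified": {},
              "only_in_reference": [], "only_in_suspect": []}
    for rel in sorted(ref.keys() | sus.keys()):
        if rel not in sus:
            report["only_in_reference"].append(rel)
        elif rel not in ref:
            report["only_in_suspect"].append(rel)
        elif sha256_file(ref[rel]) == sha256_file(sus[rel]):
            report["identical"].append(rel)
        else:
            report["modified"][rel] = byte_diff_summary(ref[rel], sus[rel])
    return report

def build_demo_trees(tmp):
    """Constructed sample data: a 'stock' tree and a 'suspect' tree."""
    ref, sus = os.path.join(tmp, "stock"), os.path.join(tmp, "suspect")
    stock_dll = bytes(range(64))
    patched = bytearray(stock_dll)
    patched[10] ^= 0xFF          # one byte changed in place
    patched += b"\x90" * 4       # four bytes appended
    files = {
        (ref, "atl/atlbase.h"): b"// template definitions\n",
        (sus, "atl/atlbase.h"): b"// template definitions\n",
        (ref, "atl/atl.dll"): stock_dll,
        (sus, "atl/ATL.DLL"): bytes(patched),
        (ref, "atl/atlps.mak"): b"dlldata.obj atl_p.obj atl_i.obj\n",
        (sus, "extra.cpp"): b"int main() { return 0; }\n",
    }
    for (root, rel), data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return ref, sus

if __name__ == "__main__":
    if len(sys.argv) == 3:       # usage: script.py REFERENCE_DIR SUSPECT_DIR
        result = compare_trees(sys.argv[1], sys.argv[2])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            result = compare_trees(*build_demo_trees(tmp))
    for kind, entries in result.items():
        print(kind, entries)
```

A match is only as trustworthy as the reference tree, so the stock copy should come from original vendor media or a known-good backup rather than from the machine being examined.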
 
Poiuyt Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Jul-18-03 12:03 AM
Response to Original message
55. I sure am glad
...that I use a Macintosh. Not immune from attacks, of course, but a lot safer than Microsoft!
 
Merlin Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Jul-18-03 04:21 AM
Response to Original message
60. "Remote" doesn't mean remote control.
An RPC call means a call to a procedure that will run--on either the same machine or another machine on the network--in a separate "process," i.e. functionally separate from the process that calls it. So the term "Remote" shouldn't necessarily send up a red flag.

Also, if I were a Diebold programmer, trying to build a Manchurian Candidate into their voting system, I'd do it in a far simpler manner than trying to dynamically alter Microsoft .dll files. For one thing, if the .dll has been loaded into memory, the operating system won't permit a dynamic alteration of it.

For another, I believe M$ .dll's are all "signed" with Verisign, and using an altered version would cause the operating system to generate a warning.

Imho, there are better, simpler, less suspicious ways to do what I have no doubt some are busy trying to do.

On the other hand, let me say your investigation seems intense and astute.
 
BevHarris Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Jul-18-03 11:32 AM
Response to Reply #60
63. Follow up questions
Understand that my messages about computer issues vary greatly in astuteness depending on whether I have the advice of others when writing them, or not. In this case, not, this is just the not-very-astute Bev. But here are my questions on your post, above:

An RPC call means a call to a procedure that will run--on either the same machine or another machine on the network--in a separate "process," i.e. functionally separate from the process that calls it. So the term "Remote" shouldn't necessarily send up a red flag.

Note that this is in context with the Microsoft hole, which specifically says that the RPC interface is used to achieve remote control (or remote access, depending on which article you read). Therefore, what you are quoting is the official boilerplate usage, but what I am talking about is the Microsoft security hole, announced Wednesday. And in that context, we are talking about remote access or remote control from another machine, correct?

Also, if I were a Diebold programmer, trying to build a Manchurian Candidate into their voting system, I'd do it in a far simpler manner than trying to dynamically alter Microsoft .dll files. For one thing, if the .dll has been loaded into memory, the operating system won't permit a dynamic alteration of it.

Dynamic alteration -- that means doing something that alters the dll while the machine is running? That is not what I would postulate either. But if you mean "they wouldn't alter a dll" I disagree. My assumption would be that a dll file can be built which differs from the original. When you install GEMS, it can use your altered dll. But, once the dll is installed, no, it doesn't change unless you install an upgrade that overwrites it.

Now, we already know that they write dll files -- in fact, there was a small discussion about that earlier in context with the Wine project, which turned out to be an acceptable usage of Wine, by the way. They had "cribbed" (as they put it) the Wine Project and stuck it in a dll. I found another such reference last night, to grabbing someone else's program...lessee...where did I see that? List of things to do...anyway, we digress.

Perhaps you are saying they would never rewrite a WINDOWS dll. Well, that is easily ascertained, as many have pointed out, by doing file compares.

As for the warning it would generate, couldn't you just turn that off in the source code? I see many such references to turning off the error messages in comment lines. Don't know if they did, just saying, you could, right?

By the way, along the lines of corroborating coincidences: If you were to rewrite a bunch of Windows stuff, you might expect the machines could have problems, right?

Check out this report: http://www.blackboxvoting.org/robgeorgia.htm
It demonstrates that nearly 25% of the machines were choking, freezing, and erroring out; the "fix" was in the form of patches which ostensibly did nothing but make changes to Windows; after the first batch of "fixes" the 25% went up to 75% failure rates; they ended up doing several rounds of patches, and the patches came out of the Diebold programming office in Vancouver, Canada -- NOT from Microsoft. I have some of the patches, by the way. They are most certainly not Windows service packs.

Next, again on my list of things to do: "look this up so I can cite it..." since I've quoted this twice, I am darn sure I have a reference from a certifying official that says they do not apply the Windows service packs to the machines.

If you were rewriting Windows dll files, you wouldn't want to install service packs, would you?

I have one more question, probably in the category of "dumb questions" -- is it normal to have the same dll file multiple times in an .exe program, in different forms? For example, one of the RPC dll files is only five lines long in one usage, but is a couple hundred lines long in another usage (both in GEMS.exe). Sometimes they have 10 different usages, but the dll of same name appears to be different depending on what directory it is in. Is this normal?

By the way, yours is exactly the type of post that I find most valuable, and one reason I put this stuff on DU. I want to hear what questions people ask, especially when they bring up valid points that need more clarification.

Bev Harris
Black Box Voting
http://www.blackboxvoting.org (Activism and Research)
http://www.blackboxvoting.com (book and more articles)


TinfoilHatProgrammer Donating Member (379 posts) Send PM | Profile | Ignore Fri Jul-18-03 12:13 PM
Response to Reply #63
67. helpful info
You don't want clarification, you pick and choose snippets that you think somehow corroborate your pre-conceived theories and dismiss any information that doesn't fit.

As to your points, yes it's easy to ascertain if they rewrote a WINDOWS dll by doing file compares, but you didn't do that before making this original post.

As for your question about the warning, no they couldn't turn it off in the source code. You can turn off compiler warnings, not the postulated warnings that might happen at runtime from other processes that happen to use the altered code.

In response to your question about rewriting a bunch of Windows stuff, one could argue that you could potentially expect the machines to have problems. On the other hand, I've read a hundred posts on these BBV topics about how bad Microsoft stuff is in general, so one could theoretically postulate that rewriting a bunch of it could only make it better. It depends on your outlook, obviously. Taking one guy's uncorroborated assertion that thousands of machines had problems and using that as a basis to conclude that Diebold must have altered a bunch of Windows code in a patch is pretty tenuous, even for you.

Still waiting for the reference to a single line of malicious code. Every day that passes makes me believe a little more strongly that you simply can't produce it.

Glad to see you're still kicking, I was starting to think that maybe Diebold had you whacked after all.

JC
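The file compare that both posts above refer to, as an added example (not code from either poster or from any vendor): it hashes every DLL under a known-good reference tree and under an installed tree, then reports names whose bytes differ from the reference and names that exist in several directories with different contents. The directory layout, the file names other than atl.dll, and the file contents are constructed placeholders.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

def index_dlls(root):
    """Map lower-cased DLL name -> {relative path: sha256 hex} under root."""
    index = defaultdict(dict)
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".dll":
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            index[path.name.lower()][str(path.relative_to(root))] = digest
    return index

def compare_trees(reference_root, installed_root):
    """Classify each installed DLL name against the reference copies."""
    ref, inst = index_dlls(reference_root), index_dlls(installed_root)
    report = {"match": [], "modified": [], "unknown": [], "divergent_copies": []}
    for name, copies in sorted(inst.items()):
        hashes = set(copies.values())
        if len(hashes) > 1:  # same name, different bytes in different directories
            report["divergent_copies"].append(name)
        if name not in ref:  # no reference copy to compare against
            report["unknown"].append(name)
        elif hashes <= set(ref[name].values()):
            report["match"].append(name)
        else:  # at least one installed copy matches no reference copy
            report["modified"].append(name)
    return report

def demo():
    """Build constructed sample trees (placeholder bytes, not real DLLs) and compare."""
    layout = {
        "ref/system32/atl.dll": b"reference build",
        "ref/system32/other.dll": b"unchanged",
        "inst/system32/atl.dll": b"reference build",
        "inst/app/atl.dll": b"rebuilt copy",
        "inst/system32/other.dll": b"unchanged",
        "inst/app/vendor.dll": b"vendor code",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in layout.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return compare_trees(Path(tmp, "ref"), Path(tmp, "inst"))

if __name__ == "__main__":
    print(demo())
```

A differing hash only shows that the bytes are not those of the reference copy; a different version or patch level produces the same result, so the reference tree has to come from the same release as the install being checked.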