Fwd: BBV: Unredacted Hursti Diebold reports, photos released

From: Kathy Dopp <kathy_dot_dopp_at_gmail_dot_com>
Date: Mon Jul 03 2006 - 18:50:52 CDT

Happy Birthday America - July 4th Fireworks!

BlackBox Voting releases detailed information on how to hack elections using
the Diebold touchscreens. This information was uncovered thanks to Utah's
Emery County Clerk, Bruce Funk who invited computer scientists to examine
his voting system.

BlackBoxVoting's public release of unredacted information puts the public on
a more equal footing with insiders within Diebold and election offices, to
be able to hack U.S. vote counts, particularly in Ohio, Utah, Maryland,
Mississippi, Georgia, and counties in Pennsylvania, California, Florida,
Virginia, Indiana, Kansas, Iowa, Texas, Alaska, Missouri, Colorado, Arizona,
Washington, Illinois, Tennessee, and Kentucky.

Rather than securing U.S. elections via scientificaly-conducted independent
audits, open source secure voting systems with voter verified paper ballots,
professionally-designed security measures designed by independent security
experts, and detailed election data monitoring -- there may be a
free-for-all vote-rigging frenzy to see who will be sworn into office.

It is up to U.S. Election Officials to secure U.S. voting systems.

Yet no state election officials have yet announced that they plan to
implement the recommendations of the Brennan Center, the National Election
Data Archive, and the Open Voting Consortium that would secure the integrity
of U.S. elections.

Here is the July 4th BlackBoxVoting Press Release:

---------- Forwarded message ----------
From: Black Box Voting <crew@blackboxvoting.org>
Date: 3 Jul 2006 21:56:56 -0000
Subject: BBV - 4th of July Fireworks: Unredacted Hursti reports, photos
released
To: kathy@uscountvotes.org

------------------------------------------------------------
Black Box Voting : From BBV:: BBV - 4th of July Fireworks: Unredacted Hursti
reports, photos released
------------------------------------------------------------

Posted by Bev Harris on Monday, July 03, 2006 - 02:54 pm:

States and local jurisdictions did not take sufficient action to
mitigate risks.

Black Box Voting has provided the following to VoterAction.org for its
litigation. This will become a public record via the litigation filed
by Lowell Finley. Because public officials who have received the
unredacted reports have failed to take this risk seriously and arrange
for appropriate mitigations, and because Black Box Voting believes
this information is of critical public interest for pending litigation
and citizen actions, we are releasing it publicly now.

HERE'S AN INFORMAL SYNOPSIS OF THE UNMITIGATED RISKS IN THE DIEBOLD
TSX:

A huge risk to the integrity of elections is a contaminated
bootloader. Here's why: If you own the bootloader, you own the
machine. The source code for the TSx, along with the technical data
package, have been publicly released since 2003. Estimates are that it
would take approximately three months for a reasonably skilled
programmer to design a working malicious bootloader.

You cannot clean a maliciously designed bootloader with the
mitigations performed so far by state officials (replacing programs
via memory cards).

HERE ARE SOME SPECIFIC PROBLEMS WITH THE DIEBOLD BOOTLOADER:

1) It appears not to have been examined by the Independent Testing
Authorities (ITAs). Therefore, we don't even know whether the original
bootloader contains malicious code.

2) There appears to be no authentication procedure when installing
"clean versions" to ensure that the code is the same as that which was
examined by the ITAs (and in this case, the ITAs didn't even examine
it).

3) There is no forensic test that will reveal a malicious bootloader

4) Because of the design of the Diebold TSx machine, a malicious
bootloader can be installed at any time from factory installation to
the election itself. Once a bootloader is contaminated, it can control
the machine permanently.

A contaminated bootloader, especially in combination with other
security issues in the TSx, has the potential to allow manipulation on
an election-by-election basis, at any time during the election cycle
and even years in advance of the election.

5) The Diebold TSx machine's motherboard contains a JTAG connection
which can be used to take control of the motherboard. Although you
cannot reliably clean a malicious bootloader by reinstalling it with a
memory card, you can install a pristine version using the JTAG cable.

However, there appears to be no pristine version of the bootloader,
since it has never been examined by the ITAs.

6) Unfortunately, the JTAG connector can be used to overwrite a
so-called authentic and proper bootloader with a malicious one. Thus,
even if a so-called pristine bootloader is installed via the JTAG
connector, the same connector can be used to replace that one with a
new one at any time.

7) In order to access the JTAG connection, you must pop open the case
to the TSx tablet. Unfortunately, the case on the TSx is designed with
no security. You can open it by unscrewing 8 standard phillips head
screws, access the JTAG connector, replace the bootloader and control
the machine for the rest of its life, despite L&A tests,
reinstallations of "clean" copies via memory cards or network
connections, etc.

8) TSx machines in California -- 10,000 machines in San Diego alone --
were sent home for "sleepovers" with poll workers in back in 2004,
when they were used for the March primary election. Over 1,000
machines originally used in Solano County, Calif, are now being used
in Johnson County, Kansas. The TSx machines are now being used
throughout the states of Mississippi, Utah, in dozens of Ohio
counties, and in many high-population California counties. A case can
be made that the Diebold TSx machine will dictate control of the U.S.
congress in November.

The sleepovers broke chain of custody. The combination of unsecured
cases with the ability to quickly alter the bootloader using the JTAG
connector means these machines cannot be considered "trusted" until
proper mitigations are done.

PROPER MITIGATIONS:

- The "official" bootloader needs to be sent to the ITAs for
examination, as well as provided to state voting machine examiners.

- An authentication device needs to be used to make sure that this
bootloader code, once examined by test labs, is the authentic version
of the code

- Once this is done, each of the cases needs to be opened and an
authentic clean bootloader installed using the JTAG cable.

- After this is done, the cases need to be sealed with tamper-evident
mechanisms. Note that "tamper evident" tape is quite different from
"tamper resistant" tape. Tamper evident tape should leave an indelible
mark if removed.

Note that the TSx tablet is stored inside a case, and is also seated
in the case during elections. It may be difficult to observe whether
the tablet has been opened -- even with tamper evident mechanisms --
unless it is removed from the case.

- Due to the severity of this security defect, and the deceptiveness
with which Diebold Election Systems has handled this situation, all
citizens who vote on these machines should be able to see for
themselves that the proper mitigations were done and that the case has
not been opened. This means:

a. The ITA review of the bootloader code should be done immediately
and the report should be made public.

b. The authentication methodology should be identified to the public.

c. The opening of the case and the installation of authentic, approved
bootloaders should be publicly announced and viewable by the public.
This process should be performed by public officials, not by Diebold
Election Systems.

d. The sealing of the case should be publicly viewable.

e. The case should be sealed in such a way that poll workers and the
public can verify that cases have not been opened when the machines
are deployed on election day.

IN A SANE WORLD, THESE MACHINES WOULD BE RECALLED.

According to recent PBS coverage, the reason NASED and/or the EAC have
given for failing to require a recall of the Diebold TSx is that it
would involve a lot of litigation and trouble.

It would not, of course, require litigation if Diebold initiated it.

OTHER ISSUES

Also, when you pop the tablet casing open, you can also pop out the
modem and install another device in place of the approved modem. You
can also insert an SD card wireless card in the slot.

Problems with sealing the case after delivery:

- Elections officials don't know if the legitimate modem or a wireless
modem is inside the case

- Elections officials don't know if there is an SD wireless card in
the slot

- The only way to find out is to open the case, which invalidates the
warranty

HERE ARE THE UNREDACTED HURSTI REPORTS:

http://www.bbvdocs.org/reports/BBVreportIIunredacted.pdf

http://www.bbvdocs.org/reports/BBVreportII-supplement-unredacted.pdf

HERE IS THE CONFIGURATION GUIDE:
http://www.bbvdocs.org/diebold/tsx/Wildcat-Software-Configuration-Guide.doc

HERE IS THE SOURCE CODE (Diebold will claim it is "old" of course)
http://www.bbvdocs.org/diebold/tsx/Wildcat_BSP_Source.zip

LOCATOR GRID
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-GRID-LOCATION-GUIDE.JPG

JTAG closeup (Section E4)
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E4.JPG

Closeup of SD card slot:
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-SD-MMC-closeup.jpg

Closeup of modem (underneath it are piggyback connectors,
unfortunately we did
not get a photo of them)
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-modem-closeup.JPG

HERE IS THE FIRST BATCH OF PHOTOGRAPHS:

Small versions will be uploaded in a day or two and will be appended
to this.

http://www.bbvdocs.org/diebold/tsx/accessibility-keypad-being-plugged-in.jpg
http://www.bbvdocs.org/diebold/tsx/accessibility-keypad-plug-on-tsx.jpg
http://www.bbvdocs.org/diebold/tsx/accessory-keypad-installed.jpg
http://www.bbvdocs.org/diebold/tsx/polltape-printer-under-vvpat-printer1.jpg
http://www.bbvdocs.org/diebold/tsx/polltape-printer-under-vvpat-printer2.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-assembled-without-vvpat.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-carrying-handle-view.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-side-view1.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-side-view2.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-sm.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-top-view.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-underside.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-unit-main-connector.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-battery.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-battery-closeup-reverse-side-w-nimh.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-main-base-station-connector.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-main-power-button-and-pcmcia-1.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-pcmcia-2-modem-port-and-button.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-phone-jack-for-modem-and-pcmcia-2.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-showing-audit-log-segment.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-side-view-with-button.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-sideview-with-smartcard-reader.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-smartcard-reader.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-view-of-voter-accessible-button.jpg
http://www.bbvdocs.org/diebold/tsx/512meg-USB-flash-loaded-on-GEMS.JPG
http://www.bbvdocs.org/diebold/tsx/back-of-GEMS-server-Dell-Xeon-1800.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-box-closeup-of-slot-area.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-closeup-of-motherboard-ports.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-closeup-of-removeable-drives.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-smartcard-writer-RS232.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-smartcard-writer-RS232-back.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-smartcard-writer-RS232-opening.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-task-manager-processes.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-GRID-LOCATION-GUIDE.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-misc-closeup2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-misc-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-modem-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-RAM-and-flash-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-ROM-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-SD-MMC-closeup.jpg
http://www.bbvdocs.org/diebold/tsx/Keypad-and-headset-kit.JPG
http://www.bbvdocs.org/diebold/tsx/Paper-rolls.JPG
http://www.bbvdocs.org/diebold/tsx/PCMCIA-and-CF-Ethernet-card1.JPG
http://www.bbvdocs.org/diebold/tsx/PCMCIA-and-CF-Ethernet-card2.JPG
http://www.bbvdocs.org/diebold/tsx/PCMCIA-and-CF-Ethernet-card3-sm.JPG
http://www.bbvdocs.org/diebold/tsx/Rack-of-TSx.jpg
http://www.bbvdocs.org/diebold/tsx/Spryus-card-programmer-front-and-back.JPG
http://www.bbvdocs.org/diebold/tsx/Supervisor-card.JPG
http://www.bbvdocs.org/diebold/tsx/Voter-access-card.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-connector-flaw-closeup-1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-connector-flaw-closeup-2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-connector-flaw-top-view.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-loose-power-plug-closeup-with-Bruce.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-loose-power-plug-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-loose-power-plug-with-Bruce.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-access-issue-with-smartcard-1.jpg
http://www.bbvdocs.org/diebold/tsx/TSx-access-issue-with-smartcard-2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-access-issue-with-smartcard-3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-fresnel-lens-in-use.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-description-pic.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-fresnel-lens.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-paper-jam-in-progress2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-paper-jam-in-progress.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-without-fresnel-lens.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-with-VVPAT-door-up.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-with-VVPAT-installed.JPG
http://www.bbvdocs.org/diebold/tsx/Ethernet-PCMCIA-card.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc1.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc2.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc3.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc4.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc5.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc6.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc7.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc8.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc9.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc10.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc11.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc12.JPG

THE SYNOPSIS OF THE BOOTLOADER ISSUE WAS WRITTEN BY BEV HARRIS AFTER
CAREFUL REVIEW OF THE VIDEOTAPES AND INTERVIEWS WITH HARRI HURSTI AND
SECURITY INNOVATION. IF YOU SPOT ANY TECHNICAL CORRECTIONS OR SEE A
STATEMENT THAT REQUIRES FURTHER QUALIFICATION, PLEASE NOTIFY US AND WE
WILL EVALUATE AND ISSUE AN APPROPRIATE CLARIFICATION OR CORRECTION IF
WARRANTED.

Permission to reprint granted, with link to
http://www.blackboxvoting.org

* * * * *

Black Box Voting is a nonpartisan, nonprofit 501c(3) elections
watchdog group funded entirely by citizen donations. To support our
work, click to http://www.blackboxvoting.org/donate.html or mail to:
Black Box Voting
330 SW 43rd St Suite K
PMB 547
Renton WA 98055

To sign up for the National Hand Count Registry click here:
http://www.bbvforums.org/cgi-bin/forums/board-profile.cgi?action=register

------------------------------------------------------------

Use this link to go directly to full article:
http://www.bbvforums.org/cgi-bin/forums/show.cgi?23291/32864

-- 
Forwarded by
----
Kathy Dopp
http://electionarchive.org
http://utahcountvotes.org
National Election Data Archive
Dedicated to Accurately Counting Elections
Subscribe to announcements by emailing election-subscribe@uscountvotes.org
Please donate or volunteer.  We need immediate funding to accomplish our
project to ensure that the correctly elected candidates are sworn into
office in upcoming elections.
"Enlighten the people generally, and tyranny and oppressions of body and
mind will vanish like evil spirits at the dawn of day," wrote Thomas
Jefferson in 1816

_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Mon Jul 31 23:17:03 2006

This archive was generated by hypermail 2.1.8 : Mon Jul 31 2006 - 23:17:09 CDT