World Video | Defence | Foreign Affairs | Natural Events | Trade | NZ in World News | NZ National News Video | NZ Regional News | Search

 


4th of July: Unredacted Hursti reports released

------------------------------------------------------------
Black Box Voting : From BBV:: BBV - 4th of July Fireworks: Unredacted Hursti reports, photos released
------------------------------------------------------------

Posted by Bev Harris on Monday, July 03, 2006 - 02:54 pm:

States and local jurisdictions did not take sufficient action to mitigate risks.

Black Box Voting has provided the following to VoterAction.org for its litigation. This will become a public record via the litigation filed by Lowell Finley. Because public officials who have received the unredacted reports have failed to take this risk seriously and arrange for appropriate mitigations, and because Black Box Voting believes this information is of critical public interest for pending litigation and citizen actions, we are releasing it publicly now.

HERE'S AN INFORMAL SYNOPSIS OF THE UNMITIGATED RISKS IN THE DIEBOLD TSX:

A huge risk to the integrity of elections is a contaminated bootloader. Here's why: If you own the bootloader, you own the machine. The source code for the TSx, along with the technical data package, have been publicly released since 2003. Estimates are that it would take approximately three months for a reasonably skilled programmer to design a working malicious bootloader.

You cannot clean a maliciously designed bootloader with the mitigations performed so far by state officials (replacing programs via memory cards).

HERE ARE SOME SPECIFIC PROBLEMS WITH THE DIEBOLD BOOTLOADER:

1) It appears not to have been examined by the Independent Testing Authorities (ITAs). Therefore, we don't even know whether the original bootloader contains malicious code.

2) There appears to be no authentication procedure when installing "clean versions" to ensure that the code is the same as that which was examined by the ITAs (and in this case, the ITAs didn't even examine it).

3) There is no forensic test that will reveal a malicious bootloader

4) Because of the design of the Diebold TSx machine, a malicious bootloader can be installed at any time from factory installation to the election itself. Once a bootloader is contaminated, it can control the machine permanently.

A contaminated bootloader, especially in combination with other security issues in the TSx, has the potential to allow manipulation on an election-by-election basis, at any time during the election cycle and even years in advance of the election.

5) The Diebold TSx machine's motherboard contains a JTAG connection which can be used to take control of the motherboard. Although you cannot reliably clean a malicious bootloader by reinstalling it with a memory card, you can install a pristine version using the JTAG cable.

However, there appears to be no pristine version of the bootloader, since it has never been examined by the ITAs.

6) Unfortunately, the JTAG connector can be used to overwrite a so-called authentic and proper bootloader with a malicious one. Thus, even if a so-called pristine bootloader is installed via the JTAG connector, the same connector can be used to replace that one with a new one at any time.

7) In order to access the JTAG connection, you must pop open the case to the TSx tablet. Unfortunately, the case on the TSx is designed with no security. You can open it by unscrewing 8 standard phillips head screws, access the JTAG connector, replace the bootloader and control the machine for the rest of its life, despite L&A tests, reinstallations of "clean" copies via memory cards or network connections, etc.

8) TSx machines in California -- 10,000 machines in San Diego alone -- were sent home for "sleepovers" with poll workers in back in 2004, when they were used for the March primary election. Over 1,000 machines originally used in Solano County, Calif, are now being used in Johnson County, Kansas. The TSx machines are now being used throughout the states of Mississippi, Utah, in dozens of Ohio counties, and in many high-population California counties. A case can be made that the Diebold TSx machine will dictate control of the U.S. congress in November.

The sleepovers broke chain of custody. The combination of unsecured cases with the ability to quickly alter the bootloader using the JTAG connector means these machines cannot be considered "trusted" until proper mitigations are done.

PROPER MITIGATIONS:

- The "official" bootloader needs to be sent to the ITAs for examination, as well as provided to state voting machine examiners.

- An authentication device needs to be used to make sure that this bootloader code, once examined by test labs, is the authentic version of the code

- Once this is done, each of the cases needs to be opened and an authentic clean bootloader installed using the JTAG cable.

- After this is done, the cases need to be sealed with tamper-evident mechanisms. Note that "tamper evident" tape is quite different from "tamper resistant" tape. Tamper evident tape should leave an indelible mark if removed.

Note that the TSx tablet is stored inside a case, and is also seated in the case during elections. It may be difficult to observe whether the tablet has been opened -- even with tamper evident mechanisms -- unless it is removed from the case.

- Due to the severity of this security defect, and the deceptiveness with which Diebold Election Systems has handled this situation, all citizens who vote on these machines should be able to see for themselves that the proper mitigations were done and that the case has not been opened. This means:

a. The ITA review of the bootloader code should be done immediately and the report should be made public.

b. The authentication methodology should be identified to the public.

c. The opening of the case and the installation of authentic, approved bootloaders should be publicly announced and viewable by the public. This process should be performed by public officials, not by Diebold Election Systems.

d. The sealing of the case should be publicly viewable.

e. The case should be sealed in such a way that poll workers and the public can verify that cases have not been opened when the machines are deployed on election day.

IN A SANE WORLD, THESE MACHINES WOULD BE RECALLED.

According to recent PBS coverage, the reason NASED and/or the EAC have given for failing to require a recall of the Diebold TSx is that it would involve a lot of litigation and trouble.

It would not, of course, require litigation if Diebold initiated it.

OTHER ISSUES

Also, when you pop the tablet casing open, you can also pop out the modem and install another device in place of the approved modem. You can also insert an SD card wireless card in the slot.

Problems with sealing the case after delivery:

- Elections officials don't know if the legitimate modem or a wireless modem is inside the case

- Elections officials don't know if there is an SD wireless card in the slot

- The only way to find out is to open the case, which invalidates the warranty

HERE ARE THE UNREDACTED HURSTI REPORTS:

http://www.bbvdocs.org/reports/BBVreportIIunredacted.pdf

http://www.bbvdocs.org/reports/BBVreportII-supplement-unredacted.pdf

HERE IS THE CONFIGURATION GUIDE:
http://www.bbvdocs.org/diebold/tsx/Wildcat-Software-Configuration-Guide.doc

HERE IS THE SOURCE CODE (Diebold will claim it is "old" of course)
http://www.bbvdocs.org/diebold/tsx/Wildcat_BSP_Source.zip

LOCATOR GRID
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-GRID-LOCATION-GUIDE.JPG

JTAG closeup (Section E4)
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E4.JPG

Closeup of SD card slot:
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-SD-MMC-closeup.jpg

Closeup of modem (underneath it are piggyback connectors,
unfortunately we did
not get a photo of them)
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-modem-closeup.JPG

HERE IS THE FIRST BATCH OF PHOTOGRAPHS:

Small versions will be uploaded in a day or two and will be appended to this.

http://www.bbvdocs.org/diebold/tsx/accessibility-keypad-being-plugged-in.jpg
http://www.bbvdocs.org/diebold/tsx/accessibility-keypad-plug-on-tsx.jpg
http://www.bbvdocs.org/diebold/tsx/accessory-keypad-installed.jpg
http://www.bbvdocs.org/diebold/tsx/polltape-printer-under-vvpat-printer1.jpg
http://www.bbvdocs.org/diebold/tsx/polltape-printer-under-vvpat-printer2.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-assembled-without-vvpat.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-carrying-handle-view.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-side-view1.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-side-view2.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-sm.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-top-view.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-underside.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-unit-main-connector.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-battery.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-battery-closeup-reverse-side-w-nimh.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-main-base-station-connector.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-main-power-button-and-pcmcia-1.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-pcmcia-2-modem-port-and-button.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-phone-jack-for-modem-and-pcmcia-2.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-showing-audit-log-segment.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-side-view-with-button.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-sideview-with-smartcard-reader.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-smartcard-reader.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-view-of-voter-accessible-button.jpg
http://www.bbvdocs.org/diebold/tsx/512meg-USB-flash-loaded-on-GEMS.JPG
http://www.bbvdocs.org/diebold/tsx/back-of-GEMS-server-Dell-Xeon-1800.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-box-closeup-of-slot-area.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-closeup-of-motherboard-ports.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-closeup-of-removeable-drives.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-smartcard-writer-RS232.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-smartcard-writer-RS232-back.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-smartcard-writer-RS232-opening.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-task-manager-processes.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-GRID-LOCATION-GUIDE.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-misc-closeup2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-misc-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-modem-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-RAM-and-flash-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-ROM-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-SD-MMC-closeup.jpg
http://www.bbvdocs.org/diebold/tsx/Keypad-and-headset-kit.JPG
http://www.bbvdocs.org/diebold/tsx/Paper-rolls.JPG
http://www.bbvdocs.org/diebold/tsx/PCMCIA-and-CF-Ethernet-card1.JPG
http://www.bbvdocs.org/diebold/tsx/PCMCIA-and-CF-Ethernet-card2.JPG
http://www.bbvdocs.org/diebold/tsx/PCMCIA-and-CF-Ethernet-card3-sm.JPG
http://www.bbvdocs.org/diebold/tsx/Rack-of-TSx.jpg
http://www.bbvdocs.org/diebold/tsx/Spryus-card-programmer-front-and-back.JPG
http://www.bbvdocs.org/diebold/tsx/Supervisor-card.JPG
http://www.bbvdocs.org/diebold/tsx/Voter-access-card.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-connector-flaw-closeup-1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-connector-flaw-closeup-2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-connector-flaw-top-view.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-loose-power-plug-closeup-with-Bruce.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-loose-power-plug-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-loose-power-plug-with-Bruce.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-access-issue-with-smartcard-1.jpg
http://www.bbvdocs.org/diebold/tsx/TSx-access-issue-with-smartcard-2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-access-issue-with-smartcard-3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-fresnel-lens-in-use.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-description-pic.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-fresnel-lens.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-paper-jam-in-progress2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-paper-jam-in-progress.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-without-fresnel-lens.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-with-VVPAT-door-up.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-with-VVPAT-installed.JPG
http://www.bbvdocs.org/diebold/tsx/Ethernet-PCMCIA-card.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc1.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc2.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc3.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc4.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc5.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc6.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc7.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc8.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc9.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc10.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc11.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc12.JPG

THE SYNOPSIS OF THE BOOTLOADER ISSUE WAS WRITTEN BY BEV HARRIS AFTER CAREFUL REVIEW OF THE VIDEOTAPES AND INTERVIEWS WITH HARRI HURSTI AND SECURITY INNOVATION. IF YOU SPOT ANY TECHNICAL CORRECTIONS OR SEE A STATEMENT THAT REQUIRES FURTHER QUALIFICATION, PLEASE NOTIFY US AND WE WILL EVALUATE AND ISSUE AN APPROPRIATE CLARIFICATION OR CORRECTION IF WARRANTED.

Permission to reprint granted, with link to http://www.blackboxvoting.org

* * * * *

Black Box Voting is a nonpartisan, nonprofit 501c(3) elections watchdog group funded entirely by citizen donations. To support our work, click to http://www.blackboxvoting.org/donate.html or mail to: Black Box Voting
330 SW 43rd St Suite K
PMB 547
Renton WA 98055

To sign up for the National Hand Count Registry click here:
http://www.bbvforums.org/cgi-bin/forums/board-profile.cgi?action=register

------------------------------------------------------------


Use this link to go directly to full article:
http://www.bbvforums.org/cgi-bin/forums/show.cgi?23291/32864


ENDS

© Scoop Media

 
 
 
 
 
World Headlines

 

At The UN: Paris Climate Agreement Moves Closer To Entry Into Force

The Paris Agreement on climate change moved closer toward entering into force in 2016 as 31 more countries joined the agreement today at a special event hosted by United Nations Secretary-General Ban Ki-moon. More>>

ALSO:

ALSO:

Gordon Campbell: On The End Game In Spain (And Other World News)

The coverage of international news seems almost entirely dependent on a random selection of whatever some overseas news agency happens to be carrying overnight... Here are a few interesting international stories that have largely flown beneath the radar this past week. More>>

Amnesty/Human Rights Watch: Appalling Abuse, Neglect Of Refugees On Nauru

Refugees and asylum seekers on Nauru, most of whom have been held there for three years, routinely face neglect by health workers and other service providers who have been hired by the Australian government, as well as frequent unpunished assaults by local Nauruans. More>>

ALSO:

Other Australian Detention

Gordon Campbell: On The Censorship Havoc In South Africa’s State Broadcaster

Demands have included an order to staff that there should be no further negative news about the country’s President Jacob Zuma, and SABC camera operators responsible for choosing camera angles that have allegedly made the President ‘look shorter’ were to be retrained... More>>

ALSO:

Gordon Campbell: On A Bad Week For Malcolm Turnbull, And The Queen

Malcolm Turnbull’s immediate goal – mere survival – is still within his grasp... In every other respect though, this election has been a total disaster for the Liberals. More>>

ALSO:

Gordon Campbell: On Bidding Bye Bye To Boris

Boris Johnson’s exit from the contest for Conservative Party leadership supports the conspiracy theory that he never really expected the “Leave” option to win the referendum – and he has no intention now of picking up the poisoned chalice that managing the outcome will entail... More>>

ALSO:

Get More From Scoop

 
 
 
 
 
World
Search Scoop  
 
 
Powered by Vodafone
NZ independent news