Black Box Voting forum: Latest Investigations from Black Box Voting

Fourth of July Fireworks: Unredacted Hursti reports, photos released

Bev Harris
Board Administrator
Username: Admin

Post Number: 5332
Registered: 12-2004

Votes: 28

Posted on Monday, July 3, 2006 - 2:36 pm:

States and local jurisdictions did not take sufficient action to mitigate risks.

Black Box Voting has provided the following to VoterAction.org for its litigation. This will become a public record via the litigation filed by Lowell Finley. Because public officials who have received the unredacted reports have failed to take this risk seriously and arrange for appropriate mitigations, and because Black Box Voting believes this information is of critical public interest for pending litigation and citizen actions, we are releasing it publicly now.

Here's an informal synopsis of the unmitigated risks in the Diebold TSx:

A huge risk to the integrity of elections is a contaminated bootloader. Here's why: If you own the bootloader, you own the machine. The source code for the TSx, along with the technical data package, have been publicly released since 2003. Estimates are that it would take approximately three months for a reasonably skilled programmer to design a working malicious bootloader.

You cannot clean a maliciously designed bootloader with the mitigations performed so far by state officials (replacing programs via memory cards).

Here are some specific problems with the Diebold bootloader:

1) It appears not to have been examined by the Independent Testing Authorities (ITAs). Therefore, we don't even know whether the original bootloader contains malicious code.

2) There appears to be no authentication procedure when installing "clean versions" to ensure that the code is the same as that which was examined by the ITAs (and in this case, the ITAs didn't even examine it).

3) There is no forensic test that will reveal a malicious bootloader.

4) Because of the design of the Diebold TSx machine, a malicious bootloader can be installed at any time from factory installation to the election itself. Once a bootloader is contaminated, it can control the machine permanently.

A contaminated bootloader, especially in combination with other security issues in the TSx, has the potential to allow manipulation on an election-by-election basis, at any time during the election cycle and even years in advance of the election.

5) The Diebold TSx machine's motherboard contains a JTAG connection which can be used to take control of the motherboard. Although you cannot reliably clean a malicious bootloader by reinstalling it with a memory card, you can install a pristine version using the JTAG cable.

However, there appears to be no pristine version of the bootloader, since it has never been examined by the ITAs.

6) Unfortunately, the JTAG connector can also be used to overwrite a so-called authentic and proper bootloader with a malicious one. Thus, even if a so-called pristine bootloader is installed via the JTAG connector, the same connector can be used to replace that one with a new one at any time.

7) In order to access the JTAG connection, you must pop open the case to the TSx tablet. Unfortunately, the case on the TSx is designed with no security. You can open it by unscrewing 8 standard Phillips-head screws, access the JTAG connector, replace the bootloader and control the machine for the rest of its life, despite L&A tests, reinstallations of "clean" copies via memory cards or network connections, etc.

8) TSx machines in California -- 10,000 machines in San Diego alone -- were sent home for "sleepovers" with poll workers back in 2004, when they were used for the March primary election. Over 1,000 machines originally used in Solano County, Calif., are now being used in Johnson County, Kansas. The TSx machines are now being used throughout the states of Mississippi and Utah, in dozens of Ohio counties, and in many high-population California counties. A case can be made that the Diebold TSx machine will dictate control of the U.S. Congress in November.

The sleepovers broke chain of custody. The combination of unsecured cases with the ability to quickly alter the bootloader using the JTAG connector means these machines cannot be considered "trusted" until proper mitigations are done.

Proper mitigations:

- The "official" bootloader needs to be sent to the ITAs for examination, as well as provided to state voting machine examiners.

- An authentication device needs to be used to make sure that this bootloader code, once examined by test labs, is the authentic version of the code.

- Once this is done, each of the cases needs to be opened and an authentic clean bootloader installed using the JTAG cable.

- After this is done, the cases need to be sealed with tamper-evident mechanisms. Note that "tamper evident" tape is quite different from "tamper resistant" tape. Tamper evident tape should leave an indelible mark if removed.

Note that the TSx tablet is stored inside a case, and is also seated in the case during elections. It may be difficult to observe whether the tablet has been opened -- even with tamper evident mechanisms -- unless it is removed from the case.

- Due to the severity of this security defect, and the deceptiveness with which Diebold Election Systems has handled this situation, all citizens who vote on these machines should be able to see for themselves that the proper mitigations were done and that the case has not been opened. This means:

a. The ITA review of the bootloader code should be done immediately and the report should be made public.

b. The authentication methodology should be identified to the public.

c. The opening of the case and the installation of authentic, approved bootloaders should be publicly announced and viewable by the public. This process should be performed by public officials, not by Diebold Election Systems.

d. The sealing of the case should be publicly viewable.

e. The case should be sealed in such a way that poll workers and the public can verify that cases have not been opened when the machines are deployed on election day.

In a sane world, these machines would be recalled.

According to recent PBS coverage, the reason NASED and/or the EAC have given for failing to require a recall of the Diebold TSx is that it would involve a lot of litigation and trouble.

It would not, of course, require litigation if Diebold initiated it.

Other issues

Also, when you pop the tablet casing open, you can pop out the modem and install another device in place of the approved modem. You can also insert an SD wireless card in the slot.

Problems with sealing the case after delivery:

- Elections officials don't know if the legitimate modem or a wireless modem is inside the case.

- Elections officials don't know if there is an SD wireless card in the slot.

- The only way to find out is to open the case, which invalidates the warranty.

Here are the unredacted Hursti TSx reports:

http://www.bbvdocs.org/reports/BBVreportIIunredacted.pdf

http://www.bbvdocs.org/reports/BBVreportII-supplement-unredacted.pdf

Here are two files:
http://www.bbvdocs.org/diebold/tsx/Wildcat-Software-Configuration-Guide.doc

and the source code (Diebold will claim it is "old" of course)
http://www.bbvdocs.org/diebold/tsx/Wildcat_BSP_Source.zip

LOCATOR GRID
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-GRID-LOCATION-GUIDE.JPG

JTAG closeup (Section E4)
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E4.JPG

Closeup of SD card slot:
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-SD-MMC-closeup.jpg

Closeup of modem (underneath it are piggyback connectors, unfortunately we did not get a photo of them)
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-modem-closeup.JPG

Here is the first batch of photographs. Small versions will be uploaded in a day or two and will be appended to this.

http://www.bbvdocs.org/diebold/tsx/accessibility-keypad-being-plugged-in.jpg
http://www.bbvdocs.org/diebold/tsx/accessibility-keypad-plug-on-tsx.jpg
http://www.bbvdocs.org/diebold/tsx/accessory-keypad-installed.jpg
http://www.bbvdocs.org/diebold/tsx/polltape-printer-under-vvpat-printer1.jpg
http://www.bbvdocs.org/diebold/tsx/polltape-printer-under-vvpat-printer2.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-assembled-without-vvpat.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-carrying-handle-view.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-side-view1.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-side-view2.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-sm.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-top-view.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-station-underside.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-base-unit-main-connector.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-battery.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-battery-closeup-reverse-side-w-nimh.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-main-base-station-connector.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-main-power-button-and-pcmcia-1.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-pcmcia-2-modem-port-and-button.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-phone-jack-for-modem-and-pcmcia-2.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-showing-audit-log-segment.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-side-view-with-button.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-sideview-with-smartcard-reader.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-smartcard-reader.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-view-of-voter-accessible-button.jpg
http://www.bbvdocs.org/diebold/tsx/512meg-USB-flash-loaded-on-GEMS.JPG
http://www.bbvdocs.org/diebold/tsx/back-of-GEMS-server-Dell-Xeon-1800.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-box-closeup-of-slot-area.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-closeup-of-motherboard-ports.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-closeup-of-removeable-drives.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-smartcard-writer-RS232.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-smartcard-writer-RS232-back.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-smartcard-writer-RS232-opening.JPG
http://www.bbvdocs.org/diebold/tsx/GEMS-task-manager-processes.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-GRID-LOCATION-GUIDE.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-A4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B1.jpg
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B2.jpg
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B3.jpg
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B4.jpg
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-C4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-D4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-E4.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-misc-closeup2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-misc-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-modem-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-RAM-and-flash-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-ROM-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-SD-MMC-closeup.jpg
http://www.bbvdocs.org/diebold/tsx/Keypad-and-headset-kit.JPG
http://www.bbvdocs.org/diebold/tsx/Paper-rolls.JPG
http://www.bbvdocs.org/diebold/tsx/PCMCIA-and-CF-Ethernet-card1.JPG
http://www.bbvdocs.org/diebold/tsx/PCMCIA-and-CF-Ethernet-card2.JPG
http://www.bbvdocs.org/diebold/tsx/PCMCIA-and-CF-Ethernet-card3-sm.JPG
http://www.bbvdocs.org/diebold/tsx/Rack-of-TSx.jpg
http://www.bbvdocs.org/diebold/tsx/Spryus-card-programmer-front-and-back.JPG
http://www.bbvdocs.org/diebold/tsx/Supervisor-card.JPG
http://www.bbvdocs.org/diebold/tsx/Voter-access-card.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-connector-flaw-closeup-1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-connector-flaw-closeup-2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-connector-flaw-top-view.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-loose-power-plug-closeup-with-Bruce.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-loose-power-plug-closeup.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-loose-power-plug-with-Bruce.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-access-issue-with-smartcard-1.jpg
http://www.bbvdocs.org/diebold/tsx/TSx-access-issue-with-smartcard-2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-access-issue-with-smartcard-3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-fresnel-lens-in-use.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-description-pic.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-fresnel-lens.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-paper-jam-in-progress2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-paper-jam-in-progress.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-VVPAT-without-fresnel-lens.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-with-VVPAT-door-up.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-with-VVPAT-installed.JPG
http://www.bbvdocs.org/diebold/tsx/Ethernet-PCMCIA-card.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc1.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc2.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc3.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc4.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc5.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc6.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc7.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc8.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc9.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc10.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc11.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc12.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc13.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc14.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc15.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc16.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc17.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc18.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc19.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc20.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc21.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc22.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc23.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc24.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc25.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc26.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc27.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc28.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc29.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc30.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc31.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc32.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc33.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc34.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc35.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc36.JPG


THE SYNOPSIS OF THE BOOTLOADER ISSUE WAS WRITTEN BY BEV HARRIS AFTER CAREFUL REVIEW OF THE VIDEOTAPES AND INTERVIEWS WITH HARRI HURSTI AND SECURITY INNOVATION. IF YOU SPOT ANY TECHNICAL CORRECTIONS OR SEE A STATEMENT THAT REQUIRES FURTHER QUALIFICATION, PLEASE NOTIFY US AND WE WILL EVALUATE AND ISSUE AN APPROPRIATE CLARIFICATION OR CORRECTION IF WARRANTED.

Permission to reprint granted, with link to http://www.blackboxvoting.org

BLACK BOX VOTING is a nonprofit, nonpartisan elections watchdog group funded entirely by citizen donations. To support our work, click here: http://www.blackboxvoting.org/donate.html
* * * * *

"We're counting the votes. Get over it."

Be part of the solution: Please sign up for the NATIONAL HAND COUNT REGISTRY: Go to Home Page - Hand Count Registry is right above lead story

Make November elections the biggest evidence gathering action ever. EVIDENCE = videotape, audiotape and photos. Come prepared. This time, focus on the COUNTING not just the voting.
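As an added illustration of points 2 and 4 in the synopsis above and of the mitigations list, here is a small Python model, written for this page rather than taken from Black Box Voting, Hursti or Diebold, in which the flash layout, region sizes and images are all constructed. It shows why a memory-card reinstall of the application leaves a modified bootloader region untouched, and why an integrity check needs both an examined reference image and a read-out that actually reaches the bootloader region.

```python
import hashlib
from dataclasses import dataclass

# Constructed flash layout for this example (illustrative sizes, not the
# real TSx part layout): a bootloader region and an application region.
BOOT_SIZE = 256
APP_SIZE = 1024


@dataclass
class Flash:
    """Toy model of the machine's flash: two independently writable regions."""
    boot: bytearray
    app: bytearray


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(boot_image: bytes, app_image: bytes) -> dict:
    """Reference digests a test lab would publish after examining both images.
    Without an examined bootloader image there is nothing to compare against."""
    return {"boot": sha256_hex(boot_image), "app": sha256_hex(app_image)}


def reinstall_from_memory_card(flash: Flash, app_image: bytes) -> None:
    """The mitigation officials actually performed: re-copy the application
    from a memory card. It rewrites only the application region."""
    flash.app[:] = app_image


def reinstall_bootloader_via_jtag(flash: Flash, boot_image: bytes) -> None:
    """The mitigation the post calls for: rewrite the bootloader region
    through the board's debug connector."""
    flash.boot[:] = boot_image


def dump_all_regions(flash: Flash) -> dict:
    """Read every region back (in practice over JTAG, the only path in the
    post that reaches the bootloader region) so the check covers both."""
    return {"boot": bytes(flash.boot), "app": bytes(flash.app)}


def verify(dump: dict, manifest: dict) -> dict:
    """Per-region result: True where the read-back image matches the
    examined reference digest, False where it differs."""
    return {region: sha256_hex(dump[region]) == digest
            for region, digest in manifest.items()}


def demo() -> tuple:
    # Constructed reference images standing in for the examined code.
    boot_ref = bytes(i % 256 for i in range(BOOT_SIZE))
    app_ref = b"\xa5" * APP_SIZE
    manifest = make_manifest(boot_ref, app_ref)

    # A machine whose flash no longer matches the references in either
    # region (constructed here by flipping one bit in each).
    flash = Flash(bytearray(boot_ref), bytearray(app_ref))
    flash.boot[17] ^= 0x01
    flash.app[3] ^= 0x01

    reinstall_from_memory_card(flash, app_ref)
    after_card = verify(dump_all_regions(flash), manifest)  # app ok, boot still wrong

    reinstall_bootloader_via_jtag(flash, boot_ref)
    after_jtag = verify(dump_all_regions(flash), manifest)  # both regions ok
    return after_card, after_jtag


if __name__ == "__main__":
    card, jtag = demo()
    print("after memory-card reinstall:", card)
    print("after JTAG bootloader reinstall:", jtag)
```

The check only becomes possible once an examined reference bootloader exists, which is exactly what the first two mitigation steps in the post ask for.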

Joseph Hall
Voting Rights Forum Participant
Username: Joehall

Post Number: 100
Registered: 01-2005

Votes: 0

Posted on Monday, July 3, 2006 - 4:41 pm:

(From admin - all links below are now fixed)

I get 404s on the following images:

http://www.bbvdocs.org/diebold/tsx/tsx-side-view-with-button.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-sideview-with-smartcard-reader.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-smartcard-reader.jpg
http://www.bbvdocs.org/diebold/tsx/tsx-view-of-voter-accessible-button.jpg
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B1.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B2.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B3.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-motherboard-B4.JPG
http://www.bbvdocs.org/diebold/tsx/PCMCIA-and-CF-Ethernet-card3-sm.JPG
http://www.bbvdocs.org/diebold/tsx/TSx-loose-power-plug-closeup-with-Bruce.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc10.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc11.JPG
http://www.bbvdocs.org/diebold/tsx/tsx-misc12.JPG

They're beautiful, by the way. -Joe

Michael W Mather
Voting Rights Forum Participant
Username: Gypsy

Post Number: 63
Registered: 07-2005

Votes: 0

Posted on Monday, July 3, 2006 - 5:23 pm:

(From admin - link below is now fixed)

Bev,
Great 4th of July 'Fireworks.'

Note that some of the links to the photos have a problem; they lead to a "Not Found" page.
This one for example:
http://www.bbvdocs.org/diebold/tsx/tsx-side-view-with-button.jpg

Thanks.

Bev Harris
Board Administrator
Username: Admin

Post Number: 5335
Registered: 12-2004

Votes: 0

Posted on Monday, July 3, 2006 - 7:30 pm:

On the motherboard (b1 b2 b3 b4) substitute jpg for JPG.

I'll troubleshoot the others tomorrow. Spilled coffee on my laptop and had to run it in to the repair shop, will re-upload from the office computer.

Sorry 'bout that.

John Gideon
Frequent Voting Rights Forum Participant
Username: Johngideon

Post Number: 235
Registered: 12-2004

Votes: 0

Posted on Monday, July 3, 2006 - 7:45 pm:

Thanks for doing this. A lot of us have been waiting for this to happen.

Also, the report is on the TSx, but does all of this also affect the TS-R6?

Bev Harris
Board Administrator
Username: Admin

Post Number: 5338
Registered: 12-2004

Votes: 1

Posted on Monday, July 3, 2006 - 7:50 pm:

The motherboard on the TS-R6 is very different from the TSx motherboard. So is the source code, so is the case.

That being said, many of the weaknesses are the same. The delivery mechanism may differ.

You can find out a lot about the use of the JTAG connections by searching for the word "JTAG" in the source codes and memos. The source code for the TSx is called Wildcat and the source code for the TS-R6 is in the AccuTouch set of files from the cvs.tar directory.

I also recommend searching for the terms "SD card" and "SD/MMC" and "IrDA".

John Gideon
Frequent Voting Rights Forum Participant
Username: Johngideon

Post Number: 236
Registered: 12-2004

Votes: 1

Posted on Monday, July 3, 2006 - 7:51 pm:

Diebold claims that one of their accessibility features is that the core unit can be removed and set on the lap of a voter who is in a wheelchair.

That's great except that there is no extension cord from the core unit to the vvpat printer so when the core unit is removed the vvpat does not work.

In other words that accessibility feature cannot be used in any state that has a required vvpat.

Bev Harris
Board Administrator
Username: Admin

Post Number: 5339
Registered: 12-2004

Votes: 1

Posted on Monday, July 3, 2006 - 8:14 pm:

You have to have the core unit seated in the case to use the printer. (See photos). The core unit (the "tablet") is dark gray, the case is light beige. The VVPAT printer is actually seated in the case, and the only way I know of to use it is to seat the gray tablet in the case.

So yes, John, right on. When the tablet is brought to a disabled voter by removing it from the case, the VVPAT is eliminated, thereby achieving two things:

1) Discriminating against the disabled voter

and

2) Ruining the audit trail. Why? Suppose you have two voters that use the touchscreen outside its case and there's no VVPAT for them. Suppose you have only one vote separating the candidates. (This happens more often than you think in small local races!). You are missing two paper audit trails, and you will not be able to do a meaningful recount.

And, as an added sucky bonus, if just one disabled voter uses the tablet without the VVPAT, you can identify their vote, thereby removing voter privacy and discriminating against them in two ways at once.

Phil McCracken
Voting Rights Forum Participant
Username: Phil_mccracken

Post Number: 21
Registered: 01-2006

Votes: 0

Posted on Monday, July 3, 2006 - 9:58 pm:

Does everyone know how many counties had machines taken home in California? The answer is 56 counties (the two smallest counties in California have all-mail balloting). Why is this such a new issue to many, since this has occurred with ballots being taken home by poll workers for over 40 years?

I guess San Diego County was the only county in the US running an election this year...

Amazing...

I have a question for EVERYONE: Let's try and design a solution to this "issue." What would YOU recommend as the process for taking equipment, ballots and supplies to the polling places...to protect the chain of custody and the potential for fraud? This should be good discussion...I hope.

Bev Harris
Board Administrator
Username: Admin

Post Number: 5340
Registered: 12-2004

Votes: 0

Posted on Monday, July 3, 2006 - 10:50 pm:

Phil: You may post that discussion in the General Discussion area, and it will make for a fine discussion. I'm sure that step one would be to eliminate use of a Diebold TSx system with no security on the case which contains a JTAG connection inside allowing anyone with access to gain permanent control of the machine -- with no forensic test possible to find out if the machine has been contaminated.

California elections officials were told by Diebold that the TSx was secure. The machine is not only insecure, it is perilous to the republic.

The real question is: Did Diebold disclose this to the elections officials when they sold the system? Did they represent it as secure? Did they fail to warn?

The real questions continue: Why was the system designed this way in the first place? With half a billion in taxpayer funds spent on Diebold, when will we put these questions to the programmers who designed the system? We should not be asking the PR guy, we need to put some tough questions to the programmers themselves, under oath.

The real questions are why, after this information was provided to the secretary of state of California, the EAC, and dozens of others, did they not take appropriate steps to protect U.S. elections?

The real questions are why did it take two 50-year-old women to bring a guy here from Finland to tell us the truth -- and why, when the truth was revealed, was the problem not addressed appropriately?

It's okay to say the "C" word.

Corruption.

Barbara Bellows-TerraNova
Voting Rights Forum Participant
Username: Bellterr

Post Number: 13
Registered: 05-2006

Votes: 0

Posted on Tuesday, July 4, 2006 - 11:02 am:

Let's hear it for the 50-year-old woman!!!

On the 4th of July, who better to celebrate, than a woman who believes democracy is worth doing!

Thank you, Bev.

From a 54-year-old woman.

Joseph Hall
Frequent Voting Rights Forum Participant
Username: Joehall

Post Number: 101
Registered: 01-2005

Votes: 0

Posted on Tuesday, July 4, 2006 - 11:28 am:

The TSx should still be functional if it is unplugged, right? What (besides the damn thing being cumbersome) would preclude walking the whole unit (core, cradle, vvpat, etc.) out to a disabled voter? Just wondering if the "cumbersomeness" is the only deterrent from just taking the whole thing somewhere...

Bev Harris
Board Administrator
Username: Admin

Post Number: 5346
Registered: 12-2004

Votes: 0

Posted on Tuesday, July 4, 2006 - 2:38 pm:

The links are fixed, and I have added another couple dozen photos (linked into original post, starting from Misc 12 on).

There are about 50 more pics still to upload.

Kathleen Wynne
Moderator
Username: Admin_ii

Post Number: 437
Registered: 08-2005

Votes: 2

Posted on Tuesday, July 4, 2006 - 9:46 pm:

Even if the vendors and the ITAs did follow the procedures BBV has declared necessary -- and did so publicly with proper citizen oversight -- in order to mitigate the glaring security flaws inherent in the Diebold TSx touch screens in time for the November election, we will still be at the mercy of experts having to tell us whether or not the procedures were done correctly and then trust them to declare whether each voting machine is clean of malicious code. Will any citizen, without a computer background, have the ability to oversee this process effectively? If not, who will be overseeing this process throughout the country?

I don't think anyone can argue now, with all the hard evidence brought forth by BBV proving the many and varied security breakdowns at every level of our election process, that we need to start over. No band-aids this time around please! First, if this is to be done right, it would require us taking trust totally out of the process altogether.

To begin the process of reclaiming our elections, BBV has also been proclaiming for some time now that citizens must demand and get ASAP a public, televised hearing of the person or persons who designed the software architecture in the Diebold voting systems, answering questions under oath explaining why they ever designed such a flawed architecture riddled with redundant security holes and who approved it. The photos show the software architecture was intentionally designed this way. We have a right to know why. The answers we are given will guide us in deciding how to protect against this sort of thing from ever happening again. Furthermore, this hearing should also include all the vendors, the ITAs, NASED and state examiners (past and present). No more speculation about who did what, when and why. Waste of time and accomplishes nothing.

Another thing we shouldn't continue to trust and should make certain doesn't fall through the cracks -- We shouldn't assume that the other voting systems being used are safe and secure. So, we ought not be shy about demanding the same kind of independent testing be done on them, as was done on the Diebold voting systems. Why should we trust them to be safe and secure? The same ITAs and experts certified them. We need to know whether they also failed to examine certain components in these other systems and whether there are any hidden back doors open for business in them as well.

We cannot afford to compromise on taking these initial steps in letting go of trust in our elections process, if we are ever going to install and maintain a clean version of one. One designed to stop corruption before it starts and one that puts citizens in charge of a process designed for them to be able to effectively oversee and manage. No Ph.D. or computer background required. Only citizenship.

Kathleen

* * * * *

"We're counting the votes. Get over it."

Be part of the solution: Please sign up for the NATIONAL HAND COUNT REGISTRY: Go to Home Page - Hand Count Registry is right above lead story

Make November elections the biggest evidence gathering action ever. EVIDENCE = videotape, audiotape and photos. Come prepared. This time, focus on the COUNTING not just the voting.

Bruce Sims
Frequent Voting Rights Forum Participant
Username: Ubetchaiam

Post Number: 838
Registered: 06-2005

Votes: 0

Posted on Thursday, July 6, 2006 - 10:39 am:

To Joe Hall; I cannot speak except to what I observe in San Diego; the TSx's are mounted on a stand and tape is placed from the stand to the machine.
The stand is about 3 feet high, square, with what looks to be white plastic covering (the type of plastic used for trash bags) it and then tape holding everything in place.
So taking such curbside would be tough; it would be even tougher to undo the tape that attaches to the machine and stand, take the machine curbside, then bring it back in onto the stand and tape it all back together again.

Phil McCracken
Voting Rights Forum Participant
Username: Phil_mccracken

Post Number: 22
Registered: 01-2006

Votes: 0

Posted on Thursday, July 6, 2006 - 2:29 pm:

Hey Bruce:

Ever see a TSX up close? There is no tape, not even for taking the unit out to the curb! You are correct in saying the unit is "seated" in the base unit. But there is no tape....

Bev Harris
Board Administrator
Username: Admin

Post Number: 5362
Registered: 12-2004

Votes: 0

Posted on Thursday, July 6, 2006 - 3:49 pm:

Phil,

I was going to ask about the tape, but Bruce Sims says he observed this. So rather than saying "there is no tape" I'd like to ask him to clarify what he saw.

I find Bruce to be someone who tends to speak with precision, and I want to hear what he has to say on this.

Robert Munyer
Voting Rights Forum Participant
Username: Munyer

Post Number: 29
Registered: 12-2005

Votes: 3

Posted on Friday, July 7, 2006 - 5:57 am:

I haven't read the newly released information, but I've read the announcement above. I want to suggest one clarification/correction. I agree with the explanation of the problem, but I don't agree that the proposed "proper mitigations" would actually solve the problem.

Bev Harris wrote:

quote:

The "official" bootloader needs to be sent to the ITAs for examination, as well as provided to state voting machine examiners.



Are these really the right people for the job?

The job, if I understand correctly, is something like this: examine one copy of a piece of voting machine software, and certify that it contains no back doors or exploitable defects.

I submit that the people you mentioned above are the worst possible candidates for this job. They have a long and ignominious track record of repeatedly examining grossly unsafe voting systems and then certifying them as safe.

So, who can do the job?

Computer security experts?

Consider the "Berkeley report" which followed Hursti I. It was written by world-renowned computer security experts, and they found many vulnerabilities. They also included this important disclaimer:


quote:

One concern, however, is that these are just the bugs we were able to find; there are quite possibly others we did not notice, and that automated bug-finding tools (which are always imperfect) would not notice either. Code review is difficult. It is hard to be confident that one has found all bugs [...], and if we used another tool or if another person were to examine the code, they might find other vulnerabilities.



I expect that any real computer security expert would give you a similar disclaimer. Notice that the presence of such a disclaimer means that the report could not be used to certify the absence of back doors, even if the authors of the report had found no bugs at all.

What about someone like Dr. Dill? His "day job" involves verification of computer hardware and software, and he's been doing research in that field since the 1980s. Surely he would be qualified for this job?

Yes, Dr. Dill's field of expertise can be appropriate for this sort of job. He can analyze a system and certify that it does what it's supposed to do. But if you were to present him with this particular job (analyze a voting machine boot loader) he would give you some very important disclaimers which, much like the Berkeley disclaimer above, would prevent you from using his analysis of the boot loader as a reason to trust the actual voting machine.

His disclaimers would probably include sentences like "If you want to be able to trust the output of the application program, you'll have to verify everything: hardware, boot loader, firmware, operating system, application program, data files. Verifying only the boot loader won't really help." and: "You can't just take a typical modern software system (big, complex, sloppy) and verify it. Instead you generally need to redesign it for verification, and reimplement it, usually from scratch."

If Diebold would redesign all their software from scratch, and produce only perfect software which has no bugs and can be formally verified, would that solve the problem? Not really. Even with perfect new software, there still wouldn't be any good way to verify that the individual voting machines are running the good new software and nothing else. Even if everyone in town would show up to watch the election officials while they install the new software, the people wouldn't really be able to see the software that's being installed. They would only see a voting machine being hooked up to another computer. Why should they trust that other computer? You end up just moving the problem to another computer, instead of actually solving it.

My recommendation:

I don't think you should refer to your suggested procedures as "proper mitigations" which would allow the machines to be considered "trusted." Instead, I think you should do what the Berkeley team did: refer to these suggested procedures as "Short-term Mitigation Strategies for Local Elections" and state clearly that "in the longer term, or for statewide elections," stopgap solutions will not suffice, and real solutions must be implemented.

Bev Harris
Board Administrator
Username: Admin

Post Number: 5365
Registered: 12-2004

Votes: 0

Posted on Friday, July 7, 2006 - 7:40 am:

Robert,

I agree with the input you just provided. You're right!

And thank you.

Bev

Mike Myhre
Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 91
Registered: 02-2006

Votes: 1

Posted on Friday, July 7, 2006 - 8:03 am:

The art of finding bugs in software has been explained with the pearl necklace theory. When a pearl necklace is broken, the pearls scatter everywhere. The first pearls are easy to find. As time goes on, and you keep finding more pearls, the time between each find gets longer and longer. You can theorize by the rate at which you are finding pearls how many are left.

In electronic voting machines, it appears that many pearls were intentionally added to the collection. We can judge by how many bugs/security holes that have recently been discovered, that there are many more still there as Robert and the Berkeley report stated. In software, often the fix for one bug introduces other bugs so just because you have plugged one security hole, doesn't mean another door hasn't opened somewhere else (either accidentally or purposely).

The point I am trying to make is I don't believe we will ever be bug free or know all the flaws that lurk undiscovered. If our goal is to make computers perfect without auditing, we will forever be chasing our tail hoping we are 'almost there'.

If computers are to be used in ANY area where accuracy is required, they must be audited. Rather than strive for perfection in every link of the chain, with no way to verify it (or the existence of flaws), simply audit the process from start to finish and the problems will become self evident.
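A worked version of the "pearl necklace" estimate described in the post above, added here as an illustration and not part of anyone's post in this thread. It fits a Goel-Okumoto software-reliability-growth model (my choice of model; the post names none) to the times at which bugs were found during an audit of fixed length, and reports the fitted estimate of how many bugs remain. The find times and audit length are constructed sample values. The model only yields a finite answer when the finds are genuinely slowing down (mean find time below half the audit length); when they are not, the function returns None rather than pretending the search is nearly done, which is exactly the situation the post warns about.

```python
"""Estimate how many bugs remain from the timing of the bugs found so far.

Goel-Okumoto model: expected cumulative finds by time t is
    m(t) = a * (1 - exp(-b t)),
where a is the total number of bugs (found + still hidden) and b is the
per-bug discovery rate.  For n bugs found at times t_i during an audit
of length T, the maximum-likelihood estimate of b solves

    n/b - sum(t_i) - n*T*exp(-bT) / (1 - exp(-bT)) = 0

and then a = n / (1 - exp(-bT)).  As b -> 0 the left-hand side tends to
n*T/2 - sum(t_i), so a finite root exists only when the mean find time
is below T/2, i.e. when discoveries really are tailing off.
"""
import math
from typing import List, Optional, Tuple


def expected_finds(a: float, b: float, t: float) -> float:
    """m(t): expected cumulative number of bugs found by time t."""
    return a * (1.0 - math.exp(-b * t))


def go_score(b: float, times: List[float], horizon: float) -> float:
    """Derivative of the Goel-Okumoto log-likelihood with respect to b."""
    n = len(times)
    x = b * horizon
    one_minus_e = -math.expm1(-x)  # 1 - exp(-bT) without cancellation
    return n / b - sum(times) - n * horizon * math.exp(-x) / one_minus_e


def fit_goel_okumoto(times: List[float], horizon: float,
                     tol: float = 1e-10) -> Optional[Tuple[float, float]]:
    """Return (a, b) maximum-likelihood estimates, or None when the data
    give no evidence that the discovery rate is falling off."""
    n = len(times)
    if n == 0 or horizon <= 0 or any(t < 0 or t > horizon for t in times):
        raise ValueError("need find times within [0, horizon]")
    if sum(times) >= n * horizon / 2.0:
        return None  # score never crosses zero: 'a' is unbounded
    lo, hi = 1e-9, 1.0
    while go_score(hi, times, horizon) > 0:  # widen until the sign changes
        hi *= 2.0
    while hi - lo > tol:                       # bisection on b
        mid = (lo + hi) / 2.0
        if go_score(mid, times, horizon) > 0:
            lo = mid
        else:
            hi = mid
    b = (lo + hi) / 2.0
    a = n / -math.expm1(-b * horizon)
    return a, b


def remaining_bugs(times: List[float], horizon: float) -> Optional[float]:
    """Estimated number of bugs not yet found, or None if unbounded."""
    fit = fit_goel_okumoto(times, horizon)
    if fit is None:
        return None
    a, _ = fit
    return a - len(times)


if __name__ == "__main__":
    # Constructed sample: seven bugs found on days 1..22 of a 30-day audit,
    # with the gaps between finds growing as the post describes.
    sample_times = [1, 2, 4, 7, 11, 16, 22]
    print("tailing off:", fit_goel_okumoto(sample_times, 30.0),
          "remaining:", remaining_bugs(sample_times, 30.0))
    # Constructed sample where finds keep coming at a steady pace.
    steady_times = [3, 8, 12, 15, 19, 23, 27]
    print("steady pace:", remaining_bugs(steady_times, 30.0))
```

The first sample yields a discovery rate of roughly 0.09 per day and about half a bug still unfound; the second yields None. Either way the number is a model-based guess, not a proof that the remaining bugs are few, which is why the post's conclusion (audit the process end to end rather than trust the count) still stands.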

Saul Iversen
Voting Rights Forum Participant
Username: Malachite

Post Number: 1
Registered: 07-2006

Votes: 0

Posted on Friday, July 7, 2006 - 9:28 am:

Dr. Avi Rubin cited the redacted Hursti report in his latest posting to the Huffington Blog. I recently reviewed the unredacted version posted here on BBV, along with the many photographs of the top side of the circuit board. I take exception to several comments in the Hursti report and frankly think it needs to be revised for clarity. Before I launch into an explanation, I feel that perhaps I should first review the Berkeley report that has been noted here. Can someone please offer a link toward this end?

Thanks!

Mike Myhre
Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 92
Registered: 02-2006

Votes: 0

Posted on Friday, July 7, 2006 - 9:38 am:

Saul, Here is the Berkeley Report Link:
http://www.bbvforums.org/forums/messages/73/security_analysis_of_the_diebold_accubasic_interpreter-19472.pdf

Brant Lamb
Frequent Voting Rights Forum Participant
Username: Brantl

Post Number: 668
Registered: 01-2005

Votes: 0

Posted on Friday, July 7, 2006 - 11:13 am:

ANY election, done on ANY equipment, should be audited ANYway, regardless of the equipment type. Otherwise, some guy walks up, sees that x votes went to candidate A and y votes went to candidate B, and announces Z votes went to candidate A and X votes went to candidate B.
"Trust everyone, but always cut the cards."

Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a

Post Number: 3017
Registered: 12-2004

Votes: 0

Posted on Friday, July 7, 2006 - 10:43 pm:

Hello Bruce,

About the tape you observed, do you know why they taped the machine to the stand?

This is odd.

Saul Iversen
Voting Rights Forum Participant
Username: Malachite

Post Number: 2
Registered: 07-2006

Votes: 1

Posted on Saturday, July 8, 2006 - 12:16 pm:

After reviewing Hursti II and the Berkeley report, I just wanted to contribute some thoughts. Hursti says in his report with regard to the CPU JTAG connector:

"It is unknown if this mechanism can be used to retrieve data for forensic studies from a system suspected of contamination, because the reprogramming operation is destructive and prevents any other forensic studies."

The CPU JTAG connector allows the auxiliary system that Hursti speaks of to run as a debugging emulator. This means that the auxiliary system can do more than just a reprogramming operation. It can read the entire contents of flash, including the bootloader, without overwriting anything. So forensic studies can indeed be conducted on a suspect system. This should be revised in his report.
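Whatever the capture path (a JTAG read of flash as described above, or a bus capture at boot as discussed later in the thread), the forensic step that follows is the same, and it is also the step Robert Munyer's post above asks for: checking that what is actually on a given machine matches the one copy the examiners certified. The following is an added example, not code from the Hursti report, the forum, or the vendor: it hashes a captured image and a reference image, lists every byte range where they differ, and maps those ranges onto a memory layout so an examiner can see whether the bootloader region was touched. The layout and both images are constructed sample data (the real TSx flash map is not given on this page). Note the caveat from the replies that follow: if the part's lock bits prevent a read-out in the first place, there is no dump to compare, and a clean comparison says nothing about parts that could not be read.

```python
"""Compare a flash image captured from a suspect unit against a reference image.

All data here is constructed for illustration; the region layout is a
hypothetical one, not the TSx memory map.
"""
import hashlib
from typing import Dict, List, Tuple

# Hypothetical layout for the constructed 1 KiB sample image:
# region name -> (start offset, length in bytes)
SAMPLE_LAYOUT: Dict[str, Tuple[int, int]] = {
    "bootloader": (0x0000, 0x0100),
    "firmware":   (0x0100, 0x0300),
}


def sha256_hex(image: bytes) -> str:
    """Fingerprint of a whole image, for the examiner's record."""
    return hashlib.sha256(image).hexdigest()


def diff_regions(reference: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Return half-open [start, end) byte ranges where the images differ.

    A length mismatch is reported as a final range covering the tail, so a
    truncated or padded dump is never silently treated as a match."""
    ranges: List[Tuple[int, int]] = []
    common = min(len(reference), len(suspect))
    start = None
    for i in range(common):
        if reference[i] != suspect[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(reference) != len(suspect):
        ranges.append((common, max(len(reference), len(suspect))))
    return ranges


def regions_touched(ranges: List[Tuple[int, int]],
                    layout: Dict[str, Tuple[int, int]]) -> List[str]:
    """Names of layout regions that overlap any differing range."""
    touched = []
    for name, (rstart, rlen) in layout.items():
        rend = rstart + rlen
        if any(s < rend and e > rstart for s, e in ranges):
            touched.append(name)
    return touched


def examine(reference: bytes, suspect: bytes,
            layout: Dict[str, Tuple[int, int]] = SAMPLE_LAYOUT) -> dict:
    """Full comparison report for one captured image."""
    ranges = diff_regions(reference, suspect)
    return {
        "reference_sha256": sha256_hex(reference),
        "suspect_sha256": sha256_hex(suspect),
        "identical": not ranges,
        "differing_ranges": ranges,
        "regions_touched": regions_touched(ranges, layout),
    }


def make_sample_images() -> Tuple[bytes, bytes]:
    """Constructed reference image and a suspect copy with four bytes
    altered inside the hypothetical bootloader region."""
    reference = bytes((i * 7 + 3) & 0xFF for i in range(0x400))
    suspect = bytearray(reference)
    suspect[0x20:0x24] = b"\x00\x00\x00\x00"
    return reference, bytes(suspect)


if __name__ == "__main__":
    ref, sus = make_sample_images()
    for key, value in examine(ref, sus).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows one differing range, 0x20 to 0x24, attributed to the bootloader region, with two different SHA-256 values. In practice the reference image would be the copy the examiners certified, and the report plus both hashes would go into the case file alongside a note of how the dump was obtained.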

Mike Myhre
Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 94
Registered: 02-2006

Votes: 1

Posted on Saturday, July 8, 2006 - 12:45 pm:

Saul said: "The CPU JTAG connector allows the auxiliary system that Hursti speaks of to run as a debugging emulator. This means that the auxiliary system can do more than just a reprogramming operation. It can read the entire contents of flash, including the bootloader, without overwriting anything."

It depends on the processor. Many processors I use with JTAG connector require changing a fuse in the processor to enable the debugger. If any of the lock fuses are blown (as they should be), then you would not have access to any of the code without first clearing the flash and starting from scratch with a new firmware download. Furthermore, if the lockbits are blown, you would not have a copy of the firmware code to examine or download.

That does not diminish the vulnerability of the JTAG connector because you could write your own code to replace the firmware and take the machine hostage. It does however, prohibit a non-destructive analysis of the machine.

Saul Iversen
Voting Rights Forum Participant
Username: Malachite

Post Number: 3
Registered: 07-2006

Votes: 1

Posted on Saturday, July 8, 2006 - 1:19 pm:

Thank you Mike. Could you provide a datasheet or user's guide link to a microprocessor like this so I can review it? Is the PXA family among those? I don't question your comment. I would like to simply do my homework on the matter and respond appropriately. I appreciate your help.

Also, do you not think it important to note that there is also a CPLD JTAG chain available on this board?

Mike Myhre
Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 95
Registered: 02-2006

Votes: 2

Posted on Saturday, July 8, 2006 - 1:46 pm:

I am not familiar with the PXA family and did not see a processor number listed in the images. I am sure if you find the processor number you can quickly Google what you need.

A CPLD JTAG connection could be another security risk, but not as blatantly open as just replacing your own code. Usually these devices map memory, or do other hardware functions that are necessary for the product to function. While they could play a part in hijacking the system, writing your own firmware is a much more reasonable attack.

Saul Iversen
Voting Rights Forum Participant
Username: Malachite

Post Number: 4
Registered: 07-2006

Votes: 0

Posted on Saturday, July 8, 2006 - 2:33 pm:

How about just giving me an example of one of the processors you've worked with which has the properties you've described? It doesn't have to be the one used on this design. Just any example will suffice. I'll do the homework from there.

Also, does it not appear that U50 is the flash? If so, it is socketed, and can be removed easily by hand for forensic inspection, or worse, nefarious substitution.

Finally, one could also tie a logic analyzer to the address and data lines of the flash and capture the contents at bootup. This would be another method of forensic investigation; it would not depend on any microprocessor security features.

Mike Myhre
Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 96
Registered: 02-2006

Votes: 1

Posted on Saturday, July 8, 2006 - 2:54 pm:

Here is the link to an Atmel ATmega88 which is a much smaller microcontroller, but it will give you a detail of the concept of security and debug fuses that I was talking about.
http://atmel.com/dyn/products/product_card.asp?family_id=607&family_name=AVR+8%2DBit+RISC+&part_id=3302

The procedures you talk about with logic analyzers and trying to read the machine code out of the flash are things you could do for forensic inspection, but the payback for the small amount you would discover would be very costly.
The reports that you are criticizing for not being complete exposed many blatant security holes in a matter of hours. What you are proposing may squeak out a few more minor risks, if any, but would take months of work. Going beyond these reports has a very small return for the investment in time. The goal was to show that these machines had security risks, not every security risk. The risks shown prove that they should not be used in any upcoming election. Any further speculation only dilutes the strength of the gaping security holes already demonstrated.

Saul Iversen
Voting Rights Forum Participant
Username: Malachite

Post Number: 5
Registered: 07-2006

Votes: 1

Posted on Sunday, July 9, 2006 - 10:35 am:

Perhaps a little background would be worthwhile here. I've worked on the issue in a key battleground state: Maryland. As Dr. Avi Rubin will tell you, in Maryland we face a difficult elections administrator in Linda Lamone. Lamone, along with state legislators such as Jon Cardin, have coordinated an effort to provide alternative verification technologies to ensure the security of the Diebold TSx systems. They don't want to return to using paper ballots.

When a report such as the Hursti II report is released, we have found that legislators and proponents of alternative verification technologies like to seize upon any perceived weaknesses in such a report. They use these to raise doubt in the minds of legislators and even technically-minded individuals who would counter such claims. So we've found that by "battle hardening" the security reports we provide a robust weapon against any propaganda.

I have communicated with John Gideon briefly for instance (I see that he has posted in this thread) on the issue of VoteHere. I met with the VoteHere CEO as they launched their campaign here in Maryland. Initial information critiquing VoteHere was incomplete and lacked the robust quality I am promoting. As a result, the debate for the technology quickly began to spread to other states where people were not adequately equipped to address it.

My goal is to clarify whatever may be speculative in the Hursti II document and to place in proper perspective the security holes potentially uncovered therein. I find some of the "gaping security holes" in this document to be speculative insofar as they are described. Others I find to be more potent. Obviously I may be mistaken in my assessment on either count. But that is the purpose of the discussion. Because we cannot be present on every front with regard to this issue, these documents ultimately become our ambassadors. I merely want to test and groom them for their mission.

Bev Harris
Board Administrator
Username: Admin

Post Number: 5388
Registered: 12-2004

Votes: 1

Posted on Sunday, July 9, 2006 - 12:56 pm:

I agree that the Hursti Report should be discussed and vetted as fully as possible.

By the way, Saul, I know Baltimore County bought the machines later than the other Maryland counties. Did they buy the TS-R6 or the TSx?

The two machines are very, very different. Though they may share some vulnerabilities, like being able to replace software through the memory card, other vulnerabilities, like the accessibility of the casing and the ports and connections on the motherboard itself are quite different.

Saul Iversen
Voting Rights Forum Participant
Username: Malachite

Post Number: 6
Registered: 07-2006

Votes: 1

Posted on Sunday, July 9, 2006 - 3:59 pm:

Good question Bev. I'll check with my peers at TrueVoteMD on the distribution of Diebold equipment throughout the state.

On the matter of the JTAG connector, which seems to be one of the more significant finds in Hursti II, it should be noted that there is a good reason to have the CPU JTAG connector exposed as is shown. It is useful beyond prototyping (as Hursti describes). It is also useful in manufacturing to detect solder defects and the like. This is crucial with BGA or Ball Grid Array parts (and what appears to be the microprocessor -- or at least a high-density IC -- on the circuit board is indeed a BGA). Without JTAG, such systems can be created with defects which appear to pass high-level testing and subsequently fail sporadically in the field. We want both reliability and security in these systems.

To achieve both, one would simply need to break the JTAG chain after manufacturing and in-circuit testing. One way (among many) to achieve this is to route the JTAG signals at some point through internal PCB layers to a BGA programmable logic device which acts as an arbiter of sorts. When manufacturing testing is complete, one simply reprograms the logic device in question so that the CPU JTAG chain is broken. To secure the logic device itself, you choose one which has a permanent lock available. That's just one approach. Since we don't have the schematic, layout, or even photos of the back side of the PCB, the actual implementation is unclear.

In order for Hursti's arguments about the security of the bootloader to take hold, he has to establish that the JTAG chain remains intact after manufacturing. It wouldn't be hard to check this. And he should also mention that there is indeed a great reason to keep the JTAG connector in the final design layout (as I have elaborated here).

(Message edited by malachite on July 09, 2006)

Bev Harris
Board Administrator
Username: Admin

Post Number: 5389
Registered: 12-2004

Votes: 1

Posted on Sunday, July 9, 2006 - 7:09 pm:

Saul,

If the JTAG chain does not remain intact after manufacturing, and you can replace the bootloader with a memory card or network device at any time during the life cycle of the machine -- would there even be a recovery path?

As I understand it, since the bootloader can be replaced using either the memory card or a networking device, without the JTAG connection, there might not be a recovery path at all to restore previously delivered machines to a trusted condition -- especially the tens of thousands of machines that went home for sleepovers back in 2004 and since that time.

If, as you suggest, the JTAG chain might have been broken how would you reliably restore a machine to something you could trust, given the other delivery mechanisms for inserting a contaminated bootloader?

Is it possible that this is a "damned if you do, damned if you don't situation"? With JTAG intact, replacement of the bootloader using that device is a risk. With JTAG not intact, am I not correct in assuming that you can not reliably restore machines to a trusted condition?

Mike Myhre
Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 99
Registered: 02-2006

Votes: 0

Posted on Sunday, July 9, 2006 - 7:43 pm:

Bev,

The JTAG connection is used to give the manufacturer direct access to the programmable chips on the board. Breaking the JTAG chain does not necessarily prohibit writing to these programmable devices, just not through the JTAG interface. If the product has the ability to load a new boot loader from a memory card, modem, or wireless connection, disabling the JTAG interface would not affect that method. There may be ways to disable the ability to write to the flash memory. If that 'switch' is thrown permanently, then any method of updating the boot loader would be deactivated. This flash write protect is a function of the board design. Without a schematic or reverse engineering the board, we don't know if this is an option.

Bev Harris
Board Administrator
Username: Admin

Post Number: 5390
Registered: 12-2004

Votes: 1

Posted on Sunday, July 9, 2006 - 8:02 pm:

No no, Mike. That's not what I was saying.

The problem, as I understand it, is that if you replace the bootloader with a contaminated one, there is no way to reliably restore it to a trusted condition using software. You have to use a hardware connector like the JTAG, turn the motherboard into a zombie, load a trusted version that way.

So, if the JTAG is disabled, yes you can overwrite the bootloader using other means, but no, you cannot know you actually nuked residual malicious items in a bootloader designed for malfeasance.

Mike Myhre
Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 100
Registered: 02-2006

Votes: 1

Posted on Sunday, July 9, 2006 - 8:41 pm:

Bev,

You are correct.

Once the system is compromised, only a low level firmware reload will bring it back to a clean system.

If the JTAG is disabled, there is no way to reload soldered in chips to clean. Socketed flash chips could be removed and reprogrammed or replaced.

If microcontrollers are used, that have 'lock bits' to protect the internal firmware, there is no way to read the internal firmware to verify it is correct with or without a functioning JTAG.

So, if microcontrollers with lock bits are used, and the JTAG is permanently disabled, the machine could never be restored to a new state OR verified to be original.

Brant Lamb
Frequent Voting Rights Forum Participant
Username: Brantl

Post Number: 674
Registered: 01-2005

Votes: 1

Posted on Monday, July 10, 2006 - 4:47 am:

Any IBM-compatible-based computer can be turned into a 'zombie' if you are willing to write your own executable from the ground up. This would mean that you can't rely on the BIOS for anything, you would have to do all I/O by writing the routines yourself, you would have to not rely on any BIOS routines at all. This would allow the re-writes of the bootloader that would need to be done. Very time consuming, very labor intensive, requiring exquisite hardware knowledge, but nonetheless, it is doable. It would also need to look for copies of the bootloader that might have been cached in secondary locations.

As for code on microcontrollers with 'lock bits': these used to require pass-numbers in order to be able to read them, and then you had full control of writing to them as well. I haven't been in this market in more than 10 years, I don't know what it's like now, and I wasn't exposed to all microcontrollers in any event. At the time that I was working on them, if you didn't have the pass-number the part would be wiped and you could then reprogram it (these were PIC microcontrollers). So code was protected against reading it, but not against overwrite. It was secrecy, not security. Is this no longer true? Or did other vendors diverge from this?

Mike Myhre
Frequent Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 101
Registered: 02-2006

Posted on Monday, July 10, 2006 - 7:02 am:

Brant,

You are correct on the lock bits for microcontrollers. They are flash and reprogrammable, but not readable.

Stand alone flash chips could be disabled by controlling their write enable line.

It would help if we could read some of the chip numbers so we knew what was used on the board. The large square PGA chip doesn't have a label, and there is no number readable. The chip in the 'flash' photo has a label so we can't read any number that may be on it. How do we know it is flash and not a microcontroller or PLD?

John Howard
Frequent Voting Rights Forum Participant
Username: Harmonyguy

Post Number: 500
Registered: 12-2004

Posted on Monday, July 10, 2006 - 7:04 pm:

If I'm not mistaken, there are actually two JTAG connections - one marked J7 CPLD JTAG (10 pin) and the other J16 CPU JTAG INTERFACE (20 pin).

(Whether or not this has any relevance, I don't know.)
HG

Saul Iversen
Voting Rights Forum Participant
Username: Malachite

Post Number: 7
Registered: 07-2006

Posted on Monday, July 10, 2006 - 10:18 pm:

No, you are correct. It is discussed actually a few posts up in the thread.

There is so much we don't know about this design. But I have mulled over in my mind methods of triangulation. We could consider such things as which types of processors would support CE (MIPS, ARM, x86, etc), how much code space would be required, what was available in 2003, proximity of chips to one another, visible traces on the top layer, and so forth. It becomes an exhausting exercise. The only real conclusion it seems is that more needs to be known. But we knew that already! :-)

I need to review the history of how this machine was acquired. I gather it is not still in possession.

P.S. It appears that all machines in Maryland are TS-R6.

(Message edited by malachite on July 10, 2006)

Brant Lamb
Frequent Voting Rights Forum Participant
Username: Brantl

Post Number: 677
Registered: 01-2005

Posted on Tuesday, July 11, 2006 - 5:33 am:

Mike, is the password number also correct?

Mike Myhre
Frequent Voting Rights Forum Participant
Username: Mike_myhre

Post Number: 102
Registered: 02-2006

Posted on Tuesday, July 11, 2006 - 8:13 am:

Brant,
The microcontrollers I use just have a lock bit fuse you blow after programming the device. After that, you can no longer read the contents of the device. Some have several levels of locking, such as: can't read externally, and can't program internally (for updates where the boot loader can re-program itself with a received copy). At any time, anyone can erase the device and fuses and start over with new firmware. The Microchip PIC processor, Atmel and 8051 derivatives are good examples of this.
I don't know of any with a password to regain access.
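The verification problem raised in the earlier post on JTAG and lock bits, and again in the reply above (a locked part can be erased and rewritten but never read back), comes down to one question: given whatever a programmer or JTAG pod can pull off the chip, can you prove the bootloader region is the original? The following is an added example, not code from this thread, from Diebold or from the Hursti reports. It parses an Intel HEX dump (the format most PIC and flash programmers emit; an assumption about the tooling), hashes the bootloader region, compares it with a reference image, and refuses to call a region a match when it reads back as a single repeated value, which is what a code-protected part (assumed here to read as 0x00) or an erased flash (0xFF) produces. The region addresses and the reference bytes are constructed for the example, not taken from any real machine.

```python
"""Check a firmware dump against a reference image.

Added example, not code from this thread, from Diebold or from the Hursti
reports.  Assumed: the dump and reference are Intel HEX (what most PIC and
flash programmers emit); a code-protected part reads back as all 0x00 and an
erased flash as all 0xFF; the bootloader region and reference bytes below are
constructed for the example.
"""
import hashlib


def ihex_data_record(addr, data):
    """Build one Intel HEX type-00 (data) record; used here to construct samples."""
    body = bytes([len(data)]) + addr.to_bytes(2, "big") + b"\x00" + bytes(data)
    checksum = (-sum(body)) & 0xFF          # two's complement of the byte sum
    return ":" + body.hex().upper() + f"{checksum:02X}"


def ihex_image(start, data, chunk=8):
    """Serialise `data` at address `start` as Intel HEX, ending with an EOF record."""
    recs = [ihex_data_record(start + i, data[i:i + chunk])
            for i in range(0, len(data), chunk)]
    return "\n".join(recs + [":00000001FF"]) + "\n"


def parse_ihex(text):
    """Parse Intel HEX into {address: byte}; rejects bad checksums and lengths.

    Handles record types 00 (data), 01 (EOF), 02 (extended segment address)
    and 04 (extended linear address)."""
    mem, base = {}, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record must start with ':'")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5:
            raise ValueError(f"line {lineno}: record too short")
        if (sum(raw) & 0xFF) != 0:
            raise ValueError(f"line {lineno}: checksum error")
        count, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:-1]                    # everything between type and checksum
        if len(data) != count:
            raise ValueError(f"line {lineno}: byte count mismatch")
        if rtype == 0x00:
            for i, b in enumerate(data):
                mem[base + addr + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x02:
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    return mem


def region_bytes(mem, start, length, fill=0xFF):
    """Flatten a region to bytes; cells absent from the dump read as `fill`
    (0xFF, what erased flash reads back as)."""
    return bytes(mem.get(a, fill) for a in range(start, start + length))


def looks_read_protected(blob):
    """A region that is one repeated value carries nothing to verify: an
    erased part (0xFF) or, by the assumption above, a code-protected one (0x00)."""
    return len(set(blob)) <= 1


def verify_region(dump_hex, ref_hex, start, length):
    """Return (status, sha256 of the dumped region); status is 'match',
    'mismatch' or 'unverifiable'.  A region that cannot really be read must
    never be reported as a match, which is the point made about lock bits."""
    dump = region_bytes(parse_ihex(dump_hex), start, length)
    ref = region_bytes(parse_ihex(ref_hex), start, length)
    digest = hashlib.sha256(dump).hexdigest()
    if looks_read_protected(dump):
        return "unverifiable", digest
    return ("match" if dump == ref else "mismatch"), digest


# Constructed samples (not real firmware): a 16-byte "bootloader" at 0x0000.
BOOT_START, BOOT_LEN = 0x0000, 16
REFERENCE = bytes.fromhex("DEADBEEF00112233445566778899AABB")
REFERENCE_HEX = ihex_image(BOOT_START, REFERENCE)
GOOD_DUMP = REFERENCE_HEX                                          # reads back as built
TAMPERED_DUMP = ihex_image(BOOT_START, REFERENCE[:-1] + b"\xBC")  # one byte patched
PROTECTED_DUMP = ihex_image(BOOT_START, bytes(BOOT_LEN))          # lock bit set: all 0x00

if __name__ == "__main__":
    for name, dump in [("good", GOOD_DUMP), ("tampered", TAMPERED_DUMP),
                       ("protected", PROTECTED_DUMP)]:
        status, digest = verify_region(dump, REFERENCE_HEX, BOOT_START, BOOT_LEN)
        print(f"{name:9s} {status:12s} sha256={digest[:16]}...")
```

The digest is returned next to the status so it can be logged, but the status is what decides: a check that only compared hashes would call two unreadable chips a match, since they both hash to the same run of zeros. The same tool applied to a socketed flash that was pulled and read in a programmer gives a real answer; applied to a locked microcontroller it can only say that nothing was read.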

Brant Lamb
Frequent Voting Rights Forum Participant
Username: Brantl

Post Number: 679
Registered: 01-2005

Posted on Wednesday, July 12, 2006 - 5:20 am:

PICs (10 years ago) allowed reading with a password.
 

The public must be able to see and authenticate these four essential steps for an election to be public, democratic, and valid: (1) Who can vote (voter list); (2) Who did vote (3) The original count; (4) Chain of custody.