Black Box Voting forum, Tech Central: Security Now Podcast on Hacking Voting Machines

V. Kurt Bellman
Username: Formerelecdir
Post Number: 3033
Posted on Friday, August 28, 2009 - 6:49 am:

Disclaimer: I have not even listened to it yet. I don't know if he is alarmed or pooh-poohs the whole problem, but one of the world's most respected experts on computer security, Steve Gibson of "Shields Up!" has devoted this week's "Security Now" podcast to the entire idea of hacking voting machines. This series is among the best tech podcasts anywhere. It's part of the TWiT network and co-hosted by Leo Laporte, the unofficial "President of the Internet".

You can access the podcast at:

http://www.twit.tv/sn

You can also get it where I do - the iTunes store as a free download.

This guy (Gibson) is no political ideologue, he's a mainstream guy with centrist, if not conservative, politics. Actually Leo is pretty liberal. [grin] Silicon Valley variety.

Bottom line: if Steve Gibson says it's a problem, it's a problem no one can ever ignore again.
==========================================
Sometimes, every once in a while, the real reason "your side" lost an election is because more people really DID vote for the "other guy", hard as that may be to fathom.

Bev Harris
Username: Admin
Post Number: 10750
Posted on Sunday, August 30, 2009 - 10:18 am:

moved this thread to Tech forum

V. Kurt Bellman
Username: Formerelecdir
Post Number: 3036
Posted on Monday, August 31, 2009 - 8:03 am:

Now I've listened to it. Except for the one attack, Gibson says the Zilog Z-80 Sequoia AVC Advantage is pretty stout in security.

My favorite, the Danaher 1242, shares many of the security attributes of the Advantage (RAM cannot be used for executables, NMI if it is attempted, 64K limit memory addressing, no OTS OS to get footholds), but the attack described on the Sequoia cannot be done on a Danaher, because no one can access the cartridge even a little bit without detection of serial numbered seals. You can't even TOUCH the cartridge without permanently breaking TWO serial numbered and on paper documented seals.

I'll say it again. The Danaher, while virtually no one wants to use it, and they could never supply the whole nation, is still the most secure system out there.

The shame is that in order to put enough memory in the new ones to hold audio for the vision impaired, they have had to allow more memory so that there is more room (much more) for shenanigans like those described to be done.

In order to accommodate the "accessibility lobby" numerous systems have had to have their security features compromised, including Danaher.
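Kurt's list of attributes (no execution from RAM, an NMI if it is attempted, a 64K address space) describes an instruction-fetch gate. The block below is an added example, not the 1242's firmware and not code from anyone in this thread: a toy 16-bit machine with a hypothetical six-opcode instruction set and an assumed ROM/RAM split at 0x8000, in which any instruction fetch from RAM raises an NMI whose handler halts the machine. The constructed ROM program copies a three-byte payload into RAM and jumps to it, so the gate's effect is visible; running the same ROM with the gate disabled lets the payload execute.

```python
# Added example (not the 1242's firmware): a toy 16-bit machine whose instruction
# fetch is gated to ROM.  Address map and the six opcodes are hypothetical.

ROM_END = 0x8000      # ROM 0x0000-0x7FFF, RAM 0x8000-0xFFFF (assumed layout)
ADDR_MASK = 0xFFFF    # 16-bit address bus: a 64K space, as on a Z80


class NMI(Exception):
    """Raised by the fetch gate when an instruction fetch lands in RAM."""


class Machine:
    def __init__(self, rom: bytes, gate: bool = True):
        if len(rom) > ROM_END:
            raise ValueError("ROM image does not fit the ROM window")
        self.mem = bytearray(0x10000)
        self.mem[:len(rom)] = rom
        self.gate = gate          # False models the same machine without the gate
        self.pc = 0
        self.acc = 0
        self.halted = False
        self.nmi_count = 0

    def fetch(self) -> int:
        """Instruction fetch: the only access the gate looks at.  Data reads and
        writes go straight to self.mem and are allowed anywhere."""
        addr = self.pc & ADDR_MASK
        if self.gate and addr >= ROM_END:
            raise NMI(addr)
        self.pc = (addr + 1) & ADDR_MASK
        return self.mem[addr]

    def step(self) -> None:
        op = self.fetch()
        if op == 0x00:                        # NOP
            return
        if op == 0x01:                        # LD acc, imm8
            self.acc = self.fetch()
        elif op in (0x02, 0x03, 0x04):        # 16-bit little-endian operand
            lo, hi = self.fetch(), self.fetch()
            addr = (hi << 8) | lo
            if op == 0x02:                    # ST [addr], acc  (data write, allowed)
                self.mem[addr] = self.acc
            elif op == 0x03:                  # JP addr
                self.pc = addr
            else:                             # LD acc, [addr]  (data read, allowed)
                self.acc = self.mem[addr]
        elif op == 0x05:                      # INC acc
            self.acc = (self.acc + 1) & 0xFF
        elif op == 0x76:                      # HALT
            self.halted = True
        else:                                 # undefined opcode: a fault, not "unpredictable"
            raise ValueError(f"undefined opcode {op:#04x}")


def run(rom: bytes, gate: bool = True, max_steps: int = 10_000) -> Machine:
    """Run until HALT, until the NMI handler halts the machine, or until the step budget."""
    m = Machine(rom, gate)
    for _ in range(max_steps):
        if m.halted:
            break
        try:
            m.step()
        except NMI:
            m.nmi_count += 1      # NMI handler: log the event and refuse to continue
            m.halted = True
    return m


# Constructed ROM program: store INC, INC, HALT at 0x8000 (RAM), clear acc, jump there.
# A code-injection attempt in miniature: the writes are legal, the fetch is not.
PAYLOAD = bytes([0x05, 0x05, 0x76])
DEMO_ROM = bytes([
    0x01, 0x05, 0x02, 0x00, 0x80,    # LD acc,05 ; ST [8000],acc
    0x01, 0x05, 0x02, 0x01, 0x80,    # LD acc,05 ; ST [8001],acc
    0x01, 0x76, 0x02, 0x02, 0x80,    # LD acc,76 ; ST [8002],acc
    0x01, 0x00,                      # LD acc,00
    0x03, 0x00, 0x80,                # JP 8000
])

if __name__ == "__main__":
    gated = run(DEMO_ROM)
    assert bytes(gated.mem[0x8000:0x8003]) == PAYLOAD      # payload landed in RAM ...
    print(f"gate on : nmi={gated.nmi_count} acc={gated.acc}")      # ... but never ran: nmi=1 acc=0
    ungated = run(DEMO_ROM, gate=False)
    print(f"gate off: nmi={ungated.nmi_count} acc={ungated.acc}")  # payload ran: nmi=0 acc=2
```

A gate of this kind stops code that arrives through RAM or a cartridge from ever executing; it does nothing about code already in ROM being driven through an unintended sequence, and it says nothing about the integrity of the data tables and counters the firmware reads from the cartridge. That remaining weight is what the serial-numbered seals in Kurt's post are carrying.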

Bev Harris
Username: Admin
Post Number: 10759
Posted on Monday, August 31, 2009 - 9:09 am:

I find it very interesting that the state of Kentucky first disabled one of the key safeguards (instructing election officials not to upload from the cartridge and only use the poll tapes from the 1242) and now has ditched the 1242s altogether.

Kentucky has swapped out its Shoup 1242s (same as Danaher 1242s) for Hart eSlate optical scanners.

Some would say, good, now a paper trail, but Kentucky has retained a bunch of Hart eSlates; some people will vote on one, some on the other, making for more strangeness.

Mike LaBonte
Username: Mike_labonte
Post Number: 389
Posted on Monday, August 31, 2009 - 9:28 am:

I listened to at least half of that show before running out of time. These guys know security but it was obvious they knew little about election hardware and the security needs of elections.

I take the lack of an off-the-shelf OS as sort of a plus; at least there are no off-the-shelf exploits. But I suppose the fact that a new OS will have to be fixed repeatedly doesn't sit well with election equipment, which should be touched as little as possible.

I agree that the 1242 seems pretty well developed, and a good choice if forced to use DREs. Possibly the 10 Danaher incidents documented by EFF over the course of about 15 years would be about the same for paper ballots over the same period. Most of the incidents have to do with memory cartridges and human error. That said, although the structural confidence level should be high, you still can't prove who won any election. And some of those incidents involved error levels higher than the margins of victory.

As far as accessibility is concerned, if they would just print special paper ballots the size of a Danaher screen and have a booth with the same lighting level, that would solve 95% or more of the accessibility issues I have seen. I keep asking, and I have never been told that anyone has ever audio voted on our AutoMarks. Big bright paper ballots would have the same outcome with far less expense.

Mike LaBonte
Username: Mike_labonte
Post Number: 390
Posted on Monday, August 31, 2009 - 10:38 am:

"Kentucky has swapped out its Shoup 1242s (same as Danaher 1242s) for Hart eSlate optical scanners."
Hart's optical system is eScan. The eSlate is their DRE.

http://www.internetvoting.com/files/productcatalog.pdf

Bev Harris
Username: Admin
Post Number: 10760
Posted on Monday, August 31, 2009 - 11:14 am:

Whoops, I meant eScan.

V. Kurt Bellman
Username: Formerelecdir
Post Number: 3037
Posted on Monday, August 31, 2009 - 1:00 pm:

I've dealt with the Hart line. A Shoup/Danaher to Hart change is a step DOWN in security. It's "newer technology" and that's what sells it to politicians. But it's not more secure - it's less so.

Again, Danaher could NEVER handle the whole country. Those places that have it and use it correctly (unlike Kentucky and Ocean County, NJ) have probably the best that exists.

The point Steve Gibson is making is a valid one. Voting machines should NEVER have been "PC's". They need to be minimalist "electronic appliances" only. Anything more just adds more attack vectors.

Mike, I'm not sure what you mean about needing constant fixing. The Danaher/Shoup ROM-based programming was unchanged for over 25 years until HAVA mandates changed it.

Dale McClain
Username: Dale
Post Number: 72
Posted on Tuesday, September 1, 2009 - 3:40 am:

V. Kurt Bellman
You have posted in part:

The point Steve Gibson is making is a valid one. Voting machines should NEVER have been "PC's". They need to be minimalist "electronic appliances" only. Anything more just adds more attack vectors.
..........
You have caused me to listen to the GRC.Com story about hacking voting machines.
..........
I went to sleep about half way through and it was still running when I woke up. I took a few notes.
It seemed to reinforce my hatred of electronic voting methods.
..........
My superficial knowledge of computers goes back to the days of the Commodore 64 when you could plug it into a 25 inch TV set and the printed words could be read from across the room.
..........
When Windows 95 came out in Beta everyone was amazed at the power of Windows.
..........
At a computer club event open to the public my granddaughter demonstrated a then current 3D version of medical information including parts of the human body -- very impressive .. She was about 10 years old.
..........
Elsewhere things that cause people's eyes to glaze over have been discussed --- when you talk politics or computer technology they are equally of eye glazing quality.
..........
The autopsy on 82 dollars worth of Sequoia machines and 16 man months of work is very very impressive!
..........
Talk about Pet timers or watch dogs, MMI interrupts and loop timers are not my long suit.
..........
Marking ballots with a number 3 pencil got my attention --
..........
Keep up the good work,
Dale

V. Kurt Bellman
Username: Formerelecdir
Post Number: 3039
Posted on Tuesday, September 1, 2009 - 4:55 am:

Correction: the New Jersey county that improperly used Shoup/Danahers was Atlantic, where the casinos are. The one where the Mayor of that City was indicted.

If there is an Ocean County, NJ, they never used Shoup/Danahers.

The error came to me in the shower this AM.

Oh, by the way, I AM dismayed Steve Gibson doesn't remember it's the #2 pencil that is the standard for bubble filling. Always has been. For most elderly voters, a #3 would leave a marginal mark. I'm kind of hypersensitive to this because of my recent stroke which has weakened my writing and bubble filling hand. It's not much stronger than a typical 80-year-old's might be right now.

Oh, and I'm down 35 lbs. from the picture at left, too.

Mike LaBonte
Username: Mike_labonte
Post Number: 391
Posted on Tuesday, September 1, 2009 - 6:41 am:

I never looked inside the 1242s before, but this page of photos tells me they really are very simple, more hardware than software. I believe Kurt's claim that they went without changes for a long time, but it is the changes in the beginning that I had in mind, when a new OS is created from scratch. If we had had a formal certification process back then, they might have been unable to fix whatever bugs they found, pretty much where we stand today.

The 1242 is so simple though, that I'm not sure if it even has an OS at all. Kurt points out that it can't execute from RAM. There seems to be at least a possibility that, as far as DREs go, the 1242 may be almost as secure as India's EVM, and more functional. Now, could we mount a new ballot on it for each voter and have them actually marking the ballots as they push down on the switches? The more we rely on a machine, and never check its results, the bigger the disaster if/when we finally find out it has been giving us compromised elections.

About the limited employment of the Shouptronic/Danaher 1242s, my theory is that it goes back to the 1988 Republican primary in NH, the first large scale deployment of the Shouptronic design. George H.W. Bush was trailing Bob Dole by eight points in the last Gallup poll before primary day. During the evening "the computer broke down", and when it came back Bush was suddenly ahead. Bush won by nine points. In the ensuing flood of news stories there was controversy over the Shouptronic machines, but apparently not enough to kill them. My theory is that they are just permanently wounded.

V. Kurt Bellman
Username: Formerelecdir
Post Number: 3040
Posted on Tuesday, September 1, 2009 - 6:49 am:

Mike,

Each 1242 has a single ballot sheet. It is NOT a machine that can serve more than one ballot style at all, unlike the newer generations. The ballot is printed on paper which is installed over the 504 hardware switches (those black panels). One ballot style per machine only, which is why "early voting centers" are practically IMPOSSIBLE in Danaher jurisdictions. Too many machines would be needed. "Early voting", if done at all, would need a different hardware system.

Correction on 1242 deployment, Mike. Dauphin County, PA has used them continuously since 1983 for all public elections non-stop. And they were NOT the first jurisdiction to use them. Dauphin County is where the capital, Harrisburg, is located.

Places that MAY have used them even earlier include Franklin County, Ohio, along with much of Kentucky and Tennessee. The state of Delaware uses them statewide, and many populous counties of eastern PA now use them, including Philadelphia.

Any state that values having "early voting" on machines would find the 1242 unacceptable. I get that. I don't think very highly of early voting at all. I'm a Pennsylvanian. I'm just wired that way. We still have a concept called "Election Day."

Mike LaBonte
Username: Mike_labonte
Post Number: 392
Posted on Tuesday, September 1, 2009 - 6:58 am:

I had only one ballot style per machine in mind, but I was trying to make it function like an optical scanner in that each voter's ballot is counted by the machine and the ballot is kept somewhere. I'm stuck on paper, you know.

It never occurred to me that the 1242 can't change ballot styles. Does that mean there is no per-election programming? That would be sweet.

Mike LaBonte
Username: Mike_labonte
Post Number: 393
Posted on Tuesday, September 1, 2009 - 7:07 am:

OK, the use of Shouptronic in 1988 must have been the first large scale deployment of electronic voting in NH. I just recall reading "first large scale deployment" somewhere.

This page shows a Shouptronic used in Fairfax County, Virginia in 1981. So they do go back a ways. It aptly describes them as electronic lever machines. To me that was a step down, as the inner workings of lever machines are at least observable.

V. Kurt Bellman
Username: Formerelecdir
Post Number: 3041
Posted on Tuesday, September 1, 2009 - 7:13 am:

Mike,

Yes, there is no per-election programming at all. All that changes are data tables. Building those data tables is frequently called "programming", but it's not really. There is no capability for a 1242 to create a "per voter" piece of paper at all. There is only the very small paper roll that prints results and on which all "write-ins" are literally written (long hand) onto it. There was a prototype with a per-voter ballot printer, but it was deemed unworkable for most pollworkers to set up and maintain. The only times in my whole voting life (since 1975) that I have ever created a paper record while voting is when I voted absentee. Not having paper has never been seen as an issue for me or by me.

The 1242 was designed as an electronic "substitute" for the mechanical lever machine. The problem with lever machines is that by 1980 parts supplies had dried up, and cannibalization was the only source. By the 1980's counties were "playing chicken", seeing who would blink first into an electronic system so that the other could buy the other's lever machines to use for parts.

Bev Harris
Username: Admin
Post Number: 10761
Posted on Tuesday, September 1, 2009 - 8:15 am:

One point here re: New Hampshire. "The computer broke down" could very likely mean "the computer in the secretary of state's office broke down."

In New Hampshire in 1988 there were over 300 small jurisdictions, probably two-thirds of which were hand counting (about half hand counted in 2008). The mechanism has been that election officials call in their results to the Associated Press, and the sheets with the results are delivered by courier and/or state police to the secretary of state's office the next day. Then an employee at the secretary of state's office hand enters the results into an Excel spreadsheet.

So, "the computer broke down" may mean "the computer with the spreadsheet."

Even though Windows was not in wide use in 1988, I was using Excel back then on a DOS system. I don't know what NH was using.

I'm not sure "computer broke down" makes much sense for NH, since they do not use a central tabulation system at all.

In fact -- yikes -- that means they weren't feeding the cartridges into anything, opening up the main attack vector for the 1242s.

V. Kurt Bellman
Username: Formerelecdir
Post Number: 3042
Posted on Tuesday, September 1, 2009 - 10:19 am:

DOS Excel was in a CLEAR 2nd place then to Lotus 1-2-3.

Lest anyone misunderstand me - I'm not saying a Danaher, done fully, is perfect. It's not. It lacks transparency like any other DRE. Even if it is fine, the average Joe can't verify that to his own satisfaction. I realize I'm the one who's unique here. I have enough experience so that I trust it. I am fully aware why YOU can't.

I just feel that the 1242 is better than anything else I've seen. It's pretty cool. But it's not ENOUGH.

I'm a convert. Only real transparency will do. But getting all the people in place to make transparency real will be tough in spots.

Mike LaBonte
Username: Mike_labonte
Post Number: 395
Posted on Tuesday, September 1, 2009 - 10:26 am:

Yes, I stopped short of mentioning that the problem in NH was in aggregation, not vote collection. But the Shouptronics were blamed anyway because they were the only things visible; election officials almost never give details on their aggregation process.

By the way, I don't have a problem with aggregating precinct results using whatever common tools are available. What I want to see, however, is the requirement that results are made public, in full detail down to the precinct level, and also require that precinct officials have to print the state results for their precinct, compare against precinct reports, and sign off that they are correct. Preferably this would be part of election certification.
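Mike's requirement above (publish results to the precinct level, have precinct officials compare the published figures against their own tape and sign off) is a reconciliation check that can be written down exactly. The block below is an added example, not part of any post in this thread and not anyone's election software; the precinct figures in it are constructed. It compares each precinct's published totals with its poll-tape totals, flags mismatches and precincts with no tape on file, and reports whether the votes no tape can vouch for are enough to cover the published margin, which is the error-versus-margin question Mike raised earlier in the thread.

```python
# Added example: reconcile published precinct results against poll-tape totals.
# All precinct data is constructed for illustration; none of it is real.
from dataclasses import dataclass, field


@dataclass
class Mismatch:
    precinct: str
    candidate: str
    tape: int
    published: int

    @property
    def delta(self) -> int:
        return self.published - self.tape


@dataclass
class Report:
    mismatches: list = field(default_factory=list)
    missing_tape: list = field(default_factory=list)       # published, no tape on file
    missing_published: list = field(default_factory=list)  # tape on file, not published
    margin: int = 0          # published lead of first place over second
    error_bound: int = 0     # votes no tape can vouch for (mismatch deltas + untaped precincts)

    @property
    def margin_at_risk(self) -> bool:
        """True when the unvouched votes alone are enough to cover the published margin."""
        return self.error_bound >= self.margin

    def status(self, precinct: str) -> str:
        """What a precinct official would sign: OK, or the reason it is not."""
        if precinct in self.missing_tape:
            return "NO TAPE"
        if precinct in self.missing_published:
            return "NOT PUBLISHED"
        if any(m.precinct == precinct for m in self.mismatches):
            return "DISCREPANCY"
        return "OK"


def reconcile(tapes: dict, published: dict) -> Report:
    """tapes/published: {precinct: {candidate: votes}}.  Compare precinct by precinct."""
    r = Report()
    for p in sorted(set(tapes) | set(published)):
        if p not in tapes:
            r.missing_tape.append(p)
            r.error_bound += sum(published[p].values())
            continue
        if p not in published:
            r.missing_published.append(p)
            r.error_bound += sum(tapes[p].values())
            continue
        for c in sorted(set(tapes[p]) | set(published[p])):
            t, s = tapes[p].get(c, 0), published[p].get(c, 0)
            if t != s:
                r.mismatches.append(Mismatch(p, c, t, s))
                r.error_bound += abs(s - t)
    totals: dict = {}
    for counts in published.values():
        for c, v in counts.items():
            totals[c] = totals.get(c, 0) + v
    top = sorted(totals.values(), reverse=True)
    r.margin = (top[0] - top[1]) if len(top) > 1 else (top[0] if top else 0)
    return r


# Constructed data: what three tapes say, and what was published for four precincts.
TAPES = {
    "P01": {"Smith": 412, "Jones": 388},
    "P02": {"Smith": 150, "Jones": 171},
    "P03": {"Smith": 302, "Jones": 297},
}
PUBLISHED = {
    "P01": {"Smith": 412, "Jones": 388},
    "P02": {"Smith": 150, "Jones": 117},   # digits transposed at data entry
    "P03": {"Smith": 302, "Jones": 297},
    "P04": {"Smith": 20, "Jones": 10},     # no tape on file for this precinct
}

if __name__ == "__main__":
    rep = reconcile(TAPES, PUBLISHED)
    for p in sorted(set(TAPES) | set(PUBLISHED)):
        print(p, rep.status(p))
    print(f"published margin {rep.margin}, unvouched votes {rep.error_bound}, "
          f"outcome at risk: {rep.margin_at_risk}")
```

The error bound is deliberately conservative: every vote in a precinct with no tape counts as unverified, and a mismatch counts for its full size whichever direction it goes. In the constructed data a 54-vote entry error plus a 30-vote precinct nobody can vouch for already exceed a 72-vote published margin, which is exactly the situation in which a sign-off sheet should refuse to certify.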

V. Kurt Bellman
Username: Formerelecdir
Post Number: 3043
Posted on Tuesday, September 1, 2009 - 10:44 am:

Mike,

I am unaware of ANY state that has EVER used Shoup/Danaher solutions for any aggregation beyond the county level. Even Delaware (only 3 counties) does not, I'm fairly certain. The design was only for the county level.

Mike LaBonte
Username: Mike_labonte
Post Number: 396
Posted on Tuesday, September 1, 2009 - 11:00 am:

Minor detail: In New England counties are irrelevant, so the only entity above towns and cities is the state. It's just a habit. When I say "state" please think "county".

Charles Christopher
Username: Ilikeinfo
Post Number: 111
Posted on Saturday, October 10, 2009 - 8:51 pm:

I did not listen to the audio, I felt there was enough in the posts to comment.

Back in the 80's when the Radio Shack TRS-80's (based on the Z80) were still common, one of the then "PC" trade rags commented it was "Impossible" (direct quote) to thread the TRS-80 to run 2 apps at once. My college buddy loves challenges, wrote an app that does just what was said to be impossible and sold a lot of copies. All he did was observe that none of the apps he had for the TRS-80 were using the Z80's shadow registers. So he threaded using them; the only limit was you can run 1 or 2 apps, but no more using that technique.

All those features stated in the posts are SELECTABLE by the hardware and software designers, and thus do not have to be used (or "available") if they do not wish to.

Electrical engineers love to talk about software, and programmers love to talk about hardware. The only ones with a clue are called "Embedded Systems Engineers", and they make the big bucks because only they are competent in both worlds (that's what they get paid for).

In fact there is a somewhat notorious "A20" "feature" in older PC's; it was used to manipulate more RAM out of the microprocessor. In fact if you go back to the 70's microprocessors existed as "slices", that is, you bought chips and then actually built your own custom microprocessor. The point is simple: the spec sheet does not mean a damn when one single part can be added to its pins and defeat or modify a feature, or add a feature. The 80386 uses a reverse technique to allow software emulation of the then-pricey math coprocessors.

Yeah, the Z80 is old, and it's one of the most respected microprocessors on the planet. That micro has lived longer than others can hope to live (I learned Z80 assembler even before learning a 3rd generation language, that was 33 years ago), so it's a fairly well known variable, but it still gets presented as many different incarnations each with different features ... But just add some parts to it and you'll have something different, and that's always done; that's the entire point of "general purpose" computational devices. You select the "general purpose micro" part that covers all your needs, then design the hardware to optimize those desired / needed features, or sometimes you can't find a part and you manipulate an included feature into something not originally intended.

Nobody even knows what the limits of a micro are, nor any product embodiment, until someone more creative comes along and proves the limits you believed in were never there ....

Today's products are designed to get them out the door and move the "costly" engineers on to the next revenue generating product. The more the "sales people" are sure of their products, the faster you should run away. Real problems only get fixed when enough customers find out about the problems, and lawsuits are used to keep discoverers from talking about the problems they find.

Toss out the micro's, bring back the paper ballots.

From Bruce Schneier's (check his credentials yourselves, and his website http://www.schneier.com ) book "Applied Cryptography" (don't let the title fool you, Bruce talks a lot about secure systems in general), Second Edition, Section 4 "The Real World", Chapter 25 "Politics", page 619:

"An NSA-employed acquaintance, when asked whether the government can crack DES traffic, quipped that real systems are so insecure that they never need to bother."

Nuf said?
Problem definition *FIRST*, solution formulation *SECOND*.

Charles Christopher
Username: Ilikeinfo
Post Number: 113
Posted on Saturday, October 10, 2009 - 9:57 pm:

Some A20 hack links for the geeks:

http://fishbowl.pastiche.org/2006/06/22/the_a20_hack/
http://en.wikipedia.org/wiki/A20_handler

Oh, and almost forgot about Z80 undocumented instructions:

http://www.z80.info/zip/z80-documented.pdf

There may well be more that are undiscovered. In fact some of the ones mentioned might not even be real, they might just be unintended device behaviors that turn out to provide sensical results.

In other words, it's typical for micros, and CPUs, to have undocumented instructions, and be so complex as to have unexpected but useful behavior to unintended instructions. These days such instructions may be used for debuggers to gain "executive level" access to the device - Call this a "GOD" mode. I'll spare you all the details, just understand that in modern devices (or modern formulations of ancient devices like the Z80) the features often exist to fully "spy" on the code running in the device without the code being aware of it - And this debugging is often betrayed by "test points" left on the board from the design engineer putting them there to implement the design ... So they remain for hackers. It costs too much to remove them from the design, thus they tend to remain forever. Sometimes even the connector itself gets left on the bill of materials and thus keeps getting purchased and soldered onto the board ... Which just makes a hacker's job that much easier and undetectable.

Who knows what undocumented OpCodes ("instructions") exist on the specific Z80 part used in that machine. Again, the theory is you and I are NOT supposed to know about them .... But if you buy a lot of parts, and sign an NDA, the manufacturer typically will cough up the full details ...

Catherine Ansbro
Username: Catherine_a
Post Number: 5563
Posted on Sunday, October 11, 2009 - 10:09 am:

Charles,

Thanks for the insider's perspective.

If I understand your remarks--

1) There are unrecognized (and maybe still undiscovered) features in chips and other hardware.

2) The limitations (or lack thereof) of these chips' potential "extra functions" are unknown and unknowable, as they reflect the unique creativity and skills of the individual programmers, hackers or embedded system engineers playing with them.

3) There are undocumented instructions to allow or facilitate access to some of these functions or to the code running on them.

Have I got that right?

Charles Christopher
Username: Ilikeinfo
Post Number: 114
Posted on Sunday, October 11, 2009 - 2:49 pm:

>1) There are unrecognized (and may still undiscovered) features in chips and other hardware.

Correct.

I think they can generally be classed in two ways:

1) A product designer uses "test features" when placing the chip into a product. So too the chip designer may well place "test features" into the chip for their own development purposes. In some cases those chip features may be "exposed" to the user of the chip, or they might never be documented to the user, or the chip designer(s) might not even tell anybody (nothing nefarious, it was just for them to get the device out the door).

2) Complex systems equate to "unpredictable" results. You design a chip to do certain expected and documented things. If you then ask a micro to perform an instruction that was never part of the spec to begin with the behavior is "unpredictable". The word "unpredictable" is used in device spec sheets, but it's something of a lie. The fact is the behavior *IS* predictable to the same set of conditions. The question then becomes can an instruction that is not part of the design cause a desirable behavior? As this was never a design goal, nobody honest can look you in the eye and claim there are no exploits using this technique.

This is part of "out of the box" thinking when reverse engineering products. You never do what the designer expected, you do the "bizarre" and see if anything "interesting" happens ... Once you see a loose thread you then start pulling. Thus the NSA comment above, "brute force" attacks are rarely needed.

One product I was tasked to reverse engineer demonstrates the case. Programmers are VERY predictable. I asked for two of the devices, I eyeballed the device for the part that had the code and then ran a compare of the two devices. I found 4 locations in the program that were different = The serialization code. I then programmed an identical part with those 4 locations programmed to zeroes .... As always zero serialization is used as the "test device" and the device completely opened up for us exposing everything. This just shows how the "human" just makes things that much worse when it comes to complexity, in effect humans try to eliminate complexity in predictable ways and thus create predictable exploits.

So long as you do what is "expected" a system looks safe and secure. Throw away your typical bias and systems tend to break in a big hurry. Remember the designer of each part and product embodied those same biases into the parts and products. The more "in the box" they were, the more likely an "out of the box" thinker will pierce their defences. Then throw in "time to market" pressures and you quickly realize these designers don't even have the time to address these issues, their bosses are demanding the product gets finished to the spec and not things that are NOT in the spec.

BTW, reverse engineering is 100% legal, despite what the mainstream media would claim, just ask any good IP lawyer.

-------------------------------------------------------------------------------- ------------------------------------------------

>2) The limitations (or lack thereof) of these chips' potential "extra functions" are unknown and unknowable, as they reflect the unique creativity and skills of the individual programmers, hackers or embedded system engineers playing with them.

Correct.

And the fact that some are intended, and not documented, others are just roll of the dice behaviors.

The more complex a system is the less predictable it will be to unexpected / unspecified stimulus until you apply that stimulus and see what it does. Fact is you can be very abusive to boards to force behaviors. You can "short" signal lines to ground or power without harming the device but force it to do unexpected things.

Here is a great example. It shows my own ignorance and arrogance early in my career. Please don't take this the wrong way, it's just a statement of my own education and human growth. This is what was going on in my mind when this happened, and I now know how common it is in industry. I think I overcame it, and I think most do not. This was at the beginning of my career:

---------------

I was part of the test department in a "zero defect" company, this was before the time of "six sigma". I was the only one in the department with an engineering "education". The department was "workers" following procedures. So I obviously knew far more than them ... Yeah right. Because of my background I was always tasked with the product failures that others could not fix, as the number of products that failed test built up I'd be tasked with fixing them, documenting the failures, and getting them back into the product flow to ship.

So one day I dealt with a board that just frustrated me and got nowhere. My boss came in and asked me how it was going ... I cursed out the board in front of me. So he asked the dept head what she thought and she said "change the red jack". Ok, I grabbed the schematic, found the red jack, and it was very clear the red jack had nothing to do with the section of the board that was not working. So I rejected her suggestion .. I clearly knew more than her ... Yeah right ..

So I went through the rest of the pile quickly, then came back to that board. Fortunately I had a great boss who made sure I learned something crucial on this day. He came back, asked the dept head the same question, she gave the same answer, and I gave the same response. Then the end of the day came and my boss suggested changing the red jack - I'd been on that board for hours!

I changed the red jack, and the board was fixed! And I was pissed! I stayed that day until I figured out exactly what happened and where I screwed up.

The problem was simple. The hole on one pin of that jack was far too big, when the boards went through the wave solder the solder would infrequently flow up the hole and then short that pin to a trace right next to that pin. In this case the trace was part of the circuit I knew had failed!

So the moral of the story is simple. The people on "the floor", who make the products and have no "education", often know more about aspects of the products than the engineers who designed them - And I'm being very conservative with that statement. Want to know "interesting" stuff about a product? Don't ask the engineers, ask the people with the soldering irons in their hands.

Yes, that day I realized what an arrogant ignorant idiot I was. :-(

Not even the engineer that designed that product would have had a clue about "The Red Jack". And that cuts to the heart of system design complexity and predictability, and the impossibility of "guarantees" of behavior "in the field".

How many engineers reviewed the Space Shuttle, with the potential for people dying, and yet 2 Shuttles have been lost to design failures - Huge costs to life and huge financial costs to prevent this from happening.

---------------

So you see in the example above, just the complexity of the printed circuit board itself, which is normally treated as "passive", is in fact an active component. And a product expresses its uniqueness in different ways to different people who interact with it - Same thing with following the directions. Sometimes a product designer is the last person you should ask questions of, and the people that make the product are the first people to talk to. ;)

So never exclude consideration of the printed circuit board itself. In fact many have demonstrated the ability to capture the noise generated by a PCB in order to monitor the board's activity without any connections to the device. The board itself just adds that much more complexity and "unexpected" behavior.

By the way, go to any original equipment manufacturer and you'll see my story above played out day after day, less the V8 moment. That wall between the engineering offices and "the floor" is a lot thicker and higher than it looks. :-( The people on both sides rarely mix or communicate in a productive manner.

-------------------------------------------------------------------------------- ------------------------------------------------

>3) There are undocumented instructions to allow or facilitate access to some of these functions or to the code running on them.

Well I'm not guaranteeing they are always there. The more complex the device, the more likely it is that it's there.

That said, yes, I agree with your comment.

Today even the cheapest microprocessors ($3) have such features. And the more "mature" the manufacturer of said part the more likely they have built up intellectual property that they place into each part in the name of debugging.

The Z80 is such an old part and been touched by so many manufacturers in so many ways, I find it very hard to believe that one of today's Z80's would not have some "interesting" features in it or demonstrate interesting behaviors. And that those features will be very different from one manufacturer to another.

In fact it's tempting to think such features would be expensive and thus not exist due to cost. It's just the opposite. The silicon is so small these days, and the pin counts are so high, that an integrated circuit's packaging is often as expensive or more expensive than the entire chip. Thus these debug features are "free" or in fact revenue generating since they help the engineer get the product out the door.

Thus you see the relationship. As time goes on giving the engineer more tools is just that much more common.

There is another subtle aspect of this and I'll use Intel as an example.

There are many tools that you can use to detect the make and model of the CPU in your PC. If you did what I'm about to describe years ago it would be more obvious. For example, when the Pentium came out one of its features was very advanced debug and "supervisory" functionality. But here is the key: The Pentium was out before Intel said so. In other words the cost of the Intel processor advancement is so outrageous that each new device is NOT new! Basically the Pentium functions were included in the 80486's that were produced before being labeled "Pentium". So if you ran an exploratory tool on an "old" PC it would tell you your 80486 is actually a Pentium, which it is.

In other words these microprocessors are incrementally advanced, and when the new features are stabilized the device gets a new label and a new higher price tag! It's a little more complex than that, but not a lot.

And so, you see the board has an 80486, and you get its databook to see its features. But the label lies as it's actually got the yet to be released Pentium ("80586") features in it?

See how ugly this stuff gets?

People ASSuME that since the part has a different label that it's entirely different, likely it's not, nor is it really new - Again the more complex the part the more likely it's incrementally developed and the part change is not as significant as you think. Sometimes features might be disabled using onboard flash or even a laser etch, and sometimes those parts you see soldered on the chip itself cause the configuration changes.

So if I place an 80486 in your hand and I give you the databook for the 80486 and the Pentium, which databook is correct for that chip? You can't tell unless you use a tool to see if that particular 80486 actually contains some of the Pentium features and thus is something in between. In other words you might need both books.

Here's a good link on the Intel Processors:

ftp.gwdg.de/pub/misc/x86.org/secrets/opcodes/ICEBP.txt

And first item in the doc:

"ICEBP - F1 - INT01 (ICE BreakPoint)

An undocumented op code that will make debugging run-time code on an ICE
easier. Normally, to set an arbitrary breakpoint in a program which was
loaded by an operating system, you must perform a laborious task of
figuring out where your program was loaded in memory. Follow that
process with an equally laborious task of calculating the offset in
memory which corresponds to the desired breakpoint. This process is
exacerbated by programs which use many segments, especially many code
segments. Now for one final complication, consider that your program
switches from real mode, to protected mode, with paging enabled, and you
are not using a 1-to-1 mapping of physical to virtual memory. You want
to talk about a nightmare just to figure out where to set a breakpoint?

All of these problems are eliminated, simply by using this instruction -
- provided you know its caveats. "

And notice how these undocumented instructions relate to debugging, and seeing into the behavior of the running code in a way that minimizes your impact on the running code? In other words the debug features reduce the "Heisenberg Effect" of changing the system by monitoring it. The better the debug features the less effect you have. The designer's requirements have huge overlaps onto the hacker's (reverse engineering) requirements.

And if you want to intentionally design a system so that the debug features have zero impact you can, and likely nobody is going to be able to prove that intent, it's just too subtle. Thus you can design in exploits that are next to impossible to prove the existence of. If caught you just say "random chance" and nobody is likely to prove otherwise. In fact, I'd argue the best designers would design the system this way so as to make their own debugging that much easier and their tools that much more useful (they know their debug tools will have ignorable effects on system operation by design).


I hope that helps.

Again, this is all mental masturbation, time to bring back paper ballots. :-) The simpler the system the more predictable it is, even if it's impossible to remove all the random or unintended elements of its behavior. The key is to minimize those aspects of the design, and adding "chips" to the design is the wrong direction to go. ;)
Problem definition *FIRST*, solution formulation *SECOND*.
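The two-unit comparison described in this post, worked through as an added example (not the poster's code) and turned around into an integrity check: two units of the same product that are supposed to run identical code should differ only inside their per-unit serialization region, and a difference anywhere else in the image is a finding that needs explaining. The 4 KiB image size, the code pattern and the serial offset 0x0FF0 are constructed for the example and do not describe any real product.

```python
"""Differential comparison of firmware images dumped from two identical units.

Added example, not code from the forum post.  The post compares two dumps,
finds the four byte locations that differ and identifies them as the
serialization data.  Read the other way round, the same comparison is an
integrity check: units that must run identical code should differ only
inside the expected serialization region.  Layout and contents below are
constructed for the example and do not describe any real product.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMAGE_SIZE = 4096           # constructed: 4 KiB image
SERIAL_OFFSET = 0x0FF0      # constructed: 4-byte per-unit serial lives here
SERIAL_LENGTH = 4


@dataclass
class DiffRun:
    start: int      # first differing offset
    length: int     # number of consecutive differing bytes
    a: bytes        # bytes from image A over the run
    b: bytes        # bytes from image B over the run


def diff_images(img_a: bytes, img_b: bytes) -> List[DiffRun]:
    """Return runs of consecutive offsets at which the two images differ."""
    if len(img_a) != len(img_b):
        raise ValueError("images must be the same size for a byte-for-byte compare")
    runs: List[DiffRun] = []
    start: Optional[int] = None
    for off, (x, y) in enumerate(zip(img_a, img_b)):
        if x != y:
            if start is None:
                start = off
        elif start is not None:
            runs.append(DiffRun(start, off - start, img_a[start:off], img_b[start:off]))
            start = None
    if start is not None:                      # run reaches the end of the image
        runs.append(DiffRun(start, len(img_a) - start, img_a[start:], img_b[start:]))
    return runs


def unexpected_differences(runs: List[DiffRun],
                           allowed: List[Tuple[int, int]]) -> List[DiffRun]:
    """Drop runs that lie entirely inside an allowed (start, length) region.

    Anything left is a difference between supposedly identical units that
    the serialization layout does not explain.
    """
    def inside(run: DiffRun) -> bool:
        end = run.start + run.length
        return any(s <= run.start and end <= s + n for s, n in allowed)
    return [r for r in runs if not inside(r)]


def report(runs: List[DiffRun]) -> List[str]:
    """One line per run, e.g. '0x0ff0 +4: 00010203 -> 10111213'."""
    return [f"0x{r.start:04x} +{r.length}: {r.a.hex()} -> {r.b.hex()}" for r in runs]


def build_sample_images() -> Tuple[bytes, bytes, bytes]:
    """Constructed sample: a fixed code pattern with a serial written over it.

    unit_a and unit_b differ only in the serial; unit_c also has a single
    byte flipped in the code region at 0x0200 (a constructed tamper).
    """
    code = bytes((i * 37 + 11) & 0xFF for i in range(IMAGE_SIZE))

    def with_serial(serial: bytes, patch: Optional[Tuple[int, int]] = None) -> bytes:
        img = bytearray(code)
        img[SERIAL_OFFSET:SERIAL_OFFSET + SERIAL_LENGTH] = serial
        if patch is not None:
            off, val = patch
            img[off] = val
        return bytes(img)

    unit_a = with_serial(b"\x00\x01\x02\x03")
    unit_b = with_serial(b"\x10\x11\x12\x13")
    unit_c = with_serial(b"\x20\x21\x22\x23", patch=(0x0200, code[0x0200] ^ 0xFF))
    return unit_a, unit_b, unit_c


if __name__ == "__main__":
    a, b, c = build_sample_images()
    allowed = [(SERIAL_OFFSET, SERIAL_LENGTH)]
    for name, other in (("unit_b", b), ("unit_c", c)):
        runs = diff_images(a, other)
        print(f"unit_a vs {name}: {len(runs)} differing run(s)")
        for line in report(runs):
            print("  ", line)
        bad = unexpected_differences(runs, allowed)
        print("   unexplained:", report(bad) or "none")
```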

Charles Christopher
Frequent Voting Rights Forum Participant
Username: Ilikeinfo

Post Number: 115
Registered: 11-2006

Best of Black Box? 
Votes: 1 (A keeper?)

Posted on Sunday, October 11, 2009 - 3:51 pm:

One other thing I should add - This discussion is getting far deeper than I'd thought it would get!

Let me talk to the issue of the unintended behaviors and the modern source of them, and why they have become even more unpredictable.

Yesteryear engineers designed chips using black tape on sheets which were photographically transferred onto the "chip" to form the desired features. In effect the same exact process used to make printed circuit boards. Imagine having to make a change to that? One "simple" change might result in having to rip up and redo a tremendous amount of work! Even using a computer does not solve the problem entirely when designing this way, the cost of an area of the chip is huge so the designer is always mashing everything as small as possible (changes = rip ups).

The upside of this type of design is the designer has very intimate knowledge of the design and its behavior, both designed and that of unexpected stimulus.

Today chips, especially the most complex (!) are designed using "EDA" tools, specifically "HDL" and/or "VHDL" (Verilog HDL). These are what are known as "synthesis tools". In other words tape has been replaced by a sort of programming language. You describe the chip using this programming language, and then the tool synthesizes the needed "tape" or photographic image.

NOTE WELL: This program INTERPRETED the designer description and then formed a solution, and NOT a unique solution!

NOTE WELL: Each time the designer makes a change the resulting "tape" image might have far more changes and differences than would be expected from the change.

In other words the HDL/VHDL is an abstraction of the desired design and thus open to interpretation for that not specified in the design itself.

Using this modern design process, chips "unintended" behavior can radically change due to minor evolutionary changes as bugs are fixed or new features are added. Thus we have an even greater disconnect of the designer from these unexpected behaviors than existed yesteryear.

Here is a site that offers such HDL "IP Cores" for free:

http://www.opencores.org/projects

Search the page for the "Processor" section, and note the large number of commercial processors that people have converted into "HDL Description" for others to use and customize to their needs. In the "SOC" section (System On A Chip) you'll find the following Z80 design:

http://www.opencores.org/project,z80soc

And again, these designs are not analytically unique solutions. To call a design a "Z80" one expects the design to include all the original functionality of the original Z80, but additional features might be added. Nothing says you can't improve on the original, you just have to make sure code written for the original runs on this version.

More Z80 HDL description ("cores"):

http://www.cast-inc.com/cores/cz80cpu/index.shtml
http://www.chipestimate.com/log.php?from=%2Fip.php%3Fid%3D15624&logerr=1
http://www.thefreelibrary.com/CAST+Processor+IP+Offerings+Grow+With+New+DSP+and+ Z80-Compatible+Cores-a071627970

And for those that might want to try to beat me up, yes I know those cores are intended for FPGAs. However chip "foundries" typically offer conversion services from FPGAs to custom masks/chips. In other words you prove your design in FPGA and then the foundry makes yet another "abstraction step" in converting the design to another functionally equivalent form - But not necessarily equivalent for unintended stimulation!

In fact if memory serves, the Intel processors are now developed on FPGAs using description languages which are then converted to final masks. In the FPGA form they just run very slow, but time is a controllable design element with predictable scaling to the final chip embodiment.

It's almost like the Wonderama show where the circle of kids pass the message around the circle to see what comes out the end. Obviously not that bad since the base functionality MUST come out intact, but everything else undergoes radical noise.

That is today's uncontrolled source of those "unexpected" / "unpredictable" / "undesigned" behaviors. The very abstracted design process itself.
Problem definition *FIRST*, solution formulation *SECOND*.

Joel Morine
Frequent Voting Rights Forum Participant
Username: Erased

Post Number: 363
Registered: 1-2008

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Saturday, October 24, 2009 - 10:38 am:

>2) Complex systems equate to "unpredictable" results. You design a chip to do certain expected and documented things. If you then ask a micro to perform an instruction that was never part of the spec to begin with the behavior is "unpredictable". The word "unpredictable" is used in device spec sheets, but it's something of a lie. The fact is the behavior *IS* predictable to the same set of conditions. The question then becomes can an instruction that is not part of the design cause a desirable behavior? As this was never a design goal, nobody honest can look you in the eye and claim there are no exploits using this technique.

Mr. Christopher,
Am I correct in thinking that in the above you meant to say...

The question then becomes can an instruction that is not part of the design cause an undesirable behavior?

Sometimes hurried incomplete sentence edits lead to undesirable results?


=======================
What follows is best skipped for those seeking relevancy, but hopefully gives a laugh, and my appreciation for one, to Mr. Christopher..
=======================

Dear Sir,
Long time since I was writing software, but I particularly enjoyed the paragraph above for some remarkable memories it brought back of mind-bending time spent debugging unbelievable outcomes of interactions between two packages w/in one product I was writing solo -- both of which had worked fine thru much testing until I put the 2 together...& likewise memories of experiences using vendor equipt that wld work perfectly 29 days out of 30 & then do something that left all of us & the vendor as well scratching their heads during an Nth iteration of a task it had been performing perfectly.

In a different unpredictably inconsistent but far more recurrent "gremlin" (misnomer) experience w/ newly purchased equipt I'd recommended for my tasks at a new job ... what was interesting was the 3 quite different approaches to our problem by the mgr, salesperson, & tech person at the franchise outlet we'd bought the equipt & software from. Their "human handlers" ran us in denial circles for weeks -- too long a story to tell, but we'd have been hung if I hadn't managed to sneak a conversation on the sly w/ their tech person (available to me cuz my boss had gone down there w/ me & their human handlers were busy handling him). Their tech made a judgment call re: our personalities that we wouldn't try to make them pay for admitting their mistake to get it right for us, but had to do it on the sly cuz that kind of judgment call belonged to the "human interactn" experts in sales & mgmt. He admitted to me (on the sly in confidence) what the mgr & salesperson knew -- that they'd had the same problem months before w/ the same mix of hardware, software & fast-math chip. While the human experts were all busy w/ each other, the tech "did the right thing", at risk of whatever repercussions for stepping out of line, & removed the math chip to see what would happen. Everything went back to working fine. My boss there was pretty special ... 99/100 others would have bagged unknown me based on what their sales/mgr had been telling him for a month beforehand ... he trusted his instincts abt me, & I trust my manner of communicating w/ him re: the problem fed that trust.

It is a fascinating profession for a lot more reasons than just those...and all the stereotypes re: tech people I've met over & over, especially from art/humanities pros, are so thoroughly off-base -- but then that was also my take on the half-dozen years I spent working in restaurant kitchens, often with minimum-wage dishwashers & potwashers who were better read and more interesting to talk to than way lots of college grads I've known.

It's a big surprising world if you take time to pick up the rocks and listen underneath!!!

I'm another huge fan of yr tag-line...

Charles Christopher
Frequent Voting Rights Forum Participant
Username: Ilikeinfo

Post Number: 119
Registered: 11-2006

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Saturday, October 24, 2009 - 11:19 am:

Your story is a great one played out minute after minute ... With those around thinking about washing the person's mouth out with soap (well at least when I'm that person in the battle).

This is why the people LEAST likely to trust technology are the ones that actually GET PAID TO DESIGN IT. That really says it all right there ... And it's why those people get "hidden" in offices in a building away from the sale department ...

It's easy to trust tech until you get faced with one of those "expletive rich" situations. ;)

Then there is the very old WordPerfect support call where the tech and the customer go round and round for 10 minutes getting nowhere. You'd have to read the transcript to believe it, but it took the tech that long to realize the customer had not yet turned on the computer - Ever wonder why a tech would ask something so "stupid" as "Is your computer on?" That's why. Toss a "complex human" into a feedback loop with a "complex system" and your odds can be far better in Vegas. ;)

Also watch for techs to use this fact as an actual weapon against the unsuspecting customer. They even do it to themselves, there is always a natural "friction" between hardware designers and software designers on the same "team", and that very game gets played a LOT ... Which of course can lead to exploits as one side ASSuMEs they've been given factual data, but it's not and thus "derived requirements" start to cause break downs. No matter how big the project, the smaller the team the less likely this happens. The bigger the team the more you can bet it's happened, just look at the latest MS Windows Patch, it's a total lie to suggest "one person" caused it. That in effect says that MS allowed that one person to modify, compile, and then publish, that file == That Microsoft has *ZERO* quality control policies and procedures in place (some might argue that's true ;) ).

>Mr. Christopher,
>Am I correct in thinking that in
>the above you meant to say...

>The question then becomes can an instruction
>that is not part of the design cause an
>undesirable behavior?

In that sentence you are correct, I boo-booed. Thanks for pointing that out.

The view from 30,000 feet being that both sentences on their own are the issue, each creating their own problems.

For example say an unintended instruction just happened to cause a full "endless loop" dump of memory to the data lines? If nobody tested for that then *NOBODY* has the right to say there is no such opcode, period.

But then you face an interesting question, is such an opcode "desirable" or "undesirable"? To the hacker it's party time, to the person that signed off saying the system is secure it's time to "fall" on their sword. Ooooooops.
Problem definition *FIRST*, solution formulation *SECOND*.

Catherine Ansbro
Frequent Voting Rights Forum Participant
Username: Catherine_a

Post Number: 5584
Registered: 12-2004

Best of Black Box? N/A
Votes: 0 (A keeper?)

Posted on Saturday, October 24, 2009 - 1:37 pm:

>But then you face an interesting question, is such an opcode "desirable" or "undesirable"?

This is why I never assumed the "typo" was a "typo". Either sentence is true depending on one's perspective.
