ࡱ> @B?q` bjbjqPqP 4.:: f f f 8 $  OQQQQQQ$hHu u   OO DZpf jO0# _4, uu)^    B l a c k B o x V o t I n g Consumer Protection for Elections 425-793-1030 www.BlackBoxVoting.org To: Gary Herbert, Lt. Governor of the state of Utah Cc: David Blackwell, Emery County Attorney Bruce Funk, Emery County Elections Emery County Commissioners Michael Cragun, Utah State Elections Director Mar. 24, 2006 Dear Sirs, This is a formal notification that a security defect was found in the Diebold TSx system in Emery County, Utah by professional security experts from Security Innovation, Inc. and Mr. Harri Hursti. Because of the severity of the defects, the formal reports are being prepared with sufficient precision to garner the attention of the appropriate authorities with jurisdiction over this matter. These authorities, of course, include each of you who are receiving this notice, in addition to federal authorities in the general area of computer security. Preparation of the formal report will take a short time. In the mean time, we understand that you have sequestered the Emery County voting machines and have secured the area. This is a good step. We understand also that punitive consequences may be contemplated by the vendor toward the county and/or by the county toward your elected official. It would be prudent to learn more about the nature of the security vulnerability, in addition to conducting an investigation as to how the security problem got into the system in the first place, before anyone decides on a course of action. We believe circumstances will show Mr. Bruce Funk acted responsibly and in good conscience. His actions may indeed have protected national security, since a file has now been identified on a Chinese Internet site that appears to be similar to the file needed to exploit the identified security hole. A copy of the report will be forwarded by certified mail to each of you, and by e-mail to Homeland Securitys CERT reporting unit, the Election Assistance Commission, The National Institute of Standards and Technology (NIST), to selected members of the U.S. Congress, to each state elections official with the Diebold TSx, and to members of the Utah state legislature. The security problems found in Emery County present potentially catastrophic security defects for upcoming elections. The issue extends outside of Emery County to additional states. The identified security vulnerability appears to be: 1) Persistent, with the ability to survive through multiple elections; 2) Difficult to detect, not only for elections official but also for security experts and even for Diebold technicians 3) Flexible, in that the exploit can selectively affect any particular election, candidate or ballot question; 4) Accessible, in that no password, supervisor access or special equipment is needed to invoke the exploit; 5) Difficult to eradicate with any patch, reinstallation, or cleaning procedure; and 6) Likely to be exploited, because the skills needed to exploit the hole are possessed by many programmers and the information needed to conduct the exploit is generally available to the public. The time needed to exploit the security hole is in the range of a weeks planning time and 60 seconds for execution. As has been reported, this problem was discovered after Bruce Funk noted discrepancies in his Diebold products including electrical hazards due to a faulty mechanical design and also memory discrepancies. Clearly, the memory discrepancies were considered a red flag by Diebold because not only did the storage/memory indicator register that it was low, but the color of the message had switched over to red. Mr. Funk also noted paper jams, something previously identified as a problem in California, but supposedly fixed by Diebold. Emery County took delivery on the newer, supposedly improved model, but the paper jams persist. Whether or not Mr. Funk had authorized the test, it is very likely that various individuals were already aware of this security vulnerability. As unpleasant as the current situation is, the low memory problem in Emery County may be a blessing in that it has revealed a potentially catastrophic problem which may have a high probability of being exploited, and this was discovered in time to put protective measures in place. There is a mitigation procedure for this security hole which may require action on the part of the state. Unlike the problems found in the California source code review (which involved programming errors) this more serious security vulnerability is not an error, but an architectural decision made by the design team. Because of the nature of the vulnerability, corrective procedures should be undertaken by the state, or by a company chosen by the state, rather than by Diebold Election Systems. The specifics on this will be in the report. It should be emphasized here that no patch or modification to either the firmware or the configuration is permitted without identifying it with a new version number and taking the system through federal certification again. Also, no patch or quick modification will mitigate the risk. Diebold may wish to put in short-term corrective measures, but this must be avoided until the state first conducts an evaluation of how the problem got there in the first place. We realize this is an uncomfortable situation for everyone. However, it would seem prudent to avoid altering or accessing the machines or making any formal decisions about this until the formal report is presented, which will be shortly.      "#$%&GHTmnoW X ^ _ k   .  ʹh&5h+"$hGhhs\hwhXh=h,CJOJQJRHaJ hhB}CJOJQJRHaJh=CJOJQJRHaJ h=h=CJOJQJRHaJh=OJQJRHh=h=OJQJRH6&Hno O P ^ _ j k {|h( 0]0^gdK$0]0^a$gd=$0&dP]0^a$gd= % , B D R f I O V    7=Egp  DU_)12fghi&'()`achL?hhhnh~{#hwhGh 3h(hkhyhXhaDh&5h Jh+"$L(   0]0^gd9#$ 0]0^gdQX 0]0^gdKVZ[ ;DF]^fotBKnu), CHhj@Hnop^_` +6=@Jh+"$h>l?h7h <h:nhjh JhQXhGhUhFh&5hh~{#hMH hGjhGUhwh9#$hQXh h>l?h>  Footnote TextCJaJ@&@ Footnote ReferenceH*6U@6 Hyperlink >*B*phFV@!F FollowedHyperlink >*B* ph.&HnoOP^_jk{|h (   00000000000000000000000000000000000000@0I0@0I0@0I0@0I0I0  K0I0  (8@0(  B S  ?&MwMMLpMl;MlxMLMdM\M<M|M5M M:M/GM$$M M$MnMÒMlGMfMt M MJ MJ Ml?aBaDUQX=_ARoot Entry FDZpCData 1Table WordDocument4.SummaryInformation(/DocumentSummaryInformation87CompObjq  FMicrosoft Office Word Document MSWordDocWord.Document.89q