What I think the Hursti Hack means….

During last week’s public meeting of the Allegheny County, PA commissioners prior to the purchase of the voting equipment for the county, Mark Radke of Diebold was asked to comment on the “so called Harri Hack”. Mark said that if hackers are given 100% access to ANY voting system, they could compromise that system. Thus, he concluded, the Harri Hursti hack was a meaningless publicity stunt. I’ve since read similar opinions expressed on this forum.

I beg to differ.

The Zero Value Report is printed at the beginning of every election. Its only purpose is to assure the election officials that the memory card has no votes preloaded. But, in at least the Diebold case, the memory card also holds an AccuBasic program that prints the zero value report. Now I could see putting a few candidate names and such on the card, BUT THE PROGRAM THAT PRINTS THE REPORT?

With the above design, the Zero Value Report is less than useless, it’s a ruse meant to give a false sense of security to election officials. A kind of conjurer’s “nothing up my sleeves” ploy. And that, I’m afraid, is what our election system itself is becoming – a magician’s trick to con the electorate out of their precious right of consent to be governed.

Now, if I’m wrong on any of this, I’d love to hear just where I’m wrong.

report. Thought it was proof that the machines were all clear at the start of the day.
I think you raise a good point.

One poster, who FWIW was of questionable pedigree, was sayin' it was a stunt. Otherwise I didn't notice such sentiment expressed of the hack.

However, there were some of the usual concern expressed that BBV may be a publicity stunt. Others argued there are easier ways to hack an election, but I don't believe doubted the significance of Hursti's work.

I'll dig if you need the link, but Hursti was quoted in the press coverage (Miami Herald?) saying that the security concern raised by the hack was relative to an inside job being pulled. Essentially someone authorized to have keys to the candy store. That needs to be shoved in Radke's face, and anyone printing his whining unchallenged.

Finally, the presence of interpreted code, in seeming violation of EAC standards is most interesting to me. As a result, CA SoS has sent the software in question back to the ITA's, and a few potential Diebold customers have hit the brakes.

How is the EAC and Diebold going to try to skirt that, and what could be done to stop them are my questions.

Why I think the presence of interpreted code on the memory cards is, frankly, shocking, may be summed up by two points:

Point 1:

When designing their voting equipment, Diebold (or more likely, Global Election Systems) could have gone two ways:

A.) Design the scan and print control firmware to read data structures from memory and then decide how to scan and print. Since the mother program GEMS stores all the information regarding ballot design in data structures, this would seem the straightforward, secure choice.

B.) Design the scan and print control firmware to be completely controllable by an external program, complete with all the branch and loop capabilities of any computer program. This decision means that GEMS now has to read its internal data structures and write a complete computer program. I've written a few "programs that write programs" in my day (mostly associated with translating applications between platforms) and I can tell you that this is a much harder task. In addition, it opens the resultant system to things like the Hursti Hack.

Point 2:

While either native binary -or- interpretive code would have been bad, the use of proprietary interpreted code is particularly suspicious. Imagine you're a cheater and you've preloaded a batch of cards ala the Hursti Hack. Your chief worry, it would seem to me, would be that one of the hacked cards would fall into the hands of someone who would discover the cheat. But if the program was in the form of a secret, proprietary language, then you could rest assured that no one could make head-or-tails out of said programs.

Diebold bought them @2002, and I think the software pre-dates that. Er, I mean the software certified for use, not software snuck in, but I digress.

As to Point 1B, is there any concievable non-nefarious reason to do it that way?

They’ll say it was so that they didn’t need to distribute updates to thousands of pieces of hardware but rather send updates just a few GEMS installations.

I followed the first Diebold hack, the so-called “GEMS Tabulator Hack” quite closely and I see quite a few parallels:

1.) Both hacks involve design decisions most professional programmers wouldn’t make.

2.) Both hacks open the system to fraud while providing a fig leaf of plausible deniability.

3.) Both hacks go out of their way to hide nefarious activity from elections officials.

4.) Both hacks rely on the fact that the paper ballots, IF ANY, would never be hand counted.

5.) Both hacks are done from the center-out and thus may be accomplished by just a few co-conspirators.

Not that I'm doubting this. That the certification process leaves questions underscores as much.

1,2.) Is there a laymans-terms to express these?

3.) Of course they would! Perhaps I'm not following.

4.) Easy enough to imagine.

5.) From where the election is managed?

Summary reports come from one area of the database while detail reports (and data for the data entry screens) come from another. It was (is??) an extremely complicated design that allowed the summary reports (the ones used on election night to decide elections) to be modified while insuring that an election official would never be able, through the data entry screens, to see just where the data was modified.

The GEMS "fig-leaf" was that this design produced faster reports than simply adding up all the raw data every time. IMHO, the time savings would be measured in sub-seconds.

"Both hacks are done from the center-out and thus may be accomplished by just a few co-conspirators."

Please learn me that one.

is a bit trickier.

Normally GEMS loads the memory cards. In the Leon County demo, Hursti used a separate card reader/writer to rig the memory card prior to the hack. However, it would be possible (and in many ways preferable), for the hacker to hack GEMS so that GEMS preloaded the votes and the modified AccuBasic Zero Value Report.

Please.

1. What would Diebold have to do to fix this problem? Might a fix involve software-only? Or would the hardware have to be re-tooled , as well?


2. What other manufacturers may have a similiar vulnerability with their equipment?

It doesn't matter. It proves that when the election official runs the zero report, it could be wrong with out them knowing it.

In Pennsylvania, the state SoS has interpreted the interpreted code issue to decertify Diebold OpScan but not the touch screens.

I don't know if it's happened, but it's possible that some counties will wind up with touch screens when they would have used OpScans. To make things worse, PA has no VVPAT law.

Had to be said.