There has been a lot of talk about recycling lately, and it's not all coming from the Greens (bless their hearts)!:thumbsup:

I said we should judge Hursti's work on its own merits, so here's an excerpt from the RABA Technologies report on the Diebold crap prepared for the state of MD in Jan 2004.

From Page 19 of the Jan 20, 2004 report:



And here's the linky-poo:
http://www.raba.com/press/TA_Report_AccuVote.pdf

Now, honestly, doesn't this sound remarkably like at least some of the findings in the latest Hursti report -- like maybe the most important one -- that you can reboot a Diebold DRE and load malicious software?

OK, good.

Now, if Hursti has discovered some new vulnerabilities, that's fine and I applaud him for it. But before we mortgage the house and send the kids' college fund and the 401K off to BBV.org, we need to know how new they really are, right? Hursti should have at least cited RABA's work, don't you think?

Now, what the hell is going on in PA?

"Aviel Rubin, a professor of computer science at Johns Hopkins University, did the first in-depth analysis of the security flaws in the source code for Diebold touch-screen machines in 2003.


After studying the (((LATEST))) problem, he said: "I almost had a heart attack. The implications of this are pretty astounding".


LINK: LAST PARAGRAPH http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=203x427619

and thus thinks this is the case.

http://www.bbvforums.org/forums/messages/1954/27675.html?1147661525



Just off hand, why would Harri cite RABA's work when it had nothing to do with his independent investigation of the machines in Utah? :shrug:

You're not actually trying to alledge that the world respected computer security expert Harri Hursti had to steal the findings in the RABA report to find what he did? :rofl:

Do you think Rubin, Shamos, and Jones were in on some kind of coverup with RABA and now they've turned because Harri busted them? I'm sure they all read the RABA report and they all swear this is new. :tinfoilhat:

It seems the witchhunt has begun. Everything will boil down to who knew what and when. If the redacted portions of the SAIC Report contains information on the three-level built ins, congressional investigations will need to follow to determine why hundred of millions in taxpayer funds were invested in a system which contains "the nuclear bomb" of voting machine security problems.

Differences between what Bill Bored mentions and Hursti II

Discussion has been going on among election reform leaders about how to communicate the information in Hursti Report II so that the general public can understand its significance, and I have been somewhat close to the pulse on this but this is third hand, so please view it in that context. From what I understand, the activist who identified the most appropriate analogy is Susan Pynchon of Volusia County, who founded the Florida Fair Elections Coalition. I think I am correct on this, therefore I tip my hat to Susan Pynchon for this explanation:

As Black Box Voting writes, the problems found by Hursti are on three levels. Susan Pynchon's analogy, somewhat expanded, helps us all conceptualize the three level problem. As the Hursti II report points out, there are separate security problems in each of the three levels.

The deepest level can be conceptualized as the foundation of a house.
The next level up can be conceptualized as the house itself.
The level above that can be conceptualized as the furnishings in the house.

The foundation of the house = the bootloader
The house itself = the Windows CE operating system
The furnishings of the house = the application, in this case called Ballot Station

Add one more conceptualization to this. A hose runs into the land itself, and has the ability to pump either toxic waste or cleanup chemicals into the soil on which the foundation rests.

The hose = a specific hardware port which is redacted in the Hursti II report.

Now to apply the analogy

1. Suppose you want to buy a house with all its furnishings. When you inspect the house you notice that the furnishings (the application, the Ballot Station program) have structural flaws. Knowing you can't trust that bed not to collapse and knowing that the dishwasher leaks, you decide you'd better replace ALL the furnishings.

Hursti learned that the furnishings, the Ballot Station application, were not secure. The state of Pennsylvania says it is going to replace all the furnishings with furnishings that are new and authentic and checked out.

2. Now you get an inspection done on the house itself. You learn that it has a roof that leaks, a supporting wall eaten away by termites such that it cannot support the weight it is supposed to hold, and various other severe structural defects (mostly caused by an owner who decided to modify and customize the house). The house is the Windows CE operating system.

Hursti learned that the house had been modified and customized so that it had leaks and couldn't support the weight placed on it. The state of Pennsylvania says it is going to replace the Windows operating system software. This is the equivalent of renovating the house.

So now, we have an agreement to replace all the furnishings and renovate the house, supposedly.

The SAIC report, if it speaks to replacing software with a PCMCIA card, is speaking to the furnishings and the house, but not to the foundation.

3. Next we come to inspect the foundation (the bootloader). Suppose we find the foundation of the house to be filled with radioactive waste. Even if you replace all the furnishings (Ballot Station application) and renovate the house itself (Windows Operating System), would you buy this house if you knew the foundation was contaminated with radioactive waste?

The SAIC report (at least, the unredacted portion) does not speak to the issue of radioactive waste in the foundation. It deals only with the software (the house, Windows operating system, and the furnishings, the Ballot Station software).

Contamination of the foundation below the house and furnishings is very serious. How does one clean such contamination if it is found? Well, it turns out there is a hose leading into the land itself in which the foundation sits. (Hose = hardware connector). It turns out that you can decontaminate the foundation by pumping in a special environmental cleanup concoction through this hose (a specific connector on the motherboard). But this leads us to the fourth problem.

4. The hose (motherboard control connector). It turns out that this hose can easily pump in radioactive waste, or it can pump in environmental cleanup solutions. (It can be used to contaminate the bootloader or it can be used to clean up the bootloader, depending on who is using it).

Now, to make this analogy more accurate to the touchscreen situation, no one really knows whether the foundation contains radioactive waste or not. They only know it is hooked up to a couple of different hoses that can in turn be hooked up to the radioactive waste dumping site. They know that the hose is BUILT IN. They know that another delivery mechanism is also BUILT IN. And they know that the house has leaks and the furnishings have structural defects, but whether water is pouring in through the leaks at the moment, or the furnishings have collapsed on anyone yet is not known.

Besides the leaky house (operating system) and the structurally defective furnishings (Ballot Station application), at any time in the entire life cycle of the house, someone might have dumped some radioactive waste into the foundation (bootloader) using one or more of the hoses (PCMCIA card or special motherboard connector).

One can test for the structural problems with the furnishings (Ballot Station application). One can test for leaks and so forth in the house (Windows CE operating system). But no forensic testing method exists to test for whether the foundation (bootloader) has been contaminated with radioactive waste.

All you know is there are people who want to dump the toxic waste in there, and there are hoses those people can use to dump it, and if the toxic waste is in the foundation, the house should be deemed uninhabitable.

Remedies

So, to be on the safe side, you should decontaminate the foundation by using the hose to pump in a special environmental cleanup solution. (Open the case, use the special motherboard connector to gain control of the motherboard, overwrite the bootloader, Windows CE and Ballot Station application). No one is even discussing this cleanup operation at this time.

Here's the problem: After you decontaminate the foundation, anyone who gets control of the hose can recontaminate it without your knowing about it.

This is an elaborate analogy, but a fairly accurate one.

The furnishings (software) can be ruined through the PCMCIA card. They can be replaced, though.
The house (operating system) can be ruined through clumsy renovations that cause leaks and damage to the security of the structure. This Windows CE operating system can also ruined through the PCMCIA card, but it can also be replaced.
The foundation can contain radioactive waste, contaminating the whole structure, and there may be no outward sign of it. (Bootloader contamination). There are no forensics that will tell you whether it's contaminated or not. You cannot decontaminate the foundation by replacing it, because if it was contaminated it will just seep back in again. So you have to use a special hose.
The hose can decontaminate the foundation (ie. a special connector can take over the motherboard and get a clean bootloader into the system).

However, the hose can just as easily be attached to the toxic waste site and pump radioactive waste right back in, contaminating the whole thing again. (You can use the special hardware connector to recontaminate the boot loader.)

It is possible that the SAIC report contained this information. It is impossible to imagine why hundreds of millions in taxpayer funds were spent on these systems if this was known back in 2003.

////////////////////////////////////////////////////////////////

Does Hursti Report II contain new information? Certainly it contains new PUBLIC information, as the SAIC report says nothing about bootloader contamination. If citizens knew of this three years ago but chose to say nothing, they will certainly be questioned as to what they knew, when they knew it, and who they told. If governmental agencies knew about this three years ago, it needs to be determined who knew what and when.

The republic is at stake, so it is difficult to imagine any acceptable reason why any citizen or any government agency would permit elections to take place on machines with these vulnerabilities without going public with such devastating information.

If citizens have indeed known about the possibility of bootloader contamination since 2003, why didn't they say anything? If the SAIC report writes of this but redacts it, why did the state buy the voting machines anyway?

Who knew what and when. Get a good seat.

.

You see, the Hursti report has to be a deep dark secret, because..........

It's just a re-run of the findings well known since 2003.

And, now, Bill Bored, you are on the Bev Harris enemy list for pointing it out.

loading software which properly authenticates itself via memory card and loading software which searches only for a file name as a means of authentication.

The RABA report identifies the ability to reload software by memory card, but does it also say that the only file authentication performed by the touchscreen is to ask whether the file has the right name?

Put Tolstoy's "War and Peace" on a memory card and change the file name to a specific one, and Diebold's touchscreens will hurry off to replace the windows operating system with "War and Peace."

I may have missed reading about that in the RABA report, perhaps you can find that passage in RABA.

You'd think after all these years Bev Harris might have learned something about the terminology.

None of the points were addressed. If I question a witness as follows, "Did you state in your report that the retina had been detached?" and the witness responds "Perhaps you can learn the subject, you'd think after all these years your doctor would have learned something about the terminology" that would be deemed nonresponsive to the question.

Hmmmm, pretty funny shit.

She likely doesn't.

She appears to be in this for self-aggrandizment and self-enrichment.

This whole exercize is nothing but a fundraiser for Bev Harris. Just an example of one of her press releases designed to raise funds.

Sad, really.

I see no requests for funding in Hursti Report II. I saw no requests for funding in the New York Times. Had there been requests for funding, I have no problem with it, since it takes funding to do these studies.

But let's say this actually was a fund raising effort, rather than its mirror image (an example of how funds are spent to further election reform). The fund raising would go to Black Box Voting, Inc., a 501c(3) nonprofit organization. Since Harris is on a fixed $60,000 per year salary that does not change, how would fundraising go to Bev Harris?

Perhaps you meant to say "fund raising for Black Box Voting, the independent elections watchdog group that produced the study."

Or perhaps you are using another propaganda technique by converting an organization's name to a person's name. Fund raising for the nonprofit entity "Black Box Voting, Inc." becomes fund raising for "Bev Harris" personally.

Is it your intent to shut down Black Box Voting, Inc.? Is that what this is about?

One really must wonder how eliminating the work of Black Box Voting, Inc. would benefit election reform. Perhaps it benefits a different agenda.

trying to hide behind an organization..........

As for my agenda, it's simple. TRUTH. That's my agenda.

And an agenda of TRUTH only hurts Bev Harris.

One only needs to search the July 2003 archives of DU to find Bev Harris talking about the bootloader.

There's TRUTH for you.

The names "Harri Hursti" and "A Black Box Voting project" are on the report, but I don't see the name "Bev Harris" on it, negating your claim to self aggrandizement through this report.

Your allegations of self-enrichment are not supported by the firm's 990, which lists her salary at $60,000. Since she donated the book proceeds and donated the Qui Tam monies, the record supports generosity and commitment to the cause. If you have evidence that she has been paid anything other than the $60,000 listed on the 990, please provide it.

At least you used the words "appears." It "appears" this way because of a smear campaign which made unsubstantiated allegations that Harris in some way benefited financially. These untruths were repeated approximately one thousand times over the course of 18 months. Repeat a lie often enough and people will believe it.

Would you care to post it here?

The 990 hit the U.S. Post Office today.

How many months late is that?

And your argument amounts to "The Check Is In The Mail" as Guidestar will not have something you just ran down to the letter box with.

No, my dear, scan the motherfucker and post it here if you want ANY of us to believe that you finally got around to filing it.

And there are several people who have made formal requests for copies of it and you have never sent them as required by law.

Consider this a formal request.

Post the scans here NOW.

Seriously.

Does Bev report her every activity (including a walk to the mailbox) to her Bots?

Sub-thread removed by moderator. Click here to review the message board rules.

So the way we did that in the warehouse was, they would post whatever the update was on the FTP site. James would go get the file and put it on the cards. Because you load everything through the PCMCIA cards. You boot it up using the card and it loads the new software. "This was done in the warehouses -- once the machines were sent out to the county, these updates were done just to make sure the machines were running correctly. I went over to Dekalb . We updated 1800 machines in basically a day and a half. I still remember ol' Rusty, down at the warehouse, we ended up touching every single machine off the pallet, booting 'em up, update it, we had a couple hundred machines done when in comes a new update over the phone.

http://www.countthevote.org/behler_interview.htm

What you have there is a reprint of the interview Bev Harris conducted with Rob Behler. Certainly, people should read that interview which is covered in more depth here: http://www.blackboxvoting.org/bbv_chapter-11.pdf

The Rob Behler interview was first published by Harris on July 9, 2003. The information about reloading software with a memory card was first published by Harris in early Feb. 2003. That information was contained in interviews with Michael Barnes and Brit Williams. The interviews with Williams and Barnes can be found here: http://www.blackboxvoting.org/bbv_chapter-9.pdf

You are right that the issue of loading program code with a PCMCIA card has been known for some time. It was originally exposed by Bev Harris in Feb. 2003.

The RABA report, published in 2004, refers to loading code for the Ballot Station, the "furnishings" of the house. corroborating what Harris reported in 2003. I erred above in suggesting that RABA also discussed the house itself (the Windows operating system). Apparently RABA only examined the Ballot Station program.

It is your understanding, then, that the significance of the Hursti Report is that you can reload software with a memory card?

That's the most important thing you saw in the report? Now might be a good time to examine the photographs of the motherboard contained in the report. Perhaps you can point me to links from 2003 or 2004 containing photographs of the touchscreen motherboards along with links that describe the significance of what is on the motherboard in relation to bootloader contamination through various delivery mechanisms.

I'm confused, because it sounds like you believe the ability to upload software through a memory card (the furnishings and the house, in the analogy above) is the same thing as forensically undetectable radioactive waste in the foundation. Perhaps I didn't see that you'd gotten the significance of the report because you haven't yet provided us with the promised Democratic Underground archives containing discussions about the implications of bootloader contamination.

Or is it that you think Hursti Report II is just about reloading Ballot Station with a PCMCIA card?

You can't update software without a bootloader in this situation.

D'oh!

Contamination of the bootloader itself is the fundamental issue, not reloading of software.

You only need a BOOTLOADER to reload the software.

D'oh, again!

Contamination of the bootloader itself is the fundamental issue, not reloading of software.

Setting aside for the moment the issue of reloading the software, what are the implications to the software of a contaminated bootloader?

It's a simple fact - you cannot update software without a bootloader on these machines.

It's really not complicated. Perhaps you can wrap your "non-technical" mind around that idea.

Message removed by moderator. Click here to review the message board rules.

Quite frankly, they couldn't even load the software to begin with without a bootloader.

Bev Harris has long known that the bootloader was a serious problem.

ROFLMAO!

We will go back to the four-part analogy:

1. The furnishings
2. The Windows CE operating system
3. The foundation
4. Various hoses leading into the soil where the foundation is

That #1 and #2 can be replaced with a PCMCIA card was originally reported by Bev Harris. The failure to authenticate the files on the PCMCIA card was not reported by either Harris or RABA. Failure to authenticate is the new information in the Hursti Report II, which describes exactly how authentication (such as it is) is performed.

The implications of #3, radioactive waste in the foundation -- a contaminated bootloader -- were not reported by Harris, RABA or anyone else. That is the "nuclear bomb" referred to by Avi Rubin and the other scientists.

The existence of #4, the delivery mechanisms for contamination, was reported only insofar as the PCMCIA card can be used to contaminate. The difficulty of cleanup (PCMCIA card cannot be used to clean up the contamination) and the ability to recontaminate using multiple, specific, built-in delivery mechanisms has never been reported by Harris, RABA, or anyone else.

Known all along since 2003.

Your sayso is petulant, but not evidenciary.

see post #5

A plagiarized interview at that. Do you have permission to reprint Harris's work?

It does not discuss the delivery mechanisms built into the motherboard nor the other items I mentioned above. Is your purpose simply to write simple-minded sound bytes hoping readers will develop doubt?

One really must ask what your intent is. Are you pleased that the U.S. scientific community, the New York Times, the mainstream media, congressional investigators and state voting system authorities are finally taking this seriously and taking action (albeit inadequate actions which still need to be proven)?

It would seem that each step forward would be welcomed by those interested in election reform. Your belittling of these findings demeans the public education being delivered through mainstream media coverage. I've just been told you are from Georgia, a state blanketed with these machines.

Your belittling of the findings and the new momentum to make changes is mystifying. It reveals a lot about your intent.

When you take without credit all the time yourself???

it was her work. I hear otherwise.

And she has SO many other things to prove just now.

Like; Where is the tax paperwork for her 403c? Where are the employee withholding tax payments for 2004? Little matters like that.

was that an "exclusive" interview? Oh, no, didn't see that.

Secondly, so sue me. Please. I'd love to meet Ms. Harris in a courtroom.

Belittling OLD DATA is nothing more than printing the TRUTH. Something Ms. Harris is apparently incapable of.

In fact, so did Bev.

The interview was part of the book. The book was issued with a Creative Commons license, which permits it to be distrubuted. Back before Bev saw this as a money-making enterprise, that's how we did it.

Also the fact that Bill Bored is citing an interview is not plagiarism, which is something even you should understand.

Also, BB is not belittling the findings, he is belittling them being trotted out as new by Bev Harris.

Edit: I meant Bored to Death, not Bill Bored.

Sorry.

Claiming ownership of an open source book!

not BillBored.

Poor Bill, our our names are so close he gets mistaken for me all the time.

Thanks, corrected.

into this hole and you can fall into the rabbit hole just like Alice.

it's hard to tear myself away, but I'm afraid I must.

Q: "Did you report the detached retina, yes or no?"
A: "You don't know anything."
Q: "Here is your report. Can you show me where you reported that the retina was detached and where you reported that there was swelling on the brain?"
A: "That just shows you don't know as much as me."

All nonresponsive. This kind of answer tells the jury (and the readership here) all they need to know about the credibility of the witness, in this case, boredtodeath.

Attach the messenger when you can't attack the message.

Good luck with that.

Attack the messenger when you can't answer the questions. Then say the messenger is attacking you personally when he asks you questions.

Mirror image - Propaganda 101.

do you consider facts to be an attack?

Pretty pathetic.

A link was provided that showed the problem was known about three years ago. As usual, the link is to Bev's own mouth (so to speak).

The rebuttal consists of:

Uh-uh!
Did not!
You're a plagiarist.

Thread has gotten too personal.