Hursti Report II is OLD news

This topic is archived.
Kelvin Mace Donating Member (1000+ posts) Mon May-15-06 11:07 AM
Original message
Hursti Report II is OLD news
I sent an email to Doug Jones with a link to the Jan 2004 RABA Technologies report. The report identifies the much-trumpeted security hole was discovered and documented over two years ago.

Dr. Jones concurs.

Is this reported problem different from the one reported in 2004 by RABA Technologies?

http://www.raba.com/press/TA_Report_AccuVote.pdf (page 19)

"3. Load a PCMCIA card with an update file. The PCMCIA card can be used to update
the software on the AccuVote-TS terminal. This can be done by placing a PCMCIA
card with an update file into the terminal and rebooting the terminal. The update file
allows an attacker to overwrite any file on the system. Furthermore, by using this
technique an attacker can install his own version of the ballot station software giving
him the ability to completely invalidate all the results on that terminal. If he
compromises the AccuVote-TS terminal used as the accumulator, he can
compromise the entire precinct results."

David Allen
www.blackboxvoting.com


Reply from Doug Jones:

This is exactly the same problem! Thanks! I've been wondering
whether this vulnerability was hiding in one of those old security
evaluations. Now we can say, rather firmly, that Diebold knew about
this problem for almost 2 years and did nothing about it.

I've suspected that they knew about it and had not elected to patch
the hole, now we know!

Doug Jones


There you have it folks, Bev Harris recycling something known for over two years.

GregD Donating Member (1000+ posts) Mon May-15-06 11:11 AM
Response to Original message
1. Good catch David.
I had just heard from Donna C that such was the case. Serious threat - yes, absolutely. Hidden by Diebold - yes, and apparently for quite a long time. But "new news" - not at all.

Boredtodeath Donating Member (1000+ posts) Mon May-15-06 11:12 AM
Response to Original message
2. It's even older than that
Edited on Mon May-15-06 11:14 AM by Boredtodeath
Because I know that DUers pointed it out to Bev Harris when they were reviewing the source code.

Rob Behler's interview pointed them to the issue in March 2003:
Because you load everything through the PCMCIA cards. You boot it up using the card and it loads the new software.
http://www.countthevote.org/behler_interview.htm

Kelvin Mace Donating Member (1000+ posts) Mon May-15-06 12:24 PM
Response to Reply #2
3. I know, but it was bloody unlikely that
Bev would ever admit that.

I just got the same confirmation from Avi Rubin. He said Hursti had more detail, but they obviously were talking about the same thing.

Also, the problem was probably mentioned in the redacted sections of the SAIC report.

garybeck Donating Member (1000+ posts) Mon May-15-06 12:59 PM
Response to Original message
4. Saying it's "old news" doesn't help the cause...
Edited on Mon May-15-06 01:04 PM by garybeck
we are trying to get more people aware of these things. Rather than calling it "old news" (with all caps, mind you) why not say something like "Diebold problem has been known and ignored for 2 years"

instead of keeping the focus on the PROBLEM and DIEBOLD, you choose to divert the attention to BH. I see no point.

the problem is Diebold. The problem is the code. The fact that they've known about it for 2 years makes the story even worse. Congrats to Hursti et al for helping expose it. The fact that it's been two years since you and others have known about it, is completely beside the point. I feel your reference/accusation to BH is completely useless.

What exactly is the point of calling this "old news" ?

It's not old news when Secretaries of States are taking major action. This is huge news, current events and deserves all the attention it is getting.

Kelvin Mace Donating Member (1000+ posts) Mon May-15-06 02:30 PM
Response to Reply #4
6. This is a stunt by Bev
to get attention and money. She KNEW this was old news, but repackaged it as new.

Her proxies were on here screaming at me and others that this was BRAND new and we were liars if we said otherwise.

This would be like a newspaper repackaging the Downing Street memos and claiming they had done all the work. I think the folks who DID do all the work would be a bit pissed.

In the report, they have BBV.org copyrights on each and every page. They have TWO footnotes, one about a meeting, one of Bev. The acknowledgements do not mention RABA Technologies, or any of the DU folk who originally found this hole.

In another thread, a poster was accused of plagiarism for quoting Bev's own words. And yet, what do you call it when you appropriate another person or group's work without attribution as was done in Bev's "report"?

Bev read the RABA report. I know, because we discussed it. She knew it identified the PCMCIA security problem. She then has her group re-issue a report claiming they "found it".

That is dishonest on so many levels.

garybeck Donating Member (1000+ posts) Mon May-15-06 03:17 PM
Response to Reply #6
7. give me a break
Edited on Mon May-15-06 03:21 PM by garybeck
I don't care how old the news is. it's getting attention. I don't care if she knows it is old. Part of trying to get an issue noticed is to dig up old stories that didn't get the attention they needed previously and breathing fresh air into them.

I suppose we should all stop paying attention to the Plame affair because it's all old news and we've known about it for 2 years.

the issue is not BH. the issue is the voting machines. You seem to be more concerned with BH than the voting machines.

Kelvin Mace Donating Member (1000+ posts) Mon May-15-06 03:41 PM
Response to Reply #7
8. So, plagiarism is OK?
Edited on Mon May-15-06 03:42 PM by Kelvin Mace
I have done quite a bit on this issue. And I did it without appropriating other people's work and calling it my own. I did it without attacking the academics who helped document the issue. I did it without asking for any money. I did it without pissing off people like Keith Olbermann and Randi Rhodes.

I suppose we should all stop paying attention to the Plame affair because it's all old news and we've known about it for 2 years.

This analogy is defective. What Bev did would be the equivalent of Matt Drudge taking credit for Fitzpatrick's investigative work, then claiming it was a "late breaking story".

It seems to me you are making an "end justifies the means" argument. Sorry, I don't subscribe to that philosophy.

garybeck Donating Member (1000+ posts) Mon May-15-06 04:54 PM
Response to Reply #8
12. ...
I have not noticed an abundance of claims from BBV that they are the first to find this. The focus is on the findings, not who, when, where discovered it first. I just searched through their latest articles on this and maybe I missed something but I couldn't find anything that said "we at BBV would like everyone to know that we, and only we, were the first organization to find this flaw." Furthermore, the third-party articles about this sometimes don't even mention BBV or Hursti. I think if you check the New York Times article:

"The new concerns about Diebold's equipment were discovered by Harri Hursti, a Finnish computer expert who was working at the request of Black Box Voting...."

I have no problem with this statement. The concerns are in fact NEW. 2 years ago it might have been known by some, but the concerns at this time are new because of the increased exposure. In regards to the claim that Hursti "discovered" it I think if you look up the word "discover" in the dictionary you'll find that it is very hazy on whether you have to be the first one to say you discovered something. in fact the #1 definition is simply:

"To notice or learn, especially by making an effort: got home and discovered that the furnace wasn't working."


I don't think this is plagiarism. Is this really such a big deal to you that you have to make such an issue out of it? It's a non issue and I've already wasted too much time on it.

The bottom line is the results. The first Hursti Hack was MONUMENTAL in getting recognition to the problem. It was real. It was effective. No one can argue it. And BBV was involved. I know you don't like to admit that but it's true. Just ask Ion Sancho.

Personally I don't care if people plagiarize me. They can plagiarize everything I say and do, if it has a significant effect, at exposing the problem. Plagiarize away.

You on the other hand seem to be more concerned with staking your personal credit on something you did 2 years ago than helping the effort to expose the biggest problem facing our nation.

Boredtodeath Donating Member (1000+ posts) Mon May-15-06 05:12 PM
Response to Reply #12
13. Harri Hursti I was effective? How?
Ion Sancho is using Diebold voting machines in the next election.

That was useful, wasn't it?


Boredtodeath Donating Member (1000+ posts) Mon May-15-06 05:16 PM
Response to Reply #12
14. This is incredibly pathetic
David Allen (Kelvin Mace) helped to write and pass the legislation in North Carolina which stopped Diebold dead in its tracks.

Diebold refused to do business in North Carolina because the legislation David Allen, our own Kelvin Mace forced them to show their code.

And you have the audacity to compare THAT WORK to Bev Harris in Florida? Yeah, that Hursti Hack that produced zero results.


Kelvin Mace Donating Member (1000+ posts) Mon May-15-06 07:13 PM
Response to Reply #12
15. If you write a paper
about a security hole which has already been covered by someone else, and you have read their paper, and you fail to credit the original paper, I believe this is considered plagiarism.

Someone else did the original work and has received no attribution. This is frowned upon where I come from.

Boredtodeath Donating Member (1000+ posts) Mon May-15-06 04:15 PM
Response to Reply #4
10. I guess you think LYING helps the cause?
In other words, even if the person is a liar, as long as the lie is what I want to hear it's OK.

Barnum was right - there's one born every minute.


Kelvin Mace Donating Member (1000+ posts) Mon May-15-06 02:17 PM
Response to Original message
5. Confirmed with Avi Rubin
This was revealed by RABA in December of 2004.

Boredtodeath Donating Member (1000+ posts) Mon May-15-06 03:59 PM
Response to Reply #5
9. No, that would be December 2003
Released January 29, 2004

Kelvin Mace Donating Member (1000+ posts) Mon May-15-06 07:14 PM
Response to Reply #9
16. I was basing it on the published date
The actual work was done in December.

Boredtodeath Donating Member (1000+ posts) Mon May-15-06 07:39 PM
Response to Reply #16
17. I know, but 2003 not 2004
That was my point.

The study was released on January 29, 2004. The work was done in December 2003.


Boredtodeath Donating Member (1000+ posts) Mon May-15-06 04:49 PM
Response to Original message
11. I'm just stunned that anyone would think lying is OK
So, when Diebold comes back and says "Yeah, our customers knew all about this since 2003 and implemented security to prevent unauthorized access" it's gonna make us ALL look like utter fools.

All of us who have worked on this issue have been abused by election officials who immediately assume we're all like the lying, scheming Bev Harris. And, now, they get to heap on more abuse.

How nice that anyone thinks that's OK. :sarcasm: