The Hursti Hack was a successful attempt to alter the votes recorded on a Diebold optical scan voting machine. The hack is named after Harri Hursti.

Participants

The participants were:

- Ion Sancho, Supervisor of Elections, Leon County, Florida
- Thomas James, Information Systems Officer for Leon County, Florida
- Bev Harris, Black Box Voting founder
- Kathleen Wynne, Black Box Voting Associate Director
- Harri Hursti, computer programmer and security expert
- Hugh Thompson, application security expert and Ph.D. in math
- Susan Bernecker, former Republican candidate for New Orleans city council
- Susan Pynchon, Director of Florida Fair Elections Coalition

Hacking a Diebold machine

[Image: Actual paper tape from initial hack]

In a series of four tests conducted in Feb., May, and Dec. 2005, Ion Sancho invited Black Box Voting to Tallahassee after an invitation to check the Diebold machines. Black Box Voting engaged the services of Dr. Herbert Hugh Thompson and Harri Hursti. Dr. Thompson and Hursti believed they could change or hack vote totals without the system detecting entry. The first two projects targeted the computer program that adds up all the voting machine results and produces the final report. On Feb. 14 and again on May 2, Thompson successfully hacked the Diebold GEMS central tabulator and bypassed all passwords by using a Visual Basic script. This, however, would be detected in a vigilant environment if the supervisor of elections checks the poll tapes (voting machine results) against the central tabulator report.

For purposes of demonstration, an election was run using Leon High School as a model. The results of the first hack are shown below.

Leon High School (pre-hack)

| Candidate | Votes | Percentage |
|---|---|---|
| Bud Baker | 623 | 54.79% |
| Thomas Guthrie | 192 | 16.89% |
| Nadiyah Smith | 322 | 28.32% |

Leon High School (post-hack)

| Candidate | Votes | Percentage |
|---|---|---|
| Bud Baker | 623 | 10.71% |
| Thomas Guthrie | 192 | 3.30% |
| Nadiyah Smith | 5000 | 85.98% |

To show that both the results tapes and the central tabulator could be hacked, Black Box Voting then engaged the services of Hursti to hack the poll tapes. Black Box Voting purchased a card reader from the internet and Hursti used it to produce counterfeit memory cards, which successfully altered the voting machine results tapes on May 26, 2005.

One-Step hack

A fourth trip to Tallahassee was made on Dec. 13, 2005. Black Box Voting and the producers of the film Hacking Democracy organized the test. Attending were Harris and Kathleen Wynne from Black Box Voting, Hursti, Thompson, along with Susan Pynchon of Florida Fair Elections Coalition from Volusia County, Florida, and Susan Bernecker, a former candidate for New Orleans city council who videotaped Sequoia-brand touch-screen voting machines in her district recording vote after vote for the wrong candidate. During his research, Hursti found that Diebold's cards allowed negative votes. Hursti successfully altered the votes using only a memory card, producing a one-step hack that simultaneously altered both the central tabulator results and the voting machine results tapes for matched (but rigged) results. "I would have had no way of knowing," said Sancho. "I would have certified this election."

Three voting machine hacking tests have been performed by Finnish computer expert Harri Hursti for the nonprofit elections watchdog group Black Box Voting and the producers of Hacking Democracy, who filmed it. The first two Hursti Hacks were set up in Leon County, Florida with the authorization of Supervisor of Elections Ion Sancho, and these tests examined a Diebold Election Systems (DES) Accu-Vote OS 1.94w (optical scan) voting machine. The third Hursti test was conducted for Black Box Voting in collaboration with Bruce Funk, then-County Clerk of Emery County, Utah, on a Diebold TSx touch-screen.

Hursti Memory Card Hacks

The tests by Hursti were the third (May 26, 2005) and fourth (Dec. 13, 2005) in a series of five voting machine examinations produced by the Black Box Voting group. The first four tests were authorized by Supervisor of Elections for Leon County, Ion Sancho, to ascertain whether votes could be altered on a Diebold voting machine. Tests on Feb. 14, 2005 and May 2, 2005 were conducted on the Diebold GEMS central tabulator by Herbert Hugh Thompson, who proved that results reports could be altered without a password by using a Visual Basic script. The third and fourth tests were memory card tests performed by Hursti. The fifth test took place with both Hursti and Thompson in Emery County, Utah.

During Hursti's first memory card hack on May 26, 2005, he altered the program that creates the "poll tapes", or voting machine results reports. However, this hack would be detected if the supervisor of elections compared the poll tape results with the GEMS central tally report. The GEMS tally report can be hacked to match, as demonstrated during two earlier Black Box Voting projects in Leon County with Herbert Thompson. Thompson successfully manipulated the GEMS tally program using a Visual Basic script.

The May 26 version of the Hursti memory card hack would require two steps to succeed without detection in a vigilant election setting: both the memory card and the GEMS tabulator program would need to have matching hacks.

During a videotaped meeting in Cuyahoga County, Ohio, DES Research and Development chief Pat Green stated that checks and balances would detect the tampering and that it would not be possible to alter the votes themselves on the memory card.

However, during the Dec. 13, 2005 testing, Hursti successfully altered the votes on the memory card. His memory card manipulations falsified both the voting machine results tapes and the GEMS central tabulator report. Leon County Supervisor of Elections Ion Sancho stated that he would have had no way to detect the tampering and would have certified the election.

The Hursti memory card hack performed in Leon County on Dec. 13, 2005 is a variation on stuffing the ballot box prior to any votes being cast. Hursti had pre-loaded the memory card giving one candidate 5 positive votes and one candidate 5 negative votes to create a "zero report." This keeps the machine accurate in votes cast compared to number of voters.

"What we are going to do here is modify one card and then bring it to the election provider's Ion Sancho's office, log it has the real card...if in any election as to the real election system and run ballots through and that's the same system which have been used in a number of previous elections...and we'll see that what is the power in the ballot box, this should be an empty box containing the votes but it has more capabilities than that."
— Harri Hursti, Tuesday, December 13, 2005.

Actual paper ballots were used pre-printed with the following question: "Can the votes on this Diebold system be hacked using the memory card?"

The test election

Ballots Cast By Participants

| Participant | Yes or No |
|---|---|
| Bev Harris | No |
| Thomas James | No |
| Ion Sancho | No |
| Susan Bernecker | No |
| Susan Pynchon | No |
| Kathleen Wynne | No |
| Hugh Thompson | Yes |
| Harri Hursti | Yes |
| TOTAL: | 6 NO 2 YES |

Actual Results By Diebold Machine

| YES | NO |
|---|---|
| 7 | 1 |

Since Hursti was the technical advisor, he was asked by Sancho to remain outside of the test area. Selection of the voting machine was done by random draw. Machine #15191 was pulled as the random machine. Hursti only touched the memory card but did not come into contact with any machines.

Seven participants made out their ballots using the opti-scan paper sheets (Hursti remaining outside the test area). Sancho then went to Hursti and gave him a ballot which Hursti filled out. Hursti then gave Sancho the memory card to insert into the machine. The operation of the machine was explained by Sancho to those in attendance, the card was inserted, and the machine was turned on, which then produced the "zero total tape." The tape produced zero votes cast. The test ballots were then inserted into the Diebold machine, followed by the "ender card" (same size as a ballot), which told the machine to turn off its counting function and start its reporting function. The machine then produced a paper tape with 7 yes votes and 1 no vote.

Results

This test demonstrated that Diebold Election Systems made misrepresentations to Secretaries of State across the nation when the company claimed votes could not be changed on the memory card, the credit card-sized ballot box used by computerized voting machines. More seriously, Diebold Election Systems claimed in writing to state election officials that the Diebold memory cards did not contain any executable code. In fact the memory cards did contain executable code - likened to 'a living thing' inside the cards - and it was this executable code that hacking expert, Harri Hursti, used to defraud the Diebold voting system.

Furthermore, DES wrote a press release referring to the famous vote changing 'Hursti Hack', stating that - "Harri Hursti is shown attacking a DES machine in Florida. But his attack proved later to be a complete sham." In response to the test election, California's Secretary of State commissioned a special report by scientists at UC Berkeley to investigate the 'Hursti Hack'.

The UC Berkeley scientists wrote a Special Report On The Diebold Accuvote Voting Machine. Page 2 of their report states:

"Harri Hursti's attack does work: Mr. Hursti's attack on the AV-OS is definitely real. He was indeed able to change the election results by doing nothing more than modifying the contents of a memory card. He needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server."

A spokesman for DES said it was similar to "leaving your car unlocked, with the windows down and keys left in the ignition and then acting surprised when your car is stolen."

The test election was filmed and shown in the conclusion of the Emmy-nominated HBO documentary, Hacking Democracy, which premiered November 2, 2006.

Examination of the DES TSx touch-screens in Utah

In 2006, Black Box Voting was invited by Emery County, Utah County Clerk Bruce Funk to examine the DES TSx touch-screen. Black Box Voting arranged for the services of Hursti and Black Box board member Jim March, who traveled to Utah March 1 and 2, 2006. Hursti discovered numerous security flaws, the most egregious being the ability to reload the entire operating system and the ability to replace the boot loader simply by inserting a memory card with a specific program name. Hursti discovered that the system would accept macros in a manner that posed a risk to election security. Jim March opened the case of the TSx and photographed its interior, discovering a hidden SD wireless slot and piggyback connectors under the standard modem, both enabling the machine to be equipped for wireless communications without the knowledge of election directors.

After seeing how serious the problems were, Black Box Voting engaged the services of Herbert Thompson, then head of the security company Security Innovation, to provide an independent opinion. Both Hursti and Thompson conducted a second series of tests on March 16 and 17, 2006 to confirm findings, which prompted emergency warnings and last minute corrective actions in Pennsylvania, California, and other states.