Re: Scientists Call Diebold Security Flaw 'Worst Ever'

[Simon Roberts <thorpflyer () yahoo com>]

I love the suggestion that the "probability for exploiting this
vulnerability to install unauthorized software that could affect an
election is considered low."

Does low mean perhaps one-in-a-million? Hmm, how many registered voters
are there in the country?

Sheesh!

--- lsi <stuart () cyberdelix net> wrote:

> [I don't agree with the Professor, when he asserts that the best
> treatment for this problem is denial.  I suggest that the best
> treatment for this problem is dissemination, far and wide, so that
> the broadest range of pressures is brought to bear. - Stu]
>
> http://www.commondreams.org/headlines06/0511-11.htm
>
> Published on Thursday, May 11, 2006 by Inside Bay Area
>
> Scientists Call Diebold Security Flaw 'Worst Ever'
>
> Critics say hole created for upgrades could be exploited by someone
> with nefarious plans
>
> by Ian Hoffman
>
>
> Computer scientists say a security hole recently found in Diebold
> Election Systems' touch-screen voting machines is the "worst ever" in
> a voting system.
>
> Election officials from Iowa to Maryland have been rushing to limit
> the risk of vote fraud or disabled voting machines since the hole was
> reported Wednesday.
>
> Scientists, who have conferred with Diebold representatives, said
> Diebold programmers created the security hole intentionally as a
> means of quickly upgrading voting software on its electronic voting
> machines.
>
> The hole allows someone with a common computer component and
> knowledge of Diebold systems to load almost any software without a
> password or proof of authenticity and potentially without leaving
> telltale signs of the change.
>
> "I think it's the most serious thing I've heard to date," said Johns
> Hopkins University computer science professor Avi Rubin, who
> published the first security analysis of Diebold voting software in
> 2003. "Even describing why I think it's serious is dangerous. This is
> something that's so easy to do that if the public were to hear about
> it, it would raise the risk of someone doing it. ... This is the
> worst-case scenario, almost."
>
> Diebold representatives acknowledged the security hole to
> Pennsylvania elections officials in a May 1 memo but said the
> "probability for exploiting this vulnerability to install
> unauthorized software that could affect an election is considered
> low."
>
> California elections officials echoed that assessment Friday in a
> message to county elections chiefs.
>
> But several computer scientists said Wednesday that those judgments
> are founded on the mistaken assumption that taking advantage of the
> security hole would require access to voting machines for a long
> time.
>
> "I don't know anyone who considers two minutes lengthy, if it's
> that," said Michael Shamos, a Carnegie Mellon University computer
> science professor and veteran voting-systems examiner for the state
> of Pennsylvania.
>
> "It's the most serious security breach that's ever been discovered in
> a voting system. On this one, the probability of success is extremely
> high because there's no residue. ... Any kind of cursory inspection
> of the machine would not reveal it."
>
> States using Diebold touch screens are "going to have to fix it
> because they can't have an election without having a fix to this," he
> said. Otherwise, states risk challenges from losing candidates while
> being unable to prove easily that the machines worked as designed.
>
> At least two states - Pennsylvania and California - have ordered
> tighter security and reprogramming of all Diebold touch screens,
> using software supplied by the state and a method opened by the
> security hole. Local elections officials then must seal certain
> openings on the machines with tamper-evident tape.
>
> David Wagner, an assistant professor of computer-science at the
> University of California, Berkeley and a technical adviser to the
> California secretary of state's office, said the new measures should
> minimize risks in the June 6 primary.
>
> Elections officials in Georgia, which uses Diebold touch screens
> statewide, said existing state rules already are sufficient.
>
> Bev Harris, founder of BlackBoxVoting.org, a nonprofit group critical
> of electronic voting, said she isn't sure reprogramming and sealing
> the touch screens will fix the problem.
>
> Voting machines often are delivered to polling places several days
> before elections, and the outside case of Diebold's touch screens is
> secured by common Phillips screws. Inside, a hacker can take
> advantage of the security hole, as well as access other security
> holes, without disturbing the tamper-evident seals, Harris said.
>
> "Ultimately, there's no way to get rid of the huge security flaws in
> the design," she said.
>
> � 2000-2006 ANG Newspapers
>
> ---
> Stuart Udall
> stuart at () cyberdelix dot net - http://www.cyberdelix.net/
>
> ---
>  * Origin: lsi: revolution through evolution (192:168/0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


"You can tell whether a man is clever by his answers. You can tell whether a man is wise by his questions." — Naguib 
Mahfouz

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/