Full Disclosure mailing list archives
Re: Scientists Call Diebold Security Flaw 'Worst Ever'
From: Simon Roberts <thorpflyer () yahoo com>
Date: Fri, 12 May 2006 12:58:32 -0700 (PDT)
I love the suggestion that the "probability for exploiting this vulnerability to install unauthorized software that could affect an election is considered low." Does low mean perhaps one-in-a-million? Hmm, how many registered voters are there in the country? Sheesh! --- lsi <stuart () cyberdelix net> wrote:
[I don't agree with the Professor, when he asserts that the best treatment for this problem is denial. I suggest that the best treatment for this problem is dissemination, far and wide, so that the broadest range of pressures is brought to bear. - Stu] http://www.commondreams.org/headlines06/0511-11.htm Published on Thursday, May 11, 2006 by Inside Bay Area Scientists Call Diebold Security Flaw 'Worst Ever' Critics say hole created for upgrades could be exploited by someone with nefarious plans by Ian Hoffman Computer scientists say a security hole recently found in Diebold Election Systems' touch-screen voting machines is the "worst ever" in a voting system. Election officials from Iowa to Maryland have been rushing to limit the risk of vote fraud or disabled voting machines since the hole was reported Wednesday. Scientists, who have conferred with Diebold representatives, said Diebold programmers created the security hole intentionally as a means of quickly upgrading voting software on its electronic voting machines. The hole allows someone with a common computer component and knowledge of Diebold systems to load almost any software without a password or proof of authenticity and potentially without leaving telltale signs of the change. "I think it's the most serious thing I've heard to date," said Johns Hopkins University computer science professor Avi Rubin, who published the first security analysis of Diebold voting software in 2003. "Even describing why I think it's serious is dangerous. This is something that's so easy to do that if the public were to hear about it, it would raise the risk of someone doing it. ... This is the worst-case scenario, almost." Diebold representatives acknowledged the security hole to Pennsylvania elections officials in a May 1 memo but said the "probability for exploiting this vulnerability to install unauthorized software that could affect an election is considered low." California elections officials echoed that assessment Friday in a message to county elections chiefs. But several computer scientists said Wednesday that those judgments are founded on the mistaken assumption that taking advantage of the security hole would require access to voting machines for a long time. "I don't know anyone who considers two minutes lengthy, if it's that," said Michael Shamos, a Carnegie Mellon University computer science professor and veteran voting-systems examiner for the state of Pennsylvania. "It's the most serious security breach that's ever been discovered in a voting system. On this one, the probability of success is extremely high because there's no residue. ... Any kind of cursory inspection of the machine would not reveal it." States using Diebold touch screens are "going to have to fix it because they can't have an election without having a fix to this," he said. Otherwise, states risk challenges from losing candidates while being unable to prove easily that the machines worked as designed. At least two states - Pennsylvania and California - have ordered tighter security and reprogramming of all Diebold touch screens, using software supplied by the state and a method opened by the security hole. Local elections officials then must seal certain openings on the machines with tamper-evident tape. David Wagner, an assistant professor of computer-science at the University of California, Berkeley and a technical adviser to the California secretary of state's office, said the new measures should minimize risks in the June 6 primary. Elections officials in Georgia, which uses Diebold touch screens statewide, said existing state rules already are sufficient. Bev Harris, founder of BlackBoxVoting.org, a nonprofit group critical of electronic voting, said she isn't sure reprogramming and sealing the touch screens will fix the problem. Voting machines often are delivered to polling places several days before elections, and the outside case of Diebold's touch screens is secured by common Phillips screws. Inside, a hacker can take advantage of the security hole, as well as access other security holes, without disturbing the tamper-evident seals, Harris said. "Ultimately, there's no way to get rid of the huge security flaws in the design," she said. � 2000-2006 ANG Newspapers --- Stuart Udall stuart at () cyberdelix dot net - http://www.cyberdelix.net/ --- * Origin: lsi: revolution through evolution (192:168/0.2) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
"You can tell whether a man is clever by his answers. You can tell whether a man is wise by his questions." Naguib Mahfouz __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Scientists Call Diebold Security Flaw 'Worst Ever' lsi (May 12)
- Re: Scientists Call Diebold Security Flaw 'Worst Ever' bkfsec (May 12)
- Re: Scientists Call Diebold Security Flaw 'Worst Ever' Simon Roberts (May 12)