Date: Fri May 12 20:58:41 2006
From: thorpflyer at yahoo.com (Simon Roberts)
Subject: Scientists Call Diebold Security Flaw 'Worst Ever'

I love the suggestion that the "probability for exploiting this
vulnerability to install unauthorized software that could affect an
election is considered low."

Does low mean perhaps one-in-a-million? Hmm, how many registered voters
are there in the country?

Sheesh!

--- lsi <stuart@...erdelix.net> wrote:

> [I don't agree with the Professor, when he asserts that the best
> treatment for this problem is denial.  I suggest that the best
> treatment for this problem is dissemination, far and wide, so that
> the broadest range of pressures is brought to bear. - Stu]
> 
> http://www.commondreams.org/headlines06/0511-11.htm
> 
> Published on Thursday, May 11, 2006 by Inside Bay Area
> 
> Scientists Call Diebold Security Flaw 'Worst Ever'
> 
> Critics say hole created for upgrades could be exploited by someone
> with nefarious plans
> 
> by Ian Hoffman
> 
> 
> Computer scientists say a security hole recently found in Diebold
> Election Systems' touch-screen voting machines is the "worst ever" in
> a voting system.
> 
> Election officials from Iowa to Maryland have been rushing to limit
> the risk of vote fraud or disabled voting machines since the hole was
> reported Wednesday.
> 
> Scientists, who have conferred with Diebold representatives, said
> Diebold programmers created the security hole intentionally as a
> means of quickly upgrading voting software on its electronic voting
> machines.
> 
> The hole allows someone with a common computer component and
> knowledge of Diebold systems to load almost any software without a
> password or proof of authenticity and potentially without leaving
> telltale signs of the change.
> 
> "I think it's the most serious thing I've heard to date," said Johns
> Hopkins University computer science professor Avi Rubin, who
> published the first security analysis of Diebold voting software in
> 2003. "Even describing why I think it's serious is dangerous. This is
> something that's so easy to do that if the public were to hear about
> it, it would raise the risk of someone doing it. ... This is the
> worst-case scenario, almost."
> 
> Diebold representatives acknowledged the security hole to
> Pennsylvania elections officials in a May 1 memo but said the
> "probability for exploiting this vulnerability to install
> unauthorized software that could affect an election is considered
> low."
> 
> California elections officials echoed that assessment Friday in a
> message to county elections chiefs.
> 
> But several computer scientists said Wednesday that those judgments
> are founded on the mistaken assumption that taking advantage of the
> security hole would require access to voting machines for a long
> time.
> 
> "I don't know anyone who considers two minutes lengthy, if it's
> that," said Michael Shamos, a Carnegie Mellon University computer
> science professor and veteran voting-systems examiner for the state
> of Pennsylvania.
> 
> "It's the most serious security breach that's ever been discovered in
> a voting system. On this one, the probability of success is extremely
> high because there's no residue. ... Any kind of cursory inspection
> of the machine would not reveal it."
> 
> States using Diebold touch screens are "going to have to fix it
> because they can't have an election without having a fix to this," he
> said. Otherwise, states risk challenges from losing candidates while
> being unable to prove easily that the machines worked as designed.
> 
> At least two states - Pennsylvania and California - have ordered
> tighter security and reprogramming of all Diebold touch screens,
> using software supplied by the state and a method opened by the
> security hole. Local elections officials then must seal certain
> openings on the machines with tamper-evident tape.
> 
> David Wagner, an assistant professor of computer science at the
> University of California, Berkeley and a technical adviser to the
> California secretary of state's office, said the new measures should
> minimize risks in the June 6 primary.
> 
> Elections officials in Georgia, which uses Diebold touch screens
> statewide, said existing state rules already are sufficient.
> 
> Bev Harris, founder of BlackBoxVoting.org, a nonprofit group critical
> of electronic voting, said she isn't sure reprogramming and sealing
> the touch screens will fix the problem.
> 
> Voting machines often are delivered to polling places several days
> before elections, and the outside case of Diebold's touch screens is
> secured by common Phillips screws. Inside, a hacker can take
> advantage of the security hole, as well as access other security
> holes, without disturbing the tamper-evident seals, Harris said.
> 
> "Ultimately, there's no way to get rid of the huge security flaws in
> the design," she said.
> 
> © 2000-2006 ANG Newspapers
> 
> ---
> Stuart Udall
> stuart at@...erdelix.dot net - http://www.cyberdelix.net/
> 
> ---
>  * Origin: lsi: revolution through evolution (192:168/0.2)
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 


"You can tell whether a man is clever by his answers. You can tell whether a man is wise by his questions." - Naguib Mahfouz
