Message-ID: <20040927223922.GA18674@www.kobly.com>
Date: Mon, 27 Sep 2004 16:39:22 -0600
From: "Patrick J. Kobly" <patrick@...ly.com>
To: bugtraq@...urityfocus.com
Subject: Re: Diebold Global Election Management System (GEMS) Backdoor Account Allows Authenticated Users to Modify Votes

I would suggest that you read some of Schneier's more recent writing.
http://www.schneier.com is a good start. Also, it's not such a great
idea reading "Applied Cryptography" without also reading "Secrets and
Lies" (also by Schneier). I think his views and writing matured a fair
bit after Applied Crypto, and he started to consider the application of
cryptography inside the context in which it is used. In particular,
Schneier tends to look a lot more at the social impacts and
restrictions inherent in the application of cryptographic technology.

Specifically relating to e-voting, Schneier has recently come out
opposed to e-voting without a voter-verified paper ballot (/audit
trail) a la Mercuri method. He's been published in the Communications
of the ACM and in Cryptogram, talking about the hazards of e-voting.

Note also that in Applied crypto, the schemes presented all share the
common problem that they assume that a computing device is a faithful
agent of its user. The assumption is that a user acts through his
computer, and that no other entity can interfere in that
relationship. In practice, so much responsibility and authority
is delegated from the user to the computer that this assumption may
not be valid. In most environments, this is not problematic - because
there is usually an independent auditing capability that can tie
parties to a transaction to that transaction.

Schneier now acknowledges that the problem is not a "solved problem"
and moreover that it may not be a "solvable problem."

PK

On Fri, Sep 24, 2004 at 10:01:59AM -0400, Claudius Li wrote:
> I usually stay comfortably hidden in lurkland but I'm a bit confused. Maybe someone here can enlighten me.
>
> A few years ago I read Bruce Schneier's Applied Cryptography. Everything in the book which I tested or looked up independently turned out to be true and it enjoyed an excellent reputation in our computer science department.
>
> This book has a whole section on electronic voting. In it, Mr. Schneier lists several things which we expect a voting system to provide; anonymity, accountability, verifiability, and others. He also points out that there is a theoretical limit to the level to which all of these can be satisfied. That is, we can never guarantee all of them with 100% confidence. This limit seems to extend to all voting systems whether they are electronic, paper based, clay-shards-in-an-amphora, or raised hands.
>
> But we can choose the levels at which we will guarantee each characteristic and get them to levels at which we are comfortable. Mr. Schneier also presented an open protocol using public key cryptography which does just that. It doesn't involve hidden code, it doesn't require an actual physical paper trail and, as far as I know, no one has ever pointed out any flaws in it.
>
> So my question is, given that this seems to be a solved problem why is there so much debate on finding the solution? Surely I am missing something obvious.
>
> -Claudius Li
>
> On Wed, Sep 22, 2004 at 03:13:41AM -0700 or thereabouts, Mike Ely wrote:
> > Alright, I'll bite. After reading the blackboxvoting.org allegations,
> > and your response, I have a few more questions I'd like to see
> > answered. I'll take them point-for-point from your response:
> >
> > > On Tue, 2004-09-21 at 08:05, pressinfo@...bold.com wrote:
> > In-Reply-To: <20040831203815.13871.qmail@....securityfocus.com>
> > >
> > > Diebold strongly refutes the existence of any "back doors" or "hidden
> > codes" in its GEMS software.
> > Please explain the purpose of leaving in the apparent debug mode that
> > blackboxvoting has described. If the mechanism described is not a debug
> > mode, what does it do, and why would it be in production software?
> >
> > >These inaccurate allegations appear to stem from those not familiar
> > with the product, misunderstanding the purpose of legitimate structures
> > in the database. These structures are well documented...
> > Can you please provide a link to this documentation, and perhaps an
> > explanation that offers more detail as to why you believe blackboxvoting
> > is wrong?
> >
> > >and have been reviewed (including at a source code level) by
> > independent testing authorities as required by federal election
> > regulations.
> > Leaving aside the question of who paid these "independent testing
> > authorities," I would kindly suggest that if there is any mechanism
> > which the US public should be allowed to subject to a high degree of
> > scrutiny, it would be the mechanism by which we elect the people who
> > will be making decisions for us. There was no question as to how
> > punchcard machines worked - anybody with a screwdriver and some
> > mechanical aptitude could figure that out in a very short time. The
> > problem wasn't with how they worked; it was how well they worked that
> > led to grief. However, as a voter and a US citizen, I do feel that I'd
> > like to have the right to get my own second opinion on your software,
> > including any versions certified after the infamous GEMS code leak.
> > Please provide all GEMS sourcecode to the US public for further
> > examination.
> >
> > > In addition to the facts stated above, a paper and an electronic
> > record of all cast ballots are retrieved from each individual voting
> > machine following an election.
> > The key problem here is that this paper record is created >after< the
> > election, leaving voters at the whim of any compromise that may occur to
> > a given machine >during< the election. In a paper ballot situation, the
> > ballot box sits in plain sight during the entire election, and is
> > physically locked at the close of the election. In the case of your
> > system, each voting booth takes the place of the ballot box for the
> > duration of the election, and is hidden behind a curtain or partition
> > with many anonymous people during this process. For the voter, there is
> > no guarantee that what is being stored to computer memory has anything
> > to do with the selections he or she just made, and no paper trail is
> > created until often hours after a voter has left the polling area.
> > Without an immediate paper trail being generated, the voter is at the
> > whim of whatever software happens to be loaded onto the touchscreen
> > computer in front of him or her.
> >
> > > The results from each individual machine are then tabulated, and
> > thoroughly audited during the standard election canvass process. Once
> > the audit is complete, the official winners are announced. Any alleged
> > changes to a vote count in the election management software would be
> > immediately discovered during this audit process, as this total would
> > not match the true official total tabulated from each machine.
> > Again, this makes the assumption that the totals printed out of the
> > machine after all the voters have left would correctly reflect the
> > intent and belief of the voters who used it.
> >
> > Unfortunately, without a voter-verifiable paper trail, it is possible
> > for a successful attack to occur. Without the minimal safeguards
> > mentioned above, this attack could go undetected. Regardless of how
> > many votes are compromised, any stolen vote is too many. Please take
> > the necessary steps to ensure the complete integrity of the US election
> > process.
> >
> >
> > > >From: "Jérôme" ATHIAS <jerome.athias@...amail.com>
> > > >To: bugtraq@...urityfocus.com
> > > >Subject: Diebold Global Election Management System (GEMS) Backdoor
> > Account
> > > > Allows Authenticated Users to Modify Votes
> > > >
> > > >
> > > >
> > > >Date: Tue, 31 Aug 2004 00:38:05 -0400
> > > >Subject: http://www.blackboxvoting.org/?q=node/view/78
> > > >
> > > >BlackBoxVoting.org reported a vulnerability in the Diebold GEMS
> > central tabulator.
> > > >
> > > >A local authenticated user can enter a two-digit code in a certain
> > "hidden" location
> > > >to cause a second set of votes to be created on the system. This
> > second set of votes
> > > >can be modified by the local user and then read by the voting system
> > as legitimate
> > > >votes, the report said.
> > > >
> > > >GEMS 1.18.18, GEMS 1.18.19, and GEMS 1.18.23 are affected.
> > > >
> > > >The vendor was reportedly notified on July 8, 2003.
> > > >
> > > >
> > > >Solution: No vendor solution was available at the time of this
> > entry.
> > > >
> > > >Vendor URL: www.diebold.com/dieboldes/GEMS.htm (Links to External
> > Site)
> > > >
> > > >
> >
> >
--
"I am committed to helping Ohio deliver its electoral votes to the
President next year."
-- Wally O'Dell - CEO of Diebold, Inc. (One of the largest American
manufacturers of election machinery)