Message-ID: <4464EC39.24753.11EA371B@stuart.cyberdelix.net>
Date: Fri May 12 20:13:14 2006
From: stuart at cyberdelix.net (lsi)
Subject: Scientists Call Diebold Security Flaw 'Worst Ever'

[I don't agree with the Professor, when he asserts that the best 
treatment for this problem is denial.  I suggest that the best 
treatment for this problem is dissemination, far and wide, so that 
the broadest range of pressures is brought to bear. - Stu]

http://www.commondreams.org/headlines06/0511-11.htm

Published on Thursday, May 11, 2006 by Inside Bay Area 

Scientists Call Diebold Security Flaw 'Worst Ever'

Critics say hole created for upgrades could be exploited by someone 
with nefarious plans

by Ian Hoffman

Computer scientists say a security hole recently found in Diebold 
Election Systems' touch-screen voting machines is the "worst ever" in 
a voting system. 

Election officials from Iowa to Maryland have been rushing to limit 
the risk of vote fraud or disabled voting machines since the hole was 
reported Wednesday. 

Scientists, who have conferred with Diebold representatives, said 
Diebold programmers created the security hole intentionally as a 
means of quickly upgrading voting software on its electronic voting 
machines. 

The hole allows someone with a common computer component and 
knowledge of Diebold systems to load almost any software without a 
password or proof of authenticity and potentially without leaving 
telltale signs of the change. 

"I think it's the most serious thing I've heard to date," said Johns 
Hopkins University computer science professor Avi Rubin, who 
published the first security analysis of Diebold voting software in 
2003. "Even describing why I think it's serious is dangerous. This is 
something that's so easy to do that if the public were to hear about 
it, it would raise the risk of someone doing it. ... This is the 
worst-case scenario, almost." 

Diebold representatives acknowledged the security hole to 
Pennsylvania elections officials in a May 1 memo but said the 
"probability for exploiting this vulnerability to install 
unauthorized software that could affect an election is considered 
low." 

California elections officials echoed that assessment Friday in a 
message to county elections chiefs. 

But several computer scientists said Wednesday that those judgments 
are founded on the mistaken assumption that taking advantage of the 
security hole would require access to voting machines for a long 
time. 

"I don't know anyone who considers two minutes lengthy, if it's 
that," said Michael Shamos, a Carnegie Mellon University computer 
science professor and veteran voting-systems examiner for the state 
of Pennsylvania. 

"It's the most serious security breach that's ever been discovered in 
a voting system. On this one, the probability of success is extremely 
high because there's no residue. ... Any kind of cursory inspection 
of the machine would not reveal it." 

States using Diebold touch screens are "going to have to fix it 
because they can't have an election without having a fix to this," he 
said. Otherwise, states risk challenges from losing candidates while 
being unable to prove easily that the machines worked as designed. 

At least two states - Pennsylvania and California - have ordered 
tighter security and reprogramming of all Diebold touch screens, 
using software supplied by the state and a method opened by the 
security hole. Local elections officials then must seal certain 
openings on the machines with tamper-evident tape. 

David Wagner, an assistant professor of computer science at the 
University of California, Berkeley and a technical adviser to the 
California secretary of state's office, said the new measures should 
minimize risks in the June 6 primary. 

Elections officials in Georgia, which uses Diebold touch screens 
statewide, said existing state rules already are sufficient. 

Bev Harris, founder of BlackBoxVoting.org, a nonprofit group critical 
of electronic voting, said she isn't sure reprogramming and sealing 
the touch screens will fix the problem. 

Voting machines often are delivered to polling places several days 
before elections, and the outside case of Diebold's touch screens is 
secured by common Phillips screws. Inside, a hacker can take 
advantage of the security hole, as well as access other security 
holes, without disturbing the tamper-evident seals, Harris said. 

"Ultimately, there's no way to get rid of the huge security flaws in 
the design," she said. 

© 2000-2006 ANG Newspapers

---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)
