[IP] Serious vulnerability in Diebold DRE voting machines...
Begin forwarded message:
From: Joseph Lorenzo Hall <joehall@xxxxxxxxx>
Date: May 11, 2006 11:56:45 AM EDT
To: Dave Farber <dave@xxxxxxxxxx>, Declan McCullagh <declan@xxxxxxxx>
Subject: Serious vulnerability in Diebold DRE voting machines...
Reply-To: joehall@xxxxxxxxx
The public (redacted) report on this should be available in one hour
(10AM PDT). -Joe
----
<http://www.insidebayarea.com/argus/localnews/ci_3804675>
# Voting glitch said to be 'dangerous' #
By Ian Hoffman, STAFF WRITER
Inside Bay Area
Elections officials in several states are scrambling to understand and
limit the risk from a "dangerous" security hole found in Diebold
Election Systems Inc.'s ATM-like touch-screen voting machines.
The hole is considered more worrisome than most security problems
discovered on modern voting machines, such as weak encryption, easily
pickable locks and use of the same, weak password nationwide.
Armed with a little basic knowledge of Diebold voting systems and a
standard component available at any computer store, someone with a
minute or two of access to a Diebold touch screen could load virtually
any software into the machine and disable it, redistribute votes or
alter its performance in myriad ways.
"This one is worse than any of the others I've seen. It's more
fundamental," said Douglas Jones, a University of Iowa computer
scientist and veteran voting-system examiner for the state of Iowa.
"In the other ones, we've been arguing about the security of the locks
on the front door," Jones said. "Now we find that there's no back
door. This is the kind of thing where if the states don't get out in
front of the hackers, there's a real threat."
The Argus is withholding some details of the vulnerability at the
request of several elections officials and scientists, partly because
exploiting it is so simple and the tools for doing so are widely
available. A Finnish computer expert working with Black Box Voting, a
nonprofit organization critical of electronic voting, found the
security hole in March after Emery County, Utah, was forced by state
officials to accept Diebold touch screens, and a local elections
official allowed the expert to examine the machines.
Black Box Voting was to issue two reports today on the security hole,
one of limited distribution that explains the vulnerability fully and
one for public release that withholds key technical details.
The computer expert, Harri Hursti, quietly sent word of the
vulnerability in March to several computer scientists who advise
various states on voting systems.
At least two of those scientists verified some or all of Hursti's
findings. Several notified their states and requested meetings with
Diebold to understand the problem.
[...]
The result, said Iowa's Jones, is a violation of federal voting
system rules.
"All of us who have heard the technical details of this are really
shocked. It defies reason that anyone who works with security would
tolerate this design," he said.
Contact Ian Hoffman at ihoffman@xxxxxxxxxxxxxxxxxx
--
Joseph Lorenzo Hall
PhD Student, UC Berkeley, School of Information
<http://josephhall.org/>
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/