Diebold continues to attempt to ensure that the nightmare of 2000 will never be repeated where a national election comes down to the votes of five partisan hacks with no respect for a system of law. Diebold plans to do this by ensuring that elections are easily rigged:
Digital DailyLink.
AccuVote? Bit of an Oxymoron, Don’t You Think?
Published on August 3, 2007
by John Paczkowski
The access panel door on a Diebold AccuVote-TS voting machine–the door that protects the memory card that stores the votes and is the main barrier to the injection of a virus–can be opened with a standard key that is widely available on the Internet. The exact same key is used widely in office furniture, electronic equipment, jukeboxes and hotel minibars.”
–Princeton professor Ed Felten
With the presidential primary approaching, Diebold Election Systems is finally developing a voter-verified paper trail–of bad press. Earlier this week, the company made headlines when a team of investigators found fundamental security vulnerabilities in its touchscreen voting machines (as well as those of rivals Sequoia Voting Systems and Hart InterCivic).
Now it’s back in the news again, thanks to another government-ordered study that found its optical-scanning machines to be flawed as well. According to a report released by Florida Secretary of State Kurt Browning, Diebold’s AccuVote OS optical-scan voting devices could compromise the upcoming presidential primary elections in which they’re to be used. The machine’s “memory card can be preprogrammed to redistribute votes cast for selected candidates on that terminal, including swapping the votes for two candidates,” the report explains. “The attack can be carried out with low probability of detection, assuming that audit with paper ballots are infrequent and that programmed cards are not detected before use.”
An unsettling revelation for anyone concerned about this whole idea of “election integrity.” But never fear, Diebold has vowed to patch the vulnerabilities identified in the report by the Aug. 17 deadline given it by the state. If it doesn’t, it risks decertification, which some would argue might not be a bad idea at this point. Remember, Diebold is the company that designed its widely criticized electronic-voting systems, to be opened with a hotel minibar key and then posted a detailed photograph of that key to its online store.
It’s the company that can’t seem to safeguard its source code. It’s the company that evaded election transparency laws in North Carolina. And it’s the company that modified its machines without notifying election officials. Twice.
But there's much more (and let's remember that's it also pretty much applies to all e-voting machines):
Diebold Election Systems Inc. voting machines are not secure enough to guarantee a trustworthy election, and an attacker with access to a single machine could disrupt or change the outcome of an election using viruses, according to a review of Diebold's source code.[more]
"The software contains serious design flaws that have led directly to specific vulnerabilities that attackers could exploit to affect election outcomes," read the University of California at Berkeley report, commissioned by the California Secretary of State as part of a two-month "top-to-bottom" review of electronic voting systems certified for use in California.
The assessment of Diebold's source code revealed an attacker needs only limited access to compromise an election.
"An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine. The damage could be extensive -- malicious code could spread to every voting machine in polling places and to county election servers," it said.
The report, titled "Source Code Review of the Diebold Voting System," was apparently released Thursday, just one day before California Secretary of State Debra Bowen is to decide which machines are certified for use in California's 2008 presidential primary elections.
The source-code review identified four main weaknesses in Diebold's software, including: vulnerabilities that allow an attacker to install malware on the machines, a failure to guarantee the secrecy of ballots, a lack of controls to prevent election workers from tampering with ballots and results, and susceptibility to viruses that could allow attackers to an influence an election.
"A virus could allow an attacker who only had access to a few machines or memory cards, or possibly to only one, to spread malicious software to most, if not all, of a county's voting machines," the report said. "Thus, large-scale election fraud in the Diebold system does not necessarily require physical access to a large number of voting machines."
The report warned that a paper trail of votes cast is not sufficient to guarantee the integrity of an election using the machines. "Malicious code might be able to subtly influence close elections, and it could disrupt elections by causing widespread equipment failure on election day," it said.
The source-code review went on to warn that commercial antivirus scanners do not offer adequate protection for the voting machines. "They are not designed to detect virally propagating malicious code that targets voting equipment and voting software," it said.
In conclusion, the report said Diebold's voting machines had not been designed with security as a priority. "For this reason, the safest way to repair the Diebold system is to reengineer it so that it is secure by design," it said.
Speaking of more, the report cited is here.
And as for not just Diebold, it's even worse:
This has not been a good week for e-voting companies. First came the report out of California that the security had problems on every machine tested by independent security experts, followed quickly by security experts finding problems with other machines in Florida. This should come as no surprise. Every time a security expert seems to get a chance to check out these machines, they find problems. What was odd, though, about the announcement on Monday coming out of California, was that the state had only released some of the reports. It left out the source code review. However, late Thursday, the source code reports were finally released and things don't look much better. Apparently all of the e-voting machines are vulnerable to malicious attacks that could "affect election outcomes." The report also points out: "An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine. The damage could be extensive -- malicious code could spread to every voting machine in polling places and to county election servers." This, of course, is what others have been saying for years, and which Diebold always brushes off. Ed Felten has gone through the reports and is amazed to find that all of the e-voting machines seem to have very similar security problems -- and that many problems that Diebold had insisted it fixed in 2003 were still present. Remember how Diebold had used the master password "1111" in their machines? Now their machines use hard-coded passwords like "diebold" and (I kid you not) "12345678." At some point, isn't it time for Diebold (and the other e-voting machine makers) to stand up and admit that their machines aren't secure and, in fact, were never secure? At the very least, the company owes the world a huge apology -- but somehow, given its past behavior whenever its machines are shown as insecure, that seems unlikely to happen.Link.
But having just given Diebold a partial pass, that is, showing that they're all bad, just not Diebold, let me point out that Diebold has done far more to push this vile e-voting than anyone else. So yes, Diebold is the worst among equals.
No comments:
Post a Comment